
Upload: buinhan

Post on 30-Nov-2018


Visualizing Attack Campaigns using TRIAGE Analytics. Case Study: The Targeted Attacks Landscape in 2011 (ISTR'12)

Olivier Thonnard Symantec Research Labs

Research Labs

http://www.symantec.com/research

Who I am

• Dr. Olivier Thonnard – Sr. Research Engineer
  – Symantec Research Labs (Europe) since 2010
    • Collaborative Advanced Research Department (CARD)
    • Led by Marc Dacier, Sr. Director of Research
  – PhD from EURECOM, Sophia Antipolis (France)
  – Research on methods for attack attribution and threat analysis
    • Data mining, machine learning, clustering, Multi-Criteria Decision Analysis (MCDA)
  – Leading Symantec R&D efforts in VIS-SENSE (EU-FP7)
  – Before joining SRL:
    • Military Officer in Belgium (Senior Captain)
    • Teaching Network Security at the Royal Military Academy


FIRST 2012 - Visualizing cybercrime campaigns using TRIAGE analytics

http://www.vis-sense.eu

Outline

1. Security Intelligence – TRIAGE Analytics
2. Case Study: Targeted Attacks Landscape in 2011
3. Conclusion & Future Challenges

Security Intelligence: Setting the Scene

Highlights and Trends in 2010-2011

Global Intelligence Network: identifies more threats, takes action faster & prevents impact

Information Protection – Preemptive Security Alerts – Threat Triggered Actions
Global Scope and Scale – Worldwide Coverage – 24x7 Event Logging – Rapid Detection

Attack Activity • 240,000 sensors • 200+ countries
Malware Intelligence • 133M clients, servers, gateways monitored • Global coverage
Vulnerabilities • 40,000+ vulnerabilities • 14,000 vendors • 105,000 technologies
Spam/Phishing • 5M decoy accounts • 8B+ email messages/day • 1B+ web requests/day

Locations: Austin, TX; Mountain View, CA; Culver City, CA; San Francisco, CA; Taipei, Taiwan; Tokyo, Japan; Dublin, Ireland; Calgary, Alberta; Chengdu, China; Chennai, India; Pune, India

Threat Landscape – Targeted attacks: some examples

• Ghostnet (March 2009)
  – Large-scale cyber spying operation
  – Infiltrated computer systems in 103 countries, including embassies, foreign ministries, government offices, and the Dalai Lama's Tibetan exile centers
  – Began capturing data on May 22, 2007
• Trojan.Hydraq (Jan 2010) – Operation "Aurora"
  – High-profile targeted threat affecting multinational corporations
• Stuxnet (June 2010)
• Attack against RSA (August 2011)
• The Nitro Attacks (July 2011 → October 2011)
  – Stealing Secrets from the Chemical Industry
• Sykipot and Taidoor attacks (2011 – Defense industry, Governments, …)
• W32.Duqu (November 2011) – precursor to a Stuxnet-like attack
  – Zero-day exploit embedded in a Word document

TRIAGE analytics: Sykipot attacks (visualization)

Rise in Targeted Attack Activity over Time – 2011

[Chart: average number of targeted attacks blocked per day, by month, 2011. Values as they appear in the chart, Jan to Dec: 25.6, 30.0, 82.1, 93.1, 78.0, 92.9, 50.1, 77.0, 108.3, 99.9, 94.1, 154.3]

TRIAGE analytics: The Targeted Attacks Landscape in 2011

SOME FUNDAMENTAL QUESTIONS:

§ Same or similar attacks targeting multiple organizations? On the same or different dates? → Still linked to the same individuals?
§ Apparently unrelated attacks still part of the same Attack Campaign (AC)? → e.g., Nitro, Sykipot, Taidoor, Luckycat, etc.
§ What are the characteristics and dynamics of Attack Campaigns? What is the modus operandi of attackers?
§ Uncover any relationship between attack features: (subjects, attachments) and target / date (breaking news?) / …

Research towards Attack Attribution

"Chance is a word void of sense; nothing can exist without a cause." – Voltaire

Security intelligence: Attack attribution

• … is not only about "IP traceback"
• … is also about identifying the root causes of observed attacks by linking them together thanks to common, external, contextual "fingerprints"
• … is about "cyber intelligence"
• … is about "connecting the dots"

What is TRIAGE?

• Data analytics framework for attack attribution
  – Find systematically groups of events likely due to the same root cause
  – Enable the analysis of their modus operandi
• Novelty: combines two approaches
  – (Graph) clustering techniques
  – Multi-Criteria Decision Analysis (MCDA)
  – Mostly unsupervised approach

Started under… http://www.wombat-project.eu
Visual analytics: http://www.vis-sense.eu

Security intelligence: The TRIAGE approach

→ Clustering based on Multi-Criteria Decision Analysis (MCDA)
→ Automatic grouping of elements likely to share the same root causes

[Diagram: Events → Feature selection → per-feature graph-based analysis (build relationships) → multi-criteria aggregation Σ (data fusion) → Multi-Dimensional Clusters (MDCs) → visualization]

Aggregation inputs: "vague statements" on the number of criteria ("at least k strong similarities"); importances and interactions among criteria

Industrial Espionage and Targeted Attacks (ISTR'12)

O. Thonnard, L. Bilge, G. O'Gorman, S. Kiernan, and M. Lee. Industrial Espionage and Targeted Attacks: Characteristics of an Escalating Threat. 15th Int. Symposium on Research in Attacks, Intrusions, and Defenses (RAID'12)

Case Study – RSA Attacks (CVE-2011-0609): Begins with a Spear Phishing Email

Traits:
• Related to recipient's line of work
• "Strange" English
• Email recipient is rarely the end target
• Emails are often re-used

Targeted Attacks: Experimental Data Set

• A targeted attack is defined as:
  § low copy number attacks carrying malicious email attachments
  § showing some clear evidence of a selection of the subject and the targets
  § embedding a relatively sophisticated malware
• In 2011: Symantec.cloud blocked over 26,000 targeted attacks
  – Detection: SKEPTIC technology, manual analysis, dynamic analysis
• All email attachments (MD5) were analyzed:
  – By a series of common AV engines → AV signatures
  – Dynamic analysis using sandboxing systems → files read or created, network connections, C&C information, etc.

Targeted Attacks: Attachment – Document type

PDF document – 35%
Office – 18%
Zip / RAR – 27%
Rich Text Format – 15%
Others – 4%
PE32 Exe – 1%

Targeted Attacks: Most Targeted Sectors

Government & Diplomatic – 34%
Internet & Web services – 15%
Services and Consultancy – 10%
Defence industry – 9%
Chemical industry – 8%
Aerospace – 8%
NGO – 4%
Oil & Energy – 4%
Military – 1%
Others – 7%

Targeted Attacks: AV Signatures – Microsoft (percentages as listed in the chart, in legend order)

Win32/CVE-2010-3333 – 27%
Win32/CVE-2009-3129 – 13%
SWF/CVE-2011-0611.C – 12%
SWF/CVE-2011-0611.A – 8%
Win32/CVE-2010-2883.A – 8%
Win32/CVE-2011-2462.B – 5%
SWF/CVE-2011-0611.P – 4%
JS/ShellCode.AE – 4%
Win32/CVE-2011-2462.C – 4%
Win32/CVE-2011-2462.D – 2%
Others – 13%

(!! Only 30% of the attacks were identified by a signature)

Internet Security Threat Report (ISTR 2012) – TRIAGE: Looking for Attack Campaigns

[Diagram: TARGETED ATTACKS → RELATIONSHIPS → AGGREGATION MODEL (importance factors, interactions) → DATA FUSION. Features: ORIGINS (From, IP address, Mailer); ATTACK (attachment MD5, Subject, Date); TARGET (To address, BCC address). Example dates shown: January 17, 2011; May 12, 2011; July 22, 2011]

TRIAGE analytics: Targeted Attack Campaign

• An Attack Campaign (AC) is a series of targeted attacks that:
  1. Are linked by a sufficient number of highly similar features
  2. Are likely to originate from the same people (because of 1.)
  3. Occur on the same day or span multiple days (consecutive or not)

Feature coalition – Aggregated value
Only 1 feature – 0.03 < X < 0.13
Any 2 features – 0.09 < X < 0.20 ((MD5-ssdeep) < X < (MD5-IP))
MD5 – IP – Day – 0.40
MD5 – From – Subject – 0.39
IP – From – Subject – 0.366
IP – To – Subject – 0.336

→ At least 3 strong correlations

Targeted Attack Campaigns: High-level Figures

• On average, a targeted attack campaign:
  – will comprise 78 attacks
  – targeting 61 email addresses
  – within a 4-day period

Characteristic – Average – Maximum
Nr of Attacks – 78 – 848
Duration – 4 days – 9 months
Nr of From addr. – 6 – 98
Nr of To addr. – 61 – 1,800
Nr of Targ. Sectors – 1-2 – 22
Nr of MD5 – 4-5 – 59
Nr of Exploits – 1-2 – 4

"Single attack"?
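As an added example (not code from the presentation, nor Symantec's TRIAGE implementation), the campaign-linking rule and the per-campaign figures of the two slides above can be prototyped as follows. Two attacks are linked when at least k of their features are strongly similar (the "at least 3 strong correlations" rule), and a campaign is a connected component of the resulting link graph, which is what pulls an attacker who reuses another attacker's file into the same campaign, as in the NR4 story. The 0.8 "strong" threshold, the day-proximity decay, the Jaccard subject similarity and every attack record are assumptions constructed for the example; TRIAGE's MCDA aggregation with importance factors and interactions is not reproduced here.

```python
"""Simplified TRIAGE-style campaign linking over blocked spear-phishing emails.

Two attacks are linked when at least K of their features are strongly
similar (the slide's "at least 3 strong correlations"); an attack campaign
is a connected component of the resulting graph, so an attacker who reuses
another attacker's file is pulled into the same campaign even if the two
never share a sender.  All data below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from itertools import combinations


@dataclass(frozen=True)
class Attack:
    """One blocked targeted email (constructed, anonymised values)."""
    id: int
    day: date
    src_ip: str
    sender: str
    recipient: str
    subject: str
    md5: str
    sector: str
    exploit: str


# Constructed sample: six blocked attacks (RFC 5737 test IPs, placeholder
# MD5 labels, .example/.test domains).  CVE ids are the ones named on the slides.
ATTACKS = [
    Attack(1, date(2011, 4, 28), "198.51.100.7", "press@news.test", "cfo@aero.example",
           "Q1 report - please review", "md5-aaaa", "Aerospace", "CVE-2011-0611"),
    Attack(2, date(2011, 4, 28), "198.51.100.7", "press@news.test", "cto@aero.example",
           "Q1 report - please review", "md5-aaaa", "Aerospace", "CVE-2011-0611"),
    Attack(3, date(2011, 5, 12), "198.51.100.7", "press@news.test", "hr@chem.example",
           "Q1 report - please review", "md5-aaaa", "Chemical", "CVE-2011-0611"),
    Attack(4, date(2011, 5, 12), "203.0.113.9", "hr@jobs.test", "hr@chem.example",
           "Updated salary list", "md5-bbbb", "Chemical", "CVE-2010-3333"),
    Attack(5, date(2011, 5, 20), "203.0.113.9", "careers@jobs.test", "rd@chem.example",
           "Updated salary list", "md5-bbbb", "Chemical", "CVE-2010-3333"),
    Attack(6, date(2011, 7, 19), "192.0.2.33", "admin@support.test", "it@chem.example",
           "Reader upgrade required", "md5-cccc", "Chemical", "CVE-2011-0611"),
]

STRONG = 0.8     # assumed: a feature similarity at or above this counts as "strong"
MIN_STRONG = 3   # from the slide: at least 3 strong correlations link two attacks


def feature_similarities(a: Attack, b: Attack) -> dict:
    """Per-feature similarity in [0, 1] for the six features used on the slide."""
    words_a, words_b = set(a.subject.lower().split()), set(b.subject.lower().split())
    subject = len(words_a & words_b) / len(words_a | words_b) if words_a | words_b else 0.0
    gap = abs((a.day - b.day).days)
    return {
        "md5": float(a.md5 == b.md5),
        "ip": float(a.src_ip == b.src_ip),
        "from": float(a.sender == b.sender),
        "to": float(a.recipient == b.recipient),
        "subject": subject,                                     # Jaccard over subject words
        "day": 1.0 if gap == 0 else 0.5 if gap <= 7 else 0.0,  # assumed proximity decay
    }


def linked(a: Attack, b: Attack, k: int = MIN_STRONG) -> bool:
    """True when at least k features are strongly similar."""
    sims = feature_similarities(a, b)
    return sum(1 for v in sims.values() if v >= STRONG) >= k


def find_campaigns(attacks, k: int = MIN_STRONG):
    """Group attacks into campaigns: connected components of the link graph (union-find)."""
    parent = {a.id: a.id for a in attacks}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for a, b in combinations(attacks, 2):
        if linked(a, b, k):
            parent[find(a.id)] = find(b.id)
    groups = defaultdict(list)
    for a in attacks:
        groups[find(a.id)].append(a)
    return sorted(groups.values(), key=lambda g: min(x.id for x in g))


def campaign_profile(campaign) -> dict:
    """The per-campaign characteristics tabulated on the high-level figures slide."""
    days = [a.day for a in campaign]
    sectors = {a.sector for a in campaign}
    return {
        "attacks": len(campaign),
        "duration_days": (max(days) - min(days)).days + 1,
        "from_addresses": len({a.sender for a in campaign}),
        "to_addresses": len({a.recipient for a in campaign}),
        "sectors": len(sectors),
        "md5s": len({a.md5 for a in campaign}),
        "exploits": len({a.exploit for a in campaign}),
        "multi_sector": len(sectors) > 1,   # MOTA-style large-scale campaign
    }


if __name__ == "__main__":
    for c in find_campaigns(ATTACKS):
        print([a.id for a in c], campaign_profile(c))
```

On the constructed sample, attacks 1-3 form one multi-sector campaign (same file, IP, sender and subject across Aerospace and Chemical targets), attacks 4 and 5 form a single-sector campaign, and attack 6 stays alone; attacks 3 and 4 share only the recipient and the day, so two strong features are not enough to link them, which is the point of the coalition table.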

Massive Organizational Targeted Attacks (MOTA): Large-Scale Campaigns – Multiple Sectors

• Over 1/3rd of ACs are organized on a "large scale", i.e.:
  – Target multiple organizations, active in different sectors
  – Most often, on different days
• Most of those large-scale ACs are very well-resourced
  – Up to 4 exploits used during the same campaign, e.g.:
    • Re-packed into 50+ different MD5s
    • 43-day campaign, spread over 5 months, targeting 4+ sectors
  – Multilingual: the language used is tuned to the targeted recipients
    • Use of Chinese for .cn domains, Japanese for .jp, Russian for .ru, …

Massive Organizational Targeted Attacks (MOTA) – Example: NR4 campaign

Timeline: 2011-04-28 – 2011-07-19
3 attackers – 848 emails on 16 dates over 3 months

[Table columns: Attacker, Subject, Sector, MD5, AV Sig., C&C – contents [removed]]

NR4 Mass-scale campaign – Comparing Emails

Attacker #1 vs. Attacker #2: different dates, same malicious file (same MD5) [+ same C&C server …]
→ Same attack, but on different targets!

NR4 Mass-scale campaign – Comparing Emails (2)

Attacker #2: new attack, on different targets (same date here); new malicious files, reused by Attacker #3
Attacker #3: clear connection with Attacker #2 …

NR4 Mass-scale campaign – Comparing Emails (3)

Attacker #3: new attack from Attacker #3, on yet another target
Attacker #2: new attack from Attacker #2, but this time in Chinese, on yet other dates [+ again, same C&C server …]

Note: All attacks exploit the same vulnerability … (SWF/CVE-2011-0611.C)

Mass-scale Targeted Attack Campaign (MOTA): NITRO attacks

More info: detailed review in The Nitro Attacks: Stealing Secrets from the Chemical Industry

[Figure: TRIAGE graph visualization of the Nitro campaign emails; sender, recipient and attachment labels are anonymized or marked [removed] in the original]

Mass-scale Targeted Attack Campaign (MOTA): NITRO campaign (Oct 11) (visualization)

Mass-scale campaign (MOTA): Taidoor Attacks – 2011 (visualization)

Highly targeted campaigns: Single-Sector attack campaign

• About 2/3rd of ACs are highly targeted:
  – They target multiple recipients but in a single, or a limited number of, sectors
  – E.g.: different companies active in the Aerospace or Defense industry
• Over 50% target the sectors:
  – Gov./Dipl., Defense or Aerospace
• However, more specific industries (in "niche" sectors) are more specifically targeted by those very focused attacks:
  – Agriculture, Construction, Academic, Chemical, Oil, Maritime, Healthcare
  – Much less targeted by "generic" multi-sector ACs

Highly targeted campaigns – Example: Sykipot attacks

§ Long-running, very focused campaigns
§ Targets Defense industries, Governments, etc.

More info: detailed review in The Sykipot Attacks, Symantec Connect Blog, http://www.symantec.com/connect/blogs/sykipot-attacks

Example of Sykipot campaign (April 2011): 3 attackers – 52 emails sent on 3 dates, targeting 30 mailboxes of 2 Defense industries

Targeted attacks: 0-day malware analysis

• What is the prevalence and sophistication level of TT-attacks?
• We use WINE to correlate malicious attachments (droppers)
  – Worldwide Intelligence Network Environment
  – Contains operational data sets collected from Symantec customers' machines (opt-in model)
    • AV & IDS "pings", malware samples, reputation data (URL, binaries), …
  – Data sharing platform open to security researchers
• Results
  – TT-attacks rely mostly on social engineering
  – Low level of sophistication for a majority of attacks
    • use little obfuscation or polymorphism
  – "Only" 8 attack campaigns used zero days
    • Attacks observed +/- 2 weeks before disclosure date
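An added example (not code from the presentation or from WINE) of the Δt analysis behind the zero-day result above: for each campaign, the date of the first blocked attack is compared with the public disclosure date of the exploited vulnerability, a negative Δt flags a zero-day campaign, and the values are binned the way the slide's histogram is. The campaign records and the disclosure dates in the table are constructed placeholders (the dates were not looked up; substitute the vendor advisory dates before using this on real data); the CVE ids are the ones named on the signature slide.

```python
"""Zero-day timing for attack campaigns: how far the first observed attack
lies from the public disclosure of the exploited vulnerability (the Δt of
the 0-day slide).  Campaign records and disclosure dates below are
constructed for illustration; substitute real advisory dates before use.
"""
from collections import Counter
from datetime import date

# Illustrative disclosure dates per CVE (constructed placeholders, not looked up).
DISCLOSURE = {
    "CVE-2011-0611": date(2011, 4, 11),
    "CVE-2010-3333": date(2010, 11, 9),
}

# Constructed campaigns: (campaign id, CVE exploited, date of first blocked attack).
CAMPAIGNS = [
    ("AC-01", "CVE-2011-0611", date(2011, 3, 30)),   # 12 days before disclosure
    ("AC-02", "CVE-2011-0611", date(2011, 4, 28)),   # 17 days after
    ("AC-03", "CVE-2010-3333", date(2011, 5, 12)),   # long-patched vulnerability
    ("AC-04", "CVE-2011-0611", date(2011, 4, 11)),   # same day as disclosure
]


def delta_days(cve: str, first_seen: date) -> int:
    """Δt in days; negative means the exploit was seen before disclosure."""
    return (first_seen - DISCLOSURE[cve]).days


def is_zero_day(cve: str, first_seen: date) -> bool:
    return delta_days(cve, first_seen) < 0


def bucket(dt: int) -> str:
    """Map Δt to the histogram bins used on the slide's x-axis."""
    if dt < -120:
        return "< -4 months"
    if dt < 0:
        for lower, label in ((-14, "-2 weeks"), (-30, "-1 month"), (-120, "-4 months")):
            if dt >= lower:
                return label
    if dt == 0:
        return "same day"
    for upper, label in ((7, "+1 week"), (30, "+1 month"), (60, "+2 months"),
                         (90, "+3 months"), (120, "+4 months")):
        if dt <= upper:
            return label
    return "> +4 months"


def zero_day_campaigns(campaigns):
    """Ids of campaigns whose first attack predates the disclosure of their exploit."""
    return [cid for cid, cve, seen in campaigns if is_zero_day(cve, seen)]


def histogram(campaigns) -> dict:
    """Percentage of campaigns per Δt bin (the slide's y-axis)."""
    counts = Counter(bucket(delta_days(cve, seen)) for _, cve, seen in campaigns)
    return {label: 100.0 * n / len(campaigns) for label, n in counts.items()}


if __name__ == "__main__":
    print("zero-day campaigns:", zero_day_campaigns(CAMPAIGNS))
    for label, pct in histogram(CAMPAIGNS).items():
        print(f"{label:>12}: {pct:.0f}%")
```

Keying the disclosure date by CVE rather than by AV signature matters because several signatures on the Microsoft slide cover the same CVE (three SWF/CVE-2011-0611 variants); the Δt is a property of the vulnerability, not of the detection name.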

[Chart: 0-days – percentage of the campaigns (y-axis 0-35%) by Δt between the first observed attack and the vulnerability disclosure; x-axis bins: -4 months, -1 month, -2 weeks, same day, +1 week, +1 month, +2 months, +3 months, +4 months; Δt1 and Δt2 are marked]

Conclusions – Future Challenges

TRIAGE Analytics – Security Intelligence: Why is it useful for us

Rogue AV Campaigns
• Report on Rogue AV Security Software (ISTR'09)
• Server infrastructure and distribution mechanisms (RAID'10)

Targeted Attacks and Industrial Espionage
• Link series of attacks to larger-scale campaigns (ISTR'12, FIRST'12)
• Better understanding of the modus operandi of attackers (RAID'12)

Analysis of Spam Botnets Operations
• Analysis of spam campaigns propagated through botnets (ISTR'12)
• New insights into spammers' operations (CEAS'11, SECURE'11)

TRIAGE Analytics: Scalability Challenge

• Sheer volumes of data to process
  – Global Intelligence Network (GIN)
  – Symantec.cloud
  → Develop scalable clustering techniques
  → Use Cloud computing (Hadoop/MapReduce)
• Multi-dimensional aspect
  – Many features are potentially interesting to attribute attacks
    • Timing, type of target, attack origins and context (e.g., IP addresses, ASNs, ISPs, Registrars, DNS information, …), vulnerability being targeted, type of exploit, delivery mechanisms, etc.
  → Aggregation and data fusion is key

www.bigfootproject.eu

TRIAGE Analytics: Usability Challenge – Visual Analytics

Visual Analytics mantra: "Analyze First – Show the Important – Zoom, Filter and Analyze Further – Details on Demand"

[Diagram: TRIAGE → Σ → Visualization; Visual Analytics for Security, http://www.vis-sense.eu]

Mass-scale Spam Campaigns: Rustock-Grum Spam Botnets (ISTR'12) (visualization)

VIS-SENSE (EU-FP7)
• Visual Analytic Representation of Large Datasets for Enhancing Network Security
  – Topic: Technology and Tools for Trustworthy ICT (2009.1.4)
  – Budget: 3.32 Million Euro / 2.35 Million Euro EU Contribution
  – Timeframe: 01.10.2010 until 30.09.2013
• 6 partners from 4 countries
  – Fraunhofer IGD (Germany) - Coordinator
  – CERTH / ITI (Greece)
  – University of Konstanz (Germany)
  – Telecom SudParis (France)
  – EURECOM (France)
  – SYMANTEC Ltd (Ireland)
http://www.vis-sense.eu

Thank you!

Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.


[email protected]

http://www.symantec.com/WINE

Fostering Research in Cyber Security: To make real advances, information sharing is key
http://www.symantec.com/WINE – Worldwide Intelligence Network Environment


WINE: Data Sharing with Academia – http://www.symantec.com/WINE
Symantec's worldwide sensors (GIN) → platform for rigorous experimentation

WINE – Worldwide Intelligence Network Environment
• Binary reputation: 35M machines
• Malware: 7M samples
• Spam: 2.5M decoys
• URL reputation: 10M domains
• A/V telemetry: 136M machines
http://www.symantec.com/WINE