Visualizing Attack Campaigns using TRIAGE Analytics – Case Study: The Targeted Attacks Landscape in 2011 (ISTR'12)
Olivier Thonnard, Symantec Research Labs
Research Labs
http://www.symantec.com/research
Who I am
• Dr. Olivier Thonnard – Sr Research Engineer
  – Symantec Research Labs (Europe) since 2010
    • Collaborative Advanced Research Department (CARD)
    • Led by Marc Dacier, Sr. Director of Research
  – PhD from EURECOM, Sophia Antipolis (France)
  – Research on methods for attack attribution and threat analysis
    • Data mining, machine learning, clustering, Multi-Criteria Decision Analysis (MCDA)
  – Leading Symantec R&D efforts in VIS-SENSE (EU-FP7)
• Before joining SRL
  – Military Officer in Belgium (Senior Captain)
  – Teaching Network Security at the Royal Military Academy
FIRST 2012 – Visualizing cybercrime campaigns using TRIAGE analytics
http://www.vis-sense.eu
Outline
1. Security Intelligence – TRIAGE Analytics
2. Case Study: Targeted Attacks Landscape in 2011
3. Conclusion & Future Challenges
Security Intelligence: Setting the Scene
Highlights and Trends in 2010-2011
Global Intelligence Network: Identifies more threats, takes action faster & prevents impact
Information Protection · Preemptive Security Alerts · Threat Triggered Actions
Global Scope and Scale · Worldwide Coverage · 24x7 Event Logging · Rapid Detection
• Attack Activity: 240,000 sensors; 200+ countries
• Malware Intelligence: 133M client, server, gateways monitored; global coverage
• Vulnerabilities: 40,000+ vulnerabilities; 14,000 vendors; 105,000 technologies
• Spam/Phishing: 5M decoy accounts; 8B+ email messages/day; 1B+ web requests/day
Locations (map): Austin, TX; Mountain View, CA; Culver City, CA; San Francisco, CA; Taipei, Taiwan; Tokyo, Japan; Dublin, Ireland; Calgary, Alberta; Chengdu, China; Chennai, India; Pune, India
Threat Landscape → Targeted attacks: Some examples
• Ghostnet (March 2009)
  – Large-scale cyber spying operation
  – Infiltrated computer systems in 103 countries, including embassies, foreign ministries, government offices, and the Dalai Lama's Tibetan exile centers
  – Began capturing data on May 22, 2007
• Trojan.Hydraq (Jan 2010) – Operation "Aurora"
  – High-profile targeted threat affecting multinational corporations
• Stuxnet (June 2010)
• Attack against RSA (August 2011)
• The Nitro Attacks (July 2011 → October 2011)
  – Stealing Secrets from the Chemical Industry
• Sykipot and Taidoor attacks (2011 – Defense industry, Governments, …)
• W32.Duqu (November 2011) – precursor to Stuxnet-like attack
  – Zero-day exploit embedded in Word document
TRIAGE analytics: Sykipot attacks (figure)
Rise in Targeted Attack Activity over Time – 2011
Average nr of targeted attacks blocked per day (2011):
Jan 25.6 | Feb 30.0 | Mar 82.1 | Apr 93.1 | May 78.0 | Jun 92.9 | Jul 50.1 | Aug 77.0 | Sep 108.3 | Oct 99.9 | Nov 94.1 | Dec 154.3
TRIAGE analytics: The Targeted Attacks Landscape in 2011
SOME FUNDAMENTAL QUESTIONS:
§ Same or similar attacks targeting multiple organizations? On the same or different dates? → Still linked to the same individuals?
§ Apparently unrelated attacks still part of the same Attack Campaign (AC)? → e.g., Nitro, Sykipot, Taidoor, Luckycat, etc.
§ What are the characteristics and dynamics of Attack Campaigns? What is the modus operandi of attackers?
§ Uncover any relationship between attack features: (subjects, attachments) and target / date (breaking news?) / ...
Research towards Attack Attribution
"Chance is a word void of sense; nothing can exist without a cause."
– Voltaire
Security intelligence: Attack attribution
• … is not only about "IP traceback"
• … is also about identifying the root causes of observed attacks by linking them together thanks to common, external, contextual "fingerprints"
• … is about "cyber intelligence"
• … is about "connecting the dots"
What is TRIAGE?
• Data analytics framework for attack attribution
  – Find systematically groups of events likely due to the same root cause
  – Enable the analysis of their modus operandi
• Novelty: combines two approaches
  – (Graph) clustering techniques
  – Multi-Criteria Decision Analysis (MCDA)
  – Mostly unsupervised approach
Started under… http://www.wombat-project.eu
Visual analytics: http://www.vis-sense.eu
Security intelligence: The TRIAGE approach
→ Clustering based on Multi-Criteria Decision Analysis (MCDA)
→ Automatic grouping of elements likely to share the same root causes
Pipeline (figure): Events → Feature selection → Graph-based analysis per feature (build relationships) → Multi-criteria aggregation Σ (data fusion) → Multi-Dimensional Clusters (MDCs) → (visualization)
The aggregation step can express:
• "Vague statements" on the nr of criteria
• "At least k strong similarities"
• Importances & interactions among criteria
Industrial Espionage and Targeted Attacks (ISTR'12)
O. Thonnard, L. Bilge, G. O'Gorman, S. Kiernan, and M. Lee. Industrial Espionage and Targeted Attacks: Characteristics of an Escalating Threat. 15th Int. Symposium on Research in Attacks, Intrusions, and Defenses (RAID'12).
Case Study – RSA Attacks (CVE-2011-0609): Begins with a Spear Phishing Email
Traits:
• Related to recipient's line of work
• "Strange" English
• Email recipient is rarely the end target
• Emails are often re-used
Targeted Attacks: Experimental Data Set
• A targeted attack is defined as:
  § low copy number attacks carrying malicious email attachments
  § showing some clear evidence of a selection of the subject and the targets
  § embedding a relatively sophisticated malware
• In 2011: Symantec.cloud blocked over 26,000 targeted attacks
  – Detection: SKEPTIC technology, manual analysis, dynamic analysis
• All email attachments (MD5) were analyzed:
  – By a series of common AV engines → AV signatures
  – Dynamic analysis using sandboxing systems → files read or created, network connections, C&C information, etc.
Targeted Attacks: Attachment – Document type
Document type | Share
PDF document | 35%
Office | 18%
Zip / RAR | 27%
Rich Text Format | 15%
Others | 4%
PE32 Exe | 1%
Targeted Attacks: Most Targeted Sectors
Sector | Share
Government & Diplomatic | 34%
Internet & Web services | 15%
Services and Consultancy | 10%
Defence industry | 9%
Chemical industry | 8%
Aerospace | 8%
NGO | 4%
Oil & Energy | 4%
Military | 1%
Others | 7%
Targeted Attacks: AV Signatures (Microsoft)
Signature | Share
Win32/CVE-2010-3333 | 27%
Win32/CVE-2009-3129 | 13%
SWF/CVE-2011-0611.C | 12%
SWF/CVE-2011-0611.A | 8%
Win32/CVE-2010-2883.A | 8%
Win32/CVE-2011-2462.B | 5%
SWF/CVE-2011-0611.P | 4%
JS/ShellCode.AE | 4%
Win32/CVE-2011-2462.C | 4%
Win32/CVE-2011-2462.D | 2%
Others | 13%
(!! Only 30% of the attacks were identified by a signature)
Internet Security Threat Report (ISTR 2012): TRIAGE – Looking for Attack Campaigns
Figure: TARGETED ATTACKS → RELATIONSHIPS → AGGREGATION MODEL / DATA FUSION (importance factors, interactions) → campaigns.
Features used: ORIGINS (From, IP Address, Mailer); ATTACK (Attach MD5, Subject, Date); TARGET (To Address, BCC Address). Example dates shown: January 17, 2011; May 12, 2011; July 22, 2011.
TRIAGE analytics: Targeted Attack Campaign
• An Attack Campaign (AC) is a series of targeted attacks that:
  1. Are linked by a sufficient nr of highly similar features
  2. Are likely to originate from the same people (because of 1.)
  3. On the same day or spanning multiple days (consecutive or not)
Feature coalition | Aggregated value
Only 1 feat. | 0.03 < X < 0.13
Any 2 feat. | 0.09 < X < 0.20; (MD5–ssdeep) < X < (MD5–IP)
MD5 – IP – Day | 0.40
MD5 – From – Subject | 0.39
IP – From – Subject | 0.366
IP – To – Subject | 0.336
→ At least 3 strong correlations
Targeted Attack Campaigns: High-level Figures
• On average, a targeted attack campaign:
  – will comprise 78 attacks
  – targeting 61 email addresses
  – within a 4-day period
Characteristic | Average | Maximum
Nr of attacks | 78 | 848
Duration | 4 days | 9 months
Nr of From addr. | 6 | 98
Nr of To addr. | 61 | 1,800
Nr of targ. sectors | 1-2 | 22
Nr of MD5 | 4-5 | 59
Nr of exploits | 1-2 | 4
"Single attack"?
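The linking rule on the two slides above (per-feature similarity on From, IP, MD5, Subject, To and Date; multi-criteria aggregation that only scores high when at least 3 features agree strongly; connected attacks form a campaign; then the per-campaign figures) can be demonstrated end to end. The sketch below is an added example, not TRIAGE's own code: the per-feature metrics, the ordered-weighted-average weights, the link threshold of 0.3 and the five sample attack records are all assumptions constructed for illustration, since the slides give the aggregated ranges but not the underlying functions.

```python
"""Illustrative TRIAGE-style campaign linking (added example, not Symantec's code).
Per-feature similarities are fused with an ordered weighted average (OWA) whose
weights encode "at least k strong similarities"; pairs above a threshold are
linked and connected components are reported as attack campaigns (ACs)."""
from dataclasses import dataclass
from datetime import date
from difflib import SequenceMatcher
from itertools import combinations

# Features compared between two attacks: the slides' MD5 / IP / From / Subject / To / Date.
FEATURES = ("md5", "ip", "sender", "subject", "recipient", "day")


@dataclass(frozen=True)
class Attack:
    aid: int
    sender: str      # "From" address
    ip: str          # sending IP address
    md5: str         # MD5 of the malicious attachment
    subject: str
    recipient: str   # "To" address
    day: date


def feature_similarity(a: Attack, b: Attack, feature: str) -> float:
    """Similarity in [0, 1] for one feature (constructed metrics, assumption)."""
    if feature == "subject":
        return SequenceMatcher(None, a.subject.lower(), b.subject.lower()).ratio()
    if feature == "day":
        gap = abs((a.day - b.day).days)
        return max(0.0, 1.0 - gap / 30.0)  # linear decay, zero after a month
    return 1.0 if getattr(a, feature) == getattr(b, feature) else 0.0


def owa_weights(n: int, k: int) -> list:
    """OWA weights expressing "at least k strong similarities": 0.1 on each of the
    k-1 highest similarities, most of the mass (0.9 - 0.1*(k-1)) on the k-th
    highest, and 0.1 shared over the rest. One strong feature scores ~0.1, two
    score ~0.2, three score ~0.9 (assumed weights, not TRIAGE's)."""
    w = [0.1] * (k - 1) + [0.9 - 0.1 * (k - 1)]
    tail = n - k
    if tail > 0:
        w += [0.1 / tail] * tail
    else:
        w[-1] += 0.1
    return w


def aggregate(sims, k: int = 3) -> float:
    """Multi-criteria aggregation (data fusion) of per-feature similarities."""
    ordered = sorted(sims, reverse=True)
    return sum(w * s for w, s in zip(owa_weights(len(ordered), k), ordered))


def pair_score(a: Attack, b: Attack, k: int = 3) -> float:
    return aggregate([feature_similarity(a, b, f) for f in FEATURES], k)


def find_campaigns(attacks, k: int = 3, threshold: float = 0.3):
    """Link every pair whose aggregated score reaches the threshold, then return
    the connected components (union-find) as candidate attack campaigns."""
    parent = {a.aid: a.aid for a in attacks}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(attacks, 2):
        if pair_score(a, b, k) >= threshold:
            parent[find(a.aid)] = find(b.aid)
    groups = {}
    for a in attacks:
        groups.setdefault(find(a.aid), []).append(a)
    return sorted(groups.values(), key=lambda g: min(x.aid for x in g))


def summarize(campaign) -> dict:
    """High-level figures per campaign, mirroring the slides' characteristics table.
    duration_days is the number of days between the first and the last attack."""
    days = sorted(a.day for a in campaign)
    return {
        "nr_attacks": len(campaign),
        "duration_days": (days[-1] - days[0]).days,
        "nr_from": len({a.sender for a in campaign}),
        "nr_to": len({a.recipient for a in campaign}),
        "nr_md5": len({a.md5 for a in campaign}),
    }


# Constructed sample records (placeholder addresses, documentation IP ranges).
SAMPLE = [
    Attack(1, "press@sender1.example", "203.0.113.7", "md5-aaaa1111",
           "Invitation: Defense Industry Briefing", "hr@contractor.example", date(2011, 4, 28)),
    Attack(2, "press@sender1.example", "203.0.113.7", "md5-aaaa1111",
           "Invitation: Defense Industry Briefing", "ceo@aero.example", date(2011, 4, 29)),
    Attack(3, "news@sender2.example", "203.0.113.7", "md5-aaaa1111",
           "Fwd: Defense industry briefing", "pr@chem.example", date(2011, 5, 12)),
    Attack(4, "list@other.example", "198.51.100.9", "md5-bbbb2222",
           "Weekly newsletter", "info@ngo.example", date(2011, 7, 19)),
    # Shares only the MD5 with the first three: one strong feature is not enough.
    Attack(5, "billing@other.example", "198.51.100.40", "md5-aaaa1111",
           "Your invoice", "ap@retail.example", date(2011, 9, 1)),
]

if __name__ == "__main__":
    for c in find_campaigns(SAMPLE):
        print([a.aid for a in c], summarize(c))
```

Attacks 1–3 are linked (shared MD5 and IP plus near-identical subjects and close dates), while attack 5, which shares only the MD5, stays a singleton: that is the "only 1 feature" row of the coalition table, scoring around 0.1 under these weights. Tuning `k`, the weights and the threshold is exactly where an analyst's "vague statements" on the number of criteria and the importance of each feature enter the model.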
Massive Organizational Targeted Attacks (MOTA): Large-Scale Campaigns – Multiple Sectors
• Over 1/3rd of ACs are organized on a "large scale", i.e.:
  – Target multiple organizations, active in different sectors
  – Most often, on different days
• Most of those large-scale ACs are very well-resourced
  – Up to 4 exploits used during the same campaign, e.g.:
    • Re-packed into 50+ different MD5s
    • 43-day campaign, spread over 5 months, targeting 4+ sectors
  – Multilingual: the language used is tuned to the targeted recipients
    • Use of Chinese for .cn domains, Japanese for .jp, Russian for .ru, …
Massive Organizational Targeted Attacks (MOTA): Example: NR4 campaign
Timeline: 2011-04-28 → 2011-07-19
3 attackers – 848 emails on 16 dates over 3 months
Figure columns: Attacker | Subject | Sector | MD5 | AV Sig. | C&C (values [removed])
NR4 Mass-scale campaign – Comparing Emails
Attacker #1 vs. Attacker #2: different dates; same malicious file (same MD5) [+ same C&C server …]
→ Same attack, but on different targets!
NR4 Mass-scale campaign – Comparing Emails (2)
Attacker #2: new attack, on different targets! Same date here. New malicious files, reused by Attacker #3
Attacker #3: clear connection with Attacker #2 …
NR4 Mass-scale campaign – Comparing Emails (3)
Attacker #3: new attack from Attacker #3, on yet another target
Attacker #2: new attack from Attacker #2, but this time in Chinese; yet other dates [+ again, same C&C server …]
Note: All attacks exploit the same vulnerability … (SWF/CVE-2011-0611.C)
Mass-scale Targeted Attack Campaign (MOTA): NITRO attacks
More info: detailed review in "The Nitro Attacks: Stealing Secrets from the Chemical Industry"
Mass-scale Targeted Attack Campaign (MOTA): NITRO campaign (Oct 11) (figure)
http://www.vis-sense.eu
Mass-scale campaign (MOTA): Taidoor Attacks – 2011 (figure)
Highly targeted campaigns: Single-Sector attack campaign
• About 2/3rd of ACs are highly targeted:
  – They target multiple recipients but in a single, or a limited nr of, sectors
  – E.g.: different companies active in the Aerospace or Defense industry
• Over 50% target the sectors: Gov./Dipl., Defense or Aerospace
• However, more specific industries (in "niche" sectors) are more specifically targeted by those very focused attacks:
  – Agriculture, Construction, Academic, Chemical, Oil, Maritime, Healthcare
  – Much less targeted by "generic" multi-sector ACs
Highly targeted campaigns: Example: Sykipot attacks
§ Long-running, very focused campaigns
§ Targets Defense industries, Governments, etc.
More info: detailed review in "The Sykipot Attacks", Symantec Connect Blog, http://www.symantec.com/connect/blogs/sykipot-attacks
Example of Sykipot campaign (April 2011): 3 attackers – 52 emails sent on 3 dates, targeting 30 mailboxes of 2 Defense industries
Targeted attacks: 0-day malware analysis
• What is the prevalence and sophistication level of TT-attacks?
• We use WINE to correlate malicious attachments (droppers)
  – Worldwide Intelligence Network Environment
  – Contains operational data sets collected from Symantec customers' machines (opt-in model)
    • AV & IDS "pings", malware samples, reputation data (URL, binaries), …
  – Data sharing platform open to security researchers
• Results
  – TT-attacks rely mostly on social engineering
  – Low level of sophistication for a majority of attacks
    • use little obfuscation or polymorphism
  – "Only" 8 attack campaigns used zero days
    • Attacks observed +/- 2 weeks before disclosure date
Figure: 0-days – % of the campaigns (y-axis 0–35%) vs. time of attack relative to the disclosure date (x-axis: −4 months, −1 month, −2 weeks, same day, +1 week, +1 month, +2 months, +3 months, +4 months); intervals Δt1 and Δt2 marked.
Conclusions – Future Challenges
TRIAGE Analytics – Security Intelligence: Why is it useful for us
Rogue AV Campaigns
• Report on Rogue AV Security Software (ISTR'09)
• Server infrastructure and distribution mechanisms (RAID'10)
Targeted Attacks and Industrial Espionage
• Link series of attacks to larger-scale campaigns (ISTR'12, FIRST'12)
• Better understanding of the modus operandi of attackers (RAID'12)
Analysis of Spam Botnets Operations
• Analysis of spam campaigns propagated through botnets (ISTR'12)
• New insights into spammers' operations (CEAS'11, SECURE'11)
TRIAGE Analytics: Scalability Challenge
• Sheer volumes of data to process
  – Global Intelligence Network (GIN)
  – Symantec.cloud
  → Develop scalable clustering techniques
  → Use Cloud computing (Hadoop/MapReduce)
• Multi-dimensional aspect
  – Many features are potentially interesting to attribute attacks
    • Timing, type of target, attack origins and context (e.g., IP addresses, ASNs, ISPs, Registrars, DNS information, …), vulnerability being targeted, type of exploit, delivery mechanisms, etc.
  → Aggregation and data fusion is key
www.bigfootproject.eu
TRIAGE Analytics: Usability Challenge: Visual Analytics
Visual Analytics mantra:
"Analyze First – Show the Important – Zoom, Filter and Analyze Further – Details on Demand"
http://www.vis-sense.eu
Figure: TRIAGE → Σ → Visualization
Visual Analytics for Security: http://www.vis-sense.eu
Mass-scale Spam Campaigns: Rustock-Grum Spam Botnets (ISTR'12) (figure)
http://www.vis-sense.eu
VIS-SENSE (EU-FP7)
• Visual Analytic Representation of Large Datasets for Enhancing Network Security
  – Topic: Technology and Tools for Trustworthy ICT (2009.1.4)
  – Budget: 3.32 Million Euro / 2.35 Million Euro EU Contribution
  – Timeframe: 01.10.2010 until 30.09.2013
• 6 partners from 4 countries
  – Fraunhofer IGD (Germany) – Coordinator
  – CERTH / ITI (Greece)
  – University of Konstanz (Germany)
  – Telecom SudParis (France)
  – EURECOM (France)
  – SYMANTEC Ltd (Ireland)
Thank you!
Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
http://www.symantec.com/WINE
Fostering Research in Cyber Security: To make real advances, information sharing is key
WINE – Worldwide Intelligence Network Environment
WINE: Data Sharing with Academia (http://www.symantec.com/WINE)
• Symantec's worldwide sensors (GIN)
• Platform for rigorous experimentation
• …