Malicious traffic detection system. Miroslav Stampar @stamparm)

Transcription

1 Malicious traffic detection system Miroslav Stampar @stamparm)

2 Project motivation Idea of a system that would produce less noise by condensing numerous events into threats Prioritization of malicious activities coming from inside (e.g. malware) - e.g. from CERT perspective, malware infection is a more severe problem than mass scans Usage of available knowledge in form of publicly available blacklists and custom lists of malicious trails (IOCs) per malware campaign System should not be (too) resource intensive 2

3 Short glossary (used terms) Trail suspicious and/or malicious IP address, DNS name, URL (path), HTTP User-Agent, etc. Blacklist list of trails Event log record with details of a single detected trail occurrence Threat all trail related events coming from the same source IP (or multiple in case of distributed attacks) Heuristics non-trail related mechanisms for recognition of suspicious and/or malicious threats 3

4 Short history Croatia heavily struck with banking malware (ZeuS VM KINS) Nov started creation of custom free and open-source passive network monitoring tool (mainly for in-house usage) Dec DNScrutinize (only DNS traffic monitoring) Dec renamed to Maltrail (expansion from DNS only to IP/DNS/URL monitoring) Feb started with usage in production environment (HITRONet over 25.HR government bodies) 4

5 Repository (GitHub) 5

6 First commit 6

7 Current status (Jan ) 51 daily pulled blacklist feeds (e.g. alienvault, autoshun, badips, etc.) 31 (manually collected) static sinkhole trail lists 103 malware static trail lists based on IOCs from AV reports 12 static lists of suspicious trails (e.g. browser_hijacking, computrace, dynamic_domain, ipinfo, superfish, etc.) 13 heuristic mechanisms (e.g. port scanning, long domains, sinkhole responses, suspicious HTTP requests, suspicious HTTP user agents, excessive NXDOMAIN, etc.) 7

8 Blacklist feeds (example) 8

9 Sinkhole server (example) 9

10 AV report(s) IOCs (example) 10

11 Suspicious trails (example) 11

12 Heuristic mechanisms (example) 12

13 Architecture Sensor component for traffic monitoring in search for trails (i.e. blacklisted features) Server component for log storage of (sensor) triggered events in form of CSV and serving on demand for further (client) analysis Client component for further analysis and reporting of raw log data 13

14 Configuration 14

15 Sensor (run) Python (2.6.x or 2.7.x) Pcapy (e.g. sudo apt-get install python-pcapy) 15

16 Sensor (update) 16

17 Server (run) Python (2.6.x or 2.7.x) 17

18 Server (log storage) 18

19 Client Modern web browser (IE, Chrome, Firefox, etc.) HTML/JS (heavy usage of JavaScript fat client) 19

20 Client (authentication) 20

21 Client (header) Timeline, documentation, issues, log in/out 21

22 Client (timeline) 22

23 Client (status buttons) Threats, events, severity, sources, trails 23

24 Client (status graphs) 24

25 Client (details table) Details for each (detected) threat 25

26 Client (threat details) 26

27 Client (high severity threats) 27

28 Client (medium severity threats) 28

29 Client (low severity threats) 29

30 Client (detail condensed form) 30

31 Client (reverse DNS and WHOIS) 31

32 Client (trail dorking) 32

33 Real-life cases (mass scans) 33

34 Real-life cases (known attackers) 34

35 Real-life cases (Tor) 35

36 Real-life cases (service attackers) 36

37 Real-life cases (known DGA) 37

38 Real-life cases (unknown DGA) 38

39 Real-life cases (known malware) 39

40 Real-life cases (ipinfo) 40

41 Real-life cases (dynamic domain) 41

42 Real-life cases (Host:) 42

43 Real-life cases (sqlmap) 43

44 Real-life cases (direct.exe download) 44

45 Real-life cases (?) 45

46 Questions? 46