ADVANCED, UNKNOWN MALWARE IN THE HEART OF EUROPE

Similar documents
Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

Endpoint Protection : Last line of defense?

GREYCORTEX MENDEL NETWORK TRAFFIC ANALYSIS SOLUTION FOR IOT

Cyber security tips and self-assessment for business

Ethical Hacking and Prevention

FIREWALL BEST PRACTICES TO BLOCK

EMERGING THREATS & STRATEGIES FOR DEFENSE. Paul Fletcher Cyber Security

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

IBM Security Network Protection Solutions

FlowMon ADS implementation case study

68 Insider Threat Red Flags

Sobering statistics. The frequency and sophistication of cybersecurity attacks are getting worse.

Intelligent and Secure Network

Cisco Cyber Range. Paul Qiu Senior Solutions Architect

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

Cisco Firepower NGFW. Anticipate, block, and respond to threats

Security: Michael South Americas Regional Leader, Public Sector Security & Compliance Business Acceleration

MAKING THE CLOUD A SECURE EXTENSION OF YOUR DATACENTER

HELP ME NETWORK VISIBILITY AND AI; YOU RE OUR ONLY HOPE

PrecisionAccess Trusted Access Control

10 FOCUS AREAS FOR BREACH PREVENTION

MOBILE SECURITY OVERVIEW. Tim LeMaster

Novetta Cyber Analytics

Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX

CyberArk Privileged Threat Analytics

Automated Response in Cyber Security SOC with Actionable Threat Intelligence

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

A MULTILAYERED SECURITY APPROACH TO KEEPING HEALTHCARE DATA SECURE

Automated Threat Management - in Real Time. Vectra Networks

Infrastructure Blind Spots Continue to Fuel Personal Data Breaches. Sanjay Raja Lumeta Corporation Lumeta Corporation

Seceon s Open Threat Management software

The evolution of malevolence

CIS Controls Measures and Metrics for Version 7

Synchronized Security

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

PineApp Mail Secure SOLUTION OVERVIEW. David Feldman, CEO

CIS Controls Measures and Metrics for Version 7

Maximum Security with Minimum Impact : Going Beyond Next Gen

Increase Threat Detection & Incident Response

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

White Paper. Why IDS Can t Adequately Protect Your IoT Devices

Automating Security Response based on Internet Reputation

Understanding Cisco Cybersecurity Fundamentals

Curso: Ethical Hacking and Countermeasures

Intro to Niara. no compromise behavioral analytics. Tomas Muliuolis HPE Aruba Baltics Lead

CYBERSECURITY RISK LOWERING CHECKLIST

HOW TO ANALYZE AND UNDERSTAND YOUR NETWORK

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

The best for everyday PC users

Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:

EU GENERAL DATA PROTECTION: TIME TO ACT. Laurent Vanderschrick Channel Manager Belgium & Luxembourg Stefaan Van Hoornick Technical Manager BeNeLux

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Speed Up Incident Response with Actionable Forensic Analytics

TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS

Christopher Covert. Principal Product Manager Enterprise Solutions Group. Copyright 2016 Symantec Endpoint Protection Cloud

Discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches

Artificial Intelligence Drives the next Generation of Internet Security

ARTIFICIAL INTELLIGENCE POWERED AUTOMATED THREAT HUNTING AND NETWORK SELF-DEFENSE

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

Analyzing Huge Data for Suspicious Traffic. Christian Landström, Airbus DS

EXAM - CAS-002. CompTIA Advanced Security Practitioner (CASP) Exam. Buy Full Product.

Threat Containment and Operations. Yong Kwang Kek, Director of Presales SE, APJ

Built without compromise for users who want it all

Security report Usuario de Test

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

ADVANCED THREAT PREVENTION FOR ENDPOINT DEVICES 5 th GENERATION OF CYBER SECURITY

Optimizing Security for Situational Awareness

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

RSA Security Analytics

Flow Measurement. For IT, Security and IoT/ICS. Pavel Minařík, Chief Technology Officer EMITEC, Swiss Test and Measurement Day 20 th April 2018

THE RSA SUITE NETWITNESS REINVENT YOUR SIEM. Presented by: Walter Abeson

Security Architect Northeast US Enterprise CISSP, GCIA, GCFA Cisco Systems. BRKSEC-2052_c Cisco Systems, Inc. All rights reserved.

Agile Security Solutions

CounterACT Check Point Threat Prevention Module

Perimeter Defenses T R U E N E T W O R K S E C U R I T Y DEPENDS ON MORE THAN

Forensic Network Analysis in the Time of APTs

Exam : JK Title : CompTIA E2C Security+ (2008 Edition) Exam. Version : Demo

Chapter 4. Network Security. Part I

The Cognito automated threat detection and response platform

SIEM Overview with OSSIM Case Study. Mohammad Husain, PhD Cal Poly Pomona

Cisco Cyber Threat Defense Solution 1.0

The Future of Threat Prevention

AURA ACADEMY Training With Expertised Faculty Call Us On For Free Demo

CISCO NETWORKS BORDERLESS Cisco Systems, Inc. All rights reserved. 1

Unit 2 Assignment 2. Software Utilities?

When the Lights go out. Hacking Cisco EnergyWise. Version: 1.0. Date: 7/1/14. Classification: Ayhan Koca, Matthias Luft

Chapter 11: Networks

Top 10 Considerations for Securing Private Clouds

Network Security Monitoring with Flow Data

Symantec Ransomware Protection

Pass4suresVCE. Pass4sures exam vce dumps for guaranteed success with high scores

Cisco s Appliance-based Content Security: IronPort and Web Security

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL

THE NEW LANDSCAPE OF AIRBORNE CYBERATTACKS

FIREWALL OVERVIEW. Palo Alto Networks Next-Generation Firewall

Most Common Security Threats (cont.)

Connect Securely in an Unsecure World. Jon Clay Director: Global Threat

IPS with isensor sees, identifies and blocks more malicious traffic than other IPS solutions

Cyber Security. Our part of the journey

Transcription:

ADVANCED, UNKNOWN MALWARE IN THE HEART OF EUROPE

AGENDA Network Traffic Analysis: What, Why, Results Malware in the Heart of Europe Bonus Round 2

WHAT: NETWORK TRAFFIC ANALYSIS = Statistical analysis, machine learning, artificial intelligence, metadata, and content inspection to detect suspicious activities in the network = Mirrored network traffic via TAP/SPAN NetFlow analysis, full-packet capture 3

WHY NTA Unknown malware Insider threats Forensic investigation Network visibility IoT and BYOD devices Rapid Detection & Response Effective Because Threats Create Detectable Traffic 4

NTA RESULTS Detect Threats Visualize the Full Network You don t know until Your network is compromised 5

Uses ARTIFICAL INTELLIGENCE MACHINE LEARNING BIG DATA ANALYSIS To Help GOVERNMENTS + CRITICAL INFRASTRUCTURE+ ENTERPRISE MAKE IT OPERATIONS SECURE AND RELIABLE 6

Malware in the Heart of Europe Customer and PoC Network Examples 7

CASE 1 LETHIC SPAMBOT A Device in the Observed Network: Queried external DNS servers (Google) for known-infected server names Communicated via port 1123 to servers in Norway Silenced traffic when the device was running anti-virus scanner and remained silent for the next two hours, later resuming communication on port 1123 Communicated periodically to MS Hotmail service on port 25/tcp 8

CASE 1 LETHIC SPAMBOT Unsupervised Learning Machine Behavior Flow-based Detection Discovery Analysis Other Outlier: high number of communication peers & flows SMTP Permanent Communication Anomaly: Communicated periodically to MS Hotmail service on port 25/tcp A new service on a host discovered IDS rule matched (Lethic SpamBOT) External DNS server, poor reputation Ips High external DNS traffic (1-2 queries reached170) 9

CASE 1 SCREENS 10

CASE 2 ETERNAL BLUE A Device on the Observed Network: Suddenly used a DNS tunnel and TOR network together, exchanging one message After 4 hours of waiting, it started opening port 445/tcp connections on multiple external hosts Tried to use CVE-2017-0143 (exploit MS17-010) on the connected host 11

CASE 2 ETERNAL BLUE Unsupervised Learning Machine Behavior Flow-based Detection Discovery Analysis Other Outlier: high number of communication peers & flows Network scan 445/tcp to internet Correlation rule matched: malware spreading to internet IDS rules matched: DNS tunnel, TOR A day after updated IDS rule matched: Eternal Blue (based on CVE-2017-0143, exploit MS17-010) 12

CASE 2 - DEMO 13

CASE 3 WANNACRY A Device on the Observed Network: Started opening port 445/tcp connections on multiple hosts, external and internal Successfully used CVE-2017-0143 (exploit MS17-010) on another internal host immediately The second device started exhibiting the same behavior 14

CASE 3 WANNACRY Unsupervised Learning Machine Behavior Flow-based Detection Discovery Analysis Other Outlier: high number of communication peers & flows Network scan 445/tcp to internal network and internet Correlation rule matched: malware spreading to internal network A day after updated IDS rule matched: WannaCry variant (CVE-2017-0143, exploit MS17-010) 15

CASE 3 DEMO 16

CASE 4 SSH ATTACK Identified at a Perimeter Router: Consecutive IP addresses in the public range were tried in an effort to open a session on port 22/tcp; by a host in Canada Subsequently, a high number of connections via port 22/tcp to some hosts in the range were detected 17

CASE 4 SSH ATTACK Unsupervised Learning Machine Behavior Flow-based Detection Discovery Analysis Other SSH port sweep (22/tcp) Brute force SSH attack (22/tcp) 18

CASE 4 DEMO 19

CASE 5 UNKNOWN (YET) BOTNET A Device on an Internal Network: Periodically attempts to communicate with blacklisted IP addresses at port 30303 20

CASE 5 UNKNOWN (YET) BOTNET Unsupervised Learning Machine Behavior Flow-based Detection Discovery Analysis Other Periodic repetitive communication at port 30303 Communication with blacklisted IP 21

CASE 5 DEMO 22

CASE 6 DOCUMENT LEAKAGE A Device on an Internal Network: Exhibited an unusually high data transfer volume to an external network 23

CASE 6 DOCUMENT LEAKAGE Unsupervised Learning Machine Behavior Flow-based Detection Discovery Analysis Other Outlier: high volume of data transfer detected (Severity 7) Outlier: high volume of data transfer detected (Severity 5) L7 content analysis: file named _Financial_Summary _Q1.pdf_ uploaded to www21.filehosting.or g; a domain of Hetzner Online GmbH 24

CASE 6 25

CASE 7 ALL TOGETHER Cases 1-6 Combined 26

CASE 7 ALL TOGETHER Unsupervised Learning Machine Behavior Flow-based Rules Discovery Analysis Other Outliers: data, flows, packets, peers, hosts, ports, performance Bayesian Expectation Maximization Gaussian Mixture Models Repetitive periodic connections or checks Port scan Port sweep Brute-force Dictionary attacks Data enumeration DoS, DDoS Detection of new or lost/unreachable: services, devices (IP, MAC, hostname), gateways, VLANs, subnets Detection of changed/duplicated hostname/ip/mac, changed VLAN, Event correlation L7 content analysis (DPI) Tunneled and encrypted data inspection IDS in the internal network, all rules active (45k+) 27

CASE 7 DEMO 28

BONUS CAUTIONARY TALES Ministry Outer System E-mail Server Provided Mailbox Access: To IP addresses of Tor endpoints and to server hosting PhpBB forum СуперМамочки Нижнекамска (static.7.236.46.78.clients.your-server.de, Hetzner Online GmbH) 170 accounts/users compromised, unnoticed almost a year More than 7100 documents stolen. The attacker basically maintained undisturbed access to any of the email accounts Strategic advantage gained? Vulnerable Network at Political Organization: Multiple intrusions by different organizations (2015, 2016) Unnoticed almost a year Internal strategy documents, emails, and possible donor lists stolen Spear-Phishing Attack on Campaign Manager: Fake security alert/log-in page Identified as legitimate by security team (or not) Secret to creamy risotto 29

BONUS CASE FINDINGS, VERDICT Findings Weak or leaked account password ( admin5 ) using single factor authentication for strong accounts. Using private accounts for work, prone to social engineering, etc. No proper evaluation of operations data in place, no insight Verdict Always watch what happens in your network, use the right tools! Do not trust administrators, they have too much power! And GOTTA CATCH EM ALL. 30

31

PALDIES PAR JŪSU UZMANĪBU! GreyCortex s.r.o. Purkyňova 127 612 00 Brno www.greycortex.com twitter.com/greycortex linkedin.com/company/greycortex Vladimír Sedláček info@greycortex.com +420 511 205 388 32

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback