Improved C&C Traffic Detection Using a Multidimensional Model
Elad Menahem and Avidan Avraham
Modern Threats Are More Sophisticated & Evasive
CYBER KILL CHAIN: Infection Phase: Recon, Weaponization, Delivery, Exploitation, Installation. Post-Infection: Command & Control, Exfiltration.
TRADITIONAL SECURITY TOOLS FAIL AGAINST NEW THREATS: Firewall, Anti-Spam, Sandboxing, IPS, Intelligence Feeds, URL Filtering, Anti-malware, Anti-bot, EDR, SIEM.
Infection Vectors Change Rapidly: social engineering, zero-day exploits, one-time event.
Our Research Focuses on the Post Infection Phase: continuous, periodic; the malware's weakest link.
Traditional Security Tools Fall Short Against Post Infection
Firewall, Anti-Spam, Sandboxing, IPS, Intelligence Feeds, URL Filtering, Anti-malware, Anti-bot, EDR: Real Time Inspection Lacks Context.
SIEM: Event Significance is Obscured by Event Sources.
Traditional Security Tools: Limited Context and Obscured Visibility
Narrow visibility. Lack of context. Yesterday's data. Obscured by the source.
"No matter how long you stare at an IDS log event, it won't become any more informative." Mark McArdle, eSentire CTO
NARROW CONTEXT (IPS, ANTI-BOT, SIEM): localized & isolated; event driven, no access to raw data; local data. Log → Event.
BROAD CONTEXT: global & collaborative; based on raw data rather than security events; global data. Raw Data.
[Diagram: Customer A, Customer B, Customer C, branches, apps and WWW traffic feeding isolated per-customer logs and events on one side, shared raw data on the other.]
VISIBILITY TO UNLIMITED RAW-DATA CHANGES THE GAME OF MALWARE HUNTING
EXPANDING TRADITIONAL CONTEXT TO FIGHT C&C
Expanding Context to Fight C&C: Client Classification
NARROW CONTEXT (IPS, ANTI-BOT, SIEM): client data = host, device name, source IP, user.
BROAD CONTEXT: human or bot; browser or not. Example: Firefox TLS signature.
Raw data from many clients → machine learning → common value (client classification).
Expanding Context to Fight C&C: Target
NARROW CONTEXT (IPS, ANTI-BOT, SIEM): target data = IP address, domain.
BROAD CONTEXT: popularity. Reputation feeds; 3rd party ranking; DIY Target Popularity Rank (Bucket) = Global Location x Number of Devices.
[Chart: traffic flows (0 to 600,000) and unique domains (0 to 25,000) per popularity bucket, buckets 0 to 22.]
Expanding Context to Fight C&C: Time
NARROW CONTEXT (IPS, ANTI-BOT, SIEM): singular event; known only.
BROAD CONTEXT: repetitiveness; measured frequency; known & unknown.
[Timeline, Jan 1 to Jan 4: the same connection recurs every day at 6:22am among unrelated events (Jan 1 2:00pm, Jan 2 3:10pm, 4:00pm, 10:22pm, Jan 3 7:12am, 10:22pm, Jan 4 8:02pm); the IPS signature fires on a single event, Jan 3 6:22pm.]
Network-based Malware Hunting Process
Customer A, Customer B → Capture Network Flows → Data Augmentation & Storage → Automated Hunting Service (Dimensions Utilization) → Human Validation.
Example: Transforming Thousands of Unknown Flows to a Few Significant Events
100,000 TLS flows to unknown URLs.
Filter: SOURCE: not a browser. TARGET: low popularity. TIME: repetitive.
Result: 1 incident to investigate. Reduce the noise and focus on what matters.
Effective Network Detection and Response
Unobscured Visibility: from the cloud into all network endpoints.
Full Real-Time Context: for every IP, session and flow initiated from any endpoint to any target.
Forensic & Insights: machine learning and AI processes to mine network context over time.
Automatic Containment: rapid mitigation of known and unknown threats.
Cato is the Network, So No Setup is Required.
Example: Detect Unknown C&C on the Network
The same device looks up 150 low-popularity domains (DNS); 90% of the DNS requests are unresolved (DGA).
Pull the client data history and search for the resolved domains (HTTP); classify the client type from its HTTP traffic: unknown bot.
Pull the client data history: the behavior repeats every 3 hours.
Resolved as Conficker. Containment: block the C&C communication.
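An added example, not the presenters' code, of the three-dimension filter behind the TLS-flow example and the unknown-C&C walkthrough above: it scores constructed flow records by client type (browser or not), DIY target popularity (global locations x number of devices) and timing regularity, and keeps only the periodic non-browser contact with an unpopular domain. The flow tuples, client labels, log2 bucketing, thresholds and domain names are all assumptions made for the example.

```python
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows, not from the presentation:
# (timestamp in seconds, device, location, destination domain, classified client)
FLOWS = [
    # browser traffic from 30 devices in 3 locations to one popular domain
    *[(t, f"dev{i}", f"loc{i % 3}", "cdn.example.com", "firefox")
      for i, t in enumerate(range(0, 36000, 1200))],
    # a non-browser client contacting a rarely seen domain every 3 hours
    (3600, "dev7", "loc1", "qx7t2m.example.net", "unknown-bot"),
    (14400, "dev7", "loc1", "qx7t2m.example.net", "unknown-bot"),
    (25200, "dev7", "loc1", "qx7t2m.example.net", "unknown-bot"),
    (36000, "dev7", "loc1", "qx7t2m.example.net", "unknown-bot"),
    # a non-browser client with a single contact to a rare domain (no repetition)
    (5000, "dev9", "loc2", "upd.example.org", "curl"),
]
BROWSERS = {"firefox", "chrome", "safari", "edge"}  # assumed client-classification labels

def popularity_bucket(flows):
    """DIY target popularity rank per domain: locations x devices, log2-bucketed (assumed bucketing)."""
    devs, locs = defaultdict(set), defaultdict(set)
    for _, dev, loc, dom, _ in flows:
        devs[dom].add(dev)
        locs[dom].add(loc)
    return {d: int(math.log2(len(devs[d]) * len(locs[d]))) for d in devs}

def is_repetitive(times, max_cv=0.2, min_events=3):
    """Time dimension: enough contacts with near-constant gaps (coefficient of variation <= max_cv)."""
    if len(times) < min_events:
        return False
    ordered = sorted(times)
    gaps = [b - a for a, b in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_cv

def hunt(flows, low_pop=2):
    """Apply the three filters: source not a browser, target in a low popularity bucket, timing repetitive."""
    buckets = popularity_bucket(flows)
    contacts = defaultdict(list)
    for t, dev, _, dom, client in flows:
        if client not in BROWSERS and buckets[dom] <= low_pop:
            contacts[(dev, dom)].append(t)
    return sorted(pair for pair, ts in contacts.items() if is_repetitive(ts))

if __name__ == "__main__":
    print(hunt(FLOWS))  # the 3-hour beacon from dev7 is the one incident left
```

The single-contact curl flow and the browser traffic to the popular domain both drop out; only the periodic unknown-bot contact survives for human validation.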
Visit Us at Booth H60