research threat intelligence malware infrastructures
play

Research: Threat Intelligence & Malware Infrastructures Andrea - PowerPoint PPT Presentation

Feb 06, 2024 •198 likes •379 views

Malware Analysis Research: Threat Intelligence & Malware Infrastructures Andrea Lanzi: andrea.lanzi@unimi.it May, 3 2017 Andrea Lanzi: andrea.lanzi@unimi.it Malware Analysis Malware Analysis Malicious Infrastruture Who am I? My

  1. Malware Analysis Research: Threat Intelligence & Malware Infrastructures Andrea Lanzi: andrea.lanzi@unimi.it May, 3 2017 Andrea Lanzi: andrea.lanzi@unimi.it

  2. Malware Analysis Malware Analysis Malicious Infrastruture Who am I? My research focuses on systems and systems security: Memory Error Detection and exploitation. Malware Detection and Analysis (program analysis techniques). Software Reverse Engineering (program analysis techniques). Hardware-supported Virtualization (OS protection). Studying the Malicious Infrastructures (ToR, SPAM, Sandboxes etc.). Andrea Lanzi: andrea.lanzi@unimi.it

  3. Malware Analysis Malware Analysis Malicious Infrastruture Malicious Infrastructure Study the malicious phenomena on the network and try to understand the business model under the malicious infrastructures. Try to design defensive system that are able to shutdown or detect such malicious infrastructures. Challenges here is to find out automatic techniques (e.g., program analysis, network algorithms etc.) that can be applied in order to design analysis framework for new business model. Andrea Lanzi: andrea.lanzi@unimi.it

  4. Malware Analysis Malware Analysis Malicious Infrastruture Spam is an ever-green economy despite the several botnet takedowns. Spam ranges: Search Engine Optimization product advertising generic phishing targeted malware spreading Andrea Lanzi: andrea.lanzi@unimi.it

  5. Malware Analysis Malware Analysis Malicious Infrastruture Rather than focusing on spam prevention, we want to analyze the infrastructure that is the basis of modern spam business. URLs embedded advertised in spam messages can be distinguished in two groups: source: intial URLs advertised by the spammer final: pages where the user ends up when he visits a source URL 1 Many source URL may redirect to a single final URL 2 One redirection chain leads from a source URL to a final URL Andrea Lanzi: andrea.lanzi@unimi.it

  6. Malware Analysis Malware Analysis Malicious Infrastruture Structure and content information: continuous recrawl of the suspicious chains information collected from different sources focus on identifying the most important nodes ( TDSes ) Contributions: analysis of the evolution of the malicious infrastructure development of an approach for identifying malicious nodes/domains Andrea Lanzi: andrea.lanzi@unimi.it

  7. Malware Analysis Malware Analysis Malicious Infrastruture Example of chains: H3 1 H1 2 H1 → H2 → H3 3 H4 → H2 → H3 4 Possible approaches: in-degree analysis Pagerank clustering using features of the page Andrea Lanzi: andrea.lanzi@unimi.it

  8. Malware Analysis Malware Analysis Malicious Infrastruture Example of chains: H3 1 H1 2 H1 → H2 → H3 3 H4 → H2 → H3 4 Possible approaches: in-degree analysis Pagerank clustering using features of the page Andrea Lanzi: andrea.lanzi@unimi.it

  9. Malware Analysis Malware Analysis Malicious Infrastruture Example of chains: H3 1 H1 2 H1 → H2 → H3 3 H4 → H2 → H3 4 Possible approaches: in-degree analysis Pagerank clustering using features of the page Andrea Lanzi: andrea.lanzi@unimi.it

  10. Malware Analysis Malware Analysis Malicious Infrastruture Study Pilot I 10,000 malicious chains chains re-crawled consecutively for 11 days detection rule : TDS if linked by two distinct domains Andrea Lanzi: andrea.lanzi@unimi.it

  11. Malware Analysis Malware Analysis Malicious Infrastruture Study Pilot II using only most frequent other 10,000 malicious chains version of a chain chains re-crawled detection rule : TDS if linked consecutively for 60 days by two distinct domains Correctly identi- fied 7988 mali- cious chains out of the 10,000 considered. Andrea Lanzi: andrea.lanzi@unimi.it

  12. Malware Analysis Malware Analysis Malicious Infrastruture Andrea Lanzi: andrea.lanzi@unimi.it

  13. Malware Analysis Malware Analysis Malicious Infrastruture Needles in a Haystack: Mining Information from Public Dynamic Analysis Sandboxes for Malware Intelligence Published in USENIX Security Symposium 2015 Novel methodology based on machine learning and data-mining to automatically identify malware development cases from the samples submitted to a malware analysis sandbox. We were able to automatically identify thousands of developments, and to show how the authors modify their programs to test their functionalities or for evading sandboxes. Andrea Lanzi: andrea.lanzi@unimi.it

  14. Malware Analysis Malware Analysis Malicious Infrastruture Needles in a Haystack: Mining Information from Public Dynamic Analysis Sandboxes for Malware Intelligence Try to cluster together binary executable first based on the binary similarity by using ssdep tools. Moreover we considered also time frame based on the developing task . We start from 32,294,094 binaries files and we obtained 5972 clusters containing on average 4.5 elements each . the timeline was 5 year. We also considered the same IP submission and we were able to create 225 macro clusters . Andrea Lanzi: andrea.lanzi@unimi.it

  15. Malware Analysis Malware Analysis Malicious Infrastruture Needles in a Haystack: Mining Information from Public Dynamic Analysis Sandboxes for Malware Intelligence We also performed intra-cluster Analysis and we extract some code-based features based on: code normalization, programming languages, and call-graph and CFG comparison . We then extract other features based on the Antvirus analysis such as: IP from which client was connected to, type of evasion technique, email address used, timesstamp of submission etc. we applied machine learning algorithm and we train a classifier based on the selected features and the system flagged 3038 cluster as a potential development over a six years period . Andrea Lanzi: andrea.lanzi@unimi.it

  16. Malware Analysis Malware Analysis Malicious Infrastruture Needles in a Haystack: Mining Information from Public Dynamic Analysis Sandboxes for Malware Intelligence Campaign Early Submission Time Before Public Disclosure Submitted by Operation Aurora 4 months US ✓ Red October ✓ 8 months Romania APT1 43 months US ✓ Stuxnet ✓ 1 months US Beebus 22 months Germany ✓ LuckyCat ✓ 3 months US BrutePOS 5 months France ✓ NetTraveller ✓ 14 months US Pacific PlugX 12 months US ✓ Pitty Tiger ✓ 42 months US Regin 44 months UK ✓ Equation ✓ 23 months US Andrea Lanzi: andrea.lanzi@unimi.it

  17. Malware Analysis Malware Analysis Malicious Infrastruture Needles in a Haystack: Mining Information from Public Dynamic Analysis Sandboxes for Malware Intelligence This system can be used as an early warning system and can be designed in a way to resistance to the attacker attacks. any public sandboxes can be equipped with a active monitor that is able to detect early malware development and stop the malware propagation. Andrea Lanzi: andrea.lanzi@unimi.it

  18. Malware Analysis Malware Analysis Malicious Infrastruture Q&A Thank You! Q&A? Andrea Lanzi: andrea.lanzi@unimi.it

Recommend

Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger

Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger

PUBLIC Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger Malware analysis Static RE with IDA pro Arme suisse EPFL 2019 2 Base daide au commandement BAC Applied Cyber Threat Intelligence

765 views • 63 slides
Threat Intelligence Jeremy Batterman Global Leader Threat Intelligence GREM, EnCE, GCFA, MBA 3

Threat Intelligence Jeremy Batterman Global Leader Threat Intelligence GREM, EnCE, GCFA, MBA 3

Threat Intelligence Jeremy Batterman Global Leader Threat Intelligence GREM, EnCE, GCFA, MBA 3 October 2018 What is Intelligence Convincing evidence Probable cause, beyond a reasonable doubt, or preponderance of

646 views • 25 slides
Intelligence Driven Malware Analysis (IDMA) Malicious Profiling 14 January 2015 Homeland

Intelligence Driven Malware Analysis (IDMA) Malicious Profiling 14 January 2015 Homeland

Intelligence Driven Malware Analysis (IDMA) Malicious Profiling 14 January 2015 Homeland National Cybersecurity and Communications Integration Center Security whoami Cyber Threat Analyst at Northrop Grumman Performed wide range of

550 views • 20 slides
Embracing the new threat: towards automatically, self-diversifying malware Mathias Payer

Embracing the new threat: towards automatically, self-diversifying malware Mathias Payer

Embracing the new threat: towards automatically, self-diversifying malware Mathias Payer <mathias.payer@nebelwelt.net> UC Berkeley and (soon) Purdue University Image (c) http://ucrtoday.ucr.edu/9768/assassin-bugs Malware landscape is

555 views • 27 slides
MISP Workbench - Because you know better MISP - Malware Information Sharing Platform & Threat

MISP Workbench - Because you know better MISP - Malware Information Sharing Platform & Threat

MISP Workbench - Because you know better MISP - Malware Information Sharing Platform & Threat Sharing Marion Marschalek - Rapha el Vinot - TLP:WHITE July 6, 2016 MISP and starting from a practical use-case During a malware analysis

357 views • 18 slides
Leopard: Understanding the Threat of Blockchain Domain Name Based Malware Zhangrong Huang 1,2 ,

Leopard: Understanding the Threat of Blockchain Domain Name Based Malware Zhangrong Huang 1,2 ,

Leopard: Understanding the Threat of Blockchain Domain Name Based Malware Zhangrong Huang 1,2 , Ji Huang 1,2 , and Tianning Zang 2 1.School of Cyber Security, UCAS 2.Institute of Information Engineering, CAS Existing Techniques Used by Malware

638 views • 30 slides
THE ANATOMY OF CYBER THREAT INTELLIGENCE (CTI) Noureen Njoroge OVERVIEW Define Cyber Threat

THE ANATOMY OF CYBER THREAT INTELLIGENCE (CTI) Noureen Njoroge OVERVIEW Define Cyber Threat

THE ANATOMY OF CYBER THREAT INTELLIGENCE (CTI) Noureen Njoroge OVERVIEW Define Cyber Threat Intelligence (CTI) Define Cyber Intelligence (CI) Understand the importance of CTI to an organization Components of Threat Sources of

197 views • 19 slides
Distributed Sensor Data Contextualization at Scale for Threat Intelligence Analysis Jason Trost

Distributed Sensor Data Contextualization at Scale for Threat Intelligence Analysis Jason Trost

Distributed Sensor Data Contextualization at Scale for Threat Intelligence Analysis Jason Trost January 12, 2016 whoami Jason Trost VP of Threat Research @ ThreatStream Previously at Sandia, DoD, Booz Allen, Endgame Inc. Background

473 views • 28 slides
NEEDLES IN A HAYSTACK: MINING INFORMATION FROM PUBLIC DYNAMIC SANDBOXES FOR MALWARE INTELLIGENCE

NEEDLES IN A HAYSTACK: MINING INFORMATION FROM PUBLIC DYNAMIC SANDBOXES FOR MALWARE INTELLIGENCE

NEEDLES IN A HAYSTACK: MINING INFORMATION FROM PUBLIC DYNAMIC SANDBOXES FOR MALWARE INTELLIGENCE Mariano Graziano, Davide Canali, Leyla Bilge, Andrea Lanzi and Davide Balzarotti Eurecom Symantec Research Labs Universit degli Studi di

695 views • 34 slides
Integrated Threat Management Appliance 1 http://www.youtube.com/watch?v=F 7pYHN9iC9I 2 3

Integrated Threat Management Appliance 1 http://www.youtube.com/watch?v=F 7pYHN9iC9I 2 3

Integrated Threat Management Appliance 1 http://www.youtube.com/watch?v=F 7pYHN9iC9I 2 3 Denial of Service Attack (DoS) 4 THREAT CATEGORY THREAT ACTION TYPE Malware/Badware Send data to the external entity/site, Trapdoor/Backdoor Entry,

719 views • 23 slides
FIVE DAYS IN THE LIFE OF A CMS BRUTE FORCING MALWARE Anna Shirokova Veronica Valeros Cognitive

FIVE DAYS IN THE LIFE OF A CMS BRUTE FORCING MALWARE Anna Shirokova Veronica Valeros Cognitive

FIVE DAYS IN THE LIFE OF A CMS BRUTE FORCING MALWARE Anna Shirokova Veronica Valeros Cognitive Threat Analytics Cognitive Threat Analytics @ AnnaBandicoot @ verovaleros WHO WE ARE? Anna Veronica Threat Researcher Threat Researcher

605 views • 42 slides
New Threat Vectors for ICS/SCADA Networks and How to Prepare for Them June 27, 2017 Phil

New Threat Vectors for ICS/SCADA Networks and How to Prepare for Them June 27, 2017 Phil

New Threat Vectors for ICS/SCADA Networks and How to Prepare for Them June 27, 2017 Phil Neray, VP of Industrial Cybersecurity Why Now? Featuring CyberXs threat intelligence & vulnerability research 3 Key Trends Driving ICS

537 views • 25 slides
Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los

Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los

Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los Chief Security Evangelist HP Software Shane MacDougall Principal Tactical Intelligence Modern threat modeling is a defensive response to

783 views • 52 slides
Trustworthy Host Platforms For Accelerated Research And Education: Strategic Cyber Threat

Trustworthy Host Platforms For Accelerated Research And Education: Strategic Cyber Threat

Trustworthy Host Platforms For Accelerated Research And Education: Strategic Cyber Threat Reduction Through International Research Cooperation John C. Mallery Computer Science & Artificial Intelligence Laboratory

599 views • 16 slides
MRO Security Advisory Council (SAC) Webinar One Companys Path to Establishing Threat

MRO Security Advisory Council (SAC) Webinar One Companys Path to Establishing Threat

MRO Security Advisory Council (SAC) Webinar One Companys Path to Establishing Threat Intelligence and Hunting Jamie Buening, Manager, Threat Intelligence and Hunting, MISO August 21, 2019 MRO SAC Update Technical Training and Social

478 views • 45 slides
Network T elescopes Revisited From Loads of Unwanted Traffjc to Threat Intelligence Piotr

Network T elescopes Revisited From Loads of Unwanted Traffjc to Threat Intelligence Piotr

Network T elescopes Revisited From Loads of Unwanted Traffjc to Threat Intelligence Piotr Bazydo, Adrian Korczak, Pawe Pawliski Research and Academic Computer Network (NASK, Poland) Who are we Piotr Bazydo Head of Network Security

684 views • 40 slides
The New Security Frontier: Threat Hunting, Augmented Intelligence, and Automated Response

The New Security Frontier: Threat Hunting, Augmented Intelligence, and Automated Response

The New Security Frontier: Threat Hunting, Augmented Intelligence, and Automated Response Michael Melore, CISSP IBM Cyber Security Advisor @MichaelMelore June 2018 May 2018 May 2018 Threat Hunting Workflow Cognitive Advanced Analytics

443 views • 15 slides
PIN-point control for analyzing malware Jason Jones REcon 2014 1 Me Sr

PIN-point control for analyzing malware Jason Jones REcon 2014 1 Me Sr

PIN-point control for analyzing malware Jason Jones REcon 2014 1 Me Sr Sec Research Analyst @ Arbor ex-TippingPoint ASI Primarily reverse malware Interests / Research DDoS Botnet tracking Malware Clustering Bug

419 views • 29 slides
Impact of e-Infrastructures on ICT Research Jan Gruntord CEO of CESNET Member of the GN3

Impact of e-Infrastructures on ICT Research Jan Gruntord CEO of CESNET Member of the GN3

Impact of e-Infrastructures on ICT Research Jan Gruntord CEO of CESNET Member of the GN3 Executive Committee Representative of the CZ in e-IRG Member of the Board for Large Infrastructures for R&D in CZ Prague, October 12th, 2010

481 views • 28 slides
CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu February 22, 2018 Exploring the Online Ecosystem One nice aspect of malware analysis is that, since much of it originates online and

119 views • 10 slides
Bridging Security In Intelligence: Hacking, g, Threat Hunting, g, AI, I, Behavioral Anomalies,

Bridging Security In Intelligence: Hacking, g, Threat Hunting, g, AI, I, Behavioral Anomalies,

Bridging Security In Intelligence: Hacking, g, Threat Hunting, g, AI, I, Behavioral Anomalies, and In Incident Response Dangerous Toys USB Device Impersonators USB Killers Man in the Middle Faceplates Wireless Pineapples Payload Phone

727 views • 30 slides
Th The ABC BCs of of ICS Th Threat Act ctiv ivit ity y Grou oups Au August st 2 26, 2

Th The ABC BCs of of ICS Th Threat Act ctiv ivit ity y Grou oups Au August st 2 26, 2

Th The ABC BCs of of ICS Th Threat Act ctiv ivit ity y Grou oups Au August st 2 26, 2 2020 Sergio Caltagirone Dave Bittner VP Threat Intelligence Producer & Host Dragos The CyberWire Podcast Before we get started - The

874 views • 17 slides
and Research Programs Threat to Aquatic Life and Water Quality Threat to local economy

and Research Programs Threat to Aquatic Life and Water Quality Threat to local economy

Harmful Algal Blooms, Agricultural Initiatives, and Research Programs Threat to Aquatic Life and Water Quality Threat to local economy (Fisheries, Recreation, Tourism etc.) Sources: both Urban & Rural Whats Agricultures

520 views • 24 slides
Joe Slowik, Threat Intelligence & Hunter Current: Dragos Adversary Hunter Previous:

Joe Slowik, Threat Intelligence & Hunter Current: Dragos Adversary Hunter Previous:

Joe Slowik, Threat Intelligence & Hunter Current: Dragos Adversary Hunter Previous: Los Alamos National Lab: IR Lead US Navy: Information Warfare Officer University of Chicago: Philosophy Drop-Out Network vs. Host

1.07k views • 71 slides

More recommend