Post on 09-Jul-2015
Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
-Brian Foster, CTO Damballa
1
The Old Security Stack
Prevention / Detection / Response / Forensics
ATTACK / INFECTION / DAMAGE
INFECTION RISK / BUSINESS RISK
Firewall
IDS/IPS
Web Security
Email Security
Sandboxing
Host AV/IPS/FW
Resource intensive, inefficient manual investigation efforts.
“Is this alert real or a false positive?”
ALERT & LOGS
SOC
SIEM / Single Pane of Glass
2
The New Security Stack
Prevention / Detection / Response / Forensics
ATTACK / INFECTION / DAMAGE
INFECTION RISK / BUSINESS RISK
NGFW
Endpoint Containment
Sandboxing
Email Gateway
ALERT & LOGS
SOC
SIEM / Single Pane of Glass
LEGACY
Host AV/IPS/FW
Damballa fills the security gap between failed prevention and your incident response
3
Productizing Research
4
Predictive Security Analytics Platform
Case Analyzer Platform
Connection Query
• Indicators of Compromise
• Threat Actors / Intent
File Request
• Zero Day Files
• Suspicious HTTP Content
Domain Fluxing
Automation Execution
Peer-To-Peer
• Automated Malicious Activity
• Observed Evasion Tactics
Data Transferred, PCAPs, Communication Success, Malicious File Availability, Sequence of Events, Importance of Endpoint, Malware Family, Intent, Severity, AV Coverage
Damage Potential
• Observed Activity
• Device Properties
• Threat Sophistication
• Threat Intent
9 Risk Profilers – Prioritized Risk of Confirmed Infections
8 Detection Engines – Rapid Discovery & Validation of Infections
5
Network Data
qrl89y666z.tang.la
p5ctnvqyd3.myftp.org
5opskttv3y.serveblog.net
tzeh62imx.informatix.com.ru
0zd2bwqqyu.no-ip.info
2ndk2swdma.madhacker.biz
pe4d0t35bs.no-ip.info
5c0x3re4vr.zapto.org
seqkhgd4pj.logout.us
zkycgbn8es.serveblog.net
a4669k3.spacetechnology.net
s45223a.tang.la
0098.no-ip.info
Sbdat.servevlog.net
0few3kd4yv.mooo.info
…
6
Network Data
qrl89y666z.tang.la
p5ctnvqyd3.myftp.org
5opskttv3y.serveblog.net
tzeh62imx.informatix.com.ru
0zd2bwqqyu.no-ip.info
2ndk2swdma.madhacker.biz
pe4d0t35bs.no-ip.info
5c0x3re4vr.zapto.org
seqkhgd4pj.logout.us
zkycgbn8es.serveblog.net
a4669k3.spacetechnology.net
s45223a.tang.la
0098.no-ip.info
Sbdat.servevlog.net
0few3kd4yv.mooo.info
…
Numbers: 30 Billion per day; 8 Trillion per year.
DNS Records from ISPs, Telcos, Enterprises.
7
Network Data
Numbers: 100 Thousand per day; 36.5 Million per year.
Malware samples from Enterprises, Industry sharing/feeds.
8
Supervised Learning
Y-Axis – Total malware samples looking up the domain.
X-Axis – Total blacklisted domains on BGP prefix.
9
Supervised Learning
Y-Axis – Total malware samples looking up the domain.
X-Axis – Total blacklisted domains on BGP prefix.
10
Supervised Learning
Y-Axis – Total malware samples looking up the domain.
X-Axis – Total blacklisted domains on BGP prefix.
11
Unsupervised Learning
Y-Axis – n-grams.
X-Axis – Entropy.
12
Unsupervised Learning
Y-Axis – n-grams.
X-Axis – Entropy.
13
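As an added illustration (my code, not code from the talk or from Damballa), the two axes of the unsupervised-learning plots can be computed directly from the host labels on the "Network Data" slide: a character-entropy feature and an n-gram feature, followed by a two-cluster k-means. The benign labels, the benign reference word list and the bigram-presence score are constructed stand-ins; a production system would use frequency-weighted n-grams over a large corpus.

```python
import math
from collections import Counter

# Constructed inputs: the random-looking host labels are the ones on the slide; the
# benign labels and the reference word list are invented for this example.
SLIDE_LABELS = ["qrl89y666z", "p5ctnvqyd3", "5opskttv3y", "tzeh62imx", "0zd2bwqqyu",
                "2ndk2swdma", "pe4d0t35bs", "5c0x3re4vr", "seqkhgd4pj", "zkycgbn8es"]
BENIGN_LABELS = ["google", "facebook", "wikipedia", "amazon", "twitter"]
REFERENCE_WORDS = ["google", "facebook", "youtube", "amazon", "wikipedia", "twitter",
                   "microsoft", "apple", "netflix", "update", "player", "memorial",
                   "chapel", "digital", "message", "server", "mail", "login", "secure"]


def shannon_entropy(s: str) -> float:
    """Character entropy in bits; random-looking labels score close to log2(len(s))."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def bigrams(s: str) -> list:
    return [s[i:i + 2] for i in range(len(s) - 1)]


KNOWN_BIGRAMS = {bg for w in REFERENCE_WORDS for bg in bigrams(w)}


def ngram_score(label: str) -> float:
    """Fraction of the label's bigrams seen in the benign reference corpus (constructed
    stand-in for a frequency-weighted n-gram model)."""
    bgs = bigrams(label)
    return sum(bg in KNOWN_BIGRAMS for bg in bgs) / len(bgs) if bgs else 0.0


def feature_vector(label: str) -> list:
    return [shannon_entropy(label), ngram_score(label)]


def minmax(rows: list) -> list:
    """Scale each column to [0, 1] so entropy (bits) and the n-gram ratio weigh equally."""
    cols = list(zip(*rows))
    lo = [min(c) for c in cols]
    hi = [max(c) for c in cols]
    return [[(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(r, lo, hi)] for r in rows]


def dist(a: list, b: list) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans2(points: list, iterations: int = 50) -> list:
    """Two-cluster k-means with deterministic seeding (first point, and the point
    farthest from it).  Returns a cluster id, 0 or 1, per point."""
    centroids = [points[0], max(points, key=lambda p: dist(p, points[0]))]
    assignment = [0] * len(points)
    for _ in range(iterations):
        new_assignment = [min((0, 1), key=lambda k: dist(p, centroids[k])) for p in points]
        if new_assignment == assignment:
            break
        assignment = new_assignment
        for k in (0, 1):
            members = [p for p, a in zip(points, assignment) if a == k]
            if members:
                centroids[k] = [sum(col) / len(members) for col in zip(*members)]
    return assignment


def cluster_labels(labels: list) -> dict:
    """Map each label to the cluster it lands in."""
    points = minmax([feature_vector(l) for l in labels])
    return dict(zip(labels, kmeans2(points)))


if __name__ == "__main__":
    for label, cid in cluster_labels(SLIDE_LABELS + BENIGN_LABELS).items():
        print(f"{label:12s} entropy={shannon_entropy(label):.2f} "
              f"ngram={ngram_score(label):.2f} cluster={cid}")
```

The slide's labels all land in one cluster and the constructed benign names in the other, driven mostly by the n-gram axis: entropy alone does not separate "facebook" from "qrl89y666z".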
Domain Name Reputation
• message-tvit.com – 172.16.32.193
• artizondigital.com – 10.10.9.1
• ubibar.ubi.com – 192.168.7.4
• www.benjaminsparkmemorialchapel.ca – 172.16.1.45
• player-update.info – 10.1.3.156
• king-orbit.com – 192.168.24.19
14
Domain Name Reputation
• message-tvit.com – .08
• artizondigital.com – .87
• ubibar.ubi.com – .93
• www.benjaminsparkmemorialchapel.ca – .78
• player-update.info – .05
• king-orbit.com – .12
15
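Added example (my Python, not Damballa's or the Notos code) tying the supervised-learning axes to the reputation scores above: for each domain it computes the two plot features (malware samples looking up the domain; blacklisted domains on the domain's prefix), fits a logistic regression on constructed training data, and emits a reputation in [0, 1] with the same sense as the slide (high = benign). The four slide domains and their addresses are taken from the slide; the *.example domains, the placeholder MD5s, the blacklist and the use of a /24 as a stand-in for a BGP prefix are assumptions, and the exact scores on the slide are not reproduced.

```python
import math
from ipaddress import ip_address, ip_network

# Constructed data (not Damballa's). The first four domains and addresses are the
# ones on the slide; the *.example entries are invented training data. MD5 values
# are placeholders. A /24 is used as a stand-in for the BGP prefix of each address.
PDNS = {
    "message-tvit.com": "172.16.32.193",
    "player-update.info": "10.1.3.156",
    "artizondigital.com": "10.10.9.1",
    "ubibar.ubi.com": "192.168.7.4",
    "bad-a.example": "172.16.32.10",
    "bad-b.example": "10.1.3.7",
    "bad-c.example": "172.16.32.77",
    "good-a.example": "10.10.9.44",
    "good-b.example": "192.168.7.80",
    "good-c.example": "10.10.9.45",
}
# Placeholder sample hash -> domains the sample looked up while running.
MALWARE_LOOKUPS = {
    "md5-placeholder-1": ["message-tvit.com", "bad-a.example"],
    "md5-placeholder-2": ["message-tvit.com", "player-update.info", "bad-b.example"],
    "md5-placeholder-3": ["player-update.info", "bad-c.example"],
    "md5-placeholder-4": ["bad-a.example", "bad-b.example"],
}
BLACKLIST = {"bad-a.example", "bad-b.example", "bad-c.example"}
# Training labels (1 = malicious, 0 = benign); the slide's domains stay unlabelled
# and are scored by the trained model.
TRAINING_LABELS = {"bad-a.example": 1, "bad-b.example": 1, "bad-c.example": 1,
                   "good-a.example": 0, "good-b.example": 0, "good-c.example": 0}


def features(domain: str) -> list:
    """The two plot axes: Y = malware samples looking up the domain,
    X = blacklisted domains on the same prefix as the domain's address."""
    lookups = sum(domain in seen for seen in MALWARE_LOOKUPS.values())
    prefix = ip_network(f"{PDNS[domain]}/24", strict=False)
    on_prefix = sum(1 for d in BLACKLIST if d != domain and ip_address(PDNS[d]) in prefix)
    return [float(lookups), float(on_prefix)]


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def train(labels: dict, lr: float = 0.5, epochs: int = 2000) -> tuple:
    """Logistic regression fitted by plain batch gradient descent."""
    rows = [(features(d), y) for d, y in labels.items()]
    w, b = [0.0, 0.0], 0.0
    for _ in range(epochs):
        grad_w, grad_b = [0.0, 0.0], 0.0
        for x, y in rows:
            err = sigmoid(w[0] * x[0] + w[1] * x[1] + b) - y
            grad_w[0] += err * x[0]
            grad_w[1] += err * x[1]
            grad_b += err
        n = len(rows)
        w = [w[0] - lr * grad_w[0] / n, w[1] - lr * grad_w[1] / n]
        b -= lr * grad_b / n
    return w, b


def reputation(domain: str, model: tuple) -> float:
    """Reputation in [0, 1] in the slide's sense: near 1 = benign, near 0 = malicious."""
    w, b = model
    x = features(domain)
    return 1.0 - sigmoid(w[0] * x[0] + w[1] * x[1] + b)


if __name__ == "__main__":
    model = train(TRAINING_LABELS)
    for d in ["message-tvit.com", "artizondigital.com", "ubibar.ubi.com", "player-update.info"]:
        print(f"{d:24s} features={features(d)} reputation={reputation(d, model):.2f}")
```

With this data, message-tvit.com and player-update.info (looked up by several placeholder samples, sharing a prefix with blacklisted names) score low, while artizondigital.com and ubibar.ubi.com score high, the same ordering the slide shows.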
Notos
16
Zone Based Clusters
17
Notos outline: Introduction; Motivation; Preparation; Notos’ Components (Network Profile Modeling, Network and Zone Profile Clustering, Reputation Function); Results; Conclusions and Future Work
2nd Level Clustering Split Due to Zone Properties
[A]: ns6.b0e.ru 218.75.144.6
...
188.240.164.122.dalfihom.cn 218.75.144.6
0743f9.tvafifid.cn 218.75.144.6
ns5.bg8.ru 218.75.144.6
097.groxedor.cn 218.75.144.6
adelaide.zegsukip.cn 218.75.144.6
07d2c.fpibucob.cn 218.75.144.6
0c9.xyowijam.cn 218.75.144.6
ns6.b0e.ru 218.75.144.6
0678fc.yxbocws.cn 218.75.144.6
ns1.loverspillscalm.com 218.75.144.6
09071.tjqsjfz.cn 218.75.144.6
0de1f.wqutoyih.cn 218.75.144.6
katnzvv.cn 218.75.144.6
...
[B]: e752.p.akamaiedge.net 72.247.179.52
...
e882.p.akamaiedge.net 72.247.179.182
e707.g.akamaiedge.net 72.247.179.7
e867.g.akamaiedge.net 72.247.179.167
e747.p.akamaiedge.net 72.247.179.47
e732.g.akamaiedge.net 72.247.179.32
e932.g.akamaiedge.net 72.247.179.232
e752.p.akamaiedge.net 72.247.179.52
e729.g.akamaiedge.net 72.247.179.29
e918.p.akamaiedge.net 72.247.179.218
e831.p.akamaiedge.net 72.247.179.131
e731.p.akamaiedge.net 72.247.179.31
...
25 / 32
RZA - Motivation
• Takedowns are ad hoc, of arguable success, and performed without oversight
• System goal: add rhyme/reason to takedowns
– evaluate previous takedown attempts, and
– recommend and inform on/for future takedowns
18
RZA - Datasets
• Large passive DNS (pDNS) database
– pDNS stores historic assignments between IPs/domains
– ~3 years of visibility
• Implement RHDN/RHIP operations
• Source: major NA ISP, other customers
• Data also in Hadoop for large-scale processing
• Malware MD5 <-> domain name mapping
19
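The pDNS operations named on the dataset slide and the zone-based split shown in the Notos clusters above, as an added Python example (mine, not the RZA or Notos code). RHIP and RHDN are read here as Related Historic IPs and Related Historic Domain Names, the Notos terminology; the pDNS store is built from the two clusters on the "2nd Level Clustering" slide plus one invented record, timestamps are omitted, the registered-domain extraction is a naive last-two-labels rule, and a /24 stands in for a BGP prefix.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed pDNS store as (domain, ip) pairs: the two clusters from the slide plus
# one invented, unrelated record.  Real pDNS rows also carry first/last-seen times.
PDNS_RECORDS = [
    ("ns6.b0e.ru", "218.75.144.6"), ("188.240.164.122.dalfihom.cn", "218.75.144.6"),
    ("0743f9.tvafifid.cn", "218.75.144.6"), ("ns5.bg8.ru", "218.75.144.6"),
    ("097.groxedor.cn", "218.75.144.6"), ("adelaide.zegsukip.cn", "218.75.144.6"),
    ("07d2c.fpibucob.cn", "218.75.144.6"), ("0c9.xyowijam.cn", "218.75.144.6"),
    ("0678fc.yxbocws.cn", "218.75.144.6"), ("ns1.loverspillscalm.com", "218.75.144.6"),
    ("09071.tjqsjfz.cn", "218.75.144.6"), ("0de1f.wqutoyih.cn", "218.75.144.6"),
    ("katnzvv.cn", "218.75.144.6"),
    ("e752.p.akamaiedge.net", "72.247.179.52"), ("e882.p.akamaiedge.net", "72.247.179.182"),
    ("e707.g.akamaiedge.net", "72.247.179.7"), ("e867.g.akamaiedge.net", "72.247.179.167"),
    ("e747.p.akamaiedge.net", "72.247.179.47"), ("e732.g.akamaiedge.net", "72.247.179.32"),
    ("e932.g.akamaiedge.net", "72.247.179.232"), ("e729.g.akamaiedge.net", "72.247.179.29"),
    ("e918.p.akamaiedge.net", "72.247.179.218"), ("e831.p.akamaiedge.net", "72.247.179.131"),
    ("e731.p.akamaiedge.net", "72.247.179.31"),
    ("www.example.net", "203.0.113.9"),  # invented record, unrelated to either cluster
]

DOMAIN_TO_IPS = defaultdict(set)
IP_TO_DOMAINS = defaultdict(set)
for _d, _ip in PDNS_RECORDS:
    DOMAIN_TO_IPS[_d].add(_ip)
    IP_TO_DOMAINS[_ip].add(_d)


def rhip(domain: str) -> set:
    """Related Historic IPs: every address the domain has resolved to."""
    return set(DOMAIN_TO_IPS.get(domain, ()))


def rhdn(ip: str) -> set:
    """Related Historic Domain Names: every name that has pointed at the address."""
    return set(IP_TO_DOMAINS.get(ip, ()))


def enumerate_infrastructure(seed_domains: set, rounds: int = 1) -> set:
    """Infrastructure enumeration as modelled here: grow the seed set Ds into De by
    alternating RHIP and RHDN for a bounded number of rounds."""
    known = set(seed_domains)
    for _ in range(rounds):
        ips = set().union(*[rhip(d) for d in known])
        known |= set().union(*[rhdn(ip) for ip in ips])
    return known


def zone(domain: str) -> str:
    """Naive registered-domain extraction (last two labels).  A public suffix list is
    needed for names under suffixes such as com.ru."""
    return ".".join(domain.split(".")[-2:])


def cluster_by_network(prefixlen: int) -> dict:
    """Group domains by the network their addresses fall in (/32 = one host,
    /24 as the stand-in for a BGP prefix)."""
    groups = defaultdict(set)
    for d, ip in PDNS_RECORDS:
        groups[ip_network(f"{ip}/{prefixlen}", strict=False)].add(d)
    return groups


def zone_stats(domains: set) -> tuple:
    """(domain count, distinct zone count): many zones on one host is the zone
    property that separates cluster [A] from the single-zone CDN cluster [B]."""
    return len(domains), len({zone(d) for d in domains})


def network_zone_stats(cidr: str) -> tuple:
    net = ip_network(cidr)
    return zone_stats(cluster_by_network(net.prefixlen).get(net, set()))


if __name__ == "__main__":
    print(sorted(enumerate_infrastructure({"ns6.b0e.ru"})))
    print("218.75.144.6/32", network_zone_stats("218.75.144.6/32"))
    print("72.247.179.0/24", network_zone_stats("72.247.179.0/24"))
```

Seeding with ns6.b0e.ru alone pulls in all thirteen names parked on 218.75.144.6, thirteen different zones on one host; the eleven akamaiedge.net names spread across a /24 collapse to a single zone, which is why a second-level split on zone properties keeps the two apart.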
RZA - Overview
(Pipeline diagram) Inputs: Domains, pDNS, Malware DB, MD5s
1. Infrastructure Enumeration → Enumerated Domains
2. Domain Reputation → Low Reputation Domains
3. Domain & MD5 Association → Malware-related Domains
4. Malware Interrogation → Interrogated Domains
5a. Postmortem Report
5b. Takedown Recommendation
Malware Backup Plan
(Venn diagram of the domain sets De, Ds, Di, Dr, Dm)
Dm: malware-related domains
De: enumerated domains
Dr: low reputation domains
Ds: seed domains
Di: malware interrogation domains
20
RZA – Malware Interrogation
• Manipulate fundamental protocol packets to convince malware its primary network asset is unavailable
– DNS and TCP
– Easy to add additional protocols
• If malware is presented with unavailable infrastructure:
– Retries hardcoded IPs/domains,
– Tries to reach a finite set of IPs/domains, or
– Tries to reach an infinite set of IPs/domains (DGA/P2P)
21
RZA – Malware Interrogation
• Game malware to present primary infrastructure failure
• DNS/TCP packet manipulation (NXDomain/TCP RST)
• Automatically determine backup behaviors
(Figure: VM1 … VMn paired with G1 … Gn, plus VM0 paired with Gnull, on a host connected to the Internet)
27
RZA – Malware Interrogation
• Simple heuristics to determine malware behavior
• Fake domain-level and IP-level takedowns
– Forge all non-white DNS responses -> NXDomain
• Alexa top 10K
– Forge all non-white TCP connections -> TCP reset
• IPs derived from Alexa top 10K
• Five analysis scenarios:
– Vanilla run
– DNS whitelist for time t
– DNS whitelist for time 2t
– IP whitelist for time t
– IP whitelist for time 2t
28
RZA – Takedown Recommendation
Input: {Ds} → Enumerate Infrastructure
Input: {De U Di} → Interrogate Malware → Classify Malware Behavior
– No Behavioral Changes, or Finite Domains/IPs: 1.) Revoke D
– DGA: 1.) Reverse engineer DGA 2.) TLD cooperation 3.) Revoke D
– P2P: 1.) Counter P2P 2.) Revoke D
29
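The interrogation scenarios (vanilla, DNS whitelist for t and 2t, IP whitelist for t and 2t), the forged NXDomain/TCP RST gateway and the recommendation branch of the flowchart, as one added Python example (mine, not the RZA tooling). Nothing touches a network: the gateway is an in-process object, the four "samples" are toy stand-ins for the three backup behaviours on the slides (hardcoded retry, finite list, unbounded DGA-style names, unbounded P2P-style peers), all names and addresses are reserved placeholders, and the growth heuristic (new infrastructure that keeps growing when the budget doubles is unbounded) is my reading of why the slides run both t and 2t.

```python
from dataclasses import dataclass, field

# Constructed example.  All names and addresses are reserved placeholders
# (.invalid, 198.51.100.0/24, 203.0.113.0/24); no real sample or C&C is involved.
DNS_WHITELIST = {"www.example.com"}      # stand-in for the Alexa top 10K
IP_WHITELIST = {"198.51.100.200"}        # stand-in for the IPs derived from it


@dataclass
class Gateway:
    """Per-VM gateway: answers lookups and connections, forging NXDomain (domain-level
    takedown) or TCP RST (IP-level takedown) for anything off the whitelist, and
    records everything the sample asked for."""
    fake_dns_takedown: bool = False
    fake_ip_takedown: bool = False
    answers: dict = field(default_factory=dict)
    seen_domains: set = field(default_factory=set)
    seen_ips: set = field(default_factory=set)

    def resolve(self, name: str):
        self.seen_domains.add(name)
        if self.fake_dns_takedown and name not in DNS_WHITELIST:
            return None                                   # forged NXDomain
        # Stable constructed address per name within one run.
        return self.answers.setdefault(name, f"198.51.100.{len(self.answers) + 1}")

    def connect(self, ip: str) -> bool:
        self.seen_ips.add(ip)
        if self.fake_ip_takedown and ip not in IP_WHITELIST:
            return False                                  # forged TCP RST
        return True


# Toy stand-ins for the backup behaviours on the slide; each runs for `ticks` steps.
def hardcoded_retry(gw, ticks):
    for _ in range(ticks):
        ip = gw.resolve("c2.primary.invalid")
        if ip:
            gw.connect(ip)                                # on failure: retry next tick


def finite_backups(gw, ticks):
    names = ["c2.primary.invalid", "backup1.invalid", "backup2.invalid", "backup3.invalid"]
    for _ in range(ticks):
        for name in names:                                # walk a fixed list
            ip = gw.resolve(name)
            if ip and gw.connect(ip):
                break


def dga_like(gw, ticks):
    for i in range(ticks):
        ip = gw.resolve("c2.primary.invalid")
        if ip and gw.connect(ip):
            continue
        ip = gw.resolve(f"{i:06d}.generated.invalid")     # a fresh name every tick
        if ip:
            gw.connect(ip)


def p2p_like(gw, ticks):
    for i in range(ticks):
        if not gw.connect("203.0.113.5"):                 # hardcoded peer, no DNS
            gw.connect(f"203.0.113.{10 + i}")             # then a new peer each tick


def run(sample, ticks: int, **mode) -> tuple:
    gw = Gateway(**mode)
    sample(gw, ticks)
    return gw.seen_domains, gw.seen_ips


def interrogate(sample, t: int = 10) -> str:
    """Five scenarios: vanilla, DNS takedown for t and 2t, IP takedown for t and 2t.
    Heuristic: infrastructure not seen in the vanilla run that keeps growing when the
    budget doubles is an unbounded backup (DGA via names, P2P via peers)."""
    base_d, base_i = run(sample, t)
    dns_t, _ = run(sample, t, fake_dns_takedown=True)
    dns_2t, _ = run(sample, 2 * t, fake_dns_takedown=True)
    _, ip_t = run(sample, t, fake_ip_takedown=True)
    _, ip_2t = run(sample, 2 * t, fake_ip_takedown=True)
    new_d_t, new_d_2t = dns_t - base_d, dns_2t - base_d
    new_i_t, new_i_2t = ip_t - base_i, ip_2t - base_i
    if len(new_d_2t) > len(new_d_t):
        return "DGA"
    if len(new_i_2t) > len(new_i_t):
        return "P2P"
    if new_d_t or new_i_t:
        return "FINITE"
    return "NO_CHANGE"


# Recommendation branch of the flowchart; D is the domain set {De U Di} to revoke.
RECOMMENDATIONS = {
    "NO_CHANGE": ["Revoke D"],
    "FINITE": ["Revoke D"],
    "DGA": ["Reverse engineer DGA", "TLD cooperation", "Revoke D"],
    "P2P": ["Counter P2P", "Revoke D"],
}


def recommend(sample) -> tuple:
    behaviour = interrogate(sample)
    return behaviour, RECOMMENDATIONS[behaviour]


if __name__ == "__main__":
    for s in (hardcoded_retry, finite_backups, dga_like, p2p_like):
        print(s.__name__, recommend(s))
```

The finite-list sample exposes three extra names under the DNS takedown but the same three at t and 2t, so it is classed as finite and a DNS-only revocation suffices; the two unbounded samples keep producing new names or peers as the budget grows, which is what routes them to the DGA and P2P branches.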
Target Which Sets?
(Venn diagram of the domain sets De, Ds, Di, Dr, Dm)
Dm: malware-related domains
De: enumerated domains
Dr: low reputation domains
Ds: seed domains
Di: malware interrogation domains
30
RZA – Studies
• Postmortem study: analysis of Kelihos, ZeuS, and 3322.org/Nitol takedowns
– Use lookup volume to show activity to infrastructure
• Takedown study: analysis of 45 active botnet C&Cs
– Can we take them down?
31
Postmortem: Kelihos
32
Postmortem: Zeus
33
Postmortem: 3322.org/Nitol
34
RZA – Takedown Study
• Of the 45 botnets:
– 2 had DGA-based backup mechanism
– 1 had P2P-based backup mechanism
– 42 susceptible to DNS-only takedown
35
Policy Discussion
• Current drawbacks to takedowns
– ad-hoc
– Little oversight
– Arguable success
• All point to need for central authority
– ICANN’s UDRP/URS as example frameworks
• Criteria for takedown
• More eyes = more successes
• Test with new TLDs (much like w/ URS)