Intelligent Fighting of Greyware
Robert Leong, Director of Product Management, McAfee Labs
Version 4.0
Will You Be In the Storm? Or in Calm Weather?
Agenda
• A History Lesson
• How the World Has Changed
• Pop Quiz!
• How Attacks Have Changed and Why
• Success Criteria in the New World of Greyware
• A New Approach
• Would That Work?
• Summary, Takeaways, and Stuff to Think about…
The Answer is: Edward Pierce, that’s who!
• He used a combination of:
  • Scams
  • Smuggling
  • Disguises
  • Misdirection
  • Inside men
For over 100 years, it was considered to be…
Today: 100 Banks, 30 Different Countries…
Countries shown on the map: USA, Brazil, Canada, Morocco, Spain, Iceland, Great Britain, France, Switzerland, Germany, Norway, Czech Republic, Poland, Bulgaria, Ukraine, Russia, Pakistan, India, Nepal, China, Hong Kong, Taiwan, Australia
The biggest financial theft of all time was done exclusively with “greyware”
Data Source: New York Times, 2015
Carbanak Greyware… (Infection)
• Since late 2013 (it is ongoing!), an unknown group of hackers has reportedly stolen $1,000,000,000.00 from banks across the world, with the majority of the banks being in Russia.
• Hackers send email containing a malware program called “Carbanak” to hundreds of bank employees, hoping to infect a bank’s administrative computer.
• The programs are all ‘Greyware’.
Source: New York Times 14 February 2015 “Bank Hackers Steal Millions via Malware”
What is “Greyware”? “It’s all about trust…”
• Greyware is defined as an object on the system for which the level of trust is indeterminate at any given point in time
• This could be due to profile information, behavior or actions of the actor, origin information or any other factors that leave the object in an indeterminate state
Greyware and Screen-Scrapers and Keyboard Loggers, Oh My! (Harvesting Intelligence)
• Programs installed by the malware record keystrokes and also take screen grabs of the bank’s computers
• Hackers spend weeks and months learning proper bank procedures and personnel
• They also enable the hackers to control the bank’s computers remotely
Guess the Top Cyber-Espionage Target… (audience poll: https://www.surveymonkey.com/r/top-threats)
Choices: Real Estate, Information, Utilities, Professional, Public Transport, Manufacturing, Financial, Education, Medical
“Hi My Name is Bill Gates…”
By mimicking the bank procedures that have been learned, the hackers are able to direct the bank’s computers to steal money in a variety of ways, e.g.:
1. Transferring money into hacker’s fraudulent bank accounts
2. Using e-payment systems to send money overseas to fraudulent accounts
3. Directing ATMs to dispense money at set times when “mules” are there to collect
21
Mimicking the Staff
https://www.surveymonkey.com/r/top-threats
It’s Really Cyber-espionage via Malware…
Three stages: Infection, Harvesting Intelligence, Mimicking the Staff
Why Greyware?
1. No Physical Risk
2. Hard to Detect, Easy to get Through
3. Profitable
Let’s See How You All Did! (poll results)
Ask the Audience!
Banking and financial services are not even in the top three…
Data Source: 2016 Verizon Data Breach Investigations Report
Cyberespionage 2016
[Bar chart] The top ten cyberespionage targeted industries (Breach Counts) (n=86). Bar values as shown, largest to smallest: 31, 17, 10, 6, 4, 4, 3, 3, 2, 2 (the industry labels did not survive extraction)
Numbers within parentheses are the industry NAICS codes
Source: Verizon 2016 Data Breach Investigations Report
Cyberespionage 2015
[Bar chart] The top ten cyberespionage targeted industries (percentage splits) (n=460). Bar values (%) as shown, largest to smallest: 27.4, 20.2, 13.3, 6.2, 3.9, 1.8, 1.7, 1.3, 0.8, 0.7 (the industry labels did not survive extraction)
Source: Verizon 2015 Data Breach Investigations Report
Cyberespionage
[Bar chart] Variety of data compromised within cyberespionage (%) (n=457). Bar values (%) as shown, largest to smallest: 85.8, 11.4, 8.5, 6.6, 2.6, 2.4, 0.7, 0.4, 0.4, 0.2 (the data-variety labels did not survive extraction)
Source: Verizon 2015 Data Breach Investigations Report
Cyberespionage 2016
Top threat action varieties within cyberespionage (n=154)
Threat action variety               Value (as shown on the slide)
Hacking - use of backdoor or C2     88
Malware - C2                        76
Social - Phishing                   68
Malware - Backdoor                  33
Hacking - use of stolen creds       19
Malware - export data               10
Hacking - footprinting               9
Social - pretexting                  7
Misc - privilege abuse               3
Social - bribery                     3
Source: Verizon 2016 Data Breach Investigations Report
Cyberespionage 2015
Vector of malware cyberespionage (%) (n=361)
Vector                 %
Email Attachment       39.9
Email Link             37.4
Web Drive-By           16.6
Direct Install          3.6
Download by Malware     2.8
Web Download            2.2
Remote Injection        1.9
Network Propagation     0.3
Source: Verizon 2015 Data Breach Investigations Report
“Dear Sir or Madam…”
• Nearly 50% open e-mails and click on phishing links within the first hour.
• 23% of recipients now open phishing messages and 11% click on attachments.
• 70-90% of malware samples are unique to an organization.
Data Source: Verizon 2015 Data Breach Investigations Report
An Example of the Exponential Growth of “Greyware”
McAfee Labs saw over 4.5 Million new variants of Ransomware, mostly from CTB-Locker and its “affiliate” program that has flooded the market with phishing campaigns
Key Concepts:
1. Affiliate Program = agreement to use infrastructure to propagate the malware with new payment instructions
2. Obfuscation = Minor changes to content and cryptography to create malware with a new, unknown signature
CTB-Locker = Curve-Tor-Bitcoin-Locker: Elliptic Curve Cryptography; C&C servers = Tor Anonymity Network; Ransom is in Bitcoin
Source: McAfee Labs, 2016
From One Comes Many…
McAfee Labs researchers estimate that the millions of “Unique Ransomware Samples” were built from only 12-15 different toolkits
Source: McAfee Labs 2016
Let’s look at the Carbanak Greyware…
Seventy-four (74) analyzed Carbanak samples: breakdown of behaviors and prevalence:
Number of Samples   Fraction of Samples   Suspicious/Malicious Behavior Category
13                  17.57%                Evasion
60                  81.08%                Execution
69                  93.24%                Packer
70                  94.59%                Network
70                  94.59%                Autostart
70                  94.59%                Stealth
70                  94.59%                File
72                  97.30%                Memory
Source: Lastline Labs, 2015 – analysis of 74 Carbanak malware samples in VirusTotal
“Sub Total”
• Biggest heist of all time was done with malware
• The malware used multiple shades of greyware
• Your industry may in fact be much higher on the “target list” than you thought
• If targeted, it is highly likely they will “get in” to your organization
• Growth of “greyware” is exponential and will likely keep going
What can we do about this?
Requirements to Succeed…
• New endpoint strategy must be able to make things a lot better without starting all over
• Must be able to counter current threats
• Must be able to adapt to new threats
• Must leverage what we already know and have access to
What’s the Endpoint Doing Now? How can we leverage and extend this?
• Fingerprinting: identify with near certainty that an object is either malicious or clean
• This technique is effective and deterministic by nature
• Technology: hash (signature) scanning, heuristic drivers
• Although very precise, the “greyness” of new attacks provides an opportunity to improve the strategy
Getting high confidence (not total confidence) takes but a fraction of the effort, and is the basis for a new approach.
The Levels of Grey… Multiple clues…
[Diagram] A scale running from “Definitely Bad” to “Definitely Good”; an unknown object starts in the middle (“Start Here”) and each clue moves it along the scale:
• Suspicious Origin
• Packed or Encrypted
• Suspicious URL
• New Application
• Suspicious Certificate
• Low Age
• Document Type
• Low Prevalence
• High # of Rapid Changes
• Suspicious Email Link
Leveraging Multiple Sources of “Grey”: Extending the endpoint with what we know…
• New Approach:
  • Identify a suspicious characteristic or activity
  • Give the object a reputation and confidence level
• Backend automation produces reputations, but they aren’t leveraged by current technologies, e.g.:
  • URL classification
  • IP classification
• Many new technologies can be combined to “roll-up” into a combined reputation and confidence level
The key is to combine multiple non-deterministic observations.
How to Adapt to Change Needed for “Greyware”
Table Stakes: High performance, market-competitive detection, cloud-enabled, auto-update, telemetry, safety, etc.
Reputation-Aware: Build reputations of all types (Process, URL, File, Certificate, Age, Prevalence) from multiple sources.
Multi-Scanner Support: Employ scanners which help influence reputations.
Isolation and Containment: Protect the platform from malicious activity, depending on suspiciousness.
Auto-Remediation: Restore and unwind activities when they are deemed malicious.
Combine Intelligence: Turn the Endpoint into part of a “Sensor Network”, and integrate detection and response with network and Cloud resources and capabilities
Fighting Grey with Intelligence
Gathering inputs from multiple intelligent sources
[Diagram, built up across ten slides] Every input feeds a single Reputation, which drives the Block? / Allow? decision. Inputs come from three tiers of knowledge: Local (endpoint), Enterprise Local Knowledge, and Global Cloud Intelligence.
Generation 1 inputs, in the order the slides add them: Prevalence, Age (Generic Rule); Enterprise Local Knowledge, Endpoint Info; AV Engine (heuristic drivers), Environmental Info, Static Profiler; ATD, VirusTotal, Enterprise Reputation; URL Reputations, File/Cert Reputation
Generation 2 inputs, in the order the slides add them: Global Cloud Intelligence; HIPS (exploit monitoring), Behavior Profiler, Disk Filter (storage protection), Memory Scanning; Web GW, Email GW, NextGen FW, SIEM; Behavioral Intelligence, Cloud Classification
Source: McAfee Labs 2016
The Future of Endpoint Protection Technologies: Containment and remediation
[Diagram] Suspicious Process/File Identified → Containment Object → Process/File Determined to be Malicious → Remediation Object (or Allow)
Containment Object: Kernel Rights Restriction, Firewall Rules, Disk Filter, Registry Filter, Sandboxing
Remediation Object: Path-based Repair, Generic Repair, OS Restore Point, On-Disk Protection, On-Disk Rollback, Restore
CONTAINMENT minimizes adverse impact. REMEDIATION reverses unwanted changes.
Methodology leveraged will depend on observed actions and reputation.
Source: McAfee Labs 2016
Intelligence Fabric Demonstration: What Are We Showing Here?
1. Shows “Behind the Scenes” decision-making on the endpoint
2. Using multiple “Blades” for threat intelligence, protection, detection, remediation to “figure out the right thing to do” when encountering greyware on the Endpoint
3. This is a debug console output that would be hidden from the user but shows how things work when the endpoint encounters “Zero-Day” Ransomware
Robert Leong, Intel Security - McAfee Labs
Intelligence Fabric Demonstration: walkthrough
1. The endpoint has multiple “Blades” it can use to perform Greyware security functions… The user surfs to a ‘Grey’ URL and downloads some Greyware…
2. The endpoint sees the new file download; default reputation = 50 (unknown). The Threat Prevention blade can tell that age and prevalence are low and the file is packed; therefore it decreases the score to 38 (might be malicious).
3. The user decides to run the file, and yes, it’s clearly malicious. (We artificially sped up the “demand screen” just to show it.)
4. The endpoint tracks the created process, performs behavioral scanning and high-speed memory scanning (plus containment). RealProtect and Clifton come back with data that the file is malicious; the system drops the score to 1 (definitely malicious!). Note the endpoint has the option to do remediation if needed.
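The score progression in the demo (50, then 38, then 1) and the “roll-up” of non-deterministic observations described under “Leveraging Multiple Sources of Grey” can be modelled as one small scoring function. The following is an added example, not McAfee’s code or the product’s real algorithm; the clue names, weights, confidences, policy thresholds and the noisy-OR confidence combination are assumptions chosen so that the demo’s numbers are reproduced.

```python
"""Reputation roll-up for greyware, modelled on the deck's demo (50 -> 38 -> 1).
Added example, not McAfee's code or the product's real algorithm: several
non-deterministic clues ("blades") are combined into one reputation score
(100 = definitely good, 50 = unknown, 1 = definitely malicious) plus a
confidence.  Clue weights, confidences and thresholds are assumptions."""
from functools import reduce

DEFINITELY_GOOD, UNKNOWN, DEFINITELY_BAD = 100, 50, 1

# clue -> (score delta, confidence that this clue alone is right).  Static
# clues (age, prevalence, packing) are weak on their own; a post-execution
# behavioral or memory-scan verdict is strong enough to reach the floor.
CLUES = {
    "low_age":                (-4, 0.20),
    "low_prevalence":         (-4, 0.20),
    "packed":                 (-4, 0.20),
    "suspicious_url":         (-6, 0.30),
    "suspicious_cert":        (-6, 0.30),
    "behavior_malicious":     (-49, 0.95),  # behavioral tracing verdict
    "memory_scan_malicious":  (-49, 0.95),  # high-speed memory scan verdict
    "global_reputation_good": (45, 0.90),   # cloud/global says known clean
}

def roll_up(clues):
    """Return (score, confidence) for a list of clue names.
    Score: start at UNKNOWN, add each delta, clamp to the 1..100 scale.
    Confidence: noisy-OR of the clue confidences, so several weak clues
    raise confidence together without any single one being decisive."""
    score = UNKNOWN + sum(CLUES[c][0] for c in clues)
    score = max(DEFINITELY_BAD, min(DEFINITELY_GOOD, score))
    not_confident = reduce(lambda acc, c: acc * (1.0 - CLUES[c][1]), clues, 1.0)
    return score, round(1.0 - not_confident, 3)

def decide(score, confidence, block_at=30, allow_at=70, min_confidence=0.9):
    """Policy: block (and remediate) or allow only when both the score and
    the confidence justify it; otherwise let it run under containment while
    more clues are gathered (the deck's 'figure out if it's bad' stage)."""
    if score <= block_at and confidence >= min_confidence:
        return "block+remediate"
    if score >= allow_at and confidence >= min_confidence:
        return "allow"
    return "contain"

def demo_trace():
    """Replay the deck's demo: download -> static clues -> execution verdict."""
    static = ["low_age", "low_prevalence", "packed"]
    stages = [("download", []), ("static profile", static),
              ("post-execution", static + ["behavior_malicious",
                                           "memory_scan_malicious"])]
    return [(name, *roll_up(clues), decide(*roll_up(clues)))
            for name, clues in stages]

if __name__ == "__main__":
    for row in demo_trace():
        print("%-15s score=%3d confidence=%.3f -> %s" % row)
```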
Would this work? Check against Carbanak…
Suspicious/Malicious Behavior Category   New Generation Approach
Evasion      Behavior, Containment and Remediation Objects would detect and remove. It’s NOT a “Sandbox” or “Virtual Environment”
Execution    Behavioral Trace would detect abnormal process spawning
Packer       Post-Execution Scanners and Analysis would “unmask” Packed binaries
Network      Behavioral Comparison with known malware activities catches
Autostart    Memory Scanning and Process Monitoring catches
Stealth      Memory Scans and Behavioral Tracing catches
File         Comparison with known malicious file activities would catch
Memory       Caught by Memory Scanning
Source: McAfee Labs 2016
This Meets All Requirements for Success
Table Stakes AV: Builds on top of the existing protection capabilities
Reputation-Aware: Leverages Reputations from all sources: Local, Network, Global.
Multi-Scanner Support: Allows “Mix and Match” Multi-Scanner Support.
Isolation and Containment: Enables use of “Let it run, figure out if it’s bad, keep it from doing bad things…”
Auto-Remediation: Put the endpoint back to the previous state without the user needing to do anything special.
Combine Intelligence: Turn the Endpoint into part of a “Sensor Network”, and integrate detection and response with network and Cloud resources and capabilities
Conclusion
• Situational audit of your own organization
  • Are you in the top-targeted industries?
  • If you were attacked in the ways noted here, would you have a chance to avoid an incident?
  • Does your security posture include “leveraging the grey”?
Intel and the Intel and McAfee logos are trademarks of Intel Corporation or McAfee, Inc. in the US and/or other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2016 McAfee, Inc.