extracting the malware signal from internet noise

Post on 17-Jan-2017


Extracting the Malware Signal from Internet Noise

Andrew Morris, Researcher

# whoami
• Andrew Morris
• Background in offense
• R&D @ Endgame

Tactical Insights from Global Trends
• My network is being scanned/attacked
  – Am I being targeted specifically?
  – Are other people seeing this as well?
• A vulnerability has been disclosed
  – Is anyone probing for this vulnerability?
  – Is anyone exploiting this vulnerability?

Faraday: A Global Network of Sensors
• Untargeted malware
• Geographically & logically dispersed
• Omnidirectional Internet traffic for collection & analysis
• If something is *not* in Faraday, it is likely targeted

Capabilities: iptables, HTTP, Telnet, FTP, SSH, strategic packet capture, custom sensors

Faraday Architecture
[Architecture diagram]

Four Kinds of Traffic on Your Network

The difference between these can be hundreds of thousands of $$ in incident response.

                  Omnidirectional                 Targeted
  Malicious       Worm, Mass Exploit Campaign     Advanced Persistent Threat
  Benign          Search Engines (e.g. Google)    Regular Web User

My Network is Being Attacked

Omnidirectional malicious (the source is hitting sensors everywhere):

$ faraday --ip 123.123.123.123 | wc -l
42013

Targeted malicious (the source has never been seen by the sensor network):

$ faraday --ip 1.2.3.4 | wc -l
0

A Vulnerability Has Been Disclosed
• Is anyone probing for this vulnerability?
• Is anyone massively exploiting this vulnerability?

Cisco CVE-2016-1287: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
• Critical
• Disclosed Feb 10, 2016
• Affects all Cisco ASAs

[Chart: Faraday traffic to port 500, 8-Feb-16 through 10-Feb-16; y-axis 0 to 3000]

Cisco CVE-2016-1287: The spike and diversity of IP addresses over time implies:
• People are not just probing, but actively targeting it
• Where they are coming from
• Who may have known about the vulnerability prior to public disclosure
• It is not (yet) being massively exploited
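The two checks the talk walks through, the "faraday --ip | wc -l" triage of a local alert and the per-day count of distinct sources hitting port 500 around the CVE-2016-1287 disclosure, as an added example that is not code from the talk or from the Faraday project. It assumes a sensor feed of (timestamp, sensor id, source IP, destination port) records; the records and the two-sensor threshold are constructed.

```python
# Added example, not code from the talk or the Faraday project: triage local
# alerts against an omnidirectional sensor feed. All records are constructed.
from collections import defaultdict
from datetime import datetime

# Constructed sensor observations: (timestamp, sensor_id, src_ip, dst_port).
SENSOR_LOG = [
    ("2016-02-08T10:00:00", "sensor-us-1", "123.123.123.123", 23),
    ("2016-02-08T10:05:00", "sensor-eu-1", "123.123.123.123", 23),
    ("2016-02-09T08:00:00", "sensor-ap-1", "123.123.123.123", 22),
    ("2016-02-09T09:00:00", "sensor-us-1", "198.51.100.7", 500),
    ("2016-02-10T01:00:00", "sensor-us-1", "198.51.100.7", 500),
    ("2016-02-10T01:10:00", "sensor-eu-1", "198.51.100.8", 500),
    ("2016-02-10T02:00:00", "sensor-ap-1", "198.51.100.9", 500),
    ("2016-02-10T03:00:00", "sensor-us-2", "203.0.113.5", 500),
]

def sensors_by_source(records):
    """Map each source IP to the set of sensors that saw it (what 'faraday --ip' counts)."""
    seen = defaultdict(set)
    for _ts, sensor, src, _port in records:
        seen[src].add(sensor)
    return seen

def classify_alert(src_ip, seen, min_sensors=2):
    """Label a local alert's source as Internet noise or as likely targeted.

    Seen by several dispersed sensors: it is hitting everyone. Never seen by
    the sensor network: per the talk, it is likely targeting you specifically.
    """
    count = len(seen.get(src_ip, ()))
    if count == 0:
        return "targeted: not observed by any sensor"
    if count < min_sensors:
        return f"indeterminate: seen by {count} sensor"
    return f"omnidirectional: seen by {count} sensors"

def distinct_sources_per_day(records, port):
    """Distinct source IPs per day probing one port, to spot the kind of spike
    the talk shows on port 500 after CVE-2016-1287 was disclosed."""
    per_day = defaultdict(set)
    for ts, _sensor, src, dst_port in records:
        if dst_port == port:
            day = datetime.fromisoformat(ts).date().isoformat()
            per_day[day].add(src)
    return {day: len(ips) for day, ips in sorted(per_day.items())}

if __name__ == "__main__":
    seen = sensors_by_source(SENSOR_LOG)
    for ip in ("123.123.123.123", "1.2.3.4", "203.0.113.5"):
        print(ip, "->", classify_alert(ip, seen))
    print(distinct_sources_per_day(SENSOR_LOG, 500))  # {'2016-02-09': 1, '2016-02-10': 4}
```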

Redis CVE-2015-4335
• Remote code execution vulnerability in Redis
  – Built and deployed a custom Redis sensor less than 24 hours after the vulnerability was published
  – Observed attacker behavior
  – Recorded attacker IP addresses

CVE-????-????
• Traffic observed targeting unknown devices
• No known vulnerabilities on the services running on those ports

Fun Stuff
• Data science early-warning applications
• Dangling DNS
• Bandwidth budget calculation
• Worm tracking
• Search engine spoofing
• Reflected DDoS attacks
• Provider threat model

Really Fun Stuff
• Integration into the Endgame cyber operations platform
  – Visibility into novel attacker techniques
  – Ability to collect new malware samples
  – Input into reputation services
  – Situational awareness

Conclusion
• Determine whether an attack is targeted or not
• Derive Internet-wide vulnerability exploitation attempts
• Collect omnidirectionally targeted malware samples

Questions?

Thank You!
amorris@endgame.com
@andrew___morris
