Fidelis XPS™ Power Tools: Network YARA
Introduction
Threat actors are constantly evolving their tactics, employing new evasion techniques, new ways to trick the user, and new methods to exploit your network infrastructure. While there have been some recent instances of purely destructive attacks, the majority of compromises we examine are attempting to steal something of value. The network defender is tasked with the daunting responsibility of stopping the onslaught of attacks from across the Internet, and protecting their valuable information from theft. The Fidelis XPS™ advanced threat defense solution supports the defender’s goals by providing access to leading edge technological advances and enabling unparalleled detection at unmatched speed to stop a targeted attack.
The network security ecosystem has evolved in lockstep with the threat actors, attempting to stay ahead of them and provide the appropriate defenses. One of the chief goals of network security tools is to quickly and accurately identify a file object entering a network and determine whether that object is malicious. Identification accuracy is important because network defenders do not have the time or resources to chase every lead. They need high confidence that a detected event is in fact something worth investigating. An additional aspect of accuracy is the ability to detect new malicious threats that have not been previously observed in the wild, finding the unknown before it infects your infrastructure. Speed of detection is also a key factor in network defense, because an alert about a compromise is only valuable if the defender has time to react. It is a clear goal of Fidelis XPS to identify malicious behavior as early in the threat lifecycle as possible, giving the defender as much time as possible to thwart the attacker.
Speed and accuracy are key tenets of Fidelis XPS, which is continuously evolving to ensure Fidelis customers stay ahead of the threat actors by identifying the newest threats and doing so at the speed of their business. Incorporating network-based YARA analysis of objects on the wire in real time into Fidelis XPS Deep Session Inspection® provides a new capability to Fidelis customers and the industry, a leap forward in both the ability to find new threats and the speed to stop attackers in their tracks.
Fidelis XPS: The Speed to Prevent
Fidelis XPS is an advanced threat defense solution with three primary components: a management console (Fidelis XPS CommandPost), a network sensor (the Fidelis XPS family of sensors) and a non-selective network memory device (Fidelis XPS Collector). The family of Fidelis XPS sensors is deployed on the network at key monitoring points; for example, where the internal network traffic leaves the enterprise’s control or outside a network data center. In these locations, Fidelis XPS sensors can inspect network traffic in real time and take user-defined granular actions on sessions and session objects that violate a defined policy. The core technology that powers the Fidelis XPS solution is the patented Deep Session Inspection architecture.
Deep Session Inspection®
Most malicious content is obfuscated or embedded in some way to make it through enterprise network security hygiene layers. Fidelis XPS leverages more than twelve years of development on our core intellectual property, Deep Session Inspection, to extract malicious content out of the most obfuscated traffic.
Fidelis XPS’ patented Deep Session Inspection technology reassembles sessions, decodes and analyzes compression, packing, obfuscation, embedded objects, etc. and gets to the core components of a network transmission in real time. This technology is applied to all network protocols, applications, and content types and is successful at decoding traffic types it does not natively understand, such as raw TCP sessions. Through these techniques, Fidelis XPS sees deeper into the content of traffic on the network than any other technology.
The Fidelis XPS Deep Session Inspection engine extracts all objects of interest from network sessions and prioritizes them using a combination of object type, static object decoding, and analysis. Next, in conjunction with the Fidelis XPS policy engine and Insight Threat Intelligence feeds, it passes these objects to further stages of analysis through the Malware Detection Stack, while also extracting session attributes and metadata for detailed analysis and threat determination.
YARA: The Power to Identify
YARA is a malware discovery and classification tool that was written by Víctor Manuel Álvarez from VirusTotal. His tool has gained broad acceptance in the malware analysis and reverse engineering communities as the new de facto standard for creating and sharing malware identification and classification rules. He summarizes the tool best in the introduction of the YARA User’s Manual version 1.6 [http://code.google.com/p/yara-project/]:
“YARA is a tool aimed at helping malware researchers to identify and classify malware families. With YARA you can create descriptions of malware families based on textual or binary information contained on samples of those families. These descriptions, named rules, consist of a set of strings and a Boolean expression, which determines the rule logic. Rules can be applied to files or running processes in order to determine if it belongs to the described malware family.”
This analysis engine lets an analyst write in-depth query statements in a way that is easy to understand and implement. For example, to identify multiple strings in a file object, the analyst can use the condition “all of them”, “any of them”, or “one of them”. This logic can be extended with more involved statements, which allow for deep scanning with an easy-to-understand implementation.
YARA is also supported by a diligent and growing community of malware analysts, network defenders, and reverse engineers who are constantly discovering new techniques and communicating those discoveries via community forums, blogs, and private sharing groups. These rules are shared in a standardized format, which allows security analysts and security products to understand the data structure and quickly implement the intelligence. Most security tools in the market maintain their own proprietary rule-writing language, which makes intelligence sharing and data input a multi-step, difficult process. YARA provides a standardized rule syntax that expedites dissemination and ingestion of actionable intelligence.
Combining the Speed to Prevent with the Power to Identify
YARA is an outstanding and powerful analysis engine, typically employed against data at rest. Deep Session Inspection was designed to operate on data in motion. By incorporating YARA, Fidelis XPS now offers extraordinary file detection, classification, and control over objects moving across your network or across your boundaries in real time.
Harnessing the Power of Deep Session Inspection
YARA excels at malware discovery and classification, but the tool needs to be provided with an object of interest in order to operate. Typically, this would be a file present on disk or an endpoint system’s memory snapshot that has been selected because of an ongoing investigation. This characteristic reduces the effectiveness of detection in the traditional implementation of YARA, since an analyst would need some way of funneling a suspicious object to YARA for investigation. Fidelis XPS takes the approach that all network traffic is of interest and warrants some type of investigation; by using Fidelis XPS Deep Session Inspection as the funnel, we are able to apply YARA analysis to all applicable files entering the enterprise or crossing some boundary in the company.
As Fidelis XPS reassembles a session in real time in memory and decodes and analyzes the content, it also categorizes the file objects discovered. Fidelis XPS can find file objects hidden behind obfuscation, archived objects, compressed files, and many other forms of evasion techniques used by threat actors. Once Fidelis XPS finds the hidden objects, it subjects them to targeted analysis aimed at uncovering the attributes of the particular file type and analyzes the object using our Malware Detection Stack [see our white paper titled Fidelis XPS Power Tools: Malware Detection Stack at http://www.fidelissecurity.com/data-security-resources/white-papers]. At this stage, Fidelis XPS will also apply YARA rules directly to content of interest; for example, YARA rules meant to find malicious executable files will work exclusively against executable file objects found in the network stream.
Leveraging the Community
Malware analysts have been leveraging YARA rules to detect known malware, new variants of malware families, and even previously unknown malware for years. There is a wealth of rules available online and in user communities, with new rules being developed and shared every day. One of the best resources to find YARA sharing communities and additional information on using YARA for analysis is Deep End Research: [http://www.deependresearch.org/2013/02/yara-resources.html].
Fidelis XPS provides a simple user interface for implementing existing YARA rules. Since Fidelis XPS uses the standard YARA syntax for rule creation, an analyst can transition from finding an exciting new rule to defending their enterprise in seconds. This functionality lets your network defense team immediately tap the vast research potential of the entire YARA community. Copy, paste, protect.
Prevent! Prevent! Prevent!
Recently, pundits have stated that the concept of preventing malicious content from entering the enterprise is too difficult and costly to put in place. Instead, they say network defenders should assume they have been infected and focus their time and resources on remediation and containment. At Fidelis, we understand the need for a strong remediation focus and historical evidence collection. Fidelis XPS Collector was created from the need to assist network investigations by providing rich metadata about all network sessions traversing the Fidelis XPS family of sensors. However, we do not believe in letting the malware authors have their way in your network, even for a second. Instead we empower our users to take the fight back to the network ingress point by providing market-leading analysis and prevention of anomalous traffic. YARA is yet another tool in our toolbox allowing network defenders to define a malicious object and prevent it from entering your enterprise. If prevention is not utilized, Fidelis XPS still offers extremely fast detection of malicious or suspicious events in the network, resulting in notification of a policy violation seconds after the event.
Remediation and containment are important aspects of incident response, but giving up on prevention entirely because it is too difficult only ensures that your remediation team will be extremely busy for the foreseeable future. Combining the speed of Fidelis XPS Deep Session Inspection and the power of YARA analysis makes the seemingly difficult problem of prevention suddenly appear simple. With Fidelis XPS, prevention can be a powerful tool in the network defender’s arsenal.
Fidelis XPS Implementation of YARA
Below is an example of implementing a YARA rule for detecting njRAT, a malicious remote administration tool that Fidelis has observed in the field. For more information on njRAT please see the Fidelis Threat Advisory [http://www.threatgeek.com/2013/06/fidelis-threat-advisory-1009-njrat-uncovered.html] or the blog post describing YARA detection rules [http://www.threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html].
Figure 1 shows how the YARA rule posted on the ThreatGeek blog was copied and pasted into the text area shown below in Fidelis XPS CommandPost. The right side of the image shows the granular selection of file objects that can be scanned with this YARA rule. In this example, njRAT is a Windows executable file object, so ‘exe’ is selected. One could just as easily apply this rule to PDF files, Microsoft Office files, and any of the other formats Fidelis XPS detects.
Figure 1 - njRAT YARA Rule Entry in Fidelis XPS
By simply choosing the rule action of “Alert and Prevent” in the Fidelis XPS CommandPost when creating the rule, Fidelis XPS will drop the malicious transmission when it is detected. The figure below shows a YARA alert generated by the transmission of the njRAT malware across the network. This alert highlights the power of Deep Session Inspection: the njRAT file was hidden in a ZIP archive, then a RAR archive, and then base64-encoded, and Fidelis XPS was still able to detect the executable using the YARA rule in real time. Note that the file object that triggered the YARA rule is highlighted by the Fidelis XPS CommandPost in the Decoding Path section on the right of Figure 2. The left section of the image also shows the Violation Information, which contains the name of the Policy and Rule that generated the alert. Rich alert metadata is provided throughout the rest of this alert screen, including source and destination IP addresses, time of alert, attributes extracted from the session, and much more.
Figure 2 - njRAT Alert Generated by YARA Rule
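As an added illustration (not Fidelis code and not real YARA), this Python script models the decoding path described above together with the rule conditions from the YARA section: a captured object is recursively unwrapped (base64, then nested ZIPs; the RAR layer is omitted because the standard library cannot read it), each layer is typed by its leading bytes, and simplified YARA-style rules using “all of them”, “any of them” or “N of them” conditions are applied only to objects of the type they target. The rule strings, object names and sample payload are constructed placeholders, not njRAT indicators.

```python
import base64, binascii, io, zipfile

# Simplified YARA-style rules: strings plus a condition, each scoped to the object
# type it targets, as the paper applies 'exe' rules only to executable objects.
RULES = [  # constructed demo strings, not real njRAT indicators
    {"name": "Demo_PE_Marker", "type": "exe", "condition": "all of them",
     "strings": [b"This program cannot be run in DOS mode", b"DEMO_C2_MARKER"]},
    {"name": "Demo_Text_Marker", "type": "txt", "condition": "any of them",
     "strings": [b"DEMO_C2_MARKER"]},
]

def object_type(data):
    """Classify an object by its leading bytes (a toy stand-in for a real decoder)."""
    if data[:2] == b"MZ":
        return "exe"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    try:
        if data and base64.b64decode(data, validate=True):
            return "base64"
    except (binascii.Error, ValueError):
        pass
    return "txt"
def evaluate(rule, data):
    """'all of them' needs every string, 'any of them' one, 'N of them' at least N."""
    hits = sum(1 for s in rule["strings"] if s in data)
    cond = rule["condition"]
    need = {"all of them": len(rule["strings"]), "any of them": 1}.get(cond)
    return hits >= (int(cond.split()[0]) if need is None else need)
def scan(data, path="session"):
    """Yield (decoding path, rule name) for each match, recursing into containers."""
    kind = object_type(data)
    path = f"{path} -> {kind}"
    for rule in RULES:
        if rule["type"] == kind and evaluate(rule, data):
            yield (path, rule["name"])
    if kind == "base64":
        yield from scan(base64.b64decode(data), path)
    elif kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for name in z.namelist():
                yield from scan(z.read(name), f"{path}[{name}]")
def zip_bytes(name, payload):  # builds a one-entry ZIP for the constructed sample
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(name, payload)
    return buf.getvalue()
def build_sample():  # constructed: fake PE-like object -> ZIP -> ZIP -> base64
    fake_pe = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode\x00DEMO_C2_MARKER\x00"
    return base64.b64encode(zip_bytes("outer.zip", zip_bytes("tool.exe", fake_pe)))
```

Running `list(scan(build_sample()))` yields one hit whose path records every layer that was unwrapped, and the text-scoped rule does not fire on the executable even though its marker string is present.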
Conclusion
The job of a network defender is not a simple one. Your adversaries spend every hour of the day developing and applying new techniques to compromise your network, because they have everything to gain and almost nothing to lose. Unfortunately, there are only so many hours in the day that an analyst can keep watch. It is imperative that we in the security industry work smarter and more efficiently. We need to focus on finding more anomalies to investigate and develop better procedures for weeding out false positives in order to optimize our effective time on target.
Fidelis understands the plight of the network defender, and our mission has always been making the analyst’s job easier and the attacker’s job more difficult. Incorporating a revolutionary new way of inspecting traffic in motion using YARA helps propel us forward in our mission. Fidelis XPS plus YARA enables better detection of malicious objects attempting to penetrate your network, and does so with the speed to prevent the attack. Additionally, Fidelis XPS offers extremely fast detection and rich forensics, allowing correlation and remediation to take place seconds, not days, after an event. With Fidelis XPS you can detect more, faster.