Early Warning System for Targeted Attack using Malware Intelligence (slide transcript)

Post on 26-Jun-2020


6/15/2016 (C) 2016 CYTHEREAL 1

Targeting Advanced Cyber Attacks

Early Warning System for Targeted Attack using Malware Intelligence

Speaker:

Dr. Arun Lakhotia

Professor of Computer Science

16 Years in Malware Research

Sponsored by:

US Department of Defense

DARPA, Air Force, Army

6/15/2016 (C) 2016 CYTHEREAL 2

Founder, CEO

Mission: Targeting Advanced Targeted Attacks

USP: Automated Malware Analytics

My 15 minutes

2003-2007: CajunBot (2003, 2005, 2007)

My second 15 minutes

2010: Founded Lafayette Holi


Current Security Industry Segmentation


Prevent Breach using Indicators of Attack: EPP

Detect Breach using Indicators of Compromise: EDR

Corporate Boundary

Quiz?


Can we leverage Indicators of Attack to PREDICT a potential breach?

Corporate Boundary

Hint


MAXIM: Defender must succeed 99 times; attacker only once.

COROLLARY: Attacker must TRY 99 times before succeeding once.

Corporate Boundary

Targeted Attacks are multi-staged

Initial Compromise -> Establish Foothold -> Escalate Privileges -> Move Laterally -> Steal Data

(Mandiant™ Targeted Attack Cycle)

Targeted Attacks Require Persistence


Attacker must try, and try, and try

Question?



How can we detect persistent attempts?

Malware (still) plays a dominant role in data breaches

Verizon Data Breach Report 2016:

72% of phishes delivered via email

85% include malware

Persistence involves beating AV defenses

Inundate the system with machine-generated variants

ENTERPRISE

Current Limitation: Each Malware is Independent

Trojan.Win.5265

KeyLog.Win.HAB

BadThing.abac

No connection between them

Cythereal’s MAGIC: Connect malware

Connected using shared “Genome”

Patent Pending

Research Sponsored by: DARPA Cyber Genome program

DEMO: magic.cythereal.com

“Google” for Malware

Case Study: Discover Stages of Attack

[Timeline figure: related samples observed from Jul through Feb (Jul, Aug, Aug, Sep, Oct, Dec, Jan, Feb), labelled by stage: Adware, Backdoor, Keylogger]

Cythereal’s Vision


MAGIC Threat Intelligence Exchange

Hub: Global Intelligence

Indicators Exchanged: Malware Genome

Spokes: Local Intelligence

Cythereal’s MAGIC


Learn from Adversary’s Failures

Turn Anti-Virus into an Intelligence Gathering Tool

Connect Malware to Connect Attacks
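The two ideas the deck keeps returning to (slides 13-14: link samples that different AV engines label as unrelated, using shared code; slide 18: treat each blocked sample as a failed attempt and learn from the adversary's repeated failures) are shown below in working form. This is an added example written for this transcript, not Cythereal's MAGIC, its patented "genome" method, or any code from the talk. It assumes a deliberately simple stand-in for shared code: Jaccard similarity over mnemonic 3-grams of a sample's disassembly, with registers, constants and junk `nop` padding ignored, so that machine-generated variants that hash differently still link. The disassembly excerpts, host names, hashes and day offsets are constructed; the AV label strings reuse the deck's own examples; the similarity threshold (0.5) and the alert threshold (3 distinct related samples against one target) are arbitrary choices for illustration.

```python
"""Link blocked malware variants into one persistent campaign.

Added illustrative example; NOT Cythereal's MAGIC or its patented "genome"
method. "Shared code" is approximated with Jaccard similarity over mnemonic
3-grams, one common way to relate machine-generated variants that hash
differently and receive unrelated AV labels.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence, Tuple


@dataclass(frozen=True)
class Detection:
    """One anti-virus block event: a failed attempt by the adversary."""
    sha256: str
    av_label: str
    target: str
    day: int                # day within the observation window
    code: Tuple[str, ...]   # disassembly lines of the blocked sample


def normalize(code: Sequence[str]) -> List[str]:
    """Keep mnemonics only: variant generators rename registers, change
    constants and insert junk (nop) but keep the instruction sequence."""
    out = []
    for line in code:
        parts = line.split()
        if parts and parts[0].lower() != "nop":
            out.append(parts[0].lower())
    return out


def genome(code: Sequence[str], n: int = 3) -> FrozenSet[Tuple[str, ...]]:
    """Mnemonic n-gram set, the stand-in for shared 'genome' here."""
    toks = normalize(code)
    return frozenset(tuple(toks[i:i + n]) for i in range(len(toks) - n + 1))


def jaccard(a: FrozenSet, b: FrozenSet) -> float:
    return 1.0 if not a and not b else len(a & b) / len(a | b)


def cluster(dets: Sequence[Detection], threshold: float = 0.5) -> Dict[str, int]:
    """Union-find over sample pairs whose genomes overlap >= threshold.
    Returns sha256 -> cluster id (ids numbered by first appearance)."""
    parent = list(range(len(dets)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    gen = [genome(d.code) for d in dets]
    for i in range(len(dets)):
        for j in range(i + 1, len(dets)):
            if jaccard(gen[i], gen[j]) >= threshold:
                parent[find(i)] = find(j)
    ids: Dict[int, int] = {}
    return {d.sha256: ids.setdefault(find(i), len(ids)) for i, d in enumerate(dets)}


def early_warnings(dets: Sequence[Detection], threshold: float = 0.5,
                   min_attempts: int = 3) -> List[dict]:
    """Flag (target, cluster) pairs hit by >= min_attempts distinct related
    samples: repeated blocks of one toolset against one victim indicate a
    persistent, targeted attempt rather than independent infections."""
    cid = cluster(dets, threshold)
    groups: Dict[Tuple[str, int], List[Detection]] = {}
    for d in dets:
        groups.setdefault((d.target, cid[d.sha256]), []).append(d)
    warnings = []
    for (target, c), ds in sorted(groups.items()):
        hashes = {d.sha256 for d in ds}
        if len(hashes) >= min_attempts:
            days = [d.day for d in ds]
            warnings.append({"target": target, "cluster": c,
                             "attempts": len(hashes),
                             "span_days": max(days) - min(days),
                             "av_labels": sorted({d.av_label for d in ds})})
    return warnings


# Constructed disassembly (not real malware): three keylogger variants and an
# unrelated adware dropper. V2 renames registers/constants; V3 adds junk nops
# and swaps "xor eax, eax" for "mov eax, 0".
KEYLOG_V1 = ("push ebp", "mov ebp, esp", "sub esp, 0x40", "xor eax, eax",
             "call GetAsyncKeyState", "test eax, eax", "jz short loc_401040",
             "mov byte [edi], al", "inc edi", "cmp edi, ebx",
             "jb short loc_401010", "call WriteFile", "leave", "ret")
KEYLOG_V2 = ("push ebp", "mov ebp, esp", "sub esp, 0x80", "xor ecx, ecx",
             "call GetAsyncKeyState", "test eax, eax", "jz short loc_4020a0",
             "mov byte [esi], al", "inc esi", "cmp esi, edx",
             "jb short loc_402070", "call WriteFile", "leave", "ret")
KEYLOG_V3 = ("push ebp", "nop", "mov ebp, esp", "sub esp, 0x40", "mov eax, 0",
             "nop", "call GetAsyncKeyState", "test eax, eax",
             "jz short loc_403040", "mov byte [edi], al", "inc edi",
             "cmp edi, ebx", "jb short loc_403010", "call WriteFile", "leave", "ret")
ADWARE = ("push ebp", "mov ebp, esp", "call InternetOpenA",
          "call InternetOpenUrlA", "call ShellExecuteA", "xor eax, eax",
          "pop ebp", "ret")

# Constructed block events; AV labels reuse the deck's examples, hosts are made up.
DETECTIONS = [
    Detection("a1", "Trojan.Win.5265", "host-fin-07", 0, KEYLOG_V1),
    Detection("d4", "Adware.Gen", "host-fin-07", 2, ADWARE),
    Detection("b2", "KeyLog.Win.HAB", "host-fin-07", 9, KEYLOG_V2),
    Detection("e5", "Trojan.Win.5265", "host-hr-02", 11, KEYLOG_V1),
    Detection("c3", "BadThing.abac", "host-fin-07", 23, KEYLOG_V3),
]

if __name__ == "__main__":
    for w in early_warnings(DETECTIONS):
        print(w)
```

Run stand-alone, the script reports a single warning: host-fin-07 was hit by three distinct samples of one code family over 23 days, carrying three unrelated vendor labels (the deck's "no connection between them" situation). The single block on host-hr-02 and the adware sample stay below the alert threshold, which is the point: individually each AV block is noise, but the same code family failing repeatedly against the same victim is a predictive indicator of attack rather than a post-hoc indicator of compromise. In practice the similarity measure would be replaced by function-level or semantic code features, and the day window and thresholds tuned to the environment.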


How can you get it?


Giving away FIVE free one-year subscriptions

Register on: magic.cythereal.com
