-
19-03-19
Advanced Technologies vs. Advanced Threats
Timur Biyachuev,
VP Threat Research
-
Kaspersky’s Threat Research Team: Facts About Us
«The malware research team has a well-earned reputation for rapid and accurate malware detection» Gartner
«As far as test results from the independent labs go, Kaspersky is utterly golden. It consistently receives top ratings from the major labs.» PC Magazine
350+ threats analysts, developers, researchers and data scientists
Expert support and technologies for 30+ products and services
5+ billion malware objects
2+ petabytes of threat intelligence (TI) data
260+ patents
346,000 new malicious files detected every day
141,000 new spam letters detected every day
Anti-Malware Research
Content-Filtering Research
Technology Research
Whitelisting Lab
Data Science Lab
Software Security
-
Modern Threat Landscape
-
APT Landscape. KL Public Announcements
Stuxnet
Duqu
Gauss
Flame
miniFlame
NetTraveler
Miniduke
RedOctober
Icefog
Winnti
Kimsuky
TeamSpy
CosmicDuke
Darkhotel
Regin
Careto / The Mask
Epic Turla
Energetic Bear / Crouching Yeti
Wild Neutron
Blue Termite
Spring Dragon
Desert Falcons
Carbanak
Equation
Animal Farm
Darkhotel - part 2
MsnMM Campaigns
Satellite Turla
Hellsing
Sofacy
Naikon
Duqu 2.0
ProjectSauron
Saguaro
StrongPity
Lazarus
Lurk
Adwind
Metel
Ghoul
Fruity Armor
ScarCruft
Poseidon
GCMan
Danti
Dropping Elephant
Moonlight Maze
ATMitch
ShadowPad
BlackOasis
WhiteBear
Silence
WannaCry
Shamoon 2.0
ExPetr/NotPetya
BlueNoroff
StoneDrill
Olympic Destroyer
MuddyWater
Turla over Sofacy
AppleJeus
Hades
Dark Tequila
Octopus
Roaming Mantis
LuckyMouse
VPNFilter
Zebrocy
Ploutos
-
Advanced Threat Taxonomy
Stages: Attack preparation, Delivery, C&C, Execution, Lateral movement, Damage & silent leave
• gather data
• prepare strategy
• non-malware
• hidden
• encrypted
• new domain
• «gray domain»
• payload/command delivery
• hide inside normal activities
• steal credentials
• no violation of anything
• rapid
• silent
• no immediate damage
• hide the traces
• erase from logs
• leave a backdoor
-
Threat Landscape requires new approaches
Prevention systems: prevent
Detection systems: detect
Threat hunting: find unknown evil
-
Advanced Prevention
-
Automatic Exploit Prevention
-
• The classical multilayered approach is not effective against modern threats
• The attacker has the advantage
• Our approach: decisions based on threat context
Threat context is built from cloud data, emulation data, ML-model data and behavior data
Beyond multi-layered approach
-
Signatures, masks and hashes
Classic detection routine
Cloud detection (KSN)
Heuristics based on execution logs
Automatic Exploit Prevention
Deep learning utilizing execution logs (Behavioral Model, prototype)
Heuristics based on emulation logs (Binary and Script Emulator)
Machine learning models
Beyond multi-layered approach
-
Kaspersky multilayered machine learning
Behavioral by execution logs
ML Cloud requests: cloud requests without a model on the client
Behavioral Model: deep learning utilizing execution logs
Astraea: expert system for metadata aggregation
Decision tree ensemble: built by the gradient boosting technique
Behavioral by emulation logs
Cure and detection routines
Locality-Sensitive Hashing: built by orthogonal projection learning
ML model
-
Decision tree ensemble
-
Locality-sensitive hashes
-
Adaptive Anomalies Control
-
Advanced Detection
-
Targeted Attack Analyzer. How it works
-
Detection of suspicious activities: scenario 1
• Spear-phishing leads Machine 1 to an external web server. KES reports: host downloaded a WinPE executable from that IP.
• KATA asks: well-known executable or IP? No. Weak fact recorded: unpopular executable or IP, host 1.
• KES reports: suspicious service is created. KATA: suspicious service, 1 host.
• The same suspicious service is created on further machines (Machine 2, Machine 3, Machine 4 join the picture). KATA: suspicious service, 2 hosts, then 3 hosts.
• KATA combines "unpopular executable or IP, host 1" with "suspicious service: 3 hosts" and raises the verdict Trojan-banker.Carbanak.b.
-
Detection of suspicious activities: scenario 2
• The same start: spear-phishing, and KES on Machine 1 reports a WinPE executable downloaded from an external web server IP. KATA: well-known executable or IP? No. Unpopular executable or IP, host 1.
• KES on Machine 2 reports: PowerShell in service. KATA: suspicious service, powershell inside.
• TAA Agent on Machine 2 reports: connection to an IP (a web server) from PowerShell. KATA: well-known IP? No. Unpopular IP.
• KATA combines "unpopular executable or IP, host 1", "suspicious service: powershell inside" and "unpopular IP" and raises the verdict Trojan-banker.Carbanak.c.
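As an added illustration of the cross-host correlation the two walk-throughs above describe (this is not Kaspersky's code; the event schema, the reputation sets standing in for the cloud lookup and the three-host threshold are assumptions), a small Python correlator that turns per-host KES/TAA-style reports into weak facts and combines them:

```python
from collections import defaultdict

# Constructed telemetry (assumption): one dict per KES / TAA-agent report,
# modelled on the labels in the slides, not on any real product schema.
EVENTS = [
    {"host": "Machine 1", "type": "download", "exe": "dropper.exe", "ip": "203.0.113.10"},
    {"host": "Machine 1", "type": "service_created", "service": "svc_update", "cmd": "dropper.exe"},
    {"host": "Machine 2", "type": "service_created", "service": "svc_update", "cmd": "dropper.exe"},
    {"host": "Machine 3", "type": "service_created", "service": "svc_update", "cmd": "dropper.exe"},
    {"host": "Machine 2", "type": "service_created", "service": "svc_ps", "cmd": "powershell.exe -enc AAAA"},
    {"host": "Machine 2", "type": "connection", "process": "powershell.exe", "ip": "203.0.113.10"},
]

# Stand-in for the "well-known executable or IP?" reputation lookup (assumption).
KNOWN_EXES = {"chrome_installer.exe"}
KNOWN_IPS = {"198.51.100.5"}

SERVICE_HOST_THRESHOLD = 3  # assumption: hosts needed before a service counts as spreading


def correlate(events, known_exes=KNOWN_EXES, known_ips=KNOWN_IPS):
    """Return (per-host weak facts, alerts). Each fact alone is weak; alerts need a combination."""
    facts = defaultdict(set)          # host -> set of weak facts
    service_hosts = defaultdict(set)  # service name -> hosts it was created on
    for e in events:
        h = e["host"]
        if e["type"] == "download" and (e["exe"] not in known_exes or e["ip"] not in known_ips):
            facts[h].add("unpopular executable or IP")
        elif e["type"] == "service_created":
            service_hosts[e["service"]].add(h)
            if "powershell" in e["cmd"].lower():
                facts[h].add("suspicious service: powershell inside")
        elif e["type"] == "connection" and "powershell" in e["process"].lower() and e["ip"] not in known_ips:
            facts[h].add("powershell connection to unpopular IP")

    alerts = []
    unpopular_hosts = {h for h, f in facts.items() if "unpopular executable or IP" in f}
    # Scenario 1: one unpopular download, then the same service appearing on many hosts.
    for svc, hosts in service_hosts.items():
        if len(hosts) >= SERVICE_HOST_THRESHOLD and unpopular_hosts & hosts:
            alerts.append(f"service {svc} on {len(hosts)} hosts after unpopular download on {sorted(unpopular_hosts & hosts)}")
    # Scenario 2: a PowerShell-hosting service plus a PowerShell connection to an unpopular IP.
    for h, f in facts.items():
        if {"suspicious service: powershell inside", "powershell connection to unpopular IP"} <= f:
            alerts.append(f"{h}: powershell service connecting to unpopular IP")
    return dict(facts), alerts
```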
-
Advanced Sandbox. How it works
kaspersky.com/TechnoWiki
10+ patents
https://www.kaspersky.com/enterprise-security/wiki-section/home
-
Advanced Sandbox: Adaptive sandboxing technologies
• Adaptive Sandboxing
  • Allows you to control the behavior of the sample during execution in an isolated environment
• Case study: Purgen
  • Uses anti-evasion techniques during the first 15 minutes of execution
• Case study: Upatre
  • Checks the uptime of the system
  • Checks the environment
-
Advanced Sandbox: Exploit Checker technology
• Exploit Checker
  • Detects anomalies: exceptions, memory allocation and transfer of execution into it, etc. The combination of such events is the detection of a possible exploit
• Case study: Microcin
  • During the pilot, we discovered an exploit that was detected by Exploit Checker
• Case study: Vulnerability in a game driver
  • This driver could be sent code that it would then execute in kernel mode
https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/
https://securelist.com/elevation-of-privileges-in-namco-driver/83707/
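An added example of the event-combination idea behind Exploit Checker (not the product's code; the trace format and the rule are assumptions): a process that raises an exception and later transfers execution into memory it allocated as executable is flagged, while a process that shows only one of those events, such as a JIT that allocates executable memory without faulting, is not:

```python
from collections import defaultdict

# Constructed sandbox trace (assumption): one record per event, in time order,
# covering the three event kinds the slide names.
TRACE = [
    {"pid": 100, "type": "alloc", "base": 0x20000, "size": 0x1000, "prot": "RW"},
    {"pid": 100, "type": "exception", "code": "ACCESS_VIOLATION"},
    {"pid": 100, "type": "alloc", "base": 0x30000, "size": 0x2000, "prot": "RWX"},
    {"pid": 100, "type": "exec_transfer", "address": 0x30040},
    {"pid": 200, "type": "alloc", "base": 0x40000, "size": 0x1000, "prot": "RWX"},  # JIT-like, benign
    {"pid": 200, "type": "exec_transfer", "address": 0x40010},
]


def check_exploit(trace):
    """Per process, remember executable allocations and whether an exception occurred;
    report (pid, address) when control lands in such a region after an exception."""
    exec_regions = defaultdict(list)  # pid -> [(base, end)] of executable allocations
    faulted = set()                   # pids that raised an exception
    findings = []
    for ev in trace:
        pid = ev["pid"]
        if ev["type"] == "alloc" and "X" in ev["prot"]:
            exec_regions[pid].append((ev["base"], ev["base"] + ev["size"]))
        elif ev["type"] == "exception":
            faulted.add(pid)
        elif ev["type"] == "exec_transfer":
            addr = ev["address"]
            in_region = any(base <= addr < end for base, end in exec_regions[pid])
            # Neither event alone is an anomaly; the combination is the detection.
            if in_region and pid in faulted:
                findings.append((pid, addr))
    return findings
```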
-
Threat Hunting
-
Inside Cloud
-
Kaspersky Technowiki: Advanced Cybersecurity technologies
kaspersky.com/TechnoWiki
https://www.kaspersky.com/enterprise-security/wiki-section/home
-
The end
Kaspersky Lab HQ
39A/3 Leningradskoe Shosse
Moscow, 125212, Russian Federation
Tel: +7 (495) 797-8700
www.kaspersky.com