Emerging Persistent Threats: Limitations of Current Security Technologies
Srinivas Mukkamala, PhD, Chief Technology Officer
CAaNES – Computational Analysis and Network Enterprise Solutions
IA Research as a Service (RaaS)
Mobile: 505 948 4305
Who Am I?
• Senior Research Scientist and Adjunct Faculty
  – New Mexico Tech - ICASA
• PhD Computer Science
  – Computational Intelligent Techniques for Intrusion Detection
• US Patent – Computational Intelligence for Intrusion Detection
• One of the Most Cited and Downloaded Papers
  – Intrusion Detection Using Ensemble of Intelligent Paradigms
• Author of 120 Peer Reviewed Publications
• CACTUS Project – One of the Leads
  – Computational Analysis of Cyber Terrorism Against the US
• Managed Several Security Engagements
  – Security Posture Assessments
  – Incident Response and Digital Forensics
Emerging Facilitators – Non Traditional Computing
Integrated Building & Communications Services – Voice/Video/Data
• Fire: Functionality checks, Detector service
• Water: Smart Meters, Use / Flow Sensing
• HVAC: Fans, Variable Air Volume, Air Quality
• Elevators: Maintenance, Performance
• Access/Security: Badge in, Cameras, Integration – Perimeter, Doors, Floors, Occupancy
• Lighting: Occupancy Sensing
• 24/7 Monitoring: Condition Monitoring, Parking Lot Utilization
• Energy: Smart Meters, Demand response
Images from IBM Smart Planet
Are Traditional Methods Working?
[Diagram: Network Access (OSI Layer 1 – 3), Protocols (OSI Layer 4 – 7), Application (New Layer 8+)]
• Network Layer: Perimeter Firewall, Network Firewall, Departmental Firewall, Data Center Firewall, Intrusion Prevention System (IPS) & Deep Inspection Firewall
• Application Layer: Web Application Firewall, Web Application Security (PORT 80, PORT 443) – Behavioral Based Tools?
• Data Layer
Attacks now look to exploit application vulnerabilities: Buffer Overflow, Cross-Site Scripting, SQL/OS Injection, Cookie Poisoning, Hidden-Field Manipulation, Parameter Tampering
Perimeter security is strong, but is open to web traffic
• Infrastructural Intelligence
• Non-compliant Information
• High Information Density = High Value Attack
• Forced Access to Information
A Few Facts About Web App Scanners
Analyzing the Accuracy and Time Costs of Web Application Security Scanners: Larry Suto
[Diagram of scanner scope and test coverage]
• SCOPE: Cloud, Application Enumeration, Data Store, Network
• Crawling: Variables, Validation, Configurations
• Automated Testing: OWASP Top 10, Top 25 Programming Errors, Top 10 Database, Default Items of Interest, XSS, Data Injections, Data Manipulation, Session Management, Non Repudiation
• Manual Testing: Vulnerabilities, Frequent Patterns, Reports; PVS (Port, Protocol, Variable, Script) Location; Advanced Crawling Structure; Logical Attacks, Semantics, Access Controls, Manipulations, Hidden Code, Hidden Variables, Escalation
Stopping Malicious Code
• We’ve reached an inflection point where the latest threats now spread orders of magnitude faster than our ability to respond
• The existing signature based capture/analyze/signature/rollout model fails to address these threats on its own
[Chart (Symantec Research): Contagion Period vs. Signature Response Period, 1990 to current; time scale from months down to days, hrs, mins, secs; threat classes Program Viruses, Macro Viruses, E-mail Worms, Network Worms, Flash Worms; pre-automation vs. post-automation]
Performance of Antivirus Scanners
[Table: detection of Mydoom.A and its variants V1–V7 by scanners N, M1, M2, D, P, K, F, A; the per-cell detect/miss marks are not recoverable, one cell (V5 under M1) is marked "?"]
N – Norton, M1 – McAfee UNIX Scanner, M2 – McAfee, D – Dr. Web, P – Panda, K – Kaspersky, F – F-Secure, A – Anti Ghostbusters
Source: SAVE – Static Analyzer for Vicious Executable, Similarity Analysis Methodology. ACSAC 2004
The Forensics of a QakBot/Variant
[Timeline of three Microsoft bulletins, from vulnerability report to worm]
• Vulnerability reported / Vendor Acknowledges: MS 06-035 – Jan 5 2006; MS 09-001 – Jun 25 2008; MS 10-054 – Feb 11 2010
• Bulletin & patch available (No exploit): MS 06-035 – Aug 2006; MS 09-001 – Jan 13 2009; MS 10-054 – Aug 10 2010
• Exploit code in public: July 17 2006; Sep 14 2008; Aug 11 2010
• Worm in the world: May 7 2009; June 28 2010
Report: Vulnerability in SMB; MS activated response process; News in Security Blogs
Bulletin: MS delivered to customers; Continued outreach to analysts, press, community, partners, government agencies
Exploit: Core – MS 06-035; Anonymous; Stratsec and Source Fire – MS 10-054
Worm: QakBot discovered; variants and other viruses hit simultaneously; New Variant on June 28 2010
MS 06-035 Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution
MS 09-001 Vulnerabilities in SMB Could Allow Remote Code Execution
MS 10-054 Vulnerabilities in SMB Server Could Allow Remote Code Execution
Backdoor:Win32/Qakbot.gen!arc (Trojan.Win32.Bzud.a (Kaspersky)) is a generic detection for an archive file that contains a copy of Backdoor:Win32/Qakbot.

Qakbot – Backdoor:Win32/Qakbot.gen!A (encyclopedia entry; updated May 14, 2010; published May 21, 2009)
Aliases: TrojanSpy:Win32/Botinok (other), Trojan.Spy.Shoe.B (BitDefender), Win32/Qakbot!generic (CA), Trojan-Spy.Win32.Botinok.a (Kaspersky), W32/Pinkslipbot (McAfee), Mal/Qbot-B (Sophos), W32.Qakbot (Symantec), Backdoor.QBot.F (VirusBuster), Backdoor:Win32/Qbot.A (other)
Detection initially created: Definition 1.45.287.0, released Oct 07, 2008

Qakbot Variant – Backdoor:Win32/Qakbot.gen!arc (encyclopedia entry; updated Jul 06, 2010; published Jun 28, 2010)
Aliases: Win32/Qakbot!Data (CA), Trojan.Win32.Bzud.a (Kaspersky), W32/Qbot.W.worm (Panda), Mal/QbotArc-A (Sophos), TROJ_BZUD.SM (Trend Micro)
Detection initially created: Definition 1.85.782.0, released Jun 24, 2010
The Power of Similarity Analysis
• An original malware contains a sequence of System/API calls S
  – An obfuscated version retains the functionality of the original malware and contains a sequence of System/API calls S’
  – Variants created or modifications will generally not change high-level System/API calls if the functionality is retained
• This assumption holds good for Rapid Variants and Polymorphism; however, it might not be true for Metamorphic Malware
• Therefore … S ≈ S’
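As an added illustration (not code from the deck or from the BRAVE framework), the following Python scores the similarity between constructed API-call traces using the three feature views the deck names: API Bag, API Frequency (TF) and API Sequence. The trace contents and sample names are invented for the example, and the choice of Jaccard, cosine and LCS-ratio as the measures is an assumption; scores are on the same 0–100 scale as the similarity matrices in these slides. The variant trace keeps the original's calls in order with junk calls inserted, so S remains a subsequence of S’, which is exactly the case the slide's assumption covers; a metamorphic rewrite that replaced calls would not score this way.

```python
"""Similarity of API-call sequences between an original sample and a variant.

Added example, not from the slides. Three measures over constructed
API-call traces, matching the deck's API Bag / API Frequency (TF) /
API Sequence feature views. Scores are percentages (0-100).
"""
from collections import Counter
from math import sqrt

# Constructed traces: the API names are illustrative, not real malware captures.
SAMPLES = {
    "original.exe": [
        "CreateFileA", "WriteFile", "RegSetValueExA", "CreateProcessA",
        "WSAStartup", "connect", "send",
    ],
    # Same functionality with junk calls inserted: S' keeps S as a subsequence.
    "variant.exe": [
        "GetTickCount", "CreateFileA", "WriteFile", "Sleep", "RegSetValueExA",
        "CreateProcessA", "WSAStartup", "connect", "send", "Sleep",
    ],
    # Unrelated program: no calls in common with the other two.
    "benign.exe": [
        "GetModuleHandleA", "LoadLibraryA", "GetProcAddress", "MessageBoxA",
        "ExitProcess",
    ],
}


def bag_similarity(s, t):
    """API Bag view: Jaccard index of the sets of distinct calls, as a percentage."""
    a, b = set(s), set(t)
    if not a and not b:
        return 100.0
    return 100.0 * len(a & b) / len(a | b)


def frequency_similarity(s, t):
    """API Frequency (TF) view: cosine similarity of the call-count vectors."""
    ca, cb = Counter(s), Counter(t)
    dot = sum(ca[k] * cb[k] for k in ca.keys() & cb.keys())
    norm = sqrt(sum(v * v for v in ca.values())) * sqrt(sum(v * v for v in cb.values()))
    return 100.0 * dot / norm if norm else 0.0


def sequence_similarity(s, t):
    """API Sequence view: longest common subsequence length over the longer trace.

    Call order is preserved, so inserted junk calls lower the score only in
    proportion to how much they pad the trace.
    """
    if not s or not t:
        return 100.0 if s == t else 0.0
    # Standard O(len(s) * len(t)) dynamic-programming LCS, one row at a time.
    prev = [0] * (len(t) + 1)
    for x in s:
        cur = [0]
        for j, y in enumerate(t, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return 100.0 * prev[-1] / max(len(s), len(t))


def similarity_matrix(samples, measure=sequence_similarity):
    """All-pairs matrix in the layout of the slides: {row_name: {column_name: score}}."""
    names = list(samples)
    return {r: {c: measure(samples[r], samples[c]) for c in names} for r in names}


if __name__ == "__main__":
    for measure in (bag_similarity, frequency_similarity, sequence_similarity):
        print(measure.__name__)
        for row, cols in similarity_matrix(SAMPLES, measure).items():
            print("  %-14s" % row, " ".join("%7.2f" % v for v in cols.values()))
```

On these traces the original and its padded variant score 77.8 (bag), 76.4 (frequency) and 70.0 (sequence), while the unrelated program scores 0 on all three, which is the separation the deck relies on when it clusters rapid variants against a reference sample.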
Similarity matrix of sample executables (percent; rows are samples, columns are six reference samples):

               bazjztgqk.exe  bkvmbcmzs.exe  btroyqkix.exe  dqicelous.exe  febimqrjh.exe  fosgwphwn.exe
bazjztgqk.exe  100            73.6786478     78.24114       71.74157       76.071396      76.9073096
bbokuvagc.exe  100            73.6786478     78.24114       71.74157       76.071396      76.9073096
bkvmbcmzs.exe  63.00304       100            71.61254       76.052123      71.813771      66.0121886
btroyqkix.exe  66.94528       72.9347315     100            75.051016      73.192293      53.4822965
bvorgnydm.exe  63.00304       100            71.61254       76.052123      71.813771      66.0121886
cvktxdxlc.exe  63.00304       100            71.61254       76.052123      71.813771      66.0121886
dctiawdew.exe  100            73.6786478     78.24114       71.74157       76.071396      76.9073096
dkcfydapk.exe  63.00304       100            71.61254       76.052123      71.813771      66.0121886
dqicelous.exe  58.84703       63.5237935     68.86642       100            64.549778      77.5841466
dqopbvvgf.exe  63.00304       100            71.61254       76.052123      71.813771      66.0121886
eaodfxaqb.exe  58.84703       63.5237935     68.86642       100            64.549778      77.5841466
evdrdrici.exe  58.84703       63.5237935     68.86642       100            64.549778      77.5841466
fayzieggg.exe  58.84703       63.5237935     68.86642       100            64.549778      77.5841466
febimqrjh.exe  68.95742       73.423462      78.0761        72.817556      100            63.8070003
fosgwphwn.exe  16.29039       30.1519036     18.61352       31.898936      16.205353      100
gedlhqeqs.exe  63.00304       100            71.61254       76.052123      71.813771      66.0121886
gmesqesad.exe  63.00304       100            71.61254       76.052123      71.813771      66.0121886
kmuilexef.exe  58.84703       63.5237935     68.86642       100            64.549778      77.5841466
kmxjjbvsr.exe  100            73.6786478     78.24114       71.74157       76.071396      76.9073096
BRAVE Malware Analysis Framework
[Diagram]
• Inputs: Executables, Scripts, Compressed Files
• Pre-processing: Packing/Unpacking
• Static Analysis and Dynamic Analysis
• Feature Extraction (API Calls): API Bag, API Frequency (TF), API Sequence
• Similarity Measures, Error Correction
• Viewpoints: Similarity, SVMs, Clustering
• Experiments: Normal vs. Malware (Classification/Detection); Malware Original/Variants
• Results: ROC Curves, False Positives, False Negatives; Summary
• Reports: Malware Analysis – Similarity, APIs, Packing, Behavior, Complex
• Knowledge
Similarity Analysis – Malware of Interest
Presented at International Conference on Cyber Warfare 2011; Pending Journal Publication
Similarity Analysis of Popular Malware
Columns, in order: Win32.Bagle.c.mal, Bagle.O.mal, Mydoom.b.mal, Win32.NetSky.ad.mal, Win32.NetSky.aa.mal, Worm.Sasser.D.mal, Worm.Sasser.C.mal, Win32.Sircam.c.mal, Sircam.A.mal, Vundo.FCC.mal, Vundo-2075.mal
Win32.Bagle.c.mal:     100       100       11.98579  11.01129  11.98579  88.3069   88.3069   88.3069   14.1887   14.1887   14.1887
Bagle.j.mal:           90.69986  65.59547  61.35457  64.03873  64.03873  64.03873  64.03873  50.17392  50.17392  76.56955  80.24496
Bagle.al.mal:          99.42608  36.59488  66.43398  57.88603  87.88603  37.88603  87.88603  25.3252   25.3252   55.35997  52.68773
Win32.Bagle.o.mal:     97.48856  100       73.71068  97.73258  97.73258  97.73258  97.73258  48.85909  48.85909  82.69381  71.75364
Win32.Klez.h.mal:      96.64575  11.98579  48.50764  88.3069   88.3069   88.3069   88.3069   14.1887   14.1887   62.47964  17.39779
Win32.NetSky.c.mal:    98.14567  71.55218  67.70674  80.20834  80.20834  80.20834  80.20834  50.58495  50.58495  93.65291  74.65301
Blaster.dam.mal:       97.48856  100       73.71068  97.73258  97.73258  97.73258  97.73258  48.85909  48.85909  82.69381  71.75364
MSWord.Blaster.c.mal:  98.14567  71.55218  67.70674  80.20834  80.20834  80.20834  80.20834  50.58495  50.58495  93.65291  74.65301
CodeRed.c.mal:         66.14461  80.93707  57.67036  62.46689  57.67036  64.03873  64.03873  64.03873  40.96598  40.96598  40.96598
CodeRed.a.mal:         98.14567  71.55218  67.70674  80.20834  80.20834  80.20834  80.20834  50.58495  50.58495  93.65291  74.65301
Similarity Analysis of Popular Malware (continued)
Columns, in order: Win32.Bagle.c.mal, Bagle.O.mal, Mydoom.b.mal, Win32.NetSky.ad.mal, Win32.NetSky.aa.mal, Worm.Sasser.D.mal, Worm.Sasser.C.mal, Win32.Sircam.c.mal, Sircam.A.mal, Vundo.FCC.mal, Vundo-2075.mal
Worm.LoveLetter.DK.mal:  66.14461  12.2884   48.85909  66.14461  65.40386  65.40386  11.70592  3.493751  12.2884   67.62279  81.14634
VBS.LoveLetter.D.mal:    90.69986  65.59547  61.35457  64.03873  64.03873  64.03873  64.03873  50.17392  50.17392  76.56955  80.24496
Worm.Sasser.C.mal:       97.48856  100       73.71068  97.73258  97.73258  97.73258  97.73258  48.85909  48.85909  82.69381  71.75364
Mydoom.b.mal:            92.45689  21.85249  100       76.27815  76.27815  76.27815  76.27815  19.26173  19.26173  84.64828  57.33075
Win32.Sircam.c.mal:      98.80203  70.05651  72.64135  88.91945  88.91945  88.91945  88.91945  100       100       66.91638  65.34238
Vundo.FCC.mal:           99.03418  11.70592  30.69936  100       100       100       100       11.32529  11.32529  100       36.11959
Vundo-2075.mal:          81.18607  33.90044  74.77176  79.91469  79.91469  79.91469  79.91469  26.36764  26.36764  76.20991  100
Vundo.ELC.mal:           97.92501  58.23748  71.91817  81.19189  81.19189  81.19189  81.19189  40.21969  40.21969  79.91435  69.33983
Vundo-1991.mal:          99.03418  11.70592  30.69936  100       100       100       100       11.32529  11.32529  100       36.11959
Vundo.FCC.mal:           72.75943  39.51834  60.72317  54.45216  54.45216  54.45216  54.45216  33.51456  33.51456  70.22576  69.5021
Similarity of Crime Packs
Shell Code and Crime Pack Similarity Analysis
Manoj Cherukuri and Srinivas Mukkamala
Malware Similarity - Clustering
Malware Classification and Visualization
John Donahue and Srinivas Mukkamala
Blog Analysis and Knowledge Exploration
Malware Attribution and Malware Infrastructure Mapping
Manoj Cherukuri and Srinivas Mukkamala
Common Hacker Attack Technique (CHAT)
[Diagram] Phases: Reconnaissance, Scanning, System Access, Damage, Track Coverage
Defense overlay: Indications and Warning Threshold (Defense); Preventive Phase (Defense); Reactive Phase (Defense)
• Reconnaissance: Web-Based Information Collection, Social Engineering
• Scanning: Broad Network Mapping, Targeted Scan
• System Access: Service Vulnerability Exploitation, Privilege Escalation
• Damage: Malicious Code Installation, System File Modification, Binding
• Track Coverage: Log File Changes
• Steal Sensitive Data, Encrypted or Clear
Best Opportunities for Real Time Network Security and to Stall the Attacker
Incident Response
Reduce Attack Surface
• The “Attack Surface” is the sum of the ways in which an attacker can get at you
  – Smaller Attack Surface is better
Which one has the smaller attack surface? [image comparison]