Here are my quick notes from the BruCON 2017 conference. All the slides can be found here.

Detecting malware when it is encrypted – machine learning for network https analysis

The goal is to find a way to detect malware using htps without decrypting the traffic.

Context:

• 1/2 of the world wide Internet traffic is encrypted
• 10%-40% of all malware traffic is encrypted
• the encryption interferes with the efficacy of classical detection techniques

Some solutions to the problems:

• TLS inspection; basically is the reverse proxy which is in the middle between the server and the client
  • advantage – can use the classical detection method
  • drawback – proxy server is expensive.
  • drawback – computationally demanding
• try to find with no HTTPS decryption

Detect malware with no HTTPS decryption

Dataset used:

• ctu-13 dataset
• mcfp dataset
• own normal dataset – public ; accessing 3 days of the sites from Alexa 1000

Used the pro ids product to capture different logs:

• connection.log/s
• ssl.log/s
• x509.log/s

All this logs will be aggregated in order to create ssl aggregations and then generate a ssl-connect-units (each ssl-connect-unit represents a SSL connection). Each ssl-connect-unit have a source IP, destination IP, destination port, protocol and other 40 features (properties) like number of packages, number of bytes, number of different certificates, ratio of established and not established states .

A data set was created from all this ssl-connection-units and machine learning algorithms have been used against this dataset.

(ML) Algorithms used

• XGBoost (Extreme Gradient Boosting)
• Random forest
• Neural network
• svm

After using all this ML algorithms the features that have been identified as the most important ones to detect malware traffic:

• certificate length of validity
• inbound and outbound packets
• number of domains in certificate
• ssl/tls version
•  periodicity

 

Knock Knock… Who’s there? admin admin and get in! An overview of the CMS brute-forcing malware landscape.

The talk was about malware brute force attacks of WordPress web sites which is the most used CMS product.

historical overview of the brute-force malware

2009 – first distributed brute force attack against WordPress
2013 – firstDisco also isntalled backdoors in the system
2014 – Mayhem
2015 – Aetra
2015 – CMS Catcher
2015- Troldeshkey
2017 – Stantinko

deep dive of SATHURBOT malware

modular botnet , 4 modules:

• backdoor module
• crawling module
•  brute force module

Evading Microsoft ATA for Active Directory Domination

Microsoft ATA

• Microsoft Advanced Threat Analytics
• a product that detects attacks by reading traffic
• how is deployed; an ATA gateway that intercepts the traffic

Threats detected by ATA:

• recon
• compromised credentials
• lateral movement
• domain dominance

Evading ATA :

•  not poking the DC (Domain Controller) is the key
• If you can’t bypass it then ovoid it by minimal talk with the DC

Atacking ATA deployment:

• ATA console can be identified with basic banner grabbing.

Secure channels: Building real world crypto systems

What are secure channels – goal is to guarantee the confidentiality and integrity of data travelling over untrusted network.

objectives of a secure channel:

• confidentiality
• integrity establishment
• authenticity

Constructing a secure channel:

• need a way to exchange keys; keys establishment protocol
• need a key derivation phase

Secure channel protocol design phases :

• channel establishment
• key establishment
• secure data transfer
• finish the protocol

How to build efficient security awareness programs

Some quotes from the talk:

• Security problems are arising where more than one security technology are overlapping.
• Stop trying to fix human behavior with tech only;maybe that are other ways to fix that.
• Security isn’t always a business problem, but it’s always a human problem.
• Tools to fix the human factor in security:
  • Fear
  • Incentives
  • Habits
    • trigger
    • routine
    • reward
    • repeat

Open Source Security Orchestration

Context:

• multiple cloud severs, all using same Fail2ban jail.
• How can make the different servers communicate.

In security operations most of the workflows are manual despite of multitude of solutions.
Different scenarios on which the automation could help a lot:

• firewall role propagation scenario
• drop propagation scenario
• prevent known threats scenario
• capture threat activity scenario

How to do the orchestration: using Adaptive Network Protocol (ANP)

• developed so that nodes can share event information with each other
• needed an ANP agent installed on each node.