Here are my quick notes from the BruCON 2017 conference. All the slides can be found here.
The goal is to find a way to detect malware that uses HTTPS without decrypting the traffic.
- half of worldwide Internet traffic is encrypted
- 10%-40% of all malware traffic is encrypted
- the encryption interferes with the efficacy of classical detection techniques
Some solutions to the problems:
- TLS inspection; basically a proxy sitting in the middle between the client and the server
- advantage – can use the classical detection method
- drawback – proxy server is expensive.
- drawback – computationally demanding
- try to detect malware with no HTTPS decryption
Detect malware with no HTTPS decryption
Used the Bro IDS product to capture different logs.
All these logs are aggregated to create SSL aggregations, from which ssl-connect-units are generated (each ssl-connect-unit represents one SSL connection). Each ssl-connect-unit has a source IP, destination IP, destination port, protocol and 40 other features (properties), such as number of packets, number of bytes, number of different certificates, and the ratio of established to not-established connection states.
A dataset was created from all these ssl-connect-units and machine learning algorithms were run against it.
(ML) Algorithms used
- XGBoost (Extreme Gradient Boosting)
- Random forest
- Neural network
After running all these ML algorithms, the features identified as the most important for detecting malware traffic were:
- certificate length of validity
- inbound and outbound packets
- number of domains in certificate
- ssl/tls version
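The aggregation step described above, expressed in code. This is an added example written in the spirit of the talk, not the speakers' code: the connection records are constructed by hand, the field names are assumptions loosely modelled on Bro/Zeek conn, ssl and x509 log columns, and the feature list follows the notes (packets, bytes, distinct certificates, established ratio, certificate validity, domains in the certificate, TLS version). It goes one step beyond the notes by flattening each unit into the numeric row a tree-based classifier such as XGBoost or a random forest would consume.

```python
"""Build ssl-connect-unit feature vectors from per-connection records.

Added example; constructed sample data, assumed field names.
"""
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample: one dict per TCP connection with its SSL and
# certificate fields already joined. "SF" is a normally established and
# terminated connection, "S0" an attempt with no reply, "REJ" a reset.
CONNECTIONS = [
    # a browser on 10.0.0.5 fetching a site with an ordinary one-year cert
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443, "proto": "tcp",
     "state": "SF", "orig_pkts": 14, "resp_pkts": 22, "orig_bytes": 2100,
     "resp_bytes": 48000, "version": "TLSv12", "cert": "CERT_A",
     "not_before": date(2017, 1, 1), "not_after": date(2018, 1, 1), "san": 4},
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443, "proto": "tcp",
     "state": "SF", "orig_pkts": 9, "resp_pkts": 18, "orig_bytes": 1400,
     "resp_bytes": 36000, "version": "TLSv12", "cert": "CERT_A",
     "not_before": date(2017, 1, 1), "not_after": date(2018, 1, 1), "san": 4},
    # a host on 10.0.0.9 talking to one address: ten-day cert, tiny
    # exchanges, old TLS version, and two of three attempts fail
    {"src": "10.0.0.9", "dst": "198.51.100.7", "dport": 443, "proto": "tcp",
     "state": "SF", "orig_pkts": 6, "resp_pkts": 5, "orig_bytes": 600,
     "resp_bytes": 400, "version": "TLSv10", "cert": "CERT_B",
     "not_before": date(2017, 9, 1), "not_after": date(2017, 9, 11), "san": 1},
    {"src": "10.0.0.9", "dst": "198.51.100.7", "dport": 443, "proto": "tcp",
     "state": "S0", "orig_pkts": 3, "resp_pkts": 0, "orig_bytes": 180,
     "resp_bytes": 0, "version": None, "cert": None,
     "not_before": None, "not_after": None, "san": 0},
    {"src": "10.0.0.9", "dst": "198.51.100.7", "dport": 443, "proto": "tcp",
     "state": "REJ", "orig_pkts": 2, "resp_pkts": 1, "orig_bytes": 120,
     "resp_bytes": 40, "version": None, "cert": None,
     "not_before": None, "not_after": None, "san": 0},
]

# Rank order so "lowest version seen" becomes a number a tree can split on.
VERSION_RANK = {"SSLv3": 0, "TLSv10": 1, "TLSv11": 2, "TLSv12": 3, "TLSv13": 4}

FEATURE_ORDER = ["connections", "inbound_pkts", "outbound_pkts", "inbound_bytes",
                 "outbound_bytes", "distinct_certs", "established_ratio",
                 "mean_cert_validity_days", "mean_domains_in_cert",
                 "lowest_tls_version"]


def build_ssl_connect_units(connections):
    """Group connections by (src, dst, dport, proto) and aggregate features."""
    groups = defaultdict(list)
    for c in connections:
        groups[(c["src"], c["dst"], c["dport"], c["proto"])].append(c)
    units = {}
    for key, conns in groups.items():
        with_cert = [c for c in conns if c["cert"]]
        established = sum(1 for c in conns if c["state"] == "SF")
        versions = [VERSION_RANK[c["version"]] for c in conns if c["version"]]
        units[key] = {
            "connections": len(conns),
            "inbound_pkts": sum(c["resp_pkts"] for c in conns),
            "outbound_pkts": sum(c["orig_pkts"] for c in conns),
            "inbound_bytes": sum(c["resp_bytes"] for c in conns),
            "outbound_bytes": sum(c["orig_bytes"] for c in conns),
            "distinct_certs": len({c["cert"] for c in with_cert}),
            "established_ratio": established / len(conns),
            "mean_cert_validity_days": mean(
                (c["not_after"] - c["not_before"]).days for c in with_cert
            ) if with_cert else 0.0,
            "mean_domains_in_cert": mean(c["san"] for c in with_cert) if with_cert else 0.0,
            # -1 marks "no handshake completed", distinct from any real version
            "lowest_tls_version": min(versions) if versions else -1,
        }
    return units


def to_vector(unit):
    """Flatten one unit into the numeric row a classifier consumes."""
    return [float(unit[name]) for name in FEATURE_ORDER]


if __name__ == "__main__":
    for key, unit in build_ssl_connect_units(CONNECTIONS).items():
        print(key, to_vector(unit))
```

On the constructed data the two units separate exactly on the features the talk ranks highest: the beaconing host shows a ten-day certificate validity, one domain in the certificate, TLS 1.0 and a low established ratio, while the browser shows a one-year certificate and only completed handshakes.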
This talk was about malware brute-force attacks against WordPress web sites, WordPress being the most widely used CMS product.
Historical overview of brute-force malware:
2009 – first distributed brute force attack against WordPress
2013 – Fort Disco, which also installed backdoors on the system
2014 – Mayhem
2015 – Aethra
2015 – CMS Catcher
2017 – Stantinko
Deep dive into the SATHURBOT malware:
modular botnet, 4 modules:
- backdoor module
- crawling module
- brute force module
- Microsoft Advanced Threat Analytics
- a product that detects attacks by reading traffic
- how it is deployed: an ATA gateway that intercepts the traffic
Threats detected by ATA:
- compromised credentials
- lateral movement
- domain dominance
Evading ATA:
- not poking the DC (Domain Controller) is the key
- If you can’t bypass it, then avoid it by talking to the DC as little as possible
Attacking an ATA deployment:
- ATA console can be identified with basic banner grabbing.
What are secure channels? The goal is to guarantee the confidentiality and integrity of data travelling over an untrusted network.
Objectives of a secure channel:
- integrity establishment
Constructing a secure channel:
- need a way to exchange keys; a key establishment protocol
- need a key derivation phase
Secure channel protocol design phases:
- channel establishment
- key establishment
- secure data transfer
- finish the protocol
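The four design phases above, walked through with both sides of a session in code. This is an added example, not the speaker's material: the Diffie-Hellman group is a deliberately tiny stand-in (assume X25519 or a 2048-bit MODP group in practice), the record cipher is an HMAC keystream standing in for a real AEAD so the block needs only the standard library, and the message layout (kind byte, sequence number, body, tag) is an assumption chosen for the example. What it shows is the structure: fresh nonces at channel establishment, a shared secret from key establishment, directional keys from an HKDF derivation bound to the transcript, encrypt-then-MAC records with sequence numbers that catch tampering and replay, and an explicit finish after which the receiver accepts nothing more.

```python
"""Toy secure channel: establishment, key exchange, key derivation,
protected transfer, finish. Added example; toy group and toy cipher."""
import hashlib
import hmac
import secrets
import struct

# Phases 1-2: toy Diffie-Hellman. 2**127 - 1 is prime but far too small
# for real use; assumed stand-in for X25519 or a 2048-bit MODP group.
P = 2 ** 127 - 1
G = 3


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    if not 1 < peer_pub < P - 1:       # reject trivial public values
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P).to_bytes(16, "big")


# Phase 3: HKDF-SHA256 (RFC 5869) turns the shared secret into traffic keys.
def hkdf(ikm, salt, info, length):
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(shared, transcript):
    """Separate encryption and MAC keys per direction, bound to the transcript."""
    km = hkdf(shared, hashlib.sha256(transcript).digest(), b"toy channel v1", 128)
    return {"c2s_enc": km[0:32], "c2s_mac": km[32:64],
            "s2c_enc": km[64:96], "s2c_mac": km[96:128]}


# Phases 4-5: record = kind (1 byte) || seq (8 bytes) || body || tag (32 bytes)
class Endpoint:
    def __init__(self, keys, role):
        out, inn = ("c2s", "s2c") if role == "client" else ("s2c", "c2s")
        self.send_enc, self.send_mac = keys[out + "_enc"], keys[out + "_mac"]
        self.recv_enc, self.recv_mac = keys[inn + "_enc"], keys[inn + "_mac"]
        self.send_seq = self.recv_seq = 0
        self.closed = False

    @staticmethod
    def _keystream(key, seq, length):
        # HMAC in counter mode as a stand-in for a real stream cipher / AEAD
        blocks = (hmac.new(key, struct.pack(">QI", seq, i), hashlib.sha256).digest()
                  for i in range((length + 31) // 32))
        return b"".join(blocks)[:length]

    def seal(self, plaintext, kind=b"D"):
        header = kind + struct.pack(">Q", self.send_seq)
        ks = self._keystream(self.send_enc, self.send_seq, len(plaintext))
        body = bytes(p ^ k for p, k in zip(plaintext, ks))
        tag = hmac.new(self.send_mac, header + body, hashlib.sha256).digest()
        self.send_seq += 1
        return header + body + tag

    def open(self, record):
        if self.closed:
            raise ValueError("channel already finished")
        if len(record) < 41:
            raise ValueError("truncated record")
        header, body, tag = record[:9], record[9:-32], record[-32:]
        expected = hmac.new(self.recv_mac, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # integrity first, constant time
            raise ValueError("integrity check failed")
        seq = struct.unpack(">Q", header[1:])[0]
        if seq != self.recv_seq:                      # replay / reorder protection
            raise ValueError("replayed or reordered record")
        self.recv_seq += 1
        ks = self._keystream(self.recv_enc, seq, len(body))
        plaintext = bytes(c ^ k for c, k in zip(body, ks))
        if header[:1] == b"F":                        # phase 5: peer finished
            self.closed = True
        return header[:1], plaintext


def rejects(endpoint, record):
    """True if the endpoint refuses the record (tampered, replayed, truncated, or after finish)."""
    try:
        endpoint.open(record)
        return False
    except ValueError:
        return True


def run_session(messages):
    """Both sides of one session; returns what the server read and whether it saw the finish."""
    c_nonce, s_nonce = secrets.token_bytes(16), secrets.token_bytes(16)  # phase 1
    c_priv, c_pub = dh_keypair()                                         # phase 2
    s_priv, s_pub = dh_keypair()
    transcript = c_nonce + s_nonce + c_pub.to_bytes(16, "big") + s_pub.to_bytes(16, "big")
    client = Endpoint(derive_keys(dh_shared(c_priv, s_pub), transcript), "client")
    server = Endpoint(derive_keys(dh_shared(s_priv, c_pub), transcript), "server")
    received = [server.open(client.seal(m))[1] for m in messages]        # phase 4
    server.open(client.seal(b"", kind=b"F"))                             # phase 5
    return received, server.closed
```

Binding the derived keys to the transcript (both nonces and both public values) is what ties the data-transfer phase to the establishment phase; without it, a session key could be transplanted into a different exchange, and checking the tag before looking at the sequence number keeps the receiver's behaviour independent of unauthenticated bytes.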
Some quotes from the talk:
- Security problems arise where more than one security technology overlaps.
- Stop trying to fix human behavior with tech only; maybe there are other ways to fix that.
- Security isn’t always a business problem, but it’s always a human problem.
- Tools to fix the human factor in security:
- multiple cloud servers, all using the same Fail2ban jail.
- How can we make the different servers communicate?
In security operations most of the workflows are manual, despite the multitude of solutions.
Different scenarios in which automation could help a lot:
- firewall rule propagation scenario
- drop propagation scenario
- prevent known threats scenario
- capture threat activity scenario
How to do the orchestration: using Adaptive Network Protocol (ANP)
- developed so that nodes can share event information with each other
- an ANP agent needs to be installed on each node.
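The drop-propagation scenario, which is also the answer to the Fail2ban question above (several cloud servers sharing one jail and needing to talk to each other), sketched as an added example. This is not ANP and not the speaker's agent; the message format, the HMAC signature over a shared key, the event id and the clock-skew window are all assumptions chosen so that a ban raised on one node can be applied on its peers while forged, tampered, replayed or stale events are dropped.

```python
"""Share ban events between nodes so one node's jail entry propagates.
Added example; constructed message format, not ANP."""
import hashlib
import hmac
import json
import time


class Node:
    def __init__(self, name, shared_key, ban_seconds=3600):
        self.name = name
        self.key = shared_key           # assumption: all nodes share one secret
        self.ban_seconds = ban_seconds
        self.jail = {}                  # ip -> expiry timestamp
        self.seen = set()               # event ids already applied (replay guard)

    def _sign(self, body):
        return hmac.new(self.key, body, hashlib.sha256).hexdigest()

    def ban(self, ip, now=None):
        """Ban locally (as the jail would) and return a signed event for the peers."""
        now = time.time() if now is None else now
        event = {"id": f"{self.name}:{ip}:{int(now)}", "source": self.name,
                 "action": "ban", "ip": ip, "ts": now, "ttl": self.ban_seconds}
        self.jail[ip] = now + self.ban_seconds
        self.seen.add(event["id"])      # do not re-apply our own event if it echoes back
        body = json.dumps(event, sort_keys=True).encode()
        return {"body": body, "sig": self._sign(body)}

    def receive(self, message, now=None, max_skew=300):
        """Apply a peer's event; return True only if it was accepted."""
        now = time.time() if now is None else now
        body, sig = message["body"], message["sig"]
        if not hmac.compare_digest(sig, self._sign(body)):
            return False                # forged or tampered: wrong key or altered body
        event = json.loads(body)
        if event["id"] in self.seen or abs(now - event["ts"]) > max_skew:
            return False                # replayed or outside the accepted time window
        if event["action"] != "ban":
            return False                # only one action is understood here
        self.seen.add(event["id"])
        self.jail[event["ip"]] = event["ts"] + event["ttl"]
        return True

    def is_banned(self, ip, now=None):
        now = time.time() if now is None else now
        expiry = self.jail.get(ip)
        return expiry is not None and expiry > now


def propagate(nodes, message, now=None):
    """Deliver one event to every node; return how many accepted it."""
    return sum(1 for node in nodes if node.receive(message, now))


if __name__ == "__main__":
    key = b"constructed-shared-key"
    web = [Node(f"web-{i}", key) for i in range(1, 4)]
    event = web[0].ban("192.0.2.44")
    print("accepted by", propagate(web[1:], event), "peers")
```

Expiry travels with the event (`ts + ttl`) rather than being recomputed on arrival, so all nodes release the address at the same time; the `seen` set plus the skew window is what stops an old captured event from re-banning an address indefinitely.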