Malware Economics and its Implication to Anti-Malware Situational Awareness
Arun Lakhotia, Univ of Louisiana-Lafayette
Vivek Notani, Cythereal
Charles LeDoux, Cythereal
Presented at CyberSA, June 11-12, 2018 Glasgow
6/22/2018 (C) 2018 Lakhotia, Notani, & Ledoux. 1
Motivation: Attackers try, try, and try
Can we gain situational awareness from attackers' attempts?
Try, Try, and Try done using reuse and variants
“Last year's most common malware, Conficker, was based on a 7-year-old vulnerability”.
- Gartner Predicts 2017- Threat and Vulnerabilities
“Over 90% of all malware attacks are by unique variants”
- Webroot
Malware economics drive reuse and variants
Key Idea: Detect repeated attack by shared code
Cythereal MAGIC: Search engine for malware
Malware data show very high sharing of code
Case Study
• Financial Services company profile
  • 120,000 servers, 60 countries
  • Have in-house, trained staff in malware analysis
  • Separate Security Op and Threat Investigation Op
• Data
  • Selection of 463 binaries
  • VirusTotal first seen: Jun 2006 to April 2014
  • Unseen: 18 binaries
  • Size: 95th percentile 700Kb
Finding: High variations in AV Detection rate
Finding: Clusters of malware with shared code
Finding: Different methods to breach security
Results validated using BinDiff
Conclusions
• Advanced attackers repeatedly probe the defense, until they succeed
• Repeated attempts are performed using malware variants
• Sharing of code can provide an indication of repeated attempts
• Cythereal MAGIC provides capability to search/cluster malware based on shared code
• Case study affirms that clustering malware variants can provide situational awareness of the threat environment.
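The shared-code clustering the conclusions describe, as an added illustration that is not the authors' or Cythereal MAGIC's code: each sample is reduced to a set of code fingerprints, samples are linked when their Jaccard similarity meets a threshold, and an unseen binary is checked against the known set to surface a likely repeat attempt. The fingerprinting scheme and the 0.4 threshold are assumptions, and the fingerprint sets are constructed.

```python
"""Cluster malware samples by shared code (added illustration).

Assumption: each sample is reduced to a set of code fingerprints (e.g. hashes
of normalised function bodies); samples sharing enough fingerprints are
treated as variants. The fingerprint sets below are constructed, not real.
"""
from itertools import combinations

# Constructed: sample name -> set of fingerprints of its functions.
SAMPLES = {
    "a1": {"f01", "f02", "f03", "f04", "f05"},
    "a2": {"f01", "f02", "f03", "f04", "f06"},   # variant of a1
    "a3": {"f02", "f03", "f04", "f07", "f08"},   # variant of a1/a2
    "b1": {"g01", "g02", "g03"},
    "b2": {"g01", "g02", "g04"},                  # variant of b1
    "c1": {"h01", "h02", "h03", "h04"},           # unrelated
}

def jaccard(a: set, b: set) -> float:
    """Fraction of fingerprints shared between two samples."""
    return len(a & b) / len(a | b) if (a or b) else 0.0

def cluster(samples: dict, threshold: float = 0.4) -> list:
    """Union-find: link any two samples whose similarity meets the threshold."""
    parent = {name: name for name in samples}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x
    for x, y in combinations(samples, 2):
        if jaccard(samples[x], samples[y]) >= threshold:
            parent[find(x)] = find(y)
    groups = {}
    for name in samples:
        groups.setdefault(find(name), set()).add(name)
    return sorted(groups.values(), key=lambda g: sorted(g))

def related_known(unseen: set, samples: dict, threshold: float = 0.4) -> list:
    """Known samples an unseen binary shares code with: evidence of a repeat attempt."""
    return sorted(n for n, fp in samples.items() if jaccard(unseen, fp) >= threshold)

if __name__ == "__main__":
    for group in cluster(SAMPLES):
        print(sorted(group))
    # Constructed "unseen" binary that reuses most of a1's code.
    print(related_known({"f01", "f02", "f03", "f09"}, SAMPLES))
```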