Advanced malware detection through threat intelligence

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Transcript of Advanced malware detection through threat intelligence

Page 1


Advanced malware detection through threat intelligence

Javier Inclan, ArcSight Security Solutions and Content Development, Manager

Page 2


Malware detection considerations

Use case definition can be challenging these days:
• Malicious code is becoming more difficult to detect
• A lack of anti-virus product signatures leaves our network exposed
• Malware directed by a controller (command and control server) can expand its footprint very quickly!
• Firewall logs can be used to identify malware traffic, but what exactly are we looking for?

Page 3


Scenario

Problem statements:
• The Security team at ACME Inc. has reasons to believe that malware has been disseminated within different corporate servers and employee workstations
• The SOC analysts identified abnormal outbound/inbound traffic across multiple corporate firewalls to/from external servers
• The CSO is concerned about malware infections and BOT activities to gain control of corporate assets through Command and Control Servers

Page 4


Why is threat intelligence important?

• ArcSight ESM allows customers to benefit from open-source threat intelligence information available on the internet
• Threat intelligence sources provide information from the Internet that can be used by ESM resources (rules, dashboards, active lists, etc.) to identify systems on your network attempting to access known malicious domains and IP addresses
• Communication with well-known malicious destinations may indicate the presence of malware, command and control server infections, advanced persistent threats, botnets, and other malicious activities. Combining threat intelligence information with ArcSight ESM allows organizations to quickly identify and mitigate these threats, reducing adverse impacts and saving time and money!

Page 5


Threat intelligence sources

• SANS Internet Storm Center – The ISC was created in 2001 following the successful detection, analysis, and widespread warning of the Li0n worm. Today, the ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers

• Zeus Tracker – The abuse.ch ZeuS Tracker provides you the possibility to track ZeuS Command & Control servers (C&C) and malicious hosts who are hosting ZeuS files. The tracker captures and tracks the ZeuS hosts as well as the associated configuration files, binaries and drop zones. The main focus is to provide system administrators the possibility to block well-known ZeuS hosts and avoid ZeuS infections in their networks

Page 6


Threat intelligence sources (continued)

• SpyEye Tracker – The SpyEye Tracker is another project by abuse.ch. It is similar to the ZeuS Tracker, with the slight difference that SpyEye Tracker tracks and monitors malicious SpyEye Command & Control Servers (and not ZeuS C&Cs). SpyEye Tracker provides block lists in different formats (e.g. for Squid Web-Proxy or iptables) to prevent infected clients from accessing the C&C servers

• Palevo Tracker – Palevo Tracker offers three different blocklists which can be used to block the access to well known Palevo botnet C&Cs: Domain, IP and Combined Blocklist

• Project HoneyPot – Project Honey Pot is the first and only distributed system for identifying spammers and the spambots they use to scrape addresses from your website. Information is obtained from their worldwide network of honey pots

Page 7


Threat intelligence sources are very useful, but what else do I need?

Building a malware detection use case (diagram): Rules, Dashboards, Reports, Notifications

“I want to use ArcSight to solve my specific problems, but have no idea where to start!”

Page 8


Building a malware detection use case based on outbound traffic

Requirement statement: Fire an alert when a corporate asset is communicating with a well-known malware server (outbound traffic)

Data sources:
• Threat intelligence sources
• Firewall logs

Page 9


Building a malware detection use case based on outbound traffic

Designing ESM content (diagram):
• Threat intelligence sources
• Active list: Zeus hosts
• Filter: firewall traffic to Zeus hosts
• Rule: outbound malware detection
• Active list: outbound bot infected assets

Page 10


Building a malware detection use case based on outbound traffic

Create an Active List “Zeus Hosts”
• Field-based
  – IP address
• Obtain IP address blocklists from Zeus Tracker
• Populate Zeus Servers Active List using Import CSV File…

Page 11


Zeus Hosts Active List (populated)

Page 12


Building a malware detection use case based on outbound traffic

BOT infected assets Active List “Bot Infected Systems”
• Tracks internal hosts communicating with IPs found in Zeus Hosts Servers Active List
  – Internal Host IP Address
  – Internal Host Name
  – Internal Host Zone
• Populate using a Rule (next slides) “Outbound Malware Communication Detected”

Adding the “Customer” field in Active Lists and Aggregation in Rules is a best practice as a part of the ESM Network Model

Page 13


Building a malware detection use case based on outbound traffic

Filter to capture outbound malware traffic “Bot Infected Systems”
• Captures internal hosts communicating with IPs found in Zeus Hosts Servers Active List
  – Internal Host IP Address
  – Internal Host Name
  – Internal Host Zone

*The use of Network Model information is not covered in this example but is highly recommended

Page 14


Building a malware detection use case based on outbound traffic

Rule conditions

Page 15


Building a malware detection use case based on outbound traffic

Rule aggregation

Page 16


Building a malware detection use case based on outbound traffic

Rule actions

Page 17


Building a malware detection use case based on outbound traffic

Active Channel displaying Correlation Events

Page 18


Building a malware detection use case based on outbound traffic

Active List with information about BOT Infected Systems

Page 19


Advanced Persistent Threat – Command and Control Servers Threat Monitoring

Use case definition

Requirement statement: Create an alert when corporate assets are confirmed to be controlled by a Malware Control Server

Page 20


Building a Command and Control Servers Threat Monitoring use case

Designing ESM content (diagram):
• Firewall events
• Active Lists: Zeus Hosts
• Filter: firewall traffic from Zeus Hosts
• Rule: inbound traffic from Command Control Servers

Page 21


Building a Command and Control Servers Threat Monitoring use case

Create a filter that is looking for Zeus Hosts inbound traffic into corporate assets

Page 22


Building a Command and Control Servers Threat Monitoring use case

Rule conditions

Page 23


Building a Command and Control Servers Threat Monitoring use case

Rule aggregation

Page 24


Building a Command and Control Servers Threat Monitoring use case

Rule actions

Page 25


Building a Command and Control Servers Threat Monitoring use case

Active List

Active List intended for tracking assets under Command and Control Server attacks. Advanced Persistent Threat footprint progression and damage could be evaluated by the information in this Active List.

Page 26


Building a Command and Control Servers Threat Monitoring use case

Active Channel with correlation events confirming the presence of Command and Control Servers activities within corporate assets
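Both use cases in this deck, the outbound “Bot Infected Systems” rule (pages 8 to 18) and the inbound Command and Control monitoring rule (pages 19 to 26), as one added Python example that is not code from the presentation or from ArcSight ESM: the blocklist CSV, the firewall events, their field names and the 10.x internal-zone stand-in are constructed assumptions, and the active lists are plain dictionaries.

```python
import csv
import io

# Constructed blocklist in the one-column CSV shape imported into the
# "Zeus Hosts" active list; addresses are documentation ranges, not real C&C.
ZEUS_TRACKER_CSV = "ip\n203.0.113.10\n198.51.100.7\n"

# Constructed firewall events as key=value lines (field names are assumptions;
# a real connector would normalize them into CEF fields).
FIREWALL_LOG = """\
action=allow src=10.1.2.3 srcHost=ws-0123 srcZone=Corp-Workstations dst=203.0.113.10 dport=443
action=allow src=10.1.2.3 srcHost=ws-0123 srcZone=Corp-Workstations dst=93.184.216.34 dport=80
action=deny src=10.1.7.7 srcHost=ws-0777 srcZone=Corp-Workstations dst=203.0.113.10 dport=80
action=allow src=10.1.2.3 srcHost=ws-0123 srcZone=Corp-Workstations dst=203.0.113.10 dport=443
action=allow src=198.51.100.7 dst=10.1.5.9 dstHost=srv-web01 dstZone=Corp-Servers dport=8080
action=deny src=198.51.100.7 dst=10.1.5.10 dstHost=srv-web02 dstZone=Corp-Servers dport=22
"""

INTERNAL_PREFIXES = ("10.",)  # stand-in for the ESM network model's internal zones

def load_active_list(csv_text):
    """Active list 'Zeus Hosts': field-based on IP address, filled by CSV import."""
    return {row["ip"].strip() for row in csv.DictReader(io.StringIO(csv_text))}

def parse_event(line):
    return dict(kv.split("=", 1) for kv in line.split())

def correlate(log_text, zeus_hosts):
    """Filter + rule + action for both use cases, aggregated per internal host.

    Outbound 'Bot Infected Systems': any attempt to reach a Zeus host counts,
    denied or not, since the attempt itself indicates infection. Inbound
    'C&C Controlled Assets': only allowed sessions count (confirmed control).
    """
    bot_infected, cc_controlled = {}, {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        src, dst = ev["src"], ev["dst"]
        if src.startswith(INTERNAL_PREFIXES) and dst in zeus_hosts:
            entry = bot_infected.setdefault(src, {"host": ev.get("srcHost", ""),
                                                  "zone": ev.get("srcZone", ""), "count": 0})
            entry["count"] += 1
        elif src in zeus_hosts and dst.startswith(INTERNAL_PREFIXES) and ev["action"] == "allow":
            entry = cc_controlled.setdefault(dst, {"host": ev.get("dstHost", ""),
                                                   "zone": ev.get("dstZone", ""), "count": 0})
            entry["count"] += 1
    return bot_infected, cc_controlled
```

Running `correlate(FIREWALL_LOG, load_active_list(ZEUS_TRACKER_CSV))` yields two bot-infected workstations (one of them only ever denied) and one server confirmed as C&C-controlled; the denied inbound attempt against srv-web02 is deliberately not treated as confirmation.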

Page 27


Please give me your feedback

Use the mobile app:
1. Click on Sessions
2. Click on this session
3. Click on Rate Session

Or use the hard copy surveys

Thank you for providing your feedback, which helps us enhance content for future events.

Session TB3264, Speaker Javier Inclan

Page 28


Thank you

Page 29