NAVIGATING THE THREAT LANDSCAPE: A practical guide


David Emm, Principal Security Researcher
Global Research & Analysis Team, Kaspersky Lab
usa.kaspersky.com/business-security

Contents

Chapter 1  The evolution of malware  3
Chapter 2  How malware spreads  9
Chapter 3  Malware: on the move as much as you are  12
Chapter 4  Are you in the firing line? A new era of targeted attacks  14
Chapter 5  The human factor in security  15
Chapter 6  Anti-malware technologies  16
Chapter 7  10 Top tips for creating security awareness in your organization  19

About the author

David Emm, Principal Security Researcher, Global Research & Analysis Team (GReAT)

David Emm is Principal Security Researcher at Kaspersky Lab, a provider of security and threat management solutions. He has been with Kaspersky Lab since 2004 and is currently part of the company’s Global Research & Analysis Team. He has worked in the anti-malware industry since 1990 in a variety of roles, including Senior Technology Consultant at Dr Solomon’s Software, and Systems Engineer and Product Manager at McAfee.

In his current role, David regularly delivers presentations on malware and other IT threats at exhibitions and events, highlighting what organizations and consumers can do to stay safe online. He also provides comment to broadcast and media on the ever-changing cybersecurity and threat landscape. David has a strong interest in malware, ID theft and the security industry in general. He is a knowledgeable advisor on all aspects of online security.

Chapter 1: The evolution of malware

It’s over 25 years since the first PC viruses appeared. Since then, the nature of the threat has changed significantly and today the threats are more complex than ever before.

In recent years, the Kaspersky Lab Global IT Risks Survey has highlighted changes in working practices, all of which have had a significant impact on corporate security. These include growing mobility and the trend towards bring your own device (BYOD); the storage of business data in the cloud; the increased use of virtualized systems; and the widespread use of social media at work.

Security concerns around these developments continue to figure highly in the survey, and, unsurprisingly, the 2015 results highlight that “preventing and dealing with security breaches is a primary concern for 50% of companies [1] and guarding against cyberthreats is the top security priority for 27% of companies.” [2]

“Dealing with security breaches is a primary concern for 50% of companies.” [1]

TOP CONCERNS OF THE IT FUNCTION [1]
Dealing with security breaches, understanding new technologies and managing changes to IT systems are the primary concerns. Security breaches are a concern for companies of all sizes.

  Preventing/dealing with IT security breaches                                              50%
  Understanding the full range of new technologies that are available and how to use them  44%
  Managing change in IT systems and infrastructure                                          42%
  Making decisions about future IT investments                                              37%
  Dealing with cost constraints/limited budgets                                             31%
  Training users how to use IT systems                                                      26%
  Planning for and recovering from failure or destruction of IT infrastructure              22%
  Dealing with mobile working patterns and BYOD                                             18%
  Complying with industry regulations and standards                                         16%
  Managing wide range of different IT suppliers/product and service vendors                 15%

  Preventing/dealing with IT security breaches, by company size:
  E (1500+) 54%  |  MB (250-1499) 50%  |  SB (50-249) 48%  |  VSB (1-49) 46%

Increasing in scale, increasing in severity

The interconnected world means that attacks can be launched on victims’ devices very quickly and as widely or selectively as the malware authors and criminal underground sponsors require.

Malicious code can be embedded in an email, injected into fake software packs, placed on “grey-zone” webpages, or downloaded by a Trojan installed on an infected computer.

COMPANY IT SECURITY PRIORITIES FOR THE NEXT 12 MONTHS [2]
Guarding against cyberthreats is now the top priority (previously third), supplanting preventing data leaks.

  Guarding against external cyberthreats such as malware            27%
  Fraud prevention                                                  27%
  Preventing data leaks                                             25%
  Continuity of service of business-critical systems                25%
  Security of cloud infrastructure (public and private)             22%
  Security of mobile/portable computing devices                     21%
  Physical security of critical business systems                    21%
  Eliminating vulnerabilities in existing systems                   19%
  Security of virtualized infrastructure                            19%
  Information security training provided to employees               19%
  Enhancing disaster recovery measures/planning                     17%
  Compliance with industry/regulatory requirements                  15%
  Improving response to information security incidents              14%
  Leveraging cloud-based or managed security services               13%
  Protecting against distributed denial of service (DDoS) attacks   12%

The scale of the problem has also continued to increase. The number of new malware samples discovered daily by Kaspersky Lab runs into hundreds of thousands.

A problem of perception

In the past 12 months 90% of companies experienced some form of external attack, and 46% of companies reported an increase in the number of attacks, [3] although there is a perception that there were fewer instances of data theft and obvious malware events in 2015.

But there’s a misconception that malware belongs on its own, in a discrete category. In fact, malware forms an essential component of many cyberattacks and remains the most frequent and dangerous threat to IT security. Targeted attacks, cyberespionage, phishing attacks and more all incorporate malware. So it’s not that malware attacks are declining, but that they may not be perceived as malware attacks.

“90% of companies had experienced some form of external incident.” [3]

EXTERNAL THREATS EXPERIENCED [3]
90% of companies had experienced some form of external incident. Fewer instances of theft and obvious malware events in 2015 compared to previous waves.
[Chart: percentage of companies experiencing each external threat, by survey wave: 2011 (n=1715), 2012 (n=2938), 2013 (n=2164), 2014 (n=2943), 2015 (n=3580). Threat categories: spam; viruses, worms, spyware and other malicious programs; phishing attacks; network intrusion/hacking; denial-of-service (DoS) and distributed-denial-of-service (DDoS) attacks; theft of mobile devices by external party; cyberespionage; theft of larger hardware; targeted attacks aimed specifically at our organization/brand; criminal damage; point-of-sale (POS) intrusion; attacks on ATMs. Annotations flag sectors where particular threats are especially common (IT and education; financial services and government; manufacturing; telecoms; consumer services firms) and mark categories that are significantly lower year on year.]

From cybervandalism to cybercrime

Until around 2003, viruses and other types of malware were largely isolated acts of computer vandalism, “anti-social self-expression” using high-tech means. Most viruses confined themselves to infecting other disks or programs.

After 2003, the threat landscape changed. Much of today’s malware is purpose-built to hijack computers and make money illegally. As a result, the threats businesses now face have become significantly more complex. IT administrators have a lot more to contend with: there are more types of threats to protect against, and the damage they cause is likely to be financial, not just IT downtime.

“1 in 3 companies who’ve experienced a data breach event suffered temporary loss of ability to trade, and typical direct costs incurred from a serious event are $38K for SMBs and $551K for enterprises.” [4]

ESTIMATED DIRECT COSTS INCURRED RESULTING FROM ANY SERIOUS DATA LOSS INCIDENT [4]
Although not every expense is incurred by every business, we can nonetheless estimate a typical loss taking into account the likelihood of an organization incurring each expense.

                               SMB                                  Enterprise
                               Potential cost   Proportion of       Potential cost   Proportion of
                               if experienced   businesses          if experienced   businesses
                                                incurring this                       incurring this
                                                expense                              expense
  Professional services        $11K             88%                 $84K             88%
  Lost business opportunities  $16K             32%                 $203K            29%
  Down-time                    $66K             34%                 $1.4M            30%

  Typical damage from a serious event:
    SMBs         $38K   (2014: $33K; 2013: $36K)
    Enterprises  $551K  (2014: $636K; 2013: $566K)

Each potential cost is multiplied by the likelihood of experiencing that cost, and the results are added together to give the expected overall typical cost.

New motives, new tactics

The change in motive also brought about a change in tactics. There was a decline in the number of global epidemics, designed to spread malware as far and as quickly as possible. Attacks have become more focused.

The main reason for the change is that attacks now have criminal intent and look to steal confidential data, which can then be processed and used. Where millions of victim machines are involved, detection is more likely, and it creates a huge logistical operation. Therefore, malicious code authors now prefer to focus their attacks.

“Attacks now have criminal intent and look to steal confidential data.”

The rise of the Trojan

Trojans are the most common type of malware today. They are categorized according to their function: the most common include backdoors, password stealers, downloaders and banking Trojans. They are used to steal confidential information (username, password, PIN, etc.) for bank fraud.

They can be used to spy on victims. They can be used to install additional malware to suit the needs of the attackers. They can be used in distributed-denial-of-service (DDoS) attacks on organizations: such attacks seek to extort money from organizations, using a demonstration DDoS attack to give the victims a taste of what will happen if they don’t pay up.

Holding your system for ransom

In recent years, there has also been a steady growth in ransomware. While anti-malware can detect ransomware, it may not

References
1. Kaspersky Lab Global IT Risks Security Survey 2015
2. Kaspersky Lab Global IT Risks Security Survey 2015
3. Kaspersky Lab Global IT Risks Security Survey 2015
4. Kaspersky Lab Global IT Risks Security Survey 2015