Attack Attribution
Marc Dacier
Sr. Director, Collaborative Advanced Research Dept. (CARD)
Symantec Research Labs
Overview
• Attack Attribution
• One example:
– the TRIAGE method (WOMBAT)
• Challenges, open issues
• Conclusions
[email protected]
INCO-TRUST/NSF workshop, New York, USA, May 4, 2010
2
Collaborative Advanced Research Dept.
CARD
• CARD is part of Symantec Research Labs, within the CTO office.
• Worldwide team with members located in the USA (Culver City, California and Herndon, Washington DC) as well as in Europe (France and Ireland).
• Specificity: long term exploratory research carried out with external partners from academia and industry
What we do
• 2 recently completed projects:
– ANTIPHISH – EC funding (finished in June 2009)
– EC-CAM – US (finished in September 2009)
• 3 ongoing funded projects
– WOMBAT (EC)
– VAMPIRE (France)
– NICE (US)
• 2 new projects will start in 2010:
– Minestrone (US)
– VIS-SENSE (EC).
Attack Attribution …
• … is not about IP traceback
• … is about identifying the root causes of observed attacks by linking them together thanks to common, external, contextual “fingerprints”
Analogy
• Serial killers accomplish a ritual that leaves traces
• Cybercriminals, for efficiency reasons, automate the various steps of their attack workflow, and this leaves traces
Danger
• "One swallow does not a summer make"
Aristotle, Nicomachean Ethics (384 BC - 322 BC)
[Image: The smiley face killer (?)]
Danger (ctd.)
• “When all you have is a hammer, everything looks like a nail”
Maslow's hammer law, The Psychology of Science, 1966
[Image: http://xkcd.com/587/]
Yes we can (find “things”)
[Figure: examples of anecdotal findings, each annotated: “This is a worm”, “These are botnets”, “These are the threats we should worry about”, “This is a stealthy, localised, recurring event”.]
Bridging the gap between such anecdotal findings and some actionable knowledge is hard!
Foreword
• What is presented here is the result of a joint collaboration between all WOMBAT partners over the last 28 months (see www.wombat-project.eu for the list of publications and deliverables)
The WOMBAT approach
[Figure: the WOMBAT pipeline. Data acquisition (WP3): honeypots, crawlers, external feeds. Data enrichment (WP4): malware analysis, context analysis, meta-data analysis, storage, analysis. Threat analysis (WP5): knowledge feeding new collection practices, new security technologies and new security practices.]
Example of a WOMBAT sensor: the SGNET data enrichment framework
[Figure: SGNET sensors facing the Internet collect code injection information and malware into the SGNET dataset, which is enriched with Symantec (and other) data, Anubis malware analysis, clustering techniques and models.]
Towards automated attack attribution
• Within WOMBAT, we have developed an automated framework that includes the expert knowledge in order to extract meaningful sets to reason about the modus operandi of the malicious actors: the TRIAGE framework
• The first application of that approach led to significant contributions in the latest Symantec ISTR Rogue AV report
• Public deliverable D12 is available online and contains 6 published peer-reviewed papers on the topic as well as the rogue AV analysis technical report.
– http://wombat-project.eu/WP5/FP7-ICT-216026Wombat_WP5_D12_V01_RCA-Technical-survey.pdf
Big Picture (ctd.)
Names vs. IPs maps of Rogue AV sites
Idea behind the attribution method
• Try to connect the dots…
TRIAGE
• TRIAGE (1)
– = atTRIbution of Attack using Graph-based Event clustering
• Multicriteria clustering method
(1) Triage (med.): process of prioritizing patients based on the severity of their condition
Successful attack attribution result
[Figure: timeline of one attributed cluster of rogue AV domains: 750 domains registered over a span of 8 months, with registrant email addresses hidden by privacy protection services. Horizontal axis: time.]
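The two slides above describe TRIAGE as a multicriteria, graph-based clustering of events and show a cluster of rogue AV domain registrations linked by shared registrant and timing fingerprints. The following is an added illustration of that idea, not WOMBAT's own code: each pair of constructed registration records (hypothetical domains, addresses and dates) is scored on several features, the weighted scores are aggregated, and the connected components of the resulting similarity graph are the candidate campaigns. The feature weights and the threshold are assumed values.

```python
from collections import defaultdict
from datetime import date
from itertools import combinations

# Constructed sample of domain registrations (hypothetical values, not WOMBAT data).
RECORDS = [
    {"domain": "scan-pc-now.example", "email": "reg-a@privacy.example", "ip": "203.0.113.10", "registered": date(2009, 3, 2)},
    {"domain": "antivir-pro.example", "email": "reg-a@privacy.example", "ip": "203.0.113.11", "registered": date(2009, 3, 4)},
    {"domain": "secure-scan.example", "email": "other@mail.example", "ip": "203.0.113.10", "registered": date(2009, 3, 7)},
    {"domain": "free-games.example", "email": "foo@mail.example", "ip": "198.51.100.7", "registered": date(2008, 7, 1)},
    {"domain": "best-deals.example", "email": "bar@mail.example", "ip": "198.51.100.8", "registered": date(2009, 1, 15)},
]

def same_subnet(a, b):
    # Shared /24 as a coarse hosting-infrastructure fingerprint (score in [0, 1]).
    return 1.0 if a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0] else 0.0

def close_in_time(a, b, window_days=14):
    # Linear decay: registrations more than window_days apart score 0.
    return max(0.0, 1.0 - abs((a - b).days) / window_days)

# Feature -> (similarity function, weight); the weights are an assumed choice.
FEATURES = {"email": (lambda a, b: 1.0 if a == b else 0.0, 0.5), "ip": (same_subnet, 0.3), "registered": (close_in_time, 0.2)}

def similarity(r1, r2):
    # Aggregate the per-feature scores into one multicriteria score.
    return sum(w * f(r1[k], r2[k]) for k, (f, w) in FEATURES.items())

def cluster(records, threshold=0.4):
    # Graph: a node per record, an edge when the score reaches the threshold; components = candidate campaigns.
    adj = defaultdict(set)
    for i, j in combinations(range(len(records)), 2):
        if similarity(records[i], records[j]) >= threshold:
            adj[i].add(j)
            adj[j].add(i)
    seen, clusters = set(), []
    for start in range(len(records)):
        if start in seen:
            continue
        stack, component = [start], []
        while stack:
            n = stack.pop()
            if n not in seen:
                seen.add(n)
                component.append(records[n]["domain"])
                stack.extend(adj[n])
        clusters.append(sorted(component))
    return sorted(clusters)
```

Lowering the threshold merges the two unrelated domains that only share a /24, which is the "one swallow" trap the deck warns about: a single shared feature is weak evidence on its own.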
Example (ctd.)
So, why is it useful...?
• Cyber criminality is a new business model
– Financial profits can be huge (large scale)
– Better organized: more systematic, automated procedures are used
• TRIAGE can help to:
– Get better insights into how cyber criminals operate, or how / when they change their tactics
• Consequently, help improve detection or end-user protection systems
– Automate the identification of “networks” of attackers
• Unless they completely change their modus operandi for each campaign…
– Go toward an early warning system
– Ultimately, support law enforcement in stopping emerging / ongoing attack phenomena
The need for data
• Attack attribution is an emerging field
• It requires a multidisciplinary approach and international collaboration
• It requires access to stable, representative and diversified sets of data.
• Everyone is welcome to host an SGNET sensor and benefit from the dataset and tools generated by the project.
• The more sensors we can get, the more we will learn about the attacks.
The Symantec WINE initiative
• Symantec owns a very rich set of threat-related datasets.
• CARD is currently building an infrastructure to provide access to a sampled set of these data feeds.
• External researchers are welcome to submit research proposals to gain access to this infrastructure, for free, on site.
• CONTACT POINT: [email protected]
Challenges and Open Issues
• A truly multidisciplinary domain:
– Computer security, networking, knowledge mining, visualisation, law, sociology, forensics, etc.
• Data can be private, confidential.
• Anonymisation is unlikely to be the silver bullet we need.
• Discovered knowledge can be sensitive (from a technical, political, sociological or even business viewpoint).
• Do we have the right places to publish?
BACK UP MATERIAL
References
• Actionable Knowledge Discovery for Threats Intelligence Support Using a Multi-dimensional Data Mining Methodology, O. Thonnard (Royal Military Academy of Belgium) and M. Dacier (Symantec), Proc. of the IEEE Data Mining Workshops, ICDMW '08, Pisa, Italy, Dec. 15-19, 2008.
• Behavioral Analysis of Zombie Armies, O. Thonnard, W. Mees (Royal Military Academy of Belgium) and M. Dacier (Symantec), Proc. of Cyber Warfare Conference (CWCon), Cooperative Cyber Defense Center Of Excellence (CCDCOE), Tallinn, Estonia, June 17-19,
• Addressing the attack attribution problem using knowledge discovery and multi-criteria fuzzy decision-making, O. Thonnard, W. Mees (Royal Military Academy of Belgium) and M. Dacier (Symantec), Proc. of KDD'09, 15th ACM SIGKDD Conference on Knowledge Discovery and Data Mining, Workshop on CyberSecurity and Intelligence Informatics, Paris, France, June 28, 2009.
• Honeypot traces forensics: the observation view point matters, V.-H. Pham (Eurecom) and M. Dacier (Symantec), Proc. of the 3rd International Conference on Network and System Security, Gold Coast, Australia, Oct. 19-21, 2009.