Applied Network Security Analysis: The Malware Analysis Use Case

As we resume our tour of advanced use cases for Network Security Analysis, it’s time to consider malware analysis. Of course most successful attacks involve some kind of malware at some point during the attack. If only just to maintain a presence on the compromised device, some kind of bad stuff is injected. And once the bad stuff is on a device, it’s very very hard to get rid of it – and even harder to be sure. Most folks (including us) recommend you just re-image the device, as opposed to trying to clean the malware. This makes it even more important to detect malware as quickly as possible and (hopefully) block it before a user does something stupid to compromise their device. There are many ways to detect malware, depending on the attack vector, but a lot of what we see today is snuck through port 80 as web traffic. Sure, dimwit users occasionally open a PDF or ZIP file from someone they don’t know, but more often it’s a drive-by download, which means it comes in with all the other web traffic. So we have an opportunity to detect this malware when it enters the network. Let’s examine two situations, one with a purpose-built device to protect against web malware, and another where we’re analyzing malware directly on the network analysis platform. Detecting Malware at the Perimeter As we’ve been saying throughout this series, extending data collection and capture beyond logs is essential to detecting modern attacks. One advantage of capturing the full network packet stream at the ingress point of your network is that you can check for known malware and alert as they enter the network. This approach is better than nothing but it has two main issues: Malware sample accuracy: This approach requires accurate and comprehensive malware samples already loaded into the device to detect the attack. We all know that approach doesn’t work well with endpoint anti-virus and is completely useless against zero-day attacks, and this approach has the same trouble. No blocking: Additionally, once you detect something on the analysis platform, your options to remediate are pretty limited. Alerting on malware entering the network is useful, but blocking it is much better. Alternatively, a new class of network security device has emerged to deal with this kind of sneaky malware, by exploding the malware as it enters the network to understand the behavior of inbound sessions. Again, given the prevalence of unknown zero-day attacks, the ability to classify known bad behavior and see how a packet stream actually behaves can be very helpful. Of course no device is foolproof, but these devices can provide earlier warning of impending problems than traditional perimeter network security controls. Using these devices you can also block the offending traffic at the perimeter if it is detected in time, reducing the likelihood of device compromise. But you can’t guarantee you will catch all malware, so you must figure out the extent of t he compromise. There is also a more reactive approach: analyzing outbound traffic to pinpoint known command and control behavior and targets, which usually indicating a compromised device. At this point the device is already pwned, so you need to contain the damage. Either way, you must figure out exactly what happened and whether you need to sound the alarm. Containing the Damage Based on the analysis on the perimeter, we know both the target device and the originating network address. With our trusty analysis platform we can then figure out the extent of the damage. Let’s walk through the steps: Evaluate the device: First you need to figure out if the device is compromised. Your endpoint protection suite might not be able to catch an advanced attack, so search your analysis platform (and logging system) to find any configuration changes made on the device, and look for any strange behavior – typically through network flow analysis. If the device is still clean all the better. But we will assume it’s not. Profile the malware: Now you know the device is compromised, you need to figure out how. Sure you could just wipe it, but that eliminates the best opportunity to profile the attack. The network traffic and device information enable your analysts to piece together exactly what the malware does, replay the attack to confirm, and profile its behavior. This helps figure out how many other devices have been compromised, because you know what to look for. Determine the extent of the damage: The next step is to track malware proliferation. You can search the analysis platform to look for the malware profile you built in the last step. This might mean looking for communication with the external addresses you identified, identifying command and control patterns, or watching for the indicative configuration changes; but however you proceed, having all that data in one place facilitates identifying compromised devices. Watch for the same attack: You know the saying: “Fool me once, shame on you. Fool me twice, shame on me.” Shame on you if you let the same attack succeed on your network. Add rules to detect and block attacks you have seen for the future. We have acknowledged repeatedly that security professionals get no credit for blocking attacks, but you certainly look like a fool if you get compromised repeatedly by the same attack. You are only as good as your handling of the latest attack. So learn from these attacks; the additional data collection capabilities of network security analysis platforms can give you an advantage, both for containing the damage and for ensuring it doesn’t happen again. As we wrap up this Applied Network Security Analysis series early next week, we will examine the use case of confirming a breach actually happened, and then revisit the key points to solidify our case for capturing network traffic as a key facet of your detection capabilities. Share:

Read Post

Friday Summary: November 4, 2011

I wouldn’t say I’m a control freak, but I am definitely “control aligned”. If something is important to me I like to know what’s going on under the hood. I also hate to depend on someone else for something I’m capable of. So I have no problem trusting my accountant to keep me out of tax jail, or hiring a painter for the house, but there is a long list of things I tend to overanalyze and have trouble letting go of. Pretty damn high up that list is the Securosis Nexus. I have been programming as a hobby since third grade, and for a while there in the early days of web applications it was my full time profession. I don’t know C worth a darn, but I was pretty spiffy with database design and my (now antiquated) toolset for building web apps. I still code when I can, but it’s more like home repair than being a general contractor. When Mike, Adrian, and I came up with the idea for the Nexus I did all the design work. From the UI sketches we sent to the visual designers to the features and logic flow. Not that I did it all alone, but I took point, and I’m the one who interfaces with our contractors. Which is where I’m learning how to let go. The hard way. I have managed (small) programming teams before but this is my first time on the hiring side of the contractor relationship. It’s also the first time I haven’t written any significant amount of code for something I’m pretty much betting my future on (and the future of my partners and our families). Our current contractor team is great. Among other things they suggested an entirely new architecture for the backend that is far better than my initial plans and our PoC code. I wish they would QA a little better (hi guys!), and we don’t always see things the same way, but I’m damn happy with the product. But it’s extremely hard for me to rely on them. For example, today I wanted to change how a certain part of the system functioned (how we handle internal links). I know what needs to be done, and even know generally what needs to happen within the code, but I realized I would probably just screw it up. And it would take me a few hours (to screw up), while they can sort it all out in a fraction of the time. I don’t know why this bothers me. Maybe it’s knowing that I’ll see a line item on an invoice down the road. But it’s probably some deep-seated need to feel I’m in control and not dependant on someone else for something so important. But I am. And I need to get used to it. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Me (Rich) in a DLP video I for Trend Micro. I really liked the video crew on this one and the quality shows. I may need to get myself a Canon DSLR for our future Securosis videos instead of our current HD camcorder. I also wrote up how to recover lost iCloud data based on my own serious FAIL this week. Favorite Securosis Posts Mike Rothman: Virtual USB? Not.. Adrian has it right here. Even though it’s more secure to carry (yet another) device, users won’t do it. They want everything on their smartphone, and they will get it. It’s just a matter of when, and at what cost (in terms of security or data loss). Adrian Lane: How Regular Folks See Online Safety. Lately news items are right out of Theater of the Absurd: Security Tragicomedy. Rich: Tokenization Guidance: Audit Advice. Adrian is really building the most definitive guide out there. Other Securosis Posts Incite 11/2/2011: Be Yourself. Conspiracy Theories, Tin Foil Hats, and Security Research. Applied Network Security Analysis: The Advanced Security Use Case. Applied Network Security Analysis: The Forensics Use Case. Favorite Outside Posts Mike Rothman: 3 Free Tools to Fake DNS Responses for Malware Analysis. This is a good tip for testing, but also critical for understanding the tactics adversaries will use against you. Adrian Lane: The Chicago Way. Our own Dave Lewis does the best job in the blogsphere at explaining what the heck is going on with the Anonymous / Los Zetas gang confrontation. James Arlen: Harvard Stupid. Two posts in one – interesting financial story tailed by an excellent example of how security should be implemented from a big picture view. If you run IT security for your company, read this! Rich: Kevin Beaver on why users violate policies. I don’t agree with the lazy comment though – it’s not being lazy if your goal is to get your job done and you deal with something in the way. Research Reports and Presentations Fact-Based Network Security: Metrics and the Pursuit of Prioritization. Tokenization vs. Encryption: Options for Compliance. Security Benchmarking: Going Beyond Metrics. Understanding and Selecting a File Activity Monitoring Solution. Database Activity Monitoring: Software vs. Appliance. React Faster and Better: New Approaches for Advanced Incident Response. Measuring and Optimizing Database Security Operations (DBQuant). Network Security in the Age of Any Computing. Top News and Posts UK Cops Using Fake Mobile Phone Tower to Intercept Calls, Shut Off Phones. Malaysian CA Digicert Revokes Certs With Weak Keys, Mozilla Moves to Revoke Trust. Four CAs Have Been Compromised Since June. Hackers attacked U.S. government satellites. How Visa Protects Your Data. Exposing the Market for Stolen Credit Cards Data. ‘Nitro’ Cyberespionage Attack Targets Chemical, Defense Firms. Blog Comment of the Week This week we are redirecting our donation to support Brad “theNurse” Smith. This week’s best comment goes to Zac, in response to Conspiracy Theories, Tin Foil Hats, and Security Research. I personally think that the problem with the media hype is that it seems to distract more than inform. The overall result being that you end up with “experts” arguing over inconsequential

Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.