a broad view of the ecosystem of socially engineered
play

A Broad View of the Ecosystem of Socially Engineered Exploit - PowerPoint PPT Presentation

Sep 14, 2022 •243 likes •1.11k views

A Broad View of the Ecosystem of Socially Engineered Exploit Documents Stevens Le Blond, Cdric Gilbert, Utkarsh Upadhyay, Manuel Gomez Rodriguez and David Choffnes Challenges with measuring targeted attacks Low-volume, socially

  1. A Broad View of the Ecosystem of 
 Socially Engineered Exploit Documents Stevens Le Blond, Cédric Gilbert, Utkarsh Upadhyay, Manuel Gomez Rodriguez and David Choffnes

  2. Challenges with measuring targeted attacks • Low-volume, socially engineered messages that convince 
 specific victims to install malware 2

  3. Challenges with measuring targeted attacks • Low-volume, socially engineered messages that convince 
 specific victims to install malware • Three studies published at Usenix Security’14 • Tibet (Hardy et al.), Middle East (Marczak et al.), and Uyghur (Le Blond et al.) 2

  4. Challenges with measuring targeted attacks • Low-volume, socially engineered messages that convince 
 specific victims to install malware • Three studies published at Usenix Security’14 • Tibet (Hardy et al.), Middle East (Marczak et al.), and Uyghur (Le Blond et al.) 2

  5. Challenges with measuring targeted attacks • Low-volume, socially engineered messages that convince 
 specific victims to install malware • Three studies published at Usenix Security’14 • Tibet (Hardy et al.), Middle East (Marczak et al.), and Uyghur (Le Blond et al.) ? 2

  6. Challenges with measuring targeted attacks • Low-volume, socially engineered messages that convince 
 specific victims to install malware • Three studies published at Usenix Security’14 • Tibet (Hardy et al.), Middle East (Marczak et al.), and Uyghur (Le Blond et al.) ? Measuring targeted attacks 
 is a long and difficult process 2

  7. Can Anti-Virus Aggregators (VirusTotal) help? 3

  8. Can Anti-Virus Aggregators (VirusTotal) help? 3

  9. Can Anti-Virus Aggregators (VirusTotal) help? 3

  10. Can Anti-Virus Aggregators (VirusTotal) help? 3

  11. VirusTotal Statistics (one week) 4

  12. VirusTotal Statistics (one week) 4

  13. VirusTotal Statistics (one week) 4

  14. VirusTotal Statistics (one week) 4

  15. VirusTotal Statistics (one week) 4

  16. VirusTotal Statistics (one week) 4

  17. VirusTotal as a vantage point 
 to measure targeted attacks 5

  18. VirusTotal as a vantage point 
 to measure targeted attacks 5

  19. VirusTotal as a vantage point 
 to measure targeted attacks 5

  20. VirusTotal as a vantage point 
 to measure targeted attacks 5

  21. Research questions • Do targeted groups upload exploit documents to VirusTotal? • Can we scale our analysis to hundreds of thousands of samples? • How do attacks faced by different groups compare with each other? • Is VirusTotal used by other actors such as attackers and researchers? 6

  22. Outline 1) Methodology 2) Analysis of exploit documents 3) Future work 7

  23. Exploit document infection process Exploit Decoy Malware 8

  24. Exploit document infection process Exploit Decoy Malware 8

  25. Exploit document infection process Exploit Decoy Malware 8

  26. Exploit document infection process Exploit Decoy Malware 8

  27. Data acquisition and processing workflow 9

  28. Data acquisition and processing workflow 9

  29. Can we scale our analysis to hundreds of thousands of samples? Acquisition 257,635 10

  30. Can we scale our analysis to hundreds of thousands of samples? Acquisition 257,635 10

  31. Can we scale our analysis to hundreds of thousands of samples? Acquisition 257,635 143 10

  32. Data acquisition and processing workflow 11

  33. Can we scale our analysis to hundreds of thousands of samples? Detection 257,635 143 12

  34. Can we scale our analysis to hundreds of thousands of samples? Detection Office w/ EMET Acrobat w/ EMET SP0 SP1 SP2 SP3 0.0 1.0 2.0 3.0 4.0 5.0 VIII 2003 IX 2007 X 2010 XI 257,635 143 12

  35. Can we scale our analysis to hundreds of thousands of samples? Detection Office w/ EMET Acrobat w/ EMET SP0 SP1 SP2 SP3 0.0 1.0 2.0 3.0 4.0 5.0 VIII 2003 IX 2007 X 2010 XI 257,635 143 12

  36. Can we scale our analysis to hundreds of thousands of samples? Detection Office w/ EMET Acrobat w/ EMET SP0 SP1 SP2 SP3 0.0 1.0 2.0 3.0 4.0 5.0 VIII 2003 IX 2007 X 2010 XI 257,635 143 - 219,794 -29 37,841 114 12

  37. How many versions of 
 readers do we have to test? CDF # affected versions 13

  38. How many versions of 
 readers do we have to test? CDF # affected versions Few exploits are portable across all reader versions 13

  39. Data acquisition and processing workflow 14

  40. Can we scale our analysis to hundreds of thousands of samples? Extraction Office w/ EMET Acrobat w/ EMET SP0 SP1 SP2 SP3 0.0 1.0 2.0 3.0 4.0 5.0 VIII 2003 IX 2007 X 2010 XI - 219,794 -29 257,635 143 37,841 114 15

  41. Can we scale our analysis to hundreds of thousands of samples? Extraction Office w/ driver Acrobat w/ driver Office w/ EMET Acrobat w/ EMET SP0 SP1 SP2 SP3 0.0 1.0 2.0 3.0 4.0 5.0 SP0 SP1 SP2 SP3 0.0 1.0 2.0 3.0 4.0 5.0 VIII 2003 VIII 2003 IX 2007 IX 2007 X 2010 X 2010 XI XI - 219,794 -29 257,635 143 37,841 114 15

  42. Can we scale our analysis to hundreds of thousands of samples? Extraction Office w/ driver Acrobat w/ driver Office w/ EMET Acrobat w/ EMET SP0 SP1 SP2 SP3 0.0 1.0 2.0 3.0 4.0 5.0 SP0 SP1 SP2 SP3 0.0 1.0 2.0 3.0 4.0 5.0 VIII 2003 VIII 2003 IX 2007 IX 2007 X 2010 X 2010 XI XI - 219,794 -29 257,635 143 37,841 114 15

  43. Can we scale our analysis to hundreds of thousands of samples? Extraction Office w/ driver Acrobat w/ driver Office w/ EMET Acrobat w/ EMET SP0 SP1 SP2 SP3 0.0 1.0 2.0 3.0 4.0 5.0 SP0 SP1 SP2 SP3 0.0 1.0 2.0 3.0 4.0 5.0 VIII 2003 VIII 2003 IX 2007 IX 2007 X 2010 X 2010 XI XI - 219,794 -29 -34,026 257,635 143 -11 37,841 114 3,815 103 15

  44. Data acquisition and processing workflow 16

  45. Can we scale our analysis to hundreds of thousands of samples? Analysis Acrobat w/ driver Office w/ driver Office w/ EMET Acrobat w/ EMET SP0 SP1 SP2 SP3 0.0 1.0 2.0 3.0 4.0 5.0 SP0 SP1 SP2 SP3 0.0 1.0 2.0 3.0 4.0 5.0 VIII 2003 VIII 2003 IX 2007 IX 2007 X 2010 X 2010 XI XI - 219,794 -29 257,635 143 -34,026 -11 37,841 114 3,815 103 17

  46. Can we scale our analysis to hundreds of thousands of samples? Analysis Acrobat w/ driver Office w/ driver Office w/ EMET Acrobat w/ EMET SP0 SP1 SP2 SP3 0.0 1.0 2.0 3.0 4.0 5.0 SP0 SP1 SP2 SP3 0.0 1.0 2.0 3.0 4.0 5.0 VIII 2003 VIII 2003 IX 2007 IX 2007 X 2010 X 2010 XI XI - 219,794 257,635 -34,026 37,841 3,815 17

  47. Can we scale our analysis to hundreds of thousands of samples? Analysis Malware Acrobat w/ driver sandboxes Office w/ driver Translators Office w/ EMET Acrobat w/ EMET SP0 SP1 SP2 SP3 0.0 1.0 2.0 3.0 4.0 5.0 SP0 SP1 SP2 SP3 0.0 1.0 2.0 3.0 4.0 5.0 VIII 2003 VIII 2003 IX 2007 IX 2007 X 2010 X 2010 XI XI - 219,794 -34,026 37,841 3,815 17

  48. Can we scale our analysis to hundreds of thousands of samples? Analysis Malware Acrobat w/ driver sandboxes Office w/ driver Translators Office w/ EMET Acrobat w/ EMET SP0 SP1 SP2 SP3 0.0 1.0 2.0 3.0 4.0 5.0 SP0 SP1 SP2 SP3 0.0 1.0 2.0 3.0 4.0 5.0 VIII 2003 VIII 2003 IX 2007 IX 2007 X 2010 X 2010 XI XI - 219,794 -34,026 37,841 3,815 17

  49. Can we scale our analysis to hundreds of thousands of samples? Analysis Malware Acrobat w/ driver sandboxes Office w/ driver Translators Office w/ EMET Acrobat w/ EMET SP0 SP1 SP2 SP3 0.0 1.0 2.0 3.0 4.0 5.0 SP0 SP1 SP2 SP3 0.0 1.0 2.0 3.0 4.0 5.0 VIII 2003 VIII 2003 IX 2007 IX 2007 X 2010 X 2010 XI XI - 219,794 -34,026 2,447 3,705 37,841 3,815 17

  50. Outline 1) Methodology 2) Analysis of exploit documents 3) Future work 18

  51. Do targeted groups upload exploit documents on VirusTotal? Likely targets (inferred from decoys) 19

  52. Do targeted groups upload exploit documents on VirusTotal? Likely targets (inferred from decoys) 19

  53. Do targeted groups upload exploit documents on VirusTotal? Likely targets (inferred from decoys) 19

  54. Do targeted groups upload exploit documents on VirusTotal? Likely targets (inferred from decoys) VirusTotal gives visibility into attacks targeting numerous groups 19

  55. How attacks faced by different groups compare with each other? Languages of decoys Fraction 20

  56. How attacks faced by different groups compare with each other? Languages of decoys Fraction 20

  57. How attacks faced by different groups compare with each other? Languages of decoys Fraction 20

  58. How attacks faced by different groups compare with each other? Languages of decoys Fraction 20

  59. How attacks faced by different groups compare with each other? Languages of decoys Fraction Decoys tend to use the official language of the groups they target 20

  60. How attacks faced by different groups compare with each other? Malware targeting 21

  61. How attacks faced by different groups compare with each other? Malware targeting 21

  62. How attacks faced by different groups compare with each other? Malware targeting 21

  63. How attacks faced by different groups compare with each other? Malware targeting 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A broad view of heritage Historic buildings Archaeological sites Collections

A broad view of heritage Historic buildings Archaeological sites Collections

A broad view of heritage Historic buildings Archaeological sites Collections Places and objects linked to industrial, maritime and transport history Natural and designed landscapes Wildlife A broad view of heritage

189 views • 15 slides
Scanners Divers Prefer a broad view Master specific details before general concepts

Scanners Divers Prefer a broad view Master specific details before general concepts

= Never Anywhere + Anytime Tackling the motivation challenges of continual learning Betha Gutsche, OCLC/WebJunction Elizabeth Iaukea, Washington State Library ALA Annual 2016, Orlando Scanners Divers Prefer a broad view Master

670 views • 28 slides
Engineered quantum systems. G J Milburn Centre for Engineered Quantum Systems, The University of

Engineered quantum systems. G J Milburn Centre for Engineered Quantum Systems, The University of

Engineered quantum systems. G J Milburn Centre for Engineered Quantum Systems, The University of Queensland Taipei, June 2011. Engineered quantum systems? Superconducting qubits and microwave resonators. Entanglement via continuous measurement

641 views • 61 slides
Socially Assistive Robotics Grace Chandler Socially assistive robotics (SAR): An intersection

Socially Assistive Robotics Grace Chandler Socially assistive robotics (SAR): An intersection

Socially Assistive Robotics Grace Chandler Socially assistive robotics (SAR): An intersection between assistive robotics and socially intelligent robotics, often for a therapeutically beneficial role TEACHING: MITs Tenga- A second language

734 views • 47 slides
NEIGHBORHOOD MAP 1. S. BROAD ST - LOOKING NORTH 2. S. BROAD ST - LOOKING SOUTH 3. S. BROAD ST -

NEIGHBORHOOD MAP 1. S. BROAD ST - LOOKING NORTH 2. S. BROAD ST - LOOKING SOUTH 3. S. BROAD ST -

NEIGHBORHOOD MAP 1. S. BROAD ST - LOOKING NORTH 2. S. BROAD ST - LOOKING SOUTH 3. S. BROAD ST - ACROSS THE STREET LOOKING NORTHEAST AT THE SITE 2 5 1111 S. BROAD ST LOT AREA = 10,675 SF 4 1 3 4. S. BROAD ST - ACROSS THE STREET LOOKING

706 views • 36 slides
The importance of taking the broad view: the NuSTAR AGN Physics Program Giorgio Matt (

The importance of taking the broad view: the NuSTAR AGN Physics Program Giorgio Matt (

The importance of taking the broad view: the NuSTAR AGN Physics Program Giorgio Matt ( Universita Roma Tre, Italy ) On behalf of the NuSTAR AGN Physics WG NuSTAR is the fjrst focusing hard X-ray satellite NuSTAR INTEGRAL Grazing Incidence

1.01k views • 47 slides
The importance of taking the broad view: NuSTAR observations of radio-quiet AGN Giorgio Matt (

The importance of taking the broad view: NuSTAR observations of radio-quiet AGN Giorgio Matt (

The importance of taking the broad view: NuSTAR observations of radio-quiet AGN Giorgio Matt ( Universita Roma Tre, Italy ) On behalf of the NuSTAR AGN Physics WG NuSTAR is the fjrst focusing hard X-ray satellite NuSTAR INTEGRAL Grazing

251 views • 23 slides
Tackling kling Tobacco bacco Through ough Re Re-engineered engineered Pr Prim imar ary y

Tackling kling Tobacco bacco Through ough Re Re-engineered engineered Pr Prim imar ary y

Tackling kling Tobacco bacco Through ough Re Re-engineered engineered Pr Prim imar ary y Care re Daren Wu, M.D. Chief Medical Officer Learning Objectives Understand the key stumbling blocks that can interfere with tobacco

433 views • 40 slides
Note For CPS 196, Spring 2006, I skimmed a tutorial giving a broad view of the area. It is

Note For CPS 196, Spring 2006, I skimmed a tutorial giving a broad view of the area. It is

Note For CPS 196, Spring 2006, I skimmed a tutorial giving a broad view of the area. It is by Joe Hellerstein at Peer-to-Peer and Large- Berkeley and is available at: Scale Distributed Systems db.cs.berkeley.edu/jmh/talks/

293 views • 5 slides
Models: Take a broad view! Structural Dynamic Macroeconomic Models in Asia-Pacific Economies

Models: Take a broad view! Structural Dynamic Macroeconomic Models in Asia-Pacific Economies

BANK INDONESIA and BANK FOR INTERNATIONAL SETTLEMENTS WORKSHOP Models: Take a broad view! Structural Dynamic Macroeconomic Models in Asia-Pacific Economies Economy-wide dynamic stochastic models Bali, Indonesia, June 3-4, 2008 for

328 views • 13 slides
Development of Ecosystem component maps Henna Rinne, HELCOM Secretariat henna.rinne@helcom.fi

Development of Ecosystem component maps Henna Rinne, HELCOM Secretariat henna.rinne@helcom.fi

Development of Ecosystem component maps Henna Rinne, HELCOM Secretariat henna.rinne@helcom.fi 6.9.2016 40 Ecosystem component layers Pelagic habitats (2) Broad-scale seabed habitats (6) Habitat forming species (5) Natura 2000

524 views • 24 slides
Indian Institute Of Technology, Bombay Engineered Versus Natural System ENGINEERED SYSTEM Design

Indian Institute Of Technology, Bombay Engineered Versus Natural System ENGINEERED SYSTEM Design

Indian Institute Of Technology, Bombay Engineered Versus Natural System ENGINEERED SYSTEM Design Operation Optimization Control Engineered system: bottom-up design with known functionality of components Natural system: top down design with

1.08k views • 34 slides
Delivering Engineered Solutions www.bowyerengineering.co.uk

Delivering Engineered Solutions www.bowyerengineering.co.uk

Delivering Engineered Solutions www.bowyerengineering.co.uk stevea@bowyerengineering.co.uk AS9100, ISO 9001 & RR Sabre Accredited Delivering Engineered Solutions Staff and Premises Knowledge &

284 views • 15 slides
Rangeland Ecosystem Services and Influence Of Grazing Management Shannon R. White, Thomas J.

Rangeland Ecosystem Services and Influence Of Grazing Management Shannon R. White, Thomas J.

A Geographically- Broad Assessment of Rangeland Ecosystem Services and Influence Of Grazing Management Shannon R. White, Thomas J. Habib, & Daniel R. Farr Alberta Biodiversity Monitoring Institute University of Alberta Its Our Nature

488 views • 29 slides
About AH Industries A/S Company Structure Manufacturing Engineered Engineering Solutions CI

About AH Industries A/S Company Structure Manufacturing Engineered Engineering Solutions CI

About AH Industries A/S Company Structure Manufacturing Engineered Engineering Solutions CI Value Proposition Supply Chain Components Solutions - Engineered Solutions Georgia Singleblade Yoke Significant benefits can be achieved

143 views • 12 slides
How to Encourage Socially Responsible Behavior? Responsible Behavior? Tore Ellingsen Milano 21

How to Encourage Socially Responsible Behavior? Responsible Behavior? Tore Ellingsen Milano 21

How to Encourage Socially Responsible Behavior? Responsible Behavior? Tore Ellingsen Milano 21 October 2011 Outline 1. What is socially responsible behavior? 2. Is there any reason to encourage it? 3. If so how? a) What drives socially

321 views • 31 slides
Closing Town Hall Courtney Shurtleff | Director, Alumni Relations Merritt Crowley | Vice

Closing Town Hall Courtney Shurtleff | Director, Alumni Relations Merritt Crowley | Vice

Closing Town Hall Courtney Shurtleff | Director, Alumni Relations Merritt Crowley | Vice President, Advancement October 2020 Campus Life Engagement in a Virtual World Virtual Wine Tasting with Fontaine McFadden '05 Engagement in a Virtual

522 views • 9 slides
Virtual Embodiment: A Scalable Long-Term Strategy for Artificial Intelligence Research Douwe Kiela

Virtual Embodiment: A Scalable Long-Term Strategy for Artificial Intelligence Research Douwe Kiela

Virtual Embodiment: A Scalable Long-Term Strategy for Artificial Intelligence Research Douwe Kiela 1 , Luana Bulat 2 , Anita L. Vero 2 , Stephen Clark 2 , 3 1 Facebook AI Research 2 University of Cambridge 3 Google DeepMind dkiela@fb.com

425 views • 13 slides
Augmented Reality (AR) and Virtual Reality (VR) for Science education Clement Onime

Augmented Reality (AR) and Virtual Reality (VR) for Science education Clement Onime

Augmented Reality (AR) and Virtual Reality (VR) for Science education Clement Onime International Centre for Theoretical Physics (ICTP), Trieste, Italy onime@ictp.it C. Onime - onime@ictp.it Advanced Workshop on T echnology for Sustainable

703 views • 25 slides
Li Lightin ting in Virt rtual W l World rld Rongkai Guo Lights in the Real World Sun

Li Lightin ting in Virt rtual W l World rld Rongkai Guo Lights in the Real World Sun

Li Lightin ting in Virt rtual W l World rld Rongkai Guo Lights in the Real World Sun Lamp Blinds Flashlight And all of the Virtual Lights we CREATED! Lighting Concepts Three-Point Lighting Basics Key Light

188 views • 7 slides
Unit 5 State Machines 5.2 What is state? You see a DPS officer approaching you. Are you

Unit 5 State Machines 5.2 What is state? You see a DPS officer approaching you. Are you

5.1 Unit 5 State Machines 5.2 What is state? You see a DPS officer approaching you. Are you happy? It's late at night and your car broke down. It's late at night and you've been partying a little too hard. Your interpretation is

717 views • 26 slides
Fast Parallel Longest Common Subsequence with General Integer Scoring Support Adnan Ozsoy , Arun

Fast Parallel Longest Common Subsequence with General Integer Scoring Support Adnan Ozsoy , Arun

Fast Parallel Longest Common Subsequence with General Integer Scoring Support Adnan Ozsoy , Arun Chauhan, Martin Swany School of Informatics and Computing Indiana University, Bloomington, USA 1 Fast Parallel Longest Common Subsequence with

495 views • 37 slides
Correlating Low-Level Events To Identify High-Level Bot Behaviors Liz Stinson Matt Fredrikson

Correlating Low-Level Events To Identify High-Level Bot Behaviors Liz Stinson Matt Fredrikson

Correlating Low-Level Events To Identify High-Level Bot Behaviors Liz Stinson Matt Fredrikson Somesh Jha John Mitchell University of Wisconsin Stanford University Lorenzo Martignoni University of Milan Our anti-inspirations

534 views • 18 slides
Welcome Clients of Mariner Wealth Advisors Cybersecurity Education Series Securing Personal Data

Welcome Clients of Mariner Wealth Advisors Cybersecurity Education Series Securing Personal Data

Welcome Clients of Mariner Wealth Advisors Cybersecurity Education Series Securing Personal Data Content provided by Presenter: Ray Cool, CEO PBSI Technology Solutions Webinar will begin at 10:00 Page 1 Series Goals Series Goals

146 views • 13 slides

More recommend