Cache, Trigger, Impersonate: Enabling Context-Sensitive Honeyclient Analysis On-the-Wire - PowerPoint PPT Presentation



SLIDE 1

Cache, Trigger, Impersonate: Enabling Context-Sensitive Honeyclient Analysis On-the- Wire

By Teryl Taylor, Kevin Z. Snow, Nathan Otterness and Fabian Monrose University of North Carolina at Chapel Hill

SLIDE 2

Motivation

(Diagram: a client request to the Internet: Get www.somenews.com)

SLIDE 3

Motivation

(Diagram continued: the client and the Internet; no further text survives)

SLIDE 4

Motivation

(Diagram: a second request to the Internet: Get www.exploitkit.com)

SLIDE 5

Motivation

(Diagram: the client announces "I have Win7, IE11 Flash 11.8"; the exploit kit answers with CVE-2015-0318 to exploit Flash)

SLIDE 6

Current Approaches

(Diagram: end users behind an HTTP analyzer fetch www.mal.com, www.evil.com and www.owned.com from the Internet: Get http://www.mal.com, Get http://www.evil.com, Get http://www.owned.com)

SLIDE 7

Current Approaches

(Diagram continued: the HTTP analyzer re-fetches only www.owned.com: Get http://www.owned.com)

SLIDE 8

Operational Challenges and Constraints

❖ Limit interaction with the client or server.
❖ Must handle the fire hose of data.
❖ Attackers spread exploits across multiple web resources.
❖ Limited to memory storage.

(Diagram: web object types: HTML, JavaScript, CSS, Flash)

SLIDE 9

Framework

❖ CACHE: a small time window of traffic.
❖ TRIGGER: on a potentially exploitable file type.
  ❖ Flash comprises 75% for popular exploit kits.
❖ IMPERSONATE: the client and the server, using the semantic cache and a honeyclient.

SLIDE 10

Example

(Diagram: client IP 192.168.2.30 browses www.a.com and www.b.com; www.maliciouspage.com loads evilflash.com/evil.swf)

SLIDE 11

Example Cont'd

(Diagram: evilflash.com/evil.swf crosses the network toward client IP 192.168.2.30)

SLIDE 12

CACHE: Semantic Cache

(Diagram: the HTTP analyzer feeds a two-level cache holding www.maliciouspage.com, www.a.com/page2, www.a.com/page1 and evilflash.com/evil.swf)

SLIDE 13

TRIGGER

(Diagram: the HTTP analyzer computes a hash H(.) of each cached object and a combined hash H(⨁) before deciding whether to trigger)

SLIDE 14

IMPERSONATE

(Diagram: on a trigger for evilflash.com/evil.swf destined for client IP 192.168.2.30, a Network Oracle retrieves the client configuration: Browser: IE 10, Flash Version: 18.5, OS: Windows 7)

SLIDE 15

IMPERSONATE: Chaining Algorithm (Going Back in Time!)

(Diagram: the HTTP analyzer chains the cached objects www.a.com/page1, www.a.com/page2, www.maliciouspage.com and evilflash.com/evil.swf back together)

SLIDE 16

IMPERSONATE

(Diagram: the HTTP analyzer replays the cached chain, Get www.maliciouspage.com and evilflash.com/evil.swf, while impersonating the client as Browser: IE 10, Flash Version: 18.5, OS: Windows 7, and sends alerts to a security analyst)
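The cache, trigger and impersonate stages of slides 9 through 16, written out as an added Python example. This is not the authors' prototype (none of its code appears on the slides); it assumes a two-minute window, a fixed-block piecewise hash with a 90% block-overlap threshold for "already seen", and a User-Agent/x-flash-version mapping for the network oracle. The traffic it runs over is constructed to mirror the slides' example for client 192.168.2.30.

```python
# Added example, not the authors' prototype: a toy cache -> trigger -> impersonate pipeline.
# Window length, block size, near-duplicate threshold and User-Agent mapping are assumptions.
import hashlib
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

WINDOW_SECONDS = 120                  # assumption: cache about two minutes of traffic
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib and LZMA SWF headers
PIECE = 64                            # assumption: piecewise hash block size in bytes
NEAR_DUP = 0.9                        # assumption: block overlap treated as already seen
WINDOWS_NT = {"6.1": "Windows 7", "6.2": "Windows 8", "6.3": "Windows 8.1", "10.0": "Windows 10"}

@dataclass
class HttpObject:
    ts: float                     # time the response was seen on the wire
    client: str                   # IP of the client it was delivered to
    url: str
    referer: Optional[str]        # Referer header of the request, if any
    user_agent: str
    flash_version: Optional[str]  # x-flash-version request header, if present
    body: bytes

class SemanticCache:
    """Per-client, time-bounded, memory-only cache of web objects."""
    def __init__(self, window: float = WINDOW_SECONDS) -> None:
        self.window, self.by_client = window, defaultdict(deque)

    def add(self, obj: HttpObject) -> None:
        q = self.by_client[obj.client]
        q.append(obj)
        while obj.ts - q[0].ts > self.window:   # evict objects that left the window
            q.popleft()

    def chain(self, obj: HttpObject) -> list:
        """Go back in time: follow Referer links to rebuild the path that led to obj."""
        by_url = {o.url: o for o in self.by_client[obj.client] if o.url != obj.url}
        path = [obj]
        while path[-1].referer in by_url:
            path.append(by_url.pop(path[-1].referer))   # pop() stops Referer loops
        return path[::-1]                                 # oldest object first

    def client_profile(self, client: str) -> dict:
        """Network oracle: infer OS, browser and Flash version from the client's own requests."""
        ua = flash = ""
        for o in self.by_client[client]:
            ua, flash = o.user_agent or ua, o.flash_version or flash
        nt = re.search(r"Windows NT (\d+\.\d+)", ua)
        ie = re.search(r"MSIE (\d+)", ua) or re.search(r"Trident/\d+.*rv:(\d+)", ua)
        return {"os": WINDOWS_NT.get(nt.group(1), "unknown") if nt else "unknown",
                "browser": f"IE {ie.group(1)}" if ie else "unknown",
                "flash": ".".join(flash.split(",")[:2]) if flash else "unknown"}  # "18,5,0,0" -> "18.5"

class Trigger:
    """Fire only on Flash objects not seen before: whole-file hash, then piecewise hash."""
    def __init__(self) -> None:
        self.seen_files, self.seen_pieces = set(), set()

    def check(self, obj: HttpObject) -> str:
        if obj.body[:3] not in SWF_MAGIC:
            return "ignore"                     # not an exploitable file type for this trigger
        whole = hashlib.sha256(obj.body).hexdigest()
        if whole in self.seen_files:
            return "skip-duplicate"
        pieces = [hashlib.sha256(obj.body[i:i + PIECE]).hexdigest()
                  for i in range(0, len(obj.body), PIECE)]
        overlap = sum(p in self.seen_pieces for p in pieces) / len(pieces)
        self.seen_files.add(whole)
        self.seen_pieces.update(pieces)
        return "skip-near-duplicate" if overlap >= NEAR_DUP else "analyze"

def impersonate(cache: SemanticCache, trigger: Trigger, obj: HttpObject) -> tuple:
    """On a trigger, build the honeyclient job: the victim's configuration plus the
    ordered chain of cached objects to replay in place of the real servers."""
    verdict = trigger.check(obj)
    if verdict != "analyze":
        return verdict, None
    return verdict, {"client": obj.client, "profile": cache.client_profile(obj.client),
                     "replay": [(o.url, o.body) for o in cache.chain(obj)]}

def demo() -> dict:
    """Constructed traffic mirroring the slides' example for client 192.168.2.30."""
    cache, trig, c = SemanticCache(), Trigger(), "192.168.2.30"
    ua = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
    swf = b"CWS\x0a" + bytes(range(256)) * 4    # fake SWF header plus filler
    page1, page2, mal, evil = ("http://www.a.com/page1", "http://www.a.com/page2",
                               "http://www.maliciouspage.com/", "http://evilflash.com/evil.swf")
    seen = [HttpObject(0, c, "http://www.b.com/", None, ua, None, b"<html>old</html>"),
            HttpObject(100, c, page1, None, ua, None, b"<html>1</html>"),
            HttpObject(110, c, page2, page1, ua, None, b"<html>2</html>"),
            HttpObject(130, c, mal, page2, ua, None, b"<object data='evil.swf'></object>"),
            HttpObject(135, c, evil, mal, ua, "18,5,0,0", swf)]
    for o in seen:
        cache.add(o)                            # www.b.com falls out of the window
    first = impersonate(cache, trig, seen[-1])
    repeat = impersonate(cache, trig, seen[-1])  # identical file delivered again
    variant = HttpObject(140, c, "http://evilflash.com/evil2.swf", None, ua, None, swf[:-1] + b"\x00")
    cache.add(variant)
    return {"cache": cache, "first": first, "repeat": repeat,
            "near": impersonate(cache, trig, variant)}   # one byte differs from evil.swf
```

The job returned by `impersonate` is what would be handed to a honeyclient VM built to the recovered profile: the replay list lets the analyzer stand in for www.maliciouspage.com and evilflash.com, and the profile lets it stand in for the victim. Two things a practitioner should note: the trigger's two hash levels are what keep the honeyclient from re-analysing the same kit payload thousands of times, and the Referer walk only works for objects still inside the window, which is why the window length is a security parameter and not just a memory budget.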

SLIDE 17

Evaluation - Campus

❖ UNC campus clients: 25,000 students; avg 1,000 concurrent users; 14,000 HTTP flows/min (peak: 35,000 flows/min).
❖ Metasploit server: serves 11 Flash exploits; affects 3 Flash versions.
❖ Client configuration: Windows 7, Firefox/IE, 3 Flash versions.
❖ Analysis hardware: Dell R410, 128 GB RAM, 8-core Xeon 2100 CPU, Endace DAG card.
❖ Honeyclients: ShellOS, 5 VMs (Chrome, IE, Firefox); headless browser: HTMLUnit.

SLIDE 18

Evaluation – Results

Total: 576,000 Flash files; filtered: 99% of Flash files.

(Pie chart: 76% fully analyzed, 8% interactive, 11% low and slow, 5% errors)

* Found on average 2 malicious sites per day.

SLIDE 19

Conclusion: Honeyclient to the Wire

❖ Current network-based approaches are too slow to react.
❖ We propose a framework that:
  ❖ Caches minutes' worth of web objects.
  ❖ Triggers an analysis on exploitable file types.
  ❖ Impersonates both the client and the server.
❖ Demonstrated utility on a large campus network.

SLIDE 20

Questions?

Teryl Taylor

SLIDE 21

Evaluation – Performance (chart not included in the text export)

SLIDE 22

Evaluation – Cache (chart not included in the text export)

SLIDE 23

Evaluation – VirusTotal over Time (chart not included in the text export)

SLIDE 24

Evaluation – Minutes between Flash-in-Flash (chart not included in the text export)

SLIDE 25

Evaluation – Length of Client Cache (chart not included in the text export)

SLIDE 26

➍ Honeyclients

❖ Honeyclient H1 (ShellOS) reports an exploit when:
  ❖ The process contains a code injection/code reuse payload.
  ❖ Process memory exceeds a tunable threshold (heap spray).
  ❖ The process terminates or crashes.

(Snow et al., ShellOS: Enabling Fast Detection and Forensic Analysis of Code Injection Attacks, USENIX Security, 2011.)

SLIDE 27

➍ Honeyclients

❖ Honeyclient H2 (Cuckoo Sandbox) reports an exploit when:
  ❖ The process uses a known anti-detection technique.
  ❖ The process spawns another process.
  ❖ The process downloads an exe or dll file.
  ❖ The process accesses the registry or system files.

(https://cuckoosandbox.org/)
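The H1 and H2 reporting rules of slides 26 and 27, encoded as checks over constructed behaviour records, as an added Python example that is neither ShellOS nor Cuckoo code. The memory threshold, the list of anti-analysis APIs and the registry/system path prefixes are assumptions; whether ShellOS found an injected or code-reuse payload is taken as an input flag, because that detection runs on memory snapshots inside the VM and is not reproduced here. The three records are constructed so that an exploit that sprays the heap and crashes trips only H1, a dropper trips only H2, and the union catches both, which is the pattern behind the per-honeyclient and combined rates on slides 32 and 33.

```python
# Added example, not ShellOS or Cuckoo code: the slides' H1/H2 rules as checks
# over simplified behaviour records. Threshold, API list and path prefixes are assumptions.
from dataclasses import dataclass, field
from typing import List, Tuple

HEAP_SPRAY_MB = 512                       # assumption for the "tunable threshold"
ANTI_ANALYSIS_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                      "NtQueryInformationProcess", "GetTickCount"}   # assumption
SYSTEM_PREFIXES = ("C:\\Windows\\", "HKLM\\",
                   "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run")  # assumption

@dataclass
class Behaviour:
    """What the two monitors observe for one replayed object (all fields constructed)."""
    payload_found: bool            # H1: ShellOS found a code injection / code reuse payload
    peak_memory_mb: int            # H1: peak memory of the browser process
    crashed: bool                  # H1: process terminated or crashed
    api_calls: List[str] = field(default_factory=list)                # H2: hooked API names
    children: List[str] = field(default_factory=list)                 # H2: spawned processes
    downloads: List[Tuple[str, bytes]] = field(default_factory=list)  # H2: (name, first bytes)
    paths: List[str] = field(default_factory=list)                    # H2: files/registry touched

def h1_reasons(b: Behaviour) -> List[str]:
    """ShellOS-style rules: payload in memory, heap spray, or crash."""
    r = []
    if b.payload_found:
        r.append("code injection/code reuse payload")
    if b.peak_memory_mb > HEAP_SPRAY_MB:
        r.append(f"memory {b.peak_memory_mb} MB exceeds {HEAP_SPRAY_MB} MB (heap spray)")
    if b.crashed:
        r.append("process terminated or crashed")
    return r

def h2_reasons(b: Behaviour) -> List[str]:
    """Cuckoo-style rules: anti-detection, child process, dropped executable, system access."""
    r = []
    if ANTI_ANALYSIS_APIS.intersection(b.api_calls):
        r.append("known anti-detection technique")
    if b.children:
        r.append("spawned " + ", ".join(b.children))
    for name, head in b.downloads:
        if head.startswith(b"MZ") or name.lower().endswith((".exe", ".dll")):
            r.append(f"downloaded executable {name}")   # check magic, not only the extension
    if any(p.startswith(SYSTEM_PREFIXES) for p in b.paths):
        r.append("accessed registry or system files")
    return r

def verdict(b: Behaviour) -> dict:
    h1, h2 = h1_reasons(b), h2_reasons(b)
    return {"h1": h1, "h2": h2, "malicious": bool(h1 or h2)}   # either honeyclient suffices

SAMPLES = {   # constructed records, one per replayed Flash object
    "benign": Behaviour(False, 60, False, ["CreateFileW"], [], [],
                        ["C:\\Users\\u\\AppData\\Local\\Temp\\x.tmp"]),
    "spray_then_crash": Behaviour(True, 900, True),
    "dropper": Behaviour(False, 80, False, ["IsDebuggerPresent", "WinExec"], ["cmd.exe"],
                         [("update.bin", b"MZ\x90\x00")],
                         ["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"]),
}

def run_all() -> dict:
    return {name: verdict(b) for name, b in SAMPLES.items()}
```

The point of `verdict` is the OR: H1 sees the exploitation step (memory), H2 sees what the payload does afterwards (OS changes), and a sample that evades one monitor usually still shows up in the other. The executable check looks at the `MZ` magic rather than trusting the file name, since a dropper that fetches `update.bin` would otherwise slip past an extension-only rule.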

SLIDE 28

Exploit Kits – Corporate Ownage as a Service

❖ Targeted victims/day: 90,000
❖ Exploits served per day: 9,000
❖ Successful infections: 40%
❖ Ransomware delivered: 62%

Source: Cisco Talos Group, "Angler Exposed", October 2015, http://www.talosintel.com/angler-exposed/
SLIDE 29

TRIGGER: Impact of File Hashing (chart not included in the text export)

SLIDE 30

TRIGGER: Impact of Piecewise Hashing (chart not included in the text export)

SLIDE 31

Evaluation – Detection Performance

❖ Hardware: four-core Core i7-2600 CPU at 3.40 GHz, 16 GB RAM.
❖ Configuration: Windows 7; IE 8 and IE 10; 8 Flash versions.
❖ H1: ShellOS (monitors code injection/reuse). H2: Cuckoo (monitors OS changes).
❖ Corpus: 177 exploit kit traces* (*www.malware-traffic-analysis.net).
❖ Prototype: 10,000 lines of code.

SLIDE 32

Evaluation – H1 Results

92% true positive rate.

SLIDE 33

Evaluation – H2 Results

56% true positive rate. H1 & H2 combined: 100% true positive rate.

SLIDE 34

Evaluation – Comparison – VirusTotal

61% true positive rate.