An Early Malware Detection, Correlation, and Incident Response System with Case Studies

Abstract

Software and systems complexity can have a profound impact on information security. Such complexity is imposed not only by the technical challenges of monitoring heterogeneous and dynamic (IP and VLAN assignment) network infrastructures, but also by advances in exploits and malware distribution mechanisms driven by the underground economy. In addition, operational business constraints (disruptions and their consequences, manpower, and end-user satisfaction) increase the complexity of the problem domain within which security analysts must operate. This is particularly evident when implementing effective response measures to malware infections in a timely manner while minimizing the risk to the business. A simple question becomes particularly valid in such complex environments: what response actions are required to eradicate malware infections while maintaining a highly operational, low-risk profile? The difficulty stems from the absence of predefined and pre-correlated knowledge of the environment and of malware behaviors. Without such knowledge, isolating, analyzing, and responding to incidents at the very time of infection becomes increasingly difficult, especially when the incident involves aggressive malware specimens exhibiting behaviors such as network propagation, acting as a spambot, or seeking data exfiltration. In such cases it is critical to respond to the incident before serious consequences to the business occur.

The faster a compromise is detected and responded to, the better it can be controlled and the less impact it will have. For this purpose, a methodological framework for responding to malware incidents is proposed. At its core, the framework focuses on minimizing the Detection-To-Response (DTR) process and its time frames. The foundations upon which the framework is built are pre-correlated contextual knowledge about the monitored network and a pre-built malware analysis knowledgebase. This allows the framework to systematically and dynamically automate network actions that isolate infected hosts as early as detection. At the same time, the collected multidimensional knowledge is presented to the analyst to aid the investigation and response phases. Ultimately, the early automation of response actions and the reduced response time frames preserve the continuity of operations as well as the fidelity of the end-user relationship. To demonstrate the efficacy of the framework, two case studies are presented to evaluate the proposed framework in responding to malware incidents.

Yaser Mansour, [email protected]

1. Complexity and Information Security

“The complexity of software is an essential property, not an accidental one” (Brooks, 1987). The adopted software architecture and coding paradigms directly affect software internal and external quality attributes, specifically complexity (Mansour & Mustafa, 2011). However, complexity is not a desired system attribute. As (Schneier, 2000) notes, “The future of digital systems is complexity, and complexity is the worst enemy of security”. Complexity in this paper refers not only to the inherent complexity of software and the interactions among discrete systems (Booch, 1994), but also to the technical and operational challenges imposed by the monitored network infrastructure and business constraints.
The former challenges include the heterogeneous and dynamic nature of a network infrastructure. The latter challenges involve the consequences for the business of malware infections (in this context, malware refers to any type of malicious code designed to damage or otherwise perform unintended actions on behalf of a computer system user, such as Trojans, worms, viruses, backdoors, etc.), the lack of manpower and expertise to respond to infected hosts, and the end-user perspective. Both types of challenges require the analyst to operate adequately while maintaining credible incident analysis and response. Finally, the ability to technically respond to malware infections before they severely impact business operations is key.

Heterogeneous environments necessitate the deployment and support of various operating systems (OS’s) as the business requires. This expands the problem domain for the analyst, as different OS’s are prone to different types of vulnerabilities and may be targeted by different malware infections; hence, different response techniques are required. Dynamic and role-based IP address and VLAN assignments raise the level of complexity for the analyst. An infected host must be accurately identified, tracked, and isolated if necessary within appropriate time frames, prior to changes caused by the dynamic infrastructure. Without predetermined and readily available knowledge about the environment and about infection behaviors and mitigations, it becomes increasingly difficult for the analyst to respond properly to infected hosts in a timely manner. In addition, the absence of automated response actions can be overwhelming, especially when dealing with multiple incidents at once. This is particularly evident if a host is infected with offensive malware exhibiting behaviors such as data exfiltration or attacking the internal network.

Other examples include network worms such as Dorkbot (possibly propagating to other hosts) and the Steckt/Neeris IRCbots, or ransomware infections such as Uruasy. In general, these types of infections not only prevent employees from performing business functions, but can also leave a negative impact if not responded to in a timely fashion. Dorkbot and Steckt/Neeris worms are presented as case studies in this paper (see Section 3). An emergent need stems from the absence of actionable data that allows timely and informed decision making regarding malware compromises. If such data exists, response actions can be dynamically determined and automated on the fly at the very moment a malware infection strikes, sparing the organization the consequences that would otherwise follow the incident. The work presented in this paper attempts to assess the proposed custom framework in fulfilling this emergent need. Another, equally important aspect of the framework is the ability to instantly present the analyst with pre-correlated and multidimensional knowledge regarding the malware incident. This knowledge then serves as the initial response and investigation strategy.

1.1. Malware, an Added Layer of Complexity and its Importance

Historically, malware has existed since the 1980’s, when Fred Cohen demonstrated the ability to use malicious code to attack computers (Stamp, 2011). Unfortunately, over time and due to several factors, malware infections are not necessarily regarded as a serious risk (Ross, 2010). One of these factors that is of interest to this paper is the naming conventions used to identify malware. For example, “The quirky names given to viruses...exacerbate this tendency to trivialize an infected host as nuisance rather than a true security threat.” (Ross, 2010).
One might assume that since malware naming convention standards such as the Computer Antivirus Research Organization (CARO) [1] and the Common Malware Enumeration (CME) Initiative [2] exist, it may be relatively easy to name and identify malware. However, in reality it is still a difficult task to assign malware names in a consistent manner (Zeltser, 2011). As a result, this may become a major source of confusion for the analyst, mainly because of the uncertainty of whether existing detection signatures and tools cover the encountered malware.

[1] An example of how CARO assigns names to malware is available at: http://www.microsoft.com/security/portal/mmpc/shared/malwarenaming.aspx
[2] CME is no longer active and all of its efforts have been transferred to the Malware Attribute Enumeration and Characterization (MAEC): http://maec.mitre.org/

An added layer of complexity for the analyst comes bundled with the advances in the tactics and dynamics by which malware is distributed and operated, and in the motivations behind it. For instance, the Kaspersky report (Kaspersky, 2013) reveals that the number of phishing attacks has almost doubled, registering an 87% increase over the previous year. Not only has the number of attacks increased, but so has the organization of attackers. For example, targeted phishing attacks that selectively gather intelligence about targets in order to craft specific phishing scams (Schneier, 2013) have been observed. This can be relatively easy using the automated social engineering tools described in (Kennedy, 2013). In the (Batchelder et al., 2013) report, malicious or compromised websites topped the list of threats that enterprises encounter, leading to the distribution of malware as a result.

One such technique to distribute malware is to compromise a site that hosts content of common interest to a domain or group of people. Once compromised, the site’s HTML code is injected with malicious JavaScript that may exploit vulnerabilities on the machines of users browsing the compromised site. This type of attack is known as “Waterholing” or “Watering hole”. Specifically, this attack was used to plant malicious JavaScript on a popular developer forum to exploit unpatched Java (Romang, 2013), which eventually compromised hosts at Microsoft (Thomlinson, 2013), Facebook, and Apple (Mimoso, 2013). A similar attack against the official PHP site involved appending obfuscated JavaScript that redirected visiting users to malicious sites to download malware (Kimberly, 2013). A high-level diagram of the drive-by payload is depicted in Figure 1. Through a relatively similar type of attack utilizing a 0-day vulnerability (CVE-2013-3906) (Li, 2013), a backdoor malware variant was distributed by embedding the exploit code into a site “known to draw visitors that are likely interested in national and international security policy” (Moran, Vashisht, Scott & Haq, 2013).

Malware is a prevalent problem that can have serious consequences for businesses. In fact, the (Verizon, 2013) report stresses that malware ranks among the top threats facing organizations, registering 40% of the number of breaches. This is driven by the underground economics behind exploits and malware distribution, which add more sophistication to the nature of attacks. (Grier et al., 2012) discusses the model of “Exploit-as-a-service”. Simply put, the model describes how the attackers who monetize compromised hosts may be independent from the attackers who exploit the same hosts (i.e., affiliate programs). Their study showed that 32 families of the most prominent malware are distributed through exploit kits and drive-by downloads. In addition, the malware automation tools discussed in (Elisan, 2013) allow automated creation and updating of polymorphic malware specimens with encryption and anti-debugging capabilities to evade detection. This, combined with the commercialization and automation of exploit kits (Kirk, 2013) that chain exploits to guarantee penetration and possibly drop malware payloads, increases the complexity of incident detection, tracking, and response.

Figure 1. A high-level diagram of the PHP.net compromise (drive-by).

1.2. Towards Defensive and Self-Healing Networks

The work done in (Gu et al., 2007) emphasizes a malware dialog-based correlation technique to gather and correlate the stages of the malware (bot) infection process. The proposed model provides a comprehensive report of the related events of the infection, which can be useful to the analyst during incident response. Also, defensive (Johnson, 2013) and decoy (Tangwongsan & Pangphuthipong, 2007) network systems can capture a wealth of attack information, not only from actions generated by an attacker but also about automated malware behaviors, such as a malware specimen mapping the internal network for potential targets. A recent project (Automated Cyber Reasoning) was initiated by DARPA (DARPA, 2013) in the form of a cyber-challenge with autonomous defense systems as its theme. Through software reasoning and the use of signature-based systems such as IDSs, the goal is to implement resilient and autonomous integrated systems capable of automatically gathering and validating information about software vulnerabilities and patches, as well as discovering and mitigating security flaws.
This is a particularly important project which may lead to advances in the field of self-healing networks. In a relatively similar fashion, when a malware infection is detected, it must be contained and responded to as early as the detection takes place. Such an infection may originate internally, due to misconfigurations or user unawareness, or through an external (unmanaged) host connecting to the corporate network. Early containment allows the investigation and eradication phases to be conducted in an isolated environment without affecting production systems. In order to achieve this, response actions must be dynamically determined and automated based on the pre-correlated contextual knowledge.

2. Automated Correlation, Detection, and Response

2.1. Breaking Down the Problem Domain

Approaching a complex problem domain necessitates dissecting it into smaller, manageable sub-domains and addressing these in relation to each other. The work presented in this paper is driven by the challenges discussed in the introduction, which are detailed in this section.

Challenge 1: Alert-to-Host-to-User (AHU) identification

Description: In a dynamic environment, IP-to-host assignments largely depend on a number of factors such as the DHCP server(s) and DHCP leases, port changes, and host restarts, to name a few. It is significant to be able to identify a host and its owner as soon as the malware infection occurs. This makes it possible to track and directly approach the infected machine for remediation. Dissecting the various types of logs generated by different types of network appliances can also be challenging. Even though the logs are related, the relations among them are unfortunately not directly inferred or easily tracked, especially in a dynamic environment. For example, hunting down an IP address that triggered a malware alert on the IDS may not be trivial and may even be time consuming. The analyst then needs to determine the effects and consequences of the malware, increasing the time to respond to the incident. Other limiting factors may include separation of duties, where an analyst may need to access certain appliance logs but, by virtue of job duties and ownership, that access may not be feasible.

Challenge 2: Prioritizing malware infection incidents

Description: One of the major tasks the security analyst performs is to prioritize events generated by the IDS. The same should also apply to malware infections. This is driven by the fact that not all malware specimens are the same, nor do they behave in the same manner. Most importantly, the impact imposed by different malware types may require certain response time frames and procedures. Such prioritization should also be inherited by the actions performed during the response. For instance, CryptoLocker malware may be downloaded within twenty-four hours after the initial infection (Baykal, 2013). Since CryptoLocker can lead to data and productivity loss, an instant response driven by the contextual knowledge can play a vital role in crippling the malware so that it fails to download its encryption keys and hence fails to encrypt files on the system.

Challenge 3: Determining the initial response upon which further analysis is carried out

Description: In tandem with Challenge 2, prioritizing infection incidents can help the analyst make informed response decisions. Essentially, the existence of predefined and instant knowledge about the malware and its behaviors can greatly improve the response process. For example, a malware capable of propagating through the network to critical business servers (e.g., file sharing servers) may warrant disabling access to the server(s). This also includes actionable knowledge about the interactions with the host operating system, such as the executable directory, registry entries, persistence methods, and so forth. The knowledge also contains steps and tools that can be used for disinfection. Having this information in hand at the time of infection not only helps the analyst quickly and specifically address the infection, but also reduces the risk of damage by the malware, as well as the negative productivity impact on end users.

Challenge 4: Isolating host(s) infected with serious malware

Description: Certain malware specimens may exhibit behaviors that can impact business continuity and assets. Such types of malware require immediate containment before further consequences occur. Considering the CryptoLocker example again, the ability to dynamically move the infected host to an isolated network segment with no internet access as soon as an alert is generated may prevent CryptoLocker from contacting its Command and Control (C&C) servers, thus preventing the malware from obtaining the encryption keys. Consider also hosts acting as spambots due to infections with malware such as Kelihos. If not contained appropriately, this may lead to IP blacklisting of the affected organization due to the mass sending of spam emails from the infected hosts. Other damaging malware examples include password-stealing and exfiltration malware such as Zeus/Zbot (MMPC, 2013) and Vawtrak (MMPC, 2013), as well as backdoor malware (RATs) allowing an attacker to control the infected host, possibly initiating a DDoS from a wide range of infected hosts. Instantly and dynamically isolating such infections is crucial to business continuity because of the damage imposed by the malware.

Challenge 5: Bridging the gaps between helpdesk teams and security teams

Description: In general, helpdesk teams are considered the frontline when it comes to end-users reporting technical complaints. Such issues may be caused by a malware infection preventing an end user from performing business functions. In this case, the helpdesk team may need to be armed with basic response skills to aid the security team in combatting malware and, at the same time, respond to end-user inquiries. This need is particularly evident when a malware outbreak is under way. Achieving seamless sharing of response skills without overloading helpdesk teams is important. The existence of a pre-correlated knowledgebase can facilitate skills sharing. In other words, the helpdesk team will not have to spend time and effort hunting down the infected machine and then researching eradication techniques; instead, the knowledge to fix the problem is already shared. Similarly, the security team can allocate the time saved to analyzing other incidents or to continuing to build and improve the knowledgebase.

Challenge 6: Minimizing the impact on business continuity and end-users

Description: Malware incidents can prove disruptive to business operations. The time taken to analyze the incident, determine appropriate response and containment actions, and eventually recover operations to a fully operational state can be costly. This effect also extends to individual end users. Malware infections can be frustrating, especially for non-tech-savvy employees, when infections prevent them from operating routinely. The ultimate goal of early detection and response is to minimize such disruptions for both the business and end-users alike.

2.2. Making Use of Existing Log Data

Almost every device (managed or unmanaged) connected to the network either is configured to generate or automatically generates some form of logs. Network activities registered by network appliances are logged regardless of connection type (wired, wireless, or VPN) and regardless of authentication mechanism (machine or user authentication). Logs such as firewall logs, Network Access Control (NAC) logs, and IDS alerts all provide valuable information to the monitoring and response processes. Other logs that may not be automatically generated but have added value include ARP and NAT tables. There may also be internally maintained logs, such as a malware knowledgebase, that can be used to provide additional information to the initial detection and assessment. Not all information recorded in the logs may be useful or necessary for a certain task; in this case the logs may be parsed and pruned appropriately to extract the useful information. For example, a malware alert is generated on the IDS. The alert is then parsed to correlate it to a certain malware knowledgebase record, then the offending IP address is queried and validated against the stored NAC log record and by querying the switch ARP tables. Another example may involve a host behind a proxy or a NATed IP address. In this case the NAT table needs to be queried to obtain the host’s IP address, and that IP address is then validated against the NAC log store. VPN logs and session durations also play a major role in identifying infected hosts generating malware alerts. Once all of the information extracted from the logs is pre-correlated and assembled in a readable manner, it becomes easy to correlate an infected host generating alerts on the IDS with its owner and possibly the affected OS. Eventually this leads to informed decision making on how to proceed with the incident. Other malware alerts may need immediate action, such as isolating the infected host. With the information already correlated and stored, automatic network actions can be initiated to isolate the infected host, preventing further network activities from that particular host. At the same time, the security team is notified of the action. Combined with the preexisting malware knowledge, responding to the incident can be quick.

2.3. Researching Malware for Behavior and Mitigations

Researching malware in the context of this paper focuses on building the knowledge for identifying 1) malware network and C&C behaviors, 2) malware interactions with the host and the Indicators of Compromise (IoC), and 3) eradication and disinfection methods and tools. Such knowledge is mainly accumulated by performing two major tasks. The first task involves utilizing online resources specializing in malware analysis. Several online resources provide a wealth of analysis data about malware families, such as VirusTotal, Malwr, TotalHash, the Microsoft Malware Encyclopedia, and malware analysis blogs. The second task involves dynamic malware analysis in a testing environment when possible or necessary. Through this phase, the analyst is able to uncover and dismantle the various external and internal network activities generated by the malware. These may be DNS queries for domains requested by the malware, anomalous HTTP requests and User-Agents, or even port scans against the internal network. Another added advantage is the ability to identify variant behaviors of existing malware, such as new C&C domains and communication patterns. This gives the analyst the information required to craft custom signatures or update existing ones, which are later integrated with the existing IDS infrastructure to detect suspected network activities.

In addition to capturing network traffic, the analyst is also able to record the interactions between the malware and the host, such as file system and registry changes. This helps the analyst reveal patterns of interaction which can be converted into IoCs that help in responding to and reporting malware incidents. Simulating real-life infections can also serve as a practical test of malware eradication techniques and tools. All of the knowledge collected during malware research and analysis provides an in-depth understanding of malware behaviors. This provides solid ground upon which the analyst can devise incident response plans to combat malware infections. Eventually, the knowledge is presented in a consistent and formatted manner that is easily consumed to support the response process in future malware infection incidents.

2.4. System Components and Workflow

The proposed framework consists of four key components: Logging and Correlation, Detection, Response, and Reporting. Each area is comprised of one or more modules, each of which is responsible for a certain functionality, operating cohesively to achieve the desired behavior. A high-level architectural diagram is illustrated in Figure 2.

Figure 2. High-level architecture diagram (image not reproduced). Components shown: Appliance Logs feeding a Logs Engine (Logs Parser, Logs Correlator, continuous logging and correlation) and an Alerts Parser (SID, Level, Threshold); the Malware KB; the MAL Correlation and Decision Engine (Final Correlation, Decisions and Actions + History); the Actions Engine; Output and Reporting (GUI Views); and the Security Team.
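The Alert-to-Host-to-User correlation of Section 2.2 and the Alerts Parser / Decision Engine split of Section 2.4, as an added example that is not the paper's own code: a Snort-style alert line is parsed, its SID looked up in a malware knowledgebase, the source IP walked through NAT, ARP and NAC records, and the decision engine isolates only when the KB level meets the threshold and the NAC lease actually covered the alert time. All alert lines, SIDs, KB entries and lookup tables are constructed sample data.

```python
"""Toy Alert-to-Host-to-User (AHU) correlator and decision step (added example,
modelled on Sections 2.2 and 2.4; not the paper's code). Every alert line, SID,
knowledge-base entry and ARP/NAC/NAT record below is constructed sample data."""
import re
from datetime import datetime

ALERT_YEAR = 2014  # constructed: Snort-style fast alerts carry no year

# Constructed Snort-style alert lines; the SIDs are placeholders.
ALERTS = [
    "01/15-10:23:45.123456  [**] [1:9000001:2] SAMPLE Dorkbot IRC C&C checkin [**] "
    "[Priority: 1] {TCP} 203.0.113.5:49152 -> 198.51.100.7:6667",
    "01/15-10:30:02.000001  [**] [1:9000003:1] SAMPLE adware HTTP beacon [**] "
    "[Priority: 3] {TCP} 10.20.30.41:51000 -> 198.51.100.9:80",
]

# Constructed malware KB (the product of Section 2.3), keyed by IDS SID.
MALWARE_KB = {
    9000001: {"family": "Dorkbot", "level": 3,
              "behaviors": ["network propagation", "IRC C&C"],
              "response": "isolate host, audit reachable shares, remove persistence"},
    9000002: {"family": "Kelihos", "level": 3, "behaviors": ["spambot"],
              "response": "isolate host before outbound spam gets the org blacklisted"},
    9000003: {"family": "adware", "level": 1, "behaviors": ["HTTP beacon"],
              "response": "notify owner, clean at next helpdesk visit"},
}
ISOLATE_THRESHOLD = 3  # KB level at or above which the Actions Engine isolates

# Constructed infrastructure lookups standing in for the Section 2.2 log sources.
NAT_TABLE = {"203.0.113.5": "10.20.30.40"}          # proxy/NAT IP -> inside IP
ARP_TABLE = {"10.20.30.40": "00:11:22:33:44:55",    # switch ARP: IP -> MAC
             "10.20.30.41": "00:11:22:33:44:66"}
NAC_LOG = {                                         # NAC: MAC -> user, host, lease window
    "00:11:22:33:44:55": ("jdoe", "WS-0042", "2014-01-15 08:00:00", "2014-01-15 16:00:00"),
    "00:11:22:33:44:66": ("asmith", "WS-0077", "2014-01-14 08:00:00", "2014-01-14 16:00:00"),
}

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+"
)

def parse_alert(line):
    """Alerts Parser: pull timestamp, SID, message and offending source IP from one line."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError("unrecognised alert format: " + line)
    ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f").replace(year=ALERT_YEAR)
    return {"time": ts, "sid": int(m["sid"]), "msg": m["msg"], "src": m["src"]}

def resolve_host(ip, at):
    """Logs Correlator: NAT -> ARP -> NAC. With dynamic addressing the IP seen now may
    not be the host that held it when the alert fired, so a lease that does not cover
    the alert time is flagged stale rather than trusted."""
    inside_ip = NAT_TABLE.get(ip, ip)
    mac = ARP_TABLE.get(inside_ip)
    if mac is None or mac not in NAC_LOG:
        return {"ip": inside_ip, "mac": mac, "user": None, "host": None, "mapping": "unknown"}
    user, host, start, end = NAC_LOG[mac]
    fmt = "%Y-%m-%d %H:%M:%S"
    valid = datetime.strptime(start, fmt) <= at <= datetime.strptime(end, fmt)
    return {"ip": inside_ip, "mac": mac, "user": user, "host": host,
            "mapping": "valid" if valid else "stale"}

def decide(kb_entry, host):
    """Decision Engine: isolate only when the KB level meets the threshold and the AHU
    mapping is trusted; anything uncertain is handed to the security team instead."""
    if kb_entry is None:
        return "notify: unknown SID, research and add to malware KB"
    if kb_entry["level"] >= ISOLATE_THRESHOLD:
        if host["mapping"] == "valid":
            return "isolate"
        return "escalate: isolation-level alert but host mapping is " + host["mapping"]
    return "notify"

def correlate(line):
    """End-to-end AHU correlation for one alert line (what a GUI view would present)."""
    alert = parse_alert(line)
    kb = MALWARE_KB.get(alert["sid"])
    host = resolve_host(alert["src"], alert["time"])
    return {**alert, "kb": kb, "host": host, "action": decide(kb, host)}

if __name__ == "__main__":
    for line in ALERTS:
        r = correlate(line)
        print(f"{r['time']:%Y-%m-%d %H:%M:%S} sid={r['sid']} {r['host']['host']}/"
              f"{r['host']['user']} mapping={r['host']['mapping']} -> {r['action']}")
```

The first constructed alert resolves through the NAT table to a host with a current lease and a level-3 KB entry, so it is isolated; the second has a lease from the previous day, and a real deployment would pull the DHCP or VPN session log for that window before acting on it.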


Publication date: 2015