Malware Command and Control Channels -a journey into Darkness-

Formal metadata

Title
Malware Command and Control Channels -a journey into Darkness-
Series title
Number of parts
93
Author
License
CC Attribution 3.0 Unported:
You may use, modify and reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any lawful purpose, provided that you credit the author/rights holder in the manner specified by them.
Identifiers
Publisher
Year of publication
Language

Content metadata

Subject area
Genre
Abstract
Much of the time and attention dedicated to modern network security focuses on detecting the contemporary vulnerabilities and exploits which power the breaches that make the headlines. With almost all of the emphasis placed on the endless cycle of new entry points, we often overlook what is perhaps one of the most profoundly interesting aspects of modern network breaches: the post-exploit communication of a compromised system with the attacker, known as command and control. Once malware has compromised an end system, the tables are turned against the attackers; we go from being on defense to being on offense. Attackers are constantly evolving their techniques and have become incredibly creative in attempting to hide their tracks, maintain control of compromised systems, and exfiltrate sensitive data. This presentation will explore how command and control channels have evolved against traditional defenses, where they are today, future predictions on their evolution, and most importantly, how you can go on the offense to protect your organization by identifying and disrupting command and control channels in your network.

Bio: Brad Woodberg is a Group Product Manager at Proofpoint Inc, leading the Emerging Threats product line. Prior to his current role at Proofpoint, he spent six years at Juniper Networks as a layer 7 security product manager and product line engineer. Prior to Juniper he worked for a security consulting company in Ann Arbor, Michigan for four years, delivering a variety of network security technologies and services. He is a four-time published author of network security books through O'Reilly and Syngress. He has spoken at several security conferences including DEF CON 19, CanSecWest 2011, SEMAPHOR and other regional talks. Brad is also an active mentor to up-and-coming security engineers who share a similar interest and passion in all things network security.
Transcript: English (automatically generated)
let's get started. So uh my name is Brad Woodberg, I'm a product manager with uh Emerging Threats at Proofpoint and uh today we're gonna be talking about command and control channels. So uh just quick uh rundown of what we're gonna be covering, few minutes on the intro but we're gonna go heavy into some malware techniques, we're gonna talk about you know actual malware uh case studies, what's what
we're kinda seeing predictions and trends uh for malware um I think it's actually uh sorry we're having an issue on that I think I think I have like one older uh version of the rev on here but we're just gonna plow through it. Uh we're gonna talk about defense and uh and then we'll wrap this up
all in 45 minutes so that uh we can go get some uh beer and have some fun tonight. So why command and control right? Why is this topic so interesting because uh you know so much of the uh uh you know so much of the information that you know that we talk about that we see in the security industry, blogs, articles, etcetera focus on vulnerabilities, exploits and the actual malware and these
are all great topics um you know all very interesting uh but uh you know one of the big challenges for anyone who's operating IDS you know actually dealing with this on the front lines is we know that trying to detect uh you know vulnerabilities, the whole CVE game, um you know different types of exploits uh you know it's it's very noisy, it's not very high fidelity, you often times will uh you know
have um uh you know alerts that trigger when actually uh you know an asset wasn't actually breached. Um but actually when you look at command and control that's actually the point where you can say hey with high confidence I know that this asset has been compromised um you know when you see that that control channel is reaching out you
know it's kind of uh as uh Rashid Wallace and my Detroit Pistons once say you know the ball don't lie and uh when you see that command and control channel you know that something's going on. But probably the other thing that's really interesting about command and control is that this is actually the point where you go you know from being on pure defense um you know you're getting hounded all day long you know attacked from every which way uh to actually
the tables are being turned on the attacker so um you know where you had to get it right every single time and they only had to get it right once now it's the other way around in order for them to maintain that connection uh to maintain that control over that asset they have to be right all the time. Uh and so that's why I think uh you know this is interesting and uh why you know why we should talk about it today. So uh you know just a minute or two you know just
when we look at just how how this whole thing gets started right? I the way I see it there's really two primary ways that assets are being compromised. You have executable content uh you know this is your traditional malware uh scripts macro embedded uh in word documents and other office file formats etc. Um you know there's
actually not an exploit happening here it's just um oftentimes now it's just social engineering get someone to open a dock and uh and and then you know there's uh malware that now runs the machine. Uh the other way is the exploit driven approach which is obviously ever so popular with uh with the exploit kits um and this is where you know you're actually taking advantage of a vulnerability to be able to gain execution control on an
endpoint. But really it doesn't matter how it happened the fact is you know all that matters is that it's been compromised. So um you know to say a word to like why do why does malware even need command and control channels like what what's happening here? Um you know oftentimes when an asset is breached it's not under the
best of of scenarios um you know it may happen on an asset that really isn't the ultimate target ultimate goal it doesn't have the information that uh you know that uh an attacker is looking for. Um there might not be sufficient privileges uh it might you know especially when you're dealing with uh exploits you know you have a very small buffer uh or or window in which to fit the
actual payload in so you have to deliver it in pieces um and um you know really uh you know oftentimes a lot of malware just doesn't have a full especially if you're dealing with like crime ware you know not so much target attacks um you know it's basically shipped bare bones and it needs to get more information before it can uh pull off whatever
it's trying to do. So that's where command and control comes in. Um you know just a word or two I mean you know basically the command and control channel is gonna be used for a lot of different things for pushing the actual configuration for escalating the breach as I mentioned um and this is where it's gonna be reaching out to command control infrastructure. Um another aspect of command and control is
actually exfiltration so getting the information you know the intellectual property that's on an endpoint on an asset out into uh you know the attacker's hands so if we look at something like uh like locky uh you know maybe going through and cataloging all the files on the endpoint uh figure out what's interesting and encrypting them um you know
if we look at something like uh uh zbot uh it's actually this one is actually using a DNS channel uh for you know uh command control so uh you know they didn't even have to use anything special or customized or actually or even direct for that matter with DNS you can just send a query and it's gonna find it's way home and essentially all the way to the uh server and back so you know in this case it's
uh actually exchanging commands and information for the uh for the malware to uh to take advantage of. So let's just take a quick look at uh you know an ever popular uh uh vector so the angular exploit kit may it rest in peace. Um you know this is I I chose this cause it's just so prolific uh you know
in the last few years um you know even you know I saw like a bakery down the street from a house uh had uh their website had actually been popped and and was serving up an angular redirector and that's really the interesting thing um you know uh uh is that um you know it's it's not that there's not that the signs are always so obvious uh you know
leading up to an infection you know it's not like it was uh you know defaced or something like that it was just you know there was a little iframe shoved in there and you know if you weren't running uh you know some security software you wouldn't you would never know. Um but anyhow uh we digress. Uh so so looking at the angular exploit kit you know first you know typically you're gonna
hit some sort of a redirector right uh in this case as I mentioned our our poor bakery uh and that is going to redirect you to a traffic distribution system um so this is basically going to evaluate your endpoint it's gonna say hey you know they're running Microsoft Windows uh 7 and flash this version ok we're gonna custom tailor an exploit to that
actual um uh an exploit to that endpoint um and then finally you know an exploit in payload will be delivered oftentimes by different infrastructure. Now here's the really interesting thing about this up until this point um there's no you really don't have confidence that an asset has actually been compromised and all the while
you're probably chasing down a million alerts from your IDS and all sorts of other endpoint systems uh because you know saying hey you know we saw this angular redirector and blah blah blah and there was this exploit and you know it checked what version of flash but there's really no indicate you know no high fidelity uh uh indication that this has actually been fully compromised until you see that
command and control uh and once you see that then you know for sure that um you know that that the system has been uh overtaken. Now just a quick word uh you know for uh you know a lot a lot of times people get uh lateral infections uh uh confused with uh actual command and
control uh and so basically with lateral infections you know w-w-w-w typically what you're talking about is how malware is going to spread within an organization um and um uh you know one thing that I think is a big differentiator is that typically lateral infections will leverage native enterprise protocols uh to to spread not exclusively but but that's a lot
of what we see um uh whereas command and control may be anything from a traditional channel um to uh you know uh so so basically it may be like a H-G-P, H-G-P-S it may be a custom protocol we'll talk about some of the different trends and things uh in in just a little bit. Um but uh but
effectively um uh you know the the internal lateral stuff like if we take Locky for you know as a perfect example in in all the hospitals uh that made a lot of news um you know when they got breached and all their you know uh files were encrypted and the whole place shut down uh and they had to pay seventeen thousand dollars ransom which is really quite a steal in my my opinion for uh full operations of a
hospital but uh but yeah glad it wasn't more. Um in that case you know basically it was just an endpoint that got compromised it wasn't like the file server got breached uh and then you know it actually uh you know broken uh uh you know actually encrypted the files it was an endpoint that had access to the file server using SMB it encrypted the files uh so you you actually do see a lot of that
you know just leveraging the native protocols that are within uh the network itself whereas command and control is a far uh far more uh ex- you know rich and exotic and an interesting uh um uh set of uh protocols that are used. Now I
like to kinda just you know just before we get into the the meat you know just talking about how kinda the the cat and mouse game has evolved because like many things um you know the attackers kinda operate on a uh you know on an economical scale right you know they don't want to especially when you're talking about crime aware but they don't want to do you know take more effort than they need to you know spend more money more time to uh to make
their infrastructure more robust um so they're going to kinda you know play along with the vendors and what is you know um actually you know being effective to the point where it's not then they kinda up the game. Um and you know a lot of the very early malware was just you know leveraging very simple you know high level or high uh high
range uh like TCP UDP ports um that you know could really easily be filtered out on a on a router or on a firewall you know easy as that. Um you know kind of uh evolved into leveraging other applications like IRC uh for for command and control um and then of course you know as some
organizations started to tamp down more and more and restrict firewall access and outbound proxy access uh you know a lot of them and really the the funny thing is that there was a at the exact same time I feel like uh you know a lot of the the peer to peer applications, the file sharing apps, Bittor and so forth they kinda converge along with the malware because they realize that hey you know these
ports are are almost always open so you know so we can leverage them. Malware also shifted over port 80, port 443. Then you had the NGFWs come out that could identify hey this isn't HTTP this is some you know uh binary protocol that we've never seen so we can block it. And all that isn't very interesting but what's starting to get more interesting is how uh a lot of the malware
is leveraging um you know different types of cloud apps uh and it's actually um you know doing uh steganography and in in encoding messages in um you know in files and in various other uh uh metadata that we'll we'll see we'll go through some examples in a bit. Um and this is kind of where
you know where I think a lot of the future is but um you know essentially the malware has gotten to a point where it it it you know it's really getting sophisticated in command control channels. Now at the same time it's important to look at how uh command control systems are being hosted. Um you know uh this isn't like categorically you know uh uh
precise uh you know kind of drop off at any point in time uh for for when things change over but you know but we actually do see you know progression especially with some of the more sophisticated actors in malware. You know at the very beginning everything was kind of statically hosted. Um you had uh IPs that were hard coded into malware and the malware wasn't really changing so today we still see IPs that
hard coded into malware but um you know it it it it wasn't really you know you would have these uh C2 hosts that are up for you know years and uh you know it would take a long time for that to kind of filter into uh you know various lists and so on and so forth. Um you know that the you know I think that those days are uh you know things have evolved
uh uh quite a bit. Um you know shifted to leveraging DNS but again you still had a single point of failure, a name, um you know and uh even though the IP could change and you could route the traffic elsewhere uh you were you still had to you know cope with the fact that you know if that DNS name was discovered and blacklisted, wasn't changed and again we're
talking over a long period of time you know not like what we have today which can be you know hours or days uh basically the the DNS uh uh you know the the malware could be shut down. Config updates, malware actually you know go out and and update itself again not particularly sophisticated but where things started to really get interesting in in my mind is you know around the time of the game over botnet with
uh the Zeus malware because um uh it certainly wasn't the the very first but we saw you know organizations really really really had a very hard time for for several years I mean you know for for you know almost you know 8 years or something uh trying to control this malware because it leveraged more advanced techniques you know domain
generation algorithms, peer to peer, um you know C2 infrastructure so you really got rid of that um you know that that centralized model uh in the same way that you know like BitTorrent and you know uh Skype and other types of uh peer to peer based networking uh protocols and applications
would work. Um and perhaps the most interesting is that now so many of the uh or not so many but we're seeing more and more of the uh uh malware starting to leverage cloud services as C2 so basically you don't even have to operate anything yourself. Um you know we'll get into this a little bit but you know you can use Twitter, you can use Amazon, you can use the comment section, um you know kind of
the classic uh you know Cold War spy drop where you know you bring the briefcase in the park and you drop it and leave and someone else comes and picks it up. It's kind of the same approach and the beauty of it is it requires almost no investment um and uh we'll get you know we'll save more for that uh in in in just a bit. Um so yeah so one
of the things that I found uh most interesting is is steganography and uh you know what's kind of happening uh you know some of the potential we've seen you know hints of this uh certainly in a bunch of different malware and I think it's you know probably one of the most uh you know powerful uh you know ways to be able to exchange information in a covert channel um you know basically
this is hiding information in plain sight. It's been used you know it's not anything new, it's been used for centuries uh if you guys have ever uh seen the video of um uh I think it was a army or naval captain uh Jeremiah Denton uh who was captured in Vietnam and he actually blinked in morse code they were you know doing one of those kind of captive videos where they interview you and ask all those
questions, and he actually blinked "torture" in Morse code, and of course they put out the video. I'm sure they probably knew that type of thing was going on anyway, but it was very, very powerful, because obviously the Vietnamese army didn't know, and it made it through. So I think a lot of similar techniques can be used in actual malware for covert channels. When you look at it, there's a wealth of potential opportunities and places you can hide this data: everything from protocol headers, if you're talking about the network layer, to metadata in files, to all different types of encodings, audio, video, et cetera. We'll go into some of this. It just makes for an excellent place to hide your data and have plausible deniability, and of course you can layer other techniques on top of it, so you can leverage encryption plus steg to hide things in plain sight, if you will.

So let's take a look at a few examples. This is actually an APT malware sample that we saw. I obviously anonymized the IP addresses, but basically what was happening here was that the machine that was compromised (we think it was a Chinese APT) was sending TCP packets with no flags, which is obviously an interesting problem, a zero window, and it was never establishing a session. So it was actually communicating to a C2 just by sending these packets, just by leveraging the fields in the headers. This can really be done with a number of different protocols; it's not anything that's restricted to TCP.

Another example is images. We're seeing malware like Vawtrak and others that will actually embed configuration in an image. In this case what I did was use a tool called OpenPuff, and I took the DEF CON 24 logo: one logo is just the original, and the other has an encoded message. As you can see, you can't see, right? There's nothing our eyes can distinguish. What's actually happening here is it's using the least significant bit and encoding the message or the file (you can put anything in that least significant bit), so the color palette is tweaked by just one tiny value in each pixel, and that's enough that another party could come across it, grab it, and extract the message if they know what to look for. But to not only the human eye but even other computers it would be very hard to detect this type of technique.

So let's talk about another set: besides just trying to hide, what are attackers trying to do to ensure that their command and control channels are not
compromised? There are a number of different counter-offensive techniques they're taking. One technique is to actually filter who can connect back, and this is used in other cases too. It may be used not just for C2 but in the case of actual malware infections, especially targeted phishing: they want to make sure that vendors, and also non-target assets, when they're dealing with targeted attacks, aren't going to be compromised, because of course they don't want vendors learning the secrets and so on and so forth. With crimeware they might care a little bit less and cast a wider net over what they're trying to compromise, so you might not see that quite as much, but we do actually see a lot of filtering from IP address spaces, not only countries but even down to individual organizations if they're targeting an actual organization.

Another thing that can be leveraged is steg, hidden messages in handshakes. Poison Ivy is a really interesting, long-standing piece of malware that does that: it encodes a handshake in the initial connection, so even on that first data packet it'll know, hey, this is a legit system or not, and it can just filter that out if there's some other type of asset trying to reach out. And of course encryption, especially leveraging preloaded SSL certs. It's interesting, we'll talk about Let's Encrypt because it has some implications here, but essentially if you preload a trusted SSL relationship, the public key or symmetric key, into the actual malware, it can make a connection out immediately. So they can basically ensure that, at least until that certificate has been compromised, only malware that is the actual target malware can reach out, and other types of SSL snooping tools trying to grab information wouldn't be able to have success there.

Just anecdotally, in terms of some of the things we're seeing, there's actually been a pretty strong push to a lot of anti-sandboxing techniques by the attackers. I won't get into a lot of the specifics, but we're seeing that it's getting harder and harder. If any of you use open source tools like Cuckoo and other rigs, the attackers are definitely trying to get wise to that and prevent sandboxing analysis in a major way. This is not a new thing, but we're seeing the stakes ramping up on malware that's trying to fly below the radar. So it's not just from a C2 perspective; there are a lot of things, all the way from the exploit to the command and control, where this type of thing is happening.

Just a word on the different families. Crimeware is just going to be casting a huge, wide net. Typically these are pretty chatty, but we will see that they'll go to a little bit greater lengths in a lot of cases to avoid detection. A lot of the targeted attacks, you'd be surprised, are still just leveraging off-the-shelf remote access tools and other commercial tools. They are targeted in that the actual actor is targeting a particular party or organization, but they're not terribly sophisticated. All the way up to targeted espionage, where the sky's the limit. In some cases they may lack C2 altogether, but if you think about the Stuxnets and the Flames and the Dukus and others, there can be some pretty sophisticated command and control, and even insider threats, to make those work.

So we've covered a little bit about some evolution things
that we've seen historically over time, and we talked about some of the different components of malware. Let's actually dive into a bunch of different case studies and look at how different pieces of malware are communicating with command and control.

Gh0st RAT is probably one of the most simple examples, and again, there still are a lot of Gh0st RAT infections that we see, because it's just such a prevalent tool that anyone can use. At least the commodity versions (obviously anyone can modify any of these things) are actually going to have a string in the actual payload, so it's really easy for, say, an IDS to identify it, because it's just there; it's not really obfuscated. It's kind of like if you look at the evolution of BitTorrent: it started out just running on random ports, then they switched to port 80, but they would still (not exclusively) say "BitTorrent" in the actual protocol, and then they got to the point where they were using very advanced (forgetting the name, Kademlia) distributed hash table functions to ensure there wasn't such an easy way to match specific bits, because everything was being dynamically generated on the fly.

Poison Ivy we talked about a little bit earlier. This is leveraging a handshake, so it's trying to identify who's connecting to me: is it a target asset, or could it potentially be a researcher? Typically there'll be some sort of malware delivered, it'll have a password in it, and that is used in the challenge authentication, so that even if you have different strains of Poison Ivy, an individual actor can differentiate and make sure that only the correct target is talking to them. And again that can be important, because if you just allow anything wide open, it means the viability of this malware, of this actual compromise, is going to be not as long-lived, because it'll be too easy to identify, too easy to take down.

NanoLocker, which came out last year, is a really interesting JavaScript ransomware. Ransomware has just been absolutely blowing up, but one of the things I found really interesting is, again, not necessarily leveraging an HTTP or TCP based protocol but actually leveraging the network itself and some of your traditional tools within a network. In this case it was actually encoding the Bitcoin address in ICMP, so basically just send a packet, get a packet back, and know exactly what to do for extorting the victim. Again, the network protocol layers, especially a lot of the legacy protocols, have a lot of great hiding spots. If you look at the difference between IPv4 and IPv6, granted IPv6 has all the next headers and there could be some interesting things you could do there, but there's a lot of space where, in the days of yore, they didn't know precisely that this whole internet thing was going to blow up, so they put in lots of padding and other potential areas where you could hide things. And as prevalent as these protocols still are today, it makes a really great channel for attackers.

GameOver Zeus we talked about a little bit earlier. Basically they want to avoid having the fixed-string, centralized model and to make it hard for IDSes to identify, so what they do is a combination of techniques, but basically they will XOR information in the packet payloads, so it's always changing, and it's very difficult to leverage signature-based technologies with traditional IDSes to identify this malware, because it is always changing. Now that doesn't mean there aren't other ways to do it, but your traditional tools of the trade, if you will, need not apply.

Now Dridex, the banking Trojan, obviously took, for
quite a long time, the whole enterprise sector by storm. Who would have thought that in 2015 through 2016 macro-based malware would be so pervasive and successful? But the fact of the matter is that it is and it was, and even to this day there still is a great deal of malware leveraging these age-old techniques from the days of Windows 95 or whatever. Particularly interesting is one shift we've seen: it's getting harder and harder to attack the machine, because of different types of security protections that are built in, and so attackers are saying, ah, forget about that, we're just going to attack the human. I think Dridex is a great example of that. Someone will get a document delivered, and one really cool example that I loved was that the document would actually be blurred. It'd be an invoice doc, it'd be blurred, but there'd be a message that says click "Enable Content" so that the message will be visible: this payload may be corrupted; if you click "Enable Content" it'll be visible. And that's exactly what it did, but unbeknownst to the user it also reached out, grabbed a payload, and popped the machine. Traditional AV couldn't keep up with that, because they would send a new hash of those documents; they would send millions and millions, hundreds of millions even on some days. So, tremendously successful even to this day, and obviously there are a lot of different flavors, if you will, of the different malware, because they're maybe done by different actors. But in this one they're actually again leveraging the blind drop, the dead drop, just like I talked about with Twitter, Amazon, using Microsoft comments, to deliver command and control information that can be exchanged between the endpoint and the actual server in a covert fashion.

Now Tor. Obviously Tor is near and dear; it has some very important real-world applications, especially in certain countries and regimes and for journalists, so I'm certainly not trying to knock Tor. But for the same reasons it's great for the aforementioned use cases, it's actually becoming quite a problem for a lot of the research community, because it doesn't even really require any type of client: you can literally use Tor2web and do this whole thing clientless. So whether it's Vawtrak or Deluxus or any number of others (we'll look at some trends I've seen in a minute), Tor really is a great way to bridge that gap between the endpoint and the command and control channel; you don't have to worry about anything once you establish that tunnel. Oh yeah, so basically a quick animation here, just showing the initial compromise, where the payload is delivered as a change, the endpoint is probing for Tor information, Tor nodes, doing DNS resolution, and then finally it's making its connection to Tor2web so it can exchange this information covertly.

Now Mayor Viper, this was one we did some research on at Proofpoint. This is obviously a targeted APT attack against parties in the Middle East, we'll say Israeli, and basically it was just leveraging simple HTTP. So even though this is a sophisticated targeted attack, you can see that sometimes it's easier to blend in and remain obscured, if you will, than to go completely out of your way to evade detection. So we talked
about a few different types of malware; let's look at some trends. One of the first ones that's really interesting is SSL. Again, just like Tor, SSL is a critical, fundamental component of our lives, and justly so. We basically went in the last couple of years from about 30% of internet traffic to right around 70% today leveraging SSL. So what does that mean when it comes to command and control? In and of itself it didn't mean that much, but one thing that was a huge game changer is Let's Encrypt. Again, an excellent project, basically allowing anyone to get SSL certificates without the security poverty line: the browsers would trust it and so on, so you could secure your applications. But now the attackers are leveraging that too, because they say, hey, I can now in an automated fashion get legit SSL certs that the client is going to trust, for free, and I can just burn them, just like a domain name, just rifle through them. So while I don't think this will have much of an impact on state-sponsored malware, I think that especially for crimeware it's like, why wouldn't you throw it in an encrypted tunnel and make it that much harder for organizations to find this information?

Now IPv6 is really interesting, because we don't see quite as much of it as one would expect, and even in the case of malware today it's not as prevalent as we probably would have predicted five years ago, even with all the IPv4 net blocks being exhausted. But it actually represents a pretty big challenge for us in the security community. You can get your own /48 from Hurricane Electric, which is 65,000 net blocks, each with I don't even know what that number is, trillions or whatever, of hosts for yourself, right? So some of the traditional things we could do, where we could say, hey, we can blacklist individual IPs or even pseudo net blocks: how do you do that when anyone can get access to such a massive number of IP addresses? I definitely think that sooner or later IPv6 is going to start to make a big splash; it's just once we hit that tipping point of availability to endpoints, and we're starting to get there very soon. The other interesting thing about IPv6 is that a lot of security technology actually still doesn't support it, surprisingly enough, or it does but you're running an ancient version of whatever firmware from a vendor and it doesn't support it. And one of the interesting things with IPv6 is all the different tunneling capabilities: even today you can do IPv6 over IPv4 tunneling in a number of different protocols (IP protocol 41 is a good example, but you can do it over GRE and so on and so forth), and because you can take that approach, if security technology can't strip off those layers, can't recognize it, then it's a perfect path, right? It can just send it right on through: where it might detect it in an unencapsulated format, it'll be totally blind to it, totally miss it, when it comes to just slapping a header on it.

Tor, as I mentioned. This is from some of the internal data I have access to, but we've definitely seen an increase in the malware samples using Tor over time. It's a little bit lumpy in some cases, but it certainly isn't going down, and I think it's just a matter of time on the threat landscape: if people start blocking other mechanisms but don't really do anything to address Tor, then more and more authors will just go with that. Now, leveraging
actual cloud apps for command and control. Again, this is so attractive, and here's the thing: I talked about some of the names you would know, the Twitters, the Amazons, the Microsofts, how they're using TechNet or something to encode messages, but really I'm a lot less worried about the name-brand cloud apps than I am about other types of systems. Just like how my bakery got popped with Angler, there are so many mom-and-pop shops or other organizations, other applications out there, that won't have such a sophisticated team with incredible research staff that'll be able to identify that, hey, something is going on here, because now there are all these thousands of hosts connecting and there are some shenanigans afoot, right? They might notice eventually when everything totally crashes, but it might take a long time before they get to that point. And again it's such an attractive target, because you don't have to host anything; you give up a little bit of control, but if you can do it right it's prime for the picking. Along those lines, there are so many different ways you could leverage a cloud app to hide that information, whether it's an application like Dropbox where you can upload files, or Snapchat or something, who knows, but Instagram, where you can upload an image and have the information literally encoded in that image and have people grabbing it, and all of a sudden you're trending on Instagram or whatever, but it's really because all this malware is phoning home and grabbing this information. It really creates an infinite set of possibilities. So I expect in future years (and really all the steg we could dedicate a whole talk to; it'll be something I'll cover in a future talk) that, in my view, as soon as the cat-and-mouse game catches up, the arms race, and attackers say okay, some of these traditional methods aren't working, you'll definitely see more and more that take advantage of such a prime target.

Another thing is layered evasion. We see this with, I would say, more the APT-style actors, because rather than being crimeware and massively triggering a lot of activity, if you're just doing some IP fragmentation, with TCP segment evasions on top of that, maybe you throw SSL above that, and HTTP (there's obviously a lot you can do within the HTTP protocol to hide information), and of course, as I've gone into at some length, there's a lot you can do in the actual embedded content itself. Starting to leverage these techniques in concert, right? Because really it's a way you can catch some security vendors off guard that, even in 2016, might be blind to either the individual mechanisms or some combination of the mechanisms. It's definitely a real concern, and again, then you can keep on looping all these evasions, then you tunnel all traffic, and it's up to the mind's eye in terms of imagination how sophisticated the evasions could get.

And as I've been saying a whole bunch, steganography: the possibilities there are so limitless, so I would definitely expect to see more and more actors. I guess the really scary thing about steg is that when done right it's so incredibly difficult to identify, as we saw earlier with the mirrored images, right? So what concerns me more is the unknown-unknown aspect of attackers that could leverage this type of technique, because unlike some of the traditional mechanisms we can use to identify individual patterns, identifying steganography is incredibly difficult in a lot of cases, both for a human and even for a machine. So how do you do that when the amount of bandwidth we're sending is ever increasing, and it's getting more and more expensive to cope with that? How do you even identify when this type of technique is being used? It's a very good problem. So
we talked a little bit about the different trends and predictions; let's talk about defense, right? What are some of the things you can take away from this talk to defend your network, your assets, your infrastructure? Start with the really obvious, which shockingly, even in 2016, still isn't that highly used. Basically I took a ton of malware samples, millions of malware samples that we had, and looked specifically at the command and control ports, what ports they were using, and about 17% of the malware was using high-range TCP ports for command and control. I'm not even talking about other aspects of the malware; I'm talking specifically about the command and control. And they do that because of course most people leave those wide open, and that's kind of a bad idea. I totally get why, and it can be an administrative nightmare, but you can eliminate a lot of low-hanging fruit when it comes to command and control, and with a lot of these pieces of malware you might be able to totally break it if it can't phone home, right? If it can't get that extra payload, if it can't share that encryption key or whatever, you can prevent this attack from being successful with the click of a mouse.

Another big thing is making sure you don't have applications running on your network that you wouldn't expect or wouldn't desire. If you're an enterprise and there's no real reason for you to be running Tor, you probably shouldn't allow Tor out, because the malware will definitely take advantage of that. Even unknown binary streams, we should say: some malware on occasion will just run some sort of odd encrypted protocol, and if you can do deep packet inspection and encryption entropy, which is something a lot of modern IDSes and NGFWs do, you can identify potentially unknown types of malware just because it's not matching a traditional protocol. It's actually not leveraging steganography; it's standing out like a sore thumb.

The next thing is to fingerprint known malware. I'm definitely going to give a shout-out and plug to ET Open, which is free to anyone and maintained (we curate it, but it's free to anyone in the community). That's something we focus on heavily, because rather than just trying to fingerprint all the CVEs and play the whole CVE game with 15-year-old German help desk software or whatever, we focus on, hey, we see this malware in the wild right now and we're going to specifically identify it, so if you see this trigger you really know that this is bad. A lot of people talk about the security poverty line, and that's true to some extent, but there are a lot of great open source tools you don't have to break an arm and a leg to get your hands on, and this is a great example, because by fingerprinting the known malware you can introduce a very good signal-to-noise ratio and identify the known bad.

Now SSL, again, is a mixed blessing, right? There are just a lot of blind spots nowadays, especially if you're off of an SSL tap, and so there are a few different things you can do when it comes to SSL. There are a lot of new systems that support SSL man-in-the-middle. Again, there's controversy there; you can't always use it, for good reason, but if your situation dictates and you can break it open for some traffic (for instance, any SSL site that isn't categorized by, say, a web filter or something like that), you could break it open and inspect it, and you'd be able to identify potential command and control, infection, so on and so forth, within that SSL stream. But the good news is you actually don't have to do that in all cases. ET Open and abuse.ch (another great source) have not only signatures but published blacklists, certificate blacklists, so you can actually just view what is a known bad certificate. You never have to crack open the stream; you can just fingerprint it and say, okay, this machine is popped because it's reaching back using a, let's say, Dridex known-bad SSL certificate, going to a known-bad site. It doesn't require you to actually crack open the stream to figure that out.

Heuristics and anomaly detection: normally these things drive us all crazy because they're so chatty and so unreliable, but as you probably saw in a bunch of the samples, especially on some of the targeted attacks, when leveraged in the right context they can really light up like a Christmas tree, because you will find some of the different types of techniques, and for these layered evasion techniques it's a great way to defeat them. Again, it doesn't require a commercial solution; there's tons of off-the-shelf stuff you can leverage to detect these types of techniques. And really, at the end of the day, it's just giving a shit, right? A lot of people
just don't, right? I was told there are three types of organizations: you have the compliant, you have the security conscious, and you have the security sensitive. The compliant is just like, I don't care, I just need to buy this so I can check off this PCI checklist; just tell me how much it is and go away. Then you have the security conscious, who are like, hey, we want to do the right thing, we don't have a whole team of experts, and they're definitely a perfect audience for this, because again, even without having to spend an arm and a leg, you can get solutions that can help you if you actually care. The security sensitive kind of have a whole practice going on, and I'm less worried about them; they know what to do.

But perhaps most importantly, get involved, right? And I don't mean in a spend-money, donate kind of way. If you find command and control channels interesting, samples in your own environment, it's really easy to get them into the broader community. ET Open is a great way, Snort VRT as well, and there are other foundations. If you're a coder, you can help develop some of the engines that can detect this stuff: Suricata, Snort, Bro, Moloch; there's a whole bunch of different ways you can get involved.

So just to wrap this up, because I know it's 3 o'clock and we definitely don't want to impose on that. Basically the trends speak for themselves. I don't have to speak in hyperbole; everyone knows how serious the actual malware and compromise problems are, and it's only getting worse; it's really not gotten to a point where it's better. The attack surface is so massive, there are so many different ways we can get breached, but we can leverage our strengths, in this case detecting command and control channels, which is our attacker's weakness in a lot of cases, to both prevent infections and counteract, respond quickly, when they do happen. As we up our game they're going to up their game; we've got to have a line of sight to where things are going in the future. But as long as we stay in touch, in tune with the community, reviewing our logs, our information, our infrastructure, what it has to tell us, that's really the best shot we have at mitigating this stuff.

And basically that's what I've got. I want to say a few thank-yous. Thank you, thank you. Thank you all. Thank you, DEF CON, for accepting this talk and letting me get up here on this soapbox, and thanks to everyone for attending, coming all the way over here to the Bally's room. I missed out on Mr. Robot; I saw them all in the green room, it was really funny, I was like, oh my god, I'm not worthy. And basically the whole Emerging Threats team, Proofpoint, there are too many people to name, but thanks, everyone.
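The least-significant-bit image steganography the talk demonstrates with OpenPuff and the two DEF CON 24 logos, reduced to code. This is an added example written for this page, not the speaker's code and not OpenPuff's format: it assumes 8-bit RGB pixels held as a flat list of channel values, a 32-bit big-endian length prefix, and payload bits written MSB-first into the LSB of successive channel values; the cover image and the "config" blob are constructed, and the IP in it is a documentation address. The `lsb_plane_ratio` statistic is there to show why the talk's point holds: on a noisy cover, the stego image's LSB plane looks the same as the original's.

```python
"""LSB steganography over raw RGB pixels (added example; not from the talk)."""
import random
from typing import List


def _to_bits(data: bytes) -> List[int]:
    """Bytes -> list of bits, most significant bit of each byte first."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def _from_bits(bits: List[int]) -> bytes:
    """Inverse of _to_bits; trailing bits that do not fill a byte are dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for b in bits[i:i + 8]:
            value = (value << 1) | b
        out.append(value)
    return bytes(out)


def lsb_embed(pixels: List[int], payload: bytes) -> List[int]:
    """Return a copy of `pixels` with `payload` hidden in the least significant bits.

    Frame layout (my assumption): 32-bit big-endian length, then payload bytes.
    Each channel value changes by at most 1, which is why the eye cannot tell."""
    frame = len(payload).to_bytes(4, "big") + payload
    bits = _to_bits(frame)
    if len(bits) > len(pixels):
        raise ValueError(
            "cover too small: need %d channel values, have %d" % (len(bits), len(pixels))
        )
    stego = list(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit  # clear the LSB, then set it to the payload bit
    return stego


def lsb_extract(pixels: List[int]) -> bytes:
    """Read the length prefix from the first 32 LSBs, then that many payload bytes."""
    length = int.from_bytes(_from_bits([p & 1 for p in pixels[:32]]), "big")
    if 32 + length * 8 > len(pixels):
        raise ValueError("length prefix exceeds cover size")
    return _from_bits([p & 1 for p in pixels[32:32 + length * 8]])


def max_channel_delta(original: List[int], modified: List[int]) -> int:
    """Largest per-channel difference between two images of equal size."""
    return max(abs(x - y) for x, y in zip(original, modified))


def lsb_plane_ratio(pixels: List[int]) -> float:
    """Fraction of channel values whose LSB is 1; a crude steganalysis statistic.
    Near 0.5 for both a noisy cover and its stego version, so it does not flag LSB hiding."""
    return sum(p & 1 for p in pixels) / len(pixels)


def make_cover(width: int, height: int, seed: int = 1) -> List[int]:
    """Constructed cover image: width*height RGB pixels of seeded pseudo-random noise."""
    rng = random.Random(seed)
    return [rng.randrange(256) for _ in range(width * height * 3)]


if __name__ == "__main__":
    cover = make_cover(64, 64)
    secret = b"c2=203.0.113.10:4444;key=deadbeef"  # constructed config blob
    stego = lsb_embed(cover, secret)
    print("recovered:", lsb_extract(stego))
    print("max per-channel change:", max_channel_delta(cover, stego))
    print("LSB-plane ratio cover/stego: %.3f / %.3f"
          % (lsb_plane_ratio(cover), lsb_plane_ratio(stego)))
```

A real malware sample would hide its config in a file format such as PNG or a favicon and would usually encrypt the payload first, as the talk notes, so even a correct extractor yields ciphertext; the mechanism is the same.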
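Three of the defensive checks the talk lists (high-range C2 ports, the "encryption entropy" check that DPI engines run against unknown binary streams, and matching TLS certificate fingerprints against a published blacklist without cracking the stream), run over constructed flow records. This is an added example written for this page, not the speaker's code and not ET Open or abuse.ch tooling; the flows, the XOR-obfuscated beacon standing in for a GameOver Zeus-style payload, the certificate fingerprint, the port floor and the entropy threshold are all assumptions made for illustration, and the IPs are documentation ranges.

```python
"""Flow-record triage for C2 indicators (added example; not from the talk)."""
import hashlib
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

HIGH_PORT_FLOOR = 1024    # assumption: "high-range" means above the well-known ports
ENTROPY_THRESHOLD = 7.0   # bits per byte; encrypted or random bytes approach 8.0
MIN_PAYLOAD = 256         # entropy of tiny samples is noisy, so ignore short payloads

# Constructed fingerprint standing in for an entry from a published certificate blacklist.
BAD_CERT_SHA1 = hashlib.sha1(b"constructed-dridex-style-cert").hexdigest()
CERT_BLOCKLIST: Set[str] = {BAD_CERT_SHA1}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes                    # first bytes of client->server data
    cert_sha1: Optional[str] = None   # TLS server certificate fingerprint, if observed


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the payload encoding that defeats fixed-string signatures.
    Applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def triage(flow: Flow, cert_blocklist: Set[str]) -> List[str]:
    """Return the list of indicators this flow trips; empty means nothing flagged."""
    findings: List[str] = []
    if flow.cert_sha1 and flow.cert_sha1.lower() in cert_blocklist:
        findings.append("known-bad TLS certificate (no decryption needed)")
    if flow.dport >= HIGH_PORT_FLOOR:
        findings.append(f"high-range destination port {flow.dport}")
        ent = shannon_entropy(flow.payload)
        if len(flow.payload) >= MIN_PAYLOAD and ent >= ENTROPY_THRESHOLD:
            findings.append(
                f"high-entropy payload ({ent:.2f} bits/byte) on a non-standard port"
            )
    return findings


def sample_flows() -> List[Flow]:
    """Constructed traffic: a benign HTTP request, an XOR-obfuscated beacon on a
    high port (keystream as long as the message, so the bytes look random), and
    a TLS session whose server certificate is on the blocklist."""
    rng = random.Random(7)
    beacon = b"id=WORKSTATION-7;ver=3.1;cmd=poll;" * 32  # fake bot check-in text
    key = bytes(rng.randrange(256) for _ in range(len(beacon)))
    return [
        Flow("10.0.0.5", "198.51.100.20", 80,
             b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
        Flow("10.0.0.5", "203.0.113.44", 41337, xor_obfuscate(beacon, key)),
        Flow("10.0.0.5", "203.0.113.9", 443, b"\x16\x03\x01" + bytes(300),
             cert_sha1=BAD_CERT_SHA1),
    ]


def run(flows: Optional[List[Flow]] = None) -> Dict[str, List[str]]:
    """Map each destination address to its findings."""
    flows = sample_flows() if flows is None else flows
    return {f.dst: triage(f, CERT_BLOCKLIST) for f in flows}


if __name__ == "__main__":
    for dst, hits in run().items():
        print(dst, "->", hits or "clean")
```

The entropy check only fires on the high-port flow because, as the talk says, the obfuscated stream matches no known protocol and stands out; the 443 flow is caught by its certificate fingerprint alone, which is the point of the published certificate blacklists. Note that a short repeating XOR key over ASCII text would not raise entropy much, which is why the beacon here uses a keystream as long as the message.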