Presentation Transcript

Attack Attribution

Marc Dacier

Sr. Director, Collaborative Advanced Research Dept. (CARD)

Symantec Research Labs

Overview

Attack Attribution

One example:

the TRIAGE method (WOMBAT)

Challenges, open issues

Conclusions

INCO-TRUST/NSF workshop, New York, USA, May 4, 2010

Collaborative Advanced Research Dept. (CARD)
  • CARD is part of Symantec Research Labs, within the CTO office.
  • Worldwide team with members located in the USA (Culver City, California and Herndon, Washington DC) as well as in Europe (France and Ireland).
  • Distinctive feature: long-term exploratory research carried out with external partners from academia and industry.

What we do
  • 2 recently completed projects:
    • ANTIPHISH – EC funding (finished in June 2009)
    • EC-CAM – US (finished in September 2009)
  • 3 ongoing funded projects
    • WOMBAT (EC)
    • VAMPIRE (France)
    • NICE (US)
  • 2 new projects will start in 2010:
    • Minestrone (US)
    • VIS-SENSE (EC).


Attack Attribution …
  • … is not about IP traceback
  • … is about identifying the root causes of observed attacks by linking them together through common, external, contextual “fingerprints”

Analogy
  • Serial killers follow a ritual, and the ritual leaves traces
  • Cybercriminals, for efficiency reasons, automate the various steps of their attack workflow, and this automation leaves traces

Danger

The smiley face killer (?)

  • "One swallow does not a summer make"

Aristotle, Nicomachean Ethics (384 BC - 322 BC)


http://xkcd.com/587/

Danger (ctd.)
  • “When all you have is a hammer, everything looks like a nail”

Maslow's hammer law, The Psychology of Science, 1966


Yes we can (find “things”)

Annotated plots on the slide: “This is a worm”, “These are botnets”, “This is a stealthy, localised, recurring event”, “These are the threats we should worry about”.

Bridging the gap between such anecdotal findings and some actionable knowledge is hard!

Overview

Attack Attribution

One example:

the TRIAGE method (WOMBAT)

Challenges, open issues

Conclusions


Foreword
  • What is presented here is the result of a joint collaboration between all WOMBAT partners over the last 28 months

(see www.wombat-project.eu for the list of publications and deliverables)


The WOMBAT approach


Example of a WOMBAT sensor: the SGNET data enrichment framework

Diagram on the slide; component labels: Internet, SGNET dataset, Malware, Anubis, Behavioral Information, Code Injection information, AV identification, Symantec ++, statistics, Clustering techniques, Models, Generated alerts.

Towards automated attack attribution
  • Within WOMBAT, we have developed an automated framework, TRIAGE, that incorporates expert knowledge in order to extract meaningful event sets for reasoning about the modus operandi of the malicious actors
  • The first application of that approach led to significant contributions in the latest Symantec ISTR Rogue AV report
  • Public deliverable D12 is available online and contains 6 published peer-reviewed papers on the topic as well as the rogue AV analysis technical report:
    • http://wombat-project.eu/WP5/FP7-ICT-216026-Wombat_WP5_D12_V01_RCA-Technical-survey.pdf

Big Picture (ctd.)


Names vs. IPs maps of Rogue AV sites


Idea behind the attribution method

Try to connect the dots…


TRIAGE
  • TRIAGE (1) = atTRIbution of Attack using Graph-based Event clustering
  • Multicriteria clustering method

1) Triage (med.): process of prioritizing patients based on the severity of their condition
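To make the two ideas on this slide concrete (scoring event pairs over several contextual fingerprints, then grouping them as connected components of a graph), here is a small Python sketch added to this transcript. It is illustrative code, not the WOMBAT project's TRIAGE implementation: the event attributes, similarity functions, weights and the 0.5 link threshold are assumptions, and the sample events are constructed (.example domains, documentation IP ranges). It also exercises the "one swallow" and "hammer" caveats from the Danger slides: a shared privacy-service e-mail is deliberately treated as no evidence, and clustering on the nameserver alone merges an unrelated site that the multi-criteria score keeps apart.

```python
"""Toy multi-criteria, graph-based clustering of attack events.

Illustrative code written for this transcript, not the WOMBAT/TRIAGE
implementation. Attributes, similarity functions, weights and the link
threshold are assumptions; the sample events below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from itertools import combinations
from typing import Callable, Dict, List, Set, Tuple

# Addresses that WHOIS privacy services substitute for the real registrant.
# Two domains sharing such an address is not evidence of common ownership.
PRIVACY_SERVICES = {"privacy@whoisguard.example", "hidden@privacyprotect.example"}


@dataclass(frozen=True)
class Event:
    domain: str
    registrant: str   # WHOIS e-mail (may be a privacy-service address)
    ip: str           # hosting IP observed at registration time
    nameserver: str
    registered: date


def sim_registrant(a: Event, b: Event) -> float:
    if a.registrant in PRIVACY_SERVICES or b.registrant in PRIVACY_SERVICES:
        return 0.0
    return 1.0 if a.registrant == b.registrant else 0.0


def sim_ip_block(a: Event, b: Event) -> float:
    # Same /24: crude proxy for "same hosting allocation".
    return 1.0 if a.ip.rsplit(".", 1)[0] == b.ip.rsplit(".", 1)[0] else 0.0


def sim_nameserver(a: Event, b: Event) -> float:
    return 1.0 if a.nameserver == b.nameserver else 0.0


def sim_time(a: Event, b: Event, window_days: int = 30) -> float:
    # Linear decay: registrations 30 or more days apart contribute nothing.
    gap = abs((a.registered - b.registered).days)
    return max(0.0, 1.0 - gap / window_days)


Criterion = Tuple[Callable[[Event, Event], float], float]
CRITERIA: Dict[str, Criterion] = {          # (similarity function, weight)
    "registrant": (sim_registrant, 0.35),
    "ip_block": (sim_ip_block, 0.30),
    "nameserver": (sim_nameserver, 0.15),
    "time": (sim_time, 0.20),
}


def explain(a: Event, b: Event, criteria=CRITERIA) -> Dict[str, float]:
    """Per-criterion contribution to the link score: which fingerprints link a pair."""
    return {name: w * f(a, b) for name, (f, w) in criteria.items()}


def aggregate(a: Event, b: Event, criteria=CRITERIA) -> float:
    # A weighted sum stands in for the fuzzy aggregation a real system would use.
    return sum(explain(a, b, criteria).values())


def cluster(events: List[Event], criteria=CRITERIA, threshold: float = 0.5) -> List[Set[str]]:
    """Link every pair whose aggregated score reaches the threshold and return
    the connected components (union-find) as candidate campaigns."""
    parent = {e.domain: e.domain for e in events}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for a, b in combinations(events, 2):
        if aggregate(a, b, criteria) >= threshold:
            parent[find(a.domain)] = find(b.domain)
    groups: Dict[str, Set[str]] = {}
    for e in events:
        groups.setdefault(find(e.domain), set()).add(e.domain)
    return sorted(groups.values(), key=lambda s: sorted(s))


def cluster_single(events: List[Event], name: str, threshold: float = 0.5) -> List[Set[str]]:
    """Same procedure driven by one criterion only (the "hammer" case)."""
    f, _ = CRITERIA[name]
    return cluster(events, {name: (f, 1.0)}, threshold)


# Constructed sample: three rogue-AV-style registrations behind a privacy
# service, one unrelated site on the same bulk DNS provider, and a second
# pair sharing a real registrant but hosted in different networks.
EVENTS = [
    Event("av-scanner-pro.example", "privacy@whoisguard.example", "203.0.113.10", "ns1.bulk-dns.example", date(2010, 1, 5)),
    Event("secure-av-2010.example", "privacy@whoisguard.example", "203.0.113.12", "ns1.bulk-dns.example", date(2010, 1, 9)),
    Event("pc-defender-plus.example", "privacy@whoisguard.example", "203.0.113.44", "ns1.bulk-dns.example", date(2010, 1, 30)),
    Event("unrelated-blog.example", "alice@mail.example", "198.51.100.7", "ns1.bulk-dns.example", date(2010, 1, 6)),
    Event("fast-av-fix.example", "ops@rogue-reg.example", "192.0.2.5", "ns9.rogue.example", date(2010, 3, 2)),
    Event("av-fix-now.example", "ops@rogue-reg.example", "203.0.113.200", "ns9.rogue.example", date(2010, 3, 20)),
]

if __name__ == "__main__":
    for group in cluster(EVENTS):
        print("multi-criteria cluster:", sorted(group))
    for group in cluster_single(EVENTS, "nameserver"):
        print("nameserver-only cluster:", sorted(group))
```

Two design points matter more than the numbers. First, the link between the first and third rogue-AV domains is transitive: each is close enough to the second one, so the component captures a campaign whose registrations drift over time, which is the "connect the dots" picture. Second, `explain()` returns the per-criterion breakdown, because an attribution result an analyst cannot justify criterion by criterion is exactly the "one swallow" risk the deck warns about.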

Successful attack attribution result

Timeline figure on the slide; annotations: “Email addr. hidden by privacy protection services”, “750 domains registered over a span of 8 months”, horizontal axis: Time.

Example (ctd.)


So, why is it useful...?
  • Cyber criminality is a new business model
    • Financial profits can be huge (large scale)
    • Better organized: more systematic, automated procedures are used
  • TRIAGE can help to:
    • Get better insights into how cyber criminals operate, or how / when they change their tactics
      • Consequently, help improve detection or end-user protection systems
    • Automate the identification of “networks” of attackers
      • Unless they completely change their modus operandi for each campaign…
    • Move toward an early warning system
    • Ultimately, support law enforcement in stopping emerging / ongoing attack phenomena

Overview

Attack Attribution

One example:

the TRIAGE method (WOMBAT)

Challenges, open issues

Conclusions


The need for data
  • Attack attribution is an emerging field
  • It requires a multidisciplinary approach and international collaboration
  • It requires access to stable, representative and diversified sets of data.
  • Everyone is welcome to host an SGNET sensor and benefit from the dataset and tools generated by the project.
  • The more sensors we can get, the more we will learn about the attacks.

The Symantec WINE initiative
  • Symantec owns a very rich collection of threat-related datasets.
  • CARD is currently building an infrastructure to provide access to a sampled set of these data feeds.
  • External researchers are welcome to submit research proposals to gain access to this infrastructure, for free, on site.
  • CONTACT POINT: marc_dacier@symantec.com

Challenges and Open Issues
  • A truly multidisciplinary domain:
    • Computer security, networking, knowledge mining, visualisation, law, sociology, forensics, etc.
  • Data can be private, confidential.
  • Anonymisation is unlikely to be the silver bullet we need.
  • Discovered knowledge can be sensitive (from a technical, political, sociological or even business viewpoint).
  • Do we have the right places to publish?

BACK UP MATERIAL


References
  • Actionable Knowledge Discovery for Threats Intelligence Support Using a Multi-dimensional Data Mining Methodology, O. Thonnard (Royal Military Academy of Belgium) and M. Dacier (Symantec), Proc. of the IEEE Data Mining Workshops (ICDMW '08), Pisa, Italy, Dec. 15-19, 2008.
  • Behavioral Analysis of Zombie Armies, O. Thonnard, W. Mees (Royal Military Academy of Belgium) and M. Dacier (Symantec), Proc. of the Cyber Warfare Conference (CWCon), Cooperative Cyber Defense Center of Excellence (CCD-COE), Tallinn, Estonia, June 17-19.
  • Addressing the attack attribution problem using knowledge discovery and multi-criteria fuzzy decision-making, O. Thonnard, W. Mees (Royal Military Academy of Belgium) and M. Dacier (Symantec), Proc. of KDD '09, 15th ACM SIGKDD Conference on Knowledge Discovery and Data Mining, Workshop on CyberSecurity and Intelligence Informatics, Paris, France, June 28, 2009.
  • Honeypot traces forensics: the observation view point matters, V.-H. Pham (Eurecom) and M. Dacier (Symantec), Proc. of the 3rd International Conference on Network and System Security, Gold Coast, Australia, Oct. 19-21, 2009.