DamballaOverview
4 likes2,482 views
The document discusses Damballa's advanced threat protection and detection capabilities. It highlights that Damballa can discover hidden threats that have gone undetected, terminate criminal communications to reduce risk, and provide the earliest detection of emerging threats. It explains that Damballa shifts the focus from protection to active threat monitoring and detection using advanced threat intelligence and machine learning to identify hidden infections on networks and endpoints. Damballa provides appliances and solutions that pinpoint compromised assets and criminal activity through network monitoring and host forensics.
DamballaOverview
- 1. Transforming the Fight Against Cyber Threats David Petty May 30,2012 David.Petty@damballa.com 949-325-4625 When malware talks…Damballa listens
- 2. Why Damballa Advanced Threat Protection? Mitigate corporate Risk • Discover hidden threats that have gone undetected • Terminate criminal communications and the risk of data theft • Earliest possible discovery of emerging threats Improve security team Efficiency • Threat Conviction Engine effectively eliminates false-positives Improve incident response Workflow • Asset Risk Factor helps prioritize response and reduce cost of remediation Secure ALL devices - traveling, mobile and BYOD…. • Analyze network behavior to protect any endpoint device regardless of infection vector or phase of threat lifecycle (PC, Mac, iPad, iPhone, Android, servers, embedded systems…) 2
- 3. ‘Protection’ has its limitations Corporate Production Through the ‘front door’ (ingress) Network Win32 Network-based inbound ? malware capture and Win64 analysis tools PCs How do you Encrypted/armored, etc. detect a breach? Mac Mac Embedded systems/POS/other OS Embedded/POS USBs/DVDs/Cloud Storage Traveling Employees/Contractors/BYOD BYOD “Guest” (Bring Your Own malware) Network 3
- 4. Shifting from Protection to Detection Noisy Alerts Corporate False Positives Production (not correlated with Network other evidence) ! PCs Black Lists Reputation Systems f(x) Static Criminal Communications Known bad destinations Mixed use destinations New destinations (no history) Mac Covert channels Damballa® FirstAlert - The most advanced cyber threat intelligence - Early detection of emerging threats Embedded/POS - Machine-learning behavioral classifiers (heuristics) Threat Conviction Engine - Automatically correlates behaviors seen - Virtually eliminates false positives Asset Risk Factor - Automatically assesses severity of breach - Prioritization of risk and remediation “Guest” “…Damballa Failsafe 5.0 intelligently uncovers Network stealthy and hidden attacks masterfully avoiding any false positive alerts. Frost & Sullivan views this solution as a novel dimension to safeguard corporate networks.” 4
- 5. Active Threat Monitoring (Enterprise Networks) We discover hidden infections that have gone undetected by preventative security measures: APT, advanced malware, targeted attacks…whatever. Network detection of suspicious downloads (inbound malware) Endpoints communicating to suspicious destinations Network behavior indicative of criminal communication DNS look-ups & activity indicative of criminal behavior Deep packet inspection and PCAPs of criminal traffic Using the most advanced threat intelligence in the industry Correlating observations of criminal activity to positively identify hidden infections. 5
- 6. Damballa® Failsafe 1U Appliance Management Console & Sensor(s) Out-of-band (span or tap) Captures and assesses evidence from egress, proxy and DNS traffic to hunt for hidden threats Can terminate criminal communications Management Console pinpoints compromised assets; provides network and host forensics with criminal attribution Integrated workflow…. 6
- 7. Damballa® Labs Thought Leadership Thought Leadership Blackhat, Defcon, RSA, USENIX, ACSAC, NSDI, HackerHalted, FIRST, ICDM, CCS, NDSS, ISSA, IEEE, VB, etc. RAID, etc. Threat Analysis Applied Research Sr. Threat analysts Doctorate-level 10+ years experience Top-tier academics ex NSA, CIA, DoD Big Data analysis Reverse engineering Predictive analytics Deep penetration Machine Learning Publications Publications Blogs, whitepapers, Top-tier academic articles, training courses conferences and patents Notable Research Backers 8
- 8. Damballa® FirstAlert Cyber Threat Intelligence Malware ISP Sharing Feeds DNS Reputation Feature Harvesters Telco Systems Extractors Malware Mobile Drive-by DNS Correlation Predictive DNS URI Engines Systems Corporate HoneyPot Malware PCAP DNS Email URI DNS URI External Data Feeds Mobile HoneyPot Registry Drive-by Blacklists 9
- 9. Emerging Threat Discovery Predictive Predictive Analysis Systems Threat growth characteristics and C&C structure are visible (and unique) at the DNS level. Victims Possible to identify new C&C infrastructure prior to malware being captured and analyzed Damballa detects threat Malware continues to weeks/months before evade signature-based malware is detected detection Weeks Set-up Early Testing Attack Launched Malware First Malware Updated 10 Discovered
- 10. Damballa® Failsafe Enterprise Assets DNS Proxy Egress Damballa Sensor(s) Deep Packet Inspection of All Internet Traffic Damballa Cyber Threat Intelligence f Is the destination shady? • Suspicious destination, low reputation or known bad Correlation of Is the traffic suspicious? ‘behaviors seen’ • Suspicious content, DPI of payload / executables / files pinpoints infected Is the behavior automated? devices • Do the events appear to be software or human driven Damballa Failsafe identifies the ‘unknown’ threat, victim machines actively communicating with cyber criminals. 11
- 11. Actionable Intelligence Victims Threats Threat Activity Identified Classified Qualified Threat Conviction Engine - Correlates Behaviors Seen DNS queries to suspicious destinations? Threat Domain fluxing? Conviction Score Egress connection attempts? (1-100) Proxy connection attempts? Non-human behavior? Suspicious binary downloads? f(x) 12
- 12. Actionable Intelligence Victims Relative Risk Threats Threat Activity Identified Assessed Classified Qualified Asset Risk Factor - relative risk posed by infected device Bytes In Receiving instructions, updates, malware being repurposed? Local Bytes Out Indicative of the amount of data stolen? Local Connection Attempts How frequently is the asset communicating with a C&C? Local Category Where does the asset sit / who does it belong to? Local # of Threats Is the asset compromised with more than one threat? Local Severity What is the risk of the threat? Global AV Coverage For a specific threat, what is my relative AV coverage? Global f(x) 13
- 13. Actionable Intelligence Victims Relative Risk Threats Threat Activity Identified Assessed Classified Qualified Full forensics for all behaviors seen Full Forensics • All Events in Sequence • Full PCAPs for malicious traffic • Malicious malware captured • Malware trace reports (host and network behaviors) • Bytes in / Bytes out • Ports / Traffic type • Connection status (failed, proxy blocked, completed) • Category and priority of risk of endpoint • Threat operator profile • Endpoint compromise history • Geo-location of C&C 14
- 14. Identifying Zero Day Malware 1 Identify Suspicious Files in Motion 2 Cloud Interrogation of Suspicious Files Behaviors Seen & Benefits Behaviors Seen & Benefits Suspicious files in motion Full malware lifecycle Malicious structure Network & host behaviors Source / URI identification AV scanner results Unique victim enumeration Extensive dynamic analysis Initial threat assessment Ongoing trace report updates Zero day files captured Behaviors feed Damballa Labs Full Malware Forensics Report in 3 the Damballa Failsafe Console 15
- 15. Identifying Criminal Communication Behaviors Seen & Benefits Malicious DNS queries DNS Domain fast-fluxing detection DNS C&C Location New domain queries Recursive Authoritative Unique victim enumeration Victim Detection prior to egress Configuration File DNS query termination Dynamic Generation Firewall Algorithm (DGA) Egress C&C Criminal Server TCP/IP Session Proxy Filtering Behaviors Seen & Benefits Behaviors Seen & Benefits C&C connection behaviors/success C&C connection behaviors/success URI identification (incl. HTTPS) URI identification (incl. HTTPS) Malicious file identification (Malware) Malicious file identification (Malware) Unique victim enumeration Unique victim enumeration Detection prior to egress Bytes-in & bytes-out monitoring Full packet capture Full packet capture Session termination Session termination 16
- 16. Protection From The ‘Unknown’ Threat Enables rapid, automated incident response • Rapid and positive identification of compromised assets • Asset Risk Factor and Threat Conviction Scores prioritize response • Terminate malicious communications and/or sinkhole DNS requests Provides comprehensive threat protection • Platform agnostic: Windows, Linux, Apple, Android, Blackberry • Leading academic research and advanced threat intelligence Force multiplier for over-tasked security teams • No more manual analysis of millions of lines of logs and false alerts • Automated aggregation and assessment of evidence/forensics: - Automatically Identifies the infection, threat and risk - Provides actionable intelligence • Security teams can focus on improving policies and threat defense 17
- 17. Competition and Value Proposition Damballa’s unique strengths include: Our solution has the ability to scale much better than our competition. Our standard sensor handles 2 gbs. We detect emerging threats and protect our customers even before the malware is ever discovered and analysed by our competition. We have a lower false positive rate than our competition and detect accurately more threats. 18
- 18. 19
- 19. Advanced Malware Infection Cycle Criminal Command & Control Multiple C&C proxies/Separate C&C portals Malware updates Download Payload Updater Site Updates to list of C&C’s Downloader Host malware agent(s) Confirm installation Agent integrity checking Agent selection criteria Locking ofIs this ato victim agent real machine? Whitelisted repositories Have I seen it before? Remote access & control Unique malware agent Update malware location Data Repository Repository Dropper(s) Logging of install successes C&C Portals Encrypted files from victim Stolen passwords & PII Post Unpack Disable local security Post Agent Install Prevent updates/patches Delete dropper/installer Inventory victim C&C Proxies Clear logs & events Catalogue & inventory Dropper unpacks on the Malware is Victim machine and runs updated/customized Victim 20
- 20. Advanced Malware Infection Cycle Damballa Failsafe monitors network traffic and correlates suspicious ‘behaviors seen’ to rapidly identify assets under criminal control, and stop data theft due to malware breaches. Downloader Repository Dropper(s) C&C Portals C&C Proxies Dropper unpacks on the Malware is Victim machine and runs updated/customized Victim 21
Editor's Notes
- #4: As we discussed, the malware is increasingly capable of evading your security defenses. In addition, there are a whole host of infection vectors that can compromise your network and form the basis for a breach.Your mobile employees can bring malware into the organization when they reconnect to your network, and USB devices and such serve as other ‘carriers’ of malware.April 15, DarkReading– (International) SAP, other ERP applications at risk of targeted attacks. Backdoor Trojan viruses and rootkits that let attackers gain a foothold and remain entrenched in a compromised system aren’t just for Windows PCs anymore — SAP and other enterprise resource planning (ERP) applications are also susceptible to this form of attack. A researcher at Black Hat Europe in Barcelona, Spain this week demonstrated techniques for inserting backdoors into SAP applications to enable attackers to gain control of them. The director of research and development at Onapsis said an attacker would initially exploit weak, database protections or vulnerabilities in the underlying operating system, for instance, to gain access to the SAP apps and data. The hacks do not exploit any new or existing vulnerabilities in SAP. Once the system is compromised, the attacker would grab the necessary, elevated privileges to insert the stealthy backdoor code and remain under the radar to pilfer sensitive information. With the backdoor presence, the attacker could modify a victim company’s electronic payments to a vendor, for example. “So every automated payment to that vendor would go to the attacker’s *bank+ account *instead+,” the director said. Source: http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=224400438
- #5: As we discussed, the malware is increasingly capable of evading your security defenses. In addition, there are a whole host of infection vectors that can compromise your network and form the basis for a breach.Your mobile employees can bring malware into the organization when they reconnect to your network, and USB devices and such serve as other ‘carriers’ of malware.April 15, DarkReading– (International) SAP, other ERP applications at risk of targeted attacks. Backdoor Trojan viruses and rootkits that let attackers gain a foothold and remain entrenched in a compromised system aren’t just for Windows PCs anymore — SAP and other enterprise resource planning (ERP) applications are also susceptible to this form of attack. A researcher at Black Hat Europe in Barcelona, Spain this week demonstrated techniques for inserting backdoors into SAP applications to enable attackers to gain control of them. The director of research and development at Onapsis said an attacker would initially exploit weak, database protections or vulnerabilities in the underlying operating system, for instance, to gain access to the SAP apps and data. The hacks do not exploit any new or existing vulnerabilities in SAP. Once the system is compromised, the attacker would grab the necessary, elevated privileges to insert the stealthy backdoor code and remain under the radar to pilfer sensitive information. With the backdoor presence, the attacker could modify a victim company’s electronic payments to a vendor, for example. “So every automated payment to that vendor would go to the attacker’s *bank+ account *instead+,” the director said. Source: http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=224400438
- #13: [Failsafe Screen Shot]With Damballa Failsafe, Security Analyst and Incident Responders no longer need to react to noisy alerts or manually search through logs to identify infections. Damballa Failsafe automatically captures evidence of malicious communications, correlates the suspicious events, and pinpoints those assets under criminal control and enables you to stop the loss of sensitive data. Victim machines are automatically assigned a Risk Factor to prioritize the compromises that require immediate attention.All forensic evidence is displayed …. and ongoing monitoring allows you to ensure you have successfully remediated the threat. For each Threat that we identify on a victim machine, we provide a Threat Conviction Score indicating the confidence level we are placing on our detection based on the behaviors we have seen.And for every infected asset, we provide a Asset Risk Factor, indicating which assets we believe represent the biggest risks to your enterprise and represent the biggest risk for data loss and breach activity. This allows your incident response team to easily prioritize their remediation and investigation activities…*****
- #14: [Failsafe Screen Shot]With Damballa Failsafe, Security Analyst and Incident Responders no longer need to react to noisy alerts or manually search through logs to identify infections. Damballa Failsafe automatically captures evidence of malicious communications, correlates the suspicious events, and pinpoints those assets under criminal control and enables you to stop the loss of sensitive data. Victim machines are automatically assigned a Risk Factor to prioritize the compromises that require immediate attention.All forensic evidence is displayed …. and ongoing monitoring allows you to ensure you have successfully remediated the threat. For each Threat that we identify on a victim machine, we provide a Threat Conviction Score indicating the confidence level we are placing on our detection based on the behaviors we have seen.And for every infected asset, we provide a Asset Risk Factor, indicating which assets we believe represent the biggest risks to your enterprise and represent the biggest risk for data loss and breach activity. This allows your incident response team to easily prioritize their remediation and investigation activities…*****
- #15: [Failsafe Screen Shot]With Damballa Failsafe, Security Analyst and Incident Responders no longer need to react to noisy alerts or manually search through logs to identify infections. Damballa Failsafe automatically captures evidence of malicious communications, correlates the suspicious events, and pinpoints those assets under criminal control and enables you to stop the loss of sensitive data. Victim machines are automatically assigned a Risk Factor to prioritize the compromises that require immediate attention.All forensic evidence is displayed …. and ongoing monitoring allows you to ensure you have successfully remediated the threat. For each Threat that we identify on a victim machine, we provide a Threat Conviction Score indicating the confidence level we are placing on our detection based on the behaviors we have seen.And for every infected asset, we provide a Asset Risk Factor, indicating which assets we believe represent the biggest risks to your enterprise and represent the biggest risk for data loss and breach activity. This allows your incident response team to easily prioritize their remediation and investigation activities…*****
- #16: Step 1Indictment PhaseSensors will identify all raw PE32 and PDF files seen in trafficSensors examine each file for MD5, source, and structureDecision is made if the file is “Suspicious” or “Malicious” AKA ‘The Indictment’If indicted as “Malicious”, it means we have seen the MD5 hash before, otherwise…File is listed as ‘Unverified’ in Asset Summary Screen & Suspicious File ReportReasons for Suspicion are displayedAt this point, Malware Admin can save the file to local machineIf ‘Indicted’ then file goes to the cloud for processing (Auto / Manual Submit)Auto: File is sent immediately to Damballa Labs for processingManual: Customer must hit submit (Asset Summary Screen / Suspicious File ReportStep 2Conviction PhaseDamballa Labs runs file through AV scanners, Dynamic Analysis in Dirty SpaceDamballa Labs reviews system outputs and makes a decisionMalicious | Suspicious | BenignMalicious files are now part of training sets and continuously examinedBy examining malware at Damballa Labs, the behaviors identified enable:Malware Grouping & Clustering Threat operator enumeration and attributionMalware & C&C Linkage Malware family-tree reconstructionPublic Victim Enumeration Authoritative DNS and Sinkholing of domainsNetwork Behavioral Clustering 0-day exploit and malware family discoveryPay-per-Install Milking New droppers & payloads from crime serversLong-term Monitoring Specific malware and threat infiltrationStep3Malware Forensics ReportTarget delivery time is 10 minutes for initial reportReport includes:Reason why convicted as ‘Malicious’, ‘Suspicious’ or ‘Benign’Summary ReportDetailed ReportReports are ‘living’ – they are updated constantly as we learn more about malwareEnables Actionable intelligence for Remediation efforts, risk prioritization, and delivery of file to AV vendors for signature creation