Computer networks are susceptible to being compromised by external agents for malicious purposes. A “vulnerability” is a flaw in software or hardware that makes such software or hardware vulnerable to attack. An “exploit” (e.g., viruses, worms, Trojans, bots, etc.) is software that takes advantage of a vulnerability to do something malicious to the vulnerable software or hardware. A “signature” is a pattern of bytes that can be used to identify an exploit. An attack is the use of an exploit against a vulnerability. Accordingly, armed with a signature for an exploit, a defender can block the exploit from reaching the vulnerability.
A “0-day” attack is the first time an exploit against a vulnerability has been used. Prior to such a first-time attack, it may not even be known that the software or hardware has a vulnerability. The exploit has never been seen before, so no signature exists for that exploit. As a result, it may not be possible to defend against 0-day attacks using signature-based methods against such exploits (e.g., viruses, worms, Trojans, bots, etc.).
For a detailed description of various examples, reference will now be made to the accompanying drawings in which:
Certain terms are used throughout the following description and claims to refer to particular system components. Different companies may refer to a component by different names. This document does not intend to distinguish between components that differ in name but not function. In the following discussion and in the claims, the terms “including” and “comprising” are used in an open-ended fashion, and thus should be interpreted to mean “including, but not limited to . . . .” Also, the term “couple” or “couples” is intended to mean either an indirect or direct connection (wired, optical, wireless, etc.). Thus, if a first device couples to a second device, that connection may be through a direct connection or through an indirect connection via other devices and connections.
An example of a 0-day attack is an Advanced Persistent Threat (APT). An APT infects a network, performs a discovery of the internal machines in the network and exfiltrates confidential data, and does all of this with exploits for which there are no known signatures. Exfiltrating data means to transmit data from the network to a destination outside the network (e.g., for theft purposes). The signatures that signature-based detection software (e.g., antivirus software) attempts to detect generally do not exist for an APT. That is, APTs often have no particular signature which could otherwise be used in their identification. As such, signature-based detection software generally is impotent to detect, much less mitigate, an APT.
Reference is made below to the identification of an advanced persistent threat (APT) in a network. An APT is also referred to herein as an APT attack. Logic is described below that indicates whether it is likely that an APT attack has occurred. That is, the logic may not determine with 100% certainty that an APT attack has indeed occurred, rather that it is more likely than not that an APT attack has occurred. Any reference herein to the identification of an APT includes detecting an APT or at least determining that an APT is likely to be occurring.
The techniques disclosed herein make use of network devices such as Intrusion Detection System (IDS) devices and/or Intrusion Prevention System (IPS) devices. Such network devices may be distributed throughout a network with some network devices being at the “edge” of the network and other network devices not being at the edge of the network (e.g., being in the core of the network). The “edge” of a network refers to the entry point into the network through which packets are received by the network as well as the exit point through which outgoing packets are transmitted by the network. The “core” of the network refers to all nodes, computers, switches, etc. that are internal to the network and not at the edge.
The network devices (e.g., IDS devices and/or IPS devices) filter network packets to identify packets that may be indicative of malicious activity such as a virus. The network devices are configured to address such detected malicious activity (e.g., by generating an alert, dropping a packet, etc.). All other packets (packets not identified by the network devices as possibly being infected with a virus) are sent to a centralized logic element, referred to herein as the APT Identification and Response System. The APT Identification and Response System may perform a behavioral analysis on such received packets to identify an APT and to identify attempted exfiltration of data from the network as a result of an APT.
Once an APT is identified, the APT Identification and Response System may send an alert to a security management system (SMS). The SMS is a control interface to configure the various IPS and IDS devices. Through the SMS, the APT Identification and Response System can broadcast attack response messages to the IPS and IDS devices to mitigate the attack. The SMS 120 generally provides “real-time” APT responses. That is, when the APT Identification and Response System identifies an APT, a response to the APT can occur using the SMS 120 immediately thereafter (e.g., within about one second).
A network machine (e.g., client computer, server, etc.) infected with an APT exhibits certain behavior. An APT attack generally includes three phases: (1) infiltration or initial infection whereby the attacker infiltrates an enterprise network using advanced malware, e.g., to initiate a 0-day exploit, (2) a discovery phase in which the attacker looks for a particular target inside the network, and (3) a data exfiltration phase during which certain data from the discovered target is exfiltrated from the network to the attacker. During these phases, the APT may be in constant touch with the attacker or a remote controller (external to the network).
An APT often carries out the attack over well-known network protocols. For example, communication with the remote controller may happen via a domain name service (DNS) and data exfiltration happens over open protocols such as DNS, hyper-text transport protocol (HTTP), and hyper-text transport protocol secure (HTTPS). The APT Identification and Response System analyzes relevant network traffic, e.g., DNS traffic and HTTP(S) traffic, in near real-time to provide hints about the occurrence of the phase 1 (initial infection), and to detect the occurrences of phases 2 (discovery) and 3 (data exfiltration). That is, an APT typically exhibits certain behaviors in terms of how the APT works and its communications back to the remote controller controlling the APT. The APT Identification and Response System performs a behavioral analysis on the network packets specifically attempting to detect behaviors characteristic of an APT.
Router 50 is shown coupled to switches 56 and 58. Switch 56 in turn is coupled to a machine 60. The term “machine” in this disclosure refers to any type of device in the network. Examples of machines include servers (as in the case of machine 60), client computers, storage devices, switches, etc. Switch 58 is coupled to machine 62 (server) and machine 64 (client computer).
Like an IDS device, an IPS device may also examine packets for certain signatures indicative of a malicious activity. However, an IPS device goes one step further than just detecting the malicious activity. An IPS device also attempts to block or stop the malicious activity. An IPS device may send an alarm, drop a packet deemed to be malicious in nature, reset a network connection, and/or block network traffic from an offending internet protocol (IP) address. Each of the IDS/IPS devices 52, 54 is a hardware device that may have software running thereon to cause the hardware to implement the intrusion detection and prevention functionality.
The IPS/IDS devices (e.g., devices 52, 54) may be placed virtually anywhere in the network. Some network devices may be at the edge of the network while other network devices may be in the core of the network. IPS/IDS device 52 is connected to router 50 and thus is an example of a network device located at the edge of the network. IPS/IDS device 54 is connected to internal switch 58 and thus is an example of a network device located in the core of the network.
A security information and event management (SIEM) system 130 is also shown in
The various machines (e.g., machines 60-64) are able to communicate with one another and with locations/domains outside the network.
The non-transitory storage device 109 may include volatile memory (e.g., random access memory), non-volatile storage (e.g., hard disk drive, optical storage, flash memory, etc.), or combinations thereof. The non-transitory storage device 109 includes a filter policy module 112, a behavioral analysis module 114, and a response module 116. Each module 112-116 may include instructions that are executable by the processing resource 110.
Each engine 102-106 of
As illustrated in the example of
During operation, as the various IPS/IDS devices 52, 54 encounter packets that correspond to the types of packets and information that the APT Identification and Response System 100 has indicated to be of interest, the IPS/IDS devices 52, 54 send such packets to the APT Identification and Response System 100.
The APT Identification and Response System 100 receives the packets from the various IPS/IDS devices distributed throughout the network. The packets received by the APT Identification and Response System 100 may be packets that are sent to or received from a location external to the network and other packets transmitted internal to the network (e.g., between machines internal to the network), and generally may be packets that have not been determined to contain a virus by the network devices themselves. The APT Identification and Response System 100 then performs a behavioral analysis on the packets to identify an APT. Once an APT is identified, the APT Identification and Response System 100 may send a message to the SMS 120 which, in turn, creates an action for responding to the APT and sends messages to some or all IPS/IDS devices in the network to cause each such device to respond appropriately to the identified APT.
At 152, the method includes the behavioral analysis engine 104 performing a behavioral analysis on the received packets to identify an APT. This operation may also include the identification of data exfiltration resulting from the APT.
At 154, the method includes, upon identifying an APT, sending an alert to the SMS 120 to cause the SMS 120 to distribute an attack response message to at least some of the network devices.
As explained above, APTs are characterized by a lack of any particular signature that is otherwise characteristic of a virus. While it may be difficult to detect the initial infection of an APT into a network, APTs tend to follow certain behaviors which can be detected by the APT Identification and Response System 100 after the initial infection. For example, an APT-infected machine may periodically contact other machines inside the network or a domain that acts as a remote controller for the APT. The APT Identification and Response System 100 can identify periodic accesses to internal machines and external suspicious domains from DNS requests and responses. In other cases, malware may exhibit bursty behavior by making DNS requests for many suspicious domains in a short period of time. The APT Identification and Response System 100 can identify suspicious domains in many ways, and
Referring to
In
At 160, the APT identification method includes identifying periodic communications over DNS with machines internal to the network and domains external to the network. A true APT may periodically communicate with a remote controller and may also periodically communicate with a machine internal to the network to infect it. Operation 160 detects such activity, which is indicative of an APT.
At 162, the method includes identifying DNS queries for algorithmically-generated domains that occur with greater than a threshold frequency (e.g., more than 100 per minute). Some APT attacks may result in the attempt to contact the APT controller outside the network (e.g., to report status, exfiltrate data, etc.) by automatically generating a domain name, using a DNS message to attempt to contact that generated domain name, and determining if the controller is present at the contacted domain name. If the controller is not present at that domain name, then the APT generates a different domain name and repeats the process. This iterative domain name generation and communication process continues until the APT is able to locate the external APT controller. Such behavior thus is characterized by a large number of DNS messages in a short period of time. Thus, operation 162 attempts to detect such “bursty” DNS messaging.
At 164, the method includes identifying DNS queries for a domain on a list of domains suspected to be untrustworthy (e.g., a black list). Certain domain names may be known via various techniques and prior knowledge to be prior sources of possible viruses and APT attacks. Such domain names may be added to a black list and operation 164 identifies queries to such black-listed domain names.
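The DNS-side checks of operations 160, 162 and 164 above, written out as detection logic over a constructed query log. This is an added example, not code from the application or from any product; the host names, domain names, blacklist entries and the periodicity and distinct-name rules are assumptions, and the 100-per-minute figure is the threshold the text itself gives.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed DNS query log (seconds since start, querying host, queried name); invented
# for this example, not captured traffic.
DNS_LOG = [
    (0.0, "host-a", "update.example-c2.test"),
    (60.0, "host-a", "update.example-c2.test"),
    (120.0, "host-a", "update.example-c2.test"),
    (180.0, "host-a", "update.example-c2.test"),
    (5.0, "host-b", "intranet.corp.test"),
    (9.0, "host-b", "bad-domain.test"),
]
# host-c resolves 150 distinct machine-looking names within 45 seconds.
DNS_LOG += [(300.0 + i * 0.3, "host-c", f"k{i:04d}qzv.test") for i in range(150)]
BLACKLIST = {"bad-domain.test"}  # constructed untrusted-domain list for operation 164

def periodic_contacts(log, min_queries=4, max_jitter=0.1):
    """Operation 160: (host, name) pairs queried at near-constant intervals. Assumed rule:
    the standard deviation of the gaps is within max_jitter of the mean gap."""
    stamps = defaultdict(list)
    for ts, host, name in log:
        stamps[(host, name)].append(ts)
    hits = []
    for key, times in stamps.items():
        if len(times) >= min_queries:
            times.sort()
            gaps = [b - a for a, b in zip(times, times[1:])]
            if pstdev(gaps) <= max_jitter * mean(gaps):
                hits.append(key)
    return hits

def dga_bursts(log, threshold=100, window=60.0):
    """Operation 162: hosts resolving more than `threshold` distinct names inside any
    `window`-second span (an assumed proxy for algorithmically generated names)."""
    per_host = defaultdict(list)
    for ts, host, name in log:
        per_host[host].append((ts, name))
    flagged = set()
    for host, events in per_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            if len({n for t, n in events[i:] if t - start <= window}) > threshold:
                flagged.add(host)
                break
    return flagged

def blacklisted_queries(log, blacklist=BLACKLIST):
    """Operation 164: queries whose name is on the untrusted-domain list."""
    return [(host, name) for _, host, name in log if name in blacklist]
```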
At 166, the method includes identifying DNS queries and associated responses for any of:
Once a machine has been identified as having been infected with APT (e.g., per the method of
In
As was the case for the method of
At 170, the method includes monitoring outbound packets from machines in the network identified as potentially infected with an APT for a predetermined protocol known to be used for exfiltrating data from networks. An APT may attempt to exfiltrate data using a certain network protocol such as DNS, HTTP, or HTTPS. There may not be anything inherently wrong with the use of such protocols, but their use may be typical of data exfiltration by an APT attack.
At 172, the method includes determining whether a destination of an outbound packet has been contacted by fewer than a threshold number of machines internal to the network. APT-based data exfiltrations are rarer than legitimate outbound data packets. Thus, an outbound packet to a destination that is relatively infrequently contacted may be indicative of APT-based data exfiltration. This threshold may be hard-coded or user-configured.
At 174, the method includes determining whether a destination of an outbound packet is in a predetermined geographic region. As indicated above, certain geographic regions may not be trustworthy. Thus, outbound packets from a network to such locations may be indicative of APT-based data exfiltrations.
At 176, the method includes determining whether outbound DNS requests have similar lengths, high entropy, and a frequency greater than a second threshold. Some APT attacks exfiltrate the targeted data by sending the data in small chunks by way of outbound DNS requests. For example, a targeted data file may be exfiltrated one byte or a few bytes at a time in a series of DNS requests. Instead of the data payload of the DNS request packets being a domain name to translate to an IP address, the data payload of the DNS request packets includes a portion of the data to be exfiltrated. Such data exfiltration is characterized by a large number of DNS request packets in a short period of time and packets that have a similar length and a relatively high value of entropy. The APT controller receives the numerous DNS requests, recovers the data bytes, and reassembles the piecemeal exfiltrated data back into the original file.
The APT Identification and Response System 100 thus detects the occurrence of a burst (e.g., more than a threshold number of such packets in a certain period of time—greater than a particular frequency) of outbound DNS request packets of the same or similar length and with high entropy. This threshold value also may be hard-coded or user-configurable.
At 178, the method includes determining whether outbound packets include a file having a predetermined format. Data exfiltration resulting from an APT tends to involve files of a particular few file formats such as “zip” files, Roshal Archive (RAR) files, etc. There may not be anything inherently wrong with the use of such file formats, but their use may be typical of data exfiltration by an APT attack.
At 180, the method includes determining whether outbound packets include encrypted data. Data exfiltration resulting from an APT tends to include encrypted data.
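The exfiltration checks of operations 176, 178 and 180 above, carried out over constructed outbound records. This is an added example, not code from the application or from any product; the host and domain names, the record layout, the seeded random bytes standing in for file data, and the count, length-spread and entropy thresholds are all assumptions (the zip and RAR leading bytes are the formats' real signatures).

```python
import base64, math, random
from collections import defaultdict

def entropy_bits(data):
    """Shannon entropy of a byte string in bits per byte (8.0 is the maximum)."""
    n, counts = len(data), defaultdict(int)
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

# Constructed outbound records (ts, src_host, destination, protocol, payload), invented
# for this example; seeded random bytes stand in for archive contents and encoded data.
rng = random.Random(7)
rand_bytes = lambda n: bytes(rng.randrange(256) for _ in range(n))
OUTBOUND = [
    (1.0, "host-a", "mail.corp.test", "https", b"GET /inbox HTTP/1.1\r\nHost: mail.corp.test\r\n\r\n" * 4),
    (2.0, "host-b", "mail.corp.test", "https", b"GET /calendar HTTP/1.1\r\nHost: mail.corp.test\r\n\r\n" * 4),
    (3.0, "host-c", "drop.example-c2.test", "http", b"PK\x03\x04" + rand_bytes(2048)),
]
# host-c sends 60 DNS requests in 30 s whose first label is a base64 chunk of fixed length.
OUTBOUND += [(10.0 + i * 0.5, "host-c", "ns.example-c2.test", "dns",
              base64.b64encode(rand_bytes(24)) + b".ns.example-c2.test") for i in range(60)]

def dns_exfil_hosts(records, min_count=50, window=60.0, max_spread=4, min_entropy=4.0):
    """Operation 176: hosts whose DNS requests within `window` seconds are numerous, of
    similar length and high entropy (thresholds are assumed values, not from the page)."""
    per_host = defaultdict(list)
    for ts, src, _, proto, payload in records:
        if proto == "dns":
            per_host[src].append((ts, payload))
    flagged = set()
    for src, reqs in per_host.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            burst = [p for t, p in reqs[i:] if t - start <= window]
            if (len(burst) >= min_count and max(map(len, burst)) - min(map(len, burst)) <= max_spread
                    and min(entropy_bits(p) for p in burst) >= min_entropy):
                flagged.add(src)
                break
    return flagged

ARCHIVE_MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar"}  # leading bytes of zip and RAR files

def payload_hints(payload, min_len=1024, min_entropy=7.0):
    """Operations 178/180: (archive type from leading magic bytes or None, looks-encrypted flag);
    the encrypted test is an assumed proxy: near-maximal byte entropy over a long payload."""
    fmt = next((f for magic, f in ARCHIVE_MAGIC.items() if payload.startswith(magic)), None)
    return fmt, len(payload) >= min_len and entropy_bits(payload) >= min_entropy
```

A plain-text request and an all-zero archive body both fall below the entropy proxy, which is why the archive and encryption signals are reported separately rather than folded into one verdict.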
The above discussion is meant to be illustrative of the principles and various embodiments of the present invention. Numerous variations and modifications will become apparent to those skilled in the art once the above disclosure is fully appreciated. It is intended that the following claims be interpreted to embrace all such variations and modifications.
This application is a continuation of International Application No. PCT/US2014/039406, with an International Filing Date of May 23, 2014, which is incorporated herein by reference in its entirety.
Relation | Number | Date | Country
---|---|---|---
Parent | PCT/US2014/039406 | May 2014 | US
Child | 15355592 | | US