The present invention relates to computer and network security, and more specifically to forensic analysis of attacking processes and their evidence for improving network security. It is also related to computer malware and sandboxes, an attack's kill chain, network sniffers, and endpoint snapshots.
As referred to herein, a kill chain means an attacking process. It consists of multiple steps, from reconnaissance to an action on an objective (AOO). Each of these steps fulfills a special need. For example, reconnaissance, step 1, is to find a weakness and lock down a target. Step 2 is weaponization: writing shell code to exploit the weakness or vulnerability found. Step 3 is delivery: spreading the shell code to targets. Step 4 is exploitation: executing the shell code. Step 5 is installation: installing a backdoor Trojan. Step 6 is command and control (C&C): harvesting stolen data and/or launching more attacks. Step 7 is actions on objectives: completing the attacker's goal.
As referred to herein, a sandbox is designed for a malware file object or a URL object to execute within an isolated environment and produce a behavior log for malware analysis. In the above kill chain, at step 5, if a Trojan file is captured, it can be sent to a sandbox for behavior analysis.
As referred to herein, a network sniffer is designed and implemented for network packet capture. In the above kill chain, at step 1 (reconnaissance), step 3 (delivery), and step 6 (connecting to command and control (C&C)), an attack leaves traces and evidence in network packets. Those traces and evidence are good sources for forensic analysis of attacks.
As referred to herein, malware is a harmful program designed and implemented by an attacker to infect a victim's computer and take over control of it for malicious purposes. In the above kill chain, steps 2, 4, and 5 involve malware.
As referred to herein, a pen test (PT) is a method of testing a computer system to detect its vulnerabilities based on predefined rules.
A computer network typically consists of multiple computing devices, such as desktop computers, laptop computers, server computers, physical computers, virtual computers, handheld devices such as smart phones, and Internet of Things (IoT) devices, linked together through switches (physical or virtual), one or more routers (physical or virtual, implemented in hardware or software), and one or more firewalls (implemented in hardware or software), and possibly linked to the Internet.
Programs running on computers and devices in a network typically are:
operating systems such as Windows OS, Linux OS, routing OS, and firewall OS; and
applications, including server applications such as Microsoft web server, Apache web server, SQL, and SAS, and endpoint software such as word processors, internet chat software, email clients, and internet browsers.
Attackers herein are typically computer criminals who break into a computer network system without the users' authorization, steal valuable data/information from the system, and cause damage to the system or its users, for malicious purposes.
A weakness means a system security vulnerability that can be used as an entry point for an attacker to break into a network system. Reasons that a weakness exists in a network system include a system design flaw, a hardware or software implementation bug, outdated hardware or software, infection by malware or a backdoor planted by a previous attacker, a stolen authentication access token, a vulnerable or stolen password, etc.
There are many products and solutions that can detect some weaknesses in a network system, such as anti-virus software (AVS), intrusion detection software (IDS), intrusion prevention software (IPS), firewalls, sandboxes (for analyzing suspicious file objects or URLs based on execution behavior), and pen testers (PT).
Each product or solution focuses on a particular stage of a kill chain to address attacking problems. Usually they produce a flood of alert messages that overwhelms users. Users face large numbers of alerts daily and cannot easily determine from the messages what should be fixed first, and where.
There is a need for a product or solution that focuses on finding the particular weakness an attacker has currently discovered and is aiming at, in order to give a user a workable instruction as to what weakness needs to be fixed right away, where, and with the highest priority. If the user can keep up and always fixes the weakness or vulnerability at least at the time the attacker has just discovered or aimed at it, or even one step ahead of the attacker, it is possible to defeat attacks.
The present invention discloses methods of discovering a weakness while an attacker is aiming at it, by analyzing the attacker's early reconnaissance and the traces or evidence left at different stages of an attack's kill chain. At least one of the methods in the present invention keeps a user always one step ahead of the attacker, knowing where and what weakness is being discovered and aimed at by the attacker. While the attacker is locking down a target to attack, the user is meanwhile able to lock down the highest-priority vulnerability to fix and seal before the attack is launched.
Sometimes, at a step of a kill chain, there are only a few or limited traces or evidence, and they may be scattered over different places, such as network traffic logs, malware sandbox behavior analysis logs, and endpoint system snapshots, while a single product or solution usually only collects and looks into the traces or evidence in an isolated way and thus can fail to detect an attack. This invention discloses an automated method and system that collects the scattered traces or evidence to the maximum extent. Even though an individual trace or piece of evidence is not a direct or obvious indication of an attack, once all such traces or evidence are put together, an attack signal or indication becomes clearer. The method disclosed here puts all evidence collected from all the different places and different stages of the kill chain together for a comprehensive analysis. This comprehensive analysis detects where and what kind of weakness is being utilized by the attacker. It further decomposes the algorithm the attacker used in performing the attack or reconnaissance, and uses it to test other computer devices/systems in the network to find proactively whether the same or a similar weakness exists elsewhere. When the weakness is detected, the system in the present invention produces instructions on how to fix it and seal the vulnerability.
The following description, with reference to exemplary and illustrative drawings, describes the present invention in further detail, but the illustration is not intended to limit the embodiments of the present invention; any similar structure of the present invention and similar changes should be included in its scope.
A weakness could also exist in the network communication itself, in network content delivered to applications, or in a network protocol through protocol vulnerabilities. The method in the present invention uses one or more network sniffer(s) 301 to collect all relevant network packets and sends them to an analysis center for comprehensive triage.
The method in the present invention collects one or more endpoint snapshot(s) for threat analysis and investigation. It also combines reports and logs from both the sandbox(es) and the endpoint snapshot(s) in a comprehensive analysis to identify a malware or an attack.
Symbol 602 represents a triaging center that performs a comprehensive analysis, including analyzing network logs and endpoint snapshots. If a file object or URL object is received, it also fires up a sandbox to perform behavior analysis. The interface for file, network record and snapshot submission is a set of RESTful APIs. Symbols 401-40n represent multiple sandbox VMs. Each sandbox can be configured to run various versions of various operating systems, including but not limited to Windows OS, so that different malware file objects can find the right OS version to run on. Symbol 610 represents a set of triaging analysis VM(s) that performs comprehensive analysis on correlated traces and evidence, including but not limited to those in one or more of the following: endpoint snapshots, network traffic records, and sandboxes' behavior reports and logs; decomposes the attacking algorithms used by an attacker; and then sends the result back to tester VM 605 for fire-drill tests. Symbol 611 represents a database that stores all information collected from the sandboxes, the snapshots, and the network traffic records.
Symbols 621, 622, . . . , and 62n represent VM agent servers for taking snapshots and monitoring event triggers. The same or similar agents installed on these servers can be installed on physical computer servers or workstations for taking snapshots and monitoring event triggers. Symbol 606 represents a set of virtual switches; alternatively, a set of physical switches can be used. Symbol 604 represents a set of virtual machine sniffers; alternatively, sniffers can be implemented and installed on physical computer devices and linked with physical switches.
Symbol 601 represents a threat triaging center implemented in the cloud, but alternatively it can also be implemented on a physical cluster of computers. The interfaces for the agent(s) submitting snapshots and for the sniffer(s) submitting network logs are likewise RESTful APIs.
The triaging center 612 takes the collected logs and reports from the database 611 and performs a comprehensive analysis. If it finds that an attack is at the early reconnaissance step 201, the triaging center 612 identifies at a step 709 whether any weakness is exposed. If the answer is “yes”, the triaging center 612 performs a step 710 to analyze the weakness and then performs a step 715 to decompose the algorithm the attacker used to find the weakness. Next, in a step 716, the triaging center 612 uses the decomposed algorithm to test other systems that the attacker hasn't attacked yet. Meanwhile, at a step 717, the triaging center 612 also produces actionable instructions for a user to fix the identified weakness.
The triaging center 612 checks whether an attack is at the shell code delivery step 203. If the answer is “yes”, the triaging center 612 analyzes the network content at a step 705 and abstracts the network content at a step 711. Then the triaging center 612 analyzes the abstracted content at a step 714. After this step, the triaging center performs step 709 to check whether any weakness is exposed. If “yes”, the triaging center 612 performs the step 715 to decompose the algorithm the attacker used to deliver the shell code, and then uses that delivery algorithm in the step 716 to test other systems and see whether such a delivery by the attacker has succeeded. If “yes”, other systems are also vulnerable to that attacking algorithm. In parallel, the triaging center 612 performs a step 717 to produce repair instructions for fixing the weakness.
If the collected information indicates an attack is at the exploitation stage 204 of a kill chain, the triaging center 612 performs a step 706 to analyze snapshots and a step 712 to confirm a vulnerability. Then the triaging center 612 performs the step 709 to check whether a weakness is exposed, and the step 715 to decompose the algorithm by which the attacker's exploitation succeeded. It then performs the step 716 to test other systems using the attack algorithm, to identify whether other systems are also vulnerable to such an exploitation. In parallel, the triaging center 612 also produces repair instructions for the weakness by performing the step 717.
If the collected information indicates an attack is at the installation stage 205 of a kill chain, the triaging center 612 performs a step 707 to capture the installation file object(s) by an agent inside 612 and a step 713 to send the file object(s) to one or more sandbox(es) for behavior analysis. Then the triaging center 612 performs a step 718 to identify whether any backdoor is installed, and the step 709 to check what kind of exposed weakness allowed such an installation to succeed. It then performs the step 710 to analyze the weakness and the step 715 to decompose the algorithm used by the attacker, to work out how the backdoor got installed. Afterwards, the triaging center 612 performs the step 716 to use the decomposed algorithm to test other systems and see whether the same or a similar weakness also exists there. Meanwhile, the triaging center 612 performs the step 717 to produce repair instructions for fixing the weakness.
If the collected information indicates an attack is at the command and control (C&C) communication stage 206 of a kill chain, the attacker has established a foothold and control over a victim's computing device. The triaging center 612 performs a step 708 using one or more network sniffer(s) to capture network packets, the step 711 to abstract content from the captured packets, and the step 714 to analyze the abstracted content, identifying the vulnerabilities that allowed the attack to succeed to this stage and the content being communicated with the C&C 206. Then the triaging center 612 performs the step 709 to check whether a weakness is exposed. If so, the triaging center 612 performs the step 715 to decompose the algorithm by which the attacker's exploitation succeeded, and then the step 716 to test other systems using the attack algorithm, to identify whether other systems are also vulnerable to such an exploitation. In parallel, the triaging center 612 also produces repair instructions for the weakness by performing the step 717.
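As an added illustration of the correlation idea in the scattered-evidence paragraph above and of the staged checks at steps 709 and 717 (example code written for this text, not part of the patent; host names, sources, scores and the threshold are constructed): each item is too weak to alert on its own, but summing the same host's evidence per kill-chain stage across the sniffer, sandbox and snapshot collectors makes a stage cross the threshold.

```python
from collections import defaultdict

# Kill-chain steps in the order the text gives them (step 1 .. step 7).
STAGES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]
# Constructed sample evidence from the three collectors the text names.
# No item alone reaches ALERT_THRESHOLD; only their combination does.
EVIDENCE = [
    {"host": "ws-17", "source": "sniffer", "stage": "reconnaissance",
     "note": "port sweep from one external address", "score": 0.35},
    {"host": "ws-17", "source": "sniffer", "stage": "reconnaissance",
     "note": "repeated SMB version probes", "score": 0.30},
    {"host": "ws-17", "source": "sniffer", "stage": "delivery",
     "note": "document attachment from an unknown sender", "score": 0.30},
    {"host": "ws-17", "source": "sandbox", "stage": "delivery",
     "note": "same document spawns a scripting host when opened", "score": 0.40},
    {"host": "ws-17", "source": "snapshot", "stage": "exploitation",
     "note": "new scheduled task created", "score": 0.30},
    {"host": "db-02", "source": "sniffer", "stage": "command_and_control",
     "note": "periodic beacon to a rarely seen domain", "score": 0.20},
]
ALERT_THRESHOLD = 0.6  # constructed value for the illustration

def correlate(evidence):
    """Sum scores per host and stage across sources; record which sources contributed."""
    totals = defaultdict(lambda: defaultdict(float))
    sources = defaultdict(lambda: defaultdict(set))
    for e in evidence:
        totals[e["host"]][e["stage"]] += e["score"]
        sources[e["host"]][e["stage"]].add(e["source"])
    return totals, sources

def triage(evidence, threshold=ALERT_THRESHOLD):
    """Per host, list stages whose combined evidence reaches the threshold (the
    'weakness exposed' check, step 709) plus a repair-instruction placeholder (step 717)."""
    totals, sources = correlate(evidence)
    findings = {}
    for host, per_stage in totals.items():
        fired = [s for s in STAGES if per_stage[s] >= threshold]
        if not fired:
            continue  # nothing crosses the threshold even when combined
        furthest = fired[-1]  # how far along the kill chain the attacker got
        findings[host] = {
            "stages": fired,
            "furthest_step": STAGES.index(furthest) + 1,
            "evidence_sources": {s: sorted(sources[host][s]) for s in fired},
            "instruction": f"Fix the weakness exposed at {furthest} on {host} first",
        }
    return findings
```

With the constructed data, ws-17 fires at reconnaissance (two sniffer items) and at delivery (one sniffer item plus one sandbox item), while db-02's single beacon observation stays below the threshold.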