Cyber-attacks have matured and evolved from unfocused, unsophisticated criminal activities to long-term campaigns against targeted entities using advanced attack tools. This type of cyber activity is known as Advanced Persistent Threat (APT), and it poses a significant danger to every business, government or military with data to protect from public disclosure. The costs of resolving APT attacks are also a financial burden on organizations. Expenses related to attack cleanup, however, pale in comparison to the long-term costs associated with the disclosure of valuable intellectual property, confidential data, trade secrets, business plans, and other data targeted by cyber attackers focused on extracting intelligence from their targets. Loss of data subject to regulatory requirements, such as consumer financial data, health information covered by the Health Insurance Portability and Accountability Act (HIPAA), records governed by Sarbanes-Oxley, or military data, could result in significant fines and law enforcement action. The income loss and the costs of re-establishing customer confidence once a data breach is publicly reported can be devastating.
After an APT cyber-attack has been discovered, the targeted entity requires immediate answers for timely cleanup, risk assessment, and regulatory compliance. It must quickly identify the stolen intellectual property or trade secrets, the affected equipment and accounts, and attacker attribution as accurately as possible. However, ongoing public disclosures from businesses, military organizations and governments all over the world have revealed disturbing trends about APT attacks. The cyber-attack usually goes unnoticed until security researchers observe a business's stolen data being sold or distributed by the attackers. At this point, the adversary has had long-term access to large portions of the target's intellectual property, personal information and/or classified data. Cyber-security equipment currently available does not prevent successful attacks; instead it delays intrusion, enables eventual discovery, and gives attack responders the tools required to investigate and remove a discovered attack. Attacked entities must wait for extensive forensic analysis and intrusion detective work before they can adequately respond to an attack, and sometimes receive only estimates of attacker activity.
Unlike naive, cybercrime-focused malware, APT attack tools are complex and finite in number. They are often used for long periods of time with only minor adjustments. Their communication and messaging systems, however, are complex and require cyber defenders to have advanced encryption, protocol, and malware analysis expertise. This makes it harder for regulatory agencies, law enforcement, and cyber-security service providers to counter APT threats. In the meantime, APT attackers increase their capabilities' speed, their detection evasion, and their techniques for countering cleanup efforts. A poorly executed intrusion response, which gives the attacker time to react, may only result in the existing attack tools being replaced with more advanced versions in different locations inside the business.
Unwanted software bundling is the practice by which unscrupulous companies confuse users into installing unwanted programs that can compromise a user's privacy or weaken their computer's security. Companies often bundle a wanted program download with a wrapper application that forces the user to install an unwanted application, while making it hard for the user to find out how to opt out. Nearly every third-party free download site bundles its downloads with potentially unwanted software.
Antivirus companies define the bundled software as potentially unwanted programs (PUPs), which can include software that displays intrusive advertising, tracks the user's internet usage to sell information to advertisers, injects its own advertising into web pages that the user views, or uses premium SMS services to rack up charges for the user. Unwanted programs often give no sign that they are installed, and provide no uninstall or opt-out instructions. Some unwanted software bundles include software that installs a root certificate on the user's device, which allows attackers to intercept banking details without browser security warnings. The United States Department of Homeland Security has advised removing such an insecure root certificate, because it makes computers vulnerable to serious cyber-attacks.
There are known devices that attempt to detect Advanced Persistent Threat (APT) activity using a variety of techniques. Network security devices that can be adjusted to collect specific attacks, including cyber-attack tool communications, are currently available. There exist network monitoring and attack discovery products and tools, including open source tools. Some cyber-security defense products, such as Intrusion Detection Systems, provide “fact of” alerts based on known attack-like behaviors or malware signatures. Many of these network-monitoring devices also have the capability of collecting the network traffic associated with an alert, as well as subscription services to ensure the latest detection capabilities are installed. However, these defense products do not extract the contents of the attack tool messages they discover, nor do they process malicious tool network activity to expose the details of the intrusion described above. Thus, the threat becomes even greater when APT attacks are discovered only after operating against and maneuvering inside an organization for months or years.
It is known to analyze network traffic in real time, i.e., “on-line.” Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS). Snort has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching, and matching. Snort detects attacks on operating systems, fingerprinting attempts, common gateway interface (CGI) attacks, buffer overflows, server message block (SMB) probes, and stealth port scans. Snort performs packet inspection, intrusion detection and intrusion prevention based on protocol standards, protocol anomaly detection, application control, and signature matching. Snort also analyzes application-level vulnerabilities, including binary code in HTTP headers, HTTP/HTTPS tunneling, URL directory traversal, cross-site scripting, and SQL injection.
Covert channels, which adversaries use as a medium for sending malware to victims of a cyber-attack, are known; DNS tunneling is one example. In a DNS tunnel, data are encapsulated within DNS queries and replies, using base32 and base64 encoding, and the DNS domain name lookup system is used to send data bi-directionally. Botnets can use DNS tunneling as a covert channel, which is hard to detect. The only way to identify such covert channels is by looking for Command and Control messages within DNS traffic. Attackers use DNS tunneling tools to create these covert channels.
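As an added example that is not part of the patent text, the following Python scores DNS query names for the tunnel traits described above (long, high-entropy base32-style labels, many distinct such names under one zone) from a defender's log-review standpoint. The thresholds and the two-label zone approximation are assumptions, and the sample query names are constructed rather than captured.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict

# Tunable thresholds: assumptions for this example, not values from the text.
MIN_PAYLOAD_LEN = 32      # total chars across subdomain labels
MIN_LABEL_LEN = 20        # longest single label; tunnels pack labels to ~63
MIN_ENTROPY = 3.5         # bits/char; dictionary-word labels sit well below
MIN_UNIQUE_PER_ZONE = 5   # distinct suspicious names before a zone is flagged


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_zone(qname: str):
    """Return (subdomain labels, zone). The zone is approximated as the last
    two labels; a deployment would use a public-suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])


def is_suspicious(qname: str) -> bool:
    """True when the subdomain part looks like an encoded data payload."""
    subs, _ = split_zone(qname)
    payload = "".join(subs)
    return (len(payload) >= MIN_PAYLOAD_LEN
            and max((len(lbl) for lbl in subs), default=0) >= MIN_LABEL_LEN
            and shannon_entropy(payload) >= MIN_ENTROPY)


def flag_tunnel_zones(qnames):
    """Group suspicious names by zone and return {zone: count} for zones with
    at least MIN_UNIQUE_PER_ZONE distinct suspicious names (C2-over-DNS pattern)."""
    seen = defaultdict(set)
    for q in qnames:
        if is_suspicious(q):
            subs, zone = split_zone(q)
            seen[zone].add(".".join(subs))
    return {z: len(s) for z, s in seen.items() if len(s) >= MIN_UNIQUE_PER_ZONE}


def constructed_tunnel_names(zone: str, count: int):
    """Constructed input: base32-encode 32 pseudo-random bytes per query (as
    the text describes) and split them into <=63-char labels under zone."""
    names = []
    for i in range(count):
        chunk = hashlib.sha256(f"chunk{i}".encode()).digest()
        enc = base64.b32encode(chunk).decode().rstrip("=").lower()   # 52 chars
        labels = [enc[j:j + 63] for j in range(0, len(enc), 63)]
        names.append(".".join(labels + [zone]))
    return names


# Constructed benign names (not from any capture) mixed with tunnel-like ones.
BENIGN = ["www.example.com", "mail.example.com", "cdn-a1.static.example.net",
          "login.accounts.example.com"]
SAMPLE_QUERIES = BENIGN + constructed_tunnel_names("example.org", 6)
```

Legitimate services that encode hashes into hostnames (reputation lookups, CDN tokens) will trip the per-name heuristic, so the per-zone count and an allowlist of known zones are what keep false positives manageable.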
“Suricata” is a multi-threaded malware command and covert channel detector. Suricata uses malware-processing engines for network IDS, IPS, and security monitoring, and balances the malware-processing load across multiple processors. Suricata recognizes common protocols as a stream starts, allowing rule writers to write rules against the protocol. Suricata can match on protocol fields ranging from an HTTP URI to an SSL certificate identifier. Suricata can handle off-port HTTP, command-and-control (CnC) channels, file identification, MD5 checksums, and file extraction. Suricata can identify malware file types crossing a network. Files can be tagged for extraction, and metadata files describing the capture context and flow are stored with them. The file's MD5 checksum is calculated on the fly so that it can be matched against a list of MD5 hashes.
U.S. Patent Publication No. 2004-0107361 discloses a network intrusion detection system for detection of an intrusion through the analysis of data units on a network connection. U.S. Pat. No. 7,356,736 discloses a simulated computer system for monitoring of software performance. U.S. Pat. No. 5,765,030 discloses a processor emulator module having a variable pre-fetch queue size for program execution. U.S. Pat. No. 7,093,239 discloses a computer immune system and method for detecting unwanted code in a computer system. U.S. Patent Publication No. 2010-0100963 discloses a system and method for detecting and preventing attacks and malware on mobile devices such as cell phones, smartphones or PDAs, which are significantly limited in power consumption, computational power, and memory. U.S. Patent Publication No. 2008-0022401 discloses an apparatus and method for multicore network security processing. U.S. Pat. No. 7,076,803 discloses integrated intrusion detection services. U.S. Pat. No. 6,851,061 discloses a system and method for intrusion detection data collection using a network protocol stack multiplexor. U.S. Patent Publication No. 2003-0084319 discloses a node, method and computer readable medium for inserting an intrusion prevention system into a network stack. U.S. Pat. No. 6,775,780 discloses detecting malicious software by analyzing patterns of system calls generated during emulation.
FIG. 1 depicts an exemplary system under threat by a plurality of malware, covert channel, steganography, and PUP servers. APT attacks are typically conducted in predictable stages. First, the attacker gains access to a machine on the network. This can be done in a variety of ways, including spear phishing. Spear phishing is the tactic of sending fraudulent emails to targeted company personnel. These emails appear to be from a trusted, legitimate source and trick the employee into performing an action that allows an attacker's malicious tool to be installed. Second, the attacker installs a small malicious tool designed to allow limited access to a victim for later use in an ongoing attack. This tool is likely immune to antivirus. Third, the attacker uses the original small malicious tool to install a larger, fully featured malicious tool, which is also likely immune to antivirus. This tool conducts a variety of tasks for the attacker, including spreading to other users and equipment and transmitting stolen confidential data back to the attacker. Fourth, the attacker spreads throughout the network to ensure long-term access to the organization, steal vital secrets at will, and upgrade the attack tools to stay one step ahead of cyber-security analysts and tools.
Every step of the APT attack requires network communication with the attacker or with infrastructure controlled by the attacker. As the attack against a target progresses from stage 1 through stage 4, the communications grow larger and carry more information about the attack itself. Attackers need means of managing their attack, sending commands to the individual victim machines, and receiving stolen data from the target. Additionally, as the attack matures through stage 4, these communications increase in stability and complexity. The full-featured malicious tools used in stages 3 and 4 are designed to last the duration of an attack, for months or years, and are complex enough to evade most naive detection techniques while managing an advanced cyber-attack campaign.

There exist application programming interfaces (APIs) for capturing network traffic. Unix-like systems implement PCAP in their “libpcap” libraries; Windows systems use a port of “libpcap” known as “WinPcap.” Network traffic monitoring software may use libpcap and/or WinPcap to capture packets traveling over a network. In newer versions of the software, libpcap or WinPcap capture packets at the link layer. The PCAP API is written in C, so other languages such as Java, .NET languages, and scripting languages generally use a wrapper. Captured network communications from Advanced Persistent Threat (APT) attack tools contain information vital to both attacker and target. These tailored messages almost always contain information about both the target and the attacker: victim machine information, victim user information, stolen (also called exfiltrated) intellectual property, attacker identifying information, attacker actions taken against the target, and attacker tool information, such as the date of the original attack.
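The captures that libpcap and WinPcap produce are normally written in the pcap savefile format, and off-line analysis starts by reading that file. The reader below is an added example, not the patent's or libpcap's code; the record layout (24-byte global header, 16-byte per-packet header) is the documented libpcap format, the sample frames are constructed in memory so the code runs offline, and both byte orders are handled from the magic number.

```python
import struct
from dataclasses import dataclass

PCAP_MAGIC = 0xA1B2C3D4    # pcap savefile magic, microsecond timestamps
LINKTYPE_ETHERNET = 1      # DLT_EN10MB


@dataclass
class Packet:
    ts: float        # capture time, seconds since the Unix epoch
    orig_len: int    # length on the wire
    data: bytes      # captured bytes, possibly truncated to snaplen


def read_pcap(buf: bytes):
    """Parse a pcap savefile held in memory; return (linktype, [Packet]).
    Byte order is inferred from the magic number; malformed input raises."""
    if len(buf) < 24:
        raise ValueError("truncated global header")
    if struct.unpack("<I", buf[:4])[0] == PCAP_MAGIC:
        end = "<"
    elif struct.unpack(">I", buf[:4])[0] == PCAP_MAGIC:
        end = ">"
    else:
        raise ValueError(f"unrecognised pcap magic {buf[:4].hex()}")
    major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(end + "HHiIII", buf[4:24])
    if major != 2:
        raise ValueError(f"unsupported pcap major version {major}")
    packets, off = [], 24
    while off < len(buf):
        if len(buf) - off < 16:
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", buf[off:off + 16])
        off += 16
        # A record may never exceed snaplen, claim more captured bytes than
        # were on the wire, or run past the end of the buffer.
        if incl_len > snaplen or incl_len > orig_len or off + incl_len > len(buf):
            raise ValueError(f"bad record length {incl_len} at offset {off - 16}")
        packets.append(Packet(ts_sec + ts_usec / 1e6, orig_len, buf[off:off + incl_len]))
        off += incl_len
    return linktype, packets


def build_pcap(records, snaplen=65535, end="<"):
    """Serialise (ts_sec, ts_usec, wire_bytes) records into a pcap savefile.
    Used here only to construct offline input; truncates data to snaplen."""
    out = struct.pack(end + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, data in records:
        captured = data[:snaplen]
        out += struct.pack(end + "IIII", ts_sec, ts_usec, len(captured), len(data)) + captured
    return out


# Constructed sample: two fake 14-byte Ethernet headers plus payload (not real traffic).
SAMPLE_RECORDS = [
    (1_700_000_000, 250_000, b"\x00" * 14 + b"payload-one"),
    (1_700_000_001, 500_000, b"\xff" * 14 + b"payload-two-is-longer"),
]

if __name__ == "__main__":
    linktype, pkts = read_pcap(build_pcap(SAMPLE_RECORDS))
    print(linktype, [(p.ts, p.orig_len, len(p.data)) for p in pkts])
```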
It is known to analyze network traffic in non-real time, i.e., “off-line.” For example, “ChopShop” is a framework developed by the MITRE Corporation. Malware processors are known for delivering robust defense against malicious attacks. Malware processors are configured to operate based on known or developed malware signatures for detection and analysis. A malware signature is an algorithm or hash (a number derived from a string of text) that uniquely identifies a specific virus. A signature may be static, which in its simplest form is a calculated numerical value of a snippet of code unique to the malware. A signature may also be behavior-based, i.e., if the malware tries to do X, Y, and Z, flag it as suspicious. The signature can be a unique string of bits, or the binary pattern, of a virus. A virus signature is thus like a fingerprint in that it can be used to detect and identify specific viruses. Anti-virus software uses the virus signature to scan for the presence of malicious code. ChopShop's APT tools provide processing and analysis of a very limited number of malware signals through network-based protocol decoders that enable security professionals to understand the actual commands issued by or to malware-controlling endpoints, i.e., the malware servers shown in FIG. 1. Also known in cyber security are covert channels. In one example, covert channel controlling endpoints, i.e., the covert channel servers shown in FIG. 1, create proprietary communication channels between controlling endpoints. As used herein, a covert channel is an attack tool that communicates messages by deviating from a standard protocol to avoid detection. A covert channel deviation can be at any one or more layers of a standard protocol stack. A malware is an attack tool against a target that uses the standard protocol stack for message communication without deviation from the standard protocol.
Also known in cyber security are other attacks, including steganography. Malicious tools use numerous methods to hide large volumes of information inside files that appear harmless and legitimate, a practice known as steganography. Some such methods use algorithms to hide the data, which the invention is able to extract in near real time. Other steganographic techniques require discovery or disclosure of the cryptographic variables or keys before the hidden information can be extracted.
The invention utilizes a variety of cryptographic and forensic techniques to attack the encryption used by a steganography-wielding malicious tool and extract the hidden information. Some cryptographic and steganographic techniques are unique and require custom functionality to identify the cryptographic variables necessary for decryption. Other techniques follow the standard decryption tradecraft employed by the invention, allowing processing to use standardized cryptographic attacks.
Also known in cyber security are other attacks, including potentially unwanted programs (PUPs). There are known browser toolbars or programs that a user can be enticed to install, by installing which the user has “agreed” to give the business all of their daily activities and data. A user would not normally agree to install such a program, or did not know they were agreeing to give away their daily activity, for example, which makes it a potentially unwanted program (PUP). PUPs are installed on the machine at the network layer by some system-monitoring tool. A firewall detects the PUP and sends it to the administrator. The administrator determines whether the program is wanted or unwanted on the server. A program that is wanted can also be unwanted by the owner of the network.

Running heuristic analysis is also possible, which would mostly be focused on administration-tool PUPs. Most antivirus programs that use heuristic analysis perform this function by executing the programming commands of a questionable program or script within a specialized virtual machine, thus permitting the anti-virus program to internally simulate what would happen if the suspicious file were executed, while keeping the suspicious code isolated from the real machine. It then analyzes the commands as they are performed, monitoring for known viral activities such as replication, file overwrites, and attempts to hide the existence of the suspicious file. If one or more virus-like actions are detected, the suspicious file is flagged as a possible virus, and the user is alerted. Another common method of heuristic analysis is for the anti-virus program to decompile the suspicious program and then analyze the source code within it. The source code of the suspicious file is compared to the source code of known viruses and virus-like activities. If a certain percentage of the source code matches the code of known viruses or virus-like activities, the file is flagged, and the user is alerted.
The other side of PUP includes administration tools, like telnet (a user command and an underlying TCP/IP protocol for accessing remote computers), RDP (a proprietary protocol that provides a user with a graphical interface to connect to another computer over a network connection), FTP (a standard network protocol used to transfer computer files from one host to another over a TCP-based network, such as the Internet), or any other administration tool. These are very powerful administration tools used in almost every network, and they are also extremely useful to hackers. The administrator cannot easily tell what the PUP (administration tool) is actually doing, aside from noting, for example, that there are no employees in China when a Chinese IP address is seen. The system decodes these protocols as well, to expose the activities being conducted during these “potentially unwanted” administration activities.
The serious need to combat APT attacks on government, business, and military networks has been recognized. Enormous resources are required to conduct the advanced technical analysis necessary to understand attacks, and that analysis must take into account various governmental regulatory requirements. For example, developers of cyber security products in the U.S. must comply with State Department and U.S. Department of Defense regulations under the International Traffic in Arms Regulations (ITAR).
Responding to APT attacks requires comprehensive reports accurately detailing the activities of the attacker, the affected users and machines, the stolen intellectual property, and clues as to the attacker's attribution and motives. Additionally, information technology personnel require a comprehensive view of all affected equipment, so that coordinated cleanup strategies lessen the chance that attackers could observe and evade removal attempts. Therefore, there exists a need for a robust system that defends against APT attacks.