1. Field of the Invention
The invention relates generally to the field of detecting computer malware activity on a computer attached to a computer network. More specifically, the invention relates to one or a distributed set of network-based sensors operating in cooperation with a centralized analytics and correlation engine that correlates events across the sensors to detect malicious activity on a monitored network using a multi-tiered rule set of network conditions and statistics. When malicious activity is detected upon the satisfaction of a predetermined set of network conditions or statistics, the invention traces the activity to the host computer or computers that may be responsible for it, for further analysis and action by a network administrator.
2. Description of the Related Art
With the onset of modern cyber-attacks on high-profile and high-value IT targets, it is apparent that the state of prior art information security methods and devices is lacking. As computers and personal computing devices have become increasingly network-oriented, the strategies and behaviors of modern malware have adapted and evolved to focus their attacks on these interconnected networked systems.
By way of background, a discussion of certain current malware tactics and of the shortfalls of the older "defense-in-depth" security implementations used to prevent and detect these tactics follows, together with a discussion of aspects of the invention for addressing advanced malware in highly networked environments. The device and methods of the invention greatly enhance the security posture of networked computer systems and enable detection of evolving malware tactics now and in the future.
Malware has existed since at least the days of the "Morris worm", detected on about Nov. 2, 1988. Even before Morris' famous Internet worm, the ARPANET had Bob Thomas' "Creeper" program. Creeper quickly proliferated through the ARPANET, infecting the systems in its path, and thus the first computer virus was born. Even at that time, hackers were developing new ways of infecting computers and disrupting computer communication.
In that period, malware was merely a set of opportunistic attacks for fame and glory through high-profile nuisance attacks. Unfortunately, malware evolved and eventually was used for theft or destruction of sensitive or proprietary information and other illicit activities.
With the onset of computer networking and the "connected" PC, a greater number of potential hacker targets emerged, along with a highly connected delivery mechanism: the Internet.
By about 2007, large-scale "botnets" had become prominent. Botnets fundamentally changed the way malware could be used and brought an onset of new information security devices and procedures intended to stop or mitigate the effects of this new form of malware. Nonetheless, malware continued to evolve into targeted attacks used for industrial espionage, specific targeted theft, publicity attacks, and personal attacks such as revenge and spying.
Malware has continued to evolve to the point that current information security safeguards are limited against the onslaught of "advanced malware", particularly what is known as the Advanced Persistent Threat or "APT", which has moved into the mobile computing world, affecting laptop computers, smart phones, tablets and other mobile devices.
What is considered "Advanced Malware" in the disclosure herein is defined as the plurality of malicious network attacks known by various names such as Targeted Cyber Attacks, Zero-day, Crimeware, Cyber Warfare, and Advanced Persistent Threats, among others. These types of cyber-attacks are sophisticated and targeted and, in many instances, use professionally developed cutting-edge technology. These attacks may be carried out by well-financed nation-states, organized crime, and even corporations acting against their competitors.
Advanced malware is typified by the malware commonly known as Advanced Persistent Threats (APTs), referred to above. APTs are highly sophisticated and use technology against which there are currently few or no defensive capabilities. An APT usually starts with extensive reconnaissance by the hacker, intended to lead to long-term infiltration opportunities (Advanced) that exploit vulnerabilities in a targeted system.
A primary goal of an APT is to minimize the risk of detection for long periods of time, allowing the APT ample time to provide stealthy, long-term access to the now-compromised network (Persistent). APTs are also designed to permit well-trained and disciplined human attackers to direct the operations of the malware infecting the compromised systems using a command and control structure ("C2") that has been surreptitiously installed into the infected host or network. This permits the human attacker ample time and opportunity to carry out a focused attack (Threat).
APTs have been characterized as "Tier III" attacks in the Air Force's 2007 "Victory in Cyberspace" report. This report defined a "Tier III" attack as one where the attacker has NSA-like capabilities and nation-state resources behind them. The level of sophistication of an APT makes conventional prior art network security controls virtually ineffective against it.
APTs can be used not only to attack nation-state information networks but also to attack critical infrastructure networks and Industrial Control Systems (ICS) in the form of a supervisory control and data acquisition ("SCADA") cyber-attack, a form of attack the instant invention can be configured to address.
An example of an APT being used against a private sector enterprise was referred to as Operation Aurora, and was carried out against a number of high-tech commercial companies worldwide. Certain of the companies targeted were high-profile entities such as Symantec, Juniper, Google and Adobe.
Along with the above "conventional" information network attacks, a further example of an APT used against Industrial Control Systems (ICS) in a SCADA cyber-attack was the Stuxnet worm, an ICS APT used against Iran to disable centrifuge operations in uranium enrichment activities. Newer variants of APTs show up daily; Duqu and Flame are notable examples of variants of previous APTs.
APTs are generally customized exploits with an explicit mission. They are designed to penetrate a specifically targeted environment and remain undetected until they can carry out their task, often data exfiltration to an unauthorized receiver.
After an APT has carried out its initial mission, a well-coded APT may be configured to stay hidden and persist in the environment until re-tasked with a new mission.
Referring now to FIG. 1, most APTs and advanced malware are designed around a phased “lifecycle” that allows for them to carry out their mission. A representative lifecycle model may generally include the hacker steps of:
1. Reconnaissance (scanning the network from the outside for useful information and vulnerabilities),
2. Intrusion into the network,
3. Escalation of unauthorized hacker privileges,
4. Unauthorized installation of a root kit or kits,
5. Establishment of a hacker command and control structure or "C2",
6. Internal scan of the network for useful information (passwords, network vulnerabilities, proprietary information, etc.),
7. Staging information in the network to be exfiltrated in a subsequent step,
8. Exfiltration,
9. Modification of network data,
10. Obfuscation of hacker presence in the network.
Not all APTs use all of the above steps and the order of the steps is highly dependent on the attack. The one thing in common is that during some phases of the attack, the malicious agent will typically create or modify network traffic.
APTs utilize various tactics across the different phases of an attack. Most of these tactics operate within the targeted internal network and thus cannot be detected by perimeter defenses or even by host-based defenses. Each APT is unique in the way it operates, but all APTs and advanced malware are generally designed around the same sequence: infection, retrieving command information, discovery, replication, carrying out the mission, and remaining undetected.
FIG. 1 illustrates general steps that may be taken in an APT data exfiltration attack. An APT begins with a reconnaissance phase performed on the target organization's network and/or personnel within the organization. During this phase, the attacker searches for weak links in the external perimeter of the network that can be exploited as entry points into the targeted organization's networks and systems.
This phase may include looking at remote sites and at any partners that could provide access into the targeted network. The reconnaissance phase may never touch the targeted organization's systems but instead may use social networking, or evaluate the company's organization through its own website or other publicly available information, to identify network entry points.
After the reconnaissance phase, the attacker is ready for the initial intrusion into the network. One of the most common and successful methods of penetrating an organization's network defense is the use of social networking with targeted spear-phishing emails. These are highly focused emails with some type of attack embedded as part of the email. They may be aimed at a few individuals who have elevated access within the target organization. Such spear-phishing emails contain a malicious attachment or a malicious link for the receiver to click on, which, if clicked, installs the initial infectious code.
The malicious attachment may be in the form of a document that, when opened, installs malicious code. A malicious link could be directed to a site where the attacker has loaded code that exploits vulnerabilities in the web browser when the link is clicked.
The foregoing examples highlight the fact that a determined attacker has many ways of bypassing an organization's perimeter defenses and infecting its network and systems.
After the attacker has infiltrated the organization's network with the initial intrusion, the attacker's malicious code is configured to establish a connection back to a Command and Control (C2) server controlled by the attacker. This permits the attacker to establish a command channel to the malware installed on the compromised systems and provides a mechanism to relay commands, retrieve status, and install updates to the installed malware. These C2 connections may be short-lived and may be configured so that only a single compromised system within the organization's network connects out; that system, in turn, relays commands to the other compromised systems within the network.
An APT is generally configured to escalate hacker privilege on the compromised system, to update and install the utilities needed for its task, to perform discovery by scanning and mapping the network, to collect the information needed to carry out its tasks, and to attempt to spread the infection by "pivoting" within the organization's network. Much of the activity in these phases of the attack is performed with minimal, if any, communication outside the organization's own network. Note that at this point, any perimeter cyber-attack defenses on the organization's network are useless for detecting the APT activity occurring internal to the network.
At this point, the attacker has infiltrated the targeted network and may spend weeks, months or longer in the network before the malware is activated to carry out its mission (e.g., data exfiltration). If the mission is to steal/exfiltrate data from the organization or country, then the malware may be configured to begin moving data to a compromised data staging area within the infected system.
After the data is moved to the staging system, it can be packed, obfuscated or encrypted prior to being sent across the perimeter defenses of the network to an external server controlled by the attacker. Because the outbound payload then no longer resembles the original content, it is extremely difficult for any prior art data loss prevention device to detect the exfiltration.
Even after carrying out its mission, the malware may persist in the network. It may be configured to check back with the attacker's C2 server on an infrequent and irregular schedule to look for additional updates or to initiate a new mission. While the malware remains fairly quiet within the infected network, it may also be configured to spread to other vulnerable systems.
The ability of APTs to infect and operate within a targeted organization's network with such anonymity makes them extremely dangerous in today's networked world.
The current information assurance ("IA") concept of "Defense-in-Depth" is patterned after the military defensive posture of creating layers of defenses that compel an attacker to expend a large amount of resources to penetrate them. This works well in kinetic warfare but is generally unsustainable in the cyber realm. The concept of Defense-in-Depth, one of layered defenses based on people, processes and technology, may be a sound concept for defensive measures in the kinetic world, but its implementation in the cyber arena was adopted long before the risks in the cyber environment were fully understood. Thus Defense-in-Depth as an IA strategy is not a complete solution in today's networked environment. Today's cyber attackers may have the resources of a nation-state behind them and are well versed in the strategy, technologies, and business practices used to define Defense-in-Depth.
Current IA defenses are primarily focused on the perimeter. They are designed to guard against malware entering the network or to prevent the initial infection from reaching the host system. They rely heavily on recognizing specific data signatures and/or the behavior of specific malware. The idea behind this layered approach is that what is missed at one layer (product) is caught by another. Unfortunately, this approach presents little challenge to the sophisticated, determined attacker behind today's advanced malware attacks.
The simple fact is that even though Defense-in-Depth is the predominant security mechanism in place today, successful network attacks are increasing.
The bottom line is that the ability to stop network penetrations by advanced malware is essentially not presently achievable using known prior art defensive mechanisms.
The idea of "host-based" security control is failing under the onslaught of advanced malware. It has been stated that it takes approximately 150 lines of code to develop a new attack variant but may require a million-plus lines of code to defend against that attack. With asymmetry of this magnitude, there is no effective way for current security vendors to develop defense mechanisms that prevent advanced malware from entering targeted networks.
What is needed is a way of addressing the dynamic action of present-day malware: a way that looks beyond the initial intrusion and looks for its signs across all phases of the advanced malware lifecycle. To detect the inner workings of advanced malware and APTs, what is needed is a way to monitor traffic within the organization's internal network for forensic data associated with a malware infection.
It is known that even if malware cannot be stopped at the perimeter, once it is resident within the network it must communicate over and within that network. Advanced malware has evolved to be even more dependent on the underlying network for control, propagation, and payload functionality.
By providing the instant invention, which looks beyond specific malware signatures and instead looks for malicious activity that maps to the various phases of an attack, the invention is capable of detecting malware before it can carry out its mission. By analyzing the potentially malicious traffic within a network, a host that is generating the malicious activity can quickly be identified and isolated.
To carry out near real-time, in-depth malware detection, a challenge exists in that multiple events must be correlated across time, frequency and lifecycle phases in order to effectively determine if and in what manner a host is infected.
Today's advanced malware and APTs generally hide within normal network traffic but still must utilize the network to carry out their mission. By utilizing a “forensics approach” to monitoring internal network traffic, when malware uses the network, it provides “indicators” or “footprints” that are recognized by the invention and that allow the malware to be detected.
To address the above need, the device and method of the invention comprise a set of distributed network-based sensors that feed a centralized analytics engine, which correlates the network and host event data identified by and across the sensors to detect malicious activity on a monitored network. When malicious activity is detected by the invention, it traces the activity back to the host or hosts responsible for the activity.
The invention focuses on detecting advanced malware and APTs by examining traffic deep in the core of an organization's internal network and provides an automated level of network forensic analytics that is not known in the prior art.
The invention uses high-speed sensor technology, i.e., operating at 10 Gbit/s line rates and above, to monitor the organization's traffic crossing the core network. The sensor elements or sensor control points of the invention look for low-level suspicious traffic and statistical data and send notifications to a higher-level analytics engine that correlates these notifications to identify and flag possible malicious events. These events are then used to decide whether the detected activities are malicious.
Based on the results of those decisions, a network operator is notified via an alarm, and supporting forensic network data is provided to illustrate the trail of how the decisions were made. Through this advanced detection and analytics mechanism, the invention also identifies the host(s) producing the malicious activity.
Accordingly, the method and device of the invention are provided in the form of an appliance-based network sensor system, deployed in one or more "bump-in-the-wire" positions, together with an analytics processing engine that performs time-based analytics on multiple sensor inputs and stores the results in an event data storage repository.
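The correlation step described above, in which low-level sensor notifications are tiered by frequency and by the number of distinct lifecycle phases they touch and then attributed to a host with an evidence trail, is illustrated by the following added example. It is not code from the patent or from any product the patent describes. The indicator-to-phase mapping, the three tier rules, the one-hour window, the frequency thresholds, the sensor names and the event records are all assumptions constructed for the illustration.

```python
"""Toy multi-tier correlation engine in the style of the patent's description.

Sensors emit low-level notifications (constructed here as Event records).
The engine groups them per internal host, slides a time window over them,
and raises an alarm whose tier rises with the number of lifecycle phases
seen in the window. The evidence list is the forensic trail for the operator.
All mappings, thresholds and sample data below are assumptions, not the patent's.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed mapping from a sensor's low-level indicator to an APT lifecycle phase.
INDICATOR_PHASE = {
    "beacon_periodic": "c2",
    "internal_port_scan": "internal_scan",
    "new_admin_share_access": "privilege_escalation",
    "large_internal_transfer": "staging",
    "bulk_outbound_encrypted": "exfiltration",
}

WINDOW_SECONDS = 3600                                   # assumed correlation window
FREQ_THRESHOLD = {"beacon_periodic": 5, "internal_port_scan": 3}  # assumed Tier 1 cut-offs


@dataclass
class Event:
    ts: int          # seconds since epoch (constructed values)
    sensor: str      # which core sensor reported it
    host: str        # internal host the sensor attributed the traffic to
    indicator: str   # low-level indicator name
    count: int = 1   # occurrences within the sensor's report interval


@dataclass
class Alarm:
    host: str
    tier: int
    phases: list     # sorted lifecycle phases observed in the window
    evidence: list   # human-readable trail of the events behind the decision


def score_window(window):
    """Apply the assumed tier rules to the events in one time window.

    Tier 1: a single indicator exceeds its frequency threshold.
    Tier 2: indicators from at least two distinct lifecycle phases.
    Tier 3: three or more phases including C2 or exfiltration traffic.
    """
    counts = defaultdict(int)
    phases = set()
    for e in window:
        counts[e.indicator] += e.count
        if e.indicator in INDICATOR_PHASE:
            phases.add(INDICATOR_PHASE[e.indicator])
    tier = 0
    if any(counts[name] >= limit for name, limit in FREQ_THRESHOLD.items()):
        tier = 1
    if len(phases) >= 2:
        tier = 2
    if len(phases) >= 3 and phases & {"c2", "exfiltration"}:
        tier = 3
    return tier, phases


def correlate(events):
    """Return one Alarm per host, keeping the highest tier reached in any window."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        by_host[e.host].append(e)

    alarms = []
    for host, evs in by_host.items():
        best = None
        for end in evs:  # each event closes a window looking back WINDOW_SECONDS
            window = [e for e in evs if 0 <= end.ts - e.ts <= WINDOW_SECONDS]
            tier, phases = score_window(window)
            if tier and (best is None or tier > best.tier):
                trail = [f"{e.ts} {e.sensor} {e.indicator} x{e.count}" for e in window]
                best = Alarm(host=host, tier=tier, phases=sorted(phases), evidence=trail)
        if best:
            alarms.append(best)
    return alarms


# Constructed sample notifications from two sensors covering two hosts.
SAMPLE_EVENTS = [
    Event(1000, "core-sensor-1", "10.1.5.23", "beacon_periodic", 6),
    Event(1300, "core-sensor-2", "10.1.5.23", "internal_port_scan", 4),
    Event(2500, "core-sensor-1", "10.1.5.23", "large_internal_transfer", 1),
    Event(3000, "core-sensor-2", "10.1.7.9", "internal_port_scan", 1),   # isolated noise
    Event(9000, "core-sensor-1", "10.1.7.9", "beacon_periodic", 2),      # outside window, low rate
]

if __name__ == "__main__":
    for alarm in correlate(SAMPLE_EVENTS):
        print(f"ALARM tier {alarm.tier} host {alarm.host} phases {alarm.phases}")
        for line in alarm.evidence:
            print("   ", line)
```

The host 10.1.5.23 reaches Tier 3 because beaconing, an internal scan and a staging transfer all fall within one window, while 10.1.7.9 raises nothing: its two indicators are more than an hour apart and each is below its frequency threshold. Windows are evaluated per event rather than once per host so that a long-dormant implant that later wakes up is judged on its recent activity, not diluted by months of silence.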