Without further ado, I would like Guy to do his own introduction, but thanks guys for coming on this Sunday morning, and hopefully you're not as hungover as I am.

Hey guys, good morning. Can everyone hear me okay? Cool. So I'll start. My name is Guy and I'm here to present my talk, Exploiting Immune Defenses: Can Malware Learn from Biological Viruses? So I'll start by introducing myself a bit. My name is Guy Propper, and I see the font here. It's kind of funny, but never mind. I had people ask me throughout the conference whether that's my real name. It's not an alias. Well, I find it funny, but probably none of you guys do. I've been a researcher for the past two years at a cybersecurity company called Deep Instinct, and before that I did my bachelor's degree in biology and cognitive science at the Hebrew University of Jerusalem. Right now I live in Tel Aviv, which is a cool city, and that's why the photo is there. Actually, before I start, out of interest, how many of you guys have a biological background, a degree or something? Okay, cool. Cool.

Okay, the agenda for today. I'll start with some general background, basically the general biological background that's necessary for the second part of the talk, in which I'll talk about how viruses exploit immune defenses. In the third part I'll conclude and compare a well-known virus and a well-known malware, HIV-1 and Duqu 2, to see if they're similar in any way.

So I'll start with the background. What are biological viruses? Basically, biological viruses are structures that contain genetic material. It can be DNA or RNA, which is surrounded by a protective structure called the capsid. It's a protein structure. What's unique about viruses is that they are defined as non-living, meaning they cannot reproduce on their own. In order to reproduce, they must abuse the replication machinery of another living cell. I'll talk more about that later.
So basically, in order to do that, what they have to do is infect another cell, enter it, and then abuse the machinery that that cell uses for its own replication in order to reproduce themselves and continue spreading. What you can see on the left is a virus that attacks bacteria. It's called a phage, and the picture there shows the DNA, which is surrounded by the protective structure that I talked about, called the capsid. On the right is an actual electron microscope image. It's a real image of these phages around a bacterial cell, preparing to enter it. One more thing that's important to know about viruses is that they are very diverse. Viruses attack pretty much every known organism. There are viruses that attack bacteria, animals, of course, and also plants.

The last bit of basic background I want to talk about is something called the central dogma of biology. This is a very basic idea in molecular biology, and it talks about the transfer of information in biology. So basically all information in the cell is stored in molecules called DNA. They contain the genetic code, and the code contains all the instructions that the cell will perform during its lifetime. One important note is that all living organisms have these small basic units called cells, which make up their bodies, and each of these cells contains DNA. This DNA is then transcribed into an intermediary molecule called RNA, which also stores the information, and then that RNA is translated into proteins. Proteins are three-dimensional structures, and they actually perform the day-to-day functions of the cell. So when you breathe or eat or whatever else, the proteins are what performs the functions in your body, and the instructions for these proteins are contained in the DNA.
And when the viruses abuse the replicative machinery of the cell, basically what they do is they do this process, but they don't have the machinery that is needed to transcribe and translate. So they abuse the proteins that the cell has in order to do that. I also want to talk a bit about defense mechanisms against viruses. So since viruses attack all other types of organisms that we know of, these organisms can also defend themselves from viral attacks. This is a really big topic and I won't go into detail here, but all I want to say is that there are two types of defenses, generic and targeted. By generic defenses, I mean defenses that protect the organism from any kind of attack. It could be from viruses, bacteria, even from physical harm. And then there are targeted defenses, which protect the organism either against a specific type of threat, so protect against all viruses, or, even more targeted than that, can protect against specific types of viruses. An example of that is our adaptive immune system, which learns throughout our lifetime to recognize specific threats. So if we were attacked by a specific type of virus for the first time, it might not necessarily recognize it, but this system has memory, and it will recognize a second attack and respond much faster and much more effectively.

And now I want to move on to the second part of the talk. I'll give a brief overview of what we're going to cover. So I want to start with some key differences between viruses and malware, which I think are important for the next points. Then I'll cover briefly the life cycle of viruses, and then methods of privilege escalation, persistence and defense evasion in viruses. OK, so two key differences between malware and viruses are intent and evolution. What I mean by intent is that when someone writes a piece of malware, they have a specific cause for writing that.
It could be stealing money or stealing information or whatever else they want to do. Viruses, on the other hand, were formed by nature, you could put it that way, but they weren't formed with a specific intent. They weren't formed, for example, to cause a disease. Their only real purpose, even though there's not really a purpose in evolutionary biology, is to reproduce and survive. So all the damage that they cause to achieve that purpose is not intentional. It's just a statistical byproduct of evolution. The second difference is evolution. When malware evolves, it's due to the author of that malware wanting either to achieve new goals or to escape defenses. Even if there's a mutation engine in the malware, which is random or semi-random, that was also put there intentionally by the author. It wasn't formed by chance. While in biology, evolution is statistical and everything happens by chance. And if it succeeds, then it just keeps going and replicating.

Now I want to show you... OK, I wasn't supposed to start yet. Never mind. I want to show you a short video of viral infection. This is a phage attacking a bacterial cell. So it attaches itself to the cell and is preparing to inject its DNA. Once the DNA is injected, the virus abuses the replicative machinery of that cell and lots of new viruses are formed. Eventually, they will want to exit the cell, and they will kill the cell when exiting it, and then they will infect all the cells nearby while the bacterial population tries to defend itself. One important note: this is not a real video. It's just an impression. I think this is close to what happens in real life, because electron microscope images are close to this, but I don't think anyone has a video of an actual viral infection at this resolution.

OK, the lifecycle of viruses is, I guess, the same as or similar to the lifecycle of malware. It starts with creation of the virus. The viruses were created at some point by nature.
Then there is infection, where the virus attaches itself to a cell that it wishes to infect and abuse. Once the virus manages to infect the cell, it executes its code, which can do a bunch of things. But again, the only real purpose of that code is to cause the virus to replicate and spread. And that leads both to host response, because the host wants to continue living, and to evolution of both the virus and the host as they continue to combat each other.

Now we'll go into a bit more detail about privilege escalation, persistence and defense evasion in viruses. I'm not going to cover the similarities to malware in a lot of detail, but I have the examples in the slides. So in order to replicate inside the cell, the virus has to enter it in two parts. The first part is entering the cell itself. You can see a picture of an animal cell there. It has this wall around it called a membrane. And the big yellow circle inside is the nucleus. This is what contains the actual replicative machinery of the cell. I call this privilege escalation because not everything can enter the cell, because its entry and exit is mediated by a bunch of components in the cell. And I'll have a bit of a spoiler. In the second part, the virus has to enter the nucleus, which is even harder, because again, not everything can enter the nucleus. It's highly monitored. So in order to replicate, the virus has to escalate privileges twice, in order to first enter the cell and then enter the nucleus. So how does it do that? In viruses that attack bacteria, as you saw before, there is code injection. The DNA or RNA of the virus is injected directly into the cell and then it's run. And in animal viruses, the virus is fused to the cell membrane, this wall around the cell, or they abuse a bunch of cell entry mechanisms. They basically trick the cell into letting them in like it lets in other nutrients and stuff like that. The second part, as I said before, is entering the nucleus.
The viruses do that through a bunch of mechanisms, but I wanted to cover two main ones here. I called the first one phishing, because I thought it was very similar to the phishing that we know from malware. It works by exposing something called a nuclear localization sequence. It's a sequence that is attached to proteins that basically tells the cell to take this protein, and everything else that is attached to it, into the nucleus. So many viruses use this mechanism, for example HIV-1. And in that way, they achieve privilege escalation by tricking the cell, basically telling the cell, let me enter the nucleus and let me replicate. The second mechanism is physical exploits, which can be entry during cell division, because when the cells divide the wall around the nucleus becomes looser, and so viruses can abuse that to enter the nucleus during that time. And also some viruses are so small that they don't have to abuse anything, really; they can just enter intact through the wall around the nucleus, and the gaps there are bigger than them. So these are two ways viruses achieve privilege escalation to enter the nucleus.

Now I'll talk about persistence. The two main mechanisms I want to cover here are latency and something called native proteins. Latency is also similar to what we know from malware. When viruses are latent, they produce their proteins slowly or they don't produce them at all. Some viruses have a life cycle which contains a very active, virulent stage, which causes disease, and then a latent stage during which the viruses incorporate themselves into the DNA or RNA of the host, and they wait for some signal in order to let themselves back out. When they're back out, they continue the regular virulent cycle of abusing the host's machinery and then killing the host.
It's assumed that between 5% and 8% of the human genome contains viral sequences of viruses that entered the genome at some point during evolution and, due to mutations or whatever else, became inactive, and we have this residue in our DNA. The second mechanism, native proteins, basically means that the virus can either steal or borrow or encode by itself proteins which are used natively by the cell for various functions, mostly functions which mediate cell death. For example, HIV has a protein called CD59 which protects the cell from being killed by the immune system, so HIV produces this protein and puts it in the cell, and in that way HIV can survive inside the cell and continue to persist and replicate, and the cell won't be killed.

Next, I want to cover defense evasion, and this next mechanism, mutations. I think it's the main defense mechanism used by viruses, and I think it's the thing that makes them unique. It's also the most researched evasion mechanism in viruses. The thing that is unique about viruses is that their rate of mutation is very, very fast, and if they attack in large enough numbers then they always have a statistical chance of several viruses having the right mutation and being able to multiply and continue attacking the cells while evading defenses against these cells, such as the immune system. I want to cover briefly how mutation happens. So what you have is your original DNA sequence there on the top that's contained inside the virus, and when the virus enters the cell and starts to replicate, then the cell machinery has a sort of rate of error, which changes between cell types and virus types. So during replication this machinery can introduce a few... You can look at it as errors or you can look at it as changes, however you want. So this machinery introduces a few changes in the sequence, which are mutations.
As you can see, there was the original sequence and then there was a point mutation that changed the base T to C, and then some of these mutations can be successful and cause viruses to evade the immune system. However, many mutations are not successful, and viruses are like any other organism, because all organisms have some rate of mutation. If a mutation is unsuccessful, it can either be sick and not reproduce or it can just die. And in many experiments done on this, I was seeing that depending on the type of virus and depending on the experiment, the success rate of mutations in viruses is anything from 1 in 100 to 1 in a million viruses succeeding after a mutation. But because viruses have such a quick mutation rate and attack in such large numbers, it's very, very hard to protect against that.

Two other methods of defense evasion are obfuscation and packing. This is very similar, I think, to packing and obfuscation in malware, because in viruses the code is inside the virus, the RNA or DNA, and it's only exposed basically at runtime, when it's either injected into the cell or fused and then enters it. So the cell and other defense mechanisms of the body can't access this code, either to read it or to destroy it, until it enters the cell, and then it's just erased because the process is very, very quick. And also viruses have a bunch of very, very sophisticated anti-immune mechanisms which I'm just gonna talk about briefly, because they could fill a whole talk by themselves. Basically viruses can mimic, modify or repress immune messengers. The whole immune response is made up of a very long chain of reactions. So if a virus is able to modify part of that chain, then it can redirect the reaction to attack a different pathogen or to not do anything at all. And viruses can also actively repress immune system cells that attack them, cause them not to be produced, or to just sit back and not do anything.
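The central dogma from the background section and the point mutation walked through here (a copy of the DNA in which one T is replaced by a C) can be made concrete in code. The following Python is an added example, not part of the talk or of Deep Instinct's work. It assumes the standard genetic code, that the constructed 18-base toy gene is the coding strand (so transcription is simply T to U), and a constructed per-base error rate and random seed for the population simulation; none of those values come from the talk. It classifies one substitution as silent, missense, nonsense or readthrough, and then tallies, across a population of error-prone copies, how many still encode the parent protein, which is the statistical point of the talk: most random changes are neutral or destructive, and it is the number of copies that makes a rare useful change likely.

```python
import random
from collections import Counter

# Standard genetic code for mRNA codons, in the conventional UCAG order:
# codon index = 16*first + 4*second + third. '*' marks a stop codon.
BASES = "UCAG"
AMINO_ACIDS = ("FFLLSSSSYY**CC*W"
               "LLLLPPPPHHQQRRRR"
               "IIIMTTTTNNKKSSRR"
               "VVVVAAAADDEEGGGG")
CODON_TABLE = {
    a + b + c: AMINO_ACIDS[16 * i + 4 * j + k]
    for i, a in enumerate(BASES)
    for j, b in enumerate(BASES)
    for k, c in enumerate(BASES)
}

# Constructed toy gene (assumption: this is the coding strand, read 5'->3').
# ATG GCT TAT AAA GGT TGA  ->  Met Ala Tyr Lys Gly stop
TOY_GENE = "ATGGCTTATAAAGGTTGA"


def transcribe(dna: str) -> str:
    """DNA -> RNA: on the coding strand the only change is T -> U."""
    return dna.upper().replace("T", "U")


def translate(mrna: str) -> str:
    """RNA -> protein: read codons until the first stop codon."""
    protein = []
    for i in range(0, len(mrna) - len(mrna) % 3, 3):
        amino = CODON_TABLE[mrna[i:i + 3]]
        if amino == "*":
            break
        protein.append(amino)
    return "".join(protein)


def express(dna: str) -> str:
    """The central dogma end to end: DNA -> RNA -> protein."""
    return translate(transcribe(dna))


def classify_point_mutation(dna: str, pos: int, new_base: str) -> str:
    """Effect of replacing one base on the protein the gene encodes."""
    if dna[pos] == new_base:
        raise ValueError("not a mutation: base unchanged")
    mutant = dna[:pos] + new_base + dna[pos + 1:]
    before, after = express(dna), express(mutant)
    if after == before:
        return "silent"        # same protein, e.g. TAT -> TAC (both Tyr)
    if len(after) < len(before):
        return "nonsense"      # premature stop codon, truncated protein
    if len(after) > len(before):
        return "readthrough"   # the stop codon itself was destroyed
    return "missense"          # one amino acid swapped for another


def replicate_with_errors(dna: str, error_rate: float, rng: random.Random) -> str:
    """Copy a sequence, substituting each base with probability error_rate."""
    copy = []
    for base in dna:
        if rng.random() < error_rate:
            copy.append(rng.choice([b for b in "TCAG" if b != base]))
        else:
            copy.append(base)
    return "".join(copy)


def simulate_population(dna: str, size: int, error_rate: float, seed: int = 0) -> Counter:
    """Replicate `size` copies and tally how many still encode the parent protein."""
    rng = random.Random(seed)
    parent_protein = express(dna)
    outcomes = Counter()
    for _ in range(size):
        child = replicate_with_errors(dna, error_rate, rng)
        if child == dna:
            outcomes["identical"] += 1
            continue
        child_protein = express(child)
        if child_protein == parent_protein:
            outcomes["silent"] += 1
        elif len(child_protein) < len(parent_protein):
            outcomes["truncated"] += 1
        else:
            outcomes["altered"] += 1
    return outcomes


if __name__ == "__main__":
    print("protein:", express(TOY_GENE))
    # The talk's example: a single T -> C substitution, at two positions.
    print("T->C at position 8:", classify_point_mutation(TOY_GENE, 8, "C"))
    print("T->C at position 6:", classify_point_mutation(TOY_GENE, 6, "C"))
    # Constructed error rate and seed, chosen only to make the tally visible.
    print(simulate_population(TOY_GENE, size=1000, error_rate=0.05, seed=1))
```

Translation stops at the first stop codon, which is why a substitution that creates a stop codon shows up as a shorter protein (nonsense) and one that destroys the final stop codon shows up as a longer one (readthrough). The error rate of 5% per base is far above anything biological and is chosen only so that a population of a thousand copies shows every outcome; lowering it toward realistic values makes the "identical" and "silent" bins dominate, which is exactly why large population sizes matter for the argument in the talk.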
I think this is similar to some anti-AV mechanisms, but in my opinion these mechanisms are more daring, I guess, and more sophisticated, because they have a bunch of ways in which to attack the immune system and make it stop working against them.

I want to conclude by comparing a well-known malware and a well-known virus, that's HIV and Duqu 2. So HIV is an RNA virus, it's the virus that causes AIDS, and the thing that it does that harms people is that there's a gradual failure of the immune system. Duqu 2 is a sophisticated fileless malware which was uncovered in 2015 and was used to spy on many targets. So both of these, the virus and the malware, have methods of privilege escalation, persistence and defense evasion. I'll cover each one of them. For privilege escalation, both use phishing. HIV-1 enters the cell through the nuclear localization sequence I covered earlier. So it has the sequence that tells the machinery of the cell, take me into the nucleus and I'll reproduce there. And for Duqu 2, as far as I know the initial attack vector is assumed to be phishing. I'm guessing it was; I don't think it was uncovered 100%. Persistence mechanisms. So HIV-1, as I said before, attacks cells of the immune system. These cells have a particularly long lifespan, and it attacks different types of immune system cells, including memory cells. And these memory cells, since they have to remember which pathogens attacked the body, have a very, very long lifespan, so it can sit inside these cells and persist. And Duqu 2 persisted through the main servers in the network, which had a long uptime, and from there it sent its implants to all the other computers in the network, so it could stay up for a long time. And also both had a bunch of defense evasion mechanisms, which I'm not gonna cover one by one, but I'll focus on mutations. HIV-1 has a very, very high mutation rate.
Actually the mutation rate is so high that the only successful medication against HIV so far is a cocktail of several medications together, because when each one of these is used separately, the virus can mutate against it and make it ineffective. But because several different medications are used at once, and each one of them attacks a different part of the virus, the chances of the virus successfully mutating against all three and attacking them are very, very low, and thankfully it hasn't happened so far. And Duqu 2 also had a sort of mutation mechanism. It had, for each new target, a unique combination of encryption and packing which was randomly chosen, but it was limited because it was hard-coded by the attackers. So even if there were, I don't know, 30 packers and 30 encryption mechanisms, that's limited, while HIV-1 could have its mutation at random anywhere in its code. It risked not being successful, but through that it had much higher chances of success at evading the system.

Okay, to conclude. While I was preparing this talk, I found that there were many similarities between viruses and malware, and that sort of surprised me, but I think that might be due to the fact that both malware and viruses have the same specific problem. They try to infect the host and abuse it. A difference, though, between viruses and malware is that viruses have been evolving and combating their hosts for millions or even hundreds of millions of years, while malware doesn't have such a long history, so we might be able to learn from that. And I think there are many things that we can learn, but two examples that I thought of here are, first, implementing a mutation mechanism in malware that is more statistical, meaning the mutations are more random and can be anywhere in the code.
So that's something that might be learned from viruses. And the second thing is, like a virus borrows or encodes host proteins for its own functions, if malware could infect the computer and then start taking code off processes, also maybe at random, in order to see if it can succeed in any way. That's also something that might be learned from viruses. Thank you everyone for listening. I hope you find this picture funny. I did. Thanks.