Let's get started. So my name is Brad Woodberg. I'm a product manager with Emerging Threats at Proofpoint, and today we're going to be talking about command and control channels. Just a quick run-down of what we're going to be covering: a few minutes on the intro, then we're going to go heavy into some malware techniques, we're going to talk about actual malware case studies, what we're seeing, predictions and trends for the malware. I think we're actually having an issue on that; I think I have an older version of the rev on here, but we're just going to plow through it. We're going to talk about defense, and then we'll wrap this up in 45 minutes so that we can go get some beer and have some fun, right?

So why command and control? Why is this topic so interesting? Because so much of the information that we talk about and that we see in the security industry, blogs, articles, etc., focuses on vulnerabilities, exploits and the actual malware. These are all great topics, all very interesting. But one of the big challenges for anyone who's operating an IDS, actually dealing with this on the front lines, is that we know that trying to detect vulnerabilities, the whole CVE game, different types of exploits, is very noisy. It's not very high fidelity.

You oftentimes will have alerts that trigger when an asset wasn't actually breached. But when you look at command and control, that's actually the point where you can say, hey, with high confidence I know that this asset has been compromised. When you see that control channel reaching out, it's like Rasheed Wallace of my Detroit Pistons once said: the ball don't lie. When you see that command and control channel, you know that something's going on.

But probably the other thing that's really interesting about command and control is that this is actually the point where you go from being on pure defense, getting hounded all day long, attacked from every which way, to the tables being turned on the attackers. Where you had to get it right every single time and they only had to get it right once, now it's the other way around: in order for them to maintain that connection, to maintain that control over the asset, they have to be right all the time. And so that's why I think this is interesting and why we should talk about it today.

So when we look at just how this whole thing gets started, the way I see it there are really two primary ways that assets are being compromised. You have executable content: this is your traditional malware, scripts, macros embedded in Word documents and other Office file formats, etc. There's actually not an exploit happening here.

It's just, oftentimes now, social engineering: get someone to open a doc, and then there's malware that now runs on the machine. The other way is the exploit-driven approach, which is obviously ever so popular with the exploit kits, and this is where you're actually taking advantage of a vulnerability to be able to gain execution control on an endpoint. But really it doesn't matter how it happened. All that matters is that it's been compromised.

So a word on why malware even needs command and control channels, what's happening here. Oftentimes when an asset is breached, it's not under the best of scenarios. It may happen on an asset that really isn't the ultimate target, the ultimate goal; it doesn't have the information that an attacker is looking for. There might not be sufficient privileges. Especially when you're dealing with exploits, you have a very small buffer or window in which to fit the actual payload, so you have to deliver it in pieces. And oftentimes a lot of malware just doesn't ship complete, especially if you're dealing with crimeware, not so much targeted attacks. It's basically shipped bare bones and it needs to get more information before it can pull off whatever it's trying to do. So that's where command and control comes in. The command and control channel gets used for a lot of different things: for pushing the actual configuration, for escalating the breach as I mentioned, and this is where it's going to be reaching out to command and control infrastructure. Another aspect of command and control is actually exfiltration.
So getting the information, the intellectual property that's on an endpoint, on an asset, out into the attacker's hands. If we look at something like Locky, it may be going through and cataloging all the files on the endpoint, figuring out what's interesting and encrypting them. If we look at something like Zbot, this one is actually using a DNS channel for command and control. They didn't even have to use anything special or customize anything, or even go direct for that matter: with DNS you can just send a query and it's going to find its way home, essentially all the way to the server and back. So in this case it's actually exchanging commands and information for the malware to take advantage of.

So let's take a quick look at an ever-popular vector, the Angler exploit kit, may it rest in peace. I chose this because it's just so prolific. In the last few years, I even saw a bakery down the street from my house had their website popped, and it was serving up an Angler redirector. And that's really the interesting thing: it's not that the signs are always so obvious leading up to an infection. It's not like it was defaced or something like that. There was just a little iframe shoved in there, and if you weren't running some security software you would never know. But anyhow, we digress.

So looking at the Angler exploit kit, first, typically you're going to hit some sort of a redirector, in this case, as I mentioned, our poor bakery. And that is going to redirect you to a traffic distribution system. This is basically going to evaluate your endpoint. It's going to say, hey, they're running Microsoft Windows 7 and Flash this version.

Okay, we're going to custom-tailor an exploit to that endpoint, and then finally an exploit and payload will be delivered, oftentimes by different infrastructure. Now here's the really interesting thing about this: up until this point you really don't have confidence that an asset has actually been compromised, and all the while you're probably chasing down a million alerts from your IDS and all sorts of other endpoint systems, because they say, hey, we saw this Angler redirector, and blah blah blah, and there's this exploit, and check what version of Flash. But there's really no high-fidelity indication that this has actually been fully compromised until you see that command and control. And once you see that, then you know for sure that the system has been overtaken.

Now just a quick word, because a lot of times people get lateral infections confused with actual command and control. Basically, with lateral infections, typically what you're talking about is how malware is going to spread within an organization. One thing that I think is a big differentiator is that typically lateral infections will leverage native enterprise protocols to spread, not exclusively, but that's a lot of what we see. Whereas command and control may be anything from a traditional channel, like HTTP or HTTPS, to maybe a custom protocol. We'll talk about some of the different trends and things in just a little bit. But effectively, the internal lateral stuff, if we take Locky as a perfect example, and all the hospitals that made a lot of news when they got breached and all their files were encrypted and the whole place shut down and they had to pay a $17,000 ransom, which is really quite a steal in my opinion for full operations of the hospital, but

yeah, glad it wasn't more. In that case, basically it was just an endpoint that got compromised. It wasn't like the file server got breached and then actually encrypted the files. It was an endpoint that had access to the file server using SMB and encrypted the files. So you actually do see a lot of that, just leveraging the native protocols that are within the network itself. Whereas for command and control, a far more rich, exotic and interesting set of protocols is used.

Now, just before we get into the meat, I'd like to talk about how the cat and mouse game has evolved, because like many things, the attackers operate on an economic scale, right? Especially when you're talking about crimeware, they don't want to take more effort than they need to, spend more money, more time, to make their infrastructure more robust. So they're going to play along with the vendors and what's actually being effective, to the point where it's not, and then they up the game. A lot of the very early malware was just leveraging very simple high-range TCP/UDP ports that could really easily be filtered out on a router or on a firewall, easy as that. That evolved into leveraging other applications like IRC for command and control. And then of course, as some organizations started to tamp down more and more and restrict firewall access and outbound proxy access, and really the funny thing is that at the exact same time, I feel like a lot of the peer-to-peer applications, the file sharing apps, BitTorrent and so forth, kind of converged along with the malware, because they realized that, hey, these ports are
almost always open, so we can leverage them. Malware also shifted over to port 80 or 443. Then you had the NGFWs come out that could identify, hey, this isn't HTTP, this is some binary protocol that we've never seen, so we can block it. All that isn't very interesting, but what's starting to get more interesting is how a lot of the malware is leveraging different types of cloud apps, and it's actually doing steganography and encoding messages in files and in various other metadata; we'll go through some examples in a bit. And this is where I think a lot of the future is. Essentially the malware has gotten to a point where it's really getting sophisticated in command and control channels.

Now at the same time it's important to look at how command and control systems are being hosted. This isn't categorically a precise drop-off at any point in time for when things change over, but we actually do see a progression, especially with some of the more sophisticated actors and malware. At the very beginning everything was statically hosted. You had IPs that were hard-coded into malware, and the malware wasn't really changing. Today we still see IPs that are hard-coded into malware, but back then you would have these C2 hosts up for years, and it would take a long time for that to filter into various lists and so on and so forth. I think those days have evolved quite a bit. It shifted to leveraging DNS, but again, you still had a single point of failure, a name. Even though the IP could change and you could route the traffic elsewhere, you still had to cope with the fact that if that DNS name was discovered and blacklisted, it wasn't changed. And again, we're

talking over a long period of time, not like what we have today, which can be hours or days. Basically with DNS the malware could be shut down, config updates pushed, the malware could actually go out and update itself. Again, not particularly sophisticated. But where things started to really get interesting, in my mind, is around the time of the GameOver Zeus botnet, with the Zeus malware, because, while it certainly wasn't the very first, we saw organizations really had a very hard time for several years, I mean almost eight years or something, trying to control this malware, because it leveraged more advanced techniques: domain generation algorithms, peer-to-peer C2 infrastructure. So you really got rid of that centralized model, in the same way that BitTorrent and Skype and other types of peer-to-peer based networking protocols and applications work.

And perhaps the most interesting is that now we're seeing more and more of the malware starting to leverage cloud services as C2, so basically you don't even have to operate anything yourself. We're getting to the list a little bit, but you can use Twitter, you can use Amazon, you can use the comment section: the classic Cold War spy dead drop. You bring the briefcase into the park and you drop it and leave, and someone else comes and picks it up. It's kind of the same approach, and the beauty of it is it requires almost no investment. We'll save more for that in just a bit.

So one of the things that I found most interesting is steganography, and what's happening there.

We've seen hints of some of the potential in a bunch of different malware, and I think it's probably one of the most powerful ways to be able to exchange information in a covert channel. Basically this is hiding information in plain sight. It's not anything new; it's been used for centuries. If you guys have ever seen the video of, I think it was an army or naval captain, Jeremiah Denton, who was captured in Vietnam: he actually blinked in Morse code. They're doing one of those captive videos where they interview and ask all those questions, and he actually blinked "torture" in Morse code, and of course they put out the video. I'm sure that they probably knew that that type of thing was going on anyway, but it was very powerful, because obviously the Vietnamese army didn't know, and it got through. So I think a lot of similar techniques can be used in actual malware for covert channels. And when you look at it, there's actually just a wealth of potential opportunities and places that you can hide this data: everything from protocol headers, if you're talking about the network layer, to metadata in files, all different types of encodings, audio, video, etc. We'll go into some of this. It just really makes for an excellent place to hide your data and have plausible deniability. And of course you can layer other techniques on top of it, so you can leverage encryption plus steg to hide things in plain sight, if you will.

So let's take a look at a few examples. This is actually an APT malware sample that we saw, and I obviously anonymized the IP addresses, but basically what was happening here was that the infected machine that's compromised,
we think it was a Chinese APT, was sending TCP packets with no flags, which is obviously an interesting problem, zero window, and it was never establishing a session. So it was actually communicating to a C2 just by sending these packets, just by leveraging the fields and headers. And this can really be done with a number of different protocols; it's not anything that's restricted to TCP.

Another example is when it comes to images. We're seeing malware like Vawtrak and others that will actually embed configuration in an image. So in this case what I did is I used a tool called OpenPuff, and I took the DEF CON 24 logo; one logo is just the original, and the other has an encoded message. And as you can see, there's... you can't see, right? There's nothing that our eyes can distinguish. What's actually happening here is it's using the least significant bit and it's encoding the message, or the file, or anything, in that least significant bit. So the color palette is tweaked by just one tiny value in each pixel, and that's enough that another party could come across it, grab it, and extract the message out if they know what to look for. But not only to the human eye, even to other computers it would be very hard to be able to detect this type of technique.

So let's talk about another set. Besides just trying to hide what they're doing, attackers are trying to ensure that their command and control channels are not compromised, and so there's a number of different counter-offensive techniques that they're taking. One technique is actually filtering who can connect back. This is used in other cases too. It may be used not just for C2, but in the case of actual malware infections, especially targeted phishing. They want to make

sure that vendors, and also non-target assets when they're dealing with targeted attacks, aren't going to be potentially compromised, because of course they don't want vendors learning the secrets and so on and so forth. With crimeware there might be a little bit less of that; they might care less and cast a wider net over what they're trying to compromise, so you might not see that quite as much. But we do actually see a lot of filtering by IP address space, not only countries, but even down to individual organizations if they're targeting an actual organization. Another thing that can be leveraged is hidden messages in handshakes. Poison Ivy is a really interesting, long-standing piece of malware that does that. It actually encodes a handshake in the initial connection, and so even on that first data packet it'll know, hey, this is a legit system or not, so it can just filter that out if there's some other type of asset trying to reach out. And of course encryption, especially leveraging preloaded SSL certs. It's interesting.
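To make the OpenPuff least-significant-bit example above concrete, here is an added illustration of LSB embedding and extraction, with the crude statistic a defender can compute on the LSB plane. This is not OpenPuff's format and not the config encoder of Vawtrak or any other family; the cover image, message and sizes are constructed for the example, and the cover is a flat list of (r, g, b) tuples so no image library is needed.

```python
"""Least-significant-bit steganography over an RGB pixel buffer.

Added illustration; this is not OpenPuff's format, nor the config encoder of
Vawtrak or any other family. The cover image is a constructed list of (r,g,b)
tuples, so no image library is needed; real code would operate on the decoded
pixel bytes of a lossless format (PNG, BMP), since lossy recompression
destroys the low bits.
"""


def _bit_stream(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(pixels, message: bytes):
    """Return a copy of `pixels` with a 4-byte length prefix plus `message`
    written into the LSB of consecutive colour channels."""
    payload = len(message).to_bytes(4, "big") + message
    flat = [ch for px in pixels for ch in px]
    needed = len(payload) * 8
    if needed > len(flat):
        raise ValueError(f"cover holds {len(flat) // 8} bytes, payload is {len(payload)}")
    bits = _bit_stream(payload)
    for i in range(needed):
        flat[i] = (flat[i] & 0xFE) | next(bits)   # touch only the lowest bit
    return [tuple(flat[i:i + 3]) for i in range(0, len(flat), 3)]


def extract(pixels) -> bytes:
    """Read the length prefix, then that many bytes, back out of the LSBs."""
    flat = [ch for px in pixels for ch in px]

    def read_bytes(count: int, bit_offset: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (flat[bit_offset + b * 8 + k] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read_bytes(4, 0), "big")
    return read_bytes(length, 32)


def max_channel_delta(a, b) -> int:
    """Largest per-channel change between two images (LSB embedding gives <= 1)."""
    return max(abs(x - y) for pa, pb in zip(a, b) for x, y in zip(pa, pb))


def lsb_ones_ratio(pixels, channels=None) -> float:
    """Fraction of channel LSBs set to 1, optionally over the first `channels` only.
    A crude steganalysis statistic: embedded data pushes this toward ~0.5."""
    flat = [ch for px in pixels for ch in px]
    if channels:
        flat = flat[:channels]
    return sum(ch & 1 for ch in flat) / len(flat)


def make_cover(width: int = 32, height: int = 32):
    """Constructed cover: a smooth gradient whose channel values are all even,
    so its LSB plane is entirely zero (unlike a real photo, which has noise)."""
    return [((x * 7) % 128 * 2, (y * 5) % 128 * 2, ((x + y) * 3) % 128 * 2)
            for y in range(height) for x in range(width)]


def demo(message: bytes = b"C2: beacon every 300s"):
    cover = make_cover()
    stego = embed(cover, message)
    bits_used = (len(message) + 4) * 8
    return {
        "recovered": extract(stego),
        "max_delta": max_channel_delta(cover, stego),
        "cover_lsb_ratio": lsb_ones_ratio(cover),
        "stego_lsb_ratio": lsb_ones_ratio(stego, bits_used),
    }


if __name__ == "__main__":
    print(demo())
```

The LSB ratio only exposes the embedding here because the constructed cover has an all-zero LSB plane; on a real photograph the sensor noise already sits near 0.5, which is exactly why the talk says other computers have a hard time spotting this, and why detection usually has to lean on where the image came from and who fetched it rather than on the pixels.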
We'll talk about Let's Encrypt because it has some implications here. But essentially, if you just preload a trusted SSL relationship, the public key or symmetric key, into the actual malware, it can make a connection out immediately. And so they can basically ensure that only malware that is the actual target malware can reach out, or at least until that certificate has been compromised, and so other types of SSL snooping tools that are trying to grab information wouldn't be able to have success there.

Just anecdotally, in terms of some of the things that we're seeing, there's actually been a pretty strong push to a lot of anti-sandboxing techniques by the attackers. I won't get into a lot of specifics, but we're seeing that it's getting harder and harder. There are open-source tools like Cuckoo and other rigs, and the attackers are definitely trying to get wise to them, to prevent sandboxing analysis in a major way. This is not a new thing, but we're seeing the stakes ramping up on malware that's trying to fly below the radar. So it's not just from a C2 perspective; there's a lot of things, all the way from the exploit to the command and control, where this type of thing is happening.

Just a word: there's obviously different types of families, right? Crimeware is just going to be casting a huge wide net. Typically these are pretty chatty, but we will see that they'll go to a little bit greater lengths in a lot of cases to avoid detection. A lot of the targeted attacks,
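The three gatekeeping ideas just described (filter who can connect back by address space, a handshake on the first data packet, a preloaded key) fit together into one pattern. The following is an added illustration of that pattern, not Poison Ivy's actual wire protocol and not any family's code: a source-network allowlist followed by a keyed challenge-response, with a constructed shared secret and RFC 5737 documentation addresses, passed between in-process objects instead of sockets.

```python
"""Gatekeeping a C2 listener: a source-network allowlist followed by a keyed
challenge-response, so a scanner, sandbox or researcher outside the target
never reaches the command protocol.

Added illustration of the pattern the talk describes; it is not Poison Ivy's
wire protocol and not any family's real code. The shared secret, the allowed
network and the addresses (RFC 5737 documentation ranges) are constructed.
Messages are passed as bytes between in-process objects, so no sockets.
"""
import hashlib
import hmac
import ipaddress
import secrets

HELLO_LABEL = b"c2-hello|"   # domain-separates the handshake MAC from later messages


class C2Server:
    def __init__(self, shared_secret: bytes, allowed_nets):
        self.secret = shared_secret
        self.nets = [ipaddress.ip_network(n) for n in allowed_nets]
        self.pending = {}     # src_ip -> outstanding nonce

    def accept(self, src_ip: str):
        """Stage 1: drop anything outside the target address space before
        spending a challenge on it (the 'filter who can connect back' step)."""
        addr = ipaddress.ip_address(src_ip)
        if not any(addr in net for net in self.nets):
            return None
        nonce = secrets.token_bytes(16)
        self.pending[src_ip] = nonce
        return nonce

    def verify(self, src_ip: str, response: bytes) -> bool:
        """Stage 2: the first data packet must carry HMAC(secret, nonce).
        The nonce is single-use, so a captured response cannot be replayed."""
        nonce = self.pending.pop(src_ip, None)
        if nonce is None:
            return False
        expected = hmac.new(self.secret, HELLO_LABEL + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Implant:
    """The real implant carries the same preloaded secret and can answer."""
    def __init__(self, shared_secret: bytes):
        self.secret = shared_secret

    def answer(self, nonce: bytes) -> bytes:
        return hmac.new(self.secret, HELLO_LABEL + nonce, hashlib.sha256).digest()


def run_handshake(server: C2Server, src_ip: str, responder) -> str:
    """Drive one connection attempt; `responder` maps nonce -> response bytes."""
    nonce = server.accept(src_ip)
    if nonce is None:
        return "dropped-by-allowlist"
    if server.verify(src_ip, responder(nonce)):
        return "accepted"
    return "rejected-bad-handshake"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    server = C2Server(secret, ["203.0.113.0/24"])
    implant = Implant(secret)
    researcher = Implant(b"guessed-wrong")
    print(run_handshake(server, "203.0.113.7", implant.answer))      # accepted
    print(run_handshake(server, "198.51.100.9", implant.answer))     # dropped-by-allowlist
    print(run_handshake(server, "203.0.113.8", researcher.answer))   # rejected-bad-handshake
```

The practical consequence for the defender is the one the talk draws: a sandbox sitting outside the victim's address space gets no challenge at all and sees an implant that appears to do nothing, so detections that wait for the server's reply are unreliable, whereas the outbound connection attempt itself is still visible on the wire.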
I mean, you'd be surprised: a lot of them are still just leveraging off-the-shelf remote access tools and other commercial tools. They are targeted in that the actual actor is targeting a particular party, a particular organization, but they're not terribly sophisticated. All the way up to the targeted espionage, where the sky's the limit, right? In some cases they may lack C2 altogether, but if you think about the Stuxnets and the Flames and the Duqus and others, there can be some pretty sophisticated command and control that can happen, and even insider threats, to basically make those work.

So now we've covered and talked a little bit about some evolution things that we've seen historically over time, and we talked about some of the different components of malware. Let's actually dive into a bunch of different case studies and look at how different pieces of malware are communicating with command and control. So Gh0st RAT is probably one of the most simple examples, and again, this is out there. There still is a lot of Gh0st RAT that we see infections of, because it's just such a prevalent tool that anyone can use. At least the commodity versions, and obviously anyone can modify any of these things, are actually going to have a string in the actual payload. So it's really easy for, say, an IDS to be able to identify it, because it's just there.

It's not really so obfuscated. It's like if you look at the evolution of BitTorrent: it started out just running on random ports, and then they switched to port 80, but then, not exclusively, they would say "BitTorrent" in the actual protocol, and then they got to the point where they're using very advanced, forget the name, Kademlia distributed hash table functions, to ensure that there wasn't such an easy way to match specific bits, because everything was being dynamically generated on the fly.

So Poison Ivy we talked about a little bit earlier, where basically this is leveraging a handshake. It's trying to identify who's connecting to me: is it a target asset, or could it potentially be a researcher? There'll be some sort of malware delivered, it'll have a password in it, and that is used in the challenge authentication, so that even if you have different strains of Poison Ivy, an individual actor can differentiate and make sure that only the correct target is talking to them. Again, that can be important, because if you just allow anything wide open, it means that the viability of this malware, of this actual compromise, is not going to be as long-lived, because it'll be too easy to identify, too easy to take down.

NanoLocker, this one came out last year, is really interesting: a JavaScript ransomware. Ransomware has just been absolutely blowing up. But one of the things that I found really interesting is, again, not necessarily leveraging an HTTP or TCP-based protocol, but actually leveraging the network itself and some of the traditional tools within a network. In this case it was actually encoding the Bitcoin

address in ICMP. So basically, just send a packet, get it back, and you know exactly what to do for basically extorting the victim. And again, the network protocol layers, especially a lot of the legacy protocols, have a lot of great hiding spots. I mean, if you look at the difference between IPv4 and IPv6, IPv6 has all the next headers, and there could be some interesting things that you could do there. But there's a lot of space where, at the time, in the days of yore, they didn't know precisely that this whole internet thing was going to blow up, so they put lots of padding in other potential areas where you could hide things. And as prevalent as these protocols still are today, it makes a really great channel for attackers.

So GameOver Zeus, we talked about this a little bit earlier, where basically they want to avoid having that fixed-string, centralized model, and to make it hard for IDSes to identify. So actually what they do is a combination of techniques, but basically they will XOR information in the packet payloads so it's always changing, and it's very difficult to leverage signature-based technologies with traditional IDSes to be able to identify this malware, because basically it is always changing. Now that doesn't mean there aren't other ways to do it, but your traditional tools of the trade, if you will, need not apply.

Now Dridex, obviously, took the whole enterprise sector by storm for quite a long time, and who would have thought that in 2015 through 2016 macro-based malware would be so pervasive and successful? But the fact of the matter is that it is, and it was, and even to this

day there still is a great deal of malware that's leveraging these age-old techniques from the days of Windows 95 or whatever. Particularly interesting is one shift that we've seen: it's getting harder and harder to attack the machine, because of different types of security protections that are built in, and so attackers are saying, forget about that, we're just going to tackle the human. And so I think Dridex is a great example of that, where someone will get a document delivered. One really cool example that I loved was that the document would actually be blurred, so it'd be an invoice doc, and it'd be blurred, but there'd be a message that says, click Enable Content so that the message will be visible, this payload may be corrupted, if you click Enable Content it'll be visible. And that's exactly what it did.
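Two of the case studies above live in the network layer rather than in an application protocol: the flag-less, zero-window TCP segments of the APT sample, and NanoLocker carrying a Bitcoin address in ICMP. The following added illustration (not the code of either sample, nor of any other family) builds both kinds of packet in memory, decodes the TCP one back, and shows the header and payload checks a sensor can run against each. The message, the "stock ping" payloads and the address-like string are all constructed; the latter is not a real Bitcoin address.

```python
"""Covert data in packet headers (TCP) and in echo payloads (ICMP), plus the
checks a sensor can run against both.

Added illustration; not the code of the APT sample, NanoLocker or any other
family. Packets are built in memory with struct and never sent; the constructed
Bitcoin-address-like string is not a real address.
"""
import re
import struct

TCP_FMT = "!HHIIBBHHH"      # sport, dport, seq, ack, offset, flags, window, csum, urg
ICMP_FMT = "!BBHHH"         # type, code, csum, id, seq
FLAG_RST = 0x04
BTC_ADDR_RE = re.compile(rb"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")   # P2PKH/P2SH base58 shape


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a packet with a correct checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


# --- TCP: four message bytes per packet, carried in the sequence number ---------
def tcp_covert_packets(message: bytes, sport=40000, dport=443):
    """Flag-less, zero-window segments: a session is never established, the
    data rides in `seq`. (Checksum left 0; a real sender fills it in.)"""
    pkts = []
    for i in range(0, len(message), 4):
        seq = int.from_bytes(message[i:i + 4].ljust(4, b"\x00"), "big")
        pkts.append(struct.pack(TCP_FMT, sport, dport, seq, 0, 5 << 4, 0, 0, 0, 0))
    return pkts


def tcp_covert_decode(pkts) -> bytes:
    # trailing NULs are padding from the last chunk (so the channel cannot end in NUL)
    return b"".join(struct.unpack(TCP_FMT, p[:20])[2].to_bytes(4, "big") for p in pkts).rstrip(b"\x00")


def inspect_tcp(pkt: bytes):
    """Header sanity checks: a segment with no flags at all is never legitimate,
    and a zero window outside RST is rare enough to be worth a look."""
    _, _, _, _, _, flags, window, _, _ = struct.unpack(TCP_FMT, pkt[:20])
    findings = []
    if flags == 0:
        findings.append("no-flags")
    if window == 0 and not flags & FLAG_RST:
        findings.append("zero-window")
    return findings


# --- ICMP: arbitrary bytes in an echo request payload --------------------------
def icmp_echo(payload: bytes, ident=0x1234, seq=1) -> bytes:
    hdr = struct.pack(ICMP_FMT, 8, 0, 0, ident, seq)
    return struct.pack(ICMP_FMT, 8, 0, inet_checksum(hdr + payload), ident, seq) + payload


def looks_like_stock_ping(payload: bytes) -> bool:
    """iputils ping: 8-byte timestamp then 0x10,0x11,...; Windows ping: 'abcdefgh...'."""
    linux = len(payload) >= 16 and payload[8:] == bytes(0x10 + k for k in range(len(payload) - 8))
    windows = len(payload) == 32 and payload == (b"abcdefghijklmnopqrstuvw" * 2)[:32]
    return linux or windows


def inspect_icmp(pkt: bytes):
    typ, _, _, _, _ = struct.unpack(ICMP_FMT, pkt[:8])
    payload = pkt[8:]
    findings = []
    if inet_checksum(pkt) != 0:
        findings.append("bad-checksum")
    if typ == 8 and not looks_like_stock_ping(payload):
        findings.append("nonstandard-echo-payload")
    if BTC_ADDR_RE.search(payload):
        findings.append("bitcoin-address-like")
    return findings


def demo():
    msg = b"exec:ipconfig /all"
    covert = tcp_covert_packets(msg)
    syn = struct.pack(TCP_FMT, 51000, 443, 0x1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    stock = icmp_echo(b"\x00" * 8 + bytes(0x10 + k for k in range(48)))
    # constructed, not a real address; has the base58 shape a ransom note would carry
    ransom = icmp_echo(b"1C2DemoAddrNoRea1Fundsxxxxxxxxxxxx")
    return {
        "decoded": tcp_covert_decode(covert),
        "covert_tcp": inspect_tcp(covert[0]),
        "syn": inspect_tcp(syn),
        "stock_ping": inspect_icmp(stock),
        "ransom_ping": inspect_icmp(ransom),
    }


if __name__ == "__main__":
    print(demo())
```

The TCP check is high fidelity because a segment with no flags set cannot come from any conforming stack; the ICMP checks are heuristics, and an operator who pads the payload to look like a stock ping or XORs the address (as GameOver Zeus does to its payloads) would slip past the payload-shape test, which is the talk's point about signature-style tools.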
It'd be nice to the user; it also reached out, grabbed a payload, and popped the machine. And traditional AV couldn't keep up with that, because they would send a new hash of those documents; they would send millions and millions, hundreds of millions even on some days. And so it was tremendously successful, even to this day. And obviously there's a lot of different flavors, if you will, of the different malware, because they may be done by different actors. But in this one, they're actually again leveraging the blind drop, the dead drop, just like I talked about with Twitter and Amazon: they're using Microsoft comments to be able to essentially deliver command and control information that can be exchanged between the endpoint and the actual server in a covert fashion.

Now Tor. Obviously Tor is near and dear, and it has some very important real-world applications, especially in certain countries and regimes and for journalists, so I'm certainly not trying to knock on Tor. But for the same reasons why it's great for the aforementioned use cases, it's actually becoming quite a problem for a lot of the research community, because it doesn't even really require any type of client. You can literally use Tor2web and do this whole thing clientless. So whether it's Vawtrak or others, there's a whole number; we'll look at some trends that I've seen in a minute. Tor really is a great way to essentially bridge that gap between the endpoint and the command and control channel. You don't have to worry about anything once you establish that tunnel.
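The dead-drop mechanism described above (an operator posts to a public comment thread, the implant fetches the page and pulls the command out) is simple enough to show end to end. What follows is an added illustration of that pattern, not the Dridex or TechNet-comment implementation and not tied to any real site: the page is constructed HTML, the markers and key are invented, and the HTTP fetch is replaced by a function that returns that string. It also shows the one check a site owner can run without knowing the implant's key.

```python
"""Dead-drop C2 over a public comment thread.

Added illustration of the pattern (an operator posts a tagged comment, the
implant fetches the public page and pulls the command out). It is not the
Dridex or TechNet-comment implementation and uses no real site: the page
below is constructed HTML, the markers and key are invented, and fetching is
simulated by a function that returns that string.
"""
import base64
import hashlib
import hmac
import re

SHARED_KEY = b"constructed-operator-key"   # assumed to be baked into the implant
MARK_OPEN, MARK_CLOSE = "@MSID", "@END"   # invented delimiters, not a real family's
TAG_LEN = 8

_DROP_RE = re.compile(re.escape(MARK_OPEN) + r"([A-Za-z0-9+/=]+)" + re.escape(MARK_CLOSE))


def operator_post(command: bytes) -> str:
    """What the operator would paste into a comment: an innocuous sentence with
    base64(command || truncated HMAC) between the markers."""
    tag = hmac.new(SHARED_KEY, command, hashlib.sha256).digest()[:TAG_LEN]
    blob = base64.b64encode(command + tag).decode()
    return f"Thanks, that fixed my issue. {MARK_OPEN}{blob}{MARK_CLOSE} Cheers!"


def implant_extract(page_html: str):
    """Implant side: scan the page for marked blobs and return the first whose
    tag verifies. The tag stops a researcher who learns the markers from
    feeding the implant commands of their own."""
    for match in _DROP_RE.finditer(page_html):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:
            continue
        if len(raw) <= TAG_LEN:
            continue
        command, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(SHARED_KEY, command, hashlib.sha256).digest()[:TAG_LEN]
        if hmac.compare_digest(expected, tag):
            return command
    return None


def flag_suspect_comments(page_html: str, min_len: int = 24):
    """Defender side (site owner or proxy): comments carrying a long base64 run
    glued to an odd @TOKEN, found without knowing the implant's key."""
    comments = re.findall(r'<div class="comment">(.*?)</div>', page_html, re.S)
    return [c.strip() for c in comments
            if re.search(r"@[A-Z]{3,}[A-Za-z0-9+/=]{%d,}" % min_len, c)]


def fetch_constructed_page() -> str:
    """Stands in for an HTTP GET of the public thread; constructed content,
    including a forged drop with a bad tag that the implant must ignore."""
    forged_blob = base64.b64encode(b"rm -rf /" + b"\x00" * TAG_LEN).decode()
    return f"""
<div class="comment">Has anyone else seen this error after the update?</div>
<div class="comment">Try clearing the cache. {MARK_OPEN}{forged_blob}{MARK_CLOSE}</div>
<div class="comment">{operator_post(b"sleep:3600;beacon:203.0.113.10:443")}</div>
"""


def demo():
    page = fetch_constructed_page()
    return {"command": implant_extract(page), "flagged": flag_suspect_comments(page)}


if __name__ == "__main__":
    print(demo())
```

Note that the defender's regex catches the forged comment as well as the real one: the site owner cannot tell which drop is live, but does not need to, since any such comment is worth removing, and the fetch pattern (many unrelated hosts polling one obscure thread) is the stronger signal the talk points at.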
Oh yeah, so basically a quick animation here, just showing the initial compromise where the payload is delivered and exchanged. The endpoint is probing for Tor information, Tor nodes, doing DNS resolution, and then finally it's making its connection to Tor2web, and so it can exchange this information covertly.

Now Arid Viper. This was one we did some research on at Proofpoint. This is obviously a targeted APT attack against parties in the Middle East, we'll say Israeli, and basically it was just leveraging simple HTTP. So even though this is a sophisticated targeted attack, you can see that sometimes it's easier to blend in and remain obscured, if you will, than to go completely out of your way to be able to evade detection.

So now we've talked about a few different types of malware; let's look at some trends. One of the first ones that's really interesting is SSL. Again, just like Tor, SSL is a critical, fundamental component of our lives, and justly so. We basically went in the last couple of years from about 30% of internet traffic to right around 70% today leveraging SSL. And so what does that mean when it comes to encryption, or sorry, to command and control?

In and of itself it didn't mean that much. But one thing that was a huge game changer is Let's Encrypt. Again, an excellent project, basically allowing anyone to get SSL certificates without having the security poverty line: the browsers would trust it, and so on and so forth, so you could secure your applications. But now the attackers are leveraging that too, because they say, hey, I can now, in an automated fashion, get legit SSL certs that the client is going to trust, for free, and I can just burn them, just like a domain name, and rifle through them. So while I don't think this will have much of an impact on state-sponsored malware, I think that, especially for crimeware, it's like, why wouldn't you throw it in an encrypted tunnel and just make it that much harder for organizations to find this information?

Now IPv6 is really interesting, because we don't see quite as much of it as one would expect. And even in the case of malware today, it's not as prevalent as we probably would have predicted five years ago, even with all the IPv4 net blocks being exhausted. But it actually represents a pretty big challenge for us in the security community. You can get your own /48 from Hurricane Electric, which is 65,000 net blocks, each with I don't even know what that number is, trillions or whatever, of hosts, for yourself, right? And so some of the traditional things that we could do, where we could say, hey, we can blacklist individual IPs or even pseudo net blocks: how do you do that

when anyone can get access to such a massive number of IP addresses? I definitely think that sooner or later IPv6 is going to start to make a big splash. It's just once we hit that tipping point of availability to endpoints, and I think we're starting to get there very soon. And the other interesting thing about IPv6 is a lot of security technology actually still doesn't support it, surprisingly enough. Or it does, but you're running an ancient version of whatever firmware from a vendor, and it doesn't support it. And one of the interesting things with IPv6 is all the different tunneling capabilities. Even today you can do IPv6 over IPv4 tunneling in a number of different protocols; IP protocol 41 is a good example of that, but you can do it over GRE and so on and so forth. And because you can take that approach, if security technology can't strip off those layers, can't recognize it, then it's a perfect path, right? Because it can just send it right on through, where it may detect it in an unencapsulated format; it'll totally be blind to it.
Totally miss it when it comes to just you know slapping a header on Tor as I mentioned so this is from you know, some of the internal Data I have access to but we've definitely seen an increase of the malware samples of Tor over time You know, it's a little bit lumpy in some cases But it certainly isn't going down and you know, I think it's just kind of a matter of time You know on the threat landscape if you know people You know don't start blocking other mechanisms, but they don't really do anything to address Tor then you know more and more authors We'll just we'll just go with that Now leveraging, you know actual cloud apps for command and control You know again, this is this is so attractive and here's the thing You know, I talked about some of the names that you would know right, you know the Twitter's the Amazon the Microsoft You know how they're using like tech not or something to Encode messages, but really I'm actually a lot less worried about the the name brand cloud apps Then I am you know other types of systems, you know, just like how my bakery got, you know popped with with angler You know, there's so many, you know, mom-pop shops or other organizations Other applications that are out there that won't have you know, such a sophisticated team with you know, incredible research staff That'll be able to you know, basically identify that hey something is going on here because now there's all these thousands of hosts That are connecting and you know, there's some shenanigans afoot, right? You know, they might notice eventually when everything totally crashes, but it might take a long time before they get to that point And and again, it's it's so it's just it's such an attractive target because again You don't have to host anything you give up a little bit of control, but you know if you can do it, right? 
it's kind of prime for the picking. And along those lines, there are so many different ways that you could leverage a cloud app to hide that information, whether it's an application like Dropbox where you can upload files, or, well, not Snapchat, but Instagram, where you can upload an image and have the information literally encoded in that image and have people grabbing it, and all of a sudden you're trending on Instagram or whatever. But it's really because all this malware is phoning home and it's grabbing, it's getting this information; it really creates an infinite set of possibilities. So I expect in future years, and really all the steg we could dedicate a whole talk to, maybe that'll be something I'll cover in a future talk, but in my view, as soon as the cat-and-mouse game catches up, the arms race, and attackers say, okay, some of these traditional methods aren't working, I think you'll definitely see more and more that would take advantage of such a prime target.

Another thing is layered evasion. So we see this with, I would say, more like the APT-style actors, because rather than being crimeware and massively triggering a lot of activity, if you're just doing some IP fragmentation, with TCP segment evasion on top of that, maybe you throw SSL above that, HTTP, there's obviously a lot that you can do within the HTTP protocol to hide information, and of course, as I've gone on at some length, there's a lot that you can do in the actual embedded content itself. Starting to leverage these techniques in concert, right, because really it's a way that you can catch some security vendors off guard that, even in 2016, might be blind to either the individual mechanisms or some combination of the mechanisms. It's definitely a real concern, and again, then you can keep on looping all these evasions, then you tunnel all the traffic. It's kind of up to the mind's eye, in terms of imagination, how sophisticated the evasions could get.

And as I've been saying a whole bunch, steganography, the possibilities there are so limitless. So I would definitely expect to see more and more actors. And I guess the really scary thing about steg is that when done right, it's so incredibly difficult to identify, as we saw earlier with the mirrored images, right? So what concerns me is more the unknown-unknown aspect of attackers that could leverage this type of technique. Because unlike some of the traditional mechanisms that we can use to identify individual patterns, identifying steganography is incredibly difficult in a lot of cases, both for a human and even for a machine. So how do you do that, when the amount of bandwidth we're sending is ever increasing? It's getting more and more expensive to cope with that. How do you even identify when this type of technique is being used? It's a very good problem.

So we've talked a little bit about the different trends and predictions. Let's talk about defense, right?
What are some of the things that you can do, take away from the talk, to basically defend your network, your assets, your infrastructure? And so, starting with the really obvious, but shockingly it's still, even in 2016, not that highly used. So basically I took a ton of malware samples, millions of malware samples that we had, and looked specifically at the command and control ports, what ports they're using, and about 17% of the malware was using high-range TCP ports for command and control. So I'm not even talking about other aspects of the malware; I'm talking specifically about the command and control. And they do that because of course most people leave those wide open, and that's kind of a bad idea. I totally get why, and it can be an administrative nightmare, but you can eliminate a lot of low-hanging fruit when it comes to command and control, and basically, with a lot of these pieces of malware, you might be able to totally break it if it can't phone home, right? If it can't get that extra payload, if it can't share that encryption key or whatever, you can prevent this attack from being successful with the click of a mouse.

Another big thing is making sure that you don't have applications that you wouldn't expect or wouldn't desire on your network running on your network. So if you're an enterprise and there's no real reason for you to be running Tor, you probably shouldn't allow Tor out, because the malware will definitely take advantage of that. Even unknown binary, I should say, streams: basically, some malware on occasion will just run some sort of odd encrypted protocol. If you can do deep packet inspection and do basically encryption entropy, which is something that a lot of modern IDSes do, and NGFWs, you can identify potentially unknown types of malware just because, again, it's not matching a traditional protocol. It's actually not leveraging steganography; it's kind of standing out like a sore thumb.

The next thing is fingerprinting known malware, and I'll definitely give a shout-out and plug to ET Open, which is free to anyone. We maintain it, we curate it, but it's free to anyone in the community. And that's something that we focus heavily on, because rather than just trying to only fingerprint all the CVEs and play the whole CVE game with 15-year-old German help desk software or whatever, we focus on, hey, we see this malware in the wild right now and we're going to specifically identify it, and so if you see this trigger, you really know that this is bad. And again, a lot of people talk about the security poverty line, and that's true to some extent, but there are a lot of great open-source tools that you don't have to break an arm and a leg to get your hands on, and this is a great example, because by fingerprinting the known malware you can have a very good signal-to-noise ratio and basically identify the known bad.

Now SSL, again, is kind of a mixed blessing, right? Because there are just a lot of blind spots nowadays, especially if you're off of an SSL tap. And so there are a few different things that you can do when it comes to SSL. There are a lot of new systems that are supporting SSL man-in-the-middle. Again, there's controversy there; you can't always use it, for good reason, but if your situation dictates and you can break it open for some traffic, for instance let's say any SSL site that's new, that isn't categorized by, let's say, a web filter or something like that, you could break it open and inspect it.
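The two defensive checks just described, closing high-range TCP ports on egress and flagging traffic that is encrypted but matches no protocol you expect, as an added worked example in Python. This is not code from the talk or from Proofpoint: the port threshold, the allowed-egress-port set, the entropy cutoff and every flow in it are constructed assumptions for illustration, not captured traffic.

```python
"""Entropy and egress-port triage of constructed outbound flows.

Added example, not from the talk: it flags (1) outbound connections to
high-range TCP ports that a tighter egress policy would close and (2) payloads
that are high-entropy but do not look like a protocol we expect, the "odd
encrypted protocol" that stands out when it matches nothing known.
Thresholds, the allowed-port set and every flow below are constructed
assumptions for illustration."""
import math
import random
import string
from dataclasses import dataclass

HIGH_PORT_THRESHOLD = 1024            # assumption: ports above this count as "high-range"
ENTROPY_ENCRYPTED = 7.0               # assumption: bits/byte above which data looks encrypted or compressed
ALLOWED_EGRESS_PORTS = {53, 80, 443}  # assumption: a tight enterprise egress policy


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_like_tls(data: bytes) -> bool:
    """True if the payload starts with a TLS handshake record header (type 0x16, version 3.x)."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; near 1.0 for text protocols like HTTP."""
    if not data:
        return 0.0
    printable = set(string.printable.encode())
    return sum(1 for b in data if b in printable) / len(data)


def classify_payload(data: bytes) -> str:
    """Cheap protocol guess: 'tls', 'plaintext', 'unknown-encrypted' or 'binary'."""
    if looks_like_tls(data):
        return "tls"
    if printable_ratio(data) > 0.9:
        return "plaintext"
    if shannon_entropy(data) > ENTROPY_ENCRYPTED:
        return "unknown-encrypted"
    return "binary"


def triage(flow: Flow) -> list[str]:
    """Reasons this flow deserves a look; an empty list means nothing notable."""
    reasons = []
    if flow.dport not in ALLOWED_EGRESS_PORTS and flow.dport > HIGH_PORT_THRESHOLD:
        reasons.append(f"outbound to high-range TCP port {flow.dport}")
    kind = classify_payload(flow.payload)
    if kind == "unknown-encrypted":
        reasons.append("high-entropy payload that is not TLS")
    elif kind == "tls" and flow.dport != 443:
        reasons.append(f"TLS on non-standard port {flow.dport}")
    return reasons


def constructed_flows() -> list[Flow]:
    """Constructed sample traffic (not captures); seeded so the random blob is reproducible."""
    rng = random.Random(1234)
    http = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: curl/7.0\r\n\r\n"
    tls_hello = bytes([0x16, 0x03, 0x01, 0x00, 0x2F]) + bytes(rng.getrandbits(8) for _ in range(47))
    blob = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for an unknown encrypted protocol
    return [
        Flow("10.0.0.5", "203.0.113.10", 80, http),
        Flow("10.0.0.5", "203.0.113.20", 443, tls_hello),
        Flow("10.0.0.7", "198.51.100.9", 31337, blob),
        Flow("10.0.0.7", "198.51.100.9", 8443, tls_hello),
    ]


if __name__ == "__main__":
    for f in constructed_flows():
        verdict = "; ".join(triage(f)) or "ok"
        print(f"{f.src} -> {f.dst}:{f.dport}  {verdict}")
```

The entropy test on its own is noisy (compressed downloads and legitimate TLS are also high-entropy), which is why the classifier first rules out payloads that carry a TLS record header or look like a text protocol; what remains is the "matches no traditional protocol" case the talk describes, and pairing it with the egress-port policy is what keeps the signal usable.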
You'd be able to identify potential command and control infections and so on and so forth within the SSL stream. But the good news is actually you don't have to do that in all cases, and again, ET Open, abuse.ch is another great source; they have not only signatures but publish certificate blacklists. So just by viewing what is a known-bad certificate, you never have to crack open the stream. You can just fingerprint it and say, okay, this machine is popped because it's reaching back using a, let's say, Dridex known-bad SSL, so going to a known-bad site. So it doesn't require you to actually crack open the stream to figure that out.

Heuristic and anomaly detection: normally these things drive us all crazy because they're so chatty and kind of unreliable, but as you probably saw in a bunch of the samples, especially on some of the targeted attacks, when leveraged in the right context they can really light up like a Christmas tree, because you will find some of the different types of techniques in these layered evasion techniques. It's a great way to defeat it; again, it doesn't require a commercial solution. There's tons of off-the-shelf stuff that you can do and leverage to detect these types of techniques.

And really, at the end of the day, it's just giving a shit, right? A lot of people just don't, right? I was told there are kind of three types of organizations, right? You have the compliant, you have the security conscious, and you have the security sensitive. So the compliant is just like, I don't care, I just need to buy this so I can check off this PCI checklist, and just tell me how much it is and go away.
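The "fingerprint the certificate, never crack open the stream" approach from the SSL section above, as an added worked example in Python. It is not code from the talk, from Proofpoint or from abuse.ch: the blacklist is a constructed sample in the column layout abuse.ch's SSLBL publishes (listing date, SHA1, listing reason), the certificate bytes are constructed stand-ins rather than real DER, and the "Dridex C&C" reason string and all addresses are illustrative.

```python
"""Certificate-fingerprint check against a constructed SSLBL-style blacklist.

Added example, not from the talk or from abuse.ch: it hashes the DER
certificate a server presents during the TLS handshake and looks the SHA1 up
in a blacklist, so a known-bad certificate is spotted without decrypting the
stream. The CSV is a constructed sample in SSLBL's column layout (listing
date, SHA1, listing reason); the certificate bytes are constructed stand-ins,
not real DER, and the 'Dridex C&C' reason string is illustrative."""
import csv
import hashlib
import io
from typing import Optional

# Constructed stand-ins for DER-encoded server certificates. Real ones come from the
# Certificate message of the handshake, which is sent in the clear in TLS 1.2 and earlier.
BAD_CERT_DER = b"\x30\x82\x01\x00constructed-bad-cert-for-c2-demo"
GOOD_CERT_DER = b"\x30\x82\x01\x00constructed-legit-cert"


def cert_fingerprint(der: bytes) -> str:
    """SHA1 of the DER bytes, upper-case hex, the form SSLBL uses to identify a certificate."""
    return hashlib.sha1(der).hexdigest().upper()


# Constructed blacklist; the first row is derived from BAD_CERT_DER so the lookup below hits.
CONSTRUCTED_BLACKLIST_CSV = (
    "# Listingdate,SHA1,Listingreason  (constructed sample, SSLBL-style columns)\n"
    f"2016-08-01 10:00:00,{cert_fingerprint(BAD_CERT_DER)},Dridex C&C\n"
    "2016-07-15 09:30:00,0000000000000000000000000000000000000000,placeholder entry\n"
)


def load_blacklist(text: str) -> dict[str, tuple[str, str]]:
    """Parse 'date,sha1,reason' rows, skipping '#' comments; returns {SHA1: (date, reason)}."""
    rows = (line for line in io.StringIO(text) if line.strip() and not line.startswith("#"))
    entries: dict[str, tuple[str, str]] = {}
    for date, sha1, reason in csv.reader(rows):
        entries[sha1.strip().upper()] = (date.strip(), reason.strip())
    return entries


def check_server_cert(der: bytes, blacklist: dict[str, tuple[str, str]]) -> Optional[str]:
    """Alert text if the presented certificate is blacklisted, else None."""
    fp = cert_fingerprint(der)
    hit = blacklist.get(fp)
    if hit is None:
        return None
    listed, reason = hit
    return f"known-bad certificate {fp} (listed {listed}: {reason})"


def scan_handshakes(observations, blacklist) -> list[str]:
    """observations: (client, server, der) triples seen by a TLS-aware sensor; returns alerts."""
    alerts = []
    for client, server, der in observations:
        hit = check_server_cert(der, blacklist)
        if hit:
            alerts.append(f"{client} -> {server}: {hit}")
    return alerts


# Constructed handshake observations, not real traffic.
CONSTRUCTED_OBSERVATIONS = [
    ("10.0.0.5", "203.0.113.20:443", GOOD_CERT_DER),
    ("10.0.0.7", "198.51.100.9:443", BAD_CERT_DER),
]

if __name__ == "__main__":
    bl = load_blacklist(CONSTRUCTED_BLACKLIST_CSV)
    for alert in scan_handshakes(CONSTRUCTED_OBSERVATIONS, bl):
        print(alert)
```

The check only needs the certificate bytes, which a passive sensor sees in the clear in a TLS 1.2 handshake, so it works on an SSL tap without any man-in-the-middle; an IDS rule that matches on the certificate fingerprint does the same thing inline.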
You have the security conscious, who are like, hey, we want to do the right thing, we don't have a whole team of experts, and they're definitely a perfect audience for this, because again, even without having to spend an arm and a leg, you can get solutions that can help you if you actually care. The security sensitive kind of have a whole practice going on, and I'm less worried about them; they kind of know what to do.

But perhaps most importantly is to get involved, right? And I don't mean in a spend-money, donate or anything kind of way. Like, if you find command and control channels, interesting samples in your own environment, it's really easy to get them into the broader community. ET Open's a great way, Snort VRT as well, and there are other foundations. If you're a coder, you can help develop some of the engines that can detect this stuff: Suricata, Snort, Bro, Moloch. There's a whole bunch of different ways that you can get involved.

So just to kind of wrap this up, because I know it's beer o'clock and we definitely don't want to impose on that. Basically, the trends speak for themselves; I don't have to speak in hyperbole. Everyone knows how serious the actual malware and compromise problems are, and it's only getting worse. It's really not gotten to a point where it's better. The attack surface is so massive; there are so many different ways that we can get breached. But we can leverage our strengths, in this case detecting command and control channels, which is our attackers' weakness in a lot of cases, to both prevent infections and counteract, when they do happen, respond quickly. And basically, as we up our game, they're going to up their game. We've got to have kind of a line of sight to where things are going in the future. But as long as we kind of stay in touch, in tune with the community, reviewing our logs, our information, our infrastructure, what it has to tell us, that's really kind of the best shot that we have at mitigating this stuff.

And yeah, basically that's what I've got, and I want to say a few thank-yous. Thank you all; thanks, DEF CON, for accepting this talk, letting me get up here on the soapbox, and yeah, for everyone for attending, coming all the way over here in Bally's. Now, Mr. Robot, I saw them all in the green room. It was really funny, I was like, oh my god, it's like I'm not worthy. But, so yeah, I'm basically the whole Emerging Threats team for Proofpoint; there are too many people to name. But thanks, everyone.