MARPLE: Mitigating APT - Northwestern University

MARPLE: Mitigating APT Damage by Reasoning with Provenance in Large Enterprise Networks
Site visit, October 11, 2017

Agenda

Time          Topic                                                  Presenter(s)
11:00-11:05   Arrival and Introduction                               All
11:05-11:10   Overview of Site Visit Agenda                          J.R. Rao
              THE MARPLE APPROACH
11:10-11:20   MARPLE Post-Engagement Analysis                        All
11:20-11:30   Architecture Evolvement for Cross-Host Forensics       J.R. Rao
11:30-12:15   Policy Enforcement: MARPLE Response System             Xiaokui Shu, R. Sekar, and Yan Chen
12:15-12:30   Lunch
12:30-12:50   A Faster and More Versatile -calculus and FCCE         Xiaokui Shu and Doug Schales
12:50-13:10   RiskDroid with Neural Nets                             Heqing Huang
13:10-13:30   SLEUTH Development and Plans                           R. Sekar
13:30-13:50   APT Story Teller                                       Venkat Venkatakrishnan
13:50-14:10   Automatic Attack Graph Pruning                         Haitao Xu
14:10-14:40   Windows Monitoring and Graph Generation                Yan Chen
14:40-15:00   Discussion and Next Steps                              All


Automatic Attack Graph Pruning (Haitao Xu)

Goal
  APT detection analytics yield an IoC: when and where the attacker got into the system (the malicious point).
  From that malicious point, backward tracking and forward tracking uncover more malicious behavior in the system.

Expected Output
  Ground-truth attack graph vs. our graph (figure; labelled nodes include Firefox and C:\Users\steve\Desktop\procman.exe).

Illustration based on 5D Data
  One or more malicious points + 5D data set + rules -> attack graph.

Pruning Rules
  1. Imposed on subject/object
     1.1 Deal with hub processes and injection
     1.2 Delete irrelevant nodes
     1.3 DLL files
  2. Based on time stamp
     2.1 Time stamp in injection
  3. Imposed on events
     3.1 Event_modify_file_attribute
     3.2 Event_check_file_attribute
     3.3 Event_read

Rule 1.1: Deal with Hub Processes
  Characteristic: a benign process involved in a lot of operations; difficult to prune.

Rule 1.1: Hub Processes vs. Injection Processes
  Difference (?): the hub process is not the malicious point; it does malicious behavior through another malicious process (e.g., Firefox.exe execute).
  Rule: limit the time stamp.

Rule 1.2: Delete Irrelevant Nodes
  *.ttf (TTF) font files, *.ttc (TTC) font files.

Rule 1.3: DLL Files
  Characteristic: large amount; difficult to prune; shared with other processes.
  Rule: no backward or forward tracking through DLL files.

Rule 2.1: Prune Nodes before Attacks
  Rule: perform only forward tracking; no backward tracking.
  Example (figure): B injects D at 9:00; B -> D at 10:00; A -> C at 7:00.

Rule 3: Event_read, Event_check, modify_file_attribute
  Characteristic: such events are not as suspicious as Event_write; important information, but a large amount of it.
  Rule: perform only backward tracking; no forward tracking.
  Example (figure): B, D, Event_check_file_attributes, A, C.

Data Issue: Data Loss in Pandex Injection Attack
  All the nodes are missing after Meterpreter.
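As an added worked example (not the MARPLE project's code), the following Python sketch applies the pruning rules above to a small constructed provenance graph modelled on the injection figure. Everything in it is an assumption of the illustration: the edge-direction convention, the EVENT_INJECT event name, the minute-of-day timestamps, the file suffixes and the sample graph; Rule 1.1 ("limit the time stamp" for a hub process reached through injection) and Rule 2.1 are both realized as a lower time bound set at the moment of injection, which is this example's reading of the two rules.

```python
from collections import deque

# Rule tables. The CDM event names are those on the slides; the file suffixes, the
# EVENT_INJECT name and the sample graph below are assumptions of this example.
FONT_SUFFIXES = (".ttf", ".ttc")                   # Rule 1.2: delete font files
DLL_SUFFIXES = (".dll",)                           # Rule 1.3: keep, but never track through
BACKWARD_ONLY = {"EVENT_READ", "EVENT_CHECK_FILE_ATTRIBUTES",
                 "EVENT_MODIFY_FILE_ATTRIBUTES"}   # Rule 3: no forward tracking
INJECT = "EVENT_INJECT"                            # Rules 1.1 / 2.1: bound timestamps at injection


class Graph:
    """Provenance graph. An edge (src, dst, event, ts) means information flowed src -> dst
    at minute-of-day ts: files flow into the processes that read or load them and out
    of the processes that write them; processes flow into the processes they inject."""

    def __init__(self):
        self.nodes = {}
        self.edges = []

    def node(self, nid, kind, name):
        self.nodes[nid] = {"kind": kind, "name": name.lower()}

    def edge(self, src, dst, event, ts):
        self.edges.append((src, dst, event, ts))

    def ins(self, n):
        return [e for e in self.edges if e[1] == n]

    def outs(self, n):
        return [e for e in self.edges if e[0] == n]

    def is_font(self, n):
        return self.nodes[n]["name"].endswith(FONT_SUFFIXES)

    def is_dll(self, n):
        return self.nodes[n]["name"].endswith(DLL_SUFFIXES)


def prune(g, malicious):
    """Backward tracking, then forward tracking, from the malicious points while applying
    the rules. Returns the set of node ids that survive in the pruned attack graph."""
    kept = set(malicious)
    seen = set()
    # Each work item carries a lower time bound; edges older than it are not followed.
    queue = deque((m, 0) for m in malicious)
    while queue:                                   # backward tracking
        n, bound = queue.popleft()
        if (n, bound) in seen:
            continue
        seen.add((n, bound))
        for src, _, event, ts in g.ins(n):
            if ts < bound or g.is_font(src):       # Rules 2.1 and 1.2
                continue
            kept.add(src)
            if g.is_dll(src):                      # Rule 1.3: shared DLLs are dead ends
                continue
            # Rules 1.1 / 2.1: the injector (typically a hub process such as a browser)
            # only matters from the moment of the injection onwards.
            queue.append((src, ts if event == INJECT else bound))
    queue = deque(seen)
    seen = set()
    while queue:                                   # forward tracking
        n, bound = queue.popleft()
        if (n, bound) in seen:
            continue
        seen.add((n, bound))
        for _, dst, event, ts in g.outs(n):
            if ts < bound or event in BACKWARD_ONLY or g.is_font(dst):   # Rules 2.1, 3, 1.2
                continue
            kept.add(dst)
            if not g.is_dll(dst):
                queue.append((dst, bound))
    return kept


def sample_graph():
    """Constructed data modelled on the slide's A/B/C/D injection figure."""
    g = Graph()
    for nid, kind, name in [("P", "process", "explorer.exe"), ("A", "process", "a.exe"),
                            ("B", "process", "firefox.exe"), ("D", "process", "d.exe"),
                            ("Q", "process", "scanner.exe"), ("R", "process", "dropper.exe"),
                            ("C", "file", "c.txt"), ("E", "file", "e.txt"), ("O", "file", "old.txt"),
                            ("F", "file", "arial.ttf"), ("K", "file", "kernel32.dll"),
                            ("G", "file", "dropper.exe"), ("H", "file", "h.cfg")]:
        g.node(nid, kind, name)
    g.edge("P", "B", "EVENT_EXECUTE", 6 * 60)       # before the injection: pruned (2.1)
    g.edge("A", "C", "EVENT_WRITE", 7 * 60)         # unrelated branch
    g.edge("K", "A", "EVENT_LOADLIBRARY", 8 * 60)   # shared DLL must not link A to D (1.3)
    g.edge("B", "O", "EVENT_WRITE", 8 * 60)         # hub activity before injection: pruned (1.1)
    g.edge("B", "D", INJECT, 9 * 60)                # the malicious point D is injected at 9:00
    g.edge("K", "D", "EVENT_LOADLIBRARY", 9 * 60 + 20)
    g.edge("F", "D", "EVENT_READ", 9 * 60 + 30)     # font file: deleted (1.2)
    g.edge("D", "G", "EVENT_WRITE", 9 * 60 + 40)
    g.edge("G", "Q", "EVENT_READ", 9 * 60 + 45)     # read of a tainted file: not tracked forward (3)
    g.edge("H", "D", "EVENT_CHECK_FILE_ATTRIBUTES", 9 * 60 + 50)  # tracked backward only (3)
    g.edge("G", "R", "EVENT_EXECUTE", 9 * 60 + 55)
    g.edge("B", "E", "EVENT_WRITE", 10 * 60)        # hub activity after injection: kept
    return g


if __name__ == "__main__":
    print(sorted(prune(sample_graph(), ["D"])))
```

On the sample graph the pruned attack graph keeps D, its injector B, the DLL it loaded, the attribute-checked file H, the dropped file G, the process R that executed it and B's post-injection write E, while the parent of B, the unrelated A/C branch, B's pre-injection write, the font file and the scanner that merely read G are all pruned.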

FCCE Integration
  - FCCE provides a complete data management solution: PHF detection relies on streaming data processing, attack graph pruning relies on historical data queries.
  - FCCE is scalable: no worries about memory size and large graphs.
  - FCCE now has a REST API: a stateless query interface, extensible for writing and specific query needs.
  - Attack graph pruning is a good starting task to integrate FCCE and NWU's modules.

Windows Monitoring and Graph Generation (Yan Chen)

Outline
  - System overview
  - Challenges and solutions
  - Components: user-level parser, kernel logger parser, CDM translator
  - Our advantages: fine-grained (i.e., thread-level) system call collection, stack walk information, device information (e.g., USB keylogging)
  - Deployment and overhead

ETW Architecture
  - ETW has many trace providers (600+ in Win7, 1000+ in Win10).
  - NT Kernel Logger: kernel logging.
  - Microsoft-Windows-USB-UCX / Microsoft-Windows-USB-USBPORT: USB logging.
  - Stack walking with xperf (a tool which also uses ETW): stack logging.

Challenges
  Efficiency: the default ETW tdh library for parsing events can only achieve 2,000-3,000 events per second. Solution: we manage to get the struct of each event class and are the first to parse more than 1,000,000 events per second.
  System call parameter reconstruction: ETW provides only the address of a system call; we need to map from the address to the system call name.

Challenges & Solutions (contd)
  System call parameter reconstruction: the parameters of system calls are not directly provided via ETW. We correlate events to extract the parameters for most security-related system calls.

Existing Work on Windows Low-Level Data Collection
  Non-ETW approaches
    - SSDT and API hooking (affect the stability and reliability of the running system; limited usefulness in recent versions of Windows). SSDT: overwriting of a kernel data structure. API: modification of running software to intercept function calls.
    - Run the system on QEMU (efficiency problem?).
    - Monitor single processes (high overhead).
  ETW-based approaches
    - [purdue]: overhead is very high based on our measurements and other papers (100K+ events/sec); no parameter reconstruction.

Our System
  Four components.

Component 1: ETW Controller

Component 2: NT Kernel Logger Parser
  - The NT Kernel Logger session is a special session which provides events from the Windows kernel.
  - It contains 21 providers and provides 105 events in total on Win7.
  - It automatically correlates joint events to infer the parameters of system calls. For example, one "FILE CREATE" event + one "SYSTEM CALL ENTRY" event (NtCreateFile) = NtCreateFile + some of the parameters from the other event.

Component 2: NT Kernel Logger Parser (contd)

Component 3: User-level Parser
  User-level events: Windows start; account (login/logout); file; registry; process; thread (remote thread creation); network (TCP/UDP, bind to port); dynamic library load; system and security log clear; WMI queries; USB related.

Component 4: CDM Translator

  User level (short list)
  ETW event               CDM record
  Windows Start           Subject (SUBJECT_PROCESS), EVENT_BOOT
  Account Login           EVENT_LOGIN
  Registry Link           EVENT_LINK
  Registry Read           EVENT_READ
  File Read               EVENT_READ
  File Read Attribute     EVENT_CHECK_FILE_ATTRIBUTES
  Dynamic Library Load    EVENT_LOADLIBRARY, EVENT_UPDATE, FileObject (hash)

  Kernel level (short list)
  ETW event                      CDM record
  ALPC_SEND, ALPC_REC            EVENT_SIGNAL
  FILEIO::Name, FILEIO::Create   EVENT_MMAP
  Image::Image_Load              EVENT_MMAP
  TCPIP::RecvIPV4                EVENT_RECVFROM, EVENT_RECVMSG

  Several ETW events may be combined together to produce one CDM record.

Advantage 1: Fine-grained System Call Collection
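The event correlation the kernel logger parser performs (one FILE CREATE event plus one SYSTEM CALL ENTRY event yields NtCreateFile with parameters) and the many-to-one translation of the CDM translator can be sketched together in Python, as follows. This is an added example, not the project's parser: the event dictionaries and their field names, the syscall address table, the correlation window and the CDM type used for the file-create record are all constructed for the illustration; only the Image_Load -> EVENT_MMAP and RecvIPV4 -> EVENT_RECVFROM mappings follow the kernel-level table above.

```python
# Constructed syscall-address table. The slides note that ETW only reports the address
# of a system call, so the parser has to map address -> name. A real table is derived
# from the running kernel's symbols; these two addresses are invented for the example.
SYSCALL_BY_ADDR = {0xFFFFF80001A2B000: "NtCreateFile", 0xFFFFF80001A2C100: "NtWriteFile"}

# (provider, opcode) -> CDM record type, following the kernel-level table on the slide.
KERNEL_TO_CDM = {("Image", "Load"): "EVENT_MMAP", ("TcpIp", "RecvIPV4"): "EVENT_RECVFROM"}

CORRELATION_WINDOW = 5   # max timestamp distance between syscall entry and FileIo event (assumed)


def translate(events):
    """Turn a time-ordered list of ETW-style events into CDM-style records.
    Several ETW events collapse into one record: FileIo::Name supplies the path for a
    FileObject handle, PerfInfo::SysClEnter on the same thread supplies the syscall
    name, and FileIo::Create supplies the remaining parameters."""
    records = []
    names = {}        # FileObject -> path, learned from FileIo::Name
    pending = {}      # tid -> most recent unmatched syscall entry
    for ev in events:
        key = (ev["provider"], ev["opcode"])
        if key == ("FileIo", "Name"):
            names[ev["FileObject"]] = ev["FileName"]
        elif key == ("PerfInfo", "SysClEnter"):
            name = SYSCALL_BY_ADDR.get(ev["addr"])        # address -> syscall name
            if name:
                pending[ev["tid"]] = {"syscall": name, "ts": ev["ts"]}
        elif key == ("FileIo", "Create"):
            entry = pending.pop(ev["tid"], None)
            if entry and ev["ts"] - entry["ts"] > CORRELATION_WINDOW:
                entry = None                              # stale entry: do not attribute it
            records.append({
                "type": "EVENT_CREATE_OBJECT",            # CDM type assumed for this example
                "pid": ev["pid"], "tid": ev["tid"], "ts": ev["ts"],
                "syscall": entry["syscall"] if entry else None,
                "path": names.get(ev["FileObject"]),      # None if no Name event was seen
                "CreateOptions": ev.get("CreateOptions"),
            })
        elif key in KERNEL_TO_CDM:
            rec = {"type": KERNEL_TO_CDM[key], "pid": ev["pid"], "ts": ev["ts"]}
            if key[0] == "Image":
                rec.update(path=ev["FileName"], base=ev["ImageBase"])
            else:
                rec.update(remote=(ev["saddr"], ev["sport"]), size=ev["size"])
            records.append(rec)
    return records


def sample_events():
    """Constructed event stream; field names mimic ETW payloads but are not real captures."""
    return [
        {"provider": "FileIo", "opcode": "Name", "ts": 100, "FileObject": 0xA1,
         "FileName": r"C:\Users\steve\Desktop\procman.exe"},
        {"provider": "PerfInfo", "opcode": "SysClEnter", "ts": 101, "tid": 4321, "pid": 1200,
         "addr": 0xFFFFF80001A2B000},
        {"provider": "FileIo", "opcode": "Create", "ts": 102, "tid": 4321, "pid": 1200,
         "FileObject": 0xA1, "CreateOptions": 0x60},
        {"provider": "Image", "opcode": "Load", "ts": 110, "pid": 1200,
         "FileName": r"C:\Windows\System32\kernel32.dll", "ImageBase": 0x7FF8A0000000},
        {"provider": "TcpIp", "opcode": "RecvIPV4", "ts": 120, "pid": 1200,
         "saddr": "203.0.113.7", "sport": 443, "size": 1460},
        # A Create with no Name event and no syscall entry on its thread: only partially
        # reconstructed, which is the failure mode a real parser has to tolerate.
        {"provider": "FileIo", "opcode": "Create", "ts": 200, "tid": 9999, "pid": 1300,
         "FileObject": 0xB2, "CreateOptions": 0x20},
    ]


if __name__ == "__main__":
    for record in translate(sample_events()):
        print(record)
```

The thread id is the correlation key because the NT Kernel Logger reports the syscall entry and the FileIo event on the thread that issued them; the window guards against attributing a Create to an unrelated, earlier syscall entry that never produced a FileIo event.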

Advantage 2: Call Stack
  Call stack: a stack data structure that stores information about the active subroutines of a program.
  - Frames are stored in the call stack.
  - If the frame sizes are not equal, stack pointers indicate frame pointers.
  - Routines are popped off the stack after they finish.
  - The return address is used to determine where the program continues after the routine's execution finishes.

Advantage 2: Stack Logging

Advantage 2: USB Keylogging
  - Microsoft-Windows-USB-UCX (USB 3.0, Win8+)
  - Microsoft-Windows-USB-USBPORT (USB 2.0, Win7+)

Deployment and System Overhead
  We have tested our system on physical server machines.
  Computer specification: CPU: Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz; RAM: 8 GB; operating system: Windows 7 SP1 64-bit.
  ETW parser overhead:
    Idle run: 1%-3% CPU, 34 MB memory (increment)
    Full load: 8%-12% CPU, 50 MB memory (increment)
  The system has been deployed and is running on the TA3 VM.

Comparison with FiveDirections
  Criteria compared for MARPLE vs. 5D: system call, call stack, thread information, user-level events, real-time parsing.
  Notes: 5D is mainly user-level data and has to be saved to logs before being read. We read directly from the providers, with no disk access (saves resources, small load on the system).

Policy Enforcement Scenario Support
  Policy 1 (originating user): NT-Kernel-Logger::Process (SID), NT-Kernel-Logger::TCPIP
  Policy 2: NT-Kernel-Logger::TCPIP
  Policy 3 (keyboard): Microsoft-Windows-USB-UCX, Microsoft-Windows-USB-USBPORT
  Policy 4: NT-Kernel-Logger::FileIo_Read (offset, size), Microsoft-Windows-TCPIP, Microsoft-Windows-DNS-Client


Policy Enforcement: MARPLE Response System (Xiaokui Shu, R. Sekar, and Yan Chen)

Policy Enforcement Architecture
  MARPLE Policy Enforcement Response System: customized HTTP server (Apache) with an enforcement module, a task dispatcher and a decision combinator.
  Inputs: TA1 server; TA1 client (Firefox monitor); BBN Kafka.
  Traversal modules: SLEUTH traversal module; -calculus traversal module; both backed by FCCE.

Policy Enforcement: TA2 Requirement
  Input: policy ID, client IP, client port, server IP, server port, timestamp
  Output: 202 Accepted Req, 400 Bad Req, 500 Error; 200 Passed, 400 Failed

MARPLE Policy Enforcement Response System
  Components: customized HTTP server, task dispatcher, decision combinator
  Procedure:
    1. Locate the subject of the network object
    2. Perform one- or multi-step backtracking
    3. Extract specific CDM information associated with the subjects, e.g., user name
    4. Yield a binary answer with a subgraph
    5. Combine the decisions
  Data: SLEUTH traversal module, -calculus traversal module, FCCE, streaming CDM from the TA1 client

-calculus Development Plan for Policy Enforcement
  - Principal CDM records support: retrieve user/group information for Policy #1. Realization: explicit node vs. implicit node vs. property.
  - Functional, lazily evaluated, and customized traversal. Current: a ~> b, following temporal and information flow. Planned: a ~> b with f(x), where f(x) is a function which specifies rules for the traversal. Functionality in examples: only follow EVENT_EXECUTE, exclude EVENT_MMAP, etc.
  - Compiler/batcher. Current: an interactive shell that evaluates each command, e.g., MATCH, DUMP. Planned: execution of pre-programmed scripts in batch.
  - Policy enforcement wrapper: compare the retrieved values and provide a binary answer to our customized HTTP server.

SLEUTH Development Plan for Policy Enforcement
  Need input from SBU/UIC.

Windows Backtracking Strategy Study (NWU)
  NWU is preparing some examples of the 4 policies on Windows. Issues such as no specific data will be mentioned when talking about the examples.

Questions on Policies
  Policy #1 (originating user): Is multi-step traversal needed? We will handle sudo, but how about: User -> ssh -> run script -> service start daemon -> fork script -> fork browser -> send packet?
  Policy #2 (block suspect server communication): clear and feasible.
  Policy #3 (block automated scripts): TA2 needs to search for UI events associated with the process. Can we get the list of names of events or related objects? Can the TA1s confirm the items (previous bullet) are in the data?
  Policy #4 (block uploads with network data): TA2 needs multi-step traversal. We may need provenance information for hub processes, e.g., Firefox, Nginx; otherwise it is hard to know whether the read of the file /tmp/foo2.txt is associated with the outgoing network traffic.

The End
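A worked sketch of the response-system procedure from the architecture slides (locate the subject of the network object, backtrack, extract the principal, yield a binary answer with a subgraph, combine the decisions), applied to Policy #1 and Policy #2 and exercising the multi-step chain raised in the Policy #1 question (user -> ssh -> script -> browser -> send packet). This is an added example, not the project's code: the process table, SIDs, network flows, allow and block lists, the 60-second timestamp window and the conservative combinator are constructed assumptions; the status codes are the ones listed in the TA2 requirement.

```python
import ipaddress

# Constructed CDM-like provenance data for the example (not real system output).
# SUBJECTS: pid -> process subject with its principal (user SID) and parent pid.
SUBJECTS = {
    4:    {"name": "System",       "ppid": 0,    "user": "S-1-5-18"},
    812:  {"name": "services.exe", "ppid": 4,    "user": "S-1-5-18"},
    2300: {"name": "sshd.exe",     "ppid": 812,  "user": "S-1-5-18"},
    3100: {"name": "cmd.exe",      "ppid": 2300, "user": "S-1-5-21-1000-1001"},  # user's ssh session
    3400: {"name": "firefox.exe",  "ppid": 3100, "user": "S-1-5-21-1000-1001"},
}
# NETFLOWS: network objects with their owning subject and the send-event timestamp (epoch seconds).
NETFLOWS = [
    {"pid": 3400, "client": ("10.0.0.12", 51234), "server": ("203.0.113.7", 443), "ts": 1507726800},
    {"pid": 3400, "client": ("10.0.0.12", 51240), "server": ("198.51.100.9", 8080), "ts": 1507726900},
]
SYSTEM_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}   # well-known service accounts
ALLOWED_USERS = {"S-1-5-21-1000-1001"}               # Policy #1 allow list (assumed)
BLOCKED_SERVERS = {"198.51.100.9"}                   # Policy #2 block list (assumed)
MATCH_WINDOW = 60                                    # seconds of timestamp slack (assumed)
FIELDS = ("policy_id", "client_ip", "client_port", "server_ip", "server_port", "timestamp")


def accept_request(req):
    """First-stage HTTP answer: 202 Accepted Req for a well-formed request, else 400 Bad Req."""
    try:
        if any(f not in req for f in FIELDS) or int(req["policy_id"]) not in (1, 2, 3, 4):
            return 400
        ipaddress.ip_address(req["client_ip"])
        ipaddress.ip_address(req["server_ip"])
        if not all(0 < int(req[p]) < 65536 for p in ("client_port", "server_port")):
            return 400
        int(req["timestamp"])
    except (ValueError, TypeError):
        return 400
    return 202


def locate_subject(req):
    """Step 1: the process that owns the network object named by the addresses and timestamp."""
    want = ((req["client_ip"], int(req["client_port"])), (req["server_ip"], int(req["server_port"])))
    for flow in NETFLOWS:
        if (flow["client"], flow["server"]) == want and abs(flow["ts"] - int(req["timestamp"])) <= MATCH_WINDOW:
            return flow["pid"]
    return None


def originating_user(pid):
    """Steps 2-3: multi-step backtracking up the parent chain. The originating user is the
    outermost non-service principal, so sshd and services.exe running as SYSTEM are walked through."""
    chain, user = [], None
    while pid in SUBJECTS:
        chain.append(pid)
        if SUBJECTS[pid]["user"] not in SYSTEM_SIDS:
            user = SUBJECTS[pid]["user"]
        pid = SUBJECTS[pid]["ppid"]
    return user, chain


def evaluate(req):
    """Step 4 for one traversal module: (status, subgraph) with 200 Passed, 400 Failed or 500 Error."""
    pid = locate_subject(req)
    if pid is None:
        return 500, []                                   # no matching network object in the data
    policy = int(req["policy_id"])
    if policy == 1:
        user, chain = originating_user(pid)
        return (200 if user in ALLOWED_USERS else 400), chain
    if policy == 2:
        return (200 if req["server_ip"] not in BLOCKED_SERVERS else 400), [pid]
    return 500, []                                       # Policies 3 and 4 are not modelled here


def combine(decisions):
    """Step 5, decision combinator: any Failed wins; an Error with no Failed stays an Error."""
    statuses = [status for status, _ in decisions]
    if 400 in statuses:
        return 400
    if 500 in statuses or not statuses:
        return 500
    return 200


if __name__ == "__main__":
    request = {"policy_id": 1, "client_ip": "10.0.0.12", "client_port": 51234,
               "server_ip": "203.0.113.7", "server_port": 443, "timestamp": 1507726800}
    print(accept_request(request), evaluate(request))
```

The combinator is deliberately conservative: when the SLEUTH and calculus traversal modules disagree, a single Failed verdict blocks, and a module that could not find the network object at all is reported as an error rather than silently passing the request.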
