MARPLE: Mitigating APT - Northwestern University

MARPLE: Mitigating APT Damage by Reasoning with Provenance in Large Enterprise Networks
October 11, 2017

Agenda

Time              Topic                                               Presenter(s)
11:00am-11:05am   Arrival and Introduction                            All
11:05am-11:10am   Overview of Site Visit Agenda                       J.R. Rao
THE MARPLE APPROACH
11:10am-11:20am   MARPLE Post-Engagement Analysis                     All
11:20am-11:30am   Architecture Evolvement for Cross-Host Forensics    J.R. Rao
11:30am-12:15pm   Policy Enforcement: MARPLE Response System          Xiaokui Shu, R. Sekar, and Yan Chen
12:15pm-12:30pm   Lunch
12:30pm-12:50pm   A Faster and More Versatile τ-calculus and FCCE     Xiaokui Shu and Doug Schales
12:50pm-13:10pm   RiskDroid with Neural Nets                          Heqing Huang
13:10pm-13:30pm   SLEUTH Development and Plans                        R. Sekar
13:30pm-13:50pm   APT Story Teller                                    Venkat Venkatakrishnan
13:50pm-14:10pm   Automatic Attack Graph Pruning                      Haitao Xu
14:10pm-14:40pm   Windows Monitoring and Graph Generation             Yan Chen
14:40pm-15:00pm   Discussion and Next Steps                           All

Automatic Attack Graph Pruning

Goal
  - APT detection analytics produce IoCs: when and where the attacker got into the system.
  - From a malicious point, backward tracking and forward tracking reveal more malicious behaviour in the system.

Expected Output
  Ground-truth attack graph vs. our graph (example nodes: Firefox, C:\Users\steve\Desktop\procman.exe).

Illustration Based on 5D Data
  Rules + one or more malicious points + 5D data set -> attack graph.

Pruning Rules
  1 Imposed on subject/object
    1.1 Deal with hub processes & injection
    1.2 Delete irrelevant nodes
    1.3 DLL files
  2 Based on time stamp
    2.1 Time stamp in injection
  3 Imposed on events
    3.1 Event_modify_file_attribute
    3.2 Event_check_file_attribute
    3.3 Event_read

Rule 1.1: Deal with Hub Processes
  Characteristic: a benign process that is involved in a lot of operations and is therefore difficult to prune.

Rule 1.1: Hub Processes vs. Injection Processes
  Difference (?): the hub process is not the malicious point; it does malicious behaviour through another malicious process (e.g., Firefox.exe executes it). Limit the time stamp.

Rule 1.2: Delete Irrelevant Nodes
  *.ttf (TTF) font files, *.ttc (TTC) font files.

Rule 1.3: DLL Files
  Characteristic: large amount, difficult to prune, shared with other processes.
  Rule: no backward or forward tracking.

Rule 2.1: Prune Nodes before Attacks
  Rule: perform only forward tracking; no backward tracking.
  Illustration: B injects D at 9:00 and B -> D at 10:00; the edge A -> C at 7:00 precedes the attack and is pruned.

Rule 3: Event_read, Event_check, modify_file_attribute
  Characteristic: such events are not as suspicious as Event_write; they carry important information but occur in large amounts.
  Rule: perform only backward tracking; no forward tracking.
  Illustration: B -> D via Event_check_file_attributes, A -> C.

Data Issue: Data Loss in Pandex Injection Attack
  All the nodes are missing after Meterpreter.
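The pruning rules above, worked as an added example (this is not code from the MARPLE project or the NWU module): a backward/forward tracker over a small constructed provenance graph that applies rule 1.1 (time-limited hub expansion), 1.2 (drop font files), 1.3 (never track through DLLs), 2.1 (nothing before the attack in backward tracking) and 3 (reads and attribute checks followed backward only). The hub window, the event names and the sample edges are assumptions.

```python
from collections import deque

# Rule tables; constants are assumptions where the slides give only a description.
IRRELEVANT = (".ttf", ".ttc")      # rule 1.2: font files are deleted outright
BACKWARD_ONLY = {"EVENT_READ", "EVENT_CHECK_FILE_ATTRIBUTES",
                 "EVENT_MODIFY_FILE_ATTRIBUTES"}   # rule 3: never followed forward
HUBS = {"firefox.exe"}             # rule 1.1: hub processes, expanded only near the attack
HUB_WINDOW = 2                     # assumption: hours around attack_ts a hub may be expanded

def prune_and_track(events, malicious, attack_ts):
    """Backward- and forward-track from the malicious point, applying the pruning rules.
    events: (src, dst, event_type, hour) edges oriented along information flow."""
    kept, seen = set(), set()
    queue = deque([(malicious, "back", attack_ts), (malicious, "fwd", attack_ts)])
    while queue:
        node, direction, cur = queue.popleft()
        if (node, direction) in seen or node.lower().endswith(".dll"):
            continue                                   # rule 1.3: never track through DLLs
        seen.add((node, direction))
        for src, dst, etype, ts in events:
            if direction == "back" and dst == node:
                if ts < attack_ts:                     # rule 2.1: nothing before the attack
                    continue
                nxt = src
            elif direction == "fwd" and src == node and ts >= cur:
                if etype in BACKWARD_ONLY:             # rule 3: reads fan out too widely
                    continue
                nxt = dst
            else:
                continue
            if nxt.lower().endswith(IRRELEVANT):
                continue
            if node.lower() in HUBS and abs(ts - attack_ts) > HUB_WINDOW:
                continue                               # rule 1.1: time-limit hub expansion
            kept.add((src, dst, etype, ts))
            queue.append((nxt, direction, ts))
    return kept

# Constructed sample: B injects into D at 09:00, so D is the malicious point.
SAMPLE = [
    ("A", "C", "EVENT_WRITE", 7), ("C", "D", "EVENT_READ", 8),          # pre-attack (2.1)
    ("firefox.exe", "B", "EVENT_EXECUTE", 9), ("B", "D", "EVENT_INJECT", 9),
    ("payload.dll", "D", "EVENT_LOADLIBRARY", 9),                        # kept, not expanded (1.3)
    ("arial.ttf", "D", "EVENT_READ", 10),                                # deleted (1.2)
    ("secret.txt", "D", "EVENT_READ", 10),                               # backward only (3)
    ("D", "out.zip", "EVENT_WRITE", 10), ("out.zip", "notepad.exe", "EVENT_READ", 11),
    ("D", "cmd.exe", "EVENT_EXECUTE", 10), ("cmd.exe", "firefox.exe", "EVENT_EXECUTE", 11),
    ("firefox.exe", "10.0.0.5:443", "EVENT_SENDTO", 11),                 # inside hub window
    ("firefox.exe", "cdn.example:443", "EVENT_SENDTO", 13),              # outside hub window
]
```

Running `prune_and_track(SAMPLE, "D", 9)` keeps eight edges: the injection chain, the DLL load, the secret read and the exfiltration through cmd.exe and Firefox, while the six commented edges are pruned.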

FCCE Integration
  - FCCE provides a complete data management solution.
  - PHF detection relies on streaming data processing.
  - Attack graph pruning relies on historical data queries.
  - FCCE is scalable: no worries about memory size and large graphs.
  - FCCE now has a REST API: a stateless query interface, extensible for writing and for specific query needs.
  - Attack graph pruning is a good starting task to integrate FCCE and NWU's modules.

Windows Monitoring and Graph Generation

Outline
  - System overview
  - Challenges and solutions
  - Components: user-level parser, kernel logger parser, CDM translator
  - Our advantages: fine-grained (i.e., thread-level) system call collection; stack walk information; device information (e.g., USB keylogging)
  - Deployment and overhead

ETW Architecture
  - ETW has many trace providers (600+ in Win7, 1000+ in Win10).
  - NT Kernel Logger: kernel logging.
  - Microsoft-Windows-USB-UCX / Microsoft-Windows-USB-USBPORT: USB logging.
  - Stackwalking with xperf (a tool which also uses ETW): stack logging.

Challenges
  - Efficiency: the default ETW tdh library for parsing events can only achieve 2000-3000 events per second.
    Solution: we manage to get the struct of each event class and are the first to parse more than 1,000,000 events per second.
  - System call name reconstruction: ETW provides only the address of a system call. We need to map the address to the system call name.

Challenges & Solutions, contd.
  - System call parameter reconstruction: the parameters of system calls are not directly provided via ETW. We correlate events to extract the parameters for most security-related system calls.

Existing Work on Windows Low-Level Data Collection
  Non-ETW approaches
    - SSDT and API hooking (affect the stability and reliability of the running system; limited usefulness in recent versions of Windows)
      SSDT: overwriting of a kernel data structure
      API: modification of running software to intercept function calls
    - Run the system on QEMU (efficiency problem?)
    - Monitor single processes (high overhead)
  ETW-based approaches
    - [purdue]: overhead is very high based on our measurements and other papers (100K+ events/sec); no parameter reconstruction

Our System: four components

Component 1: ETW Controller

Component 2: NT Kernel Logger Parser
  - The NT Kernel Logger session is a special session which provides events from the Windows kernel.
  - It contains 21 providers and provides 105 events in total on Win7.
  - Joint events are automatically correlated to infer the parameters of system calls. For example, one "FILE CREATE" event + one "SYSTEM CALL ENTRY" event (NtCreateFile) = NtCreateFile + some of the parameters taken from the other event.

Component 3: User-level Parser
  User-level events: Windows start; account (login/logout); file; registry; process; thread (remote thread creation); network (TCP/UDP, bind to port); dynamic library load; system and security log clear; WMI queries; USB related.

Component 4: CDM Translator
  User level (short list):
    ETW event                 CDM record
    Windows Start             Subject (SUBJECT_PROCESS), EVENT_BOOT
    Account Login             EVENT_LOGIN
    Registry Link             EVENT_LINK
    Registry Read             EVENT_READ
    File Read                 EVENT_READ
    File Read Attribute       EVENT_CHECK_FILE_ATTRIBUTES
    Dynamic Library Load      EVENT_LOADLIBRARY, EVENT_UPDATE, FileObject (hash)
  Kernel level (short list):
    ETW event                      CDM record
    ALPC_SEND, ALPC_REC            EVENT_SIGNAL
    FILEIO::Name, FILEIO::Create   EVENT_MMAP
    Image::Image_Load              EVENT_MMAP
    TCPIP::RecvIPV4                EVENT_RECVFROM, EVENT_RECVMSG
  Several ETW events may be combined together to produce one CDM record.

Advantage 1: Fine-grained System Call Collection
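The event correlation described for Component 2 (and the many-to-one mapping of Component 4), as an added illustration rather than the NWU parser's code: a small Python model in which a SYSTEM CALL ENTRY event carries only an address, the parser maps it to a name, and the FileIo events raised on the same thread before the matching exit supply the parameters. The address table, event field names and sample events are constructed.

```python
# Constructed stand-in for the address -> name table the parser has to build itself:
# the ETW "SYSTEM CALL ENTRY" event carries only the address of the system call.
SYSCALL_BY_ADDR = {0xfffff80001234560: "NtCreateFile", 0xfffff800012345a0: "NtWriteFile"}

# FileIo events are assumed to be raised inside the matching system call on the same
# thread; their fields become the reconstructed parameters.
PARAM_EVENTS = {"FileIo/Create", "FileIo/Name", "FileIo/Write"}
META = {"type", "pid", "tid"}

def reconstruct(events):
    """Correlate SysCallEnter ... SysCallExit with the FileIo events between them on the
    same thread. Returns (records, orphans): one record per completed system call, and
    the number of parameter events that arrived with no open system call on their thread."""
    pending, records, orphans = {}, [], 0
    for ev in events:
        tid = ev["tid"]
        if ev["type"] == "SysCallEnter":
            name = SYSCALL_BY_ADDR.get(ev["addr"], f"unknown@{ev['addr']:#x}")
            pending[tid] = {"syscall": name, "pid": ev["pid"], "tid": tid, "params": {}}
        elif ev["type"] in PARAM_EVENTS:
            if tid not in pending:
                orphans += 1                # no open system call on this thread
                continue
            pending[tid]["params"].update({k: v for k, v in ev.items() if k not in META})
        elif ev["type"] == "SysCallExit":
            rec = pending.pop(tid, None)
            if rec is not None:
                rec["status"] = ev["status"]
                records.append(rec)
    return records, orphans

# Constructed event stream (thread-level, in arrival order); the path is the one shown on
# the ground-truth graph slide.
SAMPLE = [
    {"type": "SysCallEnter", "pid": 1234, "tid": 5678, "addr": 0xfffff80001234560},
    {"type": "FileIo/Create", "pid": 1234, "tid": 5678, "file_object": 0xffffa000,
     "open_path": r"C:\Users\steve\Desktop\procman.exe", "create_options": 0x20},
    {"type": "SysCallExit", "pid": 1234, "tid": 5678, "status": 0},
    {"type": "FileIo/Write", "pid": 1234, "tid": 9999, "file_object": 0xffffa001, "io_size": 512},
    {"type": "SysCallEnter", "pid": 1234, "tid": 5678, "addr": 0xfffff80009999999},
    {"type": "SysCallExit", "pid": 1234, "tid": 5678, "status": 0xc0000034},
]
```

`reconstruct(SAMPLE)` yields an NtCreateFile record carrying the open path and create options from the FileIo/Create event, an unmapped entry whose address is kept for later resolution, and one orphan FileIo/Write that no open call on thread 9999 can claim.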

Advantage 2: Call Stack
  - A call stack is a stack data structure that stores information about the active subroutines of a program.
  - Frames are stored in the call stack; if the frame sizes are not equal, stack pointers indicate the frame pointers.
  - Routines are popped off the stack after they finish.
  - The return address is used to determine where the program should continue after the routine's execution is finished.

Advantage 2: Stack Logging

Advantage 2: USB Keylogging
  - Microsoft-Windows-USB-UCX (USB 3.0, Win8+)
  - Microsoft-Windows-USB-USBPORT (USB 2.0, Win7+)

Deployment and System Overhead
  We have tested our system on physical server machines.
  Computer specification:
    CPU: Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz
    RAM: 8 GB
    Operating system: Windows 7 SP1 64-bit
  ETW parser overhead:
    Idle run: 1%-3% CPU, 34 MB memory (increment)
    Full load: 8%-12% CPU, 50 MB memory (increment)
  The system has been deployed and is running on the TA3 VM.

Comparison with FiveDirections
  MARPLE vs. 5D, compared on: system call, call stack, thread information, user-level events, real-time parsing.
  Notes: 5D is mainly user-level data and has to be saved to logs before it can be read. We read directly from the providers with no disk access (saves resources, small load on the system).

Policy Enforcement Scenario Support
  - Policy 1: originating user: NT-Kernel-Logger::Process (SID), NT-Kernel-Logger::TCPIP
  - Policy 2: NT-Kernel-Logger::TCPIP
  - Policy 3: keyboard: Microsoft-Windows-USB-UCX, Microsoft-Windows-USB-USBPORT
  - Policy 4: NT-Kernel-Logger::FileIo_Read (offset, size), Microsoft-Windows-TCPIP, Microsoft-Windows-DNS-Client

Policy Enforcement: MARPLE Response System

Policy Enforcement Architecture
  - TA1 server: Apache
  - MARPLE Policy Enforcement Response System: customized HTTP server; enforcement module with task dispatcher and decision combinator
  - TA1 client: Firefox monitor
  - Traversal modules: SLEUTH traversal module, τ-calculus traversal module
  - Data: BBN Kafka, FCCE

Policy Enforcement: TA2 Requirement
  Input: policy ID, client IP, client port, server IP, server port, timestamp
  Output on request: 202 Accepted Req, 400 Bad Req, 500 Error
  Output on decision: 200 Passed, 400 Failed

MARPLE Policy Enforcement Response System (customized HTTP server, task dispatcher, decision combinator)
  Procedure:
    1. Locate the subject of the network object
    2. Perform one- or multi-step backtracking
    3. Extract specific CDM information associated with the subjects, e.g., user name
    4. Yield a binary answer with a subgraph
    5. Combine the decisions
  Data: SLEUTH traversal module, τ-calculus traversal module, FCCE, streaming CDM from the TA1 client

τ-calculus Development Plan for Policy Enforcement
  - Principal CDM records support: retrieve user/group information for Policy #1
    Realization: explicit node vs. implicit node vs. property
  - Functional, lazily evaluated, and customized traversal
    Current: a ~> b, following temporal and information flow
    Planned: a ~> b with f(x), where f(x) is a function which specifies rules for traversals
    Functionality in examples: only follow EVENT_EXECUTE, exclude EVENT_MMAP, etc.
  - Compiler/batcher
    Current: interactive shell that evaluates each command, e.g., MATCH, DUMP
    Planned: execution of pre-programmed scripts in batch
  - Policy enforcement wrapper: compare the retrieved values and provide a binary answer to our customized HTTP server

SLEUTH Development Plan for Policy Enforcement
  Need input from SBU/UIC.

Windows Backtracking Strategy Study (NWU)
  - NWU is preparing some examples of the 4 policies on Windows.
  - Issues, such as the fact that no specific data will be mentioned, will be discussed when talking about the examples.

Questions on Policies
  Policy #1 (originating user)
    - Is multi-step traversal needed? We will handle sudo, but how about: User -> ssh -> run script -> service start daemon -> fork script -> fork browser -> send packet
  Policy #2 (block suspect server communication)
    - Clear and feasible
  Policy #3 (block automated scripts)
    - TA2 needs to search for UI events associated with the process
    - Can we get the list of names of events or related objects?
    - Can TA1s confirm the items (previous bullet) are in the data?
  Policy #4 (block uploads with network data)
    - TA2 needs multi-step traversal
    - We may need provenance information for hub processes, e.g., Firefox, Nginx
    - Otherwise, it is hard to know whether the read of the file /tmp/foo2.txt is associated with the outgoing network traffic
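Policy #1 over the multi-step chain from the questions slide, using the planned "a ~> b with f(x)" traversal, as an added example (not MARPLE's τ-calculus or SLEUTH code): a backward walk from the network object that crosses only control-flow edges, excludes EVENT_MMAP noise, and reports the originating non-root user with the justifying subgraph. The edge types, process names, user mapping and the "furthest-back non-root principal" heuristic are assumptions.

```python
from collections import deque

# Constructed CDM-style provenance: edges are (src, dst, event_type) along information
# flow; SUBJECT_USER maps each process to the principal it runs as. Names are assumptions.
EDGES = [
    ("sshd", "bash", "EVENT_FORK"), ("bash", "run.sh", "EVENT_EXECUTE"),
    ("run.sh", "systemctl", "EVENT_EXECUTE"), ("systemctl", "agentd", "EVENT_UNIT_START"),
    ("agentd", "helper.sh", "EVENT_FORK"), ("helper.sh", "firefox", "EVENT_FORK"),
    ("libgtk.so", "firefox", "EVENT_MMAP"),              # library load: noise for Policy #1
    ("firefox", "NetFlow 10.0.0.5:443", "EVENT_SENDTO"),
]
SUBJECT_USER = {"sshd": "root", "bash": "alice", "run.sh": "alice", "systemctl": "root",
                "agentd": "root", "helper.sh": "root", "firefox": "root"}
CONTROL_FLOW = {"EVENT_FORK", "EVENT_EXECUTE", "EVENT_UNIT_START", "EVENT_SENDTO"}

def backtrack(edges, start, follow):
    """a ~> b with f(x): walk backward from `start`, crossing only edges for which
    follow(edge) is true; returns the traversed edges (the subgraph) in visit order."""
    seen, subgraph, queue = {start}, [], deque([start])
    while queue:
        node = queue.popleft()
        for edge in edges:
            src, dst, _ = edge
            if dst == node and follow(edge) and src not in seen:
                seen.add(src)
                subgraph.append(edge)
                queue.append(src)
    return subgraph

def originating_user(edges, netflow, allowed):
    """Policy #1: from the network object, backtrack through forks, execs and service
    starts to the human principal, and yield the 200 Passed / 400 Failed answer together
    with the subgraph that justifies it.
    Assumption: the originating user is the furthest-back non-root principal on the chain."""
    subgraph = backtrack(edges, netflow, lambda e: e[2] in CONTROL_FLOW)
    humans = [SUBJECT_USER[src] for src, _, _ in subgraph
              if SUBJECT_USER.get(src, "root") != "root"]
    user = humans[-1] if humans else None
    return (200 if user in allowed else 400), user, subgraph
```

With the filter the walk crosses seven edges back to sshd and attributes the flow to alice; with `follow=lambda e: True` it would also drag in the libgtk.so mapping, which is exactly the EVENT_MMAP exclusion the τ-calculus plan calls for.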
