Detection of Spreading Process on many assets over the network

sbc-vn, 30 slides, Oct 03, 2024

Slide Content

© 2024 Akamai | Confidential
Hunt
Detection of Spreading Process on many assets over the network
Quy Le, Solutions Engineer

Agenda
● Motivation
● Goal
● Solution Approach
  ○ TF-IDF
  ○ Using TF-IDF for detecting processes spreading over the network
● Technical Use Cases
● Appendix

Motivation
● Malware (malicious software) is designed to harm or exploit computer systems, networks, or devices.
● Malware comes in many forms, such as viruses, worms, Trojans, ransomware, etc., and is used to steal sensitive information, corrupt files, or take control of a device.
● It is often spread through email attachments, malicious websites, or infected software downloads, and can cause significant damage to individuals, organizations, and even entire countries.

Motivation
● An example: Trickbot is a banking trojan, a type of malware designed to steal sensitive information from infected devices, such as login credentials, financial data, and other personal information.
● It is typically spread through phishing emails that trick recipients into clicking on a link or downloading a Microsoft Office file attachment.

Motivation
● Process graph of Trickbot (figure)

Motivation
● To identify the presence of malware and prevent it from spreading further, we want to detect suspicious processes spreading over a network.
● By isolating infected systems and alerting on malicious traffic, organizations can limit the damage caused by malware and prevent it from spreading to other systems or networks.

The Goal
● Detect suspicious processes (legitimate or malicious) that spread across Hunt customers' network communication.
● Identify and alert on these processes to minimize the potential damage of security incidents.

TF-IDF
Term Frequency-Inverse Document Frequency
● A statistical method used in Natural Language Processing (NLP) to evaluate the importance of a word in a document or corpus.
● This method is used in various domains such as information retrieval, sentiment analysis, text classification, recommendation systems, social networks, etc.

TF-IDF
Term Frequency-Inverse Document Frequency
● Researchers have employed the TF-IDF method in the social network domain to detect fake news or hate speech spreading on Twitter [1, 2].
● Given that this problem is similar to our own problem of identifying processes that spread over the network, we decided to also use the TF-IDF method.

The Suggested Solution Approach
Detecting spreading processes
We leverage the TF-IDF method for detecting processes spreading over the network.
How?
● The process represents the word (term).
● The asset represents the document.

The Suggested Solution Approach
Detecting spreading processes
● In addition, the data tells us how many unique destination assets a process connects to from a specific source asset.
● Thus we want to include that in the TF-IDF formula.
  ○ Unique Destination Assets (UDA) = the count of distinct destination_node_id values for a (source asset, process) pair
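The mapping above (process = term, source asset = document, UDA = distinct destinations per asset/process pair), carried through in code as an added example; this is not code from the Akamai deck. The slide that states the deck's exact UDA-weighted formula is not reproduced on this page, so the way this example folds UDA in (multiplying tf × idf by the UDA count) and the smoothed IDF variant it uses are assumptions of the example. The connection records and host names are constructed.

```python
import math
from collections import Counter, defaultdict

# Constructed sample records (not data from the deck): one row per observed
# connection, as (source asset, process name, destination asset).
SAMPLE_CONNECTIONS = [
    ("host-01", "svchost.exe", "dc-01"),
    ("host-01", "svchost.exe", "dc-01"),
    ("host-01", "chrome.exe", "web-proxy"),
    ("host-02", "svchost.exe", "dc-01"),
    ("host-02", "chrome.exe", "web-proxy"),
    ("host-03", "svchost.exe", "dc-01"),
    ("host-03", "updater.exe", "host-01"),   # a rare binary fanning out from one host
    ("host-03", "updater.exe", "host-02"),
    ("host-03", "updater.exe", "host-04"),
    ("host-03", "updater.exe", "host-05"),
    ("host-03", "updater.exe", "host-06"),
    ("host-04", "svchost.exe", "dc-01"),
    ("host-05", "svchost.exe", "dc-01"),
    ("host-05", "chrome.exe", "web-proxy"),
]


def build_corpus(connections):
    """Map the network data onto the TF-IDF vocabulary used in the deck:
    each source asset is a document, each process it runs is a term."""
    term_counts = defaultdict(Counter)   # asset -> Counter{process: connection count}
    destinations = defaultdict(set)      # (asset, process) -> distinct destination assets
    for src, proc, dst in connections:
        term_counts[src][proc] += 1
        destinations[(src, proc)].add(dst)
    return term_counts, destinations


def document_frequency(term_counts):
    """Number of assets (documents) on which each process (term) appears."""
    df = Counter()
    for counts in term_counts.values():
        df.update(counts.keys())
    return df


def idf(df, n_docs, process):
    """Smoothed inverse document frequency (assumed here; the sklearn variant).
    A process present on every asset scores exactly 1.0; one seen on a single
    asset gets the most weight."""
    return math.log((1 + n_docs) / (1 + df[process])) + 1.0


def uda(destinations, asset, process):
    """Unique Destination Assets: distinct destinations reached by this process from this asset."""
    return len(destinations.get((asset, process), ()))


def score_processes(connections):
    """Score every (asset, process) pair as tf * idf * UDA.
    tf is the share of the asset's connections made by the process; multiplying
    by UDA is this example's assumed way of rewarding fan-out."""
    term_counts, destinations = build_corpus(connections)
    df = document_frequency(term_counts)
    n_docs = len(term_counts)
    scores = {}
    for asset, counts in term_counts.items():
        total = sum(counts.values())
        for process, count in counts.items():
            tf = count / total
            scores[(asset, process)] = tf * idf(df, n_docs, process) * uda(destinations, asset, process)
    return scores


def top_spreading(connections, k=3):
    """Highest-scoring pairs first: rare processes fanning out from one asset."""
    scores = score_processes(connections)
    return sorted(scores.items(), key=lambda item: item[1], reverse=True)[:k]


if __name__ == "__main__":
    for (asset, process), score in top_spreading(SAMPLE_CONNECTIONS):
        print(f"{asset:8} {process:12} score={score:.3f}")
```

On the constructed data, svchost.exe runs on every asset and gets an IDF of exactly 1.0, chrome.exe is slightly rarer, and updater.exe appears on one asset only but reaches five distinct destinations, so (host-03, updater.exe) dominates the ranking. Two caveats follow from the construction: a legitimate deployment or patching tool fans out in exactly the same way, which is why the deck speaks of "suspicious (legit/malicious)" processes and why the explainability of the score matters to the analyst; and once a process has spread to most of the fleet its IDF collapses, so this scoring favours early or partial spread over commodity processes that are already everywhere.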

The benefits of the solution approach
● The approach is simple to understand and to implement.
● Explainability
  ○ The ability to provide a clear, detailed explanation for each detection.
● Automated metrics for the analysts
  ○ Generate and present the relevant information in a way that is easy to understand and interpret.

© 2024 AKAMAI TECHNOLOGIES
Adaptive Segmentation Use Cases
Quick Response to Threats: mitigate malicious behavior on the workload and network level.
Emerging Threats and Active Campaigns: virtually patch workloads with critical CVEs and apply APT preventative measures.
Attack Surface Reduction: minimize lateral movement risk by reducing unused communication paths.
Infrastructure Misconfiguration: detect Active Directory misconfigurations and suggest remediation steps.
Policy Drift: analyze application and network composition changes that might affect the current policy and suggest remediation steps.

Quick Response to Threats
Polyfill.io Attack
● Massive supply chain attack executed through CDNs
● Polyfill.io library compromised with injected malicious JavaScript
● Impacted a range of 100,000 to over 10 million websites
● Found in 35% of customer environments
Hunt Recommendations (June 25, 2024):
● Block access to malicious websites (known malicious domains)
● Change passwords and schedule rotations
● Implement MFA authentication

Emerging Threats and Active Campaigns
XZ Utils Backdoor
Hunt detected ransomware-related commands run on a workload vulnerable to the XZ Utils backdoor, with evidence of internet-originating traffic.
Hunt Recommendations:
● Quarantine the affected asset
● Patch the liblzma package
● Apply block rules to reduce the attack surface

Malware Detection and Remediation
Malware Detected
Hunt detected malware trying to connect into the network over a SOCKS5 proxy running on the workload; the customer struggled to investigate the breadth of the attack due to lack of coverage.
Hunt Recommendations:
● Expand network visibility by deploying more agents
● Deploy Internet-Internal block rulesets

Raw data
● Malware Analysis:
  ○ Malware: client-windows-x64.exe
  ○ Analysis: Symbol-stripped binary forwarding SOCKS5 traffic to an attacker-controlled server. Uses a hardcoded key and parameter for command execution.
  ○ Purpose: To tunnel communication from the network to the internet.
● Visibility Issue:
  ○ Impact: Unable to analyze the Linux malware due to visibility issues.
● Compromised Servers:
  ○ Linux Server: Believed to be the initial access vector.
  ○ Windows Hosts: Executed local and Active Directory dumping tools and ran network scans on administrative ports, possibly indicating use of the smbexec tool.
● Prior Activity:
  ○ Detection: Numerous known-malicious IP addresses attempting connections to internet-facing servers.
  ○ Recommendation: Deploy block rules to deny these attempts.
Customer Notifications:
● We continuously notified the customer of new details as they emerged during the investigation.

Recommendations
Expand Network Visibility:
● Fix the visibility issue on asset asset_prod and install agents on the other network assets.
Ruleset Recommendations:
● Deploy Internet-Internal Block Rulesets:
  ○ Leverage internal policies to block SMB (445) traffic from the internet.
● Deploy Internal-Internal Block Rulesets:
  ○ Allow administrative traffic (SSH, SMB, RDP, RPC) only for legitimate applications, to deny lateral movement possibilities.
● Restrict Traffic to FTP Servers:
  ○ Multiple FTP servers are being scanned by various malicious internet IPs. Deploy a block FTP rule (ports 20, 21) that allows only legitimate hosts to access the FTP interface.
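The three ruleset recommendations above, expressed as an added dry-run check over connection records. This is example code, not Akamai Hunt or Guardicore policy code. The allowlists (jump host 10.0.1.10 as the only admin source, 10.0.5.5 as the FTP server, 10.0.2.20 as its legitimate client), the use of the RFC 1918 ranges as "internal", and the flows themselves are all constructed for the illustration.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Ports named in the recommendations (SSH, RPC, SMB, RDP) and the FTP pair.
ADMIN_PORTS = {22: "SSH", 135: "RPC", 445: "SMB", 3389: "RDP"}
FTP_PORTS = {20, 21}
# Assumption: RFC 1918 space stands in for "internal"; anything else is the internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical allowlists standing in for the "legitimate applications/hosts" of
# the slide; in a real deployment these come from the segmentation policy.
ADMIN_SOURCES = {ipaddress.ip_address("10.0.1.10")}   # assumed jump host
FTP_SERVERS = {ipaddress.ip_address("10.0.5.5")}       # assumed FTP server
FTP_CLIENTS = {ipaddress.ip_address("10.0.2.20")}      # assumed legitimate FTP client


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def evaluate(flow):
    """First-match evaluation of one flow against the three recommended rulesets.
    Returns (verdict, reason) so an analyst can see which rule would fire."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    # Internet-Internal: SMB from the internet is never legitimate.
    if not is_internal(src) and is_internal(dst) and flow.dport == 445:
        return "BLOCK", "internet->internal SMB (445)"
    # Internal-Internal: admin protocols only from the allowlisted admin sources.
    if is_internal(src) and is_internal(dst) and flow.dport in ADMIN_PORTS and src not in ADMIN_SOURCES:
        return "BLOCK", f"internal {ADMIN_PORTS[flow.dport]} from non-admin source {src}"
    # FTP servers: only allowlisted clients may reach the FTP interface.
    if dst in FTP_SERVERS and flow.dport in FTP_PORTS and src not in FTP_CLIENTS:
        return "BLOCK", f"FTP from non-allowlisted client {src}"
    return "ALLOW", "no block rule matched"


# Constructed flows, not customer data.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "10.0.3.15", 445),   # internet scanner probing SMB
    Flow("10.0.3.15", "10.0.3.16", 445),     # workstation-to-workstation SMB: a lateral movement path
    Flow("10.0.1.10", "10.0.3.16", 3389),    # RDP from the jump host
    Flow("198.51.100.9", "10.0.5.5", 21),    # internet IP scanning the FTP server
    Flow("10.0.2.20", "10.0.5.5", 21),       # the legitimate FTP client
    Flow("10.0.3.15", "10.0.4.80", 443),     # ordinary HTTPS, untouched by the rulesets
]


def report(flows):
    """Verdict counts plus the blocked flows with reasons: a dry run of the
    rulesets over observed traffic before they are enforced."""
    verdicts = Counter()
    blocked = []
    for flow in flows:
        verdict, reason = evaluate(flow)
        verdicts[verdict] += 1
        if verdict == "BLOCK":
            blocked.append((flow, reason))
    return verdicts, blocked


if __name__ == "__main__":
    verdicts, blocked = report(SAMPLE_FLOWS)
    print(dict(verdicts))
    for flow, reason in blocked:
        print(f"{flow.src:>15} -> {flow.dst}:{flow.dport}  {reason}")
```

Running the rulesets as a dry run over recorded flows first is the practical way to see what a new block rule would break before enforcing it. Note also what an IP-and-port check cannot express: the slide asks for admin traffic "only for legitimate applications", which needs the process identity that the agent described in the appendix provides; with IP-only data the best available approximation is the source allowlist used here.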

Infrastructure Misconfiguration
Misconfigured AD
Hunt detected several users incorrectly added to the Domain Admins group, which opens potential paths to administrative privileges. This misconfiguration poses a significant risk of unauthorized access to domain admin rights.
Hunt Deliverables:
● Step-by-step guide to remove the permission
● Recommendations for monitoring and reviewing admin privileges

Attack Surface Reduction
Overly permissive rules
Hunt detected an overly permissive rule on one of the PCI applications and reduced the allowed communication to the specific set of IPs in use, instead of the wide range of subnets allowed before.
Hunt Recommendations:
● Reduce rule scope only to the IPs in use

Appendix: Defending against breach with microsegmentation

No Segmentation, only data centre perimeter
Servers on one big flat data centre network inside the perimeter; hardware firewalls sit only at the internet edge (internet firewall). Only North-South traffic is controlled.

Traditional Network Segmentation
Servers (Web, App, DB) in different network segments; hardware firewalls control the traffic flows between segments and at the internet edge (internet firewall). North-South and East-West traffic can be controlled.

Maersk ransomware problem in 2017…
NotPetya, starting from the AD server in Ukraine, wiped the replicated AD servers worldwide; the AD server in Ghana escaped only because of a power outage!!!
https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/

Let’s look at a server…
Application Server A: operating system, Application A, Agents A, B, C, D, one IP address.
A traditional firewall sees only IP address/proto/port, e.g.
To: 172.16.44.52 UDP/15445
From: Server IP UDP/random port

Let’s add GC agent
Application Server A: operating system, Application A, Agents A, B, C, D, plus the GC agent.
The agent sees
To: 172.16.44.52 UDP/15445
From: Server IP UDP/random port
and, in addition, the process name and ID, hash, and more.

The agent allows you to get feedback and control at a different level of abstraction than a traditional FW.

Path to Segmentation
Rapid Ringfencing with AI: create software-defined Zero Trust (micro)perimeters with a few clicks.
Immediate Risk Reduction: apply curated essential policies as your first line of defense.
Expert Tailored Response to Emerging Threats and Risks: mitigate threats, risks and policy drift with security-focused policy recommendations.