Advanced Technologies vs. Advanced Threats
Timur Biyachuev, VP Threat Research
19-03-19
Kaspersky's Threat Research Team: Facts About Us

«The malware research team has a well-earned reputation for rapid and accurate malware detection» (Gartner)

«As far as test results from the independent labs go, Kaspersky is utterly golden. It consistently receives top ratings from the major labs.» (PC Magazine)

350+ threat analysts, developers, researchers and data scientists
Expert support and technologies for 30+ products and services
5+ billion malware objects
2+ petabytes of TI data
260+ patents
346,000 new malicious files detected every day
141,000 new spam letters detected every day

Units: Anti-Malware Research, Content-Filtering Research, Technology Research, Whitelisting Lab, Data Science Lab, Software Security
Modern Threat Landscape
APT Landscape. KL Public Announcements

֍ Octopus, ֍ MuddyWater, ֍ AppleJeus, ֍ Olympic Destroyer, ֍ Dark Tequila, ֍ LuckyMouse, ֍ VPNFilter, ֍ Zebrocy, ֍ Roaming Mantis, ֍ Ploutos

Metel, Duqu 2.0, Turla over Satellite, Sofacy, Darkhotel, ProjectSauron, Stuxnet, TeamSpy - part 2, Adwind, StoneDrill, Naikon, MsnMM, Saguaro, Shamoon 2.0, Duqu, Miniduke, BlueNoroff, CosmicDuke, Hellsing, Lazarus campaigns, Hades, StrongPity, WannaCry, Gauss, RedOctober, Lurk, ExPetr/NotPetya, Regin, Flame, Icefog, ATMitch, Careto / The Mask, Carbanak, GCMan, Moonlight Maze, miniFlame, Winnti, Wild Neutron, Ghoul, Epic Turla, Desert Falcons, Poseidon, ShadowPad, NetTraveler, Blue Termite, Fruity Armor, WhiteBear, Energetic Bear / Crouching Yeti, Equation, Danti, BlackOasis, Spring Dragon, ScarCruft, Silence, Kimsuky, Animal Farm, Dropping Elephant
Advanced Threat Taxonomy

Attack preparation
• gather data
• prepare strategy

Delivery
• new domain
• «gray domain»
• payload/command delivery

C&C
• rapid
• silent
• no immediate damage

Lateral movement
• non-malware
• hidden
• encrypted

Execution
• hide inside normal activities
• steal credentials
• no violation of anything

Damage & silent leave
• hide the traces
• erase from logs
• leave a backdoor
Threat Landscape requires new approaches

Prevent: prevention systems, ~100% known evil, automatic («if possible, automatically prevent...»)
Detect: detection systems, <100% known evil, automatic + check («...if possible, automatically detect...»)
Find: threat hunting, unknown evil, manual

Endpoint protection covers Prevent; advanced threat detection and services cover Detect and Find.


Advanced Prevention
Automatic Exploit Prevention
Beyond multi-layered approach

• Classical multilayered approach is not effective against modern threats
• Attacker has an advantage
• Our approach: decision based on threat context

Threat context is assembled from four sources: cloud data, emulation data, behavior data and ML-model data.
Beyond multi-layered approach

Layers, from the classic detection routine upwards:
• Signatures, masks and hashes
• Heuristics based on emulation logs (Binary and Script Emulator)
• Machine learning models
• Cloud detection (KSN)
• Heuristics based on execution logs
• Automatic Exploit Prevention
• Deep learning utilizing execution logs (BehavioralModel, prototype)
Kaspersky multilayered machine learning

Astraea: expert system for metadata aggregation; ML cloud requests without a model on the client
Decision tree ensemble: built by gradient boosting technique on emulation logs
Behavioral Model: deep learning utilizing execution logs
Locality-Sensitive Hashing: built by orthogonal projection learning routines; cure and detection
Adaptive Anomaly Control
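The locality-sensitive hashing layer above groups files whose feature vectors are close, so one hash covers a whole family of repacked builds. The example below is added here to show the mechanism and is not Kaspersky's code: the PE feature layout, the baseline/scale table, the three sample vectors and the family lookup are constructed for illustration, and a fixed Walsh-Hadamard basis (orthogonal rows) stands in for the learned orthogonal projection the slide mentions.

```python
"""Locality-sensitive hash of PE feature vectors by the sign of orthogonal
projections. Added illustration, not Kaspersky's implementation: the feature
set, the baseline/scale table and the three sample vectors are constructed,
and a fixed Walsh-Hadamard basis stands in for a learned projection."""
from __future__ import annotations
import math

# Constructed feature layout for a PE file (order matters: it is the vector index).
FEATURES = ["entropy", "n_sections", "n_imports", "n_exports",
            "size_kb", "has_tls", "has_reloc", "overlay_kb"]

# Constructed "typical benign PE" baseline and per-feature scale, used to centre
# and normalise raw values so no single feature dominates the projection.
BASELINE = {"entropy": 6.0, "n_sections": 5, "n_imports": 100, "n_exports": 0,
            "size_kb": 500, "has_tls": 0, "has_reloc": 1, "overlay_kb": 0}
SCALE = {"entropy": 0.5, "n_sections": 1, "n_imports": 50, "n_exports": 10,
         "size_kb": 250, "has_tls": 1, "has_reloc": 1, "overlay_kb": 100}


def hadamard_basis(dim: int) -> list[list[float]]:
    """Orthonormal rows of the natural-order Walsh-Hadamard matrix (dim = power of 2).
    Entry (i, j) is (-1)^popcount(i & j); the rows are mutually orthogonal."""
    assert dim & (dim - 1) == 0, "dim must be a power of two"
    norm = 1.0 / math.sqrt(dim)
    return [[norm * (-1) ** bin(i & j).count("1") for j in range(dim)]
            for i in range(dim)]


BASIS = hadamard_basis(len(FEATURES))


def normalise(raw: dict[str, float]) -> list[float]:
    return [(raw[f] - BASELINE[f]) / SCALE[f] for f in FEATURES]


def similarity_hash(raw: dict[str, float]) -> int:
    """Bit i is 1 when the normalised vector projects non-negatively on BASIS[i].
    Nearby vectors fall on the same side of most hyperplanes, so they share bits."""
    vec = normalise(raw)
    bits = 0
    for i, row in enumerate(BASIS):
        if sum(x * r for x, r in zip(vec, row)) >= 0:
            bits |= 1 << i
    return bits


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def lookup(raw: dict[str, float], known: dict[str, int], max_distance: int = 2) -> str | None:
    """Nearest known family whose hash is within max_distance bits, else None."""
    h = similarity_hash(raw)
    best = min(known.items(), key=lambda kv: hamming(h, kv[1]), default=None)
    if best is not None and hamming(h, best[1]) <= max_distance:
        return best[0]
    return None


# Constructed sample vectors: two repacked builds of one dropper and a benign tool.
SAMPLES = {
    "packed_dropper_a": {"entropy": 7.5, "n_sections": 3, "n_imports": 10, "n_exports": 0,
                         "size_kb": 250, "has_tls": 1, "has_reloc": 0, "overlay_kb": 200},
    "packed_dropper_b": {"entropy": 7.4, "n_sections": 3, "n_imports": 12, "n_exports": 0,
                         "size_kb": 275, "has_tls": 1, "has_reloc": 0, "overlay_kb": 220},
    "benign_tool":      {"entropy": 6.2, "n_sections": 6, "n_imports": 180, "n_exports": 20,
                         "size_kb": 900, "has_tls": 0, "has_reloc": 1, "overlay_kb": 0},
}

if __name__ == "__main__":
    known = {"dropper_family": similarity_hash(SAMPLES["packed_dropper_a"])}
    for name, feats in SAMPLES.items():
        h = similarity_hash(feats)
        print(f"{name:18} hash={h:08b} match={lookup(feats, known)}")
```

With these constructed vectors the two dropper builds land on the same 8-bit hash while the benign tool differs in six bits, which is why a single family hash can both detect and, on the cure side, select the matching disinfection routine for variants never seen before. In practice the basis is learned rather than fixed and the hash is far longer than 8 bits; the sign-of-projection step is the same.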
Advanced Detection
Targeted Attack Analyzer. How it works

Detection of suspicious activities, walkthrough 1 (each step is one event reported by the endpoint agent, KES, followed by the conclusion KATA draws from it):

• Spear-phishing: Machine 1 downloads a WinPE executable from an external web server. KES: host downloaded WinPE executable from IP. KATA: well-known executable or IP?
• KATA: unpopular executable or IP, host 1.
• KES on Machine 2: suspicious service is created. KATA: suspicious service, 1 host.
• KES on Machine 3: suspicious service is created. KATA: suspicious service, 2 hosts.
• KES on Machine 4: suspicious service is created. KATA: suspicious service, 3 hosts.
• KATA correlates the indicators (unpopular executable or IP on host 1; suspicious service on 3 hosts): Trojan-banker.Carbanak.b.
Detection of suspicious activities, walkthrough 2:

• Spear-phishing: Machine 1 downloads a WinPE executable from an external web server. KES: host downloaded WinPE executable from IP. KATA: well-known executable or IP?
• KATA: unpopular executable or IP, host 1.
• KES on Machine 2: PowerShell in service. KATA: suspicious service, PowerShell inside.
• TAA Agent: connection to IP from PowerShell. KATA: well-known IP? No: unpopular IP.
• KATA correlates the indicators (unpopular executable or IP on host 1; suspicious service with PowerShell inside; unpopular IP): Trojan-banker.Carbanak.c.
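Both walkthroughs above rest on the same mechanism: single events that are harmless on their own (a download, a new service, a PowerShell connection) are scored by popularity and counted across hosts, and only the combination becomes a verdict. The correlator below is an added example, not KATA or KES code: the event schema, the prevalence table (a constructed stand-in for a cloud reputation lookup such as KSN), the host threshold and the three constructed scenarios are all assumptions.

```python
"""Cross-host correlation of endpoint telemetry in the style of the Targeted
Attack Analyzer walkthroughs. Added illustration, not KATA/KES code: the
event schema, the prevalence table and the thresholds are constructed."""
from __future__ import annotations
from collections import defaultdict

# Constructed reputation table: how many hosts have ever seen the object.
# Documentation (TEST-NET) addresses and short fake hashes; absent => never seen.
PREVALENCE = {
    "sha256:1f2e3d4c": 1_200_000,   # widely deployed signed installer
    "ip:93.184.216.34": 5_000_000,  # popular download server
    "sha256:9a8b7c6d": 0,           # dropper from the phishing mail
    "ip:203.0.113.10": 0,           # attacker web server
    "ip:198.51.100.7": 0,           # attacker C&C
}
POPULARITY_THRESHOLD = 100   # fewer sightings than this => "unpopular"
SERVICE_HOST_THRESHOLD = 3   # suspicious service on this many hosts => lateral movement


def unpopular(key: str) -> bool:
    return PREVALENCE.get(key, 0) < POPULARITY_THRESHOLD


def correlate(events: list[dict]) -> dict[str, set[str]]:
    """Map each indicator to the set of hosts it fired on. Every event is
    ordinary by itself; the verdict is drawn from the combination."""
    hits: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        host, kind = ev["host"], ev["kind"]
        if kind == "download" and ev["file_type"] == "WinPE":
            if unpopular("sha256:" + ev["sha256"]) or unpopular("ip:" + ev["src_ip"]):
                hits["unpopular executable or IP"].add(host)
        elif kind == "service_created":
            if "powershell" in ev["image"].lower():
                hits["suspicious service: powershell inside"].add(host)
            elif unpopular("sha256:" + ev.get("sha256", "")):
                hits["suspicious service: unpopular image"].add(host)
        elif kind == "net_connect" and "powershell" in ev["process"].lower():
            if unpopular("ip:" + ev["dst_ip"]):
                hits["unpopular IP from PowerShell"].add(host)
    return dict(hits)


def verdict(hits: dict[str, set[str]]) -> tuple[str, str]:
    entry = hits.get("unpopular executable or IP", set())
    svc = hits.get("suspicious service: unpopular image", set())
    ps_svc = hits.get("suspicious service: powershell inside", set())
    ps_c2 = hits.get("unpopular IP from PowerShell", set())
    if entry and len(svc) >= SERVICE_HOST_THRESHOLD:      # walkthrough 1
        return ("incident", "lateral-movement-via-service")
    if entry and ps_svc and ps_c2:                         # walkthrough 2
        return ("incident", "powershell-service-beacon")
    if entry or svc or ps_svc or ps_c2:
        return ("suspicious", "isolated-indicators")
    return ("clean", "nothing-unusual")


# Constructed event streams for the two walkthroughs and one benign day.
SCENARIO_SERVICE = [
    {"host": "machine1", "kind": "download", "file_type": "WinPE",
     "sha256": "9a8b7c6d", "src_ip": "203.0.113.10"},
    {"host": "machine2", "kind": "service_created", "image": r"C:\Windows\Temp\svchost.exe", "sha256": "9a8b7c6d"},
    {"host": "machine3", "kind": "service_created", "image": r"C:\Windows\Temp\svchost.exe", "sha256": "9a8b7c6d"},
    {"host": "machine4", "kind": "service_created", "image": r"C:\Windows\Temp\svchost.exe", "sha256": "9a8b7c6d"},
]
SCENARIO_POWERSHELL = [
    SCENARIO_SERVICE[0],
    {"host": "machine2", "kind": "service_created", "image": "powershell.exe -w hidden -nop"},
    {"host": "machine2", "kind": "net_connect", "process": "powershell.exe", "dst_ip": "198.51.100.7"},
]
SCENARIO_BENIGN = [
    {"host": "machine1", "kind": "download", "file_type": "WinPE",
     "sha256": "1f2e3d4c", "src_ip": "93.184.216.34"},
    {"host": "machine1", "kind": "service_created", "image": r"C:\Program Files\Vendor\agent.exe", "sha256": "1f2e3d4c"},
]

if __name__ == "__main__":
    for name, scenario in [("service", SCENARIO_SERVICE), ("powershell", SCENARIO_POWERSHELL), ("benign", SCENARIO_BENIGN)]:
        print(name, verdict(correlate(scenario)))
```

Note what the host count buys: with the same download and only two service creations the verdict stays at "suspicious", exactly as in the intermediate slides, and the benign scenario never leaves "clean" because every object in it is popular.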
Advanced Sandbox. How it works

10+
patents

kaspersky.com/TechnoWiki
Advanced Sandbox: Adaptive sandboxing technologies

• Adaptive Sandboxing
• Allows the analyst to control the behavior of the sample during execution in the isolated environment
• Case study: Purgen
• Uses anti-evasion techniques during the first 15 minutes of execution
• Case study: Upatre
• Checks the uptime of the system
• Checks the environment
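The Purgen and Upatre cases above are the two classic sandbox evasions: stall long enough that the analysis budget runs out, and refuse to run on a machine that looks freshly booted. The simulation below is an added example, not Kaspersky's sandbox: the Sleep/GetTickCount hook API, the constructed sample that combines both checks, and the 120 s analysis budget are assumptions. It contrasts three ways a sandbox can treat a Sleep call and shows why simply skipping sleeps is not enough.

```python
"""Virtual-time sandboxing against stalling and uptime checks. Added
illustration, not Kaspersky's sandbox: the hook API, the constructed sample
(modelled on the Purgen and Upatre cases) and the budget are assumptions."""
from __future__ import annotations


class AnalysisTimeout(Exception):
    """Raised when the sample has used up the analysis budget without acting."""


class SandboxApi:
    """Stand-in for Sleep/GetTickCount hooks inside the guest.
    mode "wait":     the sample really waits; wall time comes off the budget
    mode "skip":     Sleep returns at once but the clock is not touched
    mode "adaptive": Sleep returns at once and a virtual clock advances instead"""

    def __init__(self, mode: str, budget_s: float = 120.0,
                 boot_uptime_s: float = 3 * 24 * 3600):
        self.mode = mode
        self.budget_s = budget_s
        self.wall_spent = 0.0               # seconds the analysis really waited
        self.virtual_s = 0.0                # seconds the sample believes have passed
        self.boot_uptime_s = boot_uptime_s  # uptime reported at analysis start (3 days)
        self.calls: list[tuple[str, float]] = []

    def sleep(self, seconds: float) -> None:
        self.calls.append(("Sleep", seconds))
        if self.mode == "wait":
            self.wall_spent += seconds
            if self.wall_spent > self.budget_s:
                raise AnalysisTimeout(f"budget of {self.budget_s:.0f}s exhausted inside Sleep")
        elif self.mode == "adaptive":
            self.virtual_s += seconds
        # "skip": return immediately, clock untouched

    def tick_count(self) -> int:
        """GetTickCount stand-in: milliseconds since boot as seen by the sample."""
        elapsed = self.wall_spent if self.mode == "wait" else self.virtual_s
        return int((self.boot_uptime_s + elapsed) * 1000)


def stalling_sample(api: SandboxApi, trace: list[str]) -> None:
    """Constructed sample: stalls 15 minutes in one-second sleeps (Purgen-style),
    refuses a freshly booted machine (Upatre-style) and checks that the stall
    really consumed 15 minutes of clock time before dropping its payload."""
    start = api.tick_count()
    for _ in range(15 * 60):
        api.sleep(1)
    if api.tick_count() < 10 * 60 * 1000:
        trace.append("exit: machine up less than 10 minutes, probably a sandbox")
        return
    if api.tick_count() - start < 15 * 60 * 1000:
        trace.append("exit: Sleep returned early, sandbox skipped it")
        return
    trace.append("drop payload.exe")
    trace.append("connect to C&C")


def run(mode: str) -> list[str]:
    api = SandboxApi(mode)
    trace: list[str] = []
    try:
        stalling_sample(api, trace)
    except AnalysisTimeout as exc:
        trace.append(f"analysis ended: {exc}")
    return trace


if __name__ == "__main__":
    for mode in ("wait", "skip", "adaptive"):
        print(mode, run(mode))
```

Only the adaptive mode reaches the payload: waiting burns the budget, and skipping sleeps without advancing the clock is itself detectable because the sample compares tick counts around the stall. Consistency between every time source the sample can read (tick count, uptime, file timestamps) is the real requirement.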
Advanced Sandbox: Exploit Checker technology

• Exploit Checker
• Detects anomalies in a running process: exceptions, allocation of memory and transfer of execution into it, and similar events. No single event is conclusive; the combination of events is the detection of a possible exploit
• Case study: Microcin
• During the pilot, we discovered an exploit that was detected by Exploit Checker
• Case study: Vulnerability in game driver
• The driver could be sent code that it then executed in kernel mode
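The Exploit Checker idea above is a per-process correlation: an exception, memory that becomes executable at run time, and a jump into that memory are each normal on their own (JIT compilers allocate RWX pages, programs handle exceptions), but together within a short window they look like a hijacked control flow landing in shellcode. The checker below is an added example, not Kaspersky's implementation: the sandbox event schema, the 2-second window and the three constructed traces are assumptions.

```python
"""Exploit Checker-style correlation over a per-process sandbox event trace.
Added illustration, not Kaspersky's implementation: the event schema, the
window and the constructed traces are assumptions."""
from __future__ import annotations

WINDOW_MS = 2000  # an exception this close before the control transfer is suspicious
EXEC_PROTECT = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ",
                "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}


def check_exploit(events: list[dict]) -> list[dict]:
    """Alert when, inside one process, execution is transferred into memory
    that was made executable at run time and an exception occurred shortly
    before. Image-backed code (DLLs, the main module) is never registered as
    a region, so ordinary calls into loaded modules cannot fire the rule."""
    per_pid: dict[int, dict] = {}
    alerts: list[dict] = []
    for ev in sorted(events, key=lambda e: e["t"]):
        st = per_pid.setdefault(ev["pid"], {"last_exception": None, "regions": []})
        kind = ev["kind"]
        if kind == "exception":
            st["last_exception"] = ev["t"]
        elif kind in ("alloc", "protect") and ev["protect"] in EXEC_PROTECT:
            st["regions"].append((ev["base"], ev["size"], ev["t"]))  # runtime executable memory
        elif kind == "exec_transfer":
            exc_t = st["last_exception"]
            for base, size, made_exec_t in st["regions"]:
                inside = base <= ev["target"] < base + size
                if inside and exc_t is not None and 0 <= ev["t"] - exc_t <= WINDOW_MS:
                    alerts.append({"pid": ev["pid"], "exception_t": exc_t,
                                   "region_base": base, "made_executable_t": made_exec_t,
                                   "transfer_t": ev["t"], "target": ev["target"]})
    return alerts


# Constructed traces (times in ms). Document viewer hit by an exploit: a spray
# of writable memory, an access violation, the sprayed region flipped to RWX,
# then control lands in it.
EXPLOIT_TRACE = [
    {"t": 100, "pid": 1234, "kind": "alloc", "base": 0x0C0C0000, "size": 0x100000, "protect": "PAGE_READWRITE"},
    {"t": 350, "pid": 1234, "kind": "exception", "code": "STATUS_ACCESS_VIOLATION"},
    {"t": 360, "pid": 1234, "kind": "protect", "base": 0x0C0C0000, "size": 0x100000, "protect": "PAGE_EXECUTE_READWRITE"},
    {"t": 365, "pid": 1234, "kind": "exec_transfer", "target": 0x0C0C0C0C, "source": "ntdll.dll"},
]
# A JIT does the same alloc-then-jump with no exception: must stay quiet.
JIT_TRACE = [
    {"t": 10, "pid": 4321, "kind": "alloc", "base": 0x1F000000, "size": 0x10000, "protect": "PAGE_EXECUTE_READWRITE"},
    {"t": 20, "pid": 4321, "kind": "exec_transfer", "target": 0x1F000040, "source": "jit.dll"},
]
# A handled exception followed by a call into an image-backed module: no region, no alert.
HANDLED_EXCEPTION_TRACE = [
    {"t": 5, "pid": 777, "kind": "exception", "code": "STATUS_ACCESS_VIOLATION"},
    {"t": 10, "pid": 777, "kind": "exec_transfer", "target": 0x7FF612340000, "source": "kernel32.dll"},
]

if __name__ == "__main__":
    for name, trace in [("exploit", EXPLOIT_TRACE), ("jit", JIT_TRACE), ("handled", HANDLED_EXCEPTION_TRACE)]:
        print(name, check_exploit(trace))
```

The kernel-driver case on the slide is the same pattern one ring lower: code supplied from user mode becomes executable in kernel context, and a checker placed at the right boundary sees the transfer, not the bug that enabled it.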
Threat Hunting
Inside Cloud
Kaspersky Technowiki: Advanced Cybersecurity technologies

kaspersky.com/TechnoWiki
The end!
Kaspersky Lab HQ
39A/3 Leningradskoe Shosse
Moscow, 125212, Russian Federation
Tel: +7 (495) 797-8700
www.kaspersky.com