
Coping with malware


For LIS 510 "Information Security and Privacy."

Dorothea Salo

March 26, 2021


Transcript

  1. Coping with malware
    Dorothea Salo


  2. Jargon File: “ATTACK SURFACE”
    ✦ How much opportunity you are giving attackers
    to compromise you.


    ✦ A function of:


    ✦ How many different systems / software / platforms you’re using
    (more systems, more problems!)


    ✦ How exposed to the open Internet you and your systems are


    ✦ How sensible your (physical, digital/online, and human) security
    practices are


    ✦ Whether your systems / software / platforms are common attack
    targets


    ✦ Whether YOU are a particularly desirable or common attack target


  3. Jargon File: “INDICATOR OF COMPROMISE”
    ✦ often abbreviated to IOC or IoC


    ✦ A recognizable sign that a given kind of malware
    has gotten into a system


    ✦ Could be a file left behind (or altered or deleted), a system behavior,
    distinctive network traffic… lots of things.


    ✦ Answers the question “How can I tell if I’ve got MirEmoLoveBleed in
    my network or systems or endpoints anywhere?”


    ✦ MITRE ATT&CK offers these for the TTPs it lists where possible. All
    responsible bug-hunters try to find and publicize them. Hugely
    important for both prevention and remediation!


    ✦ Antivirus/antimalware builds these into its list of
    malware “SIGNATURES.”


  4. A malware taxonomy
    ✦ MALWARE: Umbrella term for software intended to mess
    with a system and/or its security in some way


    ✦ “mal-” is a Latin prefix meaning “bad.”


    ✦ WAREZ: Slang. Malware available for easy download and use. (Sometimes used
    for “illegally-obtained information available for download.”)


    ✦ There are LOTS of kinds of malware! Some
    characteristics often used to classify them:


    ✦ What they target: “Windows malware” “Android malware” “browser malware”


    ✦ How they spread and/or infect victims: virus/worm/Trojan


    ✦ What they do (often “-ware”): ransomware/adware/spyware


    ✦ I do not expect you to memorize all the different kinds
    of malware. I don’t think it’s useful.


    ✦ That’s a “figure it out if/when you need to” kind of thing.


  5. I do want you to know about:
    ✦ RANSOMWARE: malware that encrypts your data and
    asks you to pay for the decryption key


    ✦ Of late, ransomware has also been exfiltrating data and threatening to leak
    it if the ransom is not paid.


    ✦ SPYWARE/STALKERWARE: malware that reports out
    somewhere on the activities performed on the device,
    without the device’s user(s) knowing


    ✦ KEYLOGGER: Spyware that sends every keystroke typed (including on a
    mobile’s “keyboard”) somewhere


    ✦ Malware that adds endpoints to botnets


    ✦ BOTNET: A group of devices, often huge, that has been compromised such
    that an external device (“COMMAND-AND-CONTROL [SERVER]” or “C2”) can
    make the compromised devices do bad things (such as send spam email, or
    try to overwhelm a web or DNS server)


  6. Ransomware attackers are garbage humans.
    ✦ Common targets: hospitals (particularly during
    the COVID-19 pandemic), schools


    ✦ This is partly because they’re known to be soft targets, but some
    ransomware attackers just seem to prefer them.


    ✦ One known death due to a ransomwared
    hospital.


    ✦ One is an extremely unlikely number.


    ✦ Just. How can these people even sleep at night.


  7. Ransomware defenses
    ✦ Backups, backups, BACKUPS. And test them!


    ✦ The ideal backup is at least partially “airgapped” from your computer. (Tape
    backup is good here!) Backups that look to the OS like ordinary drives (“share
    drives,” persistent cloud storage) will be ransomwared just like ordinary drives.


    ✦ Sophisticated ransomware will specifically try to go after backups.


    ✦ Good incident response. The sooner you detect and
    react to ransomware, the less hurt you’ll be.


    ✦ If you’re hit, before you despair and pay up, check to see
    if the ransomware has been cracked.


    ✦ Quite a lot of it has been. You may be able to get your data back without
    paying the ransom even if you don’t have a backup.


    ✦ DO NOT PAY, if you can possibly avoid it.


    ✦ It just encourages them!


    ✦ Some of them abscond with your payment… without giving you the key. So
    you’ve lost both your data and the ransom.


  8. Antivirus/antimalware
    ✦ Classically: works by “signature”


    ✦ That is, security researchers dissect malware files so that they can
    detect them later (e.g. when they show up as email attachments).


    ✦ The reason A/V software ties up your internet connection so often is to
    update its set of signatures.


    ✦ Four problems with this:


    ✦ The first people to run into a given piece of malware get pwned.
    Nobody’s figured out its signature yet!


    ✦ Assumes that malware is file-based. No longer a safe assumption!
    “Memory-resident malware” and malware that targets layers
    underneath the OS/filesystem (BIOS malware) both exist.


    ✦ It’s often possible to OBFUSCATE malware files to evade the usual
    signature-detection techniques, e.g. by re-encoding text.


    ✦ Malware on the web. Files are remote, where antivirus can’t see them!


  9. Should you use antivirus/antimalware software?
    ✦ On balance, it’s a good idea, but it’s also not the
    savior it once was.


    ✦ For people who are (for whatever reason) extra-likely to be (even
    accidentally) an attack target, definitely install it.


    ✦ One big caveat: don’t use it on a machine you
    plan to do infosec work from!


    ✦ When I tried to install Metasploit on my work laptop, the (work-
    mandated) A/V absolutely howled. Exploits, exploits everywhere!


    ✦ Palliative: do infosec work from a virtual machine (VM), or a cloud
    server. (I like DigitalOcean. Linode is another one.)


  10. Different (sometimes newer) techniques
    ✦ Heuristic analysis


    ✦ Establish a baseline for what your systems do, when, and how.
    (Remember that systems include people!)


    ✦ Then flag behavior that seems seriously weird and have a human
    being check it out (computers aren’t smart enough).


    ✦ AI/machine learning


    ✦ Same idea, only make the computer establish the baseline and look
    for deviations from it.


    ✦ Remember that computers are easily fooled, however.


    ✦ Strict limits on computing (“whitelisting”),
    especially software installation


    ✦ Users will HATE this, guaranteed. It’s only workable in highly-
    regulated situations — finance or similar.


  11. Would whitelisting work in higher ed?
    ✦ AHAHAHAHAHAHAHAHAHAHAHAHA no.


    ✦ Why not:


    ✦ An entire university represents an incredibly broad array of research and
    teaching and outreach and other activities. You just can’t lock that down the
    way you’d lock down (say) a bank. The work can’t get done like that!


    ✦ Academics (myself included) are exceptionally stubborn and annoying people.
    We don’t always listen to sense, and we resent limits.


    ✦ Research especially — the generation of new knowledge — often relies on very
    new OR very old OR very weird equipment and software. If the CISO tries to
    mess with research, THE CISO WILL LOSE. Won’t even be a close fight.


    ✦ This means exceptionally large attack surfaces across the whole university.


    ✦ This makes infosec work in universities amazingly
    difficult. Respect the CIO’s office here, folks. They have a
    tough job.


  12. The honeypot defense
    ✦ Deliberately put a vulnerable machine out there.


    ✦ Watch how it’s attacked. Learn.


    ✦ Sometimes honeypots become part of your IDS:
    if nobody interacts with a given machine except
    attackers, simply block anyone who tries to
    interact with it, because they’re an attacker!


    ✦ Similarly: put fake data in your database or data
    warehouse, as an early-warning system for
    compromises/leaks.


    ✦ Especially fake contact points (email addresses, textable phone
    numbers) that you monitor. Any contact is near-proof of a hack/leak!


  13. Randall Munroe, “xkcd: Network”


    https://www.xkcd.com/350/ CC-BY-NC


  14. So now what?
    ✦ Make systems less hackable (“REDUCE ATTACK
    SURFACE”).


    ✦ This runs into all the problems around training and incentives that I
    discussed… but malware has gotten so bad as to force better practices,
    at least in major attack points like OSes and browsers.


    ✦ You can do this for yourself, to some extent, by turning off
    communication services you’re not using, consciously limiting the
    software/apps you install, and deleting old unused software/apps.


    ✦ Don’t detect files; detect anomalous behavior.


    ✦ This is part of how “intrusion detection systems” (IDSes) work, also
    heuristics and AI/ML-based approaches.


    ✦ The major problem with this: anomaly is not the same as threat. Huge
    false-positive potential here!


    ✦ Some days we all act funny! That doesn’t mean we’ve suddenly started
    to hack our own machines and workplaces!


  15. In which Dorothea gets FURIOUS at a CISO
    ✦ As I’ve said already, privacy is a librarian thing and I am a
    librarian. Just as background.


    ✦ We librarians are supposed to let you explore the subjects you want to explore
    without looking over your shoulder. None of our business!


    ✦ There are presently efforts to change library-resource
    access technology, partly so content vendors have an easier
    time detecting “fraud” in e-resource use.


    ✦ Which does happen, but when it does, the library handles it discreetly, quietly, and
    INTERNALLY. Publishers don’t get to sue or hassle anybody!


    ✦ So a current effort (SNSI) brought in a pet CISO who
    touted anomalous-behavior detection.


    ✦ Corey Roach: “You can also move over to behavioral stuff. So it could be, you know,
    why is a pharmacy major suddenly looking up a lot of material on astrophysics or…
    Why is a medical professional and a hospital suddenly interested in internal
    combustion things that just don’t line up and we can identify fishy behavior.”


  16. EXCUSE THE HELL OUT OF YOU, COREY ROACH.
    THAT IS COMPLETELY ENTIRELY UTTERLY 100% UNACCEPTABLE
    AND UNETHICAL FOR LIBRARIES TO DO.


  17. And a personal story as illustration
    ✦ An anomalous-behavioral-detection system would
    have caught me red-handed in 2009-2010.


    ✦ I’m a librarian, technologist, and educator. That’s a
    lot of what I read, no surprise.


    ✦ I suddenly developed a devouring, anomalous-for-
    me interest in oncology. Specifically, “cancer of
    unknown primary origin.”


    ✦ It was in the process of killing my mother.


    ✦ Tell me my anomalous reading behavior was wrong
    or fraudulent, CISO Corey Roach. I DARE YOU.


    ✦ Tell me vendor profits entitle them to hassle me about that, CISO Corey
    Roach. I DOUBLE-DOG DARE YOU.


  18. And anyway…
    ✦ … why is it a bad thing for people to develop new
    interests?!


    ✦ In what universe should a pharmacy major be
    punished for suddenly thinking astrophysics is
    really freakin’ cool?


    ✦ Because, you know, astrophysics is really freakin’ cool.


    ✦ (Also, I’m pretty sure hospitals have, you know,
    vehicles and HVAC systems. Perhaps some other
    internal-combustion gadgetry too, I’m no medical
    technologist.)


  19. Moral of the story:
    Privacy and security are not the same thing.
    Security that abuses privacy is not a good tradeoff.
    Please become aware and stay aware of this.


  20. Questions? Ask them!
    This lecture is copyright 2018 by Dorothea Salo.


    It is available under a Creative Commons Attribution
    4.0 International license.
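
Slide 8's third problem with signatures (re-encoding defeats them) can be seen from the defender's side in this added example, which is not part of the original lecture. The marker string, the "known bad" sample and the signature set are constructed and harmless; `scan_normalized` is a hypothetical extra step that undoes one layer of base64 before matching.

```python
import base64
import hashlib
import re

# Constructed, harmless stand-ins: a byte pattern and the file researchers "dissected".
MARKER = b"DEMO-HARMLESS-MARKER-7f3a"
KNOWN_BAD = b"#!/bin/sh\necho " + MARKER + b"\n"

SIGNATURES = {
    "sha256": {hashlib.sha256(KNOWN_BAD).hexdigest()},   # exact-file signature
    "pattern": [re.compile(re.escape(MARKER))],          # byte-pattern signature
}

def scan(data: bytes) -> list[str]:
    """Classic signature scan: whole-file hash first, then byte patterns."""
    found = []
    if hashlib.sha256(data).hexdigest() in SIGNATURES["sha256"]:
        found.append("hash")
    if any(p.search(data) for p in SIGNATURES["pattern"]):
        found.append("pattern")
    return found

# Runs of 16+ base64-alphabet characters, with optional padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")

def scan_normalized(data: bytes) -> list[str]:
    """Scan the raw bytes, then the decoded form of each base64-looking run."""
    found = scan(data)
    for run in B64_RUN.findall(data):
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:          # not valid base64 after all; skip it
            continue
        found += [f"{hit} (after base64 decode)" for hit in scan(decoded)]
    return found

# Same content, different bytes on disk or on the wire.
PATCHED = KNOWN_BAD + b"# trailing comment\n"                 # hash misses, pattern hits
REENCODED = b"payload=" + base64.b64encode(KNOWN_BAD)         # both signatures miss

if __name__ == "__main__":
    for name, blob in [("original", KNOWN_BAD), ("patched", PATCHED), ("re-encoded", REENCODED)]:
        print(f"{name:11} raw={scan(blob)} normalized={scan_normalized(blob)}")
```

Normalization only covers the encodings it knows about and only one layer of them, which is why the slides go on to behavior-based detection.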
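
Slide 12's "fake contact points that you monitor" idea, as an added example that is not part of the original lecture. It assumes a mail domain (`canary.example`) that only the defender watches, constructed dataset names, and a constructed one-line-per-message mail log format. Each dataset gets its own fake address, so a hit also says which copy of the data leaked.

```python
import hashlib
import hmac
import re

CANARY_DOMAIN = "canary.example"    # assumption: mail here reaches only the defender
SECRET = b"constructed-demo-key"    # assumption: stored apart from the seeded data

def canary_address(dataset: str, secret: bytes = SECRET) -> str:
    """Derive one fake contact address per dataset so a hit names its source."""
    tag = hmac.new(secret, dataset.encode(), hashlib.sha256).hexdigest()[:12]
    return f"pat.{tag}@{CANARY_DOMAIN}"

def seed(rows: list[dict], dataset: str) -> list[dict]:
    """Return the rows plus one plausible record that no real person will ever contact."""
    return rows + [{"name": "Pat Quill", "email": canary_address(dataset)}]

# Constructed log format: <timestamp> from=<sender> to=<recipient>
LOG_LINE = re.compile(r"^(?P<ts>\S+) from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>")

def find_hits(log_lines, datasets, secret: bytes = SECRET):
    """Any mail to a canary address is an alert; map it back to the seeded dataset."""
    lookup = {canary_address(d, secret): d for d in datasets}
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                              # tolerate lines in other formats
        dataset = lookup.get(m["rcpt"].lower())   # addresses compared case-insensitively
        if dataset:
            hits.append((m["ts"], m["sender"], dataset))
    return hits

DATASETS = ["patron_db", "newsletter_export", "vendor_share"]   # constructed names
SAMPLE_LOG = [                                                   # constructed log lines
    "2021-03-26T09:14:02Z from=<alice@example.edu> to=<helpdesk@example.edu>",
    f"2021-03-26T11:40:51Z from=<promo@bulk-mailer.example> to=<{canary_address('vendor_share')}>",
    "unparseable line from another daemon",
    f"2021-03-27T02:03:10Z from=<x@unknown.example> to=<{canary_address('vendor_share').upper()}>",
]

if __name__ == "__main__":
    for ts, sender, dataset in find_hits(SAMPLE_LOG, DATASETS):
        print(f"ALERT {ts}: {sender} contacted the canary seeded in {dataset}")
```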
