Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Coping with malware

Coping with malware

For LIS 510 "Information Security and Privacy."

837b357dc46c47fc99560e03b8841a27?s=128

Dorothea Salo

March 26, 2021
Tweet

Transcript

  1. Coping with malware Dorothea Salo

  2. Jargon File: “ATTACK SURFACE” ✦ How much opportunity you are

    giving attackers to compromise you. ✦ A function of: ✦ How many di ff erent systems / software / platforms you’re using (more systems, more problems!) ✦ How exposed to the open Internet you and your systems are ✦ How sensible your (physical, digital/online, and human) security practices are ✦ Whether your systems / software / platforms are common attack targets ✦ Whether YOU are a particularly desirable or common attack target
  3. Jargon File: “INDICATOR OF COMPROMISE” ✦ often abbreviated to IOC

    or IoC ✦ A recognizable sign that a given kind of malware has gotten into a system ✦ Could be a fi le left behind (or altered or deleted), a system behavior, distinctive network tra ff i c… lots of things. ✦ Answers the question “How can I tell if I’ve got MirEmoLoveBleed in my network or systems or endpoints anywhere?” ✦ MITRE ATT&CK o ff ers these for the TTPs it lists where possible. All responsible bug-hunters try to fi nd and publicize them. Hugely important for both prevention and remediation! ✦ Antivirus/antimalware builds these into its list of malware “SIGNATURES.”
  4. A malware taxonomy ✦ MALWARE: Umbrella term for software intended

    to mess with a system and/or its security in some way ✦ “mal-“ is a Latin pre fi x meaning “bad.” ✦ WAREZ: Slang. Malware available for easy download and use. (Sometimes used for “illegally-obtained information available for download.”) ✦ There are LOTS of kinds of malware! Some characteristics often used to classify them: ✦ What they target: “Windows malware” “Android malware” “browser malware” ✦ How they spread and/or infect victims: virus/worm/Trojan ✦ What they do (often “-ware”): ransomware/adware/spyware ✦ I do not expect you to memorize all the di ff erent kinds of malware. I don’t think it’s useful. ✦ That’s a “ fi gure it out if/when you need to” kind of thing.
  5. I do want you to know about: ✦ RANSOMWARE: malware

    that encrypts your data and asks you to pay for the decryption key ✦ Of late, ransomware has also been ex fi ltrating data and threatening to leak it if the ransom is not paid. ✦ SPYWARE/STALKERWARE: malware that reports out somewhere on the activities performed on the device, without the device’s user(s) knowing ✦ KEYLOGGER: Spyware that sends every keystroke typed (including on a mobile’s “keyboard”) somewhere ✦ Malware that adds endpoints to botnets ✦ BOTNET: A group of devices, often huge, that has been compromised such that an external device (“COMMAND-AND-CONTROL [SERVER]” or “C2”) can make the compromised devices do bad things (such as send spam email, or try to overwhelm a web or DNS server)
  6. Ransomware attackers are garbage humans. ✦ Common targets: hospitals (particularly

    during the COVID-19 pandemic), schools ✦ This is partly because they’re known to be soft targets, but some ransomware attackers just seem to prefer them. ✦ One known death due to a ransomwared hospital. ✦ One is an extremely unlikely number. ✦ Just. How can these people even sleep at night.
  7. Ransomware defenses ✦ Backups, backups, BACKUPS. And test them! ✦

    The ideal backup is at least partially “airgapped” from your computer. (Tape backup is good here!) Backups that look to the OS like ordinary drives (“share drives,” persistent cloud storage) will be ransomwared just like ordinary drives. ✦ Sophisticated ransomware will speci fi cally try to go after backups. ✦ Good incident response. The sooner you detect and react to ransomware, the less hurt you’ll be. ✦ If you’re hit, before you despair and pay up, check to see if the ransomware has been cracked. ✦ Quite a lot of it has been. You may be able to get your data back without paying the ransom even if you don’t have a backup. ✦ DO NOT PAY, if you can possibly avoid it. ✦ It just encourages them! ✦ Some of them abscond with your payment… without giving you the key. So you’ve lost both your data and the ransom.
  8. Antivirus/antimalware ✦ Classically: works by “signature” ✦ That is, security

    researchers dissect malware fi les so that they can detect them later (e.g. when they show up as email attachments). ✦ The reason A/V software ties up your internet connection so often is to update its set of signatures. ✦ Four problems with this: ✦ The fi rst people to run into a given piece of malware get pwned. Nobody’s fi gured out its signature yet! ✦ Assumes that malware is fi le-based. No longer a safe assumption! “Memory-resident malware” and malware that targets layers underneath the OS/ fi lesystem (BIOS malware) both exist. ✦ It’s often possible to OBFUSCATE malware fi les to evade the usual signature-detection techniques, e.g. by re-encoding text. ✦ Malware on the web. Files are remote, where antivirus can’t see them!
  9. Should you use antivirus/ antimalware software? ✦ On balance, it’s

    a good idea, but it’s also not the savior it once was. ✦ For people who are (for whatever reason) extra-likely to be (even accidentally) an attack target, de fi nitely install it. ✦ One big caveat: don’t use it on a machine you plan to do infosec work from! ✦ When I tried to install Metasploit on my work laptop, the (work- mandated) A/V absolutely howled. Exploits, exploits everywhere! ✦ Palliative: do infosec work from a virtual machine (VM), or a cloud server. (I like DigitalOcean. Linode is another one.)
  10. Different (sometimes newer) techniques ✦ Heuristic analysis ✦ Establish a

    baseline for what your systems do, when, and how. (Remember that systems include people!) ✦ Then fl ag behavior that seems seriously weird and have a human being check it out (computers aren’t smart enough). ✦ AI/machine learning ✦ Same idea, only make the computer establish the baseline and look for deviations from it. ✦ Remember that computers are easily fooled, however. ✦ Strict limits on computing (“whitelisting”), especially software installation ✦ Users will HATE this, guaranteed. It’s only workable in highly- regulated situations — fi nance or similar.
  11. Would whitelisting work in higher ed? ✦ AHAHAHAHAHAHAHAHAHAHAHAHA no. ✦

    Why not: ✦ An entire university represents an incredibly broad array of research and teaching and outreach and other activities. You just can’t lock that down the way you’d lock down (say) a bank. The work can’t get done like that! ✦ Academics (myself included) are exceptionally stubborn and annoying people. We don’t always listen to sense, and we resent limits. ✦ Research especially — the generation of new knowledge — often relies on very new OR very old OR very weird equipment and software. If the CISO tries to mess with research, THE CISO WILL LOSE. Won’t even be a close fi ght. ✦ This means exceptionally large attack surfaces across the whole university. ✦ This makes infosec work in universities amazingly di ffi cult. Respect the CIO’s o ff i ce here, folks. They have a tough job.
  12. The honeypot defense ✦ Deliberately put a vulnerable machine out

    there. ✦ Watch how it’s attacked. Learn. ✦ Sometimes honeypots become part of your IDS: if nobody interacts with a given machine except attackers, simply block anyone who tries to interact with it, because they’re an attacker! ✦ Similarly: put fake data in your database or data warehouse, as an early-warning system for compromises/leaks. ✦ Especially fake contact points (email addresses, textable phone numbers) that you monitor. Any contact is near-proof of a hack/leak!
  13. Randall Munroe, “xkcd: Network” https://www.xkcd.com/350/ CC-BY-NC

  14. So now what? ✦ Make systems less hackable (“REDUCE ATTACK

    SURFACE”). ✦ This runs into all the problems around training and incentives that I discussed… but malware has gotten so bad as to force better practices, at least in major attack points like OSes and browsers. ✦ You can do this for yourself, to some extent, by turning o ff communication services you’re not using, consciously limiting the software/apps you install, and deleting old unused software/apps. ✦ Don’t detect fi les; detect anomalous behavior. ✦ This is part of how “intrusion detection systems” (IDSes) work, also heuristics and AI/ML-based approaches. ✦ The major problem with this: anomaly is not the same as threat. Huge false-positive potential here! ✦ Some days we all act funny! That doesn’t mean we’ve suddenly started to hack our own machines and workplaces!
  15. In which Dorothea gets FURIOUS at a CISO ✦ As

    I’ve said already, privacy is a librarian thing and I am a librarian. Just as background. ✦ We librarians are supposed to let you explore the subjects you want to explore without looking over your shoulder. None of our business! ✦ There are presently e ff orts to change library-resource access technology, partly so content vendors have an easier time detecting “fraud” in e-resource use. ✦ Which does happen, but when it does, the library handles it discreetly, quietly, and INTERNALLY. Publishers don’t get to sue or hassle anybody! ✦ So a current e ff ort (SNSI) brought in a pet CISO who touted anomalous-behavior detection. ✦ Corey Roach: “You can also move over to behavioral stu ff . So it could be, you know, why is a pharmacy major suddenly looking up a lot of material on astrophysics or… Why is a medical professional and a hospital suddenly interested in internal combustion things that just don’t line up and we can identify fi shy behavior.”
  16. EXCUSE THE HELL OUT OF YOU, COREY ROACH. THAT IS

    COMPLETELY ENTIRELY UTTERLY 100% UNACCEPTABLE AND UNETHICAL FOR LIBRARIES TO DO.
  17. And a personal story as illustration ✦ An anomalous-behavioral-detection system

    would have caught me red-handed in 2009-2010. ✦ I’m a librarian, technologist, and educator. That’s a lot of what I read, no surprise. ✦ I suddenly developed a devouring, anomalous-for- me interest in oncology. Speci fi cally, “cancer of unknown primary origin.” ✦ It was in the process of killing my mother. ✦ Tell me my anomalous reading behavior was wrong or fraudulent, CISO Corey Roach. I DARE YOU. ✦ Tell me vendor pro fi ts entitle them to hassle me about that, CISO Corey Roach. I DOUBLE-DOG DARE YOU.
  18. And anyway… ✦ … why is it a bad thing

    for people to develop new interests?! ✦ In what universe should a pharmacy major be punished for suddenly thinking astrophysics is really freakin’ cool? ✦ Because, you know, astrophysics is really freakin’ cool. ✦ (Also, I’m pretty sure hospitals have, you know, vehicles and HVAC systems. Perhaps some other internal-combustion gadgetry too, I’m no medical technologist.)
  19. Moral of the story: Privacy and security are not the

    same thing. Security that abuses privacy is not a good tradeoff. Please become aware and stay aware of this.
  20. Questions? Ask them! This lecture is copyright 2018 by Dorothea

    Salo. It is available under a Creative Commons Attribution 4.0 International license.