484 research outputs found
Command & Control: Understanding, Denying and Detecting - A review of malware C2 techniques, detection and defences
In this survey, we first briefly review the current state of cyber attacks,
highlighting significant recent changes in how and why such attacks are
performed. We then investigate the mechanics of malware command and control
(C2) establishment: we provide a comprehensive review of the techniques used by
attackers to set up such a channel and to hide its presence from the attacked
parties and the security tools they use. We then switch to the defensive side
of the problem, and review approaches that have been proposed for the detection
and disruption of C2 channels. We also map such techniques to widely-adopted
security controls, emphasizing gaps or limitations (and success stories) in
current best practices.Comment: Work commissioned by CPNI, available at c2report.org. 38 pages.
Listing abstract compressed from version appearing in repor
Hidden and Uncontrolled - On the Emergence of Network Steganographic Threats
Network steganography is the art of hiding secret information within innocent
network transmissions. Recent findings indicate that novel malware is
increasingly using network steganography. Similarly, other malicious activities
can profit from network steganography, such as data leakage or the exchange of
pedophile data. This paper provides an introduction to network steganography
and highlights its potential application for harmful purposes. We discuss the
issues related to countering network steganography in practice and provide an
outlook on further research directions and problems.Comment: 11 page
Outsmarting Network Security with SDN Teleportation
Software-defined networking is considered a promising new paradigm, enabling
more reliable and formally verifiable communication networks. However, this
paper shows that the separation of the control plane from the data plane, which
lies at the heart of Software-Defined Networks (SDNs), introduces a new
vulnerability which we call \emph{teleportation}. An attacker (e.g., a
malicious switch in the data plane or a host connected to the network) can use
teleportation to transmit information via the control plane and bypass critical
network functions in the data plane (e.g., a firewall), and to violate security
policies as well as logical and even physical separations. This paper
characterizes the design space for teleportation attacks theoretically, and
then identifies four different teleportation techniques. We demonstrate and
discuss how these techniques can be exploited for different attacks (e.g.,
exfiltrating confidential data at high rates), and also initiate the discussion
of possible countermeasures. Generally, and given today's trend toward more
intent-based networking, we believe that our findings are relevant beyond the
use cases considered in this paper.Comment: Accepted in EuroSP'1
DYNAMIC DATA EXFILTRATION OVER COMMON PROTOCOLS VIA SOCKET LAYER PROTOCOL CUSTOMIZATION
Obfuscated data exfiltration perpetrated by malicious actors presents a significant threat to organizations looking to protect sensitive data. Socket layer protocol customization presents the potential to enhance obfuscated data exfiltration by providing a protocol-agnostic means of embedding targeted data within application payloads of established socket connections. Fully evaluating and characterizing this technique will serve as an important step in the development of suitable mitigations. This thesis evaluated the performance of this method of data exfiltration through experimentation to determine its viability and identify its limitations. The evaluation assessed the effectiveness of exfiltration via socket layer customization with various application protocols and characterized its use to determine the most suitable protocols. Basic host-based and network-based security controls were introduced to test the exfiltration method’s ability to bypass typical security controls implemented to prevent data exfiltration. The experimentation results indicate that this exfiltration method is both viable and applicable across multiple application protocols. It proved flexible enough in its design and configuration to bypass basic host-based access controls and general network intrusion prevention system packet inspection. Deep packet inspection was identified as a potential solution; however, the required inspection and filtering granularity might make implementation infeasible.Office of Naval Research, Arlington, VA 22203-1995Outstanding ThesisPetty Officer First Class, United States NavyApproved for public release. Distribution is unlimited
Towards a Near-real-time Protocol Tunneling Detector based on Machine Learning Techniques
In the very last years, cybersecurity attacks have increased at an
unprecedented pace, becoming ever more sophisticated and costly. Their impact
has involved both private/public companies and critical infrastructures. At the
same time, due to the COVID-19 pandemic, the security perimeters of many
organizations expanded, causing an increase of the attack surface exploitable
by threat actors through malware and phishing attacks. Given these factors, it
is of primary importance to monitor the security perimeter and the events
occurring in the monitored network, according to a tested security strategy of
detection and response. In this paper, we present a protocol tunneling detector
prototype which inspects, in near real time, a company's network traffic using
machine learning techniques. Indeed, tunneling attacks allow malicious actors
to maximize the time in which their activity remains undetected. The detector
monitors unencrypted network flows and extracts features to detect possible
occurring attacks and anomalies, by combining machine learning and deep
learning. The proposed module can be embedded in any network security
monitoring platform able to provide network flow information along with its
metadata. The detection capabilities of the implemented prototype have been
tested both on benign and malicious datasets. Results show 97.1% overall
accuracy and an F1-score equals to 95.6%.Comment: 12 pages, 4 figures, 4 table
- …