You can hack, but you can't hide: Using log analysis to detect APTs
Kevin Bowers - RSA
Nov 12, 2014
Size: 98.4MB
Abstract
In my talk I will be describing new techniques developed at RSA Labs to analyze the massive log data commonly collected by large enterprises in order to detect and identify suspicious activity. Unlike the common signature-based detection mechanisms used today, our approach leverages behavior patterns that persist across different infection vectors, and is thus more resilient to attacker evasion. Moreover, our techniques are unique in their ability to detect stealthy campaigns in which only a single host sporadically communicates with malicious sites controlled by attackers. Through effective data reduction and algorithms inspired by the graph-theoretic belief propagation model, we identify the most suspicious domains contacted by hosts in an organization in different stages of an APT campaign (e.g., initial delivery, infection, command-and-control, etc.).
We demonstrate the effectiveness of our techniques against two datasets. The first, a public dataset made available by Los Alamos National Laboratory, includes simulated APT campaigns overlaid on their DNS traffic. We successfully detect 94% of the campaigns with only a 1% false positive rate. We then apply the techniques to 38TB of web proxy logs collected by a large enterprise to discover hundreds of malicious domains that had bypassed other installed security tools.
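As an added illustration (not RSA Labs' code or algorithm), here is a toy version of the pipeline the abstract describes: build a host-domain graph from constructed proxy log lines, drop popular domains as a data-reduction step, then propagate suspicion outward from a known-bad seed domain using a simplified score-propagation loop that stands in for belief propagation. All hostnames, domains, scores and thresholds are made up for the example.

```python
from collections import defaultdict

# Constructed sample proxy log lines (timestamp host domain); not real data.
SAMPLE_LOGS = """\
2014-11-12T09:00:01 host01 www.example.com
2014-11-12T09:00:05 host02 www.example.com
2014-11-12T09:01:10 host03 www.example.com
2014-11-12T09:02:00 host01 cdn.example.net
2014-11-12T09:03:30 host02 cdn.example.net
2014-11-12T09:05:00 host04 known-bad.test
2014-11-12T11:20:00 host04 rare-c2.test
2014-11-12T11:30:00 host05 rare-c2.test
2014-11-12T11:31:00 host05 other-rare.test
"""

def build_host_domain_graph(log_text, max_hosts_per_domain):
    # Bipartite host<->domain graph. Data reduction: a domain contacted by more than
    # max_hosts_per_domain distinct hosts is treated as popular (likely benign) and dropped.
    domain_hosts = defaultdict(set)
    for line in log_text.strip().splitlines():
        _ts, host, domain = line.split()
        domain_hosts[domain].add(host)
    domain_hosts = {d: hs for d, hs in domain_hosts.items() if len(hs) <= max_hosts_per_domain}
    host_domains = defaultdict(set)
    for d, hs in domain_hosts.items():
        for h in hs:
            host_domains[h].add(d)
    return dict(host_domains), domain_hosts

def propagate_suspicion(host_domains, domain_hosts, seeds, rounds=20, damping=0.5):
    # Simplified stand-in for belief propagation: a host is as suspicious as the worst domain
    # it contacted; an unlabelled domain gets a damped mean of its hosts' scores. Seeds stay 1.0.
    domain_score = {d: seeds.get(d, 0.0) for d in domain_hosts}
    for _ in range(rounds):
        host_score = {h: max(domain_score[d] for d in ds) for h, ds in host_domains.items()}
        for d, hs in domain_hosts.items():
            if d not in seeds:
                domain_score[d] = damping * sum(host_score[h] for h in hs) / len(hs)
    return domain_score

def rank_candidate_domains(log_text, seeds, max_hosts_per_domain=2):
    # Non-seed domains ordered most suspicious first, for analyst triage.
    hd, dh = build_host_domain_graph(log_text, max_hosts_per_domain)
    scores = propagate_suspicion(hd, dh, seeds)
    return sorted(((d, s) for d, s in scores.items() if d not in seeds), key=lambda x: -x[1])

if __name__ == "__main__":
    for domain, score in rank_candidate_domains(SAMPLE_LOGS, {"known-bad.test": 1.0}):
        print(f"{score:.3f}  {domain}")
```

Note how rare-c2.test rises to the top only because it shares a host with the seed, while www.example.com never enters scoring at all: that is the data-reduction step doing its work.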
About the Speaker
Kevin Bowers is a Senior Research Scientist and Manager of RSA Laboratories, the security research group at RSA, the Security Division of EMC. He holds a B.S. in Electrical, Computer and Systems Engineering and Computer Science, and a B.S. in Mathematics, both from Rensselaer Polytechnic Institute, as well as an M.S. in Computer Science from Carnegie Mellon University. Kevin has been with RSA Labs since 2007 and his current research is focused on user authentication, breach resilience, and data science for security applications.
Kevin’s publication history covers many diverse topics including numerous cryptographic protocols for remote verification of integrity and resilience, time stamping, secure chain-of-custody, as well as advanced authentication techniques and steganography.
The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos is the property of Purdue University, the presenter and/or the presenter's organization, and is protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website is the exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any other way exploit any part of the copyrighted material without permission from CERIAS, Purdue University.