Survivalism: Systematic Analysis of Windows Malware Living-Off-The-Land

Barr-Smith, Frederick; Ugarte-Pedrero, Xabier; Graziano, Mariano; Spolaor, Riccardo; Martinovic, Ivan

doi:10.1109/sp40001.2021.00047

Cited by 23 publications

(17 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…They then collected OSINT data like domain names and social media information of 30 companies to determine how much information is available to the adversaries. Additional works on APTs analysis focused on describing the phases of the attacks and possible countermeasures [10], the analysis of the malware employed in a few well-known campaigns [21], or the prevalence of living-off-the-land techniques in certain samples [51].…”

Section: Analysis Of Attackers Characteristicsmentioning

confidence: 99%

Software Updates Strategies: A Quantitative Evaluation Against Advanced Persistent Threats

Tizio

Michele

Massacci

2023

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

Software updates reduce the opportunity for exploitation. However, since updates can also introduce breaking changes, enterprises face the problem of balancing the need to secure software with updates with the need to support operations. We propose a methodology to quantitatively investigate the effectiveness of software updates strategies against attacks of Advanced Persistent Threats (APTs). We consider strategies where the vendor updates are the only limiting factors to cases in which enterprises delay updates from 1 to 7 months based on SANS data. Our manually curated dataset of APT attacks covers 86 APTs and 350 campaigns from 2008 to 2020. It includes information about attack vectors, exploited vulnerabilities (e.g. 0-days vs public vulnerabilities), and affected software and versions. Contrary to common belief, most APT campaigns employed publicly known vulnerabilities. If an enterprise could theoretically update as soon as an update is released, it would face lower odds of being compromised than those waiting one (4.9x) or three (9.1x) months. However, if attacked, it could still be compromised from 14% to 33% of the times. As in practice enterprises must do regression testing before applying an update, our major finding is that one could perform 12% of all possible updates restricting oneself only to versions fixing publicly known vulnerabilities without significant changes to the odds of being compromised compared to a company that updates for all versions.

show abstract

Section: Analysis Of Attackers Characteristicsmentioning

confidence: 99%

Software Updates Strategies: A Quantitative Evaluation Against Advanced Persistent Threats

Tizio

Michele

Massacci

2023

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

show abstract

“…As a result, it significantly increases the aptitude for detection and prevention of fileless malware [49] and Living-Off-The-Land (LotL) attacks [50] as shown in Section V.…”

Section: • Process 5 -Update Existing Resource(s)mentioning

confidence: 99%

“…Hence, if an attacker compromises the employee's endpoint, it is extremely unlikely that further malicious tools can execute as their hash and relevant information are not present on-chain. Nevertheless, malware executed directly from memory (e.g., fileless malware [49]) or malicious activities leveraging valid and legitimate system tools such as PowerShell, also known as LotL attacks [50], are still a risk to take into consideration.…”

Section: Test Environment and Implementationmentioning

confidence: 99%

Blockchain-Enabled Intrusion Detection and Prevention System of APTs Within Zero Trust Architecture

Alevizos

Eiza

et al. 2022

IEEE Access

View full text Add to dashboard Cite

In a world where organisations are embracing new IT working models such as Bring Your Own Device (BYOD) and remote working, the traditional mindset of defending the network perimeter is no longer sufficient. Zero Trust Architecture (ZTA) has recently emerged as a new security model in which the breach mindset dominates the threat model. By default, the ZTA considers any endpoint (i.e., device), user, or application to be untrusted until proven otherwise. Nonetheless, once proven by the endpoint, using Advanced Persistent Threats (APT), attackers can still take over an authenticated and authorised session via that endpoint. Therefore, they can perform several user/device centric malicious activities in addition to lateral movement rendering the endpoint as the Achilles heel of ZTA. To effectively deter APT attack capabilities on the endpoints, this work proposes a Blockchain-enabled Intrusion Detection and Prevention System (BIDPS) that augments ZTA onto endpoints. The BIDPS aims to achieve two core outcomes: first, detect and prevent attackers' techniques and tactics as per MITRE's ATT&CK enterprise matrix earlier than the lateral movement stage, and secondly, strip trust out of the endpoint itself and place it on-chain, thus creating an immutable system of explicit trust. To evaluate the effectiveness of the BIDPS, a testbed was built where techniques of over ten APTs attacks were launched against the endpoint. BIDPS has proven a high rate of success defending against the launched attacks owing to its Blockchain's immutability, fortifying the detection/prevention processes.

show abstract

“…Operating system files and malware often have similar behaviors, which probably confuse the detection models and even a trained analyst [8]. Therefore, in order to help SeqNet observe the general differences between malicious and benign programs and make SeqNet more robust, we add about 10,000 system files as benign data.…”

Section: Training Datasetmentioning

confidence: 99%

SeqNet: An Efficient Neural Network for Automatic Malware Detection

Xu¹,

Fu²,

Bu³

et al. 2022

Preprint

View full text Add to dashboard Cite

Malware continues to evolve rapidly, and more than 450,000 new samples are captured every day, which makes manual malware analysis impractical. However, existing deep learning detection models need manual feature engineering or require high computational overhead for long training processes, which might be laborious to select feature space and difficult to retrain for mitigating model aging. Therefore, a crucial requirement for a detector is to realize automatic and efficient detection.In this paper, we propose a lightweight malware detection model called SeqNet which could be trained at high speed with low memory required on the raw binaries. By avoiding contextual confusion and reducing semantic loss, SeqNet maintains the detection accuracy when reducing the number of parameters to only 136K. We demonstrate the effectiveness of our methods and the low training cost requirement of SeqNet in our experiments. Besides, we make our datasets and codes public to stimulate further academic research.

show abstract

Survivalism: Systematic Analysis of Windows Malware Living-Off-The-Land

Cited by 23 publications

References 17 publications

Software Updates Strategies: A Quantitative Evaluation Against Advanced Persistent Threats

Software Updates Strategies: A Quantitative Evaluation Against Advanced Persistent Threats

Blockchain-Enabled Intrusion Detection and Prevention System of APTs Within Zero Trust Architecture

SeqNet: An Efficient Neural Network for Automatic Malware Detection

Contact Info

Product

Resources

About