Unwanted Software: Google’s Efforts to Protect Users from Malicious Intent
Elisabeth Morant, Product Manager at Google
They analyze binaries found across the Internet to identify unsafe binaries and malware. One campaign misled users to a fake “Chrome Support” page and gave them a number to call for “help”. Another was a nasty executable that took advantage of a bug in the Chrome Web Store to persist on users’ machines. They have been able to fix a few bugs, but people are still downloading unwanted software. Technical solutions are not enough, and Google alone is not enough: they need to collaborate with others in the industry.
(Near) Real Time Attack Monitoring on System Landscapes
Kathrin Nos, Development Architect at SAP SE
Kathrin has a cat (Schrödinger, of course!). She has an electronic cat flap that reads the RFID chip embedded in the cat, so other cats cannot come in. It doesn’t stop him from bringing in creatures like mice, though…
This is like a system landscape. You can put up a firewall, which lets only some people in, and attackers can try to brute-force their way past it. You can train your engineers to use good passwords (or check that they are good), but what if they have downloaded malware?
It’s not just about money: the thieves also want personal information, blueprints, contracts, etc.
We have to monitor attacks, because even well meaning users can introduce attack vectors.
We’re looking for outliers – aberrant behaviour. This requires statistics – hope you paid attention in college! 🙂
Think of it like a metal detector: define a path of filters and restrict the data flow. This helps you define a pattern. If you see X failed login requests from the same source, you might want to lock the account. X is probably not a low number, because people forget their passwords, network latency causes retries, etc. The count should also reset as time passes between requests.
You can define an additional pattern to detect successful login events. Here, the threshold is low. One attack is too many!
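Here is the failed-login pattern above (count per source, high threshold, reset as time passes) together with the low-threshold pattern on successful logins, run over a few constructed log lines. This is an added example, not SAP’s code. The log format, the thresholds (10 failures within 5 minutes locks the account; a success preceded by 3 or more recent failures alerts on the first occurrence) and the reading of the “successful login” pattern as “a success from a source that was just failing” are assumptions.

```python
"""Login-pattern detection over constructed log lines.

Added example, not SAP's code. Log format, thresholds and the reading of the
"successful login" pattern as "success from a source that was just failing"
are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 10              # assumption: lock after 10 failures inside the window
WINDOW = timedelta(minutes=5)    # assumption: failures older than this are forgotten
PRIOR_FAILS_FOR_ALERT = 3        # assumption: success after >= 3 recent failures alerts at once


def parse(line):
    """'2015-10-15T09:00:01 src=10.0.0.5 user=alice result=FAIL' -> (ts, src, user, result)."""
    ts, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), f["src"], f["user"], f["result"]


class LoginMonitor:
    def __init__(self, fail_threshold=FAIL_THRESHOLD, window=WINDOW,
                 prior_fails=PRIOR_FAILS_FOR_ALERT):
        self.fail_threshold = fail_threshold
        self.window = window
        self.prior_fails = prior_fails
        self.recent_fails = defaultdict(deque)   # source -> timestamps of recent failures
        self.locked = set()                       # (source, user) pairs already locked
        self.alerts = []

    def observe(self, line):
        ts, src, user, result = parse(line)
        fails = self.recent_fails[src]
        # The "reset as time passes": drop failures that fell out of the window.
        while fails and ts - fails[0] > self.window:
            fails.popleft()
        if result == "FAIL":
            fails.append(ts)
            # High threshold: forgotten passwords and retries must not trip it.
            if len(fails) >= self.fail_threshold and (src, user) not in self.locked:
                self.locked.add((src, user))
                self.alerts.append(("lock", src, user, ts))
        elif result == "SUCCESS" and len(fails) >= self.prior_fails:
            # Low threshold: the first success after a burst of failures is an alert.
            self.alerts.append(("success-after-failures", src, user, ts))


def run(lines):
    """Feed lines (in time order) through the monitor and return the alerts raised."""
    monitor = LoginMonitor()
    for line in lines:
        monitor.observe(line)
    return monitor.alerts


# Constructed sample log: bob mistypes twice, 8 minutes apart, then logs in;
# 10.0.0.5 hammers alice's account 12 times in 12 seconds, then gets in.
SAMPLE_LOG = (
    ["2015-10-15T08:50:00 src=10.0.0.9 user=bob result=FAIL",
     "2015-10-15T08:58:00 src=10.0.0.9 user=bob result=FAIL"]
    + [f"2015-10-15T09:00:{s:02d} src=10.0.0.5 user=alice result=FAIL" for s in range(12)]
    + ["2015-10-15T09:00:20 src=10.0.0.9 user=bob result=SUCCESS",
       "2015-10-15T09:01:00 src=10.0.0.5 user=alice result=SUCCESS"]
)

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(*alert)
```

Bob never trips anything: his first failure has already aged out of the window when the second arrives, so the count never exceeds one. The attacker source locks alice’s account on the tenth failure and is flagged again the moment a login from it succeeds.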
Hunting APT 28 in Your Fleet with Open Source Tools
Elizabeth Schweinsberg, Google
Elizabeth does incident response work at Google. There are multiple approaches to it: you go on a hunt to find data, triage what is important, and dig in.
SpicyBorscht 🙂 APT28, aka Fancy Bear, etc.
Some of these tools are now used together: Sofacy (CORESHELL) and EVILTOSS work with CHOPSTICK. To hunt for them, look for the MD5 hashes of these binaries, their registry keys, Windows event logs, anti-virus logs and browser history.
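As an added example of the first step of that hunt (not Google’s code and not GRR), here is a small sweep that MD5s every file under a directory against a set of known-bad hashes and greps event-log lines for persistence indicators. The hash, the Run-key value name `updsvc`, the file names and the event lines are constructed placeholders standing in for the published APT28 indicators.

```python
"""IOC sweep over files and log lines.

Added example, not Google's code. The sample implant bytes, the Run-key value
name, the file names and the event lines are constructed placeholders, not
published APT28 indicators.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed "known bad" content stands in for the published MD5s.
SAMPLE_IMPLANT = b"MZ\x90\x00constructed-implant-stand-in"
IOC_MD5 = {hashlib.md5(SAMPLE_IMPLANT).hexdigest()}

# Constructed persistence indicators: a Run-key value and the dropped binary's path.
IOC_PATTERNS = [
    re.compile(r"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updsvc", re.I),
    re.compile(r"\\AppData\\Roaming\\updsvc\.exe", re.I),
]


def md5_file(path, chunk=1 << 20):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_files(root, bad_hashes=IOC_MD5):
    """Return [(relative path, md5)] for every file under root whose MD5 is known bad."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            d = md5_file(p)
            if d in bad_hashes:
                hits.append((str(p.relative_to(root)), d))
    return sorted(hits)


def sweep_logs(lines, patterns=IOC_PATTERNS):
    """Return [(1-based line number, pattern)] for event lines matching any IOC pattern."""
    hits = []
    for n, line in enumerate(lines, 1):
        for pat in patterns:
            if pat.search(line):
                hits.append((n, pat.pattern))
    return hits


def build_sample_host():
    """Constructed disk image: one clean file and one copy of the implant."""
    root = Path(tempfile.mkdtemp(prefix="host-"))
    (root / "Program Files").mkdir()
    (root / "Program Files" / "notes.txt").write_bytes(b"nothing to see")
    (root / "AppData").mkdir()
    (root / "AppData" / "updsvc.exe").write_bytes(SAMPLE_IMPLANT)
    return root


# Constructed Windows event log / Sysmon-style lines (4688 = process creation,
# Sysmon 13 = registry value set).
SAMPLE_EVENTS = [
    "4688 New Process: C:\\Windows\\System32\\svchost.exe",
    "13 Registry value set: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updsvc",
    "4688 New Process: C:\\Users\\j\\AppData\\Roaming\\updsvc.exe",
]

if __name__ == "__main__":
    print(sweep_files(build_sample_host()))
    print(sweep_logs(SAMPLE_EVENTS))
```

On a real fleet the file walk is what you would push out through GRR to every host and the log scan is what you would run over collected event logs; the matching logic is the same.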
Google has built its own tools, like GRR. They need software that runs quickly over large amounts of data.
Timesketch uses the output from plaso to give you a colour-coded timeline of events from each machine as the attack unfolds.
They also have tooling for digging through memory to see where the interesting activity is happening: RAM can be collected via GRR, and Rekall does the memory forensics. The output is easy to read and share.
Intel® Device Protection Technology with Boot Guard
Shrestha Sinha, Technologist at Intel Corporation
There are so many avenues of attack. Some are known and controlled, some we’re aware of and dealing with, and others we haven’t learned about yet. Boot Guard’s goal is to keep these attacks from getting into the server.
Keep malware off, keep data where it belongs, maintain identity consistently and have a way to recover.
Funny analogy: we celebrate the Leaning Tower of Pisa because it has a defect, a bad foundation. Would we take our pictures next to a crashed system?
The primary question: is the code we run early in boot the right code? Example: the Mebromi attack reflashed the BIOS, so it could bypass secure boot and own the entire platform. This is where Intel’s Boot Guard comes into play. Boot Guard is an important building block in the chain of trust.
Imagine an Evil Maid scenario. You leave your laptop in your hotel room; she plugs in a USB drive, reads the keys from the TPM and decrypts your hard drive. Boot Guard protects against that scenario.
Make sure all firmware is validated from its first execution. The root of trust has been extended down into the hardware.
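To make the chain-of-trust idea concrete, here is an added example (not Intel’s implementation) that walks a boot chain from an immutable fused value, through a boot policy manifest that pins the Initial Boot Block, to the code the IBB in turn pins, and shows what happens when a Mebromi-style reflash replaces a stage. Real Boot Guard fuses a hash of the OEM public key and verifies signed manifests; this model replaces the signature with a fused SHA-256 of the manifest, an assumption made so the example needs only hashlib. Stage names, contents and the manifest format are constructed.

```python
"""Chain-of-trust check in the Boot Guard style.

Added example, not Intel's implementation. Real Boot Guard fuses a hash of the
OEM public key and verifies RSA-signed manifests; this model replaces the
signature with a fused SHA-256 of the manifest (an assumption made to keep the
example to hashlib only).
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Stage:
    name: str
    code: bytes
    next_digest: Optional[str]   # digest this stage pins for the code it hands off to


def make_manifest(ibb: Stage) -> bytes:
    """Boot policy manifest: pins the Initial Boot Block (IBB) by digest."""
    return json.dumps({"ibb_digest": digest(ibb.code)}, sort_keys=True).encode()


def verify_boot(fused_digest: str, manifest: bytes, stages):
    """Walk the chain outwards from the immutable fuse.

    Returns ("ok", [names of stages allowed to run]) or ("halt", where_it_broke).
    """
    if digest(manifest) != fused_digest:
        return ("halt", "manifest")            # policy rewritten: nothing below is trusted
    expected = json.loads(manifest)["ibb_digest"]
    ran = []
    for stage in stages:
        if digest(stage.code) != expected:
            return ("halt", stage.name)        # code differs from what the previous link pinned
        ran.append(stage.name)
        if stage.next_digest is None:
            break
        expected = stage.next_digest
    return ("ok", ran)


def build_platform():
    """Constructed platform: fuse -> manifest -> IBB -> OS loader."""
    loader = Stage("os-loader", b"constructed OS loader v1", None)
    ibb = Stage("ibb", b"constructed initial boot block v1", digest(loader.code))
    manifest = make_manifest(ibb)
    fuse = digest(manifest)     # burned once at manufacturing; not reflashable
    return fuse, manifest, [ibb, loader]


def reflash(stages, index, new_code: bytes):
    """Attacker with flash write access (what Mebromi had) replaces one stage's code."""
    out = [Stage(s.name, s.code, s.next_digest) for s in stages]
    out[index].code = new_code
    return out


if __name__ == "__main__":
    fuse, manifest, stages = build_platform()
    print(verify_boot(fuse, manifest, stages))
    evil = reflash(stages, 0, b"constructed implant in the IBB")
    print(verify_boot(fuse, manifest, evil))                    # halts at ibb
    print(verify_boot(fuse, make_manifest(evil[0]), evil))      # re-pinned manifest: halts earlier
```

The point of the talk lands in the last two checks: an attacker who can rewrite flash can replace the IBB, and can even rewrite the manifest to pin the replacement, but cannot change the fuse, so the chain halts at the earliest link they touched instead of quietly running the implant.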