Kevin Bowers - RSA
You can hack, but you can't hide: Using log analysis to detect APTs
Nov 12, 2014
Download: MP4 video (98.4 MB). Also available on YouTube.
Abstract
In my talk I will describe new techniques developed at RSA Labs to analyze the massive log data commonly collected by large enterprises in order to detect and identify suspicious activity. Unlike the signature-based detection mechanisms in common use today, our approach leverages behavior patterns that persist across different infection vectors and is thus more resilient to attacker evasion. Moreover, our techniques are unique in their ability to detect stealthy campaigns in which only a single host sporadically communicates with malicious sites controlled by attackers. Through effective data reduction and algorithms inspired by the graph-theoretic belief propagation model, we identify the most suspicious domains contacted by hosts in an organization at different stages of an APT campaign (e.g., initial delivery, infection, command-and-control, etc.).

We demonstrate the effectiveness of our techniques on two datasets. The first, a public dataset made available by Los Alamos National Laboratory, includes simulated APT campaigns overlaid on their DNS traffic. We successfully detect 94% of the campaigns with only a 1% false positive rate. We then apply the techniques to 38TB of web proxy logs collected by a large enterprise and discover hundreds of malicious domains that had bypassed the other installed security tools.
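The host-to-domain scoring the abstract describes, as an added example that is not RSA Labs' code: a deliberately simplified belief-propagation-style pass over constructed proxy log lines. Hosts and domains are the two sides of a bipartite graph; data reduction drops domains contacted by a large share of the enterprise (assumed benign and popular), a known command-and-control domain is the only seed, and suspicion is passed back and forth so that other rare domains contacted by the same host (the earlier delivery stage, for instance) rise in the ranking. The hostnames h1..h5, the .test domains, the popularity cutoff, the noisy-OR/averaging update rule and the damping factor alpha are all assumptions of this example; the published system's exact reduction steps and message-passing rules are not reproduced here.

```python
import math
from collections import defaultdict

# Constructed sample web-proxy log lines (not real enterprise data).
# Format: "<timestamp> <host> <domain> <http_status>"
SAMPLE_LOGS = """\
2014-11-01T08:00:01 h1 update.example-cdn.test 200
2014-11-01T08:00:02 h2 update.example-cdn.test 200
2014-11-01T08:00:03 h3 update.example-cdn.test 200
2014-11-01T08:00:04 h4 update.example-cdn.test 200
2014-11-01T08:00:05 h5 update.example-cdn.test 200
2014-11-01T08:05:00 h1 login.corp.test 200
2014-11-01T08:05:01 h2 login.corp.test 200
2014-11-01T08:05:02 h3 login.corp.test 200
2014-11-01T08:05:03 h4 login.corp.test 200
2014-11-01T09:12:44 h1 dl.stage1.test 200
2014-11-01T09:13:10 h2 dl.stage1.test 200
2014-11-01T11:40:02 h1 c2.evil.test 404
2014-11-02T03:15:17 h1 c2.evil.test 404
2014-11-01T12:00:00 h2 drop.other.test 200
2014-11-01T13:30:00 h3 blog.rare.test 200
"""


def parse_logs(text):
    """Return the set of (host, domain) contact pairs; repeated contacts collapse to one edge."""
    edges = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, host, domain, _status = line.split()
        edges.add((host, domain))
    return edges


def reduce_edges(edges, popular_fraction=0.5):
    """Data reduction (assumed rule): drop domains contacted by >= popular_fraction of all hosts.

    Returns (kept_edges, popular_domains). Only rare domains survive into the graph,
    which is what lets a single sporadically-beaconing host stand out at all.
    """
    hosts = {h for h, _ in edges}
    hosts_per_domain = defaultdict(set)
    for h, d in edges:
        hosts_per_domain[d].add(h)
    cutoff = popular_fraction * len(hosts)
    popular = {d for d, hs in hosts_per_domain.items() if len(hs) >= cutoff}
    kept = {(h, d) for h, d in edges if d not in popular}
    return kept, popular


def propagate(edges, seeds, alpha=0.5, tol=1e-9, max_iter=200):
    """Belief-propagation-style scoring on the bipartite host/domain graph (assumed update rule).

    host score   = noisy-OR over the scores of the domains it contacted
                   (a host is suspicious if any domain it talked to is)
    domain score = max(prior, alpha * mean of the scores of hosts contacting it)
                   (a domain inherits suspicion from its contacting hosts, damped by alpha)
    Seeds keep a prior of 1.0; iteration stops when scores change by less than tol.
    """
    host_doms, dom_hosts = defaultdict(set), defaultdict(set)
    for h, d in edges:
        host_doms[h].add(d)
        dom_hosts[d].add(h)
    prior = {d: (1.0 if d in seeds else 0.0) for d in dom_hosts}
    dom_score = dict(prior)
    host_score = {h: 0.0 for h in host_doms}
    for _ in range(max_iter):
        new_host = {h: 1.0 - math.prod(1.0 - dom_score[d] for d in host_doms[h])
                    for h in host_doms}
        new_dom = {d: max(prior[d], alpha * sum(new_host[h] for h in hs) / len(hs))
                   for d, hs in dom_hosts.items()}
        delta = max(max(abs(new_dom[d] - dom_score[d]) for d in new_dom),
                    max(abs(new_host[h] - host_score[h]) for h in new_host))
        dom_score, host_score = new_dom, new_host
        if delta < tol:
            break
    return dom_score, host_score


def rank_domains(log_text, seeds, popular_fraction=0.5, alpha=0.5):
    """Full pipeline: parse -> reduce -> propagate -> rank domains by suspicion."""
    edges = parse_logs(log_text)
    kept, popular = reduce_edges(edges, popular_fraction)
    dom_score, host_score = propagate(kept, seeds, alpha)
    ranked = sorted(dom_score.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked, popular, host_score


if __name__ == "__main__":
    ranked, popular, hosts = rank_domains(SAMPLE_LOGS, seeds={"c2.evil.test"})
    print("dropped as popular:", sorted(popular))
    for domain, score in ranked:
        print(f"{score:.4f}  {domain}")
    print("host scores:", {h: round(s, 4) for h, s in sorted(hosts.items())})
```

With the constructed logs the two widely contacted domains are discarded before scoring, the seeded C2 domain stays at 1.0, dl.stage1.test (contacted by the infected host h1 and by h2) lands near 0.39, drop.other.test (contacted only by h2, which is now partly suspect) near 0.28, and blog.rare.test, reached only by an untainted host, stays at 0.0. Rarity alone is therefore not enough to raise a domain: suspicion has to arrive through a host with a link to a seed, which is the mechanism that ties the delivery and command-and-control stages of one campaign together.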
About the Speaker
Kevin Bowers is a Senior Research Scientist and Manager of RSA Laboratories, the security research group at RSA, the Security Division of EMC. He holds a B.S. in Electrical, Computer and Systems Engineering and Computer Science, and a B.S. in Mathematics, both from Rensselaer Polytechnic Institute, as well as an M.S. in Computer Science from Carnegie Mellon University. Kevin has been with RSA Labs since 2007 and his current research is focused on user authentication, breach resilience, and data science for security applications.
Kevin's publication history covers many diverse topics including numerous cryptographic protocols for remote verification of integrity and resilience, time stamping, secure chain-of-custody, as well as advanced authentication techniques and steganography.