At the second day of the TROOPERS16 conference an interesting talk about Advanced Persistent Threats took place from Marion Marschalek and Raphaël Vinot. Marion Marschalek is a Security Researcher, focusing on the analysis of emerging threats and exploring novel methods of threat detection. Marion started her career within the anti-virus industry and also worked on advanced threat protection systems where she built a thorough understanding of how threats and protection systems work and how both occasionally fail.
The talk was about detecting APTs in your network by finding correlations in large data sets from different sources of malware samples. They introduced a tool called MISP what i able to correlate events and find out if APTs already acted and may just be known on another name or is a new APT. You can find the MISP project here at Github: https://github.com/MISP/MISP.
They developed a special tool for the TROOPERS16 talk that allows to query a data set out of MISP really fast with usage of bloom filters. This allows to do a lot of queries and also protects the sensitive information about the known APTs in the MISP database. This allows to install those bloom filters on many systems or central points on the network. The tool is based on samples of closed repositories of MISP and BT.
For the development they used the python library “pfile” for example to extract entry points, import hashes or amounts of sections of a file. Additionally they used the fuzzy hash algorithm “ssdeep” to calculate similarity hashes of files to be able to find similar parts across different files what can be found here.
By analyzing a big data set of over 15000 malware samples, they were able to find correlations between APTs and find many APTs that are in fact the same group that has been classified to be another APT group before. Also they found out interesting information about evolving APTs over the time. They showed that some APTs add continuously more functionality on their malware. Later in the talk they discussed some major APTs and explained how they found out that some APTs are duplicated with the help of their data.
To conclude this, this project may be very helpful in the future to find APTs in the network faster and observe the behavior of the APTs in a more detailed way than it is possible without any correlation of the data.
Thanks for reading and we may see you at TROOPERS17 🙂