This is a reserve paper. Should it not be required to replace a paper on the main programme, it will be presented in the Small Talks room on Friday 4 October.
Mohamed Nabeel, Keerthiraj Nagaraj & Alex Starov (Palo Alto Networks)
Cybercriminals improve the resilience of their infrastructure to evade detection and law enforcement take down by utilizing fast flux/double flux infrastructures and/or infrastructures with low reputation. In essence, they frequently rotate hosting IPs, often compromised, and domains utilized to carry out their attacks. For example, we have observed that APTs such as Trident Ursa (Gamaredon, Primitive Bear) and Stately Taurus (Mustang Panda), and malware families such as QakBot and SmokeLoader rotate hundreds of IPs and domains in a short period of time, allowing them to persist for years. By the time current technologies detect these IOCs, attackers have already moved on to a different infrastructure, making such detections less effective. Thus, we need an approach that can proactively discover where the attackers are heading to in order to block them effectively.
Based on the observation that cybercriminals tend to reuse similar hosting infrastructure over time, pivoting on known IOCs (domains, IPs, SHAs, certificates, emails) as seed, we first build the network infrastructure using a smart crawling technique which assists in constructing manageable graphs with high toxicity. Then, we build a graph AI model over the discovered network infrastructure to identify patient-zero malicious domains, SHA256s and IPs belonging to different campaigns.
Using our discovery and detection techniques, we have been tracking hundreds of campaigns/APTs and discovering many new campaigns (e.g. ApateWeb, QuantumAI). Our analysis showed that many newly detected network artifacts (domains, IPs, SHA256s) are not identified by popular domain lookup services such as VirusTotal at the time of detection. They usually appear in VirusTotal after days to weeks from our detection time, showing the proactiveness of our approach.
In this talk, we first show how we leverage smart crawling and Graph AI to detect stealthy malicious domains, malicious files and compromised/low reputation IPs used by various attack campaigns. In particular, we provide in-depth case studies of discovered malicious infrastructure of Gamaredon, FIN7 APTs and a postal campaign, including how they evolved over time.
|
Mohamed Nabeel Mohamed Nabeel, Ph.D., is a principal researcher at Palo Alto Networks where he leads the efforts on proactive detection and graph-based threat intelligence research and development in the web security team. He obtained his Ph.D. in database security from Purdue University under a Fulbright fellowship. He has experience in the field of network and web security for over 10 years. He is passionate about building AI-powered tools and techniques to help defenders stay one step ahead of Internet miscreants. During his spare time, he teaches AI/data science to graduate students and mentors cybersecurity research students. He has authored and presented 20+ US patents and 25+ papers at top security conferences. Some of his inventions are patented by a rising cybersecurity firm named bfore.ai and some are successfully productized and deployed at Palo Alto Networks, protecting customers from all around the world. He has presented his work at top industry conferences such as RSA conference and top academic conferences such as IEEE S&P, Usenix Security and ACM CCS.
|
|
|
Keerthiraj Nagaraj Keerthiraj Nagaraj, Ph.D., is a staff data scientist in the Palo Alto Networks R&D department. He has been inventing various techniques, including graph-based approaches, to detect phishing attacks. He obtained his Ph.D. in smart and secure networks from the University of Florida. He has presented his work at top conferences and patented several innovations.
|
|
|
Alex Starov Alex Starov, Ph.D., is a senior manager in the web security research team at Palo Alto Networks. His research focuses on proactive and data-driven web security and malicious URL detection, and he manages several of the brightest researchers and engineers on protecting web users against sophisticated cyberattacks. He obtained his Ph.D. in computer science from Stony Brook University. He has published his work in top security venues as well as authored several patents. |
Back to VB2024 conference page