Trend Micro TIPPINGPOINT® TAKES ON ANGLER EXPLOIT KIT WITH MACHINE LEARNING · Solution brief (PDF) · 2016-09-09

SOLUTION BRIEF

The Angler exploit kit has been steadily gaining traction for the last couple of years, ultimately claiming the top spot across all exploit kits in the wild. In 2015, Trend Micro estimated that Angler exceeded 1,600,000 URLs accessed, which is significantly ahead of other exploit kits such as Nuclear and Magnitude [1]. This paper focuses on Trend Micro TippingPoint's Next-Generation Intrusion Prevention System (NGIPS), Threat Protection System (TPS) and the new technology in TOS version 3.8.3 that is capable of detecting most variants of the Angler exploit kit.

Page 1 of 4 • SOLUTION BRIEF • TIPPINGPOINT TAKES ON ANGLER EXPLOIT KIT WITH MACHINE LEARNING



Angler is globally ubiquitous and highly effective because it is easy for criminal operators to integrate into their campaigns. It has been linked to a number of other malware families, to ransomware and to malvertising. In addition, 15 Common Vulnerabilities and Exposures (CVEs) are attributed to Angler [2, 3]. The following graphs illustrate the geographic deployments and infection rates.


Across many industries, machine learning techniques are being quickly adopted; however, Trend Micro is the first to leverage this capability to detect and block Angler threats inline at wire speed through its TippingPoint Next-Generation Intrusion Prevention System and Threat Protection System [4]. This approach provides an additional layer of detection on top of the traditional signature-based approach to intrusion prevention.

Digital Vaccine (DV) filter packages are a strong mechanism for detecting network-based malicious activity, exploitation of vulnerabilities, and unwanted application use. However, as the TippingPoint NGIPS and TPS blocked these attacks more effectively, exploit kit authors looked for ways to evade traditional signature-based techniques such as pattern-matching regular expressions. They now obfuscate content using packing and compression, script obfuscation, encryption and more. A regular expression written for one form of a landing page does not match the next rewrite of it, so classic detection becomes extremely difficult, often requiring multiple signatures that in many cases detect only a subset of the malicious content.

This is where machine learning and statistical data modeling become so effective. At a high level, machine learning works by reducing each input to a set of measurable properties, a "feature vector", whose features may be chosen by human analysts or derived automatically, and fitting a mathematical model to labelled examples of such vectors. That model is then evaluated against live network traffic and, in the case of the TippingPoint NGIPS and TPS, can make a real-time decision about whether the content resembles the Angler exploit kit traffic the filter was trained on, even when no fixed byte pattern is present.

The following illustration details a very simplistic representation of machine learning capabilities.

Illustration: Basics of machine learning and application to the TippingPoint NGIPS and TPS
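The following Python example, added here to illustrate the two paragraphs above, is not TippingPoint's Digital Vaccine logic; the regex signature, the feature set, the training pages and the weights learned from them are all constructed for illustration. It contrasts a classic signature that matches one form of `eval(unescape(...))` but misses rewritten variants with the statistical approach: a feature extractor turns a page body into a numeric vector, a small logistic-regression model is trained on labelled samples, and the model then scores pages it has never seen.

```python
"""Added example: feature-vector scoring of HTML/JavaScript for obfuscation.
Not TippingPoint's Digital Vaccine logic. The feature set, the training pages
and the learned weights are constructed here to show the workflow the brief
describes: feature vectors -> trained model -> per-page decision."""
import math
import re

# --- classic signature-style detection (the approach obfuscation evades) ---
SIGNATURE = re.compile(r"eval\s*\(\s*unescape\s*\(")  # assumed 'classic' pattern

def signature_detects(content):
    """Regex signature: matches one well-known form, misses every rewrite of it."""
    return SIGNATURE.search(content) is not None

# --- feature extraction (assumed feature set, each value scaled to roughly [0, 1]) ---
ESCAPE_RE = re.compile(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}")
STRING_RE = re.compile(r"\"[^\"\n]*\"|'[^'\n]*'")
SUSPICIOUS = ("eval(", "unescape(", "fromCharCode", "atob(")

def features(content):
    """Map a page body to a fixed-length feature vector."""
    n = max(len(content), 1)
    longest = max((len(s) - 2 for s in STRING_RE.findall(content)), default=0)
    return [
        min(3 * len(ESCAPE_RE.findall(content)) / n, 1.0),        # hex/percent escape density
        min(sum(content.count(t) for t in SUSPICIOUS) / 3, 1.0),  # decoder / eval tokens
        min(longest / 100, 1.0),                                   # longest string literal
        sum(ch.isdigit() for ch in content) / n,                   # digit density (charcode arrays)
    ]

# --- model: logistic regression fitted by plain batch gradient descent ---
def sigmoid(z):
    return 1 / (1 + math.exp(-z)) if z >= 0 else math.exp(z) / (1 + math.exp(z))

def train(xs, ys, epochs=3000, lr=1.0):
    """Return (weights, bias) minimising logistic loss over the labelled vectors."""
    dim = len(xs[0])
    w, b = [0.0] * dim, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * dim, 0.0
        for x, y in zip(xs, ys):
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            gw = [gi + err * xi for gi, xi in zip(gw, x)]
            gb += err
        w = [wi - lr * gi / len(xs) for wi, gi in zip(w, gw)]
        b -= lr * gb / len(xs)
    return w, b

def score(model, content):
    """Probability that a page body is obfuscated exploit-kit style content."""
    w, b = model
    return sigmoid(sum(wi * xi for wi, xi in zip(w, features(content))) + b)

# Constructed training pages (not real traffic): three obfuscated, three benign.
OBFUSCATED = [
    r"""<script>eval(unescape("%66%75%6e%63%74%69%6f%6e%20%72%28%29%7b%7d"))</script>""",
    r"""<script>var _0x4a=["\x65\x76\x61\x6c","\x61\x74\x6f\x62"];window[_0x4a[0]](window[_0x4a[1]]("ZG9jdW1lbnQud3JpdGUoIngiKQ=="));</script>""",
    r"""<script>var s=String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101);eval(s+"('x')");</script>""",
]
BENIGN = [
    r"""<html><body><h1>Welcome</h1><script>document.getElementById('msg').textContent='Hello';</script></body></html>""",
    r"""<html><head><title>Quarterly report 2015</title></head><body><p>Revenue grew 12% in Q3.</p><script>var n=document.querySelectorAll('p').length;console.log('paragraphs: '+n);</script></body></html>""",
    r"""<form action="/login" method="post"><input name="user"><input name="pass" type="password"><button>Sign in</button></form>""",
]
MODEL = train([features(p) for p in OBFUSCATED + BENIGN],
              [1.0] * len(OBFUSCATED) + [0.0] * len(BENIGN))

if __name__ == "__main__":
    for page in OBFUSCATED + BENIGN:
        print(f"signature={signature_detects(page)!s:5} model={score(MODEL, page):.2f}  {page[:48]}")
```

Only the first obfuscated page triggers the regex; the hex-array and `fromCharCode` rewrites slip past it, while all three score high with the model because the statistics of the content (escape density, decoder tokens, long literals, digit runs) survive the rewrite. The toy corpus here is far too small for production use; the point of the Alexa and BreakingPoint testing described later in the brief is exactly to measure the false-positive and throughput cost of such a model on a realistic traffic mix before it is allowed to block.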


©2016 by Trend Micro Incorporated. All rights reserved. Trend Micro, the Trend Micro t-ball logo, and Smart Protection Network are trademarks or registered trademarks of Trend Micro Incorporated. All other company and/or product names may be trademarks or registered trademarks of their owners. Information contained in this document is subject to change without notice. [SB01_TP_MachineLearning_DigitalVaccine_160907US]

The DVLabs team has delivered statistical analysis using machine learning primitives in DV filters 23799, 24884 and 24837. DV filter 23799 is designed to address almost all variants of Angler, as well as several other exploit kits that rely on obfuscated JavaScript. It is intended for deployments that are expected to browse only well-known or commonly visited websites, and it showed a low false positive rate against the top Alexa domains. DV filters 24884 and 24837 are specifically targeted at variants of Angler and showed minimal to no false positives during testing. As we continue to grow and utilize this technology, we will release additional filters leveraging the new capabilities. These filters operate without affecting network performance and without introducing a high number of false positives. Before deploying these filters, customers should keep in mind the following considerations:

• In networks processing very large volumes of HTML and JavaScript content, the machine learning filters may measurably reduce NGIPS/TPS throughput. Adaptive Filter Configuration (AFC) can be leveraged to protect the network from significant performance impact [5]. When tested against BreakingPoint's "real-world" traffic mixes [6], these filters showed very minimal impact on the device under test.

• When tested against the top 100,000 Alexa sites [7], a list of the top sites on the Internet by traffic volume, the filters showed a false positive rate below 1 percent. From a true positive perspective, we have concluded that these filters catch the overwhelming majority of current variants of the Angler exploit kit. As an added benefit, we observed a number of other similar-looking exploit kits detected during our testing of malicious content. For that reason, only the filters designed to address Angler alone reference it in the name:

23799: Obfuscated HTML Usage in Exploit Kits

24884: Obfuscated HTML Usage in Exploit Kits (Angler)

24837: Obfuscated HTML Usage in Exploit Kits (Angler)

• Our recommendation for these filters is to stage them prior to production on a network tap and monitor throughput as well as false positives. This can be done by setting the filter action set to Permit/Notify + Trace, which generates packet captures (pcaps) for any events observed when the filter fires, so that each hit can be reviewed before the filter is allowed to block.

If you are unable to conclude whether the event was a false positive or a true positive, please reach out to the Trend Micro TippingPoint Technical Assistance Center (TAC). We are interested in your feedback, stories and collaboration regarding this technology as we work to maximize your TippingPoint investment.

References:

1. http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-setting-the-stage.pdf

2. https://cve.mitre.org/

3. http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-setting-the-stage.pdf

4. http://www.trendmicro.com/us/business/network-security/intrusion-prevention-system/

5. http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-c02586208-1.pdf

6. https://www.ixiacom.com/products/breakingpoint

7. https://support.alexa.com/hc/en-us/articles/200449834-Does-Alexa-have-a-list-of-its-top-ranked-websites-