WEBVTT

0:00:02.140000 --> 0:00:07.740000
In this video, I'd like to talk about some email security evasion tactics.

0:00:07.740000 --> 0:00:11.800000
So these tactics, I'm just going to go over a high level of three sort

0:00:11.800000 --> 0:00:18.000000
of common ways that attackers try to evade your ESA from detecting that

0:00:18.000000 --> 0:00:20.740000
they're doing something wrong or malicious.

0:00:20.740000 --> 0:00:24.100000
And these attacks are also not only used in email attacks, but also web-

0:00:24.100000 --> 0:00:25.300000
based attacks as well.

0:00:25.300000 --> 0:00:28.380000
So knowing the terms that we're going to go over here, which specifically

0:00:28.380000 --> 0:00:33.620000
I'm going to talk about at a real high level: polymorphism, obfuscation,

0:00:33.620000 --> 0:00:38.200000
and sleep timers, three very common ways that attackers try to get around

0:00:38.200000 --> 0:00:43.160000
security implementations like an ESA.

0:00:43.160000 --> 0:00:47.500000
So unfortunately, this first line here is absolutely true.

0:00:47.500000 --> 0:00:53.460000
No single security solution is 100% effective at blocking malicious emails.

0:00:53.460000 --> 0:00:59.700000
There are just way too many viruses, attacks coming out on any given day,

0:00:59.700000 --> 0:01:03.140000
and there's just no way to keep on top of all of them.

0:01:03.140000 --> 0:01:08.360000
So there are, however, several known techniques that malicious actors use

0:01:08.360000 --> 0:01:09.620000
to avoid detection.

0:01:09.620000 --> 0:01:11.280000
That's what we're going to focus in on here.

0:01:11.280000 --> 0:01:18.020000
So at a high level, I'm going to talk about obfuscation, polymorphism,

0:01:18.020000 --> 0:01:19.280000
and sleep timers.

0:01:19.280000 --> 0:01:22.940000
So let's go down to the bottom first, sleep timers, then we'll wrap that

0:01:22.940000 --> 0:01:25.600000
up around to obfuscation.
0:01:25.600000 --> 0:01:32.480000
The idea about sleep timers is that most virus detection and malware detection

0:01:32.480000 --> 0:01:39.740000
programs, what they do is when malware is installed on your laptop or

0:01:39.740000 --> 0:01:44.920000
PC, once you've installed it unwittingly, unwillingly, and it's triggered,

0:01:44.920000 --> 0:01:50.500000
it takes effect, that malware a lot of times will reach out to a server

0:01:50.500000 --> 0:01:52.140000
somewhere on the internet.

0:01:52.140000 --> 0:01:56.400000
It'll reach out to a server to be able to download even more code or to

0:01:56.400000 --> 0:02:01.600000
download instructions or maybe to upload the information that it's found.

0:02:01.600000 --> 0:02:05.140000
But a lot of times, the situation is that now the malware,

0:02:05.140000 --> 0:02:08.700000
or the virus, is sitting on your laptop, PC or server, and it will reach out

0:02:08.700000 --> 0:02:12.280000
to an external source and expect something back.

0:02:12.280000 --> 0:02:16.120000
Now a lot of virus signatures, a lot of detection algorithms, what they're

0:02:16.120000 --> 0:02:21.820000
looking for is when they see your laptop, PC or server initiate an outbound

0:02:21.820000 --> 0:02:25.260000
connection to something, they watch that and they watch to see what's

0:02:25.260000 --> 0:02:29.260000
coming back. And if what goes out and what comes back matches a known

0:02:29.260000 --> 0:02:32.540000
signature, matches something that's already known to be malicious, they

0:02:32.540000 --> 0:02:35.780000
say, aha, I got you, I know exactly what you're doing, I'm going to strip

0:02:35.780000 --> 0:02:37.920000
out that code, I'm going to block that action.

0:02:37.920000 --> 0:02:45.240000
But what if when the malware initiates that outbound connection, it's

0:02:45.240000 --> 0:02:50.620000
pre-programmed to wait a long time before getting a response back?
0:02:50.620000 --> 0:02:56.500000
You see a lot of malware and virus programs or anti-malware, anti-virus

0:02:56.500000 --> 0:02:59.900000
programs, they expect that transition to happen really quickly.

0:02:59.900000 --> 0:03:03.360000
They expect the transaction from the outbound request to the inbound data

0:03:03.360000 --> 0:03:06.220000
coming back to happen within seconds.

0:03:06.220000 --> 0:03:11.380000
So if the malware was intentionally crafted in such a way that, hey, when

0:03:11.380000 --> 0:03:14.400000
the malware initiates the outbound connection to the malicious server

0:03:14.400000 --> 0:03:17.720000
out there somewhere, if the malicious server is intentionally going to

0:03:17.720000 --> 0:03:25.920000
wait minutes or days or hours, quite possibly the detection algorithm

0:03:25.920000 --> 0:03:31.120000
in your anti-malware, anti-virus signature program will have timed out.

0:03:31.120000 --> 0:03:35.160000
It will have said, well, I saw something going out, but by default, I

0:03:35.160000 --> 0:03:38.580000
only wait like five minutes and then I figure, I guess it's nothing

0:03:38.580000 --> 0:03:42.320000
to worry about because I never saw anything come back, and I move on.

0:03:42.320000 --> 0:03:45.880000
So sleep timers, like it says here, are malware that intentionally induces

0:03:45.880000 --> 0:03:50.860000
lengthy delays between malicious instructions and responses so as to time out

0:03:50.860000 --> 0:03:52.940000
detection techniques.

0:03:52.940000 --> 0:03:54.740000
That's what a sleep timer is.

0:03:54.740000 --> 0:03:57.200000
Now let's roll up to obfuscation.

0:03:57.200000 --> 0:04:02.500000
At a high level, what obfuscation is, is that when malware or a virus

0:04:02.500000 --> 0:04:07.020000
is, let's say, in an email, right, let's say an email has an attachment

0:04:07.020000 --> 0:04:10.880000
and an attachment has malware or a virus or a Trojan horse or something

0:04:10.880000 --> 0:04:12.660000
like that inside of it.
0:04:12.660000 --> 0:04:17.120000
Well, a very common way that the ESA and other security appliances will

0:04:17.120000 --> 0:04:20.620000
try to detect that is when they scan that email and when they look at

0:04:20.620000 --> 0:04:24.180000
like the binary or the bits within that email, they'll be looking for

0:04:24.180000 --> 0:04:28.080000
known patterns, known, recognizable, what we call signatures.

0:04:28.080000 --> 0:04:33.460000
So an obfuscation technique is that the person who crafted that malware

0:04:33.460000 --> 0:04:38.480000
will intentionally manipulate the bytes, manipulate the bits so that they

0:04:38.480000 --> 0:04:43.180000
don't look like something that's well known so that they bypass these

0:04:43.180000 --> 0:04:45.540000
techniques to try to spot them.

0:04:45.540000 --> 0:04:49.160000
And like it says here, this could be something such as obscuring a file name.

0:04:49.160000 --> 0:04:52.120000
Maybe there's a well-known file name that when you see that file name

0:04:52.120000 --> 0:04:53.400000
show up, that's a virus.

0:04:53.400000 --> 0:04:54.360000
We know about that one.

0:04:54.360000 --> 0:04:58.060000
Well, what if I send you that virus and I just change the file name?

0:04:58.060000 --> 0:05:03.360000
Now whatever that technique is to spot that, it won't recognize it.

0:05:03.360000 --> 0:05:07.600000
It could be modifying file attributes or even a file that's operating

0:05:07.600000 --> 0:05:11.580000
under the pretense of a legitimate program or service.

0:05:11.580000 --> 0:05:14.920000
And I'll also talk right now about polymorphism as well.

0:05:14.920000 --> 0:05:17.220000
Polymorphism is really bad.
0:05:17.220000 --> 0:05:22.640000
This is an example of a virus or malware that can dynamically change its

0:05:22.640000 --> 0:05:27.280000
shape, change its characteristics so that by the time it gets forwarded

0:05:27.280000 --> 0:05:31.840000
on to something else, it has changed and is no longer recognizable from

0:05:31.840000 --> 0:05:33.600000
what it once was.

0:05:33.600000 --> 0:05:37.200000
So let's take a look starting at obfuscation.

0:05:37.200000 --> 0:05:43.340000
Okay, so like it says, many anti-malware programs will parse through downloaded

0:05:43.340000 --> 0:05:48.040000
code attachments looking for recognizable strings such as a recognizable

0:05:48.040000 --> 0:05:54.700000
malicious URL, a URL that's known to point to a malicious server, or known

0:05:54.700000 --> 0:05:56.860000
malicious words like bot.

0:05:56.860000 --> 0:06:00.620000
Anytime you see a URL and somewhere in the URL or somewhere in the file

0:06:00.620000 --> 0:06:04.260000
name it has bot, that's something you've got to be aware of.

0:06:04.260000 --> 0:06:07.060000
So a lot of anti-malware programs will be looking for that kind of stuff.

0:06:07.060000 --> 0:06:09.180000
So what does obfuscation do?

0:06:09.180000 --> 0:06:14.420000
It changes. It obfuscates that thing that the virus scanner is looking

0:06:14.420000 --> 0:06:20.320000
for, making binary and textual data unreadable and hard to understand.

0:06:20.320000 --> 0:06:24.400000
And it can be as simple as manipulating a few bits to as complex as using

0:06:24.400000 --> 0:06:26.240000
cryptographic techniques.

0:06:26.240000 --> 0:06:29.260000
So I'm just going to show you some examples of this.

0:06:29.260000 --> 0:06:32.440000
I'm not going to go into any great detail on how this stuff works.

0:06:32.440000 --> 0:06:36.820000
You can always Google that on your own, but some examples of obfuscation

0:06:36.820000 --> 0:06:41.180000
are applying an exclusive-or operation to hide the data.
0:06:41.180000 --> 0:06:44.900000
For example, maybe what you downloaded looks like this.

0:06:44.900000 --> 0:06:47.720000
And if you look at that sort of purple area there, there's nothing in

0:06:47.720000 --> 0:06:51.680000
there that says bot, there's nothing in there that looks like a URL, but

0:06:51.680000 --> 0:06:56.120000
that's because the original data had an XOR operation applied to it.

0:06:56.120000 --> 0:07:00.660000
And if you XOR decode it, hey, look at that, it actually turns out that

0:07:00.660000 --> 0:07:03.920000
that is a URL and that has the word bot in it.

0:07:03.920000 --> 0:07:07.780000
So that's one way to obfuscate something.

0:07:07.780000 --> 0:07:13.220000
There's also something called base64 encoding, which is also very tricky.

0:07:13.220000 --> 0:07:20.600000
It takes your binary data and chops it up into chunks of six bits

0:07:20.600000 --> 0:07:27.240000
each and then uses a base64 alphabet to encode that into a base64 string.

0:07:27.240000 --> 0:07:33.020000
So if your antivirus or anti-malware detection method is not trying to

0:07:33.020000 --> 0:07:37.980000
look for things that are base64 encoded, it will think that something's

0:07:37.980000 --> 0:07:40.820000
just normal. For example, look at the plain text there.

0:07:40.820000 --> 0:07:44.940000
It's looking at Windows System32, but when you encode that with base64

0:07:44.940000 --> 0:07:49.840000
encoding, it looks nothing like what the original plain text looked like.

0:07:49.840000 --> 0:07:53.600000
Another thing is something called ROT13.

0:07:53.600000 --> 0:07:55.900000
ROT stands for rotate.

0:07:55.900000 --> 0:08:02.180000
It's an assembly language, and ROT13 just simply means, hey, rotate 13 characters.

0:08:02.180000 --> 0:08:05.640000
So it's a simple letter substitution method.

0:08:05.640000 --> 0:08:07.160000
Letter substitution method.
0:08:07.160000 --> 0:08:10.620000
For example, look at your lookup table on the bottom, capital A, B, C,

0:08:10.620000 --> 0:08:16.040000
D, whatever. Okay, so your plain text starts out with HKEY_LOCAL_MACHINE.

0:08:16.040000 --> 0:08:17.080000
All right, that's your plain text.

0:08:17.080000 --> 0:08:21.480000
Now we don't want our virus signature, our anti-malware, to see that plain

0:08:21.480000 --> 0:08:25.620000
text because then it will trigger it and it will strip out this nice malware

0:08:25.620000 --> 0:08:27.920000
I've created where I'm trying to get your money.

0:08:27.920000 --> 0:08:30.620000
So instead I apply ROT13 to that.

0:08:30.620000 --> 0:08:31.640000
So how does that work?

0:08:31.640000 --> 0:08:33.500000
Well, look at the HKEY.

0:08:33.500000 --> 0:08:34.980000
Look at the capital H.

0:08:34.980000 --> 0:08:41.400000
Okay. So the capital H, if we start right there, so there's the capital

0:08:41.400000 --> 0:08:47.680000
H, if we go 13 letters away, if you actually counted

0:08:47.680000 --> 0:08:51.620000
it up, that gives you the capital U.

0:08:51.620000 --> 0:08:55.720000
So that is 13 rotated right there.

0:08:55.720000 --> 0:08:59.180000
And now here we see the capital H has become a capital U.

0:08:59.180000 --> 0:09:04.280000
So if we did that at every single character here, rotate it 13 characters

0:09:04.280000 --> 0:09:09.720000
to the right, we end up with this thing that looks nothing like the original

0:09:09.720000 --> 0:09:16.480000
plain text. Very simple substitution, but that could trick a lot of antivirus

0:09:16.480000 --> 0:09:20.600000
and anti-malware detection mechanisms.

0:09:20.600000 --> 0:09:24.240000
There's also something called a runtime packer, which is a piece of software

0:09:24.240000 --> 0:09:30.540000
that takes the original malware file and compresses it, making it unreadable.
0:09:30.540000 --> 0:09:35.640000
And then at runtime, a wrapper program will take that packed program and

0:09:35.640000 --> 0:09:39.600000
decompress it, revealing the program's original code.

0:09:39.600000 --> 0:09:42.720000
So that's another way of doing obfuscation.

0:09:42.720000 --> 0:09:50.080000
So another way to try to circumvent your ESA and other antivirus, anti-

0:09:50.080000 --> 0:09:54.000000
malware detection techniques is called polymorphism.

0:09:54.000000 --> 0:10:00.140000
So polymorphism, like it says here, this typically refers to viruses.

0:10:00.140000 --> 0:10:05.820000
Viruses can be called polymorphic viruses, which means that they are encrypted,

0:10:05.820000 --> 0:10:08.960000
the payload is encrypted, and they mutate.

0:10:08.960000 --> 0:10:13.100000
So a polymorphic virus, when it gets to you, will be encrypted and it

0:10:13.100000 --> 0:10:16.900000
will have something built into it called a mutation engine.

0:10:16.900000 --> 0:10:20.580000
So the encrypted payload hides the payload, right?

0:10:20.580000 --> 0:10:22.540000
Your scanners and threat detection can't see it.

0:10:22.540000 --> 0:10:23.440000
They can't recognize it.

0:10:23.440000 --> 0:10:27.760000
It doesn't match any known signatures.

0:10:27.760000 --> 0:10:32.120000
So threat detection, how would we be able to identify this?

0:10:32.120000 --> 0:10:34.100000
How would we be able to recognize this?

0:10:34.100000 --> 0:10:39.680000
Well, we would have to recognize it not by what the bits look like, not

0:10:39.680000 --> 0:10:44.440000
by what the name is, but by what it does, by its decryption routine.

0:10:44.440000 --> 0:10:47.440000
How is it decrypted?

0:10:47.440000 --> 0:10:50.220000
And then the mutation engine, this is the worst part.
0:10:50.220000 --> 0:10:54.320000
The mutation engine randomly creates a new decryption routine so that

0:10:54.320000 --> 0:10:58.680000
when the virus moves to the next target, it appears to be completely different

0:10:58.680000 --> 0:11:00.720000
to file scanners.

0:11:00.720000 --> 0:11:05.440000
It might also generate a new file name for the malicious code.

0:11:05.440000 --> 0:11:11.200000
So the real downside of these is that if a polymorphic virus is downloaded

0:11:11.200000 --> 0:11:17.640000
onto my laptop, and let's say that my laptop quarantines it, but before

0:11:17.640000 --> 0:11:21.740000
I quarantine it, it forwarded it on to you.

0:11:21.740000 --> 0:11:25.400000
So now I've got some, like, Advanced Malware Protection.

0:11:25.400000 --> 0:11:29.420000
I've got AMP for clients, AMP for Endpoints running on my laptop.

0:11:29.420000 --> 0:11:30.420000
So two things have happened.

0:11:30.420000 --> 0:11:34.740000
The virus has now been quarantined by AMP, but for whatever reason, it

0:11:34.740000 --> 0:11:37.800000
was also forwarded to you before it was quarantined.

0:11:37.800000 --> 0:11:42.320000
Maybe AMP detected, okay, a lot of times with quarantining, a quarantine

0:11:42.320000 --> 0:11:45.220000
can be set up for just a certain number of days.

0:11:45.220000 --> 0:11:48.040000
Like part of AMP, you could say, well, when something matches this, if

0:11:48.040000 --> 0:11:53.960000
we're not sure what it is, let's quarantine it for 24 hours or for a day.

0:11:53.960000 --> 0:11:57.200000
But then you can also have a configurable action that says, hey, if no

0:11:57.200000 --> 0:12:01.340000
action is taken on this, if nobody bothers to look at it in 24 hours or

0:12:01.340000 --> 0:12:05.620000
a day or two, then time out the quarantine and forward it.

0:12:05.620000 --> 0:12:07.920000
Just let it go on as if it was okay.
0:12:07.920000 --> 0:12:12.200000
But maybe keep a copy of it in quarantine just so we can look at it later

0:12:12.200000 --> 0:12:14.760000
on. So let's say that happens.

0:12:14.760000 --> 0:12:17.440000
I receive an email with an attachment.

0:12:17.440000 --> 0:12:19.200000
It gets quarantined.

0:12:19.200000 --> 0:12:22.940000
I don't bother looking at it because I'm on vacation or maybe I've just been

0:12:22.940000 --> 0:12:25.780000
too busy. The quarantine expires.

0:12:25.780000 --> 0:12:29.760000
So the email is delivered to me and then a copy of it, maybe it's got

0:12:29.760000 --> 0:12:31.440000
a worm inside of it or something like that.

0:12:31.440000 --> 0:12:36.020000
That worm replicates, looks at my email contact lists and sends out a

0:12:36.020000 --> 0:12:40.020000
copy of itself to all sorts of other people in my contact lists.

0:12:40.020000 --> 0:12:44.700000
Now let's say a couple of days go by and Cisco Talos has determined

0:12:44.700000 --> 0:12:46.840000
that that was a worm.

0:12:46.840000 --> 0:12:49.960000
That was malware that was unrecognizable before.

0:12:49.960000 --> 0:12:52.580000
Well, that's great.

0:12:52.580000 --> 0:12:56.300000
And now they say, okay, now we're going to upload our anti-

0:12:56.300000 --> 0:12:59.520000
malware, antivirus definitions to look for that worm.

0:12:59.520000 --> 0:13:00.300000
But here's the problem.

0:13:00.300000 --> 0:13:04.060000
If it was a polymorphic virus, it has changed.

0:13:04.060000 --> 0:13:08.140000
Now when it propagated to other people, it totally changed its characteristics.

0:13:08.140000 --> 0:13:10.960000
It totally changed the way it was encrypted and decrypted.

0:13:10.960000 --> 0:13:14.560000
And it doesn't look like what it originally looked like.

0:13:14.560000 --> 0:13:17.140000
So some examples.
0:13:17.140000 --> 0:13:21.040000
I found this to be kind of interesting, historically, how a polymorphic

0:13:21.040000 --> 0:13:23.560000
virus came to be in the first place.

0:13:23.560000 --> 0:13:24.260000
It was actually created.

0:13:24.260000 --> 0:13:28.300000
The very first one was called 1260 or V2PX.

0:13:28.300000 --> 0:13:32.020000
And it was created in 1990 as part of a research project, believe it or

0:13:32.020000 --> 0:13:36.900000
not. And the author created it to demonstrate the limitations of virus

0:13:36.900000 --> 0:13:39.200000
scanners at that time.

0:13:39.200000 --> 0:13:43.700000
Little did Mark Washburn probably know that this thing called a polymorphic

0:13:43.700000 --> 0:13:48.280000
virus he had created as just a demonstration would actually catch on with

0:13:48.280000 --> 0:13:50.420000
malicious actors.

0:13:50.420000 --> 0:13:56.440000
Some recent examples of well-known polymorphic viruses are Storm Worm.

0:13:56.440000 --> 0:13:57.440000
This is kind of interesting.

0:13:57.440000 --> 0:14:01.820000
This featured a backdoor Trojan and was first discovered in 2007.

0:14:01.820000 --> 0:14:03.660000
It spread via email.

0:14:03.660000 --> 0:14:08.660000
And once it was executed, it turned infected systems into bots.

0:14:08.660000 --> 0:14:13.960000
It was able to change its characteristics every 10 to 30 minutes, Storm Worm.

0:14:13.960000 --> 0:14:18.400000
And then one you definitely don't want to be subjected to is the VirLock

0:14:18.400000 --> 0:14:23.800000
ransomware. It's a ransomware family first discovered in 2014 and was

0:14:23.800000 --> 0:14:29.020000
considered the very first instance of polymorphic ransomware.

0:14:29.020000 --> 0:14:32.360000
As a matter of fact, what's kind of scary is that statistics say that

0:14:32.360000 --> 0:14:39.880000
of all the malware infections today, 97% of malware infections employ

0:14:39.880000 --> 0:14:44.200000
polymorphic viruses or polymorphic ransomware.
0:14:44.200000 --> 0:14:46.820000
So what are we supposed to do about this?

0:14:46.820000 --> 0:14:51.500000
Well, because you can't really spot it based on what it looks like,

0:14:51.500000 --> 0:14:55.000000
you have to be able to spot it based on its behavior.

0:14:55.000000 --> 0:14:56.960000
What is it actually doing?

0:14:56.960000 --> 0:15:02.480000
So what types of API calls is it making within your system?

0:15:02.480000 --> 0:15:06.120000
What types of files is it trying to access?

0:15:06.120000 --> 0:15:12.540000
So we're looking at behavior-based analytics rather than signature detection.

0:15:12.540000 --> 0:15:16.700000
And as the last thing here, that VirLock ransomware, this is what you

0:15:16.700000 --> 0:15:17.420000
would have seen.

0:15:17.420000 --> 0:15:20.660000
If you were actually subjected to this, you would have gotten this screen

0:15:20.660000 --> 0:15:26.560000
that looks really scary, with all sorts of badges here of the FBI, the

0:15:26.560000 --> 0:15:28.420000
Department of Justice.

0:15:28.420000 --> 0:15:30.760000
It's kind of interesting if you go ahead and pause this video and read

0:15:30.760000 --> 0:15:33.860000
through this; this looks scary if you get this.

0:15:33.860000 --> 0:15:36.440000
Oh my gosh, I'm going to be fined $250.

0:15:36.440000 --> 0:15:40.560000
I might be convicted and sent to prison for five years.

0:15:40.560000 --> 0:15:44.220000
Wow, I better do what they're telling me to do here and transfer some

0:15:44.220000 --> 0:15:48.960000
Bitcoin to this person so it will unlock and decrypt all the files in

0:15:48.960000 --> 0:15:55.760000
my computer. So that was an example of polymorphic ransomware.

0:15:55.760000 --> 0:15:59.100000
So that completes this video.

0:15:59.100000 --> 0:16:02.020000
I hope it was useful to you and thank you for watching.
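The XOR, base64 and ROT13 examples from the obfuscation part of the video, seen from the scanner's side. This is an added Python example, not code from the video or from any Cisco product: a naive matcher that only inspects raw bytes misses all three obfuscated indicators, while a matcher that first peels off those encoding layers (including a brute force of every single-byte XOR key) finds them. The indicator list, the sample payloads and the XOR key 0x5A are constructed for this example.

```python
import base64
import codecs
import re

# Indicator strings of the kind the video says scanners look for
# (constructed list for this example).
INDICATORS = ["bot", "HKEY_LOCAL_MACHINE", "System32"]


def naive_scan(data):
    """Signature-style check that only looks at the raw bytes."""
    text = data.decode("latin-1")
    return [s for s in INDICATORS if s in text]


def xor_single_byte(data, key):
    """XOR every byte with one key byte; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def decode_layers(data):
    """Return (layer_name, bytes) views of the data: the raw bytes, a ROT13
    view, any base64-looking run decoded, and every single-byte XOR key."""
    text = data.decode("latin-1")
    views = [("raw", data),
             ("rot13", codecs.encode(text, "rot_13").encode("latin-1"))]
    # Only runs that look like base64 (16+ alphabet chars) are tried.
    for m in re.finditer(rb"[A-Za-z0-9+/]{16,}={0,2}", data):
        try:
            views.append(("base64", base64.b64decode(m.group(0), validate=True)))
        except ValueError:  # binascii.Error is a ValueError subclass
            pass
    for key in range(1, 256):
        views.append(("xor:0x%02x" % key, xor_single_byte(data, key)))
    return views


def layered_scan(data):
    """Match indicators against every decoded view.
    Returns {indicator: layer that revealed it}; the first layer wins."""
    hits = {}
    for layer, view in decode_layers(data):
        text = view.decode("latin-1")
        for s in INDICATORS:
            if s in text and s not in hits:
                hits[s] = layer
    return hits


# Constructed samples, each hiding one indicator the way the video shows.
SAMPLES = {
    "xor": xor_single_byte(b"http://example.invalid/bot/update", 0x5A),
    "base64": b"cmd " + base64.b64encode(b"C:\\Windows\\System32\\cmd.exe"),
    "rot13": codecs.encode("reg add HKEY_LOCAL_MACHINE\\Software\\x", "rot_13").encode(),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "naive:", naive_scan(blob), "layered:", layered_scan(blob))
```

A real ESA or endpoint engine applies far more decoders than these three; the point is that matching only raw bytes is exactly the gap these obfuscations exploit, and every decoding layer added to the scanner closes one of them.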