REDSAIL: Robust botnEt Deception via agent Synthesis And ImpLantation

Abstract

BAA N00014-18-S-B001
Brendan Saltaformaggio, Taesoo Kim, Wenke Lee
Georgia Institute of Technology
brendan@ece.gatech.edu, taesoo@gatech.edu, wenke@cc.gatech.edu

From physical battlefields to the cyber world, the fog of war can provide a strategic advantage against an adversary. In the cyber domain, advanced persistent threat (APT) campaigns are entirely dependent upon their ability to perform reconnaissance in a network and on the quality of information they can obtain. Bots exfiltrate sensitive situational data to attackers, who in turn use this data to orchestrate their next attack stages. Therefore, analogous to a physical battlefield, sowing deception into an attacker's command-and-control network can counter or even disable the attack campaign.

Toward this goal, we propose to use an attacker's own bots against them, a concept we dub "flipping the fangs" of a discovered bot. Bots, which aim to provide situational awareness, require trusted access to an adversary's remote database. We aim to exploit this trust as a means to feed misinformation to an attacker. In this project, we propose REDSAIL, a framework which synthesizes a deception agent from a discovered bot malware.

Once a bot is detected, REDSAIL begins with concolic analysis of the malware binary to uncover execution paths, which reveal sensitive data sources and C&C communication protocols. REDSAIL's concolic analysis framework (XANALYST) will integrate a novel constraint backsolving technique to focus symbolic modeling on only those network communications and environmental inputs unavailable during simulation. REDSAIL then concretizes symbolic constraints with attack-instance-specific context from a memory image (collected from the discovered bot process). To do so, we propose XEXPLORER, a framework for combining memory image forensics and symbolic analysis to actualize uncovered malware behaviours for the specific ongoing cyberattack.

For the remaining symbolic data, REDSAIL provides a customizable data source model (e.g., GPS coordinates) which investigators can spoof. Lastly, REDSAIL synthesizes the customized deception agent from a "safe-copy" of the malware, via XAGENT. The agent is then implanted in place of the original malware instance to sow deception into the adversary's C&C infrastructure.

The proposed team has an extensive background in the underlying technologies of REDSAIL, namely malware analysis, botnet detection and response, memory image forensics, and binary program reverse engineering and instrumentation. The PIs have a long history of close collaboration with joint projects, co-authored papers, and co-advised Ph.D. students. All of the PIs are supported by the Georgia Institute of Technology and will release all software developed for REDSAIL under an academic, open-source license whenever possible. The proposed project will cost $750K over the three phases in a total of 36 months.

Document Details

Document Type
DoD Grant Award
Publication Date
Apr 25, 2019
Source ID
N000141912179

Entities

People

  • Brendan Saltaformaggio

Organizations

  • Georgia Tech Research Corporation
  • Office of Naval Research
  • United States Navy

Tags

Fields of Study

  • Computer science

Readers

  • Agent-Based Social Robotics and Mobile-Assisted Learning in Virtual Environments.
  • Cybersecurity.
  • Mycotoxin ecology in Amazonian ecosystems.

Technology Areas

  • Cyber
  • Fully Networked C3
  • Fully Networked C3 - Command and Control
  • Space