Advanced Ransomware Modeling for Threat Intelligence Extraction

Abstract

Combating ransomware is essential to protecting the national infrastructure, mission-critical services, and the economic well-being of the nation. Both industry and academia have developed various approaches to combating malware. However, the ever-changing nature of these threats makes it difficult to identify patterns that correctly identify threats without false positives. Even if one had reliable models for ransomware, the actual kill chain would make it challenging to identify an attack, as the deployment and activation of the ransomware is usually the last step in a highly targeted, multi-phase attack that includes an initial breach, lateral movement, and eventually the downloading of the ransomware binary. If these steps are not completed, the final ransomware component is not deployed, preventing security analysts from extracting key threat intelligence about the attackers.

We propose to develop a novel approach to create a simulated complex network environment that provides inputs to the various steps of the kill chain of a targeted ransomware attack, so that the attacker is deceived into delivering the final ransomware component, allowing for the collection of threat intelligence that aids in the disruption of the malicious actor's activity.

While there are sandboxing solutions that provide a realistic execution environment for the analysis of malware, the multi-step nature of the kill chain, combined with the targeted nature of the attack, only allows for the detection of the early stages of a breach. Once the initial malware component (usually a downloader or a remote access tool) is unable to move laterally or discovers a target network configuration that does not meet the attacker's expectations, the attack stops.

To solve this problem, we propose a novel analysis framework that evolves the concept of a traditional sandbox into an elastic sandbox that extends and adapts in reaction to the attempts to move laterally performed during the early stages of an attack. Therefore, as an attacker looks for additional hosts to compromise, additional instances of the sandbox are deployed to support the advance of the kill chain. In addition, we propose a machine-learning-based approach to providing network information that is realistic while not disclosing important information to the attacker. In particular, we plan to use Generative Adversarial Networks (GANs) to provide metadata about the network. Therefore, we plan to use real-world traffic from the target network in order to train a GAN-based system. Then, during the analysis of a multi-step attack in an elastic sandbox, whenever data about the network needs to be fed to the malware samples, the GAN-based system is used to generate data that is consistent with (but different from) the targeted network.

By using this approach, it is possible to provide a more comprehensive analysis environment that automatically expands as the attacker attempts to move laterally, while providing meta-information about the network configuration that matches the attacker's expectations in highly targeted attacks.

The resulting threat intelligence can be extremely effective in protecting computer networks from similar attacks and in disrupting the threat actor's operations. For example, full visibility into the TTPs adopted in the kill chain allows for the creation of models to detect both single artifacts (e.g., a specific credential-harvesting component) and multi-step attacks (e.g., specific chains of tools). In addition, by obtaining the final ransomware sample it is possible to collect command-and-control indicators, identify the ransom collection infrastructure (e.g., the onion site used to interact with the victim), and possibly extract the crypto wallets involved.
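As an added illustration of the elastic-sandbox idea in the abstract (this is not code from the proposal or from UCSB), the controller below consumes constructed sandbox sensor events, provisions a new decoy instance the first time the implant probes a not-yet-existing internal host over a lateral-movement port, and answers with host metadata sampled from a profile of a constructed "real" inventory. A simple frequency profile stands in for the GAN the proposal describes; host names, IPs and port list are assumptions.

```python
import random
from collections import Counter
# Ports whose probing from the already-compromised host suggests lateral movement.
LATERAL_PORTS = {445: "smb", 3389: "rdp", 5985: "winrm", 22: "ssh"}
# Constructed inventory standing in for the real target network (GAN training data).
REAL_HOSTS = [
    {"name": "ws-014", "os": "Windows 10", "role": "workstation"},
    {"name": "fs-001", "os": "Windows Server 2019", "role": "fileserver"},
    {"name": "dev-003", "os": "Ubuntu 20.04", "role": "devbox"},
]
# Constructed sandbox sensor events: the implant on 10.0.0.5 probes other hosts.
EVENTS = [
    {"src": "10.0.0.5", "dst": "10.0.0.20", "dport": 445},   # first SMB probe
    {"src": "10.0.0.5", "dst": "10.0.0.20", "dport": 80},    # plain web traffic
    {"src": "10.0.0.5", "dst": "10.0.0.21", "dport": 3389},  # RDP probe, new host
    {"src": "10.0.0.5", "dst": "10.0.0.20", "dport": 445},   # repeat: same decoy
]

class ElasticSandbox:
    def __init__(self, real_hosts, seed=0):
        self.rng = random.Random(seed)
        self.os_dist = Counter(h["os"] for h in real_hosts)
        self.role_dist = Counter(h["role"] for h in real_hosts)
        self.prefix = {h["role"]: h["name"].split("-")[0] for h in real_hosts}
        self.instances = {}  # decoy IP -> generated host metadata
        self.observed = []   # (src, dst, technique) timeline kept as threat intel

    def _generate_host(self, ip):
        # Sample plausible attributes but never copy a real record (consistent, not identical).
        os_name = self.rng.choices(list(self.os_dist), list(self.os_dist.values()))[0]
        role = self.rng.choices(list(self.role_dist), list(self.role_dist.values()))[0]
        name = f"{self.prefix[role]}-{500 + len(self.instances):03d}"
        return {"ip": ip, "name": name, "os": os_name, "role": role}

    def handle_event(self, event):
        # Provision a new sandbox instance the first time a destination is probed.
        technique = LATERAL_PORTS.get(event["dport"])
        if technique is None:
            return None  # ordinary traffic: the sandbox does not grow
        self.observed.append((event["src"], event["dst"], technique))
        if event["dst"] not in self.instances:
            self.instances[event["dst"]] = self._generate_host(event["dst"])
        return self.instances[event["dst"]]

def run(events, seed=0):
    sandbox = ElasticSandbox(REAL_HOSTS, seed)
    for event in events:
        sandbox.handle_event(event)
    return sandbox
```

After `run(EVENTS)` the sandbox holds two decoys and a three-entry lateral-movement timeline; every decoy name differs from the real inventory while its OS and role follow the real distribution.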

Document Details

Document Type
DoD Grant Award
Publication Date
May 15, 2023
Source ID
N000142312387

Entities

People

  • Christopher Kruegel

Organizations

  • Office of Naval Research
  • United States Navy
  • University of California, Santa Barbara

Tags

Fields of Study

  • Computer science

Readers

  • Cybersecurity
  • Distributed Systems and Data Platform Development

Technology Areas

  • AI & ML
  • AI & ML - DoD AI Strategy
  • Cyber
  • Fully Networked C3
  • Fully Networked C3 - Command and Control