2017 was the year of ransomware. 2018 is already shaping up to be the year of cryptocurrency mining malware. Are you prepared for this threat?
Good morning. Your CEO just called, and she wants to know what capabilities you have to detect cryptocurrency mining malware. You spoke to her a couple of weeks ago about detecting ransomware. Hello? That is pretty darn obvious - and easy to detect! But what about detecting cryptocurrency mining malware? How do you detect whether your CPU cycles are being stolen from your organization? Oh sure, you have already done the obvious. You have ensured that your anti-malware definitions are updated, so that known malicious executables, including cryptocurrency mining malware, can be detected. And you have already blocked known outbound ports used by mining pool malware (e.g., 8080, an alternate HTTP port, and 8081, Sun Proxy Administrative Service).
What if encrypted tunnels are being used for this activity (e.g., SSH or TOR)? What about new variants of cryptocurrency mining malware? Wikipedia currently tracks over 1,565 cryptocurrencies, and, surprisingly, “at least 39 digital currencies have market capitalisations of more than $1bn, according to three price tracking websites”.[1] Really? And what if that malware is not running on a known port? What if your threat intelligence is not up to date? How do you detect this type of malware? So you don’t know the destination IP address(es). You don’t know the destination port(s). And you don’t know the name of the executable. So how are you going to write a correlation for your SIEM to find this malware? Does your SIEM have any idea of what your systems’ CPU utilization is, or know what “normal” is for those systems? Good luck.
Enter machine learning. I don’t need to know what the destination IP address(es) is / are. I don’t need to know what the destination port(s) is / are. And I don’t need to know the name of the executable(s). I’m not looking for known unknowns. I’m going hunting for unknown unknowns by looking for modeled behavior(s). All I need to look for is some measure where the standard deviation = 0. Maybe that standard deviation of zero is temporal? Maybe those compromised systems are reporting their computation results back to a C2-like server every 30 seconds, or every minute, or every ____________________ (fill in the blank). While the results / reporting of those computations probably have some entropy, it is likely that each of the systems doing the mining is downloading a standardized size of data for computations. And it is likely that any compromised systems are reporting back to a fairly static list of destination IP address(es).
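To make the three modeled behaviors concrete (fixed reporting interval, fixed transfer size, small static destination set), here is an added example that is not part of the original post or of any PatternEx product: a small Python script that scores outbound connection records per (source, destination) pair without consulting any port list, IP blocklist or executable name. The log lines are constructed for illustration, the field layout (timestamp, source host, destination IP, destination port, bytes received) is an assumption, and instead of demanding a standard deviation of exactly zero it treats a coefficient of variation at or below a small threshold as “effectively zero”, so that the one-second jitter real schedulers introduce does not hide the pattern.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of outbound connection records (epoch seconds, source host,
# destination IP, destination port, bytes received). This is not captured traffic.
# 10.0.0.5 pulls a 4096-byte blob from the same destination roughly every 60 s;
# 10.0.0.7 is ordinary browsing with varied timing, sizes and destinations.
SAMPLE_LOG = """\
1515400000 10.0.0.5 203.0.113.10 8080 4096
1515400060 10.0.0.5 203.0.113.10 8080 4096
1515400120 10.0.0.5 203.0.113.10 8080 4096
1515400181 10.0.0.5 203.0.113.10 8080 4096
1515400240 10.0.0.5 203.0.113.10 8080 4096
1515400300 10.0.0.5 203.0.113.10 8080 4096
1515400005 10.0.0.7 198.51.100.20 443 18230
1515400047 10.0.0.7 198.51.100.21 443 2210
1515400190 10.0.0.7 198.51.100.20 443 90112
1515400203 10.0.0.7 198.51.100.22 443 733
1515400299 10.0.0.7 198.51.100.20 443 5120
1515400301 10.0.0.7 198.51.100.23 443 41000
"""

MIN_EVENTS = 5   # with fewer samples a "zero" deviation is not meaningful
MAX_CV = 0.05    # coefficient of variation treated as "effectively zero" (assumed tolerance)


def parse_log(text):
    """Turn whitespace-separated records into (ts, src, dst, port, size) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, size = line.split()
        records.append((int(ts), src, dst, int(port), int(size)))
    return records


def cv(values):
    """Population coefficient of variation; 0.0 when every value is identical."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def find_periodic_reporters(records, min_events=MIN_EVENTS, max_cv=MAX_CV):
    """Flag (src, dst) pairs whose inter-connection gaps and transfer sizes
    barely vary. Ports and destination reputation are deliberately ignored."""
    by_pair = defaultdict(list)
    dests_per_src = defaultdict(set)
    for ts, src, dst, port, size in records:
        by_pair[(src, dst)].append((ts, size))
        dests_per_src[src].add(dst)

    findings = []
    for (src, dst), events in by_pair.items():
        if len(events) < min_events:
            continue
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        sizes = [size for _, size in events]
        gap_cv, size_cv = cv(gaps), cv(sizes)
        if gap_cv <= max_cv and size_cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "events": len(events),
                "period_s": round(mean(gaps)),
                "gap_cv": round(gap_cv, 4),
                "size_cv": round(size_cv, 4),
                "distinct_dests_for_src": len(dests_per_src[src]),
            })
    return findings


if __name__ == "__main__":
    for finding in find_periodic_reporters(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the constructed sample, only the 10.0.0.5 → 203.0.113.10 pair is reported (six events, a 60-second period, zero size variation, one destination for that host); the browsing host never accumulates enough near-identical events to any one destination. In production the same statistics would be computed over a sliding window per host, and the `distinct_dests_for_src` count is what lets you distinguish a miner talking to one or two pool addresses from a host that happens to poll a monitoring endpoint on a schedule.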
Combing through vast amounts of log data to find this kind of cryptocurrency mining activity on a near real-time basis is relatively trivial for machine learning.
Good luck getting the same results with your SIEM’s correlations.
Interested in finding out more about PatternEx? Request a demo.
[1] Financial Times, “Growing number of cryptocurrencies spark concerns,” January 8, 2018; https://www.ft.com/content/a6b90a8c-f4b7-11e7-8715-e94187b3017e.