©2014 Check Point Software Technologies Ltd.
Modern Threats and Malware
Kierk Sanderlin
Regional Engineering Manager
We are surrounded by buzzwords
but what do they all mean?
A Little History
Behind The Scenes
A. Who would write a virus?
B. Why would they write it?

’80s and ’90s
Who: Nerds
Why: Show Off, Cause Damage
Examples
Ping Pong video: http://www.youtube.com/watch?v=yxHalzuPyi8
Cascade video: http://www.youtube.com/watch?v=z7g-v3d7-Gk
Other celebrities:
• CIH
• Melissa
• ILOVEYOU
Behind the Scenes
       ’80s and ’90s              21st Century
Who:   Nerds                      Criminals, Nation-State
Why:   Show Off, Cause Damage     Steal Money, Steal Data, Cause Damage
Examples
Criminals:
• Zeus
• Spy-Eye
• ZeroAccess/Sirefef
• Carberp
• Cridex
• [more to come]
Nation-State:
• Stuxnet
• Duqu
• Flame
• Gauss
• Shamoon
• APT1
• [more to come]
One Ware to Rule Them All
Steal:
• Spyware
Damage:
• Ransomware
Harass:
• Adware
• Scareware
• Fake AV
Generic Names:
• Virus
• Trojan
• Worm
• Malware
All of the above: MALWARE
Why Do That?
• Someone else’s code running on your server without your permission or knowledge is bad
• Malware can change functionality, based on collected information
• Malware can download other malware
• Bot-herders rent out parts of their network
• Bot-herders can change their mind
Cyber Kill Chain™
• Was trademarked by
• Describes the phases of an attack
• Has become an industry standard
• We’ll get back to this later…
Attack Scenario
1. Spearphishing
2. Malware-bearing Spam
3. Link-bearing Spam
4. Pirated Software
5. Drive-By Download
6. Infected Media
1. Spearphishing
Phishing Example #1: Completely Generic
Spearphishing
A phishing email aimed at a particular victim. The email is crafted around information the victim is most likely to respond to, and it may contain genuinely actionable content.
• Examples:
• CVs sent to HR personnel
• A business proposal based on the victim’s previous work
• A request for an opinion, a decision or help
Spearphishing
Most of the time, the email will contain a malicious document. The document, in turn, contains an Exploit targeting a vulnerability, whether Disclosed or Undisclosed (also known as a 0-Day Vulnerability), and a Payload, which installs Malware on the computer.
Layers of the malicious document, as built up on the slides:
• Actual Content
• Exploit
• Payload
• Malware
2. Malware-bearing Spam
0-Day Vulnerability
When a vulnerability is published or disclosed, the days until it is patched are counted; this is the age of the vulnerability. A vulnerability that was never disclosed is still unpatched, and zero days have passed since its disclosure, hence “0-day”.
An Exploit is a piece of code and data that takes advantage of an unpatched vulnerability in order to gain Code Execution or Privilege Escalation.
3. Link-bearing Spam
Exploit Kit
A collection of Exploits, usually Web-oriented, that are used to infect a computer through its browser or associated plugins. The exploits will usually target JavaScript, Java or Flash vulnerabilities.
An Exploit Kit is a good example of CaaS – Crime as a Service.
4. Pirated Software
Bundled Malware
A lot of today’s software is not free: if you don’t pay, you can’t use it properly. People try to bypass this protection by looking for a Cracked Copy of the software, or a KeyGen (Key Generator).
Cracked software is modified software. You may think the only change is the removal of the protection, but nothing prevents the attacker from including whatever additional functionality they desire.
The same applies to KeyGens. They really do generate a valid serial number, but at the same time they install malware in the background.
The most famous example is Android Apps. Hackers take an app that costs money, repackage it with malware and put it back on the store, under the same name, for free.
5. Drive-By Download
Watering Hole Attack
Borrowed from the wildlife world, it describes an attack on a website that attracts many visitors, just like a watering hole.
Instead of spending a great deal of resources in order to attack many victims, the attacker only has to attack one victim – the popular website.
6. Infected Media
Back to the Cyber Kill Chain™
Terms from this talk placed on the chain:
• Spearphishing
• Spam
• Exploit Kit
• Drive-By Download
• Watering Hole Attack
• Pirated Software
• Cracked Software
• KeyGen
• Bundled Malware
• 0-Day Vulnerability
• Code Execution
• Privilege Escalation
• Payload
• Malware
Why Would Anyone Attack Me?
(image © Brian Krebs)
Alternate Topic
Advanced Persistent Threat, or Another Pointless Term?
Now Let’s Compare…
Advanced Persistent Threat          Random Attack
Nation-State                        Hacker / Criminal
Targeted Attack                     Wide Campaign
0-Day / Unknown Vulnerability       0-Day / Unpatched
Unknown Tools                       New / Existing Tool
Spearphishing                       Spam / Drive-By
Compromised PC                      Compromised PC
And…on October 21st, 2012
What it looks like…
Summary
A. “I’m not interesting, no one will attack me” and “It’s too complicated” are irrelevant responses.
B. The balance is shifting from Prevention to Detection.
C. There is no silver bullet. You must have layered security covering all fronts.