how targeted apt and advanced malware attacks evade anti-virus software

How Targeted Attacks Evade Anti-Virus Software

© 2012 Imperva, Inc. All rights reserved.

© 2012 Imperva, Inc. All rights reserved.

© 2012 Imperva, Inc. All rights reserved.

Compromised insiders defined The anatomy of a compromised insider campaign Non mitigation techniques: Anti-virus Mitigating compromised insiders in theory

+ Real world case study: RSA

Mitigating compromised insiders in practice

2

Agenda

CONFIDENTI

© 2012 Imperva, Inc. All rights reserved.

© 2012 Imperva, Inc. All rights reserved.

Research + Directs security strategy + Works with the Imperva Application Defense Center

Security experience + Fortify Software and Coverity + Helped secure Intel’s supply chain software + Extensive international experience in Japan, China, France, and

Australia

Thought leadership + Presented at RSA, InfoSec, OWASP, ISACA + Appearances on CNN, SkyNews, BBC, NY Times, and USA Today

Graduated from University of California, Berkeley

Today’s Presenter Rob Rachwald, Dir. of Security Strategy, Imperva

© 2012 Imperva, Inc. All rights reserved.

© 2012 Imperva, Inc. All rights reserved.

Insider Threat

Someone who has trust and access and acquires intellectual property and/or data in excess of acceptable business requirements.

They do so: + Maliciously + Accidentally + By being compromised

4

Insider threat defined

© 2012 Imperva, Inc. All rights reserved.

© 2012 Imperva, Inc. All rights reserved.

A 3rd party who gains access and acquires intellectual property and/or data in excess via client infection. The client, often employees in government, military or private industry, are unknowing accomplices and have no malicious motivation.

5

Compromised insider defined

Compromised Insider

© 2012 Imperva, Inc. All rights reserved.

In recent events …

Saudi Aramco + Malicious Insider,

30,000 computers hacked, full service disruption.

Global Payments + Compromised Insider,

causes 1.5M payment cards compromised.

6 6

© 2012 Imperva, Inc. All rights reserved.

© 2012 Imperva, Inc. All rights reserved.

Malware: Compromised insiders on the rise

2012 Verizon Data Breach Report • Malware is on the rise: “69% of all data breaches

incorporated Malware”. A 20% increase over 2011. • Malicious insider incidents declining: “4% of data breaches

were conducted by implicated internal employees.” A 13% decrease compared to 2011.

Director of National Intelligence • “Almost half of all computers in the United States

have been compromised in some manner and ~60,000 new pieces of malware are identified per day”.

© 2012 Imperva, Inc. All rights reserved.

The 1% to be really concerned about

“Less than 1% of your employees may be

malicious insiders, but 100% of your employees have the potential to be compromised insiders.”

Source: http://edocumentsciences.com/defend-against-compromised-insiders

© 2012 Imperva, Inc. All rights reserved.

© 2012 Imperva, Inc. All rights reserved.

Who does it?

Governments - Stealing Intellectual Property (IP) and raw data, as well as, espionage. - Motivated by politics and nationalism.

Private hackers - Stealing IP and data. - Motivated by profit.

Hacktivists - Exposing IP and data, but also compromising infrastructure. - Motivated by almost anything - have attacked, nations, people, religion, commerce, etc…

9

© 2012 Imperva, Inc. All rights reserved.

© 2012 Imperva, Inc. All rights reserved.

Multimillion dollar

datacenter

10

Where do they attack?

Desktop and the

user

Well protected

Not well protected

Both access the same data

© 2012 Imperva, Inc. All rights reserved.

Anatomy of a Compromised Insider Campaign

11

© 2012 Imperva, Inc. All rights reserved.

© 2012 Imperva, Inc. All rights reserved.

12

With social networks, smart bombing is not hard

© 2012 Imperva, Inc. All rights reserved.

© 2012 Imperva, Inc. All rights reserved.

13

With social networks, smart bombing is not hard

© 2012 Imperva, Inc. All rights reserved.

© 2012 Imperva, Inc. All rights reserved.

14

Industrialized approach

Specialized frameworks and hacking tools, such as BlackHole 2.0 and others, allow easy setup for Host Hijacking and Phishing.

How easy is it ? For $700: 3 month license for BlackHole available online. Includes support!

© 2012 Imperva, Inc. All rights reserved.

© 2012 Imperva, Inc. All rights reserved.

15

Is this real?

Recent “iPhone 5 Images Leak” was a Trojan Download Drive-By.

© 2012 Imperva, Inc. All rights reserved.

© 2012 Imperva, Inc. All rights reserved.

16

Is this real?

Persistent XSS Vulnerable Sites provide the Infection Platform.

GMAIL, June 2012

TUMBLR, July 2012

© 2012 Imperva, Inc. All rights reserved.

© 2012 Imperva, Inc. All rights reserved.

17

Is this real?

• “Once compromised, keyloggers and RATs installed on the financial institution employee's computer provided the criminals with "complete access“.

• “Unauthorized transactions were preceded by unauthorized

logins that occurred outside of normal business hours” • "The DDoS attacks were likely used as a distraction”

Sep 24th 2012, FBI Issued a warning of Targeted Scams.

© 2012 Imperva, Inc. All rights reserved.

Non Mitigations: Anti-Virus

18

© 2012 Imperva, Inc. All rights reserved.

The media view

“Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn’t. We were out of our league, in our own game.” Source: http://www.wired.com/threatlevel/2012/06/internet-security-fail/

© 2012 Imperva, Inc. All rights reserved.

The hacker view

An entire industry exists to bypass anti-virus. Today, anti-virus stops between 6-27%

of viruses.

Source: http://adamonsecurity.com/?p=323

© 2012 Imperva, Inc. All rights reserved.

The anti-virus vendor view

Source: http://www.forbes.com/sites/andygreenberg/2012/10/16/hackers-exploit-software-bugs-for-10-months-on-average-before-theyre-fixed/

Hackers exploit ‘zero-day' bugs for 10 months on average before they're exposed.

© 2012 Imperva, Inc. All rights reserved.

© 2012 Imperva, Inc. All rights reserved.

Problem: Most organizations chase the mice and don’t focus enough on protecting the cheese.

+ Much of security budgets spent on: – Malware detection – Virus prevention

+ Front-line/end-user defenses must be 100% accurate.

– If one mouse gets past them the cheese is gone.

22

Protect and monitor the cheese

© 2012 Imperva, Inc. All rights reserved.

Mitigating Compromised Insiders

23

© 2012 Imperva, Inc. All rights reserved.

© 2012 Imperva, Inc. All rights reserved.

Classify Sensitive Information + Identifying the information within the corporate databases and

file servers allows understanding of risk and severity of data access.

Persistent Security Policy + A good security policy will allow you to put compensating

controls in place while not disrupting business needs and maintaining security.

User Rights + Map your users’ rights. Understand who has access to what,

and why there are dormant accounts?

Analyze, Alert, and Audit on Activity + By keeping track of access and access patterns, it becomes easy

to understand who accessed your data, what was accessed, and why.

24

Step 1: Know what users do with data

© 2012 Imperva, Inc. All rights reserved.

© 2012 Imperva, Inc. All rights reserved.

What: weirdness probably means trouble.

How: + Profile normal, acceptable

usage and access to sensitive items by

– Volume – Access speed – Privilege level

+ Put in place monitoring or “cameras in the vault.”

25

Step #2: Look for aberrant behavior

© 2012 Imperva, Inc. All rights reserved.

© 2012 Imperva, Inc. All rights reserved.

Checks the entry method. Legitimate individuals should, typically, access data through a main door.

Monitor the activity of the individuals. If employees have been granted miscellaneous access permissions, monitor what they are doing. Malware from spear phishing typically causes unusual behavior.

Monitor the activity of privileged users. Database controls should track the activity of the privileged users and monitor what these privileged users are accessing.

26

Example: Databases

© 2012 Imperva, Inc. All rights reserved.

© 2012 Imperva, Inc. All rights reserved.

Copying Folders Routine Access

Nonselective All subfolders and files accessed

Selective

Temporally continuous Temporally irregular

Recursive Random order

Directory accessed before its files

Files can be accessed without directory

Example: File Systems

Source: Catching Insider Data Theft with Stochastic Forensics, presented at Black Hat USA August 2012.

© 2012 Imperva, Inc. All rights reserved.

© 2012 Imperva, Inc. All rights reserved.

28

Conclusion: Rebalance the portfolio

© 2012 Imperva, Inc. All rights reserved.

© 2012 Imperva, Inc. All rights reserved.

2002

$1.44 Billion

2012 (est.)

$7.84 Billion

29

Worldwide anti virus spend: 2002 vs 2012

A 5x increase without the 5x improvement. Source: Gartner, Worldwide Spending on Security by Technology Segment, Country and Region, 2010-2016 and 2002

© 2012 Imperva, Inc. All rights reserved.

Real World Incident

30

© 2012 Imperva, Inc. All rights reserved.

© 2012 Imperva, Inc. All rights reserved.

Organizations known to have been compromised:

• Saudi Aramco • Goldman Sachs • Global Payments • SF Computer Systems • Sandia National Labs • CardSystems • EPA • Motorola • Sberbank • Google (Aurora) • RSA • Toyota

The list goes on ….

© 2012 Imperva, Inc. All rights reserved.

© 2012 Imperva, Inc. All rights reserved.

Mass phishing campaign against RSA employees

32

RSA – phishing mail

© 2012 Imperva, Inc. All rights reserved.

© 2012 Imperva, Inc. All rights reserved.

Excel file with embedded Flash 0 day Flash vulnerability

33

RSA – the exploit

© 2012 Imperva, Inc. All rights reserved.

© 2012 Imperva, Inc. All rights reserved.

“With the trojan downloaded, the attackers then started harvesting credentials and made their way up the RSA food chain via both IT and non-IT personnel accounts, until they finally obtained privileged access to the targeted system.”

34

Proliferation within the network

Source: http://www.pcmag.com/article2/0,2817,2382970,00.asp

© 2012 Imperva, Inc. All rights reserved.

© 2012 Imperva, Inc. All rights reserved.

SecureID hacked

35

RSA – the result

© 2012 Imperva, Inc. All rights reserved.

Mitigation in Action

36

© 2012 Imperva, Inc. All rights reserved.

Imperva SecureSphere – Database coverage

Coverage for Heterogeneous Databases

DB2 DB2 z/OS DB2400 Informix Netezza

DB2 z/OS

© 2012 Imperva, Inc. All rights reserved.

Imperva Database Security Products

38

Database Activity Monitoring

Full auditing and visibility into database activities

Discovery & Assessment Server

Vulnerability assessment, configuration management,

database discovery and classification

© 2012 Imperva, Inc. All rights reserved.

Users

Deployment options

Management Server (MX)

Agent Auditing

Agent Auditing

Database Activity

Monitoring

Network Auditing Gateway

Network Auditing Gateway

DBA/Sys admin

DBA/Sys admin

Database Activity

Monitoring

© 2012 Imperva, Inc. All rights reserved.

Auditing database activity

40

Audit trail captures all database activity, including SELECT, DML, DDL, privileged activities.

Details answer the who?, what?, where?, when? and how?

Privileged Operations

DB2 for z/OS Activity

Who? What?, How? When? Where?

Complete Audit Trail

© 2012 Imperva, Inc. All rights reserved.

Audit analytics

Pre-defined audit views provide quick and flexible access to audit details

Graphical Analysis

Drill down to audit data

© 2012 Imperva, Inc. All rights reserved.

© 2012 Imperva, Inc. All rights reserved.

SecureSphere provides real-time alerts on any security event and policy violation.

Dynamic Profiling enables identification of abnormal behaviors.

Alerts enable immediate response to minimize the impact of a breach.

42

Real-time alerts on security events

Profiling violation – unauthorized database and schema access

Destination

Date and Time

Alert Details

Source application User

© 2012 Imperva, Inc. All rights reserved.

Universal user tracking

Universal User Tracking

Full user visibility and accountability • Map application users to database activity

User A

User B

User A User B

Tech User

© 2012 Imperva, Inc. All rights reserved.

CONFIDENTIAL - Imperva 44

© 2012 Imperva, Inc. All rights reserved.

© 2012 Imperva, Inc. All rights reserved.

No need to define special policies for mainframe databases.

Granular policies defined and managed through a centralized, friendly interface.

Preconfigured compliance policies and reports for SOX, PCI, and data privacy.

45

Unified policies across heterogeneous platforms

DB2 for z/OS

Other databases

Define and apply policies to heterogeneous databases

© 2012 Imperva, Inc. All rights reserved.

Webinar Materials

46

© 2012 Imperva, Inc. All rights reserved.

© 2012 Imperva, Inc. All rights reserved.

Webinar materials

Post-Webinar Discussions

Answers to Attendee Questions

Webinar Recording Link Join Group

Join Imperva LinkedIn Group, Imperva Data Security Direct, for…

www.imperva.com

- CONFIDENTIAL -