in the cloud security - first · in the cloud security - identifying what we don’t know! software...
TRANSCRIPT
July 28, 2009
In the Cloud Security
Greg DayPrincipal Security Analyst EMEAAVERT member
July 28, 20092 Confidential McAfee Internal Use Only
The Tsunami
• Decades of threats, surely we have a handle on this?
• Estimated in excess $1trillion loss through Cybercrime and data loss in 2008McAfee Unsecured Economies Report 2009
• Q1 2009 - 12 million new IP’s zombied since January!50 percent increase since 2008 McAfee Quarterly threat Report Q1 2009
• Koobface - more than 800 new variants in March 09!McAfee Quarterly threat Report Q1 2009
July 28, 20093 Confidential McAfee Internal Use Only
Understand the motivation, to understand the methodology
Source: Chat Interview with the Dream Coders Team, the developers of MPackhttp://www.robertlemos.com/2007/07/23/mpack-interview-chat-sessions-posted/
July 28, 20094 Confidential McAfee Internal Use Only
Today anyone can be a cyber criminal!
July 28, 20095 Confidential McAfee Internal Use Only
Over 20 years of Anti-Virus
• Dr Solomon’s Anti-virus from 1990
• Looking for string match against known malware
July 28, 20096 Confidential McAfee Internal Use Only
The age old question - Is anti-virus dying?
1991 : Michelangelo : 6 months ?1997 : WM/Cap : 2 months ?1999 : WM/Melissa : 1 Day ?2000 : VBS/Loveletter : 4 hours ?2001 : CodeRed/Nimda : 1 hour ?2003 : Slammer : 3 mins ?2008 : Mass Web compromises : secs ?
Anti-Virus protection (%) of 2003 Medium+ threats
0
20
40
60
80
100
AV
AV software% Proactive protection % Reactive Protection
Anti-Virus protection (%) of 2004 Medium+ threats
0
20
40
60
80
100
AV software
%
% Proactive protection % Reactive Protection
July 28, 20097 Confidential McAfee Internal Use Only
From Elephant to Chameleon How threats have changed
July 28, 20098 Confidential McAfee Internal Use Only
Evolution of threats
1987 – Brain & Stoned (Early BSV)1990 – Vienna modified to be polymorphic1991 – Polymorphism hits the wild (Tequila)1995 – WM/Concept (first Macro Virus)1999 – Melissa Mass Mailer & ExploreZip reply mailer2000 – Phage (Virus for Palm Pilot)2001 – CodeRed & Nimda (utilise security vulnerabilities)2002 – Klez & Elkern, Bugbear (Droppers)2003 – Slammer (Speed), Slapper (Unix, directed attack)2004 – Turf wars (Bagle Netsky, Sober, BOTs)2005 – System & data theft (Trojan’s & Rootkit)2007 – Rootkits, Packers, Recycling (Threat Longevity)2008 – Drive-by infections,
July 28, 20099 Confidential McAfee Internal Use Only
Early proactive techniques
July 28, 200910 Confidential McAfee Internal Use Only
Heuristics (behavioural analysis)
•Positive & Negative analysis•Protection against new file and/or macro viruses•Checks for virus like characteristics•Block execution of possible virus code (OAS)•No cleaning as no exact match•Tangible sample to send to virus lab
July 28, 200911 Confidential McAfee Internal Use Only
Speed…
The blended/zero day attack, bought the new solutions
July 28, 200912 Confidential McAfee Internal Use Only
July 28, 200913 Confidential McAfee Internal Use Only
July 28, 200914 Confidential McAfee Internal Use Only
Proactive behavioural protection(HIPS, NIPS, FW, Whitelisting etc…)
• Known Vulnerably detection• Behavioural controls
– RFC non-compliance– Anomaly detections– Policy controls
• Define web/email usage• Lockdown Windows & Windows system folder• Registry Modification• Block un-used ports
– Proactive or Reactive?• Blacklist non-corperate high risk appsConficker – AutoRun.inf
July 28, 200915 Confidential McAfee Internal Use Only
Proactive Behavioural Controls - limitations
• What did I really stop?• Did it stop all of the attack?• What else could it have done?
• We still want to identify the threat• We sometimes need to clean up
• Assumes clean at point of install
July 28, 200916 Confidential McAfee Internal Use Only
• 246% growth from 2006 to 2007
• 400%+ growth projected for 2008
• 2008 exceed projections
2006
900,000 -
800,000 -
700,000 -
600,000 -
500,000 -
400,000 -
300,000 -
200,000 -
100,000 -
0 -
271,197
78,381
2007 2008
1,500,000+
~350,000 projected for ‘08
# of
thre
ats
Source: McAfee Avert Labs
Volume…
July 28, 200917 Confidential McAfee Internal Use Only
The Great Zoo: McAfee Known Malware Samples
17
Count of dirty samples/hashes in the McAfee zoo
July 28, 200918 Confidential McAfee Internal Use Only
Shark – Compliable multi system back door TrojanNow anyone can be a cyber criminal!
1. Setup server
2. Compile threat
3. Infected systemstalk home!
4. See what you have!
5. Full control!
6. Enable keylogger
7. Control processes
July 28, 200919 Confidential McAfee Internal Use Only
Buy the deployment tools
July 28, 200920 Confidential McAfee Internal Use Only
Mass infection of public web pages globally (13 March 08 )
• 200,000 web pages compromised– SQL injection– Vuls in .ASP pages running phpBB
• Inserted JS to write IFRAME in header or body– MS06-014– RealPlayer (ActiveX Control)– Baofeng Storm (ActiveX control)– Ourgame GL World GlobalLink Chat (ActiveX Control)
• Daisy chains to China server– Drops down loaders– Steals gaming credentials
July 28, 200921 Confidential McAfee Internal Use Only
Booby-trapped legitimate sitesBooby-trapped legitimate sites
MPack C&C centerMPack C&C center
(1): connection to a legitimate site
(1): connection to a legitimate site
(2): silent redirect
(2): silent redirect
(3): exploitation(3): exploitation
(4): HTML infection(4): HTML infection
Botnet,RockPhish,Fast-Flux,DDoS,Identity theft,…
(4): machine under control(4): machine under control
1. The victim visits a legitimate site that has been booby-trapped with hidden redirect code (hidden iFrame).
2. They are silently redirected to the server hosting the attack tool.
3. Depending on the browser, various vulnerabilities may be tested. Various malware are downloaded and executed.
4. The web pages accessible from the victim's workstation are in turn booby-trapped.
Example: IFrame & MPack
July 28, 200922 Confidential McAfee Internal Use Only
Regular “Protection Gap”
Protection gap of 24-72 hours with current solutions
Malware in the wild
Malware discovered
Protection is available
Protection is downloaded
Protection is deployed
t1 t2 t3t0 t4
July 28, 200923 Confidential McAfee Internal Use Only
Security in the Cloud
July 28, 200924 Confidential McAfee Internal Use Only
Next Gen “In the cloud” detection
Internet
FingerprintDatabase
July 28, 200925 Confidential McAfee Internal Use Only
End-node reporting
Very little system overhead
Meta-data
What is “in the Cloud scanning”?
July 28, 200926 Confidential McAfee Internal Use Only
In the cloud security -Blocking what we already know!
Non-replicating malware is static
And some replicating is static too (e.g. worms)
Can be detected with a fingerprint (MD5,SHA-1,SHA-2, etc.)
Black List of fingerprints
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
1999 2000 2001 2002 2003 2004 2005 2006 2007 2008
Replicating vs Non-Replicating Malware
July 28, 200927 Confidential McAfee Internal Use Only
How does in the Cloud anti-virus work?
Internet
No detection with existing DATs, but the file is “suspicious”
2
3 Fingerprint of file is created and sent using Artemis
4 Artemis reviews this fingerprint and other inputs statistically across threat landscape
5 Artemisidentifies threat and notifies client
User receives new file via email or web1
6 VirusScan processes information and removes threat
Artemis
Collective Threat Intelligence
July 28, 200928 Confidential McAfee Internal Use Only
In the Cloud in action
July 28, 200929 Confidential McAfee Internal Use Only
In the cloud security -Identifying what we don’t know!
Software may be deemed “suspicious” based onObserved behaviours
SourceDetections by other products
Behaviours, sources, detections can be assigned a weight
Based on the resulting weight, software may be classified as “suspicious” with different degrees of certainty
July 28, 200930 Confidential McAfee Internal Use Only
Closing the loop
July 28, 200931 Confidential McAfee Internal Use Only
Malware case study – Spy-Agent.bw
First seen – 15th October 2008, 22:24:28
Auto-blacklisted – 15th October 2008, 22:57:01
Artemis clients sent fingerprints ~2 hours before regular submission saw the file
July 28, 200932 Confidential McAfee Internal Use Only
Security & privacy
U0B6gKhbtiZCoxyh0IneADS/RShS8iRCBSEvwfjekG/q4yDRgqEUXjHWKvnrySGa6QMdftrlpl5pAdJvOUAcNcvCjKvpIfsxv8qBk4uRQQ60r5StRCXOpiA0Qy3fKmLRUZyNq1EyjLLPKgJDZI
0nqHhRWX+TDgPgXRfW9wD06qE
Cryptographically strong actionable responses
Query specific Immune to replay attacks
Example:
July 28, 200933 Confidential McAfee Internal Use Only
Cloud security compressed “Protection Gap”
Malware in the wild
Malware discovered
Protection is available
Protection is downloadedProtection is
deployed
t1 t2 t3t0 t4
Protection delivered in real-time
t1
Case study – Spy-Agent.bw
• Artemis protection – ~32 minutes• Regular protection – ~8.5 hours
– Not including deployment time
July 28, 200934 Confidential McAfee Internal Use Only
I was blind, but now I see
VulnerabilityResearch
Risk andCompliance
HIPs
Malware Research
SPAMResearch
Collective Threat
Intelligence
SiteAdvisor
Internet
CustomerArtemis customers
July 28, 200935 Confidential McAfee Internal Use Only
Taking it to the next level
July 28, 200936 Confidential McAfee Internal Use OnlyJuly 28, 2009McAfee Global Threat Intelligence36
Atlanta
London
Hong KongSan Jose
IntelliCenterCyberWorld
IntelligenceProbes
Deploy security probes: Around the globe (firewall, email gateways, web gateways)Global intelligence system: Share cyber communication info. (e.g.: hackers, spammers, phishers)
ResultsEffective - Accurate detection of bad IPs, domainsPro-active - Deny connection to intruders to your enterprise
Collaborative Global Intelligence
PhysicalWorld
CIAFBI
Interpol
PoliceStations
PoliceStations
PoliceStationsIntelligence
Agents
ResultsEffective - Accurate detection of offendersPro-active - Stop them from coming in the country
Deploy agents: Officers around the globe (MI5, MI6, FBI, CIA, Interpol.)Global intelligence system: Share intelligence information. (e.g. criminal history, global finger printing system)
ChicagoFrankfurt
July 28, 200937 Confidential McAfee Internal Use Only
Global Intelligence, Local Protection
REAL-TIME PROTECTION PLATFORMS
REAL-TIME PROTECTION PLATFORMS AUTOMATED ANALYSISAUTOMATED ANALYSIS
Dynamic ComputationOf Reputation Score
10 Billion Enterprise Messages
Analyzed per Month
Bad Good
IP Domain URL Image Message
GLOBAL DATA MONITORINGGLOBAL DATA MONITORING
IntelliCenter
Chicago
London
Portland Atlanta
Hong Kong
Global Data Monitoring is Fueled by the Network Effect of Real-Time Information Sharing from Thousands of Gateway Security Devices around the World
Ownership• Whois• Zone files• Trademark
Content• Images• Text• Links
Behavior• Social networks• Persistence• Longevity
Edge / Firewall• Traffic Shaping• Attack Blocking
Web Gateways• Anti-Malware• Anti-Spoofing
Messaging Gateways• Outbreak
Detection• Anti-Spam
Identity FraudApplications
• Anti-Phishing• Zombie Alerts
July 28, 200938 Confidential McAfee Internal Use OnlyJuly 28, 2009McAfee Global Threat Intelligence38
Intelligence: How It All Works….
Internet
Incoming traffic
1
Appliance queries
McAfee Threat Intelligence
2McAfee Threat Intelligence returns reputation info
3
McAfee Threat Intelligence updates records with new reputation info
3
This entire process happens constantly, every second, 7x24x365
TS-enabled appliance
July 28, 200939 Confidential McAfee Internal Use OnlyJuly 28, 2009TrustedSource Data Mining Technologies39
Responder Architecture
• Legacy protocol based on customized DNS servers
• Enhanced proprietary protocol (UDP over SSL)
Query Data
Reputation
Data
Analysis Systems
Inst
an
t A
naly
sis
Internal & External
Data Sources• Historical data
• Message data/metadata
• Neighborhood data
• Ownership data
• Spamtraps and honeypots
• Blacklists
July 28, 200940 Confidential McAfee Internal Use Only
What does it monitor?
• Email– IP Reputation– Message Reputation
• Web – URL Categories– Web Reputation
• Intrusion/FW – IP/Protocol
Reputation – Geo-Location – IPS Attack Vector
Correlation
July 28, 2009TrustedSource Data Mining Technologies40
Dim
en
sio
ns
Virus
Phishing
Spam
ActiveContent
Malware
HackAttack
IPDomain
URL
AttachmentImage
Message
Connection Reputation Content Reputation
Oth
er
Web
Em
ail Zombies, Botnets,
other sources
Compromised or malicious web sites
or URLs
Hacker sites
Image spam, Virus, worms,
Trojans
ActiveX, Java, VB code from infected
web sites
DoS, DDoS, miscother attacks
July 28, 200941 Confidential McAfee Internal Use OnlyJuly 28, 2009TrustedSource Data Mining Technologies41
Message Reputation
Mail Gateway
Mail Gateway
New/ Unknown spammer
New/ Unknown spammer
Known spammerKnown
spammer
1. Known spammer sends
message
2. Message is blocked
3. Unknown sender sends similar
message
4. Message is recognized and
blocked
5. Unknown sender sends
different message
6. Message is associated with new machine in
a botnet and blocked
Allows Reputations to Move Across Identities and Protocols
July 28, 200942 Confidential McAfee Internal Use Only
TS Web Reputation Breakout
July 28, 2009TrustedSource Data Mining Technologies42
July 28, 200943 Confidential McAfee Internal Use Only
Size
Precision
•TrustedSource for Email
•Domain Registrations•WHOIS data•WebWasher classifiers•SmartFilter categories•Web access logs•Malware URLs•Phishing URLs•Spam URLs•Fortune 1000 websites
•Blacklists•Whitelists
•Correlation Mapping (Joint Conditional Mapping)
•Support Vector Machine classification of all parameters
•Parked Domain Identifier•Neighborhood Classification
•Real-Time Classifier•GEO Location•Host information:
•DNS•WHOIS•OS•Webserver•Certificate information
•75 Million Hosts
•More Precise(-180 - +180)
•Identified zombies, malware, suspicious
AnalysisRaw DataReputation
Service
Tru
sted
So
urc
e f
or
Web
Building Web Reputation
-180
Bad
+180
GoodSuspicious
Reputation Range
July 28, 200944 Confidential McAfee Internal Use Only44
TrustedSource Web Database
• Category-based filtering + reputation based filtering = best protection available
• 96 URL categories
• TrustedSource global intelligence augments numerous categories such as Spam, Malicious Sites, Phishing, Hacking/Computer Crime
• Reputation-based filtering for today’s Web 2.0 threats– Provides an additional layer of security– Malicious sites, Spyware, Hacking, P2P, IM and more
• 31+ Million URLs (contains IPs, HTTP and HTTPS URLs)
• Automated proactive and reactive URL gathering systems
• Human review of URLs by multi-lingual/cultural Web Analysts
– Global coverage (language and regions)
• Real-time updates
44
July 28, 200945 Confidential McAfee Internal Use OnlyJuly 28, 2009Artemis Q2 2009 QBR45
TS Web Language breakout
July 28, 200946 Confidential McAfee Internal Use Only46
www.TrustedSource.Org• Public Portal• View reputations for domains, IP
addresses or URLs• Sending patterns of the senders• Analytical information:
– country of origin– network ownership– hosts for known senders within each
domain
• Snapshot of global email trends, including a map illustrating country of origin for email attacks
• Graphs displaying overall email and spam volume trends
• ROI Calculator• ZombieMeter• Domain Health Check• Latest malware threats • Blogs from experts• Top spam senders
46
Greg_Day@McAfee.com01000111011100100110010101100111010111110100010001100001011110010100000001001101011000110100000101100110011001010110010100101110011000110110111101101101