malware most wanted: security ecosystem


Upload: cyphort

Post on 12-Jul-2015


TRANSCRIPT

Page 1: Malware Most Wanted: Security Ecosystem
Page 2: Malware Most Wanted: Security Ecosystem

It Takes An Ecosystem To Defend Against APT

Fengmin Gong

Chief Strategy Officer

Page 3: Malware Most Wanted: Security Ecosystem

Your speakers today

Dr. Fengmin Gong, Chief Strategy Officer and Co-Founder

Anthony James, VP of Products & Marketing

Page 4: Malware Most Wanted: Security Ecosystem

Agenda

o Open Secret: Malware is winning

o Orientation: What’s going on?

o Decision: New defense paradigm

o Action: Building a secure ecosystem

o Tell – The only promise for us to win the war against modern threats is to build an effective security ecosystem of defenders!

o Show – How ecosystem approach works by examples

o Wrap-up and Q&A

Cyphort Labs T-shirt

Page 5: Malware Most Wanted: Security Ecosystem

Threat Monitoring & Research team

o 24x7 monitoring for malware events

o Assist customers with their Forensics and Incident Response

We enhance malware detection accuracy

o False positives/negatives

o Deep-dive research

We work with the security ecosystem

o Contribute to and learn from the malware KB

o Best of 3rd party threat data

Page 6: Malware Most Wanted: Security Ecosystem


Page 7: Malware Most Wanted: Security Ecosystem

Open Secret, Sad Reality

Cyber bad actors are winning

Well known direct victims

o Sony: PlayStation network, DDoS, & Sony Pictures breach

o Target: 40 million cards + 70 million other accounts, CEO ousted

o “Nemanja” POS botnets of 1478 hosts in 36 countries

Indirect victims

o Card issuers, merchants & consumers

Why So Sad & Bad

o Too late: discovered after many months

o Too much: name, address, DOB, SSN & driver’s license #

o Too little: “Will help you monitor your credit reports!”

o Too easy: most attacks did not even use a 0-day exploit

Page 8: Malware Most Wanted: Security Ecosystem

Not Only The Naïve Fall Victim

What: March 17, 2011, RSA warned of SecurID threats

What’s Stolen: RSA One-Time-Password Sensitive Info

Conclusion: It probably made Rivest, Shamir, and Adleman want to withdraw their names from RSA

[Diagram, steps 1 to 3: spear-phishing attack with “2011 Recruitment plan.xls”; RSA hosts on pre-Office 2010 and Flash pre-3/21 patch; Adobe Flash Player 0-day; RAT; 2-factor secrets]

Page 9: Malware Most Wanted: Security Ecosystem

Threat Life Cycle – Generic Kill Chain

Threat: Potential threat is born or reborn.

Reconnaissance: Attacker analyzes potential targets.

Weaponize: Malware is groomed for success.

Deliver: Malware payload infiltrates host system.

Exploit: Malware finds access point.

Install: Malware installs exploitive features on system.

Command & Control: Malware misses mom and calls home.

Action: Manual and/or auto mitigation and policy enforcement.

Page 10: Malware Most Wanted: Security Ecosystem

Threat Life Cycle – Detection Insights

[Diagram: life-cycle stages and their channels: Infect (exploit pack drive-by; social engineering, email, target), Download (HTTP, file share, FTP, P2P), Install (HTTP, social net, P2P), Exfiltrate (data theft, spam, phishing, DDoS). Detection signal groups from the diagram, in slide order; the stage each group belongs to is not recoverable from the extracted text:]

• Traffic anomaly • Exec anomaly • Content anomaly • Exploit sig

• App anomaly • Attack sig • Traffic anomaly • Reputation

• Behavior anomaly • Reputation • Malware sig

• CnC sig • Traffic anomaly • Reputation

• App anomaly • CnC sig • Traffic anomaly • Reputation

Page 11: Malware Most Wanted: Security Ecosystem

Modern Threats TTP (Technique, Tactic, & Procedure)


o Web Based + Social Engineering

o Multiple Infection Vector

o Obfuscated & Encrypted

o Multi-Component Delivery

o Anti-static analysis & sandboxing

o Network Distributed – Botnets

o Polymorphism & Self Update

1. Hard To Capture Using Simple Sigs

2. Hard To Detect Using Single Approach

3. Impossible To Prevent From A Single Point

Page 12: Malware Most Wanted: Security Ecosystem

Many Actors: Context Is Important

[Diagram: Crime Value Chain. Criminal infrastructure and roles: CnC Servers, Upload/Download Servers, Infection Servers, Malware Writers, Bot Herders, Spam/Phish Pushers, ID/Account Stealers, Pushers, Questionable Providers, Questionable Advertisers/Merchants, Illegal Merchants, Espionage. Legitimate parties: Legit Merchants, Financial Institutions, Consumers, Legit Corporations. Outcomes: Direct (Infect) Victim, Indirect (Fraud) Victim]

Page 13: Malware Most Wanted: Security Ecosystem

Users Are A Critical Success Factor

Enterprise Security Challenges

• Advanced TTP • Industrialized cyber crime • Corporate & nation state actors

• Problems on the ground • Urgency for tools • Expectation for “fit”

• Global • Mobile • Consumerization • Big Data • SaaS Cloud

• Blurred Intra-Extra-Internet

• Virtualization & cloud delivery

• Unified business infrastructure: ERP, ICS & IoT

• SD-X: Software-defined X

Page 14: Malware Most Wanted: Security Ecosystem

Lost Generation, Lost Paradigm

[Diagram: threat evolution from Virus, OS/Server Exploit, Client Exploits, Network Worm and Mail Worm to SQL Injection, Cross-Site Script, Web plugIn/Apps Exploit, Social Engineering, User-Gen Content and Malvertizing, backed by Industrialized Production of Exploits/Packer/Coder/Malware by Corporate and Nation State actors; set against siloed defense layers: SaaS (Msg Security, Web Security: Sig, Heuristics, Reputation, Sandboxing), Network (SMG, SWG, IPS, UTM, NGFW: Sig, Anomaly, Sandboxing), Host (AV, IPS, UTM: Sig, Heuristics, MemProt)]

Multi-vector, targeted, multi-component, network-enabled, & automated AGAINST largely single-method, blind, siloed, & manual

Page 15: Malware Most Wanted: Security Ecosystem

Quick Poll Break

Page 16: Malware Most Wanted: Security Ecosystem

New Paradigm - Security Ecosystem

o An environment in which all security devices & applications can share actionable threat intelligence (ATI) across IT infrastructure, locations, and organization boundaries, to mitigate security threats.

o We must focus on minimizing the attack consequences!


Page 17: Malware Most Wanted: Security Ecosystem

Practicing Ecosystem Defense

o All solutions support some Threat Intelligence Sharing protocols/APIs

o All access will be controlled with Strong Authentication

o The Access Control in operation still resides with the Owner, i.e. the customer participating in the ecosystem

Security Products Can Support The Ecosystem Without Losing Their Competitive Edge, And Customers Will Benefit From All The Best Of Breed Solutions!

Page 18: Malware Most Wanted: Security Ecosystem

Quick Poll Break

Page 19: Malware Most Wanted: Security Ecosystem

Ecosystem Actions By Example

1. BackOff: CnC gen, infection detection, & exfiltration prevention

o First sight, one store; benefit more stores, to stop any infiltration by the same family

2. Sony Wiper: fingerprinting <dst-IP, initiator-MD5> for forensic analysis, containment, & cleanup

o First sight, one infected machine; identify & protect all infected in the organization

3. Infection Site Discovery: advanced warning & threat campaign tracking

o Early detection of infected site, exploit pack (EP) analysis, global protection, & campaign trending

Page 20: Malware Most Wanted: Security Ecosystem

Backoff: Reliable Snort CnC Rule

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BackOff HTTP Callback"; flow:established,to_server; content:"POST"; http_method; content:"$op="; http_uri; content:"&id="; http_uri; content:"&ui="; http_uri; content:"&wv="; http_uri; content:"&gr="; http_uri; content:"&bv="; http_uri; content:"/windebug/updcheck.php"; http_uri; classtype:trojan-activity; sid:891000; rev:2;)
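As an added example (not part of the presentation), the following Python emulates the rule's content checks over constructed HTTP requests, so the logic can be tested without a sensor. It assumes the flow direction (client to server on an established session) has already been handled by the capture layer, as Snort's flow keyword does; only the http_method and http_uri matches are modelled, and the query values in the samples are placeholders.

```python
# Every token the rule requires in the http_uri buffer. Order does not matter,
# because the rule uses no distance/within modifiers.
BACKOFF_URI_TOKENS = ("$op=", "&id=", "&ui=", "&wv=", "&gr=", "&bv=",
                      "/windebug/updcheck.php")


def parse_request_line(raw: bytes):
    """Return (method, uri) from an HTTP request's first line, or None if malformed."""
    first = raw.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = first.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1]


def matches_backoff_callback(raw: bytes) -> bool:
    """True when the request would trigger the rule: POST plus every URI token."""
    parsed = parse_request_line(raw)
    if parsed is None:
        return False
    method, uri = parsed
    return method == "POST" and all(tok in uri for tok in BACKOFF_URI_TOKENS)


# Constructed samples; query values are placeholders, not captured Backoff data.
CALLBACK = (b"POST /windebug/updcheck.php?$op=1&id=ABCD&ui=pos01&wv=6.1&gr=grp&bv=1.55 HTTP/1.1\r\n"
            b"Host: cnc.example.invalid\r\n\r\n")
# Same path but wrong method: the rule needs POST in the http_method buffer.
BENIGN_GET = b"GET /windebug/updcheck.php?$op=1 HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
# POST to the path with only some tokens: every content match must succeed.
PARTIAL_POST = (b"POST /windebug/updcheck.php?$op=1&id=ABCD HTTP/1.1\r\n"
                b"Host: example.invalid\r\n\r\n")
# Not HTTP at all (a TLS record header), so there is no request line to inspect.
NOT_HTTP = b"\x16\x03\x01\x00\xa5"


def scan(requests):
    """Return the indexes of matching requests, one alert per matching request."""
    return [i for i, r in enumerate(requests) if matches_backoff_callback(r)]


if __name__ == "__main__":
    print(scan([CALLBACK, BENIGN_GET, PARTIAL_POST, NOT_HTTP]))  # [0]
```

A real sensor normalizes the URI before matching (Snort's http_uri buffer), so percent-encoded variants that this raw string check misses would still match on the device.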

Page 21: Malware Most Wanted: Security Ecosystem

Backoff: Reliable System IOC

o Unique Persistency

o Existence of mutex named “nUndsa8301nskal”

o Existence of file “%APPDATA%\nsskrnl”, RC4 encrypted with the password “Password”

o Existence of clear text file “%APPDATA%\OracleJava\Log.txt” for keystrokes

o ATI Extract & share…

o Verify infiltration of a POS machine by checking the above persistent artifacts

o Detect & block CnC using the simple Snort rule

o Anyone, anywhere, thereafter shall be protected

Page 22: Malware Most Wanted: Security Ecosystem

Sony Wiper: Seeing Once Is Enough


Page 23: Malware Most Wanted: Security Ecosystem

Static & Dynamic IOCs

o strings (D1C27EE7CE18675974EDF42D4EEA25C6)
  o calc.exe
  o 88.53.215.64
  o 217.96.33.164
  o 203.131.222.102
  o igfxtrayex.exe
  o net_ver.dat

o process (760c35a80d758f032d02cf4db12d3e55) behavior
  o Igfxtrayex.exe creates files “taskhost%random%.exe”
  o Igfxtrayex.exe is identical to “taskhost%random%.exe”

o Any EXE with those strings output is suspect; dropped EXE with the process behavior must be removed!

Page 24: Malware Most Wanted: Security Ecosystem

From IOC To Threat Fingerprints

o IOCs so far focus on detecting & verifying any infection

o Threat fingerprinting puts more emphasis on identifying specifics of a particular infection
  o Specific TTP
  o Malware family
  o Actors & intent

o ATI extract & share…
  o Host-X: HTTP connections to dst {203.131.222.102|217.96.33.164|88.53.215.64}, initiated by process {Y}, created from image {filename=“igfxtrayex.exe”|md5=“760c35a80d758f032d02cf4db12d3e55”}
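As an added example (not part of the presentation), this Python applies the Host-X fingerprint above to constructed endpoint telemetry, showing why the fingerprint needs both the destination and the initiating image (by name or MD5) before a host is flagged. The record schema (host, pid, image, md5, dst_ip, proto) and the host names and pids are assumptions; the IPs, image name and MD5 come from the slides.

```python
import ntpath

# Fingerprint values from the slide
WIPER_DST_IPS = {"203.131.222.102", "217.96.33.164", "88.53.215.64"}
WIPER_IMAGE = "igfxtrayex.exe"
WIPER_MD5 = "760c35a80d758f032d02cf4db12d3e55"


def event_matches(ev: dict) -> bool:
    """HTTP connection to a listed dst, from a process matching by image name OR md5."""
    if ev.get("proto") != "http" or ev.get("dst_ip") not in WIPER_DST_IPS:
        return False
    # ntpath splits Windows paths correctly on any platform
    image = ntpath.basename(ev.get("image", "")).lower()
    return image == WIPER_IMAGE or ev.get("md5", "").lower() == WIPER_MD5


def fingerprint_hits(events) -> dict:
    """Group matching events by host: {host: sorted list of offending pids}."""
    hits = {}
    for ev in events:
        if event_matches(ev):
            hits.setdefault(ev["host"], set()).add(ev["pid"])
    return {h: sorted(p) for h, p in hits.items()}


# Constructed telemetry (assumed schema); hosts and pids are placeholders.
SAMPLE_EVENTS = [
    # dropper under its original name, talking to a listed destination -> hit
    {"host": "host-A", "pid": 1234, "image": r"C:\Windows\igfxtrayex.exe",
     "md5": "", "dst_ip": "217.96.33.164", "proto": "http"},
    # a browser reaching the same dst: destination alone is not the fingerprint
    {"host": "host-A", "pid": 2222, "image": r"C:\Program Files\Browser\browser.exe",
     "md5": "0" * 32, "dst_ip": "217.96.33.164", "proto": "http"},
    # renamed copy (the taskhost%random%.exe from slide 23), caught by md5 -> hit
    {"host": "host-B", "pid": 4100, "image": r"C:\Windows\Temp\taskhost4412.exe",
     "md5": "760C35A80D758F032D02CF4DB12D3E55", "dst_ip": "88.53.215.64", "proto": "http"},
    # right image, but a non-listed destination (TEST-NET address) -> no hit
    {"host": "host-C", "pid": 777, "image": r"C:\Windows\igfxtrayex.exe",
     "md5": WIPER_MD5, "dst_ip": "192.0.2.10", "proto": "http"},
]

if __name__ == "__main__":
    print(fingerprint_hits(SAMPLE_EVENTS))  # {'host-A': [1234], 'host-B': [4100]}
```

The host-C record is the case slide 23's string IOCs would still catch on disk; the fingerprint is deliberately narrower because it is meant to identify this infection's network behaviour, not every copy of the binary.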

Page 25: Malware Most Wanted: Security Ecosystem

Global Discovery & Sharing – Better Defense

o Cyphort Crawler Network

o Discovering 1684 infected sites

o Collected 421 bad IPs serving malware

o Collected hundreds of pcaps for web exploit pack

o Sharing ATI, power to all defenders!

Infected list for site owners, site visitors, SWGs, threat researchers

IP blacklist for FW/IPS/NGFW users, threat researchers

What EP is active, used by whom, targeting whom, for all defenders

Page 26: Malware Most Wanted: Security Ecosystem

Q and A

o Information sharing and advanced threats resources

o Blogs on latest threats and findings

o Tools for identifying malware

Page 27: Malware Most Wanted: Security Ecosystem

Thank You!

Page 28: Malware Most Wanted: Security Ecosystem