TRANSCRIPT
MALWARE THREATS AND TRENDS (Pondurance)
Chris Blow, Director
Dustin Hutchison, Director
WHAT IS MALWARE?
• “Malicious Software”
• Viruses
• Worms
• Trojans
• Rootkits
• Spyware
• Ransomware
MALWARE ORIGINS
• Users bring it from home
  • USB drives
  • Pirated software
  • BYOD (or BYOID – Bring Your Own Infected Device)
• Social engineering
  • Malicious email attachments
  • Instant messaging
• Web site “drive-by”s
  • PHP website compromised and malware being served to visitors
  • 3rd party ads compromised on legitimate websites
• Why?
  • Used to be to cause chaos or for fun
  • Now more financially driven
Reference: http://arstechnica.com/security/2013/10/hackers-compromise-official-php-website-infect-visitors-with-malware/
BROWSER BASED THREATS
• Browser-based threats are one of the leading sources of malware distribution
• Largest browser threats in the wild as of Q3 2013:
  • HTTP: Microsoft JPEG Processing Buffer Overrun
  • HTTP: Multiple Browser Window Injection Vulnerability
  • RTSP: Apple QuickTime Overly Long Content-Type Buffer Overflow
  • HTTP: Microsoft Internet Explorer CHTML Use-After-Free Remote Code Execution
HISTORICAL APPROACH
• Proactive OS patching
  • …but ignoring 3rd party patching
• Anti-Virus (AV)
  • Initial detection rate of new malware is around 3-5%
  • Some AV vendors can take up to 4 weeks to detect new malware from the time of the initial scan
  • AV is part of a layered security approach
    • Helps mitigate well-known existing attacks
  • Malware creators/exploit kits are doing what they can to disable or circumvent AV ALL THE TIME
  • AV will not stop targeted malware
  • Corporate AV misconfigurations?
    • Reviewed many help desk forums for popular AV and found many enterprises with misconfigured AV
      • Lack of “heuristics” enabled
      • Not keeping AV up to date
      • Misconfigured “add-ons”
• Specialized Malware Removal Software
  • AV may quarantine the threat, but this software removes the payload, which is what continues the propagation
  • Usually complementary to corporate AV solutions
  • Still doesn’t detect targeted malware and/or 0-day threats
  • Examples:
    • MalwareBytes Anti-Malware (MBAM)
    • SpyBot Search & Destroy
    • Ashampoo Anti-Malware
    • Various programs from popular AV brands for specific malware
REACTIONARY MEASURES
Relying solely on AV is like wearing flip flops in a bar bathroom
GENERAL MALWARE THREATS
• No signs of slowing down - steadily growing
PSH…I’VE GOT A MAC
• Malware on Macs has more than tripled since the end of 2012
RANSOMWARE
• Ransomware has been growing exponentially since Q3 2012
• Roughly 320,000 new unique samples at the end of Q2 2013
THE STATE OF MOBILE MALWARE
• Mobile malware is still on the rise
• By the end of Q2 2013, McAfee Labs had collected as many mobile malware samples as it did in all of 2012
• “Backdoor” Trojans and spyware that steal banking information were the largest area of gain in Q2 2013
• Majority of mobile malware is Android-based
WHAT CAN WE DO?
• Defense in depth
DEFENSE IN DEPTH (layers)
• Policies, Procedures, and Awareness
• Physical Security
• Technical Perimeter
• Internal Network
• Host
• Application
• Data
OPTIONS
• Firewalls
• Proxies
• Unified threat management (UTM)
• Host based intrusion prevention (HIPS)
• Network intrusion prevention systems (NIPS)
• Network intrusion detection systems (NIDS)
PREVENTION FAILS (REMEMBER AV?)
• Firewalls
• Proxies
• Unified threat management (UTM)
• Host based intrusion prevention (HIPS)
• Network intrusion prevention systems (NIPS)
NETWORK SECURITY MONITORING
• Leverages IDS
• Relies on signature-based identification, but also interactive analysis
• Full content data
NETWORK SECURITY MONITORING
EVENT CORRELATION
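The slides show event correlation as a screenshot only. The following is an added example, not code from the Pondurance presentation, of the idea behind it: the IDS signature hit, the proxy download, and the AV quarantine are three views of the same infection on one host, and a correlator that keys on host and time turns them into a single incident with a timeline. All three log feeds are constructed sample data; the line format ("timestamp host detail"), the five-minute window, and the two-source threshold are this example's own assumptions.

```python
"""Added example (not from the Pondurance slides): correlate IDS alerts,
proxy logs and AV logs per internal host so one infection chain shows up
as a single incident instead of three unrelated alerts."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data. Each line is "<UTC timestamp> <internal host> <detail>".
# 10.0.0.7 is seen by all three sources within two minutes; 10.0.0.9 only
# produces isolated, single-source noise that should not become an incident.
IDS_ALERTS = [
    "2013-10-24T14:02:11Z 10.0.0.7 -> 203.0.113.5 EXPLOIT_KIT landing page (signature hit)",
    "2013-10-24T14:02:15Z 10.0.0.7 -> 203.0.113.5 PE executable download (signature hit)",
    "2013-10-24T09:10:00Z 10.0.0.9 -> 198.51.100.8 suspicious user-agent (signature hit)",
]
PROXY_LOG = [
    "2013-10-24T14:02:10Z 10.0.0.7 GET http://203.0.113.5/ad/land.php 200 text/html",
    "2013-10-24T14:02:14Z 10.0.0.7 GET http://203.0.113.5/ad/update.exe 200 application/octet-stream",
    "2013-10-24T14:03:40Z 10.0.0.7 POST http://203.0.113.5/gate.php 200 text/plain",
    "2013-10-24T11:00:00Z 10.0.0.9 GET http://www.example.com/ 200 text/html",
]
AV_LOG = [
    "2013-10-24T14:02:20Z 10.0.0.7 DETECT Trojan.Generic update.exe quarantined",
]


def parse_events(lines, source):
    """Turn raw log lines into dicts keyed on time and host; `source` labels the feed."""
    events = []
    for line in lines:
        ts, host, detail = line.split(" ", 2)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "source": source,
            "detail": detail,
        })
    return events


def _summarize(host, cluster):
    """Keep a cluster only if at least two independent sources saw the host."""
    sources = {e["source"] for e in cluster}
    if len(sources) < 2:
        return []
    return [{
        "host": host,
        "start": cluster[0]["ts"],
        "end": cluster[-1]["ts"],
        "sources": sorted(sources),
        "timeline": [f"{e['ts']:%H:%M:%S} [{e['source']}] {e['detail']}" for e in cluster],
    }]


def correlate(events, window=timedelta(minutes=5)):
    """Group events by host, then chain events that fall within `window` of the
    previous one into a cluster. Returns multi-source clusters, oldest first."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    incidents = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        cluster = [evs[0]]
        for e in evs[1:]:
            if e["ts"] - cluster[-1]["ts"] <= window:
                cluster.append(e)
            else:
                incidents.extend(_summarize(host, cluster))
                cluster = [e]
        incidents.extend(_summarize(host, cluster))
    return sorted(incidents, key=lambda i: i["start"])


def build_incidents():
    """Run the correlation over the three constructed feeds."""
    events = (parse_events(IDS_ALERTS, "ids")
              + parse_events(PROXY_LOG, "proxy")
              + parse_events(AV_LOG, "av"))
    return correlate(events)


if __name__ == "__main__":
    for inc in build_incidents():
        print(f"{inc['host']} {inc['start']:%H:%M:%S}-{inc['end']:%H:%M:%S} sources={inc['sources']}")
        for line in inc["timeline"]:
            print("   ", line)
```

On the constructed data this yields one incident for 10.0.0.7 spanning 14:02:10 to 14:03:40 with six timeline entries, while the two stray events on 10.0.0.9 are dropped because no second source confirms them. The two-source rule is what makes the AV quarantine on its own not the end of the story: the proxy line thirty seconds later shows the host still talking to the same server after the "clean-up".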
EVENT INVESTIGATION
ADDITIONAL BENEFITS
• Policy violations (installation of unapproved software)
• Early detection
• DNS analysis
• Unexpected services available internally and externally
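The "DNS analysis" benefit above is stated without detail. As an added example (not code from the presentation), here are two of the simplest checks an analyst runs over a DNS query log: a burst of NXDOMAIN answers for random-looking names from one client, which is how domain-generation malware looks before it finds its live rendezvous domain, and a client resolving the same domain at a near-constant interval, which is what a command-and-control beacon looks like. The log lines are constructed sample data; the "timestamp client qname rcode" format, the entropy and count thresholds, and the naive "last two labels" domain split are assumptions of this example rather than anything the slides specify.

```python
"""Added example (not from the Pondurance slides): two simple detections over
a DNS query log, using constructed data."""
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "timestamp client qname rcode". Host 10.0.0.7 shows
# a burst of random-looking NXDOMAIN lookups followed by a 60-second beacon;
# 10.0.0.9 is ordinary browsing.
DNS_LOG = """\
2013-10-24T14:05:00Z 10.0.0.7 www.example.com NOERROR
2013-10-24T14:05:01Z 10.0.0.7 xk3q9vz7pl2m.info NXDOMAIN
2013-10-24T14:05:01Z 10.0.0.7 q8w2ndf7ghx1.biz NXDOMAIN
2013-10-24T14:05:02Z 10.0.0.7 zp1m7kt4rbq9.org NXDOMAIN
2013-10-24T14:05:02Z 10.0.0.7 v6y3hs8dlw0c.net NXDOMAIN
2013-10-24T14:05:03Z 10.0.0.7 c4rj2xn9tqm5.info NXDOMAIN
2013-10-24T14:05:03Z 10.0.0.7 updates.badhost.example NOERROR
2013-10-24T14:06:03Z 10.0.0.7 updates.badhost.example NOERROR
2013-10-24T14:07:03Z 10.0.0.7 updates.badhost.example NOERROR
2013-10-24T14:08:03Z 10.0.0.7 updates.badhost.example NOERROR
2013-10-24T14:09:03Z 10.0.0.7 updates.badhost.example NOERROR
2013-10-24T14:05:10Z 10.0.0.9 mail.example.com NOERROR
2013-10-24T14:05:40Z 10.0.0.9 www.example.org NOERROR
2013-10-24T14:06:55Z 10.0.0.9 cdn.example.net NOERROR
2013-10-24T14:09:30Z 10.0.0.9 www.example.com NOERROR
"""


def parse(log):
    """Split each line into (datetime, client, lowercased qname, rcode)."""
    recs = []
    for line in log.splitlines():
        ts, client, qname, rcode = line.split()
        recs.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, qname.lower(), rcode))
    return recs


def entropy(s):
    """Shannon entropy in bits per character; random labels score high."""
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def registered_domain(qname):
    """Naive registered-domain split (last two labels); real tooling uses the
    public suffix list, which is an assumption simplified away here."""
    return ".".join(qname.split(".")[-2:])


def dga_suspects(recs, min_nx=3, min_entropy=3.0):
    """Clients with >= min_nx NXDOMAIN answers whose second-level label looks random."""
    nx = defaultdict(list)
    for ts, client, qname, rcode in recs:
        label = registered_domain(qname).split(".")[0]
        if rcode == "NXDOMAIN" and entropy(label) >= min_entropy:
            nx[client].append(qname)
    return {c: names for c, names in nx.items() if len(names) >= min_nx}


def beacon_suspects(recs, min_queries=4, max_jitter=0.1):
    """(client, domain) pairs resolved repeatedly at near-constant intervals.
    Jitter is (max gap - min gap) / mean gap; 0.0 means perfectly regular."""
    times = defaultdict(list)
    for ts, client, qname, rcode in recs:
        times[(client, registered_domain(qname))].append(ts)
    found = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_queries:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        mean = sum(gaps) / len(gaps)
        if mean <= 0:
            continue  # all queries in the same second: a burst, not a beacon
        if (max(gaps) - min(gaps)) / mean <= max_jitter:
            found[key] = {"count": len(ts_list), "interval_s": mean}
    return found


def analyze(log=DNS_LOG):
    """Run both checks and return (dga_suspects, beacon_suspects)."""
    recs = parse(log)
    return dga_suspects(recs), beacon_suspects(recs)


if __name__ == "__main__":
    dga, beacons = analyze()
    for client, names in dga.items():
        print(f"DGA-like NXDOMAIN burst from {client}: {names}")
    for (client, domain), info in beacons.items():
        print(f"Beacon: {client} -> {domain} every {info['interval_s']:.0f}s ({info['count']} queries)")
```

On the constructed log the first check flags 10.0.0.7 with five random-looking NXDOMAIN names and the second flags the same host resolving badhost.example every 60 seconds; 10.0.0.9 triggers neither. In practice both thresholds need tuning per environment (CDN and anti-spam lookups also produce high-entropy labels, and legitimate software update checks beacon too), which is why the slides pair signatures with interactive analysis rather than relying on either alone.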
SO…YOU’VE BEEN BREACHED
• How long does it normally take to spot a breach?
BREACH DETECTION
• 69% of breaches were spotted by an external party
• 9% of breaches were spotted by customers
WHERE DO WE GO FROM HERE?
• Baby steps
  • Have AV? Make sure it’s functioning and up to date!
  • Ensure operating system and applications are up to date
  • Properly segment your network
  • Regularly scan your environment for vulnerabilities
  • Backups on critical systems
  • Critical asset log monitoring (firewalls, DNS, etc.)
  • Firewall rule review
  • Network Security Monitoring
  • Begin looking at: application sandboxing, honeypots / darknets
Q&A