MALWARE THREATS AND TRENDS Chris Blow, Director Dustin Hutchison, Director



WHAT IS MALWARE?

•  “Malicious Software”

•  Viruses

•  Worms

•  Trojans

•  Rootkits

•  Spyware

•  Ransomware


MALWARE ORIGINS

•  Users bring it from home
•  USB drives
•  Pirated software
•  BYOD (or BYOID – Bring your own infected device)
•  Social engineering
•  Malicious email attachments
•  Instant messaging
•  Web site “drive-by”s
   •  PHP website compromised and malware being served to visitors
   •  3rd party ads compromised on legitimate websites
•  Why?
   •  Used to be to cause chaos or for fun
   •  Now more financially driven

Reference: http://arstechnica.com/security/2013/10/hackers-compromise-official-php-website-infect-visitors-with-malware/


BROWSER-BASED THREATS

•  Browser-based threats are one of the leading sources of malware distribution
•  Largest browser threats in the wild as of Q3 2013:
   •  HTTP: Microsoft JPEG Processing Buffer Overrun
   •  HTTP: Multiple Browser Window Injection Vulnerability
   •  RTSP: Apple QuickTime Overly Long Content-Type Buffer Overflow
   •  HTTP: Microsoft Internet Explorer CHTML Use-After-Free Remote Code Execution


HISTORICAL APPROACH

•  Proactive OS patching
   •  …but ignoring 3rd party patching
•  Anti-Virus (AV)
   •  Initial detection rate of new malware is around 3-5%
   •  Some AV vendors can take up to 4 weeks to detect new malware from the time of the initial scan
   •  AV is part of a layered security approach
   •  Helps mitigate well-known existing attacks
   •  Malware creators/exploit kits are doing what they can to disable or circumvent AV ALL THE TIME
   •  AV will not stop targeted malware
   •  Corporate AV misconfigurations?
      •  Reviewed many help desk forums for popular AV and found many enterprises with misconfigured AV
         •  Lack of “heuristics” enabled
         •  Not keeping AV up to date
         •  Misconfigured “add-ons”


REACTIONARY MEASURES

•  Specialized Malware Removal Software
   •  AV may possibly quarantine the threat, but this removes the payload, which is what continues its propagation
   •  Usually complementary to corporate AV solutions
   •  Still doesn’t detect targeted malware and/or 0-day threats
   •  Examples:
      •  MalwareBytes Anti-Malware (MBAM)
      •  SpyBot Search & Destroy
      •  Ashampoo Anti-Malware
      •  Various programs from popular AV brands for specific malware


Relying solely on AV is like wearing flip flops in a bar bathroom


GENERAL MALWARE THREATS

•  No signs of slowing down - steadily growing

PSH…I’VE GOT A MAC

•  Malware on Macs more than tripled since the end of 2012

RANSOMWARE

•  Ransomware has been growing exponentially since Q3 2012
•  Roughly 320,000 new unique samples at the end of Q2 2013

THE STATE OF MOBILE MALWARE

•  Mobile malware is still on the rise
•  By the end of Q2, McAfee Labs had collected as many mobile malware samples as it did in all of 2012
•  “Backdoor” Trojans and spyware to steal banking information were the largest area of gain in Q2 2013
•  Majority of mobile malware is Android-based

WHAT CAN WE DO?

•  Defense in depth

DEFENSE IN DEPTH

•  Policies, Procedures, and Awareness
•  Physical Security
•  Technical Perimeter
•  Internal Network
•  Host
•  Application
•  Data

OPTIONS

•  Firewalls
•  Proxies
•  Unified threat management (UTM)
•  Host based intrusion prevention (HIPS)
•  Network intrusion prevention systems (NIPS)
•  Network intrusion detection systems (NIDS)

PREVENTION FAILS (REMEMBER AV?)

•  Firewalls
•  Proxies
•  Unified threat management (UTM)
•  Host based intrusion prevention (HIPS)
•  Network intrusion prevention systems (NIPS)

NETWORK SECURITY MONITORING

•  Leverages IDS
•  Relies on signature-based identification, but also interactive analysis
•  Full content data

NETWORK SECURITY MONITORING


EVENT CORRELATION


EVENT INVESTIGATION


EVENT INVESTIGATION


ADDITIONAL BENEFITS

•  Policy violations (installation of unapproved software)
•  Early detection
•  DNS analysis
•  Unexpected services available internally and externally
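An added example (not from the Pondurance deck) of the event correlation and DNS analysis the NSM slides describe: it joins constructed IDS, DNS and proxy log lines per internal host inside a time window and ranks alerts that have corroborating context above lone signature hits. The pipe-delimited log format and every host, domain and signature name are constructed for this example.

```python
"""Correlate IDS alerts with DNS and proxy logs per internal host (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. The "timestamp|source|host|detail" layout is an
# assumption of this example, not a format any particular sensor emits.
SAMPLE_EVENTS = """\
2013-10-24T09:00:01|dns|10.0.0.5|dl.example-cdn.test
2013-10-24T09:00:03|proxy|10.0.0.5|GET http://dl.example-cdn.test/update.exe 200
2013-10-24T09:00:04|ids|10.0.0.5|Executable download from newly seen domain (constructed signature)
2013-10-24T09:15:00|dns|10.0.0.7|mail.example.test
2013-10-24T09:15:02|proxy|10.0.0.7|GET http://mail.example.test/inbox 200
2013-10-24T11:00:00|ids|10.0.0.9|HTTP: Microsoft JPEG Processing Buffer Overrun
"""


def parse_events(text):
    """Turn raw lines into (timestamp, source, host, detail) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, source, host, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), source, host, detail))
    return sorted(events)


def correlate(events, window=timedelta(minutes=5)):
    """For every IDS alert, collect the DNS and proxy events the same host produced
    in the preceding window. Score = 1 for the alert plus 1 per corroborating log
    source, so a dns -> proxy -> ids chain outranks a lone signature hit."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev[2]].append(ev)
    incidents = []
    for host, evs in by_host.items():
        for ts, source, _, detail in evs:
            if source != "ids":
                continue
            context = [e for e in evs if e[1] != "ids" and ts - window <= e[0] <= ts]
            score = 1 + len({e[1] for e in context})
            incidents.append({"host": host, "alert": detail, "score": score,
                              "context": [(e[1], e[3]) for e in context]})
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


if __name__ == "__main__":
    for inc in correlate(parse_events(SAMPLE_EVENTS)):
        print(inc["score"], inc["host"], inc["alert"], inc["context"])
```

The host with a DNS lookup and an executable download right before its alert is listed first; the lone alert on 10.0.0.9 still surfaces but ranks last, which is where the interactive analysis the slides mention would start.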


SO…YOU’VE BEEN BREACHED

•  How long does it normally take to spot a breach?

BREACH DETECTION

•  69% of breaches were spotted by an external party
•  9% of breaches were spotted by customers

WHERE DO WE GO FROM HERE?

•  Baby steps
   •  Have AV? Make sure it’s functioning and up-to-date!
   •  Ensure operating system and applications are up-to-date
   •  Properly segment your network
   •  Regularly scan your environment for vulnerabilities
   •  Backups on critical systems
   •  Critical asset log monitoring (firewalls, DNS, etc.)
   •  Firewall rule review
   •  Network Security Monitoring
   •  Begin looking at: application sandboxing, honeypots / darknets

Q&A