Mitigating the CLICK’er: how AMPs (Advanced Malware Protection) / advanced innovative tools can finally help protect your infrastructure

Claus Cramon Houmann, Banque Öhman

Upload: claus-cramon-houmann, posted 18-Nov-2014

DESCRIPTION

My IDC ICT conference presentation for September 26th, 2013 about how new innovative tools (AMPs) can actually prevent threats today.

TRANSCRIPT

Page 1: Mitigating the clicker

Mitigating the CLICK’er

How AMPs (Advanced Malware Protection) / advanced innovative tools can finally help protect your infrastructure

Claus Cramon Houmann

Banque Öhman

Page 2

Remember:

• Never ever rely on a single solution
• Defense in depth
• Both threat prevention and threat detection are important
• If the bad guys want to get in bad enough, they will – be able to reduce the ”dwell time” they have inside your systems
• The ”CLICKER” I define as the colleague who just cannot help clicking on that ”interesting link” in a suspicious e-mail, because ”probably nothing will happen” or ”just to see what happens” or doesn’t even think about it...

Page 3

1 single 0-day or unpatched system is all ”they” need

Page 4

IT Security, a quick overview

Page 5

Breach methods

• There are many points-of-entry for hackers when breaching a system/network:
  – Hacking (e.g. SQL injection against DB servers)
  – Malware (e.g. phishing)
  – Social engineering
  – Physical

Page 6

Source: Verizon’s 2012 Data Breach Investigations Report

Page 7

Protecting against external threats

• As your organization’s “Infosec level” matures, you may be able to pass or almost pass a pentest. Most low-hanging fruit has been “picked” already
• This makes it very hard for “them” to get in via hacking methods
• -> they will try malware next

Page 8

Advanced malware leveraging e.g. 0-days = CIO/CISO nightmare

• Slowly but steadily one thing will make you lose sleep at night: how do you protect against colleagues clicking on phishing e-mails or visiting bad websites (watering holes, for example)?
• The CLICKER becomes your biggest external threat!

Page 9

SO, you can have all this. And it helps you little/nothing

Page 10

Mitigating the “CLICKER”

• There are now innovative next-generation tools available for advanced threat prevention and/or detection = AMPs
  – Microvirtualization
  – Advanced code handling/analysis/reverse-engineering tools
  – Network level sandboxing or detection based on behavioural analysis/packet inspection
  – System and registry level lockdown of process/user rights
  – Cloud based Big Data analytical/defense tools
  – Whitelisting tech
  – Others – this “market segment” is booming right now

Page 11

Why is the AMP market booming? Background

• The AV industry in the traditional sense has declared their tools insufficient and the war on malware lost
• Hacking is increasingly supported by big budgets – think nation-state-sponsored APTs
• 0-days abound in the wild – being purchased by “hackers”, unofficial hackers or nation-state sponsored hackers alike
• The black market cyber-industry is a huge economy

Page 12

Baby years

• As the AMP industry is in its “baby years” you’ve got to make allowances for products still being heavily changed/developed
• Immature market
• No 100% tools – no one can cover everything. If you meet a vendor that claims they can, don’t trust it
• And that said, on to look at the NG tools!

Page 13

How does Microvirtualization work?

• Hardware level virtualization gives complete separation of user tasks in separate individual hypervisors (micro-size)

Page 14

Why Microvirtualization

• Mitigates the following threats:
  – USB sticks with malicious content
  – Watering holes
  – Malicious attachments in e-mail
  – Clicking links leading to malware on websites/e-mails
• Pros:
  + Workflow enabler
  + Small amount of custom config needed
  + Negligible performance impact on endpoints
  + Unknown to hackers
  + No dependence on traditional ”signature” based methods
• Cons:
  – No server protection vs hacking attempts
  – Early life cycle stage – unfinished products

Page 15

How & Why – advanced code handling tools

• The similarity across products here is that they employ innovative strategies to ”identify” bad behaviour despite encryption, obfuscation, fragmented files etc. – methods and tools that malware authors use to hide the true function of their software
• Malware can be identified and/or blocked and/or removed efficiently
• Pros:
  + Reduced dwell-time
  + No dependency on traditional signature methods
  + Potentially scales very well for large corporations
• Cons:
  – Most tools like these are detection tools and have limited prevention capabilities
  – Client understanding of how the tool works is minimal

Page 16

How & Why: Network level sandboxing

• The idea here is to catch and analyze malware before it reaches the end users – prevention, but also detection. It kind of ”re-plays” malware in a stack of different virtual machines to give it a good chance of hitting an environment that it’s meant to ”go off” in.
• Pros:
  + Threat detection vs clicker-threats
• Cons:
  – Network perimeter technologies cannot protect roaming users – and users are increasingly mobile
  – Malware is getting smarter. It can evade these tools by waiting for the user to do something (use the mouse/keyboard, for example)
  – These tools just ALERT you – they do not PROTECT you

Page 17

System and registry level lockdown of process/user rights

These tools all try to prevent malware by denying it the access/rights to drop files, inject DLLs etc.

• Pros:
  + Tight lock down
• Cons:
  – Configuration “heavy”
  – Is saying “no” to users the answer?
  – Change management becomes somewhat harder

Page 18

Cloud based Big Data analytical/defense tools

• Vendors here try to detect and block threats using Big Data approaches to “signatures” or “known samples”
• Pros:
  + Potential to see inside virtual switches & traffic between virtual machines – traffic that sometimes never reaches a firewall or network appliance
• Cons:
  – Uploading samples identified in your environment to a vendor’s cloud is a risk in itself – the sample has enumeration data on your environment, and maybe more
  – The traditional signature approach has limitations, even with a big data approach, since malware can be adapted to evade it

Page 19

Whitelisting

• The idea behind whitelisting is to block malware by simply only allowing known trusted websites, or trusted applications etc.
• Pros:
  + Whitelisting can be an effective technique for dealing with traditional file based malware such as viruses and spyware. Unsophisticated attacks that rely on downloading and running an arbitrary executable file are generally foiled by whitelisting.
  + Whitelisting can be particularly effective in “locking down” dedicated appliance-like systems that don’t function as general purpose productivity tools.
• Cons:
  – Maintaining what is “trusted” as things change. Operational nightmare?
  – Vulnerable to unknown/zero-day attacks, malicious content within whitelisted apps (even “trusted” code can have vulnerabilities…)
  – Vulnerable to non-file based attacks, which are carried out without ever downloading or executing a file for the whitelist to block (such as memory-only attacks that inject into a running process)
  – Is saying “no” to users the answer?
  – Trusting the whitelist – what if it’s compromised?

Page 20

Conclusion

• To efficiently protect against APTs and advanced malware you want to:
  – Have capabilities within threat prevention, detection, alerting, incident response, maybe even some kind of IOC / threat sharing community. AMP + more.
  – Have defense in depth
• To efficiently mitigate the risks of the CLICKER you want to:
  – Block not only known threats, but also the unknown while enabling the business to do its “thing”
  – Be able to detect and efficiently remove threats

Page 21

About me

• Claus Cramon Houmann, 38, married to Tina and I have 3 lovely kids
• CISSP, ITIL Certified Expert, Prince2 practitioner
• You can contact me anytime:
  – Skype: Claushj0707
  – Twitter: @claushoumann or @improveitlux
• Sources used:
  – Verizon: Data Breach Investigations Report 2012
  – @gollmann from IOActive blog posts

Page 22

Questions?

Page 23

More questions?