Weaponised Malware & APT Attacks: Protect Against Next-Generation Threats
TRANSCRIPT
Dean Barnes, Principal Security Manager – Threat Management, Royal Mail
Paul Zimski, VP, Solution Marketing, Lumension
POLL #1
State Sponsored Malware is Officially Out of the Shadows
Google begins alerting Gmail users to 'state-sponsored' attacks.
"Warning: We believe state-sponsored attackers may be attempting to compromise your account or computer. Protect yourself now."
HOW… did we get to the point where your online email provider specifically warns users of state-sponsored attacks?
FIRST… a little history.
Event Timeline: Stuxnet
• Publicly disclosed 13 months after the first attack against Iran
• Designed to sabotage Iranian nuclear refinement plants
• Attacked Windows systems using an unprecedented four zero-day exploits
• First to include a programmable logic controller (PLC) rootkit
• Carries a valid, but abused, digital signature
• Payload targeted only Siemens supervisory control and data acquisition (SCADA) systems
2009.06: STUXNET
Event Timeline: Duqu
• Considered to be the “next generation Stuxnet”
• Believed to have been created by the same authors as Stuxnet
• Exploits zero-day Windows kernel vulnerabilities
• Components are signed with stolen digital keys
• Highly targeted and related to the nuclear program of Iran
• Designed to capture information such as keystrokes and system information
• Central command and control with modular payload delivery – also capable of attacking
2009.06: STUXNET
2010.09: DUQU
Event Timeline: Flame
• Designed for targeted cyber espionage against Middle Eastern countries
• Spreads to systems over a local area network (LAN) or via USB stick
• Creates Bluetooth beacons to steal data from nearby devices
• “Most complex malware ever found”
• “Collision” attack on the MD5 algorithm used to create fraudulent Microsoft digital certificates
• Utilized multiple zero-day exploits
2009.06: STUXNET
2010.09: DUQU
2011.05: FLAME
Common APT Characteristics
• Highly Targeted and endpoint focused
• Use both sophisticated and low-tech techniques
– USB Key Delivery; social engineering
• Zero-day vulnerabilities
• Fraudulent Certificates
• Centralized Command and Control
• Undetected for prolonged periods
– Exfiltration masking
Weaponized – What’s Different?
Development:
• Nation-states
• Truly customized payloads
Delivery:
• Zero-day propagation
• Multi-vectored: Bluetooth, USB, network
Detection:
• Digitally signed with compromised certificates
• Outbound exfiltration masking
Command & Control:
• Central command
• Modular payloads
Intent:
• Surveillance
• Disrupt / Destroy
WHY… should the enterprise care?
Why Should the Enterprise Care?
Retaliation Risk: the US admits Stuxnet – expect increasing retaliation risk against sensitive economic and infrastructure assets
Why Should the Enterprise Care?
Collateral Damage: loss of control of weaponized malware (once weaponized malware is released, control is effectively lost) – being exposed to accidentally spreading malware (Stuxnet was discovered after it escaped its targeted environment and started spreading)
Why Should the Enterprise Care?
Adaptation by Cyber Criminals: targeted attacks on sensitive information; variants of Stuxnet already seen
What Should The Enterprise Do?
Know Where the Risk Is
Every endpoint is an enterprise of ONE.
Need to have autonomous protection.
Need to have a layered approach.
POLL #2
Defense in Depth Strategy
Successful risk mitigation starts with a solid vulnerability management foundation, together with layered defenses beyond traditional black-list approaches.
Patch and Configuration Management – Control the Vulnerability Landscape
Application Control – Control the Grey
Device Control – Control the Flow
AV – Control the Known
Hard Drive and Media Encryption – Control the Data
Effectiveness of AV?
AV – Control the Known
Pros:
• Stops “background noise” malware
• May detect reused code (low probability)
• Will eventually clean payloads after they are discovered
Cons:
• Not an effective line of defense for proactive detection
• Can degrade overall endpoint performance with little return on protection
Device Control Effectiveness
Device Control – Control the Flow
Pros:
• Can prevent unauthorized devices from delivering payloads
• Can stop specific file types from being copied to host machines
• Stops a common delivery vector for evading extensive physical and technological security controls
Cons:
• Limited scope for payload delivery interruption
Encryption Effectiveness?
Hard Drive and Media Encryption – Control the Data
Pros:
• Makes lateral data acquisition more difficult
• A good data protection layer outside of APT
Cons:
• Generally will not protect data if the endpoint is compromised at a system level
Application Control Effectiveness
Application Control – Control the Grey
Pros:
• Extremely effective against zero-day attacks
• Stops unknown, targeted malware payloads
• Low performance impact on endpoints
Cons:
• Susceptible to compromise as policy flexibility is increased
• Does not stop memory injections (attacks that do not escape service memory)
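The "policy flexibility" trade-off in the Application Control cons above, shown as an added example that is not Lumension's product code: three allow-list rule types of increasing flexibility are evaluated against a constructed known-good binary and a constructed replacement dropped at the same path, signed under the same publisher name (the stolen-key scenario from the Duqu slide). Rule names, paths and file bytes are all made up for the illustration.

```python
"""Allow-list policy evaluator: strict hash pinning vs. flexible path/publisher rules."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Executable:
    path: str         # constructed: on-disk location
    publisher: str    # constructed: subject name from the embedded signature
    content: bytes    # constructed: file bytes


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A hash rule pins exact bytes. Path and publisher rules trust attributes an
# attacker can reproduce once an endpoint or a code-signing key is compromised.
def hash_rule(allowed_hashes: set[str]):
    return lambda exe: sha256(exe.content) in allowed_hashes


def path_rule(allowed_prefixes: tuple[str, ...]):
    return lambda exe: exe.path.startswith(allowed_prefixes)


def publisher_rule(allowed_publishers: set[str]):
    return lambda exe: exe.publisher in allowed_publishers


def is_allowed(exe: Executable, rules) -> bool:
    """Typical allow-list semantics: any matching rule admits the executable."""
    return any(rule(exe) for rule in rules)


# Constructed sample data: the approved tool and a trojanised replacement that
# keeps the same path and carries a signature made with the vendor's stolen key.
GOOD = Executable("C:/Program Files/Tool/tool.exe", "Tool Vendor Ltd", b"good-binary-v1")
SWAPPED = Executable("C:/Program Files/Tool/tool.exe", "Tool Vendor Ltd", b"trojanised-binary")

STRICT = [hash_rule({sha256(GOOD.content)})]
FLEXIBLE = STRICT + [path_rule(("C:/Program Files/",)), publisher_rule({"Tool Vendor Ltd"})]


def evaluate() -> dict[str, bool]:
    """Verdicts for each (binary, policy) pair; True means the binary would run."""
    return {
        "good_strict": is_allowed(GOOD, STRICT),
        "swapped_strict": is_allowed(SWAPPED, STRICT),      # blocked: hash differs
        "good_flexible": is_allowed(GOOD, FLEXIBLE),
        "swapped_flexible": is_allowed(SWAPPED, FLEXIBLE),  # admitted by path/publisher
    }


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name}: {'ALLOW' if verdict else 'BLOCK'}")
```

The only policy that blocks the swapped binary is the one with no flexibility at all; every convenience rule added for operational ease widens what a compromised certificate or a write to a trusted directory can get through.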
Patch and Configuration Basics
Patch and Configuration Management – Control the Vulnerability Landscape
Pros:
• Eliminates the attackable surface area that hackers can target
• Central configuration of native desktop firewalls
• Improves endpoint performance and stability
• Can enable native memory injection protection
Cons:
• Does not stop zero-day vulnerabilities
Employee Education
Often the first and last line of defense.
lumension.com/how-to-stay-safe-online
[Figure: the endpoint protection layers (Patch & Configuration Management, Application Control, Device Control, AntiVirus, Hard Drive & Media Encryption) shown across the threat spectrum from drive-by malware to APT protection.]
Summary – Defense in Depth Endpoint Strategy
What the layers deliver:
• Reduce attackable surface area
• Stop untrusted change
• Protect stored data
• Enable secure device use
• Disinfect generic malware
Threats addressed:
• Insider risk
• Automated attacks
• USB threat vectors
• Data loss
• Zero day
Learn More
• Quantify your IT risk with free scanners
• Watch the on-demand demos
• Get a free trial