Security Threat Presentation

Cyber Security

GiaSpace

2

Security is headline news

3

CYBER SECURITYA New Headline

Every Day

4

Changes in technology

SaaSSubscribe to applications

IaaSRent servers and

storage

CaaSCyberCrime made

easier

5

Hacker Organization Centralized Build from scratch Own servers Expensive Large targets

Crime Ecosystem Distributed Buy or hosted Specialize in areas Cheap Smaller targets

OLD NEWEvolution of cyber crime

6

Job postings Payment systems Marketplaces

Cybercrime is easier than everAnd it’s more accessible to everyone

7

SMB in the crosshairs

PROPORTION OF BREACHES BY ORG

SIZE

15x

1x ORGS WITH 11-100 EMPLOYEES

ORGS WITH <11 or >100 EMPLOYEES2011

41%

TARGETED ATTACKS

AGAINST SMBS

41%36

%18%

2012 2013

41%

First stage of attack: InfectFirst stage of Attack:

Infect

9

Emails more finely tuned to SMB TACTICTrick SMB into opening link or attachment

http://thetechguyblog.com/wp-content/uploads/2012/08/Screen-Shot-2012-08-13-at-7.37.58-AM.png

http://www.onlinethreatalerts.com/article/2013/12/20/at-t-you-have-a-new-voice-mail-virus-email-message/5.jpg

10

Malvertising on the Rise

1. Set up a website with exploit kit

2. Run an ad on Yahoo, AOL or other ad network, with legitimate company creative

3. Ad server redirects users to exploit kit site

4. User gets infected

How does malvertising work? Attn: NYTimes.com readers: Do not click pop-up box warning about a virus -- it’s an unauthorized ad we are working to eliminate.The New York Times

Top websites deliver CryptoWall ransomware via malvertising…Adam GreenbergSC Times

11

Malvertising Targeting SMBs

Image: http://news.softpedia.com/news/CryptoWall-2-0-Delivered-Through-Malvertising-On-Yahoo-and-Other-Large-Sites-462970.shtml#sgal_0

12

Explosion in SaaS/CaaS Plug-and-Play MarketplaceKits cost as little as $200

ANGLERRIGASTRUM

FIESTA

BLEEDING LIFE

BLACKHOLE

CRIMEPACK

DOTKACHEF

FLASHPACK

GONGDA

NITERIS

LIGHTSOUTNUCLEAR

ARCHIE

SWEETORANGE

13

Exploit Kits Are Getting Better

http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/

14

Intermediate step: Dropper Malware

15

Increasingly Common Step: DropperIncreasingly Common Option for Ransomware

Bad actor gets a piece of malware on computer

1Malware sits quietly and just phones home; not the flashy/noisy malware

2Bad actor sells or

rents ability to infect computer Malware phones

home Installs main

payload: Ransomware, Keylogger, Spambot

3If contract ends or more capacity, install more malware

4

TACTICMalware that installs other malware

16

ANTIVIRUS

http://malware.dontneedcoffee.com/2014/06/neutrino-bot-aka-kasidet.html

17Source: krebsonsecurity.com

18

Malware payloadMalware payload

19

TACTICFinancial Fraud

http://news.softpedia.com/news/Price-of-Malware-Drops-SpyEye-Botnet-Available-for-150-114-265986.shtml

20

21

Battle Ground Cinema$81,000 stolenSource: Krebs On Security

Delray Beach Public Library$160,000 stolenSource: Krebs On Security

Brookeland Fresh Water Supply District$35,000 stolenSource: Krebs On Security

Spring Hill Independent School District$30,687 stolenSource: News-Journal

Crystal Lake Elementary School District

47$350,000 stolenSource: McHenry County Blog

DKG Enterprises$100,000 stolenSource: Krebs On Security

Downeast Energy & Building Supply$150,000 stolenSource: Bank Info Security

Little & King LLC$164,000 stolenSource: Krebs On Security

SMB bank account breaches

But this is just the beginning…

What about DOWNTIME & DATA THEFT?

22

TACTICRansom encrypted data

Fake Anti-Virus FBI Ransomware Cryptovirus

– CryptoLocker– PrisonLocker– HowDecrypt– CryptorBit– CryptoDefense– CryptoWall

Ransomware

http://blogs-images.forbes.com/parmyolson/files/2014/02/cryptolocker.png

23

CryptoVirus workflowInbound and outbound communication

Infect machine with early stage• Email• Exploit kit• Malvertisin

g• Dropper

1Phone home to Command and Control server to get encryption key

2Encrypt local and network share data• May take hours

to days to fully encrypt

• Makes finding a clean restore difficult

3Ransom user• Establish

deadline and threaten permanent data loss

4

TACTICRansom user for encrypted data

24

Signature-based security evasion

25

“Signature-based tools (antivirus, firewalls, and intrusion prevention) are only effective against 30–50% of current security threats.”IDCNovember 2011

26

Getting Around Signatures: Crypters

27

Getting Around Signatures: Crypters

28

Getting Around Signatures

http://buy.aegiscrypter.com/

29

Test Against Signature Based Tools

http://www.aegiscrypter.com/

New Malware executable is testedagainst AV and UTMs.

If detected, crypter runs againto create zero-day FUD

(Fully UnDetectable)

30

Getting Around Signatures: Crypters

31

DarkHotel Attack

OFF NETWORK AND

SUPPLIERS

BRANCH OFFICE/STORE/CLINIC

HQ

Attackers are targeting the

weakest links in the supply

chain

32

SMBs used as launch pads for attacks

33

“60 percent of small firms go out of business within

six months of a data breach.”

Source: National Cyber Security Alliance “America’s Small Businesses Must Take Online Security More Seriously” 2012

THE IMPACT OF A BREACH IS HIGH

34

Strengthening security beyond signatures

35

PREVENT: Malware Protect users across the full infection chain

‒ NOT JUST AN EXECUTABLE OR SIGNATURE Block sites with exploit kits at the network layer

‒ Whether it’s a whole site or an embedded ad Protect users from phishing attacks

‒ To prevent breaches Block malicious links in emails and applications

‒ Because the browser is not the only path of infection

36

CONTAIN: the new preventionPrevent “Phoning home” Block “droppers” from getting malware

‒ Whether it’s ransomware, keyloggers, spam senders or DDoS bots Stop Spyware/Keyloggers from uploading data Prevent Ransomware from getting an Encryption Key Alert – and have team respond to alert

37

Introducing predictive, cloud-delivered security

38

PREDICTIVE INTELLIGENCE

70+ Billion Daily

Requests

Block Threats

Analytics

Automation

39

Machine Learning

Graph Theory

Anomaly Detection

Temporal Patterns

Contextual Search

Visualization

Scoring

Probable malicious sites

Leveraging the Internet to identify suspected threat origins

Ingesting millions of data

points per second

Our security intelligence

WWWp2p

irc

40

Security & risk mitigation: a layered approach

41

Common security challenges

OFF-NETWORK COVERAGE

Few tools protect mobile workers, most users forget to turn on VPN, most new endpoint tools only detect

malware after the fact

APPLIANCES ARE EXPENSIVE & COMPLEX

Operations and management are

difficult or impractical, and are especially

complex for multiple locations

42

The problems with Shadow ITWhat’s under the surface

1 in 5Employees use cloud apps to

share corporatedata

20%Of employees usethose cloud apps

without IT‘s permission

70%Of employees

use mobile devicesfor work

63%Of employees

access corporatedata outside the

network perimeter

Source: http://www.sailpoint.com/blog/wp-content/uploads/MPS-2014-Infographic-v2.png

43

“More than 30% of security controls deployed to the small or midsize business (SMB) segment will be cloud-based by 2015”Gartner Forecast Overview, WW InfoSec2014

44

Thank you