Behind the scenes of IBM’s Trusteer Research
© 2014 IBM Corporation

IBM Security

1

10.00-10.30 Behind the scenes of IBM’s Trusteer Research

Ori Bach, Senior Security Strategist Trusteer, IBM Security

Trusteer provides a unique automated threat protection service

Trusteer continuously evaluates the threat environment and automatically updates its solutions on behalf of its customers

SaaS Service

• Stop fraud attacks before they happen
• Actionable threat intelligence on real-time threats
• Remove and prevent future threats

Real-time Threat Intelligence Service

• Threat intelligence from 400M+ endpoints
• Insights from the cybercrime underground

Expert Research

• Continuous threat monitoring
• Rapidly adapt defenses
• Hundreds of IBM expert security researchers

CLIENT EXAMPLE

Trusteer transforms the war against cybercrime with proven results

A major European commercial bank transforms the war against cybercrime in just one month

• 90% reduction in malware-infected device logins
• 150 fraud cases prevented

• Faster time-to-value
• Adaptive controls
• Prevents root cause of fraud

Trusteer response to rapidly evolving malware

• Retrieve malware, configuration and modules from listening points across the globe
• Dedicated cross-functional team for threat and research
• Monitor chatter on the darknet
• Install malware in a dedicated lab environment
• Understand the malware operator's MO
• Reverse engineering
• Proprietary decryption tools
• Versioning
• Identify incremental changes -> develop & deploy defenses in less than 12 hours
• Constant monitoring of bypass attempts

Dyre example - consistent detection across malware versions

[Chart: Dyre Detections (June – December 2014); weekly detection counts from 6/26 to 12/4 on a 0–450 scale, with Dyre version releases marked on the timeline]

Dyre Version Releases (version, release date):

• v2410 (10/26)
• v2910 (10/31)
• v3010 (11/03)
• v3011 (11/03)
• v0511 (11/06)
• v0611 (11/09)
• v1311 (11/13)
• v1811 (11/19)
• v2511 (11/26)
• v0812 (12/09)

Case Study: Trusteer protection against remote overlay attacks

• Day 0: Listening endpoints pick up new attack MO in a LATAM country
• Day 1: Malware research team analyzes MO and releases updated defense
• Day 3: Intelligence team acquires toolkit behind attack from the underground
• Day 4: Demo of the attack, including fake messages, provided to targeted banks
• Day 30: Attack MO migrates to APAC
• Day 30: Trusteer endpoints in APAC protected before first attack starts

Fraud toolkit for sale

Remote overlay toolkit example

Remote overlay toolkit example - Summary

The toolkit circumvents device ID and 2FA with a physical token

Question: how much does this toolkit cost on the underground?

A) 10,000 Euro
B) 1000 Euro
C) 500 Euro
D) Less than 150 Euro

From the lab – Soft biometrics

10.30-10.45 Coffee break