Best Practise Sharing in Protection Against Advanced Persistent Threats (APT)--Key_4.Mr.ngovietKhoiTrendMicro

Page 1

Ngô Việt Khôi | Country Manager

Trend Micro Vietnam & Cambodia

Proactive defense against targeted attacks (APT)

Page 2

CRIMEWARE: Damage caused by Cybercrime

Cyber threat trends after 2012

Evolution to Cybercrime (timeline; year markers on the slide: 2001, 2003, 2004, 2005, 2007, 2010): Vulnerabilities; Worm Outbreaks; Spam / Mass Mailers; Spyware; Intelligent Botnets; Web Threats; Social Engineering; Single Shot Malware; Data Exfiltration

2011+: Targeted Attacks; Mobile Threats; Data Leakage; Proximity Attacks; BYOD

3/17/2014 2 Confidential | Copyright 2012 Trend Micro Inc.

Page 3

Repeated damage caused by APT

A series of attacks that aim to penetrate target firms and organizations using several methods, such as emails with malicious programs attached or exploitation of vulnerabilities, in order to steal information or hijack computers that communicate with external parties.

Advanced Persistent Attack

< Examples of principal motives >
・ for fun
・ for justice
・ for money
・ spying
・ agitation
・ terrorism

< 2 typical types of penetration in an Advanced Persistent Attack >
1. Exploiting security vulnerabilities on public-facing servers in direct attacks from outside.
2. Using techniques such as social engineering, which target users' habits, to penetrate the system and spread within the victim's network.

Page 4

Modern attacks: friendly-looking, complex, persistent!

1. Attacker gathers intelligence about the organization and individuals
2. Targets individual employees using social engineering
3. Establishes a Command & Control server
4. Moves laterally across the network seeking data of interest
5. Extracts data of interest; can go undetected for months! ($$$$)

Page 5

“Business emails are projected to reach over 143 billion by the end of 2016 [1]… 73% of enterprises stated they employ company email to send highly confidential information [2]”

Popular email attachments:

• Microsoft Word & Microsoft Office suites

• Enterprise: 90% of documents are stored as PDF… 89% convert Word files to PDF

1 http://www.radicati.com/wp/wp-content/uploads/2012/04/Email-Statistics-Report-2012-2016- Executive-Summary.pdf

2 http://www.phonefactor.com/news/survey-reveals-sensitive-email-lacks-critical-security-controls.php

3 http://www.gartner.com/id=2046315

4 http://gcn.com/articles/2009/01/22/aiim-study-on-pdf-format.aspx

Page 6

Current challenges for information security

• Firewalls and IDS/IPS alone are ineffective

– Standard ports and protocols are open for access

• Organizations don't know they're being targeted

– Low and slow: stealthy, unlike a virus outbreak.

• AV just doesn't work against APT

– 63% of malware used in APT is customized

• Employees are the weakest link in security

– Spear-phishing is a common tactic

• Vulnerabilities & zero-day exploits

– What percentage of your servers and endpoints are patched?

Page 7

Today's threat reality: easy to attack, hard to detect

Source: Verizon 2013 Data Breach Investigations Report

Page 8

(Diagram: three forces acting on Employees and IT: Consumerization, Cloud & Virtualization, and Cyber Threats from Attackers)

Page 9

Then… (diagram): Consumers and Employees reach the IT Admin through three channels: Email & Messaging, Web Access, File/Folder & Removable Media

Page 10

Now! (diagram): Consumers and Employees reach the IT Admin through many more channels: Email & Messaging, Web Access, Collaboration, Cloud Sync & Sharing, Social Networking, File/Folder & Removable Media, plus Device Hopping

Page 11

(Same diagram as before, with a Security layer placed between the channels and the IT Admin)

91% of targeted attacks begin with spear-phishing [1]

1 million malicious Android apps by the end of 2013 [2]

1 in 5 use Dropbox at work, typically against rules [3]

1. Trend Micro: “Spear Phishing Email: Most Favored APT Attack Bait”, Nov 2012

2. Trend Micro Threat Predictions for 2013

3. Global survey of 1300 enterprise customers; “Shadow IT in the Enterprise”, Nasuni, Sept 2012

Page 12

Complete End User Protection

(Diagram: the same channels as before, with the controls Anti-Malware, Encryption, Application Control, Device Management, Data Loss Prevention and Content Filtering placed between the Employees' channels and the IT Admin's Security layer)

Page 13

Trend Micro | March 22, 2013

Cyber-attacks in S. Korea Heighten Changes in the Threat Landscape

Page 14

48,700 computers destroyed in South Korea (PCs, servers, kiosks)

http://news.zum.com/articles/6052921?c=08

http://www.yonhapnews.co.kr/it/2013/04/03/2404000000AKR20130403111251017.HTML

Page 15

Cyberwarfare - Targeted Attack

Timeline markers on the slide: 8 months ago (2012/6/28); 3/19; 3/20, 2 PM

Stages shown:

• Attack vulnerabilities: web servers, PCs (admin, users), internal servers; spear-phishing email

• 1,590 accesses to FIs using 1,000 IP addresses in 40 countries overseas

• Retrieve admin privileges; control DNS and dispatch malware

• Erase logs: web server logs, firewall logs and server logs

• DETECTED & BLOCKED

Questions the slide raises at each stage:

• How to infiltrate? Patch? (server & endpoint); malware (hidden Trojan); hacker (remote control)

• Password? Nobody knows; brute-force attack; cracked password hashes

• Internal action: do nothing (just a health check); keep querying data

• Detectable? Connecting to a suspicious IP; normal access with abnormal behavior

• Visibility? Compromised computers

• How severe? Steal sensitive data; data exfiltration? data breach?

• Have we prepared? Are we targeted?

http://koreajoongangdaily.joinsmsn.com/news/article/Article.aspx?aid=2969240

http://www.yonhapnews.co.kr/society/2013/04/10/0701000000AKR20130410160500017.HTML

http://article.joinsmsn.com/news/article/article.asp?total_id=11195858&ctg=1000&cloc=joongang|home|newslist1

Page 16

Attack Characteristics

• Spear-phishing emails

– Arrive via spammed email and connect to malicious URLs:

• hxxp:// www. Clickflower. net/board/images/start_car.gif

• hxxp:// www .6885 .com/ uploads/fb9c6013f1b269b74c8cd139471b96fc/feng.jpg

• Watering hole attack – a recent attack method in which legitimate websites or servers that the targeted individuals are likely to visit are compromised with malware.

– Upon connecting to those sites/servers, the client is compromised and injected with malicious code, such as the MBR-wiping Trojan TROJ_KILLMBR.SM

– One of the breached patch management servers was AhnLab's (Korea's leading local AV vendor) update server inside the customer's premises

• Self-destruction – overwriting the compromised PC's Master Boot Record (MBR), making it difficult to analyze and investigate.

– MBRs on server systems were also targeted for deletion, potentially disrupting mission-critical IT services.
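The self-destruction step above overwrites the MBR, which both disables the machine and destroys evidence. The following is an added example, not code from the slides or from Trend Micro, of the check a responder or an integrity-monitoring agent can run against the first sector of a disk: parse the 512-byte MBR, validate the 0x55AA boot signature and the four 16-byte partition entries, and compare the sector hash with a known-good baseline recorded earlier. Both disk images are constructed inside the script; `build_mbr` exists only to produce that test data, and on a real host the sector would come from reading the first 512 bytes of the raw device.

```python
import hashlib
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of a valid MBR
PART_TABLE = 0x1BE             # four 16-byte partition entries start here
DISK_SIG = 0x1B8               # 4-byte disk signature used by Windows
PART_FMT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, LBA length


def build_mbr(bootcode: bytes, partitions, disk_sig: int = 0x1234ABCD) -> bytes:
    """Assemble a constructed 512-byte MBR for testing (not read from a real disk)."""
    if len(bootcode) > 440:
        raise ValueError("boot code must fit in the first 440 bytes")
    buf = bytearray(SECTOR)
    buf[:len(bootcode)] = bootcode
    struct.pack_into("<I", buf, DISK_SIG, disk_sig)
    for i, (status, ptype, lba_start, lba_len) in enumerate(partitions[:4]):
        struct.pack_into(PART_FMT, buf, PART_TABLE + 16 * i,
                         status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba_start, lba_len)
    buf[SECTOR - 2:] = BOOT_SIGNATURE
    return bytes(buf)


def parse_mbr(sector: bytes) -> dict:
    """Decode the fields a responder looks at first."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba_start, lba_len = struct.unpack_from(PART_FMT, sector, PART_TABLE + 16 * i)
        if ptype != 0:  # type 0 means the entry is unused
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "lba_len": lba_len})
    return {
        "signature_ok": sector[SECTOR - 2:] == BOOT_SIGNATURE,
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG)[0],
        "partitions": partitions,
        "sha256": hashlib.sha256(sector).hexdigest(),
    }


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return findings; an empty list means the sector is structurally valid and matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector overwritten or wiped")
    if not info["partitions"]:
        findings.append("partition table empty")
    elif not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition flagged bootable")
    if info["sha256"] != baseline_sha256:
        findings.append("MBR hash differs from recorded baseline")
    return findings


# Constructed samples: a plausible good sector and one overwritten by a wiper pattern.
GOOD_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", [(0x80, 0x07, 2048, 204800)])
BASELINE = hashlib.sha256(GOOD_MBR).hexdigest()
WIPED_MBR = b"WIPED!!!" * (SECTOR // 8)

if __name__ == "__main__":
    print("good :", check_mbr(GOOD_MBR, BASELINE) or "OK")
    print("wiped:", check_mbr(WIPED_MBR, BASELINE))
```

The baseline hash is the part that matters operationally: record it when the machine is provisioned and store it off-host, because a wiper that reaches the MBR can also reach a baseline kept on the same disk.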

Page 17

Attack technique 1: Social engineering email

(Diagram, reused on the next three slides: Attacker sends social engineering emails with malicious attachments to the Victimized Business; malicious C&C websites and AhnLab's update servers sit between them; on the Windows endpoints and the Unix/Linux server farm files are wiped out and the MBR is destroyed)

Email is the top attack channel in targeted attacks

Page 18

Attack technique 2: Multiple custom malware

(Same diagram as on Page 17)

A total of 76 tailor-made malware samples were used, of which 9 were destructive, while the other 67 were used for penetration and monitoring.

Page 19

Attack technique 3: Watering hole attacks

(Same diagram as on Page 17)

Leverage the legitimate update mechanism to deploy malware to endpoints faster.

AhnLab's APC server does not require login credentials to access.
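The two callouts above state the lesson: an update server that can be written to without authentication turns the patch channel into a malware distribution channel. The defense that does not depend on the server at all is for the client to verify what it downloads before it runs anything. The following is an added example, not AhnLab's or Trend Micro's code, of that client-side check: a signed manifest carries the expected SHA-256 of the payload and its version, and the agent refuses payloads whose hash or signature does not match, or whose version would roll it back. `SIGNING_KEY`, the product name and the payload bytes are constructed; HMAC-SHA256 from the standard library stands in for the public-key signature a real vendor would use, under which the update server never holds signing material.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real update channel would use a public-key signature
# (e.g. Ed25519 or RSA) so the update server never holds the signing key.
SIGNING_KEY = b"constructed-demo-key-do-not-deploy"


def _canonical(manifest: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash exactly the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def sign_manifest(manifest: dict, key: bytes) -> dict:
    """Vendor side: produce {manifest, sig} for publication on the update server."""
    return {"manifest": manifest,
            "sig": hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()}


def verify_update(signed: dict, payload: bytes, key: bytes, installed_version: str) -> tuple:
    """Agent side: returns (ok, reason). Nothing is executed unless ok is True."""
    manifest = signed.get("manifest", {})
    expected_sig = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, str(signed.get("sig", ""))):
        return False, "manifest signature invalid"
    if not hmac.compare_digest(hashlib.sha256(payload).hexdigest(), str(manifest.get("sha256", ""))):
        return False, "payload hash does not match signed manifest"
    if version_tuple(manifest.get("version", "0")) <= version_tuple(installed_version):
        return False, "downgrade or replay of an old manifest rejected"
    return True, "ok"


# Constructed scenario: a legitimate release and an attacker-planted payload.
LEGIT_PAYLOAD = b"constructed agent update v2.1.0"
LEGIT_SIGNED = sign_manifest(
    {"product": "endpoint-agent", "version": "2.1.0",
     "sha256": hashlib.sha256(LEGIT_PAYLOAD).hexdigest()},
    SIGNING_KEY,
)
PLANTED_PAYLOAD = b"constructed wiper disguised as an update"
# The attacker controls the server but not the key: the best they can do is sign with a guess.
PLANTED_SIGNED = sign_manifest(
    {"product": "endpoint-agent", "version": "2.1.1",
     "sha256": hashlib.sha256(PLANTED_PAYLOAD).hexdigest()},
    b"attacker-guessed-key",
)

if __name__ == "__main__":
    print(verify_update(LEGIT_SIGNED, LEGIT_PAYLOAD, SIGNING_KEY, "2.0.9"))    # genuine update
    print(verify_update(LEGIT_SIGNED, PLANTED_PAYLOAD, SIGNING_KEY, "2.0.9"))  # binary swapped on server
    print(verify_update(PLANTED_SIGNED, PLANTED_PAYLOAD, SIGNING_KEY, "2.0.9"))  # forged manifest
    print(verify_update(LEGIT_SIGNED, LEGIT_PAYLOAD, SIGNING_KEY, "2.1.0"))    # replay of old release
```

The version check is what stops an attacker who has a genuinely signed old release from serving it again to reintroduce a patched vulnerability; the hash check is what stops the binary-swap that the slides describe.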

Page 20

Technique 4: Selective server attacks

(Same diagram as on Page 17)

Gain server login credentials from infected clients to initiate remote attacks.

Monitor server activity to obtain server access rights, then send the damage command to destroy the server system.

Page 21

Inspiration 1

Are we able to effectively detect email attacks and other attacks?

March 19, 2013: Social engineering emails carrying malware code

Page 22

Inspiration 2

Are we able to analyze the attack tools on-site?

March 19, 2013: Infection of the update server to distribute malware

Page 23

Inspiration 3

Are we able to continuously generate signatures so that the defense system adapts in time?

March 20, 2013: Malicious routine executed on schedule

Page 24

Inspiration 4

Does the organization have enough capability to respond to incidents on its own, or must it call for professional help from outside? (March 20, 2013)

Page 25

How has Trend Micro protected its customers?

Page 26

Deep Discovery Solutions

Deep Discovery provides the visibility, insight and control you need to protect your company against APTs and targeted attacks: Targeted Attack/APT Detection, In-Depth Contextual Analysis, Rapid Containment & Response

Deep Discovery Inspector

• Network traffic inspection

• Advanced threat detection

• Real-time analysis & reporting

Deep Discovery Advisor

• Custom scalable sandbox

• Deep investigation & analysis

Page 27

Custom Defense Strategy

(Diagram: Endpoint, Mail, Web, Data Center and Network feed Deep Discovery Inspector & Deep Discovery Advisor, alongside Cloud Security)

The customized nature of targeted attacks has changed the threat landscape; there is no silver bullet for advanced threat attacks. Enterprises need to improve their abilities to:

Detect malware, communications and behavior invisible to standard defenses

Analyze the risk and characteristics of the attack and attacker

Adapt security automatically (IP blacklists, custom signatures…)

Respond using the insight needed to respond to your specific attackers

Page 28

Deep Discovery Inspector - Capture all signals

Malicious content

• Embedded document exploits

• Drive-by downloads

• Zero-day

• Malware

Suspicious communication

• C&C access

• Data stealing

• Worms

• Backdoor activity…

Attack behavior

• Propagation & droppers

• Vulnerability scans & brute force

• Data exfiltration…

80+ protocols inspected: HTTP, SMTP, TCP, SMB, DNS, FTP, P2P, ...

Engines: Network Content Inspection Engine; Advanced Threat Security Engine; IP & URL reputation; Virtual Analyzer; Network Content Correlation Engine

Page 29

Sandbox analysis of zero-day attacks

• Custom OS image

• Accelerated time

• Anti-VM detection

• 32 & 64 bit

• Code execution, documents & URLs

Your custom sandbox (isolated network): WinXP SP3, Win7 Base and Win7 Hardened images

Live monitoring

• Core integration (hooks, DLL injection…)

• Monitoring network flows

• Correlation of events

Core Threat Simulator components: filesystem monitor, registry monitor, process monitor, rootkit scanner, network driver, fake Explorer, fake server, fake AV, API hooks

Sample trace:

LoadLibraryA ARGs: ( NETAPI32.dll ) Return value: 73e50000
LoadLibraryA ARGs: ( OLEAUT32.dll ) Return value: 75de0000
LoadLibraryA ARGs: ( WININET.dll ) Return value: 777a0000
key: HKEY_CURRENT_USER\Local Settings\MuiCache\48\52C64B7E\LanguageList value:
key: HKEY_CURRENT_USER\Software\Microsoft\Onheem\20bi1d4f
Write: path: %APPDATA%\Ewada\eqawoc.exe type: VSDT_EXE_W32
Injecting process ID: 2604 Inject API: CreateRemoteThread Target process ID: 1540 Target image path: taskhost.exe
socket ARGs: ( 2, 2, 0 ) Return value: 28bfe
socket ARGs: ( 23, 1, 6 ) Return value: 28c02
window API Name: CreateWindowExW ARGs: ( 200, 4b2f7c, , 50300104, 0, 0, 250, fe, 301b8, f, 4b0000, 0 ) Return value: 401b2
internet_helper API Name: InternetConnectA ARGs: ( cc0004, mmlzntponzkfuik.biz, 10050, , , 3, 0, 0 ) Return value: cc0008
.......

Conclusions drawn from the trace:

Modifies file with infectible type : eqawoc.exe
Inject process : 2604 taskhost.exe
Access suspicious host : mmlzntponzkfuik.biz
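The trace above is what the sandbox's API hooks record, and the three lines at the end are the behaviours extracted from it. The following is an added example, not Trend Micro's detection logic, of how such a trace is reduced to findings, IOCs and a verdict: each rule is a regular expression over one hooked call, a matching line adds a weight and records any file name or host it carries, and the total decides the label. The input is the slide's trace transcribed and trimmed to the relevant lines; the rule weights and the thresholds are assumptions.

```python
import re
from dataclasses import dataclass, field

# Trace lines transcribed from the slide, trimmed to the calls the rules look at.
SAMPLE_TRACE = """\
LoadLibraryA ARGs: ( NETAPI32.dll ) Return value: 73e50000
LoadLibraryA ARGs: ( WININET.dll ) Return value: 777a0000
key: HKEY_CURRENT_USER\\Software\\Microsoft\\Onheem\\20bi1d4f
Write: path: %APPDATA%\\Ewada\\eqawoc.exe type: VSDT_EXE_W32
Injecting process ID: 2604 Inject API: CreateRemoteThread Target process ID: 1540 Target image path: taskhost.exe
socket ARGs: ( 23, 1, 6 ) Return value: 28c02
internet_helper API Name: InternetConnectA ARGs: ( cc0004, mmlzntponzkfuik.biz, 10050, , , 3, 0, 0 ) Return value: cc0008
"""

# (rule name, weight, pattern over one trace line, message template). Weights are assumptions.
RULES = [
    ("drop_executable", 3,
     re.compile(r"Write: path: (?P<path>\S+) type: VSDT_EXE"),
     "Modifies file with infectible type : {name}"),
    ("process_injection", 4,
     re.compile(r"Inject API: (?P<api>\w+) Target process ID: (?P<pid>\d+) Target image path: (?P<image>\S+)"),
     "Inject process : {pid} {image} via {api}"),
    ("outbound_connect", 2,
     re.compile(r"API Name: InternetConnect[AW] ARGs: \( [0-9a-fA-F]+, (?P<host>[^,\s]+),"),
     "Access suspicious host : {host}"),
    ("autorun_key", 3,
     re.compile(r"key: (?P<key>HKEY_\S*\\CurrentVersion\\Run\w*)", re.IGNORECASE),
     "Sets autorun key : {key}"),
]


@dataclass
class Verdict:
    score: int = 0
    findings: list = field(default_factory=list)
    hosts: set = field(default_factory=set)   # network IOCs for blocking
    files: set = field(default_factory=set)   # dropped-file names for endpoint sweeps

    @property
    def label(self) -> str:
        return "malicious" if self.score >= 6 else "suspicious" if self.score >= 3 else "clean"


def analyze_trace(trace: str) -> Verdict:
    """Run every rule over every line; each distinct behaviour is scored once."""
    verdict = Verdict()
    seen = set()
    for line in trace.splitlines():
        for _name, weight, pattern, template in RULES:
            match = pattern.search(line)
            if not match:
                continue
            fields = match.groupdict()
            if "path" in fields:
                fields["name"] = fields["path"].rsplit("\\", 1)[-1]
                verdict.files.add(fields["name"])
            if "host" in fields:
                verdict.hosts.add(fields["host"].lower())
            message = template.format(**fields)
            if message not in seen:
                seen.add(message)
                verdict.score += weight
                verdict.findings.append(message)
    return verdict


if __name__ == "__main__":
    result = analyze_trace(SAMPLE_TRACE)
    print(result.label, result.score)
    for finding in result.findings:
        print("!", finding)
```

Note that the injection line names two processes: 2604 is the injecting process and 1540 (taskhost.exe) is the target, so the finding reports the target, which is the process a responder has to look inside.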

Page 30

How Trend Micro protects customers from the threat

Deep Discovery Inspector provides visibility of network activity and actionable threat intelligence that IT administrators can use to implement security measures to prevent further infections.

1. An email is sent to an employee, posing as a message from a bank. The email has a malicious attachment.

2. Deep Discovery Inspector (DDI) detects the email and attachment through heuristics as HEUR_NAMETRICK.B.

3. The attachment is sent to the Virtual Analyzer for sandbox analysis.

4. The IT admin obtains the results from the sandbox and performs the necessary steps (URL blocking, etc.). THREAT AVERTED.
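The flow above begins with an email posing as a bank message and carrying a malicious attachment. Before an attachment reaches a sandbox, a mail gateway can already reject the obvious cases. The following is an added example, not Deep Discovery's detection: it parses a raw message with Python's standard `email` library and, for each attachment, compares the declared extension with the file's magic bytes, flags executables and double extensions, and records a SHA-256 for later correlation with sandbox results. The message is constructed inside the script; its sender, recipient and attachment contents are all invented.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Magic bytes -> content kind (first match wins)
MAGIC = [
    (b"MZ", "pe"),                  # Windows PE executable (.exe/.dll/.scr)
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0", "ole2"),  # legacy Office (.doc/.xls/.ppt)
    (b"PK\x03\x04", "zip"),         # zip container, also .docx/.xlsx
    (b"{\\rtf", "rtf"),
]
# What a given extension claims the content to be
EXT_KIND = {"exe": "pe", "scr": "pe", "dll": "pe", "pdf": "pdf", "doc": "ole2",
            "xls": "ole2", "docx": "zip", "xlsx": "zip", "zip": "zip", "rtf": "rtf"}


def sniff(data: bytes) -> str:
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> dict:
    """Findings for one attachment; an empty list means nothing obviously wrong."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = sniff(data)
    findings = []
    if kind == "pe":
        findings.append("PE executable content")
    if len(parts) > 2 and parts[-2] in EXT_KIND:
        findings.append(f"double extension hides .{parts[-2]}")
    claimed = EXT_KIND.get(ext)
    if claimed and kind != "unknown" and kind != claimed:
        findings.append(f"content is {kind} but extension claims {claimed}")
    return {"filename": filename, "kind": kind,
            "sha256": hashlib.sha256(data).hexdigest(), "findings": findings}


def triage_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and triage every attachment it carries."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = [triage_attachment(part.get_filename() or "(unnamed)",
                                 part.get_payload(decode=True) or b"")
               for part in msg.iter_attachments()]
    verdict = "quarantine" if any(r["findings"] for r in results) else "deliver"
    return {"subject": msg["subject"], "from": msg["from"],
            "attachments": results, "verdict": verdict}


def build_sample_eml() -> bytes:
    """Constructed lure in the style the slide describes; nothing here is a real message."""
    msg = EmailMessage()
    msg["From"] = "alerts@bank.example"
    msg["To"] = "employee@corp.example"
    msg["Subject"] = "Your account statement"
    msg.set_content("Please review the attached statement.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="Statement.pdf.exe")
    msg.add_attachment(b"%PDF-1.4\n%constructed\n", maintype="application",
                       subtype="pdf", filename="Invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    report = triage_message(build_sample_eml())
    print(report["verdict"])
    for att in report["attachments"]:
        print(att["filename"], att["kind"], att["findings"])
```

This catches the crude lures; a document exploit inside a well-formed PDF or Office file passes every check here, which is exactly why the next step in the flow sends the attachment to the sandbox.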

Page 31

With sandbox analysis, DDI detected the suspicious email and identified its attachment as a Trojan downloader.

DDI successfully detected the email attack with early warnings.

Page 32

Sandbox Analysis Provided Intelligence for Response

The sandbox analysis discovered the suspicious behaviors of the Trojan and provided the malicious URL and IP addresses. The customer then set up a rule in the firewall/IPS to prevent the attacker from accessing infected machines or downloading additional malware.
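Turning the sandbox result into a containment action, as the customer did above, means two things: finding which internal hosts have already talked to the indicators, and pushing a rule so that further contact is blocked or alerted on. The following is an added example, not Trend Micro's or the customer's code: it hunts a constructed proxy log for the C&C domain seen in the sandbox trace on Page 29 and emits Suricata rules (Suricata 5 and later syntax) for the indicators. The IP address and the URL paths are constructed placeholders, since the slides give none.

```python
import ipaddress
import re
from collections import defaultdict

# Indicators as handed over by the sandbox report. The domain is the one from the
# trace on Page 29; the IP address is a constructed placeholder from TEST-NET-2.
IOCS = {
    "domains": {"mmlzntponzkfuik.biz"},
    "ips": {"198.51.100.23"},
}

# Constructed proxy log: epoch-time client-ip method url status
SAMPLE_PROXY_LOG = """\
1363680001.123 10.20.1.15 GET http://www.example.com/index.html 200
1363680002.456 10.20.1.42 GET http://mmlzntponzkfuik.biz/gate.php 200
1363680003.789 10.20.1.42 POST http://198.51.100.23/upload 200
1363680004.012 10.20.1.77 GET http://cdn.mmlzntponzkfuik.biz/x.bin 200
1363680005.345 10.20.1.15 GET http://www.example.org/ 304
"""

LINE_RX = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")
HOST_RX = re.compile(r"^[a-z]+://([^/:]+)", re.IGNORECASE)


def host_of(url: str) -> str:
    m = HOST_RX.match(url)
    return m.group(1).lower() if m else ""


def matches_domain(host: str, domains) -> bool:
    """Exact match or any subdomain of an indicator domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def hunt(log_text: str, iocs: dict) -> dict:
    """Map each internal client that contacted an indicator to the hosts it reached."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RX.match(line)
        if not m:
            continue
        host = host_of(m["url"])
        if matches_domain(host, iocs["domains"]) or host in iocs["ips"]:
            hits[m["client"]].add(host)
    return {client: sorted(hosts) for client, hosts in hits.items()}


def suricata_rules(iocs: dict, sid_start: int = 1000001) -> list:
    """One rule per indicator (Suricata 5+ syntax: dns.query sticky buffer, endswith)."""
    rules, sid = [], sid_start
    for d in sorted(iocs["domains"]):
        rules.append(f'alert dns any any -> any any (msg:"APT IOC DNS query {d}"; '
                     f'dns.query; content:"{d}"; nocase; endswith; sid:{sid}; rev:1;)')
        sid += 1
    for ip in sorted(iocs["ips"]):
        ipaddress.ip_address(ip)  # refuse to emit a rule for a malformed indicator
        rules.append(f'alert ip $HOME_NET any -> {ip} any '
                     f'(msg:"APT IOC C2 contact {ip}"; sid:{sid}; rev:1;)')
        sid += 1
    return rules


if __name__ == "__main__":
    for client, hosts in hunt(SAMPLE_PROXY_LOG, IOCS).items():
        print(f"isolate {client}: contacted {', '.join(hosts)}")
    print("\n".join(suricata_rules(IOCS)))
```

The subdomain match matters: blocking only the exact host from the report misses the `cdn.` sibling that the same infrastructure serves, which is the case the third constructed log line exercises.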

Page 33

• Advanced threat analytics

• Correlating local and global threat intelligence

Page 34

Analyst endorsement

Gartner

Deep Discovery wins best new product

Page 35

Korea Deep Discovery customers (reference): Public Sector, FSI, Enterprises

Trend Micro Deep Discovery protects

• Major banks

• Government agencies & many more

Page 37

http://enterprise.apac.trendmicro.com/APT/

A Custom Attack Needs a Custom Defense

Page 38

Thank you