© F-Secure

Spies On Your Doorstep

How to protect against today's threats

Twitter: @jarnomn

First Some Words About Cyber

Mostly, cyber is a way for consultants to double their fees

• Which is why you hear the word everywhere

The real point of difference in cyber threats is the target and the effect

• DDoS against a Minecraft server is not a cyber attack

• DDoS against a bank which crashes credit card processors and the ATM network is a cyber attack

• So cyber is not about the attack or the defense; it's about what the attacker does when he gets access to the system


Malware Blocked During A Typical Week


Trojan.LNK.Gen

Win32.Worm.DownadupJob.A

Exploit:SWF/Salama.H

Gen:Variant.Kazy.531178

Worm:W32/Downadup.gen!A

Trojan:HTML/Browlock.H

Trojan:JS/Agent.DVXX

Eh? What Does That Mean?


Share of malware blocked during a typical week (chart on the original slide):

• USB worm: 19 %

• Web attack: 31 %

• Windows Trojan: 46 %

• Windows Virus: 4 %

Web Based Exploits

Based on an exploit which targets a vulnerability in the web browser or a plugin

• Flash

• Java

• Acrobat

Mostly operated over exploit kits

• Attacker buys a kit from exploit kit author

• Sets up attack servers

• Finds a vulnerable web page

• Inserts a redirect to a redirect which redirects to attack server

• Attack server analyses the user's web browser settings and serves the matching exploit

• User's browser is taken over

• Malware is dropped to disk


Trojans

Nowadays trojan means malware which does not self-propagate

• If it’s not a virus, worm or exploit, it is a trojan

So basically a trojan is what you find on your system after a successful attack

• Which means that either web based protection failed

• Or malware got in some other way

  • Email

• USB

• User downloading and installing malware as result of social engineering


Attack Over USB Or Other Media

USB or other media stick loaded with malware

• USB autoplay (doesn't work against an up-to-date OS)

• Icon exploit, or exploit of media recognition

• Use the traditional trick of masking an executable as a document

• Or just a plain document exploit

• Craft a special USB device that actually acts as a USB keyboard and use “type>foo.exe” and then “cmd /c foo.exe” to run it

Introduce USB to victim

• Hope that the victim plugs in said USB device

  • http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe

March 11, 2015

Espionage And Advanced Malware

Enemies, every company has them

• Important companies have enemies who target them specifically

• The rest will be targets of opportunity

A typical non-interesting company has to worry about

• Undirected malware attacks

• For profit criminals

• Activists

• Spies

For this presentation I am using spies as the model enemy

• What hampers spies will stop less sophisticated attackers


What Does This Mean In Practice

Just like regular malware, a spy needs code running in the victim system

  • To be able to infect at least one device

  • To be able to move laterally in the victim network

  • So from the defence point of view there is little difference

• Both need Command & Control access

  • To be able to direct the attack

  • To be able to leak the stolen goods

• However there are some differences

  • Spy has more resources: 0-day exploits and exotic attacks

  • Spy is patient: infection may lie dormant for a long time

  • So if you use spies as the worst case, you are well prepared for malware


Basics: Attack Over Email

Victim gets an email which contains a document

• The document is from known sender

• Topic of document is what could be expected

• All in all it looks like regular business mail

• Except that it contains an exploit and a backdoor
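The email described on this slide is exactly the kind of message worth triaging automatically before anyone opens the attachment. What follows is an added example, not code from the slides or from F-Secure: a small Python triage of a constructed .eml message that checks the things a defender can test without opening the document: whether Reply-To or Return-Path point at a different domain than From, whether an attachment's real format (magic bytes) disagrees with its name, and whether the name uses a document extension to mask an executable one. The sender, domains, filenames and attachment bytes are all constructed for the example; the `MZ` blob is a stand-in header, not a real program.

```python
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

# Magic bytes identifying the real container format, independent of the
# declared filename or Content-Type header.
MAGIC = {
    b"MZ": "pe-executable",
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ole2",   # legacy .doc/.xls/.ppt container, can carry VBA
    b"PK\x03\x04": "zip",          # also .docx/.xlsx/.jar
}
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".js", ".vbs", ".bat", ".cmd", ".lnk", ".hta", ".jar"}
# "invoice.pdf.exe": a document extension used to mask an executable one
MASKED = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt)\.(exe|scr|com|pif|js|vbs|bat|cmd|lnk|hta)$", re.I)


def sniff(data):
    """Identify the container from its leading bytes, not from what the mail claims."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_attachment(filename, data):
    """Return a list of findings for one attachment (empty list = nothing suspicious)."""
    name = (filename or "").lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    kind = sniff(data)
    findings = []
    if ext in EXEC_EXT:
        findings.append(f"executable extension {ext}")
    if MASKED.search(name):
        findings.append("document extension masking executable")
    if kind == "pe-executable" and ext not in EXEC_EXT:
        findings.append(f"PE header inside {ext or 'extensionless'} file")
    if kind == "ole2":
        findings.append("legacy Office container, may carry macros")
    return findings


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_mismatch(msg):
    """True when Reply-To or Return-Path points at a different domain than From."""
    sender = domain(email.utils.parseaddr(msg.get("From", ""))[1])
    others = {domain(email.utils.parseaddr(msg.get(h, ""))[1]) for h in ("Reply-To", "Return-Path")}
    others.discard("")
    return any(d != sender for d in others)


def triage_message(raw):
    """Parse a raw RFC 822 message and triage its headers and every attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        attachments.append({"name": part.get_filename(), "kind": sniff(data),
                            "findings": triage_attachment(part.get_filename(), data)})
    return {"sender_mismatch": sender_mismatch(msg), "attachments": attachments}


def build_sample():
    """Constructed message modelled on the slide: plausible sender, expected topic, bad attachment."""
    msg = EmailMessage()
    msg["From"] = "Accounts <accounts@partner.example>"
    msg["To"] = "victim@company.example"
    msg["Reply-To"] = "accounts@partner-example.net"   # look-alike domain (constructed)
    msg["Subject"] = "Q1 invoice"
    msg.set_content("Please find the invoice attached.")
    # Constructed stand-in for an executable: an MZ header plus filler, not a real program.
    msg.add_attachment(b"MZ" + b"\x00" * 64, maintype="application", subtype="pdf",
                       filename="invoice.pdf.exe")
    msg.add_attachment(b"%PDF-1.4\n%constructed\n", maintype="application", subtype="pdf",
                       filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    import pprint
    pprint.pprint(triage_message(build_sample()))
```

Note that a legacy OLE container is only flagged as "may carry macros": deciding whether it actually contains VBA needs a real OLE parser, so in practice that finding routes the file to sandbox detonation rather than blocking it outright.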


Basics: Watering Hole Attack Over A Website

Spy infects a victim device with custom 0-day exploit

• Attack is placed into a website favoured by the victim population

  • Subcontractor or supplier

• Governmental services

• Political discussion group, news, forum

• Popular development portal

Or alternatively the attacker makes use of targeted advertising

• Users located in Blagnac, France

• Patria Aerostructures in browsing history

• Context match for text associated with the target, for example pressure monitor sensors


Exotic: Take Over Equipment

Getting the victim to visit an exploit may draw attention

• Thus it would be more convenient to take over the victim's router

This can be done by exploiting the router

• Or by tampering with it before the customer gets it

• Also any other equipment can be tampered with


Exotic: Hijack And Modify Traffic On The Fly

Router modification works only with a suitable exploit or access to the router

• For other targets traffic can be modified with ”lawful” intercept

  • Technique favored by police in several countries

With MITM capability the attacker can inject traffic

• Exploits into any web page

• On-the-fly trojanizing of software updates or other executables


C&C

After a successful attack the attacker needs to be able to talk to the payload

Which means that he needs some way to communicate

• HTTP(s) C&C (simple domain, fast flux, compromised site)

• Skype, IRC, Messenger, ICQ, etc chat connections

• Twitter, facebook, social networks

• FTP, Dropbox, file-leave, file sharing sites

• SMTP

• Anything else that looks like regular user activity

• For example embedding commands in JPEG or PNG is popular

• Exotic attacks leak over USB, compromised router, radio implants, etc

Lateral Movement

In order to find interesting stuff attackers need to move

This means they need to be able to take over other hosts

The typical way to do this is to crack a user or admin password hash

After the attacker has the password he can use psexec or the “at” command to execute files on remote systems

Also remote login products commonly used by IT are frequently used

Diagram on the original slide: point of entry (admin password hash) -> psexec -> another workstation (backdoor executed)
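The chain on that slide (password hash, psexec, backdoor on the next workstation) leaves a characteristic trail in Windows event logs. The following is an added example, not part of the slides or F-Secure's tooling: a Python detector over constructed event records carrying the fields Windows actually logs, looking for three signals: event 7045 (service installed) naming PSEXESVC or an image path on a UNC share, event 4698 (scheduled task created) with an `At<n>` name as left by the `at` command, and one account making network (type 3) logons from a single source to several hosts. Host names, addresses, the account name and the fan-out threshold are constructed or assumed; the `admin_hosts` allowlist is where you put the jump hosts that legitimately do this.

```python
import re
from collections import defaultdict

# The "at" command creates tasks named At1, At2, ...; event 4698 reports them as "\At3".
AT_TASK = re.compile(r"^\\?At\d+$")

# Constructed event records (a subset of the fields Windows logs), not real telemetry.
# 10.0.0.17 is the point of entry; svc_admin's credential is reused against three workstations.
SAMPLE_EVENTS = [
    {"host": "WS-042", "id": 4624, "LogonType": 3, "TargetUserName": "svc_admin",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.17"},
    {"host": "WS-042", "id": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "StartType": "demand start"},
    {"host": "WS-043", "id": 4624, "LogonType": 3, "TargetUserName": "svc_admin",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.17"},
    {"host": "WS-043", "id": 4698, "TaskName": "\\At3", "SubjectUserName": "svc_admin"},
    {"host": "WS-044", "id": 4624, "LogonType": 3, "TargetUserName": "svc_admin",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.17"},
    # ordinary file-share access and a local interactive logon: should not fire
    {"host": "FS-01", "id": 4624, "LogonType": 3, "TargetUserName": "j.smith",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.17"},
    {"host": "WS-042", "id": 4624, "LogonType": 2, "TargetUserName": "j.smith",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "127.0.0.1"},
]


def detect_lateral_movement(events, fanout_threshold=3, admin_hosts=()):
    """Return findings for psexec-style service installs, at-style tasks and account fan-out."""
    findings = []
    fanout = defaultdict(set)   # (account, source ip) -> hosts it logged into over the network
    for ev in events:
        eid = ev.get("id")
        host = ev.get("host", "?")
        if eid == 7045:
            svc, path = ev.get("ServiceName", ""), ev.get("ImagePath", "")
            if svc.upper() == "PSEXESVC" or path.startswith("\\\\"):
                findings.append({"host": host, "type": "remote_service_install",
                                 "detail": f"{svc} -> {path}"})
        elif eid == 4698 and AT_TASK.match(ev.get("TaskName", "")):
            findings.append({"host": host, "type": "at_scheduled_task",
                             "detail": ev["TaskName"]})
        elif eid == 4624 and ev.get("LogonType") == 3:
            src = ev.get("IpAddress", "")
            if src and src not in admin_hosts:
                fanout[(ev.get("TargetUserName", "?"), src)].add(host)
    for (user, src), hosts in fanout.items():
        if len(hosts) >= fanout_threshold:
            findings.append({"host": src, "type": "account_fanout",
                             "detail": f"{user} network logons to {sorted(hosts)}"})
    return findings


if __name__ == "__main__":
    for f in detect_lateral_movement(SAMPLE_EVENTS):
        print(f)
```

The fan-out rule is the one that catches the generic case: psexec can be renamed and `at` replaced by `schtasks`, but an admin credential used from one workstation to log into several others in a short window is the behaviour the slide describes, whatever tool carries it.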

Preparation Is Best Defense

• Install a proper endpoint protection

• Patch everything

• Minimize attack surface

• Harden OS and apps

• Make backups

• Know your system

• Create system baseline with checksum tool

• Get familiar with what processes are normally running in the system


http://www.av-test.org/

What Is Proper Endpoint Protection

Old fashioned Anti-Virus is simply not enough

• That’s why we haven’t made one since 2010

First and foremost, trust and leverage professional testing organizations

• www.av-test.de, www.av-comparatives.org

• Make sure the software has the following functionality

  • URL filtering to block known attack sites

  • Web traffic scanning and exploit protection

  • Behavior-based exploit detection

  • File reputation queries

  • Runtime behavioral heuristics

  • File scanner (the traditional AV)


Minimize Vulnerable Attack Surface

Disable all unnecessary content in web browsers

• Disable Java and ActiveX unless you need them for something

• If you really need Java, whitelist specific sites

• Block Flash, Silverlight, etc. or use click-to-play

• If users accept it, install NoScript with sensible defaults

Disable unnecessary and dangerous features in office software

• Disable all multimedia etc. plugins in Word, Excel, Acrobat

• Do you really need a PDF or document that runs Flash or ActiveX?

• Disable JavaScript in Acrobat

• In general, strip out features that users don't need

Make Sure What Is Running Is Patched

Yeah, everyone knows that IT should deploy all patches ASAP

• But what about software that users have installed without IT knowledge?

Thus you need to run a software verifier/updater to update everything


Harden Client Application Memory Handling

Enhanced Mitigation Experience Toolkit (EMET)

Harden memory handling of any application that processes external data

• AcroRd32 and other PDF readers

• WinZip, 7-Zip, etc.

• Excel, PowerPoint, Word, Outlook, Winword.exe

• Explorer.exe, iexplore.exe, Firefox, Chrome

• Skype.exe

• Wmplayer.exe, VLC, and any other video player

It is possible to write exploits so that they bypass EMET

• But then attacker has to knowingly try to circumvent EMET

How To Do Cyber Security

Mostly cyber security is about doing your basic security properly

• A system that cannot be infected cannot be used as a beachhead

• Cyber attackers need to be able to move laterally, so deny that

But do pay extra attention to critical production infrastructure

• Isolate production if possible; if not, make it difficult to identify the netblock

• Make sure that production and visible servers have different network connections

• Make your production self-monitoring, with watchdogs and alarms

• Create and maintain a file and system integrity database
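The "system baseline with checksum tool" from the preparation slide and the "file and system integrity database" called for here are the same control, so one example serves both. It is an added example, not the deck's or F-Secure's code: a Python baseline that records SHA-256, size and permission bits for every regular file under a tree, stores the result as JSON, and reports what was added, removed or modified. The `demo()` function builds a constructed tree, then simulates the changes an intrusion leaves behind (a trojanized binary, a dropped file, a deleted config) and compares; the paths and file contents are constructed.

```python
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative POSIX path) to its hash, size and mode."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():   # symlinks are skipped, not followed
            continue
        st = p.stat()
        baseline[p.relative_to(root).as_posix()] = {
            "sha256": hash_file(p), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}
    return baseline


def save_baseline(baseline, path):
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Files added, removed, or whose hash/size/mode changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo():
    """Baseline a constructed tree, then simulate what an intrusion leaves behind."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "app"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "service.exe").write_bytes(b"constructed binary v1")
        (root / "config.ini").write_text("debug=0\n")
        store = Path(tmp) / "baseline.json"      # the real one belongs off-host or on read-only media
        save_baseline(build_baseline(root), store)

        (root / "bin" / "service.exe").write_bytes(b"constructed binary v1 + implant")  # trojanized
        (root / "bin" / "helper.dll").write_bytes(b"dropped payload")                  # dropped file
        (root / "config.ini").unlink()                                                  # deleted
        return compare(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The comparison is only as trustworthy as the stored baseline: an attacker who can rewrite `baseline.json` on the monitored host can hide a modified binary, so keep the database where the production system cannot write to it, and re-baseline deliberately after each legitimate deployment rather than on a timer.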


Conclusion

There is very little difference between InfoSec, APT, and CyberSec

Attack vectors are the same

• Exploits over web, email and any communication channels

• Social engineering

• USB

About the only difference is the attacker and the target choice

• Attackers are more patient and better equipped

• Once the attacker gets into the target the effects are more dramatic

Thus defense methods are pretty much the same as before

• We just need to be more diligent, and react using multiple layers and methods
