To Catch a Thief: Detect & Defend Your Network From Targeted Attacks
Dhanya Thakkar, Managing Director, Asia Pacific, Trend Micro
#CLOUDSEC
Look Closer
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
What’s the value of one Tweet?
• Stock: 150 points
• Equity: 136 billion wiped
• Short selling
Confidential | Copyright 2015 Trend Micro Inc.
Intelligence Gathering
What
• Org Structure
• Infrastructure
• People
• Geography
• Security Enforcing Functions
• Networks
• Software/hardware
How
• Initial Public Intelligence
• Social Engineering
• Physical Security Analysis
• Network Analysis
• Information System Tests
Point of Entry
Watering Hole
Island Hopping
• 80 civil lawsuits
• In May, veteran CEO resigns
• $4.2B lost market value
• Data breach of 110M records
• In March, CIO resigns
• 7 board members now at risk
• Total cost to be $1B
• 2013 profits fell 34%
Exploitation
• Advanced Malware
• Utilization of 0-days
• Undetectable by anti-virus
• Able to withstand normal disinfection methods
Weapons Grade Arsenal
Ultra Hackers Tools for sale
Price is 0.0797 BTC (bitcoin) = $25 Virus Builders
1. Nathan's Image Worm
2. Dr. VBS Virus Maker
3. p0ke's WormGen v2.0
4. Vbswg 2 Beta
5. Virus-O-Matic Virus Maker
Scanners
1. DD7 Port Scanner
2. SuperScan 4.0
3. Trojan Hunter v1.5
4. ProPort v2.2
5. Bitching Threads v3.1
DoSers, DDoSers, Flooders and Nukers
1. rDoS
2. zDoS
3. Site Hog v1
4. Panther Mode 2
5. Final Fortune 2.4
Fake Programs
1. PayPal Money Hack
2. Windows 7 Serial Generator
3. COD MW2 Keygen
4. COD MW2 Key Generator
5. DDoSeR 3.6
Cracking Tools
1. VNC Crack
2. Access Driver
3. Attack Toolkit v4.1 & source code included
4. Ares
5. Brutus
Analysis :
· OllyDbg 1.10 & Plugins - Modified by SLV *NEW*
· W32Dasm 8.93 - Patched *NEW*
· PEiD 0.93 + Plugins *NEW*
· RDG Packer Detector v0.5.6 Beta - English *NEW*
Rebuilding :
· ImpRec 1.6 - Fixed by MaRKuS_TH-DJM/SnD *NEW*
· Revirgin 1.5 - Fixed *NEW*
· LordPE De Luxe B *NEW*
LIST OF SOFTWARE INCLUDED IN THIS PACKAGE:
Host Booters
1. MeTuS Delphi 2.8
2. XR Host Booter 2.1
3. Metus 2.0 GB Edition
4. BioZombie v1.5
5. Host Booter and Spammer
Stealers
1. Dark Screen Stealer V2
2. Dark IP Stealer
3. Lab Stealer
4. 1337 Steam Stealer
5. Multi Password Stealer v1.6
Remote Administration Tools/Trojans
1. Cerberus 1.03.4 BETA
2. Turkojan 4 GOLD
3. Beast 2.07
4. Shark v3.0.0
5. Archelaus Beta
Binders:
1. Albertino Binder
2. BlackHole Binder
3. F.B.I. Binder
4. Predator 1.6
5. PureBiND3R by d3will
HEX Editor :
· Biew v5.6.2
· Hiew v7.10 *NEW*
· WinHex v12.5 *NEW*
Decompilers :
· DeDe 3.50.04
· VB Decompiler Lite v0.4 *NEW*
· Flasm
Unpackers :
· ACProtect - ACStripper
· ASPack - ASPackDie
· ASProtect > Stripper 2.07 Final & Stripper 2.11 RC2 *NEW*
· DBPE > UnDBPE
Keygenning : *NEW*
· TMG Ripper Studio 0.02 *NEW*
Packers :
· FSG 2.0
· MEW 11 1.2 SE
· UPX 1.25 & GUI *NEW*
· SLVc0deProtector 0.61 *NEW*
· ARM Protector v0.3 *NEW*
· WinUpack v0.31 Beta *NEW*
Patchers :
· dUP 2 *NEW*
· CodeFusion 3.0
· Universal Patcher Pro v2.0
· Universal Patcher v1.7 *NEW*
· Universal Loader Creator v1.2 *NEW*
Crypters
1. Carb0n Crypter v1.8
2. Fly Crypter v2.2
3. JCrypter
4. Triloko Crypter
5. Halloween Crypter
6. Deh Crypter
7. Hatrex Crypter
8. Octrix Crypter
9. NewHacks Crypter
10. Refruncy Crypter
Command & Control Communications
Common Traits
• Uses typical protocols (HTTP)
• Uses legitimate sites as C&C
• Uses internal systems as C&C
• Uses 3rd party apps as C&C
• May use compromised internal systems
Advantages
• Maintains persistence
• Avoids detection
54% of C&C servers have a lifespan of less than 1 day
Lateral Movement
Data Discovery and Exfiltration
Common Traits
• Built-in file transfer (RATs)
• FTP, HTTP
• Tor network/Encryption
• Public File Sharing sites
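The two slides above describe C&C that hides in ordinary HTTP to legitimate-looking hosts and exfiltration over HTTP or file-sharing sites. The following is an added example (not from the presentation or Trend Micro) of what a defender can look for in proxy logs when reputation gives nothing: machine-regular beacon timing and unusually large client-to-server transfers. The log format, hosts and addresses are constructed for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
# Constructed proxy log sample (not from the presentation): ts client method host bytes_out
SAMPLE_LOG = """\
2015-09-10T09:00:00 10.1.2.7 GET updates.example-cdn.net 512
2015-09-10T09:03:12 10.1.2.7 GET www.example.org 2048
2015-09-10T09:05:00 10.1.2.7 GET updates.example-cdn.net 498
2015-09-10T09:10:01 10.1.2.7 GET updates.example-cdn.net 505
2015-09-10T09:15:00 10.1.2.7 GET updates.example-cdn.net 510
2015-09-10T09:41:55 10.1.2.7 GET www.example.org 1337
2015-09-10T11:02:00 10.1.2.9 PUT share.example-files.com 83886080
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")

def parse_log(text):
    """Turn log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, host, nbytes = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "method": method, "host": host, "bytes": int(nbytes)})
    return events

def find_beacons(events, min_hits=4, max_jitter=0.1):
    """Flag (client, host) pairs polled at near-constant intervals, ignoring reputation."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["client"], e["host"])].append(e["ts"])
    flagged = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        # low coefficient of variation = machine-regular beacon; human browsing is bursty
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            flagged.append((client, host, round(mean)))
    return flagged

def find_bulk_uploads(events, threshold=50 * 2**20):
    """Flag large client-to-server transfers (POST/PUT), the exfiltration pattern above."""
    return [(e["client"], e["host"], e["bytes"]) for e in events
            if e["method"] in ("POST", "PUT") and e["bytes"] >= threshold]
```

The beacon check flags the 5-minute polling of updates.example-cdn.net even though the host name looks benign, while the two irregular visits to www.example.org are left alone; thresholds are starting points to tune against your own baseline.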
Standard defenses:
• Next-gen Firewall
• Intrusion Detection (IDS)
• Intrusion Prevention (IPS)
• Traditional AV
• Email/Web Gateways
Advanced reconnaissance, spear-phishing emails, embedded payloads, unknown malware & exploits, dynamic command and control (C&C) servers, and BYOD and remote employees create a broad attack surface.
Standard Defenses are Insufficient
Essential Technologies Threat Intelligence
Finding Criminals
Global Sensornet
• 150 million sensors
• 16 billion threat queries daily
• Files, URLs, vulnerabilities, threat actors…
Global Threat Intelligence
• 100TB of data analyzed daily
• 300,000 new threats identified daily
• Big data analytics and threat expertise
Web reputation pipeline (stages in processing order):
• User Traffic / Sourcing
• CDN vendor
• Rating Server for Known Threats
• Unknown & Prefilter
• Page Download
• Threat Analysis
Daily volumes along the pipeline: 6 billion/day, then 3 billion/day, then 300 million/day; filtered at successive stages: 50%, 90%, 99.95%; output: 50,000 malicious URLs/day
Trend Micro Products / Technology: CDN Cache, High Throughput Web Service, Hadoop Cluster, Web Crawling, Machine Learning / Data Mining
Layers: Technology, Process, Operation
Block malicious URL within 15 minutes once it goes online!
Need for Speed
Essential Technologies Spear Phishing Attack Protection
• Blocking of targeted spear phishing emails and document exploits via sandboxing
• Central analysis of detections
• Automated updates of malicious IP/Domains
• Signature file updates
Your Current Email Security
• Anti-spam
• Web Reputation
• Anti-phishing
• Advanced Threat Detection
• Anti-malware
• Quarantine
Next Generation Email Defense
Essential Technologies Patching and Intrusion Prevention
So, if this is manual monthly Security Patching
Then this is: Automated Virtual Patching
Patching and Intrusion Prevention
Essential Technologies Advanced Threat Detection
Advanced Script Analyzer Technology
• Required to detect client-side attacks delivered via the web
• Focus on dynamic behavioural analysis
Advanced Threat Scanning Technology
• Required to detect known and unknown malware
• Focus on heuristic scanning and employ a rule-based system
Advanced Threat Detection
Essential Technologies Breach Detection Solution
How long before you know?
• 210 days to detection
• 55% found by third party
Importance of East-West
Monitored components: App Server, Storage/Hypervisor, SMTP relay, Web proxy, Mail Server, Endpoint (the "!" markers in the diagram show where detection fires)
Attack stages and the traffic direction each one generates:
• Infection & payload: North-South
• Lateral movement: East-West
• C&C Callback: North-South
• Asset/Data Discovery: East-West
• Data Exfiltration: North-South
Custom Sandboxing
• File as well as network behaviour
• Identification of malicious destinations and command-and-control (C&C) servers
• Prevents sandbox evasion
• Essential to have custom sandboxes based on the target environment
• Mimics the real-life environment:
• Customer-supplied OS language
• Customer-supplied applications
• Corporate IT customizations
• Patching level to match the environment
Essential Technologies Interconnected Threat Defense
In Today’s Reality, Customers Need Full Lifecycle of Threat Defense
• PREVENT: Assess potential vulnerabilities and proactively protect endpoints, servers and applications
• DETECT: Detect advanced malware, behavior and communications invisible to standard defenses
• ANALYZE: Analyze risk and nature of attack and attacker, and assess impact of threats retrospectively
• RESPOND: Update protection automatically, prioritize areas for remediation and adapt protection
• MONITOR & CONTROL
Sample Threat Types Detected (presence across sampled organizations)
• Advanced malware: 98%
• Active botnet: 94%
• Disruptive applications: 88%
• Banker malware: 75%
• Malicious documents: 75%
• Zero-day malware: 49%
• Network attacks: 84%
• Android malware: 28%
Source: Real-life proof-of-concept sample results (conducted by Trend Micro technical team in 2014)
What’s in Your Organization?
#CLOUDSEC