Page 1: The Threat Landscape Has Changed Beyond Anti Spam And Anti Virus

IBM Global Services

04/08/23 © 2007 IBM Corporation

IBM Internet Security Systems: Ahead of the threat.™

The Threat Landscape Has Changed: Moving Beyond Anti-Spam and Anti-Virus

Eric Hanselman, CISSP, Network Protection Architect

Page 2: The Threat Landscape Has Changed Beyond Anti Spam And Anti Virus

Email Management: An Ongoing Problem

Has always been an issue

Too easy an access path

–Ubiquitous, anonymous access

Too critical to block

Cycles of control

–Problem is getting worse…

Page 3: The Threat Landscape Has Changed Beyond Anti Spam And Anti Virus

The Problem is Complex

Spam

Attacks

Content management

–Intellectual property

–Legal liabilities

Page 4: The Threat Landscape Has Changed Beyond Anti Spam And Anti Virus

Nefarious Goals are Blending

Product sales

Stock manipulation

Money laundering

Bot recruitment

Data Theft

– Phishing

– Keystroke loggers

Page 5: The Threat Landscape Has Changed Beyond Anti Spam And Anti Virus

The Mule Trade

Page 6: The Threat Landscape Has Changed Beyond Anti Spam And Anti Virus

Registrant: Said Mahmod [email protected] +96.485743234 Said Mahmod inc. Gavi-ayesh 34 21 Reeayad, Reeayad, PALESTINIAN TERRITORY, OCCUPIED

7849343

Domain Name: elxtrading.com
Record last updated at 2007-03-02 10:27:15
Record created on 2007/3/2
Record expired on 2008/3/2

Queried whois.apnic.net with "58.65.236.129"...

% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 58.65.232.0 - 58.65.239.255
netname: HOSTFRESH
descr: HostFresh
descr: Internet Service Provider
country: Hong Kong

[email protected] - TLD “.CC” is for the Cocos (Keeling) Islands

+96.485743234 - International Telephone Country Codes: +96x is for the “Middle East” (Iraq, Jordan, Kuwait, Lebanon, Maldives, Oman, Saudi Arabia, Syria, Yemen); +964 is for IRAQ

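The cross-checks this slide walks through (phone prefix, contact-address TLD, hosting netblock and registration term against the claimed registrant country), written up as a defender's whois triage script. This is an added example, not material from the deck; the lookup tables are small constructed subsets of the public country-code and ccTLD tables, and the contact e-mail is a placeholder because the transcript elides the real address.

```python
from datetime import date
import re

# Constructed lookup tables: small subsets of the public country-code and
# ccTLD tables the slide reasons from (+964 is Iraq, .cc is Cocos Islands).
PHONE_PREFIX_COUNTRY = {
    "964": "Iraq", "962": "Jordan", "965": "Kuwait", "966": "Saudi Arabia",
    "970": "Palestinian Territory", "852": "Hong Kong",
}
EMAIL_TLD_COUNTRY = {"cc": "Cocos (Keeling) Islands",
                     "ps": "Palestinian Territory", "hk": "Hong Kong"}

def phone_country(phone):
    """Resolve a whois phone field such as '+96.485743234' to a country.
    Registrars write +CC.number, but this record's dot is misplaced, so
    match the longest known prefix over all the digits instead."""
    digits = re.sub(r"\D", "", phone)
    for length in (3, 2, 1):
        if digits[:length] in PHONE_PREFIX_COUNTRY:
            return PHONE_PREFIX_COUNTRY[digits[:length]]
    return None

def email_country(email):
    """Country that owns the contact address's TLD, or None for a gTLD."""
    return EMAIL_TLD_COUNTRY.get(email.rsplit(".", 1)[-1].lower())

def registrant_red_flags(reg):
    """Cross-check the claimed registrant country against the phone prefix,
    e-mail TLD, hosting netblock and registration term; one string per hit."""
    claimed, flags = reg["country"], []
    pc = phone_country(reg["phone"])
    if pc and pc != claimed:
        flags.append(f"phone prefix resolves to {pc}, not {claimed}")
    ec = email_country(reg["email"])
    if ec and ec != claimed:
        flags.append(f"contact e-mail TLD belongs to {ec}, not {claimed}")
    if reg["hosting_country"] != claimed:
        flags.append(f"netblock registered in {reg['hosting_country']}, not {claimed}")
    if (reg["expires"] - reg["created"]).days <= 366:
        flags.append("shortest possible registration term (one year)")
    return flags

# Constructed sample assembled from the slide's whois excerpts; the contact
# e-mail is a placeholder because the transcript elides the real address.
ELXTRADING = {
    "domain": "elxtrading.com", "email": "registrant@example.cc",
    "phone": "+96.485743234", "country": "Palestinian Territory",
    "hosting_country": "Hong Kong",  # APNIC: HOSTFRESH, 58.65.232.0/21
    "created": date(2007, 3, 2), "expires": date(2008, 3, 2),
}
```

Running `registrant_red_flags(ELXTRADING)` yields all four inconsistencies the slide points out; a consistent record yields an empty list.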

Page 7: The Threat Landscape Has Changed Beyond Anti Spam And Anti Virus

Profit Motivates Innovation

There is a lot of money to be made!

Senders are smart

–Techniques are evolving

Spam and attack traffic are converging!

Page 8: The Threat Landscape Has Changed Beyond Anti Spam And Anti Virus

Two Traditional Paths of Defense

Anti-spam

– Block known bad senders

• RBL’s

– Block known bad words

– Block known bad paths

Anti-Virus

– Block known bad attachments

We expect some will get through!

Page 9: The Threat Landscape Has Changed Beyond Anti Spam And Anti Virus

Sender Innovations

Spread the senders

– Botnet spam agents

Obscure the words

– Image spam

Multiply the paths

Morph the attachments

– Polymorphic encoding

Embed new attacks

Page 10: The Threat Landscape Has Changed Beyond Anti Spam And Anti Virus

Image Spam Gets Smarter

Page 11: The Threat Landscape Has Changed Beyond Anti Spam And Anti Virus

Techniques Get Smarter

Page 12: The Threat Landscape Has Changed Beyond Anti Spam And Anti Virus

Avoiding Detection

Senders are stealthy

– No news is good news!

Techniques are quieter

– Stay under the radar

– Slip between the cracks

Targets are smaller

Keeping victims quiet

– Social engineering

Page 13: The Threat Landscape Has Changed Beyond Anti Spam And Anti Virus

A Tale of Two Bots

Similar roots

– Use self-replicating worm techniques to infect hosts via email

– Establish a connection to the bot network to download additional components

• Future activities are limitless

Stration

– Great polymorphic encoder

SpamThru

– Brings its own Anti-Virus

– GIF tools

Page 14: The Threat Landscape Has Changed Beyond Anti Spam And Anti Virus

Masking By Morphing

Polymorphic encoder beats Anti-Virus protections

High volumes increase success probabilities

Page 15: The Threat Landscape Has Changed Beyond Anti Spam And Anti Virus

Self-Modifying Malware – Stration

Number of Variants Captured

8/16/06 to 11/26/06

Page 16: The Threat Landscape Has Changed Beyond Anti Spam And Anti Virus

Next Generation Payloads

Script-based obfuscation

– Payload is hidden by JavaScript

– Can pass built-in encoder

Additional hiding capabilities

– Very hard to see in transit

– Depends on interpretation on the endpoint

We can’t count on clean-up

We can’t allow any to succeed

Page 17: The Threat Landscape Has Changed Beyond Anti Spam And Anti Virus

How to Approach Protection

Staunch the flow

– Better mail stream filtering

– Limit user choices

Protect at the end points

– The only place to catch them

– Ultimate user protection

Page 18: The Threat Landscape Has Changed Beyond Anti Spam And Anti Virus

Staunching the Flow

Traditional techniques need a priori knowledge

– Elusive at best…

– Bad Stuff is Hard to Predict

Time is required for analysis

– Delay causes scaling problems

Statistical analysis

– An a posteriori technique

– Good for large volumes

Some still gets through

Page 19: The Threat Landscape Has Changed Beyond Anti Spam And Anti Virus

Better Flow Techniques

URL references

– Analyze web links

Structure analysis

– Better capabilities

Image analysis

– Beyond OCR

Sender identity control

– Still a long way off

Page 20: The Threat Landscape Has Changed Beyond Anti Spam And Anti Virus

Host-Based Detection

Best for executable content analysis

– Highly scalable

Behavioral executable analysis

– Anti-Virus isn’t enough

Poor statistical capabilities

Traditional security

– Patching still required, but…

Page 21: The Threat Landscape Has Changed Beyond Anti Spam And Anti Virus

The Risks Have Expanded

Our protections need to expand, too!

– Plan for action today!

– Review existing protections

– Coordinate email and host protection planning

– Keep data security planning on the horizon

Risks aren’t standing still!

Page 22: The Threat Landscape Has Changed Beyond Anti Spam And Anti Virus

Threats are everywhere… and always evolving. Will you be protected?

Page 23: The Threat Landscape Has Changed Beyond Anti Spam And Anti Virus

Resources

Spam and Phishing

– http://www.antiphishing.org/

– http://www.sans.org/

– http://www.secureworks.com/research/threats/spamthru/

– http://www.iss.net/documents/whitepapers/X_Force_Exec_Brief.pdf

Security Protections

– http://xforce.iss.net/

– http://www.av-test.org/

Page 24: The Threat Landscape Has Changed Beyond Anti Spam And Anti Virus

Thank You!

Questions?
