Agenda
• The changing threat landscape
• Malware 101
• Evasion Tactics
• Demo: Using USM to Detect Malware
• Correlation directives
• Detecting communications with a C&C server
• Incident investigation
Malware Detection: How to Spot Infections Early
• More and more organizations are finding themselves in the crosshairs of various bad actors for a variety of reasons.
• The number of organizations experiencing high profile breaches is unprecedented.
• The “security arms race” cannot continue indefinitely, as the economics of securing your organization are stacked so heavily in favor of those launching attacks that incremental security investments are seen as impractical.
Threat landscape: Our new reality
In 60% of cases, attackers are able to compromise an organization within minutes.
Source: Verizon Data Breach Report, 2015
@AlienVault
“There are two types of companies that use
computers. Victims of crime that know they
are victims of crime and victims of crime that
don’t have a clue yet.”
- Jim Routh
CISO, Aetna
Prevent vs. Detect & Respond
Prevention is elusive
Malware 101 – Terminology
mal·ware: a portmanteau of ‘malicious software’; a general term for any software used to gain unauthorized access, steal data, or disrupt normal operation.
Common ‘types’ include:
• Virus: malware that spreads once it establishes a foothold
• Trojan horse: malware disguised as normal or innocuous software
Malware 101 – Terminology
• Rootkit: designed to run with elevated privileges, either via admin install or privilege escalation
• Backdoor/RAT: persistent remote access tool that allows attackers access after their initial breach
• Ransomware: encrypts a user’s file system (targeted or complete) and then demands a ransom for its decryption
Evasion tactics
• Hibernation: allows malware to remain dormant for a period after a breach, for execution later
• Polymorphic code: used to evade signature-based detection methods by changing the makeup of the software itself
• Service control: starting/stopping/halting services and processes to confuse detection methods or render them inoperable
• Domain Generation Algorithm (DGA): randomizes the command and control (C&C) server domain; reduces the chance of the domain being blacklisted, listed on OTX, etc.
• Plugins: ability to modify/update code and download second-stage malware easily
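As an added illustration of the DGA point, from the defender's side (this is not code from the deck or from AlienVault's products): a small Python script that scores queried domain labels with three cheap heuristics (character entropy, share of digits, long consonant runs) and reports clients whose lookups repeatedly look algorithmically generated. The DNS log lines, helper names and thresholds are constructed assumptions for the example.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log, "<timestamp> <client_ip> <queried_domain>"
SAMPLE_DNS_LOG = """\
2015-06-01T10:00:01 10.0.0.12 www.example.com
2015-06-01T10:00:02 10.0.0.12 mail.example.com
2015-06-01T10:00:03 10.0.0.45 xk3pq9vz7tlwm2bd.net
2015-06-01T10:00:04 10.0.0.45 qwv8j2hz4rt6yp.com
2015-06-01T10:00:05 10.0.0.45 zq8xvkptrm2n.org
2015-06-01T10:00:06 10.0.0.12 cdn.example.com
"""

def registered_label(domain):
    """Label left of the TLD (naive second-to-last label; a real tool would
    consult a public-suffix list). Hypothetical helper for this example."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def shannon_entropy(text):
    """Bits of entropy per character of the label."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def dga_score(domain):
    """Heuristic 0-3: one point each for high entropy, a high share of digits,
    and a run of five or more consonants (thresholds are assumptions)."""
    label = registered_label(domain)
    score = 0
    if shannon_entropy(label) > 3.5:
        score += 1
    if sum(ch.isdigit() for ch in label) / max(len(label), 1) > 0.2:
        score += 1
    if re.search(r"[bcdfghjklmnpqrstvwxz]{5,}", label):
        score += 1
    return score

def flag_suspicious_clients(log_text, threshold=2, min_hits=3):
    """Map client_ip -> DGA-looking domains, for clients that reach min_hits.
    Repeated hits, not one odd lookup, are the C&C beaconing signal."""
    hits = {}
    for line in log_text.splitlines():
        _, client, domain = line.split()
        if dga_score(domain) >= threshold:
            hits.setdefault(client, []).append(domain)
    return {c: d for c, d in hits.items() if len(d) >= min_hits}
```

Running `flag_suspicious_clients(SAMPLE_DNS_LOG)` on the constructed log flags only 10.0.0.45; the heuristic is a triage aid and should be tuned against your own resolver's baseline, since CDN and tracking hostnames can also score high.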
Firewalls/Antivirus are not enough
• Firewalls are usually not the target – too difficult to effectively penetrate
• Endpoints are the target, usually via email, URL redirects, miscellaneous malicious files, etc.
• With 160,000 new malware samples seen every day, antivirus apps will not find every threat
• Antivirus needs to be bolstered by regular and comprehensive monitoring
Unified Security Management
Unified Security Management Platform
A single platform for simplified, accelerated threat detection, incident response & policy compliance
AlienVault Labs Threat Intelligence
Correlation rules and directives written by our AlienVault Labs team and displayed through the USM interface
Open Threat Exchange
The world’s largest repository of crowd-sourced threat data, providing a continuous view of real-time threats that may have penetrated the company’s defenses.
AlienVault Labs Threat Intelligence
Weekly updates to correlation directives to detect emerging threats, like:
• Exploitation & Installation, Malicious website -Exploit Kit, Java Rhino
• Exploitation & Installation, Suspicious File, Document with macros
• System Compromise, Trojan infection, Zeus
• System Compromise, Trojan infection, Sc-KeylogKeylogger
• System Compromise, Malware infection, SpeedingUpMyPC.Rootkit
• System Compromise, Trojan infection, Cryptolocker
• System Compromise, Malware RAT, FF-RAT
WWW.ALIENVAULT.COM
888.613.6023
Now for some questions...
Download a Free 30-Day Trial of USM
http://www.alienvault.com/free-trial
Check out our 15-Day Trial of USM for AWS
https://www.alienvault.com/free-trial/usm-for-aws
Try our Interactive Demo Site
http://www.alienvault.com/live-demo-site
Join OTX:
https://www.alienvault.com/open-threat-exchange