
Malware Detection: How to Spot Infections Early with AlienVault USM



Page 1

Page 2

Agenda

• The changing threat landscape

• Malware 101

• Evasion Tactics

• Demo: Using USM to Detect Malware

• Correlation directives

• Detecting communications with a C&C server

• Incident investigation

Malware Detection: How to Spot Infections Early

Page 3

• More and more organizations are finding themselves in the crosshairs of various bad actors, for a variety of reasons.

• The number of organizations experiencing high-profile breaches is unprecedented.

• The “security arms race” cannot continue indefinitely: the economics of securing your organization are stacked so heavily in favor of those launching attacks that incremental security investments are seen as impractical.

Threat landscape: Our new reality

In 60% of cases, attackers are able to compromise an organization within minutes.

Source: Verizon Data Breach Investigations Report, 2015


Page 4


“There are two types of companies that use computers. Victims of crime that know they are victims of crime and victims of crime that don’t have a clue yet.”

- Jim Routh, CISO, Aetna

Page 5

Prevent vs. Detect & Respond

Prevention is elusive


Page 6

Malware 101 – Terminology

mal·ware: portmanteau of ‘malicious software’; a general term for any software used to gain unauthorized access, steal data, or disrupt normal operation.

Common ‘types’ include:

• Virus: malware that self-replicates, spreading to other files or hosts once it establishes a foothold

• Trojan horse: malware disguised as normal or innocuous software


Page 7

Malware 101 – Terminology

• Rootkit: designed to run with elevated privileges, obtained either via an administrative install or via privilege escalation, and to hide its presence from the operating system and security tools

• Backdoor/RAT: persistent remote access tool that allows attackers access after their initial breach

• Ransomware: encrypts a user’s files (targeted or the complete file system) and then demands a ransom for their decryption


Page 8

Evasion tactics

• Hibernation: allows malware to remain dormant for a period after a breach and execute later, after sandbox analysis has timed out or the initial compromise has been forgotten

• Polymorphic code: used to evade signature-based detection by changing the makeup of the software itself on each build or infection while preserving its behavior

• Service control: starting/stopping/halting services and processes (including security agents) to confuse detection methods or render them inoperable

• Domain Generation Algorithm (DGA): derives the command and control (C&C) server domain from a seed such as the current date and queries many candidates until one resolves; reduces the chance that the domain has been blacklisted, listed on OTX, etc. before it is used

• Plugins: ability to modify/update code and download second-stage malware easily
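The DGA behavior above leaves a characteristic trace in resolver logs: one client querying a burst of random-looking names, most of which return NXDOMAIN, until one resolves. The following is an added example (not AlienVault or USM code) that scores queried names on features typical of generated labels and flags clients showing that pattern. The log format, the feature thresholds and the sample lines are all constructed for the example; a real deployment would parse its own resolver's format and use the public suffix list instead of the simple second-level-label split used here.

```python
"""DGA / C&C lookup detector over resolver logs (added example; not AlienVault
or USM code). Scores each queried name on features typical of algorithmically
generated labels and flags clients that both query many such names and get
many NXDOMAIN answers, the pattern a DGA-driven bot produces while it cycles
through candidate C&C domains until one resolves."""
import math
import re
from collections import defaultdict

# Constructed resolver log lines in an assumed key=value format (not a real
# BIND/Unbound format). 10.1.4.57 behaves like a bot; 10.1.4.22 is benign.
SAMPLE_LOG = """\
2015-06-02T10:01:03 client=10.1.4.22 query=www.example.com rcode=NOERROR
2015-06-02T10:01:07 client=10.1.4.22 query=mail.example.com rcode=NOERROR
2015-06-02T10:02:11 client=10.1.4.57 query=xk3jq9vztlwp.net rcode=NXDOMAIN
2015-06-02T10:02:12 client=10.1.4.57 query=q8bw2nrmcdyx.com rcode=NXDOMAIN
2015-06-02T10:02:13 client=10.1.4.57 query=zt7pl4hsvqkj.org rcode=NXDOMAIN
2015-06-02T10:02:14 client=10.1.4.57 query=m2cxv9ktrbfw.net rcode=NXDOMAIN
2015-06-02T10:02:15 client=10.1.4.57 query=vj4kwqnrhx8t.info rcode=NOERROR
2015-06-02T10:03:40 client=10.1.4.22 query=cdn.jsdelivr.net rcode=NOERROR
"""

LINE_RE = re.compile(r"client=(\S+)\s+query=(\S+)\s+rcode=(\S+)")
VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score near log2(len)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'example' for www.example.com.
    Simplification: a real deployment should use the public suffix list so
    that names under co.uk and similar suffixes are split correctly."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(domain: str) -> int:
    """0..4: one point per DGA-like feature of the registrable label.
    Thresholds are assumed values tuned to the sample, not published ones."""
    label = registrable_label(domain)
    if not label:
        return 0
    score = 0
    if len(label) >= 10:
        score += 1
    if shannon_entropy(label) >= 3.2:
        score += 1
    if sum(ch in VOWELS for ch in label) / len(label) < 0.2:
        score += 1
    if any(ch.isdigit() for ch in label):
        score += 1
    return score


def analyze(log_text: str, min_suspect: int = 3, min_nxdomain: int = 3,
            min_score: int = 3) -> dict:
    """Return {client: stats} for clients that look DGA-driven.

    stats['resolved'] lists suspicious names that did resolve: the live C&C
    domain the bot settled on, the best pivot for blocking and investigation."""
    per_client = defaultdict(lambda: {"suspect": 0, "nxdomain": 0, "resolved": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line: skip rather than crash the pipeline
        client, domain, rcode = m.groups()
        stats = per_client[client]
        suspicious = dga_score(domain) >= min_score
        if suspicious:
            stats["suspect"] += 1
        if rcode == "NXDOMAIN":
            stats["nxdomain"] += 1
        elif suspicious:
            stats["resolved"].append(domain)
    return {c: s for c, s in per_client.items()
            if s["suspect"] >= min_suspect and s["nxdomain"] >= min_nxdomain}


if __name__ == "__main__":
    for client, stats in analyze(SAMPLE_LOG).items():
        print(f"{client}: {stats['suspect']} DGA-like queries, "
              f"{stats['nxdomain']} NXDOMAIN, live C&C candidates {stats['resolved']}")
```

Run against the sample, only 10.1.4.57 is reported, with vj4kwqnrhx8t.info singled out as the name that actually resolved. The NXDOMAIN count matters as much as the entropy score: legitimate CDN and tracking hostnames can look random but they resolve, whereas a bot walking its daily candidate list generates failures.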


Page 9

Firewalls/Antivirus are not enough

• Firewalls are usually not the target – too difficult to penetrate directly

• Endpoints are the target, usually via email, URL redirects, miscellaneous malicious files, etc.

• With 160,000 new malware samples seen every day, antivirus apps will not find every threat

• Both need to be bolstered by regular and comprehensive monitoring


Page 10

Unified Security Management Platform

A single platform for simplified, accelerated threat detection, incident response & policy compliance

AlienVault Labs Threat Intelligence

Correlation rules and directives written by our AlienVault Labs team and displayed through the USM interface

Open Threat Exchange

The world’s largest repository of crowd-sourced threat data, providing a continuous view of real-time threats that may have penetrated the company’s defenses.


Page 11

AlienVault Labs Threat Intelligence

Weekly updates to correlation directives to detect emerging threats, like:

• Exploitation & Installation, Malicious website -Exploit Kit, Java Rhino

• Exploitation & Installation, Suspicious File, Document with macros

• System Compromise, Trojan infection, Zeus

• System Compromise, Trojan infection, Sc-KeylogKeylogger

• System Compromise, Malware infection, SpeedingUpMyPC.Rootkit

• System Compromise, Trojan infection, Cryptolocker

• System Compromise, Malware RAT, FF-RAT
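The directive names above follow a taxonomy (intent, strategy, method) and each one is a chain of events rather than a single signature: an exploit kit hit, then a dropped file, then a lookup of a known-bad domain, then repeated outbound connections, all from the same host, with reliability rising at each stage until an alarm is raised. The following added example (not AlienVault code, and not the directive syntax USM itself uses) models that chaining with a toy correlation engine. The event types, reliability values, time windows, alarm threshold and the event list are assumed values constructed for the example.

```python
"""Toy multi-stage correlation engine (added example; not AlienVault code and
not the directive syntax USM itself uses). It models the idea behind a
directive such as "System Compromise, Trojan infection, <family>": a chain
of event types that must occur on the same host, each within a time window
of the previous stage, with reliability accumulating until an alarm fires.
Event types, reliabilities, windows and the threshold are assumed values."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Stage:
    event_type: str      # event category this stage matches
    reliability: int     # added to the running reliability when satisfied
    occurrence: int = 1  # matching events needed to satisfy the stage
    window: int = 0      # max seconds since the previous stage (unused for stage 0)


@dataclass(frozen=True)
class Directive:
    name: str
    stages: Tuple[Stage, ...]
    threshold: int       # alarm once accumulated reliability reaches this


@dataclass
class HostState:
    stage: int = 0          # index of the next stage to satisfy
    reliability: int = 0
    last_match: float = 0.0
    seen: int = 0           # events counted toward the current stage


MALWARE_CHAIN = Directive(
    name="System Compromise, Trojan infection, multi-stage (illustrative)",
    stages=(
        Stage("ids:exploit_kit", reliability=2),
        Stage("file:macro_document", reliability=2, window=900),
        Stage("dns:otx_match", reliability=3, window=3600),
        Stage("net:outbound_beacon", reliability=3, occurrence=3, window=3600),
    ),
    threshold=8,
)

BASE_TS = 1433239200  # 2015-06-02T10:00:00Z; all events below are constructed
EVENTS = [
    {"ts": BASE_TS + 0,    "src": "10.1.4.57", "type": "ids:exploit_kit"},
    {"ts": BASE_TS + 120,  "src": "10.1.4.57", "type": "file:macro_document"},
    {"ts": BASE_TS + 300,  "src": "10.1.4.57", "type": "dns:otx_match"},
    {"ts": BASE_TS + 360,  "src": "10.1.4.57", "type": "net:outbound_beacon"},
    {"ts": BASE_TS + 660,  "src": "10.1.4.57", "type": "net:outbound_beacon"},
    {"ts": BASE_TS + 960,  "src": "10.1.4.57", "type": "net:outbound_beacon"},
    # A lone OTX hit never opens a context: directives start at stage 0.
    {"ts": BASE_TS + 60,   "src": "10.1.4.22", "type": "dns:otx_match"},
    # Exploit kit hit, then a macro document two hours later: outside the
    # 900 s window, so the chain is broken and no alarm fires.
    {"ts": BASE_TS + 30,   "src": "10.1.4.80", "type": "ids:exploit_kit"},
    {"ts": BASE_TS + 7200, "src": "10.1.4.80", "type": "file:macro_document"},
]


def correlate(directive: Directive, events: List[dict]) -> List[Tuple[str, int, str, int]]:
    """Return (host, ts, directive name, reliability) for every alarm raised.
    Simplification: a repeated first-stage event while a context is already
    open for that host is ignored rather than opening a second context."""
    state: Dict[str, HostState] = {}
    alarms = []
    first = directive.stages[0].event_type
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, ts, etype = ev["src"], ev["ts"], ev["type"]
        st = state.get(host)
        if st is not None and st.stage >= len(directive.stages):
            continue  # already alarmed for this host
        if st is not None and st.stage > 0 and ts - st.last_match > directive.stages[st.stage].window:
            del state[host]  # window expired: chain broken, start over
            st = None
        if st is None:
            if etype != first:
                continue
            st = state[host] = HostState()
        stage = directive.stages[st.stage]
        if etype != stage.event_type:
            continue
        st.seen += 1
        if st.seen < stage.occurrence:
            continue
        st.reliability += stage.reliability
        st.last_match = ts
        st.stage += 1
        st.seen = 0
        if st.reliability >= directive.threshold:
            alarms.append((host, ts, directive.name, st.reliability))
            st.stage = len(directive.stages)
    return alarms


def run() -> List[Tuple[str, int, str, int]]:
    return correlate(MALWARE_CHAIN, EVENTS)


if __name__ == "__main__":
    for host, ts, name, rel in run():
        print(f"ALARM {name}: host {host} at t+{ts - BASE_TS}s, reliability {rel}")
```

Only 10.1.4.57 produces an alarm, and only after the third beacon pushes reliability over the threshold. The two negative cases are the point of correlation: a single OTX-listed lookup from 10.1.4.22 is not enough on its own, and 10.1.4.80's exploit kit hit followed by a macro document two hours later falls outside the window, so the context is discarded. Window sizes are where the hibernation tactic bites: a directive with short windows will miss a dropper that waits days before its first beacon, which is why the later stages in a real directive tend to be given longer windows than the earlier ones.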


Page 12

WWW.ALIENVAULT.COM

888.613.6023

[email protected]

Now for some Questions..

Download a Free 30-Day Trial of USM

http://www.alienvault.com/free-trial

Check out our 15-Day Trial of USM for AWS

https://www.alienvault.com/free-trial/usm-for-aws

Try our Interactive Demo Site

http://www.alienvault.com/live-demo-site

Join OTX:

https://www.alienvault.com/open-threat-exchange
