SlideShare a Scribd company logo

Battling Malware In The Enterprise

A
Ayed Al Qartah

The document discusses trends in malware and effective mitigation strategies. It notes that in 2012, mobile malware increased through SMS and social media. Malware also targeted corporate networks through espionage. The document then provides statistics on prevalent botnet families and malware infiltration methods like compromised websites and social networks. It recommends multiple defenses including device control, application whitelisting, patch management, web filtering, threat intelligence integration, and geo-blocking of high-risk countries.

1 of 29
Downloaded 12 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
Ayed Alqarta | @aqarta IT Security Consultant
 Malware trends in 2012  Malware Stats: State of Kuwait  How Malware infiltrates Enterprise Today  Effective Malware Mitigations
Malware Newsws
 Trojans for mobile platforms (SMS to premium ###, defeat SMS-based dual-factore info stealing, Zeus/SpyEye)  Malicious Trojans will spread in more innovative ways. (Facebook and twitter)  Attacks targeting corporate networks (Espionage)  More malware attacking Mac OS (Flashback)  Web exploits toolkits are on the rise with more zer0- day vulnerabilities
Symantec Intelligence Quarterly: July - September, 2011
Symantec Intelligence Quarterly: July - September, 2011
Botnet C&C Activity by country Source: Umbradata Red countries: over 1,501 vetted C&C
 Top observed botnet families at multiple enterprise customers:  Palevo.C  Palevo.18  Mariposa.P  Mariposa.F  Conficker.B  Conficker.D  Virut  Sality
• Compromised websites (infected with malware) • Malvertising (Malicious Ads) • Malware websites • Software downloads • P2P/Torrent websites • Social Networks • Blogs Web
Email Removable Mobiles Media Laptops ATM (Yes, they (Personal, run Windows Work, Vendor, too !) Contractor) Virtual Private Wireless and Network / 3G/Edge Remote Access
Malvertising (from "malicious advertising") is the use of online advertising to spread malware. Internet advertisement networks provide attackers with an effective venue for targeting numerous computers through malicious banner ads. Such malvertisements may take the form of Flash programs that look like regular ads, but contain code that attacks the visitor's system directly or redirects the browser to a malicious website. Malicious ads can also be implemented without Flash by simply redirecting the destination of the ad after the launch of the campaign.
Battling Malware In The Enterprise
Battling Malware In The Enterprise
Exploit kits A type of crimeware Web application developed to help hackers take advantage of unpatched exploits in order to hack computers via malicious scripts planted on compromised websites. Unsuspecting users visiting these compromised sites would be redirected to a browser vulnerability-exploiting malware portal website in order to distribute banking Trojans or similar malware through the visiting computer. Most exploit kits are based on PHP and a MySQL backend and incorporate support for exploiting the most widely used and vulnerable security flaws in order to provide hackers with the highest probability of successful exploitation. The kits typically target versions of the Windows operating system and applications installed on Windows platforms.
Battling Malware In The Enterprise
Battling Malware In The Enterprise
Battling Malware In The Enterprise
 Multiple layers of mixed-vendor virus scan engines Spam Email File UTM Proxy Endpoints Filter Server Server Defense-in-Depth
 Device & Application control  Block removable drives like “USB Flash” disks to prevent AutoRun attacks.  If not possible, only allow documents and trusted files to run from USB, except executables.  Disable the “Auto Play” functionality in Windows.  Consider using “Secure Flash disk”, which has onboard antivirus scan engine to protect it against malware.
 Device & Application control  Use App control solution (standalone / apart of endpoint security) to lockdown critical systems.  App control policy can protect against all kind of malware including zer0-day, since there is no need for signatures (Whitelisting).
 Patch management (OS/Browsers/Apps)  Be up-to-date with latest patch related information from various source  Download patches and run extensive tests to validate the authenticity and accuracy of patches  Install security and critical patches/service packs for OS and 3rd party applications.  Maintain a testing environment to test patches before approving them to production systems.  Generate reports of various patch management tasks  Monitor the patching progress in the enterprise
 Patch management (OS/Browsers/Apps) Top Attacked applications by web exploit kits Kaspersky
Patch management (3d Party Apps) • Java Run Time Environment (JRE) • Adobe Reader, Acrobat, Air, Shockwave Player, Flash Player • Mozilla Firefox • Mozilla Thunderbird • Google Chrome • Apple Safari, iTunes, QuickTime • Microsoft Internet Explorer • Microsoft Office • RealNetworks RealPlayer
 Vulnerabilities Research Resources  http://technet.microsoft.com/en-us/security/bulletin  http://www.kb.cert.org/vuls/  http://secunia.com/community/advisories/  http://www.symantec.com/security_response/landing/vulnerabi lities.jsp  http://tools.cisco.com/security/center/publicationListing  http://www.vupen.com/english/security-advisories/  http://www.us-cert.gov/current/  http://www.adobe.com/support/security/  http://www.verisigninc.com/en_US/products-and- services/network-intelligence-availability/idefense/public- vulnerability-reports/index.xhtml
 Web filtering  Block access to malicious domains (Malware, Phishing, Botnet C&C, Compromised Websites, Malware hosting, Advertisements, Pornography, Dynamic DNS, Social Networks Games, Computer Software, Uncategorized)  Proxy must include an antivirus/antispyware engine to scan downloaded files  Block downloading suspicious files (.exe, .cmd, .pif, .bat, .scr, .dll, .sys)  Generate reports and warn top policy violators  Manually block domains/URLs which are not-categoriezed by vendor (blocklist)
 Geo-based filtering (top-malware hosting countries)  Block inbound/outbound to these countries (China, Russia, Korea, Brazil, Thailand, Taiwan, Japan, Poland, Peru)  Logs (UTM/Proxy) will help detecting possible infections  This filtering will stop/decrease (SPAM, Malware, Malicious websites, Phishing)  A proactive security technique to prevent threats
 Threat Intelligence Feeds / Blacklists  Integrate threat feeds with security products in the enterprise to block traffic from/to bad reputation hosts  Proactively secure the network from zer0-day threats without relying on signatures  Threat intelligence can be integrated with SIEM tools  Threat feeds will contain: ▪ Malicious code senders ▪ Spam senders ▪ Phishing senders ▪ Botnet C&C servers ▪ Compromised Hosts ▪ Malware Domains
 Battling Malware in The Enterprise  Malware Forensics Dojo  Learn from an experienced malware expert  Practical skills and applicable knowledge  Real world scenarios from the field
Thank you @aqarta a.qarta@gmail.com

More Related Content

PPTX
Types of malicious software and remedies
Manish Kumar
 
PDF
Malicious software
Dr.Florence Dayana
 
PPT
Lecture 12 malicious software
rajakhurram
 
PDF
Computer virus
Flora Runyenje
 
PPTX
Introductio to Virus
University of Sindh, Jamshoro
 
PPT
Virus and Malicious Code Chapter 5
AfiqEfendy Zaen
 
PDF
4 threatsandvulnerabilities
richarddxd
 
PDF
Malicious software
rajakhurram
 
Types of malicious software and remedies
Manish Kumar
 
Malicious software
Dr.Florence Dayana
 
Lecture 12 malicious software
rajakhurram
 
Computer virus
Flora Runyenje
 
Introductio to Virus
University of Sindh, Jamshoro
 
Virus and Malicious Code Chapter 5
AfiqEfendy Zaen
 
4 threatsandvulnerabilities
richarddxd
 
Malicious software
rajakhurram
 

What's hot (20)

DOC
Antivirus software
Shreya Singireddy
 
PPTX
Anti virus
Marlon San Luis
 
PDF
What Is An Antivirus Software?
culltdueet65
 
PPT
Itc lec 15 Computer security risks
AnzaDar3
 
PPT
Spyware
subharock
 
PPT
Information of Virus
jazz_306
 
PPTX
Computer virus & its cure
shubhamverma2711
 
PPTX
How To Protect Your Home PC
thatfunguygeek
 
PDF
Can You Steal From Me Now? Mobile and BYOD Security Risks
Michael Davis
 
PDF
Identifying, Monitoring, and Reporting Malware
Teodoro Cipresso
 
PPTX
Virus presentation1
Sameep Sood
 
PPTX
Malware Defense-in-Depth 2.0
Ayed Al Qartah
 
PDF
ESET India Cyber Threat Trends Report Q1
ESET_India
 
PPT
Computer viruses
Harendra Singh
 
DOCX
Malwares and ways to detect and prevent them
krunal gandhi
 
PPTX
How websites are attacked
Mykonos Software
 
PDF
Cscu module 02 securing operating systems
Sejahtera Affif
 
PDF
ISACA CACS 2012 - Mobile Device Security and Privacy
Michael Davis
 
PDF
Ch19
saurabhmittal79
 
PDF
Challenges in Testing Mobile App Security
Cygnet Infotech
 
Antivirus software
Shreya Singireddy
 
Anti virus
Marlon San Luis
 
What Is An Antivirus Software?
culltdueet65
 
Itc lec 15 Computer security risks
AnzaDar3
 
Spyware
subharock
 
Information of Virus
jazz_306
 
Computer virus & its cure
shubhamverma2711
 
How To Protect Your Home PC
thatfunguygeek
 
Can You Steal From Me Now? Mobile and BYOD Security Risks
Michael Davis
 
Identifying, Monitoring, and Reporting Malware
Teodoro Cipresso
 
Virus presentation1
Sameep Sood
 
Malware Defense-in-Depth 2.0
Ayed Al Qartah
 
ESET India Cyber Threat Trends Report Q1
ESET_India
 
Computer viruses
Harendra Singh
 
Malwares and ways to detect and prevent them
krunal gandhi
 
How websites are attacked
Mykonos Software
 
Cscu module 02 securing operating systems
Sejahtera Affif
 
ISACA CACS 2012 - Mobile Device Security and Privacy
Michael Davis
 
Ch19
saurabhmittal79
 
Challenges in Testing Mobile App Security
Cygnet Infotech
 
Ad

Viewers also liked (11)

PDF
Identity Theft
Simpletel
 
PPTX
Crimeware Fingerprinting Final
jponnoly
 
PDF
Ast 0052862 Sophos Stopping Fake Antivirus Wpna Sept11
Josh Castellano
 
PDF
January 2010 Spam Report
webhostingguy
 
PDF
Xforce 2008 Annual Report
Juan Carlos Carrillo
 
PDF
January 2010 Spam Report
webhostingguy
 
PDF
2010q1 Threats Report
McafeeCareers
 
PDF
Resilient Supply Chains: How to Dynamically Manage Risk, Opportunity, and Bus...
IHS
 
PPTX
What makes the large enterprise network management, large
ManageEngine, Zoho Corporation
 
DOC
Pruebas funcionales musculares Daniels
airavatar
 
PDF
Running and Developing Tests with the Apache::Test Framework
webhostingguy
 
Identity Theft
Simpletel
 
Crimeware Fingerprinting Final
jponnoly
 
Ast 0052862 Sophos Stopping Fake Antivirus Wpna Sept11
Josh Castellano
 
January 2010 Spam Report
webhostingguy
 
Xforce 2008 Annual Report
Juan Carlos Carrillo
 
January 2010 Spam Report
webhostingguy
 
2010q1 Threats Report
McafeeCareers
 
Resilient Supply Chains: How to Dynamically Manage Risk, Opportunity, and Bus...
IHS
 
What makes the large enterprise network management, large
ManageEngine, Zoho Corporation
 
Pruebas funcionales musculares Daniels
airavatar
 
Running and Developing Tests with the Apache::Test Framework
webhostingguy
 
Ad

Similar to Battling Malware In The Enterprise (20)

PDF
Maximize Computer Security With Limited Ressources
Secunia
 
PPTX
Kurt baumgartner lan_deskse2012
Kurt Baumgartner
 
PPTX
8 Threats Your Anti-Virus Won't Stop
Sophos
 
PPT
Volume And Vectors 090416
Anthony Arrott
 
PPTX
Spiceworld 2011 - AppRiver breakout session
Shane Rice
 
PPT
091005 Internet Security
dkp205
 
PDF
Declaration of malWARe
Scott Sutherland
 
PDF
2009 Kl Cybercrime Kaspersky
ICTloket.be
 
PPTX
Real Business Threats!
Rochester Security Summit
 
PDF
NIC2012 - System Center Endpoint Protection 2012
Nicolai Henriksen
 
PPT
Trends in network security feinstein - informatica64
Chema Alonso
 
PPTX
ITSolutions|Currie Network Security Seminar
Daniel Versola
 
PPTX
Stopping the Adobe, Apple and Java Software Updater Insanity
Lumension
 
PPT
Information security in todays world
Sibghatullah Khattak
 
PDF
Sophos Threatsaurus: The A-Z of Computer and Data Security Threats
Connecting Up
 
PDF
Why Traditional Anti Malware Whitepaper
AVG Technologies
 
PPTX
E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...
Lumension
 
PDF
McAffee_Security and System Integrity in Embedded Devices
Işınsu Akçetin
 
PDF
DSS ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...
Andris Soroka
 
PPTX
2013 Security Threat Report Presentation
Sophos
 
Maximize Computer Security With Limited Ressources
Secunia
 
Kurt baumgartner lan_deskse2012
Kurt Baumgartner
 
8 Threats Your Anti-Virus Won't Stop
Sophos
 
Volume And Vectors 090416
Anthony Arrott
 
Spiceworld 2011 - AppRiver breakout session
Shane Rice
 
091005 Internet Security
dkp205
 
Declaration of malWARe
Scott Sutherland
 
2009 Kl Cybercrime Kaspersky
ICTloket.be
 
Real Business Threats!
Rochester Security Summit
 
NIC2012 - System Center Endpoint Protection 2012
Nicolai Henriksen
 
Trends in network security feinstein - informatica64
Chema Alonso
 
ITSolutions|Currie Network Security Seminar
Daniel Versola
 
Stopping the Adobe, Apple and Java Software Updater Insanity
Lumension
 
Information security in todays world
Sibghatullah Khattak
 
Sophos Threatsaurus: The A-Z of Computer and Data Security Threats
Connecting Up
 
Why Traditional Anti Malware Whitepaper
AVG Technologies
 
E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...
Lumension
 
McAffee_Security and System Integrity in Embedded Devices
Işınsu Akçetin
 
DSS ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...
Andris Soroka
 
2013 Security Threat Report Presentation
Sophos
 

Battling Malware In The Enterprise

  • 1. Ayed Alqarta | @aqarta IT Security Consultant
  • 2. Malware trends in 2012  Malware Stats: State of Kuwait  How Malware infiltrates Enterprise Today  Effective Malware Mitigations
  • 4. Trojans for mobile platforms (SMS to premium ###, defeat SMS-based dual-factore info stealing, Zeus/SpyEye)  Malicious Trojans will spread in more innovative ways. (Facebook and twitter)  Attacks targeting corporate networks (Espionage)  More malware attacking Mac OS (Flashback)  Web exploits toolkits are on the rise with more zer0- day vulnerabilities
  • 5. Symantec Intelligence Quarterly: July - September, 2011
  • 6. Symantec Intelligence Quarterly: July - September, 2011
  • 7. Botnet C&C Activity by country Source: Umbradata Red countries: over 1,501 vetted C&C
  • 8. Top observed botnet families at multiple enterprise customers:  Palevo.C  Palevo.18  Mariposa.P  Mariposa.F  Conficker.B  Conficker.D  Virut  Sality
  • 9. • Compromised websites (infected with malware) • Malvertising (Malicious Ads) • Malware websites • Software downloads • P2P/Torrent websites • Social Networks • Blogs Web
  • 10. Email Removable Mobiles Media Laptops ATM (Yes, they (Personal, run Windows Work, Vendor, too !) Contractor) Virtual Private Wireless and Network / 3G/Edge Remote Access
  • 11. Malvertising (from "malicious advertising") is the use of online advertising to spread malware. Internet advertisement networks provide attackers with an effective venue for targeting numerous computers through malicious banner ads. Such malvertisements may take the form of Flash programs that look like regular ads, but contain code that attacks the visitor's system directly or redirects the browser to a malicious website. Malicious ads can also be implemented without Flash by simply redirecting the destination of the ad after the launch of the campaign.
  • 14. Exploit kits A type of crimeware Web application developed to help hackers take advantage of unpatched exploits in order to hack computers via malicious scripts planted on compromised websites. Unsuspecting users visiting these compromised sites would be redirected to a browser vulnerability-exploiting malware portal website in order to distribute banking Trojans or similar malware through the visiting computer. Most exploit kits are based on PHP and a MySQL backend and incorporate support for exploiting the most widely used and vulnerable security flaws in order to provide hackers with the highest probability of successful exploitation. The kits typically target versions of the Windows operating system and applications installed on Windows platforms.
  • 18.  Multiple layers of mixed-vendor virus scan engines Spam Email File UTM Proxy Endpoints Filter Server Server Defense-in-Depth
  • 19. Device & Application control  Block removable drives like “USB Flash” disks to prevent AutoRun attacks.  If not possible, only allow documents and trusted files to run from USB, except executables.  Disable the “Auto Play” functionality in Windows.  Consider using “Secure Flash disk”, which has onboard antivirus scan engine to protect it against malware.
  • 20. Device & Application control  Use App control solution (standalone / apart of endpoint security) to lockdown critical systems.  App control policy can protect against all kind of malware including zer0-day, since there is no need for signatures (Whitelisting).
  • 21. Patch management (OS/Browsers/Apps)  Be up-to-date with latest patch related information from various source  Download patches and run extensive tests to validate the authenticity and accuracy of patches  Install security and critical patches/service packs for OS and 3rd party applications.  Maintain a testing environment to test patches before approving them to production systems.  Generate reports of various patch management tasks  Monitor the patching progress in the enterprise
  • 22. Patch management (OS/Browsers/Apps) Top Attacked applications by web exploit kits Kaspersky
  • 23. Patch management (3d Party Apps) • Java Run Time Environment (JRE) • Adobe Reader, Acrobat, Air, Shockwave Player, Flash Player • Mozilla Firefox • Mozilla Thunderbird • Google Chrome • Apple Safari, iTunes, QuickTime • Microsoft Internet Explorer • Microsoft Office • RealNetworks RealPlayer
  • 24. Vulnerabilities Research Resources  http://technet.microsoft.com/en-us/security/bulletin  http://www.kb.cert.org/vuls/  http://secunia.com/community/advisories/  http://www.symantec.com/security_response/landing/vulnerabi lities.jsp  http://tools.cisco.com/security/center/publicationListing  http://www.vupen.com/english/security-advisories/  http://www.us-cert.gov/current/  http://www.adobe.com/support/security/  http://www.verisigninc.com/en_US/products-and- services/network-intelligence-availability/idefense/public- vulnerability-reports/index.xhtml
  • 25. Web filtering  Block access to malicious domains (Malware, Phishing, Botnet C&C, Compromised Websites, Malware hosting, Advertisements, Pornography, Dynamic DNS, Social Networks Games, Computer Software, Uncategorized)  Proxy must include an antivirus/antispyware engine to scan downloaded files  Block downloading suspicious files (.exe, .cmd, .pif, .bat, .scr, .dll, .sys)  Generate reports and warn top policy violators  Manually block domains/URLs which are not-categoriezed by vendor (blocklist)
  • 26. Geo-based filtering (top-malware hosting countries)  Block inbound/outbound to these countries (China, Russia, Korea, Brazil, Thailand, Taiwan, Japan, Poland, Peru)  Logs (UTM/Proxy) will help detecting possible infections  This filtering will stop/decrease (SPAM, Malware, Malicious websites, Phishing)  A proactive security technique to prevent threats
  • 27. Threat Intelligence Feeds / Blacklists  Integrate threat feeds with security products in the enterprise to block traffic from/to bad reputation hosts  Proactively secure the network from zer0-day threats without relying on signatures  Threat intelligence can be integrated with SIEM tools  Threat feeds will contain: ▪ Malicious code senders ▪ Spam senders ▪ Phishing senders ▪ Botnet C&C servers ▪ Compromised Hosts ▪ Malware Domains
  • 28. Battling Malware in The Enterprise  Malware Forensics Dojo  Learn from an experienced malware expert  Practical skills and applicable knowledge  Real world scenarios from the field
  • 29. Thank you @aqarta a.qarta@gmail.com