Cybersecurity: Malware & Protecting Your Business From Cyberthreats
Download as PPTX, PDF2 likes2,191 views
The document outlines the importance of cybersecurity and the evolution of malware, discussing various actors and methods in cybercrime, such as advanced persistent threats (APTs) and targeted attacks. It highlights specific companies, including AppFolio and Lastline, which focus on secure data sharing and advanced malware detection respectively. The document also reviews different strategies for defending against malware threats and emphasizes the necessity for ongoing awareness and improved defenses against increasingly sophisticated cyber threats.
![What Happens in the Background
• Analysis engine provides full emulation of an operating system
environment and can detect what is actually happening in the
system when a document is opened
• Process winword.exe was created:
– "C:Program Files (x86)Microsoft OfficeOffice12winword.exe”
– The arguments of this process: "/q /f
"C:UsersuserAppDataRoamingdflt_sample.doc”
• Process winword.exe drops new files:
– "C:UsersuserAppDataLocalTempmsmx21.exe”
• Process winword.exe starts a new process:
– "C:UsersuserAppDataLocalTempmsmx21.exe”
• Running Task analyzes analysis result...
• ReportScanner: 80 (set(['Document: Writes a file then executes it']))
• Detections 1 (100.00%, 0 not detected)](https://image.slidesharecdn.com/intromalwarefinal043013-130501125209-phpapp01/85/Cybersecurity-Malware-Protecting-Your-Business-From-Cyberthreats-29-320.jpg)
![35
Value of the Financial Information
• Symantec [2008] estimates
– Credit card value at $.10 to $25.00
– Bank account at $10.00 to $1,000.00
• Using Symantec estimates,10 days of Torpig
data valued at $83K to $8.3M](https://image.slidesharecdn.com/intromalwarefinal043013-130501125209-phpapp01/85/Cybersecurity-Malware-Protecting-Your-Business-From-Cyberthreats-35-320.jpg)
Cybersecurity: Malware & Protecting Your Business From Cyberthreats
- 1. Cybersecurity: Understanding Malware and How to Protect Your Business
- 2. About AppFolio SecureDocs AppFolio SecureDocs is a virtual data room for sharing and storing sensitive documents both internally and with outside parties. AppFolio, Inc. Company Basics: • Founded by the team that created and launched GoToMyPC and GoToMeeting • Backed by leading technology companies and investors • Web-based business software for financial and legal professionals
- 3. About Lastline, Inc. Lastline’s security products synthesize and bring to commercial standards award-winning, world-renowned academic research on malware analysis and countermeasures. • Founded in 2011 by university researchers Engin Kirda, Christopher Kruegel and Giovanni Vigna • Considered to be today’s thought leaders on automated, high- resolution malware analysis and detection • Focused on real-time analysis of advanced malware and big data analytics; leverages this threat intelligence to create solutions to protect companies of all sizes.
- 4. About Giovanni Vigna Faculty member of the Computer Science Department at the University of California, Santa Barbara and the CTO/Founder of Lastline, Inc. • Recognized expertise in web security, vulnerability analysis, malware countermeasures, and intrusion detection. • Published more than 100 papers on the subject of network security and evasive malware vigna@lastline.com vigna@cs.ucsb.edu
- 5. Targeted Attacks and Cyberwar !!! Cyberattack (R)Evolution Time $$ Damage Millions Hundreds of Thousands Thousands Hundreds Billions Cybercrime $$$Cybervandalism #@!
- 7. Targeted attacks are mainstream news. Every week, new breaches are reported. In the last few months alone … Nobody Is Safe…
- 8. Once Upon a Time… http://www.ted.com/talks/mikko_hypponen_fighting_viruses_defending_the_net.html
- 9. Unhappily Ever After… • Proliferation of cybercrime for financial profit – ZeuS • Targeted attacks look for intelligence – Aurora (Google and others) – RSA SecureID • Emerging cyber warfare – Stuxnet – Flame “Steal something valuable”
- 10. Financial Malware • What can be monetized? – Financial data – Usernames and passwords – Virtual goods – Online identities – Computational power – Emails
- 13. Targeted Attacks • What can be monetized? – Intellectual property – Financial information – Bids and contracts – Organization structure – Visited sites
- 14. State-level Attacks • What can be gained? – Intelligence – Destruction of expensive equipment – Influence on financial markets – Shut down of critical infrastructure – Fear, insecurity, lack of trust
- 15. Attribution, Once Upon a Time
- 17. Criminal Groups • Well-organized groups with efficient division of roles and labor – Programmers: develop malware code (malware, exploit kits) – Testers: QA and AV evasion – Traffic generators – Botmasters – Bot renters – Money mules • Budget for acquisition of zero-day exploits “We are setting aside a $100K budget to purchase browser and browser plug-in vulnerabilities” (Cool exploitkit group) http://krebsonsecurity.com/2013/01/crimeware-author-funds-exploit-buying-spree/
- 18. Underground Markets • Virtual places for advertisement and exchange of goods and offering of services • IRC channels and online forums • Activities – Advertisements “i have boa wells and barclays bank logins....” “i need 1 mastercard i give 1 linux hacked root” – Sensitive data “CHECKING 123-456-XXXX $51,337.31 SAVINGS 987-654-XXXX $75,299.64” http://www.cs.cmu.edu/~jfrankli/acmccs07/ccs07_franklin_eCrime.pdf http://cseweb.ucsd.edu/~voelker/pubs/forums-imc11.pdf http://www.cs.ucsb.edu/~vigna/publications/fakeav_market.pdf
- 19. Making Sense of Attacks • Lots of different vectors, tactics, specific tricks • Two fundamental things to keep in mind: – How do attackers get in? – How do they get valuable information out?
- 20. Drive-by-download Attack www.badware.com www.semilegit.com www.grayhat.com www.evilbastard.com www.bank.com POST /update?id=5’,’<iframe>..’)-- <iframe src=“http://semilegit.com” height=“0” width=“0”></iframe> Personal Data, Docs
- 22. Exploit
- 23. Anatomy of Exploit • The code determines that the victim has installed a vulnerable ActiveX control, e.g., QuickTime • The control is loaded into memory • The environment is prepared for the exploit, for example, for memory corruption exploits – The shellcode is loaded into memory – The heap is sprayed to ensure that control eventually reaches the shellcode • The vulnerability is triggered, by invoking the vulnerable method/property of the ActiveX control http://www.cs.ucsb.edu/~vigna/publications/iframe11.pdf http://cseweb.ucsd.edu/~savage/papers/CCS12Exploit.pdf
- 24. Luring Users: SEO Read more: http://cseweb.ucsd.edu/users/voelker/pubs/juice-ndss13.pdf http://faculty.cs.tamu.edu/guofei/paper/PoisonAmplifier-RAID12.pdf
- 25. Luring Users: Emails • Email messages containing links…
- 26. Luring Users: Parking Tickets
- 27. Luring Users: Watering Holes • Sometimes it is difficult to exploit the target of an attack directly – Instead compromise a site that is likely to be visited by the target • Council on foreign relations → governmental officials • Unaligned Chinese news site → Chinese dissidents • iPhone dev web site → developers at Apple, Facebook, Twitter, etc. • Nation Journal web site → Political insiders in Washington
- 28. Document-based Attacks • Vulnerabilities in document viewers can be exploited by malicious documents – Office docs – PDFs – Images
- 29. What Happens in the Background • Analysis engine provides full emulation of an operating system environment and can detect what is actually happening in the system when a document is opened • Process winword.exe was created: – "C:Program Files (x86)Microsoft OfficeOffice12winword.exe” – The arguments of this process: "/q /f "C:UsersuserAppDataRoamingdflt_sample.doc” • Process winword.exe drops new files: – "C:UsersuserAppDataLocalTempmsmx21.exe” • Process winword.exe starts a new process: – "C:UsersuserAppDataLocalTempmsmx21.exe” • Running Task analyzes analysis result... • ReportScanner: 80 (set(['Document: Writes a file then executes it'])) • Detections 1 (100.00%, 0 not detected)
- 30. Spear Phishing From: abudhabi@mofa.gov.sy To: tehran@mofa.gov.sy Date: Monday February 6, 2012 05:51:24 Attachment: 23 fdp.scr 23 / ---- Msg sent via @Mail - http://atmail.com/ Colleagues in the code office, Please acknowledge the receipt of the telegram No. 23 in attachment. Thanks, Embassy / Abu Dhabi
- 31. • Deceive the user into thinking that something useful is installed – Video players – Anti-virus – Screen savers – … Social Engineering Attacks
- 32. After the Infection: A Botnet Case Study http://www.cs.ucsb.edu/~vigna/publications/ccs09_torpig.pdf
- 33. Hijacking the Botnet • Reverse engineered the DGA used in Torpig and the C&C protocol – Noticed that domains generated for 1/25/2009 – 2/15/2009 were unregistered – Registered these domains • Controlled the botnet for 10 days – Unique visibility into a botnet’s operation – 180,000 infected hosts – 8.7 GB of Apache logs – 69 GB pcap data (containing stolen information)
- 34. Threats • 8,310 unique accounts from 410 financial institutions – Top 5: PayPal (1,770), Poste Italiane, Capital One, E*Trade, Chase – 38% of credentials stolen from browser’s password manager • 1,660 credit cards – Top 3: Visa (1,056), Mastercard, American Express, Maestro, Discover – US (49%), Italy (12%), Spain (8%) – Typically, one CC per victim, but there are exceptions …
- 35. 35 Value of the Financial Information • Symantec [2008] estimates – Credit card value at $.10 to $25.00 – Bank account at $10.00 to $1,000.00 • Using Symantec estimates,10 days of Torpig data valued at $83K to $8.3M
- 36. Financial Damage Read more: http://krebsonsecurity.com/category/smallbizvictims/
- 37. Ideal World Secure code • Software we use contains no vulnerability, or • Vulnerabilities are mitigated using sound security and engineering principles (least privilege, containment, etc.) Unfortunately currently only a handful of “secure programs” and often in specialized sectors (regulations vs. innovation) User awareness • Users are aware of security threats • They always make the right decision Unfortunately experiments show users extremely bad at making security decisions (security vs. usability)
- 38. Law Enforcement http://www.zdnet.com/blog/bott/who-killed-the-fake-antivirus-business/3832 Russian authorities arrest the co-founder of ChronoPay, the largest online payment processor
- 39. Law Enforcement
- 40. Law Enforcement
- 42. Common Sense Defenses • Keep software up to date • However, ineffective against 0-day
- 43. Common Sense Defenses • Don’t open links/attachment from unknown sources • However, ineffective against social/targeted attacks
- 44. Common Sense Defenses • Limit web accesses to trusted/reputable sites • However, ineffective against waterhole attacks, malicious advertisements, web site compromises
- 45. Common Sense Defenses • Access sensitive services (e.g., online banking) from dedicated machine • However, inconvenient
- 46. Current Solutions Are Not Enough • Firewalls are not enough – Users actively (and unsuspectingly) go out to the attacker – Attackers use port 80 • Intrusion Detection/Prevention (IDS/IPS) systems are not enough – Signatures and blacklists only catch known attacks – Limited insight into downloaded artifacts (binaries, spear-phishing links, …) and outbound network activity • Anti-virus systems are not enough – Artifacts change their appearance at a fast pace (Signatures and blacklists insufficient, manual analysis of threats requires an enormous amount of resources) – AV vendors do not see the binary used in targeted attacks (They cannot create any signature)
- 47. Solutions To Advanced Malware • Analysis of incoming artifacts (what gets in) – Web downloads, mail attachments • Analysis of outgoing traffic (what gets out) – DNS traffic, web traffic • What gets out • Where it goes • How it is sent • Use of correlation to present complete picture to the system administrator • But how good is the analysis?
- 49. The Malware (R)evolution Simple Threats OpportunisticAttacks APT Solutions Antivirus Solutions TargetedAttacks Packing Sophisticated Threats Plain Virus Poly- morphic C&C Fluxing Persistent Threats Evasive Threats
- 50. Nature of Advanced Malware • Static Code Obfuscation and Polymorphism Source: Binary-Code Obfuscations in Prevalent Packer Tools, Tech Report, University of Wisconsin, 2012 Number of times a hash is seen > 93% of all samples are unique Defeats signature-based anti-virus
- 51. Nature of Advanced Malware • Dynamic evasion – checks for environment Defeats sandbox and virtual machines
- 52. Nature of Advanced Malware • Dynamic evasion – stalling loops Defeats sandbox and virtual machines
- 53. Lessons Learned • Attacks are increasingly targeted • “Attackers no longer go after your firewall. They go after your employees” • Attackers are persistent and patient • Need for constant monitoring approach to defense • Attackers develop custom tools and attacks after they have gained access to a target • Global landscape still matters, but… • Defenses tailored to local characteristics and activity are critical • Evasive malware • Need for next-generation tools
- 54. Questions?
- 55. Backup Slides
- 56. Lastline • Started in 2011 by team of professors and PhDs from University of California, Santa Barbara and Northeastern University, Boston • Located in Santa Barbara, CA • Technology based on 8+ years of research on advanced malware • Founders include the creators of Anubis and Wepawet analysis tools
- 57. Previct Anti-Malware Solution Sentinel scans traffic for signs and anomalies that reveal C&C connections and infections Lastline proactively scouts the Internet for threats and updates the Sentinel knowledge base Manager receives and correlates alerts, and produces actionable intelligence Sentinel sends unknown objects (programs and documents) for high resolution analysis
- 58. Key Technology 1. High resolution analysis engines – CPU emulation provides deep insights into malware execution – Necessary to detect and bypass evasive checks – Expose malicious behaviors that existing sandboxes don’t see 2. Big data analytics – Anomaly detection of suspicious outbound command-and-control (C&C) flows – Internet-scale, active discovery of threats – Correlation of low-level events into actionable threat intelligence
- 59. High-Resolution Malware Analysis Visibility without code emulation (traditional sandboxing technology) Important behaviors and evasion happens here Visibility with code emulation (Lastline technology)
- 60. Competitive Landscape Simple Threats OpportunisticAttacks APT Solutions Antivirus Solutions TargetedAttacks Sophisticated Threats Packing Plain Virus Poly- morphic C&C Fluxing Persistent Threats Evasive Threats
Editor's Notes
- #8: Case of espionage with likely political motivationAttacks start around time of investigation critical of Chinese prime ministerAttackers use compromised computers at several US universities to cover their tracksMalware initially installed via spear-phishing emailsPerform a deep reconnaissance of the Times networkIdentify domain controller serversBreak passwords for journalists accountsAccess reserved email accounts and steal information from email server45 distinct pieces of malware used: only 1 detected by Symantechttp://www.symantec.com/connect/blogs/symantec-statement-regarding-new-york-times-cyber-attack
- #12: The nortel case: http://online.wsj.com/article/SB10001424052970203363504577187502201577054.htmlHackers had apparently obtained the passwords of seven top officials, including a previous CEO. The hackers had been infiltrating Nortel's network, from China-based Internet addresses, at least as early as 2000.Hackers had almost complete access to the company's systems […] Once you were on the inside of the network, it was soft and gooey.Every month or so, a few computers on the network were sending small bursts of data to one of the same Internet addresses in Shanghai involved in the password-hacking episodes.The spyware unearthed in 2009 was a sophisticated mix. On both computers, researchers found a particularly malicious and hard-to-spot spying tool, namely "rootkit" software that can give a hacker full control over a computer and enables them to conceal their spying campaign. On one computer, hackers had set up an encrypted communications channel to an Internet address near Beijing. On the other computer, the investigators found a program that hackers were likely using to sniff out other security weaknesses within Nortel's networks. The hackers had created a "reliable back door," A top U.S. intelligence official said Nortel's hacking experience is representative of the types of incidents he sees. "That is consistent with what we've seen in long-term, multipronged attacks," he said. "If I'm looking to get a jump on my R&D, that's a good way to do it."
- #18: http://krebsonsecurity.com/2013/01/crimeware-author-funds-exploit-buying-spree/
- #28: http://securitywatch.pcmag.com/none/309121-watering-hole-attacks-scoop-up-everyone-not-just-developers-at-facebook-twitter
- #60: This slide highlights the difference explained before. The graphic shows astream of instructions that might be part of a malware sample. The two sidesshow the subset of instructions that the individual systems are able toobserve.On the left-hand side, one can see introspection offered by a traditionalanalysis engine, as it can only observe instructions that make calls to thelibrary or native system interface. That is, the system might observe that thesample under analysis creates or opens a file and reads data from this file. Itcannot observe, however, what the sample does with the read data.On the right-hand side, one can see the entire trace of execution as seen bythe emulated CPU of an advanced analysis system. The virtual CPU is also able tosee what files are being read, but in addition, it associates data read from thesystem with CPU registers or memory locations and thus track the usage of theread information.