Albert Kramer Technical Director Trend Micro

Trend Micro
• 26 years focused on security software, now largest pure-play
• Consistent – A World Safe for Exchanging Digital Information
• Headquartered in Japan, Tokyo Exchange Nikkei Index (4704)
• 8 consecutive years on Dow Jones Sustainability Indexes
• Customers include 48 of top 50 global corporations
• 5200+ employees, 38 business units worldwide
Customer segments: Enterprise, Midsize Business, Small Business, Consumers
500k commercial customers & 155M endpoints protected
Cyber Threats
Pressures on IT shown in the diagram: attackers (cyber threats), employees (consumerization), and cloud & virtualization.
Attacks, attacks and more attacks
Data at Risk: movies, ransoms, terrorism; birth & phone records; credit cards; user credentials; customer PII (PII leads to fraud).
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Changing Threat Landscape: Evolution to Cybercrime
Damage caused by crimeware has grown through successive waves on the timeline (2001, 2003, 2004, 2005, 2007, 2011, 2014): mass mailers, spam, vulnerabilities, worm outbreaks, spyware, web threats, mobile attacks, intelligent botnets, targeted attacks.
• Now it’s personal!
• Financially motivated
• Targeting most valuable information
Social Media Accounts
Devices Surpass Human Population
ICS Attacks Become Mainstream
Modern Maginot Lines
Who’s committing attacks (Verizon)
• 92% perpetrated by outsiders
• 14% committed by insiders
• 1% implicated business partners
• 7% involved multiple parties
• 19% attributed to state-affiliated actors
Source: http://www.verizonenterprise.com/DBIR/
Attacker profiles (Source: http://www.verizonenterprise.com/DBIR/):
• Financially motivated cyber criminal
• Hacktivist
• Nation/state
Crime Syndicate (Simplified)
Roles in the diagram: Data Fencing, Victim, The Captain, Garant, The Boss, Bullet Proof Hoster, Mercenary Attackers.
Crime Syndicate (Detailed)
Roles and services in the diagram, whose connections are annotated with dollar amounts from $1 to $10: Droppers, Exploit Kit, Worm, Bot Reseller, Carder, Money Mule, Garant, Keywords (Botherder), Victim, Blackhat SEO, Attacker, SQL Injection Kit, Traffic Direction System, Compromised Sites (Hacker), Bullet Proof Hoster, Virtest, Cryptor, Programmer, Card Creator.
Threat is coming from everywhere!
The Children of Stuxnet
Attack Stages
1. Intelligence Gathering: Identify and research target individuals using public sources (LinkedIn, Facebook, etc.) and prepare a customized attack.
2. Point of Entry: The initial compromise is typically malware delivered via social engineering (email/IM or drive-by download). A backdoor is created and the network can now be infiltrated.
3. Command & Control (C&C) Communication: Allows the attacker to instruct and control the compromised machines and malware used for all subsequent phases.
4. Lateral Movement: Once inside the network, the attacker compromises additional machines to harvest credentials, escalate privilege levels and maintain persistent control.
5. Asset/Data Discovery: Several techniques and tools are used to identify the noteworthy servers and the services that house the data of interest.
6. Data Exfiltration: Once sensitive information is gathered, the data is funneled to an internal staging server where it is chunked, compressed and often encrypted for transmission to external locations.
Intelligence Gathering
Acquire strategic information about the target’s IT environment and organizational structure.
“res://” protocol
Victim 1: Darren Blank
How to craft an attack? Get public information! The web knows you!
Copyright 2008 - Trend Micro Inc.
Point of Entry
Gain entry into a target network using weaknesses found. Delivery: weaponized attachment or malicious URLs.
Attack weakness found in:
• Infrastructure
• Systems
• Applications
• People
• 3rd Party Organizations
Spearphishing
E-mail with a spoofed sender. And if Darren clicks on the attachment...
91% of targeted attacks involve spear phishing emails. – Trend Labs
Watering Hole Attacks
Source: Trend Micro Q3’14 Threat Roundup Report
Arms Bazaar of Attack Code
Hacking Services for Hire
The Shadow Economy
Code for Sale
LIST OF SOFTWARE INCLUDED IN THIS PACKAGE:

Cracking Tools
1. VNC Crack
2. Access Driver
3. Attack Toolkit v4.1 & source code included
4. Ares
5. Brutus

DoSers, DDoSers, Flooders and Nukers
1. rDoS
2. zDoS
3. Site Hog v1
4. Panther Mode 2
5. Final Fortune 2.4

Analysis:
· OllyDbg 1.10 & Plugins - Modified by SLV *NEW*
· W32Dasm 8.93 - Patched *NEW*
· PEiD 0.93 + Plugins *NEW*
· RDG Packer Detector v0.5.6 Beta - English *NEW*

Rebuilding:
· ImpRec 1.6 - Fixed by MaRKuS_TH-DJM/SnD *NEW*
· Revirgin 1.5 - Fixed *NEW*
· LordPE De Luxe B *NEW*

Tools/Trojans (Remote Administration)
1. Cerberus 1.03.4 BETA
2. Turkojan 4 GOLD
3. Beast 2.07
4. Shark v3.0.0
5. Archelaus Beta

Host Booters
1. MeTuS Delphi 2.8
2. XR Host Booter 2.1
3. Metus 2.0 GB Edition
4. BioZombie v1.5
5. Host Booter and Spammer

Scanners
1. DD7 Port Scanner
2. SuperScan 4.0
3. Trojan Hunter v1.5
4. ProPort v2.2
5. Bitching Threads v3.1

Packers:
· FSG 2.0
· MEW 11 1.2 SE
· UPX 1.25 & GUI *NEW*
· SLVc0deProtector 0.61 *NEW*
· ARM Protector v0.3 *NEW*
· WinUpack v0.31 Beta *NEW*

HEX Editor:
· Biew v5.6.2
· Hiew v7.10 *NEW*
· WinHex v12.5 *NEW*

Stealers
1. Dark Screen Stealer V2
2. Dark IP Stealer
3. Lab Stealer
4. 1337 Steam Stealer
5. Multi Password Stealer v1.6

Binders:
1. Albertino Binder
2. BlackHole Binder
3. F.B.I. Binder
4. Predator 1.6
5. PureBiND3R by d3will

Decompilers:
· DeDe 3.50.04
· VB ?Decompiler? Lite v0.4 *NEW*
· Flasm

Patchers:
· dUP 2 *NEW*
· CodeFusion 3.0
· Universal Patcher Pro v2.0
· Universal Patcher v1.7 *NEW*
· Universal Loader Creator v1.2 *NEW*

Unpackers:
· ACProtect > ACStripper
· ASPack > ASPackDie
· ASProtect > Stripper 2.07 Final & Stripper 2.11 RC2 *NEW*
· DBPE > UnDBPE

Fake Programs for sale / Ultra Hackers Tools
1. PayPal Money Hack
2. Windows 7 Serial Generator
3. COD MW2 Keygen
4. COD MW2 Key Generator
5. DDoSeR 3.6

Keygenning: *NEW*
· TMG Ripper Studio 0.02 *NEW*

Virus Builders
1. Nathan's Image Worm
2. Dr. VBS Virus Maker
3. p0ke's WormGen v2.0
4. Vbswg 2 Beta
5. Virus-O-Matic Virus Maker

Crypters
1. Carb0n Crypter v1.8
2. Fly Crypter v2.2
3. JCrypter
4. Triloko Crypter
5. Halloween Crypter
6. Deh Crypter
7. Hatrex Crypter
8. Octrix Crypter
9. NewHacks Crypter
10. Refruncy Crypter

Price: 0.0797 BTC (bitcoin) = $25
100’s of Items
Evade detection with customized malware
Diagram nodes: Attacker; Malicious C&C websites; Victimized business with a Unix/Linux server farm (wipe out files), Windows endpoints (destroy MBR) and Ahnlab's update servers.
A total of 76 tailor-made malware were used, of which 9 were destructive, while the other 67 were used for penetration and monitoring.
Offense Must Inform Defense
Advanced Persistent Response
• A new security paradigm: How can we increase the level of discomfort to the adversary?
Deep Discovery: Custom Defense
Advanced Threat Detection Across the Attack Sequence
Components: Threat Detection, Visualization, Analysis, Alarms, Reporting, Virtual Analyzer, Watch List, Network Visibility, Analysis & Control, Threat Connect, SIEM Connect, Network Inspection Platform.
Malicious Content
• Emails containing embedded document exploits
• Drive-by Downloads
• Zero-day and known malware
Suspect Communication
• C&C communication for any type of malware & bots
• Backdoor activity by attacker
Attack Behavior
• Malware activity: propagation, downloading, spamming . . .
• Attacker activity: scan, brute force, service exploitation . . .
• Data exfiltration communication
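To show how the six attack stages listed earlier and the Suspect Communication and Attack Behavior categories above translate into detection logic, here is an added example (not Trend Micro code) that runs three heuristics over a constructed, simplified connection/authentication log: near-constant-interval beaconing for C&C (stage 3), failed logons fanning out across internal hosts for lateral movement (stage 4), and one large outbound session for exfiltration (stage 6). The record layout, host names, address ranges and thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev
# Constructed sample log, one tuple per event: (time_s, src_host, event, dst, bytes_out)
SAMPLE_LOG = (
    # ws01 contacts one external address every 60 s with a small payload: C&C beaconing
    [(t, "ws01", "conn", "203.0.113.7", 512) for t in range(0, 600, 60)]
    # ws01 then fails logons against 12 distinct internal hosts: lateral movement
    + [(700 + i, "ws01", "auth_fail", f"10.0.0.{10 + i}", 0) for i in range(12)]
    # fs01 sends 300 MB to an external address in one session: exfiltration
    + [(900, "fs01", "conn", "198.51.100.9", 300_000_000)]
    # ws02 browses one site at irregular intervals with small volumes: benign
    + [(t, "ws02", "conn", "198.51.100.20", 2000) for t in (5, 47, 130, 131, 260, 410)]
)

def is_internal(ip):
    return ip.startswith("10.")  # assumption: 10/8 is the internal address range

def detect_cnc(log, min_conns=5, max_jitter=5.0):
    """Stage 3: one host contacting one external host at near-constant intervals."""
    times = defaultdict(list)
    for t, host, ev, dst, _ in log:
        if ev == "conn" and not is_internal(dst):
            times[(host, dst)].append(t)
    hits = {}
    for key, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_conns and pstdev(gaps) <= max_jitter:
            hits[key] = mean(gaps)  # beacon period in seconds
    return hits

def detect_lateral(log, min_targets=8, window=300):
    """Stage 4: one host failing logons against many internal hosts within a time window."""
    fails = defaultdict(list)
    for t, host, ev, dst, _ in log:
        if ev == "auth_fail" and is_internal(dst):
            fails[host].append((t, dst))
    hits = {}
    for host, events in fails.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                hits[host] = len(targets)
                break
    return hits

def detect_exfil(log, min_bytes=100_000_000):
    """Stage 6: a single outbound session to an external host moving an unusual volume."""
    return {(h, d): b for _, h, e, d, b in log if e == "conn" and not is_internal(d) and b >= min_bytes}
```

Each function returns the offending host (and peer) keyed by the stage it evidences, so the findings can be correlated per host across stages rather than treated as isolated alerts.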
Securing Your Journey To The Cloud
Thank you for your attention!