Expecting the unexpected: Defending strategies against new age Threats
Transcription
04 March 2015
Baburaj Varma – Technical Director, SEA and INDIA, Trend Micro
Indonesian CIO Network
High Profile Attacks
Copyright 2015 Trend Micro Inc.
Who’s committing attacks - Verizon
• 92% perpetrated by outsiders
• 14% committed by insiders
• 1% implicated business partners
• 7% involved multiple parties
• 19% attributed to state-affiliated actors
Source: http://www.verizonenterprise.com/DBIR/
Crime Syndicate (Simplified)
Figure showing the roles in a crime syndicate: The Boss, The Captain, Garant, Mercenary, Attackers, Bullet Proof Hoster, Data Fencing, Victim.
Crime Syndicate (Detailed)
Figure showing the underground economy's roles, each with a price tag between $1 and $10: Exploit Kit, Worm, Bot Reseller, Carder, Droppers, Money Mule, Card Creator, Garant, Keywords (Botherder), Blackhat SEO, SQL Injection Kit, Traffic Direction System, Compromised Sites (Hacker), Bullet Proof Hoster, Virtest, Cryptor, Programmer, Attacker, Victim.
Vulnerabilities Data
Y 2014
• Average 19 vulnerabilities/day
• 24% critical vulnerabilities
• 83% related to applications
• Apple & Linux top the list for OS
• 44% of breaches involve old vulnerabilities
Source: http://www.theregister.co.uk/2015/02/23/hp_hack_vulnerable_threat_study/
Source: NVD and http://www.gfi.com/blog/most-vulnerable-operating-systems-and-applications-in-2014/
Today’s Attacks: Social, Sophisticated, Stealthy!
Figure: attackers against employees, with the stages of a targeted attack:
• Gathers intelligence about organization and individuals
• Targets individuals using social engineering
• Establishes link to Command & Control server
• Moves laterally across network seeking valuable data
• Extracts data of interest – can go undetected for months! ($$$$)
Targeted Attack Techniques
Spearphishing
Island Hopping
Figure with Attackers, Trusted Partner and Customers.
Watering Hole Attacks
Source: Trend Micro Q3’14 Threat Roundup Report
Evade detection with customized malware
Figure: Attacker, Malicious C&C websites and Ahnlab's Update Servers on one side, the Victimized Business on the other, where Windows endpoints have their MBR destroyed and the Unix/Linux Server Farm has its files wiped out.
A total of 76 tailor-made malware were used, of which 9 were destructive, while the other 67 were used for penetration and monitoring.
Code for Sale
Hackers Tools for sale
LIST OF SOFTWARE INCLUDED IN THIS PACKAGE:
Cracking Tools
1. VNC Crack
2. Access Driver
3. Attack Toolkit v4.1 & source code included
4. Ares
5. Brutus
DoSers, DDoSers, Flooders and Nukers
1. rDoS
2. zDoS
3. Site Hog v1
4. Panther Mode 2
5. Final Fortune 2.4
Analysis :
· OllyDbg 1.10 & Plugins - Modified by SLV *NEW*
· W32Dasm 8.93 - Patched *NEW*
· PEiD 0.93 + Plugins *NEW*
· RDG Packer Detector v0.5.6 Beta - English *NEW*
Rebuilding :
· ImpRec 1.6 - Fixed by MaRKuS_TH-DJM/SnD *NEW*
· Revirgin 1.5 - Fixed *NEW*
· LordPE De Luxe B *NEW*
Remote Administration Tools/Trojans
1. Cerberus 1.03.4 BETA
2. Turkojan 4 GOLD
3. Beast 2.07
4. Shark v3.0.0
5. Archelaus Beta
Host Booters
1. MeTuS Delphi 2.8
2. XR Host Booter 2.1
3. Metus 2.0 GB Edition
4. BioZombie v1.5
5. Host Booter and Spammer
Scanners
1. DD7 Port Scanner
2. SuperScan 4.0
3. Trojan Hunter v1.5
4. ProPort v2.2
5. Bitching Threads v3.1
Packers :
· FSG 2.0
· MEW 11 1.2 SE
· UPX 1.25 & GUI *NEW*
· SLVc0deProtector 0.61 *NEW*
· ARM Protector v0.3 *NEW*
· WinUpack v0.31 Beta *NEW*
HEX Editor :
· Biew v5.6.2
· Hiew v7.10 *NEW*
· WinHex v12.5 *NEW*
Stealers
1. Dark Screen Stealer V2
2. Dark IP Stealer
3. Lab Stealer
4. 1337 Steam Stealer
5. Multi Password Stealer v1.6
Binders:
1. Albertino Binder
2. BlackHole Binder
3. F.B.I. Binder
4. Predator 1.6
5. PureBiND3R by d3will
Decompilers :
· DeDe 3.50.04
· VB ?Decompiler? Lite v0.4 *NEW*
· Flasm
Patchers :
· dUP 2 *NEW*
· CodeFusion 3.0
· Universal Patcher Pro v2.0
· Universal Patcher v1.7 *NEW*
· Universal Loader Creator v1.2 *NEW*
Unpackers :
· ACProtect - ACStripper
· ASPack - ASPackDie
· ASProtect > Ultra Stripper 2.07 Final
· Stripper 2.11 RC2 *NEW*
· DBPE > UnDBPE
Keygenning : *NEW*
· TMG Ripper Studio 0.02 *NEW*
Fake Programs
1. PayPal Money Hack
2. Windows 7 Serial Generator
3. COD MW2 Keygen
4. COD MW2 Key Generator
5. DDoSeR 3.6
Virus Builders
1. Nathan's Image Worm
2. Dr. VBS Virus Maker
3. p0ke's WormGen v2.0
4. Vbswg 2 Beta
5. Virus-O-Matic Virus Maker
Crypters
1. Carb0n Crypter v1.8
2. Fly Crypter v2.2
3. JCrypter
4. Triloko Crypter
5. Halloween Crypter
6. Deh Crypter
7. Hatrex Crypter
8. Octrix Crypter
9. NewHacks Crypter
10. Refruncy Crypter
100’s of Items
Price is 0.0797 BTC (bitcoin) = $25
Today’s Reality – One & Done!
Figure: 80% of malware infect < 10 victims, and a further percentage (the slide shows "99" and "?") of malware infect = 1 victim.
Command & Control Communications
Ensure continued communication between the compromised target and the attackers.
Common Traits
• Uses typical protocols (HTTP)
• Uses legitimate sites as C&C
• Uses 3rd party apps as C&C
• May also use compromised internal systems as C&C
Advantages
• Maintains persistence
• Avoids detection
Figure: Threat Actor, C&C Server.
Trend Micro C&C Research
54% of C&C Lifespan < 1 Day
Exfiltration Stage
Transmit data to a location that the threat actors control.
Common Traits
• Built-in file transfer (RATs)
• FTP, HTTP
• Tor network/Encryption
• Public File Sharing sites
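As an added example that is not part of the presentation, the following Python turns the C&C traits above (a compromised host talking to one site over plain HTTP on a timer) and the exfiltration traits (bulk outbound transfer over FTP/HTTP) into detection logic over constructed proxy/firewall log lines; the field layout, hostnames and thresholds are assumptions.

```python
"""Added example, not Trend Micro code: flag beacon-like HTTP C&C traffic
and bulky outbound transfers in constructed proxy/firewall log lines."""
import statistics
from collections import defaultdict

# Constructed sample log; one record per line: epoch_seconds src_ip dst_host proto bytes_out
SAMPLE_LOG = """\
1425459600 10.0.0.5 cdn.example-legit.com http 812
1425459660 10.0.0.5 updates.example-rare.net http 410
1425459720 10.0.0.5 updates.example-rare.net http 402
1425459780 10.0.0.5 updates.example-rare.net http 415
1425459840 10.0.0.5 updates.example-rare.net http 409
1425459900 10.0.0.5 updates.example-rare.net http 411
1425459905 10.0.0.7 files.example-share.org ftp 52428800
1425459950 10.0.0.5 cdn.example-legit.com http 1200
1425461300 10.0.0.5 cdn.example-legit.com http 640
"""

def parse(log):
    rows = []
    for line in log.splitlines():
        ts, src, dst, proto, out = line.split()
        rows.append((int(ts), src, dst, proto, int(out)))
    return rows

def beacon_candidates(rows, min_hits=5, max_cv=0.1):
    """(src, dst) pairs whose HTTP connection spacing is suspiciously regular.
    cv = stdev/mean of the gaps between connections; implants beacon on a
    timer, people browsing do not. Returns the mean gap in seconds per pair."""
    times = defaultdict(list)
    for ts, src, dst, proto, _ in rows:
        if proto == "http":
            times[(src, dst)].append(ts)
    found = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap == 0:  # duplicate timestamps; nothing to measure
            continue
        if statistics.pstdev(gaps) / mean_gap <= max_cv:
            found[key] = round(mean_gap)
    return found

def exfil_candidates(rows, threshold=10 * 1024 * 1024):
    """(src, dst, proto) tuples whose total outbound bytes exceed the threshold."""
    totals = defaultdict(int)
    for _, src, dst, proto, out in rows:
        totals[(src, dst, proto)] += out
    return {k: v for k, v in totals.items() if v >= threshold}
```

In practice the thresholds are tuned per environment and the flagged destinations are then checked against reputation data, since legitimate update clients also poll on a timer.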
Figure: Attackers, C&C Server, FTP, Customers.
Social Media Accounts
Maintenance Stage (Anti-Forensics)
Maintain persistence within network for future attacks
Smart Protection begins with Global Threat Intelligence…
• Email reputation
• File reputation
• Web reputation
• Whitelisting
• Network traffic rules
• Mobile app reputation
• Vulnerabilities/Exploits
• Threat Actor Research
• Enhanced File Reputation
• Enhanced Web Reputation
Timeline:
1988 - 2007: Signature based anti-malware
2008: Cloud based global threat intelligence
Now!: Big data analytics-driven global threat intelligence
150 Million + Worldwide Sensors
• Researcher Intelligence
• CDN / xSP
• Honeypot
• Web Crawler
• Trend Micro Solutions
• Test Labs
• 3rd Party Feeds
Global Threat Intelligence
Global Sensor Network: Collects More Information in More Places
• 100s millions of sensors
• Billions of threat queries daily
• Files, IPs, URL’s, apps, vulnerabilities, network traffic rules…
Accurately Analyzes and Identifies Threats Faster
• 50X faster time-to-protect than average*
• 100TB analyzed, 300,000 new threats identified daily
• Big data analytics and threat expertise
Proactive Protection: Blocks Real-World Threats Sooner
• 500,000+ businesses
• Millions of consumers
• 250M threats blocked daily
*NSS Labs Consumer EPP 2014 Test
Use our Threat Intelligence to Fight the Bad Guys
“Cyber Criminal Pleads Guilty to Developing and Distributing Notorious Spyeye Malware” -- January, 2014
CIO
• Empower the business: Improve business agility by providing quick and intuitive access to the right information, tools and applications
• Mitigate risk: Protect sensitive information to maintain brand and comply with regulations, while controlling costs
Empowering the Business…
Figure: Cyber Threats (Attackers), Cloud & Virtualization and Consumerization surrounding IT and Employees.
Then…
Figure: Employees and IT Admin, with Email & Messaging, Web Access, File/Folder & Removable Media.
Now!
Figure: the same, plus Device Hopping, Cloud Sync & Sharing, Collaboration, Social Networking.
Complete User Protection
Figure: the channels above (Web Access, Email & Messaging, Device Hopping, Cloud Sync & Sharing, Collaboration, Social Networking, File/Folder & Removable Media) covered by Security for Employees and IT Admin:
• Anti-Malware
• Content Filtering
• Data Loss Prevention
• Encryption
• Device Management
• Application Control
Figure: Partners, Employees and Customers use business applications (Productivity, CRM, Supply Chain, HR, Commerce, Finance, Customer Support) owned by Business App Owners and run by Data Center Ops.
Cloud and Data Center Security
Figure: Data Center Ops secure Physical, Virtual, Private Cloud and Public Cloud workloads with:
• Anti-Malware
• Application Scanning
• Intrusion Prevention
• Integrity Monitoring
• SSL
• Encryption
Figure: the targeted-attack lifecycle again (intelligence gathering, social engineering, Command & Control link, lateral movement seeking valuable data, extraction of data of interest that can go undetected for months), now facing Security and the Network Admin.
Malware engineered and tested to evade your standard gateway/endpoint defenses
It is only a matter of time until you are breached
• A custom attack needs a custom defense!
Custom Defense
Figure: Network-wide Detection of Known Threats, Unknown Threats and Evolving Threats across Network Ports, Communication Protocols and Network Traffic, using Custom Smart Sandboxes, Threat Intelligence, Advanced Threat Analysis, Automated Security Updates and Threat Services; Security and the Network Admin.
Custom Defense with Interconnected Threat Response
Figure: Deep Discovery (Inspector, Analyzer, Email Inspector, Endpoint Sensor) connected via IOC, Open Web Services API and CEF / LEEF & more to XGS, OfficeScan, ScanMail, InterScan Messaging & Web Security and Deep Security.
Trend Micro
What We Do
• Recognized global leader in server, virtualization and cloud security
• Innovative security solutions
• Protecting the exchange of digital information for businesses and consumers
How We Do It
• 1,200 threat experts in 12 TrendLabs locations around the globe; 1,492 R&D engineers
• $400M USD and 500 engineers invested over last 4 years to develop cloud-related solutions
• Global Threat Intelligence
Who We Are
• Eva Chen: CEO and Founder
• Co-founded: 1988
• Offices: 36
• Global Employees: 4942
• Revenue: $1.2B USD
• Cash Assets: $1.65B USD
• Operating Income: $330M USD
• Headquarters: Tokyo
Trend Micro is the largest independent security provider
Protecting 48 of 50 top global corporations
Thank You
See you in our next event
Call us at 0818102085 or talk to us via
[email protected]
BBM 7EFD4F3E