next-generation security and the problem of exploitation

Post on 07-Aug-2015


Next-Generation Security and the Problem of Exploitation

April 2015

Matthew Ancelin, CISSP, CNSE


Network: Old Methods vs. New Methods

Old methods:
• Port and protocol allow/block firewalling
• URL filtering, black lists
• Blacklisting of IP or range
• Standalone signature based IPS
• UTM: unified threat management
• Web gateways/Proxy

New methods:
• Visibility and Control
• Application based firewalling
• Integrated Threat Prevention
• SSL decryption/inspection
• Automated threat intelligence sharing
• Sandboxing


Visibility and Control: Application based firewalling, SSL Decryption/Inspection, Integrated Threat Prevention


Sharing is Cyber-Caring: Verizon’s 2015 Breach report

Source: Verizon 2015 Data Breach Investigations Report


75% of attacks spread from victim 0 to victim 1 within 24 hours


Sandboxing and Threat Intelligence…3 years later

WatchGuard – Dimension (threat intel only)

Check Point – Threat Emulation (sandbox), ThreatCloud service (intel, MSP)

Cisco (Sourcefire) – Threat Grid and AMP

Palo Alto Networks – WildFire Threat Intelligence Cloud

McAfee – TrustedSource (threat intel only – IP/Domain)

Fortinet – FortiSandbox

FireEye – core product + Threat Intelligence

Blue Coat – Malware Analysis Appliance

Source: www.watchguard.com


Sandboxing and Automated Threat Intelligence sharing

[Diagram of the sharing loop: Sandbox; Global install base and Threat Intel Consortium; AV signatures, DNS signatures, C&C signatures, Malware URL filtering; SIEM (AV data, network data, other)]


Endpoint Protection

“Anti-virus is Dead”

Source: Wall Street Journal, May 2014


Endpoint: Old Methods vs. New Methods

Old methods:
• Signature matching
• Heuristics
• Kernel-level root-kit protection
• Cloud based updates
• Web threat protection
• IP Reputation services
• Registry cleaners

New methods:
• Micro-virtualization
• Task introspection
• Process/App whitelisting
• Automated threat intelligence
• Exploit trapping
• Sandboxing
• Predictive math modeling
• Either Prevent or Detect/Remediate


Application Whitelisting

Source: www.talk.pharma-mkting.com


Micro virtualization

Source: www.bromium.com


Predictive Math Modeling

Source: www.cylance.com


Traps - Exploit Trapping by Technique

Individual attacks (software vulnerability exploits): thousands of new vulnerabilities and exploits per year (1,000s/yr)

Core techniques (exploitation techniques): in the past 3 years, 2 new techniques have been discovered (1 or 2/yr)

Source: www.cvedetails.com


Prevention of One Technique in the Chain will Block the Entire Attack

Exploit Prevention Case Study: Unknown Exploits Utilize Known Techniques

IE Zero Day (CVE-2013-3893): Heap Spray → DEP Circumvention → ROP / Utilizing OS Function → DLL Security

Adobe Reader (CVE-2013-3346): Heap Spray → DEP Circumvention → Utilizing OS Function

Adobe Flash (CVE-2015-3010/0311): ROP → JiT Spray → Utilizing OS Function
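To make the chain argument concrete, here is a small added Python model (not from the presentation or from the Traps product) of the three chains on this slide: it reports which exploits a given set of prevented techniques blocks, and finds the smallest technique sets that block all of them. It assumes the slide's combined "ROP/Utilizing OS Function" cell is two techniques, and the "unknown" chain at the end is a constructed stand-in, not a real exploit.

```python
from itertools import combinations

# Technique chains transcribed from the slide. Assumption: the slide's combined
# "ROP/Utilizing OS Function" cell is modeled as two separate techniques.
CHAINS = {
    "IE Zero Day CVE-2013-3893": ("Heap Spray", "DEP Circumvention", "ROP",
                                  "Utilizing OS Function", "DLL Security"),
    "Adobe Reader CVE-2013-3346": ("Heap Spray", "DEP Circumvention",
                                   "Utilizing OS Function"),
    "Adobe Flash CVE-2015-3010/0311": ("ROP", "JiT Spray", "Utilizing OS Function"),
}
# Constructed stand-in for a not-yet-seen exploit that reuses known techniques.
UNKNOWN_CHAIN = ("JiT Spray", "ROP", "DLL Security")

def first_blocked_step(chain, prevented):
    """Index of the first technique the endpoint prevents, or None if the chain
    would run to completion; blocking any one step stops everything after it."""
    for index, technique in enumerate(chain):
        if technique in prevented:
            return index
    return None

def is_blocked(chain, prevented):
    return first_blocked_step(chain, prevented) is not None

def unblocked(chains, prevented):
    """Known exploits a prevention set fails to stop, i.e. its coverage gap."""
    return sorted(name for name, chain in chains.items()
                  if not is_blocked(chain, prevented))

def minimal_blocking_sets(chains):
    """All smallest technique sets that block every known chain. Exhaustive search
    is fine: the technique vocabulary is tiny, which is the slide's point."""
    techniques = sorted({t for chain in chains.values() for t in chain})
    for size in range(1, len(techniques) + 1):
        hits = [frozenset(c) for c in combinations(techniques, size)
                if all(is_blocked(chain, c) for chain in chains.values())]
        if hits:
            return hits
    return []

if __name__ == "__main__":
    print("smallest blocking sets:", [sorted(s) for s in minimal_blocking_sets(CHAINS)])
    for prevented in ({"Heap Spray"}, {"Utilizing OS Function"}):
        print(sorted(prevented), "leaves unblocked:", unblocked(CHAINS, prevented))
    # One well-chosen technique covers the three known chains but not every future
    # combination: the constructed unknown chain also needs ROP prevention.
    for prevented in ({"Utilizing OS Function"}, {"Utilizing OS Function", "ROP"}):
        print(sorted(prevented), "blocks unknown chain:", is_blocked(UNKNOWN_CHAIN, prevented))
```

The gap reported for the constructed chain is the practical caveat: technique-level prevention should cover several techniques, since a single choke point covers only the chains seen so far.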


Are exploits really the problem?

99.9% of the exploited vulnerabilities were compromised more than 1 year after the CVE was published.

~50% of 2014 CVEs exploited fell within 2 weeks of announcement.

* Source: Verizon 2015 Data Breach Investigations Report


How does exploit trapping fare against a sophisticated APT?


Traps stops 0-day exploits without prior knowledge of them


Attacks LEAD with exploits

Nov 2014: Operation CloudyOmega
Nov 2014: Dark Hotel campaign
Oct 2014: SandWorm
Oct 2014: Hurricane Panda
Feb 2014: Operation SnowMan (MS IE 0-day exploit)
Sept 2013: Ichitaro Zero Day
Feb 2014: IE 0-day, Watering Hole attack
Feb 2014: ‘The Mask’ Campaign
Dec 2013: Operation KeyChang
Oct 2013: Egobot Campaign
Sept 2013: Icefog campaign
Sept 2013: EvilGrab campaign
June 2013: NetTraveler campaign

…this pattern repeats over and over again


Social Engineering 101 – determine an Attack Vector


Upgrade to Office 2010


Social Engineering 101 – deliver the Attack


SEND US YOUR RESUME
