threat landscape

Post on 05-Aug-2015

The Threat Landscape

Don Murphy, Senior Systems Engineer

Fortinet, Inc.

The Internet is only 45 Years Old

What was the plan for security?

De-Mystifying Viruses, Malware, and Other Threats

• Difference between Viruses and Malware
• Viruses are a specific type of malware designed to replicate and spread
• Malware is all types of malicious code
• Malware can include Viruses, Spyware, Adware, Nagware, Trojans and Worms
• Because Viruses obtained so much press, the standard became Anti-Virus

Sony Pictures – Wiper Malware

• Delivery Mechanism has yet to be revealed
• Creates a network share accessible by all computers
• Hosts a web server
• Malware attempts to connect to C&C in Italy, Poland or Thailand
• Similar to DarkSeoul that struck South Korea last year

Home Depot Breach

• Attackers gained credentials from a third-party vendor
• Exploited third-party vendor’s system and Home Depot’s network via Microsoft Exploit
• A large Apple purchase was made by Home Depot shortly after

The White House Breach

• Breached unclassified network used by President’s Senior staff
• Discovered in Early October - Alerted by Foreign Government
• Hackers appeared to be mapping and probing the network
• Hackers are believed to be working for the Russian Government

iCloud Celebrity Photo Breach

• Was not a breach of Apple Systems including iCloud or Find My Phone
• Very targeted attack on user names, passwords, and security questions
• Apple Recommends a strong two factor authentication solution and will also send out more alerts
• Phishing scam came out soon after

DISGUISE SURVIVABILITY IMPACT

Detect Disguise, Kill the Chain

Reduce Survivability, Break Impact

What are APTs? Defining Advanced Persistent Threats

APT Stages – Reconnaissance

• Probing of Targets
• Information Gathering

APT Stages – Infiltration

• Phishing Emails, Malicious Flash or PDFs
• Malicious Websites that attack flaws in browsers
• Piggybacking mouse clicks

APT Stages – Malware Action

• Callback Attempts are made to Mothership
• Low Profile Otherwise

APT Stages – Exfiltration

• Delivery of Stolen/Compromised Data

APT Stages – Further Exploitation

• Command and Control have established connection to compromised client
• Attacks continue on file shares, cloud-based applications, databases, etc.
• Expect lateral moves within the network to expand reach as well as destruction

Cryptolocker / CryptoWall

• Ransomware: Attempts to extort money out of the infected users
• Cryptolocker encrypts local files or networks
• Ransom to unlock the files can be anywhere from $200 to $2000

Cryptolocker – How did I get infected?

• Email attachments: .exe files posing as .pdf
• Botnets: a pay-per-install operation

Cryptolocker – What can I do if I’m infected?

• Rolling back changes from the infected system itself
• Restoring files from external back-ups
• Paying the ransom.

The HeartBleed Bug

• Why is it called a Bug?
» OpenSSL 1.0.1 library implementation problem
• Why should I change my passwords?
» Usernames, Passwords, and Private keys exposed.
• What should I do if my company is affected?
» Vendor patches, new certificates, IPS signatures

2015: What’s Next?

• Mobile
» New Milestone 2013 - Mobile Malware listed in Top 10 Virus Index
» Custom Polymorphic Malware / Evasion
• Moving beyond applications (APK)
• 2014 Data Security “Breach a month”
» Prediction on track so far…
• More Ransomware due to Cryptolocker Success
» Estimated at over $40 Million in ransom dollars paid

Zero-Day Trends

Mobile: Android Malware

Mobile: IOS Malware

Cryptolocker – What FortiGuard does to protect and prevent

• Blacklisting C2 servers with Webfiltering
• Disrupting Trojan to C2 server communication with IPS/AppCtrl
• AV Protection of all known Variants

Case Study: FortiGuard Response

South Korea Attacks

[Timeline slide; labels recovered in the order they appear: Suspicious Activity; March 12th, 2013; Time Bomb Attacks; Botnet Servers Detected; March 20th, 2013 – Malware Planted; WCF Signatures Added; Botnet Servers Mitigated; KISA Request (FortiGuard); Malware Mitigated; +4 Hours – AV Sig (Flow); 12 Hours – Botnet Flow Mitigated; AV Sig (CPRL), AppCtl (Botnet); 48 Hours – Blog Analysis]

ZERO-DAY MALWARE USED

• Overwrote hard drives
• Detonated simultaneously

APT Strategy: Multi-Layer Defenses

1) Anti-Virus
• Detect known viruses
• Detect new variants (emulation and sandboxing)

2) Web Filtering
• Detect connections going to malware sites
• Typically to download the real malware

3) Botnet / AppCtrl
• Detect connections or traffic going to botnet sites
• Detect known botnet applications

4) IPS
• Block known vulnerabilities
• Including undisclosed vulnerabilities

5) Behavioral
• Sandbox analysis
• Client reputation analysis

www.cyberthreatalliance.org

Questions?

Don Murphy, dmurphy@fortinet.com

www.fortinet.com

@Fortinet

@ADNETTech

@ADNETTechnologiesLLC

www.thinkADNET.com