APT - EICAR (eicar_wg2_2015)
24.02.2015© IKARUS Security Software GmbH 1
APT
Agenda
What is APT?
Staying inside a network as long as possible without detection to grab tons of information
Something special for everyone and yet another "special" product
From back then until today
– Since malware is/was born
– Spear phishing / social engineering
Marketing & scaring of businesses
– Stoned Bootkit, Conficker, Stuxnet, Operation Shady RAT…
1st APT?
1st AV solution (1986)
One year present in every AV vendor's virus database without anyone recognizing its potential: Stuxnet.
Comparison: Industrial Computer vs. PC

| Industrial Computer | PC |
|---|---|
| Priority on stability | |
| Usage > 20 years | 5-6 years lifetime |
| 24/7 uptime | 24/7 uptime not necessary |
| Updates dangerous/impossible | Updates possible |
| System designed for stability, not security | System designed for stability AND security |
| Proprietary systems and protocols | Standard protocols |
| Standalone concept, no network connection planned | Networking integral part of the system |
| Little knowledge about the complete system | Good knowledge about the complete system |
Why is APT detection relevant?
Industry espionage through targeted attacks
Little awareness of threats and security practices (APT detection offered as "software as a service")
No basis for deciding on further actions:
– Which hosts have been infected?
– What has happened? Has customer data been affected?
Open problems with off-the-shelf ("08/15") AV
Is my network currently compromised?
Has my network been compromised in the past?
Track the attack over time
Provide a good basis for further decisions
External contractors (forensic analysis) cost a lot of money
Our motivation for APT detection
Traditional solutions have limitations:
– Targeted attacks are hard to detect
– Detection, containment and cleanup are costly
– The total number of malware samples is rising fast
– AV vendors have to generate detections fast enough
Enhance visibility and transparency
Extensive and universal endpoint monitoring instead of special-case protection mechanisms
Cyber Kill Chain
1. Reconnaissance
2. Craft an attack
3. Deliver the malware
4. Exploit security holes
5. Install malware
6. Command & Control
7. Perform malicious acts
Cyber Kill Chain coverage of an off-the-shelf ("08/15") AV solution
1. Reconnaissance: not covered
2. Craft an attack: not covered
3. Deliver the malware: scan engine (spam/URL filter, firewall)
4. Exploit security holes: not covered
5. Install malware: scan engine
6. Command & Control: not covered
7. Perform malicious acts: not covered
Behavior-based Solutions
Collect a lot of data
– Network data (Appliance, endpoint)
– Host data
Detection info database
– Cloud service containing detection information (not real-time)
– Local detection information
Detection/prevention:
– Use IOCs to block delivery or execution of malware
– Use data to notify about suspicious behavior
(Live) inspection
Forensic and time-line information
Predictive solutions
Collection
– Collect malware
– Algorithms forecast future malware, generate derivatives
– Collect behavior information
Analysis
– Derivatives and behavior information are used to train detectors
Protect
– Protect endpoints from future versions of malware
IKARUS APT
Host-based solution, not based on network traffic
Collect data
Provide visibility
Machine learning
Detect deviations
Data collection
Process activities
Thread activities
Network connections
Registry access
File access
…
Anomaly detection
Use the collected data to learn the benign behavior of a user
Once normal and abnormal behavior is known, any deviation is considered suspicious
Send a notification once suspicious behavior is detected
Future steps:
– Block execution of unwanted programs
– Generate IOCs to actively detect malicious behavior
Example:
– A user runs the same set of programs every day
– An executable that has never been executed before is started
– Create a notification about that event
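The "never-before-executed program" example above, worked through as an added illustration (this is not IKARUS code; the event tuples, the learn/detect split and the user-vs-fleet severity are assumptions for the demo): a baseline of executables per user is learned from host-collected process-start events, then live events that deviate from it raise one alert each.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed process-start events (user, executable path); the real sensor
# format is not given on the slides, so this shape is an assumption.
TRAINING_EVENTS = [
    ("alice", r"C:\Windows\explorer.exe"),
    ("alice", r"C:\Program Files\Microsoft Office\WINWORD.EXE"),
    ("alice", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    ("bob", r"C:\Windows\explorer.exe"),
    ("bob", r"C:\Windows\System32\cmd.exe"),
]
LIVE_EVENTS = [
    ("alice", r"C:\Program Files\Mozilla Firefox\firefox.exe"),  # in baseline
    ("alice", r"C:\Windows\System32\cmd.exe"),                   # new for alice only
    ("alice", r"C:\Users\alice\AppData\Local\Temp\update.exe"),  # new on every host
    ("alice", r"C:\Users\alice\AppData\Local\Temp\update.exe"),  # repeat: no 2nd alert
]

@dataclass(frozen=True)
class Alert:
    user: str
    exe: str
    scope: str  # "user": unseen for this user; "fleet": unseen on any host

class ProgramBaseline:
    def __init__(self) -> None:
        self.per_user = defaultdict(set)  # user -> executables seen in training
        self.fleet = set()                # executables seen for any user
        self.alerted = set()              # (user, exe) pairs already reported

    def learn(self, events):
        # Learning phase: everything observed is assumed benign.
        for user, exe in events:
            e = exe.strip().lower()       # Windows paths are case-insensitive
            self.per_user[user].add(e)
            self.fleet.add(e)

    def check(self, user: str, exe: str):
        # Detection phase: the baseline is frozen; deviations become alerts.
        e = exe.strip().lower()
        if e in self.per_user[user] or (user, e) in self.alerted:
            return None
        self.alerted.add((user, e))
        return Alert(user, exe, "user" if e in self.fleet else "fleet")

def run_detection(training, live):
    baseline = ProgramBaseline()
    baseline.learn(training)
    return [a for a in (baseline.check(u, x) for u, x in live) if a]
```

Running `run_detection(TRAINING_EVENTS, LIVE_EVENTS)` yields two alerts: cmd.exe with scope "user" (known elsewhere in the fleet) and update.exe with scope "fleet" (never seen anywhere), which is the kind of prioritisation a "future steps" IOC or block rule would build on.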
The End!
"I think it's important to recognize that you can't have 100 per cent security and also then have 100 per cent privacy and zero inconvenience"
– Barack Obama about the NSA, San Jose, California, on June 7, 2013