TRANSCRIPT
Charles Williams
Sr. Sales Engineer
The Evolving Threat Landscape
Confidential | Copyright 2015 Trend Micro Inc.
2015 Attacks
Who's committing attacks (Verizon DBIR)
• 92% perpetrated by outsiders
• 14% committed by insiders
• 1% implicated business partners
• 7% involved multiple parties
• 19% attributed to state-affiliated actors
Source: http://www.verizonenterprise.com/DBIR/
Financially Motivated Cyber Criminal
Source: http://www.verizonenterprise.com/DBIR/
[Diagram: Crime Syndicate (Simplified). Roles shown: Victim, The Boss, Mercenary Attackers, Data Fencing, The Captain, Garant, Bullet Proof Hoster.]
[Diagram: Crime Syndicate (Detailed). Roles shown: Victim, Blackhat SEO Attacker, Attacker, Keywords (Botherder), Compromised Sites (Hacker), Programmer, Cryptor, Virtest, Worm, Exploit Kit, Bot Reseller, Traffic Direction System, Garant, SQL Injection Kit, Carder, Money Mule, Droppers, Card Creator, Bullet Proof Hoster. The arrows between roles carry prices from $1 to $10 per service.]
Attack Stages
1. Intelligence Gathering: Identify and research target individuals using public sources (LinkedIn, Facebook, etc.) and prepare a customized attack.
2. Point of Entry: The initial compromise is typically malware delivered via social engineering (email/IM or drive-by download). A backdoor is created and the network can now be infiltrated.
3. Command & Control (C&C) Communication: Allows the attacker to instruct and control the compromised machines and malware used for all subsequent phases.
4. Lateral Movement: Once inside the network, the attacker compromises additional machines to harvest credentials, escalate privilege levels and maintain persistent control.
5. Asset/Data Discovery: Several techniques and tools are used to identify the noteworthy servers and the services that house the data of interest.
6. Data Exfiltration: Once sensitive information is gathered, the data is funneled to an internal staging server where it is chunked, compressed and often encrypted for transmission to external locations.
Intelligence Gathering
Acquire strategic information about the target's IT environment and organizational structure.
“res://” protocol
Data at Risk
• Corporate / Financial: board meeting records, legal proceedings, strategic plans, contracts, purchase agreements, pre-earnings announcements, executive salaries, M&A plans and pending patent filings.
• Manufacturing: intellectual property and manufacturing methods.
• Retail: financial records & transactions, customer profiles to generate revenue for identity theft.
• Internal Organization: employee records and health claims for identity and insurance fraud.
Point of Entry
Gain entry into a target network using weaknesses found.
Weaponized Attachment
Malicious URLs
Attack weakness found in:
• Infrastructure
• Systems
• Applications
• People
• 3rd Party Organizations
Infection Options
[Diagram: Island Hopping. Attackers → Trusted Partner → Customers.]
Spearphishing
Watering Hole Attacks
Source: Trend Micro Q3'14 Threat Roundup Report
Evade detection with customized malware
[Diagram: Attacker → Malicious C&C websites → Ahnlab's Update Servers → Victimized Business (Unix/Linux Server Farm and Windows endpoints): wipe out files, destroy MBR.]
A total of 76 tailor-made malware samples were used, 9 of which were destructive, while the other 67 were used for penetration and monitoring.
Code for Sale
Ultra Hackers Tools for sale. Price is 0.0797 BTC (bitcoin) = $25
Virus Builders: 1. Nathan's Image Worm; 2. Dr. VBS Virus Maker; 3. p0ke's WormGen v2.0; 4. Vbswg 2 Beta; 5. Virus-O-Matic Virus Maker
Scanners: 1. DD7 Port Scanner; 2. SuperScan 4.0; 3. Trojan Hunter v1.5; 4. ProPort v2.2; 5. Bitching Threads v3.1
DoSers, DDoSers, Flooders and Nukers: 1. rDoS; 2. zDoS; 3. Site Hog v1; 4. Panther Mode 2; 5. Final Fortune 2.4
Fake Programs: 1. PayPal Money Hack; 2. Windows 7 Serial Generator; 3. COD MW2 Keygen; 4. COD MW2 Key Generator; 5. DDoSeR 3.6
Cracking Tools: 1. VNC Crack; 2. Access Driver; 3. Attack Toolkit v4.1 & source code included; 4. Ares; 5. Brutus
Analysis: OllyDbg 1.10 & Plugins - Modified by SLV *NEW*; W32Dasm 8.93 - Patched *NEW*; PEiD 0.93 + Plugins *NEW*; RDG Packer Detector v0.5.6 Beta - English *NEW*
Rebuilding: ImpRec 1.6 - Fixed by MaRKuS_TH-DJM/SnD *NEW*; Revirgin 1.5 - Fixed *NEW*; LordPE De Luxe B *NEW*
LIST OF SOFTWARE INCLUDED IN THIS PACKAGE:
Host Booters: 1. MeTuS Delphi 2.8; 2. XR Host Booter 2.1; 3. Metus 2.0 GB Edition; 4. BioZombie v1.5; 5. Host Booter and Spammer
Stealers: 1. Dark Screen Stealer V2; 2. Dark IP Stealer; 3. Lab Stealer; 4. 1337 Steam Stealer; 5. Multi Password Stealer v1.6
Remote Administration Tools/Trojans: 1. Cerberus 1.03.4 BETA; 2. Turkojan 4 GOLD; 3. Beast 2.07; 4. Shark v3.0.0; 5. Archelaus Beta
Binders: 1. Albertino Binder; 2. BlackHole Binder; 3. F.B.I. Binder; 4. Predator 1.6; 5. PureBiND3R by d3will
HEX Editor: Biew v5.6.2; Hiew v7.10 *NEW*; WinHex v12.5 *NEW*
Decompilers: DeDe 3.50.04; VB Decompiler Lite v0.4 *NEW*; Flasm
Unpackers: ACProtect - ACStripper; ASPack - ASPackDie; ASProtect > Stripper 2.07 Final & Stripper 2.11 RC2 *NEW*; DBPE > UnDBPE
Keygenning: TMG Ripper Studio 0.02 *NEW*
Packers: FSG 2.0; MEW 11 1.2 SE; UPX 1.25 & GUI *NEW*; SLVc0deProtector 0.61 *NEW*; ARM Protector v0.3 *NEW*; WinUpack v0.31 Beta *NEW*
Patchers: dUP 2 *NEW*; CodeFusion 3.0; Universal Patcher Pro v2.0; Universal Patcher v1.7 *NEW*; Universal Loader Creator v1.2 *NEW*
Crypters: 1. Carb0n Crypter v1.8; 2. Fly Crypter v2.2; 3. JCrypter; 4. Triloko Crypter; 5. Halloween Crypter; 6. Deh Crypter; 7. Hatrex Crypter; 8. Octrix Crypter; 9. NewHacks Crypter; 10. Refruncy Crypter
100's of Items
Today's Reality: One & Done!
• 99% of malware infect < 10 victims
• 80% of malware infect = 1 victim
E-Mail with a spoofed sender
And if the user clicks on the attachment...
Command & Control Communications
Ensure continued communication between the compromised target and the attackers.
Common Traits
• Uses typical protocols (HTTP)
• Uses legitimate sites as C&C
• Uses internal systems as C&C
• Uses 3rd party apps as C&C
• May use compromised internal systems
Advantages
• Maintains persistence
• Avoids detection
[Diagram: Threat Actor ↔ C&C Server]
Threat Actor's Achilles' Heel
Reality Bites
• Have to maintain connection with compromised network
• Cut off this connection, potentially stop the attack
• Malicious code typically hardcoded with C&C data
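The "Reality Bites" point above, as an added example that is not part of the presentation: a small Python script over constructed proxy log lines flags the regular check-in pattern a hardcoded C&C produces and derives the host to cut off at the web gateway. The log format, client address and host names are made up for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: "<timestamp> <client> <host> <bytes>".
# The 5-minute check-ins to updates.example.com (a made-up host) play the
# part of the hardcoded C&C; the other hits are ordinary browsing.
SAMPLE_LOG = """\
2015-03-02T09:00:00 10.1.1.7 updates.example.com 512
2015-03-02T09:00:03 10.1.1.7 www.example.org 44120
2015-03-02T09:05:01 10.1.1.7 updates.example.com 510
2015-03-02T09:10:00 10.1.1.7 updates.example.com 515
2015-03-02T09:12:40 10.1.1.7 news.example.org 9021
2015-03-02T09:15:02 10.1.1.7 updates.example.com 508
2015-03-02T09:19:59 10.1.1.7 updates.example.com 511
2015-03-02T09:25:00 10.1.1.7 updates.example.com 514
"""

def parse_log(text):
    """Return (timestamp, client, host, bytes) tuples, one per log line."""
    rows = []
    for line in text.splitlines():
        ts, client, host, size = line.split()
        rows.append((datetime.fromisoformat(ts), client, host, int(size)))
    return rows

def find_beacons(rows, min_hits=5, max_jitter=0.1):
    """Flag (client, host) pairs whose contact intervals are near-constant.

    A periodic check-in with little jitter is the "maintain the connection"
    behaviour of C&C traffic; human browsing is bursty.
    Returns {(client, host): mean interval in seconds}.
    """
    stamps = defaultdict(list)
    for ts, client, host, _ in rows:
        stamps[(client, host)].append(ts)
    beacons = {}
    for key, times in stamps.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # coefficient of variation: jitter relative to the beacon period
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[key] = mean
    return beacons

def blocklist_from_beacons(beacons):
    """Hosts to cut off at the web gateway, severing the attacker's C&C."""
    return sorted({host for _, host in beacons})
```

On the sample log, `find_beacons(parse_log(SAMPLE_LOG))` reports the 300-second beacon to updates.example.com and nothing for the bursty browsing hosts.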
Lateral Movement
Seek valuable hosts that house sensitive information.
Pass the Hash
Data Discovery
Noteworthy assets are identified within the infrastructure then isolated for future data exfiltration.
Data at Risk
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
[Chart: world's biggest data breaches, annotated with the data exposed: Credit Cards, Birth & Phone records, Customer PII, User Credentials, Credit Cards, PII leads to fraud, Movies, Ransoms, Terrorism, Social Media Accounts.]
Exfiltration Stage
Transmit data to a location that the threat actors control.
Common Traits
• Built-in file transfer (RATs)
• FTP, HTTP
• Tor network/Encryption
• Public File Sharing sites
[Diagram: Customers ← Attackers (FTP) ← C&C Server]
Maintenance Stage (Anti-Forensics)
Maintain persistence within network for future attacks
Source: http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/
What Can You Do?
Layered Security (diagram): Device Control, DLP, Encryption, Behavior Monitoring, Vulnerability Protection, Unpacking, Memory Inspection, Command & Control Blocking, Sandboxing, File Reputation, Web Reputation, Email Reputation, Web Gateway, Email Gateway or Server, SharePoint Server, Forensics, Network, Application Whitelisting, Mobile App Reputation.
Safe Computing Practices: All Consumers
• Always check who the email sender is.
• Double-check the content of the message.
• Refrain from clicking links in email.
  – Use free services such as sitesafety.trendmicro.com.
• Always ensure your software is up-to-date.
• Backup important data.
Safe Computing Practices: For Commercial Businesses
• Review your policies regarding email attachments and embedded URLs.
• Configure devices for specific purposes and take advantage of certain Windows features like AppLocker or Trend Micro Application Control.
• Enable extended threat protection technologies:
  – Email Reputation
  – True File Type Filtering
  – Web Reputation
  – Behavior Monitoring
  – Community File Reputation
• OfficeScan 11 SP1 (Q2-14) will have new ransomware-specific technologies.
• Backup your backups.
As of Today…
How frequently do you backup data on your PC?
How fast can you restore data on your PC?
Can employees restore data by themselves?