Copyright (c) 2012, FireEye, Inc. All rights reserved. | CONFIDENTIAL 1 Top 5 Modern Malware Trends Data Connectors – September 12, 2013 Frank Salvatore, BCOMM Territory Manager, Eastern Canada [email protected]

Posted on 15-Dec-2015

TRANSCRIPT

Page 1: Copyright (c) 2012, FireEye, Inc. All rights reserved. | CONFIDENTIAL 1 Top 5 Modern Malware Trends Data Connectors – September 12, 2013 Frank Salvatore,

Top 5 Modern Malware Trends

Data Connectors – September 12, 2013

Frank Salvatore, BCOMM, Territory Manager, Eastern Canada

[email protected]

Page 2:

"We're moving towards a world where every attack is effectively zero-day… having a signatured piece of malware, that shouldn't be the foundation on which any security model works." - Chris Young, GVP Cisco Security

Tech Week Europe, September 28th 2012


Page 4:

Modern times… call for modern measures...

Page 5:

Top CISO Priorities – 2013

• Secure Data and Policy Controls: data exfiltration through the use of multi-protocol outbound channels challenges traditional controls

• Enable Secure Mobility: mobile devices and policies pose major issues as organizations need to enable secure access to data

• Advanced Attacks Targeting Data: ensuring security of data-at-rest and data-in-motion continues to be challenged with multi-vectored attacks

Page 6:

Top 5 Global Risks

Source: World Economic Forum

Page 7:

Technological Risks

Page 8:

High Profile APT Attacks Are Increasingly Common

Page 9:

We Are Only Seeing the Tip of the Iceberg

HEADLINE GRABBING ATTACKS

THOUSANDS MORE BELOW THE SURFACE: APT Attacks, Zero-Day Attacks, Polymorphic Attacks, Targeted Attacks

Page 10:

Attacks Increasingly Sophisticated

Dynamic Web Attacks

Malicious Exploits

Spear Phishing Emails

Multi-Vector
• Delivered via Web or email
• Blended attacks with email containing malicious URLs
• Uses application/OS exploits

Multi-Stage
• Initial exploit stage followed by malware executable download, callbacks and exfiltration
• Lateral movement to infect other network assets

Page 11:

Top 5 Modern Malware Trends

Page 12:

Trend #1: Motivation is Data “Capitalization”

• Political, Financial, Intellectual
• Nature of threats changing
– From broad, scattershot to advanced, targeted, persistent
• Advanced attacks accelerating
– High profile victims common (e.g., RSA, Symantec, Google)
– Numerous APT attacks like Operation Aurora, Shady RAT, GhostNet, Night Dragon, Nitro

“Organizations face an evolving threat scenario that they are ill-prepared to deal with….advanced threats that have bypassed their traditional security protection techniques and reside undetected on their systems.”

Gartner, 2012

Figure: timeline from 2004 to 2012 of the damage of attacks, rising from Viruses and Worms (Disruption) through Spyware/Bots and Stealth Bots (Cybercrime) to Dynamic Trojans, Targeted Attacks, Zero-day and Advanced Persistent Threats (Cyber-espionage and Cybercrime).

Page 13:

Trend #2: Modern Malware Targets the Application

Page 14:

Hacking? Not so much…

Page 15:

Polymorphism on demand

Page 16:

Blog Post?

Page 17:

RSS Feed?

Page 18:

Trend #3: Socialized Attack Vectors

• Spear-Phishing is a social attack
– No real technical countermeasure
– Users un(der)trained
– Effective way to drive malicious traffic
– “Whaling” for high return

• 83% of spam uses URLs
– URL shorteners
– Social engineering URLs
– Still on the decline

• Browser/App Infection Vectors
– Browser itself
– ActiveX / Java
– Plug-ins (PDF, QuickTime)
– Adobe Flash
– JavaScript/AJAX

Figure: Percent of Spam Containing Links (Source: Cisco Systems)
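The slide says the spear-phish is a social attack with no real technical countermeasure, but two of the tricks it names (URL shorteners and social-engineering URLs) do leave a machine-checkable trace in the message itself. The following Python is an added example, not part of the deck or of any FireEye product: it pulls every anchor out of an HTML email body and flags links whose host is a known shortener, whose visible text names a different domain than the href actually points to, or whose host is a bare IP. The sample message, the shortener list and the hostnames are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed shortener list for the example; a real deployment would feed this
# from threat intel and keep it current.
SHORTENER_HOSTS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly", "is.gd"}

# Something that looks like a hostname or URL inside the visible link text.
_HOSTLIKE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registered_domain(host):
    """Crude eTLD+1 (last two labels). Fine for the demo; use a public
    suffix list in production so co.uk-style domains are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_links(html):
    """Return one record per link with the reasons (if any) it looks suspicious."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        flags = []
        if host in SHORTENER_HOSTS:
            flags.append("url-shortener")
        # Classic social-engineering URL: the text shows one site, the href goes elsewhere.
        m = _HOSTLIKE.search(text.lower())
        if m and registered_domain(m.group(1)) != registered_domain(host):
            flags.append("display-host-mismatch")
        if _IPV4.fullmatch(host):
            flags.append("raw-ip-host")
        findings.append({"href": href, "text": text, "host": host, "flags": flags})
    return findings


def suspicious_links(html):
    """Only the links that tripped at least one check."""
    return [f for f in analyze_links(html) if f["flags"]]


# Constructed sample message body (not a real phish).
SAMPLE_EMAIL = """
<p>Dear team, please review the <a href="http://bit.ly/3xYz">Q3 report</a>.</p>
<p>Login at <a href="http://secure-login.example-mail.net/auth">https://mail.example.com</a> to confirm.</p>
<p>Read the <a href="https://www.example.com/policy">updated policy</a>.</p>
"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL):
        print(f"{f['host']:35} {', '.join(f['flags'])}")
```

Run against the sample, the first link is reported as a shortener and the second as a display/href mismatch (text says mail.example.com, href goes to example-mail.net); the third is clean. Treat the output as a triage signal: a shortener in a newsletter is normal, and the mismatch check only fires when the visible text itself looks like a hostname, so a link labelled "click here" passes it.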

Page 19:

LinkedIn is a Gold Mine…

Page 20:

Successful Spear Phish

Page 21:

Trend #4: It’s not just about files anymore

• Modern Malware is about a sequence of protocol flows which serve to exploit an application
• A file may be invoked or transported, but usually after a successful exploit
• The new reality of Modern Malware or APT is that file-based analysis is inadequate

Figure: Exploit → Binary Download (from an Infection Server) → Callbacks (to a Callback Server) → Data Exfiltration

Page 22:

The Attack Life Cycle – Multiple Stages

1 Exploitation of system
2 Malware executable download
3 Callbacks and control established
4 Data exfiltration
5 Malware spreads laterally

Diagram elements: Compromised Web Server or Web 2.0 Site (stage 1), Callback Server (stages 2 and 3), IPS at the perimeter, File Share 1 and File Share 2 (stage 5).
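Trend #4 and the life cycle above put the evidence in the protocol flows rather than in the file: a callback channel (stage 3) and a bulk outbound transfer (stage 4) are visible in an outbound proxy log even when the dropped binary was never caught. The following Python is an added example, not part of the deck or of any FireEye product. It runs that logic over a constructed proxy log: for each client/destination pair it checks whether the connections arrive at a fixed interval (low coefficient of variation of the gaps) and whether any single request carried an unusually large outbound payload. The log format, hosts, addresses and thresholds are assumptions for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not real traffic): "timestamp src dst_host bytes_out".
# One host is contacted every 5 minutes on the dot and finally receives 50 MiB;
# the other is ordinary, irregular browsing.
SAMPLE_LOG = """\
2013-09-12T09:00:00 10.1.1.25 cdn.example-static.com 812
2013-09-12T09:00:04 10.1.1.25 news.example.org 1104
2013-09-12T09:05:00 10.1.1.25 cdn.example-static.com 815
2013-09-12T09:07:31 10.1.1.25 news.example.org 980
2013-09-12T09:10:00 10.1.1.25 cdn.example-static.com 811
2013-09-12T09:15:00 10.1.1.25 cdn.example-static.com 813
2013-09-12T09:20:00 10.1.1.25 cdn.example-static.com 818
2013-09-12T09:21:17 10.1.1.25 news.example.org 1500
2013-09-12T09:25:00 10.1.1.25 cdn.example-static.com 52428800
2013-09-12T09:40:12 10.1.1.25 news.example.org 760
"""


def parse_log(text):
    """Parse the assumed four-column format into (timestamp, src, dst, bytes_out)."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def find_callbacks(events, min_hits=5, max_cv=0.15, exfil_bytes=10 * 1024 * 1024):
    """Flag (src, dst) pairs that beacon on a fixed schedule or push a large
    outbound payload. Thresholds are assumed starting points, not tuned values."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in events:
        by_pair[(src, dst)].append((ts, nbytes))

    findings = {}
    for pair, hits in by_pair.items():
        hits.sort()
        flags = []
        if len(hits) >= min_hits:
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
            mean = statistics.mean(gaps)
            # Coefficient of variation: ~0 for a clockwork beacon, large for a human.
            cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
            if cv <= max_cv:
                flags.append(f"periodic-callback(~{int(round(mean))}s)")
        biggest = max(nbytes for _, nbytes in hits)
        if biggest >= exfil_bytes:
            flags.append(f"large-outbound({biggest} bytes)")
        if flags:
            findings[pair] = flags
    return findings


if __name__ == "__main__":
    for (src, dst), flags in find_callbacks(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {', '.join(flags)}")
```

On the sample the CDN-looking host is reported with both a 300-second callback and the 50 MiB upload while the news site stays quiet. Two caveats for real use: implants commonly add jitter to the interval, so either raise max_cv or look at the distribution over a longer window, and legitimate software (update checks, chat clients) also beacons, so the result is a lead to pivot on, not a verdict.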

Page 23:

Exploit Detection is Critical

• Malware exploits take a similar form:
– Write data to memory
– Trick the system to execute that code in memory

• Exploitation of the system is the first stage
– Subsequent stages can be hidden
– You will miss attacks if relying on object/file analysis

• Only FireEye detects the exploit stage
– Captures resulting stages
– Shares globally

Page 24:

Timed Malware

Page 25:

Ho, Ho, Ho…

Timed Malware: December 25th. Where is the IT staff? ;) FireEye works 24/7/365 so you don’t have to. 2,000+ events on Xmas.

Page 26:

Trend #5: Mobile Device Malware

Page 27:

Trend #5: Mobile Malware Incremental (See Timestamp)

Page 28:

BYOD = Bring Your own DOOM!

Source: www.bgr.com “Boy Genius”

Page 29:

FBI Warning (October 15, 2012)

Source: www.bgr.com

Page 30:

Thank You!

Frank Salvatore, BCOMM

Territory Manager, Eastern Canada

[email protected]