TRANSCRIPT
Effective Threat Defence against prof. Cyberattacks
Detlev Narr, Sr. Consultant Threat Intelligence Services
325,000 new malicious files are identified by Kaspersky Lab every day.
Our international research and analysis team of security specialists continuously investigates and combats highly sophisticated cyberthreats.
EXPERTISE
1/3 of our employees are R&D specialists.
45 world-leading security experts: our elite team.
Some of our most important discoveries

FLAME
  Classification: Cyberespionage malware
  Detected: May 2012
  Active since: 2007
  Targets: > 600 selected targets
  Description: Spread via local networks or removable media; records screenshots, audio, keystrokes and network traffic

GAUSS
  Classification: Cyberespionage operation
  Detected: July 2012
  Active since: 2012
  Targets: Most of the victims were located in Lebanon
  Description: Highly developed toolkit with modules that perform a range of functions

RED OCTOBER
  Classification: Series of cyberespionage operations
  Detected: January 2013
  Active since: 2004
  Targets: 101 - 500 diplomats and government agencies
  Description: One of the first massive, globally executed cyberespionage operations; the code comments contain Russian-language text

CARETO / THE MASK
  Classification: Campaigns
  Detected: February 2014
  Active since: 2014
  Targets: > 10,000 victims in 31 countries
  Description: Complex toolset with malware, rootkit and bootkit, considered one of the most sophisticated APT attacks to date; attacks devices running Windows, Mac OS X & Linux

REGIN
  Classification: Complex cyberattack platform
  Detected: Spring 2012
  Active since: 2003
  Targets: Up to 100 victims in telecommunications companies, government bodies, international agencies etc.
  Description: The first cyberattack platform that, alongside other "standard" espionage tasks, also monitored GSM networks

EQUATION
  Detected: 2014
  Active since: 2002
  Targets: Up to 1,000 high-profile victims from the nanotechnology and nuclear sectors as well as activists, mass media & others
  Description: Equation malware is able to infect hard-disk firmware; it uses "interdiction" techniques for infection and mimics cybercriminal malware

DUQU 2.0
  Detected: 2015
  Active since: 2014
  Targets: Malware infections connected with the 5+1 talks and with venues for high-profile meetings between heads of state
  Description: A highly developed malware platform that exploits up to three zero-day vulnerabilities
SERVICES MAP

SECURITY EDUCATION
  Cybersecurity Awareness & Fundamentals
  Digital Forensics
  Malware Analysis & Reverse Engineering

INVESTIGATION SERVICES
  Malware Analysis
  Digital Forensics
  Incident Response

THREAT INTEL. INFORMATION
  Threat Data Feeds (expanding)
  APT Threat Intelligence Portal
  Client Specific Reporting
  Kaspersky Threat Lookup (KTL)

SECURITY ASSESSMENT
  Pen Testing
  Security Assessment (incl. ATM, POST or SCADA, ICS)

CYBERSECURITY EXERCISES
  KIPS (short business simulation game): Senior Managers
  CyberSafety Games (face-to-face motivational training): Line Managers
  Online Training Platform (computer-based on-access trainings): All Employees
  Cybersecurity for Experts (classroom trainings): CERT, SOC
  http://www.digitalqatar.qa/en/2015/12/16/let-the-cyber-games-commence/
THREAT INTELLIGENCE TO SUPPORT CERT & SOCS

Be one of the first to receive reports about discovered APTs.

Improve your SIEM with KL intelligence data feeds:
• Malicious URLs
• Phishing URLs
• Botnet C&C URLs
• Malware Hashes
• Mobile Malware Hashes
• P-SMS Trojan Feed
• Mobile Botnet C&C URLs
• IP Reputation

Get early warning about threats targeting your organization or your clients:
• Detailed information on how to identify the threat in your network
• Updates with newly uncovered data
• Subscription to the repository of Global Targeted Attacks discovered by Kaspersky Lab
DATA FEEDS IN JSON FORMAT

Available Data Feeds
Malicious URL feed — a set of URL masks with context covering malicious links and websites.
Phishing URL feed — a set of URL masks with context covering phishing links and websites.
Botnet C&C URL Feed — a set of URL masks with context covering desktop botnet C&C servers and related malicious objects.
Malicious Hash Feed — a set of file hashes with corresponding context covering the most dangerous, prevalent and emerging malware.
Mobile Malicious Hash Feed — a set of file hashes with corresponding context for detecting malicious objects that infect mobile Android and iPhone platforms.
P-SMS Trojan Feed — a set of Trojan hashes with corresponding context for detecting SMS Trojans ringing up premium charges for mobile users as well as enabling an attacker to steal, delete and respond to SMS messages.
Mobile Botnet Feed — a set of URLs with context covering mobile botnet C&C servers.
IP Reputation Feed — a set of IP addresses with context covering suspicious and malicious hosts.
BOTNET FEED

Description of fields
► id – unique record identifier
► mask – record covering malicious links or websites
► type – record type (matching rules differ between types)
► first_seen – date when the record was created/detected
► last_seen – date when the record was last encountered by KL users
► IP – top 10 IPs of the URL/mask within the last 3 months
► popularity – index number defining the record popularity (how many users were affected by this record); 5 is the most popular, 1 the least popular
► threat – threat name (class, platform, family, i.e. the verdict) according to Kaspersky Lab classification
► geo – top 10 countries where KL users were most affected by this record
► MD5 – top 10 MD5s of bots associated with the C&C URL/mask
► whois – domain Whois and DNS data (see separate slide for more info)

JSON format (record as shown on the slide; the quotes and missing commas of the slide have been corrected so the object is valid JSON, the abbreviated hashes and the whois object are left as the slide shows them)
{
  "id": "143348",
  "mask": "botnetccurl.com",
  "type": "1",
  "first_seen": "08.04.2014 16:45",
  "last_seen": "12.02.2015 13:56",
  "IP": "192.168.0.1",
  "popularity": "5",
  "threat": "CnC.Win32.ZBot",
  "geo": "EN,FR,RU,GE,CH",
  "files": [
    {
      "MD5": "02d78d904db1d74f51f1553b05257060",
      "SHA1": "E325E…D95379D8B4C881E2EBCD0A",
      "SHA256": "C8E6D5…7B45456DADFC3916335771"
    }
  ],
  "whois": {…}
}
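The slides say the feeds are meant to "improve your SIEM", so the practical question for a SOC is how a record like the one above is consumed. The following is an added example, not Kaspersky code and not the vendor's parser: it loads a constructed feed of two records laid out like the slide's botnet C&C record, types the fields (dates in the slide's DD.MM.YYYY HH:MM layout, popularity as an integer, MD5 list from "files"), and enriches constructed proxy log lines with the matching record. The slide only states that "matching rules are different for different types" without giving them, so the two rules used here (type "1" = domain mask covering the host and its subdomains, type "2" = host-plus-path prefix) are assumptions for the example; the feed contents, hosts, hashes and log lines are made up.

```python
import json
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample feed, shaped like the slide's botnet C&C record.
# Hosts, IPs, hashes and dates are made up for the example.
SAMPLE_FEED = json.dumps([
    {
        "id": "143348", "mask": "botnetccurl.com", "type": "1",
        "first_seen": "08.04.2014 16:45", "last_seen": "12.02.2015 13:56",
        "IP": "192.0.2.10", "popularity": "5", "threat": "CnC.Win32.ZBot",
        "geo": "EN,FR,RU,GE,CH",
        "files": [{"MD5": "02d78d904db1d74f51f1553b05257060"}],
        "whois": {},
    },
    {
        "id": "143349", "mask": "cdn.example.net/panel/gate.php", "type": "2",
        "first_seen": "01.03.2015 09:00", "last_seen": "20.03.2015 18:30",
        "IP": "198.51.100.7", "popularity": "3", "threat": "CnC.Win32.Citadel",
        "geo": "DE,FR", "files": [], "whois": {},
    },
])

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
# Line 2 is a look-alike host that must NOT match the domain mask.
SAMPLE_LOG = """\
2015-03-21T10:00:01Z 10.0.0.5 GET http://www.botnetccurl.com/gate.php 200
2015-03-21T10:00:02Z 10.0.0.9 GET http://notbotnetccurl.com/index.html 200
2015-03-21T10:00:03Z 10.0.0.7 POST http://cdn.example.net/panel/gate.php?id=7 200
2015-03-21T10:00:04Z 10.0.0.5 GET http://www.example.org/ 200
"""

DATE_FMT = "%d.%m.%Y %H:%M"  # layout of first_seen / last_seen on the slide


@dataclass
class FeedRecord:
    id: str
    mask: str
    type: str
    first_seen: datetime
    last_seen: datetime
    popularity: int
    threat: str
    geo: List[str]
    md5s: List[str]


def parse_record(raw: dict) -> FeedRecord:
    """Convert one raw feed record (all values are strings in the feed) into typed fields."""
    return FeedRecord(
        id=raw["id"],
        mask=raw["mask"].lower(),
        type=raw["type"],
        first_seen=datetime.strptime(raw["first_seen"], DATE_FMT),
        last_seen=datetime.strptime(raw["last_seen"], DATE_FMT),
        popularity=int(raw["popularity"]),
        threat=raw["threat"],
        geo=[c for c in raw.get("geo", "").split(",") if c],
        md5s=[f["MD5"].lower() for f in raw.get("files", []) if "MD5" in f],
    )


def load_feed(text: str) -> List[FeedRecord]:
    return [parse_record(r) for r in json.loads(text)]


def record_matches(rec: FeedRecord, url: str) -> bool:
    """ASSUMED per-type matching rules (the vendor's real rules are not on the slide):
    type "1": mask is a domain; matches that host or any subdomain of it.
    type "2": mask is host+path; matches when the URL's host+path starts with it."""
    parts = urlsplit(url.strip().lower())
    host = parts.hostname or ""
    if rec.type == "1":
        return host == rec.mask or host.endswith("." + rec.mask)
    if rec.type == "2":
        return (host + parts.path).startswith(rec.mask)
    return False  # unknown type: never match rather than guess


def lookup_url(url: str, feed: List[FeedRecord]) -> Optional[FeedRecord]:
    """Return the most popular matching record, or None when the URL is not in the feed."""
    hits = [r for r in feed if record_matches(r, url)]
    return max(hits, key=lambda r: r.popularity) if hits else None


def enrich_proxy_log(lines, feed: List[FeedRecord]) -> List[dict]:
    """Produce SIEM-ready alert dicts for every log line whose URL matches a feed record."""
    alerts = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines instead of stopping the pipeline
        ts, client, method, url = fields[:4]
        rec = lookup_url(url, feed)
        if rec is None:
            continue
        alerts.append({
            "timestamp": ts, "client": client, "method": method, "url": url,
            "feed_id": rec.id, "mask": rec.mask, "threat": rec.threat,
            "popularity": rec.popularity, "geo": rec.geo,
            "last_seen": rec.last_seen.isoformat(),
        })
    return alerts


if __name__ == "__main__":
    for alert in enrich_proxy_log(SAMPLE_LOG.splitlines(), load_feed(SAMPLE_FEED)):
        print(json.dumps(alert))
```

Two details matter in practice: the subdomain check requires the dot before the mask, so a look-alike such as notbotnetccurl.com does not fire on the botnetccurl.com record, and when several records cover one URL the popularity index from the feed decides which verdict the alert carries.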
TAILORED TI REPORTS

• Enterprise/Country Threat Landscape
• Vulnerabilities (OSINT)
• Cybercriminal activity: Botnets/C&C, Black market, Phishing, DDoS
• Cyberespionage campaigns

Features
• Quarterly or Monthly reports
• Analyst briefings
• Early notifications (C&C/Phishing/Vulns)
APT LANDSCAPE. KL PUBLIC ANNOUNCEMENTS
2010 2011 2012 2013 2014 2015 2016
Stuxnet
Duqu
Flame
GAUSS
Mini Flame
Red October
TeamSpy
MiniDuke
Winnti
NetTraveler
IceFog
Kimsuky
Epic Turla
Careto
DarkHotel
BlackEnergy2
Animal Farm
Crouching Yeti
Syrian EA
Regin
Cloud Atlas
Cosmic Duke
Adwind RAT
Metel
GCMAN
ACECARD
Poseidon Group
ATM Jackpotting
Equation Group
Carbanak
Desert Falcons
Duqu v2.0
Naikon
Cozy Duke
Hellsing
BlueTraveller
What's NEXT
xDedic
ProjectSauron
Op Ghoul
THREAT LOOKUP SERVICE

Indicators of compromise can be looked up via a web-based interface or via a RESTful API. The service allows the following lookups:
► MD5, SHA1 or SHA256
► URLs or domains
► IP addresses

The service displays whether the object is in the Good, Bad or Unknown zone while providing a rich set of contextual data to answer the who, what, where and when questions that help you make timely decisions and take action.

KASPERSKY THREAT LOOKUP SERVICE: WEB-BASED ACCESS TO KL DATA ON MALICIOUS AND CLEAN OBJECTS

Example of metadata on files (hashes)
  Hash: 0x1C06CCEF030CAE94B2A0D6B1DEDE12F5
  Threat names:
    Backdoor.Win32.Androm.rgx (Kaspersky)
    Backdoor:Win32/Fynloski.A (Microsoft)
    TR/Rogue.1008839 (Avira)
  Geography: South Africa (38%), Australia (31%), Indonesia (14%), China (10%), Vietnam (7%)
  URLs that host this file:
    http://www.jcdc.gov.jm/uploads/firefox.exe
    http://shell32.tk/firefox.exe
  File names and paths: Firefox.exe, %System Folder%
  Applications that execute or download this file:
    0x4e9592bb2c100e571f82640e59e9ecd5
    0x32732cede2a1106b736ef3d84054ee04
  Prevalence data:
    First appearance date: 24.05.2013
    Last seen date: 30.05.2013
    Total number of users: 48

Example of metadata on domains/URLs
  Host: jcdc.gov.jm
  Files on this host:
    0x1C06CCEF030CAE94B2A0D6B1DEDE12F5
    0xA6FF0E175ACC7AAA3C2A855E44B11E3B
    0xED3453757622106E1570E563D3BA6442
    0x52FDEE2DA05D97BD51EDD214AC673056
  URLs on this host:
    http://jcdc.gov.jm/uploads/firefox.exe
    http://www.jcdc.gov.jm/uploads/firefox.exe
  Threats on this host:
    Backdoor.Win32.Androm.rgx
    Backdoor.Win32.Androm.skh
    Exploit.Script.Blocker.U
  Related IPs:
    209.185.253.187
    209.185.253.188
    216.239.33.100
    216.239.35.100
    216.239.37.100
  WHOIS info:
    Domain ID: D503300000004973840-LRMS
    Creation Date: 2016-02-14T04:10:04Z
    Registry Expiry Date: 2017-02-14T04:10:04Z
    Registrant Name: Chen Shao
    Registrant Email: [email protected]
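The lookup service accepts hashes, URLs or domains, and IPs, and answers with a Good, Bad or Unknown zone plus context; before an analyst (or a SOAR playbook) can query such a service, the raw indicator pulled from a ticket has to be recognised and canonicalised, and a URL that is not known itself should still be judged by its host. The following is an added example, not Kaspersky code and not the service's API (which is not described on the slides): it classifies an indicator by shape (hash by hex length with the 0x prefix the slides print, IP, URL, domain), canonicalises it, and resolves it against a small local verdict store. That store is constructed for the example; its Bad entries reuse the hash, domain and URL shown on the slides, while the Good entry and the hypothetical parent-domain fallback logic are assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

HEX = re.compile(r"^(0x)?([0-9a-f]+)$", re.IGNORECASE)
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

# Constructed local verdict store standing in for the lookup service's answer.
# The Bad entries reuse values printed on the slides; the Good entry is the MD5
# of an empty file and is only here so that all three zones can be exercised.
VERDICTS: Dict[Tuple[str, str], dict] = {
    ("md5", "1c06ccef030cae94b2a0d6b1dede12f5"): {
        "zone": "Bad", "context": {"threat": "Backdoor.Win32.Androm.rgx", "users": 48}},
    ("domain", "jcdc.gov.jm"): {
        "zone": "Bad", "context": {"threats": ["Backdoor.Win32.Androm.rgx",
                                               "Backdoor.Win32.Androm.skh",
                                               "Exploit.Script.Blocker.U"]}},
    ("url", "http://shell32.tk/firefox.exe"): {
        "zone": "Bad", "context": {"hosts_file": "1c06ccef030cae94b2a0d6b1dede12f5"}},
    ("md5", "d41d8cd98f00b204e9800998ecf8427e"): {
        "zone": "Good", "context": {"note": "constructed clean entry"}},
}


def classify_indicator(raw: str) -> Tuple[str, str]:
    """Return (kind, canonical value) for a hash, IP, URL or domain.
    Hashes lose an optional 0x prefix and are lowercased; URLs keep scheme, host
    and path only; domains are lowercased. Raises ValueError for anything else."""
    s = raw.strip()
    m = HEX.match(s)
    if m and len(m.group(2)) in HASH_LENGTHS:
        return HASH_LENGTHS[len(m.group(2))], m.group(2).lower()
    try:
        return "ip", str(ipaddress.ip_address(s))
    except ValueError:
        pass
    if "://" in s:
        parts = urlsplit(s)
        if not parts.hostname:
            raise ValueError(f"URL without host: {raw!r}")
        return "url", f"{parts.scheme.lower()}://{parts.hostname}{parts.path or '/'}"
    if DOMAIN.match(s.lower()):
        return "domain", s.lower()
    raise ValueError(f"unrecognised indicator: {raw!r}")


def _domain_chain(host: str) -> List[str]:
    """host and its parent domains, stopping before the bare TLD."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def lookup(raw: str) -> dict:
    """Resolve an indicator to a zone. A URL not known by itself falls back to its
    host, and a host falls back to its parent domains (assumed fallback order)."""
    kind, value = classify_indicator(raw)
    candidates: List[Tuple[str, str]] = [(kind, value)]
    if kind == "url":
        candidates += [("domain", d) for d in _domain_chain(urlsplit(value).hostname)]
    elif kind == "domain":
        candidates += [("domain", d) for d in _domain_chain(value)[1:]]
    for key in candidates:
        hit = VERDICTS.get(key)
        if hit:
            return {"indicator": value, "kind": kind, "zone": hit["zone"],
                    "matched_on": key, "context": hit["context"]}
    return {"indicator": value, "kind": kind, "zone": "Unknown",
            "matched_on": None, "context": {}}


if __name__ == "__main__":
    for ioc in ("0x1C06CCEF030CAE94B2A0D6B1DEDE12F5", "216.239.33.100",
                "http://www.jcdc.gov.jm/uploads/firefox.exe", "shell32.tk"):
        print(ioc, "->", lookup(ioc)["zone"])
```

The "Unknown" zone is returned explicitly rather than treated as clean, which mirrors the three-zone model on the slide and keeps a playbook from auto-closing a ticket just because an indicator has not been seen yet.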