Effective Threat Defence against prof. Cyberattacks Detlev Narr, Sr. Consultant Threat Intelligence Services


Post on 06-Mar-2018



KASPERSKY LAB – Advanced Threat Research

325,000 new malicious files are identified by Kaspersky Lab every day.

Our international research and analysis team of security specialists continuously investigates and combats highly sophisticated cyberthreats.

EXPERTISE

1/3 of our employees are R&D specialists

45 world-leading security experts: our elite team

https://www.NoMoreRansom.org

https://SecureList.com

Some of our key discoveries

Campaigns (slide columns, left to right): FLAME, GAUSS, RED OCTOBER, CARETO / THE MASK, REGIN, EQUATION, DUQU 2.0

Classification (cells in slide order): cyber-espionage malware; cyber-espionage operations; series of cyber-espionage operations; campaigns; complex platform for cyberattacks

Detection (cells in slide order): May 2012; July 2012; January 2013; February 2014; spring 2012; 2014; 2015

Active since (cells in slide order): 2007; 2012; 2004; 2014; 2003; 2002; 2014

FLAME
Description: spreads via local networks or removable media; records screenshots, audio, keystrokes and network traffic; highly sophisticated toolkit with modules that perform a range of functions.
Target groups: > 600 selected targets.

GAUSS
Target groups: most of the victims were located in Lebanon.

RED OCTOBER
Description: one of the first massive, globally executed cyber-espionage operations; the code comments contain text in Russian.
Target groups: 101-500 diplomats and government agencies.

CARETO / THE MASK
Description: complex toolset with malware, rootkit and bootkit, considered one of the most sophisticated APT attacks to date; attacks devices running Windows, Mac OS X & Linux.
Target groups: > 10,000 victims in 31 countries.

REGIN
Description: the first cyberattack platform that, alongside other "standard" espionage tasks, was also used to monitor GSM networks.
Target groups: up to 100 victims in telecommunications companies, government bodies, international organisations etc.

EQUATION
Description: Equation malware is able to infect hard-drive firmware; it uses "interdiction" techniques for infection and imitates criminal malware.
Target groups: up to 1,000 high-profile victims from the nanotechnology and nuclear sectors as well as activists, mass media and others.

DUQU 2.0
Description: a highly sophisticated malware platform that exploits up to three zero-day vulnerabilities.
Target groups: malware infections connected to the 5+1 talks and to venues of high-profile meetings between heads of state.

SECURITY INTELLIGENCE SERVICES

SERVICES MAP

SECURITY EDUCATION
• Cybersecurity Awareness & Fundamentals
• Digital Forensics
• Malware Analysis & Reverse Engineering

INVESTIGATION SERVICES
• Malware Analysis
• Digital Forensics
• Incident Response

THREAT INTELLIGENCE INFORMATION
• Threat Data Feeds (expanding)
• APT Threat Intelligence Portal
• Client Specific Reporting
• Kaspersky Threat Lookup (KTL)

SECURITY ASSESSMENT
• Pen Testing
• Security Assessment (incl. ATM, POS, SCADA or ICS)

CYBERSECURITY EDUCATION

• KIPS – short business simulation game – for Senior Managers
• CyberSafety Games – face-to-face motivational training – for Line Managers
• Online Training Platform – computer-based on-access trainings – for All Employees
• Cybersecurity for Experts – classroom trainings – for CERT and SOC staff

CYBERSECURITY EXERCISES

http://www.digitalqatar.qa/en/2015/12/16/let-the-cyber-games-commence/

THREAT INTELLIGENCE TO SUPPORT CERT & SOCs

Be one of the first to receive reports about discovered APTs.

Improve your SIEM with KL intelligence data feeds:

• Malicious URLs
• Phishing URLs
• Botnet C&C URLs
• Malware Hashes
• Mobile Malware Hashes
• P-SMS Trojan Feed
• Mobile Botnet C&C URLs
• IP Reputation

Get early warning about threats targeting your organization or your clients:

• Detailed information on how to identify the threat in your network
• Updates with newly uncovered data
• Subscription to the repository of Global Targeted Attacks discovered by Kaspersky Lab

THREAT DATA FEEDS

DATA FEEDS IN JSON FORMAT

Available Data Feeds

Malicious URL Feed – a set of URL masks with context covering malicious links and websites.

Phishing URL Feed – a set of URL masks with context covering phishing links and websites.

Botnet C&C URL Feed – a set of URL masks with context covering desktop botnet C&C servers and related malicious objects.

Malicious Hash Feed – a set of file hashes with corresponding context covering the most dangerous, prevalent and emerging malware.

Mobile Malicious Hash Feed – a set of file hashes with corresponding context for detecting malicious objects that infect the mobile Android and iPhone platforms.

P-SMS Trojan Feed – a set of Trojan hashes with corresponding context for detecting SMS Trojans that ring up premium charges for mobile users and enable an attacker to steal, delete and respond to SMS messages.

Mobile Botnet Feed – a set of URLs with context covering mobile botnet C&C servers.

IP Reputation Feed – a set of IP addresses with context covering suspicious and malicious hosts.

BOTNET FEED

Description of fields

► id – unique record identifier
► mask – record covering malicious links or websites
► type – record type (matching rules differ between types)
► first_seen – date when the record was created/detected
► last_seen – date when the record was last encountered by KL users
► IP – top 10 IPs of the URL/mask within the last 3 months
► popularity – index number defining the record popularity (how many users were affected by this record); 5 is the most popular, 1 the least popular
► threat – threat name (class, platform, family, i.e. the verdict) according to Kaspersky Lab classification
► geo – top 10 countries where KL users were most affected by this record
► MD5 – top 10 MD5s of bots associated with the C&C URL/mask
► whois – domain Whois and DNS data (see separate slide for more info)

JSON format (example record)

{
  "id": "143348",
  "mask": "botnetccurl.com",
  "type": "1",
  "first_seen": "08.04.2014 16:45",
  "last_seen": "12.02.2015 13:56",
  "IP": "192.168.0.1",
  "popularity": "5",
  "threat": "CnC.Win32.ZBot",
  "geo": "EN,FR,RU,GE,CH",
  "files": [
    {
      "MD5": "02d78d904db1d74f51f1553b05257060",
      "SHA1": "E325E…D95379D8B4C881E2EBCD0A",
      "SHA256": "C8E6D5…7B45456DADFC3916335771"
    }
  ],
  "whois": {…}
}
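The slide describes the feed record layout but not how a SOC consumes it. The following is an added example, not Kaspersky Lab code: it loads records in the field layout shown above, indexes them by mask and by file hash, and enriches proxy log lines with the feed context (threat, popularity, record id). The slide does not state the matching rule for each "type", so the example assumes (labelled in the code) that type "1" masks name a host and match that host or any subdomain of it; the feed records, hashes and log lines are constructed for the demonstration.

```python
"""Matching botnet C&C URL feed records against proxy logs and file hashes.

Added example, not Kaspersky Lab code. Records follow the field layout from
the slide (id, mask, type, first_seen, last_seen, IP, popularity, threat, geo,
files, whois). ASSUMPTION: type "1" means the mask names a host and a URL
matches when its host is that name or a subdomain of it. All records, hashes
and log lines below are constructed.
"""
import json
from urllib.parse import urlsplit

# Constructed feed records in the slide's JSON layout (all values invented).
FEED_JSON = """[
  {"id": "900001", "mask": "botnetccurl.example", "type": "1",
   "first_seen": "08.04.2014 16:45", "last_seen": "12.02.2015 13:56",
   "IP": "192.0.2.10", "popularity": "5", "threat": "CnC.Win32.ZBot",
   "geo": "EN,FR,RU,GE,CH",
   "files": [{"MD5": "0123456789abcdef0123456789abcdef",
              "SHA1": "0123456789abcdef0123456789abcdef01234567",
              "SHA256": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}],
   "whois": {}},
  {"id": "900002", "mask": "cnc.example.net", "type": "1",
   "first_seen": "01.01.2015 00:00", "last_seen": "02.02.2015 00:00",
   "IP": "192.0.2.20", "popularity": "2", "threat": "CnC.AndroidOS.Example",
   "geo": "DE", "files": [], "whois": {}}
]"""

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
LOG_LINES = [
    "2015-02-12T13:55:01Z 10.0.0.5 GET http://update.botnetccurl.example/gate.php 200",
    "2015-02-12T13:55:07Z 10.0.0.7 GET http://www.example.org/index.html 200",
    "2015-02-12T13:55:09Z 10.0.0.9 POST http://notbotnetccurl.example/ 200",
    "2015-02-12T13:55:12Z 10.0.0.5 GET http://CNC.EXAMPLE.NET:8080/c 404",
]


def load_feed(text):
    """Parse the feed and index it: host masks by name, file hashes by value."""
    records = json.loads(text)
    by_mask, by_hash = {}, {}
    for rec in records:
        if rec["type"] == "1":           # assumed host/subdomain rule (see module docstring)
            by_mask[rec["mask"].lower()] = rec
        for f in rec.get("files", []):
            for algo in ("MD5", "SHA1", "SHA256"):
                if algo in f:
                    by_hash[f[algo].lower()] = rec
    return {"by_mask": by_mask, "by_hash": by_hash}


def match_host(host, feed):
    """Return the record whose mask equals host or a parent domain of it, else None.

    Walking label suffixes ("a.b.c" -> "a.b.c", "b.c", "c") avoids the classic
    endswith() bug where "notbotnetccurl.example" would match "botnetccurl.example".
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rec = feed["by_mask"].get(".".join(labels[i:]))
        if rec is not None:
            return rec
    return None


def check_proxy_log(lines, feed):
    """Enrich proxy log lines with feed context; return one alert dict per hit."""
    alerts = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue                      # malformed line: skip rather than crash
        ts, client, _method, url = fields[:4]
        host = urlsplit(url).hostname     # lower-cased, port stripped
        if not host:
            continue
        rec = match_host(host, feed)
        if rec is None:
            continue
        alerts.append({
            "time": ts, "client": client, "host": host,
            "mask": rec["mask"], "threat": rec["threat"],
            "popularity": int(rec["popularity"]), "feed_id": rec["id"],
        })
    return alerts


def check_hashes(observed, feed):
    """Map observed file hashes (any case) to the threat name of their C&C record."""
    hits = {}
    for h in observed:
        rec = feed["by_hash"].get(h.lower())
        if rec is not None:
            hits[h] = rec["threat"]
    return hits


if __name__ == "__main__":
    feed = load_feed(FEED_JSON)
    for a in check_proxy_log(LOG_LINES, feed):
        print(f"[{a['time']}] {a['client']} -> {a['host']} matches {a['mask']} "
              f"({a['threat']}, popularity {a['popularity']}, record {a['feed_id']})")
    print(check_hashes(["0123456789ABCDEF0123456789ABCDEF"], feed))
```

Two of the four constructed log lines hit: the subdomain of a masked host and the upper-cased host with a port. The look-alike host that merely ends in the mask text does not, which is the point of matching on whole labels rather than string suffixes.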

Threat Intelligence Reporting

CUSTOMER SPECIFIC REPORTING

TAILORED TI REPORTS

• Enterprise/Country Threat Landscape
• Vulnerabilities (OSINT)
• Cybercriminal activity: Botnets/C&C, Black market, Phishing, DDoS
• Cyberespionage campaigns

Features: quarterly or monthly reports; analyst briefings; early notifications (C&C/Phishing/Vulns)

APT INTELLIGENCE PORTAL

APT LANDSCAPE. KL PUBLIC ANNOUNCEMENTS

Timeline 2010–2016 (names in the order they appear on the slide): Stuxnet, Duqu, Flame, Gauss, MiniFlame, Red October, TeamSpy, MiniDuke, Winnti, NetTraveler, IceFog, Kimsuky, Epic Turla, Careto, DarkHotel, BlackEnergy2, Animal Farm, Crouching Yeti, Syrian EA, Regin, Cloud Atlas, CosmicDuke, Adwind RAT, Metel, GCMAN, ACECARD, Poseidon Group, ATM Jackpotting, Equation Group, Carbanak, Desert Falcons, Duqu v2.0, Naikon, CozyDuke, Hellsing, BlueTraveller, xDedic, ProjectSauron, Op Ghoul; what's next?

GReAT APT Threat Intel Portal

European Strategic Session

KASPERSKY THREAT LOOKUP SERVICE

THREAT LOOKUP SERVICE

Indicators of compromise can be looked up via a web-based interface or via a RESTful API. The service supports the following lookups:

► MD5, SHA1 or SHA256 hashes
► URLs or domains
► IP addresses

The service displays whether the object is in the Good, Bad or Unknown zone while providing a rich set of contextual data to answer the who, what, where and when questions, helping you to make timely decisions and take action.

KASPERSKY THREAT LOOKUP SERVICE – WEB-BASED ACCESS TO KL DATA ON MALICIOUS AND CLEAN OBJECTS

Example of metadata on files (hashes)

Hash: 0x1C06CCEF030CAE94B2A0D6B1DEDE12F5
Threat names: Backdoor.Win32.Androm.rgx (Kaspersky); Backdoor:Win32/Fynloski.A (Microsoft); TR/Rogue.1008839 (Avira)
Geography: South Africa (38%), Australia (31%), Indonesia (14%), China (10%), Vietnam (7%)
URLs that host this file: http://www.jcdc.gov.jm/uploads/firefox.exe; http://shell32.tk/firefox.exe
File names and paths: Firefox.exe; %System Folder%
Applications that execute or download this file: 0x4e9592bb2c100e571f82640e59e9ecd5; 0x32732cede2a1106b736ef3d84054ee04
Prevalence data: first appearance date 24.05.2013; last seen date 30.05.2013; total number of users 48

Example of metadata on domains/URLs

Host: jcdc.gov.jm
Files on this host: 0x1C06CCEF030CAE94B2A0D6B1DEDE12F5; 0xA6FF0E175ACC7AAA3C2A855E44B11E3B; 0xED3453757622106E1570E563D3BA6442; 0x52FDEE2DA05D97BD51EDD214AC673056
URLs on this host: http://jcdc.gov.jm/uploads/firefox.exe; http://www.jcdc.gov.jm/uploads/firefox.exe
Threats on this host: Backdoor.Win32.Androm.rgx; Backdoor.Win32.Androm.skh; Exploit.Script.Blocker.U

Example of metadata on domains/URLs (second slide)

Related IPs: 209.185.253.187; 209.185.253.188; 216.239.33.100; 216.239.35.100; 216.239.37.100
WHOIS info: Domain ID D503300000004973840-LRMS; Creation Date 2016-02-14T04:10:04Z; Registry Expiry Date 2017-02-14T04:10:04Z; Registrant Name Chen Shao; Registrant Email [email protected]
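The lookup slides list the indicator types the service accepts (MD5/SHA1/SHA256, URLs or domains, IP addresses) and the Good/Bad/Unknown zone it returns, but not the client-side work of getting indicators out of raw evidence and into a query. The following added example, which is not Kaspersky Lab code and not a client for its API, covers that part: it recognises each indicator type in free-text log lines, canonicalises it (hashes lower-cased with the "0x" prefix the slides show stripped, an IPv4 ":port" suffix removed, non-global addresses dropped because no reputation service can know a 10.0.0.0/8 host), de-duplicates, queries each indicator once through a cache and tallies the zones. The log lines, the fetch function and its answers are constructed stand-ins; the real request and response format is not on the slide.

```python
"""Preparing indicators for a threat lookup and summarising the verdicts.

Added example, not Kaspersky Lab code and not a client for its API. The
fetch function and every answer it returns are constructed; only the
indicator kinds (md5/sha1/sha256, url, domain, ip) and the Good/Bad/Unknown
zones come from the slide.
"""
import ipaddress
import re
from urllib.parse import urlsplit

HEX_RE = re.compile(r"^(?:0x)?([0-9a-fA-F]+)$")
IPV4_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\.?$", re.I)
HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed log lines; hashes and hosts are invented, one IP reuses the slide's example.
SAMPLE_LINES = [
    "2013-05-24 10:02:11 host=ws17 user=alice download http://www.dropper.example/uploads/firefox.exe",
    "2013-05-24 10:02:12 host=ws17 md5=0x00112233445566778899AABBCCDDEEFF path=%System Folder%\\firefox.exe",
    "2013-05-24 10:02:15 host=ws17 connect 203.0.113.9 -> 209.185.253.187:443",
    "2013-05-24 10:02:16 host=ws17 connect 10.0.0.5 -> 10.0.0.1:53",
    "2013-05-24 10:02:20 host=ws18 sha256=00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff dns=shell32.example",
]


def classify_indicator(raw):
    """Return (kind, canonical value) for a lookup-able indicator, else None."""
    token = raw.strip().strip(",;\"'()[]<>")
    m = HEX_RE.match(token)
    if m and len(m.group(1)) in HASH_KIND:
        return HASH_KIND[len(m.group(1))], m.group(1).lower()
    m = IPV4_RE.match(token)              # tolerates a trailing ":port"
    if m:
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            return None
        # RFC 1918, loopback, link-local and documentation ranges have no global reputation.
        return ("ip", str(ip)) if ip.is_global else None
    if "://" in token:
        return ("url", token) if urlsplit(token).hostname else None
    if DOMAIN_RE.match(token):
        return "domain", token.lower().rstrip(".")
    return None


def collect_indicators(lines):
    """Scan free-text log lines; return {kind: sorted unique canonical values}."""
    found = {}
    for line in lines:
        for tok in re.split(r"[\s=]+", line):   # "key=value" pairs split too
            hit = classify_indicator(tok)
            if hit:
                found.setdefault(hit[0], set()).add(hit[1])
    return {k: sorted(v) for k, v in found.items()}


def lookup_all(indicators, fetch, cache):
    """Query each (kind, value) once via fetch(kind, value) and tally the zones.

    `cache` is a dict the caller keeps between runs, so re-triaging the same
    evidence does not spend API quota again. Returns {zone: count}.
    """
    counts = {"Good": 0, "Bad": 0, "Unknown": 0}
    for kind, values in indicators.items():
        for value in values:
            key = (kind, value)
            if key not in cache:
                cache[key] = fetch(kind, value)
            zone = cache[key].get("zone", "Unknown")
            counts[zone] = counts.get(zone, 0) + 1
    return counts


# Constructed stand-in for the service; verdicts and context are invented.
FAKE_ANSWERS = {
    ("md5", "00112233445566778899aabbccddeeff"): {"zone": "Bad", "threat": "Backdoor.Win32.Example.a", "users": 48},
    ("sha256", "00112233445566778899aabbccddeeff" * 2): {"zone": "Good"},
    ("domain", "shell32.example"): {"zone": "Bad", "threats": ["Backdoor.Win32.Example.a"]},
    ("url", "http://www.dropper.example/uploads/firefox.exe"): {"zone": "Bad"},
}


def fake_fetch(kind, value):
    """Stand-in for the real lookup call: anything not in FAKE_ANSWERS is Unknown."""
    return FAKE_ANSWERS.get((kind, value), {"zone": "Unknown"})


if __name__ == "__main__":
    indicators = collect_indicators(SAMPLE_LINES)
    print(indicators)
    print(lookup_all(indicators, fake_fetch, cache={}))
```

On the constructed lines this yields five indicators (one md5, one sha256, one URL, one domain, one global IP); the two RFC 1918 addresses and the TEST-NET address are discarded before any query, and a second run with the same cache performs no further fetches.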


KICS – Kaspersky Industrial Cyber Security

KESS – Kaspersky Embedded Systems Security

Thank you for your attention!

Talk to us in Hall 6, Stand H 18