![Page 1: Fight Back Against Java Exploits, Spear-Phishing, Watering Hole Attacks, Drive-by Downloads, Scare-ware, Ransomware, Social Networking Worms…ah…. CHADD](https://reader038.vdocuments.mx/reader038/viewer/2022110116/551702b455034603568b5054/html5/thumbnails/1.jpg)
Fight Back Against Java Exploits, Spear-Phishing, Watering Hole Attacks, Drive-by Downloads, Scare-ware, Ransomware, Social Networking Worms…ah….
CHADD MILTON
Riddle Me This…
Hint: Aka – FRAN or STAN
‘11, ‘12 and ’13 (so far) bloodiest years on record…
• “White House” eCard (spear-phishing)
• HBGary Federal (social engineering)
• Night Dragon (spear-phishing)
• London Stock Exchange website (watering hole)
• French Finance Ministry (spear-phishing)
• DuPont, J&J, GE (spear-phishing)
• Charlieware (poisoned SEO)
• Nasdaq (spear-phishing)
• Office of the Australian Prime Minister (spear-phishing)
• RSA (spear-phishing)
• Epsilon (spear-phishing)
• Barracuda Networks (spear-phishing)
• Oak Ridge National Labs (spear-phishing)
• Lockheed Martin (spear-phishing)
• Northrop Grumman (spear-phishing)
• Gannett Military Publications (spear-phishing)
• PNNL (spear-phishing)
• ShadyRAT (spear-phishing)
• DIB and IC campaign (spear-phishing)
• ‘Voho’ campaign (watering holes and spear-phishing)
• ‘Mirage’ campaign (spear-phishing)
• ‘Elderwood’ campaign (spear-phishing)
• White House Military Office (spear-phishing)
• Telvent compromise (spear-phishing)
• Council on Foreign Relations (watering hole)
• Capstone Turbine (watering hole)
• Red October (spear-phishing)
• Speedtest.net (watering hole/drive-by)
• DoE (spear-phishing)
• Federal Reserve (spear-phishing)
• Bit9 (TBD)
• NYT, WSJ, WaPo (spear-phishing)
• Apple, Microsoft, Facebook (watering hole)
• National Journal (watering hole)
• FemmeCorp (watering holes)
• South Korea (spear-phishing)
• 11 Energy Firms (spear-phishing)
Cannot keep this slide up to date…
A Problem of Pandemic Proportions
Competitive Futures Are at Stake
“Theirs” Ours
The good news is…they’re stealing petabytes worth of data…
The bad news is…in time, they’ll have sorted through it all
The Primary Target – The Unwitting Accomplices
The #1 Attack Vector = The User
• Ubiquitous usage of Internet and email has enabled adversaries to shift tactics
• Prey on human psychology
• Spear Phishing – The New Black
  • Weaponized attachments
• Drive-by Downloads
  • Malicious sites
• Watering Hole Attacks
  • Hijacked trusted sites
• Trust in social networks
  • Facebook, Twitter, LinkedIn
• Faith in Internet search engines
  • Poisoned SEO
• User-Initiated Infections
  • Fake A/V and fear mongering
Alarming Malware Statistics
• 280 million malicious programs detected in April 2012*
• 80,000+ new malware variants daily**
• 134 million web-borne infections detected (48% of all threats) in April 2012*
• 24 million malicious URLs detected in April 2012*
• 30,000+ new malicious URLs daily**
• 95% of APTs involve spear-phishing***
• Organizations witnessing an average of 643 malicious URL events per week***
• 225% increase from 2012***
Sources: * Kaspersky April 2012 Threat Report; ** Panda Labs Q1 2012 Internet Threat Report; *** FireEye September 2012 Advanced Threats Report; **** Both Mandiant and Trend Micro 2013 reports
KIA – Mandiant “APT-2” Spear-Phish
www.invincea.com/blog or https://www.invincea.com/2013/02/mandiant-report-spear-phishing-campaign-kia-with-invincea-cve-2011-0611/
Java - Getting Bullied…
Enterprise Security Architecture for Addressing APT
(Table: control, % In Use | % Confidence*. Rows: Firewalls/Web Proxies, Network Controls, Anti-Virus, Forensics and IR, User Training; the ten percentages shown on the slide, in slide order: 84%, 66%, 34%, 92%, 64%, 31%, 55%, 52%, 17%, 40%. App Whitelisting: 22% in use | 49% confidence.)
*Invincea APT Survey Q4 2012
Einstein’s Definition of Insanity
Security Insanity Cycle:
• Patching software as vulnerabilities are made public
• Detecting intruders and infected systems after the fact
• Recovering and restoring the infected machines back to a clean state
Addressing the Critical Vulnerability in Java 7
“Uninstall Java…”
Addressing the Critical Vulnerability in IE
“Stop Using IE…”
Addressing the Pandemic of Spear-Phishing
“Don’t Click on Links You Don’t Trust…”
An Alternative to Bad Advice
Not quite…but pretty darn close…
Rethink Security
If…you could negate user error
And…contain malware in a virtual environment
And…stop zero-days in their tracks without signatures
Then…preventing APTs would be possible
“Making Prevention Possible Again”
Solve the User Problem
(Diagram: Protect the User – SOC, Server Appliance, Enterprise Endpoint, Application & Data Collection)
Contain the Contaminants
• Prevention – Protect every user and the network from their error
• Detection – Detect zero-day attacks without signatures
• Pre-Breach Forensics – Feed actionable forensic intelligence without the breach
Mapping the APT Kill Chain
Stage 1: Reconnaissance – Research the target
Stage 2: Attack Delivery – Spear-phish with URL links and/or attachment
Stage 3: Client Exploit & Compromise – Vulnerability exploited or user tricked into running executable
Stage 4: C2 – Remote command and control
Stage 5: Internal Recon – Scan network for targets
Stage 6: Lateral Movement – Colonize network
Stage 7: Establish Persistence – Root presence to re-infect as machines are remediated
Stage 8: Stage Data & Exfil – Archive/encrypt, leak to drop sites
Stage 9: Incident Response – Analysis, remediation, public relations, damage control
Invincea – Breaking the APT Workflow
Containment | Detection | Prevention | Intelligence
• Highly targeted apps run in contained environment
• Behavioral based detection spots all malware including 0-days
• Automatic kill and remediation to clean state
• Forensic intelligence on thwarted attacks fed to broader infrastructure
Threat Data Server
Real World Results 0days K.I.A.
KIA – Speedtest.net Drive-by (Java 7 CVE-2013-0422)
Drive-by Download/Watering Hole Attack Thwarted by Invincea
• Exploit running for days on Speedtest.net website (boasts 4 BILLION+ visits)
• Whitelisted or blacklisted website? More than likely whitelisted
• Increasingly common poisoning tactic from adversaries
• Detected without signatures, immediately killed and forensically analyzed by Invincea
www.invincea.com/blog or http://www.invincea.com/2013/02/popular-site-speedtest-net-compromised-by-exploitdrive-by-stopped-by-invincea/
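The two slides above make one practical point between them: the "Contain the Contaminants" slide promises detection of zero-days without signatures, and the Speedtest.net case shows why that matters, since a compromised but whitelisted site sails past URL reputation and the Java exploit had no AV signature. The example below is added here for this page and is not Invincea's product code or anything from the original deck. It replays constructed endpoint telemetry (process creations with parent pid, plus file writes) and alerts when a process descended from a browser or the Java plug-in launcher either spawns a shell/LOLBin or executes a binary that was just dropped into a user-writable directory. The Event fields, the process-name sets, the path list and the sample events are all assumptions made for the example.

```python
"""Added example (not from the original deck or from Invincea): a
signature-free, behaviour-based check for a browser/plug-in drive-by,
driven by process lineage instead of file hashes or URL reputation.
The telemetry shape (Event), the name sets and the sample events are
this example's own assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Event:
    ts: int
    kind: str            # "process" (creation) or "file" (write)
    pid: int             # pid of the created process, or of the writer
    ppid: int            # parent pid (process events only; 0 for file events)
    image: str           # full path of the executable
    target: str = ""     # file events: path that was written


# Processes that render untrusted web content: browsers plus the Java
# plug-in launcher the JRE spawns under them (assumed list).
WEB_FACING = {"chrome.exe", "iexplore.exe", "firefox.exe",
              "java.exe", "javaw.exe", "jp2launcher.exe"}
# Interpreters/LOLBins a web-facing process has no business spawning.
SHELL_LIKE = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
              "rundll32.exe", "regsvr32.exe", "mshta.exe"}
# Where a drive-by payload typically lands: writable without admin rights.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def web_facing_ancestor(ppid: int, procs: Dict[int, Event],
                        max_depth: int = 5) -> Optional[Event]:
    """Walk up the process tree; return the nearest web-facing ancestor, if any."""
    cur = procs.get(ppid)
    for _ in range(max_depth):
        if cur is None:
            return None
        if basename(cur.image) in WEB_FACING:
            return cur
        cur = procs.get(cur.ppid)
    return None


def analyze(events: List[Event]) -> List[dict]:
    """Replay events in time order; return one alert per suspicious process."""
    procs: Dict[int, Event] = {}
    writes: Dict[str, Tuple[int, int]] = {}   # lowercase path -> (writer pid, ts)
    alerts: List[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "file":
            writes[ev.target.lower()] = (ev.pid, ev.ts)
            continue
        procs[ev.pid] = ev
        anc = web_facing_ancestor(ev.ppid, procs)
        if anc is None:
            continue                      # not descended from web-facing code
        name, image = basename(ev.image), ev.image.lower()
        if name in SHELL_LIKE:
            alerts.append({"rule": "web_facing_spawned_shell", "pid": ev.pid,
                           "image": ev.image, "ancestor": anc.image})
        elif any(seg in image for seg in USER_WRITABLE):
            writer, wts = writes.get(image, (None, None))
            # Strongest signal: the payload was written by the web-facing
            # lineage moments earlier, then executed from user space.
            alerts.append({"rule": "web_facing_ran_dropped_exe", "pid": ev.pid,
                           "image": ev.image, "ancestor": anc.image,
                           "written_by_pid": writer, "written_at": wts})
    return alerts


# Constructed sample: a drive-by through the Java plug-in, then a benign
# download that the user launches from Explorer (should not alert).
SAMPLE_EVENTS = [
    Event(1, "process", 100, 1, r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    Event(2, "process", 200, 100, r"C:\Program Files\Java\jre7\bin\jp2launcher.exe"),
    Event(3, "file", 200, 0, r"C:\Program Files\Java\jre7\bin\jp2launcher.exe",
          r"C:\Users\bob\AppData\Local\Temp\update.exe"),
    Event(4, "process", 300, 200, r"C:\Users\bob\AppData\Local\Temp\update.exe"),
    Event(5, "process", 400, 300, r"C:\Windows\System32\cmd.exe"),
    Event(6, "process", 500, 1, r"C:\Windows\explorer.exe"),
    Event(7, "file", 100, 0, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          r"C:\Users\bob\Downloads\setup.exe"),
    Event(8, "process", 600, 500, r"C:\Users\bob\Downloads\setup.exe"),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The benign tail of the sample (chrome.exe writes setup.exe to Downloads, the user starts it from explorer.exe) raises nothing: the trigger is the execution lineage, not the download, which is what keeps a rule like this tolerable on real endpoints. It is still a heuristic; a JRE auto-updater or a browser's own installer helper would need an allow-list entry.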
KIA – Adobe Flash CVE-2013-0634
Weaponized Office Document (Word) Used to Spread Adobe 0day (CVE-2013-0634)
• Spoofed document looking like IEEE as the author (community of interest being targeted)
• No protection from anti-virus given 0day nature
• Increasingly common poisoning tactic from adversaries
• Detected without signatures, immediately killed and forensically analyzed by Invincea
www.invincea.com/blog or http://www.invincea.com/2013/02/exploit-down-analysis-and-protection-against-adobe-flash-exploit-cve-2013-0634/
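The delivery in this case, a Word document carrying an embedded Flash object, is the same pattern behind the CVE-2011-0611 spear-phish on the earlier slide. A signature for the particular exploit is not needed to triage it: a business document that contains an SWF at all is the anomaly. The example below is added for this page and is not Invincea's code or anything from the original deck. It scans OOXML files (zip members, embedded objects included) and falls back to a raw byte scan for legacy OLE/CFB .doc/.xls files, looking for the 8-byte SWF header (FWS/CWS/ZWS, version byte, little-endian uncompressed length). The plausibility limits on version and length, the member layout assumed for the constructed .docx, and the sample documents themselves are assumptions made for the example.

```python
"""Added example (not from the original deck or from Invincea): content-based
triage for "Flash inside an Office document" delivery, as used for
CVE-2013-0634 and CVE-2011-0611. Flags any embedded SWF rather than one
exploit. Sample documents are constructed in memory; the sanity limits on
the SWF header are this example's own choice."""
import io
import struct
import zipfile
from typing import List, Tuple

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")        # uncompressed, zlib, LZMA SWF
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MAX_SWF_LEN = 64 * 1024 * 1024              # assumed upper bound on a real SWF


def find_swf_headers(blob: bytes) -> List[Tuple[int, str, int]]:
    """Return (offset, signature, declared_length) for each plausible SWF header.
    Header = signature(3) + version(1) + uncompressed length(4, little-endian).
    The version/length check keeps ordinary text such as 'CWS is' from firing."""
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while True:
            off = blob.find(magic, start)
            if off < 0:
                break
            if off + 8 <= len(blob):
                version = blob[off + 3]
                (length,) = struct.unpack_from("<I", blob, off + 4)
                if 1 <= version <= 40 and 8 < length < MAX_SWF_LEN:
                    hits.append((off, magic.decode(), length))
            start = off + 1
    return sorted(hits)


def scan_office_document(data: bytes) -> dict:
    """Classify a document and list embedded SWF headers.
    OOXML (zip): every member is scanned, so word/embeddings/*.bin is covered.
    OLE/CFB (legacy .doc/.xls) or unknown: the whole byte string is scanned."""
    findings = []
    if data[:2] == b"PK":
        container = "ooxml"
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for name in z.namelist():
                for off, sig, length in find_swf_headers(z.read(name)):
                    findings.append({"member": name, "offset": off,
                                     "sig": sig, "length": length})
    else:
        container = "ole" if data[:8] == OLE_MAGIC else "unknown"
        for off, sig, length in find_swf_headers(data):
            findings.append({"member": None, "offset": off,
                             "sig": sig, "length": length})
    return {"container": container, "swf": findings}


# Constructed samples. A minimal SWF header is enough to exercise the check.
def _fake_swf(sig: bytes = b"CWS", version: int = 11, length: int = 4096) -> bytes:
    return sig + bytes([version]) + struct.pack("<I", length) + b"\x00" * 32


def build_docx(embed_swf: bool) -> bytes:
    """Tiny .docx; the body text deliberately contains the letters 'CWS'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document>CWS is just text here</w:document>")
        if embed_swf:
            z.writestr("word/embeddings/oleObject1.bin", b"\x00" * 64 + _fake_swf())
    return buf.getvalue()


CLEAN_DOCX = build_docx(False)
WEAPONIZED_DOCX = build_docx(True)
# Legacy .doc stand-in: OLE header, one 512-byte sector, then an SWF.
WEAPONIZED_DOC = OLE_MAGIC + b"\x00" * 504 + _fake_swf(b"FWS", 10, 9000)

if __name__ == "__main__":
    for label, doc in (("clean.docx", CLEAN_DOCX), ("ieee.docx", WEAPONIZED_DOCX),
                       ("ieee.doc", WEAPONIZED_DOC)):
        print(label, scan_office_document(doc))
```

On real mail-gateway input, cap the size of each zip member before calling read() (a decompression bomb inside a .docx is otherwise cheap for the attacker), and treat any hit as a quarantine decision rather than proof of exploitation: legitimate documents with embedded Flash exist, but in most organisations they are rare enough that the finding is worth a human look.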
KIA – National Journal Website
Drive-by Download/Watering Hole Attack Thwarted by Invincea
• Exploit running on National Journal website days AFTER initial disclosure (secondary attack?)
• Whitelisted or blacklisted website? More than likely whitelisted
• Running Fiesta/ZeroAccess exploit kit – attacking 2 Java vulnerabilities
• Detected without signatures, immediately killed and forensically analyzed by Invincea
www.invincea.com/blog or http://www.invincea.com/2013/03/kia-nationaljournal-com-pushing-malware-through-fiesta-ek-killed-with-invincea/
Chadd Milton: [email protected]
Go ahead…spear-phish me!
www.invincea.com | Twitter: @Invincea
Want a t-shirt? Drop a note to [email protected] – only one catch, you’ve got to tweet a pic of you wearing it!
Let’s Get Moving