Malware & APT risks for Critical Infrastructures
Ashar Aziz, Founder, CEO & CTO, FireEye, Inc.
October 18-20, 2011
2 RELIABILITY | ACCOUNTABILITY
The Evolving Threat Landscape
• # of threats are up 10X
• Nature of threats changing
– From broad, scattershot to focused, targeted
• Pace of advanced attacks accelerating
– High profile attacks commonplace – RSA, Citicorp, Epsilon, Lockheed…
“71% of surveyed IT Security Professionals said the ‘changing/evolving nature of threats’ is a major challenge or challenge.” – Forrester, 2011
Advanced Malware Infection Lifecycle
(Diagram: on the Internet side, a compromised Web server or Web 2.0 site and a callback server; in the DMZ, email servers with anti-spam, other gateways that are list-based and signature-based, and perimeter security that is signature- and rule-based; on the endpoint, desktop antivirus that is losing the threat arms race.)
1. System gets exploited – Drive-by attacks in casual browsing; links in targeted emails; socially engineered binaries
2. Dropper malware installs – First step to establish control; calls back out to criminal servers; found on compromised sites, and Web 2.0, user-created content sites
3. Malicious data theft & long-term control established – Uploads data stolen via keyloggers, Trojans, bots, & file grabbers; one exploit leads to dozens of infections on same system; criminals have built long-term control mechanisms into system
Operation Aurora: Case Study in a Zero-Day APT Attack
Operation Aurora attack structure: 0-day Web exploit followed by masked binary
(Diagram: a malicious Web server and a callback server on the Internet side; desktop antivirus losing the threat arms race on the endpoint; the data targeted is shown as Gmail, source code and passwords.)
• System gets exploited – Exploited IE 6 zero-day vulnerability; exploit code contains decryption sw
• Web server delivers malware – XOR encoded malware EXE delivered; exploit code decrypts binary; on the wire looks like .JPG object; second phase object linked to first phase exploit
• Dynamic analysis of encrypted binary not possible (out of context); static analysis of encrypted binary not possible (looks like a jpg)
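As an added defender's example (not part of the original deck), the Python below shows why a magic-byte check passes the "looks like a .JPG" object, and the cheap counter-check an analyst can run on a captured object: try all 256 single-byte XOR keys and look for an MZ header followed by the PE DOS stub text. The JPEG header, the stand-in payload and the key 0x5A are constructed for the example; the slide only says the Aurora binary was XOR encoded, so a longer key or real encryption is assumed to be out of scope here and would need the in-context dynamic analysis the slide refers to.

```python
from typing import Optional

JPEG_MAGIC = b"\xff\xd8\xff"                 # SOI marker plus the start of the next marker
DOS_STUB = b"This program cannot be run in DOS mode"

# Constructed stand-in for a PE executable (the Aurora binary is not reproduced here):
# an MZ header followed by the DOS stub text that every real PE carries.
FAKE_PE = b"MZ\x90\x00" + bytes(60) + DOS_STUB + b".\r\n$" + b"<constructed payload>"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same operation both encodes and decodes."""
    return bytes(b ^ key for b in data)


def make_disguised_object(payload: bytes, key: int) -> bytes:
    """Constructed test input: a JPEG header glued in front of an XOR-encoded
    executable, i.e. what a signature engine sees when it checks for JPEG magic."""
    return JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + xor_bytes(payload, key)


def find_xor_key(blob: bytes) -> Optional[int]:
    """Try all 256 single-byte keys; return the one under which a PE
    (MZ header followed later by the DOS stub) becomes visible, else None.
    Key 0 means the executable was not encoded at all."""
    for key in range(256):
        dec = xor_bytes(blob, key)
        mz = dec.find(b"MZ")
        if mz != -1 and dec.find(DOS_STUB, mz) != -1:
            return key
    return None


def scan(blob: bytes) -> dict:
    """Verdict for one object captured on the wire."""
    key = find_xor_key(blob)
    return {
        "claims_jpeg": blob.startswith(JPEG_MAGIC),  # what a magic-byte check sees
        "xor_key": key,
        "hidden_pe": key is not None,                # what the brute-force check sees
    }


if __name__ == "__main__":
    print(scan(make_disguised_object(FAKE_PE, 0x5A)))
```

The same scan on a benign JPEG body returns no key, so the check can be run over every image-typed object on a suspect session without flooding an analyst with false hits.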
High Profile Attacks are Increasingly Common
BUT – This is only the Tip of the Iceberg
(Iceberg diagram: above the surface, the headline grabbing attacks; below the surface, thousands more – APT attacks, zero-day attacks, polymorphic attacks, targeted attacks.)
FireEye POV: MPS systems go in After Existing Defenses
(Network diagram of a headquarters site: Internet, egress router, firewall, Web proxy with AV and URL blocking (maybe), IPS (maybe), core switch, and users with desktop AV; the MPS 7000 is placed after these existing defenses.)
• If we see it, it’s because everyone else missed it
• So we don’t have a sample of everything: we have a sample of good new threats that are succeeding
FireEye Inc Confidential – Do Not Distribute. Based on Preliminary Analysis
So – How Much Malware Do We See?
The Long Tail of Malware
How Dynamic is Malware? Binary MD5s
How Dynamic is Malware? Bad Domains
APT Threat Actors & Surprising Collusions
Threat Actors
• APT Actors
• CrimeWare Actors
• Hacktivists
APT Actors & Crimeware actors: An unholy alliance
(Diagram: APT actors sell used 0-day exploits to crimeware actors; crimeware actors sell compromised systems to APT actors.)
FireEye Case Study: Wermud Trojan – Crimeware elevation to APT
• [March 2011] Created and used by APT
• [15 March 2011] FireEye created callback rules
• [April 2011] Wermud passed to crimeware actors
• [June 2011] Seen used by FakeAV (crimeware)
Summary
• Malware is rampant inside enterprise networks, easily infiltrating existing defenses
• APT attacks can occur as unique exploits, e.g. the Aurora and RSA attacks
• BUT – if you have a fair amount of common malware infections (crimeware), you may never see unique APT attacks
• APT actors may simply leverage your existing crimeware backdoors
• Therefore, you still have to respond to the low-grade crimeware attacks, because they can become high-grade APTs for a valuable target
QUESTIONS?