
Page 1: Spear-Phishing, Watering Holes, Drive-by Downloads The Need for Rapid Endpoint Security Innovation Security without Limits Darin Dick

Spear-Phishing, Watering Holes, Drive-by Downloads

The Need for Rapid Endpoint Security Innovation

Security without Limits

Darin Dick

Page 2:

About Invincea

Heritage and Market Presence

• Spun out of a DARPA-funded project focusing on advanced malware prevention
• Headquartered just outside Washington, D.C.
• Product in market just under 3 years
• Fortune 1,000
• US Federal Government
• DELL OEM to 20+ MILLION machines annually
• Protecting nearly 10,000 organizations around the globe!!
• Management team with successful start-up track records and National Security credentials
  • DARPA
  • BAE Systems
  • RipTech
  • NetWitness
  • ArcSight

Recognition

• SINET “Innovator” Award 2010
• Global Security Challenge Eastern Region Winner
• “Most Innovative Company of the Year” – RSA 2011
• SINET “Best in Class” Award 2011
• GOVTek “Top Company to Watch” in 2012
• Governor’s Award 2012 – Best Tech Transfer to Start-up
• GOVTek “Best Security Solution” 2013
• Government Security News “Best Anti-Malware Solution” – 2012 & 2013
• NVTC 3024 “Cyber-Innovators” Award
• Awarded $21.4 million research and development contract from DARPA to develop secure Android platform

Page 3:

A Four Letter Word…

How does the adversary enter your network?

Your New Perimeter

Page 4:

How Breaches Happen…

Targeted Attacks (APTs)
• Spear-phishing (95% of all APTs*)
  - Links to drive-by downloads
  - Weaponized document attachments
• Watering hole attacks
  - Hijacked, trusted sites

Incidental Contact
• Poisoned Search Engine Results
• Malicious Websites
• Hijacked Legitimate Sites
  - 30,000 takeovers DAILY**
• Social Networking Worms

Zero-days and New Malware Strains Targeting Browsers, Plug-ins, PDFs and Office Docs

*Both Mandiant and Trend Micro – 2013 Reports
**Sophos – June 2013

Page 5:

‘11, ‘12 and ’13 (so far) bloodiest years on record…

• “White House” eCard (spear-phishing)
• HBGary Federal (social engineering)
• Night Dragon (spear-phishing)
• London Stock Exchange Website (watering-hole)
• French Finance Ministry (spear-phishing)
• DuPont, J&J, GE (spear-phishing)
• Nasdaq (spear-phishing)
• Office of Australian Prime Minister (spear-phishing)
• RSA (spear-phishing)
• Epsilon (spear-phishing)
• Barracuda Networks (spear-phishing)
• Oak Ridge National Labs (spear-phishing)
• Lockheed Martin (spear-phishing)
• Northrop Grumman (spear-phishing)
• Gannett Military Publications (spear-phishing)
• PNNL (spear-phishing)
• ShadyRAT (spear-phishing)
• DIB and IC campaign (spear-phishing)
• ‘Voho’ campaign (watering-holes and spear-phishing)
• ‘Mirage’ campaign (spear-phishing)
• ‘Elderwood’ campaign (spear-phishing)
• White House Military Office (spear-phishing)
• Telvent compromise (spear-phishing)
• Council on Foreign Relations (watering hole)
• Capstone Turbine (watering hole)
• RedOctober (spear-phishing)
• DoE (spear-phishing)
• Federal Reserve (spear-phishing)
• NYT, WSJ, WaPo (spear-phishing)
• South Korea (spear-phishing)
• 11 Energy Firms (spear-phishing)
• QinetiQ (TBD)
• Apple, Microsoft, Facebook (watering-hole)
• Speedtest.net (gill netting)
• National Journal (watering hole)
• FemmeComp (watering hole)
• Department of Labor / DoE (watering hole)
• WTOP and FedNewsRadio (gill netting)
• Retail – spear-phishing
• Energy – watering holes
• Microsoft – spear-phishing

A Running Theme…

93-95% of all targeted attacks (APTs) involve the user…

(amalgam of Mandiant, VBR, TrendMicro)

Page 6:

Results from Invincea Survey ‘Addressing APTs’

[Chart: each control – Firewalls/Web Proxies, Network Controls, Anti-Virus, Forensics and IR, User Training, App Whitelisting – is plotted on two measures, In Use and Confidence. Values as extracted from the chart, in the order they appear: 85%, 85%, 95% / 10%, 35% / 75%, 85% / 5%, 65%, 45%, 65% / 85%.]

Page 7:

The Elephant…

Stop the insanity!

“I’m right there in the room…and no one even acknowledges me.”

Page 8:

Protect the New Perimeter…

Stop the insanity!

“It’s the endpoint bro…”

• Top 3 Reasons we avoid the endpoint…
  1. We don’t realize how bad legacy controls really are…
  2. We’ve already bogged it down with a bunch of agents…
     • But they AREN’T stopping the threat
  3. We’re scared of user revolt
     • But the user DOESN’T want to be your weakest link!

Page 9:

Invincea Use Case: Spear-Phishing…

Attacks against South Korean banking system
• March 2013
• Widespread attacks
  • Banking system
  • Broadcast networks
• Appear to have originated in China
• North Korea suspected
• Wiper virus similar to Shamoon, which attacked Saudi Aramco and other targets

Attacks targeted at Information Security professionals…
• February 2013
• Took advantage of global media coverage of Mandiant APT1 report
• Legitimate PDF renamed and weaponized
• Detected in the wild by Invincea – attack stopped at point of opening PDF

$200 Billion market swing…
• April 2013
• Spear-phishing attack against the Associated Press
• Stolen login credentials for AP Twitter account
• Fake tweet that White House had been bombed sent markets into a tail-spin

Page 10:

Invincea Use Case: Watering Hole Attacks…

Small defense contractor serving the U.S. Intel community…
• March 2013
• FemmeComp website serving up malware
• Detected in the wild by Invincea – attack stopped within secure virtual container

3rd party software developer website used as watering-hole…
• February 2013
• Software developer used by three major high tech companies
  • Microsoft
  • Apple
  • Facebook

Department of Labor website serving DoE Nuclear Researchers…
• May 2013
• Hallmarks of a known APT group
• IE 8 zero-day
• Detected in the wild by Invincea – attack stopped within secure virtual container

Page 11:

Endpoint Security Reborn!

Protect the User

Enterprise & Small Business Endpoint Application & Management Server

Recommended System Specs: 512 MB RAM, 150 MB free disk space, Intel/AMD x86 chipset

Supported Operating Systems: Windows XP, Windows 7 32- and 64-bit

Invincea Management Server
• Threat Data Server
• Optional integration to other technologies
• Config Management
• Track deployments
• Manage groups
• Maintain audit trail
• Schedule software updates
• Reporting
• Multiple deployment options
  • Virtual appliance
  • Physical appliance (1U rack-mounted)
  • Cloud hosted

Invincea FreeSpace
• Endpoint application
• Priced per seat
• Protection options:
  • Browser (IE, Firefox, Chrome)
  • PDF
  • Office Suite (PPT, XLS, DOC)

Pages 12–19: Secure Virtual Container (one layer added per slide)

• Hardware
• Operating System…
• Web Browser
• Office Applications: Excel, Word, PowerPoint
• Adobe Acrobat Reader…
• Browser Toolbars & Widgets
• Browser Plugins
• Single Sign-on, DLP, Host Security Plug-ins, Anti-Virus…

Page 20:

Secure Virtual Container (architecture)

Invincea Communications Interface

Secure Virtual Container
• Virtual File System
• Behavioral sensors (process, file, network)
• Command and Control
• Forensic data capture

Virtual Segregation Shim

Page 21:

Secure Virtual Container

Contained Threats

Attacks against the browser, PDF reader, Office suite are air-locked from the host operating system. Detection, kill and forensic capture occurs inside the secure virtual container.
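The slide above describes the container's job in three verbs, detect, kill and capture forensics, driven by the process, file and network sensors listed on the previous slide. The Python below is an added illustration written for this page, not Invincea code, of what that sensor logic looks like when run over an event stream from a contained application: a browser or document reader spawning a script host, a contained app writing an executable that is later launched, and a tainted process beaconing out. The event schema, the image-name lists, the rules and the three sample streams (including the TEST-NET addresses 203.0.113.5 and 198.51.100.7) are all constructed assumptions.

```python
"""Added example (not Invincea code): behavioural sensors for a contained app.

Models the process / file / network sensors and the detect -> kill -> capture
flow described on the slide. Event schema, rule lists and sample streams are
assumptions constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Applications the deck says run inside the container (assumed image names).
CONTAINED_APPS = {"iexplore.exe", "firefox.exe", "chrome.exe", "acrord32.exe",
                  "winword.exe", "excel.exe", "powerpnt.exe"}
# Interpreters a browser or document reader has no business spawning (assumed list).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "regsvr32.exe", "rundll32.exe"}
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".com", ".bat", ".vbs", ".js")


@dataclass
class Event:
    kind: str         # "process" (start), "file" (write) or "network" (connect)
    pid: int
    image: str        # image name of the acting / started process
    ppid: int = 0     # parent pid (process events)
    parent: str = ""  # parent image name (process events)
    path: str = ""    # image path (process) or written path (file)
    dst: str = ""     # "host:port" (network events)


@dataclass
class Verdict:
    kill: bool                  # True -> terminate the container
    reasons: List[str]          # rules that fired, in order
    forensics: Dict[str, list]  # capture handed to the management server


def analyze(events: List[Event]) -> Verdict:
    """Run the three sensors over one container session's event stream."""
    reasons: List[str] = []
    tree: Dict[int, Tuple[str, int]] = {}  # pid -> (image, ppid)
    dropped: Set[str] = set()              # executables written by contained apps
    tainted: Set[int] = set()              # pids reached through a flagged action
    connections: List[str] = []

    for ev in events:
        image = ev.image.lower()
        if ev.kind == "process":
            tree[ev.pid] = (ev.image, ev.ppid)
            if ev.ppid in tainted:         # taint flows to descendants
                tainted.add(ev.pid)
            # Rule 1: contained app spawns a script host / LOLBin.
            if ev.parent.lower() in CONTAINED_APPS and image in SUSPICIOUS_CHILDREN:
                tainted.add(ev.pid)
                reasons.append(f"{ev.parent} spawned {ev.image} (pid {ev.pid})")
            # Rule 2: something the contained app wrote to disk is now running.
            if ev.path.lower() in dropped:
                tainted.add(ev.pid)
                reasons.append(f"dropped file executed: {ev.path}")
        elif ev.kind == "file":
            # File sensor: a browser/reader writing an executable is the classic drop.
            if image in CONTAINED_APPS and ev.path.lower().endswith(EXECUTABLE_EXT):
                dropped.add(ev.path.lower())
                reasons.append(f"{ev.image} wrote executable {ev.path}")
        elif ev.kind == "network":
            connections.append(f"{ev.image} (pid {ev.pid}) -> {ev.dst}")
            # Rule 3: only tainted processes are judged; the browser itself may talk freely.
            if ev.pid in tainted:
                reasons.append(f"tainted process {ev.image} connected to {ev.dst}")

    forensics = {
        "process_tree": [f"{pid} {img} (ppid {ppid})" for pid, (img, ppid) in tree.items()],
        "dropped_files": sorted(dropped),
        "connections": connections,
    }
    return Verdict(kill=bool(reasons), reasons=reasons, forensics=forensics)


# Constructed sample streams (not real captures).
DRIVE_BY = [  # hijacked site -> browser drops and runs a payload that beacons out
    Event("process", 100, "chrome.exe", 1, "explorer.exe", r"C:\Program Files\Google\Chrome\chrome.exe"),
    Event("network", 100, "chrome.exe", dst="news.example:443"),
    Event("file", 100, "chrome.exe", path=r"C:\Users\u\AppData\Local\Temp\update.exe"),
    Event("process", 200, "update.exe", 100, "chrome.exe", r"C:\Users\u\AppData\Local\Temp\update.exe"),
    Event("network", 200, "update.exe", dst="203.0.113.5:4444"),
]
WEAPONIZED_PDF = [  # reader exploit spawns a shell that pulls a second stage
    Event("process", 300, "AcroRd32.exe", 1, "explorer.exe", r"C:\Program Files\Adobe\Reader\AcroRd32.exe"),
    Event("process", 400, "cmd.exe", 300, "AcroRd32.exe", r"C:\Windows\System32\cmd.exe"),
    Event("process", 500, "powershell.exe", 400, "cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Event("network", 500, "powershell.exe", dst="198.51.100.7:80"),
]
BENIGN = [  # normal document work: no rule should fire
    Event("process", 600, "winword.exe", 1, "explorer.exe", r"C:\Program Files\Microsoft Office\winword.exe"),
    Event("file", 600, "winword.exe", path=r"C:\Users\u\Documents\report.docx"),
    Event("network", 600, "winword.exe", dst="office.example:443"),
]

if __name__ == "__main__":
    for name, stream in (("drive-by", DRIVE_BY), ("weaponized PDF", WEAPONIZED_PDF), ("benign", BENIGN)):
        v = analyze(stream)
        print(f"{name}: kill={v.kill}", *v.reasons, sep="\n  ")
```

The point of the taint set is that the browser's own traffic is never the signal (it is supposed to talk to the web); the signal is a process lineage that a contained application should never have produced, and the forensic capture records that lineage, the dropped files and the destinations so the management server has something to fuse rather than just an alert.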

Page 22:

The Power of Invincea FreeSpace

• Free the User | Contain the Threat
  • Protect the mobile workforce left unprotected when they leave the four walls of the network
  • Deliver exactly what the business needs!
  • Unfettered access for the user – even giving things back
  • Protect the network from the user and the user from himself
• Map the Adversary
  • Real-time vs. post-facto forensics
  • Intelligence fusing
  • Mapping the M.O. and opening the attributional gold mine
• Reduce Operational Expenses
  • Patching, e.g. old/vulnerable versions of Java that can’t be patched due to legacy app incompatibility
  • Incident response
  • Endpoint reimaging
  • Employee downtime
• Prevent the Breach!
  • Brand protection
  • Mission critical data protection
  • Millions in breach related expenses

Page 23:

Blazing the Trail

IDC forecasts $1.17bn in stand-alone spend on Invincea-type services by 2017
• Specialized Threat Analysis and Prevention market
• Additive to $10bn endpoint security market

“Endpoint security. Don’t just rely upon network security based controls that detect delivery of malicious code. You should also use the new breed of endpoint solutions that detect exploitation of malicious code on the host.” – Rick Holland @ Forrester

SANS 20 Critical Controls
• Item 5: Malware Defenses
• 5.7. Quick wins: Deploy…products that provide sandboxing (e.g., run browsers in a VM), and other techniques that prevent malware exploitation.

“By year-end 2016, 20% of enterprises will implement Windows containment mechanisms for end users handling untrusted content and code, up from less than 1% in 2013.” – Neil MacDonald @ Gartner

“Traditional defense-in-depth components are still necessary, but are no longer sufficient in protecting against advanced targeted attacks and advanced malware. Today's threats require an updated layered defense model that utilizes "lean forward" technologies at three levels: network, payload and endpoint.” – Lawrence Orans and Jeremy D’Hoinne @ Gartner

“In what might be described as a sea change, Dell announced a new security suite for its Precision, Latitude and OptiPlex systems…” – Wendy Nather @ 451 Group

Page 24:

Let’s Talk More…

Stop the insanity!

Let’s get moving today!!!

[email protected]

http://www.invincea.com/get-protected/request-form/