Spear-Phishing, Watering Holes, Drive-by Downloads
The Need for Rapid Endpoint Security Innovation
Security without Limits
Darin Dick
About Invincea
Heritage and Market Presence
• Spun out of a DARPA-funded project focusing on advanced malware prevention
• Headquartered just outside Washington, D.C.
• Product in market just under 3 years
• Fortune 1,000
• US Federal Government
• DELL OEM to 20+ MILLION machines annually
• Protecting nearly 10,000 organizations around the globe!!
• Management team with successful start-up track records and National Security credentials
  • DARPA
  • BAE Systems
  • RipTech
  • NetWitness
  • ArcSight
Recognition
• SINET “Innovator” Award 2010
• Global Security Challenge Eastern Region Winner
• “Most Innovative Company of the Year” – RSA 2011
• SINET “Best in Class” Award 2011
• GOVTek “Top Company to Watch” in 2012
• Governor’s Award 2012 – Best Tech Transfer to Start-up
• GOVTek “Best Security Solution” 2013
• Government Security News “Best Anti-Malware Solution” – 2012 & 2013
• NVTC 3024 “Cyber-Innovators” Award
• Awarded $21.4 million research and development contract from DARPA to develop secure Android platform
A Four Letter Word…
How does the adversary enter your
network?
Your New Perimeter
How Breaches Happen…
Targeted Attacks (APTs)
• Spear-phishing (95% of all APTs*)
  - Links to drive-by downloads
  - Weaponized document attachments
• Watering hole attacks
  - Hijacked, trusted sites
  - Poisoned Search Engine Results
Incidental Contact
• Malicious Websites
• Hijacked Legitimate Sites
  - 30,000 takeovers DAILY**
• Social Networking Worms
*Both Mandiant and Trend Micro – 2013 Reports
**Sophos – June 2013
Zero-days and New Malware Strains Targeting Browsers, Plug-ins, PDFs and Office Docs
‘11, ‘12 and ’13 (so far) bloodiest years on record…
• “White House” eCard (spear-phishing)
• HBGary Federal (social engineering)
• Night Dragon (spear-phishing)
• London Stock Exchange Website (watering-hole)
• French Finance Ministry (spear-phishing)
• DuPont, J&J, GE (spear-phishing)
• Nasdaq (spear-phishing)
• Office of Australian Prime Minister (spear-phishing)
• RSA (spear-phishing)
• Epsilon (spear-phishing)
• Barracuda Networks (spear-phishing)
• Oak Ridge National Labs (spear-phishing)
• Lockheed Martin (spear-phishing)
• Northrop Grumman (spear-phishing)
• Gannett Military Publications (spear-phishing)
• PNNL (spear-phishing)
• ShadyRAT (spear-phishing)
• DIB and IC campaign (spear-phishing)
• ‘Voho’ campaign (watering-holes and spear-phishing)
• ‘Mirage’ campaign (spear-phishing)
• ‘Elderwood’ campaign (spear-phishing)
• White House Military Office (spear-phishing)
• Telvent compromise (spear-phishing)
• Council on Foreign Relations (watering hole)
• Capstone Turbine (watering hole)
• RedOctober (spear-phishing)
• DoE (spear-phishing)
• Federal Reserve (spear-phishing)
• NYT, WSJ, WaPo (spear-phishing)
• South Korea (spear-phishing)
• 11 Energy Firms (spear-phishing)
• QinetiQ (TBD)
• Apple, Microsoft, Facebook (watering-hole)
• Speedtest.net (gill netting)
• National Journal (watering hole)
• FemmeComp (watering hole)
• Department of Labor / DoE (watering hole)
• WTOP and FedNewsRadio (gill netting)
• Retail – spear-phishing
• Energy – watering holes
• Microsoft – spear-phishing
A Running Theme…
93-95% of all targeted attacks (APTs) involve the user…
(amalgam of Mandiant, VBR, Trend Micro)
Results from Invincea Survey ‘Addressing APTs’
Firewalls/Web Proxies
Network Controls
Anti-Virus
Forensics and IR
User Training
App Whitelisting
In Use
Confidence
85%
85%
95% 10%
35% 75%
85% 5%
65%
45%
65% 85%
The Elephant…
Stop the insanity!
“I’m right there in the room… and no one even acknowledges me.”
Protect the New Perimeter…
Stop the insanity!
“It’s the endpoint bro…”
Top 3 Reasons we avoid the endpoint…
• We don’t realize how bad legacy controls really are…
• We’ve already bogged it down with a bunch of agents…
  • But they AREN’T stopping the threat
• We’re scared of user revolt
  • But the user DOESN’T want to be your weakest link!
Invincea Use Case: Spear-Phishing…
Attacks against South Korean banking system
• March 2013
• Widespread attacks
  • Banking system
  • Broadcast networks
• Appear to have originated in China
• North Korea suspected
• Wiper virus similar to Shamoon, which attacked Saudi Aramco and other targets
Attacks targeted at Information Security professionals…
• February 2013
• Took advantage of global media coverage of Mandiant APT-1 report
• Legitimate PDF renamed and weaponized
• Detected in the wild by Invincea – attack stopped at point of opening PDF
$200 Billion market swing…
• April 2013
• Spear-phishing attack against the Associated Press
• Stolen login credentials for AP Twitter account
• Fake tweet that White House had been bombed sent markets into a tail-spin
Invincea Use Case: Watering Hole Attacks…
Small defense contractor serving the U.S. Intel community…
• March 2013
• FemmeComp website serving up malware
• Detected in the wild by Invincea – attack stopped within secure virtual container
3rd party software developer website used as watering-hole…
• February 2013
• Software developer used by three major high tech companies
  • Microsoft
  • Apple
  • Facebook
Department of Labor website serving DoE Nuclear Researchers…
• May 2013
• Hallmarks of known APT acting group
• Detected in the wild by Invincea – attack stopped within secure virtual container
• IE-8 zero-day
Endpoint Security Reborn!
Protect the User
Enterprise & Small Business Endpoint Application & Management Server
Recommended System Specs: 512 MB RAM, 150 MB free disk space, Intel/AMD x86 chipset
Supported Operating Systems: Windows XP, Windows 7 32 and 64-bit
Invincea Management Server
• Threat Data Server
• Optional integration to other technologies
• Config Management
  • Track deployments
  • Manage groups
  • Maintain audit trail
  • Schedule software updates
  • Reporting
• Multiple deployment options
  • Virtual appliance
  • Physical appliance (1U rack-mounted)
  • Cloud hosted
Invincea FreeSpace
• Endpoint application
• Priced per seat
• Protection options:
  • Browser (IE, Firefox, Chrome)
  • PDF
  • Office Suite (PPT, XLS, DOC)
Secure Virtual Container (diagram)
Hardware
Operating System…
Web Browser
Office Applications: Excel, Word, PowerPoint
Adobe Acrobat Reader…
Browser Toolbars & Widgets
Browser Plugins
Single Sign-on
DLP
Host Security Plug-ins
Anti-Virus…
Invincea Communications Interface
• Virtual File System
• Behavioral sensors (process, file, network)
• Command and Control
• Forensic data capture
Virtual Segregation Shim
Contained Threats
Attacks against the browser, PDF reader, Office suite are air-locked from the host operating system. Detection, kill and forensic capture occurs inside the secure virtual container.
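As an added illustration (not Invincea's code), the Python below models the detection, kill and forensic-capture step the slide places inside the container: constructed process, file and network sensor events from contained sessions are evaluated, and any hit marks that container for kill and retains its whole event stream as the forensic capture. The application image names, the child-process allowlist and the port rule are assumptions made for the example.

```python
# Added example, not Invincea code: a toy model of the detection, kill and
# forensic-capture step that runs inside the secure virtual container. It
# consumes constructed process/file/network sensor events; app names,
# the child allowlist and the port rule are assumptions.
from collections import defaultdict

# Applications the slide runs inside the container (constructed image names).
CONTAINED_APPS = {"iexplore.exe", "firefox.exe", "chrome.exe", "acrord32.exe",
                  "winword.exe", "excel.exe", "powerpnt.exe"}
# Children a contained app may legitimately spawn (assumed allowlist).
ALLOWED_CHILDREN = {"iexplore.exe", "chrome.exe", "firefox.exe", "acrord32.exe"}
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".vbs", ".js", ".bat")

def evaluate(event):
    """Return a reason string if one sensor event is suspicious, else None."""
    kind, app = event["sensor"], event["app"].lower()
    if app not in CONTAINED_APPS:
        return None                       # host-side events are out of scope
    if kind == "process" and event["child"].lower() not in ALLOWED_CHILDREN:
        return f"{app} spawned {event['child']}"
    if kind == "file" and event["op"] == "write" \
            and event["path"].lower().endswith(EXEC_SUFFIXES):
        return f"{app} wrote executable content to {event['path']}"
    if kind == "network" and event["dport"] not in (80, 443):
        return f"{app} connected to {event['dst']}:{event['dport']}"
    return None

def triage(events):
    """Per container: any hit -> kill it and keep its full event stream."""
    by_container = defaultdict(list)
    for ev in events:
        by_container[ev["container"]].append(ev)
    verdicts = {}
    for cid, evs in by_container.items():
        reasons = [r for r in map(evaluate, evs) if r]
        verdicts[cid] = {"kill": bool(reasons), "reasons": reasons,
                         "forensics": evs if reasons else []}
    return verdicts

# Constructed sample events: container 1 is a clean browsing session,
# container 2 shows a weaponized PDF dropping and launching a payload.
SAMPLE_EVENTS = [
    {"container": 1, "sensor": "network", "app": "chrome.exe", "dst": "198.51.100.7", "dport": 443},
    {"container": 1, "sensor": "file", "app": "chrome.exe", "op": "write", "path": r"C:\Users\u\Downloads\report.pdf"},
    {"container": 2, "sensor": "file", "app": "AcroRd32.exe", "op": "write", "path": r"C:\Users\u\AppData\Local\Temp\a.exe"},
    {"container": 2, "sensor": "process", "app": "AcroRd32.exe", "child": "a.exe"},
    {"container": 2, "sensor": "network", "app": "AcroRd32.exe", "dst": "203.0.113.9", "dport": 8080},
]
```

Calling `triage(SAMPLE_EVENTS)` leaves container 1 untouched and marks container 2 for kill with three reasons, keeping all three of its events as the forensic record.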
• Free the User | Contain the Threat
  • Protect the mobile workforce left unprotected when they leave the four walls of the network
  • Deliver exactly what the business needs!
  • Unfettered access for the user – even giving things back
  • Protect the network from the user and the user from himself
• Map the Adversary
  • Real-time vs. post-facto forensics
  • Intelligence fusing
  • Mapping the M.O. and opening the attributional gold mine
• Reduce Operational Expenses
  • Patching
    • e.g. old/vulnerable versions of Java that can’t be patched due to legacy app incompatibility
  • Incident response
  • Endpoint reimaging
  • Employee downtime
• Prevent the Breach!
  • Brand protection
  • Mission critical data protection
  • Millions in breach related expenses
The Power of Invincea FreeSpace
Blazing the Trail
IDC Forecasts $1.17bn in Stand Alone spend on Invincea type services by 2017
• Specialized Threat Analysis and Prevention market
• Additive to $10bn endpoint security market
“Endpoint security. Don’t just rely upon network security based controls that detect delivery of malicious code. You should also use the new breed of endpoint solutions that detect exploitation of malicious code on the host.” Rick Holland @ Forrester
SANS 20 Critical Controls
• Item 5: Malware Defenses
  • 5.7. Quick wins: Deploy… products that provide sandboxing (e.g., run browsers in a VM), and other techniques that prevent malware exploitation.
“By year-end 2016, 20% of enterprises will implement Windows containment mechanisms for end users handling untrusted content and code, up from less than 1% in 2013.”
Neil MacDonald @ Gartner
“Traditional defense-in-depth components are still necessary, but are no longer sufficient in protecting against advanced targeted attacks and advanced malware. Today's threats require an updated layered defense model that utilizes "lean forward" technologies at three levels: network, payload and endpoint.”
Lawrence Orans and Jeremy D’Hoinne @ Gartner
“In what might be described as a sea change, Dell announced a new security suite for its Precision, Latitude and OptiPlex systems…”
Wendy Nather @ 451 Group
Let’s Talk More…
Stop the insanity!
Let’s get moving today!!!
http://www.invincea.com/get-protected/request-form/