1. Mitigating the CLICKer:
how AMPs (Advanced Malware Protection)
/ advanced innovative tools can finally help
protect your infrastructure
Claus Cramon Houmann
Banque Öhman 2013-09-25
2.
Öhman
Remember:
• Never ever rely on a single solution
• Defense in depth
• Both threat prevention and threat detection are important
• If the bad guys want to get in badly enough, they will; what you can
do is reduce the "dwell time" they have inside your systems
• The "CLICKER" I define as the colleague who just cannot help
clicking on that "interesting link" in a suspicious e-mail,
because "probably nothing will happen" or "just to see what
happens", or who doesn't even think about it...
5.
Breach methods
• There are many points of entry for attackers breaching a
system/network:
– Hacking (e.g. SQL injection against database servers)
– Malware (e.g. delivered via phishing)
– Social engineering
– Physical access
7.
Protecting against external threats
• As your organization's "infosec level" matures, you may be
able to pass, or almost pass, a pentest. Most low-hanging fruit
has been "picked" already
• This makes it very hard for "them"
to get in via hacking methods
• -> so they will try malware next
8.
Advanced malware
leveraging e.g. 0-days =
CIO/CISO nightmare
• Slowly but steadily one thing will
make you lose sleep at night:
how do you protect against
colleagues clicking on phishing
e-mails or visiting bad websites
(e.g. watering holes)?
• The CLICKER becomes your
biggest external threat!
10.
Mitigating the "CLICKER"
• There are now innovative next-generation tools available for
advanced threat prevention and/or detection = AMPs
– Micro-virtualization
– Advanced code handling/analysis/reverse-engineering tools
– Network-level sandboxing, or detection based on behavioural
analysis/packet inspection
– System- and registry-level lockdown of process/user rights
– Cloud-based big-data analytical/defense tools
– Whitelisting technology
– Others; this "market segment" is booming right now
11.
Why is the AMP market booming?
Background
• The AV industry in the traditional sense has declared its
tools insufficient and the war on malware lost
• Hacking is increasingly supported by big budgets; think
nation-state-sponsored APTs
• 0-days abound in the wild, being purchased by "hackers",
unofficial hackers and nation-state-sponsored hackers alike
• The black-market cyber-industry is a huge economy
12.
Baby years
• As the AMP industry is in its "baby years", you have to make
allowances for products still being heavily changed/developed
• Immature market
• No 100% tools; no one can cover everything. If you meet a
vendor that claims they can, don't trust it
• That said, on to the NG tools!
13.
How does micro-virtualization work?
• Hardware-level virtualization gives complete separation of
user tasks: each task runs in its own small, hardware-isolated
VM (a micro-VM), so whatever happens inside one task cannot
reach the host or other tasks
14.
Why micro-virtualization
• Mitigates the following threats:
– USB sticks with malicious content
– Watering-hole sites
– Malicious attachments in e-mail
– Clicking links leading to malware on websites/in e-mails
• Pros:
+ Workflow enabler
+ Small amount of custom configuration needed
+ Negligible performance impact on endpoints
+ Not yet widely known to attackers
+ No dependence on traditional "signature"-based methods
• Cons:
– No server protection against hacking attempts
– Early life-cycle stage: unfinished products
15.
How & why: advanced code handling tools
• The similarity across products here is that they employ innovative
strategies to "identify" bad behaviour despite encryption, obfuscation,
fragmented files etc., the methods and tools that malware authors use to
hide the true function of their software
• Malware can be identified and/or blocked and/or removed efficiently
• Pros:
+ Reduced dwell time
+ No dependency on traditional signature methods
+ Potentially scales very well for large corporations
• Cons:
– Most tools like these are detection tools and have limited prevention
capabilities
– Customers rarely understand how the tool actually works
16.
How & why: network-level sandboxing
• The idea here is to catch and analyze malware before it reaches the
end users (prevention), but also to do detection. It kind of "replays"
the malware in a stack of different virtual machines to give it a
good chance of hitting an environment that it's meant to "go off" in.
• Pros:
+ Threat detection against clicker threats
• Cons:
– Network perimeter technologies cannot protect roaming users, and
users are increasingly mobile
– Malware is getting smarter. It can evade these tools by waiting for the
user to do something (use the mouse/keyboard, for example) before it
misbehaves; a detonation VM with nobody at the keyboard never triggers it
– These tools just ALERT you; they do not PROTECT you
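Added example, not part of the original slides and not any vendor's code: a simulation of the evasion described above. A toy sample refuses to misbehave until it has seen human-like mouse movement; a detonation VM with no user emulation therefore reports nothing, while a VM that synthesizes cursor motion and keystrokes triggers the payload. All names (InputEvent, run_sample, naive_sandbox, interactive_sandbox) and the input traces are this example's own construction.

```python
"""Simulation of user-interaction gating (sandbox evasion) and the
sandbox-side countermeasure. Nothing here touches a real OS; the "sample",
the input events and the two "sandboxes" are constructed for illustration.
"""
from dataclasses import dataclass, field
import random


@dataclass(frozen=True)
class InputEvent:
    kind: str        # "mouse" or "key"
    t_ms: int        # milliseconds since the sample started
    x: int = 0       # cursor position, only meaningful for "mouse"
    y: int = 0


@dataclass
class Trace:
    """What the sample actually did inside the VM. A real sandbox would
    reconstruct this from API hooks or a syscall trace."""
    actions: list = field(default_factory=list)

    @property
    def detonated(self):
        return "drop_payload" in self.actions


def looks_like_human(events, min_mouse_moves=5, min_distinct_points=3):
    """Toy version of the check evasive malware performs: enough mouse
    movement, across distinct screen positions, before doing anything bad.
    Keystrokes alone do not satisfy it (cheap to fake, no geometry)."""
    moves = [e for e in events if e.kind == "mouse"]
    points = {(e.x, e.y) for e in moves}
    return len(moves) >= min_mouse_moves and len(points) >= min_distinct_points


def run_sample(events):
    """Simulated evasive sample: benign-looking until it believes a human is present."""
    trace = Trace()
    trace.actions.append("open_decoy_document")
    if looks_like_human(events):
        trace.actions.append("drop_payload")
        trace.actions.append("beacon_c2")
    else:
        trace.actions.append("exit_quietly")
    return trace


def naive_sandbox():
    """Detonation VM with no user emulation: the sample sees no input at all."""
    return []


def interactive_sandbox(seed=1, n_moves=20):
    """Detonation VM that synthesizes human-like cursor motion plus a few
    keystrokes. Constructed input; x strictly increases so the positions are
    guaranteed distinct, and the jitter is seeded for reproducibility."""
    rng = random.Random(seed)
    events = []
    x, y, t = 400, 300, 0
    for _ in range(n_moves):
        t += rng.randint(40, 200)
        x += rng.randint(5, 25)
        y += rng.randint(-25, 25)
        events.append(InputEvent("mouse", t, x, y))
    for _ in range(3):
        t += rng.randint(100, 400)
        events.append(InputEvent("key", t))
    return events


def verdict(trace):
    """The sandbox's report: only behaviour that actually occurred can be seen."""
    return "malicious" if trace.detonated else "no malicious behaviour observed"


if __name__ == "__main__":
    print("naive sandbox      :", verdict(run_sample(naive_sandbox())))
    print("interactive sandbox:", verdict(run_sample(interactive_sandbox())))
```

The thresholds are arbitrary; the point is that a sandbox verdict is only as good as the environment the sample is detonated in, which is why open-source and commercial sandboxes add user-interaction emulation on top of the "stack of VMs".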
17.
System- and registry-level lockdown of
process/user rights
These tools all try to prevent malware by denying it the access/rights
to drop files, inject DLLs etc.
• Pros:
+ Tight lockdown
• Cons:
– Configuration "heavy"
– Is saying "no" to users the answer?
– Change management becomes somewhat harder
18.
Cloud-based big-data analytical/defense
tools
• Vendors here try to detect and block threats using
big-data approaches to "signatures" or
"known samples"
• Pros:
+ Potential to see inside virtual switches and traffic between virtual
machines, traffic that sometimes never reaches a firewall or
network appliance
• Cons:
– Uploading samples identified in your environment to a vendor's
cloud is a risk in itself: the sample carries enumeration data about
your environment, and maybe more
– The traditional signature approach has limitations even with a
big-data approach, since malware can be adapted to evade it
19.
Whitelisting
• The idea behind whitelisting is to block malware by simply
only allowing known trusted websites, trusted applications etc.
• Pros:
+ Whitelisting can be an effective technique for dealing with traditional file-based malware such
as viruses and spyware. Unsophisticated attacks that rely on downloading and running an
arbitrary executable file are generally foiled by whitelisting.
+ Whitelisting can be particularly effective in "locking down" dedicated appliance-like systems
that don't function as general-purpose productivity tools.
• Cons:
– Maintaining what is "trusted" as things change. Operational nightmare?
– Vulnerable to unknown/zero-day attacks and malicious content within whitelisted apps (even
"trusted" code can have vulnerabilities...)
– Vulnerable to non-file-based attacks, which are carried out without ever downloading or
executing a file for the whitelist to block (such as memory-only attacks that inject into a
running process)
– Is saying "no" to users the answer?
– Trusting the whitelist: what if it's compromised?
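Added example, not from the original slides: a minimal hash-based application whitelist in Python that exercises the points above in running code. An unknown dropper is blocked; a byte-for-byte identical trusted binary is allowed while a patched copy is not; a legitimate vendor update is blocked too until someone re-approves it (the maintenance cost); and a trusted interpreter is allowed regardless of what script it is told to run, which is the "malicious content within whitelisted apps" problem. All names (Allowlist, is_allowed, demo) and the byte-string "binaries" are constructed for this example.

```python
"""Hash-based application allowlist with its blind spots made visible.
The files written here are constructed byte strings, not real programs."""
import hashlib
import os
import tempfile


def sha256_of_file(path):
    """Hash a file in chunks (real executables can be large)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class Allowlist:
    """Hypothetical execution policy: a file may run only if its SHA-256 is on
    the trusted list. Name, path and icon do not matter; a single changed byte
    is a different (untrusted) program."""

    def __init__(self, trusted_hashes=()):
        self.trusted = set(trusted_hashes)

    def is_allowed(self, path):
        return sha256_of_file(path) in self.trusted

    def add_trusted(self, path):
        """Every legitimate update needs a new entry: the operational cost."""
        self.trusted.add(sha256_of_file(path))


def write_file(directory, name, content):
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(content)
    return path


def demo():
    """Runs the policy against constructed stand-in files and returns the
    allow/deny decisions as a dict keyed by scenario."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-ins for binaries (content is what gets hashed).
        trusted_app = write_file(d, "editor.exe", b"TRUSTED-EDITOR-v1")
        tampered_app = write_file(d, "editor_patched.exe", b"TRUSTED-EDITOR-v1+backdoor")
        updated_app = write_file(d, "editor-v2.exe", b"TRUSTED-EDITOR-v2")
        dropper = write_file(d, "invoice.pdf.exe", b"DROPPER-PAYLOAD")
        interpreter = write_file(d, "python.exe", b"TRUSTED-INTERPRETER")
        script = write_file(d, "payload.py", b"import os; os.system('calc')")

        wl = Allowlist([sha256_of_file(trusted_app), sha256_of_file(interpreter)])
        results = {
            "trusted_app": wl.is_allowed(trusted_app),
            "tampered_app": wl.is_allowed(tampered_app),
            "dropper": wl.is_allowed(dropper),
            # Vendor ships v2: blocked until an admin re-approves the new hash.
            "updated_app_before_reapproval": wl.is_allowed(updated_app),
            # The interpreter is trusted; the policy never looks at what it is
            # asked to run, so any script rides in on the trusted hash.
            "interpreter": wl.is_allowed(interpreter),
            "script_as_executable": wl.is_allowed(script),
        }
        wl.add_trusted(updated_app)
        results["updated_app_after_reapproval"] = wl.is_allowed(updated_app)
        return results


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario:32s} {'ALLOW' if allowed else 'DENY'}")
```

The interpreter case is the one to remember: once a general-purpose interpreter, office suite or browser is on the list, the whitelist has delegated the decision to whatever that program loads, which is exactly where the CLICKER's attachment or link lands.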
20.
Conclusion
• To efficiently protect against APTs and advanced malware
you want to:
– Have capabilities within threat prevention, detection, alerting,
incident response, maybe even some kind of IOC / threat
sharing community. AMP + more.
– Have defense in depth
• To efficiently mitigate the risks of the CLICKER you want to:
– Block not only known threats but also the unknown, while
enabling the business to do its "thing"
– Be able to detect and efficiently remove threats
21.
About me
• Claus Cramon Houmann, 38, married to Tina, and I have 3 lovely
kids
• CISSP, ITIL Certified Expert, PRINCE2 Practitioner
• You can contact me anytime:
– Skype: Claushj0707
– Twitter: @claushoumann or @improveitlux
• Sources used:
– Verizon: Data Breach Investigations Report 2012
– @gollmann from IOActive blog posts