Malware Most Wanted: Security Ecosystem

Dr. Fengmin Gong, Co-Founder and Chief Strategy Officer, presents why an ecosystem-based approach is necessary to defend against modern malware threats. Discussion continues with what it takes to implement cybersecurity using this approach. He also presents a number of use cases where multi-vendor products interacting in a security ecosystem provide the most effective protection for enterprises.


1. It Takes An Ecosystem To Defend Against APT (Fengmin Gong, Chief Strategy Officer)

2. Your speakers today: Dr. Fengmin Gong, Chief Strategy Officer and Co-Founder; Anthony James, VP of Products & Marketing

3. Agenda
   o Open Secret: malware is winning
   o Orientation: what's going on?
   o Decision: new defense paradigm
   o Action: building a secure ecosystem
   o Tell: the only promise for us to win the war against modern threats is to build an effective security ecosystem of defenders!
   o Show: how the ecosystem approach works, by examples
   o Wrap-up and Q&A (Cyphort Labs T-shirt)

4. Threat Monitoring & Research Team
   o 24x7 monitoring for malware events
   o Assist customers with their forensics and incident response
   We enhance malware detection accuracy
   o False positives/negatives
   o Deep-dive research
   We work with the security ecosystem
   o Contribute to and learn from the malware knowledge base
   o Best of 3rd-party threat data
6. Open Secret, Sad Reality: cyber bad actors are winning
   Well-known direct victims
   o Sony: PlayStation Network, DDoS, & Sony Pictures breach
   o Target: 40 million cards + 70 million other accounts, CEO ousted
   o "Nemanja" POS botnet of 1,478 hosts in 36 countries
   Indirect victims
   o Card issuers, merchants & consumers
   Why so sad & bad
   o Too late: discovered after many months
   o Too much: name, address, DOB, SSN & driver's license #
   o Too little: "We will help you monitor your credit reports!"
   o Too easy: most attacks did not even use a 0-day exploit

7. Not Only The Naïve Fall Victim
   What: March 17, 2011, RSA warned of SecurID threats
   What's stolen: RSA one-time-password sensitive info
   Conclusion: it probably made Rivest, Shamir, and Adleman want to withdraw their names from RSA :)
   Attack chain (from the slide's diagram):
   1. Spear-phishing email to RSA carrying the attachment "2011 Recruitment plan.xls"
   2. Adobe Flash Player 0-day, working against pre-Office-2010 hosts with Flash older than the 3/21 patch, installs a RAT
   3. Two-factor secrets stolen

8. Threat Life Cycle – Generic Kill Chain
   o Threat: potential threat is born or reborn.
   o Reconnaissance: attacker analyzes potential targets.
   o Weaponize: malware is groomed for success.
   o Deliver: malware payload infiltrates host system.
   o Exploit: malware finds access point.
   o Install: malware installs exploitive features on system.
   o Command & Control: malware misses mom and calls home.
   o Action: manual and/or automatic mitigation and policy enforcement.

9. Threat Life Cycle – Detection Insights (diagram)
   Stages and the channels seen at each:
   o Target / infect: exploit pack, drive-by, social engineering, email
   o Download: HTTP, file share, FTP, P2P
   o Install: HTTP, social network, P2P
   o Exfiltrate: data theft, spam, phishing, DDoS
   Detection signals placed along the stages: traffic anomaly, exec anomaly, content anomaly, exploit signature, app anomaly, attack signature, reputation; behavior anomaly, malware signature, CnC signature; app anomaly, CnC signature, traffic anomaly, reputation.

10. Modern Threat TTP (Technique, Tactic, & Procedure)
   o Web based + social engineering
   o Multiple infection vectors
   o Obfuscated & encrypted
   o Multi-component delivery
   o Anti-static-analysis & anti-sandboxing
   o Network distributed: botnets
   o Polymorphism & self-update
   Consequences:
   1. Hard to capture using simple signatures
   2. Hard to detect using a single approach
   3. Impossible to prevent from a single point

11. Many Actors: Context Is Important (crime value chain diagram)
   o Infrastructure: CnC servers, upload/download servers, infection servers
   o Criminal actors: malware writers, bot herders, spam/phish pushers, ID/account stealers, illegal merchants, pushers, questionable advertisers/merchants, questionable providers, espionage
   o Legitimate parties: legit merchants, financial institutions, consumers, legit corporations
   o Victims: direct (infected) victim, indirect (fraud) victim

12. Users Are A Critical Success Factor
   Enterprise security challenges
   o Advanced TTP
   o Industrialized cyber crime
   o Corporate & nation-state actors
   o Problems on the ground
   o Urgency for tools
   o Expectation of "fit"
   o Global
   o Mobile
   o Consumerization
   o Big data
   o SaaS cloud
   o Blurred intra-/extra-/Internet boundaries
   o Virtualization & cloud delivery
   o Unified business infrastructure: ERP, ICS & IoT
   o SD-X: software-defined X

13. Lost Generation, Lost Paradigm (diagram)
   Threat evolution: virus, OS/server exploit, client exploits, network worm, mail worm, SQL injection, cross-site scripting, web plug-in/app exploits, social engineering, user-generated content, malvertising; industrialized production of exploits/packers/coders/malware by corporate and nation-state actors
   Defenses:
   o Host: AV, IPS, UTM (signatures, heuristics, memory protection)
   o Network: SMG, SWG, IPS, UTM, NGFW (signatures, anomaly, sandboxing)
   o SaaS: messaging security, web security (signatures, heuristics, reputation, sandboxing)
   Bottom line: multi-vector, targeted, multi-component, network-enabled & automated attacks AGAINST largely single-method, blind, siloed & manual defenses
14. Quick Poll Break
15. New Paradigm – Security Ecosystem
   o An environment in which all security devices & applications can share actionable threat intelligence (ATI) across IT infrastructure, locations, and organization boundaries, to mitigate security threats.
   o We must focus on minimizing the attack consequences!

16. Practicing Ecosystem Defense
   o All solutions support some threat-intelligence-sharing protocols/APIs
   o All access is controlled with strong authentication
   o Access control in operation still resides with the owner, i.e. the customer participating in the ecosystem
   Security products can support the ecosystem without losing their competitive edge; customers will benefit from all the best-of-breed solutions!
17. Quick Poll Break
18. Ecosystem Actions By Example
   1. Backoff: CnC generation, infection detection, & exfiltration prevention
      o First sight at one store; benefit more stores, stopping any infiltration by the same family
   2. Sony wiper: fingerprinting <dst-IP, initiator-MD5> for forensic analysis, containment, & cleanup
      o First sight on one infected machine; identify & protect all infected machines in the organization
   3. Infection site discovery: advance warning & threat campaign tracking
      o Early detection of infected sites, exploit pack (EP) analysis, global protection, & campaign trending

19. Backoff: Reliable Snort CnC Rule

   alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BackOff HTTP Callback"; flow:established,to_server; content:"POST"; http_method; content:"$op="; http_uri; content:"&id="; http_uri; content:"&ui="; http_uri; content:"&wv="; http_uri; content:"&gr="; http_uri; content:"&bv="; http_uri; content:"/windebug/updcheck.php"; http_uri; classtype:trojan-activity; sid:891000; rev:2;)

20. Backoff: Reliable System IOC
   Unique persistency
   o Existence of a mutex named "nUndsa8301nskal"
   o Existence of the file "%APPDATA%\nsskrnl", RC4-encrypted with the password "Password"
   o Existence of the clear-text file "%APPDATA%\OracleJava\Log.txt" holding keystrokes
   ATI extract & share...
   o Verify infiltration of a POS machine by checking the above persistent artifacts
   o Detect & block CnC using the simple Snort rule
   o Anyone, anywhere, thereafter shall be protected
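The two Backoff checks from slides 19 and 20, as an added example that is not part of the presentation and not Cyphort's code. The network check emulates the Snort rule: each `content` without `distance`/`within`/`offset` is an independent substring search, so the rule reads "POST, and every token present in the URI" (the tokens, including `$op=`, are reproduced as the slide prints them; confirm against a real capture which HTTP buffer carries the parameters before deploying). The host check looks for the two persistent files and decrypts `%APPDATA%\nsskrnl` with RC4 under the key "Password" to confirm the artifact is really Backoff's. The sample request, the hypothetical contents of nsskrnl and the temporary directories are constructed; only the key, the file names and the mutex name come from the slide. The mutex check needs a Windows API call (OpenMutexW) and is left to the caller.

```python
# Added illustration, not the presenter's or Cyphort's code.  Emulates the
# Backoff CnC rule (slide 19) and the host artifact check (slide 20).  The
# sample request and nsskrnl contents are constructed; only the key
# "Password", the file names and the mutex name come from the slides.
import os
import tempfile

# content tokens copied from the slide's rule, all tagged http_uri
BACKOFF_URI_TOKENS = ("$op=", "&id=", "&ui=", "&wv=", "&gr=", "&bv=",
                      "/windebug/updcheck.php")
BACKOFF_RC4_KEY = b"Password"      # slide 20
BACKOFF_MUTEX = "nUndsa8301nskal"  # slide 20; check with OpenMutexW on Windows


def is_backoff_callback(method: str, uri: str) -> bool:
    """Network side: the rule fires on POST with every token in the URI."""
    return method == "POST" and all(tok in uri for tok in BACKOFF_URI_TOKENS)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA).  Symmetric: the same call decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_text(blob: bytes) -> bool:
    """Sanity check that a decrypt produced printable ASCII, i.e. the file
    really is RC4 under the expected key rather than unrelated data."""
    return bool(blob) and all(32 <= b < 127 or b in b"\r\n\t" for b in blob)


def check_host(appdata: str) -> dict:
    """Host side: report the slide's persistent artifacts under %APPDATA%."""
    nsskrnl = os.path.join(appdata, "nsskrnl")
    keylog = os.path.join(appdata, "OracleJava", "Log.txt")
    report = {"nsskrnl": os.path.isfile(nsskrnl),
              "keylog": os.path.isfile(keylog),
              "nsskrnl_decrypts": False}
    if report["nsskrnl"]:
        with open(nsskrnl, "rb") as f:
            report["nsskrnl_decrypts"] = looks_like_text(
                rc4(BACKOFF_RC4_KEY, f.read()))
    return report


def build_infected_appdata() -> str:
    """Constructed fixture standing in for an infected POS host's %APPDATA%."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "nsskrnl"), "wb") as f:
        # hypothetical config text; the real file layout is not on the slide
        f.write(rc4(BACKOFF_RC4_KEY, b"id=POS-07\r\nserver=example.invalid\r\n"))
    os.makedirs(os.path.join(d, "OracleJava"))
    with open(os.path.join(d, "OracleJava", "Log.txt"), "w") as f:
        f.write("[constructed keystroke log]\n")
    return d


def build_clean_appdata() -> str:
    """Constructed fixture for a clean host: an empty %APPDATA%."""
    return tempfile.mkdtemp()


if __name__ == "__main__":
    print(is_backoff_callback(
        "POST", "/windebug/updcheck.php?$op=1&id=A1&ui=B2&wv=3&gr=1&bv=2"))
    print(check_host(build_infected_appdata()))
    print(check_host(build_clean_appdata()))
```

Running the script reports the callback as matched, the infected fixture as having both files with nsskrnl decrypting to text, and the clean fixture as having neither. A request with only some of the tokens, or a GET, does not fire, which is the point of stacking several `content` matches: each one alone is generic.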
21. Sony Wiper: Seeing Once Is Enough

22. Static & Dynamic IOCs
   Strings (sample D1C27EE7CE18675974EDF42D4EEA25C6):
   o calc.exe
   o 88.53.215.64
   o 217.96.33.164
   o 203.131.222.102
   o igfxtrayex.exe
   o net_ver.dat
   Process (760c35a80d758f032d02cf4db12d3e55) behavior:
   o igfxtrayex.exe creates files "taskhost%random%.exe"
   o igfxtrayex.exe is identical to "taskhost%random%.exe"
   Any EXE with those strings in its strings output is suspect; a dropped EXE showing the process behavior must be removed!

23. From IOC To Threat Fingerprints
   o IOCs so far focus on detecting & verifying any infection
   o Threat fingerprinting puts more emphasis on identifying the specifics of a particular infection: specific TTP, malware family, actors & intent
   o ATI extract & share...
   o Host-X: HTTP connections to dst {203.131.222.102 | 217.96.33.164 | 88.53.215.64}, initiated by process {Y}, created from image {filename="igfxtrayex.exe" | md5="760c35a80d758f032d02cf4db12d3e55"}
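The wiper IOCs of slide 22 and the host-X fingerprint of slide 23 turned into matching logic and run across several hosts, as an added example that is not part of the presentation and not Cyphort's code. It shows why the fingerprint combines the pieces the way it does: the image is matched by file name OR MD5 (so a renamed copy on a second host is still caught), and that is ANDed with a connection to one of the three destinations (so a harmless binary that merely shares the file name does not fire). The telemetry is constructed; host names, PIDs, the dropped file name and the non-IOC hashes are invented, and only the IPs, the image name and MD5, and the strings come from the slides.

```python
# Added illustration, not the presenter's or Cyphort's code.  Applies the
# slide-22 IOCs and the slide-23 fingerprint over constructed telemetry.
from dataclasses import dataclass, field

WIPER_CNC_IPS = {"203.131.222.102", "217.96.33.164", "88.53.215.64"}
WIPER_IMAGE_NAME = "igfxtrayex.exe"
WIPER_IMAGE_MD5 = "760c35a80d758f032d02cf4db12d3e55"
WIPER_STRINGS = ("calc.exe", "88.53.215.64", "217.96.33.164",
                 "203.131.222.102", "igfxtrayex.exe", "net_ver.dat")


@dataclass
class ProcessEvent:
    """One process as an endpoint sensor would report it, with what it did."""
    host: str
    pid: int
    image: str                                     # on-disk image file name
    md5: str
    http_dst: list = field(default_factory=list)   # destination IPs contacted
    dropped: list = field(default_factory=list)    # (file name, md5) created


def static_suspect(strings_output: list) -> bool:
    """Slide 22: an EXE whose strings output contains all IOC strings is suspect."""
    return all(s in strings_output for s in WIPER_STRINGS)


def matches_fingerprint(p: ProcessEvent) -> bool:
    """Slide 23 host-X fingerprint: CnC destination AND initiator image
    matched by file name OR MD5."""
    image_hit = (p.image.lower() == WIPER_IMAGE_NAME
                 or p.md5.lower() == WIPER_IMAGE_MD5)
    return image_hit and bool(set(p.http_dst) & WIPER_CNC_IPS)


def identical_drops(p: ProcessEvent) -> list:
    """Slide 22 behaviour: dropped taskhost<random>.exe identical to the parent."""
    return [name for name, md5 in p.dropped
            if name.lower().startswith("taskhost")
            and name.lower().endswith(".exe") and md5 == p.md5]


def triage(events: list) -> dict:
    """Apply the fingerprint fleet-wide: hosts to contain and dropped files to
    remove, the 'seeing once is enough' step of slide 21."""
    contain, remove = set(), []
    for p in events:
        if matches_fingerprint(p):
            contain.add(p.host)
            remove.extend((p.host, name) for name in identical_drops(p))
    return {"contain": sorted(contain), "remove": sorted(remove)}


def sample_telemetry() -> list:
    """Constructed events for four hosts (names, PIDs and non-IOC hashes invented)."""
    return [
        # first sighting: name and hash match, CnC contacted, clone dropped
        ProcessEvent("pos-01", 4120, "igfxtrayex.exe", WIPER_IMAGE_MD5,
                     ["203.131.222.102"], [("taskhost7e1.exe", WIPER_IMAGE_MD5)]),
        # renamed copy on another host: only the MD5 matches, still caught
        ProcessEvent("fin-02", 880, "winsvc32.exe", WIPER_IMAGE_MD5,
                     ["88.53.215.64"], []),
        # same file name, unrelated binary, no CnC traffic: not matched
        ProcessEvent("eng-03", 2200, "igfxtrayex.exe", "0" * 32,
                     ["192.0.2.10"], []),
        # ordinary process talking to an ordinary destination
        ProcessEvent("eng-04", 640, "outlook.exe", "f" * 32,
                     ["192.0.2.20"], []),
    ]


if __name__ == "__main__":
    print(triage(sample_telemetry()))
```

The triage result names pos-01 and fin-02 for containment and the dropped taskhost7e1.exe on pos-01 for removal; eng-03 is left alone despite the matching file name. In a shared ecosystem the `WIPER_*` constants are exactly the ATI record one participant extracts at first sight and the others consume.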
24. Global Discovery & Sharing – Better Defense
   Cyphort Crawler Network
   o Discovered 1,684 infected sites
   o Collected 421 bad IPs serving malware
   o Collected hundreds of pcaps of web exploit packs
   o Sharing ATI: power to all defenders!
   What is shared, and with whom:
   o Infected-site list: site owners, site visitors, SWGs, threat researchers
   o IP blacklist: FW/IPS/NGFW users, threat researchers
   o Which EP is active, used by whom, targeting whom: all defenders

25. Q and A
   o Information sharing and advanced threat resources
   o Blogs on latest threats and findings
   o Tools for identifying malware

26. Thank You!
