SlideShare ist ein Scribd-Unternehmen logo
1 von 28
Downloaden Sie, um offline zu lesen
Malware Most Wanted: Security Ecosystem
It Takes An Ecosystem
To Defend Against APT
Fengmin Gong
Chief Strategy Officer
Your speakers today
Dr. Fengmin Gong
Chief Strategy Officer and
Co-Founder
Anthony James
VP of Products & Marketing
Agenda
o Open Secret: Malware is winning
o Orientation: What’s going on?
o Decision: New defense paradigm
o Action: Building a secure ecosystem
o Tell – The only promise for us to win
the war against modern threats is to
build an effective security
ecosystem of defenders!
o Show – How ecosystem approach
works by examples
o Wrap-up and Q&A
CyphortLabsT-shirt
Threat Monitoring &
Research team
________
24X7 monitoring for
malware events
________
Assist customers with
their Forensics and
Incident Response
We enhance malware
detection accuracy
________
False positives/negatives
________
Deep-dive research
We work with the
security ecosystem
________
Contribute to and learn
from malware KB
________
Best of 3rd Party threat
data
6
Open Secret, Sad Reality
Cyber bad actors are winning
Well known direct victims
o Sony: PlayStation network, DDoS, & Sony Pictures breach
o Target, 40milion cards+70milion other accounts, CEO ousted
o “Nemanja” POS botnets of 1478 hosts in 36 countries
Indirect victims
o Card issuers, merchants & consumers
Why So Sad & Bad
o Too late: discovered after many months
o Too much: name, address, DOB, SSN & driver’s license #
o Too little: “Will help you monitor your credit reports!”
o Too easy: most attacks did not even use 0-day exploit
7
Not Only The Naïve Fall Victim
What: March 17, 2011, RSA warned of SecurID threats
What’s Stolen: RSA One-Time-Password Sensitive Info
Conclusion: It probably made Rivest, Samir, and Adleman want to
withdraw their names from RSA 
8
Spear-phising Attack
“2011 Recruitment plan.xls”
RSA Pre Office 2010
Flash pre 3/21
Patch
RAT
2
Adobe Flash
Player 0-Day
2-FACTOR
SECRETS
3
1
Threat Life Cycle – Generic Kill Chain
9
Action
Manual and/or auto mitigation and policy enforcement.
Reconnaissance
Attacker analyzes potential targets.Command & Control
Malware misses mom and calls home.
Weaponize
Malware is groomed for success.
Install
Malware installs exploitive features on
system.
Deliver
Malware payload infiltrates host system.
Exploit
Malware finds access point.
Threat
Potential threat is born or reborn.
.
Exfiltrate:
DataTheft
Spam
Phishing
DDoSInstall:
HTTP
SocialNet
P2P
Threat Life Cycle – Detection Insights
10
Download:
HTTP
FileShare
FTP
P2P
• Traffic anomaly
• Exec anomaly
• Content anomaly
• Exploit sig
• App anomaly
• Attack sig
• Traffic anomaly
• Reputation
• Behavior anomaly
• Reputation
• Malware sig
• CnC sig
• Traffic anomaly
• Reputation
• App anomaly
• CnC sig
• Traffic anomaly
• Reputation
Infect:
Exploit Pack Drive-By
Social Engineering
Email Target
Modern Threats TTP (Technique, Tactic, & Procedure)
11
o Web Based + Social Engineering
o Multiple Infection Vector
o Obfuscated & Encrypted
o Multi-Component Delivery
o Anti-static analysis & sandboxing
o Network Distributed – Botnets
o Polymorphism & Self Update
1.Hard To Capture Using Simple Sigs
2.Hard To Detect Using Single Approach
3.Impossible To Prevent From A Single Point
Many Actors: Context Is Important
12
CnC
Servers
Upload/
Download
Servers
Legit
Merchants
Financial
Institutions
Consumers
Legit
Corporations
Questionable
Providers
Malware
Writers
Bot
Herders
Spam/Phish
Pushers
Questionable
Advertisers/
Merchants
Illegal
merchants
Pushers
ID/Account
Stealers
Infection
Servers
Espionage
Direct
(Infect)
Victim
Indirect
(Fraud)
Victim
CrimeValueChain
Users Are A Critical Success Factor
13
Enterprise
Security
Challenges
• Advanced TTP
• Industrialized cyber crime
• Corporate & nation state
actors
• Problems on the ground
• Urgency for tools
• Expectation for “fit”
• Global
• Mobile
• Consumerization
• Big Data
• SaaS Cloud
• Blurred Intra-Extra-
Internet
• Virtualization &
cloud delivery
• Unified business
infrastructure: ERP,
ICS & IoT
• SD-X: Software-
defined X
SQL Injection
Cross-Site Script
Web plugIn/Apps
Exploit
Social Engineering
User-Gen Content
Malvertizing
Lost Generation, Lost Paradigm
SaaS
Msg Security
Web Security
Sig
Heuristics
Reputation
Sandboxing
Network
SMG
SWG
IPS
UTM
NGFW
Sig
Anomaly
Sandboxing
Host
AV
IPS
UTM
Sig
Heuristics
MemProt
Virus
OS/Server Exploit
Client Exploits
Network Worm
Mail Worm
Industrialized
Production of
Exploits/Packer/
Coder/Malware
Corporate
Nation State
Multi-vector, targeted, multi-component, network-enabled, & automated AGAINST largely
single-method, blind, siloed, & manual
Quick Poll Break
New Paradigm - Security Ecosystem
o An environment in which all security devices & applications
can share actionable threat intelligence (ATI) across IT
infrastructure, locations, and organization boundaries, to
mitigate security threats.
o We must focus on minimizing the attack consequences!
16
Practicing Ecosystem Defense
o All solutions support some Threat Intelligence Sharing
protocols/APIs
o All access will be controlled with Strong Authentication
o The Access Control in operation still resides with the
Owner, i.e. customer participating the ecosystem
Security Products Can Support Ecosystem Without Losing
Their Competitive Edge, Customers Will Benefit From All The
Best Of Breed Solutions!
17
Quick Poll Break
Ecosystem Actions By Example
1. BackOff: CnC gen, infection detection, & exfiltration prevention
o First sight, one store; benefit more stores, to stop any infiltration by the
same family
2. Sony Wiper: fingerprinting <dst-IP, initiator-MD5> for forensic
analysis, containment, & cleanup
o First sight, one infected machine; identify & protect all infected in the
organization
3. Infection Site Discovery: advanced warning & threat campaign
tracking
o Early detection of infected site, exploit pack (EP) analysis, global
protection, & campaign trending
19
Backoff: Reliable Snort CnC Rule
20
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”BackOff HTTP Callback";
flow:established,to_server; content:”POST”; http_method; content:”$op=”; http_uri;
content:”&id=”; http_uri; content:”&ui=”; http_uri; content:”&wv=“; http_uri; content:”&gr=“;
http_uri; content:”&bv=“; http_uri; content:”/windebug/updcheck.php”; http_uri; classtype:trojan-
activity; sid:891000; rev:2;)
Backoff: Reliable System IOC
o Unique Persistency
o Existence of mutex named “nUndsa8301nskal”
o Existence of file “%APPDATA%nsskrnl”, RC4 encrypted with the
password “Password”
o Existence of clear text file “%APPDATA%OracleJavaLog.txt” for
keystrokes
o ATI Extract & share…
o Verify infiltration of a POS machine by checking the above persistent
artifacts
o Detect & block CnC using the simple Snort rule
o Anyone, anywhere, thereafter shall be protected
21
Sony Wiper: Seeing Once Is Enough
22
Static & Dynamic IOCs
o strings (D1C27EE7CE18675974EDF42D4EEA25C6)
o calc.exe
o 88.53.215.64
o 217.96.33.164
o 203.131.222.102
o igfxtrayex.exe
o net_ver.dat
o process (760c35a80d758f032d02cf4db12d3e55) behavior
o Igfxtrayex.exe creates files “taskhost%random%.exe”
o Igfxtrayex.exe is identical to “taskhost%random%.exe”
o Any EXE with those strings output is suspect; dropped EXE with
the process behavior must be removed!
23
From IOC To Threat Fingerprints
o IOCs so far focus on detecting & verifying any infection
o Threat fingerprinting puts more emphasis on identifying
specifics of particular infection
o Specific TTP
o Malware family
o Actors & intent
o ATI extract & share…
o Host-X: HTTP_connections to dst
{203.131.222.102|217.96.33.164|88.53.215.64}, initiated by process
{Y}, created from image
{filename=“igfxtrayex.exe“|md5=“760c35a80d758f032d02cf4db12d3e5
5”}
24
Global Discovery & Sharing – Better Defense
o Cyphort Crawler Network
o Discovering 1684 infected sites
o Collected 421 bad IPs serving malware
o Collected hundreds of pcaps for web exploit pack
o Sharing ATI, power to all defenders!
25
Infected list for
site owners, site
visitors, SWGs,
threat researchers
IP blacklist for
FW/IPS/NGFW
users, threat
researchers
What EP is active,
used by whom,
targeting whom,
for all defenders
Q and A
o Information sharing and
advanced threats resources
o Blogs on latest threats and
findings
o Tools for identifying malware
Thank You!
Malware Most Wanted: Security Ecosystem

Weitere ähnliche Inhalte

Was ist angesagt?

Malware's Most Wanted: Linux and Internet of Things Malware
Malware's Most Wanted: Linux and Internet of Things MalwareMalware's Most Wanted: Linux and Internet of Things Malware
Malware's Most Wanted: Linux and Internet of Things MalwareCyphort
 
Malware's Most Wanted: The Many Faces of Malware
Malware's Most Wanted: The Many Faces of MalwareMalware's Most Wanted: The Many Faces of Malware
Malware's Most Wanted: The Many Faces of MalwareCyphort
 
Understanding Malware Lateral Spread Used in High Value Attacks
Understanding Malware Lateral Spread Used in High Value AttacksUnderstanding Malware Lateral Spread Used in High Value Attacks
Understanding Malware Lateral Spread Used in High Value AttacksCyphort
 
Most notable apt_ attacks_of_2015_and_2016 predictions
Most notable apt_ attacks_of_2015_and_2016 predictionsMost notable apt_ attacks_of_2015_and_2016 predictions
Most notable apt_ attacks_of_2015_and_2016 predictionsCyphort
 
MMW April 2016 Ransomware Resurgence
MMW April 2016 Ransomware Resurgence MMW April 2016 Ransomware Resurgence
MMW April 2016 Ransomware Resurgence Cyphort
 
Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.
Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.
Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.Cyphort
 
Dissecting Cryptowall
Dissecting CryptowallDissecting Cryptowall
Dissecting CryptowallCyphort
 
MMW Anti-Sandbox Techniques
MMW Anti-Sandbox TechniquesMMW Anti-Sandbox Techniques
MMW Anti-Sandbox TechniquesCyphort
 
Malware Evasion Techniques
Malware Evasion TechniquesMalware Evasion Techniques
Malware Evasion TechniquesThomas Roccia
 
42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to Respond42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to RespondThomas Roccia
 
Cyber espionage nation state-apt_attacks_on_the_rise
Cyber espionage nation state-apt_attacks_on_the_riseCyber espionage nation state-apt_attacks_on_the_rise
Cyber espionage nation state-apt_attacks_on_the_riseCyphort
 
Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014Invincea, Inc.
 
BSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentBSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentStefano Maccaglia
 
Wannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons LearnedWannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons LearnedThomas Roccia
 
Tech ThrowDown: Invincea FreeSpace vs EMET 5.0
Tech ThrowDown:Invincea FreeSpace vs EMET 5.0Tech ThrowDown:Invincea FreeSpace vs EMET 5.0
Tech ThrowDown: Invincea FreeSpace vs EMET 5.0Invincea, Inc.
 
Effective Prioritization Through Exploit Prediction
Effective Prioritization Through Exploit Prediction Effective Prioritization Through Exploit Prediction
Effective Prioritization Through Exploit Prediction Jonathan Cran
 
Ник Белогорский - Будни Кремниевой Долины. История карьеры Ника, борьба с хак...
Ник Белогорский - Будни Кремниевой Долины. История карьеры Ника, борьба с хак...Ник Белогорский - Будни Кремниевой Долины. История карьеры Ника, борьба с хак...
Ник Белогорский - Будни Кремниевой Долины. История карьеры Ника, борьба с хак...HackIT Ukraine
 
Top 10 exploited vulnerabilities 2019 (thus far...)
Top 10 exploited vulnerabilities 2019 (thus far...) Top 10 exploited vulnerabilities 2019 (thus far...)
Top 10 exploited vulnerabilities 2019 (thus far...) Jonathan Cran
 
What you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareWhat you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareKaspersky
 

Was ist angesagt? (19)

Malware's Most Wanted: Linux and Internet of Things Malware
Malware's Most Wanted: Linux and Internet of Things MalwareMalware's Most Wanted: Linux and Internet of Things Malware
Malware's Most Wanted: Linux and Internet of Things Malware
 
Malware's Most Wanted: The Many Faces of Malware
Malware's Most Wanted: The Many Faces of MalwareMalware's Most Wanted: The Many Faces of Malware
Malware's Most Wanted: The Many Faces of Malware
 
Understanding Malware Lateral Spread Used in High Value Attacks
Understanding Malware Lateral Spread Used in High Value AttacksUnderstanding Malware Lateral Spread Used in High Value Attacks
Understanding Malware Lateral Spread Used in High Value Attacks
 
Most notable apt_ attacks_of_2015_and_2016 predictions
Most notable apt_ attacks_of_2015_and_2016 predictionsMost notable apt_ attacks_of_2015_and_2016 predictions
Most notable apt_ attacks_of_2015_and_2016 predictions
 
MMW April 2016 Ransomware Resurgence
MMW April 2016 Ransomware Resurgence MMW April 2016 Ransomware Resurgence
MMW April 2016 Ransomware Resurgence
 
Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.
Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.
Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.
 
Dissecting Cryptowall
Dissecting CryptowallDissecting Cryptowall
Dissecting Cryptowall
 
MMW Anti-Sandbox Techniques
MMW Anti-Sandbox TechniquesMMW Anti-Sandbox Techniques
MMW Anti-Sandbox Techniques
 
Malware Evasion Techniques
Malware Evasion TechniquesMalware Evasion Techniques
Malware Evasion Techniques
 
42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to Respond42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to Respond
 
Cyber espionage nation state-apt_attacks_on_the_rise
Cyber espionage nation state-apt_attacks_on_the_riseCyber espionage nation state-apt_attacks_on_the_rise
Cyber espionage nation state-apt_attacks_on_the_rise
 
Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014
 
BSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentBSides IR in Heterogeneous Environment
BSides IR in Heterogeneous Environment
 
Wannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons LearnedWannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons Learned
 
Tech ThrowDown: Invincea FreeSpace vs EMET 5.0
Tech ThrowDown:Invincea FreeSpace vs EMET 5.0Tech ThrowDown:Invincea FreeSpace vs EMET 5.0
Tech ThrowDown: Invincea FreeSpace vs EMET 5.0
 
Effective Prioritization Through Exploit Prediction
Effective Prioritization Through Exploit Prediction Effective Prioritization Through Exploit Prediction
Effective Prioritization Through Exploit Prediction
 
Ник Белогорский - Будни Кремниевой Долины. История карьеры Ника, борьба с хак...
Ник Белогорский - Будни Кремниевой Долины. История карьеры Ника, борьба с хак...Ник Белогорский - Будни Кремниевой Долины. История карьеры Ника, борьба с хак...
Ник Белогорский - Будни Кремниевой Долины. История карьеры Ника, борьба с хак...
 
Top 10 exploited vulnerabilities 2019 (thus far...)
Top 10 exploited vulnerabilities 2019 (thus far...) Top 10 exploited vulnerabilities 2019 (thus far...)
Top 10 exploited vulnerabilities 2019 (thus far...)
 
What you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareWhat you need to know about ExPetr ransomware
What you need to know about ExPetr ransomware
 

Ähnlich wie Malware Most Wanted: Security Ecosystem

Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...Symantec
 
Panda Security2008
Panda Security2008Panda Security2008
Panda Security2008tswong
 
SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012Rian Yulian
 
IDS+Honeypots Making Security Simple
IDS+Honeypots Making Security SimpleIDS+Honeypots Making Security Simple
IDS+Honeypots Making Security SimpleGregory Hanis
 
Behind the Curtain: Exposing Advanced Threats
Behind the Curtain: Exposing Advanced ThreatsBehind the Curtain: Exposing Advanced Threats
Behind the Curtain: Exposing Advanced ThreatsCisco Canada
 
Cyber warfare introduction
Cyber warfare introductionCyber warfare introduction
Cyber warfare introductionjagadeesh katla
 
Advanced Threats in the Enterprise: Finding an Evil in the Haystack
Advanced Threats in the Enterprise: Finding an Evil in the HaystackAdvanced Threats in the Enterprise: Finding an Evil in the Haystack
Advanced Threats in the Enterprise: Finding an Evil in the HaystackEMC
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisAntonio Parata
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineLastline, Inc.
 
The next generation of IT security
The next generation of IT securityThe next generation of IT security
The next generation of IT securitySophos Benelux
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network SecurityHarish Chaudhary
 
Oliver Schuermann - Integrated Software in Networking - the Mystery of SDN
Oliver Schuermann - Integrated Software in Networking - the Mystery of SDNOliver Schuermann - Integrated Software in Networking - the Mystery of SDN
Oliver Schuermann - Integrated Software in Networking - the Mystery of SDNcentralohioissa
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston HeckerEC-Council
 
Are you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistAre you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistAPNIC
 
Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...Barry Greene
 
Complete Endpoint protection
Complete Endpoint protectionComplete Endpoint protection
Complete Endpoint protectionxband
 
Malware's most wanted-zberp-the_financial_trojan
Malware's most wanted-zberp-the_financial_trojanMalware's most wanted-zberp-the_financial_trojan
Malware's most wanted-zberp-the_financial_trojanCyphort
 
The Role of Application Control in a Zero-Day Reality
The Role of Application Control in a Zero-Day RealityThe Role of Application Control in a Zero-Day Reality
The Role of Application Control in a Zero-Day RealityLumension
 

Ähnlich wie Malware Most Wanted: Security Ecosystem (20)

Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
 
Panda Security2008
Panda Security2008Panda Security2008
Panda Security2008
 
SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012
 
IDS+Honeypots Making Security Simple
IDS+Honeypots Making Security SimpleIDS+Honeypots Making Security Simple
IDS+Honeypots Making Security Simple
 
Behind the Curtain: Exposing Advanced Threats
Behind the Curtain: Exposing Advanced ThreatsBehind the Curtain: Exposing Advanced Threats
Behind the Curtain: Exposing Advanced Threats
 
Cyber warfare introduction
Cyber warfare introductionCyber warfare introduction
Cyber warfare introduction
 
Advanced Threats in the Enterprise: Finding an Evil in the Haystack
Advanced Threats in the Enterprise: Finding an Evil in the HaystackAdvanced Threats in the Enterprise: Finding an Evil in the Haystack
Advanced Threats in the Enterprise: Finding an Evil in the Haystack
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
 
The next generation of IT security
The next generation of IT securityThe next generation of IT security
The next generation of IT security
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security
 
NetWitness
NetWitnessNetWitness
NetWitness
 
Process Essay
 Process Essay Process Essay
Process Essay
 
Oliver Schuermann - Integrated Software in Networking - the Mystery of SDN
Oliver Schuermann - Integrated Software in Networking - the Mystery of SDNOliver Schuermann - Integrated Software in Networking - the Mystery of SDN
Oliver Schuermann - Integrated Software in Networking - the Mystery of SDN
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston Hecker
 
Are you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistAre you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security Checklist
 
Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...
 
Complete Endpoint protection
Complete Endpoint protectionComplete Endpoint protection
Complete Endpoint protection
 
Malware's most wanted-zberp-the_financial_trojan
Malware's most wanted-zberp-the_financial_trojanMalware's most wanted-zberp-the_financial_trojan
Malware's most wanted-zberp-the_financial_trojan
 
The Role of Application Control in a Zero-Day Reality
The Role of Application Control in a Zero-Day RealityThe Role of Application Control in a Zero-Day Reality
The Role of Application Control in a Zero-Day Reality
 

Mehr von Cyphort

MMW June 2016: The Rise and Fall of Angler
MMW June 2016: The Rise and Fall of Angler MMW June 2016: The Rise and Fall of Angler
MMW June 2016: The Rise and Fall of Angler Cyphort
 
Machine learning cyphort_malware_most_wanted
Machine learning cyphort_malware_most_wantedMachine learning cyphort_malware_most_wanted
Machine learning cyphort_malware_most_wantedCyphort
 
Mmw anti sandbox_techniques
Mmw anti sandbox_techniquesMmw anti sandbox_techniques
Mmw anti sandbox_techniquesCyphort
 
Mmw anti sandboxtricks
Mmw anti sandboxtricksMmw anti sandboxtricks
Mmw anti sandboxtricksCyphort
 
If you have three wishes
If you have three wishesIf you have three wishes
If you have three wishesCyphort
 
The A and the P of the T
The A and the P of the TThe A and the P of the T
The A and the P of the TCyphort
 
Malware's Most Wanted: How to tell BADware from adware
Malware's Most Wanted: How to tell BADware from adwareMalware's Most Wanted: How to tell BADware from adware
Malware's Most Wanted: How to tell BADware from adwareCyphort
 
Zeus Dissected
Zeus DissectedZeus Dissected
Zeus DissectedCyphort
 
ISC2014 Beijing Keynote
ISC2014 Beijing KeynoteISC2014 Beijing Keynote
ISC2014 Beijing KeynoteCyphort
 
Malware's Most Wanted (MMW): Backoff POS Malware
Malware's Most Wanted (MMW): Backoff POS Malware  Malware's Most Wanted (MMW): Backoff POS Malware
Malware's Most Wanted (MMW): Backoff POS Malware Cyphort
 
Malware’s Most Wanted: NightHunter. A Massive Campaign to Steal Credentials R...
Malware’s Most Wanted: NightHunter. A Massive Campaign to Steal Credentials R...Malware’s Most Wanted: NightHunter. A Massive Campaign to Steal Credentials R...
Malware’s Most Wanted: NightHunter. A Massive Campaign to Steal Credentials R...Cyphort
 
Malware's Most Wanted: CryptoLocker—The Ransomware Trojan
Malware's Most Wanted: CryptoLocker—The Ransomware TrojanMalware's Most Wanted: CryptoLocker—The Ransomware Trojan
Malware's Most Wanted: CryptoLocker—The Ransomware TrojanCyphort
 
Digging deeper into the IE vulnerability CVE-2014-1776 with Cyphort
Digging deeper into the IE vulnerability CVE-2014-1776 with CyphortDigging deeper into the IE vulnerability CVE-2014-1776 with Cyphort
Digging deeper into the IE vulnerability CVE-2014-1776 with CyphortCyphort
 

Mehr von Cyphort (13)

MMW June 2016: The Rise and Fall of Angler
MMW June 2016: The Rise and Fall of Angler MMW June 2016: The Rise and Fall of Angler
MMW June 2016: The Rise and Fall of Angler
 
Machine learning cyphort_malware_most_wanted
Machine learning cyphort_malware_most_wantedMachine learning cyphort_malware_most_wanted
Machine learning cyphort_malware_most_wanted
 
Mmw anti sandbox_techniques
Mmw anti sandbox_techniquesMmw anti sandbox_techniques
Mmw anti sandbox_techniques
 
Mmw anti sandboxtricks
Mmw anti sandboxtricksMmw anti sandboxtricks
Mmw anti sandboxtricks
 
If you have three wishes
If you have three wishesIf you have three wishes
If you have three wishes
 
The A and the P of the T
The A and the P of the TThe A and the P of the T
The A and the P of the T
 
Malware's Most Wanted: How to tell BADware from adware
Malware's Most Wanted: How to tell BADware from adwareMalware's Most Wanted: How to tell BADware from adware
Malware's Most Wanted: How to tell BADware from adware
 
Zeus Dissected
Zeus DissectedZeus Dissected
Zeus Dissected
 
ISC2014 Beijing Keynote
ISC2014 Beijing KeynoteISC2014 Beijing Keynote
ISC2014 Beijing Keynote
 
Malware's Most Wanted (MMW): Backoff POS Malware
Malware's Most Wanted (MMW): Backoff POS Malware  Malware's Most Wanted (MMW): Backoff POS Malware
Malware's Most Wanted (MMW): Backoff POS Malware
 
Malware’s Most Wanted: NightHunter. A Massive Campaign to Steal Credentials R...
Malware’s Most Wanted: NightHunter. A Massive Campaign to Steal Credentials R...Malware’s Most Wanted: NightHunter. A Massive Campaign to Steal Credentials R...
Malware’s Most Wanted: NightHunter. A Massive Campaign to Steal Credentials R...
 
Malware's Most Wanted: CryptoLocker—The Ransomware Trojan
Malware's Most Wanted: CryptoLocker—The Ransomware TrojanMalware's Most Wanted: CryptoLocker—The Ransomware Trojan
Malware's Most Wanted: CryptoLocker—The Ransomware Trojan
 
Digging deeper into the IE vulnerability CVE-2014-1776 with Cyphort
Digging deeper into the IE vulnerability CVE-2014-1776 with CyphortDigging deeper into the IE vulnerability CVE-2014-1776 with Cyphort
Digging deeper into the IE vulnerability CVE-2014-1776 with Cyphort
 

Kürzlich hochgeladen

Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 

Kürzlich hochgeladen (20)

20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 

Malware Most Wanted: Security Ecosystem

  • 2. It Takes An Ecosystem To Defend Against APT Fengmin Gong Chief Strategy Officer
  • 3. Your speakers today Dr. Fengmin Gong Chief Strategy Officer and Co-Founder Anthony James VP of Products & Marketing
  • 4. Agenda o Open Secret: Malware is winning o Orientation: What’s going on? o Decision: New defense paradigm o Action: Building a secure ecosystem o Tell – The only promise for us to win the war against modern threats is to build an effective security ecosystem of defenders! o Show – How ecosystem approach works by examples o Wrap-up and Q&A CyphortLabsT-shirt
  • 5. Threat Monitoring & Research team ________ 24X7 monitoring for malware events ________ Assist customers with their Forensics and Incident Response We enhance malware detection accuracy ________ False positives/negatives ________ Deep-dive research We work with the security ecosystem ________ Contribute to and learn from malware KB ________ Best of 3rd Party threat data
  • 6. 6
  • 7. Open Secret, Sad Reality Cyber bad actors are winning Well known direct victims o Sony: PlayStation network, DDoS, & Sony Pictures breach o Target, 40milion cards+70milion other accounts, CEO ousted o “Nemanja” POS botnets of 1478 hosts in 36 countries Indirect victims o Card issuers, merchants & consumers Why So Sad & Bad o Too late: discovered after many months o Too much: name, address, DOB, SSN & driver’s license # o Too little: “Will help you monitor your credit reports!” o Too easy: most attacks did not even use 0-day exploit 7
  • 8. Not Only The Naïve Fall Victim What: March 17, 2011, RSA warned of SecurID threats What’s Stolen: RSA One-Time-Password Sensitive Info Conclusion: It probably made Rivest, Samir, and Adleman want to withdraw their names from RSA  8 Spear-phising Attack “2011 Recruitment plan.xls” RSA Pre Office 2010 Flash pre 3/21 Patch RAT 2 Adobe Flash Player 0-Day 2-FACTOR SECRETS 3 1
  • 9. Threat Life Cycle – Generic Kill Chain 9 Action Manual and/or auto mitigation and policy enforcement. Reconnaissance Attacker analyzes potential targets.Command & Control Malware misses mom and calls home. Weaponize Malware is groomed for success. Install Malware installs exploitive features on system. Deliver Malware payload infiltrates host system. Exploit Malware finds access point. Threat Potential threat is born or reborn. .
  • 10. Exfiltrate: DataTheft Spam Phishing DDoSInstall: HTTP SocialNet P2P Threat Life Cycle – Detection Insights 10 Download: HTTP FileShare FTP P2P • Traffic anomaly • Exec anomaly • Content anomaly • Exploit sig • App anomaly • Attack sig • Traffic anomaly • Reputation • Behavior anomaly • Reputation • Malware sig • CnC sig • Traffic anomaly • Reputation • App anomaly • CnC sig • Traffic anomaly • Reputation Infect: Exploit Pack Drive-By Social Engineering Email Target
  • 11. Modern Threats TTP (Technique, Tactic, & Procedure) 11 o Web Based + Social Engineering o Multiple Infection Vector o Obfuscated & Encrypted o Multi-Component Delivery o Anti-static analysis & sandboxing o Network Distributed – Botnets o Polymorphism & Self Update 1.Hard To Capture Using Simple Sigs 2.Hard To Detect Using Single Approach 3.Impossible To Prevent From A Single Point
  • 12. Many Actors: Context Is Important 12 CnC Servers Upload/ Download Servers Legit Merchants Financial Institutions Consumers Legit Corporations Questionable Providers Malware Writers Bot Herders Spam/Phish Pushers Questionable Advertisers/ Merchants Illegal merchants Pushers ID/Account Stealers Infection Servers Espionage Direct (Infect) Victim Indirect (Fraud) Victim CrimeValueChain
  • 13. Users Are A Critical Success Factor 13 Enterprise Security Challenges • Advanced TTP • Industrialized cyber crime • Corporate & nation state actors • Problems on the ground • Urgency for tools • Expectation for “fit” • Global • Mobile • Consumerization • Big Data • SaaS Cloud • Blurred Intra-Extra- Internet • Virtualization & cloud delivery • Unified business infrastructure: ERP, ICS & IoT • SD-X: Software- defined X
  • 14. SQL Injection Cross-Site Script Web plugIn/Apps Exploit Social Engineering User-Gen Content Malvertizing Lost Generation, Lost Paradigm SaaS Msg Security Web Security Sig Heuristics Reputation Sandboxing Network SMG SWG IPS UTM NGFW Sig Anomaly Sandboxing Host AV IPS UTM Sig Heuristics MemProt Virus OS/Server Exploit Client Exploits Network Worm Mail Worm Industrialized Production of Exploits/Packer/ Coder/Malware Corporate Nation State Multi-vector, targeted, multi-component, network-enabled, & automated AGAINST largely single-method, blind, siloed, & manual
  • 16. New Paradigm - Security Ecosystem o An environment in which all security devices & applications can share actionable threat intelligence (ATI) across IT infrastructure, locations, and organization boundaries, to mitigate security threats. o We must focus on minimizing the attack consequences! 16
  • 17. Practicing Ecosystem Defense o All solutions support some Threat Intelligence Sharing protocols/APIs o All access will be controlled with Strong Authentication o The Access Control in operation still resides with the Owner, i.e. customer participating the ecosystem Security Products Can Support Ecosystem Without Losing Their Competitive Edge, Customers Will Benefit From All The Best Of Breed Solutions! 17
  • 19. Ecosystem Actions By Example 1. BackOff: CnC gen, infection detection, & exfiltration prevention o First sight, one store; benefit more stores, to stop any infiltration by the same family 2. Sony Wiper: fingerprinting <dst-IP, initiator-MD5> for forensic analysis, containment, & cleanup o First sight, one infected machine; identify & protect all infected in the organization 3. Infection Site Discovery: advanced warning & threat campaign tracking o Early detection of infected site, exploit pack (EP) analysis, global protection, & campaign trending 19
  • 20. Backoff: Reliable Snort CnC Rule 20 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”BackOff HTTP Callback"; flow:established,to_server; content:”POST”; http_method; content:”$op=”; http_uri; content:”&id=”; http_uri; content:”&ui=”; http_uri; content:”&wv=“; http_uri; content:”&gr=“; http_uri; content:”&bv=“; http_uri; content:”/windebug/updcheck.php”; http_uri; classtype:trojan- activity; sid:891000; rev:2;)
  • 21. Backoff: Reliable System IOC o Unique Persistency o Existence of mutex named “nUndsa8301nskal” o Existence of file “%APPDATA%nsskrnl”, RC4 encrypted with the password “Password” o Existence of clear text file “%APPDATA%OracleJavaLog.txt” for keystrokes o ATI Extract & share… o Verify infiltration of a POS machine by checking the above persistent artifacts o Detect & block CnC using the simple Snort rule o Anyone, anywhere, thereafter shall be protected 21
  • 22. Sony Wiper: Seeing Once Is Enough 22
  • 23. Static & Dynamic IOCs o strings (D1C27EE7CE18675974EDF42D4EEA25C6) o calc.exe o 88.53.215.64 o 217.96.33.164 o 203.131.222.102 o igfxtrayex.exe o net_ver.dat o process (760c35a80d758f032d02cf4db12d3e55) behavior o Igfxtrayex.exe creates files “taskhost%random%.exe” o Igfxtrayex.exe is identical to “taskhost%random%.exe” o Any EXE with those strings output is suspect; dropped EXE with the process behavior must be removed! 23
  • 24. From IOC To Threat Fingerprints o IOCs so far focus on detecting & verifying any infection o Threat fingerprinting puts more emphasis on identifying specifics of particular infection o Specific TTP o Malware family o Actors & intent o ATI extract & share… o Host-X: HTTP_connections to dst {203.131.222.102|217.96.33.164|88.53.215.64}, initiated by process {Y}, created from image {filename=“igfxtrayex.exe“|md5=“760c35a80d758f032d02cf4db12d3e5 5”} 24
  • 25. Global Discovery & Sharing – Better Defense o Cyphort Crawler Network o Discovering 1684 infected sites o Collected 421 bad IPs serving malware o Collected hundreds of pcaps for web exploit pack o Sharing ATI, power to all defenders! 25 Infected list for site owners, site visitors, SWGs, threat researchers IP blacklist for FW/IPS/NGFW users, threat researchers What EP is active, used by whom, targeting whom, for all defenders
  • 26. Q and A o Information sharing and advanced threats resources o Blogs on latest threats and findings o Tools for identifying malware

Hinweis der Redaktion

  1. About Cyphort Labs