1.
The Custom Defense against Advanced Threat
Deep Discovery
Confidential | Copyright 2012 Trend Micro Inc.
Gastone Nencini
Trend Micro Italy Leader and Snr. Technical
Manager Trend Micro Southern Europe

2.
Global Threat Intelligence - Smart Protection Network
10/1/2013 Confidential | Copyright 2012 Trend Micro Inc.
THREAT DATA
CUSTOMERS
THREAT
INTELLIGENCE
Identifies
Global
We look in
more places
Broad
We look at
more threat
vectors
Correlated
We identify all
components
of an attack
Proactive
We block
threats at
their source
1.15B Threat
Samples Daily
90K malicious
threats daily
200M Threats blocked daily
THREAT-ACTORS
FILES
MOBILE/APPS
EXPLOIT KITS
URLS
IP ADDRESSES
NETWORK
TRAFFIC
DOMAINS
VULNERABILITIES
DEPUIS 2008

3.
Today’s Attacks: Social, Sophisticated, Stealthy!
Copyright 2013 Trend Micro Inc.
Attackers
Moves laterally across network
seeking valuable data
Establishes link to
Command & Control server
Extracts data of interest – can
go undetected for months!
$$$$
Gathers intelligence about
organization and individuals
Targets individuals
using social engineering
Employees

4.
Copyright 2013 Trend Micro Inc.
Attackers
Moves laterally across network
seeking valuable data
Establishes link to
Command & Control server
Extracts data of interest – can
go undetected for months!
$$$$
Gathers intelligence about
organization and individuals
Targets individuals
using social engineering
Employees
Network Admin
Security
1.8 successful attacks per week / per large organization1
21.6% organizations experienced APT attacks2
Malware engineered and tested to evade your standard
gateway/endpoint defenses
A custom attack needs a custom defense!
1: Source: 2012 Ponemon Study on costs of Cybercrime
2: Source: ISACA APT Awareness Study, 2013

5.
Custom Defense
Network-wide
Detection
Advanced
Threat Analysis
Threat Tools
and Services
Automated
Security Updates
Threat
Intelligence
Custom
Sandboxes
Network Admin
Security
Copyright 2013 Trend Micro Inc.

6.
Cyberwar on your network
More frequent More targeted More money More sophiticated
• 1 new threat each second 1
• 1 cyber-intrusion each 5 minutes 2
• 67 % of infrastructure can’t block a custom
& targeted attack 3
• 55 % of companies didn’t detected the
breach 1
Source : 1: Trend Micro, 2 : US-Cert 2012, 3 : Ponemom Institute 2012

7.
Security by signature is not enough
10/1/2013 7Confidential | Copyright 2012 Trend Micro Inc.
Basic malware
Phishing
Exploitation tools
Malicious website
Common
vulnerabilities
Discovery tools
SWG NG
FW
Document
exploit
0-DayObfuscated
Javascript
Polymorphic
payload
Crypted
RAT
Watering
Hole Attack
Spear
Phishing
C&C
communications
IPS AV

8.
Let Me Google That For You

9.
Threat profiling through Smart Protection
Network & Threat Connect
Origin ? Risk ? Channel ?
Trend Micro Custom Defense
10/1/2013 9Confidential | Copyright 2012 Trend Micro Inc.
Advanced network monitoring
techcnologies to analyze low signals
(0-day, c2c, sqli, dbdump…)
DETECT ANALYZE
ADAPTRESPONSE
Instant protection through custom
signature (IP, dns, url, file…)
Full cleaning with detailed profiling and
advanced analysis tools

10.
Catch everythings with Deep Discovery
10/1/2013 10Confidential | Copyright 2012 Trend Micro Inc.
Malicious content
• Embedded doc exploits
• Drive-by downloads
• Zero-day
• Malware
Suspicious communication
• C&C access
• Data stealing
• Worms
• Backdoor activity…
Attack behavior
• Propagation & dropper
• Vuln. scan & bruteforce
• Data exfiltration…
HTTP
SMTP
TCP
...
SMB
DNS
FTP
P2P
More than
80 protocols analyzed
Network Content
Inspection Engine
Advanced Threat
Security Engine
IP & URL reputation
Virtual Analyzer
Network Content
Correlation Engine

11.
Trend Micro Virtual Analyzer
• Custom OS image
• Execution accelerated
• Anti-VM detection
• 32 & 64 bits
• Run binaries, documents, URL...
10/1/2013 11Confidential | Copyright 2012 Trend Micro Inc.
WinXP SP3WinXP SP3
Win7
Base
Win7
Base
Isolated Network
Your Custom Sandbox
Live monitoring
• Kernel integration (hook, dll injection..)
• Network flow analysis
• Event correlation
Filesystem
monitor
Registry
monitor
Process
monitor
Rootkit
scanner
Network
driver
Fake
Explorer
Fake
Server
Fake AV
API
Hooks
Win7
Hardened
Win7
Hardened
Core Threat Simulator
LoadLibraryA ARGs: ( NETAPI32.dll ) Return value: 73e50000
LoadLibraryA ARGs: ( OLEAUT32.dll ) Return value: 75de0000
LoadLibraryA ARGs: ( WININET.dll ) Return value: 777a0000
key: HKEY_CURRENT_USERLocal
SettingsMuiCache4852C64B7ELanguageList value:
key: HKEY_CURRENT_USERSoftwareMicrosoftOnheem20bi1d4f
Write: path: %APPDATA%Ewadaeqawoc.exe type: VSDT_EXE_W32
Injecting process ID: 2604 Inject API: CreateRemoteThread Target
process ID: 1540 Target image path: taskhost.exe
socket ARGs: ( 2, 2, 0 ) Return value: 28bfe
socket ARGs: ( 23, 1, 6 ) Return value: 28c02
window API Name: CreateWindowExW ARGs: ( 200, 4b2f7c, ,
50300104, 0, 0, 250, fe, 301b8, f, 4b0000, 0 ) Return value: 401b2
internet_helper API Name: InternetConnectA ARGs: ( cc0004,
mmlzntponzkfuik.biz, 10050, , , 3, 0, 0 ) Return value: cc0008
.......
Modifies file with infectible type : eqawoc.exe
Inject processus : 2604 taskhost.exe
Access suspicious host : mmlzntponzkfuik.biz
Modifies file with infectible type : eqawoc.exe
Inject processus : 2604 taskhost.exe
Access suspicious host : mmlzntponzkfuik.biz
!

12.
Deep Discovery portfolio
10/1/2013 12Confidential | Copyright 2012 Trend Micro Inc.
Deep Discovery Inspector
Threat profil export
(IOC, hash)
• Network Appliance All-in-One
100 Mbps, 250 Mbps, 500 Mbps, 1 Gbps
• Bare Metal (custom appliance)
• Virtual Appliance
Plug & Protect
Deep Discovery Advisor
• Automatic Analysys Labs
• Live detailled dashboard
• Custom reports
• Multi-box (5 nodes, 50k files/day)
Integrated into
Trend Micro solutions
API & scripting

13.
Dynamic blacklist
App Server
Storage
10/1/2013 13Confidential | Copyright 2012 Trend Micro Inc.
Inspector
Advisor
Deep Discovery
Simple & Efficient
!
SMTP relay
Web proxy
!
!
Mail Server
Endpoint
!
af12e45b49cd23...
48.67.234.25:443
68.57.149.56:80
d4.mydns.cc
b1.mydns.cc
...
Infection & payload
Lateral movement
C&C callback
3c4çba176915c3ee3df8
7b9c127ca1a1bcçba17
Custom Signature

14.
Web proxy
ATP Integration
Native Advanced Protection
10/1/2013 14Confidential | Copyright 2012 Trend Micro Inc.
Dynamic blacklist
App Server
Storage
Advisor
!
SMTP relay
Mail Server
Endpoint
!
af12e45b49cd23...
48.67.234.25:443
68.57.149.56:80
d4.mydns.cc
b1.mydns.cc
...
!
ScanMail
IWSva
IMSva
Infection & payload
C&C callback
Endpoint Sensor
OfficeScan *
Deep Security *
3c4çba176915c3ee3df8
7b9c127ca1a1bcçba17
Custom Signature

15.
ATP Integration
Native Advanced Protection
10/1/2013 15Confidential | Copyright 2012 Trend Micro Inc.
Dynamic blacklist
Advisor
!
Mail Server
af12e45b49cd23...
48.67.234.25:443
68.57.149.56:80
d4.mydns.cc
b1.mydns.cc
...
!
ScanMail
Infection & payload
C&C callback
OfficeScan 3c4çba176915c3ee3df8
7b9c127ca1a1bcçba17
Custom Signature
TMCM
CCCA DB
ATSE

16.
Detect…

17.
Detect…

18.
…then React
Human readable

19.
Open architecture
10/1/2013 19Confidential | Copyright 2012 Trend Micro Inc.
Deep Discovery
Dynamic blacklist
af12e45b49cd23...
48.67.234.25:443
68.57.149.56:80
d4.mydns.cc
b1.mydns.cc
...
3c4çba176915c3ee3df8
7b9c127ca1a1bcçba17
Custom Signature
3rd party SIEM
(CEF/LEEF)
WEB API
Web Proxy
SMTP Relay
Network
Capture
Firewall *
Notable
Characteristics
Network packet
DetectionsDetections Threat ProfilesThreat ProfilesAnalysisAnalysis Custom C&CCustom C&C

20.
Why Deep Discovery ?
10/1/2013 20Confidential | Copyright 2012 Trend Micro Inc.
• Multi-engine for analysis and correlation
• Empower Smart Protection Network
• CustomVirtual Analyzer sandbox
• Access to TrendLabs Security Expert
Dynamic advanced security
Plug & Protect
• High Throughput Network Analysis
• Flexible architecture: HW, SW, VM
• Fast forensics & custom signature

21.
Making your Cyber-Defense together
10/1/2013 21Confidential | Copyright 2012 Trend Micro Inc.
21Confidential | Copyright 2012 Trend Micro Inc.
Threat Education Services
Advanced Threat Detection Technology
Threat
Security
Advisor
Threat
Intelligence
Service
Cyber
Attack
Analysis

22.
Thanks