7 Ways to Stay 7 Years Ahead of the Threat

© 2014 IBM Corporation
IBM Security Systems
7 Ways to Stay 7 Years
Ahead of the Threat
Protecting your infrastructure with behavior-based
protection

We are in an era of continuous breaches.
Attackers are relentless, victims are targeted, and the damage toll is rising
Operational
Sophistication
IBM X-Force declared
Year of the
Security Breach
Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2014
Near Daily Leaks
of Sensitive Data
40% increase
in reported data
breaches and incidents
Relentless Use
of Multiple Methods
500,000,000+ records
were leaked, while the future
shows no sign of change
2011 2012 2013
SQL
injection
Spear
phishing
DDoS Third-party
software
Physical
access
Malware XSS Watering
hole
Undisclosed
Attack types
Note: Size of circle estimates relative impact of incident in terms of cost to business.

Customers are fighting a losing battle.
 Humans will always make mistakes
 System and application vulnerabilities
continue to emerge
 Most malware detection is reactive
Microsoft Warns of Attacks
on IE Zero-Day
Adobe Patches Flash
Player Zero-Day Used in
Watering-hole Attacks
Cost of Data Breaches
Spikes 15% in Last Year
Windows XP: Microsoft can't
wash its hands of the security
problem so easily

Large-scale infections create large surface area for new massively-distributed
APT style attacks.
New APT attack that can evade AV and standard controls
Attack attempts to set up remote control or steal corporate credentials

Patching the original vulnerability was complicated by the development of
additional exploit techniques, resulting in additional CVE numbers created.
The disclosure of the Shellshock bug in September brought
immediate exploit attempts.
1992 2014
27 Sep 2014
IBM MSS
observes 1000%
increase above
average of
shellcode
injection attacks
1992
Vulnerability
in Bash shell
introduced in
Linux v1.14
24 Sep 2014
Shellshock
vulnerability
disclosed in CVE
2014-6271
Vendor patch for
CVE 2014-6271
found
insufficient.
Add’l CVE 2014-
7169 created.
25 Sep 2014
X-Force
elevates
AlertCon
level to a 3
Additional
CVEs
created to
document
Shellshock,
bringing
total to 6

Change the shells from bash to alternatives (ksh, sh…)
The recommended practices for Shellshock protection did not offer
complete coverage.
Apply the vendor patches
Some initial vendor patches were incomplete
This can break things within the network
Apply WAF/IPS rules
Current public rules are lacking, and focus only on a single
exploit

The IBM fundamental approach to threat protection
VULNERABILITY vs. EXPLOIT
A weakness in a system A method used to gain system entry
IBM protects the vulnerability Other products only block the exploits
• Stays ahead of the
threat with pre-emptive
protection that stops
things from breaking
the window
• Looks for methods
that can break
the window
• Keeping up
can be challenging
IBM PROTECTION vs. OTHER PRODUCTS
? ? ?
• Can be used to do
something unintended
• Can be exploited
in multiple ways
• Many different exploits
can target a single
vulnerability
• Not all exploits
are publicly available,
and mutation
is common

Shellcode
Heuristics
Behavioral protection
to block exploit payloads
IBM has 7 layers of vulnerability and exploit coverage, going beyond
pattern matching.
Web Injection Logic
Patented protection
against web attacks,
e.g., SQL injection
and cross-site scripting
Exploit
Signatures
Attack-specific
pattern matching
Vulnerability
Decodes
Focused algorithms
for mutating threats
Application Layer
Heuristics
Proprietary algorithms
to block malicious use
Protocol Anomaly
Detection
Protection against misuse,
unknown vulnerabilities,
and tunneling across
230+ protocols
Content
Analysis
File and document
inspection and
anomaly detection
Other IPS solutions
stop at pattern matching

Simple mutations will render exploit-matching engines useless
A simple change to a
variable name allows the
attack to succeed, while
rendering the protection of a
signature matching engines
useless
A simple change to the
HTML code in a
compromised web page
makes the attack invisible to
signature protection
Simply adding a comment to
a web page results in an
attack successfully
bypassing signature IPS
Original Variable Names Mutated Variable Names
Shellcode somecode
Block brick
heapLib badLib
Original Class Reference Mutated Class Reference
<html><head></head>
<body><applet
archive="jmBXTMuv.jar"
code="msf.x.Exploit.class"
width="1" height="1"><param
name="data" value=""/><param
name="jar">
<html><head></head>
<body><applet
archive="eXRZLr.jar"
code="msf.x.badguy.class"
width="1" height="1"><param
name="data" value=""/><param
name="jar">
Original Code Mutated Code
var t = unescape; var t = unescape <!— Comment -->;

ICSA certification for the GX4
By consolidating network demands for data security and
protection for web applications, IBM Security Network Intrusion
Prevention System solutions serve as security platforms that
can reduce the cost and complexity of deploying and managing
X-Force expertise provides a competitive edge in the marketplace
Tolly Group Test Report
IBM Delivers Superior Protection from Evolving Threats with
High Levels of Performance. Tests showed that IBM is nearly
twice as effective as Snort at stopping ‘mutated’ attacks,
showing the power of X-Force technology.
Independent survey of 458
IT professional, Aug 2012
point solutions.
Top Ranking by Customers
The IBM Network Security Appliances, for which X-Force
provides protection, is the most highly regarded , as ranked by
an Information Week survey of customers. This included top
scores in overall vendor performance, attack blocking and
centralized management.

NSS Testing Overview and Highlights
The IBM Security Network IPS GX7800 appliance:
• Scored 95.7% in Exploit Block Rate and 8,650 Mbps in NSS Tested Throughput
• Scored 97.7% and 94.1% for Block Rate (Server) and Block Rate (Client) respectively
• Achieved a “PASS” for all tests related to “Stability & Reliability”
• Achieved a “PASS” for all tests related to “Evasions”

Behavioral-based detection blocks attacks that have
never been seen before IBM Protection Disclosed
2006 2014
June 2007 Sept 2014
Shellshock
CVE 2014-6271
MS IE Remote
Exploit
CVE-2012-4781
Java JRE
Code
Execution
CVE-2013-2465
Cisco ASA
Cross-Site
Scripting
CVE-2014-2120
Symantec Live
Update SQL
Injection
CVE-2014-1645
Shell_Command_Injection
April 2006 JavaScript_NOOP_Sled
7.3 years ahead
10 vulnerabilities covered
6.8 years ahead December 2012
Java_Malicious_Applet
March 2013
5 months ahead
November 2008 Cross_Site_Scripting
March 2014
5.5 years ahead
8,500+ vulnerabilities covered
June 2007 March 2014
6.9 years ahead
9,000+ vulnerabilities covered
SQL_Injection
October 2012

Trusteer Apex multi-layered defense architecture
KB to
create
icon
Threat and Risk Reporting
Vulnerability Mapping and Critical Event Reporting
Advanced Threat Analysis and Turnkey Service
Credential
Protection
Exploit Chain
Disruption
Malware
Detection and
Mitigation
Malicious
Communication
Prevention
Lockdown
for Java
Global Threat Research and Intelligence
Global threat intelligence delivered in near-real time from the cloud
• Prevent reuse on
non-corporate
sites
• Protect against
submission on
phishing sites
• Report on
credential usage
• Block anomalous
activity caused by
exploits
• Zero-day defense
by controlling
exploit chain
• Detection and
mitigation of
massively
distributed APTs
• Cloud-based
detection of
known threats
• Block malware
communication
• Disrupt command
and control
• Protects against
data exfiltration
• Block high-risk
actions by
malicious Java
applications
• Administer the
trust level
reducing user
disruption

Trusteer Apex - Corporate Credentials Protection
WWW
Credential theft
via phishing
Corporate
credential reuse
Legitimate
corporate site
Enter Password
Submit: Allow
Phishing
• Detect submission
• Validate destination
site
*******
Unauthorized
legitimate site
Authorized
site

Breach other
programs
Trusteer Apex - Exploit chain disruption
Disrupt zero day attacks without prior knowledge of the exploit or vulnerability
• Correlate application state with post-exploit actions
• Apply allow / block controls across the exploit chain
Write files
Alter registry
Other breach
methods
Monitor post-exploit
actions
Evaluate application
states
Application states Exploit propagation
Indicators

Trusteer Apex - Malware Detection and Mitigation
Transparent removal of malware infections
Massively-distributed APT Protection Legacy-threat Protection
Automated Malware Removal 27 Anti-virus Engines
Billions of good files
saved and executed
Billions of malicious
files blocked
Blacklist
Database
Whitelist
Database
• No active scanning = no performance impact
• No signature file update process on the endpoint

Allow low-risk activities
e.g., Display, local calculation
Trusted app
Untrusted app
Monitor and control high-risk activities
Trusteer Apex - Lockdown for Java
Monitor and control high risk Java application actions
Trusted app
Malicious app
Rogue Java app
bypasses Java’s
internal controls
e.g., Write to file system, registry change
Trusted app
Untrusted app
• Malicious activity is blocked while legitimate Java applications are
allowed
• Trust for specific Java apps is granted by Trusteer / IT administrator

Trusteer Apex - Malicious communication blocking
Block suspicious executables that attempt to compromise other applications
or open malicious communication channels
Assess trust level Identify application breach Allow / block
DIRECT
1. Assess process trust level
2. Identify process breach
3. Allow / block external communication
Malicious site
Legitimate site
used as C&C
Direct user
download
Pre-existing
infection
External
Network
Zombie
process
COMMUNICATION
PASS-THROUGH

On the Network On the Endpoint
IBM Security offers 12 layers of protection for your infrastructure.
Vulnerability Decodes
Application Layer Heuristics
Web Injection Logic
Shellcode Heuristics
Content Analysis
Protocol Anomaly Detection
Exploit Signatures
1
2
3
4
5
6
7
1 Credential Protection
2 Exploit Chain Disruption
3 Malware Detection and Mitigation
4 Lockdown for Java
5 Malicious Communication Prevention

Connect with IBM X-Force Research & Development
Twitter
@ibmsecurity and @ibmxforce
IBM X-Force Threat Intelligence
Reports and Research
http://www.ibm.com/security/xforce/
IBM X-Force Security Insights Blog
www.SecurityIntelligence.com/topics/x-force
Find more on SecurityIntelligence.com

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

7 Ways to Stay 7 Years Ahead of the Threat

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (19)

Ähnlich wie 7 Ways to Stay 7 Years Ahead of the Threat

Ähnlich wie 7 Ways to Stay 7 Years Ahead of the Threat (20)

Mehr von IBM Security

Mehr von IBM Security (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

7 Ways to Stay 7 Years Ahead of the Threat