5. Thriving Market
Malware offered for $249 with a service level agreement (SLA) and replacement warranty if the creation is detected by any antivirus within 9 months.
Copyright 2014 Trend Micro Inc.
6. Menu for Full Service Hacking
Services listed:
Malware checking
Botnet Framework
Bulletproof hosting
Exploit Kit
DDOS Attack for 24 hours
Dropper file and crypt
Modules
Price columns: monthly / onetime
$30
$125
$50
$40
$0 $52
$38 $120
$0 $20
$205 $70
$80 $8
Total: $238 $600
19. Trends of Attack 2015
• iOS will become the bull's-eye of malware.
• Zero-days for Web applications explode.
• Cloud App Attacks.
• Secondary infections are leveraged to facilitate long-term campaigns against the Fortune 100.
• Ransomware.
• The use of destructive payloads as part of counter incident response.
3/19/2015
22. Custom Defense is the Foundation
Detect malware, C&C, and attacker activity invisible to standard defenses.
Analyze the risk, context, timeline and full extent of the attack.
Respond with automatic security updates & the insight to shut down the attack.
Custom Defense components: Advanced Malware Detection; Contextual Threat Analysis; Automated Security Updates; Command & Control Detection; Attacker Activity Detection; Threat Impact Assessment.
23. Risk Management
1. Conduct Pen test of all third parties.
2. Use Two-factor authentication.
3. Utilize a host-based intrusion prevention system.
4. Deploy file integrity monitoring.
5. Implement virtual shielding for zero day exploits.
6. Deploy both an MDM and Mobile Application Reputation software.
7. Sandbox your cloud apps.
8. Implement whitelisting.
9. Manage the crypto keys for your cloud data.
10. Web Application Security (OWASP).
11. Deploy context-aware Threat Intelligence.
12. Utilize a Breach Detection System.
The intent of this slide is to provide the customer with an initial glide path to understanding why targeted attacks can outmaneuver their existing defenses. Here are the key points to make:
Attacks have evolved in complexity from opportunistic to targeted. Malware is being designed and customized to serve the definite purpose of breaching a specific organization. As a result, security defenses that were designed to detect and stop ‘mass attacks’ are no longer capable of identifying unknown attacks or evolving attack methods. Although they remain of value and a vital part of a layered defense, they need to be enhanced.
Employee Data Leaks ??
Traditional Malware – typically widely distributed and used for opportunistic attacks. These are a form of ‘virus’ with generic functions such as stealing passwords or data. These types of threats are typically dealt with using signatures for detection and blocking in technologies such as firewalls, intrusion prevention and intrusion detection systems.
Vulnerability Exploits – attackers take advantage of buffer overflows, memory dumps and other ‘software and/or security bugs’ to encroach on and extract data from a desktop, server or other device. These types of threats are typically addressed by vulnerability patching, IPS and IDS products.
Advanced Malware – attackers establish a foothold on a trusted device and use it as a launching pad to access other areas of your network and exfiltrate information. In addition, this form of malware tends to contain subroutines and processes to create the perception of legitimate access and purpose. The malware can automate the selection of IP addresses, communication protocols and other techniques. Detecting this form of malware requires analysis of network traffic, heuristics, algorithms and malware analysis capabilities.
Targeted Attacks – Similar to a bank heist, attackers research their target and identify the security, processes, and location of what they want to steal. After completing advance reconnaissance they devise a detailed plan of attack, custom design and build their attack code, test their plan of attack and then execute. The key design criterion is to evade detection, enable freedom of movement within your network and gain access to the assets they wish to target. In so doing, attackers will take whatever means are at their disposal. If it is clear that you have a hardened means to monitor web traffic, they will use another protocol. They will determine how your firewall is configured and what ports might yield safe passage. They will attempt to erase their footprints and ensure they can move within your network and improve their intelligence on your environment through every stage of the attack. By the time you are aware, they have what they want, have likely already turned it into cash, and are either long gone or have come back for more.
Island Hopping and Secondary Infections: Targeted attacks against the “virtual supply chain” of financial institutions abound. In addition to this new dynamic of counterparty risk, there is widespread utilization of previously installed backdoors within trusted systems to leverage a secondary infection. Backdoors—applications that open computers to remote access—play a crucial role in targeted attacks. Often initially used in the second (point of entry) or third (command-and-control [C&C]) stage of the targeted attack process, backdoors enable threat actors to gain command and control of their target network.
Unexpected Impacts
Unexpected Strategic Impacts
Loss of brand equity & revenue (The Interview)
Loss of intellectual property
Deterioration / loss of intangible assets: technology, market, customer, operational practices, etc.
Erosion of market value (ex: Target)
Unexpected Costs:
internal investigation & post-attack clean-up
regulatory filings and external investigation
EMC/RSA breach being estimated at $66 million. Target is claiming over $1 billion
Unexpected Risks:
Litigation by shareholders, customers, employees, or suppliers
Your network being used as a beachhead to launch attacks
Third-party access and island hopping
Unexpected Career Impacts:
Scapegoat effect
Resignation of Target CEO and CIO despite being “PCI compliant”
Boards of Directors and executives face risk to their reputation and personal market value; they need advice and direction.
"control-unit" prisons, or units within prisons, which represent the most secure levels of custody in the prison systems of certain countries. The objective is to provide long term, segregated housing for inmates classified as the highest security risks in the prison system—the "worst of the worst" criminals, and those who pose a threat to national and international security.
Although APTs are extremely difficult to detect, the following is a list of common telltale signs that your organization may have been compromised by an APT.
• Finding system exploit code embedded in email attachments or delivered via Web pages.
• Increase in elevated logons late at night.
• Outbound connections to known CnC servers.
• Finding widespread backdoor Trojans on endpoints and/or network file shares.
• Large, unexpected flows of data from within the network — from server to server, server to client, client to server, or network to network.
• Discovering large (I’m talking gigabytes, not megabytes) chunks of data appearing in places where that data should not exist. Be especially wary if you find compressed data in formats not normally used by your organization.
A major reason why organizations fail to identify APT attacks is that their security devices are only (or mainly) configured to examine inbound traffic at the perimeter. Acquiring and/or configuring security solutions to inspect outbound traffic significantly improves your chances of detecting APTs and other cyber attacks.
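As an added illustration (not part of the original slide deck or any Trend Micro product), the following toy detector checks three of the telltale signs above, late-night elevated logons, outbound connections to known CnC servers, and large data flows from inside the network, over constructed log records. The record format, the 10.0.0.0/8 "internal" prefix, the 1 GiB threshold and the CnC address 203.0.113.7 are all assumptions made for the example.

```python
# Added example: toy APT telltale-sign detector over constructed log lines.
# Record format (constructed for this example): ts|kind|src|dst|user|bytes
from collections import Counter
from datetime import datetime

KNOWN_CNC = {"203.0.113.7"}     # placeholder indicator (TEST-NET-3), not a real CnC
INTERNAL_PREFIX = "10."         # crude "inside the network" check for the sample data
LARGE_FLOW_BYTES = 1024 ** 3    # gigabytes, not megabytes
OFF_HOURS = range(0, 6)         # 00:00-05:59 counts as "late at night"

# Constructed sample records (not real logs).
SAMPLE_LOG = [
    "2015-03-19T02:14:00|logon|10.0.0.5|10.0.0.10|admin_jdoe|0",
    "2015-03-19T02:40:00|logon|10.0.0.5|10.0.0.11|admin_jdoe|0",
    "2015-03-19T09:05:00|logon|10.0.0.7|10.0.0.10|alice|0",
    "2015-03-19T03:01:00|conn|10.0.0.5|203.0.113.7|-|512",
    "2015-03-19T03:10:00|flow|10.0.0.10|203.0.113.7|-|2147483648",
    "2015-03-19T10:00:00|flow|10.0.0.10|10.0.0.20|-|52428800",
]

def parse(line):
    ts, kind, src, dst, user, nbytes = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "kind": kind,
            "src": src, "dst": dst, "user": user, "bytes": int(nbytes)}

def find_signs(lines, night_admin_baseline=1):
    """Return (sign, subject, detail) alerts; baseline = expected off-hours admin logons per day."""
    alerts = []
    night_admin = Counter()
    for rec in map(parse, lines):
        if (rec["kind"] == "logon" and rec["user"].startswith("admin")
                and rec["ts"].hour in OFF_HOURS):
            night_admin[str(rec["ts"].date())] += 1      # count, report after the pass
        elif rec["kind"] == "conn" and rec["dst"] in KNOWN_CNC:
            alerts.append(("cnc_outbound", rec["src"], rec["dst"]))
        elif (rec["kind"] == "flow" and rec["src"].startswith(INTERNAL_PREFIX)
                and rec["bytes"] >= LARGE_FLOW_BYTES):
            alerts.append(("large_flow", rec["src"], rec["dst"]))
    for day, count in sorted(night_admin.items()):
        if count > night_admin_baseline:                  # an *increase* over normal
            alerts.append(("night_admin_logons", day, count))
    return alerts

if __name__ == "__main__":
    for alert in find_signs(SAMPLE_LOG):
        print(alert)
```

On the sample data this reports the CnC connection, the 2 GiB flow to the same address, and two off-hours admin logons on 2015-03-19 against a baseline of one; the 50 MB internal flow and the daytime logon are ignored.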
APTrap is an environment in which analysts can study APT actors’ tools, tactics, and procedures (TTPs). The basic idea behind APTrap is to create a realistic yet isolated environment that APT actors are allowed to breach, move within, exploit, and exfiltrate data from, while all of their actions are captured in non-obvious ways. Analysts can then perform a detailed analysis of the captured data to (1) understand the mindset of the attackers, (2) gain insight into what tools they use and how they use them, and (3) learn more about the goals behind the actual intrusion by examining what data they may be searching for and how they exfiltrate it.