Endpoint and Server: The belt and braces anti-malware strategy

Posted on 15-Jan-2015


DESCRIPTION

Slides prepared for the federal IT expo FOSE. They should help employees and managers understand why anti-malware protection is needed at all endpoints and on all servers.

Transcript

Belt & Braces, Server & Endpoint: Why you need multiple levels of malware protection

Stephen Cobb, CISSP
Senior Security Researcher, ESET NA

Today’s agenda

• Full spectrum malware defense

Endpoints under attack

• Malware threat shows no signs of retreating

• Attacks come from
– Cyber criminals
– Hacktivists
– Non-state actors
– Nation states

Attacks from servers, mobile devices

• We now see large-scale server-based attacks

• In one operation: 1000s of servers taken over

• Used to attack 100s of 1000s of endpoints
– Desktops, laptops, mobile devices

• Clearly we need to protect against malware at all levels, across all surfaces

2014 State of Endpoint Risk

• Are security threats created by vulnerabilities to endpoints more difficult to stop/mitigate: 71%

• Have you seen a major increase in malware incidents targeting your endpoints: 41%

• Have your mobile endpoints been the target of malware in the last 12 months: 68%

2014 State of Endpoint Risk, Ponemon Institute

April 2014 GAO report

• Information Security: Federal Agencies Need to Enhance Responses to Data Breaches (GAO-14-487T)

• A lot of work still to be done, across numerous agencies
– Improve security
– Improve breach response

The scale of the problem

• Information security incidents reported to US-CERT by all federal agencies, 2009 – 2013

• GAO-14-487T

• Number of incidents way up
– More data to defend?
– Improved reporting?

Incidents per year (chart data from the slide):
2009: 29,999
2010: 41,776
2011: 42,854
2012: 48,562
2013: 61,214

Exposure of PII is growing

• More incidents involving Personally Identifiable Information

• Why?
– Thriving black market for PII

• Impact
– Serious costs/stress for victims
– Growing public displeasure
– Target CIO and CEO

PII incidents per year (chart data from the slide):
2009: 10,481
2010: 13,028
2011: 15,584
2012: 22,156
2013: 25,566

A federal PII breach example

• July 2013, hackers get PII of 104,000+ people
– From a DOE system

• Social Security numbers, birth dates and locations, bank account numbers
– Plus security questions and answers

• DOE Inspector General: cost = $3.7 million
– Assisting affected individuals and lost productivity

What happens to the stolen data?

• Sold to criminal enterprises
– For identity theft, raiding bank accounts, buying luxury goods, laundering money

• Lucrative scams like tax identity fraud

The market for stolen data has matured

All driven by proven business strategies

• Specialization
• Modularity
• Division of labor
• Standards
• Markets

Market forces in malware strategy

• Dirty deeds that pay well:
– Click fraud
– DDoS
– Spam
– Infection

Malware profitability requires:

• Devices that are always on, on good bandwidth

• Was: desktop-based botnets
• Now: server-based, website, VPS, etc.
• With mobile devices on the rise

Example: Operation Windigo

• 25,000+ servers compromised in last 2 years

• About 10,000 still infected
• 35 million spam messages per day
• 500,000 web redirects per day
• Currently installing
– Click fraud malware
– Spam sending malware

• Evolving since 2011 as modular multi-OS design
– Apple OS X, OpenBSD, FreeBSD, Microsoft Windows (Cygwin), Linux, including Linux on ARM

• Stealthy, with strong use of cryptography
• Halts operation to avoid detection
• Maximizes resources by varying activity

Complex malware infrastructure

Structure

• Bad guys install on root-level compromised hosts:
– By replacing SSH related binaries (ssh, sshd, ssh-add, etc.)
– Or via a shared library used by SSH (libkeyutils)

• Servers used to:
– Serve malware, redirect traffic to infected hosts
– Act as domain servers for malicious sites

• Infecting web users through drive-by downloads
• Redirect web traffic to advertisement networks
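The structure slide above says Windigo installs itself by swapping SSH binaries or the libkeyutils shared library on a root-compromised host. A server-side control that catches exactly that change is a file-integrity baseline: hash the files once on a known-clean image, keep the manifest off the host, and re-check them later. The script below is an added example written for this page, not code from the talk or from ESET. The paths in DEFAULT_WATCHLIST are assumed defaults that vary by distribution, and run_demo() works on constructed sample files in a temporary directory rather than on the real system.

```python
import hashlib
import json
import os
import stat
import sys
import tempfile
from typing import Dict, Iterable, List, Tuple

# Files the slide names as replaced in Windigo-style compromises.
# These paths are assumed defaults; they differ between distributions.
DEFAULT_WATCHLIST = [
    "/usr/bin/ssh",
    "/usr/sbin/sshd",
    "/usr/bin/ssh-add",
    "/lib/x86_64-linux-gnu/libkeyutils.so.1",
]


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint(path: str) -> dict:
    """Capture what a swapped binary or library would change: content hash, size,
    permission bits, and, for symlinks, the target (a binary replaced by a link
    to a rogue copy is caught as a link change rather than a hash change)."""
    st = os.lstat(path)
    entry = {"mode": stat.S_IMODE(st.st_mode), "size": st.st_size}
    if stat.S_ISLNK(st.st_mode):
        entry["link"] = os.readlink(path)
    else:
        entry["sha256"] = sha256_file(path)
    return entry


def build_manifest(paths: Iterable[str]) -> Dict[str, dict]:
    """Take the trusted baseline on a known-clean host. Store the result off-host:
    a manifest left on the server can be edited by whoever replaced sshd."""
    return {p: fingerprint(p) for p in paths if os.path.lexists(p)}


def verify(manifest: Dict[str, dict]) -> List[str]:
    """Re-fingerprint every baselined file and describe each deviation."""
    findings = []
    for path, expected in manifest.items():
        if not os.path.lexists(path):
            findings.append(f"MISSING {path}")
            continue
        actual = fingerprint(path)
        if expected.get("link") != actual.get("link"):
            # Covers a retargeted link, a file turned into a link, or the reverse.
            findings.append(f"LINK {path}: {expected.get('link')!r} -> {actual.get('link')!r}")
        elif expected.get("sha256") != actual.get("sha256"):
            findings.append(f"MODIFIED {path}: hash changed")
        if expected["mode"] != actual["mode"]:
            findings.append(f"MODE {path}: {oct(expected['mode'])} -> {oct(actual['mode'])}")
    return findings


def run_demo() -> Tuple[List[str], List[str]]:
    """Constructed end-to-end run: a temp dir stands in for /usr/bin and /lib,
    two fake files are baselined, then the library is overwritten the way the
    slide describes. Returns (findings before tamper, findings after tamper)."""
    with tempfile.TemporaryDirectory() as root:
        ssh = os.path.join(root, "ssh")
        lib = os.path.join(root, "libkeyutils.so.1")
        with open(ssh, "wb") as f:
            f.write(b"\x7fELF fake ssh client (constructed sample)")
        with open(lib, "wb") as f:
            f.write(b"\x7fELF fake libkeyutils (constructed sample)")
        manifest = json.loads(json.dumps(build_manifest([ssh, lib])))  # round-trip as stored
        clean = verify(manifest)
        with open(lib, "wb") as f:  # simulate the shared-library replacement
            f.write(b"\x7fELF trojanised libkeyutils (constructed sample)")
        return clean, verify(manifest)


if __name__ == "__main__":
    # Intended use: "baseline" on a clean image (redirect to a file kept off-host),
    # later "verify manifest.json" on the running server; no argument runs the demo.
    if len(sys.argv) >= 2 and sys.argv[1] == "baseline":
        print(json.dumps(build_manifest(DEFAULT_WATCHLIST), indent=2))
    elif len(sys.argv) >= 3 and sys.argv[1] == "verify":
        with open(sys.argv[2]) as f:
            print("\n".join(verify(json.load(f))) or "OK: no deviations")
    else:
        before, after = run_demo()
        print("clean run:", before)
        print("after tamper:", after)
```

The check is only as trustworthy as the host running it: a user-space script reads files through the same kernel and libc an attacker with root could have altered, so the manifest belongs off-host and a clean result is a useful signal, not proof. It complements rather than replaces the server anti-malware the slides argue for.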

The need for belt and braces is clear

• Endpoint
– Scanning all incoming files, as they enter
– From email, websites, removable media

• Server
– Email, File, Sharepoint, Gateway

• Mobile
– Antivirus, remote lock, and wipe

Belt, braces, encryption, authentication

Preferably: One interface to manage them all

Don’t neglect the real end point

Resources to tap

• Industry associations
– CompTIA
– ISSA, SANS, (ISC)2

• Booth number 826
• My talk tomorrow
• Websites

Thank you!

• Stephen Cobb
– Stephen.cobb@eset.com

• We Live Security
– www.welivesecurity.com

• Webinars
– www.brighttalk.com/channel/1718

• Booth number 826
