Weaponised Malware & APT Attacks: Protect Against Next-Generation Threats

Post on 15-Jul-2015


Transcript

Presenters:

Dean Barnes, Principal Security Manager – Threat Management, Royal Mail

Paul Zimski, VP, Solution Marketing, Lumension

POLL #1

State Sponsored Malware is Officially Out of the Shadows

Google begins alerting Gmail users to 'state-sponsored' attacks.

Warning: We believe state-sponsored attackers may be attempting to compromise your account or computer. Protect yourself now.

HOW… did we get to the point where your online email provider specifically warns users of state-sponsored attacks?

FIRST… a little history.

Event Timeline: Stuxnet

• Publicly disclosed 13 months after the first attack against Iran

• Designed to sabotage Iranian nuclear refinement plants

• Stuxnet attacked Windows systems using an unprecedented four zero-day attacks

• First to include a programmable logic controller (PLC) rootkit

• Has a valid, but abused, digital signature

• Payload targeted only Siemens supervisory control and data acquisition (SCADA) systems

Timeline: 2009.06: STUXNET

Event Timeline: Duqu

• Considered to be "next generation Stuxnet"

• Believed that Duqu was created by the same authors as Stuxnet

• Exploits zero-day Windows kernel vulnerabilities

• Components are signed with stolen digital keys

• Highly targeted and related to the nuclear program of Iran

• Designed to capture information such as keystrokes and system information

• Central command and control with modular payload delivery – also capable of attacking

Timeline: 2009.06: STUXNET | 2010.09: DUQU

Event Timeline: Flame

• Designed for targeted cyber espionage against Middle Eastern countries

• Spreads to systems over a local network (LAN) or via USB stick

• Creates Bluetooth beacons to steal data from nearby devices

• "Most complex malware ever found"

• "Collision" attack on the MD5 algorithm – to create fraudulent Microsoft digital certificates

• Utilized multiple zero-day exploits

Timeline: 2009.06: STUXNET | 2010.09: DUQU | 2011.05: FLAME

Common APT Characteristics


• Highly targeted and endpoint focused

• Use sophisticated and low-tech techniques

– USB Key Delivery; social engineering

• Zero-day vulnerabilities

• Fraudulent Certificates

• Centralized Command and Control

• Undetected for prolonged periods

– Exfiltration masking

Weaponized - What's Different?

Development:

• Nation-States

• Truly customized payloads

Delivery:

• Zero-day propagation

• Multi-vectored: Bluetooth, USB, network

Detection:

• Digitally signed with compromised certificates

• Outbound exfiltration masking

Command & Control:

• Central command

• Modular payloads

Intent:

• Surveillance

• Disrupt / Destroy

WHY… should the enterprise care?

Why Should the Enterprise Care?

Retaliation Risk: US admits Stuxnet – expect increasing retaliation risk against sensitive economic and infrastructure assets

Collateral Damage: Loss of control of weaponized malware (once weaponized malware is released, control is effectively lost) – being exposed to accidentally spreading malware (Stuxnet was discovered after it escaped its targeted environment and started spreading)

Adaptation by Cyber Criminals: Targeted attacks on sensitive information; variants of Stuxnet already seen

What Should The Enterprise Do?

Know Where the Risk Is

Every endpoint is an enterprise of ONE.

Need to have autonomous protection.

Need to have a layered approach.

POLL #2

Defense in Depth Strategy

Successful risk mitigation starts with a solid vulnerability management foundation, together with layered defenses beyond traditional black-list approaches.

Patch and Configuration Management – Control the Vulnerability Landscape

Application Control – Control the Grey

Device Control – Control the Flow

AV – Control the Known

Hard Drive and Media Encryption – Control the Data

Effectiveness of AV?

AV – Control the Known

Pros:

• Stops "background noise" malware

• May detect reused code (low probability)

• Will eventually clean payloads after they are discovered

Cons:

• Not an effective line of defense for proactive detection

• Can degrade overall endpoint performance with little return on protection

Device Control Effectiveness

Device Control – Control the Flow

Pros:

• Can prevent unauthorized devices from delivering payloads

• Can stop specific file types from being copied to host machines

• Stops a common delivery vector for evading extensive physical and technologic security controls

Cons:

• Limited scope for payload delivery interruption

Encryption Effectiveness?

Hard Drive and Media Encryption – Control the Data

Pros:

• Makes lateral data acquisition more difficult

• A good data protection layer outside of APT

Cons:

• Generally will not protect data if the endpoint is compromised at a system level

Application Control Effectiveness

Application Control – Control the Grey

Pros:

• Extremely effective against zero-day attacks

• Stops unknown, targeted malware payloads

• Low performance impact on endpoints

Cons:

• Susceptible to compromise as policy flexibility is increased

• Does not stop memory injections (attacks that do not escape service memory)
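The trade-off above (application control stops unknown change, but loosening the policy opens it to abuse, and the deck's earlier point that Stuxnet and Duqu carried valid but stolen signatures) can be illustrated with a toy allowlist evaluator. This is an added example, not Lumension's product logic; the binaries, hashes, publisher name and the `signature_valid` flag are constructed stand-ins for a real signature check.

```python
"""Toy application-control policy evaluator (added example, not the deck's or
Lumension's code). Models two allowlist modes the slide contrasts: a strict
hash allowlist that blocks any unknown change, and a flexible publisher rule
that runs anything validly signed by a trusted publisher."""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binary:
    name: str
    content: bytes                 # constructed sample bytes standing in for a file
    signer: Optional[str]          # publisher named in the signature, or None
    signature_valid: bool          # constructed stand-in for a cryptographic check


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed baseline ("golden image"): the only content known at policy-build time.
KNOWN_GOOD = [Binary("svc.exe", b"legit service v1", "Example Corp", True)]
HASH_ALLOWLIST = {sha256(b.content) for b in KNOWN_GOOD}
TRUSTED_PUBLISHERS = {"Example Corp"}


def allowed_by_hash(b: Binary) -> bool:
    """Strict mode: only baseline content runs, so unknown payloads are blocked."""
    return sha256(b.content) in HASH_ALLOWLIST


def allowed_by_publisher(b: Binary) -> bool:
    """Flexible mode: easier to operate (vendor updates flow through), but a
    stolen signing key makes a valid signature worthless as a trust signal."""
    return b.signature_valid and b.signer in TRUSTED_PUBLISHERS


def decide(b: Binary, flexible: bool) -> str:
    """Return 'allow:hash', 'allow:publisher' or 'block' for one binary."""
    if allowed_by_hash(b):
        return "allow:hash"
    if flexible and allowed_by_publisher(b):
        return "allow:publisher"
    return "block"


# Constructed samples: a legitimate update, a payload signed with an abused key, an unsigned file.
UPDATE = Binary("svc.exe", b"legit service v2", "Example Corp", True)
STOLEN_CERT_PAYLOAD = Binary("driver.sys", b"payload", "Example Corp", True)
UNSIGNED = Binary("x.exe", b"payload", None, False)
```

In strict mode both the update and the stolen-certificate payload are blocked; in flexible mode both run, which is the "policy flexibility" cost the slide names.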

Patch and Configuration Basics

Patch and Configuration Management – Control the Vulnerability Landscape

Pros:

• Eliminates the attackable surface area that hackers can target

• Central configuration of native desktop firewalls

• Improves endpoint performance and stability

• Can enable native memory injection protection

Cons:

• Does not stop zero-day vulnerabilities


Employee Education

Often the first and last line of defense.

lumension.com/how-to-stay-safe-online

[Diagram: APT Protection layers – Patch & Configuration Management, Application Control, Device Control, AntiVirus, Hard Drive & Media Encryption; columns labelled "Drive-by malware" and "APT Protection"]

Summary - Defense in Depth Endpoint Strategy

Strategy goals:

• Reduce attackable surface area

• Stop un-trusted change

• Protect stored data

• Enable secure device use

• Disinfect generic malware

Threats addressed:

• Insider Risk

• Automated attacks

• USB Threat Vectors

• Data Loss

• Zero Day

Learn More

• Quantify Your IT Risk with Free Scanners

• Watch the On-Demand Demos

• Get a Free Trial
