© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

© Copyright 2014 Hewlett -Packard Development Company, L.P. …h41382. · 2014-09-10 · Sandbox – It is flagged as High Risk and it is not distributed • Sandbox analysis reveal

Dec 25, 2019

Transcript
Page 1:

Page 2:

Trend Micro Deep Discovery & HP TippingPoint
Five things you need to know about targeted attacks and how to react
David Girard, Threat Expert & Solution Architect

Page 3:

Content

• Five things you need to know about targeted attacks
• Trend Micro's Solution with HP TippingPoint
• Use Case
• Conclusion

Page 4:

Five things you need to know about targeted attacks (3 min.)

Page 5:

1. Everyone could be a target

Page 6:

2. They evade conventional security

Advanced methods can evade traditional defenses: next-gen firewall, intrusion detection (IDS), intrusion prevention (IPS), traditional AV, email/web gateways.

Methods shown on the slide: spear-phishing emails (91%), embedded payloads, obfuscated exploits, unknown malware & exploits, dynamic command and control (C&C) servers.

3. A human is behind it – RAT tools confirm it

4. Persistence – 229+ days before attack discovery

Other figures on the slide: 400K new samples per day; 2/3 of discoveries made by an external source.

Page 7:

5. Significant collateral damage from targeted attacks & advanced threats

• Unexpected costs
• Unexpected risks
• Unexpected strategic impacts
• Unexpected career impacts

Page 8:

Copyright 2013 Trend Micro Inc.

• Data breach of 110M records
• 2013 profits fell 34%
• Total cost estimated at $1B
• 80 civil lawsuits
• In May, veteran CEO resigns
• In March, CIO resigns

Page 9:

Trend Micro's Solution with TippingPoint (7 min.)

Page 10:

Deep Discovery – HP TippingPoint Integration: detecting and blocking a targeted attack

(Diagram: Deep Discovery Inspector, HP Security Management System, TippingPoint IPS, TippingPoint NGFW, ArcSight SIEM)

Page 11:

Deep Discovery Inspector

Copyright 2014 TrendMicro Inc.

Network-Wide Attack Detection
• Inspects inbound, outbound and internal traffic
• Across web, email, 80+ protocols and applications on any port
• Central to enabling a Custom Defense solution

Page 12:

Deep Discovery Inspector

What it detects:
• Malicious content – embedded document exploits, drive-by downloads, zero-day exploits, malware (unknown and known)
• Suspicious communication – C&C access, data stealing, worms, backdoor activity…
• Attack behavior – propagation & dropper, vulnerability scan & brute force, data exfiltration…

Protocols (87 protocols analyzed on ANY ports): HTTP, SMTP, MSSQL, Oracle, SMB, DNS, FTP, P2P, ...

Engines: Network Content Inspection Engine, Advanced Threat Security Engine, IP & URL reputation, Custom Sandbox, Network Content Correlation Engine, File whitelisting DB / File prevalence DB

Page 13:

Why Custom Sandboxing Is Essential

Accurate detection of your attackers
• Identify custom malware targeting your organization
  – E.g., your Windows license, language, applications
  – Handle differing desktop environments across departments
• Triage malware that does not affect your organization
  – E.g., older/other versions & patches of Windows or key applications
• Thwart evasion techniques based on configuration checks
  – E.g., malware that checks for a generic Windows license, English language, or a limited/standard set of apps before it runs

(Diagram: one sandbox image per desktop environment – Sales & Executives: browsers & Adobe, custom/specific apps, MS Windows & Office, license & language; Customer Support: browsers & Adobe, custom/specific apps, MS Windows & Office, license & language; Specialized Devices: specific config, custom/specific apps, Windows XP, license & language)

Page 14:

Threat Connect Information Portal

• Threat profile: what are the characteristics, origins and variants of this malware?
• Related IPs/domains: what are the known C&C communications for this attack?
• Attack group/campaign: who and what is behind this threat?
• Containment and remediation: what to look for, how to remediate and eradicate.

Page 15:

Deep Discovery Inspector – Simple & Efficient!

(Diagram: Deep Discovery Inspector attached to the network alongside the SMTP relay, web proxy, mail server, app server, storage/hypervisor and endpoints, raising an alert at each stage of the attack: infection & payload (North-South), C&C callback (North-South), lateral movement (East-West), asset/data discovery (East-West), data exfiltration (North-South))

Page 16:

Deep Discovery – HP TippingPoint Integration: detecting and blocking a targeted attack

Deep Discovery detection intelligence is shared with:
• TippingPoint IPS
• TippingPoint NGFW
• ArcSight SIEM
to block further attacks, isolate infected endpoints and record events in the SIEM.

(Diagram: Internet, TP NGFW, LAN switch with Deep Discovery Inspector, datacenter TP IPS, HP Security Management System, ArcSight SIEM; numbered steps 1–4)

Page 17:

Use Case (15 min.)

Confidential | Copyright 2012 TrendMicro Inc. 10/09/2014

Page 18:

Scenario A with conventional security – Financial

• A few employees are targeted and receive a spear-phishing email
  – PDF or Office documents go through AV with no detection
  – The URL in the message is not on any blacklist
• The customer gets infected and no one knows
  – Infected machines call back to C&C servers and start harvesting data

Page 19:

Scenario A with Deep Discovery

• A few employees are targeted and receive a spear-phishing email
  – PDF or Office documents go through AV with no detection, but are sent to Deep Discovery advanced heuristics and sandbox
  – The file is flagged as High Risk and is not distributed
• Sandbox analysis reveals IOCs
  – IP, URL and domain are sent to HP SMS
  – HP TippingPoint blocks a C&C attempt from an employee laptop that just came back to the office

Page 20:

Scenario B: APT on a telecom company

• 5 employees receive different emails
• The 5 attachments have different SHA-1 hashes
• The 5 sandbox reports are identical
• Threat intelligence is extracted from the files and sent to HP Security Management System; further C&C communications are blocked

Page 21:

Scenario C: Global organization

• Global organization ABC has branches in many countries
• They use non-English Windows OS, or English Windows with local keyboards (Spanish, Hebrew and Arabic)
• Targeted malware checks for a Spanish OS or a Hebrew keyboard to evade a generic sandbox

Page 22:

Scenario C: Global organization (continued)

• The customer created a custom sandbox with a Spanish OS and another with an English OS using the local keyboards
• The malware executed in the custom sandbox and was detected; in a generic cloud or on-premises sandbox the malicious code easily evades detection
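Worked example for the configuration-check evasion described on slide 13 and in Scenario C. This is an added illustration, not Trend Micro or HP code: it assumes the sandbox report has already been reduced to the environment checks the sample makes before it decides to run (the "gate"), and the image profiles, department inventory and gate values are all constructed. It answers two questions an analyst has at this point: which of the available images would this sample actually detonate in, and which department desktop profiles are reproduced by no image at all.

```python
"""Sandbox image selection against configuration-check evasion.

Added example, not Trend Micro or HP code. A "gate" is the set of
environment checks a sample makes before running, as extracted from a
sandbox report (that extraction is assumed, not shown). Image profiles,
inventory and gate values below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SandboxImage:
    name: str
    os_language: str             # Windows UI language, e.g. "es-ES"
    keyboard_layouts: frozenset  # installed input locales
    windows_version: str
    license_type: str            # "generic" (stock key) or "custom" (the org's own)
    apps: frozenset


# A gate is a list of alternatives; each alternative is an AND of
# attribute -> accepted values, and the sample runs if ANY alternative holds.
# [{}] means "no checks at all" (runs anywhere); [] means it never runs.
Gate = list[dict[str, set[str]]]


def _matches(image_value, accepted: set[str]) -> bool:
    # Set-valued attributes (keyboards, apps) pass if any accepted value is present.
    if isinstance(image_value, frozenset):
        return bool(image_value & accepted)
    return image_value in accepted


def image_satisfies(image: SandboxImage, gate: Gate) -> bool:
    return any(all(_matches(getattr(image, attr), accepted)
                   for attr, accepted in alternative.items())
               for alternative in gate)


def images_that_detonate(images, gate: Gate) -> list[str]:
    return [img.name for img in images if image_satisfies(img, gate)]


def evasion_verdict(images, gate: Gate) -> str:
    """Classify a sample by which images it would run in."""
    generic = [i for i in images if i.license_type == "generic"]
    custom = [i for i in images if i.license_type == "custom"]
    runs_generic = images_that_detonate(generic, gate)
    runs_custom = images_that_detonate(custom, gate)
    if runs_generic:
        return "runs in generic image"
    if runs_custom:
        return "evades generic image; runs in " + ", ".join(runs_custom)
    return "runs in no available image: build a matching custom image"


def uncovered_departments(images, inventory: dict[str, Gate]) -> list[str]:
    """Desktop profiles from the endpoint inventory that no image reproduces."""
    return [dept for dept, profile in inventory.items()
            if not images_that_detonate(images, profile)]


# --- constructed sample data (not from the slides) ---
IMAGES = [
    SandboxImage("generic-en", "en-US", frozenset({"en-US"}), "Windows 7",
                 "generic", frozenset({"Office", "Acrobat", "IE"})),
    SandboxImage("branch-es", "es-ES", frozenset({"es-ES"}), "Windows 7",
                 "custom", frozenset({"Office", "Acrobat", "IE", "CoreBanking"})),
    SandboxImage("branch-en-local", "en-US",
                 frozenset({"en-US", "he-IL", "ar-SA"}), "Windows 7",
                 "custom", frozenset({"Office", "Acrobat", "IE", "CoreBanking"})),
]

# Scenario C style gate: run only on a Spanish OS or where a Hebrew keyboard is installed.
SCENARIO_C_GATE: Gate = [{"os_language": {"es-ES"}},
                         {"keyboard_layouts": {"he-IL"}}]

# Per-department profiles derived from an (assumed) endpoint inventory.
INVENTORY: dict[str, Gate] = {
    "sales-madrid": [{"os_language": {"es-ES"}, "apps": {"CoreBanking"}}],
    "support-telaviv": [{"keyboard_layouts": {"he-IL"}}],
    "specialized-devices": [{"windows_version": {"Windows XP"}}],
}

if __name__ == "__main__":
    print(images_that_detonate(IMAGES, SCENARIO_C_GATE))
    print(evasion_verdict(IMAGES, SCENARIO_C_GATE))
    print(uncovered_departments(IMAGES, INVENTORY))
```

The gate is modelled as an OR of ANDs because that is the shape of the Scenario C check (Spanish OS or Hebrew keyboard); a sample with no checks is `[{}]` and detonates everywhere. The `uncovered_departments` output is the list of custom images still to build, which is the practical outcome of the "differing desktop environments across departments" bullet.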

Page 23:

Tip

• Is this a targeted attack or common cyber crime?
  – If you see a few packets to many IPs (C&C), then it is a botnet (common cyber crime)
  – If you see a lot of packets to a few IPs, then it is probably a RAT and a targeted attack
  (A rule of thumb from traffic shape alone; confirm with the sandbox report and the reputation of the destinations.)
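The rule of thumb above, applied to flow records, as an added example that is not part of the slides. Flow records, hosts and thresholds are constructed; the input is assumed to be traffic already flagged as suspect (for instance the destinations raised by a C&C alert), because over all traffic every web browser talks to many hosts with few packets, and an outbound port scan has the same shape as the "botnet" case.

```python
"""Botnet vs. RAT triage from the shape of suspect outbound traffic.

Added example, not from the slides or from Trend Micro. The flow records,
hosts and thresholds are constructed; tune thresholds to your network.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # internal host
    dst: str      # external destination already considered suspect
    packets: int


def per_host_destinations(flows):
    """src host -> {dst: total packets}."""
    profile = defaultdict(lambda: defaultdict(int))
    for flow in flows:
        profile[flow.src][flow.dst] += flow.packets
    return profile


def classify(dst_packets, min_peers_botnet=20, max_mean_packets_botnet=5,
             max_peers_rat=3, min_packets_rat=200):
    """The slide's rule of thumb for one host.

    few packets to many IPs -> 'botnet'; many packets to few IPs -> 'rat';
    anything else -> 'unclear' (leave to the analyst).
    """
    peers = len(dst_packets)
    if peers == 0:
        return "unclear"
    total = sum(dst_packets.values())
    if peers >= min_peers_botnet and total / peers <= max_mean_packets_botnet:
        return "botnet"
    if peers <= max_peers_rat and total >= min_packets_rat:
        return "rat"
    return "unclear"


def triage(flows, **thresholds):
    """host -> verdict, over every internal host seen in the suspect flows."""
    return {host: classify(dsts, **thresholds)
            for host, dsts in per_host_destinations(flows).items()}


# Constructed suspect flows (documentation address ranges, not real
# infrastructure): one host spraying 2 packets at 30 addresses, one host
# hammering a single address, one host in between.
SAMPLE_FLOWS = (
    [Flow("10.0.1.15", f"203.0.113.{i}", 2) for i in range(1, 31)]
    + [Flow("10.0.2.40", "198.51.100.7", 900), Flow("10.0.2.40", "198.51.100.7", 600)]
    + [Flow("10.0.3.9", f"192.0.2.{i}", 40) for i in range(1, 6)]
)

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_FLOWS).items():
        print(host, verdict)
```

The middle case is deliberately left as "unclear": a RAT with a handful of fallback C&C servers, or a botnet with a small peer list, sits in that band, and the slide's heuristic is not meant to decide it on its own.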

Page 24:

TippingPoint Easy 4 step integration

1. Extract Integration service and configure

Page 25:

Easy 4 step integration

2. Configure HP TippingPoint
  • Add 2 tag categories: Source and Severity

Page 26:

Easy 4 step integration

3. Run ServiceDrop.exe (scheduled job)

Page 27:

Easy 4 step integration

4. TippingPoint starts receiving Deep Discovery threat intelligence
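Scenarios A and B and the four integration steps come down to one pipeline: take the sandbox reports, key them on behaviour rather than on file hash, keep the IOCs common to the whole cluster, and hand them over as entries tagged with the two categories added in step 2 (Source and Severity). The following is an added example, not Trend Micro or HP code: the report fields, the five reports (different SHA-1s, identical behaviour, mirroring Scenario B) and the entry layout are constructed, and neither the real SMS import format nor the ServiceDrop.exe service is reproduced.

```python
"""Behaviour-keyed clustering of sandbox reports, and tagged IOC entries.

Added example, not Trend Micro or HP code. The report layout is assumed:
a dict with the sample's SHA-1, a risk level, the network endpoints it
contacted (as "kind:value"), files it wrote and persistence it set.
The reports below are constructed.
"""
import hashlib
import json

RISK_ORDER = ["low", "medium", "high"]
SEVERITY_TAG = {"low": "Low", "medium": "Medium", "high": "High"}


def behavior_fingerprint(report):
    """Hash the canonical form of what the sample did; the file hash is
    deliberately left out so repacked variants land in the same cluster."""
    canonical = {
        "network": sorted(report["network"]),
        "files_written": sorted(report["files_written"]),
        "persistence": sorted(report["persistence"]),
    }
    blob = json.dumps(canonical, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


def cluster_reports(reports):
    """fingerprint -> list of reports sharing that behaviour."""
    clusters = {}
    for report in reports:
        clusters.setdefault(behavior_fingerprint(report), []).append(report)
    return clusters


def largest_cluster(reports):
    return max(cluster_reports(reports).values(), key=len)


def shared_iocs(cluster):
    """Network IOCs seen in every report of the cluster: the ones worth
    blocking, as opposed to incidental contacts seen in only one run."""
    sets = [set(r["network"]) for r in cluster]
    return sorted(set.intersection(*sets)) if sets else []


def reputation_entries(cluster, source="Deep Discovery"):
    """Entries tagged with the two categories added in step 2 (Source,
    Severity). Severity follows the worst risk level in the cluster.
    The entry layout is this example's own, not the SMS import format."""
    worst = max((r["risk"] for r in cluster), key=RISK_ORDER.index)
    entries = []
    for ioc in shared_iocs(cluster):
        kind, value = ioc.split(":", 1)
        entries.append({"type": kind, "value": value,
                        "tags": {"Source": source, "Severity": SEVERITY_TAG[worst]}})
    return entries


# --- constructed reports: five different hashes, identical behaviour
# (Scenario B), plus one unrelated medium-risk sample to show that it lands
# in its own cluster ---
_COMMON = {
    "risk": "high",
    "network": ["ip:198.51.100.7", "domain:update.example.net",
                "url:http://update.example.net/s.php"],
    "files_written": ["%APPDATA%\\svchost.exe"],
    "persistence": ["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"],
}
REPORTS = [dict(_COMMON, sha1=f"{i:040x}") for i in range(1, 6)]
REPORTS.append({"sha1": "f" * 40, "risk": "medium",
                "network": ["domain:cdn.example.org"],
                "files_written": [], "persistence": []})

if __name__ == "__main__":
    big = largest_cluster(REPORTS)
    print(len(cluster_reports(REPORTS)), "clusters;", len(big), "samples share one behaviour")
    print(json.dumps(reputation_entries(big), indent=2))
```

Only IOCs present in every member of the cluster are emitted, so a one-off contact (an update check, a CDN) seen in a single detonation does not end up as a block entry on the IPS; that is the check worth keeping whatever the real import format looks like.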

Page 28:

Conclusion: What Makes the Trend Micro Solution Unique (5 min.)

Page 29:

Why Trend?

• Superior Detection
• Interconnected Threat Defense
• Low Total Cost of Ownership

Page 30:

Superior Detection

Page 31:

Superior Detection

Deep Discovery enables 360 degree detection; no gaps in protection

(Diagram: 80+ protocols & applications; all network ports; attack evolution; known threat insight; unknown threats & exploits; software & devices)

Page 32:

Low Total Cost of Ownership

Page 33:

Low Total Cost of Ownership – Deep Discovery Inspector

• Single appliance, not one per protocol or one that monitors only limited ports
• Zero-cost access to the Trend Micro Smart Protection Network
• No additional development or fees for custom sandboxes
• Option to utilize additional sandbox horsepower centrally, not per protocol-specific appliance
• A 1 Gb appliance means 1 Gbps of inspection throughput, not 600 Mbps

Page 34:

Interconnected Threat Defense

• Collects via a global sensor net: honeypots, customers, threat researchers, community… Over 300M nodes; 8.6B threat events daily. URLs, vulnerabilities, files, domains, network traffic, threat actors, mobile apps, IP addresses, exploit kits
• Big data analytics: identifies threats using data mining, machine learning, modeling and correlation. 100 TB of data; 500K unique threats identified daily
• Global threat intelligence: 250M threats blocked daily. Email reputation, file reputation, web reputation, network traffic rules, mobile app reputation, known vulnerabilities/exploits, threat actor research, C&C…

Page 35:

Thank You – Questions?

COME TO SEE US AT THE BOOTH FOR MORE DETAILS

Page 36:

Please fill out a survey. Hand it to the door monitor on your way out.

Thank you for providing your feedback, which helps us enhance content for future events.

Session BGL3622 – Speaker: David Girard

Please give me your feedback

Page 37:

Thank you

Page 38:

Page 39:

Tactics we see to evade detection

• Destruction – erase files and logs, erase the file system, wipe memory, destroy processes (batch file)
• Camouflage – classic rootkit tactics: hide in a process, hide in deleted files or raw disk sectors. Use a legitimate web site for infection. Use multiple small components / fragmentation.
• Transformation – trojanized apps, steganography (data in a JPEG), encryption (C&C IP encrypted in a JPEG), encrypted communications, JIT packers/crypters and custom interpreters
• Creation – create fake data to slow down analysis or to generate false positives
• Elimination (does not generate evidence/events) (really devious!)
  – Some rootkits are a good example since they are not seen by the kernel or the file system. C&C communications while outside the network. Infection while outside the network. Use of a database vulnerability to gain access (not logged). Use of an unmanaged or unmonitored device (proxy exception…Unix computer

hxxp://ubuntuone.com/6WHyFSP6eYK3c16l2m0CyC