© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Trend Micro Deep Discovery & HP TippingPoint
Five things you need to know about targeted attacks and how to react
David Girard, Threat Expert & Solution Architect
Content
• Five things you need to know about targeted attacks
• Trend Micro’s Solution with HP TippingPoint
• Use Case
• Conclusion
Five things you need to know about targeted attacks (3 min.)
1. Everyone could be a target
2. They evade conventional security
Advanced methods can evade traditional defenses: next-gen firewall, intrusion detection (IDS), intrusion prevention (IPS), traditional AV, email/web gateways.
• Spear-phishing emails: 91%
• Embedded payloads
• Obfuscated exploits
• Unknown malware & exploits
• Dynamic command and control (C&C) servers
3. A human is behind it – RAT tools confirm it
4. Persistence – 229+ days before attack discovery
• 400K new samples per day
• 2/3 of discoveries by an external source
5. Significant collateral damage from targeted attacks & advanced threats
• Unexpected costs
• Unexpected risks
• Unexpected strategic impacts
• Unexpected career impacts
Copyright 2013 Trend Micro Inc.
• Data breach of 110M records
• 2013 profits fell 34%
• Total cost to be $1B
• 80 civil lawsuits
• In May, veteran CEO resigns
• In March, CIO resigns
Trend Micro’s Solution with TippingPoint (7 min.)
Deep Discovery – HP TippingPoint Integration
[Diagram: Detecting and blocking a targeted attack. Components shown: HP Security Management System, ArcSight SIEM, Deep Discovery Inspector, TippingPoint IPS, TippingPoint NGFW]
Network-Wide Attack Detection
• Inspects inbound, outbound, internal traffic
• Across web, email, 80+ protocols and applications on any ports
• Central to enabling a Custom Defense solution
Deep Discovery Inspector
Malicious content
• Embedded document exploits
• Drive-by downloads
• Zero-day exploits
• Malware (unknown and known)
Suspicious communication
• C&C access
• Data stealing
• Worms
• Backdoor activity…
Attack behavior
• Propagation & dropper
• Vuln. scan & bruteforce
• Data exfiltration…
[Diagram: 87 protocols analyzed on ANY ports (HTTP, SMTP, MSSQL, SMB, DNS, FTP, P2P, Oracle, ...); engines: Network Content Inspection Engine, Advanced Threat Security Engine, IP & URL reputation, Custom Sandbox, Network Content Correlation Engine, File whitelisting DB / File prevalence DB]
Why Custom Sandboxing Is Essential
Accurate detection of your attackers
• Identify custom malware targeting your organization
  – E.g., your Windows license, language, applications
  – Handle differing desktop environments across departments
• Triage malware that does not affect your organization
  – E.g., older/other versions & patches of Windows or key applications
• Thwart evasion techniques based on configuration checks
  – E.g., generic Windows license, English language, limited/standard apps
[Diagram: example sandbox profiles per department. Sales & Executives: browsers & Adobe, custom/specific apps, MS Windows & Office, license & language. Customer Support: browsers & Adobe, custom/specific apps, MS Windows & Office, license & language. Specialized Devices: specific config, custom/specific apps, Windows XP, license & language. …]
Threat Connect Information Portal
• Threat profile: What are the characteristics, origins and variants of this malware?
• Related IPs/Domains: What are the known C&C comms for this attack?
• Attack Group/Campaign: Who and what is behind this threat?
• Containment and remediation: What to look for, how to remediate and eradicate.
[Diagram: Deep Discovery Inspector at the switch sees traffic between app server, storage/hypervisor, SMTP relay, web proxy, mail server and endpoint. Attack phases shown with traffic direction: Infection & payload, Lateral movement, C&C callback, Asset/Data discovery (East-West), Data exfiltration (North-South).] Simple & efficient!
Deep Discovery detection intelligence shared with:
• TippingPoint IPS
• TippingPoint NGFW
• ArcSight SIEM
to block further attacks, isolate infected endpoints, and record events with SIEM.
Deep Discovery – HP TippingPoint Integration
[Diagram: Detecting and blocking a targeted attack, steps 1–4 across internet, LAN and datacenter: TP IPS, TP NGFW, HP Security Management System, ArcSight SIEM, switch, Deep Discovery Inspector]
Use Case (15 min.)
Confidential | Copyright 2012 TrendMicro Inc. 10/09/2014
Scenario A with conventional security - Financial
• A few employees are targeted and receive a spear phishing email
  – PDF or Office documents go through AV with no detection
  – URL in the message is not on any blacklist
• Customer gets infected and no one knows
  – Infected machines call back to C&C servers and start harvesting data
Scenario A with Deep Discovery
• A few employees are targeted and receive a spear phishing email
  – PDF or Office documents go through AV with no detection but are sent to Deep Discovery Advanced Heuristics and Sandbox
  – It is flagged as High Risk and it is not distributed
• Sandbox analysis reveals IOCs
  – IP, URL and domain are sent to HP SMS
  – HP TippingPoint blocks a C&C attempt from an employee laptop that just came back to the office
Scenario B : APT on telecom company
• 5 employees receive different emails
• The 5 attachments have different SHA-1 hashes
• The 5 sandbox reports are identical
• Threat intelligence is extracted from the files and sent to HP Security Management System. Further C&C communications are blocked.
Scenario C : Global organization
• Global organization ABC has branches in many countries
• They use non-English Windows OS, or English with local keyboards (Spanish, Hebrew and Arabic)
• Targeted malware checks for a Spanish OS or Hebrew keyboard to evade a generic sandbox
Scenario C : Global organization
• Customer created a custom sandbox with a Spanish OS and another with an English OS using the local keyboards.
• Malware was executed in the custom sandbox and detected. In a generic cloud or on-premise sandbox the malicious code easily evades.
Tip
• Is this a targeted attack or common cyber crime?
  – If you see a few packets to many IPs (C&C), then it is a botnet (common cyber crime)
  – If you see a lot of packets to a few IPs, then it is probably a RAT and a targeted attack
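The rule of thumb above, turned into a small triage script over flow records (added example, not part of the presentation or of any Trend Micro or HP product; the flow records, host names, and the two thresholds are constructed assumptions, and the destinations are assumed to be IPs already flagged as C&C):

```python
"""Triage per-source C&C traffic: few packets to many IPs reads botnet-like,
many packets to few IPs reads RAT-like (targeted). Added example; the
thresholds below are assumptions a practitioner would tune to their network."""
from collections import defaultdict

# Constructed sample flow records: (source host, flagged C&C destination IP, packet count).
SAMPLE_FLOWS = [
    ("ws-01", "203.0.113.10", 3), ("ws-01", "203.0.113.11", 2),
    ("ws-01", "203.0.113.12", 4), ("ws-01", "203.0.113.13", 1),
    ("ws-01", "203.0.113.14", 2), ("ws-01", "203.0.113.15", 3),
    ("ws-02", "198.51.100.7", 4200), ("ws-02", "198.51.100.8", 3900),
    ("ws-03", "192.0.2.5", 12),
]

MANY_PEERS = 5      # assumed: at least this many distinct C&C peers is "many IPs"
HIGH_VOLUME = 1000  # assumed: at least this many packets per peer is "a lot of packets"


def summarize(flows):
    """Aggregate packets per (source, destination) and return per-source stats."""
    per_src = defaultdict(lambda: defaultdict(int))
    for src, dst, pkts in flows:
        per_src[src][dst] += pkts
    stats = {}
    for src, peers in per_src.items():
        total = sum(peers.values())
        stats[src] = {"peers": len(peers), "total_packets": total,
                      "packets_per_peer": total / len(peers)}
    return stats


def classify(src_stats):
    """Apply the slide's heuristic to one source host's aggregated stats."""
    many_peers = src_stats["peers"] >= MANY_PEERS
    high_volume = src_stats["packets_per_peer"] >= HIGH_VOLUME
    if many_peers and not high_volume:
        return "botnet (common cyber crime)"
    if not many_peers and high_volume:
        return "probable RAT / targeted attack"
    return "inconclusive"  # too little data, or both signals mixed: escalate to analyst


def triage(flows):
    """Map each source host to its verdict."""
    return {src: classify(s) for src, s in summarize(flows).items()}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_FLOWS).items():
        print(f"{host}: {verdict}")
```

Hosts that land in "inconclusive" (like ws-03, a single peer with little traffic) are the ones to hand to the sandbox report and Threat Connect data rather than to decide on volume alone.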
TippingPoint Easy 4 step integration
1. Extract Integration service and configure
2. Configure HP TippingPoint
   • Add 2 tag categories: Source, Severity
3. Run ServiceDrop.exe (scheduled job)
4. TippingPoint starts receiving Deep Discovery Threat Intelligence
Conclusion: What Makes Trend Micro Solution Unique (5 min.)
Why Trend?
• Superior Detection
• Interconnected Threat Defense
• Low Total Cost of Ownership
Superior Detection
[Diagram: 80+ protocols & applications; all network ports; attack evolution; known threat insight; unknown threats & exploits; software & devices]
Deep Discovery enables 360 degree detection; no gaps in protection
Low Total Cost of Ownership
• Single appliance …not one per protocol or monitoring limited ports
• Zero-cost access to the Trend Micro Smart Protection Network
• No additional development or fees for custom sandboxes
• Option to utilize additional sandbox horsepower centrally…not by protocol-specific appliance
• A 1 Gb appliance means 1 Gbps, not 600 Mbps
Low Total Cost of Ownership: Deep Discovery Inspector
Interconnected Threat Defense
• Collects via global sensornet: honeypots, customers, threat researchers, community… Over 300M nodes; 8.6B threat events daily. URLs, vulnerabilities, files, domains, network traffic, threat actors, mobile apps, IP addresses, exploit kits
• Big data analytics: identifies using data mining, machine learning, modeling and correlation. 100 TB data; 500K unique threats identified daily
• Global threat intelligence: 250M threats blocked daily. Email reputation, file reputation, web reputation, network traffic rules, mobile app reputation, known vulnerabilities/exploits, threat actor research, C&C…
Thank You – Questions?
Come to see us at the booth for more details
Session BGL3622, Speaker David Girard
Please give me your feedback: fill out a survey and hand it to the door monitor on your way out. Thank you for providing your feedback, which helps us enhance content for future events.
Tactics we see to evade detection
• Destruction – Erase files and logs. Erase file system, wipe memory, destroy process (batch file)
• Camouflage – Classic rootkit tactic: hide in process, hide in deleted files, raw disk sector. Use legitimate web site for infection. Use multiple small components/fragmentation.
• Transformation – Trojan apps, steganography (data in JPEG), encryption (C&C IP encrypted in JPEG), encrypted communications, JiT packers/crypters and custom interpreters
• Creation – Create fake data to slow down analysis or to generate false positives
• Elimination (does not generate evidence/events) (really devious!)
  – Some rootkits are a good example since they are not seen by the kernel or the file system. C&C communications while outside the network. Infection while outside the network. Use of database vulnerability to access (not logged). Use of unmanaged or unmonitored device (proxy exception…Unix computer
hxxp://ubuntuone.com/6WHyFSP6eYK3c16l2m0CyC