
7 Ways to Stay 7 Years Ahead of the Threat

Jun 02, 2015


With breach reports becoming a weekly, if not daily, occurrence, organizations need proactive security to protect themselves and their customers against the loss of sensitive data. Hear from IBM X-Force research and product experts on 7 types of behavior-based protection layered into network and endpoint security that can help your organization stay ahead of the threat. Our protection is so successful, in fact, that our IPS customers were protected from exploits of the recently disclosed Shellshock vulnerability seven years ahead of the threat.

The disappearing network perimeter means organizations can no longer rely on traditional methods to secure their networks, and must plan for porous access to corporate assets and intellectual property. Deploying a simple intrusion prevention solution that relies on pattern matching is insufficient to identify malicious actors who can evade traditional protection strategies. By focusing on blocking the behavior of malware, rather than pattern matching against specific exploits, organizations are better protected with techniques like protocol analysis detection, shellcode heuristics, application layer heuristics, malicious communication prevention, and exploit chain disruption.

View the full on-demand webcast: https://www2.gotomeeting.com/register/746727818
Transcript
Page 1: 7 Ways to Stay 7 Years Ahead of the Threat

© 2014 IBM Corporation

IBM Security Systems

7 Ways to Stay 7 Years Ahead of the Threat Protecting your infrastructure with behavior-based protection

Page 2: 7 Ways to Stay 7 Years Ahead of the Threat


We are in an era of continuous breaches. Attackers are relentless, victims are targeted, and the damage toll is rising.

Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2014

Operational Sophistication: IBM X-Force declared the Year of the Security Breach

Near Daily Leaks of Sensitive Data: 40% increase in reported data breaches and incidents

Relentless Use of Multiple Methods: 500,000,000+ records were leaked, while the future shows no sign of change

Timeline: 2011, 2012, 2013

Attack types: SQL injection, spear phishing, DDoS, third-party software, physical access, malware, XSS, watering hole, undisclosed

Note: Size of circle estimates relative impact of incident in terms of cost to business.

Page 3: 7 Ways to Stay 7 Years Ahead of the Threat


Customers are fighting a losing battle.

• Humans will always make mistakes

• System and application vulnerabilities continue to emerge

• Most malware detection is reactive

Adobe Patches Flash Player Zero-Day Used in Watering-hole Attacks

Microsoft Warns of Attacks on IE Zero-Day

Cost of Data Breaches Spikes 15% in Last Year

Windows XP: Microsoft can't wash its hands of the security problem so easily

Page 4: 7 Ways to Stay 7 Years Ahead of the Threat


Large-scale infections create large surface area for new massively-distributed APT style attacks.

New APT attack that can evade AV and standard controls. Attack attempts to set up remote control or steal corporate credentials.

Page 5: 7 Ways to Stay 7 Years Ahead of the Threat


The disclosure of the Shellshock bug in September brought immediate exploit attempts.

Timeline, 1992 to 2014:

• 1992: Vulnerability in Bash shell introduced in Linux v1.14

• 24 Sep 2014: Shellshock vulnerability disclosed in CVE 2014-6271

• Vendor patch for CVE 2014-6271 found insufficient. Add’l CVE 2014-7169 created.

• 25 Sep 2014: X-Force elevates AlertCon level to a 3

• Additional CVEs created to document Shellshock, bringing total to 6

• 27 Sep 2014: IBM MSS observes 1000% increase above average of shellcode injection attacks

Patching the original vulnerability was complicated by the development of additional exploit techniques, resulting in additional CVE numbers created.

Page 6: 7 Ways to Stay 7 Years Ahead of the Threat


The recommended practices for Shellshock protection did not offer complete coverage.

• Apply the vendor patches: some initial vendor patches were incomplete

• Apply WAF/IPS rules: current public rules are lacking, and focus only on a single exploit

• Change the shells from bash to alternatives (ksh, sh…): this can break things within the network

Page 7: 7 Ways to Stay 7 Years Ahead of the Threat


The IBM fundamental approach to threat protection

• Stays ahead of the threat with pre-emptive protection that stops things from breaking the window

• Looks for methods that can break the window

• Keeping up can be challenging

IBM PROTECTION vs. OTHER PRODUCTS: IBM protects the vulnerability; other products only block the exploits.

VULNERABILITY vs. EXPLOIT

Vulnerability: a weakness in a system

• Can be used to do something unintended

• Can be exploited in multiple ways

Exploit: a method used to gain system entry

• Many different exploits can target a single vulnerability

• Not all exploits are publicly available, and mutation is common

Page 8: 7 Ways to Stay 7 Years Ahead of the Threat


IBM has 7 layers of vulnerability and exploit coverage, going beyond pattern matching.

• Web Injection Logic: patented protection against web attacks, e.g., SQL injection and cross-site scripting

• Exploit Signatures: attack-specific pattern matching

• Vulnerability Decodes: focused algorithms for mutating threats

• Application Layer Heuristics: proprietary algorithms to block malicious use

• Protocol Anomaly Detection: protection against misuse, unknown vulnerabilities, and tunneling across 230+ protocols

• Shellcode Heuristics: behavioral protection to block exploit payloads

• Content Analysis: file and document inspection and anomaly detection

Other IPS solutions stop at pattern matching.

Page 9: 7 Ways to Stay 7 Years Ahead of the Threat


Simple mutations will render exploit-matching engines useless

A simple change to a variable name allows the attack to succeed, while rendering the protection of a signature-matching engine useless.

A simple change to the HTML code in a compromised web page makes the attack invisible to signature protection.

Simply adding a comment to a web page results in an attack successfully bypassing a signature IPS.

Original Variable Names → Mutated Variable Names

Shellcode → somecode

Block → brick

heapLib → badLib

Original Class Reference:

<html><head></head><body><applet archive="jmBXTMuv.jar" code="msf.x.Exploit.class" width="1" height="1"><param name="data" value=""/><param name="jar">

Mutated Class Reference:

<html><head></head><body><applet archive="eXRZLr.jar" code="msf.x.badguy.class" width="1" height="1"><param name="data" value=""/><param name="jar">

Original Code:

var t = unescape;

Mutated Code:

var t = unescape <!-- Comment -->;
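As an added illustration of this slide's point (example code written for this page, not IBM's engine): a Python comparison of an exact-match signature engine against a small behavior-based heuristic, run over the slide's own original and mutated samples. The signature strings, the three heuristics and the %u-encoded sled sample are constructed for the demonstration.

```python
import re
# Exact-match strings of the kind an exploit-signature engine ships; each
# is tied to the text of one exploit sample rather than to its behaviour.
SIGNATURES = [
    'code="msf.x.Exploit.class"',  # Metasploit applet class name
    'var t = unescape;',           # unescape alias from the deck's sample
    'var Shellcode = unescape(',   # variable name used by a known kit
]

# Behavioural heuristics: a 1x1 applet loading a jar, any alias of unescape,
# and a long %u-encoded literal (the shape of a JavaScript NOP sled).
_HIDDEN_APPLET = re.compile(
    r'<applet[^>]*archive="[^"]+\.jar"[^>]*width="1"[^>]*height="1"', re.I)
_UNESCAPE_ALIAS = re.compile(r'var\s+\w+\s*=\s*unescape\s*;')
_UNESCAPE_SLED = re.compile(r'unescape\s*\(\s*"(?:%u[0-9a-fA-F]{4}){8,}')
_HTML_COMMENT = re.compile(r'<!--.*?-->', re.S)

def signature_match(payload: str) -> bool:
    """Pattern matching: a hit requires the byte-exact signature string."""
    return any(sig in payload for sig in SIGNATURES)

def normalize(payload: str) -> str:
    """Strip inserted HTML comments and collapse whitespace before matching."""
    return re.sub(r'\s+', ' ', _HTML_COMMENT.sub('', payload)).strip()

def heuristic_match(payload: str) -> bool:
    """Behaviour-based check that ignores variable names and cosmetic edits."""
    p = normalize(payload)
    return any(rx.search(p) for rx in (_HIDDEN_APPLET, _UNESCAPE_ALIAS, _UNESCAPE_SLED))

# Samples: the deck's original/mutated pairs plus a constructed %u-encoded
# sled (16 repeats of an inert x86 NOP, no real payload behind it).
SLED = "%u9090" * 16
ORIGINAL = [
    '<applet archive="jmBXTMuv.jar" code="msf.x.Exploit.class" width="1" height="1">',
    'var t = unescape;',
    'var Shellcode = unescape("%s");' % SLED,
]
MUTATED = [
    '<applet archive="eXRZLr.jar" code="msf.x.badguy.class" width="1" height="1">',
    'var t = unescape <!-- Comment -->;',
    'var somecode = unescape("%s");' % SLED,
]

def compare() -> dict:
    """Hits per engine as (original, mutated) counts over the samples above."""
    hits = lambda fn, xs: sum(1 for x in xs if fn(x))
    return {"signature": (hits(signature_match, ORIGINAL), hits(signature_match, MUTATED)),
            "heuristic": (hits(heuristic_match, ORIGINAL), hits(heuristic_match, MUTATED))}
```

`compare()` returns `{'signature': (3, 0), 'heuristic': (3, 3)}`: every mutation on the slide defeats the exact-match strings, while the three behaviour checks still fire on both versions.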

Page 10: 7 Ways to Stay 7 Years Ahead of the Threat


X-Force expertise provides a competitive edge in the marketplace

Tolly Group Test Report: IBM Delivers Superior Protection from Evolving Threats with High Levels of Performance. Tests showed that IBM is nearly twice as effective as Snort at stopping ‘mutated’ attacks, showing the power of X-Force technology.

Independent survey of 458 IT professionals, Aug 2012

Top Ranking by Customers: The IBM Network Security Appliances, for which X-Force provides protection, are the most highly regarded, as ranked by an Information Week survey of customers. This included top scores in overall vendor performance, attack blocking and centralized management.

ICSA certification for the GX4: By consolidating network demands for data security and protection for web applications, IBM Security Network Intrusion Prevention System solutions serve as security platforms that can reduce the cost and complexity of deploying and managing point solutions.

Page 11: 7 Ways to Stay 7 Years Ahead of the Threat


NSS Testing Overview and Highlights

The IBM Security Network IPS GX7800 appliance:

• Scored 95.7% in Exploit Block Rate and 8,650 Mbps in NSS Tested Throughput

• Scored 97.7% and 94.1% for Block Rate (Server) and Block Rate (Client) respectively

• Achieved a “PASS” for all tests related to “Stability & Reliability”

• Achieved a “PASS” for all tests related to “Evasions”

Page 12: 7 Ways to Stay 7 Years Ahead of the Threat


Behavioral-based detection blocks attacks that have never been seen before (timeline 2006 to 2014; disclosure date vs. IBM protection date):

• Shellshock (CVE 2014-6271): disclosed Sept 2014; IBM protection Shell_Command_Injection, June 2007; 7.3 years ahead; 10 vulnerabilities covered

• MS IE Remote Exploit (CVE-2012-4781): disclosed December 2012; IBM protection JavaScript_NOOP_Sled, April 2006; 6.8 years ahead; 94 vulnerabilities covered

• Java JRE Code Execution (CVE-2013-2465): disclosed March 2013; IBM protection Java_Malicious_Applet, October 2012; 5 months ahead; 8 vulnerabilities covered

• Cisco ASA Cross-Site Scripting (CVE-2014-2120): disclosed March 2014; IBM protection Cross_Site_Scripting, November 2008; 5.5 years ahead; 8,500+ vulnerabilities covered

• Symantec Live Update SQL Injection (CVE-2014-1645): disclosed March 2014; IBM protection SQL_Injection, June 2007; 6.9 years ahead; 9,000+ vulnerabilities covered

Page 13: 7 Ways to Stay 7 Years Ahead of the Threat


Page 14: 7 Ways to Stay 7 Years Ahead of the Threat


Trusteer Apex multi-layered defense architecture

Threat and Risk Reporting: Vulnerability Mapping and Critical Event Reporting

Advanced Threat Analysis and Turnkey Service

Global Threat Research and Intelligence: Global threat intelligence delivered in near-real time from the cloud

Credential Protection

• Prevent reuse on non-corporate sites

• Protect against submission on phishing sites

• Report on credential usage

Exploit Chain Disruption

• Block anomalous activity caused by exploits

• Zero-day defense by controlling exploit chain

Malware Detection and Mitigation

• Detection and mitigation of massively distributed APTs

• Cloud-based detection of known threats

Malicious Communication Prevention

• Block malware communication

• Disrupt command and control

• Protects against data exfiltration

Lockdown for Java

• Block high-risk actions by malicious Java applications

• Administer the trust level reducing user disruption

Page 15: 7 Ways to Stay 7 Years Ahead of the Threat


Trusteer Apex - Corporate Credentials Protection

Diagram: two threats, credential theft via phishing and corporate credential reuse. When the user enters a password, Apex detects the submission and validates the destination; submission to the authorized, legitimate corporate site is allowed, while a phishing site and an unauthorized legitimate site are the destinations the check is there to catch.

Page 16: 7 Ways to Stay 7 Years Ahead of the Threat


Trusteer Apex - Exploit chain disruption: Disrupt zero day attacks without prior knowledge of the exploit or vulnerability

• Correlate application state with post-exploit actions

• Apply allow / block controls across the exploit chain

Diagram: indicators are drawn from application states (evaluate application states) and from exploit propagation (monitor post-exploit actions: write files, breach other programs, alter registry, other breach methods).
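An added toy illustration of the state correlation this slide describes (written for this page, not Trusteer's implementation): a monitor that tags a process as handling untrusted content, propagates that state to processes it spawns, and blocks the slide's post-exploit actions only in that context. The event names, the tainting rule and the event stream are constructed assumptions.

```python
# Narrowed forms of the slide's post-exploit actions (write files, alter
# registry, breach other programs); the names are constructed for this example.
POST_EXPLOIT_ACTIONS = {"write_executable", "alter_registry_run", "breach_program"}

class ChainMonitor:
    """Tracks each process's application state and blocks post-exploit
    actions taken while, or after, the process handled untrusted content."""

    def __init__(self):
        self.state = {}  # pid -> "idle" | "untrusted_content" | "propagated"

    def handle(self, event: dict) -> str:
        """Return 'allow' or 'block' for one event and update state."""
        pid, kind = event["pid"], event["kind"]
        if kind == "start":
            self.state[pid] = "idle"
        elif kind == "render_untrusted":  # e.g. the browser loads a web page
            self.state[pid] = "untrusted_content"
        elif kind == "spawn":
            # Exploit propagation: a child of a process that is handling
            # untrusted content inherits the suspicion, so its later actions
            # are judged in that context instead of as a fresh program.
            tainted = self.state.get(pid, "idle") != "idle"
            self.state[event["child"]] = "propagated" if tainted else "idle"
        elif kind in POST_EXPLOIT_ACTIONS and self.state.get(pid, "idle") != "idle":
            return "block"
        return "allow"

def run(events) -> list:
    """Decide every event in order; returns the list of decisions."""
    mon = ChainMonitor()
    return [mon.handle(e) for e in events]

# Constructed event stream: a browser renders a page and then attempts the
# post-exploit actions directly and through a spawned child, while an
# installer the user started performs the same kinds of writes legitimately.
EVENTS = [
    {"pid": 1, "kind": "start", "app": "browser"},
    {"pid": 1, "kind": "render_untrusted"},
    {"pid": 1, "kind": "write_executable"},       # block
    {"pid": 1, "kind": "spawn", "child": 2},      # allow; child becomes "propagated"
    {"pid": 2, "kind": "alter_registry_run"},     # block
    {"pid": 2, "kind": "breach_program"},         # block
    {"pid": 3, "kind": "start", "app": "installer"},
    {"pid": 3, "kind": "write_executable"},       # allow
    {"pid": 3, "kind": "alter_registry_run"},     # allow
]
```

The same action is blocked or allowed depending only on the state of the process (or its parent) that performs it, which is what makes the control independent of any knowledge of the exploit.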

Page 17: 7 Ways to Stay 7 Years Ahead of the Threat


Trusteer Apex - Malware Detection and Mitigation: Transparent removal of malware infections

Massively-distributed APT Protection / Legacy-threat Protection

Whitelist Database: billions of good files saved and executed

Blacklist Database: billions of malicious files blocked

• No active scanning = no performance impact

• No signature file update process on the endpoint

Automated Malware Removal; 27 Anti-virus Engines

Page 18: 7 Ways to Stay 7 Years Ahead of the Threat


Trusteer Apex - Lockdown for Java: Monitor and control high risk Java application actions

• Malicious activity is blocked while legitimate Java applications are allowed

• Trust for specific Java apps is granted by Trusteer / IT administrator

Diagram (JVM): a malicious, rogue Java app bypasses Java’s internal controls. Low-risk activities (e.g., display, local calculation) are allowed for trusted and untrusted apps alike; high-risk activities (e.g., write to file system, registry change) are monitored and controlled, with trust decided per app.

Page 19: 7 Ways to Stay 7 Years Ahead of the Threat


Trusteer Apex - Malicious communication blocking: Block suspicious executables that attempt to compromise other applications or open malicious communication channels

1. Assess process trust level

2. Identify process breach

3. Allow / block external communication

Diagram: infection sources (malicious site, legitimate site used as C&C, direct user download, pre-existing infection) lead to a zombie process that reaches the external network either directly or by pass-through via another application; communication is assessed for trust level, checked for application breach, and then allowed or blocked.

Page 20: 7 Ways to Stay 7 Years Ahead of the Threat


IBM Security offers 12 layers of protection for your infrastructure.

On the Network

1. Vulnerability Decodes

2. Application Layer Heuristics

3. Web Injection Logic

4. Shellcode Heuristics

5. Content Analysis

6. Protocol Anomaly Detection

7. Exploit Signatures

On the Endpoint

1. Credential Protection

2. Exploit Chain Disruption

3. Malware Detection and Mitigation

4. Lockdown for Java

5. Malicious Communication Prevention

Page 21: 7 Ways to Stay 7 Years Ahead of the Threat


Connect with IBM X-Force Research & Development

Find more on SecurityIntelligence.com

IBM X-Force Threat Intelligence Reports and Research: http://www.ibm.com/security/xforce/

Twitter: @ibmsecurity and @ibmxforce

IBM X-Force Security Insights Blog: www.SecurityIntelligence.com/topics/x-force

Page 22: 7 Ways to Stay 7 Years Ahead of the Threat


www.ibm.com/security

© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.