© 2014 IBM Corporation
IBM Security Systems
7 Ways to Stay 7 Years Ahead of the Threat: Protecting your infrastructure with behavior-based protection
Jun 02, 2015
We are in an era of continuous breaches. Attackers are relentless, victims are targeted, and the damage toll is rising.
Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2014
Operational Sophistication: IBM X-Force declared the Year of the Security Breach
Near Daily Leaks of Sensitive Data: 40% increase in reported data breaches and incidents
Relentless Use of Multiple Methods: 500,000,000+ records were leaked, while the future shows no sign of change
[Figure: incidents by attack type, 2011-2013. Attack types: SQL injection, spear phishing, DDoS, third-party software, physical access, malware, XSS, watering hole, undisclosed. Note: size of circle estimates relative impact of incident in terms of cost to business.]
Customers are fighting a losing battle.
• Humans will always make mistakes
• System and application vulnerabilities continue to emerge
• Most malware detection is reactive
Headlines: "Adobe Patches Flash Player Zero-Day Used in Watering-hole Attacks"; "Microsoft Warns of Attacks on IE Zero-Day"; "Cost of Data Breaches Spikes 15% in Last Year"; "Windows XP: Microsoft can't wash its hands of the security problem so easily"
Large-scale infections create a large surface area for new massively-distributed APT-style attacks.
New APT attacks can evade AV and standard controls. The attack attempts to set up remote control or steal corporate credentials.
The disclosure of the Shellshock bug in September brought immediate exploit attempts.
1992: Vulnerability in the Bash shell introduced in Linux v1.14
24 Sep 2014: Shellshock vulnerability disclosed in CVE-2014-6271. Vendor patch for CVE-2014-6271 found insufficient; additional CVE-2014-7169 created.
25 Sep 2014: X-Force elevates AlertCon level to 3
27 Sep 2014: IBM MSS observes a 1000% increase above average in shellcode injection attacks
Additional CVEs created to document Shellshock, bringing the total to 6
Patching the original vulnerability was complicated by the development of additional exploit techniques, resulting in additional CVE numbers being created.
The recommended practices for Shellshock protection did not offer complete coverage.
• Apply the vendor patches: some initial vendor patches were incomplete
• Apply WAF/IPS rules: current public rules are lacking, and focus only on a single exploit
• Change the shell from bash to alternatives (ksh, sh, ...): this can break things within the network
The IBM fundamental approach to threat protection
IBM PROTECTION vs. OTHER PRODUCTS
• IBM protection: stays ahead of the threat with pre-emptive protection that stops things from breaking the window (IBM protects the vulnerability)
• Other products: look for methods that can break the window; keeping up can be challenging (other products only block the exploits)
VULNERABILITY vs. EXPLOIT
• Vulnerability: a weakness in a system. Can be used to do something unintended; can be exploited in multiple ways.
• Exploit: a method used to gain system entry. Many different exploits can target a single vulnerability; not all exploits are publicly available, and mutation is common.
IBM has 7 layers of vulnerability and exploit coverage, going beyond pattern matching.
1. Web Injection Logic: patented protection against web attacks, e.g., SQL injection and cross-site scripting
2. Exploit Signatures: attack-specific pattern matching
3. Vulnerability Decodes: focused algorithms for mutating threats
4. Application Layer Heuristics: proprietary algorithms to block malicious use
5. Protocol Anomaly Detection: protection against misuse, unknown vulnerabilities, and tunneling across 230+ protocols
6. Shellcode Heuristics: behavioral protection to block exploit payloads
7. Content Analysis: file and document inspection and anomaly detection
Other IPS solutions stop at pattern matching.
Simple mutations will render exploit-matching engines useless.
• A simple change to a variable name allows the attack to succeed, while rendering the protection of a signature-matching engine useless
• A simple change to the HTML code in a compromised web page makes the attack invisible to signature protection
• Simply adding a comment to a web page results in an attack successfully bypassing a signature IPS
Original variable names -> mutated variable names: Shellcode -> somecode; Block -> brick; heapLib -> badLib
Original class reference:
<html><head></head><body><applet archive="jmBXTMuv.jar" code="msf.x.Exploit.class" width="1" height="1"><param name="data" value=""/><param name="jar">
Mutated class reference:
<html><head></head><body><applet archive="eXRZLr.jar" code="msf.x.badguy.class" width="1" height="1"><param name="data" value=""/><param name="jar">
Original code: var t = unescape;
Mutated code: var t = unescape <!-- Comment -->;
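As an added illustration of the point this slide makes (constructed example, not IBM code): the exact-substring matching an exploit-signature engine relies on misses each of the three mutations shown, while a check that normalizes the content and looks for the behaviour (a variable aliasing unescape, a jar-backed applet rendered in an invisible 1x1 area) still fires. The sample strings and the SIGNATURES list are constructed for the demonstration.

```python
import re

# Constructed samples modelled on the three mutations shown on the slide
# (assumed for the demonstration, not taken from any real exploit kit).
ORIGINAL_JS = 'var Shellcode = unescape("%u9090");'
RENAMED_JS = 'var somecode = unescape("%u9090");'          # variable renamed
COMMENTED_JS = "var t = unescape <!-- Comment -->;"         # comment inserted
ORIGINAL_APPLET = ('<applet archive="jmBXTMuv.jar" code="msf.x.Exploit.class" '
                   'width="1" height="1">')
MUTATED_APPLET = ('<applet archive="eXRZLr.jar" code="msf.x.badguy.class" '
                  'width="1" height="1">')
BENIGN_APPLET = ('<applet archive="chart.jar" code="ui.Chart.class" '
                 'width="400" height="300">')

# Literal patterns of the kind an exploit-signature engine would carry.
SIGNATURES = ["var Shellcode = unescape(", "var t = unescape;",
              'code="msf.x.Exploit.class"']


def signature_match(content: str) -> bool:
    """Exploit-signature engine: fires only on an exact substring."""
    return any(sig in content for sig in SIGNATURES)


def normalize(content: str) -> str:
    """Strip HTML comments and collapse whitespace before inspection,
    so cosmetic edits to the page do not change what gets inspected."""
    content = re.sub(r"<!--.*?-->", "", content, flags=re.S)
    return re.sub(r"\s+", " ", content).strip()


def behavioral_match(content: str) -> bool:
    """Behaviour-level check: fires on what the code does, not how it is
    spelled. Both conditions ignore identifier and class names:
      - a variable aliasing unescape() (how browser exploits usually
        assemble a shellcode string), whatever the variable is called;
      - an applet loaded from a jar into a 1x1 (invisible) display area,
        whatever the class is called.
    """
    text = normalize(content)
    aliased_unescape = re.search(r"\bvar\s+\w+\s*=\s*unescape\s*[;(]", text)
    hidden_applet = re.search(
        r'<applet[^>]*archive="[^"]+\.jar"[^>]*width="1"[^>]*height="1"',
        text, re.I)
    return bool(aliased_unescape or hidden_applet)


if __name__ == "__main__":
    for sample in (ORIGINAL_JS, RENAMED_JS, COMMENTED_JS,
                   ORIGINAL_APPLET, MUTATED_APPLET, BENIGN_APPLET):
        print(f"signature={signature_match(sample)!s:5} "
              f"behavioral={behavioral_match(sample)!s:5}  {sample}")
```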
X-Force expertise provides a competitive edge in the marketplace
Tolly Group Test Report: "IBM Delivers Superior Protection from Evolving Threats with High Levels of Performance." Tests showed that IBM is nearly twice as effective as Snort at stopping 'mutated' attacks, showing the power of X-Force technology.
Top Ranking by Customers: The IBM Network Security Appliances, for which X-Force provides protection, are the most highly regarded, as ranked by an InformationWeek survey of customers (independent survey of 458 IT professionals, Aug 2012). This included top scores in overall vendor performance, attack blocking and centralized management.
ICSA certification for the GX4: By consolidating network demands for data security and protection for web applications, IBM Security Network Intrusion Prevention System solutions serve as security platforms that can reduce the cost and complexity of deploying and managing point solutions.
NSS Testing Overview and Highlights
The IBM Security Network IPS GX7800 appliance:
• Scored 95.7% in Exploit Block Rate and 8,650 Mbps in NSS Tested Throughput
• Scored 97.7% and 94.1% for Block Rate (Server) and Block Rate (Client) respectively
• Achieved a "PASS" for all tests related to "Stability & Reliability"
• Achieved a "PASS" for all tests related to "Evasions"
Behavioral-based detection blocks attacks that have never been seen before
Vulnerability                                    | Disclosed     | IBM Protection (signature)           | Lead      | Vulnerabilities covered
Shellshock, CVE-2014-6271                        | Sept 2014     | June 2007 (Shell_Command_Injection)  | 7.3 years | 10
MS IE Remote Exploit, CVE-2012-4781              | December 2012 | April 2006 (JavaScript_NOOP_Sled)    | 6.8 years | 94
Java JRE Code Execution, CVE-2013-2465           | March 2013    | October 2012 (Java_Malicious_Applet) | 5 months  | 8
Cisco ASA Cross-Site Scripting, CVE-2014-2120    | March 2014    | November 2008 (Cross_Site_Scripting) | 5.5 years | 8,500+
Symantec Live Update SQL Injection, CVE-2014-1645 | March 2014   | June 2007 (SQL_Injection)            | 6.9 years | 9,000+
Trusteer Apex multi-layered defense architecture
Threat and Risk Reporting: vulnerability mapping and critical event reporting
Advanced Threat Analysis and Turnkey Service
Global Threat Research and Intelligence: global threat intelligence delivered in near-real time from the cloud
Credential Protection
• Prevent reuse on non-corporate sites
• Protect against submission on phishing sites
• Report on credential usage
Exploit Chain Disruption
• Block anomalous activity caused by exploits
• Zero-day defense by controlling the exploit chain
Malware Detection and Mitigation
• Detection and mitigation of massively distributed APTs
• Cloud-based detection of known threats
Malicious Communication Prevention
• Block malware communication
• Disrupt command and control
• Protect against data exfiltration
Lockdown for Java
• Block high-risk actions by malicious Java applications
• Administer the trust level, reducing user disruption
Trusteer Apex - Corporate Credentials Protection
Threats addressed: credential theft via phishing; corporate credential reuse.
When a user enters a password, Apex detects the submission and validates the destination: submission to the authorized (legitimate corporate) site is allowed, while submission to a phishing site or reuse on an unauthorized legitimate site is what the validation step catches.
Trusteer Apex - Exploit chain disruption: disrupt zero-day attacks without prior knowledge of the exploit or vulnerability
• Correlate application state with post-exploit actions
• Apply allow / block controls across the exploit chain
Apex evaluates application states (indicators of exploit propagation) and monitors post-exploit actions: write files, breach other programs, alter registry, other breach methods.
Trusteer Apex - Malware Detection and Mitigation: transparent removal of malware infections
Massively-distributed APT protection: a whitelist database (billions of good files saved and executed) and a blacklist database (billions of malicious files blocked)
• No active scanning = no performance impact
• No signature file update process on the endpoint
Legacy-threat protection: automated malware removal backed by 27 anti-virus engines
Trusteer Apex - Lockdown for Java: monitor and control high-risk Java application actions
• Malicious activity is blocked while legitimate Java applications are allowed
• Trust for specific Java apps is granted by Trusteer / IT administrator
Inside the JVM, a rogue Java app bypasses Java's internal controls. Apex allows low-risk activities (e.g., display, local calculation) for trusted and untrusted apps alike, and monitors and controls high-risk activities (e.g., write to file system, registry change) according to the app's trust level.
Trusteer Apex - Malicious communication blocking: block suspicious executables that attempt to compromise other applications or open malicious communication channels
1. Assess process trust level
2. Identify process breach
3. Allow / block external communication
Infection sources: direct user download, pre-existing infection. Communication to the external network (a malicious site, or a legitimate site used as C&C) may be direct from the suspicious executable or pass through a breached ("zombie") process; Apex assesses the trust level, identifies the application breach, and allows or blocks the connection.
IBM Security offers 12 layers of protection for your infrastructure.
On the Network:
1. Vulnerability Decodes
2. Application Layer Heuristics
3. Web Injection Logic
4. Shellcode Heuristics
5. Content Analysis
6. Protocol Anomaly Detection
7. Exploit Signatures
On the Endpoint:
1. Credential Protection
2. Exploit Chain Disruption
3. Malware Detection and Mitigation
4. Lockdown for Java
5. Malicious Communication Prevention
Connect with IBM X-Force Research & Development
Find more on SecurityIntelligence.com
IBM X-Force Threat Intelligence Reports and Research: http://www.ibm.com/security/xforce/
Twitter: @ibmsecurity and @ibmxforce
IBM X-Force Security Insights Blog: www.SecurityIntelligence.com/topics/x-force
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.