© 2014 IBM Corporation, IBM Security
10.00-10.30 Behind the scenes of IBM’s Trusteer Research
Ori Bach, Senior Security Strategist, Trusteer, IBM Security
Trusteer provides a unique automated threat protection service
Trusteer continuously evaluates the threat environment and automatically updates its solutions on behalf of its customers
SaaS Service
• Stop fraud attacks before they happen
• Actionable threat intelligence on real-time threats
• Remove and prevent future threats
Real-time Threat Intelligence Service
• Threat intelligence from 400M+ endpoints
• Insights from the cybercrime underground
Expert Research
• Continuous threat monitoring
• Rapidly adapt defenses
• Hundreds of IBM expert security researchers
CLIENT EXAMPLE
Trusteer transforms the war against cybercrime with proven results
A major European commercial bank transforms the war against cybercrime in just one month
• 90% reduction in malware-infected device logins
• 150 fraud cases prevented
• Faster time-to-value
• Adaptive controls
• Prevents root cause of fraud
Trusteer response to rapidly evolving malware
• Retrieve malware, configuration and modules from listening points across the globe
• Dedicated cross-functional team for threat and research
• Monitor chatter on the darknet
• Install malware in dedicated lab environment
• Understand malware operator MO
• Reverse engineering
• Proprietary decryption tools
• Versioning
• Identify incremental changes -> develop & deploy defenses in less than 12 hours
• Constant monitoring of bypass attempts
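As an added illustration of the "versioning" and "identify incremental changes" steps in the process above (example code written for this page, not IBM or Trusteer code): once a sample's configuration has been decrypted in the lab, the practical question is what changed since the previous version, because that delta is what drives the updated defense. The JSON configuration layout below is a hypothetical one constructed for the illustration and is not the real format of Dyre or any other family; the version labels are borrowed from the Dyre release list on the next slide, and the hosts and addresses are constructed sample values.

```python
"""
Added example (not IBM/Trusteer code): diff two successive versions of a
decrypted malware configuration and turn the incremental changes into a
list of new detection indicators. The configuration layout is hypothetical,
constructed for this illustration only.
"""
import json
from typing import Any

# Constructed sample: configuration recovered from one version of a family.
CONFIG_V1 = json.dumps({
    "version": "v2410",
    "c2": ["203.0.113.10:443", "198.51.100.7:443"],
    "targets": {
        "bank-a.example": {"inject": "login.js", "mode": "webinject"},
        "bank-b.example": {"inject": "otp.js", "mode": "webinject"},
    },
})

# Constructed sample: the next version. One C2 endpoint was swapped, one
# target was added, and one existing target's injection was changed.
CONFIG_V2 = json.dumps({
    "version": "v2910",
    "c2": ["203.0.113.10:443", "192.0.2.55:443"],
    "targets": {
        "bank-a.example": {"inject": "login.js", "mode": "webinject"},
        "bank-b.example": {"inject": "otp2.js", "mode": "webinject"},
        "bank-c.example": {"inject": "login.js", "mode": "redirect"},
    },
})


def diff_configs(old_json: str, new_json: str) -> dict[str, Any]:
    """Return the incremental changes between two configuration versions:
    C2 endpoints added/removed, targets added/removed, targets whose
    per-host settings changed."""
    old, new = json.loads(old_json), json.loads(new_json)
    old_c2, new_c2 = set(old.get("c2", [])), set(new.get("c2", []))
    old_t, new_t = old.get("targets", {}), new.get("targets", {})
    changed = {
        host: {"before": old_t[host], "after": new_t[host]}
        for host in old_t.keys() & new_t.keys()
        if old_t[host] != new_t[host]
    }
    return {
        "from": old.get("version"),
        "to": new.get("version"),
        "c2_added": sorted(new_c2 - old_c2),
        "c2_removed": sorted(old_c2 - new_c2),
        "targets_added": sorted(new_t.keys() - old_t.keys()),
        "targets_removed": sorted(old_t.keys() - new_t.keys()),
        "targets_changed": changed,
    }


def indicators_from_diff(delta: dict[str, Any]) -> list[str]:
    """Flatten the diff into the items a defense update has to cover:
    new C2 endpoints, newly targeted hosts, and re-targeted hosts."""
    hints = [f"c2:{ep}" for ep in delta["c2_added"]]
    hints += [f"target:{h}" for h in delta["targets_added"]]
    hints += [f"target-changed:{h}" for h in sorted(delta["targets_changed"])]
    return hints


if __name__ == "__main__":
    delta = diff_configs(CONFIG_V1, CONFIG_V2)
    print(json.dumps(delta, indent=2))
    for hint in indicators_from_diff(delta):
        print("new indicator:", hint)
```

Running the script against the two constructed versions reports one new C2 endpoint, one newly targeted host and one re-targeted host; those three items, rather than the whole configuration, are what a 12-hour defense update needs to address.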
Dyre example - consistent detection across malware versions
[Chart: Dyre Detections (June – December 2014), weekly detection counts from 6/26 to 12/4 on a 0–450 scale, annotated with the Dyre version releases below]
Dyre Version Releases
Version  Release date
v2410    10/26
v2910    10/31
v3010    11/03
v3011    11/03
v0511    11/06
v0611    11/09
v1311    11/13
v1811    11/19
v2511    11/26
v0812    12/09
Case Study: Trusteer protection against remote overlay attacks
Day 0: Listening endpoints pick up new attack MO in LATAM country
Day 1: Malware research team analyzes MO and releases updated defense
Day 3: Intelligence team acquires toolkit behind attack from the underground
Day 4: Demo of the attack, including fake messages, provided to targeted banks
Day 30: Attack MO migrates to APAC
Day 30: Trusteer endpoints in APAC protected before first attack starts
Remote overlay toolkit example
Remote overlay toolkit example - Summary
The toolkit circumvents device ID and 2FA with physical token
Question: how much does this toolkit cost on the underground?
A) 10,000 Euro
B) 1000 Euro
C) 500 Euro
D) Less than 150 Euro