How Targeted Attacks Evade Anti-Virus Software © 2012 Imperva, Inc. All rights reserved.
Jan 19, 2015
How Targeted Attacks Evade Anti-Virus Software
© 2012 Imperva, Inc. All rights reserved.
© 2012 Imperva, Inc. All rights reserved.
© 2012 Imperva, Inc. All rights reserved.
Compromised insiders defined The anatomy of a compromised insider campaign Non mitigation techniques: Anti-virus Mitigating compromised insiders in theory
+ Real world case study: RSA
Mitigating compromised insiders in practice
2
Agenda
CONFIDENTI
© 2012 Imperva, Inc. All rights reserved.
© 2012 Imperva, Inc. All rights reserved.
Research + Directs security strategy + Works with the Imperva Application Defense Center
Security experience + Fortify Software and Coverity + Helped secure Intel’s supply chain software + Extensive international experience in Japan, China, France, and
Australia
Thought leadership + Presented at RSA, InfoSec, OWASP, ISACA + Appearances on CNN, SkyNews, BBC, NY Times, and USA Today
Graduated from University of California, Berkeley
Today’s Presenter Rob Rachwald, Dir. of Security Strategy, Imperva
© 2012 Imperva, Inc. All rights reserved.
© 2012 Imperva, Inc. All rights reserved.
Insider Threat
Someone who has trust and access and acquires intellectual property and/or data in excess of acceptable business requirements.
They do so: + Maliciously + Accidentally + By being compromised
4
Insider threat defined
© 2012 Imperva, Inc. All rights reserved.
© 2012 Imperva, Inc. All rights reserved.
A 3rd party who gains access and acquires intellectual property and/or data in excess via client infection. The client, often employees in government, military or private industry, are unknowing accomplices and have no malicious motivation.
5
Compromised insider defined
Compromised Insider
© 2012 Imperva, Inc. All rights reserved.
In recent events …
Saudi Aramco + Malicious Insider,
30,000 computers hacked, full service disruption.
Global Payments + Compromised Insider,
causes 1.5M payment cards compromised.
6 6
© 2012 Imperva, Inc. All rights reserved.
© 2012 Imperva, Inc. All rights reserved.
Malware: Compromised insiders on the rise
2012 Verizon Data Breach Report • Malware is on the rise: “69% of all data breaches
incorporated Malware”. A 20% increase over 2011. • Malicious insider incidents declining: “4% of data breaches
were conducted by implicated internal employees.” A 13% decrease compared to 2011.
Director of National Intelligence • “Almost half of all computers in the United States
have been compromised in some manner and ~60,000 new pieces of malware are identified per day”.
© 2012 Imperva, Inc. All rights reserved.
The 1% to be really concerned about
“Less than 1% of your employees may be
malicious insiders, but 100% of your employees have the potential to be compromised insiders.”
Source: http://edocumentsciences.com/defend-against-compromised-insiders
© 2012 Imperva, Inc. All rights reserved.
© 2012 Imperva, Inc. All rights reserved.
Who does it?
Governments - Stealing Intellectual Property (IP) and raw data, as well as, espionage. - Motivated by politics and nationalism.
Private hackers - Stealing IP and data. - Motivated by profit.
Hacktivists - Exposing IP and data, but also compromising infrastructure. - Motivated by almost anything - have attacked, nations, people, religion, commerce, etc…
9
© 2012 Imperva, Inc. All rights reserved.
© 2012 Imperva, Inc. All rights reserved.
Multimillion dollar
datacenter
10
Where do they attack?
Desktop and the
user
Well protected
Not well protected
Both access the same data
© 2012 Imperva, Inc. All rights reserved.
Anatomy of a Compromised Insider Campaign
11
© 2012 Imperva, Inc. All rights reserved.
© 2012 Imperva, Inc. All rights reserved.
12
With social networks, smart bombing is not hard
© 2012 Imperva, Inc. All rights reserved.
© 2012 Imperva, Inc. All rights reserved.
13
With social networks, smart bombing is not hard
© 2012 Imperva, Inc. All rights reserved.
© 2012 Imperva, Inc. All rights reserved.
14
Industrialized approach
Specialized frameworks and hacking tools, such as BlackHole 2.0 and others, allow easy setup for Host Hijacking and Phishing.
How easy is it ? For $700: 3 month license for BlackHole available online. Includes support!
© 2012 Imperva, Inc. All rights reserved.
© 2012 Imperva, Inc. All rights reserved.
15
Is this real?
Recent “iPhone 5 Images Leak” was a Trojan Download Drive-By.
© 2012 Imperva, Inc. All rights reserved.
© 2012 Imperva, Inc. All rights reserved.
16
Is this real?
Persistent XSS Vulnerable Sites provide the Infection Platform.
GMAIL, June 2012
TUMBLR, July 2012
© 2012 Imperva, Inc. All rights reserved.
© 2012 Imperva, Inc. All rights reserved.
17
Is this real?
• “Once compromised, keyloggers and RATs installed on the financial institution employee's computer provided the criminals with "complete access“.
• “Unauthorized transactions were preceded by unauthorized
logins that occurred outside of normal business hours” • "The DDoS attacks were likely used as a distraction”
Sep 24th 2012, FBI Issued a warning of Targeted Scams.
© 2012 Imperva, Inc. All rights reserved.
Non Mitigations: Anti-Virus
18
© 2012 Imperva, Inc. All rights reserved.
The media view
“Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn’t. We were out of our league, in our own game.” Source: http://www.wired.com/threatlevel/2012/06/internet-security-fail/
© 2012 Imperva, Inc. All rights reserved.
The hacker view
An entire industry exists to bypass anti-virus. Today, anti-virus stops between 6-27%
of viruses.
Source: http://adamonsecurity.com/?p=323
© 2012 Imperva, Inc. All rights reserved.
The anti-virus vendor view
Source: http://www.forbes.com/sites/andygreenberg/2012/10/16/hackers-exploit-software-bugs-for-10-months-on-average-before-theyre-fixed/
Hackers exploit ‘zero-day' bugs for 10 months on average before they're exposed.
© 2012 Imperva, Inc. All rights reserved.
© 2012 Imperva, Inc. All rights reserved.
Problem: Most organizations chase the mice and don’t focus enough on protecting the cheese.
+ Much of security budgets spent on: – Malware detection – Virus prevention
+ Front-line/end-user defenses must be 100% accurate.
– If one mouse gets past them the cheese is gone.
22
Protect and monitor the cheese
© 2012 Imperva, Inc. All rights reserved.
Mitigating Compromised Insiders
23
© 2012 Imperva, Inc. All rights reserved.
© 2012 Imperva, Inc. All rights reserved.
Classify Sensitive Information + Identifying the information within the corporate databases and
file servers allows understanding of risk and severity of data access.
Persistent Security Policy + A good security policy will allow you to put compensating
controls in place while not disrupting business needs and maintaining security.
User Rights + Map your users’ rights. Understand who has access to what,
and why there are dormant accounts?
Analyze, Alert, and Audit on Activity + By keeping track of access and access patterns, it becomes easy
to understand who accessed your data, what was accessed, and why.
24
Step 1: Know what users do with data
© 2012 Imperva, Inc. All rights reserved.
© 2012 Imperva, Inc. All rights reserved.
What: weirdness probably means trouble.
How: + Profile normal, acceptable
usage and access to sensitive items by
– Volume – Access speed – Privilege level
+ Put in place monitoring or “cameras in the vault.”
25
Step #2: Look for aberrant behavior
© 2012 Imperva, Inc. All rights reserved.
© 2012 Imperva, Inc. All rights reserved.
Checks the entry method. Legitimate individuals should, typically, access data through a main door.
Monitor the activity of the individuals. If employees have been granted miscellaneous access permissions, monitor what they are doing. Malware from spear phishing typically causes unusual behavior.
Monitor the activity of privileged users. Database controls should track the activity of the privileged users and monitor what these privileged users are accessing.
26
Example: Databases
© 2012 Imperva, Inc. All rights reserved.
© 2012 Imperva, Inc. All rights reserved.
Copying Folders Routine Access
Nonselective All subfolders and files accessed
Selective
Temporally continuous Temporally irregular
Recursive Random order
Directory accessed before its files
Files can be accessed without directory
Example: File Systems
Source: Catching Insider Data Theft with Stochastic Forensics, presented at Black Hat USA August 2012.
© 2012 Imperva, Inc. All rights reserved.
© 2012 Imperva, Inc. All rights reserved.
28
Conclusion: Rebalance the portfolio
© 2012 Imperva, Inc. All rights reserved.
© 2012 Imperva, Inc. All rights reserved.
2002
$1.44 Billion
2012 (est.)
$7.84 Billion
29
Worldwide anti virus spend: 2002 vs 2012
A 5x increase without the 5x improvement. Source: Gartner, Worldwide Spending on Security by Technology Segment, Country and Region, 2010-2016 and 2002
© 2012 Imperva, Inc. All rights reserved.
Real World Incident
30
© 2012 Imperva, Inc. All rights reserved.
© 2012 Imperva, Inc. All rights reserved.
Organizations known to have been compromised:
• Saudi Aramco • Goldman Sachs • Global Payments • SF Computer Systems • Sandia National Labs • CardSystems • EPA • Motorola • Sberbank • Google (Aurora) • RSA • Toyota
The list goes on ….
© 2012 Imperva, Inc. All rights reserved.
© 2012 Imperva, Inc. All rights reserved.
Mass phishing campaign against RSA employees
32
RSA – phishing mail
© 2012 Imperva, Inc. All rights reserved.
© 2012 Imperva, Inc. All rights reserved.
Excel file with embedded Flash 0 day Flash vulnerability
33
RSA – the exploit
© 2012 Imperva, Inc. All rights reserved.
© 2012 Imperva, Inc. All rights reserved.
“With the trojan downloaded, the attackers then started harvesting credentials and made their way up the RSA food chain via both IT and non-IT personnel accounts, until they finally obtained privileged access to the targeted system.”
34
Proliferation within the network
Source: http://www.pcmag.com/article2/0,2817,2382970,00.asp
© 2012 Imperva, Inc. All rights reserved.
© 2012 Imperva, Inc. All rights reserved.
SecureID hacked
35
RSA – the result
© 2012 Imperva, Inc. All rights reserved.
Mitigation in Action
36
© 2012 Imperva, Inc. All rights reserved.
Imperva SecureSphere – Database coverage
Coverage for Heterogeneous Databases
DB2 DB2 z/OS DB2400 Informix Netezza
DB2 z/OS
© 2012 Imperva, Inc. All rights reserved.
Imperva Database Security Products
38
Database Activity Monitoring
Full auditing and visibility into database activities
Discovery & Assessment Server
Vulnerability assessment, configuration management,
database discovery and classification
© 2012 Imperva, Inc. All rights reserved.
Users
Deployment options
Management Server (MX)
Agent Auditing
Agent Auditing
Database Activity
Monitoring
Network Auditing Gateway
Network Auditing Gateway
DBA/Sys admin
DBA/Sys admin
Database Activity
Monitoring
© 2012 Imperva, Inc. All rights reserved.
Auditing database activity
40
Audit trail captures all database activity, including SELECT, DML, DDL, privileged activities.
Details answer the who?, what?, where?, when? and how?
Privileged Operations
DB2 for z/OS Activity
Who? What?, How? When? Where?
Complete Audit Trail
© 2012 Imperva, Inc. All rights reserved.
Audit analytics
Pre-defined audit views provide quick and flexible access to audit details
Graphical Analysis
Drill down to audit data
© 2012 Imperva, Inc. All rights reserved.
© 2012 Imperva, Inc. All rights reserved.
SecureSphere provides real-time alerts on any security event and policy violation.
Dynamic Profiling enables identification of abnormal behaviors.
Alerts enable immediate response to minimize the impact of a breach.
42
Real-time alerts on security events
Profiling violation – unauthorized database and schema access
Destination
Date and Time
Alert Details
Source application User
© 2012 Imperva, Inc. All rights reserved.
Universal user tracking
Universal User Tracking
Full user visibility and accountability • Map application users to database activity
User A
User B
User A User B
Tech User
© 2012 Imperva, Inc. All rights reserved.
CONFIDENTIAL - Imperva 44
© 2012 Imperva, Inc. All rights reserved.
© 2012 Imperva, Inc. All rights reserved.
No need to define special policies for mainframe databases.
Granular policies defined and managed through a centralized, friendly interface.
Preconfigured compliance policies and reports for SOX, PCI, and data privacy.
45
Unified policies across heterogeneous platforms
DB2 for z/OS
Other databases
Define and apply policies to heterogeneous databases
© 2012 Imperva, Inc. All rights reserved.
Webinar Materials
46
© 2012 Imperva, Inc. All rights reserved.
© 2012 Imperva, Inc. All rights reserved.
Webinar materials
Post-Webinar Discussions
Answers to Attendee Questions
Webinar Recording Link Join Group
Join Imperva LinkedIn Group, Imperva Data Security Direct, for…
www.imperva.com
- CONFIDENTIAL -