How Targeted APT and Advanced Malware Attacks Evade Anti-virus Software

How Targeted Attacks Evade Anti-Virus Software

© 2012 Imperva, Inc. All rights reserved.



Compromised insiders defined The anatomy of a compromised insider campaign Non mitigation techniques: Anti-virus Mitigating compromised insiders in theory

+ Real world case study: RSA

Mitigating compromised insiders in practice

2

Agenda

CONFIDENTI



Research + Directs security strategy + Works with the Imperva Application Defense Center

Security experience + Fortify Software and Coverity + Helped secure Intel’s supply chain software + Extensive international experience in Japan, China, France, and

Australia

Thought leadership + Presented at RSA, InfoSec, OWASP, ISACA + Appearances on CNN, SkyNews, BBC, NY Times, and USA Today

Graduated from University of California, Berkeley

Today’s Presenter Rob Rachwald, Dir. of Security Strategy, Imperva



Insider Threat

Someone who has trust and access and acquires intellectual property and/or data in excess of acceptable business requirements.

They do so: + Maliciously + Accidentally + By being compromised

4

Insider threat defined



A 3rd party who gains access and acquires intellectual property and/or data in excess via client infection. The client, often employees in government, military or private industry, are unknowing accomplices and have no malicious motivation.

5

Compromised insider defined

Compromised Insider


In recent events …

Saudi Aramco + Malicious Insider,

30,000 computers hacked, full service disruption.

Global Payments + Compromised Insider,

causes 1.5M payment cards compromised.

6 6



Malware: Compromised insiders on the rise

2012 Verizon Data Breach Report • Malware is on the rise: “69% of all data breaches

incorporated Malware”. A 20% increase over 2011. • Malicious insider incidents declining: “4% of data breaches

were conducted by implicated internal employees.” A 13% decrease compared to 2011.

Director of National Intelligence • “Almost half of all computers in the United States

have been compromised in some manner and ~60,000 new pieces of malware are identified per day”.


The 1% to be really concerned about

“Less than 1% of your employees may be

malicious insiders, but 100% of your employees have the potential to be compromised insiders.”

Source: http://edocumentsciences.com/defend-against-compromised-insiders



Who does it?

Governments - Stealing Intellectual Property (IP) and raw data, as well as, espionage. - Motivated by politics and nationalism.

Private hackers - Stealing IP and data. - Motivated by profit.

Hacktivists - Exposing IP and data, but also compromising infrastructure. - Motivated by almost anything - have attacked, nations, people, religion, commerce, etc…

9



Multimillion dollar

datacenter

10

Where do they attack?

Desktop and the

user

Well protected

Not well protected

Both access the same data


Anatomy of a Compromised Insider Campaign

11



12

With social networks, smart bombing is not hard



13

With social networks, smart bombing is not hard



14

Industrialized approach

Specialized frameworks and hacking tools, such as BlackHole 2.0 and others, allow easy setup for Host Hijacking and Phishing.

How easy is it ? For $700: 3 month license for BlackHole available online. Includes support!



15

Is this real?

Recent “iPhone 5 Images Leak” was a Trojan Download Drive-By.



16

Is this real?

Persistent XSS Vulnerable Sites provide the Infection Platform.

GMAIL, June 2012

TUMBLR, July 2012



17

Is this real?

• “Once compromised, keyloggers and RATs installed on the financial institution employee's computer provided the criminals with "complete access“.

• “Unauthorized transactions were preceded by unauthorized

logins that occurred outside of normal business hours” • "The DDoS attacks were likely used as a distraction”

Sep 24th 2012, FBI Issued a warning of Targeted Scams.


Non Mitigations: Anti-Virus

18


The media view

“Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn’t. We were out of our league, in our own game.” Source: http://www.wired.com/threatlevel/2012/06/internet-security-fail/

http://www.wired.com/threatlevel/2012/06/internet-security-fail/


The hacker view

An entire industry exists to bypass anti-virus. Today, anti-virus stops between 6-27%

of viruses.

Source: http://adamonsecurity.com/?p=323


The anti-virus vendor view

Source: http://www.forbes.com/sites/andygreenberg/2012/10/16/hackers-exploit-software-bugs-for-10-months-on-average-before-theyre-fixed/

Hackers exploit ‘zero-day' bugs for 10 months on average before they're exposed.

http://www.forbes.com/sites/andygreenberg/2012/10/16/hackers-exploit-software-bugs-for-10-months-on-average-before-theyre-fixed/


























Problem: Most organizations chase the mice and don’t focus enough on protecting the cheese.

+ Much of security budgets spent on: – Malware detection – Virus prevention

+ Front-line/end-user defenses must be 100% accurate.

– If one mouse gets past them the cheese is gone.

22

Protect and monitor the cheese


Mitigating Compromised Insiders

23



Classify Sensitive Information + Identifying the information within the corporate databases and

file servers allows understanding of risk and severity of data access.

Persistent Security Policy + A good security policy will allow you to put compensating

controls in place while not disrupting business needs and maintaining security.

User Rights + Map your users’ rights. Understand who has access to what,

and why there are dormant accounts?

Analyze, Alert, and Audit on Activity + By keeping track of access and access patterns, it becomes easy

to understand who accessed your data, what was accessed, and why.

24

Step 1: Know what users do with data



What: weirdness probably means trouble.

How: + Profile normal, acceptable

usage and access to sensitive items by

– Volume – Access speed – Privilege level

+ Put in place monitoring or “cameras in the vault.”

25

Step #2: Look for aberrant behavior



Checks the entry method. Legitimate individuals should, typically, access data through a main door.

Monitor the activity of the individuals. If employees have been granted miscellaneous access permissions, monitor what they are doing. Malware from spear phishing typically causes unusual behavior.

Monitor the activity of privileged users. Database controls should track the activity of the privileged users and monitor what these privileged users are accessing.

26

Example: Databases



Copying Folders Routine Access

Nonselective All subfolders and files accessed

Selective

Temporally continuous Temporally irregular

Recursive Random order

Directory accessed before its files

Files can be accessed without directory

Example: File Systems

Source: Catching Insider Data Theft with Stochastic Forensics, presented at Black Hat USA August 2012.



28

Conclusion: Rebalance the portfolio



2002

$1.44 Billion

2012 (est.)

$7.84 Billion

29

Worldwide anti virus spend: 2002 vs 2012

A 5x increase without the 5x improvement. Source: Gartner, Worldwide Spending on Security by Technology Segment, Country and Region, 2010-2016 and 2002


Real World Incident

30



Organizations known to have been compromised:

• Saudi Aramco • Goldman Sachs • Global Payments • SF Computer Systems • Sandia National Labs • CardSystems • EPA • Motorola • Sberbank • Google (Aurora) • RSA • Toyota

The list goes on ….



Mass phishing campaign against RSA employees

32

RSA – phishing mail



Excel file with embedded Flash 0 day Flash vulnerability

33

RSA – the exploit



“With the trojan downloaded, the attackers then started harvesting credentials and made their way up the RSA food chain via both IT and non-IT personnel accounts, until they finally obtained privileged access to the targeted system.”

34

Proliferation within the network

Source: http://www.pcmag.com/article2/0,2817,2382970,00.asp

http://www.pcmag.com/article2/0,2817,2382970,00.asp














SecureID hacked

35

RSA – the result


Mitigation in Action

36


Imperva SecureSphere – Database coverage

Coverage for Heterogeneous Databases

DB2 DB2 z/OS DB2400 Informix Netezza

DB2 z/OS


Imperva Database Security Products

38

Database Activity Monitoring

Full auditing and visibility into database activities

Discovery & Assessment Server

Vulnerability assessment, configuration management,

database discovery and classification


Users

Deployment options

Management Server (MX)

Agent Auditing

Agent Auditing

Database Activity

Monitoring

Network Auditing Gateway

Network Auditing Gateway

DBA/Sys admin

DBA/Sys admin

Database Activity

Monitoring


Auditing database activity

40

Audit trail captures all database activity, including SELECT, DML, DDL, privileged activities.

Details answer the who?, what?, where?, when? and how?

Privileged Operations

DB2 for z/OS Activity

Who? What?, How? When? Where?

Complete Audit Trail


Audit analytics

Pre-defined audit views provide quick and flexible access to audit details

Graphical Analysis

Drill down to audit data



SecureSphere provides real-time alerts on any security event and policy violation.

Dynamic Profiling enables identification of abnormal behaviors.

Alerts enable immediate response to minimize the impact of a breach.

42

Real-time alerts on security events

Profiling violation – unauthorized database and schema access

Destination

Date and Time

Alert Details

Source application User


Universal user tracking

Universal User Tracking

Full user visibility and accountability • Map application users to database activity

User A

User B

User A User B

Tech User


CONFIDENTIAL - Imperva 44



No need to define special policies for mainframe databases.

Granular policies defined and managed through a centralized, friendly interface.

Preconfigured compliance policies and reports for SOX, PCI, and data privacy.

45

Unified policies across heterogeneous platforms

DB2 for z/OS

Other databases

Define and apply policies to heterogeneous databases


Webinar Materials

46



Webinar materials

Post-Webinar Discussions

Answers to Attendee Questions

Webinar Recording Link Join Group

Join Imperva LinkedIn Group, Imperva Data Security Direct, for…

www.imperva.com

- CONFIDENTIAL -

How Targeted APT and Advanced Malware Attacks Evade Anti-virus Software

Technology

imperva research

compromised insiders

compromised insider

data breaches

malicious insiders

insider threatsomeone

malicious insider incidents

raw data