One Step Ahead Of Advanced Attacks and Malware (Session ID: SPO2-W02)
Jon Paterson, Director, Advanced Technology Group, McAfee, an Intel Company

One Step Ahead Of Advanced Attacks and Malware · PDF fileOne Step Ahead Of Advanced Attacks and Malware . SPO2-W02 . ... Web Exploitation continues as key vector . 10 ... advanced

Jan 30, 2018

Transcript
Page 1:

One Step Ahead Of Advanced Attacks and Malware

SESSION ID: SPO2-W02

Jon Paterson, Director, Advanced Technology Group

McAfee, an Intel Company

Page 2:

#RSAC

Advanced malware - what are your concerns? (survey chart)

- Detection: 35%
- Protection: 22%
- Signal / Noise Detection: 20%
- Timely Response: 11%
- Damage Repair: 9%
- Other: 3%

Source: McAfee Survey at Black Hat USA 2013

Page 3:

Areas of innovation: network, advanced analysis, mail, web, endpoint

Page 4: (no text extracted)

Page 5:

Next generation endpoint: anti-malware core

- intelligent trust for known good
- traditional AV techniques for known bad
- adaptive behavioral scanning for unknown
- telemetry and false mitigation

Page 6:

How does it work?

Page 7:

Conviction flow via assessor (flowchart)

- assessor -> convict? -> no: end
- convict? -> yes -> confirmed? -> no: end
- confirmed? -> yes -> quarantine / delete
- telemetry -> event store (extracted attributes) -> profiler

Page 8:

"profiler.gen.a" in action

- unique detections
- at moment of detection: previously detected and classified by McAfee
- proactive (98%)
- multiple family classifications: Zbot (24 variants), ZeroAccess (6 variants), FakeAlert (6 variants), WinWebsec, Swisyn, Vundu

Page 9: (no text extracted)

Page 10:

#RSAC

Web exploitation continues as key vector

Images courtesy of kahusecurity.com

Page 11:

Browser DOM specific behavior

- exception handling as anti-emulation technique
- "eval()" reconstructed

Page 12:

Server side polymorphism

- privilege check bypass
- debris

Page 13:

Server side polymorphism (detection ratios shown: 5 / 47 and 13 / 47)

Page 14:

Looking to the future?

- malware hidden in HTML design elements
- decryption key placed into HTML5 web storage
- dynamically reconstructing and deobfuscating malware

Page 15: (no text extracted)

Page 16:

Spear-phishing

"95% of all attacks on enterprise networks are the result of successful spear-phishing."

SANS Institute via Network World – Mar 2013

Page 17:

Delivery time scanning? (flow diagram)

Traditional: message -> core AV -> clean -> real-time emulation -> clean -> sandboxing -> clean -> reputation service -> clean -> deliver to user's inbox; any step not clean -> quarantine message

Open Time Scan: user opens message and clicks on URL -> re-check reputation -> clean -> real-time emulation -> clean -> unmask URL, warn and show preview -> redirect to web page; not clean -> block access to webpage

Page 18: (no text extracted)

Page 19:

Huge interest in sandbox technologies

- virtual and safe environment
- runtime analysis = monitors behavior
- computationally expensive, not real time
- sandbox detection / evasion: delayed execution, environment detection, conditional execution

Page 20:

Framework for scalable advanced analysis (diagram)

- blacklist and whitelist
- AV
- reputation service
- real time emulation
- full sample analysis

Axes: known good and known bad; emulation; dynamic and static

Page 21:

What if you had a map of the latent code?

- logical execution paths

What can you do with that?

- percentage of latent code
- familial resemblance

Combining assembly code and dynamic analysis

Page 22: (no text extracted)

Page 23:

Evasion at the transport

Page 24:

Exfiltration and application visibility

Ports: HTTP port 80, SMTP port 25, FTP port 20, UDP

Applications: Web, Google Hangouts, Box, Oracle Financials, Exchange Mail, Outlook Sync, Backup Service, VoIP/SIP

Page 25:

What can we understand from protocol alone?

Normal use:
- email: outlook.exe on IMAP (port 143)
- database: oradba.exe on SQL*Net (port 1521)

Observed: outlook.exe on SQL*Net (port 1521)

Page 26:

Advanced application visibility

Applications: Google Hangouts, Box, Oracle Financials, Exchange Mail, Outlook Sync, Backup Service, VoIP/SIP, Web

Processes observed: YouTubeTemplate.exe, iexplorer.exe, OUTLOOK.exe, OUTLOOK.exe, EMC backup, chrome.exe, iexplorer.exe, chrome.exe, BoxSync.exe

Indicators flagged:
- embedded EXE found
- DLL imports found in executable
- registry Run entry
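The point of slides 25 and 26 is that a port alone says "SQL*Net" while the process on the other end tells you whether that is normal. The following is an added illustration, not code from the deck or from McAfee: a baseline of expected process-to-port pairs is checked against a constructed connection log, flagging both a known process on an unexpected port (outlook.exe on 1521) and a process with no baseline at all. Process names beyond the slides' own (the chrome.exe entry, destination names, addresses) are assumed sample values.

```python
# Added example, not from the slides: process-to-protocol baseline check.
# All log lines, destinations and the chrome.exe baseline are constructed.
from collections import defaultdict

# Expected protocol/port per process, from the "normal use" slide
# (IMAP for mail, SQL*Net for the database) plus one assumed web entry.
BASELINE = {
    "outlook.exe": {143},     # IMAP
    "oradba.exe": {1521},     # SQL*Net
    "chrome.exe": {80, 443},  # assumed browsing baseline
}

PORT_NAMES = {143: "IMAP", 1521: "SQL*Net", 80: "HTTP", 443: "HTTPS", 25: "SMTP"}

# Constructed connection log: "<process> <destination> <port>" per line.
SAMPLE_LOG = """\
outlook.exe mail.corp.example 143
oradba.exe erp-db.corp.example 1521
outlook.exe erp-db.corp.example 1521
chrome.exe www.example.net 443
YouTubeTemplate.exe 203.0.113.10 80
"""

def parse_line(line):
    """Split one constructed log line into (process, destination, port)."""
    proc, dest, port = line.split()
    return proc, dest, int(port)

def find_anomalies(log_text):
    """Return (process, destination, port, reason) for each connection outside
    the baseline: a known process on an unexpected port, or an unknown process.
    The protocol label alone (e.g. SQL*Net) would not distinguish these."""
    anomalies = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        proc, dest, port = parse_line(line)
        proto = PORT_NAMES.get(port, str(port))
        if proc not in BASELINE:
            anomalies.append((proc, dest, port, f"unknown process using {proto}"))
        elif port not in BASELINE[proc]:
            anomalies.append((proc, dest, port, f"{proc} normally does not use {proto}"))
    return anomalies

def summarize(log_text):
    """Flagged-connection count per process, for a quick triage view."""
    counts = defaultdict(int)
    for proc, _, _, _ in find_anomalies(log_text):
        counts[proc] += 1
    return dict(counts)
```

On the sample log this flags exactly the two cases the slides call out; everything else matches the baseline and is left alone.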

Page 27: (no text extracted)

Page 28:

Point-to-point ecosystems cannot scale (diagram of many products, each integrated with every other)

Page 29:

The Data Exchange Layer

Exchanged context: asset, threat, identity, activity, BPM, risk, data, location

Page 30:

Threat Intelligence Exchange

Inputs: reputation service, 3rd party feeds, administrator, organizational knowledge

Connected components: endpoint agent, advanced malware, web gateway, email gateway, NGFW, IPS

Page 31:

Threat Intelligence Exchange - endpoint

Page 32:

Threat Intelligence Exchange (decision diagram, YES / NO)

Adapt and immunize – from encounter to containment in milliseconds

Page 33:

Threat Intelligence Exchange

Adapt and immunize – from encounter to containment in milliseconds

Page 34:

No silver bullet here…

- We will continue innovation of proactive technologies and connected solutions
- Make sure you are covering the gaps
- Integrate intelligence where possible in your environment
- Look at how you can build out a more connected eco-system; you will not scale to this challenge without it

Page 35: (no text extracted)