The Threat Landscape
Don Murphy, Senior Systems Engineer
Fortinet, Inc.
The Internet is only 45 Years Old
What was the plan for security?
• Difference between Viruses and Malware
• Viruses are a specific type of malware designed to replicate and spread
• Malware is all types of malicious code
• Malware can include Viruses, Spyware, Adware, Nagware, Trojans and Worms
• Because Viruses obtained so much press the standard became Anti-Virus
De-Mystifying Viruses, Malware, and Other Threats
• Delivery mechanism has yet to be revealed
• Creates a network share accessible by all computers
• Hosts a web server
• Malware attempts to connect to C&C in Italy, Poland or Thailand
• Similar to DarkSeoul that struck South Korea last year
Sony Pictures – Wiper Malware
• Attackers gained credentials from a third-party vendor
• Exploited third-party vendor’s system and Home Depot’s network via Microsoft Exploit
• A large Apple purchase was made by Home Depot shortly after
Home Depot Breach
• Breached unclassified network used by President’s Senior staff
• Discovered in Early October - Alerted by Foreign Government
• Hackers appeared to be mapping and probing the network
• Hackers are believed to be working for the Russian Government
The White House Breach
• Was not a breach of Apple Systems including iCloud or Find My Phone
• Very targeted attack on user names, passwords, and security questions
• Apple recommends a strong two-factor authentication solution and will also send out more alerts
• Phishing scam came out soon after
iCloud Celebrity Photo Breach
DISGUISE | SURVIVABILITY | IMPACT
Detect Disguise, Kill the Chain
Reduce Survivability, Break Impact
What are APTs? Defining Advanced Persistent Threats
• Probing of Targets
• Information Gathering
APT Stages - Reconnaissance
• Phishing Emails, Malicious Flash or PDFs
• Malicious Websites that attack flaws in browsers
• Piggybacking mouse clicks
APT Stages - Infiltration
• Callback Attempts are made to Mothership
• Low Profile Otherwise
APT Stages – Malware Action
• Delivery of Stolen/Compromised Data
APT Stages – Exfiltration
• Command and Control have established connection to compromised client
• Attacks continue on file shares, cloud-based applications, databases, etc.
• Expect lateral moves within the network to expand reach as well as destruction
APT Stages – Further Exploitation
• Ransomware: Attempts to extort money out of the infected users
• Cryptolocker encrypts local files or files on the network
• Ransom to unlock the files can be anywhere from $200 to $2000
Cryptolocker / CryptoWall
• Email attachments: .exe files posing as .pdf
• Botnets: a pay-per-install operation
Cryptolocker – How did I get infected?
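An added mail-gateway check for the first infection vector on this slide (an .exe posing as a .pdf); this is example code, not part of the deck or a Fortinet product. It flags double extensions such as `invoice.pdf.exe` and attachments whose leading bytes contradict their extension; the extension sets and sample attachments are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple
PE_MAGIC = b"MZ"       # header of a Windows executable (PE file)
PDF_MAGIC = b"%PDF-"   # header of a real PDF
# Extensions Windows executes on double-click (representative, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Document/image extensions typically used as the bait half of a double extension.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}

@dataclass
class Verdict:
    filename: str
    suspicious: bool
    reasons: List[str]

def inspect_attachment(filename: str, content: bytes) -> Verdict:
    """Flag an attachment that presents itself as a document but is executable."""
    reasons = []
    exts = filename.lower().split(".")[1:]     # every extension after the base name
    final_ext = exts[-1] if exts else ""
    # "invoice.pdf.exe": a document extension as bait directly in front of the
    # last extension, which is the one that decides how Windows opens the file.
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and final_ext in EXECUTABLE_EXTS:
        reasons.append(f"double extension .{exts[-2]}.{final_ext}")
    elif final_ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{final_ext}")
    # Content/name mismatch: named .pdf but not a PDF, or a PE header (MZ)
    # behind a non-executable name (a renamed binary).
    if final_ext == "pdf" and not content.startswith(PDF_MAGIC):
        reasons.append("named .pdf but content lacks the %PDF- header")
    if content.startswith(PE_MAGIC) and final_ext not in EXECUTABLE_EXTS:
        reasons.append("PE (MZ) header behind a non-executable extension")
    return Verdict(filename, bool(reasons), reasons)

def scan(attachments: List[Tuple[str, bytes]]) -> List[Verdict]:
    """Inspect every attachment of a message; one verdict per file."""
    return [inspect_attachment(name, content) for name, content in attachments]

# Constructed sample attachments (name, leading bytes), not real samples.
SAMPLE_ATTACHMENTS: List[Tuple[str, bytes]] = [
    ("Invoice_2014.pdf", b"%PDF-1.4\n% constructed benign sample"),
    ("Invoice_2014.pdf.exe", b"MZ\x90\x00 constructed PE stub"),
    ("Statement.pdf", b"MZ\x90\x00 constructed PE stub"),  # binary renamed to .pdf
    ("photo.jpg", b"\xff\xd8\xff\xe0 constructed JPEG stub"),
]

if __name__ == "__main__":
    for v in scan(SAMPLE_ATTACHMENTS):
        status = "QUARANTINE" if v.suspicious else "ok"
        print(f"{v.filename:22} {status:10} {'; '.join(v.reasons)}")
```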
• Rolling back changes from the infected system itself
• Restoring files from external back-ups
• Paying the ransom
Cryptolocker – What can I do if I’m infected?
The HeartBleed Bug
• Why is it called a Bug?
» OpenSSL 1.0.1 library implementation problem
• Why should I change my passwords?
» Usernames, Passwords, and Private keys exposed
• What should I do if my company is affected?
» Vendor patches, new certificates, IPS signatures
2015: What’s Next?
• Mobile
» New Milestone 2013 - Mobile Malware listed in Top 10 Virus Index
» Custom Polymorphic Malware / Evasion
• Moving beyond applications (APK)
• 2014 Data Security “Breach a month”
» Prediction on track so far…
• More Ransomware due to Cryptolocker Success
» Estimated at over $40 Million in ransom dollars paid
Zero-Day Trends
Mobile: Android Malware
Mobile: IOS Malware
• Blacklisting C2 servers with Web Filtering
• Disrupting Trojan to C2 server communication with IPS/AppCtrl
• AV Protection of all known Variants
Cryptolocker – What FortiGuard does to protect and prevent
Case Study: FortiGuard Response
South Korea Attacks
Timeline (labels as they appear on the slide diagram):
• Suspicious Activity
• March 12th, 2013
• Time Bomb Attacks
• Botnet Servers Detected
• March 20th, 2013: Malware Planted
• WCF Signatures Added
• Botnet Servers Mitigated
• KISA Request (FortiGuard)
• Malware Mitigated
• +4 Hours
• AV Sig (Flow)
• 12 Hours
• Botnet Flow Mitigated
• AV Sig (CPRL), AppCtl (Botnet)
• 48 Hours
• Blog Analysis
ZERO-DAY MALWARE USED
Overwrote hard drives
Detonated simultaneously
APT Strategy: Multi-Layer Defenses
1) Anti-Virus
• Detect known viruses
• Detect new variants (emulation and sandboxing)
2) Web Filtering
• Detect connections going to malware sites (typically to download the real malware)
3) Botnet / AppCtrl
• Detect connections or traffic going to botnet sites
• Detect known botnet applications
4) IPS
• Block known vulnerabilities, including undisclosed vulnerabilities
5) Behavioral
• Sandbox analysis
• Client reputation analysis
www.cyberthreatalliance.org
@Fortinet
www.fortinet.com
@ADNETTech
@ADNETTechnologiesLLC
www.thinkADNET.com