Weaponised Malware & APT Attacks: Protect Against Next-Generation Threats

Jul 15, 2015

Lumension

Speakers:
- Paul Zimski, VP, Solution Marketing, Lumension
- Dean Barnes, Principal Security Manager, Threat Management, Royal Mail

Poll #1

State Sponsored Malware is Officially Out of the Shadows
Google begins alerting Gmail users to 'state-sponsored' attacks:

"Warning: We believe state-sponsored attackers may be attempting to compromise your account or computer. Protect yourself now."

HOW did we get to the point where your online email provider specifically warns users of state-sponsored attacks?

FIRST, a little history.

Event Timeline: Stuxnet (2009.06)
- Publicly disclosed 13 months after the first attack against Iran
- Designed to sabotage Iranian nuclear refinement plants
- Attacked Windows systems using an unprecedented four zero-day exploits
- First to include a programmable logic controller (PLC) rootkit
- Has a valid, but abused, digital signature
- Payload targeted only Siemens supervisory control and data acquisition (SCADA) systems

Event Timeline: Duqu (2010.09)
- Considered to be the next-generation Stuxnet
- Believed to have been created by the same authors as Stuxnet
- Exploits zero-day Windows kernel vulnerabilities
- Components are signed with stolen digital keys
- Highly targeted and related to the nuclear program of Iran
- Designed to capture information such as keystrokes and system information
- Central command and control with modular payload delivery; also capable of attacking

Timeline so far: 2009.06 Stuxnet, 2010.09 Duqu

Event Timeline: Flame (2011.05)
- Designed for targeted cyber espionage against Middle Eastern countries
- Spreads to systems over a local network (LAN) or via USB stick
- Creates Bluetooth beacons to steal data from nearby devices
- Most complex malware ever found
- "Collision" attack on the MD5 algorithm to create fraudulent Microsoft digital certificates
- Utilized multiple zero-day exploits

Timeline: 2009.06 Stuxnet, 2010.09 Duqu, 2011.05 Flame

Common APT Characteristics
- Highly targeted and endpoint focused
- Use of both sophisticated and low-tech techniques: USB key delivery; social engineering
- Zero-day vulnerabilities
- Fraudulent certificates
- Centralized command and control
- Undetected for prolonged periods
- Exfiltration masking

Weaponized - What's Different? (Nation-States)
- Development: Truly customized payloads
- Delivery: Zero-day propagation; multi-vectored (Bluetooth, USB, network)
- Detection: Digitally signed with compromised certificates; outbound exfiltration masking
- Command & Control: Central command; modular payloads
- Intent: Surveillance; disrupt / destroy

WHY should the enterprise care?

Why Should the Enterprise Care? Retaliation Risk
- US admits Stuxnet: expect increasing retaliation risk against sensitive economic and infrastructure assets

Why Should the Enterprise Care? Collateral Damage
- Loss of control of weaponized malware (once weaponized malware is released, control is effectively lost)
- Being exposed to accidentally spreading malware (Stuxnet was discovered after it escaped its targeted environment and started spreading)

Why Should the Enterprise Care? Adaptation by Cyber Criminals
- Targeted attacks on sensitive information
- Variants of Stuxnet already seen

What Should The Enterprise Do? Know Where the Risk Is
- Every endpoint is an enterprise of ONE.
- Need to have autonomous protection.
- Need to have a layered approach.

Poll #2

Defense in Depth Strategy
Successful risk mitigation starts with a solid vulnerability management foundation, together with layered defenses beyond traditional black-list approaches.
- Patch and Configuration Management: Control the Vulnerability Landscape
- Application Control: Control the Grey
- Device Control: Control the Flow
- AV: Control the Known
- Hard Drive and Media Encryption: Control the Data

Effectiveness of AV? (AV: Control the Known)
Pros:
- Stops background-noise malware
- May detect reused code (low probability)
- Will eventually clean payloads after they are discovered
Cons:
- Not an effective line of defense for proactive detection
- Can degrade overall endpoint performance with little return on protection

Device Control Effectiveness (Device Control: Control the Flow)
Pros:
- Can prevent unauthorized devices from delivering payloads
- Can stop specific file types from being copied to host machines
- Stops a common delivery vector for evading extensive physical and technological security controls
Cons:
- Limited scope for payload delivery interruption

Encryption Effectiveness? (Hard Drive and Media Encryption: Control the Data)
Pros:
- Makes lateral data acquisition more difficult
- A good data protection layer outside of APT
Cons:
- Generally will not protect data if the endpoint is compromised at a system level

Application Control Effectiveness (Application Control: Control the Grey)
Pros:
- Extremely effective against zero-day attacks
- Stops unknown, targeted malware payloads
- Low performance impact on endpoints
Cons:
- Susceptible to compromise as policy flexibility is increased
- Does not stop memory injections (attacks that do not escape service memory)

Patch and Configuration Basics (Patch and Configuration Management: Control the Vulnerability Landscape)
Pros:
- Eliminates the attackable surface area that hackers can target
- Central configuration of native desktop firewalls
- Improves endpoint performance and stability
- Can enable native memory injection protection
Cons:
- Does not stop zero-day vulnerabilities

Defense in Depth Strategy (recap)
Successful risk mitigation starts with a solid vulnerability management foundation, together with layered defenses beyond traditional black-list approaches: Patch and Configuration Management (Control the Vulnerability Landscape), Application Control (Control the Grey), Device Control (Control the Flow), AV (Control the Known), Hard Drive and Media Encryption (Control the Data).
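As an added illustration of the Device Control layer described above (example code written for this summary, not the Lumension product or the deck's own material), the check below refuses copies from removable devices that are not on an allow-list and refuses executable content regardless of the file name, since the slide's "specific file types" control is only as good as the way a type is recognised. The device serials, magic-byte signatures and sample copy requests are all assumed or constructed for illustration.

```python
# Added example, not code from the Lumension deck: a minimal device-control
# decision for files copied from removable media. It enforces the two controls
# the Device Control slide lists: only authorised devices may deliver files, and
# specific file types are refused. Serials, signatures and samples are constructed.
from dataclasses import dataclass

# Authorised removable devices, keyed by serial number (constructed values).
ALLOWED_DEVICE_SERIALS = {"0123456789AB"}

# File types are recognised from their leading bytes rather than the file
# extension: renaming payload.exe to notes.txt would defeat an extension filter.
MAGIC_SIGNATURES = [
    (b"MZ", "pe-executable"),          # Windows EXE/DLL/SCR
    (b"\x7fELF", "elf-executable"),
    (b"PK\x03\x04", "zip-container"),  # ZIP, also Office OOXML and JAR
    (b"%PDF", "pdf"),
]
# Types that may never be copied from removable media onto a host.
BLOCKED_TYPES = {"pe-executable", "elf-executable"}

@dataclass(frozen=True)
class CopyRequest:
    device_serial: str
    filename: str
    head: bytes  # first bytes of the file as read from the device

def detect_type(head: bytes) -> str:
    """Classify a file by its magic bytes; unknown content is reported as such."""
    for signature, name in MAGIC_SIGNATURES:
        if head.startswith(signature):
            return name
    return "unknown"

def decide(req: CopyRequest) -> tuple[str, str]:
    """Return ("allow" | "block", reason) for one copy from removable media."""
    if req.device_serial not in ALLOWED_DEVICE_SERIALS:
        return "block", "device not authorised"
    ftype = detect_type(req.head)
    if ftype in BLOCKED_TYPES:
        return "block", f"{ftype} content not allowed ({req.filename})"
    return "allow", ftype

if __name__ == "__main__":
    # Constructed samples: an unknown stick, a renamed executable, and a PDF.
    samples = [
        CopyRequest("FFFFFFFFFFFF", "report.pdf", b"%PDF-1.7\n"),
        CopyRequest("0123456789AB", "notes.txt", b"MZ\x90\x00\x03"),
        CopyRequest("0123456789AB", "report.pdf", b"%PDF-1.7\n"),
    ]
    for s in samples:
        print(s.device_serial, s.filename, decide(s))
```

The renamed executable case is the one worth noting: the slide's "limited scope" caveat still applies, because a payload inside an unrecognised container or delivered over Bluetooth or the network is outside what this check sees.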

Employee Education
Often the first and last line of defense.
lumension.com/how-to-stay-safe-online

Summary - Defense in Depth Endpoint Strategy
- Patch & Configuration Management: Reduce attackable surface area
- Application Control: Stop un-trusted change
- Device Control: Enable secure device use
- AntiVirus: Disinfect generic malware
- Hard Drive & Media Encryption: Protect stored data
Threats addressed: Drive-by malware, APT, insider risk, automated attacks, USB threat vectors, data loss, zero day

Learn More
- Quantify Your IT Risk with Free Scanners
- Watch the On-Demand Demos
- Get a Free Trial
