
TRANSCRIPT

Page 1: Issa jason dablow

Jason Dablow, Sr. Sales Engineer

What is a Breach? … Exploited Weaknesses of Traditional Security

6/20/2015 | Confidential | Copyright 2013 Trend Micro Inc. / Copyright 2014 Trend Micro Inc.

Page 2: Issa jason dablow

(Figure: the threat landscape. Categories shown: Advanced Malware, Targeted Attacks, Employee Data Leaks, Traditional Malware, Vulnerability Exploits.)

220K new malware programs daily!

Page 3: Issa jason dablow

Who's committing Attacks & Why

• 90% perpetrated by outsiders
• 10% committed by insiders

Motivating factors:

• 73% Financial
• 22% Espionage
• 5% Ideology/Fun

Source: http://www.verizonenterprise.com/DBIR/

Page 4: Issa jason dablow

Crime Syndicate (Simplified)

(Figure: roles shown are Victim, The Boss, Mercenary, Attackers, Data Fencing, The Captain, Garant, Bullet Proof Hoster.)

Page 5: Issa jason dablow

Crime Syndicate (Detailed)

(Figure: the underground economy as a chain of paid services. Roles shown: Victim, Blackhat SEO, Attacker, Keywords, Botherder, Compromised Sites (Hacker), Programmer, Cryptor, Virtest, Worm, Exploit Kit, Bot Reseller, Traffic Direction System, Garant, SQL Injection Kit, Carder, Money Mule, Droppers, Card Creator, Bullet Proof Hoster. Prices attached to roles in the diagram: Botherder $2, Bot Reseller $1, Traffic Direction System $5, Garant $10, Carder $4, Droppers $1, Card Creator $2; the other price labels in the diagram range from $1 to $10.)

Page 6: Issa jason dablow

Attack Stages

1. Intelligence Gathering: Identify & research target individuals using public sources (LinkedIn, Facebook, etc.) and prepare a customized attack.

2. Point of Entry: The initial compromise is typically malware delivered via social engineering (email/IM or drive-by download). A backdoor is created and the network can now be infiltrated.

3. Command & Control (C&C) Communication: Allows the attacker to instruct and control the compromised machines and malware used for all subsequent phases.

4. Lateral Movement: Once inside the network, the attacker compromises additional machines to harvest credentials, escalate privilege levels and maintain persistent control.

5. Asset/Data Discovery: Several techniques and tools are used to identify the noteworthy servers and the services that house the data of interest.

6. Data Exfiltration: Once sensitive information is gathered, the data is funneled to an internal staging server where it is chunked, compressed and often encrypted for transmission to external locations.

Page 7: Issa jason dablow

Stage 1 - Intelligence Gathering

Acquire strategic information about the target's IT environment and organizational structure.

"res://" protocol (Internet Explorer's resource URI scheme: a web page the target visits can reference res:// URIs of local executables and, from which ones load, learn which applications and security products are installed on the visitor's machine)

Page 8: Issa jason dablow

Data at Risk

• Corporate / Financial: board meeting records, legal proceedings, strategic plans, contracts, purchase agreements, pre-earnings announcements, executive salaries, M&A plans and pending patent filings.

• Manufacturing: intellectual property and manufacturing methods.

• Retail: financial records & transactions, and customer profiles that are monetized through identity theft.

• Internal Organization: employee records and health claims, used for identity and insurance fraud.

Page 9: Issa jason dablow

Stage 2 - Point of Entry

Gain entry into a target network using weaknesses found.

(Figure: Weaponized Attachment, Malicious URLs)

Attack weaknesses found in:

• Infrastructure
• Systems
• Applications
• People
• 3rd Party Organizations

Page 10: Issa jason dablow

Infection Options

• Island Hopping: reach the target through its customers and trusted partners (the attackers compromise the weaker third party first).
• Cloning websites of conferences victims will attend: craft an email for registration and point it at a fake registration page (repeatable).
• Watering Hole Attacks

Page 11: Issa jason dablow

Spearphishing

Page 12: Issa jason dablow

Arrival Vectors in APT - Email

Page 13: Issa jason dablow

Attackers Try Everything

(Figure: three campaign families and the evasion each one illustrates.)

• Poison Ivy: C&C over multiple ports (HTTPS, HTTP, IMAP, POP3, SMTP, DNS, POP3S, HTTP_ALT). Monitoring a few ports is not sufficient.
• Evilgrab: C&C over many apps & protocols. Monitoring a few apps & protocols is not sufficient.
• IXESHE: morphing, with changes in C&C, IP addresses, signatures & behavior. It's extremely difficult to track the attack.

Page 14: Issa jason dablow

Evade detection with customized malware

(Figure: attacker → malicious C&C websites → the victimized business, reaching its Windows endpoints and Unix/Linux server farm through Ahnlab's update servers; the payloads wipe out files and destroy the MBR.)

A total of 76 tailor-made malware were used, of which 9 were destructive, while the other 67 were used for penetration and monitoring.

Page 15: Issa jason dablow

Code for Sale

Ultra Hackers Tools for sale

Price is 0.0797 BTC (bitcoin) = $25

Virus Builders

1. Nathan's Image Worm

2. Dr. VBS Virus Maker

3. p0ke's WormGen v2.0

4. Vbswg 2 Beta

5. Virus-O-Matic Virus Maker

Scanners

1. DD7 Port Scanner

2. SuperScan 4.0

3. Trojan Hunter v1.5

4. ProPort v2.2

5. Bitching Threads v3.1

DoSers, DDoSers, Flooders and Nukers

1. rDoS

2. zDoS

3. Site Hog v1

4. Panther Mode 2

5. Final Fortune 2.4

Fake Programs

1. PayPal Money Hack

2. Windows 7 Serial Generator

3. COD MW2 Keygen

4. COD MW2 Key Generator

5. DDoSeR 3.6

Cracking Tools

1. VNC Crack

2. Access Driver

3. Attack Toolkit v4.1 & source code included

4. Ares

5. Brutus

Analysis :

· OllyDbg 1.10 & Plugins - Modified by SLV *NEW*

· W32Dasm 8.93 - Patched *NEW*

· PEiD 0.93 + Plugins *NEW*

· RDG Packer Detector v0.5.6 Beta - English *NEW*

Rebuilding :

· ImpRec 1.6 - Fixed by MaRKuS_TH-DJM/SnD *NEW*

· Revirgin 1.5 - Fixed *NEW*

· LordPE De Luxe B *NEW*

LIST OF SOFTWARE INCLUDED IN THIS PACKAGE:

Host Booters

1. MeTuS Delphi 2.8

2. XR Host Booter 2.1

3. Metus 2.0 GB Edition

4. BioZombie v1.5

5. Host Booter and Spammer

Stealers

1. Dark Screen Stealer V2

2. Dark IP Stealer

3. Lab Stealer

4. 1337 Steam Stealer

5. Multi Password Stealer v1.6

Remote Administration Tools/Trojans

1. Cerberus 1.03.4 BETA

2. Turkojan 4 GOLD

3. Beast 2.07

4. Shark v3.0.0

5. Archelaus Beta

Binders:

1. Albertino Binder

2. BlackHole Binder

3. F.B.I. Binder

4. Predator 1.6

5. PureBiND3R by d3will

HEX Editor :

· Biew v5.6.2

· Hiew v7.10 *NEW*

· WinHex v12.5 *NEW*

Decompilers :

· DeDe 3.50.04

· VB Decompiler Lite v0.4 *NEW*

· Flasm

Unpackers :

· ACProtect - ACStripper

· ASPack - ASPackDie

· ASProtect > Stripper 2.07 Final & Stripper 2.11 RC2 *NEW*

· DBPE > UnDBPE

Keygenning : *NEW*

· TMG Ripper Studio 0.02 *NEW*

Packers :

· FSG 2.0

· MEW 11 1.2 SE

· UPX 1.25 & GUI *NEW*

· SLVc0deProtector 0.61 *NEW*

· ARM Protector v0.3 *NEW*

· WinUpack v0.31 Beta *NEW*

Patchers :

· dUP 2 *NEW*

· CodeFusion 3.0

· Universal Patcher Pro v2.0

· Universal Patcher v1.7 *NEW*

· Universal Loader Creator v1.2 *NEW*

Crypters

1. Carb0n Crypter v1.8

2. Fly Crypter v2.2

3. JCrypter

4. Triloko Crypter

5. Halloween Crypter

6. Deh Crypter

7. Hatrex Crypter

8. Octrix Crypter

9. NewHacks Crypter

10. Refruncy Crypter

100’s of Items

Page 16: Issa jason dablow

Today’s Reality – One & Done!

(Figure) 99% of malware infect < 10 victims; 80% of malware infect = 1 victim.

Page 17: Issa jason dablow

Stage 3 - Command & Control Communications

Ensure continued communication between the compromised target and the attackers.

Common Traits

• Uses typical protocols (HTTP)
• Uses legitimate sites as C&C
• Uses internal systems as C&C
• Uses 3rd party apps as C&C
• May use compromised internal systems

Advantages

• Maintains persistence
• Avoids detection

(Figure: Threat Actor ↔ C&C Server)

Page 18: Issa jason dablow

Trend Micro C&C Research

54% of C&C lifespans are < 1 day, so a blocklist built from yesterday's sightings misses most of today's C&C infrastructure.

Page 19: Issa jason dablow

Stage 4 - Lateral Movement

Seek valuable hosts that house sensitive information.

Pass the Hash (reusing a captured NTLM password hash to authenticate to other hosts without ever knowing the password)
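The detection side of the pass-the-hash technique this stage names, as an added example that is not from the deck: two heuristics over Windows Security event 4624 (successful logon) data. On the attacker's host, an injected-hash session shows up as a logon type 9 (NewCredentials) with logon process "seclogo"; on the targets, the reused hash shows up as NTLM network logons (type 3) by one account from one source to several hosts in a short window. The sample events are constructed, and the flat field names are a simplification of the event XML (an assumption of this example).

```python
"""Hunting pass-the-hash in Windows 4624 logon events (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security log 4624 events, reduced to the fields the
# heuristics need. Field names are a simplification of the event XML.
SAMPLE_EVENTS = [
    # Benign Kerberos network logon from a user workstation.
    {"time": "2015-06-20T09:00:00", "logon_type": 3, "auth_pkg": "Kerberos",
     "logon_process": "Kerberos", "account": "jdoe", "src_ip": "10.0.0.12", "host": "FS01"},
    # Source-host indicator: injected-hash session (logon type 9, logon process seclogo).
    {"time": "2015-06-20T09:14:00", "logon_type": 9, "auth_pkg": "Negotiate",
     "logon_process": "seclogo", "account": "svc_backup", "src_ip": "127.0.0.1", "host": "WS-25"},
    # Target-host indicators: NTLM network logons by the same account to several
    # servers from one source within minutes.
    {"time": "2015-06-20T09:15:10", "logon_type": 3, "auth_pkg": "NTLM",
     "logon_process": "NtLmSsp", "account": "svc_backup", "src_ip": "10.0.0.25", "host": "FS01"},
    {"time": "2015-06-20T09:16:40", "logon_type": 3, "auth_pkg": "NTLM",
     "logon_process": "NtLmSsp", "account": "svc_backup", "src_ip": "10.0.0.25", "host": "HR-DB"},
    {"time": "2015-06-20T09:18:05", "logon_type": 3, "auth_pkg": "NTLM",
     "logon_process": "NtLmSsp", "account": "svc_backup", "src_ip": "10.0.0.25", "host": "DC01"},
    # A single NTLM logon from an IP-addressed share mapping: normal noise, must not fire.
    {"time": "2015-06-20T11:00:00", "logon_type": 3, "auth_pkg": "NTLM",
     "logon_process": "NtLmSsp", "account": "jdoe", "src_ip": "10.0.0.12", "host": "PRINT01"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["time"])


def local_pth_indicators(events):
    """Logon type 9 with logon process seclogo is what an injected-hash logon looks
    like on the attacker's own host (a runas /netonly-style session with foreign
    credentials). Legitimate admins produce it too, so it is a lead, not a verdict."""
    return [ev for ev in events
            if ev["logon_type"] == 9 and ev["logon_process"].lower() == "seclogo"]


def ntlm_fanout(events, window=timedelta(minutes=10), min_targets=3):
    """Group NTLM network logons by (source IP, account) and report pairs that reach
    min_targets distinct hosts inside a sliding window. Domain accounts normally
    authenticate with Kerberos; NTLM fan-out from one source is the footprint of a
    reused hash moving laterally."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == 3 and ev["auth_pkg"].upper() == "NTLM":
            by_key[(ev["src_ip"], ev["account"].lower())].append(ev)
    findings = {}
    for key, evs in by_key.items():
        evs.sort(key=_ts)
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if _ts(e) - _ts(start) <= window]
            targets = sorted({e["host"] for e in in_window})
            if len(targets) >= min_targets:
                findings[key] = targets
                break
    return findings


def hunt(events):
    """Combine both heuristics into a list of (kind, where, account, targets). An
    account that appears in both (type-9 logon on one host, NTLM fan-out from that
    host's address) is the strongest signal."""
    out = []
    for ev in local_pth_indicators(events):
        out.append(("local_injected_logon", ev["host"], ev["account"], []))
    for (src_ip, account), targets in ntlm_fanout(events).items():
        out.append(("ntlm_fanout", src_ip, account, targets))
    return out


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Baseline before alerting on either heuristic: NTLM type-3 logons are also produced by IP-addressed share access and by non-domain-joined devices, and type-9 seclogo logons by ordinary runas /netonly use, so the window and target threshold should be tuned against a week of your own 4624 volume.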

Page 20: Issa jason dablow


Page 21: Issa jason dablow


Page 22: Issa jason dablow


Page 23: Issa jason dablow

Stage 5 - Data Discovery

Noteworthy assets are identified within the infrastructure, then isolated for future data exfiltration.

Email servers are identified so attackers can read important email in order to discover valuable information.

File lists in different directories are sent back so attackers can identify what is valuable.

Page 24: Issa jason dablow

Data at Risk

Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

(Figure: data types taken in major breaches: Credit Cards, Birth & Phone records, Customer PII, User Credentials; PII leads to fraud; Movies, Ransoms, Terrorism.)

Page 25: Issa jason dablow

Social Media Accounts


Page 26: Issa jason dablow

Stage 6 - Exfiltration

Transmit data to a location that the threat actors control.

Common Traits

• Built-in file transfer (RATs)

• FTP, HTTP

• Tor network/Encryption

• Public File Sharing sites


Page 27: Issa jason dablow

Maintenance Stage (Anti-Forensics)

Maintain persistence within the network for future attacks, and remove the traces of the intrusion that would let defenders reconstruct it.

Page 28: Issa jason dablow

Source: http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/

Page 29: Issa jason dablow

Build a Security Ecosystem

• Timely Global Threat Intelligence
• Essential Technologies – Combat Current Threat Techniques
• Integrated Product Strategy – Automated Protection

Page 30: Issa jason dablow

Timely Global Threat Intelligence

150 Million+ Worldwide Sensors

(Figure: sources feeding the reputation services: Web Crawler, Trend Micro Solutions, Test Labs, 3rd Party Feeds, Honeypot, CDN / xSP, Researcher Intelligence.)

Block malicious URL within 15 minutes once it goes online!

Page 31: Issa jason dablow

Data Science is Multidisciplinary

http://eduardoarea.blogspot.tw/2012/11/el-camino-de-un-data-scientist.html

Page 32: Issa jason dablow

Essential Technologies

The challenges uncovered during the stages of a targeted attack demonstrate the need for sophisticated technologies and services to secure the enterprise.

Page 33: Issa jason dablow

Essential Technologies: Community File Reputation

• Determines the prevalence and maturity of PE files
• Prevalence is a statistical concept: the number of sensors that have reported seeing a file up to a given time; maturity is how long ago it was first seen
• If a file has not triggered any detections, we still become suspicious of that file if we have only seen it once or a few times
• Today over 80% of the malware is only seen once
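The prevalence-and-maturity idea on this slide (and the "One & Done" statistic earlier) reduced to working logic, as an added example that is not Trend Micro's code: sightings are summarised per hash into distinct-sensor count and first-seen age, and a file that no signature flagged is still rated suspicious when it is both new and rare. The telemetry, thresholds and the detection name are constructed.

```python
"""Prevalence and maturity scoring of file sightings (constructed telemetry)."""
from datetime import datetime, timedelta

NOW = datetime(2015, 6, 20, 12, 0, 0)   # fixed "now" so the example is deterministic


def build_sightings(now=NOW):
    """Constructed sensor telemetry: (seen_at, sha256, sensor_id, detection_name)."""
    s = []
    for i in range(500):   # widely deployed file: 500 sensors over the last 60 days
        s.append((now - timedelta(days=60) + timedelta(hours=i), "1" * 64, f"s{i:04d}", None))
    s.append((now - timedelta(hours=2), "2" * 64, "s0042", None))        # brand new, one sensor
    s.append((now - timedelta(days=120), "3" * 64, "s0007", None))       # rare but old
    s.append((now - timedelta(days=3), "3" * 64, "s0007", None))         # same sensor again
    s.append((now - timedelta(days=1), "4" * 64, "s0100", "Constructed.Detection"))  # signature hit
    return s


def summarize(sightings):
    """Per-hash stats: distinct sensors (prevalence), first/last seen, detections."""
    stats = {}
    for seen_at, sha, sensor, detection in sightings:
        st = stats.setdefault(sha, {"sensors": set(), "first": seen_at,
                                    "last": seen_at, "detections": set()})
        st["sensors"].add(sensor)           # count sensors, not raw sightings: one noisy
        st["first"] = min(st["first"], seen_at)   # host re-reporting a file is not prevalence
        st["last"] = max(st["last"], seen_at)
        if detection:
            st["detections"].add(detection)
    return stats


def verdict(st, now=NOW, rare_sensors=5, young_days=7):
    """known-bad / suspicious / rare-mature / prevalent. 'suspicious' is the one the
    slide is about: nothing detected it, but it is both new and rarely seen."""
    prevalence = len(st["sensors"])
    age_days = (now - st["first"]).days
    if st["detections"]:
        return "known-bad"
    if prevalence < rare_sensors and age_days < young_days:
        return "suspicious"        # candidate for sandboxing or quarantine
    if prevalence < rare_sensors:
        return "rare-mature"       # e.g. an internal tool: rare, but has been around
    return "prevalent"


def score_all(sightings, now=NOW):
    return {sha: verdict(st, now) for sha, st in summarize(sightings).items()}


if __name__ == "__main__":
    for sha, v in score_all(build_sightings()).items():
        print(sha[:8], v)
```

Low prevalence on its own is also what a freshly built internal tool or a niche vendor update looks like, which is why the verdict is "suspicious" (route to sandbox or hold execution) rather than "block"; the "rare-mature" bucket exists so that such files stop generating alerts once they have aged without incident.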

Page 34: Issa jason dablow

Essential Technologies: Social Engineering Attack Protection


Page 35: Issa jason dablow

Essential Technologies: Advanced Threat Scan Engine (ATSE)

How does ATSE determine a document is bad?

(Figure: a document whose bytes look like noise until the malicious payload inside it is found: "Gotcha!!")

• Uses heuristic scanning and employs a rule-based system
– Analyses the document for malicious/uncommon characteristics: payloads, malformed structures, obfuscation, name tricks, etc.
– Uses both CVE rules & heuristic rules
• Zero-day exploits are malware taking advantage of unpatched vulnerabilities, but with similar exploitation techniques
• Therefore the engine looks for the "characteristics" of an exploit rather than for one known sample
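A rule-based document scorer in the spirit of what this slide describes, as an added example that is not ATSE or any Trend Micro code: each rule tests one structural or content characteristic (an embedded OLE object in RTF, a VBA project stream, an embedded PE stub, a long hex blob of the kind RTF exploits carry shellcode in, a NOP sled, filename tricks, a header that does not match the extension), and the weighted sum decides. Weights, thresholds and the sample documents are constructed.

```python
"""Rule-based heuristic scan of document bytes (constructed rules and samples)."""
import re

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"        # CFB/OLE2 container (.doc/.xls)
VBA_DIR_ENTRY = "_VBA_PROJECT".encode("utf-16-le")     # OLE directory names are UTF-16LE
HEX_BLOB = re.compile(rb"(?:[0-9a-fA-F]{2}){256,}")    # >= 512 hex characters in one run
DOUBLE_EXT = re.compile(r"\.(doc|docx|pdf|xls|ppt|txt|jpg)\.(exe|scr|com|pif|bat|js|vbs)$", re.I)


def is_rtf(data):
    return data.lstrip().startswith(b"{\\rtf")


# Each rule: (name, weight, predicate(data, filename) -> bool)
RULES = [
    ("rtf_embedded_object", 4, lambda d, n: is_rtf(d) and (b"\\objdata" in d or b"\\objupdate" in d)),
    ("ole_vba_project",     3, lambda d, n: d.startswith(OLE_MAGIC) and VBA_DIR_ENTRY in d),
    ("embedded_pe_stub",    5, lambda d, n: b"This program cannot be run in DOS mode" in d and b"MZ" in d),
    ("long_hex_blob",       3, lambda d, n: HEX_BLOB.search(d) is not None),
    ("nop_sled",            4, lambda d, n: b"\x90" * 32 in d),
    ("double_extension",    4, lambda d, n: DOUBLE_EXT.search(n) is not None),
    ("rtlo_in_name",        5, lambda d, n: "\u202e" in n),   # right-to-left override
    ("extension_mismatch",  2, lambda d, n: n.lower().endswith((".doc", ".rtf"))
                                            and not (is_rtf(d) or d.startswith(OLE_MAGIC))),
]


def scan(data, filename, threshold=6):
    """Score every matching rule; no single rule is a signature for one exploit."""
    hits = [(name, weight) for name, weight, pred in RULES if pred(data, filename)]
    score = sum(weight for _, weight in hits)
    verdict = "malicious" if score >= threshold else ("suspicious" if hits else "clean")
    return {"filename": filename, "score": score, "hits": [n for n, _ in hits], "verdict": verdict}


# Constructed samples (not real malware).
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 {\\fonttbl{\\f0 Arial;}} Quarterly report attached.\\par }"
MALICIOUS_RTF = (b"{\\rtf1\\ansi {\\object\\objemb\\objupdate{\\*\\objdata "
                 + b"41" * 300 + b"4d5a90000300" + b"}}\\par }")
TROJAN_NAME = "invoice\u202efdp.exe"      # RTLO makes this render as "invoiceexe.pdf"
TROJAN_BYTES = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode"


if __name__ == "__main__":
    for data, name in [(BENIGN_RTF, "report.rtf"), (MALICIOUS_RTF, "report.rtf"),
                       (TROJAN_BYTES, TROJAN_NAME), (b"plain text", "notes.doc")]:
        print(scan(data, name))
```

The point of the weighting is the one the slide makes about zero-days: none of these rules knows a CVE number, yet an RTF that embeds an updating OLE object and carries a few hundred bytes of hex is scored as malicious regardless of which parser bug the payload targets. Real engines parse the container properly instead of substring-matching it; this version trades that for readability.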

Page 36: Issa jason dablow

Essential Technologies: Memory Inspection Analysis

• Protects against most packers and variation tools, which obfuscate the file on disk but not once it is unpacked in memory

(Figure: Execute → Unpack → scan the unpacked image; resulting log entries carry the prefix "RAV_".)

Page 37: Issa jason dablow


Essential Technologies: Behavioral Trigger Analysis

Cryptoware Protection

Page 38: Issa jason dablow

Essential Technologies: URL Time Of Click

• It is important to evaluate URLs not only when they are first received but also when they are accessed, in order to defend against URLs whose content or reputation changes after the message was delivered.

(Figure: mail flow through Hosted Email Security / InterScan Messaging Security at the mail gateway, to the mail server and on to endpoints and mobile workers inside and outside the customer's network perimeter, with the web gateway and the Trend datacenter. Steps shown: the URL has no reputation at delivery → rewrite the URL to point to the Trend cloud → check URL reputation in real time when clicked → "No Risk" (allow) or "Risk!" (block).)
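The rewrite-at-delivery, rate-at-click flow from the figure, as an added example that is not Trend Micro code. The gateway replaces every link with a signed redirect through a click-check service; the service verifies the signature (so nobody can mint links that bounce through it, and a link cannot be replayed to another recipient) and only then rates the destination against the reputation data as it stands at click time. safelinks.example, the signing key and the in-memory reputation table are constructed stand-ins for the real service.

```python
"""Time-of-click URL protection: signed link rewriting plus click-time rating."""
import base64
import hashlib
import hmac
import re
import time
from urllib.parse import parse_qs, urlencode, urlparse

SIGNING_KEY = b"constructed-gateway-key"            # would live in the gateway's key store
CLICK_SERVICE = "https://safelinks.example/click"   # hypothetical click-check endpoint
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(url, ts, recipient):
    # Bind the original URL, the rewrite time and the recipient together so that a
    # link cannot be forged, altered, or replayed to another mailbox.
    msg = f"{url}|{ts}|{recipient}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def rewrite_url(url, recipient, ts=None):
    ts = int(ts if ts is not None else time.time())
    query = urlencode({"u": _b64(url.encode()), "t": ts, "r": recipient,
                       "s": _sign(url, ts, recipient)})
    return f"{CLICK_SERVICE}?{query}"


def rewrite_message(body, recipient, ts=None):
    """Gateway side, at delivery: every http(s) link is replaced whether or not it
    has a reputation yet. Deferring the decision is the whole point."""
    return URL_RE.sub(lambda m: rewrite_url(m.group(0), recipient, ts), body)


def resolve_click(click_url, reputation, now=None, max_age=90 * 24 * 3600):
    """Click-service side: verify the signature, then rate the destination *now*.
    Returns (decision, original_url); decision is allow, block, reject or expired."""
    qs = parse_qs(urlparse(click_url).query)
    try:
        url = _unb64(qs["u"][0]).decode()
        ts, recipient, sig = int(qs["t"][0]), qs["r"][0], qs["s"][0]
    except (KeyError, ValueError):
        return ("reject", None)
    if not hmac.compare_digest(sig, _sign(url, ts, recipient)):
        return ("reject", None)
    if (now if now is not None else time.time()) - ts > max_age:
        return ("expired", url)
    host = (urlparse(url).hostname or "").lower()
    return ("block" if reputation.get(host) == "malicious" else "allow", url)


if __name__ == "__main__":
    body = "Register here: http://promo.example.net/reg before Friday"
    rewritten = rewrite_message(body, "alice@example.com")
    link = URL_RE.search(rewritten).group(0)
    print(resolve_click(link, {}))                                   # allow: unrated
    print(resolve_click(link, {"promo.example.net": "malicious"}))  # block: rated later
```

Two details matter in practice: the comparison uses hmac.compare_digest so the signature check is constant-time, and the redirect carries an issue timestamp so old rewritten links eventually stop working rather than serving as permanent open redirectors through the click service.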

Page 39: Issa jason dablow

Essential Technologies: Patching and Intrusion Prevention

• Exploits can be used at any stage of an attack to reach its goal.
• Typical patching cycle in an enterprise:

Risk:

• Window of opportunity for the attacker: 1 month, often 2 months
• Potentially "high risk" periods of 1-2 months (public exploit, patch not yet available, or patch not yet installed)

Virtual Patching (intrusion prevention rules that block the exploit traffic for a known vulnerability, shielding the system during the window before the real patch is installed)

Page 40: Issa jason dablow

Essential Technologies: Security Automation (Deep Security)

• In this day and age, where new workloads get instantiated at a high rate, security automation is a "must have"
• Operations and security teams can focus on their core responsibilities
• Without touching the machine, any new VM gets the right protection
• Inventory and ensure protection throughout your environment

Page 41: Issa jason dablow

Essential Technologies: Virtual Analyzer/Sandboxing

• A virtual environment used to analyze potential malware samples
• It allows for the observation of file as well as network behavior in order to identify malware via potentially malicious characteristics
• Trend solutions use custom sandboxes based on the customer's environment
– Targeted malware validates that it is on the right environment before infecting the machine, whether it is targeted against one company, one geography or one sector, so a generic sandbox image may never see the payload run
• Samples can be submitted by Trend products, via APIs or manually (depending on the implementation)

Page 42: Issa jason dablow

Interconnected Product Strategy – Automated Protection

The Interconnected Threat Response Cycle is the key to providing real-time response from just-discovered threat information from your own environment.

Page 43: Issa jason dablow

The Interconnected Threat Response (ITR) Cycle (Midsize & Enterprise Business)

• PREVENT: Assess potential vulnerabilities and proactively protect endpoints, servers and applications
• DETECT: Detect advanced malware, behavior and communications invisible to standard defenses
• ANALYZE: Analyze risk and nature of attack and attacker, and assess impact of threats retrospectively
• RESPOND: Update protection automatically, prioritize areas for remediation and adapt protection
• MONITOR & CONTROL

Page 44: Issa jason dablow

ITR Use Cases - Prevent: System Lockdown (Application Control)

• Hardens the system by not allowing any new applications to execute
• Can be used in conjunction with other application control features to have a flexible, layered policy for each user
• Example:
– Lock down the system
– Block all browsers, P2P and online storage apps
– Allow OS updates, IE, Office, Adobe and SafeSync

Page 45: Issa jason dablow

ITR Use Cases - Prevent: Data Discovery and Encryption

(Figure: DLP data discovery architecture. Components shown: TMCM (Control Manager) with Data Discovery Policy, Data Discovery Widgets, Data Discovery Log Query and Data Discovery Reports over a database, and WCU; OSCE Server with the OfcCMAgent and OSCE proxy, exchanging Scan Configuration and Scan Report; OSCE Client with the DLP Data Discovery module: SQLite DB, DLP SDK Interface, Scan Policy & Command, Scan Engine, Match Engine, Policy Engine, Scan Result Cache, Log Processor.)

Page 46: Issa jason dablow

The Interconnected Threat Response (ITR) Cycle (diagram repeated from Page 43)

Page 47: Issa jason dablow

ITR Use Cases – Detect

(Figure: detection sources feeding the cycle: OfficeScan, USB Sensor, Deep Discovery Analyzer, IWSVA, ScanMail for MS Exchange, ScanMail for Domino, IMSVA, Deep Discovery Inspector.)

Page 48: Issa jason dablow

ITR Use Cases - Detect: C&C alerting via local intelligence (Custom Defense)

(Figure: Deep Discovery Analyzer feeds a local Smart Protection Network (SPN) server; OfficeScan, InterScan Messaging Security, Deep Security and InterScan Web Security, as SPN-enabled Trend products, query it.)

1. C&C list shared with local SPN
2. SPN-enabled products will obtain the latest C&C list

Page 49: Issa jason dablow

ITR Use Cases - Detect: Suspicious Object sharing via local intelligence

(Figure: Deep Discovery Inspector and Endpoint Sensor produce the list; Control Manager distributes it to OfficeScan, InterScan Messaging Security, InterScan Web Security and ScanMail.)

1. Suspicious object list
2. Suspicious objects list shared

Suspicious object types: IP, URL, Domain, File hashes, OpenIOC information
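What a product does with a shared list like the one on this slide and the C&C list on the previous one, as an added example that is not Trend Micro code: the indicators are normalised once (casing, trailing dots, URL scheme), a domain indicator is made to cover its subdomains, and the list is then swept across web-proxy lines and endpoint file events. The list, the proxy line format and the file events are constructed.

```python
"""Matching a shared suspicious-object list against local telemetry (constructed data)."""
from urllib.parse import urlparse

# Constructed suspicious-object list as (type, value, action). The inconsistent
# casing and the trailing dot are deliberate: exports and logs both contain them.
SUSPICIOUS_OBJECTS = [
    ("ip", "203.0.113.7", "block"),
    ("domain", "Update-Check.example.org.", "block"),
    ("url", "HTTP://cdn.example.com/static/Loader.php?x=1", "log"),
    ("sha1", "0123456789ABCDEF0123456789ABCDEF01234567", "block"),
]


def norm_domain(name):
    return name.strip().lower().rstrip(".")


def norm_url(url):
    p = urlparse(url.strip())
    return (p.scheme.lower(), norm_domain(p.hostname or ""), p.path or "/", p.query)


class SuspiciousObjects:
    def __init__(self, entries):
        self.ips, self.domains, self.urls, self.hashes = {}, {}, {}, {}
        for kind, value, action in entries:
            if kind == "ip":
                self.ips[value.strip()] = action
            elif kind == "domain":
                self.domains[norm_domain(value)] = action
            elif kind == "url":
                self.urls[norm_url(value)] = action
            elif kind in ("md5", "sha1", "sha256"):
                self.hashes[value.strip().lower()] = action

    def match_host(self, host):
        host = norm_domain(host)
        if host in self.ips:
            return ("ip", host, self.ips[host])
        labels = host.split(".")
        for i in range(len(labels)):          # a domain indicator covers its subdomains
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return ("domain", candidate, self.domains[candidate])
        return None

    def match_url(self, url):
        key = norm_url(url)
        if key in self.urls:
            return ("url", url, self.urls[key])
        return self.match_host(key[1])        # fall back to host and IP indicators

    def match_hash(self, digest):
        digest = digest.strip().lower()
        return ("hash", digest, self.hashes[digest]) if digest in self.hashes else None


# Constructed telemetry. Proxy line format (assumed): time client method url status
PROXY_LOG = [
    "2015-06-20T10:00:00 10.0.0.25 GET http://www.update-check.example.org/ping 200",
    "2015-06-20T10:01:00 10.0.0.25 POST http://203.0.113.7/gate.php 200",
    "2015-06-20T10:02:00 10.0.0.12 GET http://cdn.example.com/static/Loader.php?x=1 200",
    "2015-06-20T10:03:00 10.0.0.12 GET http://cdn.example.com/static/other.js 200",
]
FILE_EVENTS = [  # (host, path, sha1)
    ("WS-25", "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe",
     "0123456789abcdef0123456789abcdef01234567"),
    ("WS-12", "C:\\Program Files\\Vendor\\app.exe", "f" * 40),
]


def sweep(objects, proxy_lines, file_events):
    """Return (source, indicator_type, indicator, action) for every hit."""
    hits = []
    for line in proxy_lines:
        _, client, _, url, _ = line.split(maxsplit=4)
        m = objects.match_url(url)
        if m:
            hits.append((client, *m))
    for host, _path, digest in file_events:
        m = objects.match_hash(digest)
        if m:
            hits.append((host, *m))
    return hits


if __name__ == "__main__":
    for hit in sweep(SuspiciousObjects(SUSPICIOUS_OBJECTS), PROXY_LOG, FILE_EVENTS):
        print(hit)
```

The action carried with each object ("block" versus "log") is what lets one list drive different products: a gateway enforces the block entries inline, while an endpoint agent may only record the log entries for the analyze step. Note that the subdomain walk means a domain indicator for example.com would match every host under it, so list curation (and an allowlist for shared hosting and CDN domains) matters as much as the matching.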

Page 50: Issa jason dablow

The Interconnected Threat Response (ITR) Cycle (diagram repeated from Page 43)

Page 51: Issa jason dablow

Analyze Impact and Scope (Endpoints)

(Figure: endpoint-to-endpoint spread of the infection, with "From" and "To" hosts.)

Page 52: Issa jason dablow

Visualize the Attack Phases (Network)

Page 53: Issa jason dablow

The Interconnected Threat Response (ITR) Cycle (diagram repeated from Page 43)

Page 54: Issa jason dablow

ITR Use Cases - Respond: Outbreak Prevention via Mutex Sharing

(Figure: Deep Discovery Inspector/Analyzer reports the mutex name the sandboxed sample creates; Control Manager pushes it to OfficeScan and on to the endpoints. Malware commonly creates a named mutex so that it does not infect a host twice; pre-creating that mutex on clean endpoints makes new copies believe they are already running and exit.)

Page 55: Issa jason dablow

ITR Use Cases - Respond: File Hash Based Blocking

(Figure: Deep Discovery Inspector/Analyzer → Control Manager → Application Control / OfficeScan on the endpoints, which block execution of files whose hash is on the suspicious object list.)

Page 56: Issa jason dablow

ITR Use Cases – Respond:

Suspicious objects can feed into 3rd

party products to extend protection:

• Bluecoat

• HP SMS/Tipping Point

• Palo Alto Networks

• IBM XGS

• And Others…


Page 57: Issa jason dablow

ITR Use Cases – Respond: Outbreak Prevention via NSX Security Tagging

• Mechanism: Automatic VM Quarantining
– If Deep Security detects (uncleanable/unblockable) malware (and, in 9.5 SP1, also IPS rule hits)
– Then Deep Security adds an NSX tag to the VM
– VMware NSX adds the VM to a Security Group based on the tag value (dynamic membership)
– This NSX Security Group has firewall settings that isolate the VM to a management network for remediation and to prevent further infections

Page 58: Issa jason dablow

CENTRALIZED VISIBILITY & CONTROL

Page 59: Issa jason dablow

vCloud Air – Security that Fits

Page 60: Issa jason dablow

Thank You!

Page 61: Issa jason dablow

Backup Slides


Page 62: Issa jason dablow

Deep Discovery – Custom Defense: Advanced Threat Protection Across the Attack Sequence

• Malicious Content
• Suspect Communication
• Attack Behavior
• 360 degree view: 80+ protocols across all ports
• Custom Sandboxing – Windows, Android, Mac
• Custom Defense – Gateway, Messaging, Endpoints
• Threat Intelligence across platforms – Windows, Mobile, Mac, Linux
• Security Ecosystem
• SOC in a Box

Page 63: Issa jason dablow

Complete User Protection

(Figure: protection layers (Anti-Malware, Encryption, Application Control, Device Management, Data Loss Prevention, Content Filtering) applied for Employees, IT Admin and Security across Email & Messaging, Web Access, Device Hopping, Collaboration, Cloud Sync & Sharing, Social Networking, and File/Folder & Removable Media.)

Page 64: Issa jason dablow

Cloud and Data Center Security

(Figure: controls (Anti-Malware, Integrity Monitoring, Encryption, SSL, Intrusion Prevention, Application Scanning) spanning Physical, Virtual, Private Cloud and Public Cloud data centers, for Data Center Ops and Security.)

Page 65: Issa jason dablow


Page 66: Issa jason dablow


Page 67: Issa jason dablow

All activity:

• Identified 65M unique cyber security incidents (more than 180K per day on average). Note: We blocked 80B threats targeting our customers.
• Discovered 65M unique malware infections due to ALL activity (almost 180K per day on average)
• Logged over 160 million command-and-control (CnC) communications (more than five every second on average)

APT activity:

• Analyzed 39,504 unique cyber security incidents (more than 100 per day on average)
• Discovered 17,995 unique malware infections due to APT activity (almost 50 per day on average)
• Logged over 22 million command-and-control (CnC) communications (less than one every second on average)

Source: https://www2.fireeye.com/advanced-threat-report-2013.html

Page 70: Issa jason dablow

Why Trend Micro Over McAfee?

• Trend Micro: 480 BILLION queries/month (6B queries/day), 150M nodes
• McAfee: 2.5B queries/day, 120M nodes

Page 71: Issa jason dablow

Broader Coverage

(Figure: customer segments (Consumers, Government Agencies, SMB, Partners & OEM, Ent/VLE) and deployment points (Endpoints, Servers, Virtual Servers, Messaging, Network, SaaS, Gateway).)

Page 72: Issa jason dablow

6 Billion URLs Processed Daily

(Figure: the URL processing pipeline.)

• User Traffic / Sourcing (CDN vendor): 6 billion URLs/day
• Rating Server for Known Threats: 50% filtered; 3 billion/day pass on
• Unknown & Prefilter: 90% filtered; 300 million/day pass on to Page Download
• Page Download and Threat Analysis: 50,000 malicious URLs/day identified (99.95% filtered)

Trend Micro Products / Technology: CDN Cache, High Throughput Web Service, Hadoop Cluster, Web Crawling, Machine Learning, Data Mining (Technology, Process, Operation)

Block malicious URL within 15 minutes once it goes online!

Page 73: Issa jason dablow

Endpoint Security -- Consumer Products

(Figure: "Average time to protect" against new socially engineered malware, charts for 2009, 2010 and 2014, x-axis 0 h to 50 h. Values in chart order, paired with the vendor labels as extracted.)

Vendor | Average time to protect
Trend Micro | 5.2 h
Kaspersky | 38.0 h
Norton | 15.6 h
McAfee | 7.5 h
Norman | 19.6 h
F-Secure | 39.5 h
AVG | 46.1 h
Panda | 31.9 h
ESET | 30.5 h

Page 74: Issa jason dablow

2014 Tests

0-Day Protection 2014: Trend Micro 99.60%, Microsoft 70.53%, Vendor Average 95.52%

Real-World Protection 2014 Averages (Mar-Nov): Trend Micro 99.83%, Microsoft (Baseline) 86.10%, Vendor Average 96.60%

Malicious Apps, average Nov'13 - Nov'14: Trend Micro 99.99%, Vendor Average 96.99%

Opus One Anti-Spam Results Q1'12-Q3'14 (series values in chart order):

Quarter | Trend Micro | Vendor Average
Q1'12 | 98.31% | 93.55%
Q2'12 | 97.20% | 93.67%
Q4'12 | 98.06% | 94.56%
Q1'13 | 97.34% | 94.63%
Q2'13 | 96.64% | 93.68%
Q2'14 | 97.09% | 95.00%
Q3'14 | 97.40% | 95.77%

Page 75: Issa jason dablow

2014 Tests Cont’d


Page 76: Issa jason dablow

2015 Attacks
