The Custom Defense
Gastone Nencini – Senior Technical Manager South Europe
Copyright 2012 Trend Micro Inc.
Evolution of Security
Integrated & Flexible Threat & Data Protection
[Chart: Business Flexibility plotted against Network and Security Evolution / Time, with the milestones Virtualization, Cloud and Mobility leading to Cloud-Era Security]
3/26/2013 Confidential | Copyright 2012 Trend Micro Inc.
Security that Fits: Threat Landscape
[Chart: Evolution to Cybercrime, timeline 2001, 2003, 2004, 2005, 2007, 2012+, with Complexity rising over time. Items shown: Vulnerabilities, Worm Outbreaks, Spam, Mass Mailers, Spyware, Intelligent Botnets, Web Threats, Crimeware, Social Engineering, Single Shot Malware, Data Exfiltration, Targeted Attacks]
December 2010: Cyber attack on Iranian nuclear facilities
January 2011: 21-year-old George Hotz decrypts Sony PS3 root key
February 2011: HBGary hacked by Anonymous, resulting in data leakage
March 2011: Authentication product related information leaked from RSA
April 2011: 77 million customers' data leaked from Sony PSN users
May 2011: 360,000 US Citigroup customers' data leaked
June 2011: Major US defense contractor Lockheed Martin attacked
July 2011: Leakage of personal data of 35 million users of a Korean social network site
August 2011: Japanese defense related firms suffered cyber attacks
September 2011: Japanese National Personnel Authority and Cabinet Office sites temporarily unavailable due to DDoS attacks
October 2011: PCs in the Japanese House of Representatives infected by a virus; possible data leakage
Note: all of these items are extracts from news reports.
Repeated damages caused by Advanced Persistent Attacks
A series of attacks intended to penetrate inside target firms and organizations, using several methods such as emails with a malicious program attached or exploitation of vulnerabilities, in order to steal information or hijack computers that communicate with external parties.
Advanced Persistent Attack
< Examples of principal motives >
・ for fun
・ for justice
・ for money
・ spying
・ agitation
・ terrorism
< 2 typical types of penetration in Advanced Persistent Attack >
1. Exploiting vulnerabilities in public servers to penetrate the target network directly from outside.
2. Using social engineering and other techniques to penetrate the target network by manipulating users inside it.
Repeated damages caused by Advanced Persistent Attacks
Their technique cunningly exploits not only systems but also human weakness as a means to gain access.
Prior to the attack, the attackers confirm that their attack will not be detected by major antivirus solutions.
It is difficult to cope in real time with new threats, which are born every second, using pattern file deployment alone.
Because the attacker knows the target's internal environment when attacking, the attack can be delivered very efficiently.
Because the backdoor carries unauthorized traffic from inside out, it is hard to cope with it using a traditional entry-point (perimeter) solution.
When the traffic is encrypted by the malware, detection by IDS or IPS is difficult.
The Targeted Attack Process

Stage 0: Preparation for attack
As a preparation stage before they conduct attacks, the attackers investigate information about the target organization. For that, they attack organizations around the target to collect platform information for the initial intrusion, such as email exchanges between that organization and the target. Using this information, they conduct attacks which increase the success rate of the initial penetration.

Stage 1: Initial penetration
Various methods are used in the initial penetration stage. Suspicious (targeted) email is one such method. These methods are used to deploy viruses deep within the organization. In this stage, the attack achieves its goal as soon as one employee opens that email. In the initial penetration stage, there is no need for the virus to infect many systems. It is assumed that the attack methods used at this stage will be detected and cleaned; that means they are disposable.

Stage 2: Establishment of attack platform
Once the attackers succeed in getting into the system, they quickly establish a backdoor for communication with a server they have prepared. Unlike traditional backdoors, this backdoor uses HTTP and other communication protocols that are used in the business of the target organization. Thus it cannot be blocked by a firewall. Using this backdoor, they add the functions needed for the next system investigation stage, and an attack platform is established.

Stage 3: System investigation
Using the attack platform established in the prior stage, the attackers search for internal system information. At this time, the backdoor is used to communicate with the attackers, and the search continues while they confirm system information.

Stage 4: Attack on the ultimate target
They steal information via the backdoor. In some cases, using the stolen information, they repeat attacks. An APT is an attack in which the attackers keep the attack platform established in the target organization in order to repeat penetrations and data thefts. This attack tends to be repeated several times.

Source: IPA design/maintenance guide to aim for the solution against "new type of attack".
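The stage 2 backdoor described above talks to the attackers' server over HTTP, the same protocol the business uses, so a perimeter firewall cannot simply block it. What a defender can still look for is the shape of that traffic: a single internal client contacting the same external host at a near-constant interval. The following script is an added example written for this page, not code from the original presentation or from Trend Micro or IPA; it parses constructed proxy log lines (the timestamps, client addresses and host names, including the `c2-placeholder.example.invalid` destination, are invented for the example) and flags client/host pairs whose request intervals show very low jitter.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Tunables for this example (assumed values, not from the original page).
MIN_REQUESTS = 5          # need enough samples to judge regularity
MAX_JITTER = 0.15         # flag when stddev(interval) / mean(interval) is below this
INTERNAL_SUFFIXES = (".local",)  # constructed: traffic to internal hosts is ignored

# Constructed sample proxy log: "timestamp client dest_host path bytes".
# One client (10.0.1.22) polls an external host every ~5 minutes; the other
# client browses normally.  All names and addresses here are invented.
SAMPLE_LOG = """\
2013-03-26T09:00:00 10.0.1.15 intranet.example.local /portal/home 4120
2013-03-26T09:00:05 10.0.1.15 cdn.example.net /js/app.js 88120
2013-03-26T09:00:02 10.0.1.22 c2-placeholder.example.invalid /update/check.php 312
2013-03-26T09:05:02 10.0.1.22 c2-placeholder.example.invalid /update/check.php 315
2013-03-26T09:10:03 10.0.1.22 c2-placeholder.example.invalid /update/check.php 310
2013-03-26T09:15:02 10.0.1.22 c2-placeholder.example.invalid /update/check.php 318
2013-03-26T09:20:01 10.0.1.22 c2-placeholder.example.invalid /update/check.php 311
2013-03-26T09:25:03 10.0.1.22 c2-placeholder.example.invalid /update/check.php 314
2013-03-26T09:03:11 10.0.1.15 news.example.com /world/index.html 23012
2013-03-26T09:17:48 10.0.1.15 news.example.com /sports/index.html 19877
2013-03-26T09:41:20 10.0.1.15 cdn.example.net /css/site.css 5500
"""


def parse_log(text):
    """Parse whitespace-separated proxy log lines into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path, size = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "host": host,
            "path": path,
            "bytes": int(size),
        })
    return records


def find_beacons(records, min_requests=MIN_REQUESTS, max_jitter=MAX_JITTER):
    """Return (client, host, mean_interval_s, jitter, count) for each
    client/external-host pair whose request spacing is suspiciously regular."""
    by_pair = defaultdict(list)
    for r in records:
        if r["host"].endswith(INTERNAL_SUFFIXES):
            continue                      # only outbound traffic is of interest
        by_pair[(r["client"], r["host"])].append(r["ts"])

    findings = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue                      # duplicate timestamps, cannot judge
        jitter = pstdev(gaps) / avg       # coefficient of variation of the spacing
        if jitter < max_jitter:
            findings.append((client, host, round(avg, 1), round(jitter, 3), len(stamps)))
    return findings


if __name__ == "__main__":
    for client, host, avg, jitter, n in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {client} -> {host} every {avg}s "
              f"(jitter {jitter}, {n} requests)")
```

On the constructed log the only hit is `10.0.1.22 -> c2-placeholder.example.invalid`, polling every 300 seconds with near-zero jitter; the ordinary browsing from `10.0.1.15` never reaches the request threshold and would also fail the jitter test. In a real deployment the thresholds need tuning against legitimate pollers (update checks, monitoring agents), and an encrypted channel, which the slide notes defeats IDS/IPS content inspection, still exposes this timing pattern because the check uses only connection metadata.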
What actually happens at each stage?

Stage 0: Preparation for attack
- Investigation of IP addresses, applications used, update status etc.
- Assuming rules for generating email addresses
- Information about the target organization gathered via Facebook or other social media

Stage 1: Initial penetration
- Direct attack exploiting system vulnerabilities
- Email with malicious PDF attachment sent by the attacker, pretending to come from a superior or a business contact
- Penetration via USB memory
- Penetration via a PC brought into the organization
- Penetration into affiliated companies, overseas branches etc.
- Execution of the initial-stage virus

Stage 2: Establishment of attack platform
- Communication with an external command server and new malicious activity
- Downloading bots and other new viruses
- Download and execution of the backdoor virus

Stage 3: System investigation
- Searching for server vulnerabilities and spreading viruses
- Exporting IDs, passwords etc.
- Installing a key logger and obtaining sysadmin authority
- Using the target as a springboard for attacking other systems

Stage 4: Attack on the ultimate target
- Accessing confidential data by exploiting the acquired ID and password
- Unauthorized exporting of key data
- System falsification
The type of malicious files attached
[Stage diagram repeated from the previous slide]
Types of malicious attachments (Source: Trend Micro)
- Document files like PDF, Word and Excel: 70%
- Executables: 30%
How can we prevent them?
[Stage diagram repeated from the previous slides]
ISACA & Trend Micro
Advanced Persistent Threat Awareness Study Results
© 2013 ISACA. All rights reserved
Questions & comments
Copyright 2011 Trend Micro Inc.