Transcript

Slide 1
Enhancing Malware Detection
Doug Cooke, Director, Sales Engineering Canada
July 21, 2015

Slide 2: Malware Evolution
Timeline chart. Eras, left to right: Early Days, Financially Motivated, Targeted Attacks, Future. Year markers: 1992-3, 1998, 2002, 2005, 2008, 2010, 2012.
Milestones in slide order: Floppy disk attacks, 1992-3; File infectors, macro viruses; Spy, Adware; Obfuscation; Email worms, 1998; Autorun worms; Web 2.0 attacks, 2002, 2005; Aurora, Conficker, 2008; Poly patching Trojans; Hacktivism, 2010; StuxNet, Shamoon, 2012.

Slide 3: Malware Evolution – Time to React
Same timeline as Slide 2, with the vertical axis labelled Time to React.

Slide 4: Case Study: What is Project Blitzkrieg
• Code name for a McAfee Labs project monitoring an attack against the NA banking community
• RAS identified the malware as belonging to the Gozi family and labeled it Prinimalka
• Man-in-the-Middle attack targeting banking customers
• Banks' security measures could not detect or prevent it
• Incorporates "web injects" – code injected into the browser based on URL
• Campaign of attacks started in Spring 2012; continued activity with new variants had continued into 2013.
How can we monitor these attack campaigns? How quickly can we identify Patient Zero and stop propagation?

Slide 5: Four Phases of an Attack
First Contact – how the attacker first crosses paths with the target: Unsolicited Message, Social Engineering, Malicious Website, Network Access, Physical Access, Propagation
Local Execution – how the attacker gets code running for the first time on the target machine: Download Malware, Exploit, Escalate Privilege, Configuration Error
Establish Presence – how the attacker persists code on the system to survive reboot, stay hidden, and hide from the user and security software: Persist on System, Self-Preservation
Malicious Activity – the business logic, what the attacker wants to accomplish (steal passwords, bank fraud, purchase Fake AV): Bot Activities, Adware & Scareware, Identity & Financial Fraud, Tampering

Slide 6: Four Phases of an Attack – Example: Fake AV
Same four-phase diagram and phase descriptions as Slide 5, presented with Fake AV as the example.

Slide 7: Phase Protection Methods
Protection methods laid out against the four phases (First Contact, Local Execution, Establish Presence, Malicious Activity): On Access Scanning, File Scanning, Write Blocking, Website Filtering, Endpoint Health, Rootkit Prevention, Physical File Transfer, Firewall, Web Filtering, Email Filtering, Buffer Overflow Prevention, Whitelisting, Behavioral Prevention, Change Protection.

Slide 8: Evolution of Content – Time to Protect
Chart. Vertical axis: Time to Protect, labelled Months, Days, Hours. Horizontal axis: 1992-3, 1998, 2002, 2005, 2008, 2010, 2012, with the eras Early Days, Financially Motivated, Targeted Attacks, Future. Content type plotted: Reactive Signatures.

Slide 9: Evolution of Content – Signatures + Cloud Reputation
Same chart. Reactive Signatures (1992-3, 1998), followed by Signatures + Cloud Reputation (2002, 2005, 2008, 2010, 2011).

Slide 10: Cloud Based Reputation
Diagram of the cloud reputation service (Internet) and the products that query it.
Query types: File, Mail, IP, Domain, Geo Location; Hashed File Look Ups; IP and Domain Reputation Queries.
Querying products: Network IPS, Web Gateway, Mail Gateway, Servers, ATMs, Network, Mobile Devices, Workstations.
Protection: Malicious Code – Anti-Malware, Anti-Spyware, Whitelisting; Mobility Protection – Anti Malware.
Time to Protect – Minutes!

Slide 11: Evolution of Content – Telemetry
Same chart. Reactive Signatures (1992-3, 1998), Signatures + Cloud Reputation (2002, 2005, 2008), Signatures + Cloud Reputation + Telemetry (2010, 2011).

Slide 12: US Campaign (victims) – Oct 1st – Nov 30th, 2012
(Figure; only the title survives in the transcript.)

Slide 13: Distribution of C&C Servers
(Figure; only the title survives in the transcript.)

Slide 14: Adding Context to the Content
• Leverage the 100M+ consumer base plus opt-in enterprises
• Enhanced scanning engines to collect further data during scanning activities
  – HASH of malware file & originating IP
  – file paths, processes, features of the file, etc.
  – upload suspicious file
• Enhanced scanning drivers allow specific data to be pulled from specific types of malware
  – e.g. Blitzkrieg – establish cloud based data for FIs to monitor attacking IPs
  – e.g. SpyEye – pull institution specific data from JavaScripts
• The enriched data introduces the opportunity for greater analysis and correlation of collected data
• Expose this data to customers through a service offering

Slide 15: Access to Zero Day Attacks as Quickly as Possible
Getting Out in Front!

Slide 16: Summary
• Will use these talking points for the previous slide
• The malware community will continue to find creative approaches to wreak havoc around the computing community.
• New technologies (whitelisting etc.) will help, but the opportunity still exists to leverage more sophisticated detection capabilities.
• Pulling contextual information from active systems will enhance the effectiveness of cloud based reputation databases.
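The slides describe hashed file look-ups and IP reputation queries against a cloud service, then enriching those look-ups with telemetry (hash, originating IP, file path) so that campaigns can be correlated and Patient Zero identified. The following is an added illustration, not code from the slides or from any McAfee product: the "cloud" is a local dictionary, the hashes are SHA-256 of constructed byte strings, the IPs are documentation ranges, and the telemetry records are constructed.

```python
import hashlib
from collections import Counter

def sha256_hex(data: bytes) -> str:
    """Hash used for the 'hashed file look-up' against the reputation table."""
    return hashlib.sha256(data).hexdigest()

# Constructed samples standing in for real file content (not real malware).
KNOWN_BAD = sha256_hex(b"constructed sample: banking trojan dropper")
KNOWN_GOOD = sha256_hex(b"constructed sample: signed vendor updater")
NEW_VARIANT = sha256_hex(b"constructed sample: repacked dropper, not yet in table")

# Hypothetical reputation tables; a real service would hold millions of entries.
FILE_REPUTATION = {KNOWN_BAD: "malicious", KNOWN_GOOD: "trusted"}
IP_REPUTATION = {"203.0.113.7": "malicious"}  # TEST-NET-3 address, constructed

# Constructed telemetry as an enhanced scanner would upload it:
# (ISO-8601 timestamp, host, sha256, originating IP, file path)
TELEMETRY = [
    ("2012-10-03T09:14:00", "ws-17", KNOWN_BAD, "203.0.113.7", r"C:\Temp\upd.exe"),
    ("2012-10-01T22:40:00", "ws-04", KNOWN_BAD, "203.0.113.7", r"C:\Temp\upd.exe"),
    ("2012-10-05T11:02:00", "srv-02", KNOWN_GOOD, "198.51.100.9", r"C:\Vendor\updater.exe"),
    ("2012-10-06T08:30:00", "ws-09", KNOWN_BAD, "203.0.113.44", r"C:\Downloads\invoice.exe"),
    ("2012-10-07T15:05:00", "ws-21", NEW_VARIANT, "203.0.113.7", r"C:\Temp\upd2.exe"),
]

def lookup(record) -> str:
    """Combine file-hash and originating-IP reputation for one record.
    An unknown hash from an IP already seen serving malware is still flagged,
    which is the context the slides add on top of the plain hash look-up."""
    _, _, sha, ip, _ = record
    file_rep = FILE_REPUTATION.get(sha, "unknown")
    ip_rep = IP_REPUTATION.get(ip, "unknown")
    return "malicious" if "malicious" in (file_rep, ip_rep) else file_rep

def patient_zero(records) -> dict:
    """Earliest sighting per malicious hash -> (host, timestamp), the first
    machine to isolate. ISO-8601 timestamps sort correctly as strings."""
    first = {}
    for rec in sorted(records, key=lambda r: r[0]):
        ts, host, sha, _, _ = rec
        if lookup(rec) == "malicious" and sha not in first:
            first[sha] = (host, ts)
    return first

def attacking_ip_distribution(records) -> Counter:
    """Originating IPs across malicious sightings: the 'Distribution of C&C
    Servers' view, which an FI could monitor per the Blitzkrieg bullet."""
    return Counter(r[3] for r in records if lookup(r) == "malicious")
```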