The Evolving Threat Landscape
Charles Williams
Sr. Sales Engineer
Confidential | Copyright 2015 Trend Micro Inc.
2015 Attacks

Who's committing attacks - Verizon
92% perpetrated by outsiders
14% committed by insiders
1% implicated business partners
7% involved multiple parties
19% attributed to state-affiliated actors
Source: http://www.verizonenterprise.com/DBIR/

Financially Motivated Cyber Criminal
Source: http://www.verizonenterprise.com/DBIR/
Crime Syndicate (Simplified)
[Diagram of the roles: Victim, Attackers, Mercenary, The Captain, The Boss, Garant, Bullet Proof Hoster, Data Fencing]

Crime Syndicate (Detailed)
[Diagram of the roles and services in the syndicate, each carrying a $1 to $10 label: Droppers, Exploit Kit, Worm, SQL Injection Kit, Blackhat SEO, Keywords, Traffic Direction System, Compromised Sites (Hacker), Bullet Proof Hoster, Virtest, Cryptor, Programmer, Bot Reseller (Botherder), Carder, Card Creator, Money Mule, Garant, Attacker, Victim]
Attack Stages
1. Intelligence Gathering
Identify and research target individuals using public sources (LinkedIn, Facebook, etc.) and prepare a customized attack.
2. Point of Entry
The initial compromise is typically malware delivered via social engineering (email/IM or drive-by download). A backdoor is created and the network can now be infiltrated.
3. Command & Control (C&C) Communication
Allows the attacker to instruct and control the compromised machines and malware used for all subsequent phases.
4. Lateral Movement
Once inside the network, the attacker compromises additional machines to harvest credentials, escalate privilege levels and maintain persistent control.
5. Asset/Data Discovery
Several techniques and tools are used to identify the noteworthy servers and the services that house the data of interest.
6. Data Exfiltration
Once sensitive information is gathered, the data is funneled to an internal staging server where it is chunked, compressed and often encrypted for transmission to external locations.
Intelligence Gathering
Acquire strategic information about the target's IT environment and organizational structure.
[Screenshot: "res://" protocol]
Data at Risk
• Corporate / Financial—board meeting records, legal proceedings, strategic plans, contracts, purchase agreements, pre-earnings announcements, executive salaries, M&A plans and pending patent filings.
• Manufacturing—Intellectual Property and manufacturing methods
• Retail—Financial records & transactions, customer profiles to generate revenue for identity theft
• Internal Organization—employee records and health claims for identity and insurance fraud
Point of Entry
Gain entry into a target network using weaknesses found.
[Diagram: Weaponized Attachment, Malicious URLs]
Attack weakness found in:
• Infrastructure
• Systems
• Applications
• People
• 3rd Party Organizations
Infection Options
[Diagram: Trusted Partner, Customers, Island Hopping, Attackers, Spearphishing]

Watering Hole Attacks
Source: Trend Micro Q3'14 Threat Roundup Report
Evade detection with customized malware
[Diagram labels: Attacker, Malicious C&C websites, Victimized Business, Windows endpoints, Unix/Linux Server Farm, Ahnlab's Update Servers, destroy MBR, wipe out files]
A total of 76 tailor-made malware samples were used, of which 9 were destructive, while the other 67 were used for penetration and monitoring.
Code for Sale
[Screenshot of an underground forum listing, "LIST OF SOFTWARE INCLUDED IN THIS PACKAGE", with 100's of items grouped under: Cracking Tools, Crypters, DoSers/DDoSers/Flooders and Nukers, Remote Administration Tools/Trojans, Host Booters, Scanners, Stealers, Binders, Fake Programs, Virus Builders, Analysis, Rebuilding, HEX Editor, Decompilers, Unpackers, Packers, Patchers, Keygenning. Hackers Tools for sale. Price: 0.0797 BTC (bitcoin) = $25]
Today's Reality – One & Done!
99% of malware infect < 10 victims
80% of malware infect = 1 victim

E-Mail with a spoofed sender

And if users click on the attachment...
Command & Control Communications
Ensure continued communication between the compromised target and the attackers.
[Diagram: Threat Actor, C&C Server]
Common Traits
• Uses typical protocols (HTTP)
• Uses legitimate sites as C&C
• Uses internal systems as C&C
• Uses 3rd party apps as C&C
• May use compromised internal systems
Advantages
• Maintains persistence
• Avoids detection
Threat Actor's Achilles' Heel
Reality Bites
• Have to maintain connection with compromised network
• Cut off this connection, potentially stop the attack
• Malicious code typically hardcoded with C&C data
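The "Reality Bites" point above, that the implant has to keep talking to its C&C server, is what gives a defender something to detect: a periodic HTTP check-in stands out against normal browsing. The following is an added example, not from the presentation, that flags near-constant request intervals in constructed web-proxy log lines; the log format, hostnames and client address are assumptions.

```python
"""Beaconing detector over constructed proxy log lines (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one request per line: "<timestamp> <client_ip> <host> <status>".
# The host updates.example-cdn.test is polled roughly every 60 seconds (assumed beacon);
# intranet.example.local is ordinary, irregular browsing.
SAMPLE_LOG = """\
2015-03-02T09:00:00 10.1.1.20 intranet.example.local 200
2015-03-02T09:00:02 10.1.1.20 updates.example-cdn.test 200
2015-03-02T09:00:05 10.1.1.20 intranet.example.local 200
2015-03-02T09:01:00 10.1.1.20 updates.example-cdn.test 200
2015-03-02T09:01:30 10.1.1.20 intranet.example.local 200
2015-03-02T09:01:59 10.1.1.20 updates.example-cdn.test 200
2015-03-02T09:03:00 10.1.1.20 updates.example-cdn.test 200
2015-03-02T09:04:01 10.1.1.20 updates.example-cdn.test 200
2015-03-02T09:07:11 10.1.1.20 intranet.example.local 200
"""


def parse_log(text):
    """Group request timestamps by (client, host)."""
    seen = defaultdict(list)
    for line in text.splitlines():
        ts, client, host, _status = line.split()
        seen[(client, host)].append(datetime.fromisoformat(ts))
    return seen


def find_beacons(text, min_hits=4, max_jitter=0.2):
    """Return (client, host, mean_interval_seconds) for every request series
    whose inter-arrival times are nearly constant, i.e. stddev/mean <= max_jitter.
    Series with fewer than min_hits requests are ignored to limit false positives."""
    found = []
    for (client, host), stamps in parse_log(text).items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found.append((client, host, avg))
    return found


if __name__ == "__main__":
    for client, host, interval in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: check-in every {interval:.0f}s")
```

Cutting the flagged host off at the proxy or firewall is the "cut off this connection" step the slide describes; the same grouping works on DNS query logs.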
Lateral Movement
Seek valuable hosts that house sensitive information.
[Diagram: Pass the Hash]
Data Discovery
Noteworthy assets are identified within the infrastructure, then isolated for future data exfiltration.

Data at Risk
[Chart of the world's biggest data breaches, labelled by data type: Birth & Phone records; Movies, Ransoms, Terrorism; Credit Cards; User Credentials; PII leads to fraud; Customer PII; Social Media Accounts]
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Exfiltration Stage
Transmit data to a location that the threat actors control.
Common Traits
• Built-in file transfer (RATs)
• FTP, HTTP
• Tor network/Encryption
• Public File Sharing sites
[Diagram: Customers, Attackers, FTP, C&C Server]
Maintenance Stage (Anti-Forensics)
Maintain persistence within the network for future attacks
Source: http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/
What Can You Do?

Layered Security
[Diagram of layered protection technologies: Sandboxing, Device Control, Behavior Monitoring, Forensics, Web Reputation, Web Gateway, Unpacking, Email Reputation, Email Gateway or Server, Memory Inspection, Command & Control Blocking, Network, Vulnerability Protection, DLP, Encryption, File Reputation, Application Whitelisting, Mobile App Reputation, SharePoint Server]
Safe Computing Practices
All Consumers
• Always check who the email sender is.
• Double-check the content of the message.
• Refrain from clicking links in email.
– use free services such as sitesafety.trendmicro.com.
• Always ensure your software is up-to-date.
• Backup important data.
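"Always check who the email sender is" can be partly automated at the mail gateway or in a triage script. The following is an added example, not from the presentation, that inspects the From, Return-Path and Reply-To headers of a constructed message for the tricks used by spoofed-sender mail; the trusted domain example.com and the look-alike exarnple.com are assumptions for the example.

```python
"""Spoofed-sender header checks on a constructed message (added example)."""
import email
import re
from email.utils import parseaddr

# Constructed message imitating a spoofed-sender invoice mail (not from the deck).
SAMPLE_EML = """\
Return-Path: <bounce@mail-relay.example.net>
From: "Finance Dept <finance@example.com>" <alerts@exarnple.com>
Reply-To: accounts@exarnple.com
To: user@example.com
Subject: Invoice attached

Please see the attached invoice.
"""


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (exarnple vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_findings(raw, trusted_domain="example.com"):
    """Return the reasons the sender looks spoofed (empty list = nothing found)."""
    msg = email.message_from_string(raw)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    # 1. An address planted in the display name that differs from the real From address.
    planted = re.search(r"[\w.+-]+@[\w.-]+", display_name)
    if planted and planted.group(0).lower() != from_addr.lower():
        findings.append(f"display name carries a different address: {planted.group(0)}")
    # 2. The envelope sender (Return-Path) and Reply-To normally match the From domain.
    for header in ("Return-Path", "Reply-To"):
        dom = domain_of(msg.get(header))
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom} differs from From domain {from_dom}")
    # 3. A From domain within two edits of a trusted domain is a look-alike.
    if from_dom != trusted_domain and edit_distance(from_dom, trusted_domain) <= 2:
        findings.append(f"From domain {from_dom} is a look-alike of {trusted_domain}")
    return findings
```

Mail that trips any of these checks is a candidate for quarantine or a warning banner; SPF/DKIM/DMARC results, when available, make the Return-Path check authoritative.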
Safe Computing Practices
For Commercial Businesses
• Review your policies regarding email attachments and embedded URLs
• Configure devices for specific purposes and take advantage of certain Windows features like AppLocker or Trend Micro Application Control
• Enable extended threat protection technologies:
  – Email Reputation
  – True File Type Filtering
  – Web Reputation
  – Behavior Monitoring
  – Community File Reputation
• OfficeScan 11 SP1 (Q2-14) will have new Ransomware specific technologies
• Back up your backups
As of Today…
How frequently do you back up data on your PC?
How fast can you restore data on your PC?
Can employees restore data by themselves?