Malware & APT risks for Critical Infrastructures Infrastructure...Malware & APT risks for...

Malware & APT risks for Critical Infrastructures Ashar Aziz, Founder, CEO & CTO FireEye, Inc. October 18-20, 2011

2 RELIABILITY | ACCOUNTABILITY

The Evolving Threat Landscape

• # of threats are up 10X • Nature of threats changing

– From broad, scattershot to focused, targeted

• Pace of advanced attacks accelerating – High profile attacks

commonplace – RSA, Citicorp, Epsilon,

Lockheed…

“71% of surveyed IT Security Professionals said the ‘changing/evolving nature of threats’ is a major challenge or challenge.” – Forrester, 2011

Advanced Malware Infection Lifecycle

Desktop antivirus Losing the threat arms race

Compromised Web server, or Web 2.0 site

Callback Server

Perimeter Security Signature, rule-based

Other gateway List-based, signatures

System gets exploited Drive-by attacks in casual browsing Links in Targeted Emails Socially engineered binaries

Dropper malware installs First step to establish control Calls back out to criminal servers Found on compromised sites, and Web 2.0, user-created content sites

Malicious data theft & long-term control established Uploads data stolen via keyloggers, Trojans, bots, & file grabbers One exploit leads to dozens of infections on same system Criminals have built long-term control mechanisms into system

Email Servers

Anti-spam

Operation Aurora: Case Study in a Zero-Day APT Attack

0-day Web exploit followed by masked binary Operation Aurora attack structure

Desktop antivirus Losing the threat arms race

Malicious Web server

Callback Server

System gets exploited Exploited IE 6 zero-day vulnerability Exploit code contains decryption sw

Web server delivers malware XOR encoded malware EXE delivered Exploit code decrypts binary On the wire looks like .JPG object Second Phase object linked to first phase exploit Dynamic analysis of encrypted binary

not possible (out of context) Static analysis of encrypted binary not

possible (looks like a jpg)

Src Code

Passwords

High Profile Attacks are Increasingly Common

BUT – This is only the Tip of the Iceberg

Headline Grabbing Attacks

Thousands More Below the Surface APT Attacks

Zero-Day Attacks Polymorphic Attacks

Targeted Attacks

Headquarters

Egress Router

Firewall

Core Switch

Users with desktop AV

FireEye POV: MPS systems go in After Existing Defenses

MPS 7000

Internet

Web Proxy with AV, URL blocking (maybe)

IPS (maybe)

If we see it, it’s because everyone else missed it So we don’t have a sample of everything: we have a sample of good new threats that are succeeding

FireEye Inc Confidential – Do Not Distribute Based on Preliminary Analysis

So- How Much Malware Do We See?

10 RELIABILITY | ACCOUNTABILITY FireEye Inc Confidential – Do Not Distribute Based on Preliminary Analysis

So- How Much Malware Do We See?

The Long Tail of Malware

How Dynamic is Malware? Binary MD5s

How Dynamic is Malware? Bad Domains

APT Threat Actors & Surprising Collusions

Threat Actors

APT Actors CrimeWare Actors

Hacktivists

APT Actors & Crimeware actors An unholy alliance

APT Actors

Crimeware Actors

Sell compromised systems to

Sell used 0-day exploits

FireEye Case Study: Wermud Trojan

Crimeware elevation to APT [March 2011]

Created and used by APT

[15 March 2011]

FireEye created callback

[April 2011] Wermud

passed to crimeware

actors

[June 2011] Seen used by FakeAV (crimeware)

Summary

• Malware is rampant inside Enterprise networks, easily infiltrating existing defenses

• APT attacks can occur as unique exploits, eg Aurora and RSA attacks

• BUT- If you have a fair amount of common malware infections (crimeware), you may never see unique APT attacks

• APT actors may simply leverage your existing crimeware backdoors

• Therefore, you still have to respond to the low grade crimeware attacks, because they can become high grade APTs for a valuable target

QUESTIONS?

Malware & APT risks for Critical Infrastructures Infrastructure...Malware & APT risks for...

Documents

Defeating Advanced Persistent Threat Malware · Solution to APT Malware: A DNS ... An Approach Worth Investigating – Infoblox DNS ... commonly-used description for this category

Malware & APT risks for Critical Infrastructures Infrastructure/2011 NERC GridSecCon... · FireEye Inc Confidential – Do Not Distribute Based on Preliminary Analysis So- How Much

My First Incident Response Team - smtps.net · My First Incident Response Team DFIR for Beginners ... Analyze APT malware with Cuckoo ... Cuckoo Sandbox

Combatiendo la Última Generación de Malware Avanzado INFOSECURITY 201… · RSA/Lockheed Duqu Flame Gauss NYTimes Adobe ... APT WatchGuard Architecture 3 Year Effort ... network

Automating Linux Malware Analysis Using Limon sandbox · considered as malwares. With new malware attacks making news every day and compromising company’s network and critical infrastructures

For Peer Review Only - Lancaster Universityeprints.lancs.ac.uk/78006/1/s1_ln199646832140517760...For Peer Review Only Malware Detection in Cloud Computing Infrastructures Journal:

PACKAGING DESIGN, ARTWORK & MOCKUPS | PRIVATE CLIENT · Apt. 58 Apt. 5 9 Apt. 5 7 Apt. 5 6 Apt. 55 Apt. 54 1 Apt. 60 2 Apt. 61 1 2 Apt. 1 9 t. 20 1 t. 18Ap t. 2 2 Apt. 17 Apt. 16

Past: Threat Intelligence and · • Past: Threat Intelligence and APT response • Present: Builds algorithms to classify malware in real-time ... Removable Media, Communication

Malware Detection in Cloud Infrastructures June 11, …...2018/06/11 · Cloud malware injection is a threat where an attacker injects a malware to manipulate the victim’s Virtual

Online Malware Detection in Cloud Auto-Scaling Systems ... · Malware will always find a way-in to infect cloud infrastructures. Presence of a gap between malware prevention and malware

PowerPoint Presentationreslife.cofc.edu/halls/warren/Warren - All floors.pdf · apt. 316 apt. 3 apt. 317 1 warren apt. apt. 315 street - third apt. 312 apt. 313 floor plan apt. 311

Advanced Persistent Threat · APT - Overview ySummary / Synopsis –Advanced Persistent Threat yAnatomy yTimeline –Threat Vector Evolution yTools –Malware, Bots yTechniques –OSINT,

Detecting APT Malware Infections Based on …...G. Zhao et al.: Detecting APT Malware Infections Based on Malicious DNS and Traffic Analysis the C&C servers, it helps the attacker

APT - Hunting 0Day Malware

Symantec White Paper - Symantec Endpoint Suite Product Guidei.crn.com/custom/Symantec-Endpoint-Suite-Solution-Brief.pdf · Symantec Endpoint Protection--Protect against APT malware

Malware Analysis Report: Dark Caracal APT The Pallas · PDF fileCSE CyberSec Enterprise SPA Via G.B. Martini 6, Rome, Italy Email: info@ Website: ZLAB Malware Analysis Report:

HTTP-Based APT Malware Infection Detection Using URL

Weaponised Malware & APT Attacks: Protect Against Next-Generation Threats

Reversing the Inception APT malware | Blue Coat...Finally we can see it’s connecting to webdav.cloudme.com and cleartext credentials in following screenshot. Malware tries to communicate

· AN Florin-Constantin FLORIAN ALEXANDRU VLASE Valentin IRINA ELENA VLEJ GENA MIHAELA NESECRET Rezultatul evaluarii APT APT APT APT APT APT APT APT APT APT APT APT APT APT APT APT