Malware & APT risks for Critical Infrastructures Ashar Aziz, Founder, CEO & CTO FireEye, Inc. October 18-20, 2011


Slide 2

RELIABILITY | ACCOUNTABILITY

The Evolving Threat Landscape

• # of threats are up 10X
• Nature of threats changing
  – From broad, scattershot to focused, targeted
• Pace of advanced attacks accelerating
  – High profile attacks commonplace – RSA, Citicorp, Epsilon, Lockheed…

“71% of surveyed IT Security Professionals said the ‘changing/evolving nature of threats’ is a major challenge or challenge.” – Forrester, 2011

Slide 3

Advanced Malware Infection Lifecycle

Diagram labels: Desktop antivirus (losing the threat arms race); Compromised Web server, or Web 2.0 site; Callback Server; Perimeter Security (signature, rule-based); Other gateway (list-based, signatures); DMZ; Email Servers; Anti-spam.

1. System gets exploited
   – Drive-by attacks in casual browsing
   – Links in targeted emails
   – Socially engineered binaries
2. Dropper malware installs
   – First step to establish control
   – Calls back out to criminal servers
   – Found on compromised sites, and Web 2.0, user-created content sites
3. Malicious data theft & long-term control established
   – Uploads data stolen via keyloggers, Trojans, bots, & file grabbers
   – One exploit leads to dozens of infections on same system
   – Criminals have built long-term control mechanisms into system

Slide 4

Operation Aurora: Case Study in a Zero-Day APT Attack

Slide 5

Operation Aurora attack structure: 0-day Web exploit followed by masked binary

Diagram labels: Desktop antivirus (losing the threat arms race); Malicious Web server; Callback Server.

1. System gets exploited
   – Exploited IE 6 zero-day vulnerability
   – Exploit code contains decryption sw
2. Web server delivers malware
   – XOR encoded malware EXE delivered
   – Exploit code decrypts binary
   – On the wire looks like .JPG object
   – Second phase object linked to first phase exploit
   – Dynamic analysis of encrypted binary not possible (out of context)
   – Static analysis of encrypted binary not possible (looks like a jpg)
3. Diagram labels: Gmail, Src Code, Passwords
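The masked-binary step above (an XOR-encoded EXE that passes as a .JPG on the wire) is something a proxy or sandbox can test for by checking a fetched object against what it claims to be. This is an added example, not code from the talk or from FireEye; it assumes a single-byte XOR key (the slide does not say what key length Aurora used) and runs over a constructed sample, reporting magic-byte mismatch, byte entropy, and any key under which a PE DOS header appears.

```python
import math
from collections import Counter
from typing import Optional, Tuple

JPEG_MAGIC = b"\xff\xd8\xff"                        # JPEG start-of-image marker
PE_MAGIC = b"MZ"                                     # DOS header at the start of a Windows EXE
PE_HINT = b"This program cannot be run in DOS mode"  # DOS-stub string present in nearly every PE


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; masked or packed executables score far above a JPEG header or text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_single_byte_xor_pe(data: bytes, window: int = 4096) -> Optional[Tuple[int, int]]:
    """Try all 256 single-byte XOR keys on the first `window` bytes; return (key, offset)
    of a revealed PE DOS header, else None. Assumption: single-byte key only."""
    head = data[:window]
    for key in range(256):
        decoded = bytes(b ^ key for b in head)
        pos = decoded.find(PE_HINT)
        if pos != -1:
            mz = decoded.rfind(PE_MAGIC, 0, pos)   # the MZ header precedes the stub string
            if mz != -1:
                return key, mz
    return None


def inspect_object(declared_type: str, data: bytes) -> dict:
    """What a proxy or sandbox can check before handing a fetched object to the browser."""
    magic_ok = declared_type == "image/jpeg" and data.startswith(JPEG_MAGIC)
    xor_hit = find_single_byte_xor_pe(data)
    return {
        "declared_type": declared_type,
        "magic_matches": magic_ok,          # JPEG magic alone is not enough (see sample)
        "entropy": round(shannon_entropy(data), 2),
        "xor_key": xor_hit,                 # (key, offset) of the masked DOS header
        "suspicious": (not magic_ok) or xor_hit is not None,
    }


def build_sample(key: int = 0x5A) -> bytes:
    """Constructed sample, not real malware: a genuine JPEG header followed by a fake
    PE stub XOR-masked with one byte, so a plain magic-byte check passes it."""
    stub = PE_MAGIC + b"\x90" * 60 + PE_HINT + b"\x00" * 64
    return b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(b ^ key for b in stub)


if __name__ == "__main__":
    print(inspect_object("image/jpeg", build_sample()))
```

The sample passes the magic-byte check and is caught only by the XOR search, which is the point of the slide: the object must be examined in the context of the exploit that decodes it, not as a JPEG.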

Slide 6

High Profile Attacks are Increasingly Common

Slide 7

BUT – This is only the Tip of the Iceberg

• Above the surface: Headline Grabbing Attacks
• Thousands More Below the Surface: APT Attacks, Zero-Day Attacks, Polymorphic Attacks, Targeted Attacks

Slide 8

FireEye POV: MPS systems go in After Existing Defenses

Diagram labels (Headquarters network): Internet; Egress Router; Firewall; Web Proxy with AV, URL blocking (maybe); IPS (maybe); MPS 7000; Core Switch; Users with desktop AV.

If we see it, it’s because everyone else missed it. So we don’t have a sample of everything: we have a sample of good new threats that are succeeding.

FireEye Inc Confidential – Do Not Distribute Based on Preliminary Analysis

Slide 9

So- How Much Malware Do We See?


Slide 10

So- How Much Malware Do We See?

Slide 11

The Long Tail of Malware


Slide 12

How Dynamic is Malware? Binary MD5s


Slide 13

How Dynamic is Malware? Bad Domains


Slide 14

APT Threat Actors & Surprising Collusions

Slide 15

Threat Actors

• APT Actors
• CrimeWare Actors
• Hacktivists

Slide 16

APT Actors & Crimeware Actors: An unholy alliance

• Crimeware Actors sell compromised systems to APT Actors
• APT Actors sell used 0-day exploits to Crimeware Actors

Slide 17

FireEye Case Study: Wermud Trojan

Crimeware elevation to APT

• [March 2011] Created and used by APT
• [15 March 2011] FireEye created callback rules
• [April 2011] Wermud passed to crimeware actors
• [June 2011] Seen used by FakeAV (crimeware)

Slide 18

Summary

• Malware is rampant inside enterprise networks, easily infiltrating existing defenses

• APT attacks can occur as unique exploits, e.g. the Aurora and RSA attacks

• BUT – if you have a fair amount of common malware infections (crimeware), you may never see unique APT attacks

• APT actors may simply leverage your existing crimeware backdoors

• Therefore, you still have to respond to the low-grade crimeware attacks, because they can become high-grade APTs for a valuable target

Slide 19

QUESTIONS?