Ethical Hackers Are Your Best Friends
Modern Malwares... Only a few clicks away from you!
Xavier Mertens - Principal Security Consultant

"We worried for decades about WMDs: Weapons of Mass Destruction. Now it is time to worry about a new kind of WMDs: Weapons of Mass Disruption." (John Mariotti)

Telenet for Business

# whoami
Xavier Mertens, again!

Agenda
- Introduction
- How to fight?
- Quick wins
- Real time analysis
- Solutions
- Limitations
- Conclusions
Let's Avoid This!
Me? Breached?
- In 66% of investigated incidents, detection took months or even longer
- 69% of data breaches were discovered by third parties
(Source: Verizon DBIR 2012)

Malicious Code Is Not New
- 1971 - Creeper, an experimental self-replicating program, infected DEC PDP-10 computers
- 1986 - The Brain boot sector virus is released
- 1999 - The Melissa mass-mailing macro virus targeted Microsoft Word and Outlook
- 2000 - The ILOVEYOU worm, also known as Love Letter
- 2003 - The SQL Slammer worm
- 2010 - Stuxnet, the first worm known to attack SCADA systems
- 2011 - Merged SpyEye and Zeus code is seen
- 2013 - The CryptoLocker trojan horse is discovered
- 2014?
2014?
- A fridge sends spam e-mails as an attack hits smart gadgets
- Target PoS systems were compromised
- The Yahoo! ads network was compromised to redirect users to malicious websites
Malware?
Malware, or malicious code, is software or firmware intended to perform an unauthorized process that will have an adverse impact on the confidentiality, integrity or availability of an information system.

Understanding Threats
Attack actors:
- $$$
- Espionage (industrial or political)
- Hacktivism
Attack vectors:
- Mainly HTTP / SMTP
- Local access (USB, CIFS shares)
- Interactions with humans
WMP: Weapon of Mass Pwnage
Backdoors in Software
Golden Tips
- Always download from official repositories
- Always cross-check the published hash; prefer SHA-256 over MD5/SHA-1, which are no longer collision-resistant, and verify the publisher's signature where one is offered
- Deploy in a lab first
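A way to turn the second tip into a repeatable check, as an added example that is not code from the original slides: it parses a sha256sum-style manifest (assumed format "<hexdigest>  <filename>" per line, as published by many projects), refuses MD5/SHA-1-sized digests, and verifies every listed file with a constant-time comparison. The files and manifest used here are constructed for the demo.

```python
"""Verify downloads against a published SHA-256 manifest.

Added example; not code from the original slides. It assumes the publisher
ships a sha256sum-style manifest ("<hexdigest>  <filename>" per line) next to
its downloads. The files and manifest below are constructed for the demo.
"""
import hashlib
import hmac
import os
import tempfile

# accepted digest lengths (hex chars) -> hashlib name; 32 (MD5) and 40 (SHA-1)
# are deliberately absent because collisions can be built for both.
ACCEPTED = {64: "sha256", 128: "sha512"}
HEX = set("0123456789abcdef")


def parse_manifest(text):
    """Return {filename: (algorithm, hexdigest)}; raise on weak or malformed lines."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed manifest line: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")  # '*' marks binary mode
        algo = ACCEPTED.get(len(digest))
        if algo is None or not set(digest) <= HEX:
            raise ValueError(f"refusing weak or malformed digest for {name!r}")
        entries[name] = (algo, digest)
    return entries


def file_digest(path, algo):
    """Stream the file through the chosen hash so large downloads fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(directory, manifest_text):
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for every manifest entry."""
    results = {}
    for name, (algo, expected) in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual = file_digest(path, algo)
        # constant-time compare so a mismatch cannot leak how many leading chars matched
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    return results


def demo():
    """Constructed scenario: a good file, a tampered file and a missing file."""
    good = b"fake installer bytes v1.0\n"
    plugin = b"fake plugin bytes\n"
    tampered = plugin + b"# extra backdoor\n"
    manifest = "\n".join([
        hashlib.sha256(good).hexdigest() + "  tool-1.0.tar.gz",
        hashlib.sha256(plugin).hexdigest() + " *plugin-2.1.zip",
        hashlib.sha256(b"never downloaded").hexdigest() + "  docs-1.0.pdf",
    ])
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "tool-1.0.tar.gz"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "plugin-2.1.zip"), "wb") as f:
            f.write(tampered)
        return verify_downloads(d, manifest)


if __name__ == "__main__":
    print(demo())
```

A hash only proves the file matches what the publisher's page says; if the page itself is compromised the attacker can publish a matching hash for the backdoored file, which is why the signature check in the tip above still matters.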
Bulk vs. Targeted
Bulk attacks use a well-known vulnerability in a piece of software
- Ex: CVE-2012-4681
- Lots of computers infected, low revenue per victim
- Massive pwnage
Targeted attacks use a 0-day vulnerability in a piece of software
- Ex: CVE-2011-0609
- Limited number of victims but potentially huge revenue
Easy as 1, 2, 3, ... 4, 5!
- Step 1: 0-day attack via phishing
- Step 2: Backdoor installed and accessed
- Step 3: Privilege escalation & pivot
- Step 4: Gather data
- Step 5: Exfiltrate

Callbacks...
Malware without C&C communications is useless... Callbacks are used to phone home:
- To send interesting data
- To ask what to do next
Below the Radar...
Callbacks must be stealthy: obfuscated, encrypted and looking very common
Multiple channels:
- JPEG images
- Twitter
- Tor
- Google Drive
- ... theoretically any web 2.0 app!
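Even a callback that is encrypted and hides in ordinary HTTPS tends to keep one tell: it phones home on a timer. The following is an added example, not code from the original slides, that flags (source, destination) pairs whose connection gaps are nearly constant. The connection records are constructed, and the minimum hit count and jitter tolerance are assumptions to tune against your own traffic.

```python
"""Spot periodic callbacks ("beaconing") in connection logs.

Added example, not from the original slides. The connection records are
constructed; min_hits and max_jitter are assumed starting values.
"""
from collections import defaultdict
from statistics import mean, pstdev


def find_beacons(conns, min_hits=6, max_jitter=0.15):
    """Group connections by (src, dst), compute the gaps between consecutive
    connections and flag pairs whose gap is nearly constant (low coefficient
    of variation). Returns {(src, dst): period_in_seconds}."""
    by_pair = defaultdict(list)
    for c in conns:
        by_pair[(c["src"], c["dst"])].append(c["ts"])
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:          # too few samples to judge regularity
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            beacons[pair] = round(period, 1)
    return beacons


# constructed data: one host calling home every ~300 s with a little jitter,
# one host browsing at irregular intervals (all over TCP/443, so the port
# alone would not stand out)
CONNS = [{"src": "10.0.2.25", "dst": "203.0.113.9", "ts": 1000 + 300 * i + (i % 3) * 10}
         for i in range(8)]
CONNS += [{"src": "10.0.2.27", "dst": "192.0.2.41", "ts": t}
          for t in (1000, 1020, 1500, 1530, 3000, 7000, 7001, 9000)]

if __name__ == "__main__":
    for (src, dst), period in find_beacons(CONNS).items():
        print(f"possible beacon: {src} -> {dst} every ~{period}s")
```

Real implants add random jitter or sleep only during office hours, so raise max_jitter, bucket timestamps per hour, or also compare the byte count of each callback (a heartbeat is usually the same size every time) before trusting a silence from this check.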
How to Fight?
Step 1 - Infection
Rogue e-mails:
- Security awareness
- Limit / scan attachments
Malicious websites:
- Can be your favourite website, visited daily
- Scan web traffic
- Trust nobody
- Prevent the click-o-mania
Step 2 - Malware Behavior
Alter the OS:
- Create/alter files
- Create/kill processes
- Wait for events
- Work stealthily
Network flow:
- Contact the C&C

Step 3 - Escalation & Pivot
- Hardening
- Restrict user privileges
- Use OS security features
- Network segmentation: don't put all your eggs in the same basket

Step 4 - Data Are Valuable
Protect your data: encrypt it and restrict access to it
- Data at rest
- Data in motion
- Data in use

Step 5 - Exfiltration
- Classify data
- Monitor network flows
Due Diligence
Quick Wins
RRD
NetFlow / Firewall Logs
- Why is this server trying to connect to the wild Internet?
- Why is this laptop trying to connect to China?
- Why does this protocol suddenly appear?

DNS
- No DNS, no Internet!
- Most malware needs DNS to find its C&C
- Alert on any traffic to untrusted DNS servers (anything other than your own resolvers)
- Investigate suspicious domains
- Track suspicious requests (e.g. unusual volumes of TXT queries)
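The three NetFlow questions and the DNS rules above can be answered from data most networks already export. The following is an added example, not code from the original slides: it runs those checks over constructed NetFlow-style records and DNS query logs. The server inventory, sanctioned resolver list, baseline of known protocol/port pairs and the prefix-to-country table are all made up for the demo and stand in for your CMDB, resolver configuration, last week's flows and a GeoIP database.

```python
"""Quick-win checks over NetFlow-style records and DNS query logs.

Added example, not from the original slides. Every input below (flows, DNS
queries, server list, resolver list, baseline, GeoIP table) is constructed.
"""
import ipaddress
from collections import Counter

INTERNAL = ipaddress.ip_network("10.0.0.0/8")
SERVERS = {"10.0.1.10", "10.0.1.11"}        # hosts that never need the Internet
RESOLVERS = {"10.0.0.53"}                    # the only sanctioned DNS servers
# constructed prefix -> country table (stand-in for a real GeoIP database)
GEO = {"203.0.113.0/24": "CN", "198.51.100.0/24": "US", "192.0.2.0/24": "BE"}
# (protocol, port) pairs seen on the network last week: the baseline
BASELINE = {("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 25)}


def country(ip):
    addr = ipaddress.ip_address(ip)
    for prefix, cc in GEO.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return "??"


def check_flows(flows, watch_countries=("CN",)):
    """Alerts for: servers initiating Internet connections, protocol/port
    pairs absent from the baseline, and hosts talking to watched countries."""
    alerts = []
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if src not in INTERNAL or dst in INTERNAL:
            continue                          # only internal -> Internet flows
        if f["src"] in SERVERS:
            alerts.append(f"server {f['src']} initiated {f['proto']}/{f['dport']} to {f['dst']}")
        if (f["proto"], f["dport"]) not in BASELINE:
            alerts.append(f"new protocol {f['proto']}/{f['dport']} from {f['src']} to {f['dst']}")
        cc = country(f["dst"])
        if cc in watch_countries:
            alerts.append(f"{f['src']} talks to {f['dst']} ({cc})")
    return alerts


def check_dns(queries, txt_threshold=3):
    """Alerts for DNS sent to unsanctioned resolvers and for clients issuing
    many TXT queries (a common C&C/exfiltration channel)."""
    alerts = []
    txt_per_client = Counter()
    for q in queries:
        if q["server"] not in RESOLVERS:
            alerts.append(f"{q['client']} queried untrusted resolver {q['server']} for {q['qname']}")
        if q["qtype"] == "TXT":
            txt_per_client[q["client"]] += 1
    for client, n in txt_per_client.items():
        if n >= txt_threshold:
            alerts.append(f"{client} issued {n} TXT queries")
    return alerts


# constructed sample data
FLOWS = [
    {"src": "10.0.1.10", "dst": "198.51.100.7", "proto": "tcp", "dport": 443},  # server -> Internet
    {"src": "10.0.2.25", "dst": "203.0.113.9", "proto": "tcp", "dport": 443},   # laptop -> CN
    {"src": "10.0.2.26", "dst": "192.0.2.40", "proto": "tcp", "dport": 6667},   # IRC, never seen before
    {"src": "10.0.2.27", "dst": "192.0.2.41", "proto": "tcp", "dport": 443},    # normal browsing
    {"src": "10.0.2.27", "dst": "10.0.1.11", "proto": "tcp", "dport": 445},     # internal only, ignored
]
DNS = [
    {"client": "10.0.2.25", "server": "10.0.0.53", "qtype": "A", "qname": "www.example.com"},
    {"client": "10.0.2.25", "server": "8.8.8.8", "qtype": "A", "qname": "update.example.net"},
    {"client": "10.0.2.26", "server": "10.0.0.53", "qtype": "TXT", "qname": "a1.c2.example.org"},
    {"client": "10.0.2.26", "server": "10.0.0.53", "qtype": "TXT", "qname": "a2.c2.example.org"},
    {"client": "10.0.2.26", "server": "10.0.0.53", "qtype": "TXT", "qname": "a3.c2.example.org"},
]

if __name__ == "__main__":
    for a in check_flows(FLOWS) + check_dns(DNS):
        print("ALERT:", a)
```

The untrusted-resolver rule only works if the firewall blocks outbound UDP/TCP 53 from everything except your resolvers; otherwise the log shows the query but nothing stops it. The TXT threshold is an assumption, so set it from a few days of your own query mix before alerting on it.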
Public resources:
- virustotal.com
- urlquery.net

Intelligence
- Local logfiles
- Public resources
- Suspicious behavior
- Action... Reaction!
Incident Handling

Real Time Analysis
Two Approaches: Hashing vs. Sandbox (Live)

Hashing
- Files are extracted from network flows
- Hash is computed
- Hash is compared to a database (local or remote)
- File is blocked (known bad hash) or allowed

Sandbox (Live)
- Files are extracted from network flows
- Files are executed in a sandbox
- Behavior is analyzed and a score is computed from the actions performed by the malware
- File is blocked (score above threshold) or allowed
if ($score > $threshold) { alert(); }
Action                                              Score
Try to find a debugger                              +1
Connect to a known malicious IP                     +2
Perform multiple sleep()                            +1
Inject itself into another process (DLL injection)  +3
TOTAL                                               +7

So what?
                Pro                                Con
Hashing         Speed                              Less reliable
                Privacy                            Database growing daily
                Integrated into modern firewalls   0-day or targeted malware not detected
Live analysis   More reliable                      Resource-intensive
                Targeted malware detected          Requires dedicated hardware
                                                   Privacy issue?

Solutions
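Putting the two approaches side by side in code, as an added example that is neither from the original slides nor from any vendor's product: the hash lookup is the cheap, private fast path, and the sandbox score (with the weights from the table above) is consulted only for files the hash database has never seen. The hash database, the sample sandbox reports and the threshold of 5 are assumptions made for the demo; the repacked sample shows the slide's point that a single byte changed defeats hashing but not behavioral scoring.

```python
"""Hash lookup versus sandbox scoring, the two approaches from the slides.

Added example, not from the original slides or any product. Weights follow
the slide's table; hash database, reports and threshold are constructed.
"""
import hashlib

# sandbox behaviours and their weights (the slide's scoring table)
WEIGHTS = {
    "debugger_check": 1,     # tries to find a debugger (anti-analysis)
    "known_bad_ip": 2,       # connects to an IP already on a blocklist
    "multiple_sleep": 1,     # repeated sleep() calls to outlast the sandbox timer
    "process_injection": 3,  # injects itself into another process (DLL injection)
}
THRESHOLD = 5  # assumed operating point; tune against your false-positive rate

# constructed hash database: SHA-256 of two "known" samples
KNOWN_BAD = {hashlib.sha256(b"known malicious dropper").hexdigest()}
KNOWN_GOOD = {hashlib.sha256(b"signed vendor installer").hexdigest()}


def hash_verdict(data):
    """Fast path: 'block', 'allow', or None when the hash is unknown."""
    h = hashlib.sha256(data).hexdigest()
    if h in KNOWN_BAD:
        return "block"
    if h in KNOWN_GOOD:
        return "allow"
    return None


def sandbox_score(actions):
    """Sum the weights of the observed actions; actions without a weight add 0."""
    return sum(WEIGHTS.get(a, 0) for a in actions)


def decide(data, actions=None, threshold=THRESHOLD):
    """Hash first (cheap, private); fall back to the sandbox report for unknown
    files. Returns (verdict, reason)."""
    verdict = hash_verdict(data)
    if verdict is not None:
        return verdict, "hash"
    if actions is None:
        return "allow", "no sandbox result"   # or quarantine, depending on policy
    score = sandbox_score(actions)
    return ("block" if score > threshold else "allow"), f"score={score}"


# constructed sandbox report: the four behaviours from the slide, total 7
DROPPER_ACTIONS = ["debugger_check", "known_bad_ip", "multiple_sleep", "process_injection"]

if __name__ == "__main__":
    print(decide(b"known malicious dropper"))                  # blocked by hash
    print(decide(b"known malicious dropper!", DROPPER_ACTIONS))  # repacked: hash misses, sandbox catches it
    print(decide(b"unknown internal tool", ["multiple_sleep"]))  # scores 1, allowed
```

Note that "score above threshold" is a trade-off, not a fact: the same four behaviours can appear in packers, licensing checks and some installers, which is the "privacy issue?" and false-positive cost the table lists against live analysis.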
Some products
- Palo Alto Networks WildFire
- Check Point Anti-Bot & Threat Emulation
- FireEye (core business)
- Cuckoo (open source project)

Advantages
- PA & CP integrate smoothly with existing infrastructure
- Data is captured live
- Cloud or appliance based
- Data sharing
- Covers web traffic, e-mail protocols (SMTP, IMAP, POP), FTP and SMB

Mix Technologies!
- Inspect traffic with the product proposed by your firewall vendor
- Mix this with off-line tools to inspect network shares or suspicious computers
- On-demand analysis
Limitations
Cat & Mouse Game
Evasive Techniques
- Wait for user interactions
- Look at the environment ($ENV): HW devices, MAC addresses, disk size, running processes, ...
- Use non-standard protocols
- Use encryption

Let's tap!
Access to malware in motion?
- Where to capture the traffic?
- Malware could already be installed and stealthy
Sandboxes:
- OS & software restricted to Windows
- Difficult to deploy your own images with commercial products
- Only droppers are analyzed; and what about the payload they fetch afterwards?

Conclusions
Conclusions
- You will be hit by malware! Be ready... or maybe you are already infected?
- You already have valuable data; use it to track suspicious activity
- Best practices might reduce risks
- Backdoors in software aren't reported as suspicious
- Patch, patch and patch again
Thank You!
Interested? Contact your Account Manager for more information!