The changing threat landscape: 2010 and beyond

Chester Wisniewski – Sophos; Eamonn Medlar – WPP; Moderator: Angela Moscaritolo


Threat landscape splitting in two

Opportunistic

Targeted

What is an opportunistic attack?

Affiliate marketing

Conficker

Fake-AV

Spam

Phishing

Social media

SEO poisoning

Fake anti-virus: Latest tricks

ДОРВЕЙ (Doorway): “A web page that is designed to attract traffic from a search engine and then redirect it to another site or page.”

Black hat SEO

Social network malware

Koobface - Multilingual

Koobface – What can it do?

Steal software keys

Upload stored passwords

Web server

Search hijacking

Captcha busting

PPC fraud

Fake AV

Soc Net Spambot

Screenshot courtesy of abuse.ch

Targeted attacks have diverged

Unknown exploit(s)

Unknown malware

Nearly silent

Used for espionage/cyberwarfare

How do we react to this new branch of attack?

MS Advisory for “Aurora” exploit

MS10-046 Shortcut exploit

15 year old bug

Stuxnet, Chymin, etc

Multiple rootkits

Signatures

Tiny

P2P Comms

Exploits (RCE and EoP)

Small (without packers)

Silent, but deadly

The new blended threat – Step 1

The new blended threat – Step 2

Sample Zeus commands

Sethomepage [URL]

Resetgrab

Getmff

Getcerts

Bc_add [service] [ip] [port]

Kos

Block_url

Shutdown

Rexec [url] [args]

Reboot

Lexec [file] [args]

Upcfg [url]

Addsf [filemask]

Block_fake

Zeus takes the 3rd step

Law enforcement crackdown

Widely decentralized

Image courtesy of krebsonsecurity.com

Challenges to the protector

“It’s mine”

Portability

Regulation

Chain of trust

Legacy increases attack surface

Creative Commons image courtesy of thetechbuzz's Flickr photostream.

Evolving with the threat

AV good for basic threat

Behavior is key

Collective intelligence

Event correlation

Defense in depth

Data protection is key

Discussion with Eamonn Medlar, WPP

Q&A


Summary

Contact:

Proven: 25+ years of experience

Integrated threat detection

SophosLabs

24/7/365

Anti-Malware

Email Protection

Web Filtering

Encryption

Email: [email protected]

Twitter: @chetwisniewski

Blog: http://nakedsecurity.sophos.com

Device/App Control

NAC