3975 University Drive, Suite 460, Fairfax, Virginia 22030 | 1-855-511-5967 | Invincea.com | @invincea

DETECTION | PREVENTION | INTELLIGENCE

White Paper: Spear-Phishing, Watering Hole and Drive-By Attacks: The New Normal

Secure the primary vulnerability exploited by your adversaries – protect every employee

Executive Summary

The news over the past 18 to 24 months proves one alarming fact – the single largest threat your organization faces today is network breach. Your employees have become the primary target of a diverse set of motivated adversaries bent on one objective: penetrating your network in order to gain access to sensitive information including financial data, research and development activities, intellectual property, and personally identifiable information on your clients and employees. Today’s most successful and common attack vectors involve tricking your users into opening the door to your network. Spear-phishing, watering hole attacks and drive-by downloads are the new normal. The adversary is gaining entry into your network by enticing your employees to click on links and open document attachments, and every time they go to the Internet or open the email client, they put your company at risk.

The techniques used by your adversaries include:

- Spear-phishing emails that deliver the employee to malicious websites that run drive-by download exploits or include weaponized document attachments
- Watering hole attacks that involve hijacking legitimate, trusted sites to push malware to unsuspecting users
- Poisoning search results behind trending news items on popular engines, such as Google, Yahoo!, and Bing
- Pushing malware through popular social networks such as Twitter and Facebook

Your organization is under a state of constant and sustained attack, and every employee represents a potential point of weakness in your security strategy. Innovation in endpoint security is a critical need. New approaches to insulate the employee against these attacks are required, and Invincea is the solution.

Diverse Adversaries – Common Objectives – Massive Gains

Your adversaries range from nation states seeking to steal government secrets and intellectual property, to organized cyber criminals seeking to perpetrate financial fraud and identity theft, to hacktivists seeking to disclose your secrets in the public eye in an effort to shame your organization. Regardless of the actors, the common denominator is that your employees are the entry point. For nation states and cyber criminals the motivation is clear: massive financial gain on the back of your long-term investments.

“Cyber-crime’s estimated cost is more than that of cocaine, heroin, and marijuana trafficking put together.”
Khoo Boon Hui – President, Interpol

No One is Immune

The question from business leaders to their security teams was once “Can this happen to us?” The news over the past 18-24 months has answered that question with an emphatic “Yes…no one is immune.” Every organization is at risk for cyber breach. Depending on the size of the organization, the industry, and the geographic footprint, the adversarial focus may vary. Small and medium sized businesses are most at risk from organized cyber criminals. Enterprises and governments face threats from all three of the main adversarial categories – nation states, cyber-crime, and hacktivists. The Hackmageddon blog covers the motives of adversaries, their targets, and includes a detailed graphic timeline of hacking incidents categorized by month in 2012. Below are a few real-world examples of recent attacks against a wide cross section of industries. The sad reality is that this list is not all-inclusive as there are simply too many examples to cite.

- Spear-phishing attack against RSA
- Spear-phishing attack against Oak Ridge National Labs
- Spear-phishing attacks against global energy companies (“Night Dragon”)
- Spear-phishing attacks against dozens of industries (“Operation Shady RAT”)
- Spear-phishing attacks against The Wall Street Journal, Washington Post and New York Times
- Watering hole attacks against Facebook, Twitter and Apple
- Watering hole attack against the U.S. Department of Labor and Energy
- Drive-by download attack using popular site Speedtest.net
- Drive-by download attack using major Washington D.C. area radio station websites
- Hacktivist attack against Sony PlayStation Network
- Spear-phishing attacks against private firms, think tanks, government organizations
- Spear-phishing attacks against gas pipeline firms
- Cyber-crime attacks against small and medium sized businesses

Assessing the Cost of Data Breach

The Ponemon Institute’s “2012 Cost of Cyber Crime” report places the cost of data breach at an average of roughly $8.4 million. A hefty sum to be sure; however, recent disclosures are even more alarming. When considering the risk of a breach, look at the following:

- $66 million in losses at RSA – The Security Division of EMC
- $171 million in losses suffered at Sony for breach of Sony PlayStation Network
- According to an anonymous source in the U.S. Intelligence community quoted in this Washington Post report, attacks by nation states in the past two years have resulted in:
  o Loss of $100 million worth of insecticide research
  o Loss of $400 million worth of chemical formulas
  o Loss of $600 million worth of proprietary electronics data

“Trade secrets developed over thousands of working hours…are stolen in a split second.”
Robert “Bear” Bryant – National Counterintelligence Executive

The User as the Unwitting Accomplice

We live in a constantly connected world, and every employee in your organization has multiple ways to access your network. They have free rein over the Internet to aid in productivity and are always connected to the email client, day or night, at work or home. Your adversaries know this and use it to their advantage. They also know that despite all of the effort you expend attempting to train your users to make good security decisions, a well-crafted attack has a high likelihood of success. Every employee in the organization is a potential unwitting accomplice to breach, from the intern to the chief executive. Why? The adversaries also know that internal network security is virtually non-existent. With access to, and residency on, a single machine, they can move laterally to seek out the keys to your kingdom.

Looking at the 2011 Investigations report released by the U.S. Computer Emergency Response Team (US-CERT), it is clear that the employee is the primary target. When combining phishing and malicious website-based attacks (i.e. attacks involving employees), US-CERT found that roughly 58% of incidents in 2011 involved direct attacks against the employee.

Total Incidents Reported to US-CERT FY 2011

Category                        Incidents    Share
Phishing                           55,153   51.20%
Virus/Trojan/Worm/Logic Bomb        8,236    7.70%
Malicious Website                   6,795    6.30%
Non Cyber                           9,652    9.00%
Policy Violation                    7,927    7.40%
Equipment Theft/Loss                6,635    6.20%
Suspicious Network Activity         3,527    3.30%
Attempted Access                      863    0.80%
Social Engineering                  2,573    2.40%
Others                              6,294    5.80%
Total                             107,655  100.00%

(Source: US-CERT FY’2011 Investigations)

Fighting an Uphill Battle

When it comes to defending against today’s adversaries, the burden typically falls on under-armed, overworked IT and Information Security teams. Shrinking budgets, limited human resources, sprawling workloads, a lack of innovative new solutions from trusted vendors, and constant push-back from the business to minimize any changes to employee workflow are all working against these teams in their fight to protect your organization. When we combine these challenges with the fact that your adversaries are well-funded, staffed, motivated, and constantly evolving their techniques, it is little wonder that we see the pace of breaches increasing at an exponential rate. Your IT and Information Security teams need help. They need new solutions that can meet the demand of the business to keep the employee productive and at the same time protect every employee from becoming an unwitting accomplice to breach. Unfortunately, the adversary has you outnumbered. This isn’t a problem that can be addressed by scaling your internal team. In fact, every one of your employees is a potential target. This is a problem that demands a technology solution to aid the internal security team in identifying the adversary while not ceding the network to breach.

Wash-Rinse-Repeat – The Security Insanity Cycle:

Against the backdrop described above, these teams often find themselves in a game of “Whac-A-Mole” with your adversaries. The wash-rinse-repeat cycle of detecting an infection, remediating it, and patching the hole used to penetrate your network is what Invincea calls the “Security Insanity Cycle.”

The fundamental problems with this reality are threefold:

1. Infections are usually detected months or years after the fact, meaning the damage is long since done and the adversary has had ample time to both colonize the network and steal sensitive data.

   “In over half of the incidents investigated, it took months – sometimes even years – for this realization to dawn.” Verizon Business Data Breach Investigations Report – 2012

2. Dollars spent on remediation reach into the millions, meaning unbudgeted costs for the organization that impact the bottom line and add to the overall cost of network breach. Moreover, these millions are spent after the damage is done – they do nothing to protect your organization.

3. While your teams are fighting the newly discovered fire, the adversary continues to attack other parts of the organization. This is where the “Whac-A-Mole” analogy comes into play. Your adversaries are persistent – while you clean up one attack, they’ve already pivoted and are launching others against you.

The Great Malware Arms Race

One significant reason that your teams are at a severe disadvantage to your adversaries is that many of the technologies they rely upon are reactive. Most require a list of known bad malware or websites in order to detect or block malware. These technologies no longer work against today’s adversaries, who continuously morph their signature while standing up and bringing down websites on an hourly basis. Consider the following when looking at the ability of signature-based defenses to protect your organization:

- Malware authors are producing roughly 80,000 new variants per day (McAfee).
- Malware authors are increasingly utilizing polymorphic techniques in which malware mutates itself to evade signatures.
- The endpoint has effectively become the new perimeter and Anti-Virus (AV) is the primary endpoint security solution, yet an alarming (though somewhat dated) Cyveillance study shows that AV vendors detect less than 19% of attacks on average.

Why Current Defenses Fall Short

What we need to understand when looking at our defensive strategies is that for all intents and purposes, the user has become the new perimeter. As we have moved to an always-on, increasingly mobile lifestyle, we have changed the security paradigm. It has evolved from one of protecting assets that are statically placed behind our layered defenses to one of protecting those assets wherever they may be at any given point in time. If we accept the ample evidence that suggests the employee is the primary target, then we must also protect his or her computing device. To further support this assertion, consider two recent examples of adversaries targeting employees on the road:

- Popular IBAHN wireless hotel network attack (December 2011)
- IC3 warning of attacks through hotel wireless networks (May 2012)

Assessing the Power of Anti-Virus

Anti-virus (AV) software is inherently reactive because it discovers infections after they occur and is unable to detect new malicious code variants. Typically only a handful of the 40+ AV products will know about the malware. Again, this is because more than 80,000 new malware variants are being released into the wild on a daily basis and malware writers are now using polymorphic techniques to constantly avoid detection. Some AV offerings now feature heuristic patterning in which threats are grouped and analyzed according to common characteristics. However, heuristics are rarely deployed by the AV companies because they are subject to false positives, which can result in severe damage to the system if a system file is quarantined as a false positive. Some AV vendors augment resident data repositories with a real-time, cloud-based service in order to reduce the time it takes to identify threats and provide updates to customers. However, the fundamental approach remains unchanged. These tools are still only stopping known threats, so they’re missing the most sophisticated elements of the threat landscape.

Assessing the Power of Firewalls

One traditional way of protecting the enterprise is to build a wall around the castle – a network firewall. However, firewalls are designed to stop inbound threats to services that should not be offered outside the organization. In the context of a Web browser or email client, firewalls are ineffective since they block only inbound attacks, and browser malware is initiated by outbound Web page requests that pass through the firewall. Additionally, email attachment-based attacks often penetrate firewalls to reach employees if the malware is unknown to AV scanners running at firewalls. The bad actor doesn’t need to try to penetrate the network since the user pulls it in from the inside. Firewalls obviously maintain a role in a layered defense approach as they help to prevent inbound attacks against ports and services that should not be exposed to the outside. Also, if an attack occurs at the network layer, firewalls and filtering proxies can block the connection and prevent the attack from compromising other machines within the enterprise. It just isn’t enough against today’s threats, especially if we accept the assertion that the endpoint is the new perimeter.

Assessing the Power of Web Gateways

Web gateway solutions like Bluecoat, Websense, and those offered by some of the major AV vendors selectively block Web content from a known malicious source. Their effectiveness revolves around the ability to proactively blacklist untrusted sites or, more restrictively, only allow users to visit certain whitelisted sites, so that when a user clicks a link, the gateway may prevent the browser from accessing the site. Similar to AV solutions, Web gateways need to know what bad is beforehand in order to stop your employees from accessing it. Gateways definitely deliver a broader solution than AV because they can blacklist IP addresses and URLs, but they still play a game of cat and mouse with the adversary. It just isn’t enough against today’s threats.

Consider the complexity of maintaining an accurate whitelist and blacklist for your Web gateway when taking into account some of this recent news:

- 30,000 new malicious sites stood up on a daily basis
- “Lizamoon” attack infects millions of legitimate websites
- Amnesty International website hijacked to push malware
- High-ranked sites hijacked and blacklisted by Google

Assessing the Power of Application Whitelisting

While application whitelisting is effective at preventing standalone malware executables from running, most attacks exploit known trusted applications including the browser, document readers, and document editors. Microsoft Internet Explorer, Adobe Reader and, increasingly, Microsoft Office documents are the most vulnerable, targeted, and widely used applications on the desktop. These applications present a rich environment for attackers to find and exploit vulnerabilities. They also provide fertile ground for adversaries to dupe users into clicking on links and opening documents. As malware exploits those applications, the cyber adversary gains a foothold in the enterprise via the whitelisted application. The malware has access to that machine, the data on that machine, and all network devices to which that machine is connected.

A paper recently presented at ShmooCon 2012 entitled “Raising the White Flag” detailed the security gaps in leading whitelisting tools including:

- ActiveX controls
- PDF documents
- Office documents
- Shellcode injection
- Java
- JavaScript
- Browser exploits
- Browser extensions
- Scripting

Not surprisingly, these attacks involve exploiting both the extant vulnerabilities and the extensions and plug-ins of whitelisted applications including the browser and document readers and editors. This includes scripting languages, shellcode, Java, interpreters, and vulnerabilities in the applications themselves. Unfortunately, these are the most common real-world exploits. Most exploits work by either using a spear-phish to direct the user to click on a link or directing the user to open an attachment. Users also get infected using more opportunistic methods like poisoned search engine results or simply browsing the Web. It’s not unusual for malware to leverage a browser vulnerability to directly inject itself into the memory of a running process, such as an operating system service. In all of these cases, the exploited or infected process has been whitelisted and therefore is allowed to run with full and normal privileges.

Assessing the Power of Network-Based Malware Detection

Recently there has been a push for perimeter security solutions that promise to do behavioral analysis of content using virtual machines. However, there are fundamental limitations with this approach based on content analysis and scalability, and they have already been circumvented by several countermeasures, some of which are quite simple.

Network Boundary Limitations for In-Line Analysis:

The fundamental limitation on deployments in practice is making the network appliance the bottleneck for all inbound content. While deep packet inspection (DPI) technologies have made progress toward being able to do in-line inspection at gigabit speeds, DPI devices are doing pattern matching on hardware optimized for the purpose of matching network streams against known attack patterns, i.e., signature matching against known threats. Network appliances that attempt to run content in a virtual machine (VM) at the network boundary before passing on the content face a fundamental limitation: they introduce unacceptable latency for each session or content type that must be analyzed prior to passing the content to the user.

To do in-line monitoring with a VM-based technique, you will need to create at least one VM per session, and likely one per content type. For instance, if a user browses to a website and the device attempts to determine if that website is malicious, it will also need to browse to the website and attempt to observe any malicious behavior. Clearly the latency to perform this action proactively is infeasible, so the best case is that it determines the site is malicious while the breach happens or after the breach occurs. For example, in analyzing the content attached to an email, a VM must be created for each content type. If the email has a PowerPoint, Word, and .zip archive with executable type programs embedded, then a VM must be created for each of these content types – and that is just for a single email for a single user.

There are significant scalability issues that arise with this approach:

1. Scaling to number of users
2. Scaling to number of sessions and emails per user
3. Scaling to content types
4. Scaling to versions of software for each content type (e.g., Adobe 8.x, Adobe 9.x) to determine if a vulnerability is being exploited
5. Scaling within acceptable latency bounds for delaying delivery of content

Points 1, 2, and 3 above set the requirement for a certain number of VMs to be created per user in your organization based on the network sessions they have and content type. Point 4 exacerbates this problem severely because most exploits are both specific to a particular version of the application running the content type and the operating system that runs the application. In other words, an in-line solution will need to include every version of every application/operating system combination present within the network to determine if it may be exploited by the untrusted content. The final point, Point 5, is extremely difficult to overcome because it cannot scale with hardware. The adversary can introduce arbitrary delays in running malicious code. For instance, when opening a Word or PDF document, the malicious code may choose to wait 15 or 20 minutes before running. Some exploits we have observed in practice will require a system reboot before running the malicious code. Finally, archiving content in a compressed, encrypted, or password-protected format where the password or key is shared with the user defeats in-line approaches, simply because the content cannot be scanned at the gateway. These tactics are all within control of the adversary and make in-line analysis of content fundamentally unscalable.
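The last of those tactics, the password-protected archive, is one the gateway can at least recognise from the archive's own headers, which are never encrypted. Added example, not code from the white paper or from Invincea: a small ZIP central-directory parser that flags attachments an in-line scanner cannot inspect, so policy can hold them or hand them to an isolated endpoint instead of passing them through on a content verdict it never reached. The sample archives, and the names invoice.docm and readme.txt, are constructed inline.

```python
# Added example, not code from the white paper or from Invincea: a minimal ZIP
# central-directory parser that tells an in-line gateway scanner which attachments
# it cannot inspect because an entry is encrypted. Sample archives are constructed
# in memory; "invoice.docm" and "readme.txt" are made-up names.
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record (22 fixed bytes)
CDIR_SIG = b"PK\x01\x02"   # central-directory file header (46 fixed bytes)
LOCAL_SIG = b"PK\x03\x04"  # local file header (30 fixed bytes)
FLAG_ENCRYPTED = 0x0001    # general-purpose flag bit 0: entry data is encrypted


def parse_central_directory(data):
    """Return one dict per archive entry, decoded from the central directory.

    These headers are never encrypted, so a gateway can always read names,
    sizes and flags; whether the *content* is readable is what 'encrypted' says.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a ZIP archive: no end-of-central-directory record")
    # EOCD: sig, disk, cd_disk, entries_this_disk, entries_total, cd_size, cd_offset, comment_len
    _, _, _, n_total, _, cd_offset, _ = struct.unpack_from("<4xHHHHIIH", data, eocd)
    entries, pos = [], cd_offset
    for _ in range(n_total):
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError("bad central-directory signature at offset %d" % pos)
        (_, _, _, flags, method, _, _, _, csize, usize, name_len, extra_len,
         comment_len, _, _, _, local_off) = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, pos)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        # The sender controls the file, so cross-check the local header and treat an
        # encryption bit in either header as encrypted rather than trusting just one.
        local_flags = 0
        if data[local_off:local_off + 4] == LOCAL_SIG:
            local_flags = struct.unpack_from("<H", data, local_off + 6)[0]
        entries.append({
            "name": name, "flags": flags, "method": method,
            "compressed_size": csize, "size": usize,
            "cd_offset": pos, "local_offset": local_off,
            "encrypted": bool((flags | local_flags) & FLAG_ENCRYPTED),
        })
        pos += 46 + name_len + extra_len + comment_len
    return entries


def gateway_verdict(data):
    """Classify an archive for an in-line scanner.

    'scannable': every entry can be decompressed and inspected at the gateway.
    'opaque': at least one entry is encrypted, so the scanner sees only ciphertext
    and must fall back to a policy decision (hold, strip, or let an isolated
    endpoint open it) instead of a content verdict.
    """
    entries = parse_central_directory(data)
    opaque = [e["name"] for e in entries if e["encrypted"]]
    return {"entries": len(entries), "opaque_entries": opaque,
            "verdict": "opaque" if opaque else "scannable"}


def content_visible(data, name):
    """True if the standard library can hand the scanner the plaintext of `name`."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.read(name)
        return True
    except RuntimeError:  # zipfile: "File ... is encrypted, password required"
        return False


def build_sample(encrypt):
    """Construct a two-file archive. With encrypt=True the encryption bit is set in
    both headers of invoice.docm, which is all a scanner sees of a password-protected
    entry; the bytes themselves are not enciphered, since only the headers matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.docm", b"constructed sample payload, not a real document")
        zf.writestr("readme.txt", b"constructed: 'the password is in the email body'")
    data = bytearray(buf.getvalue())
    if encrypt:
        for e in parse_central_directory(bytes(data)):
            if e["name"] == "invoice.docm":
                struct.pack_into("<H", data, e["local_offset"] + 6, e["flags"] | FLAG_ENCRYPTED)
                struct.pack_into("<H", data, e["cd_offset"] + 8, e["flags"] | FLAG_ENCRYPTED)
    return bytes(data)


if __name__ == "__main__":
    for label in ("plain", "protected"):
        archive = build_sample(label == "protected")
        print(label, gateway_verdict(archive),
              "invoice visible:", content_visible(archive, "invoice.docm"))
```

The readme.txt entry stays readable in the "protected" sample, which is the pattern the paragraph describes: the password travels in the clear while the payload the scanner needs to see does not.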

In addition to all these drawbacks, hardware isn’t cheap. With a robustly configured server, you can host at least 64 and at best 128 virtual machines. Once you start to do the math on how many simultaneous virtual machines need to be created for your users, how many sessions will take place, and which content types will be used, this approach gets unscalable and uneconomical quite rapidly.

As a result, the market quickly concluded that running this class of solution that inspects inbound content via virtualization at the network perimeter is infeasible. Because in-line analysis has become untenable, these devices are now being configured to examine outbound connections only. What this means in practice is the device can look at outbound connections (primarily HTTP) to attempt to determine if an internal machine is communicating with a known command and control network. In this case, the device has simply become another pattern matching machine that is driven by the latest lists of known botnet command and control networks. Likewise, where the virtualization approach to behavioral analysis is abandoned, the device is often used simply to compare signatures of content such as executable type files against known malicious signatures. Unfortunately this means the device has become another in a long list of security appliances that are reactive and can only detect known threats.

If the detection efforts fail, then the effort becomes about the post facto discovery of the malware that takes root within the IT infrastructure. Network colonization by the adversary and the required network remediation to address the problem can be very expensive, typically costing seven figures to rid the network of an infection.

A final point to consider with network boundary devices is the case of the mobile user outside of the network. When this user is simply online on the road or at home, not VPN’d into the corporate network, they are essentially bypassing any protection provided by network perimeter devices. With the expansion of the mobile work force and personal email services, this is becoming a significant risk for enterprise security managers.

The Invincea Solution

Invincea addresses the gaps left by other security solutions by protecting the most important attack surface in the enterprise – the employee. Invincea employs application virtualization to create a protective “bubble” around applications that run untrusted content – including Web browsers, PDF readers, the Office suite, .zip and .exe files. We protect users against both known and zero-day malware delivered via spear-phishing, watering holes, drive-by downloads, social networking worms, fake anti-virus and other online threats. By creating secure virtual containers and running each of these applications in its own virtual environment on the endpoint, Invincea has created an enterprise “airlock” that seals the potential attack vector off from infecting the endpoint and prohibits lateral movement in your network.

Endpoint Security Software:

Invincea deploys as a lightweight Windows application. This application is licensed on a subscription basis with flexible renewal options to meet your specific needs. The application has the ability to protect your users against all untrusted content by moving browsers, PDF readers, the Office suite, .zip files and executables into a contained, virtual environment. You simply tell us which applications you want protected and we turn on the virtual environment to support them. The endpoint solution deploys quickly and easily, just as you would push any Windows-based application.

Threat Intelligence Appliance:

To gather the rich pre-breach forensic intelligence your teams need related to thwarted attacks, the Invincea platform also includes our Threat Data Server, which is licensed and available on-premise as a physical or virtual appliance or as a cloud-based service. The Threat Data Server is built with scalability in mind, which means you won’t have to rack and stack large amounts of new gear.

How it Works

Containment

Invincea takes the most highly targeted applications in your network (the Web browser, PDF reader, Office suite, .zip files, executables) and seamlessly runs them in secure virtual containers. Every time the Web browser is opened, or anytime an attachment comes from outside the network, Invincea creates a segregated environment for these applications to operate. By creating this specialized virtual environment, Invincea contains all malware – whether zero-day or known – and prevents it from attacking the host operating system as a pathway for breach and lateral movement in your network.

Detection

Unlike other solutions, Invincea does not rely on malware signatures for detection. Instead, it automatically identifies malware attacks based on behaviors and actions inside the contained, controlled, and isolated environment. As a result, Invincea can detect zero-day attacks in real-time and thwart those attacks with ease.

Prevention

Over the past few years, we’ve been taught by repeated assertion from those who benefit from remediation and network forensic professional services that the breach cannot be stopped and that post facto detection is the new prevention. We can’t blame our fellow security professionals for their cynicism because the truth is that the prevention security industry has utterly failed us, our governments, corporations, and citizens. Reactive list-based approaches can no longer stop the threat; therefore the logical conclusion drawn and promulgated is that you can only attempt to detect the intruder in your network. Perhaps this conclusion was accurate at that point in time, but with the innovations delivered by Invincea’s breach prevention platform this is no longer a reality. When we detect an infection inside our contained environment, we immediately alert the user, discard the tainted environment, and rebuild to a gold-clean state inside 20 seconds. We also capture rich forensic detail related to the attack and feed it on to your broader security infrastructure.

Intelligence – The Invincea Threat Data Server

Not only do we detect and prevent breaches from occurring, we capture rich forensic intelligence on every attempted attack at the point of detection and feed this to other leading security technologies. The primary value Invincea delivers is that we actually stop the attack at the point of detection. We take every one of your users and put them in an environment that protects them from spear-phishing, drive-by downloads, poisoned search engine results, malicious websites, sites that have been hijacked, etc. We take it one step further than even that: we turn your users into part of an enterprise-wide malware detection network. The instant that malicious activity is detected in the Invincea breach prevention platform, we begin collecting forensic information.

We isolate and identify:

- Infection Source: We identify the URL, PDF attachment, Office attachment, .zip, or .exe file that triggered the infection
- Timeline of Attack: We dissect the actions of the malware – what it did when it opened, unpacked, how it cleaned up after itself, etc.
- Registry Changes: We capture all changes the malware attempted to make to the registry
- Connections: We identify any and all connections – whether inbound or outbound – showing you the command and control channels the adversary attempted to create

This information is fed to the Invincea Threat Data Server where it is integrated with your Security Information and Event Management (SIEM) and presented for your teams in a single interface. Understanding that you need a method to push this information on to the rest of your infrastructure, we have integrated with a number of other leading security technologies such as:

- McAfee ePO
- ArcSight
- Splunk
- Q1 Radar
- NetWitness
- ThreatGrid

The threat information, including command and control server IPs and domain names, combined with indicators of compromise including file names, hashes, and registry values, is matched against Invincea partners’ threat intelligence feeds to provide adversarial attribution and cross-vendor intelligence on adversarial motives.

The Benefit of Invincea

- Invincea protects the new perimeter – the endpoint – with an innovative solution that requires no signatures and keeps malware in an airlock
- Invincea addresses zero-days and APTs and stops them dead in their tracks
- Breaks the “Security Insanity Cycle” – eliminating costly detection, remediation, and patching cycles
- Every employee in the organization is protected wherever they go
- A single user virtual infection protects the entire enterprise by feeding rich forensic data to the rest of your security infrastructure to block requests from all users to URLs that infected the user that clicked on the link
- Invincea’s threat data feeds extend the power and life of your current investments
- Every enterprise license agreement includes licenses for home use, meaning your employees are protected both at work and at home

Put Invincea to Work

To find out more about how to deploy Invincea and feel the safety our solutions provide, contact us today at 1-855-511-5967.

Learn More

Visit our website at www.invincea.com for product summaries, video demonstrations, Invincea news stories, and much more. While you are there, check out the Invincea Blog for breakdowns of trending security news articles and why they are important to you and your organization at https://www.invincea.com/newsroom/blog/.

Where to Find Us

For information security news and updates follow us on Twitter @Invincea. To catch a glimpse of life at Invincea, “like” our Invincea, Inc Facebook page. Or, check out what we are talking about on our Invincea YouTube channel. You can also find us here:

Invincea, Inc.
3975 University Drive, Suite 460
Fairfax, VA 22030