Mitigating the clicker
My IDC ICT conference presentation for September 26th, 2013, on how new innovative tools (AMPs, Advanced Malware Protection) can actually prevent threats today.


  1. Mitigating the CLICK'er: how AMPs (Advanced Malware Protection) and other advanced, innovative tools can finally help protect your infrastructure. Claus Cramon Houmann, Banque Öhman, 2013-09-25
  2. Remember:
     • Never ever rely on a single solution
     • Defense in depth
     • Both threat prevention and threat detection are important
     • If the bad guys want to get in badly enough, they will – so be able to reduce the "dwell time" they have inside your systems
     • The "CLICKER" I define as the colleague who just cannot help clicking on that "interesting link" in a suspicious e-mail, because "probably nothing will happen" or "just to see what happens", or who doesn't even think about it...
  3. One single 0-day or unpatched system is all "they" need
  4. IT Security, a quick overview
  5. Breach methods
     • There are many points of entry for hackers when breaching a system/network:
       – Hacking (e.g. SQL injection against DB servers)
       – Malware (e.g. phishing)
       – Social engineering
       – Physical
  6. [Chart] Source: Verizon's 2012 Data Breach Investigations Report
  7. Protecting against external threats
     • As your organization's "infosec level" matures, you may be able to pass or almost pass a pentest. Most low-hanging fruit has been "picked" already
     • This makes it very hard for "them" to get in via hacking methods
     • -> they will try malware next
  8. Advanced malware leveraging e.g. 0-days = CIO/CISO nightmare
     • Slowly but steadily one thing will make you lose sleep at night: how do you protect against colleagues clicking on phishing e-mails or visiting bad websites (watering holes, for example)?
     • The CLICKER becomes your biggest external threat!
  9. [Image of a traditional security stack] SO, you can have all this. And it helps you little or nothing
  10. Mitigating the "CLICKER"
     • There are now innovative next-generation tools available for advanced threat prevention and/or detection = AMPs
       – Microvirtualization
       – Advanced code handling/analysis/reverse-engineering tools
       – Network-level sandboxing, or detection based on behavioural analysis/packet inspection
       – System- and registry-level lockdown of process/user rights
       – Cloud-based Big Data analytical/defense tools
       – Whitelisting tech
       – Others – this "market segment" is booming right now
  11. Why is the AMP market booming? Background
     • The AV industry in the traditional sense has declared their tools insufficient and the war on malware lost
     • Hacking is increasingly supported by big budgets – think nation-state-sponsored APTs
     • 0-days abound in the wild – being purchased by "hackers", unofficial hackers and nation-state-sponsored hackers alike
     • The black-market cyber industry is a huge economy
  12. Baby years
     • As the AMP industry is in its "baby years", you have to make allowances for products still being heavily changed/developed
     • Immature market
     • No 100% tools – no one can cover everything. If you meet a vendor that claims they can, don't trust it
     • That said, on to look at the NG tools!
  13. How does microvirtualization work?
     • Hardware-level virtualization gives complete separation of user tasks in separate, individual (micro-sized) hypervisors
  14. Why microvirtualization
     • Mitigates the following threats:
       – USB sticks with malicious content
       – Watering holes
       – Malicious attachments in e-mail
       – Clicking links leading to malware on websites/e-mails
     • Pros:
       + Workflow enabler
       + Small amount of custom config needed
       + Negligible performance impact on endpoints
       + Unknown to hackers
       + No dependence on traditional "signature"-based methods
     • Cons:
       – No server protection against hacking attempts
       – Early life-cycle stage – unfinished products
  15. How & why – advanced code handling tools
     • The similarity across products here is that they employ innovative strategies to "identify" bad behaviour despite encryption, obfuscation, fragmented files etc. – the methods and tools that malware authors use to hide the true function of their software
     • Malware can be identified and/or blocked and/or removed efficiently
     • Pros:
       + Reduced dwell time
       + No dependency on traditional signature methods
       + Potentially scales very well for large corporations
     • Cons:
       – Most tools like these are detection tools and have limited prevention capabilities
       – Client understanding of how the tool works is minimal
  16. How & why: network-level sandboxing
     • The idea here is to catch and analyze malware before it reaches the end users – prevention, but also detection. It kind of "re-plays" malware in a stack of different virtual machines to give it a good chance of hitting an environment that it's meant to "go off" in.
     • Pros:
       + Threat detection vs. clicker threats
     • Cons:
       – Network perimeter technologies cannot protect roaming users – and users are increasingly mobile
       – Malware is getting smarter. It can evade these tools by waiting for the user to do something (use the mouse/keyboard, for example)
       – These tools just ALERT you – they do not PROTECT you
  17. System- and registry-level lockdown of process/user rights
     • These tools all try to prevent malware by denying it the access/rights to drop files, inject DLLs etc.
     • Pros:
       + Tight lockdown
     • Cons:
       – Configuration "heavy"
       – Is saying "no" to users the answer?
       – Change management becomes somewhat harder
  18. Cloud-based Big Data analytical/defense tools
     • Vendors here try to detect and block threats using Big Data approaches to "signatures" or "known samples"
     • Pros:
       + Potential to see inside virtual switches and traffic between virtual machines – traffic that sometimes never reaches a firewall or network appliance
     • Cons:
       – Uploading samples identified in your environment to a vendor's cloud is a risk in itself – the sample has enumeration data on your environment, and maybe more
       – The traditional signature approach has limitations, even with a Big Data approach, since malware can be adapted to evade it
  19. Whitelisting
     • The idea behind whitelisting is to block malware by simply only allowing known trusted websites, trusted applications etc.
     • Pros:
       + Whitelisting can be an effective technique for dealing with traditional file-based malware such as viruses and spyware. Unsophisticated attacks that rely on downloading and running an arbitrary executable file are generally foiled by whitelisting.
       + Whitelisting can be particularly effective in "locking down" dedicated appliance-like systems that don't function as general-purpose productivity tools.
     • Cons:
       – Maintaining what is "trusted" as things change. Operational nightmare?
       – Vulnerable to unknown/zero-day attacks and malicious content within whitelisted apps (even "trusted" code can have vulnerabilities...)
       – Vulnerable to non-file-based attacks, which are carried out without ever downloading or executing a file for the whitelist to block (such as memory-only attacks that inject into a running process)
       – Is saying "no" to users the answer?
       – Trusting the whitelist – what if it's compromised?
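The hash-based application allowlist the whitelisting slide describes, with two of its cons made concrete: a legitimate update changes the file hash and is blocked until re-approved ("maintaining what is trusted"), and the list itself is integrity-checked so a tampered allowlist is rejected rather than trusted. This is an added example in Python, not code from the deck or from any vendor; file names, file contents and the signing key are constructed.

```python
import hashlib
import hmac
import json

# Constructed: key held by the policy owner to seal the allowlist.
POLICY_KEY = b"constructed-policy-signing-key"

def seal_allowlist(entries, key=POLICY_KEY):
    """Serialise {name: sha256} and attach an HMAC so later edits are detectable."""
    body = json.dumps(entries, sort_keys=True).encode()
    return {"body": body.decode(), "mac": hmac.new(key, body, "sha256").hexdigest()}

def load_allowlist(sealed, key=POLICY_KEY):
    """Refuse a list whose HMAC fails: a tampered allowlist must not be trusted."""
    body = sealed["body"].encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, sealed["mac"]):
        raise ValueError("allowlist integrity check failed")
    return json.loads(body)

def decide(name, content, allowlist):
    """Return 'allow', 'deny-unknown' or 'deny-drift' for one executable image."""
    digest = hashlib.sha256(content).hexdigest()
    if name not in allowlist:
        return "deny-unknown"   # never approved: blocked, which is the point of whitelisting
    if allowlist[name] != digest:
        return "deny-drift"     # approved name, changed bytes: a legitimate update lands here too
    return "allow"

# Constructed sample "binaries" standing in for real files on disk.
APPROVED = {"editor.exe": hashlib.sha256(b"editor v1").hexdigest()}
SEALED = seal_allowlist(APPROVED)

def demo():
    """Trusted build passes; an updated build is blocked until re-approved; unknown is blocked."""
    lst = load_allowlist(SEALED)
    return {
        "trusted": decide("editor.exe", b"editor v1", lst),
        "updated": decide("editor.exe", b"editor v2", lst),
        "unknown": decide("dropper.exe", b"unknown", lst),
    }

def tampered_list_rejected():
    """The sealed list is rewritten to approve a different name; the MAC no longer verifies."""
    bad = dict(SEALED, body=SEALED["body"].replace("editor.exe", "dropper.exe"))
    try:
        load_allowlist(bad)
    except ValueError:
        return True
    return False
```

The "deny-drift" outcome is the operational cost the slide warns about: every vendor patch of an approved application needs a re-approval step before users can run it again.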
  20. Conclusion
     • To efficiently protect against APTs and advanced malware you want to:
       – Have capabilities within threat prevention, detection, alerting and incident response, maybe even some kind of IOC / threat-sharing community. AMP + more.
       – Have defense in depth
     • To efficiently mitigate the risks of the CLICKER you want to:
       – Block not only known threats but also the unknown, while enabling the business to do its "thing"
       – Be able to detect and efficiently remove threats
  21. About me
     • Claus Cramon Houmann, 38, married to Tina, and I have 3 lovely kids
     • CISSP, ITIL Certified Expert, PRINCE2 Practitioner
     • You can contact me anytime:
       – Skype: Claushj0707
       – Twitter: @claushoumann or @improveitlux
     • Sources used:
       – Verizon: Data Breach Investigations Report 2012
       – @gollmann from IOActive blog posts
  22. Questions?
  23. More questions?