festival ICT 2013: Targeted Attacks and the Custom Defense, Trend Micro
Transcript

  • 1. The Custom Defense against Advanced Threats: Deep Discovery. Confidential | Copyright 2012 Trend Micro Inc. Gastone Nencini, Trend Micro Italy Leader and Senior Technical Manager, Trend Micro Southern Europe
  • 2. Global Threat Intelligence - Smart Protection Network (10/1/2013). Threat data from customers feeds the threat intelligence. Global: we look in more places. Broad: we look at more threat vectors. Correlated: we identify all components of an attack. Proactive: we block threats at their source. 1.15B threat samples daily; 90K malicious threats identified daily; 200M threats blocked daily. Sources cover threat actors, files, mobile apps, exploit kits, URLs, IP addresses, network traffic, domains and vulnerabilities. Since 2008.
  • 3. Today's Attacks: Social, Sophisticated, Stealthy! Copyright 2013 Trend Micro Inc. The attackers gather intelligence about the organization and individuals, target employees using social engineering, establish a link to a Command & Control server, move laterally across the network seeking valuable data, and extract the data of interest, which can go undetected for months! $$$$
  • 4. (Same attack chain as slide 3, now with the Network, Admin and Security teams in the picture.) 1.8 successful attacks per week per large organization [1]; 21.6% of organizations experienced APT attacks [2]. Malware is engineered and tested to evade your standard gateway/endpoint defenses. A custom attack needs a custom defense! Sources: 1: 2012 Ponemon Study on the Cost of Cybercrime; 2: ISACA APT Awareness Study, 2013.
  • 5. Custom Defense: Network-wide Detection, Advanced Threat Analysis, Threat Tools and Services, Automated Security Updates, Threat Intelligence, Custom Sandboxes (spanning Network, Admin and Security).
  • 6. Cyberwar on your network: more frequent, more targeted, more money, more sophisticated. • 1 new threat every second [1] • 1 cyber-intrusion every 5 minutes [2] • 67% of infrastructures can't block a custom, targeted attack [3] • 55% of companies didn't detect the breach [1]. Sources: 1: Trend Micro; 2: US-CERT 2012; 3: Ponemon Institute 2012.
  • 7. Security by signature is not enough. What SWG, NG FW, IPS and AV handle: basic malware, phishing, exploitation tools, malicious websites, common vulnerabilities, discovery tools. What the targeted-attack toolkit adds on top: document exploits, 0-days, obfuscated JavaScript, polymorphic payloads, crypted (packer-obfuscated) RATs, watering hole attacks, spear phishing, C&C communications.
  • 8. Let Me Google That For You
  • 9. Threat profiling through Smart Protection Network & Threat Connect: origin? risk? channel? The Trend Micro Custom Defense cycle is DETECT, ANALYZE, RESPOND, ADAPT: advanced network monitoring technologies analyze weak signals (0-day, C&C, SQLi, DB dump...); custom signatures (IP, DNS, URL, file...) give instant protection; full clean-up follows from detailed profiling and advanced analysis tools.
  • 10. Catch everything with Deep Discovery. Malicious content: embedded document exploits, drive-by downloads, zero-days, malware. Suspicious communication: C&C access, data stealing, worms, backdoor activity... Attack behavior: propagation & droppers, vulnerability scans & brute force, data exfiltration... Protocols: HTTP, SMTP, TCP, SMB, DNS, FTP, P2P, ... (more than 80 protocols analyzed). Engines: Network Content Inspection Engine, Advanced Threat Security Engine, IP & URL reputation, Virtual Analyzer, Network Content Correlation Engine.
  • 11. Trend Micro Virtual Analyzer: your custom sandbox (isolated network, Core Threat Simulator).
    • Custom OS images (WinXP SP3, Win7 Base, Win7 Hardened); 32 & 64 bit; accelerated execution; anti-VM detection; runs binaries, documents, URLs...
    • Live monitoring: kernel integration (hooks, DLL injection...), network flow analysis, event correlation. Sensors: filesystem monitor, registry monitor, process monitor, rootkit scanner, network driver, API hooks, fake Explorer, fake server, fake AV.
    • Sample trace as printed on the slide (the backslashes in the registry keys and file path did not survive extraction):
      LoadLibraryA ARGs: ( NETAPI32.dll ) Return value: 73e50000
      LoadLibraryA ARGs: ( OLEAUT32.dll ) Return value: 75de0000
      LoadLibraryA ARGs: ( WININET.dll ) Return value: 777a0000
      key: HKEY_CURRENT_USERLocal SettingsMuiCache4852C64B7ELanguageList value:
      key: HKEY_CURRENT_USERSoftwareMicrosoftOnheem20bi1d4f
      Write: path: %APPDATA%Ewadaeqawoc.exe type: VSDT_EXE_W32
      Injecting process ID: 2604 Inject API: CreateRemoteThread Target process ID: 1540 Target image path: taskhost.exe
      socket ARGs: ( 2, 2, 0 ) Return value: 28bfe
      socket ARGs: ( 23, 1, 6 ) Return value: 28c02
      window API Name: CreateWindowExW ARGs: ( 200, 4b2f7c, , 50300104, 0, 0, 250, fe, 301b8, f, 4b0000, 0 ) Return value: 401b2
      internet_helper API Name: InternetConnectA ARGs: ( cc0004, mmlzntponzkfuik.biz, 10050, , , 3, 0, 0 ) Return value: cc0008
      .......
    • Findings derived from the trace: modifies file with infectible type: eqawoc.exe; injects into process: 2604 taskhost.exe; accesses suspicious host: mmlzntponzkfuik.biz
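The step from raw API trace to the three one-line findings on slide 11 is what makes a sandbox verdict useful, so here is that step spelled out. This is an added example, not Trend Micro's Virtual Analyzer code: the line formats follow the slide, but the regexes, the file-type tags, the weights, the allow-list and the DGA heuristic are assumptions, and the trace below is constructed to mirror the slide (the same PIDs and host, a duplicated injection line to show de-duplication, and one benign connection).

```python
"""Behaviour verdict from a sandbox API trace.

Added example, not Trend Micro code: it re-derives the three findings the
Virtual Analyzer slide prints (infectible file written, process injection,
suspicious host contacted) from trace lines in the slide's own line format.
Regexes, type tags, weights and the DGA heuristic are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed trace in the slide's line format (PIDs and the contacted host are the slide's).
SAMPLE_TRACE = """\
LoadLibraryA ARGs: ( NETAPI32.dll ) Return value: 73e50000
LoadLibraryA ARGs: ( WININET.dll ) Return value: 777a0000
Write: path: %APPDATA%\\eqawoc.exe type: VSDT_EXE_W32
Injecting process ID: 2604 Inject API: CreateRemoteThread Target process ID: 1540 Target image path: taskhost.exe
socket ARGs: ( 23, 1, 6 ) Return value: 28c02
internet_helper API Name: InternetConnectA ARGs: ( cc0004, mmlzntponzkfuik.biz, 10050, , , 3, 0, 0 ) Return value: cc0008
internet_helper API Name: InternetConnectA ARGs: ( cc0010, update.example.com, 443, , , 3, 0, 0 ) Return value: cc0014
Injecting process ID: 2604 Inject API: CreateRemoteThread Target process ID: 1540 Target image path: taskhost.exe
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    weight: int


INFECTIBLE_TYPES = {"VSDT_EXE_W32", "VSDT_EXE_W64", "VSDT_DLL_W32"}   # assumed file-type tags
INJECT_APIS = {"CreateRemoteThread", "NtCreateThreadEx", "QueueUserAPC", "SetThreadContext"}
KNOWN_GOOD_HOSTS = {"update.example.com"}                             # constructed allow-list

WRITE_RE = re.compile(r"^Write: path: (?P<path>\S+) type: (?P<type>\S+)")
INJECT_RE = re.compile(
    r"^Injecting process ID: (?P<src>\d+) Inject API: (?P<api>\w+) "
    r"Target process ID: (?P<dst>\d+) Target image path: (?P<image>\S+)")
CONNECT_RE = re.compile(r"InternetConnectA ARGs: \( [0-9a-f]+, (?P<host>[^,]+), (?P<port>\d+)")


def looks_generated(host: str) -> bool:
    """Crude DGA heuristic (assumption): a long leftmost label with few vowels."""
    label = host.split(".")[0]
    vowels = sum(c in "aeiou" for c in label)
    return len(label) >= 12 and vowels / len(label) < 0.3


def analyze(trace: str) -> list:
    """Map raw API events to weighted findings; repeated events collapse to one finding."""
    findings = []
    for line in trace.splitlines():
        if m := WRITE_RE.match(line):
            if m["type"] in INFECTIBLE_TYPES:
                name = m["path"].replace("\\", "/").rsplit("/", 1)[-1]
                findings.append(Finding("file.write.infectible", name, 2))
        elif m := INJECT_RE.match(line):
            if m["api"] in INJECT_APIS:
                detail = f"{m['src']} -> {m['dst']} {m['image']} via {m['api']}"
                findings.append(Finding("process.inject", detail, 4))
        elif m := CONNECT_RE.search(line):
            host = m["host"].strip().lower()
            if host in KNOWN_GOOD_HOSTS:
                continue
            if looks_generated(host):
                findings.append(Finding("net.suspicious_host", f"{host}:{m['port']}", 3))
            else:
                findings.append(Finding("net.contact", f"{host}:{m['port']}", 1))
    return list(dict.fromkeys(findings))


def verdict(findings, threshold: int = 5) -> str:
    """Sum the weights; the threshold is an assumption, not a vendor setting."""
    score = sum(f.weight for f in findings)
    if score >= threshold:
        return "malicious"
    return "suspicious" if score else "clean"


if __name__ == "__main__":
    found = analyze(SAMPLE_TRACE)
    for f in found:
        print(f"[{f.weight}] {f.rule}: {f.detail}")
    print("verdict:", verdict(found))
```

Process injection carries the highest weight because it is rarely benign outside debuggers and AV, whereas a single outbound connection is only evidence once the host itself is suspect; that is why the slide's three findings together cross the threshold while a sample that only loads WININET.dll stays clean.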
  • 12. Deep Discovery portfolio. Deep Discovery Inspector: threat profile export (IOC, hash); all-in-one network appliance at 100 Mbps, 250 Mbps, 500 Mbps or 1 Gbps; bare metal (custom appliance); virtual appliance; plug & protect. Deep Discovery Advisor: automatic analysis labs; live detailed dashboard; custom reports; multi-box (5 nodes, 50k files/day); integrated into Trend Micro solutions; API & scripting.
  • 13. Dynamic blacklist: Deep Discovery (Inspector + Advisor), simple & efficient! The diagram shows the Inspector raising alerts (!) on the app server, storage, SMTP relay, web proxy, mail server and endpoint, and the Advisor producing a custom signature: file hash af12e45b49cd23..., C&C sockets 48.67.234.25:443 and 68.57.149.56:80, domains d4.mydns.cc, b1.mydns.cc, ... (custom signature values shown: 3c4çba176915c3ee3df8 7b9c127ca1a1bcçba17). The signature covers the three stages: infection & payload, lateral movement and C&C callback.
  • 14. ATP Integration: Native Advanced Protection. The Advisor's dynamic blacklist (the same custom signature: hash, IP:port, domain) is pushed to the web proxy (IWSva), SMTP relay (IMSva), mail server (ScanMail), endpoint (OfficeScan, Endpoint Sensor) and app server/storage (Deep Security*), covering infection & payload and C&C callback.
  • 15. ATP Integration: Native Advanced Protection (continued). Advisor → dynamic blacklist → ScanMail on the mail server and OfficeScan on the endpoint, with the same custom signature covering infection & payload and C&C callback. Components named: TMCM (Trend Micro Control Manager), CCCA DB (C&C Contact Alert database), ATSE (Advanced Threat Scan Engine).
  • 16. Detect…
  • 17. Detect…
  • 18. …then React: human readable.
  • 19. Open architecture. Deep Discovery exports the dynamic blacklist / custom signature (file hashes, IP:port sockets and domains, e.g. af12e45b49cd23..., 48.67.234.25:443, 68.57.149.56:80, d4.mydns.cc, b1.mydns.cc, ...) through a Web API to third-party SIEMs (CEF/LEEF), web proxies, SMTP relays, network capture and firewalls*. Exported data: notable characteristics, network packets, detections, threat profiles, analysis results, custom C&C.
  • 20. Why Deep Discovery? Dynamic advanced security: multi-engine analysis and correlation; empowered by the Smart Protection Network; custom Virtual Analyzer sandbox; access to TrendLabs security experts. Plug & Protect: high-throughput network analysis; flexible architecture (HW, SW, VM); fast forensics & custom signatures.
  • 21. Building your cyber-defense together: Threat Education Services, Advanced Threat Detection Technology, Threat Security Advisor, Threat Intelligence Service, Cyber Attack Analysis.
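Slides 13 and 19 describe the same flow from two sides: a threat profile becomes a dynamic blacklist of hashes, IP:port sockets and domains, the blacklist is applied at the proxy, relay and endpoint, and hits are exported to a SIEM in CEF. The block below is an added example that walks that whole flow; it is not Trend Micro code and does not use their Web API. The indicator values are the slide's two sockets and two domains plus a hash computed here from constructed bytes, the web-proxy log format and the CEF vendor/product fields are assumptions, and the log lines are constructed. What it adds to the slides is the part they leave implicit: how an indicator is classified by shape, how a domain indicator should also catch subdomains, and which characters CEF requires you to escape before a SIEM parses the line.

```python
"""Dynamic blacklist: threat profile -> indicators -> proxy log matches -> CEF.

Added example, not Trend Micro code. Indicator values other than the slide's
sockets and domains, the proxy log format and the CEF vendor/product fields
are assumptions; the log lines and sample bytes are constructed.
"""
import hashlib
import ipaddress
from urllib.parse import urlsplit

SAMPLE_BYTES = b"constructed dropper body, not real malware"
THREAT_PROFILE = [
    hashlib.sha256(SAMPLE_BYTES).hexdigest(),   # infection & payload (constructed)
    "48.67.234.25:443", "68.57.149.56:80",      # C&C callback sockets (from the slide)
    "d4.mydns.cc", "b1.mydns.cc",               # C&C callback domains (from the slide)
]

# Constructed proxy log: time client method url destination
PROXY_LOG = """\
2013-10-01T09:12:03Z 10.1.4.17 GET http://b1.mydns.cc/gate.php 68.57.149.56:80
2013-10-01T09:12:09Z 10.1.4.17 CONNECT 48.67.234.25:443 48.67.234.25:443
2013-10-01T09:13:44Z 10.1.4.22 GET http://www.example.org/ 93.184.216.34:80
"""


def is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


class Blacklist:
    """Indicators classified by shape, so one feed serves proxy, mail and endpoint."""

    def __init__(self, indicators):
        self.hashes, self.sockets, self.ips, self.domains = set(), set(), set(), set()
        for ioc in indicators:
            self.add(ioc)

    def add(self, ioc: str):
        ioc = ioc.strip().lower()
        if len(ioc) in (32, 40, 64) and all(c in "0123456789abcdef" for c in ioc):
            self.hashes.add(ioc)                     # md5 / sha1 / sha256
            return
        host, sep, port = ioc.rpartition(":")
        if sep and port.isdigit() and is_ip(host):
            self.sockets.add((host, int(port)))
        elif is_ip(ioc):
            self.ips.add(ioc)
        elif "." in ioc and " " not in ioc:
            self.domains.add(ioc.rstrip("."))
        else:
            raise ValueError(f"unrecognised indicator: {ioc!r}")

    def match_host(self, name: str):
        """Exact or parent-domain match: x.b1.mydns.cc hits b1.mydns.cc, mydns.cc does not."""
        labels = name.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None

    def match_socket(self, ip: str, port: int):
        if (ip, port) in self.sockets:
            return f"{ip}:{port}"
        return ip if ip in self.ips else None

    def match_hash(self, data: bytes):
        for algo in ("md5", "sha1", "sha256"):
            digest = hashlib.new(algo, data).hexdigest()
            if digest in self.hashes:
                return digest
        return None


def cef_escape_header(value: str) -> str:
    """Prefix fields: backslash and pipe must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_ext(value) -> str:
    """Extension values: backslash, equals sign and newline must be escaped."""
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(event_id: str, name: str, severity: int, **ext) -> str:
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ..."""
    prefix = "|".join(cef_escape_header(x) for x in
                      ("Example", "DynamicBlacklist", "1.0", event_id, name, str(severity)))
    extension = " ".join(f"{k}={cef_escape_ext(v)}" for k, v in ext.items())
    return f"CEF:0|{prefix}|{extension}"


def scan_proxy_log(log: str, bl: Blacklist) -> list:
    """Return one CEF line per log line whose host or destination socket is blacklisted."""
    events = []
    for line in log.splitlines():
        ts, client, method, url, dst = line.split()
        ip, _, port = dst.rpartition(":")
        host = url.rpartition(":")[0] if method == "CONNECT" else (urlsplit(url).hostname or "")
        ioc = bl.match_host(host) or bl.match_socket(ip, int(port))
        if ioc:
            events.append(to_cef("cnc-callback", "Blacklisted C&C contact", 8,
                                 src=client, dhost=host, dst=ip, dpt=port,
                                 cs1Label="indicator", cs1=ioc, msg=f"{ts} {method} {url}"))
    return events


if __name__ == "__main__":
    bl = Blacklist(THREAT_PROFILE)
    for event in scan_proxy_log(PROXY_LOG, bl):
        print(event)
    print("sample hash hit:", bl.match_hash(SAMPLE_BYTES))
```

The CONNECT case matters in practice: on a TLS tunnel the proxy never sees a URL, so the destination socket is the only indicator it can match, which is why the threat profile carries IP:port pairs alongside domains. Unescaped `=` or `|` in a hostname or message would silently corrupt the SIEM's parse of every later field, so the escaping helpers are not optional.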
  • 22. Thanks