How Targeted APT and Advanced Malware Attacks Evade Anti-virus Software
Targeted APT and advanced malware attacks leverage social engineering techniques to compromise those individuals already on the inside. The objective of these attacks is clear: identify and compromise specific individuals within an organization to obtain high-value data. Are your employees unknowing victims of advanced malware? How do advanced malware and targeted APT attacks bypass traditional security defenses like anti-virus software? This presentation discusses the rise in advanced malware and targeted APT attacks, highlights why anti-virus software is powerless against sophisticated attacks, and provides mitigation strategies for the compromised organization.

Published in: Technology
Transcript

  1. How Targeted Attacks Evade Anti-Virus Software © 2012 Imperva, Inc. All rights reserved.
  2. Agenda
     - Compromised insiders defined
     - The anatomy of a compromised insider campaign
     - Non-mitigation techniques: anti-virus
     - Mitigating compromised insiders in theory, with a real-world case study: RSA
     - Mitigating compromised insiders in practice
  3. Today's presenter: Rob Rachwald, Dir. of Security Strategy, Imperva
     - Research: directs security strategy; works with the Imperva Application Defense Center
     - Security experience: Fortify Software and Coverity; helped secure Intel's supply chain software; extensive international experience in Japan, China, France, and Australia
     - Thought leadership: presented at RSA, InfoSec, OWASP, ISACA; appearances on CNN, SkyNews, BBC, NY Times, and USA Today
     - Graduated from University of California, Berkeley
  4. Insider threat defined. Insider Threat: someone who has trust and access and acquires intellectual property and/or data in excess of acceptable business requirements. They do so:
     + Maliciously
     + Accidentally
     + By being compromised
  5. Compromised insider defined. Compromised Insider: a third party who gains access and acquires intellectual property and/or data in excess via client infection. The clients, often employees in government, military or private industry, are unknowing accomplices and have no malicious motivation.
  6. In recent events ...
     - Saudi Aramco: malicious insider, 30,000 computers hacked, full service disruption.
     - Global Payments: compromised insider, causing 1.5M payment cards to be compromised.
  7. Malware: compromised insiders on the rise
     - 2012 Verizon Data Breach Report
       + Malware is on the rise: "69% of all data breaches incorporated malware", a 20% increase over 2011.
       + Malicious insider incidents declining: "4% of data breaches were conducted by implicated internal employees", a 13% decrease compared to 2011.
     - Director of National Intelligence
       + "Almost half of all computers in the United States have been compromised in some manner and ~60,000 new pieces of malware are identified per day".
  8. The 1% to be really concerned about: "Less than 1% of your employees may be malicious insiders, but 100% of your employees have the potential to be compromised insiders." Source: http://edocumentsciences.com/defend-against-compromised-insiders
  9. Who does it?
     - Governments: stealing intellectual property (IP) and raw data, as well as espionage. Motivated by politics and nationalism.
     - Private hackers: stealing IP and data. Motivated by profit.
     - Hacktivists: exposing IP and data, but also compromising infrastructure. Motivated by almost anything; have attacked nations, people, religion, commerce, etc.
  10. Where do they attack? (Diagram: the desktop and the user, not well protected, versus the multimillion dollar datacenter, well protected. Both access the same data.)
  11. Anatomy of a Compromised Insider Campaign
  12. With social networks, smart bombing is not hard
  13. With social networks, smart bombing is not hard
  14. Industrialized approach. Specialized frameworks and hacking tools, such as BlackHole 2.0 and others, allow easy setup for host hijacking and phishing. How easy is it? For $700: a 3-month license for BlackHole is available online. Includes support!
  15. Is this real? The recent "iPhone 5 Images Leak" was a Trojan download drive-by.
  16. Is this real? Persistent XSS vulnerable sites provide the infection platform.
     - Gmail, June 2012
     - Tumblr, July 2012
  17. Is this real? On Sep 24th 2012, the FBI issued a warning of targeted scams.
     - "Once compromised, keyloggers and RATs installed on the financial institution employees' computer provided the criminals with 'complete access'."
     - "Unauthorized transactions were preceded by unauthorized logins that occurred outside of normal business hours."
     - "The DDoS attacks were likely used as a distraction."
  18. Non-Mitigations: Anti-Virus
  19. The media view: "Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn't. We were out of our league, in our own game." Source: http://www.wired.com/threatlevel/2012/06/internet-security-fail/
  20. The hacker view: an entire industry exists to bypass anti-virus. Today, anti-virus stops between 6-27% of viruses. Source: http://adamonsecurity.com/?p=323
  21. The anti-virus vendor view: hackers exploit zero-day bugs for 10 months on average before they're exposed. Source: http://www.forbes.com/sites/andygreenberg/2012/10/16/hackers-exploit-software-bugs-for-10-months-on-average-before-theyre-fixed/
  22. Protect and monitor the cheese
     - Problem: most organizations chase the mice and don't focus enough on protecting the cheese.
       + Much of security budgets is spent on malware detection and virus prevention.
       + Front-line/end-user defenses must be 100% accurate: if one mouse gets past them, the cheese is gone.
  23. Mitigating Compromised Insiders
  24. Step 1: Know what users do with data
     - Classify sensitive information: identifying the information within the corporate databases and file servers allows understanding of the risk and severity of data access.
     - Persistent security policy: a good security policy will allow you to put compensating controls in place without disrupting business needs, while maintaining security.
     - User rights: map your users' rights. Understand who has access to what, and why dormant accounts exist.
     - Analyze, alert, and audit on activity: by keeping track of access and access patterns, it becomes easy to understand who accessed your data, what was accessed, and why.
  25. Step 2: Look for aberrant behavior
     - What: weirdness probably means trouble.
     - How:
       + Profile normal, acceptable usage and access to sensitive items by volume, access speed and privilege level.
       + Put in place monitoring, or "cameras in the vault."
  26. Example: Databases
     - Check the entry method. Legitimate individuals should, typically, access data through a main door.
     - Monitor the activity of individuals. If employees have been granted miscellaneous access permissions, monitor what they are doing. Malware from spear phishing typically causes unusual behavior.
     - Monitor the activity of privileged users. Database controls should track the activity of privileged users and monitor what they are accessing.
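The profiling described in slides 25 and 26 (baseline each user's volume, access speed, privilege level and entry method, then alert on deviations) can be reduced to a small amount of code. The block below is an added example, not Imperva's or the presenter's code: the audit-record fields, the 08:00-18:59 business window, the thresholds and every record in it are constructed assumptions.

```python
"""Profile-then-alert over database audit events (added example, constructed data).

Baseline each user's normal volume, access speed, privilege level and entry
method from historical audit records, then report why a new event deviates.
Record fields, thresholds and the business-hours window are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

PRIVILEGED_OPS = {"GRANT", "REVOKE", "ALTER", "DROP", "CREATE USER"}
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 (assumption)


@dataclass
class DbEvent:
    ts: datetime
    user: str
    source: str     # "app": through the application front door; "direct": SQL client
    op: str
    table: str
    rows: int       # rows returned or affected


@dataclass
class Profile:
    sources: set
    mean_rows: float
    sd_rows: float
    max_rows: int
    hours: set
    max_per_minute: int
    privileged: bool


def build_profiles(events):
    """Learn one Profile per user from a historical window of audit events."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e.user].append(e)
    profiles = {}
    for user, evs in per_user.items():
        rows = [e.rows for e in evs]
        per_min = Counter(e.ts.strftime("%Y-%m-%d %H:%M") for e in evs)
        profiles[user] = Profile(
            sources={e.source for e in evs},
            mean_rows=mean(rows), sd_rows=pstdev(rows), max_rows=max(rows),
            hours={e.ts.hour for e in evs},
            max_per_minute=max(per_min.values()),
            privileged=any(e.op in PRIVILEGED_OPS for e in evs),
        )
    return profiles


def check_event(e, profiles):
    """Reasons to alert on one event; an empty list means it fits the user's profile."""
    p = profiles.get(e.user)
    if p is None:
        return ["user has no baseline profile"]
    reasons = []
    if e.source not in p.sources:                                  # entry method
        reasons.append(f"new entry method: {e.source}")
    if e.rows > max(p.mean_rows + 3 * p.sd_rows, 2 * p.max_rows):  # volume
        reasons.append(f"volume: {e.rows} rows (baseline max {p.max_rows})")
    if e.ts.hour not in BUSINESS_HOURS and e.ts.hour not in p.hours:  # timing
        reasons.append(f"off-hours access at {e.ts:%H:%M}")
    if e.op in PRIVILEGED_OPS and not p.privileged:                # privilege level
        reasons.append(f"privileged operation {e.op} by non-privileged user")
    return reasons


def check_rate(events, profiles):
    """Access speed: users whose queries per minute exceed twice their baseline."""
    per_min = Counter((e.user, e.ts.strftime("%Y-%m-%d %H:%M")) for e in events)
    flagged = {}
    for (user, minute), n in per_min.items():
        p = profiles.get(user)
        if p and n > 2 * p.max_per_minute:
            flagged[user] = f"{n} queries in minute {minute} (baseline max {p.max_per_minute})"
    return flagged


# Constructed baseline: alice reads small result sets via the app during the day,
# bob is a DBA who works directly on the server and runs privileged statements.
BASELINE = [
    DbEvent(datetime(2012, 10, 1, 9, 5), "alice", "app", "SELECT", "orders", 25),
    DbEvent(datetime(2012, 10, 1, 11, 30), "alice", "app", "SELECT", "orders", 40),
    DbEvent(datetime(2012, 10, 2, 14, 12), "alice", "app", "UPDATE", "orders", 1),
    DbEvent(datetime(2012, 10, 2, 16, 45), "alice", "app", "SELECT", "orders", 30),
    DbEvent(datetime(2012, 10, 1, 10, 0), "bob", "direct", "GRANT", "orders", 0),
    DbEvent(datetime(2012, 10, 2, 10, 5), "bob", "direct", "SELECT", "customers", 500),
]
# Constructed new events: a bulk night-time pull from a SQL client under alice's
# account, a routine DBA change, and a burst of otherwise normal-looking queries.
SUSPICIOUS = DbEvent(datetime(2012, 10, 3, 2, 15), "alice", "direct", "SELECT", "customers", 50000)
BENIGN_DBA = DbEvent(datetime(2012, 10, 3, 10, 0), "bob", "direct", "ALTER", "orders", 0)
BURST = [DbEvent(datetime(2012, 10, 3, 10, 15, 10 * i), "alice", "app", "SELECT", "orders", 30)
         for i in range(5)]

if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    print("suspicious:", check_event(SUSPICIOUS, profiles))
    print("benign DBA:", check_event(BENIGN_DBA, profiles))
    print("burst:", check_rate(BURST, profiles))
```

The burst case is the reason access speed is profiled separately: each query in it passes every per-event check, and only the per-minute rate comparison reveals it.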
  27. Example: File Systems
     - Copying folders: nonselective (all subfolders and files accessed); temporally continuous; recursive; directory accessed before its files.
     - Routine access: selective; temporally irregular; random order; files can be accessed without the directory.
     Source: Catching Insider Data Theft with Stochastic Forensics, presented at Black Hat USA, August 2012.
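The four contrasts on slide 27 (selectivity, temporal continuity, traversal order, directory-before-files) can each be turned into a measurable indicator over a file-share access log. The block below is an added example and is neither the Black Hat authors' nor Imperva's code: the directory tree, the event format, the contiguity-based definition of "recursive", the thresholds and the two sessions are all constructed assumptions.

```python
"""Stochastic-forensics style scoring of file-share sessions (added example).

Scores one session of access events against the four indicators that
distinguish copying a folder tree from routine access. The tree, event
format, thresholds and sessions are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed file share: directory -> files it directly contains
TREE = {
    "/share/finance": ["q1.xlsx", "q2.xlsx"],
    "/share/finance/archive": ["2010.xlsx", "2011.xlsx"],
    "/share/hr": ["salaries.xlsx"],
}
ALL_FILES = {f"{d}/{f}" for d, files in TREE.items() for f in files}


@dataclass
class Access:
    ts: datetime
    path: str
    is_dir: bool


def coverage(events):
    """Nonselective vs selective: share of all files on the tree that were touched."""
    touched = {e.path for e in events if not e.is_dir} & ALL_FILES
    return len(touched) / len(ALL_FILES)


def temporal_cv(events):
    """Continuous vs irregular: coefficient of variation of inter-access gaps.
    Returns None with fewer than two gaps, since continuity cannot be judged."""
    ts = sorted(e.ts for e in events)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def is_recursive(events):
    """Recursive vs random order: each directory's subtree is visited contiguously."""
    paths = [e.path for e in sorted(events, key=lambda e: e.ts)]
    for d in TREE:
        idx = [i for i, p in enumerate(paths) if p == d or p.startswith(d + "/")]
        if idx and idx[-1] - idx[0] + 1 != len(idx):
            return False
    return True


def dir_before_files(events):
    """Share of file accesses whose parent directory was listed earlier in the session."""
    seen_dirs, hits, files = set(), 0, 0
    for e in sorted(events, key=lambda e: e.ts):
        if e.is_dir:
            seen_dirs.add(e.path)
        else:
            files += 1
            hits += e.path.rsplit("/", 1)[0] in seen_dirs
    return hits / files if files else 0.0


def classify(events):
    """Verdict plus the individual indicators; three of four fire for a copy."""
    cv = temporal_cv(events)
    indicators = {
        "nonselective": coverage(events) >= 0.9,
        "continuous": cv is not None and cv < 0.5,
        "recursive": is_recursive(events),
        "dir_first": dir_before_files(events) >= 0.9,
    }
    verdict = "copying folders" if sum(indicators.values()) >= 3 else "routine access"
    return verdict, indicators


# Constructed session 1: a full tree walk at 02:14, one access per second.
T0 = datetime(2012, 10, 3, 2, 14, 0)
COPY_SESSION = [Access(T0 + timedelta(seconds=i), p, d) for i, (p, d) in enumerate([
    ("/share/finance", True), ("/share/finance/q1.xlsx", False),
    ("/share/finance/q2.xlsx", False), ("/share/finance/archive", True),
    ("/share/finance/archive/2010.xlsx", False), ("/share/finance/archive/2011.xlsx", False),
    ("/share/hr", True), ("/share/hr/salaries.xlsx", False),
])]
# Constructed session 2: a few files opened directly over a working day.
ROUTINE_SESSION = [
    Access(datetime(2012, 10, 3, 9, 3), "/share/finance/q2.xlsx", False),
    Access(datetime(2012, 10, 3, 9, 5), "/share/finance/q1.xlsx", False),
    Access(datetime(2012, 10, 3, 11, 40), "/share/hr/salaries.xlsx", False),
    Access(datetime(2012, 10, 3, 15, 10), "/share/finance/q2.xlsx", False),
]

if __name__ == "__main__":
    for name, session in (("copy", COPY_SESSION), ("routine", ROUTINE_SESSION)):
        print(name, classify(session))
```

Requiring three of the four indicators keeps a single-file open (trivially "recursive") or a scripted nightly report (continuous but selective) from tripping the copy verdict on its own.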
  28. Conclusion: Rebalance the portfolio
  29. Worldwide anti-virus spend, 2002 vs 2012: 2002, $1.44 billion; 2012 (est.), $7.84 billion. A 5x increase without the 5x improvement. Source: Gartner, Worldwide Spending on Security by Technology Segment, Country and Region, 2010-2016 and 2002.
  30. Real World Incident
  31. Organizations known to have been compromised: Saudi Aramco, Goldman Sachs, Global Payments, SF Computer Systems, Sandia National Labs, CardSystems, EPA, Motorola, Sberbank, Google (Aurora), RSA, Toyota. The list goes on ...
  32. RSA, the phishing mail: mass phishing campaign against RSA employees.
  33. RSA, the exploit: Excel file with embedded Flash; 0-day Flash vulnerability.
  34. Proliferation within the network: "With the trojan downloaded, the attackers then started harvesting credentials and made their way up the RSA food chain via both IT and non-IT personnel accounts, until they finally obtained privileged access to the targeted system." Source: http://www.pcmag.com/article2/0,2817,2382970,00.asp
  35. RSA, the result: SecurID hacked.
  36. Mitigation in Action
  37. Imperva SecureSphere, database coverage: coverage for heterogeneous databases (DB2, DB2 z/OS, DB2400, Informix, Netezza shown).
  38. Imperva Database Security Products
     - Database Activity Monitoring: full auditing and visibility into database activities.
     - Discovery & Assessment Server: vulnerability assessment, configuration management, database discovery and classification.
  39. Deployment options (diagram): database auditing and activity monitoring through agents (DBA/sys admin access) and through a network auditing gateway (user access), both managed by the Management Server (MX).
  40. Auditing database activity
     - The audit trail captures all database activity, including SELECT, DML, DDL and privileged activities.
     - Details answer the who, what, where, when and how.
     (Diagram: DB2 for z/OS activity feeding a complete audit trail: when, where, who, what, how, privileged operations.)
  41. Audit analytics: pre-defined audit views provide quick and flexible access to audit details, with graphical analysis and drill-down to audit data.
  42. Real-time alerts on security events
     - SecureSphere provides real-time alerts on any security event and policy violation.
     - Dynamic Profiling enables identification of abnormal behaviors.
     - Alerts enable immediate response to minimize the impact of a breach.
     (Screenshot of an alert, "Profiling violation: unauthorized database and schema access", with fields user, source application, destination, alert details, date and time.)
  43. Universal user tracking: full user visibility and accountability; map application users to database activity. (Diagram: application users A and B, pooled behind a technical user, are resolved back to User A and User B by Universal User Tracking.)
  45. Unified policies across heterogeneous platforms
     - No need to define special policies for mainframe databases.
     - Granular policies defined and managed through a centralized, friendly interface.
     - Preconfigured compliance policies and reports for SOX, PCI, and data privacy.
     (Diagram: define and apply policies to heterogeneous databases, DB2 for z/OS and other databases.)
  46. Webinar Materials
  47. Webinar materials: join the Imperva LinkedIn group, Imperva Data Security Direct, for answers to attendee questions, post-webinar discussions and the webinar recording link.
  48. www.imperva.com