Stop Watering Holes, Spear-Phishing and Drive-by Downloads
Published in: Technology, Business
  • Actors – Weapons – Targets – Defenses – Invincea
    Threats and their exploits are punching holes into today's security controls by changing the game. They are going after your user and bypassing all your controls. Chasing yesterday's attacks with list-based technologies will simply never catch up, because it is looking for the last indicator. Cleaning up using Incident Response is messy and expensive, only tells you how bad the problem is, and only generates more signatures or lists for ineffective technologies. The only way to stop the attack is to play today's game. We stop the attack by defending the user while letting the user be themselves. Trust the Web Again!

    The malicious link contains an EXPLOIT.

    AV – Microsoft Essentials happened to have a signature for it and therefore cleaned it. This in general can happen with Enterprise and any AV software and is expected. If MSE did not have a signature we would have seen the resulting exploit and stopped it. So, what you saw was MSE cleaning the exploit and the page then just sitting there. To restore then, all you need to do is to go to our systray icon and restore the browser session.

    PATCHING – That said, the next thing to be aware of or ask is "Will the exploit actually line up to a vulnerability on my workstation?" So, the next test I did was to disable MSE on my workstation. I went to the same site, and nothing happened. In other words, the exploit did not compromise my latest patched version of Java. So, it had a similar result: the page just sitting there, and we did not have to stop any resulting behavior.

    RAW/UNPROTECTED – I took the same link and went to a workstation that had no MSE and an unpatched version of Java. This time the exploit worked, and we detected the result of that exploit as well as fully restoring the environment. Then, I went to the Sophos link and again nothing happened. I think that site is just cleaned up.

    It also iterates a good layered defense approach, and where we come into play:
    1) Patching – prevent a match of exploit/vulnerability
    2) AV – if signature matches
    3) Invincea – your last line of defense in case the previous fails
    I do sometimes say, depending on how you look at it, we could be thought of as your first line or last line of defense.
  • The challenge is that we keep investing millions of dollars into yesterday’s problems. And the target keeps moving. There are more than 80,000 new malware variants and 3,000 malicious websites identified daily, no wonder the traditional defenses like signatures, listing and training do not work. As I stated earlier, the number 1 attack vector is the end user. Your organization has 30,000 employees. From a cyber-criminal’s perspective, that is 30,000 targets.
  • Transcript

    • 1. Stop Watering Holes, Spear-Phishing and Drive-by Downloads. Stephen Ward, Vice President
    • 2. A Crumbling Industry. The Lost Decade: failure to innovate; symptoms vs. disease; the great malware arms race. Business Revolution: rush to adopt; risk acceptance vs. understanding; the mediocrity of compliance. Closed Circuits: shame of victimization; classification vs. cooperation; the inability to find common purpose.
    • 3. Aggressive and Persistent Adversaries
      • Nation States – motives include: cyberespionage; intellectual property theft; probing of critical infrastructures
      • Cyber Criminals – motives include: identity theft; corporate financial fraud; black market sales to nation states; probing of financial infrastructures
      • Hacktivists – motives include: political action; shaming major corporations; attacking specific executives; exposing corporate trade secrets
    • 4. Riddle Me This…
    • 5. '11, '12 and '13 (so far) bloodiest years on record…
      • "White House" eCard (spear-phishing)
      • HBGary Federal (social engineering)
      • Night Dragon (spear-phishing)
      • London Stock Exchange Website (watering-hole)
      • French Finance Ministry (spear-phishing)
      • Dupont, J&J, GE (spear-phishing)
      • Charlieware (poisoned SEO)
      • Nasdaq (spear-phishing)
      • Office of Australian Prime Minister (spear-phishing)
      • RSA (spear-phishing)
      • Epsilon (spear-phishing)
      • Barracuda Networks (spear-phishing)
      • Oak Ridge National Labs (spear-phishing)
      • Lockheed Martin (spear-phishing)
      • Northrop Grumman (spear-phishing)
      • Gannett Military Publications (spear-phishing)
      • PNNL (spear-phishing)
      • ShadyRAT (spear-phishing)
      • DIB and IC campaign (spear-phishing)
      • 'Voho' campaign (watering-holes and spear-phishing)
      • 'Mirage' campaign (spear-phishing)
      • 'Elderwood' campaign (spear-phishing)
      • White House Military Office (spear-phishing)
      • Telvent compromise (spear-phishing)
      • Council on Foreign Relations (watering hole)
      • Capstone Turbine (watering hole)
      • RedOctober (spear-phishing)
      • DoE (spear-phishing)
      • Federal Reserve (spear-phishing)
      • Bit9 (SQL injection)
      • NYT, WSJ, WaPO (spear-phishing)
      • South Korea (spear-phishing)
      • 11 Energy Firms (spear-phishing)
      • QinetIQ (TBD)
      • Apple, Microsoft, Facebook (watering-hole)
      • Speedtest.net (drive-by download)
      • National Journal (watering hole)
      • FemmeCorp (watering hole)
      • Department of Labor / DoE (watering hole)
      • WTOP and FedNewsRadio (drive-by downloads)
      No One is Immune. What are we waiting for??
    • 6. Enterprise Security Architecture for Addressing APT (In Use | Confidence*): Firewalls/Web Proxies; Network Controls; Anti-Virus; Forensics and IR; User Training; App Whitelisting
    • 7. The Primary Target – The Unwitting Accomplices. The #1 Attack Vector = The User
      • Ubiquitous usage of Internet and Email has enabled adversaries to shift tactics
      • Prey on human psychology
      • Spear Phishing – The New Black
      • Drive by Downloads
      • Malicious sites
      • Weaponized Attachments
      • Watering Hole Attacks
      • Hijacked trusted sites
      • Trust in social networks: Facebook, Twitter, LinkedIn
      • Faith in Internet search engines: Poisoned SEO
      • User Initiated Infections: Fake A/V and fearmongering
    • 8. Competitive Futures Are at Stake. "Theirs" vs. Ours. The good news is… they're stealing petabytes worth of data… The bad news is… in time, they'll have sorted through it all.
    • 9. Competitive Futures Are at Stake
    • 10. Still waiting on some "Digital Pearl Harbor?" 99 Red Balloons… $200 Billion Market Shift on the Back of a Spear-Phishing Attack
    • 11. 99 Red Balloons… $45 Million in Financial Fraud from One ATM Scheme Alone…
    • 12. 99 Red Balloons… Watering Hole Attack Hits 3 Major Tech Companies…
      • 3rd party developer website infected deliberately to target these companies
      • Employees targeted were in R&D/Engineering groups
      • Well planned, well executed… easy peasy…
    • 13. 99 Red Balloons… Watering Hole Targets Department of Labor website – DoE visitors…
    • 14. Alarming Malware Statistics
      • 280 million malicious programs detected in April 2012*
      • 80,000+ new malware variants daily**
      • 134 million web-borne infections detected (48% of all threats) in April 2012*
      • 24 million malicious URLs detected in April 2012*
      • 30,000+ new malicious URLs daily**
      • 95% of APTs involve spear-phishing***
      • Organizations witnessing an average of 643 malicious URL events per week***
      • 225% increase from 2012***
      Sources: * Kaspersky April 2012 Threat Report; ** Panda Labs Q1 2012 Internet Threat Report; *** FireEye September 2012 Advanced Threats Report; **** Both Mandiant and Trend Micro – 2013 Reports
    • 15. KIA – Mandiant "APT-2" Spear-Phish. www.invincea.com/blog or https://www.invincea.com/2013/02/mandiant-report-spear-phishing-campaign-kia-with-invincea-cve-2011-0611/
    • 16. Java – Getting Bullied…
    • 17. Einstein's Definition of Insanity. The Security Insanity Cycle: patching software as vulnerabilities are made public; detecting intruders and infected systems after the fact; recovering and restoring the infected machines back to a clean state.
    • 18. Addressing the Critical Vulnerability in Java 7: "Uninstall Java…"
    • 19. Addressing the Critical Vulnerability in IE: "Stop Using IE…"
    • 20. Addressing the Pandemic of Spear-Phishing: "Don't Click on Links You Don't Trust…"
    • 21. An Alternative to Bad Advice. Not quite… but pretty darn close…
    • 22. Rethink Security. If… you could negate user error. And… contain malware in a virtual environment. And… stop zero-days in their tracks without signatures. Then… preventing APTs would be possible. "Making Prevention Possible Again"
    • 23. Contain the Contaminants. Prevention: protect every user and the network from their error. Pre-Breach Forensics: feed actionable forensic intelligence without the breach. Detection: detect zero-day attacks without signatures.
    • 24. KIA – IE8 0day CVE-2013-1347. Watering Hole Attack on DoL subsite thwarted by Invincea Enterprise
      • Whitelisted or blacklisted website? More than likely whitelisted
      • Targeted fully patched IE8 browsers on Windows XP platform
      • Increasingly common poisoning tactic from adversaries
      • Detected without signatures, immediately killed and forensically analyzed by Invincea
      www.invincea.com/blog or http://www.invincea.com/2013/05/part-2-us-dept-labor-watering-hole-pushing-poison-ivy-via-ie8-zero-day/
    • 25. KIA – Dvorak, WTOP & FederalNewsRadio. Mass Compromise on several media sites including wtop.com and federalnewsradio.com thwarted by Invincea Enterprise
      • Whitelisted or blacklisted website? More than likely whitelisted
      • Exploit Kit (FiestaEK) targeting recent Java vulnerabilities on IE-enabled systems only
      • SAME EK as National Journal discovered by Invincea
      • Detected without signatures, immediately killed and forensically analyzed by Invincea
      www.invincea.com/blog or http://www.invincea.com/2013/05/k-i-a-wtop-com-fednewsradio-and-tech-blogger-john-dvorak-blog-site-hijacked-exploits-java-and-adobe-to-distribute-fake-av-2/
    • 26. Mapping the APT Kill Chain
      • Stage 1: Reconnaissance – research the target
      • Stage 2: Attack Delivery – spearphish with URL links and/or attachment
      • Stage 3: Client Exploit & Compromise – vulnerability exploited or user tricked into running executable
      • Stage 4: C2 – remote Command & Control
      • Stage 5: Internal Recon – scan network for targets
      • Stage 6: Lateral Movement – colonize network
      • Stage 7: Establish Persistence – root presence to re-infect as machines are remediated
      • Stage 8: Stage Data & Exfil – archive/encrypt, leak to drop sites
      • Stage 9: Incident Response – analysis, remediation, public relations, damage control
    • 27. Invincea – Breaking the APT Workflow. Containment | Detection | Prevention | Intelligence
      • Highly targeted apps run in contained environment
      • Behavioral based detection spots all malware including 0-days
      • Automatic kill and remediation to clean state
      • Forensic intelligence on thwarted attacks fed to broader infrastructure (Threat Data Server)
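Slides 26 and 27 describe behavioral (signature-less) detection of the kill chain's stage 3, where a browser or plugin is exploited and a dropped executable starts running, followed by an automatic kill of the offending process tree. The script below is an added example of that idea and is not Invincea's code: it assumes Sysmon-style process-creation records (pid, parent pid, image path, command line), an assumed allowlist of processes a browser spawns in normal use, and a constructed event sample in which the Java plugin under Internet Explorer runs a binary out of %TEMP% that then launches a command shell. It flags the browser-descended processes, maps them to the kill-chain stage named on slide 26, and computes the subtree that a remediation step would terminate.

```python
"""Behavioral detection of a drive-by / watering-hole compromise from process-creation
telemetry. Added example (not Invincea's code): it assumes Sysmon-style process-creation
records with pid, parent pid, image path and command line, plus an assumed allowlist of
processes a browser legitimately spawns. All events below are constructed."""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # full path of the newly created process
    command_line: str


BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe"}
# Plugin hosts commonly exploited by drive-by downloads (the deck names Java and IE).
PLUGIN_HOSTS = {"jp2launcher.exe", "java.exe", "javaw.exe", "acrord32.exe"}
# Assumed allowlist: children a browser spawns in normal use (tabs, plugin brokers).
EXPECTED_CHILDREN = {
    "iexplore.exe": {"iexplore.exe", "jp2launcher.exe", "ieuser.exe"},
    "chrome.exe": {"chrome.exe"},
    "firefox.exe": {"firefox.exe", "plugin-container.exe"},
}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def browser_ancestor(event, by_pid):
    """Walk up the parent chain; return the image name of the nearest browser ancestor."""
    seen, ppid = set(), event.ppid
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        parent = by_pid[ppid]
        if basename(parent.image) in BROWSERS:
            return basename(parent.image)
        ppid = parent.ppid
    return None


def classify(event, by_pid):
    """Return the behavioral reasons this process creation looks like client-side compromise."""
    name = basename(event.image)
    anc = browser_ancestor(event, by_pid)
    if anc is None or name in EXPECTED_CHILDREN[anc]:
        return []  # not under a browser, or a normal browser component
    parent = basename(by_pid[event.ppid].image)
    reasons = []
    if name in SCRIPT_HOSTS:
        reasons.append(f"script host {name} launched under {anc}")
    elif parent in PLUGIN_HOSTS:
        reasons.append(f"plugin host {parent} spawned {name} under {anc}")
    else:
        reasons.append(f"unexpected process {name} launched under {anc}")
    if any(marker in event.image.lower() for marker in USER_WRITABLE):
        reasons.append("executable runs from a user-writable directory")
    return reasons


def scan(events):
    """Map every suspicious creation to kill-chain stage 3 (Client Exploit & Compromise)."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        reasons = classify(e, by_pid)
        if reasons:
            alerts.append({"pid": e.pid, "image": e.image,
                           "stage": "Stage 3: Client Exploit & Compromise",
                           "reasons": reasons})
    return alerts


def subtree(pid, events):
    """PIDs to terminate for remediation: the flagged process and everything it spawned."""
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e.pid)
    out, stack = set(), [pid]
    while stack:
        cur = stack.pop()
        if cur not in out:
            out.add(cur)
            stack.extend(children.get(cur, []))
    return out


# Constructed sample: a user browses to a compromised site; the Java plugin drops and
# runs a binary from %TEMP%, which then starts a command shell.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Internet Explorer\iexplore.exe", "iexplore.exe"),
    ProcEvent(300, 200, r"C:\Program Files\Java\jre7\bin\jp2launcher.exe", "jp2launcher.exe"),
    ProcEvent(400, 300, r"C:\Users\bob\AppData\Local\Temp\upd8.exe", "upd8.exe"),
    ProcEvent(500, 400, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent(600, 100, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent(700, 200, r"C:\Program Files\Internet Explorer\iexplore.exe", "iexplore.exe SCODEF:200"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["pid"], alert["image"], alert["stage"], alert["reasons"],
              "kill:", sorted(subtree(alert["pid"], SAMPLE_EVENTS)))
```

Run against the constructed sample, only the dropped binary (pid 400) and the shell it spawns (pid 500) are flagged; the IE tab process and the Java plugin broker pass because they are on the allowlist, and notepad passes because it has no browser ancestor. Nothing here depends on a signature for the dropped file, which is the property the slide is describing; in production the allowlist has to be tuned per browser version, and the remediation subtree is what an agent would kill and roll back rather than a single process.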
    • 28. Recognized as a Game Changer…
      • Prestigious SANS Institute calls for DPW type of controls…
      • Item 5: Malware Defenses
      • 5.7. Quick wins: Deploy… products that provide sandboxing (e.g., run browsers in a VM), and other techniques that prevent malware exploitation.
      • SANS awards NSA a National Security Award for review of Invincea technology
      • NSA led a year long analysis of the technology that powers DPW
      • Endorsed as effective for combatting the advanced threat
      • SANS viewed as a break-through in endpoint security
      • Notable Industry Awards
      • Most Innovative Company of the Year – RSA 2011
      • GovTek Best Tech Transfer to Startup – 2012
      • Government Security News' "Best Anti-Malware Solution" – 2012
    • 29. Let's Get Moving. Steve Ward: steve.ward@invincea.com. Go ahead… spear-phish me! www.invincea.com. Twitter: @Invincea. Want a t-shirt? Drop a note to megan.cavanaugh@invincea.com – only one catch, you've got to tweet a pic of you wearing it!