Weaponised Malware & APT Attacks: Protect Against Next-Generation Threats

The weaponisation of software has ushered in a new era of cyber attacks. But with 99% of organizations not prepared for this new front line of cyber-warfare, what does this spell for your business?

• Gain a detailed overview of the next generation of threats out there
• Understand how to detect key threats and attacks before they develop a stranglehold on your business
• Implement the right integrated strategy to keep you safe from cybercriminals on today’s front line

  1. Dean Barnes, Principal Security Manager – Threat Management, Royal Mail; Paul Zimski, VP, Solution Marketing, Lumension
  2. POLL #1
  3. State Sponsored Malware is Officially Out of the Shadows. Google begins alerting Gmail users to state-sponsored attacks: “Warning: We believe state-sponsored attackers may be attempting to compromise your account or computer. Protect yourself now.”
  4. HOW… did we get to the point where your online email provider specifically warns users of state-sponsored attacks?
  5. FIRST… a little history.
  6. Event Timeline: Stuxnet (2009.06: STUXNET) • Publicly disclosed 13 months after the first attack against Iran • Designed to sabotage Iranian nuclear refinement plants • Stuxnet attacked Windows systems using an unprecedented four zero-day attacks • First to include a programmable logic controller (PLC) rootkit • Has a valid, but abused, digital signature • Payload targeted only Siemens supervisory control and data acquisition (SCADA) systems
  7. Event Timeline: Duqu (2009.06: STUXNET → 2010.09: DUQU) • Considered to be “next generation Stuxnet” • Believed that Duqu was created by the same authors as Stuxnet • Exploits zero-day Windows kernel vulnerabilities • Components are signed with stolen digital keys • Highly targeted and related to the nuclear program of Iran • Designed to capture information such as keystrokes and system information • Central command and control with modular payload delivery – also capable of attacking
  8. Event Timeline: Flame (2009.06: STUXNET → 2010.09: DUQU → 2011.05: FLAME) • Designed for targeted cyber espionage against Middle Eastern countries • Spreads to systems over a local network (LAN) or via USB stick • Creates Bluetooth beacons to steal data from nearby devices • “Most complex malware ever found” • “Collision” attack on the MD5 algorithm – to create fraudulent Microsoft digital certificates • Utilized multiple zero-day exploits
  9. Common APT Characteristics • Highly targeted and endpoint focused • Use sophisticated and low-tech techniques – USB key delivery; social engineering • Zero-day vulnerabilities • Fraudulent certificates • Centralized command and control • Undetected for prolonged periods – exfiltration masking
  10. Weaponized – What’s Different? Development: • Nation-states • Truly customized payloads. Delivery: • Zero-day propagation • Multi-vectored: Bluetooth, USB, network. Detection: • Digitally signed with compromised certificates • Outbound exfiltration masking. Command & Control: • Central command • Modular payloads. Intent: • Surveillance • Disrupt / Destroy
  11. WHY… should the enterprise care?
  12. Why Should the Enterprise Care? Retaliation Risk – US admits Stuxnet; expect increasing retaliation risk against sensitive economic and infrastructure assets
  13. Why Should the Enterprise Care? Collateral Damage – Loss of control of weaponized malware (once weaponized malware is released, control is effectively lost); being exposed to accidentally spreading malware (Stuxnet was discovered after it escaped its targeted environment and started spreading)
  14. Why Should the Enterprise Care? Adaptation by Cyber Criminals – Targeted attacks on sensitive information; variants of Stuxnet already seen
  15. What Should The Enterprise Do? Know Where the Risk Is. Every endpoint is an enterprise of ONE. Need to have autonomous protection. Need to have a layered approach.
  16. POLL #2
  17. Defense in Depth Strategy. Successful risk mitigation starts with a solid vulnerability management foundation, together with layered defenses beyond traditional black-list approaches. Layers: AV – Control the Known; Device Control – Control the Flow; Hard Drive and Media Encryption – Control the Data; Application Control – Control the Grey; Patch and Configuration Management – Control the Vulnerability Landscape
  18. Effectiveness of AV? (AV – Control the Known) Pros: • Stops “background noise” malware • May detect reused code (low probability) • Will eventually clean payloads after they are discovered. Cons: • Not an effective line of defense for proactive detection • Can degrade overall endpoint performance with little return on protection
  19. Device Control Effectiveness (Device Control – Control the Flow) Pros: • Can prevent unauthorized devices from delivering payloads • Can stop specific file types from being copied to host machines • Stops a common delivery vector for evading extensive physical and technological security controls. Cons: • Limited scope for payload delivery interruption
  20. Encryption Effectiveness? (Hard Drive and Media Encryption – Control the Data) Pros: • Makes lateral data acquisition more difficult • A good data protection layer outside of APT. Cons: • Generally will not protect data if the endpoint is compromised at a system level
  21. Application Control Effectiveness (Application Control – Control the Grey) Pros: • Extremely effective against zero-day attacks • Stops unknown, targeted malware payloads • Low performance impact on endpoints. Cons: • Susceptible to compromise as policy flexibility is increased • Does not stop memory injections (attacks that do not escape service memory)
  22. Patch and Configuration Basics (Patch and Configuration Management – Control the Vulnerability Landscape) Pros: • Eliminates the attackable surface area that hackers can target • Central configuration of native desktop firewalls • Improves endpoint performance and stability • Can enable native memory injection protection. Cons: • Does not stop zero-day vulnerabilities
  23. Defense in Depth Strategy. Successful risk mitigation starts with a solid vulnerability management foundation, together with layered defenses beyond traditional black-list approaches. Layers: AV – Control the Known; Device Control – Control the Flow; Hard Drive and Media Encryption – Control the Data; Application Control – Control the Grey; Patch and Configuration Management – Control the Vulnerability Landscape
  24. Employee Education – Often the first and last line of defense. lumension.com/how-to-stay-safe-online
  25. Summary – Defense in Depth Endpoint Strategy. AntiVirus: disinfect generic malware. Device Control: enable secure device use. Hard Drive & Media Encryption: protect stored data. Application Control: stop un-trusted change. Patch & Configuration Management: reduce attackable surface area. Threats addressed across the layers: drive-by malware, USB threat vectors, data loss, insider risk, APT protection, zero day, automated attacks.
  26. Learn More: Quantify Your IT Risk with Free Scanners • Watch the On-Demand Demos • Get a Free Trial
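As an added illustration of the distinction slides 18 and 21 draw between AV's "Control the Known" deny-list and application control's "Control the Grey" allow-list (example code written for this page, not Lumension's product or the deck's own material): three constructed sample binaries are evaluated under a hash deny-list, a hash allow-list, and a relaxed publisher-trust allow-list; the "weaponised" sample is signed with a certificate stolen from a legitimate vendor, the pattern slides 6 and 7 describe for Stuxnet and Duqu. All file names, contents and publisher names are constructed.

```python
# Added example (not from the deck): compare the endpoint policy models
# the slides describe, on constructed sample binaries.
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Binary:
    name: str
    content: bytes            # constructed stand-in for the file image
    publisher: Optional[str]  # signing publisher, or None if unsigned

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


# Constructed samples. The weaponised payload is signed with a certificate
# stolen from a legitimate vendor (the Stuxnet/Duqu pattern in slides 6-7).
KNOWN_BAD = Binary("dropper_v1.exe", b"commodity dropper seen in the wild", None)
TRUSTED = Binary("notepad.exe", b"vendor-shipped editor", "OS Vendor")
WEAPONISED = Binary("driver.sys", b"never-seen targeted payload", "Hardware Vendor")


def av_deny_list(b: Binary, signatures: Set[str]) -> bool:
    """'Control the Known': allowed unless the hash matches a known signature."""
    return b.sha256 not in signatures

def appcontrol_hash_allow_list(b: Binary, trusted_hashes: Set[str]) -> bool:
    """'Control the Grey': allowed only if the hash was explicitly trusted."""
    return b.sha256 in trusted_hashes

def appcontrol_publisher_rule(b: Binary, trusted_publishers: Set[str]) -> bool:
    """Relaxed allow-list: anything signed by an approved publisher runs."""
    return b.publisher in trusted_publishers

def evaluate(b: Binary) -> Dict[str, bool]:
    """True means the binary would be allowed to execute under that control."""
    return {
        "av": av_deny_list(b, {KNOWN_BAD.sha256}),
        "appcontrol_hash": appcontrol_hash_allow_list(b, {TRUSTED.sha256}),
        "appcontrol_publisher": appcontrol_publisher_rule(
            b, {"OS Vendor", "Hardware Vendor"}),
    }


if __name__ == "__main__":
    for sample in (KNOWN_BAD, TRUSTED, WEAPONISED):
        print(sample.name, evaluate(sample))
```

The weaponised sample passes both the AV deny-list and the publisher rule but is stopped by the hash allow-list, which is the policy-flexibility trade-off slide 21 warns about.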
