Battling Malware In The Enterprise

655 views
592 views

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
655
On SlideShare
0
From Embeds
0
Number of Embeds
10
Actions
Shares
0
Downloads
12
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Battling Malware In The Enterprise

  1. 1. Ayed Alqarta | @aqartaIT Security Consultant
  2. 2.  Malware trends in 2012 Malware Stats: State of Kuwait How Malware infiltrates Enterprise Today Effective Malware Mitigations
  3. 3. Malware Newsws
  4. 4.  Trojans for mobile platforms (SMS to premium ###, defeat SMS-based dual-factore info stealing, Zeus/SpyEye) Malicious Trojans will spread in more innovative ways. (Facebook and twitter) Attacks targeting corporate networks (Espionage) More malware attacking Mac OS (Flashback) Web exploits toolkits are on the rise with more zer0- day vulnerabilities
  5. 5. Symantec Intelligence Quarterly: July - September, 2011
  6. 6. Symantec Intelligence Quarterly: July - September, 2011
  7. 7. Botnet C&C Activity by countrySource: Umbradata Red countries: over 1,501 vetted C&C
  8. 8.  Top observed botnet families at multiple enterprise customers:  Palevo.C  Palevo.18  Mariposa.P  Mariposa.F  Conficker.B  Conficker.D  Virut  Sality
  9. 9. • Compromised websites (infected with malware)• Malvertising (Malicious Ads)• Malware websites• Software downloads• P2P/Torrent websites• Social Networks• Blogs Web
  10. 10. Email Removable Mobiles Media LaptopsATM (Yes, they (Personal, run Windows Work, Vendor, too !) Contractor) Virtual Private Wireless and Network / 3G/Edge Remote Access
  11. 11. Malvertising (from "malicious advertising") is the use of onlineadvertising to spread malware.Internet advertisement networks provide attackers with an effectivevenue for targeting numerous computers through malicious bannerads.Such malvertisements may take the form of Flash programs that looklike regular ads, but contain code that attacks the visitors systemdirectly or redirects the browser to a malicious website.Malicious ads can also be implemented without Flash by simplyredirecting the destination of the ad after the launch of thecampaign.
  12. 12. Exploit kitsA type of crimeware Web application developed to help hackers takeadvantage of unpatched exploits in order to hack computers via maliciousscripts planted on compromised websites. Unsuspecting users visiting thesecompromised sites would be redirected to a browser vulnerability-exploitingmalware portal website in order to distribute banking Trojans or similarmalware through the visiting computer.Most exploit kits are based on PHP and a MySQL backend and incorporatesupport for exploiting the most widely used and vulnerable security flaws inorder to provide hackers with the highest probability of successfulexploitation. The kits typically target versions of the Windows operatingsystem and applications installed on Windows platforms.
  13. 13.  Multiple layers of mixed-vendor virus scan engines Spam Email File UTM Proxy Endpoints Filter Server Server Defense-in-Depth
  14. 14.  Device & Application control  Block removable drives like “USB Flash” disks to prevent AutoRun attacks.  If not possible, only allow documents and trusted files to run from USB, except executables.  Disable the “Auto Play” functionality in Windows.  Consider using “Secure Flash disk”, which has onboard antivirus scan engine to protect it against malware.
  15. 15.  Device & Application control  Use App control solution (standalone / apart of endpoint security) to lockdown critical systems.  App control policy can protect against all kind of malware including zer0-day, since there is no need for signatures (Whitelisting).
  16. 16.  Patch management (OS/Browsers/Apps)  Be up-to-date with latest patch related information from various source  Download patches and run extensive tests to validate the authenticity and accuracy of patches  Install security and critical patches/service packs for OS and 3rd party applications.  Maintain a testing environment to test patches before approving them to production systems.  Generate reports of various patch management tasks  Monitor the patching progress in the enterprise
  17. 17.  Patch management (OS/Browsers/Apps) Top Attacked applications by web exploit kitsKaspersky
  18. 18. Patch management (3d Party Apps)• Java Run Time Environment (JRE)• Adobe Reader, Acrobat, Air, Shockwave Player, Flash Player• Mozilla Firefox• Mozilla Thunderbird• Google Chrome• Apple Safari, iTunes, QuickTime• Microsoft Internet Explorer• Microsoft Office• RealNetworks RealPlayer
  19. 19.  Vulnerabilities Research Resources  http://technet.microsoft.com/en-us/security/bulletin  http://www.kb.cert.org/vuls/  http://secunia.com/community/advisories/  http://www.symantec.com/security_response/landing/vulnerabi lities.jsp  http://tools.cisco.com/security/center/publicationListing  http://www.vupen.com/english/security-advisories/  http://www.us-cert.gov/current/  http://www.adobe.com/support/security/  http://www.verisigninc.com/en_US/products-and- services/network-intelligence-availability/idefense/public- vulnerability-reports/index.xhtml
  20. 20.  Web filtering  Block access to malicious domains (Malware, Phishing, Botnet C&C, Compromised Websites, Malware hosting, Advertisements, Pornography, Dynamic DNS, Social Networks Games, Computer Software, Uncategorized)  Proxy must include an antivirus/antispyware engine to scan downloaded files  Block downloading suspicious files (.exe, .cmd, .pif, .bat, .scr, .dll, .sys)  Generate reports and warn top policy violators  Manually block domains/URLs which are not-categoriezed by vendor (blocklist)
  21. 21.  Geo-based filtering (top-malware hosting countries)  Block inbound/outbound to these countries (China, Russia, Korea, Brazil, Thailand, Taiwan, Japan, Poland, Peru)  Logs (UTM/Proxy) will help detecting possible infections  This filtering will stop/decrease (SPAM, Malware, Malicious websites, Phishing)  A proactive security technique to prevent threats
  22. 22.  Threat Intelligence Feeds / Blacklists  Integrate threat feeds with security products in the enterprise to block traffic from/to bad reputation hosts  Proactively secure the network from zer0-day threats without relying on signatures  Threat intelligence can be integrated with SIEM tools  Threat feeds will contain: ▪ Malicious code senders ▪ Spam senders ▪ Phishing senders ▪ Botnet C&C servers ▪ Compromised Hosts ▪ Malware Domains
  23. 23.  Battling Malware in The Enterprise Malware Forensics Dojo  Learn from an experienced malware expert  Practical skills and applicable knowledge  Real world scenarios from the field
  24. 24. Thank you@aqarta a.qarta@gmail.com

×