McAfee Webcast | A Summer for Cybercrime: the New Sophisticated Attack Trends of 2013
 


Every day, new threats and targeted attacks hit organizations, governments and critical infrastructures that once seemed impenetrable.
Mobile devices remain the focus of new cybercriminal techniques: from July to September 2013 alone, attacks on the Android system increased by up to 30% and spam by 125%.
Companies, for their part, face the challenge of telling genuine code apart from "signed malware" carrying fraudulent certificates that has penetrated their networks. Finally, the end user, who is the least protected, suffers the loss of their information through new "ransomware" variants that are hitting the Latin American market hard.

    Presentation Transcript

    • A Summer for Cybercrime. McAfee Labs Threats Report: Third Quarter 2013. Juan Carlos Vázquez, Sales Systems Engineer, LTAM. December 10, 2013. McAfee Confidential—Internal Use Only
    • Agenda
      – Highlights: Threats Report Q3 2013
      – Advanced Malware
      – McAfee Advanced Threat Defense (MATD)
      – Find, Freeze & Fix
      – Demo (standalone)
    • McAfee Global Threat Intelligence: McAfee Labs identifies more than 200,000 new threats each day. This process begins with 500 threat researchers aided by some of the most sophisticated automated threat identification technology in the industry. The data that drives this research is generated by more than 100 million sensors globally. This threat data is then pumped into the McAfee GTI cloud, where it is made available to all McAfee products to enhance their detection effectiveness. McAfee Global Threat Intelligence processes more than 80 billion threat reputation requests each day.
    • Key Trends
      – Growing focus on subverting the digital signature "trust" upon which the internet has relied for so long: digitally "signed" malware samples increased 50 percent, to more than 1.5 million new samples; attacks undermining the digital signature checking process for mobile apps
      – Attacks on Android based devices increased more than 30%
      – Global spam volume spikes, increasing 125%
      – 20M new Q3 PC malware samples bring the total "zoo" to 170M
      – Use of new digital and virtual currencies by cybercriminals, both to execute illegal transactions and to launder profits
    • Mobile Malware
      – TREND: 683,000 new Android malware samples in Q3
      – RISKS: new signature checking circumvention family discovered; SMS password stealing Trojans (Turkey & UK); weaponized versions of legitimate applications
      – POLICIES: no unmanaged devices allowed on corporate nets; no rooted or unlocked devices allowed anywhere; only approved, signed applications installed
      – PROCEDURES: device management software installed on all devices; password change twice yearly; disable or scrub lost and stolen devices; consider policies to proxy mobile web traffic through the web gateway for protection
      – PRODUCTS: Enterprise Mobility Management; ePolicy Orchestrator; Web Gateway
      Android malware will be "more advanced" than PC malware.
    • Android Attacks: chart of new Android malware samples per quarter, Q2 2011 through Q3 2013 (y-axis 0 to 1,000,000)
    • Global Spam Volume Spikes
      – TREND: global spam volume spiked 125% in Q3; China and Italy up more than 50%; "snowshoe" spam most popular (it spreads the load across many IP addresses to avoid rapid eviction by ISPs)
      – RISKS: legitimate email throughput slowed; malicious attachments; fraudulent products and services; phishing attacks designed to steal confidential information or PII
      – POLICIES: no endpoint devices on the network without client anti-spam on board; all inbound mail to be filtered at least twice (cloud, perimeter, or device)
      – PROCEDURES: deploy anti-spam filters on all endpoint devices and on either the gateway or the cloud; block access to known spamming SMTP server addresses; annual email security/hygiene training covering the latest observed targeted attacks and phishing scams
      – PRODUCTS: McAfee Content Security Suite; McAfee Security for Email Servers; McAfee SaaS Web and Email Security Suite
    • Global Spam Trend: chart of spam volume in trillions of messages per month (y-axis 0 to 4.5)
    • PC Malware Growth
      – TREND: new PC malware up 23% to more than 20 million; malware zoo 172M
      – RISKS: confidential data exfiltration; botnet malware installation followed by total system compromise
      – POLICIES: endpoint anti-virus, host intrusion prevention, and web security and hygiene products deployed on all corporate network enabled devices; application/device control deployed on all corporate network enabled devices
      – PROCEDURES: comprehensive malware protection suites deployed on all endpoint devices; remote device monitoring and management deployed
      – PRODUCTS: VirusScan Enterprise; Real Time ePO; Host Intrusion Prevention; Enterprise Security Manager; Site Advisor Enterprise; Application Control; Deep Defender; Web Gateway; Advanced Threat Defense; Network Security Platform; Email Gateway
    • Total Malware Samples: the McAfee Malware "Zoo" is currently growing by 200,000 new samples per day. Chart of total PC malware samples (y-axis 0 to 200,000,000)
    • Subverting Digital Signature Authentication: chart of new signed PC malware per quarter, Q3 2011 through Q3 2013 (y-axis 0 to 1,800,000)
    • A Day in the Life of some Big Data
    • Visualizing and Mapping MalCerts
    • Highlights: you can quantify if you have a large enough data set
      – ~15% of any particular day's samples will have markers of "advanced" malware (as defined by APG): 0.0014% have new Zeus and Citadel markers; advanced web injects are consistent at around 0.026%; potentially attributable malware like IXSHE, NetTraveler, Taidoor and Preshin, though low numerically, is consistent daily; 0x20 XOR'd JavaScript is prevalent and consistent at around 0.126%
      – ~0.1045% of any particular day's samples will be digitally signed: almost 29% of those daily signed suspicious samples have a VeriSign cert; Thawte and Comodo digital certs are the second and third most abused; Android malware is now the most prevalent signed malware class at 24%
    • Ransomware
      – 312,000 unique samples
      – Anonymous payment services
      – Global problem: Mexico (Police virus); mass email spamming, tens of millions of UK customers
      – Caution with e-mail attachments; don't pay the ransom
      – Cryptolocker: TA (Threat Advisory) released by McAfee
    • Highlights
      – Rootkits (stealth malware): ~75K new samples; Koutodoor 20K samples (low)
      – Autorun malware (hides on USB drives): ~710K samples
      – New fake AV: ~380K (low)
      – New password stealers: >1M
      – New Mac malware: 300 samples (low)
      – Top SQL-injection attackers: US, China, Spain, UK, South Korea
      – Top SQL-injection victims: US, China, Taiwan, Spain, South Korea
      – Top botnet C&C servers: UK, Germany, Turkey, China, Russia
      – Location of servers hosting malicious content: Brazil, Argentina, Chile
      – Top countries hosting phishing URLs: US, Germany, UK, Brazil, France
    • Bitcoin
      – TREND: virtual currency market value $47.5 billion as of 2012 (1); from 139 dollars on October 1 to more than 1,200 dollars on December 1 (@Forbes)
      – RISKS: Bitcoin "mining" malware installation and operation compromising enterprise laptops
      – POLICIES: host intrusion prevention, web security and application/device control deployed on all corporate network enabled devices
      – PROCEDURES: comprehensive malware protection suites deployed on all endpoint devices; remote device monitoring and management deployed
      – PRODUCTS: Host Intrusion Prevention; Real Time ePO; Site Advisor Enterprise; McAfee Enterprise Security Manager; McAfee Application Control; Network Security Platform; Web Gateway
      (1) Yankee Group
    • Virtual Currencies
    • APTs, Zero-day and Advanced Malware: chart of total malware samples in the McAfee Labs database by month, JUL 2012 through JUN 2013 (y-axis 0 to 160,000,000), from McAfee Threats Report: Second Quarter 2013. Survey of network security professionals at Black Hat USA 2013 (percentages shown as graphics): a share of network security professionals say advanced malware is a major concern; a share spend more than 20 hours a week working on advanced malware. Malware shows no sign of changing its steady growth, which has risen steeply during the last three quarters. At the end of this quarter we now have more than 170 million samples in our malware "zoo."
    • WHAT IS ADVANCED MALWARE?
      – EVADES legacy-based defenses: stealthy, targeted, unknown
      – Typically CRIMINAL: theft, sabotage, espionage
      – Discovered AFTER THE FACT
      Bottom line: malware has evolved to become a persistent threat with a potent delivery ecosystem; layered defenses are failing to fully contain the risk due to advanced persistent threats (APTs) and other defense challenges; enterprises must enhance their vigilance.
      Truly advanced malware is about a ~15% problem.
      Source: Malware, APTs, and the Challenges of Defense, Gartner (updated 26 December 2012)
    • ADVANCED MALWARE MARKET WISDOM
      – Signature-based defenses are ineffective against the unknown
      – Sandboxing: run the suspect file in a safe (virtual) environment; analyze the actual behavior of the unknown file
      – Sandboxing limitations: resource intensive; not real-time; by itself, dynamic analysis is not effective against all malware
    • ADVANCED THREAT DEFENSE KEY DIFFERENTIATORS: Comprehensive Approach; High Detection Accuracy; Centralized Deployment
    • COMPREHENSIVE APPROACH TO MALWARE (ADVANCED THREAT DEFENSE)
      – FIND advanced threats
      – FREEZE threats, stopping their infiltration and spread within the infrastructure
      – FIX impacted systems by initiating remediation
    • COMPREHENSIVE APPROACH TO MALWARE: faster time to malware conviction, containment and remediation
      – FIND (McAfee Advanced Threat Defense, fed by McAfee Global Threat Intelligence): GTI efficient AV signatures; GTI reputation; real-time emulation engine; target-specific sandboxing; static code analysis
      – FREEZE (McAfee solutions): McAfee Endpoint Agent; McAfee Network IPS; McAfee Web Gateway; McAfee Email Gateway
      – FIX (McAfee ePO): automated host cleaning (McAfee Real Time); malware fingerprint query (McAfee Real Time)
    • COMPREHENSIVE LAYERED APPROACH (balances performance and protection)
      – Local lists: known bad, known good
      – Anti virus signatures: McAfee anti virus inspection
      – Global file reputation: McAfee Global Threat Intelligence
      – Emulation engine: gateway antimalware
      – Advanced sandboxing: static code and dynamic analysis
    • ATD On Box Analysis order
      – Local white list check
      – Local black list check
      – GTI reputation
      – MFE AV scan
      – Emulation (GAM)
      – Sandbox analysis
      – Yara rules
      – GTI query / update*
    • DYNAMIC AND STATIC ANALYSIS (file types: PE files, Adobe Reader, Microsoft Office, mobile, archives)
      – DYNAMIC ANALYSIS: observe registry modifications; observe network communications; observe process activities; observe file system changes. Classification and report based on behavior only... good, but not good enough!
      – STATIC ANALYSIS: unpacking; static analysis of disassembled code; discovery of latent code; hidden logic paths. Classification and report based on observed behavior and familiarity of unexecuted code.
    • ADVANCED THREAT DEFENSE KEY DIFFERENTIATORS: Comprehensive Approach; High Detection Accuracy; Centralized Deployment
    • CENTRALIZED DEPLOYMENT vs PROTOCOL-SPECIFIC DEPLOYMENT: lower cost of ownership and scalability
      – Protocol-specific deployment: numerous appliances (web malware analysis, file server malware analysis, email malware analysis) spread across the DMZ, data center servers, email gateway, web gateway, email/DNS/app servers and end-user endpoints, behind the FW and IPS
      – Centralized deployment: a single ATD appliance for malware analysis/forensics, with Network Security Manager and ePO as central management and forensics
      Supported versions: NSP 8.0.x and MWG 7.4.x
    • McAfee Advanced Threat Defense (MATD) Use Case: McAfee Network Security Platform
      – A file is downloaded from the Internet; Network Security Platform sends the individual file to McAfee Advanced Threat Defense and issues an MD5 query request
      – MATD returns the MD5, attack info and reports to McAfee Network Security Manager
      – McAfee ePO handles policy update and enforcement for infected hosts
    • ATD NSM Report Summary
      – A summary report can be accessed from the Analysis tab in the top menu bar and then the Malware Downloads tab in the left menu. Clicking on the Advanced Threat icon brings up the summary report.
      – At the bottom of the summary report there is a link to download a Full Analysis Report if required.
    • McAfee Advanced Threat Defense (MATD) Use Case: McAfee Web Gateway Integration (Proposal)
      – A file is downloaded from the Internet; McAfee Web Gateway uploads the file for analysis to McAfee Advanced Threat Defense over the REST API
      – MATD performs static / dynamic analysis and returns the report results to the gateway
      – MATD queries the host profile from McAfee ePO / Common Catalog
    • ATD Web Gateway Configuration
      – File submission to MATD is another mechanism for analysis. It triggers the progress page system in McAfee Web Gateway, and the file can be held until the sandbox has analyzed it.
      – GAM and the other down-select mechanisms are disabled on MATD for these submissions, since they already run on the gateway before the decision to send the file to MATD is made.
      – Specific conditions can be put in place in McAfee Web Gateway, e.g. if GAM is 60% sure a file is malware, send it to MATD for further analysis.
      – McAfee Web Gateway communicates with MATD over its RESTful API. If a sample is sent to MATD for analysis, an indicator appears on the progress page.
    • ATD available in block pages
    • Analysis Summary: sample name, hash, and file size; analysis environment
    • Reports – Analysis Tab – Analysis
      – Family classification; processes analyzed in the sample; classification / threat score
      – Family classification is based on the similarity of the piece of malware to other code in the wild, for example Zeus (http://en.wikipedia.org/wiki/Zeus_%28Trojan_horse%29), or Voter_1 in this example. The classification and threat score give the user a better idea of what the malware was and its intent.
      – In this example, "setup_361.exe" was initially loaded into MATD's analyzer. It subsequently created "vstart.exe", which created "update.exe". The level color shows the severity of the sample: yellow is low, orange is medium and red is high.
    • Analysis Summary
      – Behavior Summary: illustrates that when the malware was run in the sandbox, 57% of the code was actually executed; this was determined through static code analysis. It also gives the user a high-level view of what the malware did, e.g. "Hide file by changing its attribute" or "Created content in Windows System Directory". These behaviors come directly from the YARA rule correlation.
      – Severity Levels: show what analyzed the sample (GTI, GAM, a combination of multiple down-selects), what the final severity rating was and whether the file was malicious or not. The Final Score is based on the combination of scores from the down-selects.
    • Analysis Summary: individual file analysis and detail
    • Disassembly Listing: ATD adds comments in the disassembly listing
    • Execution Path Listing
      – Download a free GML viewer at yWorks
      – Open the .gml file and change the view to Hierarchical from the Layout menu
      – Select the defaults and click OK
    • Execution Path Listing: after changing the layout you get a large summary layout, which can be zoomed in/out with the zoom button(s)
    • Execution Path Listing: the execution path can be zoomed down into multiple times. The blue paths show what was executed in the sandbox and the red paths what was not. It also shows which functions were called, for example "CopyFileA".
    • Hardware Chassis (low end (GP) / high end (LHP))
      – Chassis form factor: 1U / 2U
      – Cores: 16 / 32
      – Memory: 128GB / 256GB
      – Disk controller: common to both, SAS 6G RAID 10 interface, 1GB cache (equivalent to Intel part number RMS25PB040)
      – Disk space, HDD: 2 x 2TB / 4 x 2TB
      – SSD (VM image repository): 400GB / 600GB
      – Power supplies: AC, redundant, hot swappable (both)
      – Network interfaces: on board 10/100/1000 Mbps RJ45, 4 ports (both)
      – RMM: yes (both)
      – Regulatory compliance for safety and EMI: worldwide (both)
      – Scanning capacity: 150,000 total objects/day, 25,000 dynamically (20-30 VMs, 25K files/day dynamic analysis) / 250,000 total objects/day, 50,000 dynamically (40-60 VMs, 50K files/day dynamic analysis)
    • MCAFEE ADVANCED THREAT DEFENSE: faster time to malware conviction, containment, and remediation
      – Comprehensive approach and high detection accuracy: better detection, better protection
      – Centralized deployment: lower total cost of ownership
    • I have a question...
      – How do you collect samples for analysis?
      – What malware detection techniques do you implement? Blacklisting, whitelisting, sandboxing, code emulation, code disassembly
      – Can your product unpack samples, if required?
      – How do you determine the environment (OS & applications) in which to sandbox a sample?
      – What provisions do you have to block further instances of malware, once detected?
      – Once detected, can you find malware elsewhere in the estate?
      – What is your approach to product integration?
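The "Global Spam Volume Spikes" slide describes "snowshoe" spam: a campaign spread across many sending IP addresses so that no single address sends enough to be evicted by ISP or per-IP reputation. The following is an added example, not code from the webcast or from McAfee, showing how the pattern surfaces in an MTA log once messages are grouped by campaign and the distinct sending networks are counted. The log format (one line per message with client IP, envelope sender and subject) and all log lines are constructed for the example; the thresholds are illustrative.

```python
"""Detecting "snowshoe" spam in MTA logs (added example, constructed data).

A snowshoe campaign delivers near-identical messages from many IPs in many
networks, so per-IP volume stays low. Grouping by campaign and counting the
distinct /24 networks that delivered it exposes the spread pattern that a
single-source bulk sender does not show.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines in an assumed format (not real traffic):
# timestamp, connecting client IP, envelope sender, subject.
SAMPLE_LOG = """\
2013-09-01T10:00:01 client=203.0.113.5 from=deals@offers-a.example subject="Cheap pills fast"
2013-09-01T10:00:02 client=198.51.100.7 from=promo@offers-b.example subject="Cheap  pills fast"
2013-09-01T10:00:03 client=192.0.2.77 from=sale@offers-c.example subject="cheap pills fast"
2013-09-01T10:00:04 client=100.64.1.9 from=news@offers-d.example subject="Cheap pills fast"
2013-09-01T10:00:05 client=100.64.2.9 from=info@offers-e.example subject="Cheap pills FAST"
2013-09-01T10:00:06 client=100.64.3.9 from=hello@offers-f.example subject="Cheap pills fast"
2013-09-01T10:01:00 client=192.0.2.10 from=billing@invoices.example subject="Your invoice"
2013-09-01T10:01:01 client=192.0.2.10 from=billing@invoices.example subject="Your invoice"
2013-09-01T10:01:02 client=192.0.2.10 from=billing@invoices.example subject="Your invoice"
2013-09-01T10:01:03 client=192.0.2.10 from=billing@invoices.example subject="Your invoice"
2013-09-01T10:01:04 client=192.0.2.10 from=billing@invoices.example subject="Your invoice"
2013-09-01T10:02:00 client=203.0.113.40 from=news@weekly.example subject="Weekly newsletter"
2013-09-01T10:02:01 client=203.0.113.40 from=news@weekly.example subject="Weekly newsletter"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) client=(?P<ip>[0-9.]+) from=(?P<sender>\S+) subject="(?P<subject>[^"]*)"$'
)


def parse_log(text):
    """Parse the assumed log format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def campaign_key(event):
    """Group messages into a campaign by normalised subject.

    A production system would also hash the body template or embedded URLs,
    since snowshoe senders vary subjects and sender domains too."""
    return re.sub(r"\s+", " ", event["subject"].lower()).strip()


def summarise_campaigns(events):
    """Per campaign: message count, distinct sending IPs and distinct /24 networks."""
    camps = defaultdict(lambda: {"messages": 0, "ips": set(), "networks": set()})
    for e in events:
        c = camps[campaign_key(e)]
        c["messages"] += 1
        ip = ipaddress.ip_address(e["ip"])
        c["ips"].add(str(ip))
        c["networks"].add(str(ipaddress.ip_network(f"{ip}/24", strict=False)))
    return camps


def find_snowshoe_campaigns(log_text, min_messages=4, min_networks=4, spread_ratio=0.75):
    """Flag campaigns whose messages arrive from many networks relative to volume.

    spread_ratio is distinct /24s divided by messages: near 1.0 means almost
    every message came from a different network (snowshoe); a classic bulk
    sender from one IP scores close to 0 and is left to per-IP reputation."""
    flagged = {}
    for key, c in summarise_campaigns(parse_log(log_text)).items():
        if c["messages"] < min_messages:
            continue  # too little volume to call it a campaign
        ratio = len(c["networks"]) / c["messages"]
        if len(c["networks"]) >= min_networks and ratio >= spread_ratio:
            flagged[key] = {
                "messages": c["messages"],
                "distinct_ips": len(c["ips"]),
                "distinct_networks": len(c["networks"]),
                "spread_ratio": round(ratio, 2),
            }
    return flagged


if __name__ == "__main__":
    for name, stats in find_snowshoe_campaigns(SAMPLE_LOG).items():
        print(f"snowshoe campaign {name!r}: {stats}")
```

Run over the constructed log, only the "cheap pills fast" campaign is flagged: six messages from six different /24s. The five "Your invoice" messages from one IP are the classic bulk pattern that per-IP blocking already handles, and the newsletter is below the volume floor.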
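The "Highlights" slide on daily sample markers notes that 0x20 XOR'd JavaScript is prevalent and consistent at around 0.126% of samples. The trick works because XOR with 0x20 only flips the case of ASCII letters and swaps space with NUL, so the script stays text-like but no longer contains the plain strings a signature looks for. The following is an added example, not code from the webcast or from McAfee: a brute-force single-byte XOR recovery that scores each candidate key by JavaScript keyword hits and printable ratio. The keyword list, thresholds and the sample script are constructed for the example.

```python
"""Recovering JavaScript obfuscated with a single-byte XOR key (added example).

XOR with 0x20 is a favourite because it is its own inverse and only toggles
bit 5: letters change case, space (0x20) becomes NUL and vice versa, digits
become control characters. The blob looks almost like text but matches none of
the plain-text keywords a signature would look for. Trying all 255 non-zero
keys and scoring each decode recovers both the key and the script.
"""

# Keywords a scorer expects in real (or malicious) JavaScript; constructed list.
JS_KEYWORDS = (b"function", b"var ", b"eval(", b"document.", b"unescape(",
               b"fromCharCode", b"ActiveXObject", b"window.", b"<script")

# Constructed sample: a plain script and its 0x20-XOR'd form (not a real sample).
PLAIN_JS = b'var p = unescape("%u9090%u9090"); eval(document.write(p));'


def xor_bytes(data, key):
    """XOR every byte with a single-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


OBFUSCATED = xor_bytes(PLAIN_JS, 0x20)


def score_candidate(data):
    """Return (keyword hits, printable ratio) for one candidate decode."""
    hits = sum(data.count(k) for k in JS_KEYWORDS)
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return hits, printable / max(len(data), 1)


def detect_xor_js(blob, min_hits=2, min_printable=0.9):
    """Try every non-zero single-byte key; keep the decode with most keyword hits.

    Returns None when no key yields text-like output with enough JavaScript
    keywords, which is also the answer for a script that is not XOR'd at all."""
    best = None
    for key in range(1, 256):
        decoded = xor_bytes(blob, key)
        hits, ratio = score_candidate(decoded)
        if hits < min_hits or ratio < min_printable:
            continue
        if best is None or (hits, ratio) > (best["keyword_hits"], best["printable_ratio"]):
            best = {
                "key": key,
                "keyword_hits": hits,
                "printable_ratio": ratio,
                "decoded": decoded.decode("ascii", "replace"),
            }
    return best


if __name__ == "__main__":
    # The obfuscated form still reads as (case-flipped) text, which is why it
    # slips past plain string matching yet survives in mail and web content.
    print(OBFUSCATED)
    print(detect_xor_js(OBFUSCATED))
```

The same loop also recovers other single-byte keys, so it generalises beyond the 0x20 case the slide mentions; the scoring is what keeps false positives down, since a random key rarely produces two keyword hits in mostly printable output.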
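Three slides describe one mechanism from different angles: "ATD On Box Analysis order" lists the down-selects from cheap to expensive (local white list, local black list, GTI reputation, AV scan, emulation, sandbox), "ATD Web Gateway Configuration" shows the gateway only forwarding a file when GAM is, e.g., 60% sure it is malware, and "Analysis Summary" says the Final Score is the combination of the down-select scores and maps to yellow/orange/red severity. The following is an added example, not McAfee code and not the real ATD or Web Gateway scoring scheme, that shows how such a short-circuiting pipeline behaves: conclusive early stages end analysis, only unresolved samples reach the sandbox, and the final score is the maximum any stage produced. The hash lists, reputation values, signatures, rule patterns, behaviour scores, the 0..100 scale and the severity cut-offs are all constructed for the example.

```python
"""Down-select ordering and score combination in a layered malware pipeline.

Added example with constructed data. Cheap, conclusive checks run first and end
the analysis early; only samples they cannot settle reach the expensive dynamic
stage. The final score is the maximum any stage produced, and a severity band
is derived from it. Score scale (0..100) and cut-offs are assumptions.
"""
import hashlib


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed samples (not real binaries)
KNOWN_GOOD = b"MZ\x90\x00 legitimate installer build 2013.9"
KNOWN_BAD = b"MZ\x90\x00 dropper variant 17"
UNKNOWN = b"MZ\x90\x00 setup_361 CreateRemoteThread WriteProcessMemory http://"

LOCAL_WHITELIST = {sha256(KNOWN_GOOD)}
LOCAL_BLACKLIST = {sha256(KNOWN_BAD)}
GTI_REPUTATION = {sha256(KNOWN_BAD): 95}          # assumed 0..100 scale, higher = worse
AV_SIGNATURES = {b"dropper variant": 100}          # byte pattern -> score
STATIC_RULES = {                                   # stands in for YARA rules: name -> (pattern, score)
    "injection_api": (b"CreateRemoteThread", 60),
    "process_memory_write": (b"WriteProcessMemory", 60),
    "embedded_url": (b"http://", 20),
}
BEHAVIOUR_SCORES = {                               # sandbox observation -> score
    "hide file by changing its attribute": 40,
    "created content in windows system directory": 70,
    "modified run key": 80,
}
CONCLUSIVE = 90                                    # a stage at or above this ends analysis


def severity(score):
    """Map a 0..100 score to the colour bands on the report (assumed cut-offs)."""
    if score == 0:
        return "clean"
    if score < 40:
        return "low"       # yellow
    if score < 70:
        return "medium"    # orange
    return "high"          # red


def _result(digest, stages, scores, **extra):
    final = max(scores.values())                   # combination rule: worst stage wins
    return {"sha256": digest, "stages_run": stages, "stage_scores": scores,
            "final_score": final, "severity": severity(final), **extra}


def analyze(sample, sandbox_behaviours=()):
    """Run the down-selects in order; sandbox_behaviours stands in for what the
    dynamic stage would observe (constructed, since no VM runs here)."""
    digest = sha256(sample)
    stages, scores = ["local_whitelist"], {}
    if digest in LOCAL_WHITELIST:                  # known good: stop, nothing else runs
        return _result(digest, stages, {"local_whitelist": 0})
    stages.append("local_blacklist")
    if digest in LOCAL_BLACKLIST:                  # known bad: stop
        return _result(digest, stages, {"local_blacklist": 100})
    stages.append("gti_reputation")
    scores["gti_reputation"] = GTI_REPUTATION.get(digest, 0)
    if scores["gti_reputation"] >= CONCLUSIVE:
        return _result(digest, stages, scores)
    stages.append("av_scan")
    scores["av_scan"] = max((s for sig, s in AV_SIGNATURES.items() if sig in sample), default=0)
    if scores["av_scan"] >= CONCLUSIVE:
        return _result(digest, stages, scores)
    stages.append("static_rules")
    hits = [name for name, (pat, _) in STATIC_RULES.items() if pat in sample]
    scores["static_rules"] = max((STATIC_RULES[n][1] for n in hits), default=0)
    if scores["static_rules"] >= CONCLUSIVE:
        return _result(digest, stages, scores, static_hits=hits)
    stages.append("sandbox")                       # only unresolved samples pay for this
    scores["sandbox"] = max((BEHAVIOUR_SCORES.get(b.lower(), 0) for b in sandbox_behaviours), default=0)
    return _result(digest, stages, scores, static_hits=hits, behaviours=list(sandbox_behaviours))


def gateway_should_submit(gam_confidence, threshold=0.60):
    """Gateway side: forward a file to the sandbox only when the gateway
    antimalware engine's confidence reaches the threshold (60% on the slide)."""
    return gam_confidence >= threshold


if __name__ == "__main__":
    print(analyze(KNOWN_GOOD)["stages_run"])
    print(analyze(UNKNOWN, ["Hide file by changing its attribute",
                            "Created content in Windows System Directory"]))
```

The whitelisted sample never leaves the first stage, the blacklisted one stops at the second, and the unknown sample is the only one that costs a sandbox run; its static rule hits alone would have rated "medium", and the observed behaviour lifts the final score to "high". That ordering is what the "balances performance and protection" slide is about.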