The Threat Landscape Has Changed: Moving Beyond Anti-Spam and Anti-Virus Eric Hanselman, CISSP Network Protection Architect

Email Management: An Ongoing Problem Has always been an issue Too easy an access path Ubiquitous, anonymous access Too critical to block Cycles of control Problem is getting worse…

Has always been an issue

Too easy an access path

Ubiquitous, anonymous access

Too critical to block

Cycles of control

Problem is getting worse…

The Problem is Complex Spam Attacks Content management Intellectual property Legal liabilities

Spam

Attacks

Content management

Intellectual property

Legal liabilities

Nefarious Goals are Blending Product sales Stock manipulation Money laundering Bot recruitment Data Theft Phishing Keystroke loggers

Product sales

Stock manipulation

Money laundering

Bot recruitment

Data Theft

Phishing

Keystroke loggers

The Mule Trade

Registrant: Said Mahmod abdulla@abdulla.cc +96.485743234 Said Mahmod inc. Gavi-ayesh 34 21 Reeayad, Reeayad, PALESTINIAN TERRITORY , OCCUPIED 7849343 Domain Name: elxtrading.com Record last updated at 2007-03-02 10:27:15 Record created on 2007/3/2 Record expired on 2008/3/2 Queried whois.apnic.net with " 58.65.236.129 "... % [whois.apnic.net node-1] % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html inetnum: 58.65.232.0 - 58.65.239.255 netname: HOSTFRESH descr: HostFresh descr: Internet Service Provider country: Hong Kong [email_address] .cc - TLD “.CC” is for the Cocos (Keeling) Islands +96.485743234 International Telephone Country Codes +96x is for the “Middle East” (Iraq, Jordan, Kuwait, Lebanon, Maldeves, Oman, Saudi Arabia, Syria, Yeman) +964 is for IRAQ

Profit Motivates Innovation There is a lot of money to be made! Senders are smart Techniques are evolving Spam and attack traffic are converging!

There is a lot of money to be made!

Senders are smart

Techniques are evolving

Spam and attack traffic are converging!

Two Traditional Paths of Defense Anti-spam Block known bad senders RBL’s Block known bad words Block known bad paths Anti-Virus Block known bad attachments We expect some will get through!

Anti-spam

Block known bad senders

RBL’s

Block known bad words

Block known bad paths

Anti-Virus

Block known bad attachments

We expect some will get through!

Sender Innovations Spread the senders Botnet spam agents Obscure the words Image spam Multiply the paths Morph the attachments Polymorphic encoding Embed new attacks

Spread the senders

Botnet spam agents

Obscure the words

Image spam

Multiply the paths

Morph the attachments

Polymorphic encoding

Embed new attacks

Image Spam Gets Smarter

Techniques Get Smarter

Avoiding Detection Senders are stealthy No news is good news! Techniques are quieter Stay under the radar Slip between the cracks Targets are smaller Keeping victims quiet Social engineering

Senders are stealthy

No news is good news!

Techniques are quieter

Stay under the radar

Slip between the cracks

Targets are smaller

Keeping victims quiet

Social engineering

A Tale of Two Bots Similar roots Use self-replicating worm techniques to infect hosts via email Establishes connection to bot network for download of additional components Future activities are limitless Stration Great polymorphic encoder SpamThru Brings its own Anti-Virus GIF tools

Similar roots

Use self-replicating worm techniques to infect hosts via email

Establishes connection to bot network for download of additional components

Future activities are limitless

Stration

Great polymorphic encoder

SpamThru

Brings its own Anti-Virus

GIF tools

Masking By Morphing Polymorphic encoder beats Anti-Virus protections High volumes increase success probabilities

Polymorphic encoder beats Anti-Virus protections

High volumes increase success probabilities

Self-Modifying Malware – Stration Number of Variants Captured 8/16/06 to 11/26/06

Number of Variants Captured

8/16/06 to 11/26/06

Next Generation Payloads Script-based obfuscation Payload is hidden by Java script Can pass built-in encoder Additional hiding capabilities Very hard to see in transit Depends on interpretation on the endpoint We can’t count on clean-up We can’t allow any to succeed

Script-based obfuscation

Payload is hidden by Java script

Can pass built-in encoder

Additional hiding capabilities

Very hard to see in transit

Depends on interpretation on the endpoint

We can’t count on clean-up

We can’t allow any to succeed

How to Approach Protection Staunch the flow Better mail stream filtering Limit user choices Protect at the end points The only place to catch them Ultimate user protection

Staunch the flow

Better mail stream filtering

Limit user choices

Protect at the end points

The only place to catch them

Ultimate user protection

Staunching the Flow Traditional techniques need a priori knowledge Elusive at best… Bad Stuff is Hard to Predict Time is required for analysis Delay causes scaling problems Statistical analysis An a posteriori technique Good for large volumes Some still gets through

Traditional techniques need a priori knowledge

Elusive at best…

Bad Stuff is Hard to Predict

Time is required for analysis

Delay causes scaling problems

Statistical analysis

An a posteriori technique

Good for large volumes

Some still gets through

Better Flow Techniques URL references Analyze web links Structure analysis Better capabilities Image analysis Beyond OCR Sender identity control Still a long way off

URL references

Analyze web links

Structure analysis

Better capabilities

Image analysis

Beyond OCR

Sender identity control

Still a long way off

Host-Based Detection Best for executable content analysis Highly scalable Behavioral executable analysis Anti-Virus isn’t enough Poor statistical capabilities Traditional security Patching still required, but…

Best for executable content analysis

Highly scalable

Behavioral executable analysis

Anti-Virus isn’t enough

Poor statistical capabilities

Traditional security

Patching still required, but…

The Risks Have Expanded Our protections need to expand, too! Plan for action today! Review existing protections Coordinate email and host protection planning Keep data security planning on the horizon Risks aren’t standing still!

Our protections need to expand, too!

Plan for action today!

Review existing protections

Coordinate email and host protection planning

Keep data security planning on the horizon

Risks aren’t standing still!

Threats are everywhere… and always evolving. Will you be protected?

Resources Spam and Phishing http://www.antiphishing.org/ http://www.sans.org/ http:// www.secureworks.com/research/threats/spamthru / http://www.iss.net/documents/whitepapers/X_Force_Exec_Brief.pdf Security Protections http://xforce.iss.net/ http://www.av-test.org /

Spam and Phishing

http://www.antiphishing.org/

http://www.sans.org/

http:// www.secureworks.com/research/threats/spamthru /

http://www.iss.net/documents/whitepapers/X_Force_Exec_Brief.pdf

Security Protections

http://xforce.iss.net/

http://www.av-test.org /

Thank You! Questions?