Declaration of malWARe


This presentation takes a high-level look at the malware life cycle and the role that both hackers and IT professionals play in it. It should be interesting to IT professionals as well as individuals interested in learning more about the general approach used by hackers to gain unauthorized access to systems, applications, and sensitive data.

More security blogs by the authors can be found @
https://www.netspi.com/blog/

Published in: Technology

  1. DECLARATION of MAL(WAR)E
     The good, the bad, and the ugly
  2. Who are we?
     IT Security Consultants @ NetSPI
     We help organizations:
     • Identify vulnerabilities
     • Determine impact
     • Develop remediation plans
     • Reduce risk
  3. Presentation Overview?
     • What is malware?
     • Who creates malware?
     • Why do they create malware?
     • What skill level is required?
     • The malware lifecycle
       ‒ The “good” guy’s role
       ‒ The “bad” guy’s role
     • The “ugly” truth
  4. What is Malware?
  5. What is Malware?
     Wikipedia definition: …“software used or created by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems”…
     Our definition: …“software created to do bad things and is generally a pain in the butt”…
  6. Types of Malware
     • Remote Exploits
     • Local Exploits
     • Trojans
     • Backdoors
     • Rootkits
     • Viruses
     • Worms
  7. Malware Kit
  8. Who would do such a thing?
  9. Who is Creating Malware?
     • Organized crime
     • Governments
     • Political activists (“hacktivists”)
     • Evil developers
     • Bored teenagers
     • You?
  10. Why would they do that?
  11. Why are they Creating Malware?
     • Sell, sell, sell
     • Steal money
     • Steal information
     • Strategic position
     • Denial of Service
     • Political gain
     • Hacking as a hobby
     • Internal employees
  12. Who’s got the skills?
  13. What skill level is required?
     • Malware Developers = Programmers
       ‒ More advanced programming skillset
       ‒ Create custom malware
         • Less likely to be noticed
         • Personal use or sold to a specific group
       ‒ Commoditized malware kits
         • More likely to be noticed
         • Free and commercial
     • Malware Kit Users
       ‒ Don’t require an advanced skillset
       ‒ Much more likely to cause damage by mistake
  14. The Malware Lifecycle
  15. The Malware Lifecycle
     Bad Guys: Malware Development → Malware Deployment
     Good Guys: Malware Detection → Malware Correction → Malware Protection
  16. Developers! Developers! Developers!
  17. Malware Development
     • Professional Malware Development
       ‒ Often work like software companies
       ‒ Often produce very secure malware
     • Create different types of malware
       ‒ Remote exploits
       ‒ Local exploits
       ‒ Backdoors, “bots”, and/or rootkits
       ‒ Worms or viruses
       ‒ Command and control
       ‒ Update functions
  18. Deploy! Deploy! Deploy!
  19. Malware Deployment
     69% of all breaches incorporate malware
     As reported in the Verizon Business – 2012 Data Breach Investigations Report, available at www.verizonenterprise.com
  20. Malware Deployment
     79% of all breaches were targets of opportunity
     As reported in the Verizon Business – 2012 Data Breach Investigations Report, available at www.verizonenterprise.com
  21. Malware Deployment
     • Malware is often deployed via:
       ‒ Social engineering – email, phone, physical
       ‒ Default passwords on management applications
       ‒ Web application issues
       ‒ “Water holing” web applications
     (Diagram labels: Web Browser Issues, Email, Apps, Users, Malware, Pass, Package)
  22. Detect! Correct! Protect!
  23. Detecting Malware?
     “…the median number of days advanced attackers are on the network before being detected is…” 416
     As reported by Mandiant in their Annual Threat Report: M-Trends™ 2012
  24. Detecting Malware?
     94% of organizations learn they are victims of targeted attacks from an external entity
     As reported by Mandiant in their Annual Threat Report: M-Trends™ 2012
  25. Detecting Malware!
     • Where are threats being detected:
       ‒ Networks
       ‒ Servers
       ‒ Workstations
       ‒ Applications / Databases
       ‒ People
     • How are threats being detected:
       ‒ Behavioral / Anomaly based analysis
       ‒ Signature based analysis
       ‒ SIEM / Statistics based analysis
       ‒ Canaries / Honey pots
  26. Detecting Malware!
     • Challenges:
       ‒ Identifying signatures related to
         • undocumented malware
         • encrypted traffic
       ‒ Keeping up with the amount of malware being released
       ‒ Creating dependable behavioral based profiles
       ‒ Creating useful statistical rules
       ‒ Identifying malware in memory
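Slides 25 and 26 name the detection approaches and the gap that undocumented malware leaves in signature based analysis. As an added example (not part of the NetSPI deck), two of those approaches run over the same constructed proxy log: the block-list check finds nothing, while a statistics based check flags the host that one client contacts at a fixed interval, which is what the "phone home" step of the deployment cycle looks like in a log. All hosts, addresses and timestamps are constructed sample data.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log, "<timestamp> <client-ip> <host>"; 10.0.0.7 beacons every 5 min.
PROXY_LOG = """\
2012-06-01T09:00:00 10.0.0.5 updates.example-vendor.test
2012-06-01T09:00:12 10.0.0.7 c2-unknown.example.net
2012-06-01T09:03:41 10.0.0.5 news.example.test
2012-06-01T09:05:12 10.0.0.7 c2-unknown.example.net
2012-06-01T09:10:12 10.0.0.7 c2-unknown.example.net
2012-06-01T09:12:03 10.0.0.5 mail.example.test
2012-06-01T09:15:12 10.0.0.7 c2-unknown.example.net
2012-06-01T09:20:12 10.0.0.7 c2-unknown.example.net
2012-06-01T09:30:09 10.0.0.5 news.example.test
"""
# Constructed block list; the beaconing host is "undocumented", so it is not on it.
KNOWN_BAD_HOSTS = {"known-bad.example.org"}


def parse(log):
    """Yield (timestamp, client, host), skipping malformed lines."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) == 3:
            yield datetime.fromisoformat(fields[0]), fields[1], fields[2]


def signature_hits(log, bad_hosts=KNOWN_BAD_HOSTS):
    """Signature based analysis: (client, host) pairs on the block list."""
    return sorted({(c, h) for _, c, h in parse(log) if h in bad_hosts})


def beacon_candidates(log, min_events=5, max_cv=0.1):
    """Statistics based analysis: flag (client, host) pairs whose inter-arrival
    times are nearly constant (CV <= max_cv), the shape of a scheduled phone-home."""
    times = defaultdict(list)
    for ts, client, host in parse(log):
        times[(client, host)].append(ts)
    flagged = []
    for pair, stamps in sorted(times.items()):
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            flagged.append((pair, round(mean), round(cv, 3)))
    return flagged
```

Each flagged entry is ((client, host), mean gap in seconds, coefficient of variation); normal browsing by 10.0.0.5 has irregular gaps and is not flagged even when the event threshold is lowered.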
  27. Detect! Correct! Protect!
  28. Correcting Affected Assets!
     • Where does correction occur:
       ‒ Networks
       ‒ Servers
       ‒ Workstations
       ‒ Applications / Databases
       ‒ People
     • How does correction occur:
       ‒ Incident response
       ‒ Patch systems and applications
       ‒ Code applications securely
       ‒ Securely configure
         • Firewalls
         • Servers
         • Applications
         • User accounts
         • Training
  29. Correcting Affected Assets!
     • Challenges:
       ‒ Creating patches for exploits before they are widely used
       ‒ Patching 3rd party software
       ‒ Creating and managing secure code
       ‒ Legacy and unsupported applications
       ‒ Vendor contracts
       ‒ Providing adequate training
  30. Detect! Correct! Protect!
  31. Protecting Assets!
     • Where are assets protected:
       ‒ Networks
       ‒ Servers
       ‒ Workstations
       ‒ Applications / Databases
       ‒ People
     • How are assets being protected:
       ‒ Build/manage secure configurations
       ‒ Build/manage secure applications
       ‒ Network Access Control & Intrusion Prevention Systems
       ‒ Proactive exploit development
       ‒ Proactive vulnerability identification
       ‒ Development of signatures
       ‒ 3rd Party Risk assessments
  32. Protecting Assets!
     • Challenges:
       ‒ Security vs. usability
       ‒ Asset inventory
       ‒ Managing secure configurations
       ‒ Communication/risk related to partners, contractors, and vendors
       ‒ Cost / Time / Skills
       ‒ Education and training
  33. Putting it All Together
  34. The Malware Deployment Cycle
  35. The Malware Deployment Cycle
     (Diagram: example timeline)
  36. Simplified Network Diagram
  37. Gain Access via Exploit
  38. Escalate Privileges via Exploit
  39. Install Backdoor or Bot
  40. Propagate via Worm or Virus
  41. Command and Control: Phone Home
  42. Command and Control: Get Orders
  43. Good Guys Detect
  44. Good Guys Correct
  45. Good Guys Protect
  46. The Ugly Truth
  47. The Ugly Truth: Bad Guys
     Bad guys are creating malware that is:
     • Not going away
     • Getting more advanced
     • Getting harder to detect
     • Getting easier to use
     • Getting used by more people
  48. The Ugly Truth: Good Guys
     Good guys need to:
     • Continue to fight the good fight!
     • Continue to develop new methods of detection, correction, and prevention
     • Develop better security policies that make attacks:
       • Harder to execute
       • Easier to detect
       • Easier to respond to and contain
     • Focus on proactive vulnerability identification
     • Get rid of unnecessary sensitive data
     • Encrypt remaining sensitive data
     • Educate more users more often
     That can start with you…
  49. What’s Next? What can I do?
     • Don’t visit sketchy web sites
     • Don’t open mail from unknown senders
     • Review links before clicking them in emails
     • Patch your systems and software
     • Validate websites before providing sensitive information (click the “little lock” in your browser)
     • Don’t create and/or use malware… unless it’s for the good guys
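Slide 49 asks users to review links before clicking and to look for the “little lock”. As an added example (not from the deck), the check below parses an HTML e-mail body and reports links whose visible text names a different host than the real target, or whose target is not HTTPS. The e-mail body and every hostname in it are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed e-mail body: an honest link, a link whose visible text names a
# different site than its href, and a plain-http link (no "little lock").
SAMPLE_EMAIL = """
<p>Your statement is ready. <a href="https://bank.example.com/login">Log in</a></p>
<p>Or use <a href="http://login-bank.example.net/">https://bank.example.com</a></p>
<p>Help: <a href="http://help.example.com/faq">help.example.com</a></p>
"""


class LinkCollector(HTMLParser):
    # Collect (href, visible text) for every <a> in the body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    # Host named by a URL or bare host string; '' when the text is not one.
    if "://" not in text:
        text = "//" + text
    host = (urlsplit(text).hostname or "").lower()
    return host if "." in host and " " not in host else ""


def review_links(html):
    """(href, text, reason) for links not to trust blindly: text names another host, or target is not HTTPS."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target, shown = host_of(href), host_of(text)
        if shown and shown != target:
            findings.append((href, text, "text names %s but link goes to %s" % (shown, target)))
        elif urlsplit(href).scheme != "https":
            findings.append((href, text, "not https"))
    return findings
```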
  50. Questions? Questions? Comments? Quarrels?