Modern cyber threats_and_how_to_combat_them_panel

Modern Cyber Threats and How To Combat Them An ISACA Panel moderated by Todd Fitzgerald Panelists: Jack Callaghan R. Kinney Wiliams Ramsés Gallego

Topics to be covered by this panel 1. IdenIfy What Threats are Out There in the “Wild” 2. Summarize the Key Steps to an Incident IdenIﬁcaIon 3. UIlize the Tools, Techniques, and TacIcs to Combat Threats 4. Determine What is Really Vulnerable in Their Network

Current Threats • Web 2.0 and client-‐side a[acks • Targeted messaging a[acks • Botnets • Rootkits • Logic Bombs • Data The^ • IdenIty The^

Web 2.0 and client-‐side a[acks • Social network a[acks – Twi[er, MySpace, Facebook, LinkedIn, etc. • Mashup Technology • Dynamic Altering Exploits on sites • Embedded Malware on LegiImate Sites • 50K new malware per week – MulIple vendors

Examples • Mikeyy worm – Twi[er – Apr 09 • Koobface worm – Facebook – Sept 09 • Security researchers -‐ >60K pieces of malware on Twi[er in 2009 • Phishing episodes through Facebook accounts – May 09 • MulIple legiImate sites with malware

Koobface Worm • Koobface, an anagram of Facebook, is a computer worm that targets the Microso^ Windows users of the social networking websites Facebook, MySpace, hi5, Bebo, Friendster and Twi[er. Koobface ulImately a[empts, upon successful infecIon, to gather sensiIve informaIon from the vicIms such as credit card numbers. It was ﬁrst detected in December 2008 and a more potent version appeared in March 2009. • Koobface spreads by delivering Facebook messages to people who are 'friends' of a Facebook user whose computer has already been infected. Upon receipt, the message directs the recipients to a third-‐party website, where they are prompted to download what is purported to be an update of the Adobe Flash player. If they download and execute the ﬁle, Koobface is able to infect their system. It can then commandeer the computer's search engine use and direct it to contaminated websites. There can also be links to the third-‐party website on the Facebook wall of the friend the message came from someImes having comments like LOL or YOUTUBE. If the link is opened the trojan virus will infect the computer and the PC will become a Zombie or Host Computer. 6

Spear Phishing • TargeIng of speciﬁc person or people – Uses fake email from known person • Family Member • Business Associate – Almost always contains key-‐logger Trojan – Used to retrieve • Corporate Data • Financial Data • Personal Data 7

Spear Phishing 8

Top 10 BotNets • 1. Rustock (genera4ng 43% of all spam) – The current king of spam, its malware employs a kernel-‐mode rootkit, inserts random text into spam and is capable of TLS encrypIon. Concentrates solely on pharmaceuIcal spam. • 2. Mega-‐D (10.2%) – A long-‐running botnet that has had its ups and downs, owing to the a[enIon it a[racts from researchers. Concentrates mostly on pharmaceuIcal spam. • 3. Fes4 (8%) – A newer spambot that employs a kernel mode rootkit and is oên installed alongside Pushdo on the same host. • 4. Pushdo (6.3%) – A mulI-‐faceted botnet or botnets, with many different types of campaigns. A major distributor of malware downloaders and blended threat e-‐mails, but also sends pharma, replica, diploma and other types of spam. • 5. Grum (6.3%) – Also employs a kernel-‐level rootkit. A wide range of spamming templates changes oên, served up by mulIple Web servers. Mostly pharma spam. 9

More Top 10 BotNets • 6. Lethic (4.5%) – The malware acts as a proxy by relaying SMTP from a remote server to its desInaIon. Mostly pharma and replica spam. • 7. Bobax (4.3%) – Another long-‐running botnet that employs sophisIcated methods to locate its command servers. Mostly pharma spam. • 8. Bagle (3.5%) – The name derives from an earlier mass-‐mailing worm. Nowadays, Bagle variants act as proxies for data, and especially spam. • 9. Maazben (2.0%) – By default, uses a proxy-‐based spam engine. However, it may also use a template-‐based spam engine if the bot runs behind a network router. Focuses on Casino spam. • 10. Donbot (1.3%) – Donbot is named a^er the string "don" found in the malware body. Mainly pharma spam. 10

Rootkits • Usually pinpoint focus for target • Hardcore tech-‐driven a[ack • Either ideology, embezzlement, or “genng back at” revenge driven • Hard to isolate • Harder to remove/clean up • DeﬁniIon from Gary Hoagland's book: – "A rootkit is a set of programs and code that allows a permanent and undetectable presence on a computer."

Examples • TDSS • Gromozon • Mebroot • Fu and FuTo • Agony • AFX • MBR rootkits

Logic Bombs • Disgruntled employee syndrome • Usually discovered a^er employee leaves • Very destrucIve • Hard to detect before ﬁrst “bomb” is triggered

ID The^ methods • Dumpster Diving • Online “phishing” – 11% only • Stealing Wallets/Pocketbooks • Home Stealing • Mailbox Raiding • Address Fraud • PretexIng • Shoulder Surﬁng • “Vishing and Smishing” • Skimming • Data Breach 14

DDOS & Other A[acks • The long standing DDOS a[ack sIll works • Targeted a[acks going for detailed data retrieval and now occurring more frequently • SomeImes a[acks are open and intenIonal – Google issue with Pakistan from several years ago

CombaIng the Threats • User awareness and training • Incident Response capability • In-‐bound & out-‐bound ﬁlters at gateways

Countermeasures • Web 2.0 a[acks detected via behavior based protecIon methods (IDS/IPS like) • Develop and implement IDS and IPS devices to understand scripIng -‐ similar to browsers • UIlize ﬁlter feedbacks to improve ﬁltering • Develop user “distrust by default” on all incoming data (both Internet and e-‐mail based) unIl protecIon methods improve

Threat Analysis • ExaminaIon for detailed evaluaIon – Signiﬁcance – Type of Malware – ProbaIve Value – Meets criteria for inclusion • InterpretaIon is carried out separately

Incident Response Stages 1. PreparaIon 4. EradicaIon 2. IdenIﬁcaIon 5. Recovery 3. Containment 6. Follow-‐Up

Types of Incident Response Tools Needed • File System NavigaIon tool • Hashing tool • Binary Search tool • Imaging tool – Bit Copy – File System • Deep Retrieval tool – Bit Level – File System • File Chain NavigaIon tool • Network Log File Analysis tool

Response Tools Available • MulIple types 1. Tools Used 2. Log Parser – OperaIng System based 3. ProDiscover • Windows – Microso^ 4. TCPView • UNIX – mulIple types 5. Microso^ tools – if Windows • Macintosh 6. TCPDump 7. Sysinternals.com tools – if Windows – Environmental Based 8. Foundstone.com tools – Network Based 9. File control uIliIes – DD, etc. 10. Wireshark (packet sniﬀer) – Management Based 11. Nmap (security) Open Source Network Scanner 21

Understanding the Risk The Market Value of SensiIve Data 980€-4.900€ 147€ Trojan to steal account information Birth certificate 490€ 98€ Credit Card Number Social Security card with PIN 78-294€ 6€-24€ Billing data Credit card number 6€ 147€ PayPal account Driver's license logon and password 22

Malware: what is it really? • Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code • Software is considered malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software 23

A bigger problem than we think • Malware is now economically motivated and backed by organized crime and foreign interest • The development of highly critical malware such as targeted attacks is also on the rise • The level of sophistication behind malware makes it extremely difficult for traditional solutions to detect and remove • There are many bot networks to de-fraud business models and consumers through sophisticated social engineering 24

What is spyware? • Spyware is software installed on a computer that gathers information without the user's knowledge and relays that information to advertisers or other 3rd parties • Several subcategories of spyware: – Adware • Advertising-supported software that displays pop-up advertisements whenever the program is running. Often collect personal information and web surfing habits – System monitors • Programs that capture everything you do on your computer, from keystrokes, emails and chat room dialogue, to which sites you visit and which programs you run – Trojan horses • Malicious programs that appear harmless but steal or destroy data or provide unauthorised external access 25

How spyware inﬁltrates • People don’t purposefully and knowingly install spyware – Can be included with applicaIons you want to install, such as peer-‐to-‐peer clients or desktop uIliIes – Some silently load when you visit a seemingly-‐innocent Web page (‘The Ghost in the browser’) • Installed silently in the background – most users never know their computers are infected

Spyware threats organizaIons • Wastes compuIng resources – Sends back informaIon periodically, oên daily – Consumes an organisaIon’s bandwidth • Exposes proprietary informaIon – It could send files to a compeItor’s server – It could monitor e-‐mail and send out the contents • Poses serious security risks – It could send emails on behalf of the user – It could provide a spy or hacker with a backdoor into the systems – It could change documents and specificaIons on systems to damage research or other projects • May introduce compliance risks 27

How botnets are used to commit ﬁnancial fraud • A bot network consists of a “controller” and compromised zombie PCs. There have been cases of bot networks containing up to 1.5 Million zombie PCs like in the Dutch botnet case • The bots that infect systems can perform several acIons such as relay spam, launch malware and perform ID the^ • Some of the common methods for bot infecIon is through websites that contain exploits and vulnerabiliIes that acIvely transmit malware to the PC visiIng the site. • Components can also be downloaded such as AcIveX controls, etc that will then deal with the rest of the infecIon process • Social engineering techniques also exist to infect systems through spam, phishing and other content. Once a PC has become infected it can receive remote commands from the “bot master” remotely 28

And they are using new methods • Botnets are beginning to use P2P networks to gain control of more computers • Researchers were previously able to shut down a botnet by targeIng its Command & Control center (and IRC channel or website). Hackers are now using P2P networks to connect bots in a more “horizontal,” peer manner, which makes shunng down the botnets much more diﬃcult 29

The problem of keylogging • Keyloggers are programs that run in the background recording all keystrokes and which may also send those keystrokes (potenIally including passwords or conﬁdenIal informaIon) to an external party • 2 types of Keylogger programs: – Commercial – Viral (included as part of blended threat with Worm, Trojan Horse, BOT, etc.. 30

Commercial Keylogger Example 31

SophisIcated Social Engineering • Common social engineering techniques: – Spear-‐Phishing and other highly targeted scams – Spam with exploits – Phishing emails that direct users to web-‐sites with hidden Trojans – Malware through IM channels 34

No real bank would do this! 35

InfecIon strategies used by hackers • Common infecIon strategies used by hackers – A web site is physically hacked and seeded with Trojans (i.e. Superbowl website case) – Phishing emails with exploits – Malware through IM channels – Malware a[ached to freeware and shareware – Malware in the form of video codecs – InfecIon through botnets 36

Overview of Targeted A[acks • CharacterisIcs of Targeted A[acks: – Involve “Highly CriIcal” malware tailored towards a[acking a specific target (i.e. Bank Of America) – Such malware target a specific set of confidenIal informaIon to capture and send to a 3rd party – Targeted a[acks always involve a hacker hired to design malware to bypass specific defenses – A[acks are very localized; therefore, distribuIon is limited. In most cases AV labs do not receive a sample which results in no signature file – Current security soluIons will not detect the malware because the hacker has prepared against commonly used AV programs – Hackers are using sophisIcated stealth techniques such as rootkits to hide the presence of malware 37

InformaIon? Ready available! • IT departments know about sites...but so do all the other departments! – QuesIon is…do we know who, when, where and how? – More importantly…do we have the means to stop it? • InformaIon is easy to ﬁnd! (131,000,000 results returned on Google when the search term ‘How To Hack’ is used) • Hacking tools can be easy to use – Some don’t require any programming skills at all! (Keyloggers can come with nice user interfaces, such as ‘ The Perfect Keylogger’) with a ‘Next’, ‘Next’, ‘Next’ install! 38

…step-‐by-‐step guides available! • You no longer need to go underground or to university to learn how to become a successful hacker! 39

Do it yourself! Incredible! 41

Example -‐ Denial of Service • You visit a web site and click on a link • A few seconds later, many applications start to run in the computer • You can only close the program to prevent the attack. The machine does not work 42

Example RedirecIon of sites • You connect to online banking to see your accounts • A hostile applet sends an identical page • You introduce your credentials while a hacker is receiving them or they are being sent to an Internet directory 43

Example Sending ﬁles in background • A postcard is received by email • An applet executes an animation • That applet is copying the last Word document and is sending it in the background to the Internet 44

Example Harm exectutables • There is type of attack that seems to be from known companies who invite to install the last security patch or Service Pack • The executable file is a Trojan or malicious code that puts our environment at risk 45

Example -‐ Phising and scam • Pakistan Earthquake – We found the URL h[p:// pakistanhelp.com • We analyzed it and we saw that there were signs of phising • In this case, the ‘help’ options include the download of an Excel file to be sent by fax • A real and legal organization would never do this…. 46

Strategy: Protect every vector Antivirus/ Antispyware Data Leak Prevention Secure Content Manager Firewall VPN 47

Strategy: Consider other approaches Internet • Effectiveness vs. Efficiency • SaaS approach • UTM devices • More than one solution will leverage your security • Education, education, education • Centralised management 48

THANK YOU Modern Cyber Threats and How To Combat Them An ISACA Panel moderated by Todd Fitzgerald Panelists: Jack Callaghan R. Kinney Wiliams Ramsés Gallego

Modern cyber threats_and_how_to_combat_them_panel

by Ramsés Gallego

Accessibility

Categories

Upload Details

Usage Rights

Statistics

Modern cyber threats_and_how_to_combat_them_panel Presentation Transcript