I was honored to share a panel with some colleagues at the ISRM Conference in Las Vegas (September 2010). I prepared this quick presentation as a guide that I guess might be of some help to others.

1. Modern Cyber Threats and How To Combat Them
  An ISACA panel moderated by Todd Fitzgerald
  Panelists: Jack Callaghan, R. Kinney Williams, Ramsés Gallego

2. Topics to be covered by this panel
  1. Identify what threats are out there in the "wild"
  2. Summarize the key steps to incident identification
  3. Utilize the tools, techniques and tactics to combat threats
  4. Determine what is really vulnerable in their network
3. Current Threats
  • Web 2.0 and client-side attacks
  • Targeted messaging attacks
  • Botnets
  • Rootkits
  • Logic bombs
  • Data theft
  • Identity theft

4. Web 2.0 and client-side attacks
  • Social network attacks: Twitter, MySpace, Facebook, LinkedIn, etc.
  • Mashup technology
  • Dynamically altered exploits on sites
  • Embedded malware on legitimate sites
  • 50K new malware samples per week (a figure reported by multiple vendors)

5. Examples
  • Mikeyy worm on Twitter, April 2009
  • Koobface worm on Facebook, September 2009
  • Security researchers found more than 60K pieces of malware on Twitter in 2009
  • Phishing episodes through Facebook accounts, May 2009
  • Multiple legitimate sites found serving malware
6. Koobface Worm
  • Koobface, an anagram of Facebook, is a computer worm that targets Microsoft Windows users of the social networking websites Facebook, MySpace, hi5, Bebo, Friendster and Twitter. Upon successful infection, Koobface ultimately attempts to gather sensitive information from the victims, such as credit card numbers. It was first detected in December 2008 and a more potent version appeared in March 2009.
  • Koobface spreads by delivering Facebook messages to people who are "friends" of a Facebook user whose computer has already been infected. The message directs the recipients to a third-party website, where they are prompted to download what is purported to be an update of the Adobe Flash player. If they download and execute the file, Koobface infects their system. It can then commandeer the computer's search engine use and direct it to contaminated websites. Links to the third-party website may also appear on the Facebook wall of the friend the message came from, sometimes with comments like "LOL" or "YOUTUBE". If the link is opened, the Trojan infects the computer and the PC becomes a zombie (bot) host.
7. Spear Phishing
  • Targeting of a specific person or group of people
    – Uses a fake e-mail that appears to come from a known person (a family member or a business associate)
    – Almost always carries a key-logger Trojan
    – Used to retrieve corporate data, financial data and personal data

8. Spear Phishing (example screenshot)
9. Top 10 BotNets
  • 1. Rustock (generating 43% of all spam)
    – The current king of spam. Its malware employs a kernel-mode rootkit, inserts random text into spam and is capable of TLS encryption. Concentrates solely on pharmaceutical spam.
  • 2. Mega-D (10.2%)
    – A long-running botnet that has had its ups and downs, owing to the attention it attracts from researchers. Concentrates mostly on pharmaceutical spam.
  • 3. Festi (8%)
    – A newer spambot that employs a kernel-mode rootkit and is often installed alongside Pushdo on the same host.
  • 4. Pushdo (6.3%)
    – A multi-faceted botnet (or botnets) with many different types of campaigns. A major distributor of malware downloaders and blended-threat e-mails, but also sends pharma, replica, diploma and other types of spam.
  • 5. Grum (6.3%)
    – Also employs a kernel-level rootkit. A wide range of spamming templates that change often, served up by multiple web servers. Mostly pharma spam.

10. More Top 10 BotNets
  • 6. Lethic (4.5%)
    – The malware acts as a proxy, relaying SMTP from a remote server to its destination. Mostly pharma and replica spam.
  • 7. Bobax (4.3%)
    – Another long-running botnet that employs sophisticated methods to locate its command servers. Mostly pharma spam.
  • 8. Bagle (3.5%)
    – The name derives from an earlier mass-mailing worm. Nowadays, Bagle variants act as proxies for data, and especially for spam.
  • 9. Maazben (2.0%)
    – By default uses a proxy-based spam engine, but may also use a template-based spam engine if the bot runs behind a network router. Focuses on casino spam.
  • 10. Donbot (1.3%)
    – Named after the string "don" found in the malware body. Mainly pharma spam.
11. Rootkits
  • Usually a pinpoint focus on one target
  • Hardcore, technology-driven attack
  • Driven by ideology, embezzlement or "getting back at" revenge
  • Hard to isolate
  • Harder to remove and clean up
  • Definition from Greg Hoglund's book (Rootkits: Subverting the Windows Kernel, Hoglund and Butler):
    – "A rootkit is a set of programs and code that allows a permanent and undetectable presence on a computer."

12. Examples
  • TDSS
  • Gromozon
  • Mebroot
  • Fu and FuTo
  • Agony
  • AFX
  • MBR rootkits

13. Logic Bombs
  • Disgruntled employee syndrome
  • Usually discovered after the employee leaves
  • Very destructive
  • Hard to detect before the first "bomb" is triggered
14. ID Theft methods
  • Dumpster diving
  • Online "phishing" (only about 11% of cases)
  • Stealing wallets/pocketbooks
  • Home stealing
  • Mailbox raiding
  • Address fraud
  • Pretexting
  • Shoulder surfing
  • "Vishing" and "smishing"
  • Skimming
  • Data breach

15. DDoS and other attacks
  • The long-standing DDoS attack still works
  • Targeted attacks going after detailed data retrieval are now occurring more frequently
  • Sometimes attacks are open and intentional
    – e.g. the Google/YouTube issue with Pakistan from several years ago (Pakistan Telecom's BGP announcement in February 2008, which took YouTube offline worldwide)

16. Combating the threats
  • User awareness and training
  • Incident response capability
  • Inbound and outbound filters at gateways

17. Countermeasures
  • Web 2.0 attacks are detected via behaviour-based protection methods (IDS/IPS-like)
  • Develop and implement IDS and IPS devices that understand scripting, the way browsers do
  • Use filter feedback to improve filtering
  • Develop user "distrust by default" for all incoming data (both Internet- and e-mail-based) until protection methods improve
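What an outbound behaviour-based filter at the gateway (slides 16 and 17) looks like in practice, for the spambots of slides 9 and 10: the following Python script is an added example, not code from the panel or the deck. It scores internal hosts from gateway log lines and flags any workstation that opens SMTP sessions to many distinct external mail servers within a short window, which is how a template-based spam engine or an SMTP proxy such as Lethic behaves, and which a normal mail client talking to the one corporate relay never does. The log line format, the relay allowlist, the ports and the thresholds are assumptions for the illustration, and the log lines are constructed, not captured traffic.

```python
"""Behaviour-based egress check for spambot activity (added example).

Flags internal hosts that contact many distinct external mail servers in a
short window.  Log format, allowlist and thresholds are assumptions made for
this illustration; the log lines below are constructed, not real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed gateway/NAT log format:  <ISO timestamp> <src>:<sport> -> <dst>:<dport> <proto>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<proto>\w+)$"
)

# Constructed sample: 10.0.0.15 fans out to six external MTAs in under a minute,
# 10.0.0.20 only talks to the corporate relay 10.0.0.2, 10.0.0.31 makes two external
# SMTP connections (below threshold), and one line is deliberately malformed.
SAMPLE_LOG = """\
2010-09-14T10:00:01 10.0.0.15:51020 -> 203.0.113.5:25 tcp
2010-09-14T10:00:02 10.0.0.15:51021 -> 198.51.100.7:25 tcp
2010-09-14T10:00:04 10.0.0.20:40011 -> 10.0.0.2:25 tcp
2010-09-14T10:00:05 10.0.0.15:51022 -> 203.0.113.9:25 tcp
2010-09-14T10:00:09 10.0.0.31:33000 -> 198.51.100.20:443 tcp
2010-09-14T10:00:11 10.0.0.15:51023 -> 198.51.100.30:25 tcp
2010-09-14T10:00:15 10.0.0.20:40012 -> 10.0.0.2:25 tcp
2010-09-14T10:00:20 10.0.0.31:33001 -> 203.0.113.40:25 tcp
2010-09-14T10:00:31 10.0.0.15:51024 -> 192.0.2.18:25 tcp
2010-09-14T10:00:44 10.0.0.15:51025 -> 192.0.2.77:25 tcp
2010-09-14T10:01:02 10.0.0.31:33002 -> 203.0.113.41:25 tcp
2010-09-14T10:01:10 10.0.0.20:40013 -> 10.0.0.2:25 tcp
garbage line that does not parse
2010-09-14T10:05:00 10.0.0.15:51026 -> 10.0.0.2:25 tcp
"""

MAIL_PORTS = {25, 465, 587}          # SMTP, SMTPS, submission


def parse_lines(text):
    """Yield (timestamp, src, dst, dport, proto); malformed lines are skipped, not fatal."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
                   int(m["dport"]), m["proto"].lower())


def flag_spambots(log_text, relay_allowlist, window=timedelta(minutes=5), threshold=5):
    """Return {src: sorted list of mail servers it reached} for every internal host that
    contacted at least `threshold` distinct non-allowlisted mail servers inside `window`."""
    events = defaultdict(list)                      # src -> [(ts, dst), ...]
    for ts, src, dst, dport, proto in parse_lines(log_text):
        if proto != "tcp" or dport not in MAIL_PORTS or dst in relay_allowlist:
            continue                                # not mail, or the sanctioned relay
        events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):                  # sliding window over sorted events
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            if len({dst for _, dst in evs[lo:hi + 1]}) >= threshold:
                flagged[src] = sorted({dst for _, dst in evs})
                break
    return flagged


if __name__ == "__main__":
    for host, targets in flag_spambots(SAMPLE_LOG, {"10.0.0.2"}).items():
        print(f"{host}: {len(targets)} distinct external mail servers; block egress and image the host")
```

The allowlist has to cover every authorised MTA, otherwise the corporate mail server itself trips the check; conversely, a bot that only relays through one remote proxy (the Lethic pattern) shows up as one long-lived outbound session rather than a fan-out, so this check is one rule in an egress policy, not the whole policy. On a real gateway the simplest enforcement is to deny TCP/25 outbound from everything except the relay and alert on the denies.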
18. Threat Analysis
  • Examination for detailed evaluation
    – Significance
    – Type of malware
    – Probative value
    – Meets criteria for inclusion
  • Interpretation is carried out separately

19. Incident Response Stages
  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Follow-up

20. Types of Incident Response Tools Needed
  • File system navigation tool
  • Hashing tool
  • Binary search tool
  • Imaging tool
    – Bit copy
    – File system
  • Deep retrieval tool
    – Bit level
    – File system
  • File chain navigation tool
  • Network log file analysis tool

21. Response Tools Available
  • Multiple types
    – Operating-system based
      • Windows – Microsoft
      • UNIX – multiple types
      • Macintosh
    – Environment based
    – Network based
    – Management based
  • Tools used
    1. Log Parser
    2. ProDiscover
    3. TCPView
    4. Microsoft tools – if Windows
    5. TCPDump
    6. tools – if Windows
    7. tools
    8. File control utilities – dd, etc.
    9. Wireshark (packet sniffer)
    10. Nmap (open-source network scanner)
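Three of the tool types on slides 20 and 21 (a hashing tool, a binary search tool and the bit-copy image they run against) fit in one short Python script. The following is an added example, not code from the panel or from any of the tools listed: it hashes every file under an evidence tree and compares the digests with a known-bad set, then streams a raw image looking for a byte signature and reports the sector each hit lands in, reading with overlap so a hit that straddles two read chunks is not missed. The evidence tree, the image, the file name `flash_update.exe` (after the Koobface lure on slide 6) and the signature string are constructed in a temporary directory for the demonstration; on a real case the image comes from dd or another imaging tool.

```python
"""Incident-response triage helpers (added example, not from the panel deck).

hash_tree / match_known_bad  -> the "hashing tool"
find_signature               -> the "binary search tool" over a bit-copy image
build_demo                   -> a constructed evidence tree and image, benign bytes only
"""
import hashlib
import tempfile
from pathlib import Path

SECTOR = 512


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so a multi-gigabyte image is never loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Map relative path -> SHA-256 for every regular file under root.  Symlinks are
    skipped so a planted link cannot steer the tool outside the evidence tree."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}


def match_known_bad(hashes, known_bad):
    """Paths whose digest is in the known-bad set.  Exact copies only: a repacked or
    per-victim build (slide 37) will not match, which is why the byte search exists."""
    return sorted(path for path, digest in hashes.items() if digest in known_bad)


def find_signature(image_path, signature, chunk=1 << 20):
    """Absolute byte offsets of every occurrence of `signature` in a raw image."""
    if not signature:
        raise ValueError("empty signature")
    overlap = len(signature) - 1            # carry this many bytes into the next read
    offsets, tail, base = [], b"", 0        # base = absolute offset of the next read
    with open(image_path, "rb") as f:
        for data in iter(lambda: f.read(chunk), b""):
            buf = tail + data
            i = buf.find(signature)
            while i >= 0:                   # a match cannot sit entirely inside `tail`
                offsets.append(base - len(tail) + i)
                i = buf.find(signature, i + 1)
            tail = buf[-overlap:] if overlap else b""
            base += len(data)
    return offsets


def build_demo(tmpdir):
    """Construct a fake evidence tree and raw image (benign bytes, not real malware)."""
    root = Path(tmpdir)
    (root / "docs").mkdir()
    (root / "docs" / "notes.txt").write_bytes(b"quarterly numbers\n")
    sig = b"KOOBFACE-DEMO-SIG"                       # stand-in for a real byte signature
    dropper = root / "flash_update.exe"              # assumed name, after the Koobface lure
    dropper.write_bytes(b"MZ" + b"\x00" * 30 + sig + b"\x00" * 100)
    payload = bytearray(SECTOR * 8)                  # 4 KiB zero-filled "disk"
    payload[SECTOR * 3 + 17: SECTOR * 3 + 17 + len(sig)] = sig   # inside sector 3
    payload[SECTOR * 6 - 5: SECTOR * 6 - 5 + len(sig)] = sig     # straddles sectors 5 and 6
    image = root / "disk.img"
    image.write_bytes(bytes(payload))
    return root, image, sig, {sha256_file(dropper)}  # known-bad set = the dropper's hash


def triage(root, image, signature, known_bad):
    """Run both checks and return a dict a responder can act on."""
    hits = match_known_bad(hash_tree(root), known_bad)
    offsets = find_signature(image, signature, chunk=SECTOR)   # tiny chunk forces the overlap path
    return {
        "known_bad_files": hits,
        "signature_offsets": offsets,
        "signature_sectors": sorted({o // SECTOR for o in offsets}),
    }


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        return triage(*build_demo(tmp))


if __name__ == "__main__":
    print(run_demo())
```

Run it against a real bit copy with `chunk` left at its 1 MiB default; the 512-byte chunk in `triage` exists only to exercise the overlap handling on the tiny constructed image. Hash matching catches exact copies of known samples, the byte search also finds the same code in unallocated space or inside another container, and neither finds a sample whose bytes you have never seen, which is the gap the targeted-attack slide later describes.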
22. Understanding the Risk: the market value of sensitive data
  • Trojan to steal account information: 980€-4,900€
  • Credit card number with PIN: 490€
  • Billing data: 78€-294€
  • PayPal account logon and password: 6€
  • Birth certificate: 147€
  • Social Security card: 98€
  • Credit card number: 6€-24€
  • Driver's license: 147€

23. Malware: what is it really?
  • Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. The expression is a general term used by computer professionals for a variety of forms of hostile, intrusive or annoying software or program code.
  • Software is considered malware based on the perceived intent of the creator rather than on any particular feature. Malware includes computer viruses, worms, Trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software.

24. A bigger problem than we think
  • Malware is now economically motivated and backed by organized crime and foreign interests
  • The development of highly critical malware, such as targeted attacks, is also on the rise
  • The level of sophistication behind malware makes it extremely difficult for traditional solutions to detect and remove
  • There are many bot networks defrauding businesses and consumers through sophisticated social engineering

25. What is spyware?
  • Spyware is software installed on a computer that gathers information without the user's knowledge and relays that information to advertisers or other third parties
  • Several subcategories of spyware:
    – Adware
      • Advertising-supported software that displays pop-up advertisements whenever the program is running. Often collects personal information and web surfing habits
    – System monitors
      • Programs that capture everything you do on your computer, from keystrokes, e-mails and chat room dialogue to which sites you visit and which programs you run
    – Trojan horses
      • Malicious programs that appear harmless but steal or destroy data or provide unauthorised external access
26. How spyware infiltrates
  • People don't purposefully and knowingly install spyware
    – It can be bundled with applications you want to install, such as peer-to-peer clients or desktop utilities
    – Some loads silently when you visit a seemingly innocent web page ("The Ghost in the Browser", the title of Google's 2007 paper on drive-by downloads)
  • Installed silently in the background; most users never know their computers are infected

27. Spyware threatens organizations
  • Wastes computing resources
    – Sends back information periodically, often daily
    – Consumes an organisation's bandwidth
  • Exposes proprietary information
    – It could send files to a competitor's server
    – It could monitor e-mail and send out the contents
  • Poses serious security risks
    – It could send e-mails on behalf of the user
    – It could provide a spy or hacker with a backdoor into the systems
    – It could change documents and specifications on systems to damage research or other projects
  • May introduce compliance risks

28. How botnets are used to commit financial fraud
  • A bot network consists of a "controller" and compromised zombie PCs. There have been cases of bot networks containing up to 1.5 million zombie PCs, as in the Dutch botnet case
  • The bots that infect systems can perform several actions, such as relaying spam, launching malware and performing ID theft
  • A common method of bot infection is through websites hosting exploits that actively push malware to the PC visiting the site
  • Components such as ActiveX controls can also be downloaded that then handle the rest of the infection process
  • Social engineering techniques also infect systems through spam, phishing and other content. Once a PC is infected, it can receive remote commands from the "bot master"

29. And they are using new methods
  • Botnets are beginning to use P2P networks to gain control of more computers
  • Researchers were previously able to shut down a botnet by targeting its command and control center (an IRC channel or website). Attackers now use P2P networks to connect bots in a more "horizontal", peer-to-peer manner, which makes shutting down the botnets much more difficult
30. The problem of keylogging
  • Keyloggers are programs that run in the background recording all keystrokes, and which may also send those keystrokes (potentially including passwords or confidential information) to an external party
  • Two types of keylogger programs:
    – Commercial
    – Viral (included as part of a blended threat with a worm, Trojan horse, bot, etc.)

31-33. Commercial Keylogger Example (three screenshot slides)
34. Sophisticated Social Engineering
  • Common social engineering techniques:
    – Spear-phishing and other highly targeted scams
    – Spam carrying exploits
    – Phishing e-mails that direct users to websites with hidden Trojans
    – Malware through IM channels

35. No real bank would do this! (example screenshot)

36. Infection strategies used by hackers
  • Common infection strategies used by hackers:
    – A website is hacked and seeded with Trojans (e.g. the 2007 Super Bowl website case)
    – Phishing e-mails with exploits
    – Malware through IM channels
    – Malware attached to freeware and shareware
    – Malware disguised as video codecs
    – Infection through botnets

37. Overview of Targeted Attacks
  • Characteristics of targeted attacks:
    – Involve "highly critical" malware tailored to attack a specific target (e.g. Bank of America)
    – Such malware targets a specific set of confidential information to capture and send to a third party
    – Targeted attacks typically involve a hacker hired to design malware that bypasses specific defenses
    – Attacks are very localized, so distribution is limited. In most cases AV labs never receive a sample, so no signature is produced
    – Current signature-based security solutions will not detect the malware because the hacker has tested it against commonly used AV programs
    – Hackers use sophisticated stealth techniques, such as rootkits, to hide the presence of the malware
38. Information? Readily available!
  • IT departments know about the sites... but so do all the other departments!
    – The question is: do we know who, when, where and how?
    – More importantly: do we have the means to stop it?
  • Information is easy to find (131,000,000 results returned by Google for the search term "How To Hack")
  • Hacking tools can be easy to use
    – Some don't require any programming skills at all! Keyloggers can come with nice user interfaces, such as "The Perfect Keylogger", with a "Next", "Next", "Next" install

39. ...step-by-step guides available!
  • You no longer need to go underground or to university to learn how to become a successful hacker!

40. (screenshot-only slide)

41. Do it yourself! Incredible! (screenshot)
42. Example: Denial of Service
  • You visit a website and click on a link
  • A few seconds later, many applications start running on the computer
  • You can only close the program to stop the attack; the machine no longer works

43. Example: Redirection of sites
  • You connect to online banking to see your accounts
  • A hostile applet serves an identical page
  • You enter your credentials while the attacker receives them, or they are sent to a drop site on the Internet

44. Example: Sending files in the background
  • A postcard is received by e-mail
  • An applet runs an animation
  • That applet is copying the latest Word document and sending it to the Internet in the background

45. Example: Harmful executables
  • A type of attack that appears to come from known companies inviting you to install the latest security patch or Service Pack
  • The executable file is a Trojan or other malicious code that puts our environment at risk

46. Example: Phishing and scam
  • Pakistan earthquake: we found the URL http://
  • We analyzed it and saw that there were signs of phishing
  • In this case, the "help" options include downloading an Excel file to be sent by fax
  • A real, legitimate organization would never do this...
47. Strategy: Protect every vector
  • Antivirus/antispyware
  • Data leak prevention
  • Secure content manager
  • Firewall
  • VPN

48. Strategy: Consider other approaches
  • Effectiveness vs. efficiency
  • SaaS approach
  • UTM devices
  • More than one solution will leverage your security
  • Education, education, education
  • Centralised management

49. THANK YOU (closing slide repeating the title and panel credits from slide 1)