White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New Normal



The single largest threat your organization faces today is network breach. Spear-phishing, poisoned search results, drive-by downloads, and legitimate sites being compromised to push malware are all part of our current reality. The most successful and common attack vectors stem from targeted attacks on your employees. Organizations need to utilize solutions that protect their network from user error and support requirements for continuous monitoring, real-time situational awareness and actionable threat intelligence for their security teams.


3975 University Drive, Suite 460, Fairfax, Virginia 22030 | 1-855-511-5967 | Invincea.com | @invincea
DETECTION | PREVENTION | INTELLIGENCE

Spear-Phishing, Watering Hole and Drive-By Attacks: The New Normal
Secure the primary vulnerability exploited by your adversaries – protect every employee
Executive Summary

The news over the past 18 to 24 months proves one alarming fact: the single largest threat your organization faces today is network breach. Your employees have become the primary target of a diverse set of motivated adversaries bent on one objective: penetrating your network in order to gain access to sensitive information including financial data, research and development activities, intellectual property, and personally identifiable information on your clients and employees. Today's most successful and common attack vectors involve tricking your users into opening the door to your network. Spear-phishing, watering hole attacks and drive-by downloads are the new normal. The adversary is gaining entry into your network by enticing your employees to click on links and open document attachments, and every time they go to the Internet or open the email client, they put your company at risk.

The techniques used by your adversaries include:

• Spear-phishing emails that deliver the employee to malicious websites that run drive-by download exploits, or that include weaponized document attachments
• Watering hole attacks that involve hijacking legitimate, trusted sites to push malware to unsuspecting users
• Poisoning search results behind trending news items on popular engines, such as Google, Yahoo!, and Bing
• Pushing malware through popular social networks such as Twitter and Facebook

Your organization is under a state of constant and sustained attack, and every employee represents a potential point of weakness in your security strategy. Innovation in endpoint security is a critical need. New approaches to insulate the employee against these attacks are required, and Invincea is the solution.

Diverse Adversaries – Common Objectives – Massive Gains

Your adversaries range from nation states seeking to steal government secrets and intellectual property, to organized cyber criminals seeking to perpetrate financial fraud and identity theft, to hacktivists seeking to disclose your secrets in the public eye in an effort to shame your organization. Regardless of the actors, the common denominator is that your employees are the entry point. For nation states and cyber criminals the motivation is clear: massive financial gain on the back of your long-term investments.

"Cyber-crime's estimated cost is more than that of cocaine, heroin, and marijuana trafficking put together."
– Khoo Boon Hui, President, Interpol
No One is Immune

The question from business leaders to their security teams was once "Can this happen to us?" The news over the past 18-24 months has answered that question with an emphatic "Yes…no one is immune." Every organization is at risk for cyber breach. Depending on the size of the organization, the industry, and the geographic footprint, the adversarial focus may vary. Small and medium sized businesses are most at risk from organized cyber criminals. Enterprises and governments face threats from all three of the main adversarial categories – nation states, cyber-crime, and hacktivists. The Hackmageddon blog covers the motives of adversaries, their targets, and includes a detailed graphic timeline of hacking incidents categorized by month in 2012. Below are a few real-world examples of recent attacks against a wide cross section of industries. The sad reality is that this list is not all-inclusive, as there are simply too many examples to cite.

• Spear-phishing attack against RSA
• Spear-phishing attack against Oak Ridge National Labs
• Spear-phishing attacks against global energy companies ("Night Dragon")
• Spear-phishing attacks against dozens of industries ("Operation Shady RAT")
• Spear-phishing attacks against The Wall Street Journal, Washington Post and New York Times
• Watering hole attacks against Facebook, Twitter and Apple
• Watering hole attack against the U.S. Department of Labor and Energy
• Drive-by download attack using popular site Speedtest.net
• Drive-by download attack using major Washington D.C. area radio station websites
• Hacktivist attack against Sony PlayStation Network
• Spear-phishing attacks against private firms, think tanks, government organizations
• Spear-phishing attacks against gas pipeline firms
• Cyber-crime attacks against small and medium sized businesses

Assessing the Cost of Data Breach

The Ponemon Institute's "2012 Cost of Cyber Crime" report places the cost of data breach at an average of roughly $8.4 million. A hefty sum to be sure; however, recent disclosures are even more alarming. When considering the risk of a breach, look at the following:

• $66 million in losses at RSA – The Security Division of EMC
• $171 million in losses suffered at Sony for breach of Sony PlayStation Network
• According to an anonymous source in the U.S. Intelligence community quoted in this Washington Post report, attacks by nation states in the past two years have resulted in:
  o Loss of $100 million worth of insecticide research
  o Loss of $400 million worth of chemical formulas
  o Loss of $600 million worth of proprietary electronics data

"Trade secrets developed over thousands of working hours…are stolen in a split second."
– Robert "Bear" Bryan, National Counterintelligence Executive

The User as the Unwitting Accomplice

We live in a constantly connected world, and every employee in your organization has multiple ways to access your network. They have free rein over the Internet to aid in productivity and are always connected to the email client, day or night, at work or home. Your adversaries know this and use it to their advantage. They also know that despite all of the effort you expend attempting to train your users to make good security decisions, a well-crafted attack has a high likelihood of success. Every employee in the organization is a potential unwitting accomplice to breach, from the intern to the chief executive. Why? The adversaries also know that internal network security is virtually non-existent. With access to, and residency on, a single machine, they can move laterally to seek out the keys to your kingdom.

Looking at the 2011 Investigations report released by the U.S. Computer Emergency Response Team (US-CERT), it is clear that the employee is the primary target. When combining phishing and malicious website-based attacks (i.e. attacks involving employees), US-CERT found that roughly 58% of incidents in 2011 involved direct attacks against the employee.

Total Incidents Reported to US-CERT, FY 2011
(Source: US-CERT FY 2011 Investigations)

Category | Incidents | Share of total
Phishing | 55,153 | 51.20%
Virus/Trojan/Worm/Logic Bomb | 8,236 | 7.70%
Malicious Website | 6,795 | 6.30%
Non Cyber | 9,652 | 9%
Policy Violation | 7,927 | 7.40%
Equipment Theft/Loss | 6,635 | 6.20%
Suspicious Network Activity | 3,527 | 3.30%
Attempted Access | 863 | 0.80%
Social Engineering | 2,573 | 2.40%
Others | 6,294 | 5.80%
Total | 107,655 | 100%

Fighting an Uphill Battle

When it comes to defending against today's adversaries, the burden typically falls on under-armed, overworked IT and Information Security teams. Shrinking budgets; limited human resources; wide-swathing workloads; lack of innovative new solutions from trusted vendors; and constant push back from the business to minimize any changes to employee workflow are all working against these teams in their fight to protect your organization. When we combine these challenges with the fact that your adversaries are well-funded, staffed, motivated, and constantly evolving their techniques, it is little wonder that we see the pace of breaches increasing at an exponential rate. Your IT and Information Security teams need help. They need new solutions that can meet the demand of the business to keep the employee productive and at the same time protect every employee from becoming an unwitting accomplice to breach. Unfortunately, the adversary has you outnumbered. This isn't a problem that can be addressed by scaling your internal team. In fact, every one of your employees is a potential target. This is a problem that demands a technology solution to aid the internal security team in identifying the adversary while not ceding the network to breach.

Wash-Rinse-Repeat – The Security Insanity Cycle

Against the backdrop described above, these teams often find themselves in a game of "Whac-A-Mole" with your adversaries. The wash-rinse-repeat cycle of infection detection, remediation, and patching of the vulnerability used to penetrate your network is what Invincea calls the "Security Insanity Cycle."
The fundamental problems with this reality are threefold:

1. Infections are usually detected months or years after the fact, meaning the damage is long since done and the adversary has had ample time to both colonize the network and steal sensitive data.

   "In over half of the incidents investigated, it took months – sometimes even years – for this realization to dawn."
   – Verizon Business Data Breach Investigations Report, 2012

2. Dollars spent on remediation reach into the millions, meaning unbudgeted costs for the organization that impact the bottom line and add to the overall cost of network breach. Moreover, these millions are spent after the damage is done – they do nothing to protect your organization.

3. While your teams are fighting the newly discovered fire, the adversary continues to attack other parts of the organization. This is where the "Whac-A-Mole" analogy comes into play. Your adversaries are persistent – while you clean up one attack, they've already pivoted and are launching others against you.
The Great Malware Arms Race

One significant reason that your teams are at a severe disadvantage to your adversaries is that many of the technologies they rely upon are reactive. Most require a list of known bad malware or websites in order to detect or block malware. These technologies no longer work against today's adversaries, who continuously morph their signature while standing up and bringing down websites on an hourly basis. Consider the following when looking at the ability of signature-based defenses to protect your organization:

• Malware authors are producing roughly 80,000 new variants per day (McAfee).
• Malware authors are increasingly utilizing polymorphic techniques in which malware mutates itself to evade signatures.
• The endpoint has effectively become the new perimeter and Anti-Virus (AV) is the primary endpoint security solution, yet an alarming (though somewhat dated) Cyveillance study shows that AV vendors detect less than 19% of attacks on average.

Why Current Defenses Fall Short

What we need to understand when looking at our defensive strategies is that for all intents and purposes, the user has become the new perimeter. As we have moved to an always-on, increasingly mobile lifestyle, we have changed the security paradigm. It has evolved from one of protecting assets that are statically placed behind our layered defenses to one of protecting those assets wherever they may be at any given point in time. If we accept the ample evidence that suggests the employee is the primary target, then we must also protect his or her computing device. To further support this assertion, consider two recent examples of adversaries targeting employees on the road:

• Popular iBAHN wireless hotel network attack (December 2011)
• IC3 warning of attacks through hotel wireless networks (May 2012)
Assessing the Power of Anti-Virus

Anti-virus (AV) software is inherently reactive because it discovers infections after they occur and is unable to detect new malicious code variants. Typically only a handful of the 40+ AV products will know about the malware. Again, this is because more than 80,000 new malware variants are being released into the wild on a daily basis and malware writers are now using polymorphic techniques to constantly avoid detection. Some AV offerings now feature heuristic patterning in which threats are grouped and analyzed according to common characteristics. However, heuristics are rarely deployed by the AV companies because they are subject to false positives, which can result in severe damage to the system if a system file is quarantined as a false positive. Some AV vendors augment resident data repositories with a real-time, cloud-based service in order to reduce the time it takes to identify threats and provide updates to customers. However, the fundamental approach remains unchanged. These tools are still only stopping known threats, so they're missing the most sophisticated elements of the threat landscape.

Assessing the Power of Firewalls

One traditional way of protecting the enterprise is to build a wall around the castle – a network firewall. However, firewalls are designed to stop inbound threats to services that should not be offered outside the organization. In the context of a Web browser or email client, firewalls are ineffective since they block only inbound attacks, and browser malware is initiated by outbound Web page requests that pass through the firewall. Additionally, email attachment based attacks often penetrate firewalls to reach employees if the malware is unknown to AV scanners running at firewalls. The bad actor doesn't need to try to penetrate the network since the user pulls it in from the inside. Firewalls obviously maintain a role in a layered defense approach as they help to prevent inbound attacks against ports and services that should not be exposed to the outside. Also, if an attack occurs at the network layer, firewalls and filtering proxies can block the connection and prevent the attack from compromising other machines within the enterprise. It just isn't enough against today's threats, especially if we accept the assertion that the endpoint is the new perimeter.

Assessing the Power of Web Gateways

Web gateway solutions like Blue Coat, Websense, and those offered by some of the major AV vendors selectively block Web content from a known malicious source. Their effectiveness revolves around the ability to proactively blacklist untrusted sites or, more restrictively, only allow users to visit certain whitelisted sites, so that when a user clicks a link, the gateway may prevent the browser from accessing the site. Similar to AV solutions, Web gateways need to know what bad is beforehand in order to stop your employees from accessing it. Gateways definitely deliver a broader solution than AV because they can blacklist IP addresses and URLs, but they still play a game of cat and mouse with the adversary. It just isn't enough against today's threats.
Consider the complexity of maintaining an accurate whitelist and blacklist for your Web gateway when taking into account some of this recent news:

• 30,000 new malicious sites stood up on a daily basis
• "Lizamoon" attack infects millions of legitimate websites
• Amnesty International website hijacked to push malware
• High-ranked sites hijacked and blacklisted by Google

Assessing the Power of Application Whitelisting

While application whitelisting is effective at preventing standalone malware executables from running, most attacks exploit known trusted applications including the browser, document readers, and document editors. Microsoft Internet Explorer, Adobe Reader and, increasingly, Microsoft Office documents are the most vulnerable, targeted, and widely used applications on the desktop. These applications present a rich environment for attackers to find and exploit vulnerabilities. They also provide fertile ground for adversaries to dupe users into clicking on links and opening documents. As malware exploits those applications, the cyber adversary gains a foothold in the enterprise via the whitelisted application. The malware has access to that machine, the data on that machine, and all network devices to which that machine is connected.

A paper recently presented at ShmooCon 2012 entitled "Raising the White Flag" detailed the security gaps in leading whitelisting tools, including:

• ActiveX controls
• PDF documents
• Office documents
• Shellcode injection
• Java
• JavaScript
• Browser exploits
• Browser extensions
• Scripting
Not surprisingly, these attacks involve exploiting both the extant vulnerabilities and the extensions and plug-ins of whitelisted applications including the browser and document readers and editors. This includes scripting languages, shellcode, Java, interpreters, and vulnerabilities in the applications themselves. Unfortunately, these are the most common real-world exploits. Most exploits work by either using a spear-phish to direct the user to click on a link or directing the user to open an attachment. Users also get infected using more opportunistic methods like poisoned search engine results or simply browsing the Web. It's not unusual for malware to leverage a browser vulnerability to directly inject itself into the memory of a running process, such as an operating system service. In all of these cases, the exploited or infected process has been whitelisted and therefore is allowed to run with full and normal privileges.

Assessing the Power of Network-Based Malware Detection

Recently there has been a push for perimeter security solutions that promise to do behavioral analysis of content using virtual machines. However, there are fundamental limitations with this approach based on content analysis and scalability, and they have already been circumvented by several countermeasures, some of which are quite simple.

Network Boundary Limitations for In-Line Analysis

The fundamental limitation on deployments in practice is making the network appliance the bottleneck for all inbound content. While deep packet inspection (DPI) technologies have made progress toward being able to do in-line inspection at gigabit speeds, DPI devices are doing pattern matching on hardware optimized for the purpose of matching network streams against known attack patterns, i.e., signature matching against known threats. Network appliances that attempt to run content in a virtual machine (VM) at the network boundary before passing on the content face a fundamental limitation: they introduce unacceptable latency for each session or content type that must be analyzed prior to passing the content to the user.

To do in-line monitoring with a VM-based technique, you will need to create a VM for each session nominally, and likely for each content type. For instance, if a user browses to a website and the device attempts to determine if that website is malicious, it will also need to browse to the website and attempt to observe any malicious behavior. Clearly the latency to perform this action proactively is infeasible, so the best case is that it determines the site is malicious while the breach happens or after the breach occurs. For example, in analyzing the content attached to an email, a VM must be created for each content type. If the email has a PowerPoint, Word, and .zip archive with executable type programs embedded, then a VM must be created for each of these content types – and that is just for a single email for a single user.

There are significant scalability issues that arise with this approach:

1. Scaling to number of users
2. Scaling to number of sessions and emails per user
3. Scaling to content types
4. Scaling to versions of software for each content type (e.g., Adobe 8.x, Adobe 9.x) to determine if a vulnerability is being exploited
5. Scaling within acceptable latency bounds for delaying delivery of content

Points 1, 2, and 3 above set the requirement for a certain number of VMs to be created per user in your organization based on the network sessions they have and content type. Point 4 exacerbates this problem severely because most exploits are specific both to a particular version of the application running the content type and to the operating system that runs the application. In other words, an in-line solution will need to include every version of every application/operating system combination present within the network to determine if it may be exploited by the untrusted content. The final point, Point 5, is extremely difficult to overcome because it cannot scale with hardware. The adversary can introduce arbitrary delays in running malicious code. For instance, when opening a Word or PDF document, the malicious code may choose to wait 15 or 20 minutes before running. Some exploits we have observed in practice will require a system reboot before running the malicious code. Finally, archiving content in a compressed, encrypted, or password-protected format where the password or key is shared with the user defeats in-line approaches, simply because the content cannot be scanned at the gateway. These tactics are all within control of the adversary and make in-line analysis of content fundamentally unscalable.

In addition to all these drawbacks, hardware isn't cheap. With a robustly configured server, you can host at least 64 and at best 128 virtual machines. Once you start to do the math on how many simultaneous virtual machines need to be created for your users, how many sessions will take place, and which content types will be used, this approach gets unscalable and uneconomical quite rapidly.

As a result, the market quickly concluded that running this class of solution that inspects inbound content via virtualization at the network perimeter is infeasible. Because in-line analysis has become untenable, these devices are now being configured to examine outbound connections only. What this means in practice is the device can look at outbound connections (primarily HTTP) to attempt to determine if an internal machine is communicating with a known command and control network. In this case, the device has simply become another pattern matching machine that is driven by the latest lists of known botnet command and control networks. Likewise, once the virtualization approach for behavioral analysis is abandoned, the device is often used simply to compare signatures of content such as executable type files against known malicious signatures. Unfortunately this means the device has become another in a long list of security appliances that are reactive and can only detect known threats.

If the detection efforts fail, then the effort becomes about the post facto discovery of the malware that takes root within the IT infrastructure. Network colonization by the adversary and the required network remediation to address the problem can be very expensive, typically costing seven figures to rid the network of an infection.
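The paragraph above notes that an encrypted or password-protected archive cannot be scanned at the gateway. What a gateway can still do is recognise that it is looking at content it cannot inspect and flag it, rather than silently passing it. The following is an added example, not code from the white paper or from Invincea: it reads only the zip central directory (no member is extracted), reports members whose general-purpose flag bit 0 marks them as encrypted, and also lists executable-type members and nested archives, the two other content kinds the paper mentions. The sample archive is constructed in memory, and the encrypted flag is set by patching the header bytes because the standard library cannot write encrypted zips; the extension sets are assumptions for this example.

```python
import io
import struct
import zipfile

# Extension sets are assumptions for this example, not a product policy.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com"}
ARCHIVE_EXTS = {".zip"}


def triage_archive(data: bytes) -> dict:
    """Classify zip members the way a gateway policy needs to.

    Returns a dict with three lists:
      encrypted   - members with general-purpose flag bit 0 set; the gateway
                    cannot decompress them, so they cannot be scanned
      executables - members with an executable-type extension
      nested      - members that are themselves archives (zip inside zip)
    Only the central directory is parsed; no member content is extracted.
    """
    verdict = {"encrypted": [], "executables": [], "nested": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = name[name.rfind("."):].lower() if "." in name else ""
            if info.flag_bits & 0x1:  # bit 0 = traditional PKWARE encryption
                verdict["encrypted"].append(name)
            if ext in EXECUTABLE_EXTS:
                verdict["executables"].append(name)
            if ext in ARCHIVE_EXTS:
                verdict["nested"].append(name)
    return verdict


def _set_encrypted_flag(data: bytes, member: str) -> bytes:
    """Set flag bit 0 for `member` in its local header and central directory
    entry. Used only to build the constructed sample below."""
    buf = bytearray(data)
    target = member.encode()
    # (signature, flags offset, name-length offset, name offset)
    layouts = ((b"PK\x03\x04", 6, 26, 30), (b"PK\x01\x02", 8, 28, 46))
    for sig, flag_off, len_off, name_off in layouts:
        pos = buf.find(sig)
        while pos != -1:
            (namelen,) = struct.unpack_from("<H", buf, pos + len_off)
            if buf[pos + name_off:pos + name_off + namelen] == target:
                (flags,) = struct.unpack_from("<H", buf, pos + flag_off)
                struct.pack_into("<H", buf, pos + flag_off, flags | 0x1)
            pos = buf.find(sig, pos + 1)
    return bytes(buf)


def build_sample_archive(encrypt_member: bool = True) -> bytes:
    """Constructed sample: a document, an executable and a nested archive.
    Member contents are placeholders, not real files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("report.docx", b"placeholder document bytes")
        zf.writestr("update.exe", b"MZ placeholder program bytes")
        zf.writestr("inner.zip", b"placeholder nested archive bytes")
    data = buf.getvalue()
    return _set_encrypted_flag(data, "report.docx") if encrypt_member else data


if __name__ == "__main__":
    print(triage_archive(build_sample_archive()))
```

A gateway policy built on this would treat a non-empty `encrypted` list as "unscannable" and route the message for the user-side containment the rest of the paper describes, rather than counting it as clean because no signature matched.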
A final point to consider with network boundary devices is the case of the mobile user outside of the network. When this user is simply online on the road or at home, not VPN'd into the corporate network, they are essentially bypassing any protection provided by network perimeter devices. With the expansion of the mobile work force and personal email services, this is becoming a significant risk for enterprise security managers.

The Invincea Solution

Invincea addresses the gaps left by other security solutions by protecting the most important attack surface in the enterprise – the employee. Invincea employs application virtualization to create a protective "bubble" around applications that run untrusted content – including Web browsers, PDF readers, the Office suite, .zip and .exe files. We protect users against both known and zero-day malware delivered via spear-phishing, watering holes, drive-by downloads, social networking worms, fake anti-virus and other online threats. By creating secure virtual containers and running each of these applications in its own virtual environment on the endpoint, Invincea has created an enterprise "airlock" that seals the potential attack vector off from infecting the endpoint and prohibits lateral movement in your network.

Endpoint Security Software

Invincea deploys as a lightweight Windows application. This application is licensed on a subscription basis with flexible renewal options to meet your specific needs. The application has the ability to protect your users against all untrusted content by moving browsers, PDF readers, the Office suite, .zip files and executables into a contained, virtual environment. You simply tell us which applications you want protected and we turn on the virtual environment to support them. The endpoint solution deploys quickly and easily, just as you would push any Windows-based application.

Threat Intelligence Appliance

To gather the rich pre-breach forensic intelligence your teams need related to thwarted attacks, the Invincea platform also includes our Threat Data Server, which is licensed and available on-premise as a physical or virtual appliance or as a cloud-based service. The Threat Data Server is built with scalability in mind, which means you won't have to rack and stack large amounts of new gear.
How it Works

Containment

Invincea takes the most highly targeted applications in your network (the Web browser, PDF reader, Office suite, .zip files, executables) and seamlessly runs them in secure virtual containers. Every time the Web browser is opened, or anytime an attachment comes from outside the network, Invincea creates a segregated environment for these applications to operate in. By creating this specialized virtual environment, Invincea contains all malware – whether zero-day or known – and prevents it from attacking the host operating system as a pathway for breach and lateral movement in your network.

Detection

Unlike other solutions, Invincea does not rely on malware signatures for detection. Instead, it automatically identifies malware attacks based on behaviors and actions inside the contained, controlled, and isolated environment. As a result, Invincea can detect zero-day attacks in real-time and thwart those attacks with ease.
Prevention

Over the past few years, we've been taught by repeated assertion from those that benefit from remediation and network forensic professional services that the breach cannot be stopped and that post facto detection is the new prevention. We can't blame our fellow security professionals for their cynicism, because the truth is that the prevention security industry has utterly failed us, our governments, corporations, and citizens. Reactive list-based approaches can no longer stop the threat; therefore the logical conclusion drawn and promulgated is that you can only attempt to detect the intruder in your network. Perhaps this conclusion was accurate at that point in time, but with the innovations delivered by Invincea's breach prevention platform this is no longer a reality. When we detect an infection inside our contained environment, we immediately alert the user, discard the tainted environment, and rebuild to a gold-clean state inside 20 seconds. We also capture rich forensic detail related to the attack and feed it on to your broader security infrastructure.

Intelligence – The Invincea Threat Data Server

Not only do we detect and prevent breaches from occurring, we capture rich forensic intelligence on every attempted attack at the point of detection and feed this to other leading security technologies. The primary value Invincea delivers is that we actually stop the attack at the point of detection. We take every one of your users and put them in an environment that protects them from spear-phishing, drive-by downloads, poisoned search engine results, malicious websites, sites that have been hijacked, etc. We take it one step further than even that: we turn your users into part of an enterprise-wide malware detection network. The instant that malicious activity is detected in the Invincea breach prevention platform, we begin collecting forensic information.
We isolate and identify:

• Infection Source: We identify the URL, PDF attachment, Office attachment, .zip, or .exe file that triggered the infection
• Timeline of Attack: We dissect the actions of the malware – what it did when it opened, unpacked, how it cleaned up after itself, etc.
• Registry Changes: We capture all changes the malware attempted to make to the registry
• Connections: We identify any and all connections – whether inbound or outbound – showing you the command and control channels the adversary attempted to create

This information is fed to the Invincea Threat Data Server, where it is integrated with your Security Information and Event Management (SIEM) and presented for your teams in a single interface. Understanding that you need a method to push this information on to the rest of your infrastructure, we have integrated with a number of other leading security technologies such as:

• McAfee ePO
• ArcSight
• Splunk
• Q1 Labs QRadar
• NetWitness
• ThreatGrid

The threat information, including command and control server IPs and domain names, combined with indicators of compromise including file names, hashes, and registry values, is matched against Invincea partners' threat intelligence feed to provide adversarial attribution and cross-vendor intelligence on adversarial motives.

The Benefit of Invincea

• Invincea protects the new perimeter – the endpoint – with an innovative solution that requires no signatures and keeps malware in an airlock
• Invincea addresses zero-days and APTs and stops them dead in their tracks
• Breaks the "Security Insanity Cycle" – eliminating costly detection, remediation, and patching cycles
• Every employee in the organization is protected wherever they go
• A single user virtual infection protects the entire enterprise by feeding rich forensic data to the rest of your security infrastructure to block requests from all users to URLs that infected the user that clicked on the link
• Invincea's threat data feeds extend the power and life of your current investments
• Every enterprise license agreement includes licenses for home use, meaning your employees are protected both at work and at home
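The section above describes a pipeline: a forensic record captured at the point of detection (infection source, timeline, registry changes, connections) is flattened into indicators of compromise, matched against a threat intelligence feed for attribution, and handed to the SIEM, with the URLs and hosts also pushed out so that other users are blocked from the same source. The following is an added example of that pipeline in code; it is not Invincea's software or the Threat Data Server's format. The record layout, the feed layout, the JSON event fields and all values (hosts, documentation-range IPs, a placeholder hash) are constructed for this example.

```python
import ipaddress
import json
from urllib.parse import urlparse

# Constructed forensic record in the shape the paper describes. Field names
# are assumptions; values are documentation-range addresses and placeholders.
SAMPLE_RECORD = {
    "host": "ws-1042",
    "user": "jdoe",
    "infection_source": {"kind": "url", "value": "http://news-update.example.net/story.html"},
    "timeline": [
        "page opened in contained browser",
        "dropper written to %TEMP%\\svch0st.exe",
        "dropper executed and removed itself",
    ],
    "registry_changes": [
        {"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
         "name": "updater",
         "data": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svch0st.exe"},
    ],
    "connections": [
        {"direction": "outbound", "dst": "203.0.113.45", "port": 443},
        {"direction": "outbound", "dst": "beacon.example.org", "port": 80},
    ],
    "files": [{"name": "svch0st.exe", "sha256": "0" * 63 + "1"}],  # placeholder hash
}

# Constructed threat feed: (indicator type, value) -> attribution label.
SAMPLE_FEED = {
    ("ip", "203.0.113.45"): "campaign-A (constructed)",
    ("domain", "news-update.example.net"): "campaign-A (constructed)",
    ("sha256", "0" * 63 + "1"): "dropper family X (constructed)",
}


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def extract_iocs(record: dict) -> list:
    """Flatten a forensic record into sorted, de-duplicated (type, value) pairs."""
    iocs = set()
    src = record["infection_source"]
    if src["kind"] == "url":
        iocs.add(("url", src["value"]))
        iocs.add(("domain", urlparse(src["value"]).hostname))
    else:
        iocs.add((src["kind"], src["value"]))
    for conn in record["connections"]:
        iocs.add(("ip" if _is_ip(conn["dst"]) else "domain", conn["dst"]))
    for f in record["files"]:
        iocs.add(("sha256", f["sha256"].lower()))
        iocs.add(("filename", f["name"]))
    for reg in record["registry_changes"]:
        iocs.add(("registry", reg["key"] + "\\" + reg["name"]))
    return sorted(iocs)


def match_feed(iocs: list, feed: dict) -> list:
    """Attribution for every indicator present in the feed."""
    return [{"type": t, "value": v, "attribution": feed[(t, v)]}
            for t, v in iocs if (t, v) in feed]


def block_list(iocs: list) -> list:
    """Network indicators to push to gateways so no other user reaches the source."""
    return sorted(v for t, v in iocs if t in ("url", "domain", "ip"))


def to_siem_event(record: dict, iocs: list, matches: list) -> dict:
    """One JSON-serialisable event for the SIEM; a feed match raises severity."""
    return {
        "event_type": "contained_infection",
        "host": record["host"],
        "user": record["user"],
        "severity": "high" if matches else "medium",
        "infection_source": record["infection_source"]["value"],
        "timeline": record["timeline"],
        "indicators": [{"type": t, "value": v} for t, v in iocs],
        "feed_matches": matches,
        "block_list": block_list(iocs),
    }


def process(record: dict = SAMPLE_RECORD, feed: dict = SAMPLE_FEED) -> dict:
    iocs = extract_iocs(record)
    return to_siem_event(record, iocs, match_feed(iocs, feed))


if __name__ == "__main__":
    print(json.dumps(process(), indent=2))
```

Keeping the indicator extraction separate from the feed lookup matters in practice: the block list should be pushed to the gateway as soon as the record exists, while attribution can arrive later as feeds update, and the same flattened indicators can be re-queried against several partner feeds without re-parsing the record.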
Put Invincea to Work

To find out more about how to deploy Invincea and feel the safety our solutions provide, contact us today at 1-855-511-5967.

Learn More

Visit our website at www.invincea.com for product summaries, video demonstrations, Invincea news stories, and much more. While you are there, check out the Invincea Blog for breakdowns of trending security news articles and why they are important to you and your organization at https://www.invincea.com/newsroom/blog/.

Where to Find Us

For information security news and updates follow us on Twitter @Invincea. To catch a glimpse of life at Invincea, "like" our Invincea, Inc Facebook page. Or, check out what we are talking about on our Invincea YouTube channel. You can also find us here:

Invincea, Inc.
3975 University Drive, Suite 460
Fairfax, VA 22030