Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Stop Watering Holes, Spear-Phishing and Drive-by Downloads


Published on

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

Stop Watering Holes, Spear-Phishing and Drive-by Downloads

  1. 1. Stop Watering Holes, Spear-Phishing andDrive-by DownloadsSTEPHEN WARD – VICE PRESIDENT
  2. 2. A Crumbling IndustryThe Lost DecadeFailure to innovateSymptoms vs. DiseaseThe Great Malware Arms RaceBusiness RevolutionRush to adoptRisk Acceptance vs. UnderstandingThe Mediocrity of ComplianceClosed CircuitsShame of victimizationClassification vs. CooperationThe Inability to Find Common Purpose
  3. 3. Aggressive and PersistentAdversariesNATION STATES CYBER CRIMINALS HACKTIVISTSMotivesinclude:• Cyberespionage• IntellectualPropertyTheft• Probing ofCriticalInfrastructuresMotivesinclude:• Identity theft• Corporatefinancial fraud• Black marketsales to NationStates• Probing ofFinancialInfrastructuresMotivesinclude:• Political action• Shaming majorcorporations• Attackingspecificexecutives• Exposingcorporatetrade secrets
  4. 4. Riddle Me This…
  5. 5. „11, „12 and ‟13 (so far) bloodiest years onrecord…• “White House” eCard (spear-phishing)• HBGary Federal (social engineering)• Night Dragon (spear-phishing)• London Stock Exchange Website (watering-hole)• French Finance Ministry (spear-phishing)• Dupont, J&J, GE (spear-phishing)• Charlieware (poisoned SEO)• Nasdaq (spear-phishing)• Office of Australian Prime Minister (spear-phishing)• RSA (spear-phishing)• Epsilon (spear-phishing)• Barracuda Networks (spear-phishing)• Oak Ridge National Labs (spear-phishing)• Lockheed Martin (spear-phishing)• Northrup Grumman (spear-phishing)• Gannet Military Publications (spear-phishing)• PNNL (spear-phishing)• ShadyRAT (spear-phishing)• DIB and IC campaign (spear-phishing)• „Voho‟ campaign (watering-holes and spear-phishing)• „Mirage‟ campaign (spear-phishing)• „Elderwood‟ campaign (spear-phishing)• White House Military Office (spear-phishing)• Telvent‟ compromise (spear-phishing)• Council on Foreign Relations (watering hole)• Capstone Turbine (watering hole)• RedOctober (spear-phishing)• DoE (spear-phishing)• Federal Reserve (spear-phishing)• Bit9 (SQL injection)• NYT, WSJ, WaPO (spear-phishing)• South Korea (spear-phishing)• 11 Energy Firms (spear-phishing)• QinetIQ (TBD)• Apple, Microsoft, Facebook (watering-hole)• (drive-by download)• National Journal (watering hole)• FemmeCorp (watering hole)• Department of Labor / DoE (watering hole)• WTOP and FedNewsRadio (drive-by downloads)No One is ImmuneWhat are we waiting for??
  6. 6. Enterprise Security Architecturefor Addressing APTFirewalls/WebProxiesNetworkControlsAnti-VirusForensics andIRUser TrainingIn Use | Confidence*App Whitelisting
  7. 7. The Primary Target –The Unwitting AccomplicesThe UserThe #1 Attack Vector =• Ubiquitous usage of Internet andEmail has enabled adversaries toshift tactics• Prey on human psychology• Spear Phishing – The New Black• Drive by Downloads• Malicious sites• Weaponized Attachments• Watering Hole Attacks• Hijacked trusted sites• Trust in social networks• Facebook, Twitter, LinkedIn• Faith in Internet search engines• Poisoned SEO• User Initiated Infections• Fake A/V and fearmongering
  8. 8. Competitive Futures Are atStake“Theirs” OursThe good newsis…they‟re stealingpetabytes worth ofdata…The bad newsis…in time, they‟llhave sortedthrough it all
  9. 9. Competitive Futures Are atStake
  10. 10. Still waiting on some“Digital Pearl Harbor?”99 Red Balloons…$200 Billion Market Shift on the Back of aSpear-Phishing Attack
  11. 11. 99 Red Balloons…$45 Million in Financial Fraud from OneATM Scheme Alone…
  12. 12. 99 Red Balloons…Watering Hole Attack Hits 3 Major TechCompanies…• 3rd party developer websiteinfected deliberately to targetthese companies• Employees targeted were inR&D/Engineering groups• Well planned, wellexecuted…easy peasy…
  13. 13. 99 Red Balloons…Watering Hole Targets Department ofLabor website – DoE visitors…
  14. 14. Alarming Malware Statistics• 280 million malicious programsdetected in April 2012*• 80,000+ new malwarevariants daily **• 134 million web-borne infectionsdetected (48% of all threats) inApril 2012*• 24 million malicious URLsdetected in April 2012*• 30,000+ new malicious URLsdaily**• 95% of APTs involve spear-phishing***• Organizations witnessing anaverage of 643 malicious URLevents per week***• 225% increase from 2012*** Kaspersky April 2012 Threat Report** Panda Labs Q1 2012 Internet Threat Report*** FireEye September 2012 Advanced Threats Report****Both Mandiant and Trend Micro – 2013 Reports
  15. 15. KIA – Mandiant “APT-2” -http://
  16. 16. Java - Getting Bullied…
  17. 17. Einstein‟s Definition of InsanityPatching softwareas vulnerabilitiesare made publicDetecting intrudersand infected systemsafter the factRecovering and restoringthe infected machinesback to a clean stateSecurityInsanityCycle
  18. 18. Addressing theCritical Vulnerability in Java 7“Uninstall Java…”
  19. 19. Addressing theCritical Vulnerability in IE“Stop Using IE…”
  20. 20. Addressing thePandemic of Spear-Phishing“Don‟t Click on Links You Don‟tTrust…”
  21. 21. An Alternative to Bad AdviceNot quite…but pretty darn close…
  22. 22. Rethink SecurityIf…you could negate user errorAnd…contain malware in a virtual environmentAnd…stop zero-days in their tracks without signaturesThen…preventing APTs would be possible“Making Prevention Possible Again”
  23. 23. Contain the ContaminantsPreventionPre-Breach ForensicsProtect every user and the network from their errorFeed actionable forensic intelligence without the breachDetectionDetect zero-day attacks without signatures
  24. 24. KIA – IE8 0day CVE-2013-1347Watering Hole Attack on DoL subsite thwarted byInvincea Enterprise• Whitelisted or blacklisted website? More than likely whitelisted• Targeted fully patched IE8 browsers on Windows XP platform• Increasingly common poisoning tactic from adversaries• Detected without signatures, immediately killed and forensicallyanalyzed by -
  25. 25. KIA – Dvorak, WTOP &FederalNewsRadioMass Compromise on several media sites and thwarted byInvincea Enterprise• Whitelisted or blacklisted website? More than likely whitelisted• Exploit Kit (FiestaEK) targeting recent Java vulnerabilities on IEenabled systems only• SAME EK as National Journal discovered by Invincea• Detected without signatures, immediately killed and forensicallyanalyzed by -
  26. 26. Mapping the APT Kill ChainStage 1: ReconnaissanceResearch the targetStage 2: Attack DeliverySpearphish with URL linksand/or attachmentStage 5: Internal ReconScan network for targetsStage 3: Client Exploit &CompromiseVulnerability exploited or usertricked into running executableStage 8: Stage Data &ExfilArchive/encrypt, leak todrop sitesStage 4: C2Remote Command & Control.Stage 6: LateralMovementColonize networkStage 7: Establish PersistenceRoot presence to re-infect asmachines are remediatedStage 9: IncidentResponseAnalysis, remediation,public relations, damagecontrol
  27. 27. Invincea – Breaking the APTWorkflowContainment | Detection | Prevention | Intelligence• Highly targeted apps run in contained environment• Behavioral based detection spots all malware including 0-days• Automatic kill and remediation to clean state• Forensic intelligence on thwarted attacks fed to broaderinfrastructureThreat Data Server
  28. 28. • Prestigious SANS Institute Calls for DPW type ofcontrols…• Item 5: Malware Defenses• 5.7. Quick wins: Deploy…products that provide sandboxing (e.g.,run browsers in a VM), and other techniques that preventmalware exploitation.• SANS awards NSA a National Security Award forreview of Invincea technology• NSA led a year long analysis of the technology that powers DPW• Endorsed as effective for combatting the advanced threat• SANS viewed as a break-through in endpoint security• Notable Industry Awards• Most Innovative Company of the Year – RSA 2011• GovTek Best Tech Transfer to Startup – 2012• Government Security News‟ “Best Anti-Malware Solution” - 2012Recognized as a GameChanger…
  29. 29. Steve Ward:steve.ward@invincea.comGo ahead…spear-phish me!www.invincea.comTwitter: @InvinceaWant a t-shirt? Drop a note to – onlyone catch, you‟ve got to tweet a pic of you wearing it!Let‟s Get Moving