
Defending Workstations - Cyber security webinar part 2



Cybercrime is a business just like any other. And in business, there are budgets to stick to, and bosses to report to. Therefore, most cyber criminals are after easy money. They want quick wins with minimal effort – just because they can! Mass production is the key to profitability, even in the malware business.
The specific actions you can and should take to secure your workstations are covered in the webinar recording and in the presentation slides below.


2. Attackers Have Bosses And Budgets Too (@philvenables)
 Attackers may seem omnipotent
   After all, they need to find only one hole, and the defender has to plug them all
 In reality attackers are very constrained
   Without a vulnerability there is no exploit
   Commodity exploits work out of the box only on the default configuration
   Anything that requires custom work is expensive
   The attacker's comfort zone is unmodified Windows or OS X
 Break the attacker's budget
   Anything out of the ordinary will force the attacker to do custom work
© F-Secure
3. Mechanics Of Document Exploit Attack
 In principle document exploit attacks are very simple
 The original document that the victim receives contains an exploit
 The document reader is taken over and has the same access as the user
 The exploit drops a payload EXE to some location and executes it
   After which the exploited Word, Acrobat, etc. process crashes
 The dropped payload drops a clean document
   The clean document is loaded to give the user the document he was expecting
   After which the payload is free to continue in the background
 Usually the next action is to connect to C&C, or to wait for a trigger
4. Mechanics Of Browser Based Attack
 The attacker either directly takes over a web site or uses malvertising
 The compromised web site contains a hidden iframe or a plain redirect
   Typically one redirect is followed by another
 The redirected site contains an exploit kit
   The exploit kit analyses the browser signature and selects a suitable exploit
 The user's browser is served an exploit which takes it over
 After that the story continues the same way as with a document exploit
5. Install Malware
 In order to persist, the attacker needs
   To drop a piece of malware and run it
   Thus he needs write access
   And the ability to execute dropped files
 The location needs to be writable by a normal user, but still one that the user does not pay attention to
   %TEMP%
   C:\Users\USER (%userprofile%)
   C:\Users\USER\AppData\Roaming (%appdata%)
   C:\Users\USER\AppData\LocalLow
   C:\ProgramData
   C:\Program Files
   C:\, D:\, E:\, F:\, etc.: the root of any drive (denying execution here will also stop autorun worms)
   C:\Users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Startup
   C:\$Recycle.Bin
   C:\Recovery
6. Resources Needed By Attacker
 Contact
   To be exploited, the web browser, PDF reader, etc. must load the content
 Exploitability
   The feature that is targeted by the exploit must be enabled
 Landing
   The attacker must be able to drop and execute malware
   Otherwise he will go down with the crashing program
 Communication
   Without C&C the dropped payload is most likely useless
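Slides 5 and 6 say the attacker needs a user-writable location from which dropped files can also be executed. As an added example that is not part of the F-Secure deck, the following PowerShell takes that landing away with an AppLocker executable rule set: ordinary users may run programs only from Program Files and Windows (minus the user-writable folders inside Windows), so every drop site on slide 5 is denied by default and administrators keep full access. AppLocker is not named on the slides; the rule names, GUIDs, probe file names and policy path are arbitrary, and the script assumes an elevated Windows PowerShell on an edition that ships AppLocker.

```powershell
# Added example (not part of the deck): remove the attacker's "landing" with an
# AppLocker Exe policy. Anything AppLocker does not explicitly allow is denied,
# which covers %TEMP%, %APPDATA%, ProgramData, drive roots, the Startup folder,
# $Recycle.Bin and the other drop sites from slide 5. Run elevated.
Import-Module AppLocker

$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="a1b0c2d3-1111-4aaa-8bbb-000000000001" Name="Allow Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1b0c2d3-1111-4aaa-8bbb-000000000002" Name="Allow Windows"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <!-- Well-known user-writable folders inside %WINDIR% must not inherit the
           allow. The list is not exhaustive; audit your own image for more. -->
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
        <FilePathCondition Path="%WINDIR%\tracing\*" />
        <FilePathCondition Path="%SYSTEM32%\Tasks\*" />
        <FilePathCondition Path="%SYSTEM32%\spool\drivers\color\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="a1b0c2d3-1111-4aaa-8bbb-000000000003" Name="Allow Administrators everywhere"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

$policyPath = Join-Path $env:ProgramData 'applocker-no-landing.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run against the drop locations from slide 5. Test-AppLockerPolicy evaluates
# real files, so plant a harmless copy of notepad.exe at each site and remove it after.
$dropSites = @(
    "$env:TEMP\probe.exe",
    "$env:APPDATA\probe.exe",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\probe.exe",
    "$env:ProgramData\probe.exe",
    "$env:SystemDrive\probe.exe"
)
$dropSites | ForEach-Object { Copy-Item "$env:WINDIR\System32\notepad.exe" $_ -Force }
try {
    # notepad.exe in System32 is the control that must stay allowed.
    Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
        -Path ($dropSites + "$env:WINDIR\System32\notepad.exe") |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
} finally {
    Remove-Item $dropSites -Force -ErrorAction SilentlyContinue
}

# Deployment, once the audit log "Microsoft-Windows-AppLocker/EXE and DLL" shows
# nothing legitimate being hit and EnforcementMode has been changed to "Enabled":
#   sc.exe config appidsvc start= auto ; sc.exe start appidsvc
#   Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

In the dry run every probe.exe comes back Denied (no rule matches for Everyone) while notepad.exe is Allowed by the "Allow Windows" rule. The policy only covers the Exe collection; DLLs, scripts and installers need their own collections, and the policy is written in AuditOnly mode on purpose so that line-of-business software living in odd places shows up in the event log before users are blocked.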
7. Prevent Contact With Hostile Material
 Attacks are unique only once
   Thus any hostile domain is identified and blacklisted in no time
 Use HTTP connection blocking, scanning and filtering to prevent contact
   Web reputation filters out any known attack domain
   Content scanning identifies exploits and known dropped components
   Content filtering will drop Flash, Java, Silverlight and EXE content from unknown domains
 Filter out suspicious attachments from email
   EXEs are straight out
   Consider custom stripping for documents, etc.
8. Make Sure What Is Running Is Patched
 Yeah, everyone knows that IT should deploy all patches ASAP
 But what about software that users have installed without IT's knowledge?
 If vulnerable software is deployed, it does not matter whether the exploit is a 0-day or not
 Verizon's 2015 Data Breach Investigations Report found that ten CVEs accounted for almost 97% of the exploits observed
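Slide 8 asks about software users installed without IT's knowledge. As an added example that is not part of the deck, this PowerShell enumerates what Windows itself records under the Uninstall registry keys, including per-user installs (the HKCU hive, which is where user-level installers put things IT never saw), and diffs the result against an approved list. The approved list is a constructed stand-in for your own inventory; the function names are arbitrary.

```powershell
# Added example (not part of the deck): inventory installed software, flag the
# unapproved entries. HKCU covers only the account running the script; run it in
# each user's context (or walk HKEY_USERS) to see every user-level install.
$approved = @('Microsoft Office*', 'Mozilla Firefox*', 'Google Chrome', '7-Zip*', 'Adobe Acrobat Reader*')

function Get-InstalledSoftware {
    $keys = @(
        @{ Scope = 'machine';      Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' },
        @{ Scope = 'machine(x86)'; Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall' },
        @{ Scope = 'user';         Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall' }
    )
    foreach ($k in $keys) {
        Get-ChildItem -Path $k.Path -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
            Where-Object { $_.DisplayName } |              # skip patch/KB stubs without a name
            ForEach-Object {
                [pscustomobject]@{
                    Name      = $_.DisplayName
                    Version   = $_.DisplayVersion
                    Publisher = $_.Publisher
                    Scope     = $k.Scope
                }
            }
    }
}

function Get-UnapprovedSoftware {
    param([string[]]$Approved = $approved)
    Get-InstalledSoftware | Where-Object {
        $name = $_.Name
        # Keep the entry only when no approved wildcard pattern matches it.
        -not ($Approved | Where-Object { $name -like $_ })
    }
}

# Anything with Scope "user" is by definition outside the IT-managed patch cycle.
Get-UnapprovedSoftware | Sort-Object Scope, Name | Format-Table -AutoSize
```

Feed the "user" scope hits into the patch process (or remove them); the machine-scope hits not on the approved list are the candidates for "vulnerable software we did not know we had".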
9. Minimize Vulnerable Attack Surface
 Disable all unnecessary content from web browsers
   Disable Java and ActiveX unless you need them for something
   If you really need Java, whitelist specific sites
   Block Flash, Silverlight, etc. or use click-to-play
   If users accept it, install NoScript with sensible defaults
 Disable unnecessary features from office software
   Disable all multimedia, etc. plugins from Word, Excel, Acrobat
   Do you really need a PDF or a document that runs Flash or ActiveX?
   Disable JavaScript in Acrobat
 In general, strip out features that users don't need
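As an added example that is not part of the deck, the following PowerShell applies three of the slide 9 items as registry policy (Acrobat Reader JavaScript off and locked, ActiveX off in Office documents, the Flash ActiveX control kill-bitted) and then reads each setting back so you can check that a GPO, a product update or a user has not undone it. Assumptions: Acrobat Reader DC (policy key ...\Acrobat Reader\DC) and Office 16.0; adjust both to your versions. Java site whitelisting (Deployment Rule Sets) is not covered here.

```powershell
# Added example (not part of the deck): switch off content that exploits rely on
# and verify the result. Run elevated. HKCU entries apply to the account running
# the script; for all users deploy the same values through Group Policy.

function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

$flashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # Shockwave Flash Object

$hardening = @(
    # Acrobat Reader: JavaScript off; FeatureLockDown stops users re-enabling it.
    @{ Label = 'Reader JavaScript disabled'
       Path  = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'
       Name  = 'bDisableJavaScript'; Value = 1 },
    # Office: documents cannot instantiate ActiveX controls at all.
    @{ Label = 'Office ActiveX disabled'
       Path  = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Security'
       Name  = 'DisableAllActiveX'; Value = 1 },
    # Kill bit: Internet Explorer and Office refuse to load the Flash control,
    # whether or not the player is still installed. 0x400 = "do not instantiate".
    @{ Label = 'Flash ActiveX kill bit (64-bit)'
       Path  = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid"
       Name  = 'Compatibility Flags'; Value = 0x400 },
    @{ Label = 'Flash ActiveX kill bit (32-bit)'
       Path  = "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid"
       Name  = 'Compatibility Flags'; Value = 0x400 }
)

function Invoke-AttackSurfaceHardening {
    foreach ($h in $hardening) { Set-RegDword -Path $h.Path -Name $h.Name -Value $h.Value }
}

# Check: which settings are in the wanted state? Run before and after, and again
# periodically; a Reader update or a conflicting GPO can silently reset a value.
function Test-AttackSurfaceHardening {
    foreach ($h in $hardening) {
        $actual = (Get-ItemProperty -Path $h.Path -Name $h.Name -ErrorAction SilentlyContinue).($h.Name)
        [pscustomobject]@{
            Check    = $h.Label
            Expected = $h.Value
            Actual   = $actual
            Ok       = ($actual -eq $h.Value)
        }
    }
}

Test-AttackSurfaceHardening | Format-Table -AutoSize    # baseline
Invoke-AttackSurfaceHardening
Test-AttackSurfaceHardening | Format-Table -AutoSize    # every row should now read Ok = True
```

The same pattern (a table of Path/Name/Value plus a read-back function) extends to the other slide 9 items, for example the Office multimedia and OLE settings, and gives you a single place to declare what "stripped down" means for your fleet.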
10. Harden Process Memory Handling
 Harden memory handling of any application that processes external data
   Any process that serves the network
   AcroRd32 and other PDF readers
   WinZip, 7-Zip, etc.
   Excel, PowerPoint, Word (Winword.exe), Outlook
   Explorer.exe, iexplore.exe, Firefox, Chrome
   Skype.exe, wmplayer.exe, VLC, and any other video player
 For Windows use Microsoft EMET
   It is possible to write exploits so that they bypass EMET
   But then the attacker has to knowingly try to circumvent EMET
   (EMET has since reached end of life; the same mitigations are now configured per process as Exploit Protection in Windows 10 and later)
 For Linux use grsecurity
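EMET, the tool the slide recommends, was retired by Microsoft in 2018. As an added example that is not part of the deck, the following PowerShell applies the equivalent per-process mitigations on Windows 10 1709 and later with the built-in ProcessMitigations module (Exploit Protection) to the applications slide 10 lists. The process names are taken from the slide where given and are otherwise assumed (7zFM.exe, vlc.exe); check them against what is actually installed.

```powershell
# Added example (not part of the deck): EMET-style hardening via Exploit Protection.
# Requires Windows 10 1709+ / Server 2019+ and an elevated prompt.
$targets = 'AcroRd32.exe', 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE',
           'iexplore.exe', '7zFM.exe', 'wmplayer.exe', 'vlc.exe', 'Skype.exe'

# Roughly the EMET set: DEP, SEHOP, mandatory + bottom-up + high-entropy ASLR,
# export address filtering (EAF) and the ROP checks (stack pivot, caller, SimExec).
$mitigations = 'DEP', 'SEHOP', 'ForceRelocateImages', 'BottomUp', 'HighEntropy',
               'EnableExportAddressFilter', 'EnableRopStackPivot',
               'EnableRopCallerCheck', 'EnableRopSimExec'

foreach ($exe in $targets) {
    Set-ProcessMitigation -Name $exe -Enable $mitigations
}

# Verify what is now enforced for one of them.
Get-ProcessMitigation -Name AcroRd32.exe

# The slide's caveat still holds: an attacker can bypass these, but has to know
# they are there and do custom work. Where an Audit* variant exists, trial it first
# (e.g. -Enable AuditEnableRopStackPivot) and watch the event logs
# Microsoft-Windows-Security-Mitigations/KernelMode and /UserMode for false positives.
#
# To roll the settings out by GPO, export them and import on the policy side:
#   Get-ProcessMitigation -RegistryConfigFilePath "$env:ProgramData\exploit-protection.xml"
```

Older or badly written applications (EMET had the same problem) may crash under the ROP or EAF checks; enable per application, not globally, and keep the exported XML under version control so the exact mitigation set per executable is known.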
11. Configure Your End Point Right
 You probably have read blogs about "AV being useless"
   Partly it is because being 99% perfect is not enough
   And blocking espionage is especially difficult
 But in corporates it's mainly due to AV being used wrong
   Cloud queries are switched off
   Web traffic filtering and scanning is switched off
   Behavioral heuristics are switched off
   Which means about 90% of the protection is disabled
12. Make Sure You Have A Proper Behavior IDS
 If the exploit runs, it is very unlikely that the scanner detects the dropped files
   But that's OK, that's why proper end point security has a behavior IDS
 Detect a change in the exploited application's behavior
 Detect a file appearing on disk without a good reason to do so
 Detect the launch of an unknown file from an unusual location
 Etc.: things that are out of place
 A good IDS is one of the most valuable parts of proper client based protection
 Another important feature is detections that target things needed by exploits
   Exploits tend to need libraries and function calls that are not used in clean code
   Exploit:SWF/Salama, Exploit:Java/Majava, Exploit:Java/Katala, Exploit:Java/Kavala
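Two of the behaviours slide 12 wants an IDS to catch (a document handler behaving differently, and an unknown file launched from an unusual location) can be written down as rules over process-creation events. The PowerShell below is an added example, not F-Secure's product logic: it scores constructed events shaped like Sysmon Event ID 1 (Image, ParentImage) against the drop sites from slide 5 and a list of document readers and browsers. The sample events are made up, and a real behaviour IDS has far more signals than these two.

```powershell
# Added example (not part of the deck): two behavioural detections over
# process-creation events. Input is constructed inline; nothing reads a real log.
$userWritable = @('*\Temp\*', '*\AppData\*', '*\ProgramData\*', '*\$Recycle.Bin\*', '*\Recovery\*')
$driveRoot    = '^[A-Za-z]:\\[^\\]+$'             # e.g. C:\update.exe (root of any drive)
$documentHandlers = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'acrord32.exe',
                      'iexplore.exe', 'firefox.exe', 'chrome.exe')
# Children a document handler launches legitimately (print spooler proxy, crash reporting).
$benignChildren = @('splwow64.exe', 'werfault.exe', 'dw20.exe')

function Test-ProcessEvent {
    param([hashtable]$Event)
    $image   = $Event.Image
    $child   = [IO.Path]::GetFileName($image).ToLowerInvariant()
    $parent  = [IO.Path]::GetFileName($Event.ParentImage).ToLowerInvariant()
    $reasons = @()

    # Rule 1: "unknown file from an unusual location": the image lives somewhere a
    # normal user can write, i.e. one of the drop sites from slide 5.
    $inUserWritable = @($userWritable | Where-Object { $image -like $_ }).Count -gt 0
    if ($inUserWritable -or $image -match $driveRoot) {
        $reasons += 'image in user-writable location'
    }
    # Rule 2: "change in the exploited application's behaviour": a document reader
    # or browser spawned a process it has no business spawning.
    if ($documentHandlers -contains $parent -and
        $benignChildren -notcontains $child -and
        $child -ne $parent) {
        $reasons += "spawned by document handler $parent"
    }
    [pscustomobject]@{
        Image    = $image
        Parent   = $parent
        Severity = switch ($reasons.Count) { 0 { 'none' } 1 { 'medium' } default { 'high' } }
        Reasons  = $reasons -join '; '
    }
}

# Constructed sample events (not real telemetry).
$sampleEvents = @(
    @{ Image = 'C:\Users\alice\AppData\Local\Temp\invoice.exe'
       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE' },
    @{ Image = 'C:\Windows\System32\splwow64.exe'
       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE' },
    @{ Image = 'C:\Users\alice\AppData\Roaming\svchost.exe'
       ParentImage = 'C:\Windows\explorer.exe' },
    @{ Image = 'C:\Program Files\7-Zip\7zFM.exe'
       ParentImage = 'C:\Windows\explorer.exe' },
    @{ Image = 'C:\update.exe'
       ParentImage = 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' }
)
$sampleEvents | ForEach-Object { Test-ProcessEvent -Event $_ } | Format-Table -AutoSize
```

Run on the five sample events the function rates them high, none, medium, none, high: the first and last trip both rules (a document handler spawning an executable from a drop site), the third trips only the location rule, and the Word-to-splwow64.exe and Explorer-to-7-Zip events are the normal behaviour the allow-lists exist for. ProgramData is on the user-writable list because the slide puts it there; expect to carve out the vendors that legitimately run from it.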
13. Pretend To Be A Malware Analyst
 Malware tends to act nice when analysts are around
   A lot of malware checks for signs of an analysis environment
   If malware thinks it is being investigated, it does not do anything
 This makes the analysts' work more difficult, but it can be turned against malware
   Add telltale signs of an analysis environment to your system
   And a lot of malware will fail to run
 However some malware, like W32/Rombertik, does retaliate
   So make sure you have proper backups
   Although I prefer "Format C:" over malware hiding on my system
14. Faking Malware Analysis Environment
 Copy registry keys from a VMware Tools installation
   "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum", field "0", value "VMWare"
   "HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools", field "InstallPath", value "c:\prog…"
 Create dummy processes
   Vbox.exe
   Vmware.exe
   wireshark.exe
   regshot.exe
   procmon.exe
   filemon.exe
   regmon.exe
   procdump.exe
   cports.exe
   procexp.exe
   squid.exe
   dumpcap.exe
   sbiectrl.exe
 Create dummy files
   C:\Program Files\WinPcap\rpcapd.exe
   C:\Program Files\WireShark\rawshark.exe
   C:\Program Files\Ethereal\ethereal.html
   C:\Program Files\wireshark\wireshark.exe
   C:\Program Files\Microsoft Network Monitor 3\netmon.exe
   C:\Program Files\ollydbg\Ollydbg.exe
   C:\Program Files\sysinternals\Procmon.exe
   C:\Program Files\sysinternals\Procexp.exe
   C:\Program Files\sysinternals\Diskmon.exe
   C:\Program Files\sysinternals\Autoruns.exe
   C:\Program Files\debugging tools for windows\Windbg.exe
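The three decoy lists on slide 14 can be planted with the PowerShell below, which is an added example and not part of the deck. The registry values and the file and process names are the ones the slide shows; the VMware Tools InstallPath value is not given in full on the slide, so the script uses the product's default install path and says so in a comment. The decoy processes are idle, window-less copies of Windows PowerShell 5.1 renamed to the listed names, and the decoy files are empty, which satisfies the existence checks such malware makes but not a check that inspects version information. Run elevated; the function names and the decoy directory are arbitrary.

```powershell
# Added example (not part of the deck): plant the analysis-environment artefacts
# from slide 14. Run elevated (HKLM and Program Files are written).
# Caution: Disk\Enum is maintained by Plug and Play. Its "0" value is exported
# to a .reg backup before being overwritten, and PnP may restore it at reboot.

$dummyFiles = @(
    'C:\Program Files\WinPcap\rpcapd.exe',
    'C:\Program Files\WireShark\rawshark.exe',
    'C:\Program Files\Ethereal\ethereal.html',
    'C:\Program Files\wireshark\wireshark.exe',
    'C:\Program Files\Microsoft Network Monitor 3\netmon.exe',
    'C:\Program Files\ollydbg\Ollydbg.exe',
    'C:\Program Files\sysinternals\Procmon.exe',
    'C:\Program Files\sysinternals\Procexp.exe',
    'C:\Program Files\sysinternals\Diskmon.exe',
    'C:\Program Files\sysinternals\Autoruns.exe',
    'C:\Program Files\debugging tools for windows\Windbg.exe'
)
$dummyProcesses = @('Vbox.exe', 'Vmware.exe', 'wireshark.exe', 'regshot.exe', 'procmon.exe',
                    'filemon.exe', 'regmon.exe', 'procdump.exe', 'cports.exe', 'procexp.exe',
                    'squid.exe', 'dumpcap.exe', 'sbiectrl.exe')

function Add-VmRegistryArtifacts {
    param([string]$BackupPath = "$env:ProgramData\disk-enum-backup.reg")
    reg.exe export 'HKLM\SYSTEM\ControlSet001\Services\Disk' $BackupPath /y | Out-Null
    New-ItemProperty -Path 'HKLM:\SYSTEM\ControlSet001\Services\Disk\Enum' -Name '0' `
        -Value 'VMWare' -PropertyType String -Force | Out-Null
    $tools = 'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools'
    if (-not (Test-Path $tools)) { New-Item -Path $tools -Force | Out-Null }
    # Assumption: the slide truncates this value; the product default is used here.
    New-ItemProperty -Path $tools -Name 'InstallPath' `
        -Value 'C:\Program Files\VMware\VMware Tools\' -PropertyType String -Force | Out-Null
}

function Add-AnalysisToolFiles {
    foreach ($path in $dummyFiles) {
        $dir = Split-Path -Parent $path
        if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
        if (-not (Test-Path $path)) { New-Item -ItemType File -Path $path | Out-Null }
    }
}

function Start-DecoyProcesses {
    param([string]$DecoyDir = "$env:ProgramFiles\DecoyTools")
    New-Item -ItemType Directory -Path $DecoyDir -Force | Out-Null
    # Windows PowerShell 5.1 runs from a renamed copy; each decoy sleeps forever, hidden.
    $shell = "$env:WINDIR\System32\WindowsPowerShell\v1.0\powershell.exe"
    foreach ($name in $dummyProcesses) {
        $decoy = Join-Path $DecoyDir $name
        Copy-Item -Path $shell -Destination $decoy -Force
        Start-Process -FilePath $decoy -WindowStyle Hidden `
            -ArgumentList '-NoProfile', '-Command', 'Start-Sleep -Seconds ([int]::MaxValue)'
    }
}

# Check: which decoy processes are visible in the process list right now?
function Get-RunningDecoys {
    Get-Process | Where-Object { $dummyProcesses -contains ($_.Name + '.exe') } |
        Select-Object -ExpandProperty Name -Unique
}

Add-VmRegistryArtifacts
Add-AnalysisToolFiles
Start-DecoyProcesses
Get-RunningDecoys
```

The decoys must survive reboots to be useful, so run Start-DecoyProcesses from a scheduled task at logon and re-check Disk\Enum after the first restart. Keep the slide's warning in mind: this trick makes mass-produced malware stop, and a few families (W32/Rombertik is the example given) react destructively instead, so it belongs on machines with tested backups.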
15. Conclusion
 Unless an attacker goes after you personally, he is very restricted
   Common criminals lack the know-how and the interest for hard targets
   Espionage operators also have budgets, and go for easy ROI
   That is, attackers prefer to mass produce their attacks
 Attackers are very dependent on the victim using a standard configuration
   So make your setup unique
   Avoid being hit by mass production; require artisanal attacks
16. Questions?
17. Thank You For Your Participation!
Stay tuned for the future cyber security webinar series:
 21 September 2015 at 11.00 EET: "Defending servers"
 15 October 2015 at 11.00 EET: "Defending network"
 9 November 2015 at 11.00 EET: "Responding to an incident"
 3 December 2015 at 11.00 EET: "Building secure systems"
The recording will be available at the Business Security Insider