Behind the scenes of IBM’s Trusteer Research
•Download as PPTX, PDF•
1 like•689 views
IBM Security. Trusteer Web Fraud. Behind the scenes of IBM’s Trusteer Research.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Behind the scenes of IBM’s Trusteer Research
Similar to Behind the scenes of IBM’s Trusteer Research (20)
More from IBM Sverige
More from IBM Sverige (20)
Recently uploaded
Recently uploaded (20)
Behind the scenes of IBM’s Trusteer Research
- 1. © 2014 IBM Corporation IBM Security 1 10.00-10.30 Behind the scenes of IBM’s Trusteer Research Ori Bach, Senior Security Strategist Trusteer, IBM Security
- 2. © 2014 IBM Corporation IBM Security 2 Trusteer provides a unique automated threat protection service Trusteer continuously evaluates the threat environment and automatically updates its solutions on behalf of its customers • Stop fraud attacks before they happen • Actionable threat intelligence on real-time threats • Remove and prevent future threats SaaS Service • Threat Intelligence from 400M+ endpoints • Insights from the cybercrime underground Real-time Threat Intelligence Service • Continuous threat monitoring • Rapidly adapt defenses • Hundreds of IBM expert security researchers Expert Research
- 3. © 2014 IBM Corporation IBM Security 3 CLIENT EXAMPLE Trusteer transforms the war against cybercrime with proven results A major European commercial bank transforms the war against Cybercrime in just one month 90% reduction in malware infected device logins fraud cases prevented150 • Faster time-to-value • Adaptive controls • Prevents root cause of fraud
- 4. © 2014 IBM Corporation IBM Security 4 Trusteer response to rapidly evolving malware Retrieve malware, configuration and modules from listening points across the globe Dedicated cross functional team for threat and research Monitor chatter on the darknet Install malware in dedicated lab environment Understand malware operator MO Reverse engineering Propriety decryption tools Versioning Identify incremental changes -> develop & deploy defenses in less then 12 hours Constant monitoring of bypass attempts
- 5. © 2014 IBM Corporation IBM Security 5 Dyre example - consistent detection across malware versions 0 50 100 150 200 250 300 350 400 450 6/26 7/3 7/10 7/17 7/24 7/31 8/7 8/14 8/21 8/28 9/4 9/11 9/18 9/25 10/2 10/9 10/16 10/23 10/30 11/6 11/13 11/20 11/27 12/4 Dyre Detections (June – December 2014) Dyre Version Releases v2410 10/26 v2910 10/31 v3010 11/03 v3011 11/03 v0511 11/06 v0611 11/09 v1311 11/13 v1811 11/19 v2511 11/26 v0812 12/09
- 6. © 2014 IBM Corporation IBM Security 6 Case Study: Trusteer protection against remote overlay attacks Intelligence team acquires toolkit behind attack from the underground Day 3 Listening endpoints pick up new attack MO in LATAM Country Day 0 Attack MO migrates to APAC Day 30 Demo of the attack including fake messages provided to targeted banks Day 4 Malware research team analyzes MO and releases updated defense Day 1 Trusteer endpoints in APAC protected before first attack starts Day 30
- 7. 7 © 2014 IBM Corporation Fraud toolkit for sale
- 8. © 2014 IBM Corporation IBM Security 8 Remote overlay toolkit example
- 9. © 2014 IBM Corporation IBM Security 9 Remote overlay toolkit example
- 10. © 2014 IBM Corporation IBM Security 10 Remote overlay toolkit example
- 11. © 2014 IBM Corporation IBM Security 11 Remote overlay toolkit example
- 12. © 2014 IBM Corporation IBM Security 12 Remote overlay toolkit example
- 13. © 2014 IBM Corporation IBM Security 13 Remote overlay toolkit example
- 14. © 2014 IBM Corporation IBM Security 14 Remote overlay toolkit example - Summary The toolkit circumvents device id and 2FA with physical token Question: how much does this toolkit cost on the underground: A ) 10,000 Euro B) 1000 Euro C) 500 Euro D) Less then 150 Euro
- 15. © 2014 IBM Corporation IBM Security 15 From the lab – Soft biometrics
- 16. © 2014 IBM Corporation IBM Security 16 10.30-10.45 Coffee break
Editor's Notes
- A standard fraud solution offers technology that consolidates data and analyzes it in order to predict the risk of fraud. Many of those solutions either provide only a single layer of protection , take a long time to deploy or do not keep up with changing threats. {Click} In comparison Trusteer technology is adaptive, easy to deploy and provides multiple protection layers. {Click} Not only does Trusteer have the best technology, but it also provides an additional layer of unique services When you deploy a Trusteer product you gain the benefit of a market leading research team that monitors fraud attack and constantly updates protections. {Click} In the fight against cybercrime the more intelligence you have the more effective you are. Our protections are based on analysis of data from over 400 million monitored endpoints as well as intelligence from underground forums
- Source: Presentation by Albert Le Dirac’h, Chairman and CEO, Komerční banka , April 16, 2015. As a result the war against cybercrime is transformed: Our customers report significant decrease in their operational costs due to more accurate detection Many fraud cases are stooped at the root cause and never mature to a fraudulent money transfer - making the fraud prevention seamless to the customers How fast due are customers see this value? I’d like to share some data from a presentation by the CEO of Komerční banka a major commercial bank in the Czech Republic following 1 month of deploying Trusteer: •90% reduction in logins from malware infected devices to the banks website •150 potential fraud cases prevented All this in just 1 month!
- Our wiki page describing the malware encryption can be found here: https://wiki.haifa.ibm.com/doku.php?id=security:malware:configs:dyre In a sentence - Dyre's configuration (and additional data, such as it's VNCm module) is kept on the hard drive, within an encrypted file. The encryption consists of several layers of AES (Advanced Encryption Standard, used in plenty of encryption systems). We are able to decrypt it using tools we developed in lab, following reverse engineering research we conducted here. What changed in the binary
- Day 0 – New MO using fake overlay messages and remote takeover of the computer is used in against LATAM banks. Victims are presented with fake messages asking them for the tokens in order to perform a “security update”. The attack is done via RAT to bypass device ID controls. Trusteer endpoints detect the attack before first victims call in to report unauthorized transactions Day 1 - The Trusteer malware team analyzes the data gathered and releases an updated defense within 24 hours. Ongoing monitoring shows that defense is stopping the new attack MO. Day 3 – Trusteer intelligence team picks up chatter from the underground that a new fraud toolkit is behind the attack. The team is able to acquire the toolkit. Day 4 - The toolkit is installed in Trusteer labs and end to end attack is reproduced and recorded. The demo helps targeted banks understand how their controls are bypassed and how to best educate their customers to identify the fake messages. Day 30- the Fraud toolkit finds it way to a country in APAC As Trusteer already released a global defense update , all attacks against Trusteer protected endpoint fails.