http://www.securedocs.com - The recent increase in high-profile cyberattacks has made online security a hot topic, and rightfully so. Companies from The New York Times to Facebook have fallen victim to attacks by cybercriminals, highlighting just how vulnerable any business is. In the past few years, malware has evolved dramatically and is a serious threat to all organizations, both big and small.
This presentation covers what advanced malware is and the impact it can have on an organization. Learn how to protect your business from this type of threat.
2. About AppFolio SecureDocs
AppFolio SecureDocs is a virtual data room for sharing and storing sensitive documents both internally and with outside parties.
AppFolio, Inc. Company Basics:
• Founded by the team that created and launched GoToMyPC and GoToMeeting
• Backed by leading technology companies and investors
• Web-based business software for financial and legal professionals
3. About Lastline, Inc.
Lastline’s security products synthesize and bring to commercial standards award-winning, world-renowned academic research on malware analysis and countermeasures.
• Founded in 2011 by university researchers Engin Kirda, Christopher Kruegel and Giovanni Vigna
• Considered to be today’s thought leaders on automated, high-resolution malware analysis and detection
• Focused on real-time analysis of advanced malware and big data analytics; leverages this threat intelligence to create solutions to protect companies of all sizes.
4. About Giovanni Vigna
Faculty member of the Computer Science Department at the University of California, Santa Barbara and the CTO/Founder of Lastline, Inc.
• Recognized expertise in web security, vulnerability analysis, malware countermeasures, and intrusion detection.
• Published more than 100 papers on the subject of network security and evasive malware
vigna@lastline.com vigna@cs.ucsb.edu
7. Targeted attacks are mainstream news.
Every week, new breaches are reported.
In the last few months alone …
Nobody Is Safe…
8. Once Upon a Time…
http://www.ted.com/talks/mikko_hypponen_fighting_viruses_defending_the_net.html
9. Unhappily Ever After…
• Proliferation of cybercrime for financial profit
– ZeuS
• Targeted attacks look for intelligence
– Aurora (Google and others)
– RSA SecureID
• Emerging cyber warfare
– Stuxnet
– Flame
“Steal something valuable”
10. Financial Malware
• What can be monetized?
– Financial data
– Usernames and passwords
– Virtual goods
– Online identities
– Computational power
– Emails
13. Targeted Attacks
• What can be monetized?
– Intellectual property
– Financial information
– Bids and contracts
– Organization structure
– Visited sites
14. State-level Attacks
• What can be gained?
– Intelligence
– Destruction of expensive equipment
– Influence on financial markets
– Shut down of critical infrastructure
– Fear, insecurity, lack of trust
17. Criminal Groups
• Well-organized groups with efficient division of roles and labor
– Programmers: develop malware code (malware, exploit kits)
– Testers: QA and AV evasion
– Traffic generators
– Botmasters
– Bot renters
– Money mules
• Budget for acquisition of zero-day exploits
“We are setting aside a $100K budget to purchase browser and browser plug-in vulnerabilities” (Cool exploit kit group)
http://krebsonsecurity.com/2013/01/crimeware-author-funds-exploit-buying-spree/
18. Underground Markets
• Virtual places for advertisement and exchange of goods and offering of services
• IRC channels and online forums
• Activities
– Advertisements
“i have boa wells and barclays bank logins....”
“i need 1 mastercard i give 1 linux hacked root”
– Sensitive data
“CHECKING 123-456-XXXX $51,337.31
SAVINGS 987-654-XXXX $75,299.64”
http://www.cs.cmu.edu/~jfrankli/acmccs07/ccs07_franklin_eCrime.pdf
http://cseweb.ucsd.edu/~voelker/pubs/forums-imc11.pdf
http://www.cs.ucsb.edu/~vigna/publications/fakeav_market.pdf
19. Making Sense of Attacks
• Lots of different vectors, tactics, specific tricks
• Two fundamental things to keep in mind:
– How do attackers get in?
– How do they get valuable information out?
23. Anatomy of Exploit
• The code determines that the victim has installed a vulnerable ActiveX control, e.g., QuickTime
• The control is loaded into memory
• The environment is prepared for the exploit, for example, for memory corruption exploits:
– The shellcode is loaded into memory
– The heap is sprayed to ensure that control eventually reaches the shellcode
• The vulnerability is triggered by invoking the vulnerable method/property of the ActiveX control
http://www.cs.ucsb.edu/~vigna/publications/iframe11.pdf
http://cseweb.ucsd.edu/~savage/papers/CCS12Exploit.pdf
24. Luring Users: SEO
Read more:
http://cseweb.ucsd.edu/users/voelker/pubs/juice-ndss13.pdf
http://faculty.cs.tamu.edu/guofei/paper/PoisonAmplifier-RAID12.pdf
27. Luring Users: Watering Holes
• Sometimes it is difficult to exploit the target of an attack directly
– Instead, compromise a site that is likely to be visited by the target
• Council on Foreign Relations → governmental officials
• Unaligned Chinese news site → Chinese dissidents
• iPhone dev web site → developers at Apple, Facebook, Twitter, etc.
• National Journal web site → political insiders in Washington
29. What Happens in the Background
• Analysis engine provides full emulation of an operating system environment and can detect what is actually happening in the system when a document is opened
• Process winword.exe was created:
– "C:\Program Files (x86)\Microsoft Office\Office12\winword.exe"
– The arguments of this process: /q /f "C:\Users\user\AppData\Roaming\dflt_sample.doc"
• Process winword.exe drops new files:
– "C:\Users\user\AppData\Local\Temp\msmx21.exe"
• Process winword.exe starts a new process:
– "C:\Users\user\AppData\Local\Temp\msmx21.exe"
• Running Task analyzes analysis result...
• ReportScanner: 80 (set(['Document: Writes a file then executes it']))
• Detections 1 (100.00%, 0 not detected)
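The verdict on this slide comes from a behavioural rule, not a signature: a document-handling process drops a file and that file is then started as a process. The following is an added example (not Lastline's code) that reconstructs that rule over a constructed event trace; the Event schema, the DOCUMENT_HANDLERS set and the weight of 80 are assumptions made for the example.

```python
"""Behavioural "drop and execute" rule over sandbox process events.

Added example, not Lastline's code: it reconstructs the verdict shown on
slide 29 ("Document: Writes a file then executes it") from a constructed
event trace.  The Event schema, DOCUMENT_HANDLERS and the weight of 80 are
assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple
import ntpath

# Image names that open untrusted documents (assumed list, not the page's).
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
RULE_DROP_AND_EXEC = "Document: Writes a file then executes it"
RULE_WEIGHT = 80  # mirrors the slide's ReportScanner score; assumed weighting


@dataclass
class Event:
    seq: int        # observation order inside the sandbox run
    kind: str       # "process_create" or "file_write"
    actor: str      # full image path of the process performing the action
    path: str       # image started (process_create) or file written (file_write)
    args: str = ""  # command line for process_create events


def _norm(p: str) -> str:
    """Canonical, case-insensitive Windows path (ntpath works on any host OS)."""
    return ntpath.normcase(ntpath.normpath(p))


def find_drop_and_execute(events: List[Event]) -> List[Dict[str, str]]:
    """Flag files written by a document handler that are later run as a process.

    Only writes seen *before* the process start count, so a pre-existing
    binary that a document merely launches does not trigger the rule.
    """
    written: Dict[str, Event] = {}
    findings: List[Dict[str, str]] = []
    for ev in sorted(events, key=lambda e: e.seq):
        if ev.kind == "file_write" and ntpath.basename(_norm(ev.actor)) in DOCUMENT_HANDLERS:
            written[_norm(ev.path)] = ev
        elif ev.kind == "process_create" and _norm(ev.path) in written:
            w = written[_norm(ev.path)]
            findings.append({
                "rule": RULE_DROP_AND_EXEC,
                "writer": w.actor,
                "dropped": ev.path,
                "launched_by": ev.actor,
            })
    return findings


def verdict(events: List[Event]) -> Tuple[int, List[str]]:
    """Score a run the way the slide summarises it: weight plus matched rule names."""
    findings = find_drop_and_execute(events)
    rules = sorted({f["rule"] for f in findings})
    return (RULE_WEIGHT if findings else 0), rules


WINWORD = r"C:\Program Files (x86)\Microsoft Office\Office12\winword.exe"
DROPPED = r"C:\Users\user\AppData\Local\Temp\msmx21.exe"

# Constructed trace modelled on slide 29 (not real sandbox output).
MALICIOUS_TRACE = [
    Event(1, "process_create", r"C:\Windows\explorer.exe", WINWORD,
          args=r'/q /f "C:\Users\user\AppData\Roaming\dflt_sample.doc"'),
    Event(2, "file_write", WINWORD, DROPPED),
    Event(3, "process_create", WINWORD, DROPPED),
]

# Constructed benign trace: Word writes its usual temp file and launches nothing.
BENIGN_TRACE = [
    Event(1, "process_create", r"C:\Windows\explorer.exe", WINWORD,
          args=r'/q /f "C:\Users\user\Documents\notes.doc"'),
    Event(2, "file_write", WINWORD, r"C:\Users\user\Documents\~WRL0001.tmp"),
]

# Constructed edge case: the binary ran before Word wrote to it, so nothing was dropped first.
PREEXISTING_TRACE = [
    Event(1, "process_create", WINWORD, DROPPED),
    Event(2, "file_write", WINWORD, DROPPED),
]

if __name__ == "__main__":
    for name, trace in [("malicious", MALICIOUS_TRACE), ("benign", BENIGN_TRACE),
                        ("preexisting", PREEXISTING_TRACE)]:
        score, rules = verdict(trace)
        print(f"{name}: ReportScanner: {score} {rules}")
```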
30. Spear Phishing
From: abudhabi@mofa.gov.sy
To: tehran@mofa.gov.sy
Date: Monday February 6, 2012 05:51:24
Attachment: 23 fdp.scr
---- Msg sent via @Mail - http://atmail.com/
Colleagues in the code office,
Please acknowledge the receipt of the telegram No. 23 in attachment.
Thanks,
Embassy / Abu Dhabi
31. Social Engineering Attacks
• Deceive the user into thinking that something useful is installed
– Video players
– Anti-virus
– Screen savers
– …
32. After the Infection: A Botnet Case Study
http://www.cs.ucsb.edu/~vigna/publications/ccs09_torpig.pdf
33. Hijacking the Botnet
• Reverse engineered the DGA used in Torpig and the C&C protocol
– Noticed that domains generated for 1/25/2009 – 2/15/2009 were unregistered
– Registered these domains
• Controlled the botnet for 10 days
– Unique visibility into a botnet’s operation
– 180,000 infected hosts
– 8.7 GB of Apache logs
– 69 GB pcap data (containing stolen information)
34. Threats
• 8,310 unique accounts from 410 financial institutions
– Top 5: PayPal (1,770), Poste Italiane, Capital One, E*Trade, Chase
– 38% of credentials stolen from browser’s password manager
• 1,660 credit cards
– Top 3: Visa (1,056), Mastercard, American Express, Maestro, Discover
– US (49%), Italy (12%), Spain (8%)
– Typically, one CC per victim, but there are exceptions …
35. Value of the Financial Information
• Symantec [2008] estimates
– Credit card value at $0.10 to $25.00
– Bank account at $10.00 to $1,000.00
• Using Symantec estimates, 10 days of Torpig data valued at $83K to $8.3M
37. Ideal World
Secure code
• Software we use contains no vulnerability, or
• Vulnerabilities are mitigated using sound security and engineering principles (least privilege, containment, etc.)
Unfortunately, currently only a handful of "secure programs" exist, and often in specialized sectors (regulations vs. innovation)
User awareness
• Users are aware of security threats
• They always make the right decision
Unfortunately, experiments show users are extremely bad at making security decisions (security vs. usability)
43. Common Sense Defenses
• Don’t open links/attachments from unknown sources
• However, ineffective against social/targeted attacks
44. Common Sense Defenses
• Limit web accesses to trusted/reputable sites
• However, ineffective against waterhole
attacks, malicious advertisements, web site
compromises
45. Common Sense Defenses
• Access sensitive services (e.g., online banking)
from dedicated machine
• However, inconvenient
46. Current Solutions Are Not Enough
• Firewalls are not enough
– Users actively (and unsuspectingly) go out to the attacker
– Attackers use port 80
• Intrusion Detection/Prevention (IDS/IPS) systems are not
enough
– Signatures and blacklists only catch known attacks
– Limited insight into downloaded artifacts
(binaries, spear-phishing links, …) and outbound network activity
• Anti-virus systems are not enough
– Artifacts change their appearance at a fast pace
(Signatures and blacklists insufficient, manual analysis of threats
requires an enormous amount of resources)
– AV vendors do not see the binary used in targeted attacks
(They cannot create any signature)
47. Solutions To Advanced Malware
• Analysis of incoming artifacts (what gets in)
– Web downloads, mail attachments
• Analysis of outgoing traffic (what gets out)
– DNS traffic, web traffic
• What gets out
• Where it goes
• How it is sent
• Use of correlation to present complete picture to
the system administrator
• But how good is the analysis?
50. Nature of Advanced Malware
• Static code obfuscation and polymorphism
[Figure: histogram of the number of times a hash is seen; > 93% of all samples are unique. Source: Binary-Code Obfuscations in Prevalent Packer Tools, Tech Report, University of Wisconsin, 2012]
• Defeats signature-based anti-virus
51. Nature of Advanced Malware
• Dynamic evasion – checks for environment
Defeats sandbox and
virtual machines
52. Nature of Advanced Malware
• Dynamic evasion – stalling loops
Defeats sandbox and
virtual machines
53. Lessons Learned
• Attacks are increasingly targeted
• “Attackers no longer go after your firewall. They go
after your employees”
• Attackers are persistent and patient
• Need for constant monitoring approach to defense
• Attackers develop custom tools and attacks after they
have gained access to a target
• Global landscape still matters, but…
• Defenses tailored to local characteristics and activity
are critical
• Evasive malware
• Need for next-generation tools
56. Lastline
• Started in 2011 by team of professors and
PhDs from University of California, Santa
Barbara and Northeastern University, Boston
• Located in Santa Barbara, CA
• Technology based on 8+ years of research on
advanced malware
• Founders include the creators of Anubis and
Wepawet analysis tools
57. Previct Anti-Malware Solution
• Sentinel scans traffic for signs and anomalies that reveal C&C connections and infections
• Lastline proactively scouts the Internet for threats and updates the Sentinel knowledge base
• Manager receives and correlates alerts, and produces actionable intelligence
• Sentinel sends unknown objects (programs and documents) for high resolution analysis
58. Key Technology
1. High resolution analysis engines
– CPU emulation provides deep insights into malware execution
– Necessary to detect and bypass evasive checks
– Expose malicious behaviors that existing sandboxes don’t see
2. Big data analytics
– Anomaly detection of suspicious outbound
command-and-control (C&C) flows
– Internet-scale, active discovery of threats
– Correlation of low-level events into actionable threat intelligence
59. High-Resolution Malware Analysis
• Visibility without code emulation (traditional sandboxing technology)
• Important behaviors and evasion happen here
• Visibility with code emulation (Lastline technology)
Case of espionage with likely political motivation. Attacks start around the time of an investigation critical of the Chinese prime minister. Attackers use compromised computers at several US universities to cover their tracks. Malware initially installed via spear-phishing emails. Perform a deep reconnaissance of the Times network. Identify domain controller servers. Break passwords for journalists' accounts. Access reserved email accounts and steal information from the email server. 45 distinct pieces of malware used: only 1 detected by Symantec.
http://www.symantec.com/connect/blogs/symantec-statement-regarding-new-york-times-cyber-attack
The Nortel case: http://online.wsj.com/article/SB10001424052970203363504577187502201577054.html
Hackers had apparently obtained the passwords of seven top officials, including a previous CEO. The hackers had been infiltrating Nortel's network, from China-based Internet addresses, at least as early as 2000. Hackers had almost complete access to the company's systems […] Once you were on the inside of the network, it was soft and gooey. Every month or so, a few computers on the network were sending small bursts of data to one of the same Internet addresses in Shanghai involved in the password-hacking episodes. The spyware unearthed in 2009 was a sophisticated mix. On both computers, researchers found a particularly malicious and hard-to-spot spying tool, namely "rootkit" software that can give a hacker full control over a computer and enables them to conceal their spying campaign. On one computer, hackers had set up an encrypted communications channel to an Internet address near Beijing. On the other computer, the investigators found a program that hackers were likely using to sniff out other security weaknesses within Nortel's networks. The hackers had created a "reliable back door." A top U.S. intelligence official said Nortel's hacking experience is representative of the types of incidents he sees. "That is consistent with what we've seen in long-term, multipronged attacks," he said. "If I'm looking to get a jump on my R&D, that's a good way to do it."
This slide highlights the difference explained before. The graphic shows a stream of instructions that might be part of a malware sample. The two sides show the subset of instructions that the individual systems are able to observe.
On the left-hand side, one can see the introspection offered by a traditional analysis engine, as it can only observe instructions that make calls to the library or native system interface. That is, the system might observe that the sample under analysis creates or opens a file and reads data from this file. It cannot observe, however, what the sample does with the read data.
On the right-hand side, one can see the entire trace of execution as seen by the emulated CPU of an advanced analysis system. The virtual CPU is also able to see what files are being read, but in addition, it associates data read from the system with CPU registers or memory locations and thus tracks the usage of the read information.
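The difference in visibility described in these notes, as an added teaching example (constructed code, not Lastline's engine): a toy CPU with a hypothetical instruction set runs a constructed program that reads a secret, XORs it with a key, moves it through memory and sends it out. An API-level monitor sees only a file read and a send of an unrecognisable byte; the emulator, which attaches a taint label to every register and memory cell, can say that the sent byte derives from the file.

```python
# Toy CPU emulator with taint tracking, added to illustrate the slide's point.
# Constructed teaching code, not Lastline's engine; the instruction set is
# hypothetical. READ and SEND are the only "API calls" a traditional sandbox
# would observe; everything in between is invisible to it.

FILES = {"passwords.txt": 0x41}   # constructed file contents (one byte)

# Constructed sample: read a secret, XOR it with a constant key, park it in
# memory, reload it into another register and send it out.
SAMPLE_PROGRAM = [
    ("READ", "r0", "passwords.txt"),
    ("CONST", "r1", 0x5A),
    ("XOR", "r0", "r1"),
    ("STORE", 0x100, "r0"),
    ("LOAD", "r2", 0x100),
    ("SEND", "r2"),
]

def run(program):
    """Return (api_view, emu_view, leaked): what an API-level monitor sees,
    the per-instruction taint trace an emulator sees, and the set of source
    files whose data reached SEND."""
    regs, mem, rtaint, mtaint = {}, {}, {}, {}
    api_view, emu_view, leaked = [], [], set()
    for op, *args in program:
        if op == "READ":
            r, name = args
            regs[r], rtaint[r] = FILES[name], {name}
            api_view.append(f"ReadFile({name})")
        elif op == "CONST":
            r, n = args
            regs[r], rtaint[r] = n, set()
        elif op == "XOR":                  # result inherits taint of both inputs
            a, b = args
            regs[a] ^= regs[b]
            rtaint[a] = rtaint[a] | rtaint[b]
        elif op == "STORE":                # taint follows the data into memory
            addr, r = args
            mem[addr], mtaint[addr] = regs[r], set(rtaint[r])
        elif op == "LOAD":                 # and back out again
            r, addr = args
            regs[r], rtaint[r] = mem[addr], set(mtaint[addr])
        elif op == "SEND":
            (r,) = args
            api_view.append(f"Send({regs[r]:#04x})")
            leaked |= rtaint[r]
        taint = {k: sorted(v) for k, v in rtaint.items() if v}
        emu_view.append(f"{op} {' '.join(map(str, args))}: tainted={taint}")
    return api_view, emu_view, leaked
```

Running `run(SAMPLE_PROGRAM)` shows the API view as just `ReadFile(passwords.txt)` and `Send(0x1b)`, while the leaked set names passwords.txt as the origin of the sent byte.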