News of the Flame attack has spread faster than wildfire. While the attack effected only a small number of Endpoints, Flame signifies a new level of cyber threat that all IT security professionals need to understand in-depth. View these presentation slides by IT Security expert, Randy Franklin Smith, as he walks you through the fascinating nuts and bolts of Flame and explains the technical details about how it worked and what lessons can be learned. • Learn the technical details about how Flame worked • How Flame was more than just sophisticated encryption exploits • Take away lessons on how to defend against APTs Take an in-depth look into the entire attack which featured more than just encryption exploits. Randy explores social engineering, removable devices and more.

1. © 2011 Monterey Technology Group Inc.

2. Brought to you by
www.lumension.com
Speaker
 Chris Merritt - Director of Solution Marketing

3. Preview of Key Points
How it worked
Lessons learned
© 2012 Monterey Technology Group Inc.

4. How Flame Worked
24 Command &
Control Servers
84 Domain Names
traffic-spot.bz
trafffic-spot.com
quick-net.info
smart-access.net
chchengingine.com
chchengine.net
flasp.webhop.net
Internal Network
© 2012 Monterey Technology Group Inc.

5. How Flame Worked
Internal Network
© 2012 Monterey Technology Group Inc.

6. How Flame Worked
Flame’s 20MB of Capabilities
• Bluetooth
• Audio
• USB
• Backdoor accounts
• Proxy server
• Windows Update
• Extendable modular architecture
• File system search
• Text summaries of interesting files
• Logging
• Trickle uploader
• Anti-Malware aware
Internal Network
• Compression
• SSL fallback to SSH
© 2012 Monterey Technology Group Inc.

7. How Flame Worked
Internal Network
© 2012 Monterey Technology Group Inc.

8. How Flame Spread via WU
1. Flame activates on first computer (X)
2. Another computer (Y) wants to check for Windows Updates
3. Y defaults to automatic proxy server and broadcasts an
NBNS request for WPAD (Web Proxy Auto-Discovery)
4. X answers back and spoofs itself as a proxy server
5. Y attempts to connect through X to Microsoft’s Windows update
site and retrieve updates
6. X pretends to be Windows Update and sends back a bogus patch
which contains Flame
7. But why does Y’s Windows Update validation logic trust the bogus
patch?
© 2012 Monterey Technology Group Inc.

9. How Flame Spread via WU
8. Flame signs the patch with a certificate that appears to be from Microsoft
9. The certificate was created from a Terminal Services Licensing Service
CAL certificate
10. Then used to sign the patch
11. Why was it possible to do this?
© 2012 Monterey Technology Group Inc.

10. The Incredible Part
All possible because the bad guys pulled
off a highly advanced cryptography trick
Chosen prefix attack on the MD5 hash of
certificate signature
Real Fake
TS Licensing Windows Update
Certificate Certificate
Signature from MS Certificate Authority
© 2012 Monterey Technology Group Inc.

11. What Microsoft Did Wrong
TS Licensing certs included code signing
in the intended uses
TS Licensing certs were ultimately signed
by Microsoft’s Root CA
Windows Update was looking for cert’s
signed by Microsoft
TS Licensing certs used MD5
This allowed the attackers to create a
bogus certificate and forge signatures on
bogus patches
© 2012 Monterey Technology Group Inc.

12. Lessons learned
MD5 was broken a long, long time ago
Stop using technologies theoretically broken
(intersection w/o stoplight syndrome)
PKI is tricky
Who do you trust and for what purposes?
Good security still rules
© 2012 Monterey Technology Group Inc.

13. Lessons learned
 Good security still rules
 Website categorization
 Egress traffic analysis
 Anti-malware
 Whitelisting
 Reduce attack surface
• Turn off unneeded features like WPAD
• Turn off bluetooth
 Device control
 Internally controlled patch management
 Security log monitoring
• New account reconciliation
• New authentication packages
© 2012 Monterey Technology Group Inc.

14. Bottom Line
Endpoint security technologies really work
Whitelisting
Antimalware
Device control
Removable media
Configuration management
Internally controlled patch management
© 2012 Monterey Technology Group Inc.

15. Brought to you by
www.lumension.com
Speaker
 Chris Merritt - Director of Solution Marketing

16. Defense-in-Depth
Tools You Need to
Disrupt Sophisticated
Attacks like Flame
Chris Merritt
Director of Solution Marketing
Lumension

17. Integrated Defense-in-Depth
Unify workflows and technologies to deliver enhanced
endpoint operations and security management capabilities
Endpoint Operations Intelligent Whitelisting Endpoint Security
Patch
Application Control Device Control
Management
Asset Configuration Trusted Anti-Virus /
Change Disk Encryption
Management Management Spyware
Software Power Windows Firewall
Management Management Management
Reporting
» Delivers Comprehensive Security Solution
» Provides Proactive Target Hardening
» Reduces Overall IT Cost and Burden
17
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

18. Lumension® Patch and Remediation
Comprehensive and Secure Patch Management
Endpoint Operations » Provides rapid, accurate and secure patch and
configuration management for applications and
Endpoint Operations
Lumension® Patch and Remediation
operating systems:
Lumension® Content Wizard • Comprehensive support for multiple OS types
Lumension® Configuration Mgmt.
(Windows, *nix, Apple), native applications, and
3rd party applications
Lumension® Power Management • Streamline and centralize management of
heterogeneous environments
• Visibility and control of all online or offline endpoints
• Elevate security posture and proactively reduce risk
• Save time and cost through automation
18
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

19. Lumension® Content Wizard
Cost-Effectively Streamline Endpoint Management
Endpoint Operations » Simple, wizard-based policy creation and
baseline enforcement – without add’l tools:
Endpoint Operations
Lumension® Patch and Remediation
• Patch Creation
Lumension® Content Wizard • Software Installs and Uninstalls
Lumension® Configuration Mgmt. • Windows Security Policies
• Power Management Policies
Lumension® Power Management
• NEW! Windows Firewall Policies
19
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

20. Lumension® Security Configuration Mgmt.
Prevent Configuration Drift and Ensure Policy Compliance
Endpoint Operations » Ensure that endpoint operating systems and
applications are securely configured and in
Endpoint Operations
Lumension® Patch and Remediation
compliance with industry best practices and
Lumension® Content Wizard regulatory standards:
Lumension® Configuration Mgmt. • Security Configuration Management
• Out-of-the-box Checklist Templates
Lumension® Power Management
• NIST Validated Solution
• Continuous Policy Assessment and Enforcement
• Based on Open Standards for Easy Customization
• Security Configuration and Posture Reporting
20
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

21. Lumension® Power Management
Optimize Power Savings while Maintaining Security
Endpoint Operations » Enhanced Wake-on-LAN relay architecture
ensures systems are available for maintenance
Endpoint Operations
Lumension® Patch and Remediation
despite being powered down
Lumension® Content Wizard
» Monetizes Power Management Policies:
Lumension® Configuration Mgmt.
• Integrated Power Savings Reports
Lumension® Power Management • Power Monitoring and Savings Calculator
• Uptime Reports
• Dashboard – Uptime or Savings Trends
21
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

22. Lumension® AntiVirus
Multilayered Protection Against Malware
» Based on proven technology from industry Endpoint Security
leader providing complete protection against
Lumension® AntiVirus
known and unknown malware including viruses,
Endpoint Security
worms, Trojans, spyware, adware and more Lumension® Application Control
» Includes a breadth of analysis techniques from Lumension® Device Control
traditional signature matching to behavioral Lumension® Disk Encryption
analysis to effectively protect against zero-day
and evolving threats:
• Antivirus (AV) protection (full signature matching)
• DNA Matching (partial signature matching)
• SandBox (behavioral analysis in an emulated
environment)
• Exploit Detection (find hidden/embedded malware)
» VB100 certified by VirusBulletin
22
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

23. Lumension® Application Control
Proactive Protection Against Malware and More
» Effective Endpoint Security: Block known and Endpoint Security
unknown malware without signatures, and
Lumension® AntiVirus
prevent exploitation of application / configuration
Endpoint Security
vulnerabilities Lumension® Application Control
» Control the Unwanted: Real-time view of all Lumension® Device Control
application inventory, ensuring only approved Lumension® Disk Encryption
software is allowed to run, and denying /
removing all unwanted applications
» Control the Unknown: Enforce, log and audit
all endpoint application change while controlling
end-users with Local Admin rights
» Flexible and Easy-To-Use: Unified solution
workflow via single console with flexible trusted
change management policy
23
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

24. Lumension® Device Control
Policy-Based Data Protection and Encryption
» Protect Data from Loss or Theft: Centrally Endpoint Security
enforce usage policies of all endpoint ports and
Lumension® AntiVirus
for all removable devices / media.
Endpoint Security
Lumension® Application Control
» Increase Data Security: Define forced
encryption policy for data flows onto removable Lumension® Device Control
devices / media. Flexible exception Lumension® Disk Encryption
management.
» Improve Compliance: Centrally encrypt
removable devices / media to ensure data
cannot be accessed if they are lost or stolen.
» Continuous Audit Readiness: Monitor all
device usage and data transfers. Track all
transferred files and content. Report on all
data policy compliance and violations.
24
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

25. Lumension® Disk Encryption (powered by Sophos)
Transparent Full Disk Encryption for PCs
» Secures all data on endpoint harddrives Endpoint Security
» Provides single sign-on to Windows Lumension® AntiVirus
Endpoint Security
» Enforces secure, user-friendly pre-boot Lumension® Application Control
authentication (multi-factor, multi-user options)
Lumension® Device Control
» Quickly recovers forgotten passwords and data
(local self-help, challenge / response, etc.) Lumension® Disk Encryption
» Automated deployment, management and
auditing via L.E.M.S.S. (integrated version)
25
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

26. Lumension® Endpoint Management and Security Suite
Total Endpoint Protection
Endpoint Operations Endpoint Reporting Services
Lumension® Patch and Remediation Lumension® AntiVirus
Endpoint Security
Lumension® Content Wizard Lumension® Application Control
Lumension® Configuration Mgmt. Lumension® Device Control
Lumension® Power Management Lumension® Disk Encryption
Lumension® Endpoint Management Platform
» Comprehensive suite that unifies IT operational and security functions
» Delivers a more effective defense-in-depth endpoint security solution
» Simplifies endpoint system and agent management thru single console
» Centralizes policy management and reporting
» Expands operational and security visibility
» Reduces technology complexity and integration costs
» Flexible and modularly licensed best-of-breed application modules
» Scalable and agile single-agent, single-server platform architecture
26
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

27. Next Steps
• Free Tools
» http://www.lumension.com/Resources/Premium-Security-Tools.aspx
» Application Scanner – see what applications are running on your network
» Device Scanner – see what removable devices are being used
» Vulnerability Scanner – see what your OS / application risks are
• Whitepapers
» Endpoint Management and Security Buyers Guide
• http://www.lumension.com/Resources/WhitePapers/
Endpoint-Management-and-Security-Buyers-Guide.aspx
• Free Evaluation
» http://www.lumension.com/
endpoint-management-security-suite/free-trial.aspx
27

28. Global Headquarters
8660 East Hartford Drive
Suite 300
Scottsdale, AZ 85255
1.888.725.7828
info@lumension.com