This document discusses advanced persistent threats (APTs) and how they have evolved to target users through spear phishing, watering hole attacks, and drive-by downloads. It outlines the tactics, techniques, and motivations of aggressive adversaries like nation states, cyber criminals, and hacktivists. It argues that current security practices are insufficient and that a new approach is needed to contain malware, detect zero-day attacks without signatures, and prevent APTs by negating user error and containing infections in a virtual environment. It promotes the Invincea security product as a solution to break the APT workflow through containment, detection, prevention, and intelligence capabilities.

1. Stop Watering Holes, Spear-Phishing and
Drive-by Downloads
STEPHEN WARD – VICE PRESIDENT

2. A Crumbling Industry
The Lost Decade
Failure to innovate
Symptoms vs. Disease
The Great Malware Arms Race
Business Revolution
Rush to adopt
Risk Acceptance vs. Understanding
The Mediocrity of Compliance
Closed Circuits
Shame of victimization
Classification vs. Cooperation
The Inability to Find Common Purpose

3. Aggressive and Persistent
Adversaries
NATION STATES CYBER CRIMINALS HACKTIVISTS
Motives
include:
• Cyber
espionage
• Intellectual
Property
Theft
• Probing of
Critical
Infrastructure
s
Motives
include:
• Identity theft
• Corporate
financial fraud
• Black market
sales to Nation
States
• Probing of
Financial
Infrastructures
Motives
include:
• Political action
• Shaming major
corporations
• Attacking
specific
executives
• Exposing
corporate
trade secrets

4. Riddle Me This…

5. „11, „12 and ‟13 (so far) bloodiest years on
record…
• “White House” eCard (spear-phishing)
• HBGary Federal (social engineering)
• Night Dragon (spear-phishing)
• London Stock Exchange Website (watering-hole)
• French Finance Ministry (spear-phishing)
• Dupont, J&J, GE (spear-phishing)
• Charlieware (poisoned SEO)
• Nasdaq (spear-phishing)
• Office of Australian Prime Minister (spear-phishing)
• RSA (spear-phishing)
• Epsilon (spear-phishing)
• Barracuda Networks (spear-phishing)
• Oak Ridge National Labs (spear-phishing)
• Lockheed Martin (spear-phishing)
• Northrup Grumman (spear-phishing)
• Gannet Military Publications (spear-phishing)
• PNNL (spear-phishing)
• ShadyRAT (spear-phishing)
• DIB and IC campaign (spear-phishing)
• „Voho‟ campaign (watering-holes and spear-phishing)
• „Mirage‟ campaign (spear-phishing)
• „Elderwood‟ campaign (spear-phishing)
• White House Military Office (spear-phishing)
• Telvent‟ compromise (spear-phishing)
• Council on Foreign Relations (watering hole)
• Capstone Turbine (watering hole)
• RedOctober (spear-phishing)
• DoE (spear-phishing)
• Federal Reserve (spear-phishing)
• Bit9 (SQL injection)
• NYT, WSJ, WaPO (spear-phishing)
• South Korea (spear-phishing)
• 11 Energy Firms (spear-phishing)
• QinetIQ (TBD)
• Apple, Microsoft, Facebook (watering-hole)
• Speedtest.net (drive-by download)
• National Journal (watering hole)
• FemmeCorp (watering hole)
• Department of Labor / DoE (watering hole)
• WTOP and FedNewsRadio (drive-by downloads)
No One is Immune
What are we waiting for??

6. Enterprise Security Architecture
for Addressing APT
Firewalls/Web
Proxies
Network
Controls
Anti-Virus
Forensics and
IR
User Training
In Use | Confidence*
App Whitelisting

7. The Primary Target –
The Unwitting Accomplices
The User
The #1 Attack Vector =
• Ubiquitous usage of Internet and
Email has enabled adversaries to
shift tactics
• Prey on human psychology
• Spear Phishing – The New Black
• Drive by Downloads
• Malicious sites
• Weaponized Attachments
• Watering Hole Attacks
• Hijacked trusted sites
• Trust in social networks
• Facebook, Twitter, LinkedIn
• Faith in Internet search engines
• Poisoned SEO
• User Initiated Infections
• Fake A/V and fear
mongering

8. Competitive Futures Are at
Stake
“Theirs” Ours
The good news
is…they‟re stealing
petabytes worth of
data…
The bad news
is…in time, they‟ll
have sorted
through it all

9. Competitive Futures Are at
Stake

10. Still waiting on some
“Digital Pearl Harbor?”
99 Red Balloons…
$200 Billion Market Shift on the Back of a
Spear-Phishing Attack

11. 99 Red Balloons…
$45 Million in Financial Fraud from One
ATM Scheme Alone…

12. 99 Red Balloons…
Watering Hole Attack Hits 3 Major Tech
Companies…
• 3rd party developer website
infected deliberately to target
these companies
• Employees targeted were in
R&D/Engineering groups
• Well planned, well
executed…easy peasy…

13. 99 Red Balloons…
Watering Hole Targets Department of
Labor website – DoE visitors…

14. Alarming Malware Statistics
• 280 million malicious programs
detected in April 2012*
• 80,000+ new malware
variants daily **
• 134 million web-borne infections
detected (48% of all threats) in
April 2012*
• 24 million malicious URLs
detected in April 2012*
• 30,000+ new malicious URLs
daily**
• 95% of APTs involve spear-
phishing***
• Organizations witnessing an
average of 643 malicious URL
events per week***
• 225% increase from 2012**
* Kaspersky April 2012 Threat Report
** Panda Labs Q1 2012 Internet Threat Report
*** FireEye September 2012 Advanced Threats Report
****Both Mandiant and Trend Micro – 2013 Reports

15. KIA – Mandiant “APT-2”
Spear-Phish
www.invincea.com/blog
or -
http://https://www.invincea.com/2
013/02/mandiant-report-spear-
phishing-campaign-kia-with-
invincea-cve-2011-0611/

16. Java - Getting Bullied…

17. Einstein‟s Definition of Insanity
Patching software
as vulnerabilities
are made public
Detecting intruders
and infected systems
after the fact
Recovering and restoring
the infected machines
back to a clean state
Security
Insanity
Cycle

18. Addressing the
Critical Vulnerability in Java 7
“Uninstall Java…”

19. Addressing the
Critical Vulnerability in IE
“Stop Using IE…”

20. Addressing the
Pandemic of Spear-Phishing
“Don‟t Click on Links You Don‟t
Trust…”

21. An Alternative to Bad Advice
Not quite…but pretty darn close…

22. Rethink Security
If…you could negate user error
And…contain malware in a virtual environment
And…stop zero-days in their tracks without signatures
Then…preventing APTs would be possible
“Making Prevention Possible Again”

23. Contain the Contaminants
Prevention
Pre-Breach Forensics
Protect every user and the network from their error
Feed actionable forensic intelligence without the breach
Detection
Detect zero-day attacks without signatures

24. KIA – IE8 0day CVE-2013-1347
Watering Hole Attack on DoL subsite thwarted by
Invincea Enterprise
• Whitelisted or blacklisted website? More than likely whitelisted
• Targeted fully patched IE8 browsers on Windows XP platform
• Increasingly common poisoning tactic from adversaries
• Detected without signatures, immediately killed and forensically
analyzed by Invincea
www.invincea.com/blog
or -
http://www.invincea.com/2013/05/
part-2-us-dept-labor-watering-
hole-pushing-poison-ivy-via-ie8-
zero-day/

25. KIA – Dvorak, WTOP &
FederalNewsRadio
Mass Compromise on several media sites including
wtop.com and federalnewsradio.com thwarted by
Invincea Enterprise
• Whitelisted or blacklisted website? More than likely whitelisted
• Exploit Kit (FiestaEK) targeting recent Java vulnerabilities on IE
enabled systems only
• SAME EK as National Journal discovered by Invincea
• Detected without signatures, immediately killed and forensically
analyzed by Invincea
www.invincea.com/blog
or -
http://www.invincea.com/2013/05/
k-i-a-wtop-com-fednewsradio-
and-tech-blogger-john-dvorak-
blog-site-hijacked-exploits-java-
and-adobe-to-distribute-fake-av-
2/

26. Mapping the APT Kill Chain
Stage 1: Reconnaissance
Research the target
Stage 2: Attack Delivery
Spearphish with URL links
and/or attachment
Stage 5: Internal Recon
Scan network for targets
Stage 3: Client Exploit &
Compromise
Vulnerability exploited or user
tricked into running executable
Stage 8: Stage Data &
Exfil
Archive/encrypt, leak to
drop sites
Stage 4: C2
Remote Command & Control.
Stage 6: Lateral
Movement
Colonize network
Stage 7: Establish Persistence
Root presence to re-infect as
machines are remediated
Stage 9: Incident
Response
Analysis, remediation,
public relations, damage
control

27. Invincea – Breaking the APT
Workflow
Containment | Detection | Prevention | Intelligence
• Highly targeted apps run in contained environment
• Behavioral based detection spots all malware including 0-days
• Automatic kill and remediation to clean state
• Forensic intelligence on thwarted attacks fed to broader
infrastructure
Threat Data Server

28. • Prestigious SANS Institute Calls for DPW type of
controls…
• Item 5: Malware Defenses
• 5.7. Quick wins: Deploy…products that provide sandboxing (e.g.,
run browsers in a VM), and other techniques that prevent
malware exploitation.
• SANS awards NSA a National Security Award for
review of Invincea technology
• NSA led a year long analysis of the technology that powers DPW
• Endorsed as effective for combatting the advanced threat
• SANS viewed as a break-through in endpoint security
• Notable Industry Awards
• Most Innovative Company of the Year – RSA 2011
• GovTek Best Tech Transfer to Startup – 2012
• Government Security News‟ “Best Anti-Malware Solution” - 2012
Recognized as a Game
Changer…

29. Steve Ward:
steve.ward@invincea.com
Go ahead…spear-phish me!
www.invincea.com
Twitter: @Invincea
Want a t-shirt? Drop a note to megan.cavanaugh@invincea.com – only
one catch, you‟ve got to tweet a pic of you wearing it!
Let‟s Get Moving