Malware: Money, Methods, and Trends
Daimon Geopfert, McGladrey LLP
November 14, 2012

Introduction
• McGladrey LLP
  • 5th largest CPA/consulting firm
  • 6,500+ professionals and 70 offices in the US
  • 70,000+ professionals internationally
• Industries
  • Manufacturing, Finance, Government, Education, Healthcare, NFP, Consumer Products, Real Estate, etc.
• Security and Privacy Services
  • Testing
  • Architecture
  • PCI
  • Governance
  • IR/Forensics

Introduction
• Daimon Geopfert
  • National Leader, Security and Privacy Services
  • I like standardized tests
    • CISSP, CISM, CISA, CEH, GCIH, GREM
  • I am not an auditor but I play one on your network
    • Penetration Testing & Vulnerability Assessment
    • Security Monitoring
    • Incident Response
    • Forensics & Investigations
  • Former DoD, AFOSI-CCI, AIA
  • All business, all the time

Agenda
• Overview of Malware Trends
• Nature of Attackers
• A Peek at the Markets
• Methods of Response and Control
• Summary

Overview of Malware Trends: Setting the Stage
• Types of malware
  • Virus
  • Worms
  • Trojans
  • Adware and spyware
  • URL injectors, redirectors, and dialers
  • Backdoors, rootkits, and keyloggers
  • Wabbits (go ahead and ask)
• These are just general categories
• Modern malware often fits multiple categories

Overview of Malware Trends: Traditional Trends
• Perimeter attacks
• Operating system focus
• Single-shot viruses/worms
  • One trick pony
• Blatant Trojans
  • Elf Bowling, anyone?
• Little detection avoidance
  • Directly observable
  • Outright baiting of system owners
• Open C3
  • Command, control, communications
• Zero-day races

Overview of Malware Trends: Current Trends
• Massive increase in attacks against people and processes
• Shotgun vs. Sniper
  • Widespread, generic attacks are still popular but becoming more automated
  • Targeted, detailed attacks are becoming the norm
• Hobby vs. Profession
  • Previous: stereotypical "anti-social teenager" or "hermit living in his mom's basement"
  • Now: formally trained developers, professional intelligence and industrial operatives, business managers looking for large-scale efficiency
• Obfuscation and long-term infections
• Controls bypass methods

Demo #1: Snort signature bypass
• Setup
  • Attacker: 192.168.10.10
  • Target: 192.168.10.204
  • IDS: Snort
• Food for thought…

Current Trends (cont.)
• Persistence
  • Multitude of re-infection methods
• Anti-forensics
  • Timestomp, VM-aware malware, tailored delivery, forensic tool exploits
• Hidden C3
  • Encrypted tunnels; hidden, anonymous communications
• Research and custom solutions
  • Specific fit for a specific target
  • Purpose-built to avoid known controls, technology, and processes
  • Dedicated zero-day attacks
• Retaliation
  • DoS, destroy systems, encrypt data, etc.
  • Attack the environment, the responders, and the managed security provider

Current Trends (cont.)
• Code is no longer static
  • Constantly mutating or customized
  • Attackers can purchase subscriptions and appliances and use them to perform QA of their malware, i.e. test a build against current AV engines before releasing it
  • Avoid AV detection by never touching the disk
• AV, a signature-based product, is limited to what it knows
  • Heuristics are utilized by most AVs, but these are not the silver bullet they were once held out to be
• Many organizations are dealing with outbreaks of varying scales on a monthly basis
  • If you've gone a significant amount of time between events, it is time to start questioning your ability to identify an event

Current Trends (cont.)
• Lower knowledge thresholds
  • Kits such as Zeus, SpyEye, MPack, etc.
  • A "bleed-over effect" from APT into normal malware
  • Non-targeted malware is built in ways that simulate APT, but the controllers have little or no understanding of how it works
• This also means not every APT-style threat is a cyber-ninja
• We consistently run into adversaries that are almost schizophrenic
  • Elegant, targeted attacks followed by pure script-kiddie flailing
  • Powerful, unique tools over which they have only partial control
  • Stealthy infiltration followed by blunt, noisy expansion techniques
  • A recent engagement saw an attacker almost DoS a network after infiltration because they were doing mass ping sweeps from dozens of compromised systems
    • Complete waste of unique malware

Demo #2: Antivirus bypass
• Setup
  • Attacker: 192.168.10.10
  • Target: 192.168.10.202
  • AV: Avast
• Food for thought…

Current Trends (cont.): Change in Delivery Methods – Social Engineering
• Social engineering
  • Fancy name for traditional "con games"
  • Attacking an environment via manipulating people
  • Focused on user habits, mannerisms, human nature, entrenched organizational procedures and activities
  • The attack vector of choice for many advanced attackers
  • Typical countermeasures such as firewalls, anti-virus, and intrusion detection systems are almost worthless against it
• Phishing
  • Attempts to acquire information via fake emails, texts, and web pages
• Pharming
  • Large-scale, unfocused attacks directing users to malicious websites (typically by tampering with DNS or host name resolution rather than by luring)
• Spear phishing
  • Small-scale, focused attacks against a limited audience
• Whaling
  • Ultra-focused attacks against high-profile targets

Current Trends (cont.): Change in Delivery Methods – Social Engineering
• Social networks are easier to target, and users are more likely to fall for scams because of inherent trust relationships
  • Users can receive messages including URLs and attachments
  • Easier for attackers to find and target individuals in positions of privilege
  • Trusted agents ("friends") can more easily bait users into clicking URLs
• Cyber criminals are increasingly turning to social networks, as opposed to email services, to attack users, as social networks are much more difficult to monitor and control
• Attacks are happening "inside the castle" with mainly local anti-virus as the last line of defense, which is a scary thought
• Allows for attacks against browsers (aka "drive-bys") that formerly were only really useful when users went to known, dodgy websites that were traditionally blocked
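The lures Demo #3 relies on (a cloned LinkedIn page reached through a message that looks like it came from a friend) leave two marks that can be checked mechanically before a user clicks: the visible link text names one host while the href goes to another, and the landing host borrows a brand name inside a domain the brand does not own. The script below is an added example, not code from the original deck or from McGladrey; the message body, the brand list in KNOWN_BRANDS, and the registrable() heuristic (last two labels, which is wrong for ccTLDs such as co.uk) are constructed assumptions for illustration. It goes slightly beyond the slide by also catching digit-for-letter substitutions such as "1inkedin".

```python
"""Flag phishing-style links in an HTML message body.

Added example, not from the original deck. Sample HTML, brand list and
the eTLD+1 heuristic are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brands we care about and the registrable domains that legitimately serve
# them. Constructed for this example; extend per organisation.
KNOWN_BRANDS = {"linkedin": {"linkedin.com"}, "paypal": {"paypal.com"}}


def registrable(host):
    """Crude eTLD+1: the last two labels. Fine for .com-style hosts, wrong
    for ccTLDs like co.uk; use a public-suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Hostname of a URL, or of a bare domain shown to the user."""
    if "://" not in text:
        text = "http://" + text.strip()
    return (urlsplit(text).hostname or "").lower()


def looks_like_brand_spoof(host):
    """Return the impersonated brand when the host mentions a brand (allowing
    1->l and 0->o swaps) but its registrable domain is not the brand's own."""
    reg = registrable(host)
    for brand, real in KNOWN_BRANDS.items():
        if reg in real:
            return None
        if brand in host or brand in host.replace("1", "l").replace("0", "o"):
            return brand
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_lures(html):
    """Return (reason, href) findings for a message body."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        # Only treat the anchor text as a host claim if it looks like one.
        shown = host_of(text) if ("." in text and " " not in text) else ""
        if shown and registrable(shown) != registrable(target):
            findings.append(("text/href host mismatch", href))
        brand = looks_like_brand_spoof(target)
        if brand:
            findings.append((f"host impersonates {brand}", href))
    return findings


# Constructed sample: a LinkedIn-themed lure plus one legitimate link.
SAMPLE = """
<p>You have a new connection request.</p>
<a href="http://linkedin.com.accept-invite.example/x">https://www.linkedin.com/</a>
<a href="http://1inkedin-login.example/">View profile</a>
<a href="https://www.linkedin.com/feed/">Go to LinkedIn</a>
"""

if __name__ == "__main__":
    for reason, href in find_lures(SAMPLE):
        print(f"{reason}: {href}")
```

Run against a mail gateway's quarantine or a social-network export, the two findings complement each other: the href/text mismatch catches the classic "display one thing, link another" lure even when the target host is brand new, while the brand check catches lookalike hosts even when the link text is innocuous ("View profile").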
Demo #3: Social Media/Engineering
• Setup
  • Target: 192.168.10.202 (patched WinXP)
  • Attacker: 192.168.10.10 (LinkedIn clone)
  • Also in the picture: Google Mail, Linkedin.com

Current Trends (cont.): Change in Delivery Methods – Beyond the OS
• Internet infrastructure
  • DNS & routing
• Encryption methods
  • sslstrip
• Certificates
  • DigiNotar et al.

Current Trends (cont.): Change in Delivery Methods – Beyond the OS
• Client-side attacks
  • Java applets
  • ActiveX
  • QuickTime
  • Flash
  • Browser-specific
• Business-critical/common document types
  • PDF
  • DOC
  • XLS
• Many organizations are "fighting the last war" by focusing on the OS

Demo #4: Web Client-Side Attack
• Setup
  • Attacker: 192.168.10.10 (malicious website)
  • Target: 192.168.10.201 (vulnerable IE)
• Food for thought…

Current Trends (cont.): Change in Delivery Methods – Mobile
• Many of the risks inherent to wireless
  • Interception, plain-text or "crackable" encryption
• Many of the risks inherent to web/cloud solutions
  • Passwords, session management, MitM
• Portable is Latin for "easy to leave in the back of a taxi"
  • Many high-profile "data breaches" are actually lost or stolen devices
  • Mature encryption policies exist for laptops, not for tablets & smart phones
  • Easily available software can unlock smartphones in seconds or minutes
• Attacks
  • Patching and updates are necessary just as with any other device
  • There are traditional attacks available for these devices
  • Malware… and iOS folks shouldn't get all high-and-mighty
    • Lack of attacks for Mac/Apple was a function of economics, not technology

Nature of Attackers: Some Misconceptions
• "If I'm not a financial organization or contain military secrets they don't care about me."
  • You will be hard pressed to make appropriate risk management decisions until you understand who they are and why they act
  • "Attackers" are not a vague, all-encompassing, generic horde
  • Begin to think of attackers as a spectrum rather than a generic entity
    • "Script Kiddies" <-> APT (Advanced Persistent Threat)
    • Not every attacker is a cyber-ninja; the reality is somewhere between what you hope and what you fear
  • Recognize that attackers have differing, shifting motives
    • Targets of opportunity
    • Bandwidth and equipment
    • Hacktivism
    • Financial data and intellectual property*
      • *#1 asset on the underground market
    • Revenge and retribution
    • None of the above

Nature of Attackers: Some Misconceptions
• "We're too small for anyone to bother with us"
  • The old threat models no longer apply
  • Historically attackers went after big targets because the payday justified their investment, while small targets consumed similar resources for minimal return
  • That model has flipped: big targets are often "hard" targets, while new methods reduce the resource costs for small, "soft" targets
  • Smaller companies often:
    • Use COTS software with many basic, default settings
    • Do not invest in advanced security technologies
    • Do not have security specialists on staff
    • But DO contain highly valuable information, just not in the quantities of a large target
  • Attackers now use a variety of automation techniques to lower the resources necessary to handle large numbers of small hacks
  • Congratulations, you've been monetized

Nature of Attackers: A Look Back
• Historical structures
  • Lone wolf attackers
  • Tight-knit "gangs"
• Historical motivation of attackers
  • Bragging rights
  • Complete destruction
  • Curiosity and research
  • Free stuff
    • Pizza, merchandise, phone calls, storage, CPU time
  • Hack… ?… Profit!
    • Not what you would call a formal business plan

Nature of Attackers: Modern Day
• Fortune vs. Fame
• Botnets and zombie herds
  • Spam, music and movies
  • BitTorrent, anonymizers and shadow networks
  • Rental weapon platforms and C3 for malware
  • Lots of "pro-bono" support as well
• Intelligence, warfare, and terrorism
  • Focus on destroying/compromising "enemy" infrastructure
• "Competitive intelligence"
  • Very pretty name for very ugly business methods
• Large-scale money laundering
  • Money/resource transfers
  • E-Gold, PayPal, Liberty Reserve, WebMoney, etc.
• Profit (pardon the obvious)

Nature of Attackers: Modern Day
• Roles
  • Reconnaissance
    • People, process, technology
  • Developers
    • Coders, hackers, social engineers
  • Execution
    • Pull the trigger
    • The guys who get arrested
    • Mules
  • Market makers
    • The business leaders
    • Control the pricing and usage of the results of the exploit
    • The ones who turn individual crimes into industries
  • Bankers
    • Money laundering
    • Currency/product exchanges (escrow)

Nature of Attackers: Modern Day
• Hackers get famous, the business leaders get rich
• Most of the actual field work comes from areas of soft legal standards
• Developers are hard to punish as they often don't directly commit a crime, or at least not a crime recognized in their jurisdiction
  • They get paid for products
    • Hacking kits/frameworks
    • Custom builds
  • In competition with each other for the best products and reputation
    • Limbo 2: guaranteed non-detection, with warranty
• Bankers have multiple layers of legal protection
  • Stay hands off; field work is done by others
  • Nothing different from old-school mob money laundering
• Criminals plan crimes to cross as many borders and jurisdictions as possible
• Sleepers
• Cell structure
  • Players often don't even know each other

Nature of Attackers: The Dreaded APT
• Advanced:
  • The adversary can bring the entire spectrum of computer intrusion to bear against an objective. This can range from trivial exploits that have been known for a decade to never-before-seen zero-day attacks, social engineering, and unique malware.
• Persistent:
  • Attackers are endeavoring to accomplish a clearly defined mission. They are highly motivated and will not cease their activities if their initial attempts fail, or even if their previously successful pathways into an environment are closed, forcing them to develop new methods. The title "persistent" applies both to the nature of the particular adversaries, who continue attacks over a long period of time, and to the nature of the technical methods they use in order to maintain continuous access to compromised networks.
• Threat:
  • This threat has motivated, thinking, goal-oriented humans on the other end. It is not mindless, bulk code grinding away on the Internet hitting all possible targets of opportunity. These individuals are organized, funded, and work directly or indirectly for major interests such as governments, organized crime, and (rumored) competitive business interests.
• APT is about motivation and mindset, not any particular technology

Nature of Attackers: Tactics

Nature of Attackers: The Wild Card
• Hacktivism
  • Motivation out of line with all other threats
  • Normal risk management often consists of the old joke about "not needing to outrun the bear"
  • That concept does not apply, as these attackers are often driven by any variety of emotional and political drivers
  • Hacktivism breaches often differ from normal breaches because the attackers attempt to make them as public as possible

A Peek at the Markets: About that Profit…
• Food for thought:
  • [Diagram: the legacy universe of attackers, split into "Attackers with the Skill" and "Attackers with the Motivation"; the "Attackers of Concern" sit where the two meet]
• Underground markets bring the two sides together
  • Motivated attackers place bounties for the skilled attackers to chase
  • Skilled attackers breach environments and sell access to motivated attackers

A Peek at the Markets
• Unique items go for a premium
  • Intellectual property
  • High-profile accounts or identities
  • Access to specialty equipment
• Anyone surprised by the low value of individual personal data?
  • Economic slumps and credit crunches are not good for CC data

A Peek at the Markets
• Possibly the last true free market on earth…
• Commercialization
  • Decreased time to market for exploits
  • Versioning and standard/gold/platinum editions
• Commoditization
  • What was rare is now commonplace
• Competition
  • What was unique now has competitors
  • Combined with the prior point, this is reflected in pricing:
    • Zeus in 2008 = $10,000; Zeus in 2012 = $400
• Specialization
  • Since the foundational elements (malware source code) are so widely available, developers can focus on specific offerings such as antivirus bypass, industry-specific, and geography-specific builds
• Fraud as a Service
  • Niche service companies: native-language translation, bulletproof hosts

Methods of Response and Control
• Risk management applies to security, not just finance
• Necessary to create APPROPRIATE controls
  • Horses and fences…
• It is not meant to bring risk to zero
• It is only meant to create a rational, non-emotional approach to managing risk
• Notice the loop…
  • [Diagram: risk management loop. Labels: External Drivers (Industry, Regulatory, Threats); Internal Drivers (Business Processes, Policies and Procedures, Metrics, Resources); Risk Management; Oversight; Analyze and Design; Implement; Deploy and Educate]

Methods of Response and Control: An Ounce of Prevention…
• We all know the quote…
• Basic stuff first
  • Don't try to build the roof until you've laid the foundation
  • Patching
  • Access control and segregation of duties
  • Architecture and defense in depth
  • Inventory and asset control
• Participation in the security community
  • Conferences, newsletters, whitepapers, RSS feeds, blogs, etc.
• Planning
  • IR/DR/COOP
  • Backup strategies
  • Legal and public relations

Methods of Response and Control
• Understand that modern threats are built to bypass preventative controls, but many organizations place almost 100% reliance on these mechanisms for their security
• You must have robust detective and corrective controls
  • [Diagram: layers of controls around Critical Data and Systems, ordered by Threat Complexity. Preventive: Vulnerability Management, Patch Management, Access and Authentication, IPS, Configuration Management, AV Blocking. Detective: SIEM & MSSP, IDS, DB Activity Monitoring, Compliance Monitoring, Operational Monitoring, AV Host & Network Alerts. Corrective: Incident Response, Forensics, AV Quarantine, Isolation, DR/BC, Admin/Legal Actions]

Methods of Response and Control
• Heavy focus on security monitoring
• Log more. Bring it together. Use it. Period.
• Treat technical limitations as vulnerabilities. If the response is "the app isn't robust enough for us to turn on logging," that should be sending up flares that the app isn't robust enough for normal use.
• "87% of victims had evidence of the breach in their log files, yet missed it." (Verizon 2010 Data Breach Investigations Report)

Methods of Response and Control
• What is going to cause us problems?
  • Impact of monitoring on critical technologies
    • Exercise for the day: go ask your DBAs to turn on all native logging in the DB
  • The volume of raw events
    • Storage, transmission, review
  • Reliance on off-the-shelf tech without modification
    • Generic, non-tailored signatures
  • "Tuning"
    • "Boy, that's a chatty rule… off you go."
  • Validating that monitoring solutions stay in place
    • Troubleshooting step #2: disable logging
  • Do you know what you have, where it is, what it does, who does it, and what it is all worth?
• The Mike Tyson effect…

Methods of Response and Control
• Plan for failure. Make your goal to fail gracefully and minimize damage.
• Comprehensive IR plans
  • Formal and preplanned
  • Assigned roles: Tech, PR, Legal, Overall Lead
  • Develop scenarios
    • What if we want to prosecute?
    • What if we think sensitive data has been exposed? Customer data?
    • What if it can't be contained?
    • What if we can't trust our own systems?
    • What if it got into our financial/accounting/reporting/payment systems?
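"Log more. Bring it together. Use it." is easy to say; the script below is an added example (not from the original deck or from McGladrey) of what using the logs looks like for the noisy-attacker anecdote earlier in the deck, where an intruder almost DoSed a network by ping-sweeping from dozens of compromised hosts. It reads firewall-style log lines, tracks how many distinct destinations each source touches inside a sliding time window, and alerts on sweeps. It also answers the "that's a chatty rule… off you go" problem the right way: the authorised vulnerability scanner is exempted explicitly instead of the rule being disabled. The log line format, the host addresses, the window, the threshold and the KNOWN_SCANNERS set are all constructed assumptions for this example; real firewalls log differently.

```python
"""Detect ping/port sweeps from firewall-style logs with a per-source
sliding window of distinct destinations.

Added example, not from the original deck. Log format, addresses,
thresholds and the scanner exemption are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog-like format: "<ISO time> fw ALLOW ICMP <src> -> <dst>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) fw (?P<action>ALLOW|DENY) "
    r"(?P<proto>\w+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+)$"
)

WINDOW_SECONDS = 60       # sliding window per source host
DISTINCT_DST_LIMIT = 20   # distinct destinations in the window before alerting
# Tuning done properly: the authorised vulnerability scanner sweeps for a
# living, so exempt it by name rather than switching the rule off.
KNOWN_SCANNERS = {"10.0.0.5"}


def parse_line(line):
    """Return (timestamp, src, dst, proto), or None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
    return ts, m["src"], m["dst"], m["proto"]


def detect_sweeps(lines, window=WINDOW_SECONDS, limit=DISTINCT_DST_LIMIT):
    """Yield one alert per source the first time it reaches `limit` distinct
    destinations within `window` seconds. Lines are expected in time order."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst), oldest first
    alerted = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # unparsable line; in production count these as a visibility gap
        ts, src, dst, proto = parsed
        if src in KNOWN_SCANNERS or src in alerted:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and (ts - q[0][0]).total_seconds() > window:
            q.popleft()           # expire events that fell out of the window
        distinct = {d for _, d in q}
        if len(distinct) >= limit:
            alerted.add(src)
            yield {"src": src, "distinct_dst": len(distinct),
                   "first": q[0][0].isoformat(), "last": ts.isoformat()}


def sample_log():
    """Constructed log: a compromised host (10.0.1.23) ICMP-sweeping a /24,
    the authorised scanner doing the same, and a host with normal traffic."""
    lines = []
    for i in range(1, 40):
        t = f"2012-11-14T10:00:{i:02d}"
        lines.append(f"{t} fw ALLOW ICMP 10.0.1.23 -> 10.0.2.{i}")
        lines.append(f"{t} fw ALLOW ICMP 10.0.0.5 -> 10.0.2.{i}")
        lines.append(f"{t} fw ALLOW TCP 10.0.1.40 -> 10.0.9.{(i % 3) + 1}")
    return lines


if __name__ == "__main__":
    for alert in detect_sweeps(sample_log()):
        print(alert)
```

The point of the exemption set is the tuning lesson from the slide above: the rule stays on, the one legitimate noisy source is named, and anything else that behaves like the scanner still raises an alert. The same structure (per-source window, distinct-value count, named exemptions) carries over to failed logons per account or DNS lookups per host.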
  • Good example: a Fortune Top 100 bank. IR plans undergo "table top" exercises twice a year, and the plans include pre-built PR announcements, media scripts, letters to regulators, etc.
  • Bad example: Sony. The PlayStation breach was a PR disaster followed by an insurance nightmare.

Methods of Response and Control: Insurance
• Policies can cover hazards which can cause security/privacy losses:
  • Virus/malicious code
  • Denial of service attacks
  • Hacker attacks/unauthorized access
  • Malicious hardware
  • Physical theft of device/media
  • Accidental release and rogue employees
  • Social engineering
• In a recent PwC security survey (which included more than 12,840 CEOs, CFOs, CIOs, CSOs, vice presidents and directors of IT and information security from 135 countries), almost half (46%) responded that they have an insurance policy that protects them from theft or misuse of assets such as electronic data or customer records. 17% of the respondents had made a claim against the policy and 13% had collected on it.

Summary
• Don't panic
• Plan to fail, but plan to fail gracefully
  • Ability to know when a control has failed
  • Ability to recover quickly and with minimal damage
• We've pointed out methods to bypass individual types of controls on a case-by-case basis
  • Consolidated, robust controls in a defense-in-depth manner are effective
• Do not become a "hacker snack"
  • Hard and crunchy on the outside, soft and gooey in the middle
• Every hoop you force the attacker to jump through is a chance for you to detect them… if you are watching
• You don't need to outrun the bear…

Questions?
Daimon.Geopfert@McGladrey.com