Evolution of Malware and the Next Generation Endpoint Protection against Targeted Attacks

Post on 22-Jun-2020

Page 1: ISACA - Evolution of Malware and the Next Generation ... · • Malware professionalization • Use of marketing techniques in spam campaigns • Country/Time based malware variant

Evolution of Malware and the Next Generation Endpoint Protection against Targeted Attacks

Page 2

02/07/2015 Malware Evolution 2

Index

1. Malware volume evolution
2. Malware Eras
3. Panda Adaptive Defense
   1. What is it
   2. Features & Benefits
   3. How does it work
   4. Success Story

Page 3

Malware samples evolution

Page 4

Malware volume evolution

Page 5

Malware Eras

Page 6

1st Era

• Very few samples and malware families
• Viruses created for fun; some very harmful, others harmless, but with no ultimate goal
• Slow propagation (months, years) through floppy disks. Some viruses are named after the city where they were created or discovered
• All samples are analysed by technicians
• Sample static analysis and disassembling (reversing)

Page 7

W32.Kriz, Jerusalem

Page 8

2nd Era

• Volume of samples starts growing
• The Internet slowly grows popular; macro viruses appear, mail worms, etc.
• In general terms, low-complexity viruses using social engineering via email, with limited distribution; they are not massively distributed
• Heuristic techniques
• Increased update frequency

Page 9

Melissa, Happy99

Page 10

3rd Era

• Massive worm outbreaks overload the Internet
  • Via mail: I Love You
  • Via exploits: Blaster, Sasser, SQL Slammer
• Proactive technologies
  • Dynamic: Proteus
  • Static: KRE & Heuristics Machine Learning
• Malware process identification by analysing the events of the process:
  • Access to the mail contact list
  • Internet connection through a non-standard port
  • Multiple connections through port 25
  • Autorun key addition
  • Web browser hooks
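A worked illustration of the event-based process identification listed above, added here as an example (it is not code from the presentation or from Panda): constructed endpoint telemetry is grouped per process, each of the five indicators on the slide is matched against the process's events, and a weighted score decides whether the process is clean, suspicious or to be blocked. The event tuple layout, the path and registry patterns, the port list, the weights and the threshold are all assumptions.

```python
"""Event-based malware process identification (added example, not Panda's code).

Indicators taken from the slide:
  - access to the mail contact list
  - Internet connection through a non-standard port
  - multiple connections through port 25
  - autorun key addition
  - web browser hook
Event format, matching patterns, weights and threshold are assumptions.
"""
from collections import defaultdict

# Constructed sample of endpoint telemetry: (pid, event_type, detail)
EVENTS = [
    (100, "file_read", r"C:\Users\ana\AppData\Local\Microsoft\Outlook\contacts.pab"),
    (100, "net_connect", "198.51.100.7:25"),
    (100, "net_connect", "198.51.100.8:25"),
    (100, "net_connect", "198.51.100.9:25"),
    (100, "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    (200, "net_connect", "203.0.113.5:443"),
    (200, "file_read", r"C:\Users\ana\Documents\report.docx"),
    (300, "net_connect", "203.0.113.9:4444"),
    (300, "api_hook", "iexplore.exe!HttpSendRequestW"),
]

# Assumed lists of "normal" ports, contact-store hints, autorun keys and browsers
STANDARD_PORTS = {80, 443, 53, 25, 587, 993, 995, 143, 110, 22, 21, 3389}
CONTACT_HINTS = ("contacts.pab", "\\outlook\\", "\\address book\\", ".wab")
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
BROWSERS = ("iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe")

WEIGHTS = {  # constructed weights per indicator
    "contact_list_access": 3,
    "nonstandard_port": 2,
    "multiple_smtp": 4,
    "autorun_key": 3,
    "browser_hook": 4,
}
BLOCK_THRESHOLD = 5  # constructed: score at or above this blocks the process


def port_of(endpoint):
    """'198.51.100.7:25' -> 25."""
    return int(endpoint.rsplit(":", 1)[1])


def indicators_for(events):
    """Return the set of indicator names triggered by one process's events."""
    found = set()
    smtp_connections = 0
    for _pid, kind, detail in events:
        d = detail.lower()
        if kind == "file_read" and any(h in d for h in CONTACT_HINTS):
            found.add("contact_list_access")
        elif kind == "net_connect":
            port = port_of(detail)
            if port == 25:
                smtp_connections += 1
            elif port not in STANDARD_PORTS:
                found.add("nonstandard_port")
        elif kind == "reg_set" and any(k in d for k in RUN_KEYS):
            found.add("autorun_key")
        elif kind == "api_hook" and d.split("!")[0] in BROWSERS:
            found.add("browser_hook")
    if smtp_connections >= 3:  # one SMTP session is normal; a burst is not
        found.add("multiple_smtp")
    return found


def score(indicators):
    return sum(WEIGHTS[i] for i in indicators)


def analyse(events):
    """Group events per pid; return {pid: (score, sorted indicators, verdict)}."""
    per_pid = defaultdict(list)
    for ev in events:
        per_pid[ev[0]].append(ev)
    result = {}
    for pid, evs in per_pid.items():
        ind = indicators_for(evs)
        s = score(ind)
        verdict = "block" if s >= BLOCK_THRESHOLD else ("suspicious" if s > 0 else "clean")
        result[pid] = (s, sorted(ind), verdict)
    return result


if __name__ == "__main__":
    for pid, (s, ind, verdict) in sorted(analyse(EVENTS).items()):
        print(f"pid {pid}: score={s} verdict={verdict} indicators={ind}")
```

Running the block prints one line per process: pid 100 (contact list read, three SMTP connections, autorun key) and pid 300 (non-standard port plus a browser hook) reach the block threshold, while pid 200 only made an HTTPS connection and read a document and stays clean. The single-SMTP-session allowance is what keeps an ordinary mail client from scoring on the port-25 rule.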


Page 11

I Love You, Blaster

Page 12

Sasser

Page 13

Static proactive technologies

Response times reduced to zero by detecting unknown malware.

Machine Learning algorithms are applied to classic classification problems. Ours is ALSO a "class" problem: malware vs goodware.
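To show what "malware vs goodware as a class problem" looks like in code, the following added example (not code from the presentation or from Panda) trains a Bernoulli naive Bayes classifier on a constructed set of static file features and only returns a verdict when the posterior passes a certainty threshold; a file that falls between the two thresholds stays "unknown" and is left for an analyst rather than being reported as a suspicious detection. The feature names, the training set and the 0.99 threshold are assumptions.

```python
"""Static malware-vs-goodware classification with a certainty threshold.

Added example, not Panda's code. A Bernoulli naive Bayes model is trained on
constructed binary static features; classify() emits "malware" or "goodware"
only when the posterior reaches CERTAINTY, otherwise "unknown".
"""

# Assumed static features extracted from a file (binary: present or not)
FEATURES = ("high_entropy", "imports_CreateRemoteThread", "signed",
            "imports_InternetOpen", "wx_section")
CERTAINTY = 0.99  # constructed threshold for emitting a verdict

# Constructed training set: (label, set of features observed in the file)
TRAINING = [
    ("malware", {"high_entropy", "imports_CreateRemoteThread", "imports_InternetOpen", "wx_section"}),
    ("malware", {"high_entropy", "imports_CreateRemoteThread", "wx_section"}),
    ("malware", {"high_entropy", "imports_InternetOpen", "wx_section"}),
    ("malware", {"imports_CreateRemoteThread", "imports_InternetOpen"}),
    ("malware", {"high_entropy", "imports_CreateRemoteThread", "imports_InternetOpen", "wx_section"}),
    ("malware", {"high_entropy", "wx_section", "imports_InternetOpen"}),
    ("goodware", {"signed", "imports_InternetOpen"}),
    ("goodware", {"signed"}),
    ("goodware", {"signed", "imports_InternetOpen"}),
    ("goodware", {"signed", "high_entropy"}),  # a packed, signed installer
    ("goodware", {"signed", "imports_InternetOpen"}),
    ("goodware", {"imports_InternetOpen"}),
]


class BernoulliNB:
    """Naive Bayes over binary features with Laplace (add-alpha) smoothing."""

    def __init__(self, samples, alpha=1.0):
        self.classes = sorted({label for label, _ in samples})
        self.prior = {}
        self.cond = {}  # cond[c][f] = P(feature f present | class c)
        for c in self.classes:
            rows = [feats for label, feats in samples if label == c]
            self.prior[c] = len(rows) / len(samples)
            self.cond[c] = {
                f: (sum(f in feats for feats in rows) + alpha) / (len(rows) + 2 * alpha)
                for f in FEATURES
            }

    def posterior(self, feats):
        """Return {class: posterior probability} for one file's feature set."""
        joint = {}
        for c in self.classes:
            p = self.prior[c]
            for f in FEATURES:
                pf = self.cond[c][f]
                p *= pf if f in feats else (1.0 - pf)  # absent features count too
            joint[c] = p
        total = sum(joint.values())
        return {c: p / total for c, p in joint.items()}


def classify(model, feats, certainty=CERTAINTY):
    """Return (P(malware), verdict) where verdict is malware/goodware/unknown."""
    p_mal = model.posterior(feats)["malware"]
    if p_mal >= certainty:
        return p_mal, "malware"
    if 1.0 - p_mal >= certainty:
        return p_mal, "goodware"
    return p_mal, "unknown"  # left for a human analyst, not reported as suspicious


MODEL = BernoulliNB(TRAINING)

if __name__ == "__main__":
    for feats in ({"high_entropy", "imports_CreateRemoteThread", "wx_section"},
                  {"signed", "imports_InternetOpen"},
                  {"high_entropy", "imports_InternetOpen"}):
        p, verdict = classify(MODEL, feats)
        print(f"{sorted(feats)}: P(malware)={p:.4f} -> {verdict}")
```

The third sample (packed, unsigned, with network imports but nothing else) is the interesting one: the model leans towards malware at about 0.61 but does not reach the threshold either way, so it is returned as unknown instead of a low-confidence verdict. In production the thresholds would be tuned against measured classification certainty, and the unknown queue is exactly where manual analysis effort is spent.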


Page 14

4th Era

• Hackers switched their profile: the main motivation of malware is now economic benefit, using banking trojans and phishing attacks.
• Generalization of droppers/downloaders/EK (exploit kits)
• The move to Collective Intelligence
• Massive file classification
• Knowledge is delivered from the cloud

Page 15

Banbra, Tinba

Page 16

The leap to Collective Intelligence

Knowledge delivery from the cloud as an alternative to the signature file.

Scalability of the malware signature delivery services to customers through complete automation of all backend processes (processing, classification and detection).

Page 17

Big Data arrival

Current working set of 12 TB
400K million records
600 GB of samples per day
400 million samples stored

Innovation: to make viable the data processing derived from the Collective Intelligence strategy by applying Big Data technologies.

Page 18

5th Era

• First massive cyber-attack against a country: Estonia, from Russia.
• Anonymous starts a campaign against several organizations (RIAA, MPAA, SGAE, and others)
• Malware professionalization
• Use of marketing techniques in spam campaigns
• Country/time-based malware variant distribution
• Ransomware
• APTs
• Detection by context
  • Apart from analysing what a process does, the context of execution is also taken into account…

Page 19

Reveton Ransomware

Page 20

Page 21

APTs…

Page 22

- November / December 2013
- 40 million credit/debit cards stolen
- Attack made through the A/C maintenance company
- POS

- Unknown author
- Information deletion
- TB of information stolen

Sony Pictures computer system down after reported hack
Hackers threaten to release 'secrets' onto web

Page 23

Carbanak

- Year 2013/2014
- 100 affected entities
- Countries affected: Russia, Ukraine, USA, Germany, China
- ATMs: 7.300.000 US$
- Transfer: 10.000.000 US$
- Total estimated: 1.000.000.000 US$

Page 24

02/07/2015 Adaptive Defense 24

What is Panda Adaptive Defense?

The Next Generation Endpoint Protection

Page 25

Panda Adaptive Defense is a new security model which can guarantee complete protection for devices and servers by classifying 100% of the processes running on every computer throughout the organization and monitoring and controlling their behavior.

More than 1.2 billion applications already classified.

The new version of Adaptive Defense (1.5) also includes an AV engine, adding disinfection capability. Adaptive Defense could even replace the company antivirus.

• RESPONSE… and forensic information to analyze each attempted attack in detail
• VISIBILITY… and traceability of each action taken by the applications running on a system
• PREVENTION… and blockage of applications and isolation of systems to prevent future attacks
• DETECTION… and blockage of zero-day and targeted attacks in real time without the need for signature files

Page 26

Features and benefits

Page 27

• Daily and on-demand reports
• Simple, centralized administration from a Web console
• Better service, simpler management
• Detailed and configurable monitoring of running applications
• Protection of vulnerable systems
• Protection of intellectual assets against targeted attacks
• Forensic report
• Identification and blocking of unauthorized programs
• Light, easy-to-deploy solution

Benefit groups on the slide: Protection, Productivity, Management

Page 28

Key Differentiators

- Categorizes all running processes on the endpoint, minimizing the risk of unknown malware: continuous monitoring and attestation of all processes fills the detection gap of AV products.
- Automated investigation of events significantly reduces manual intervention by the security team: machine learning and collective intelligence in the cloud definitively identify goodware and block malware.
- Integrated remediation of identified malware: instant access to real-time and historical data provides full visibility into the timeline of malicious endpoint activity.
- Minimal endpoint performance impact (<3%)

Page 29

Adaptive Defense vs Traditional Antivirus

New malware detection capability*                 Traditional Antivirus (25)   Standard Model        Extended Model
New malware blocked during the first 24 hours     82%                          98,8%                 100%
New malware blocked during the first 7 days       93%                          100%                  100%
New malware blocked during the first 3 months     98%                          100%                  100%
Suspicious detections                             YES                          NO (no uncertainty)

% detections by Adaptive Defense detected by no other antivirus: 3,30%

File classification                               Universal Agent**            Adaptive Defense
Files classified automatically                    60,25%                       99,56%
Classification certainty level                    99,928%                      99,9991% (< 1 error / 100.000 files)

* Viruses, Trojans, spyware and ransomware received in our Collective Intelligence platform. Hacking tools, PUPs and cookies were not included in this study.
** Universal Agent technology is included as endpoint protection in all Panda Security solutions

Page 30

Adaptive Defense vs Other Approaches

Drawbacks of each approach as listed on the slide (columns: AV vendors, WL vendors*, New ATD vendors**):

- Detection gap
- Do not classify all applications
- Management of WLs required
- Not all infection vectors covered (e.g. USB drives)
- Not transparent to end-users and admins (false positives, quarantine administration, …)
- Complex deployments required
- Monitoring sandboxes is not as effective as monitoring real environments
- Expensive work overhead involved
- ATD vendors do not prevent/block attacks

* WL = Whitelisting: Bit9, Lumension, etc.
** ATD = Advanced Threat Defense: FireEye, Palo Alto, Sourcefire, etc.

Page 31

How does Adaptive Defense work?

Page 32

A brand-new three-phase cloud-based security model

1st Phase: Comprehensive monitoring of all the actions triggered by programs on endpoints

2nd Phase: Analysis and correlation of all actions monitored on customers' systems thanks to Data Mining and Big Data Analytics techniques

3rd Phase: Endpoint hardening & enforcement: blocking of all suspicious or dangerous processes, with notifications to alert network administrators

Page 33

Panda Adaptive Defense Architecture

Page 34

Success Story

Page 35

Adaptive Defense in figures

+1,2 billion applications already categorized
+100 deployments; malware detected in 100% of scenarios
+100,000 endpoints and servers protected
+200,000 security breaches mitigated in the past year
+230,000 hours of IT resources saved, an estimated cost reduction of 14,2M€

Let's see an example…

Page 36

Scenario description

Concept                           Value
PoC length                        60 days
Machines currently monitored      +/- 690
Machines with malware             73
Machines with malware executed    15
Machines with PUP found           91
Executed PUP files                13
Executed files classified         27.942

Concept                           Value
Malware blocked                   160
PUP blocked                       623
TOTAL threats mitigated           783

Page 37

Software vendor distribution over 100% of executable files

Page 38

Skillbrains, Igor Pavlov

Page 39

Sandboxie Holdings LLC, Eolsoft

Page 40

Opera Software, Dropbox Inc.

Page 41

Vulnerable applications

Vulnerable applications activity:
- …
- (22 vulnerable applications in ALL seats = 2074)

Vulnerable applications inventory:
- Excel v14.0.7 - v15.0 (279)
- Firefox v34.0 - v36 (178)
- Java v6 – v7 (80)
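The inventory above is the output of matching installed versions against known-vulnerable version ranges. The following added example (not code from the presentation or from Panda) does that matching over a constructed endpoint inventory, using the three ranges from the slide: a version is vulnerable when it is at or above the lower bound and its leading components do not exceed the upper bound, so "v34.0 - v36" also covers 36.0.4. The inclusive-bound rule, the seat identifiers and the installed versions are assumptions.

```python
"""Vulnerable application inventory check (added example, not Panda's code).

Matches installed application versions against vulnerable version ranges and
reports the affected seats per application and in total. The ranges come from
the slide; the inventory and the inclusive-bound rule are constructed.
"""
import re

# Vulnerable ranges from the slide (lower bound, upper bound), both inclusive
VULNERABLE_RANGES = {
    "Excel": ("v14.0.7", "v15.0"),
    "Firefox": ("v34.0", "v36"),
    "Java": ("v6", "v7"),
}

# Constructed endpoint inventory: (seat_id, application, installed version)
INVENTORY = [
    ("seat-001", "Excel", "14.0.7"),
    ("seat-001", "Java", "8.0.31"),     # above the Java range
    ("seat-002", "Excel", "16.0.4"),    # above the Excel range
    ("seat-002", "Firefox", "35.0.1"),
    ("seat-003", "Firefox", "37.0"),    # above the Firefox range
    ("seat-003", "Java", "7.0.75"),
    ("seat-004", "Excel", "15.0"),
    ("seat-004", "Firefox", "36.0.4"),  # patch level of the upper bound
    ("seat-005", "Java", "6.0.45"),
    ("seat-006", "Excel", "14.0.3"),    # below the Excel range
    ("seat-006", "Chrome", "41.0.2272"),  # not tracked on the slide
]


def parse_version(s):
    """'v14.0.7' -> (14, 0, 7); any non-numeric text is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", s))


def is_vulnerable(app, version):
    """True when the installed version lies inside the app's vulnerable range."""
    if app not in VULNERABLE_RANGES:
        return False
    low, high = (parse_version(b) for b in VULNERABLE_RANGES[app])
    v = parse_version(version)
    # The lower bound is exact; the upper bound covers every patch level of
    # that release (assumption), so only compare as many components as it has.
    return low <= v and v[:len(high)] <= high


def affected_seats(inventory):
    """Return {app: sorted seat ids running a vulnerable version of app}."""
    seats = {}
    for seat, app, version in inventory:
        if is_vulnerable(app, version):
            seats.setdefault(app, set()).add(seat)
    return {app: sorted(s) for app, s in seats.items()}


def summary(inventory):
    """Return {app: affected seat count} plus 'ALL' = distinct affected seats."""
    seats = affected_seats(inventory)
    counts = {app: len(s) for app, s in seats.items()}
    counts["ALL"] = len({seat for s in seats.values() for seat in s})
    return counts


if __name__ == "__main__":
    for app, seats in sorted(affected_seats(INVENTORY).items()):
        print(f"{app}: {len(seats)} seats {seats}")
    print("summary:", summary(INVENTORY))
```

The "ALL" figure counts distinct seats, so a machine running both a vulnerable Excel and a vulnerable Firefox is counted once there but once under each application; that is the distinction between the per-application counts and the "in ALL seats" total on the slide.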

Page 42

Top Malware

Page 43

Top Malware

Page 44

PUP (Spigot)

Page 45

Potentially confidential information extraction

Page 46

Page 47

Thank you