To Catch a Thief: Detect & Defend Your Network From Targeted Attacks

Dhanya Thakkar, Managing Director, Asia Pacific, Trend Micro

#CLOUDSEC
Post on 28-Jun-2020


TRANSCRIPT

Page 1: To Catch a Thief: Detect & Defend Your Network From ... · · W32Dasm 8.93 - Patched *NEW* · PEiD 0.93 + Plugins *NEW*Remote · RDG Packer Detector v0.5.6 Beta - English *NEW* Rebuilding

To Catch a Thief: Detect & Defend Your Network From Targeted Attacks

Dhanya Thakkar Managing Director, Asia Pacific Trend Micro

#CLOUDSEC

Page 2

Look Closer

Page 4

What's the value of one Tweet?

• Stock: 150 points
• Equity: 136 billion wiped
• Short selling

Page 5

Confidential | Copyright 2015 Trend Micro Inc.

Page 6

Intelligence Gathering

What
• Org structure
• Infrastructure
• People
• Geography
• Security enforcing functions
• Networks
• Software/hardware

How
• Initial public intelligence
• Social engineering
• Physical security analysis
• Network analysis
• Information system tests

Page 7

Point of Entry

Page 8

Point of Entry

Watering Hole

Island Hopping

Page 9

Data breach of 110M records
• 80 civil lawsuits
• In March, CIO resigns
• In May, veteran CEO resigns
• 7 board members now at risk
• $4.2B lost market value
• 2013 profits fell 34%
• Total cost to be $1B

Page 10

Exploitation: Weapons Grade Arsenal
• Advanced malware
• Utilization of 0-days
• Not detected by signature-based anti-virus
• Able to withstand normal disinfection methods

Page 11

Ultra Hackers Tools for sale

Price is 0.0797 BTC (bitcoin) = $25

Virus Builders

1. Nathan's Image Worm

2. Dr. VBS Virus Maker

3. p0ke's WormGen v2.0

4. Vbswg 2 Beta

5. Virus-O-Matic Virus Maker

Scanners

1. DD7 Port Scanner

2. SuperScan 4.0

3. Trojan Hunter v1.5

4. ProPort v2.2

5. Bitching Threads v3.1

DoSers, DDoSers, Flooders and Nukers

1. rDoS

2. zDoS

3. Site Hog v1

4. Panther Mode 2

5. Final Fortune 2.4

Fake Programs

1. PayPal Money Hack

2. Windows 7 Serial Generator

3. COD MW2 Keygen

4. COD MW2 Key Generator

5. DDoSeR 3.6

Cracking Tools

1.VNC Crack

2.Access Driver

3.Attack Toolkit v4.1 & source code included

4.Ares

5.Brutus

Analysis :

· OllyDbg 1.10 & Plugins - Modified by SLV *NEW*

· W32Dasm 8.93 - Patched *NEW*

· PEiD 0.93 + Plugins *NEW*

· RDG Packer Detector v0.5.6 Beta - English *NEW*

Rebuilding :

· ImpRec 1.6 - Fixed by MaRKuS_TH-DJM/SnD *NEW*

· Revirgin 1.5 - Fixed *NEW*

· LordPE De Luxe B *NEW*

LIST OF SOFTWARE INCLUDED IN THIS PACKAGE:

Host Booters

1. MeTuS Delphi 2.8

2. XR Host Booter 2.1

3. Metus 2.0 GB Edition

4. BioZombie v1.5

5. Host Booter and Spammer

Stealers

1. Dark Screen Stealer V2

2. Dark IP Stealer

3. Lab Stealer

4. 1337 Steam Stealer

5. Multi Password Stealer v1.6

Remote Administration Tools/Trojans

1. Cerberus 1.03.4 BETA

2. Turkojan 4 GOLD

3. Beast 2.07

4. Shark v3.0.0

5. Archelaus Beta

Binders:

1. Albertino Binder

2. BlackHole Binder

3. F.B.I. Binder

4. Predator 1.6

5. PureBiND3R by d3will

HEX Editor :

· Biew v5.6.2

· Hiew v7.10 *NEW*

· WinHex v12.5 *NEW*

Decompilers :

· DeDe 3.50.04

· VB Decompiler Lite v0.4 *NEW*

· Flasm

Unpackers :

· ACProtect - ACStripper

· ASPack - ASPackDie

· ASProtect > Stripper 2.07 Final & Stripper 2.11 RC2 *NEW*

· DBPE > UnDBPE

Keygenning : *NEW*

· TMG Ripper Studio 0.02 *NEW*

Packers :

· FSG 2.0

· MEW 11 1.2 SE

· UPX 1.25 & GUI *NEW*

· SLVc0deProtector 0.61 *NEW*

· ARM Protector v0.3 *NEW*

· WinUpack v0.31 Beta *NEW*

Patchers :

· dUP 2 *NEW*

· CodeFusion 3.0

· Universal Patcher Pro v2.0

· Universal Patcher v1.7 *NEW*

· Universal Loader Creator v1.2 *NEW*

Crypters

1. Carb0n Crypter v1.8

2. Fly Crypter v2.2

3. JCrypter

4. Triloko Crypter

5. Halloween Crypter

6. Deh Crypter

7. Hatrex Crypter

8. Octrix Crypter

9. NewHacks Crypter

10. Refruncy Crypter

Page 12

Command & Control Communications

Page 13

Command & Control Communications

Common Traits
• Uses typical protocols (HTTP)
• Uses legitimate sites as C&C
• Uses internal systems as C&C
• Uses 3rd party apps as C&C
• May use compromised internal systems

Advantages
• Maintains persistence
• Avoids detection

C&C lifespan: 54% < 1 day

Page 14

Lateral Movement

Page 15

Data Discovery and Exfiltration

Common Traits
• Built-in file transfer (RATs)
• FTP, HTTP
• Tor network/encryption
• Public file sharing sites
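The C&C traits on the previous slide (plain HTTP to legitimate-looking sites, infrastructure that is often gone within a day) and the exfiltration channels listed here both leave traces in a web proxy log that do not depend on already knowing the destination. The following is an added example, not from the talk and not Trend Micro code: it runs two behavioural checks over constructed proxy log lines, a fixed-period beacon detector and a bulk-upload detector, and ranks hosts that trip both. The log format, thresholds, host names and IP addresses are assumptions made for the example.

```python
"""Behavioural C&C and exfiltration checks over web-proxy logs.

Added example; not from the talk. Each constructed log line is
"<epoch> <src_ip> <dst_host> <method> <status> <request_bytes>"
(request_bytes = bytes sent client-to-server). Thresholds are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample. 10.0.0.5 fetches a tiny resource from a legitimate-
# looking site every 60 s (HTTP beacon), then POSTs 40 MiB to a file-sharing
# site. 10.0.0.7 is ordinary browsing.
SAMPLE_LOG = """\
1441900000 10.0.0.5 cdn.example-blog.net GET 200 412
1441900060 10.0.0.5 cdn.example-blog.net GET 200 415
1441900120 10.0.0.5 cdn.example-blog.net GET 200 410
1441900180 10.0.0.5 cdn.example-blog.net GET 200 413
1441900240 10.0.0.5 cdn.example-blog.net GET 200 411
1441900300 10.0.0.5 cdn.example-blog.net GET 200 414
1441900017 10.0.0.7 www.example.com GET 200 1200
1441900233 10.0.0.7 news.example.org GET 200 980
1441900512 10.0.0.7 www.example.com GET 304 0
1441900900 10.0.0.5 share.example-files.com POST 200 41943040
"""


def parse(log_text):
    """Split raw lines into dicts; skips blank lines."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, status, req_bytes = line.split()
        events.append({"ts": int(ts), "src": src, "dst": dst,
                       "method": method, "status": int(status),
                       "req_bytes": int(req_bytes)})
    return events


def find_beacons(events, min_hits=5, max_jitter=0.1):
    """Flag (src, dst) pairs whose inter-request gaps are near-constant.

    A coefficient of variation (stdev / mean) at or below max_jitter means
    the requests land on a schedule, which human browsing does not.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append({"src": src, "dst": dst,
                            "period_s": round(avg), "hits": len(times)})
    return beacons


def find_bulk_uploads(events, threshold_bytes=10 * 1024 * 1024):
    """Sum client-to-server bytes per (src, dst) on POST/PUT; flag large totals."""
    totals = defaultdict(int)
    for e in events:
        if e["method"] in ("POST", "PUT"):
            totals[(e["src"], e["dst"])] += e["req_bytes"]
    return [{"src": s, "dst": d, "bytes": b}
            for (s, d), b in totals.items() if b >= threshold_bytes]


def triage(log_text):
    """Run both detectors and list hosts that trip both as top priority."""
    events = parse(log_text)
    beacons = find_beacons(events)
    uploads = find_bulk_uploads(events)
    both = {b["src"] for b in beacons} & {u["src"] for u in uploads}
    return {"beacons": beacons, "uploads": uploads,
            "priority_hosts": sorted(both)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Real implants add jitter and sleep-skew to their check-ins, so a production run would widen max_jitter or bucket timestamps first; the point of the example is that neither check needs the destination to be on a blocklist, which matters when more than half of C&C infrastructure lives under a day and a reputation feed is usually behind the behaviour.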

Page 16

Standard Defenses are Insufficient

Standard defenses: next-gen firewall, intrusion detection (IDS), intrusion prevention (IPS), traditional AV, email/web gateways

Advanced reconnaissance, spear-phishing emails, embedded payloads, unknown malware & exploits, dynamic command and control (C&C) servers, BYOD and remote employees create a broad attack surface.

Page 17

Essential Technologies: Threat Intelligence

Page 18

Finding Criminals

Global Sensornet
• 150 million sensors
• 16 billion threat queries daily
• Files, URLs, vulnerabilities, threat actors…

Global Threat Intelligence
• 100TB of data analyzed daily
• 300,000 new threats identified daily
• Big data analytics and threat expertise

Page 19

Need for Speed: block a malicious URL within 15 minutes once it goes online!

Pipeline (diagram, read left to right): user traffic / sourcing (CDN vendor) → rating server for known threats → unknown & prefilter → page download → threat analysis
• 6 billion/day at the rating server for known threats; 50% filtered
• 3 billion/day at unknown & prefilter; 90% filtered
• 300 million/day page downloads into threat analysis
• 50,000 malicious URLs/day; 99.95% filtered

Trend Micro products / technology (technology, process, operation): CDN cache, high-throughput web service, Hadoop cluster, web crawling, machine learning and data mining

Page 20

Essential Technologies: Spear Phishing Attack Protection

Page 21

Page 22

Next Generation Email Defense

Your current email security: anti-spam, web reputation, anti-phishing, anti-malware, quarantine

Advanced Threat Detection
• Blocking of targeted spear phishing emails and document exploits via sandboxing
• Central analysis of detections
• Automated updates of malicious IP/domains
• Signature file updates
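Sandboxing every attachment does not scale, so the gateway needs a triage step that decides which parts of a message are worth detonating. The following is an added example of that step and is illustrative code, not Trend Micro's product logic: it parses a constructed message with Python's standard email module and routes an attachment to the sandbox when its extension, declared content type and leading bytes disagree, or when it is a type that can carry code. The extension lists, magic bytes, addresses and sample message are assumptions chosen for the example.

```python
"""Attachment triage: decide which parts of a message go to the sandbox.

Added example, not Trend Micro's product logic. Extension lists, magic
bytes and the constructed sample message are assumptions for this example.
"""
import email
from email import policy
from email.message import EmailMessage

# File types that can carry code (assumed list) and archives that must be
# unpacked before they can be judged.
RISKY_EXT = {"exe", "scr", "js", "jse", "vbs", "hta", "lnk", "iso",
             "docm", "xlsm", "pptm", "jar"}
ARCHIVE_EXT = {"zip", "rar", "7z"}
DECOY_EXT = {"pdf", "doc", "xls", "jpg", "txt"}     # common double-extension bait
MAGIC = {b"MZ": "pe", b"\xd0\xcf\x11\xe0": "ole",
         b"%PDF": "pdf", b"PK\x03\x04": "zip"}
EXPECTED_KIND = {"application/pdf": "pdf", "application/zip": "zip"}


def sniff(data):
    """Identify content from leading bytes, ignoring the declared type."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_attachment(name, declared_type, data):
    """Return the action for one attachment and the reasons behind it."""
    reasons = []
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = sniff(data or b"")
    if ext in RISKY_EXT:
        reasons.append(f"risky extension .{ext}")
    if len(parts) > 2 and parts[-2] in DECOY_EXT:
        reasons.append("double extension")
    if kind == "pe":
        reasons.append("PE executable content")
    if kind == "ole" and ext in {"doc", "xls", "ppt"}:
        reasons.append("legacy OLE document can carry VBA macros")
    expected = EXPECTED_KIND.get(declared_type)
    if expected and kind != expected:
        reasons.append(f"content-type {declared_type} does not match content ({kind})")
    if ext in ARCHIVE_EXT or kind == "zip":
        reasons.append("archive needs unpacking")
    return {"name": name, "action": "sandbox" if reasons else "deliver",
            "reasons": reasons}


def triage_message(raw_bytes):
    """Parse a raw RFC 5322 message and triage every attachment in order."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return [triage_attachment(part.get_filename() or "",
                              part.get_content_type(),
                              part.get_payload(decode=True))
            for part in msg.iter_attachments()]


def build_sample():
    """Constructed spear-phish: a legacy .doc, a PE renamed invoice.pdf.exe
    and declared as PDF, and a harmless text note."""
    msg = EmailMessage()
    msg["From"] = "ceo@example.com"
    msg["To"] = "cfo@example.com"
    msg["Subject"] = "Q3 numbers"
    msg.set_content("Please review before the board call.")
    msg.add_attachment(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64,
                       maintype="application", subtype="msword",
                       filename="Q3_report.doc")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 64,
                       maintype="application", subtype="pdf",
                       filename="invoice.pdf.exe")
    msg.add_attachment("just notes\n", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for result in triage_message(build_sample()):
        print(result)
```

The declared Content-Type and the filename are both attacker-controlled, which is why the decision leans on the leading bytes; the OLE rule is deliberately blunt because a legacy binary Office file can hold VBA without any extension hint, and a wrong "deliver" costs far more than one extra detonation.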

Page 23

Essential Technologies: Patching and Intrusion Prevention

Page 24

Page 25

Patching and Intrusion Prevention

So, if this is manual monthly security patching, then this is automated virtual patching (image comparison).

Page 26

Essential Technologies: Advanced Threat Detection

Page 27

Advanced Threat Detection

Advanced Script Analyzer Technology
• Required to detect client-side attacks delivered via the web
• Focus on dynamic behavioural analysis

Advanced Threat Scanning Technology
• Required to detect known and unknown malware
• Focus on heuristic scanning and employ a rule-based system

Page 28

Essential Technologies: Breach Detection Solution

Page 29

Page 30

How long before you know?
• 210 days to detection
• 55% found by third party

Page 31

Importance of East-West

(Diagram) Nodes: endpoint, mail server, SMTP relay, web proxy, app server, storage/hypervisor. Attack stages and the traffic direction each produces:
• Infection & payload: North-South
• C&C callback: North-South
• Lateral movement: East-West
• Asset/data discovery: East-West
• Data exfiltration: North-South

Page 32

Custom Sandboxing
• File as well as network behaviour
• Identification of malicious destinations and command-and-control (C&C) servers
• Reduces sandbox evasion: a sample that fingerprints its surroundings before detonating sees an environment that matches the target's own build
• Essential to have custom sandboxes based on the target environment
• Mimics the real-life environment
  • Customer-supplied OS language
  • Customer-supplied applications
  • Corporate IT customizations
  • Patching level to match the environment

Page 33

Essential Technologies: Interconnected Threat Defense

Page 34

Page 35

In Today's Reality, Customers Need a Full Lifecycle of Threat Defense

• PREVENT: assess potential vulnerabilities and proactively protect endpoints, servers and applications
• DETECT: detect advanced malware, behavior and communications invisible to standard defenses
• ANALYZE: analyze risk and nature of attack and attacker, and assess impact of threats retrospectively
• RESPOND: update protection automatically, prioritize areas for remediation and adapt protection
• MONITOR & CONTROL

Page 36

Page 37

What's in Your Organization?

Sample threat types detected (presence):
• Advanced malware: 98%
• Active botnet: 94%
• Disruptive applications: 88%
• Banker malware: 75%
• Malicious documents: 75%
• Zero-day malware: 49%
• Network attacks: 84%
• Android malware: 28%

Source: Real-life proof-of-concept sample results (conducted by Trend Micro technical team in 2014)

Page 38

#CLOUDSEC