
2012 Malnet Report: Breaking the Vicious Cycle


Presentation Transcript


  1. 2012 Malnet Report: Breaking the Vicious Cycle. Grant Asplund, Senior Technology Evangelist

  2. Average business faces 5,000 threats per month

  3. Stage 1: Build the Infrastructure. The number of malnets has tripled over the last six months

  4. 2/3 of all Web-based attacks will be driven by malnets

  5. Stage 1: Build the malnet infrastructure
     Stage 2: Stalk users
     Stage 3: Launch attacks
     Stage 4: Infect systems
     Stage 5: Infected systems become part of the malnet infrastructure and launch new attacks

  6. Malnets are how you get infected and botnets are what you are once you’re infected.

  7. Malnets Scale to Support Attacks
     Shnakule: max. 5,005 hosts, avg. 1,717, min. 50. Drive-by downloads; fake AV, codecs, Flash and Firefox updates; botnet C&C controls; pornography; gambling; work-at-home scams
     Tricki: max. 547 hosts, avg. 106, min. 4. Search engine poisoning & relays
     Rubol: max. 476 hosts, avg. 76, min. 1. Spam ecosystem
     Raskat: max. 163 hosts, avg. 50, min. 5. Search engine poisoning & relays
     Rongdac: max. 105 hosts, avg. 50, min. 1. Spam ecosystem

  8. Internet Watering Holes

  9. Top Malnet Entry Points: Search Engine 35.5%; Email 11.1%; Unrated 10.9%; Pornography 4.2%; Computers/Internet 4.2%

  10. 17 days after Apple issues patch

  11. One Botnet Falls, Others Rise: Zeus 47%; Aleuron 517%

  12. Eliminating the botnet threat is impossible if you haven’t first solved the malnet problem

  13. Geographic Distribution of Shnakule [map: share and change for the Americas, Western Europe, Eastern Europe & Middle East, Central Asia and East/SE Asia, broken down into Porn, SEP / Relay, Command & Control, Scams and Malware Servers]

  14. Mapping Malnets: Attack type doesn’t matter. Content doesn’t matter. Zero-day exploits don’t matter. Payload encryption doesn’t matter.

  15. Negative Day Defense (timeline)
      Infrastructure phase (-30 Days): new subnet, IP address and host name come online; Negative Day Defense identifies and blocks the new components
      0 Day: attack begins; domain, exploit server and dynamic payload changes; Negative Day Defense continues to block the malnet infrastructure
      +1 Days: UTM policy applied; AV engines begin detection
      Active threat phase runs from 0 Day to +30 Days, when the attack ends

  16. Blocking a Zero-Day Java Exploit (2012 timeline)
      Jan (-225 Days) and April (-120 Days): a new C&C site comes online and a new exploit site named ok.aa24.net becomes active; WebPulse rates the IP address as suspicious and begins blocking, then rates it as a malware source and begins blocking
      Aug 26 (0 Day): ok.aa24.net actively distributes a malicious executable that uses the zero-day Java exploit; WebPulse automatically blocks all requests to the site
      Aug 26 (0 Day): infected systems begin communicating with the command and control domain; WebPulse automatically blocks all requests to the domain

  17. Best Practices for Protecting Businesses
      Block malnet infrastructures to limit employee exposure to botnet-producing Trojans
      Block communications from infected end-user systems to command and control servers
      Update Web usage policies and keep network/firewall rules current
      Use a reporting solution that can identify potentially infected end-user systems for quarantine
      Set and enforce policies that require employees to update browsers and applications with the latest patches and security updates
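The defensive ideas on slides 14 through 17 reduce to two mechanisms: block malnet infrastructure by host name, domain or IP range regardless of what payload it serves, and find the end-user systems that tried to reach that infrastructure so they can be quarantined. The Python script below is an added example written for this page; it is not Blue Coat code and does not reproduce WebPulse logic. It parses a constructed proxy log, applies a constructed blocklist (hypothetical domains and a range in documentation address space), and reports the clients that attempted to contact blocked infrastructure.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed malnet infrastructure blocklist (hypothetical names and documentation
# address space, not values from the report). The block decision keys on where the
# request goes, not on what the response carries, so payload changes do not evade it.
BLOCKED_DOMAINS = {"malnet-relay.example", "c2.example"}
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed proxy log: "<timestamp> <client_ip> <dest_host> <dest_ip> <url>", one request per line.
SAMPLE_PROXY_LOG = """\
2012-08-26T09:14:02Z 10.0.0.21 update.vendor.example 198.51.100.7 http://update.vendor.example/patch.msi
2012-08-26T09:15:40Z 10.0.0.21 dl.malnet-relay.example 203.0.113.45 http://dl.malnet-relay.example/load.jar
2012-08-26T09:16:05Z 10.0.0.33 intranet.corp.example 10.0.5.5 http://intranet.corp.example/
2012-08-26T09:17:11Z 10.0.0.21 beacon.c2.example 198.51.100.200 http://beacon.c2.example/gate.php
2012-08-26T09:20:59Z 10.0.0.58 cdn.news.example 203.0.113.9 http://cdn.news.example/img.png
"""


def matching_blocked_domain(host: str, blocked_domains=BLOCKED_DOMAINS) -> Optional[str]:
    """Return the blocked domain covering `host` (the host itself or any parent), else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked_domains:
            return candidate
    return None


def matching_blocked_network(ip_str: str, blocked_networks=BLOCKED_NETWORKS) -> Optional[str]:
    """Return the blocked network containing `ip_str`, else None (unparseable IPs never match)."""
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for net in blocked_networks:
        if addr in net:
            return str(net)
    return None


def classify_request(dest_host: str, dest_ip: str) -> Optional[str]:
    """Infrastructure-based verdict: a block reason ('domain:...' or 'network:...'), or None to allow."""
    domain = matching_blocked_domain(dest_host)
    if domain is not None:
        return f"domain:{domain}"
    network = matching_blocked_network(dest_ip)
    if network is not None:
        return f"network:{network}"
    return None


def parse_proxy_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Split one constructed log line into (client_ip, dest_host, dest_ip, url); None if malformed."""
    fields = line.split(maxsplit=4)
    if len(fields) != 5:
        return None
    _timestamp, client_ip, dest_host, dest_ip, url = fields
    return client_ip, dest_host, dest_ip, url


def find_infected_clients(log_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each client that tried to reach blocked infrastructure to its (dest_host, reason) hits.

    Every client in the result is a quarantine candidate: the connection attempt to a blocked
    domain or network is the observable sign of infection even when the block succeeded.
    """
    hits: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_proxy_line(line)
        if parsed is None:
            continue
        client_ip, dest_host, dest_ip, _url = parsed
        reason = classify_request(dest_host, dest_ip)
        if reason is not None:
            hits[client_ip].append((dest_host, reason))
    return dict(hits)


if __name__ == "__main__":
    for client, attempts in sorted(find_infected_clients(SAMPLE_PROXY_LOG).items()):
        print(f"quarantine candidate {client}: {len(attempts)} blocked attempt(s)")
        for dest_host, reason in attempts:
            print(f"    {dest_host:30s} {reason}")
```

Two design points carry the slides' argument. The domain match walks up the label chain, so any host name under a blocked domain is denied without a per-host signature; the network match catches a host whose name looks harmless but resolves into a blocked range, which is the payload-agnostic case slide 14 describes. The report groups by client rather than by destination because the quarantine decision is about the end-user system, not the server it reached.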

  18. Download at http://www.bluecoat.com/security/reports

  19. Thank You! Grant Asplund 206-612-8652 grant.asplund@bluecoat.com Twitter: @gasplund
