Stop the Spear Phishing Threat
Steve Ward, Vice President, Invincea, Inc.
Confidential and Proprietary

We Must Break the Security Insanity Cycle
• Wash, rinse, repeat security
• Finding out Tuesday that we were pwned on Monday
• Whack-a-mole problem resolution
Lost Decade of Information Security
• Over the last decade the security industry has fundamentally failed its clients – governments, corporations, individuals
• Partial blame to Federal/DoD communities – classifying the interesting exploits and keeping knowledge out of the public domain
• Compliance drove mediocrity – checked boxes vs. robust network security
• Given up on the notion of prevention – fallen in love with crime scene analytics
• List-based techniques that cannot keep pace with the rate of change
• Bottom line, it’s time to turn the tide in information security
• It’s time to get back to innovation, to engineering resilient networks and systems
• The last decade is lost; we can’t afford to lose another…
The Problem is MASSIVE – No One Immune
2011 so far…
• “White House” eCard (spear-phishing)
• OddJob
• HBGary Federal (social engineering)
• Night Dragon (spear-phishing)
• Tatanga
• London Stock Exchange website
• French Finance Ministry
• DuPont, J&J, GE (spear-phishing)
• DroidDream
• Charlieware (phishing)
• Nasdaq
• Office of the Australian Prime Minister (spear-phishing)
• Comodo
• RSA (spear-phishing)
• Epsilon (future spear-phishing)
• LizaMoon
• Barracuda Networks
• Oak Ridge National Labs (spear-phishing)
• Sony
• Lockheed Martin (spear-phishing)
• Northrop Grumman (spear-phishing)
• GMAIL (spear-phishing)
• Citi
• Gannett Military Publications (future spear-phishing)
• PNNL (spear-phishing and other methods)
• BAH
…this next week will bring more – without question
The Stakes are Enormous
“We are on the losing end of the largest transfer of wealth through theft and piracy in the history of the planet.”
Senator Sheldon Whitehouse (D-RI), Chair, US Senate Select Committee on U.S. Cyber Security, 2010

“It appears that every industry is being victimized by intrusions.”
Steven Chabinsky, Deputy Assistant Director, FBI

“To (redacted) it’s personal…they believe their bad guys are the Chinese who want to leapfrog them in the global marketplace.”
Leaked HBGary email disclosed in Bloomberg report “Hackers Strike at Major Companies”
The Unspoken Truth About Cyber Security: “It’s the User…”
• Billions invested annually in digital security tools
• Core of our nation’s security strategy actually rests with the analog user
• Case studies show that no matter the tools in place, the balance of security rests with each employee
• Asking our users to make the correct decision every time is a complete pipe dream
“I am not, nor will I ever be a security expert…and there are thousands of me in your network.”

Invincea Addresses a Root Cause… The User is an Unwitting Accomplice
• Ubiquitous usage of Internet and email has enabled adversaries to shift tactics
• Full frontal assaults still exist, but it is far easier to prey on the psychology of the user
• Spear Phishing – The New Black
• Drive-by Downloads
  • Malicious sites
  • Hijacked trusted sites
• Trust in social networks
  • Facebook and Twitter worms
• Faith in Internet search engines
  • Poisoned SEO
• User Initiated Infections
  • Fake A/V and fear mongering
“I don’t know security…but I know what I like. Click, click, click…”
Stan from Accounting | December 2010
Your first line of defense is also your weakest link…how many thousands of user vulnerabilities are in your network?
Key Statistics Related to Breach
[Chart: Total Incidents Reported to US-CERT, FY 2010]
According to one of the leading IR providers, 95% of the incidents they respond to involve the user

A Quick Look at the Spear-Phishing Workflow
• Attacker prepares the phish
  • Searching company websites, job postings, corporate communications, news sites, blog sites, social networking sites
  • Uses information gathered from previous compromises (i.e. email addresses from the Gannett or Epsilon breaches)
• Hook, line, sinker
  • User becomes the unwitting accomplice
  • Opens email, clicks link or infected attachment
• Box is now popped and it’s on to the network
Existing Defenses are Inadequate
[Diagram: incoming threats (Internet drive-bys, targeted attacks, APTs, Stuxnet, Zeus botnet) against the layers Firewalls, IDS/IPS, Web Gateway, Anti-Virus]
Network Firewalls
• Perimeter fencing
• Only stops “known bad” URL requests
Network Gateways
• Requires signatures of “known bad”
• Choke-point for Web traffic – scale?
• Requires successful breaches to identify new malware
• Misses malware requiring human interaction
Anti-virus
• Requires signatures of “known bad”
• Malware built to avoid AV detection
• Signature updates lag by days/weeks

Independent Studies Reveal the AV Gap
[Charts: Day 1 Anti-Virus “Effectiveness”; Day 30 Anti-Virus “Effectiveness”]
Average anti-virus detection rate: 19% on “Day 1”, 62% on “Day 30”
*Malware Detection Rates for Leading AV Solutions, A Cyveillance Analysis, August 2010
Changing the Game – The Invincea Model
Drive real-time situational awareness by making ALL of your desktop browsers malware detectors and forensics agents
• Addressing the largest attack surface:
  • Spear Phishing
  • Drive-bys
  • Social Network Worms
  • Poisoned SEO
  • User Initiated Infections
• Protect the network from the user and the user from himself…put him in a bubble while on the Internet or interfacing with ANY untrusted content
• Take security decisions out of the user’s hands
• Make the user’s mistakes irrelevant to the security of your network
• Give the user free rein to complete his mission without fear for your overall security footing – zero trust with zero drag

Invincea Browser Protection
• Type II fully virtualized browser environment
• Signature-free malware detection
• Generates real-time forensic threat intelligence
• Easy to use & deploy
UNITED Security Breach Scenario: Detection in Invincea Browser Protection
Surfing to the infected website results in a drive-by infection of the browser. The infection is immediately detected by IBP.

UNITED Security Breach Scenario: What did the attack do to the victim system?
• Attack was delivered as a combination of a Java program and an associated exe (ccIjZzzz.exe)
• IE is exploited to deliver the payload
• IE writes the attack exe (ccIjZzzz.exe)
• IE launches Java
• Java program launches the attack exe (ccIjZzzz.exe), which then establishes a TCP connection to db.digitaloffense.net on port 1028

UNITED Security Breach Scenario: Is it a known attack?
Hash signature of the attack payload (ccIjZzzz.exe) is unknown on VirusTotal
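The scenario above is the deck's argument for behavior-based over signature-based detection in one chain: the payload hash is unknown, but the browser writing an executable that a browser descendant then runs and connects out is visible without any prior knowledge of the malware. The following is an added illustration, not Invincea's code; the telemetry event format, the file path and the hash values are constructed for the example.

```python
# Added example (not Invincea's code): behaviour-based detection of the drive-by
# chain in the scenario, run over constructed endpoint telemetry.
# Event fields, the C:\Temp path and the hashes are assumptions for illustration.

# Constructed telemetry: IE writes ccIjZzzz.exe, launches Java, Java launches the
# exe, and the exe connects out to db.digitaloffense.net on port 1028.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "iexplore.exe"},
    {"type": "file_write", "pid": 100, "path": r"C:\Temp\ccIjZzzz.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "java.exe"},
    {"type": "process", "pid": 300, "ppid": 200, "image": r"C:\Temp\ccIjZzzz.exe"},
    {"type": "net_connect", "pid": 300, "dst": "db.digitaloffense.net", "port": 1028},
]

BROWSERS = {"iexplore.exe", "firefox.exe"}
KNOWN_BAD_HASHES = {"deadbeef" * 8}   # constructed signature list
PAYLOAD_HASH = "0" * 64               # constructed: the payload hash, not in the list


def signature_verdict(sha256: str) -> bool:
    """Signature-style check: only catches what has already been seen."""
    return sha256 in KNOWN_BAD_HASHES


def behaviour_alerts(events):
    """Flag a browser-written executable that is later run by a browser
    descendant and then opens an outbound connection; no hash is needed."""
    parent, image = {}, {}          # pid -> ppid, pid -> image path
    written_by_browser = set()      # lowercase .exe paths written by a browser
    alerts = []

    def descends_from_browser(pid):
        while pid in parent:        # walk the process tree towards the root
            if image.get(pid, "").lower() in BROWSERS:
                return True
            pid = parent[pid]
        return False

    for ev in events:
        if ev["type"] == "process":
            parent[ev["pid"]], image[ev["pid"]] = ev["ppid"], ev["image"]
        elif ev["type"] == "file_write":
            if image.get(ev["pid"], "").lower() in BROWSERS and ev["path"].lower().endswith(".exe"):
                written_by_browser.add(ev["path"].lower())
        elif ev["type"] == "net_connect":
            pid = ev["pid"]
            if image.get(pid, "").lower() in written_by_browser and descends_from_browser(pid):
                alerts.append(f"pid {pid} ({image[pid]}) -> {ev['dst']}:{ev['port']}")
    return alerts
```

The signature check returns nothing for the unknown hash, while the behavioural rule raises one alert on the net_connect event; a process that merely writes an executable, or runs it without connecting out, does not trip it.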
Case Study: Hacking a Security Company
RSA – The Security Division of EMC
• Two different phishing emails sent to a small group of RSA employees
  • Titled “2011 Recruitment Plan”
  • Stoke curiosity
  • User actually retrieved it from junk email
• Use curiosity to kill the cat…i.e. pwn the network
  • Attached document with zero-day Adobe Flash exploit
  • Malicious link embedded in email
• Establish contact with C&C server
• Scope targets for lateral movement
• Get to the data and exfiltrate
Every organization has users…existing preventative solutions are failing us all.

Case Study: Hacking a National Lab
Oak Ridge National Laboratories
• 527 employees targeted
• 10% click-through rate
• Email spoofed to come from HR
• Directed users to a website link for more information
• Drive-by infection – click…click…boom!
• Caused the Lab to completely cut off Internet and external email while remediating the breach
NOTE: This is the SECOND time ORNL has dealt with this issue…only this time, we have a solution.

Case Study: A Coordinated Attack on the US DIB
• Inbound email targeting the DIB – spoofed to look like it came from IARPA
• URL link – actually a .zip file that offers what appears to be a .xls file for download
• Legitimate IARPA Project Day roster is presented – but this is smoke and mirrors for a .exe running in the background
• ACTIVE campaign with eerie similarities to the massive Shady RAT campaign disclosed by McAfee

Case Study: How They Tried to Pwn Our CEO…
• Targeted and well-crafted inbound email sent to personal email account
  • Lowered security in home environment
  • Easy path for lateral movement
• Localized – referencing DC
• Socially engineered – spoofed to look like it came from a friend
  • Referenced birthday party over the summer
  • Referenced the name of one of my friends’ daughters
• Similar to ORNL – directed to a drive-by download site
• Very aggressive malware – designed to exfiltrate
Stop Web-Borne Attacks
Essential Elements to Secure Browsing
Exceptional Protection and Detection
• Isolate browser operation utilizing full local virtualization / run in a secure “guest” OS
• Identify introduction of malicious code without any prior malware knowledge
• Behavior-based vs. signature-based malware detection
Remediation | Restoration | Threat Feeds
• Automatically eradicate all malware code and artifacts
• Restore the end user environment to a “gold master” pristine state
• Automatically collect data (real-time) on the malware attack and feed it to a central DB
Ease of Use and Deployment
• Support browser personalization – retain favorites, bookmarks, homepage, proxy settings, etc.
• Deploy centrally just as you would any Windows application
• Support for IE6, 7 and 8 (Firefox coming soon)

[Diagram: Invincea Browser Protection alongside the existing controls – Web gateway (“Site Blocked by Web Gateway”), IDS, Firewall, Current Endpoint Security Suite – reporting to the Invincea Threat Server; example request to www.malware.com]
Breaking the Cycle – Case Study
Enterprise Wide Invincea Deployment
• Spear phishing attacks resulted in large quantities of sensitive data being exfiltrated
• Whole divisions had to be taken off of the Internet – thousands of people
• Client engaged outside firm for complete network remediation
• Appropriately set sights on preventing re-infection (often overlooked)
• Complete protection of the end user against a myriad of attacks through enterprise wide deployment of Invincea
• Client has broken out of the Security Insanity Cycle

Invincea as a Game Changer
SC Magazine “First Look”
“Invincea effectively stops zero-day malware in its tracks.”
“Take a very close look at this. It is from a brand new company and I predict big things for it if the management team continues down the road they're on now.”
“What we didn't like: Nothing. This product does exactly what it claims to do and is completely transparent to the user.”
• Winner – RSA 2011 Security Innovators Sandbox
• Winner – 2010 US East Coast Global Security Challenge
• Finalist – 2010 Global Security Challenge
• Finalist – 2010 SC Magazine Innovators Throwdown
• Finalist – SC Magazine 2010 Rookie Security Company of the Year