
Stop Spear-Phishing and Watering Hole Attacks – Put the User in a Bubble






Presentation Transcript


  1. Stop Spear-Phishing and Watering Hole Attacks – Put the User in a Bubble Darin Dick

  2. Riddle Me This… Hint: Aka – FRAN or STAN

  3. A Problem of Pandemic Proportions • ‘11, ‘12 and ’13 (so far) bloodiest years on record… • “White House” eCard (spear-phishing) • HBGary Federal (social engineering) • Night Dragon (spear-phishing) • London Stock Exchange Website (watering-hole) • French Finance Ministry (spear-phishing) • DuPont, J&J, GE (spear-phishing) • Charlieware (poisoned SEO) • Nasdaq (spear-phishing) • Office of Australian Prime Minister (spear-phishing) • RSA (spear-phishing) • Epsilon (spear-phishing) • Barracuda Networks (spear-phishing) • Oak Ridge National Labs (spear-phishing) • Lockheed Martin (spear-phishing) • Northrop Grumman (spear-phishing) • Gannett Military Publications (spear-phishing) • PNNL (spear-phishing) • Shady RAT (spear-phishing) • DIB and IC campaign (spear-phishing) • ‘Voho’ campaign (watering-holes and spear-phishing) • ‘Mirage’ campaign (spear-phishing) • ‘Elderwood’ campaign (spear-phishing) • White House Military Office (spear-phishing) • Telvent compromise (spear-phishing) • Council on Foreign Relations (watering hole) • Capstone Turbine (watering hole) • Red October (spear-phishing) • Speedtest.net (watering-hole/drive-by) • DoE (spear-phishing) • Federal Reserve (spear-phishing) • Bit9 (TBD) • NYT, WSJ, WaPo (spear-phishing) • Apple, Microsoft, Facebook (watering-hole) • National Journal (watering hole) • FemmeCorp (watering holes) • South Korea (spear-phishing) • 11 Energy Firms (spear-phishing) Cannot keep this slide up to date…

  4. Competitive Futures Are at Stake “Theirs” Ours The good news is…they’re stealing petabytes worth of data… The bad news is…in time, they’ll have sorted through it all

  5. The Primary Target – The Unwitting Accomplices The #1 Attack Vector = The User • Ubiquitous usage of Internet and Email has enabled adversaries to shift tactics • Prey on human psychology • Spear Phishing – The New Black • Drive by Downloads • Malicious sites • Weaponized Attachments • Watering Hole Attacks • Hijacked trusted sites • Trust in social networks • Facebook, Twitter, LinkedIn • Faith in Internet search engines • Poisoned SEO • User Initiated Infections • Fake A/V and fear mongering

  6. Alarming Malware Statistics • 280 million malicious programs detected in April 2012* • 80,000+ new malware variants daily** • 134 million web-borne infections detected (48% of all threats) in April 2012* • 24 million malicious URLs detected in April 2012* • 30,000+ new malicious URLs daily** • 95% of APTs involve spear-phishing*** • Organizations witnessing an average of 643 malicious URL events per week*** • 225% increase from 2012** * Kaspersky April 2012 Threat Report ** Panda Labs Q1 2012 Internet Threat Report *** FireEye September 2012 Advanced Threats Report **** Both Mandiant and Trend Micro – 2013 Reports

  7. KIA – Mandiant “APT-2” Spear-Phish www.invincea.com/blog or https://www.invincea.com/2013/02/mandiant-report-spear-phishing-campaign-kia-with-invincea-cve-2011-0611/

  8. Java - Getting Bullied…

  9. Enterprise Security Architecture for Addressing APT (In Use | Confidence*)
     Firewalls/Web Proxies   84% | 66%
     Network Controls        34% | 55%
     Anti-Virus              92% | 52%
     App Whitelisting        22% | 49%
     User Training           64% | 17%
     Forensics and IR        31% | 40%
     *Invincea APT Survey Q4 2012

  10. Einstein’s Definition of Insanity – the Security Insanity Cycle: patching software as vulnerabilities are made public → detecting intruders and infected systems after the fact → recovering and restoring the infected machines back to a clean state → repeat

  11. Addressing the Critical Vulnerability in Java 7 “Uninstall Java…”

  12. Addressing the Critical Vulnerability in IE “Stop Using IE…”

  13. Addressing the Pandemic of Spear-Phishing “Don’t Click on Links You Don’t Trust…”
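The deck’s point is that “don’t click on links you don’t trust” pushes a judgement onto the user that is hard to make by eye. The block below is an added example, not code from the deck or from Invincea, showing what a machine can check on a spear-phish link before the user ever sees it: anchor text that displays one domain while the href points at another, a trusted brand buried as a sub-label of an unrelated registered domain, punycode (IDN homograph) hosts, raw IP hosts, and direct executable downloads. The sample message, the `example-bank.com` brand, the `attacker.test` domain and the 203.0.113.45 address are all constructed; the registered-domain logic is a naive “last two labels” assumption with no public-suffix list. Heuristics like these reduce the click volume that reaches a sandbox but do not replace containment, which is the deck’s thesis.

```python
"""Heuristic spear-phish link checks over an HTML e-mail body (added example)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: hosts, brand and IP are illustrative only.
SAMPLE_HTML = """
<p>Please review the <a href="http://secure-login.example-bank.com.attacker.test/portal">
https://www.example-bank.com/portal</a> before Friday.</p>
<p>Card: <a href="http://xn--pple-43d.com/ecard">Your eCard</a></p>
<p>Update: <a href="http://203.0.113.45/update.exe">Download</a></p>
<p>Legit: <a href="https://www.example-bank.com/help">https://www.example-bank.com/help</a></p>
"""

# Assumed set of domains the organisation considers its own or trusted.
TRUSTED_DOMAINS = {"example-bank.com"}
EXEC_SUFFIXES = (".exe", ".scr", ".jar", ".pif", ".com", ".bat", ".js")


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    # Naive assumption: registered domain = last two labels (no PSL offline).
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_link(href, text, trusted_domains):
    """Return a list of human-readable findings for one link (empty = clean)."""
    findings = []
    url = urlparse(href)
    host = url.hostname or ""

    if is_ip_literal(host):
        findings.append("ip-literal host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode/IDN host")
    if url.path.lower().endswith(EXEC_SUFFIXES):
        findings.append("direct executable download")

    # Anchor text that looks like a URL but whose domain differs from the href.
    shown = re.match(r"https?://([^/\s]+)", text)
    if shown and registered_domain(shown.group(1)) != registered_domain(host):
        findings.append(f"display text domain {shown.group(1)} != href host {host}")

    # Trusted brand used as a sub-label of an untrusted registered domain.
    if host and not is_ip_literal(host):
        reg = registered_domain(host)
        if reg not in trusted_domains:
            for trusted in trusted_domains:
                if trusted in host:
                    findings.append(f"trusted domain {trusted} embedded in untrusted host {host}")
    return findings


def scan_email(html, trusted_domains):
    """Map every href in the body to its findings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: analyze_link(href, text, trusted_domains) for href, text in parser.links}


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_HTML, TRUSTED_DOMAINS).items():
        print(href, "->", findings or "clean")
```

Run it and only the last link comes back clean; the first one trips two checks at once (mismatched anchor text and embedded brand), which is exactly the pattern a user reading the visible text cannot see.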

  14. An Alternative to Bad Advice Not quite…but pretty darn close…

  15. Rethink Security “Making Prevention Possible Again” If…you could negate user error And…contain malware in a virtual environment And…stop zero-days in their tracks without signatures Then…preventing APTs would be possible

  16. Solve the User Problem – Protect the User (architecture diagram: Enterprise Endpoint → Server Appliance → SOC; Application & Data Collection)

  17. Contain the Contaminants • Detection – detect zero-day attacks without signatures • Prevention – protect every user and the network from their error • Pre-Breach Forensics – feed actionable forensic intelligence without the breach

  18. Mapping the APT Kill Chain • Stage 1: Reconnaissance – research the target • Stage 2: Attack Delivery – spearphish with URL links and/or attachment • Stage 3: Client Exploit & Compromise – vulnerability exploited or user tricked into running executable • Stage 4: C2 – remote command & control • Stage 5: Internal Recon – scan network for targets • Stage 6: Lateral Movement – colonize network • Stage 7: Establish Persistence – root presence to re-infect as machines are remediated • Stage 8: Stage Data & Exfil – archive/encrypt, leak to drop sites • Stage 9: Incident Response – analysis, remediation, public relations, damage control

  19. Invincea – Breaking the APT Workflow (Threat Data Server) • Containment | Detection | Prevention | Intelligence • Highly targeted apps run in a contained environment • Behavior-based detection spots all malware including 0-days • Automatic kill and remediation to clean state • Forensic intelligence on thwarted attacks fed to broader infrastructure

  20. Real World Results 0days K.I.A.

  21. KIA – Speedtest.net Drive-by, Java 7 CVE-2013-0422 www.invincea.com/blog or http://www.invincea.com/2013/02/popular-site-speedtest-net-compromised-by-exploitdrive-by-stopped-by-invincea/ • Drive-by Download/Watering Hole Attack Thwarted by Invincea • Exploit running for days on Speedtest.net website (boasts 4 BILLION+ visits) • Whitelisted or blacklisted website? More than likely whitelisted • Increasingly common poisoning tactic from adversaries • Detected without signatures, immediately killed and forensically analyzed by Invincea

  22. KIA – Adobe Flash CVE-2013-0634 www.invincea.com/blog or http://www.invincea.com/2013/02/exploit-down-analysis-and-protection-against-adobe-flash-exploit-cve-2013-0634/ • Weaponized Office Document (Word) Used to Spread Adobe 0day (CVE-2013-0634) • Spoofed document listing IEEE as the author (community of interest being targeted) • No protection from anti-virus given 0day nature • Increasingly common poisoning tactic from adversaries • Detected without signatures, immediately killed and forensically analyzed by Invincea

  23. KIA – National Journal Website www.invincea.com/blog or http://www.invincea.com/2013/03/kia-nationaljournal-com-pushing-malware-through-fiesta-ek-killed-with-invincea/ • Drive-by Download/Watering Hole Attack Thwarted by Invincea • Exploit running on National Journal website days AFTER initial disclosure (secondary attack?) • Whitelisted or blacklisted website? More than likely whitelisted • Running Fiesta/ZeroAccess Exploit Kit – attacking 2 Java vulnerabilities • Detected without signatures, immediately killed and forensically analyzed by Invincea

  24. Let’s Get Moving Joseph Lee: darin.dick@invincea.com Go ahead…spear-phish me! www.invincea.com Twitter: @Invincea Want a t-shirt? Drop a note to megan.cavanaugh@invincea.com – only one catch, you’ve got to tweet a pic of you wearing it!
