1 / 5

Targeted attacks of recent days

Explore the world of targeted cyber attacks with insights from CrySyS Lab's analysis of Duqu and the development of the innovative DuquDetector Toolkit. Learn about advanced persistent threats, new detection methodologies, and the ongoing fight against sophisticated cyber adversaries. Discover how to enhance your cybersecurity defenses in the face of evolving threats.

kvandiver
Download Presentation

Targeted attacks of recent days

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Targeted attacks of recent days Boldizsár Bencsáth PhD Laboratory of Cryptography and System Security (CrySyS) Budapest University of Technology and Economics www.crysys.hu this is joint work with Gábor Pék, Levente Buttyán, Márk Félegyházi, others

  2. Targeted Attacks • Although many expected, nobody knew how the era of targeted attack, cyber warfare will start. • Hype began with Stuxnet, but maybe not the first case (Hydraq, DoS attacks, etc.) • Lot of new cases: Stuxnet, Duqu, RSA, Chemical plants, Mitsubishi Heavy Industries, Illinois water system (?),… (Additionally: Anonymous, Lulzsec, etc..) • APT: Advanced Persistent Threat -> this definition emphasizes power of the attacker over of our inability to have control on our system • New approach is needed against APT, Targeted Attacks

  3. What we have done in Duqu case? • Yes, we are the Lab who discovered Duqu. • We will share with you what we can but more information on the ongoing case is under NDA. Technical details are already public. • In early September, during the investigation of an incident CrySyS Lab found a suspicious executable, the reference info stealer / keylogger component of Duqu. • Later during forensics activities we identified components used for the incident. We made an initial analysis and shared our results with competent organizations.The cut-down version of our analysis was embedded into Symantec’s report as an appendix (18/Oct/2011) • We continued the analysis of Duqu and as a result we identified the dropper/installer component. After proving that it contains a 0-day vulnerability, we initiated the collaborated handling of the threat. On 01/Nov/2011 we announced the identification of the dropper file.

  4. Duqu/Stuxnet comparison at a glance

  5. Duqudetector toolkit – a new way of thinking about threats like Stuxnet • The Crysys DuquDetector Toolkit was publicly released on 09/Nov/2011. • We have to go forward and get rid of signature-only approaches • Our tool tries to identify anything suspicious, even if that generates lots of false positive. • Currently the toolkit is “configured” for Duqu, but the aim is a bit more general • Entropy based detection of strange PNF files • Suspicious files with missing counterparts • Search for data files left by keylogger/infostealer/data siphoning tools of the malware by it’s signatures (file name, magic strings) • Our tool might be able to find traces on infections even after the malware was already deleted by self-destructing logics.

More Related