Malware: Money, Methods, and Trends • Daimon Geopfert, McGladrey LLP • November 14, 2012
Introduction • McGladrey LLP • 5th largest CPA/consulting firm • 6,500+ professionals and 70 offices in US • 70,000+ professionals internationally • Industries • Manufacturing, Finance, Government, Education, Healthcare, NFP, Consumer Products, Real Estate, etc. • Security and Privacy Services • Testing • Architecture • PCI • Governance • IR/Forensics
Introduction • Daimon Geopfert • National Leader, Security and Privacy Services • I like standardized tests • CISSP, CISM, CISA, CEH, GCIH, GREM • I am not an auditor but I play one on your network • Penetration Testing & Vulnerability Assessment • Security Monitoring • Incident Response • Forensics & Investigations • Former DoD, AFOSI-CCI, AIA • All business, all the time
Overview of Malware Trends: Setting the Stage • Types of Malware • Virus • Worms • Trojans • Adware and Spyware • URL Injectors, Redirectors, and Dialers • Backdoors, Rootkits, and Keyloggers • Wabbits (go ahead and ask) • These are just general categories • Modern malware often fits multiple categories
Overview of Malware Trends: Traditional Trends • Perimeter attacks • Operating system focus • Single-shot viruses/worms • One-trick ponies • Blatant Trojans • Elf Bowling, anyone? • Little detection avoidance • Directly observable • Outright baiting of system owners • Open C3 • Command, control, and communications • Zero-day races
Overview of Malware Trends: Current Trends • Massive increase in attacks against people and processes • Shotgun vs. Sniper • Widespread, generic attacks are still popular but are becoming more automated • Targeted, detailed attacks are becoming the norm • Hobby vs. Profession • Previously: the stereotypical “anti-social teenager” or “hermit living in his mom’s basement” • Now: formally trained developers, professional intelligence and industrial operatives, and business managers looking for large-scale efficiency • Obfuscation and long-term infections • Controls bypass methods
Demo #1: Snort signature bypass • Setup • Target: 192.168.10.204 • IDS: Snort • Attacker: 192.168.10.10 • Food for thought…
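The demo itself is not reproduced on the slides, so the following is an added example, written for this page rather than taken from the talk or from Snort, of the general problem a signature-based IDS has: a rule carries literal bytes, and the same request written with an encoding the sensor does not normalise simply does not contain those bytes. The rule, the three requests and the toy normaliser are all assumptions made for the illustration; Snort’s own http_inspect preprocessor performs URI normalisation of this kind (and a great deal more) before content matching, which is exactly why it must be enabled and tuned rather than relying on a bare content match.

```python
"""Added illustration: a literal content signature versus an encoded
request.  Constructed example code, not the talk's demo and not Snort;
the rule, the traffic and the (much simplified) normaliser are
assumptions made for the example.
"""
import re
from urllib.parse import unquote

# One rule, modelled on the two Snort options that matter here:
# 'content' (literal bytes to find) and 'nocase'.  The sid is made up.
RULE = {"sid": 1000001, "msg": "cmd.exe in URI", "content": "cmd.exe", "nocase": False}


def raw_match(payload: bytes, rule: dict) -> bool:
    """Match the way a sensor with no protocol awareness would:
    the rule's bytes against the wire bytes."""
    needle, hay = rule["content"].encode(), payload
    if rule["nocase"]:
        needle, hay = needle.lower(), hay.lower()
    return needle in hay


def normalise_http(payload: bytes) -> bytes:
    """Toy stand-in for an HTTP preprocessor: decode %xx escapes and
    collapse '/./' and '//' in the path before the content match runs."""
    text = unquote(payload.decode("latin-1"))
    text = re.sub(r"/\./", "/", text)
    text = re.sub(r"/{2,}", "/", text)
    return text.encode("latin-1", "replace")


def evaluate(payload: bytes, rule: dict = RULE) -> dict:
    """Verdict of three sensor configurations for one request:
    raw bytes only, normalised, normalised plus case-insensitive."""
    nocase_rule = dict(rule, nocase=True)
    return {
        "raw": raw_match(payload, rule),
        "normalised": raw_match(normalise_http(payload), rule),
        "normalised+nocase": raw_match(normalise_http(payload), nocase_rule),
    }


# Constructed requests: the same thing, written three ways.
PLAIN = b"GET /scripts/cmd.exe?/c+dir HTTP/1.1\r\nHost: target\r\n\r\n"
ENCODED = b"GET /scripts/%63%6d%64.exe?/c+dir HTTP/1.1\r\nHost: target\r\n\r\n"
CASED = b"GET /scripts/./CMD.EXE?/c+dir HTTP/1.1\r\nHost: target\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("plain", PLAIN), ("encoded", ENCODED), ("cased", CASED)]:
        print(name, evaluate(req))
```

The point for the defender is the last column: the rule only holds up once the sensor sees the request the way the target will interpret it, and once the rule stops assuming the attacker will use the same case the rule author did. Every transformation the target accepts that the sensor does not undo is a bypass waiting to be used.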
Overview of Malware Trends: Current Trends • Persistence • Multitude of re-infection methods • Anti-Forensics • Timestomping, VM-aware code, tailored delivery, exploits against forensic tools • Hidden C3 • Encrypted tunnels; hidden, anonymous communications • Research and custom solutions • Specific fit for a specific target • Purpose-built to avoid known controls, technology, and processes • Dedicated zero-day attacks • Retaliation • DoS, destroy systems, encrypt data, etc. • Attack the environment, the responders, and the managed security providers
Overview of Malware Trends: Current Trends • Code is no longer static • Constantly mutating or customized • Attackers can buy the same AV subscriptions and appliances defenders use and run their malware through them as QA before release • Avoid AV detection by never touching the disk • AV, a signature-based product, is limited to what it knows • Heuristics are used by most AVs, but they are not the silver bullet they were once held out to be • Many organizations are dealing with outbreaks of varying scales on a monthly basis • If you’ve gone a significant amount of time between events, it is time to start questioning your ability to identify an event
Overview of Malware Trends: Current Trends • Lower knowledge thresholds • Kits such as Zeus, SpyEye, MPack, etc. • A “bleed-over effect” from APT into ordinary malware • Non-targeted malware is built in ways that mimic APT, but its controllers have little or no understanding of how it works • This also means not every APT-style threat is a cyber-ninja • We consistently run into adversaries whose tradecraft is wildly inconsistent • Elegant, targeted attacks followed by pure script-kiddie flailing • Powerful, unique tools over which they have only partial control • Stealthy infiltration followed by blunt, noisy expansion techniques • A recent engagement saw an attacker almost DoS a network after infiltration because they were running mass ping sweeps from dozens of compromised systems • Complete waste of unique malware
Demo #2: Antivirus bypass • Setup • Target: 192.168.10.202 • AV: Avast • Attacker: 192.168.10.10 • Food for thought…
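The slides do not say how the demo gets past Avast, and nothing here claims to. What follows is an added example, written for this page, of the mechanism behind the “code is no longer static” and “AV is limited to what it knows” points: the same harmless placeholder is re-encoded with a different key for every build, so every build has a different hash and different bytes, and a scanner that only compares hashes and literal strings catches the one sample it has already seen and nothing else. The “mutation engine” is a one-byte XOR, the simplest possible case, and the payload, keys and signature list are all constructed for the example; the decoder-side check at the end is a crude stand-in for what a heuristic or emulation layer does.

```python
"""Added illustration of why a purely static scanner loses to code that
is re-encoded per build.  Constructed example, not the demo's tooling
and not any AV product: the 'payload' is a harmless string and the
'mutation engine' is a one-byte XOR.
"""
import hashlib
import os
from typing import Optional

# Constructed stand-in for a second stage; nothing here is malicious.
PAYLOAD = b"example-stage2: harmless placeholder bytes"


def build_sample(payload: bytes, key: Optional[int] = None) -> bytes:
    """Emit one 'build': a one-byte key followed by the XOR-encoded
    payload.  Same behaviour every time, different bytes every time."""
    if key is None:
        key = os.urandom(1)[0] or 1
    return bytes([key]) + bytes(b ^ key for b in payload)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def static_scan(sample: bytes, bad_hashes: set, bad_strings: list) -> bool:
    """The signature-only view: known file hash, or known byte string."""
    if sha256(sample) in bad_hashes:
        return True
    return any(s in sample for s in bad_strings)


def decode_scan(sample: bytes, bad_strings: list) -> Optional[int]:
    """A crude 'heuristic' layer: try every one-byte key (in a real stub
    the decoder loop itself is the tell) and scan the result.  Returns
    the key that exposed a hit, or None if nothing decodes to a hit."""
    for key in range(256):
        decoded = bytes(b ^ key for b in sample)
        if any(s in decoded for s in bad_strings):
            return key
    return None


if __name__ == "__main__":
    first = build_sample(PAYLOAD, 0x41)      # the build the AV vendor saw yesterday
    second = build_sample(PAYLOAD, 0x7A)     # today's build of the same thing
    signatures = {sha256(first)}
    print("hashes differ        :", sha256(first) != sha256(second))
    print("static catches first :", static_scan(first, signatures, [b"stage2"]))
    print("static catches second:", static_scan(second, signatures, [b"stage2"]))
    print("decode catches second:", decode_scan(second, [b"stage2"]))
```

A real packer does far more than XOR, and a real scanner does far more than hash and string matching, but the asymmetry is the same: the attacker controls the bytes on disk and can regenerate them at will, so the defender has to look at what the code does (or decodes to), not only at what it looks like. That is also why the talk’s “never touching the disk” point matters: a memory-only payload never gives a file scanner anything to hash at all.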
Overview of Malware Trends: Current Trends • Change in Delivery Methods – Social Engineering • Fancy name for traditional “con games” • Attacking an environment by manipulating people • Focused on user habits, mannerisms, human nature, and entrenched organizational procedures and activities • The attack vector of choice for many advanced attackers • Typical countermeasures such as firewalls, anti-virus, and intrusion detection systems are almost worthless against it • Pharming • Large-scale, unfocused attacks that redirect users to malicious websites (typically by tampering with DNS or hosts files) • Phishing • Attempts to acquire information via fake emails, texts, and web pages • Spear Phishing • Small-scale, focused attacks against a limited audience • Whaling • Ultra-focused attacks against high-profile targets
Overview of Malware Trends: Current Trends • Change in Delivery Methods – Social Engineering • Social networks are easier to target, and users are more likely to fall for scams because of the inherent trust relationships • Users can receive messages including URLs and attachments • Easier for attackers to find and target individuals in positions of privilege • Cyber criminals are increasingly turning to social networks rather than email to attack users, because social networks are much harder for an organization to monitor and control • Attacks are happening “inside the castle”, with local anti-virus as essentially the last line of defense, which is a scary thought • Browser attacks (“drive-bys”) used to pay off mainly when users visited known dodgy websites, which were typically blocked; now trusted contacts (“friends”) can bait users into clicking URLs, so the same attacks reach users through sites that are allowed
Demo #3: Social Media/Engineering • Setup • Target: 192.168.10.202 (OS: patched Windows XP) • Attacker: 192.168.10.10 (LinkedIn clone) • Google Mail • Linkedin.com
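The lure in this demo is a clone of a site the user trusts, and the one thing a clone cannot copy is the real domain. The following is an added example, written for this page rather than taken from the talk or from any vendor, of the link check a mail gateway or a URL-rewriting proxy can apply before a user clicks: exact or subdomain matches against a brand list are allowed, punycode (IDN) hosts are flagged for review, and a host is called a lookalike if it uses the brand as a subdomain of somebody else’s domain, if its registrable label becomes the brand after folding common character swaps (1 for l, rn for m), or if it is within two edits of the brand. The brand list, the test URLs and the naive “last two labels” registrable-domain rule are assumptions; a production check would use the Public Suffix List and a lower edit-distance threshold for short brand names.

```python
"""Added example: a lookalike-domain check for links in mail or chat.
Constructed for this write-up, not the demo's LinkedIn clone and not
vendor code; the brand list and the test URLs are assumptions.
"""
import unicodedata
from urllib.parse import urlparse

# Brands we care about, as registrable domains (assumed list).
LEGIT = ["linkedin.com", "google.com"]

# Characters an attacker swaps for ones the eye reads as the original.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
              ("5", "s"), ("7", "t"), ("8", "b")]


def fold_homoglyphs(label: str) -> str:
    for fake, real in HOMOGLYPHS:          # multi-character swaps first
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive 'last two labels'.  Good enough for .com; a real check uses
    the Public Suffix List so that co.uk-style suffixes are handled."""
    return ".".join(host.split(".")[-2:])


def classify(url: str):
    """Return (verdict, brand_domain).  verdict is one of
    'legitimate', 'punycode', 'lookalike', 'unrelated'."""
    host = (urlparse(url).hostname or "").rstrip(".")
    host = unicodedata.normalize("NFKC", host).lower()
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        return "punycode", None            # IDN host: hold for decoding and review
    for brand_domain in LEGIT:
        if host == brand_domain or host.endswith("." + brand_domain):
            return "legitimate", brand_domain
    reg_label = registrable(host).split(".")[0]
    for brand_domain in LEGIT:
        brand = brand_domain.split(".")[0]
        if brand in labels[:-2]:           # brand as a subdomain of someone else's domain
            return "lookalike", brand_domain
        if fold_homoglyphs(reg_label) == brand or levenshtein(reg_label, brand) <= 2:
            return "lookalike", brand_domain
    return "unrelated", None


if __name__ == "__main__":
    # Constructed URLs; the punycode host is a made-up label.
    for u in ["https://www.linkedin.com/in/someone",
              "http://linkedin.com.login-update.example/",
              "http://1inkedin.com/", "http://linkedn.com/",
              "http://xn--exmple-cua.com/", "http://example.org/"]:
        print(u, "->", classify(u))
```

Note the order of the checks: the legitimate-domain test runs before the lookalike tests, otherwise `www.linkedin.com` would trip the “brand used as a subdomain” rule. The check is only as good as its brand list, and it says nothing about a phishing page hosted on a compromised site with an unremarkable name; it is one filter, not a replacement for the user awareness the talk is arguing for.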
Overview of Malware Trends: Current Trends • Change in Delivery Methods – Beyond the OS • Internet infrastructure • DNS and routing • Encryption methods • Certificates • sslstrip • DigiNotar et al.
Overview of Malware Trends: Current Trends • Change in Delivery Methods – Beyond the OS • Client-side attacks • Java • Applets • ActiveX • QuickTime • Flash • Browser-specific • Business-critical/common document types • PDF • DOC • XLS • Many organizations are “fighting the last war” by focusing on the OS
Demo #4: Web Client-Side Attack • Setup • Target: 192.168.10.201 (vulnerable IE) • Attacker: 192.168.10.10 (malicious website) • Food for thought…
Overview of Malware Trends: Current Trends • Change in Delivery Methods – Mobile • Many of the risks inherent to wireless • Interception, plain-text or “crackable” encryption • Many of the risks inherent to web/cloud solutions • Passwords, session management, MitM • Portable is Latin for “easy to leave in the back of a taxi” • Many high-profile “data breaches” are actually lost or stolen devices • Mature encryption policies exist for laptops, not for tablets and smartphones • Easily available software can unlock smartphones in seconds or minutes • Attacks • Patching and updates are necessary, just as with any other device • Traditional attacks are available for these devices • Malware… and iOS folks shouldn’t get all high-and-mighty • The lack of attacks on Mac/Apple was a function of economics, not technology
Nature of Attackers: Some Misconceptions • “If I’m not a financial organization and don’t hold military secrets, they don’t care about me.” • You will be hard pressed to make appropriate risk management decisions until you understand who they are and why they act • “Attackers” are not a vague, all-encompassing, generic horde • Think of attackers as a spectrum rather than a single entity, from “script kiddies” at one end to APT (Advanced Persistent Threat) at the other • Not every attacker is a cyber-ninja; the reality is somewhere between what you hope and what you fear • Recognize that attackers have differing, shifting motives • Targets of opportunity • Bandwidth and equipment • Hacktivism • Financial data and intellectual property* • *#1 asset on the underground market • Revenge and retribution • None of the above
Nature of Attackers: Some Misconceptions • “We’re too small for anyone to bother with us” • The old threat models no longer apply • Historically, attackers went after big targets because the payday justified their investment, while small targets consumed similar resources for minimal return • That model has flipped: big targets are often “hard” targets, while new methods reduce the resource cost of small, “soft” targets • Smaller companies often: • Use COTS software with many basic, default settings • Do not invest in advanced security technologies • Do not have security specialists on staff • But DO hold highly valuable information, just not in the quantities of a large target • Attackers now use a variety of automation techniques to lower the resources necessary to handle large numbers of small hacks • Congratulations, you’ve been monetized
Nature of Attackers: A Look Back • Historical structures • Lone-wolf attackers • Tight-knit “gangs” • Historical motivation of attackers • Bragging rights • Complete destruction • Curiosity and research • Free stuff • Pizza, merchandise, phone calls, storage, CPU time • Hack… ?... Profit! • Not what you would call a formal business plan
Nature of Attackers: Modern Day • Fortune vs. Fame • Botnets and zombie herds • Spam, music and movies • Rental weapon platforms and C3 for malware • Lots of “pro bono” support as well • BitTorrent, anonymizers and shadow networks • Intelligence, warfare, and terrorism • Focus on destroying/compromising “enemy” infrastructure • “Competitive Intelligence” • Very pretty name for very ugly business methods • Large-scale money laundering • Money/resource transfers • E-Gold, PayPal, Liberty Reserve, WebMoney, etc. • Profit (pardon the obvious)
Nature of Attackers: Modern Day • Roles • Reconnaissance • People, process, technology • Developers • Coders, hackers, social engineers • Execution • Pull the trigger • The guys who get arrested • Mules • Market Makers • The business leaders • Control the pricing and use of what the exploit produces • The ones who turn individual crimes into industries • Bankers • Money laundering • Currency/product exchanges (escrow)
Nature of Attackers: Modern Day • Hackers get famous, the business leaders get rich • Stay hands-off; field work is done by others • Most of the actual field work comes from areas with soft legal standards • Criminals plan crimes to cross as many borders and jurisdictions as possible • Developers are hard to punish as they often don’t directly commit a crime, or at least not a crime recognized in their jurisdiction • They get paid for products • Hacking kits/frameworks • Custom builds • In competition with each other for the best products and reputation • Limbo 2: guaranteed non-detection, with warranty • Bankers have multiple layers of legal protection • Nothing different from old-school mob money laundering • Sleepers • Cell structure • Players often don’t even know each other
Nature of Attackers: The Dreaded APT • Advanced: • The adversary can bring the entire spectrum of computer intrusion to bear against an objective. This can range from trivial exploits that have been known for a decade to never-before-seen zero-day attacks, social engineering, and unique malware. • Persistent: • Attackers are endeavoring to accomplish a clearly defined mission. They are highly motivated and will not cease their activities if their initial attempts fail, or even if their previously successful pathways into an environment are closed, forcing them to develop new methods. The title “persistent” applies both to the adversaries’ tendency to continue attacks over a long period of time and to the technical methods they use to maintain continuous access to compromised networks. • Threat: • This threat has motivated, thinking, goal-oriented humans on the other end. It is not mindless, bulk code grinding away on the Internet hitting all possible targets of opportunity. These individuals are organized, funded, and work directly or indirectly for major interests such as governments, organized crime, and (rumored) competitive business interests. APT is about motivation and mindset, not any particular technology
Nature of Attackers: The Wild Card • Hacktivism • Motivation out of line with all other threats • Normal risk management often comes down to the old joke about not needing to outrun the bear, only the other hikers • That concept does not apply here, as these attackers are often driven by any variety of emotional and political drivers • Hacktivism breaches often differ from normal breaches because the attackers try to make them as public as possible
A Peek at the Markets: About that Profit… • Food for thought: underground markets bring two sides together, the legacy universe of attackers (the skilled) and the attackers of concern (the motivated) • Motivated attackers place bounties for the skilled attackers to chase • Skilled attackers breach environments and sell access to the motivated attackers of concern
A Peek at the Markets • Unique items go for a premium • Intellectual property • High-profile accounts or identities • Access to specialty equipment • Anyone surprised by the low value of individual personal data? • Economic slumps and credit crunches are not good for credit card data
A Peek at the Markets • Possibly the last true free market on earth… • Commercialization • Decreased time to market for exploits • Versioning and standard/gold/platinum editions • Commoditization • What was rare is now commonplace • Competition • What was unique now has competitors • Combined with the prior point, this is reflected in pricing: • Zeus in 2008 = $10,000; Zeus in 2012 = $400 • Specialization • Since the foundational elements (malware source code) are so widely available, developers can focus on specific offerings such as anti-virus bypass and industry-specific or geography-specific products • Fraud as a Service • Niche service companies: native-language translation, bulletproof hosting
Methods of Response and Control • Risk management applies to security not just finance • Necessary to create APPROPRIATE controls • Horses and fences… • It is not meant to bring risk to zero • It is only meant to create a rational, non-emotional approach to managing risk • Notice the loop…
Methods of Response and Control: An Ounce of Prevention… • We all know the quote… • Basic stuff first • Patching • Access control and segregation of duties • Architecture and defense in depth • Inventory and asset control • Don’t try to build the roof until you’ve laid the foundation • Participation in the security community • Conferences, newsletters, whitepapers, RSS feeds, blogs, etc. • Planning • IR/DR/COOP • Backup strategies • Legal and public relations
Methods of Response and Control • Understand that modern threats are built to bypass preventative controls, yet many organizations place almost 100% reliance on these mechanisms for their security • You must have robust detective and corrective controls
Methods of Response and Control • Heavy focus on security monitoring • Log more. Bring it together. Use it. Period. • Treat technical limitations as vulnerabilities. If the response is “the app isn’t robust enough for us to turn on logging”, that should be sending up flares that the app isn’t robust enough for normal use. • “87% of victims had evidence of the breach in their log files, yet missed it.” Verizon 2010 Data Breach Investigations Report
Methods of Response and Control • What is going to cause us problems? • Impact of monitoring on critical technologies • Exercise for the day: Go ask your DBAs to turn on all native logging in the DB • The volume of raw events • Storage, transmission, review • Reliance on Off-the-Shelf tech without modification • “Tuning” • Generic, non-tailored signatures • Validating that monitoring solutions stay in place • Troubleshooting Step #2: disable logging • “Boy, that’s a chatty rule… off you go.” • Do you know what you have, where it is at, what it does, who does it, and what it is all worth? • The Mike Tyson effect…
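“Log more, bring it together, use it” is only useful if something actually reads the logs. The block below is an added example, written for this page and not taken from the talk, that runs two of the checks the preceding slides call for over a small firewall log constructed for the purpose: a ping sweep of the kind the earlier engagement story describes (one source touching many distinct destinations inside a short window), and a log source that has stopped reporting, which is what “troubleshooting step #2: disable logging” looks like from the SIEM side. The log format, sensor names, addresses, window and thresholds are all assumptions; the idea of alerting on a silent feed is the point, since a detective control nobody validates is indistinguishable from no control.

```python
"""Added example: two detections over a constructed firewall log.
(1) a source reaching many distinct destinations in a short window;
(2) a sensor whose feed has gone quiet.  Example code written for this
page, not the speaker's tooling; format, thresholds and addresses are
assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta


# Constructed log format: "<ISO time> <sensor> <proto> <src> -> <dst>"
def build_sample_log() -> str:
    base = datetime(2012, 11, 14, 9, 0, 0)
    lines = []
    for i in range(30):                      # thirty minutes of ordinary traffic
        t = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{t} fw-edge tcp 10.1.5.11 -> 203.0.113.{i % 5 + 1}")
        if i < 5:                            # fw-core reports for five minutes, then stops
            lines.append(f"{t} fw-core tcp 10.1.5.12 -> 10.1.9.{i + 1}")
    for i in range(30):                      # one host sweeping 30 addresses in 30 s
        t = (base + timedelta(minutes=12, seconds=i)).isoformat()
        lines.append(f"{t} fw-edge icmp 10.1.5.20 -> 10.1.7.{i + 1}")
    return "\n".join(lines)


def parse(log: str) -> list:
    """Turn log lines into event dicts with a real timestamp."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, sensor, proto, src, _arrow, dst = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "sensor": sensor,
                       "proto": proto, "src": src, "dst": dst})
    return events


def detect_sweeps(events, min_targets=20, window=timedelta(seconds=60)) -> dict:
    """Sources that reached at least min_targets distinct destinations
    inside any window of the given length; value is the peak count."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        peak = 0
        for i, start in enumerate(evs):
            in_window = {e["dst"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            hits[src] = peak
    return hits


def detect_silent_sensors(events, max_gap=timedelta(minutes=10)) -> list:
    """Sensors whose newest event is more than max_gap behind the newest
    event from any sensor: the feed stopped and nobody noticed."""
    last_seen = {}
    for e in events:
        last_seen[e["sensor"]] = max(last_seen.get(e["sensor"], e["ts"]), e["ts"])
    newest = max(last_seen.values())
    return sorted(s for s, t in last_seen.items() if newest - t > max_gap)


if __name__ == "__main__":
    evs = parse(build_sample_log())
    print("possible sweeps:", detect_sweeps(evs))
    print("silent sensors :", detect_silent_sensors(evs))
```

Both checks are deliberately dumb, and that is the design choice: a distinct-destination count per source needs no signature and no knowledge of the tool the attacker used, and a last-seen timestamp per sensor is the cheapest possible answer to “is the monitoring still in place?”. The thresholds are where the tuning the slide complains about actually happens; set them from your own baseline, not from the values assumed here.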
Methods of Response and Control • Plan for failure. Make your goal to fail gracefully and minimize damage. • Comprehensive IR plans • Formal and Preplanned • Assigned Roles: Tech, PR, Legal, Overall Lead • Develop Scenarios • What if we want to prosecute? • What if we think sensitive data has been exposed? Customer data? • What if it can’t be contained? What if we can’t trust our own systems? • What if it got into our financial/accounting/reporting/payment systems? • Good Example: Fortune Top 100 Bank – IR plans undergo “table top” exercise twice a year, IR plans include pre-built PR announcements, media scripts, letters to regulators, etc. • Bad Example: Sony – PlayStation breach was a PR disaster followed by an insurance nightmare
Methods of Response and Control: Insurance • Policies can cover hazards that cause security/privacy losses: • Virus/malicious code • Denial of service attacks • Hacker attacks/unauthorized access • Malicious hardware • Physical theft of devices/media • Accidental release and rogue employees • Social engineering • In a recent PwC security survey (which included more than 12,840 CEOs, CFOs, CIOs, CSOs, vice presidents, and directors of IT and information security from 135 countries), almost half (46%) responded that they have an insurance policy protecting them from theft or misuse of assets such as electronic data or customer records; 17% of the respondents had made a claim against the policy and 13% had collected on it.
Summary • Don’t Panic • Plan to fail, but plan to fail gracefully • Ability to know when a control has failed • Ability to recover quickly and with minimal damage • We’ve pointed out methods to bypass individual types of controls on a case-by-case basis • Consolidated, robust controls in a defense-in-depth manner are effective • Do not become a “hacker snack” • Hard and crunchy on the outside, soft and gooey in the middle • Every hoop you force the attacker to jump through is a chance for you to detect them… if you are watching • You don’t need to outrun the bear…
Questions? Daimon.Geopfert@McGladrey.com