How Targeted APT and Advanced Malware Attacks Evade Anti-virus Software
How Targeted Attacks Evade Anti-Virus Software
© 2012 Imperva, Inc. All rights reserved.
Agenda
+ Compromised insiders defined
+ The anatomy of a compromised insider campaign
+ Non-mitigation techniques: anti-virus
+ Mitigating compromised insiders in theory
  – Real world case study: RSA
+ Mitigating compromised insiders in practice
Today’s Presenter: Rob Rachwald, Dir. of Security Strategy, Imperva
Research
+ Directs security strategy
+ Works with the Imperva Application Defense Center
Security experience
+ Fortify Software and Coverity
+ Helped secure Intel’s supply chain software
+ Extensive international experience in Japan, China, France, and Australia
Thought leadership
+ Presented at RSA, InfoSec, OWASP, ISACA
+ Appearances on CNN, SkyNews, BBC, NY Times, and USA Today
Graduated from University of California, Berkeley
Insider threat defined
Insider Threat: someone who has trust and access and acquires intellectual property and/or data in excess of acceptable business requirements.
They do so:
+ Maliciously
+ Accidentally
+ By being compromised
Compromised insider defined
Compromised Insider: a 3rd party who gains access and acquires intellectual property and/or data in excess via client infection. The clients, often employees in government, military or private industry, are unknowing accomplices and have no malicious motivation.
In recent events …
+ Saudi Aramco: malicious insider, 30,000 computers hacked, full service disruption.
+ Global Payments: compromised insider, causes 1.5M payment cards compromised.
Malware: Compromised insiders on the rise
2012 Verizon Data Breach Report
• Malware is on the rise: “69% of all data breaches incorporated Malware”. A 20% increase over 2011.
• Malicious insider incidents declining: “4% of data breaches were conducted by implicated internal employees.” A 13% decrease compared to 2011.
Director of National Intelligence
• “Almost half of all computers in the United States have been compromised in some manner and ~60,000 new pieces of malware are identified per day”.
The 1% to be really concerned about
“Less than 1% of your employees may be malicious insiders, but 100% of your employees have the potential to be compromised insiders.”
Source: http://edocumentsciences.com/defend-against-compromised-insiders
Who does it?
+ Governments: stealing intellectual property (IP) and raw data, as well as espionage. Motivated by politics and nationalism.
+ Private hackers: stealing IP and data. Motivated by profit.
+ Hacktivists: exposing IP and data, but also compromising infrastructure. Motivated by almost anything; they have attacked nations, people, religion, commerce, etc.
Where do they attack?
+ Multimillion dollar datacenter: well protected
+ Desktop and the user: not well protected
Both access the same data.
Anatomy of a Compromised Insider Campaign
With social networks, smart bombing is not hard
Industrialized approach
Specialized frameworks and hacking tools, such as BlackHole 2.0 and others, allow easy setup for Host Hijacking and Phishing.
How easy is it? For $700: a 3-month license for BlackHole is available online. Includes support!
Is this real?
Recent “iPhone 5 Images Leak” was a Trojan Download Drive-By.
Is this real?
Persistent XSS vulnerable sites provide the infection platform:
+ Gmail, June 2012
+ Tumblr, July 2012
Is this real?
Sep 24th 2012, the FBI issued a warning of targeted scams:
• “Once compromised, keyloggers and RATs installed on the financial institution employee's computer provided the criminals with ‘complete access’.”
• “Unauthorized transactions were preceded by unauthorized logins that occurred outside of normal business hours.”
• “The DDoS attacks were likely used as a distraction.”
Non-Mitigations: Anti-Virus
The media view
“Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn’t. We were out of our league, in our own game.”
Source: http://www.wired.com/threatlevel/2012/06/internet-security-fail/
The hacker view
An entire industry exists to bypass anti-virus. Today, anti-virus stops between 6-27% of viruses.
Source: http://adamonsecurity.com/?p=323
The anti-virus vendor view
Hackers exploit ‘zero-day' bugs for 10 months on average before they're exposed.
Source: http://www.forbes.com/sites/andygreenberg/2012/10/16/hackers-exploit-software-bugs-for-10-months-on-average-before-theyre-fixed/
Protect and monitor the cheese
Problem: Most organizations chase the mice and don’t focus enough on protecting the cheese.
+ Much of security budgets spent on:
  – Malware detection
  – Virus prevention
+ Front-line/end-user defenses must be 100% accurate.
  – If one mouse gets past them the cheese is gone.
Mitigating Compromised Insiders
Step 1: Know what users do with data
+ Classify sensitive information: identifying the information within the corporate databases and file servers allows understanding of the risk and severity of data access.
+ Persistent security policy: a good security policy will allow you to put compensating controls in place while not disrupting business needs and maintaining security.
+ User rights: map your users’ rights. Understand who has access to what, and why there are dormant accounts.
+ Analyze, alert, and audit on activity: by keeping track of access and access patterns, it becomes easy to understand who accessed your data, what was accessed, and why.
Step #2: Look for aberrant behavior
What: weirdness probably means trouble.
How:
+ Profile normal, acceptable usage and access to sensitive items by
  – Volume
  – Access speed
  – Privilege level
+ Put in place monitoring or “cameras in the vault.”
Example: Databases
+ Check the entry method. Legitimate individuals should, typically, access data through a main door.
+ Monitor the activity of the individuals. If employees have been granted miscellaneous access permissions, monitor what they are doing. Malware from spear phishing typically causes unusual behavior.
+ Monitor the activity of privileged users. Database controls should track the activity of the privileged users and monitor what these privileged users are accessing.
Example: File Systems

| Feature | Copying folders | Routine access |
| --- | --- | --- |
| Selectivity | Nonselective: all subfolders and files accessed | Selective |
| Timing | Temporally continuous | Temporally irregular |
| Order | Recursive: directory accessed before its files | Random order: files can be accessed without directory |

Source: Catching Insider Data Theft with Stochastic Forensics, presented at Black Hat USA, August 2012.
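As an added example (not the deck's or Imperva's code), the following Python scores one user's file-access session against the copy-versus-routine features in the table above together with the volume and access-speed profile of step 2; the log format, the share layout and every threshold are assumptions made for the example:

```python
"""Folder-copy vs routine-access classifier over a constructed file-access log.
Added example, not the deck's or Imperva's code: it scores the slide's three
stochastic-forensics features plus the step 2 volume/speed profile; log
format, share layout and every threshold are assumptions."""
from dataclasses import dataclass
import posixpath
import statistics

# Assumed thresholds; tune them against a baseline of your own normal users.
NONSELECTIVE_COVERAGE = 0.9   # share of the tree's files touched
RECURSIVE_ORDER = 0.9         # share of files whose directory was opened first
CONTINUOUS_CV = 0.5           # coefficient of variation of inter-access gaps
HIGH_RATE_PER_MIN = 30.0      # files read per minute


@dataclass(frozen=True)
class Access:
    ts: float    # seconds since session start
    user: str
    path: str    # directories end with "/", files do not


def profile(events: list[Access], tree: dict[str, list[str]]) -> dict:
    """Compute the per-session features and the indicators they trip."""
    events = sorted(events, key=lambda e: e.ts)
    all_files = {posixpath.join(d, n) for d, names in tree.items() for n in names}
    file_events = [e for e in events if not e.path.endswith("/")]
    touched = {e.path for e in file_events} & all_files
    # Selectivity: a copy touches (almost) every file under the folder.
    coverage = len(touched) / len(all_files) if all_files else 0.0
    # Order: a recursive copy opens a directory before reading its files.
    dirs_seen: set[str] = set()
    ordered = 0
    for e in events:
        if e.path.endswith("/"):
            dirs_seen.add(e.path)
        elif posixpath.dirname(e.path) + "/" in dirs_seen:
            ordered += 1
    recursive = ordered / len(file_events) if file_events else 0.0
    # Timing: a copy is machine-paced (regular gaps); a person is irregular.
    stamps = [e.ts for e in events]
    gaps = [b - a for a, b in zip(stamps, stamps[1:])]
    if len(gaps) >= 2 and statistics.mean(gaps) > 0:
        cv = statistics.pstdev(gaps) / statistics.mean(gaps)
    else:
        cv = float("inf")   # too few events to call the session continuous
    # Volume and access speed (step 2 profile): files per minute of session.
    span = stamps[-1] - stamps[0] if len(stamps) > 1 else 0.0
    rate = len(file_events) / (span / 60.0) if span > 0 else 0.0
    indicators = [name for name, hit in (
        ("nonselective", coverage >= NONSELECTIVE_COVERAGE),
        ("recursive", recursive >= RECURSIVE_ORDER),
        ("continuous", cv <= CONTINUOUS_CV),
        ("high_rate", rate >= HIGH_RATE_PER_MIN)) if hit]
    verdict = "folder copy" if len(indicators) >= 3 else "routine access"
    return {"coverage": coverage, "recursive": recursive, "gap_cv": cv,
            "rate_per_min": rate, "indicators": indicators, "verdict": verdict}


# Constructed share listing and two constructed sessions (not real data).
TREE = {"/share/hr/": ["policy.docx", "orgchart.pdf", "salaries.xlsx"],
        "/share/hr/payroll/": ["q1.csv", "q2.csv", "q3.csv"]}
COPY_SESSION = [Access(0.5 * i, "bob", p) for i, p in enumerate([
    "/share/hr/", "/share/hr/policy.docx", "/share/hr/orgchart.pdf",
    "/share/hr/salaries.xlsx", "/share/hr/payroll/", "/share/hr/payroll/q1.csv",
    "/share/hr/payroll/q2.csv", "/share/hr/payroll/q3.csv"])]
ROUTINE_SESSION = [Access(0.0, "alice", "/share/hr/policy.docx"),
                   Access(60.0, "alice", "/share/hr/payroll/q2.csv"),
                   Access(3600.0, "alice", "/share/hr/policy.docx")]
```

Calling `profile(COPY_SESSION, TREE)` trips all four indicators, while the routine session trips none; a single session is only a signal, so the thresholds should be set from observed baselines of legitimate users before alerting on them.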
Conclusion: Rebalance the portfolio
Worldwide anti-virus spend: 2002 vs 2012
+ 2002: $1.44 Billion
+ 2012 (est.): $7.84 Billion
A 5x increase without the 5x improvement.
Source: Gartner, Worldwide Spending on Security by Technology Segment, Country and Region, 2010-2016 and 2002
Real World Incident
Organizations known to have been compromised:
• Saudi Aramco
• Goldman Sachs
• Global Payments
• SF Computer Systems
• Sandia National Labs
• CardSystems
• EPA
• Motorola
• Sberbank
• Google (Aurora)
• RSA
• Toyota
The list goes on ….
RSA – phishing mail
Mass phishing campaign against RSA employees
RSA – the exploit
Excel file with embedded Flash, exploiting a 0-day Flash vulnerability
Proliferation within the network
“With the trojan downloaded, the attackers then started harvesting credentials and made their way up the RSA food chain via both IT and non-IT personnel accounts, until they finally obtained privileged access to the targeted system.”
Source: http://www.pcmag.com/article2/0,2817,2382970,00.asp
RSA – the result
SecurID hacked
Mitigation in Action
Imperva SecureSphere – Database coverage
Coverage for heterogeneous databases: DB2, DB2 z/OS, DB2400, Informix, Netezza
Imperva Database Security Products
+ Database Activity Monitoring: full auditing and visibility into database activities
+ Discovery & Assessment Server: vulnerability assessment, configuration management, database discovery and classification
Deployment options
Diagram labels: Users; DBA/Sys admin; Management Server (MX); Agent Auditing; Network Auditing Gateway; Database Activity Monitoring.
Auditing database activity
Audit trail captures all database activity, including SELECT, DML, DDL, and privileged activities.
Details answer the who?, what?, where?, when? and how?
Screenshot labels: Privileged Operations; DB2 for z/OS Activity; Who? What? How? When? Where?; Complete Audit Trail.
Audit analytics
Pre-defined audit views provide quick and flexible access to audit details
Screenshot labels: Graphical Analysis; Drill down to audit data.
Real-time alerts on security events
+ SecureSphere provides real-time alerts on any security event and policy violation.
+ Dynamic Profiling enables identification of abnormal behaviors.
+ Alerts enable immediate response to minimize the impact of a breach.
Screenshot: profiling violation – unauthorized database and schema access. Labels: Destination; Date and Time; Alert Details; Source application; User.
Universal user tracking
Full user visibility and accountability
• Map application users to database activity
Diagram labels: User A; User B; Tech User.
Unified policies across heterogeneous platforms
+ No need to define special policies for mainframe databases.
+ Granular policies defined and managed through a centralized, friendly interface.
+ Preconfigured compliance policies and reports for SOX, PCI, and data privacy.
Diagram: define and apply policies to heterogeneous databases (DB2 for z/OS and other databases).
Webinar Materials
+ Post-webinar discussions
+ Answers to attendee questions
+ Webinar recording link
Join the Imperva LinkedIn Group, Imperva Data Security Direct, for…
www.imperva.com