Malware & APT risks for Critical Infrastructures
Ashar Aziz, Founder, CEO & CTO, FireEye, Inc.
2011 NERC GridSecCon, October 18-20, 2011
2 RELIABILITY | ACCOUNTABILITY
The Evolving Threat Landscape
• # of threats are up 10X
• Nature of threats changing
– From broad, scattershot to focused, targeted
• Pace of advanced attacks accelerating
– High profile attacks commonplace – RSA, Citicorp, Epsilon, Lockheed…
“71% of surveyed IT Security Professionals said the ‘changing/evolving nature of threats’ is a major challenge or challenge.” – Forrester, 2011
Advanced Malware Infection Lifecycle
1. System gets exploited: drive-by attacks in casual browsing; links in targeted emails; socially engineered binaries
2. Dropper malware installs: first step to establish control; calls back out to criminal servers; found on compromised sites and on Web 2.0, user-created content sites
3. Malicious data theft & long-term control established: uploads data stolen via keyloggers, Trojans, bots & file grabbers; one exploit leads to dozens of infections on the same system; criminals have built long-term control mechanisms into the system
Diagram labels: Compromised Web server or Web 2.0 site; Callback Server; DMZ; Email Servers; Anti-spam; Perimeter Security (signature, rule-based); Other gateway (list-based, signatures); Desktop antivirus (losing the threat arms race)
0-day Web exploit followed by masked binary: Operation Aurora attack structure
1. System gets exploited: exploited IE 6 zero-day vulnerability; exploit code contains the decryption software
2. Web server delivers malware: XOR-encoded malware EXE delivered; exploit code decrypts the binary; on the wire it looks like a .JPG object; second-phase object linked to the first-phase exploit; dynamic analysis of the encrypted binary not possible (out of context); static analysis of the encrypted binary not possible (looks like a jpg)
3. Diagram labels for the final stage: Gmail; Src Code; Passwords
Diagram labels: Malicious Web server; Callback Server; Desktop antivirus (losing the threat arms race)
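The slide's point is that a masked second-stage binary defeats both static and dynamic analysis when the decryption routine lives in the exploit. The check below is an added example, not FireEye's code and not part of the original deck: it shows the two cheap network-side heuristics a defender can still apply to such an object, a declared-type versus magic-bytes mismatch, and a single-byte XOR sweep that looks for a PE header behind the mask. The sample payload is a constructed MZ/PE header stub, not a real executable; the XOR sweep only covers the single-byte key case, which is why the slide's "out of context" problem remains for anything keyed from the exploit itself.

```python
import struct

JPEG_MAGIC = b"\xff\xd8\xff"  # JPEG start-of-image marker


def build_masked_sample(key: int) -> bytes:
    """Constructed stand-in for a dropper EXE, XOR-masked with one byte.

    Only the MZ header, e_lfanew pointer and PE signature are laid out;
    everything else is filler. This is test input, not a real binary.
    """
    # 2 bytes 'MZ' + 58 bytes filler = 60 bytes, so e_lfanew lands at offset 0x3C.
    dos_header = b"MZ" + b"\x90" * 58 + struct.pack("<I", 0x80)
    body = dos_header + b"\x00" * (0x80 - len(dos_header)) + b"PE\x00\x00" + b"\x00" * 200
    return bytes(b ^ key for b in body)


def declared_type_mismatch(declared_content_type: str, payload: bytes) -> bool:
    """True when the response claims image/jpeg but the bytes lack the JPEG marker."""
    if declared_content_type.lower().startswith("image/jpeg"):
        return not payload.startswith(JPEG_MAGIC)
    return False


def find_xor_masked_pe(payload: bytes):
    """Sweep all 256 single-byte XOR keys; return the key that reveals a PE, else None.

    A hit requires both the 'MZ' DOS signature and a 'PE\\0\\0' signature at the
    offset stored in e_lfanew, so a random two-byte coincidence is not enough.
    """
    if len(payload) < 0x40:
        return None
    for key in range(256):
        # Cheap pre-check: the first two decoded bytes must be 'MZ'.
        if payload[0] ^ key != 0x4D or payload[1] ^ key != 0x5A:
            continue
        decoded = bytes(b ^ key for b in payload)
        e_lfanew = struct.unpack_from("<I", decoded, 0x3C)[0]
        if e_lfanew + 4 <= len(decoded) and decoded[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return key
    return None


def triage(declared_content_type: str, payload: bytes) -> dict:
    """Combine both heuristics into one verdict for a fetched object."""
    key = find_xor_masked_pe(payload)
    return {
        "type_mismatch": declared_type_mismatch(declared_content_type, payload),
        "xor_key": key,
        "suspicious": declared_type_mismatch(declared_content_type, payload) or key is not None,
    }


if __name__ == "__main__":
    masked = build_masked_sample(0x5A)
    print(triage("image/jpeg", masked))
    print(triage("image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 64))
```

Neither heuristic replaces detonation: a genuine JPEG carrying an exploit passes the first check, and a multi-byte or exploit-supplied key passes the second, which is exactly the gap the slide describes.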
BUT – This is only the Tip of the Iceberg
Above the surface: Headline Grabbing Attacks
Thousands More Below the Surface: APT Attacks; Zero-Day Attacks; Polymorphic Attacks; Targeted Attacks
FireEye POV: MPS systems go in After Existing Defenses
Diagram labels: Headquarters; Egress Router; Firewall; Core Switch; Users with desktop AV; MPS 7000; Internet; Web Proxy with AV, URL blocking (maybe); IPS (maybe)
If we see it, it’s because everyone else missed it. So we don’t have a sample of everything: we have a sample of good new threats that are succeeding.
FireEye Inc Confidential – Do Not Distribute Based on Preliminary Analysis
So, How Much Malware Do We See?
The Long Tail of Malware
How Dynamic is Malware? Binary MD5s
How Dynamic is Malware? Bad Domains
APT Actors & Crimeware Actors: An unholy alliance
Crimeware Actors → APT Actors: sell compromised systems to
APT Actors → Crimeware Actors: sell used 0-day exploits
FireEye Case Study: Wermud Trojan
Crimeware elevation to APT
– [March 2011] Created and used by APT
– [15 March 2011] FireEye created callback rules
– [April 2011] Wermud passed to crimeware actors
– [June 2011] Seen used by FakeAV (crimeware)
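The Wermud timeline turns on one defensive artefact, the callback rule written in March 2011, and the lifecycle slide earlier in the deck makes the same point: the dropper must call back out, so the callback is where a defender can see it regardless of which group owns the implant that week. The code below is an added example, not FireEye's rules and not part of the original deck. It runs two kinds of callback check over constructed proxy log lines: an indicator match against a known-callback domain list (which the "Bad Domains" slide implies goes stale quickly), and a behavioural check that flags a client contacting one host at near-constant intervals, which survives a domain change. All hostnames, addresses and the `KNOWN_CALLBACK_DOMAINS` list are constructed placeholders.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines, not real traffic. Format assumed here:
# <ISO timestamp> <client ip> <method> <url> <status>
SAMPLE_LOG = """\
2011-06-01T10:00:00 10.0.0.5 GET http://www.example.com/index.html 200
2011-06-01T10:00:03 10.0.0.5 GET http://beacon.invalid/check.php?id=1 200
2011-06-01T10:05:03 10.0.0.5 GET http://beacon.invalid/check.php?id=1 200
2011-06-01T10:10:04 10.0.0.5 GET http://beacon.invalid/check.php?id=1 200
2011-06-01T10:15:03 10.0.0.5 GET http://beacon.invalid/check.php?id=1 200
2011-06-01T10:20:03 10.0.0.5 GET http://beacon.invalid/check.php?id=1 200
2011-06-01T10:02:10 10.0.0.7 GET http://www.example.com/news 200
2011-06-01T10:09:41 10.0.0.7 GET http://www.example.com/news/2 200
2011-06-01T10:31:05 10.0.0.7 GET http://www.example.com/about 200
2011-06-01T10:40:00 10.0.0.7 GET http://www.example.com/index.html 200
2011-06-01T10:41:00 10.0.0.7 GET http://www.example.com/index.html 200
2011-06-01T10:12:00 10.0.0.9 GET http://known-bad.example/gate.php 200
"""

# Constructed indicator list standing in for a published callback-domain feed.
KNOWN_CALLBACK_DOMAINS = {"known-bad.example"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\w+)://([^/\s]+)(\S*) (\d{3})$")


def parse_log(text: str):
    """Return (timestamp, client, host) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(5)))
    return events


def list_matches(events):
    """Rule 1: any client that contacted a host on the indicator list."""
    return sorted({(src, host) for _, src, host in events if host in KNOWN_CALLBACK_DOMAINS})


def find_beacons(events, min_hits: int = 5, max_cv: float = 0.1):
    """Rule 2: per (client, host), flag near-periodic contact.

    The coefficient of variation (stdev / mean) of the inter-request gaps is
    close to zero for a timer-driven implant and large for human browsing.
    """
    by_pair = defaultdict(list)
    for ts, src, host in events:
        by_pair[(src, host)].append(ts)
    flagged = []
    for (src, host), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            flagged.append({"src": src, "host": host, "hits": len(times),
                            "period_s": round(mean), "cv": round(cv, 3)})
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("indicator hits:", list_matches(evs))
    print("beacons:", find_beacons(evs))
```

In the sample, 10.0.0.9 is caught only by the list and 10.0.0.5 only by the periodicity check; the browsing client 10.0.0.7 makes the same number of requests to one host but its gaps vary too much to be flagged. Jittered implants raise the CV deliberately, so `max_cv` is a tuning knob, not a constant.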
Summary
• Malware is rampant inside enterprise networks, easily infiltrating existing defenses
• APT attacks can occur as unique exploits, e.g. the Aurora and RSA attacks
• BUT: if you have a fair amount of common malware infections (crimeware), you may never see unique APT attacks
• APT actors may simply leverage your existing crimeware backdoors
• Therefore, you still have to respond to the low-grade crimeware attacks, because they can become high-grade APTs for a valuable target