Next-Generation Security and the Problem of Exploitation

Transcript of Next-Generation Security and the Problem of Exploitation

Page 1: Next-Generation Security and the Problem of Exploitation

April 2015

Matthew Ancelin, CISSP, CNSE

Page 2

Network: Old Methods vs. New Methods

Old methods:
• Port and protocol allow/block firewalling
• URL filtering, black lists
• Blacklisting of IP or range
• Standalone signature based IPS
• UTM: unified threat management
• Web gateways/Proxy

New methods:
• Visibility and Control
• Application based firewalling
• Integrated Threat Prevention
• SSL decryption/inspection
• Automated threat intelligence sharing
• Sandboxing

Page 3

Visibility and Control: Application based firewalling, SSL Decryption/Inspection, Integrated Threat Prevention

Page 4

Sharing is Cyber-Caring: Verizon’s 2015 Breach report

Source: Verizon 2015 Data Breach Investigations Report

Page 5

Sharing is Cyber-Caring: Verizon’s 2015 Breach report

Source: Verizon 2015 Data Breach Investigations Report

75% of attacks spread from victim 0 to victim 1 within 24 hours

Page 6

Sandboxing and Threat Intelligence…3 years later

WatchGuard – Dimension (threat intel only)

CheckPoint – Threat Emulation (sandbox), ThreatCloud service (intel, MSP)

Cisco (Sourcefire) – Threat Grid and AMP

Palo Alto Networks – WildFire Threat Intelligence Cloud

McAfee – TrustedSource (threat intel only – IP/Domain)

Fortinet – FortiSandbox

FireEye – core product + Threat Intelligence

BlueCoat – Malware Analysis Appliance

Source: www.watchguard.com

Page 7

Sandboxing and Automated Threat Intelligence sharing

[Diagram; labels only: AV Signatures, DNS Signatures, C&C Signatures; Malware URL Filtering; Sandbox; Global install base and Threat Intel Consortium; SIEM; AV data; Network data; other]

Page 8

Endpoint Protection

“Anti-virus is Dead”

Source: Wall Street Journal, May 2014

Page 9

Endpoint: Old Methods vs. New Methods

Old methods:
• Signature matching
• Heuristics
• Kernel-level root-kit protection
• Cloud based updates
• Web threat protection
• IP Reputation services
• Registry cleaners

New methods:
• Micro-virtualization
• Task introspection
• Process/App whitelisting
• Automated threat intelligence
• Exploit trapping
• Sandboxing
• Predictive math modeling
• Either Prevent or Detect/Remediate

Page 10

Application Whitelisting

Source: www.talk.pharma-mkting.com

Page 11

Micro virtualization

Source: www.bromium.com

Page 12

Predictive Math Modeling

Source: www.cylance.com

Page 13

Traps – Exploit Trapping by Technique

Individual Attacks (Software Vulnerability Exploits): thousands of new vulnerabilities and exploits per year (1,000s/yr)

Core Techniques (Exploitation Techniques): in the past 3 years, 2 new techniques have been discovered (1 or 2/yr)

Source: www.cvedetails.com

Page 14

Prevention of One Technique in the Chain will Block the Entire Attack

Exploit Prevention Case Study: Unknown Exploits Utilize Known Techniques

DLL Security

IE Zero Day (CVE-2013-3893): Heap Spray → DEP Circumvention → ROP/Utilizing OS Function

Adobe Reader (CVE-2013-3346): Heap Spray → DEP Circumvention → Utilizing OS Function

Adobe Flash (CVE-2015-3010/0311): ROP → JiT Spray → Utilizing OS Function
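An added example (not from the slides) that models the argument of pages 13 and 14: a per-CVE signature stops only exploits already known to it, whereas trapping one core technique stops every chain that uses it, including an exploit the defender has never seen. The three chains come from the table above; the technique identifiers and the fourth, never-seen chain with the placeholder id CVE-UNKNOWN-0001 are constructed for illustration.

```python
# Added example: signature coverage vs. technique coverage.
# The first three chains are the case-study rows on page 14; the fourth is a
# constructed "never seen before" exploit (placeholder id) that reuses the same
# core techniques, which is the situation the slide title describes.
from itertools import combinations

CHAINS = {
    "CVE-2013-3893 (IE zero day)":      ["heap_spray", "dep_circumvention", "rop", "os_function"],
    "CVE-2013-3346 (Adobe Reader)":     ["heap_spray", "dep_circumvention", "os_function"],
    "CVE-2015-3010/0311 (Adobe Flash)": ["rop", "jit_spray", "os_function"],
    "CVE-UNKNOWN-0001 (constructed)":   ["heap_spray", "rop", "os_function"],
}


def blocked_by_signatures(chains, known_cves):
    """Signature model: an attack is stopped only if its CVE id is already known."""
    return {name for name in chains if name.split(" ")[0] in known_cves}


def blocked_by_traps(chains, trapped_techniques):
    """Technique model: breaking any one link in the chain stops the whole attack."""
    return {name for name, chain in chains.items()
            if any(step in trapped_techniques for step in chain)}


def minimal_trap_set(chains):
    """Smallest set of trapped techniques that blocks every chain.
    Brute-force set cover; fine for the handful of techniques on the slide."""
    techniques = sorted({step for chain in chains.values() for step in chain})
    for size in range(1, len(techniques) + 1):
        for combo in combinations(techniques, size):
            if blocked_by_traps(chains, set(combo)) == set(chains):
                return set(combo)
    return set(techniques)


if __name__ == "__main__":
    known = {"CVE-2013-3893", "CVE-2013-3346", "CVE-2015-3010/0311"}
    # Signatures cover the three known CVEs but miss the constructed unknown one.
    print("signatures block:", sorted(blocked_by_signatures(CHAINS, known)))
    # Trapping a single technique blocks every chain that contains it, known or not.
    print("trapping heap_spray blocks:", sorted(blocked_by_traps(CHAINS, {"heap_spray"})))
    # 'Utilizing OS Function' appears in every row, so one trap covers all four.
    print("minimal trap set:", minimal_trap_set(CHAINS))
```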

Page 15

Are exploits really the problem?

99.9% of the exploited vulnerabilities were compromised more than 1 year after the CVE was published.

~50% of 2014 CVEs exploited fell within 2 weeks of announcement.

Source: Verizon 2015 Data Breach Investigations Report

Page 16

How does exploit trapping fare against a sophisticated APT?

Page 17

Traps stops 0-day exploits without prior knowledge of them

Page 18

Attacks LEAD with exploits

Nov 2014: Operation CloudyOmega
Nov 2014: Dark Hotel campaign
Oct 2014: SandWorm
Oct 2014: Hurricane Panda
Feb 2014: Operation SnowMan (MS IE 0-day exploit)
Sept 2013: Ichitaro Zero Day
Feb 2014: IE 0-day, Watering Hole attack
Feb 2014: ‘The Mask’ Campaign
Dec 2013: Operation KeyChang
Oct 2013: Egobot Campaign
Sept 2013: Icefog campaign
Sept 2013: EvilGrab campaign
June 2013: NetTraveler campaign

…this pattern repeats over and over again

Page 19

Social Engineering 101 – determine an Attack Vector

Page 20

Social Engineering 101 – determine an Attack Vector

Upgrade to Office 2010

Page 21

Page 22

Page 23

Social Engineering 101 – deliver the Attack

Page 24

Social Engineering 101 – deliver the Attack

SEND US YOUR RESUME

Page 25