Protect Your Organization from Advanced Threats: The APT ...iof.org.sa/files/confrences/Information...


Page 1: Protect Your Organization from Advanced Threats: The APT and Your Users

ANUP GHOSH, PHD
FOUNDER AND CEO, INVINCEA

Page 2: Every Organization is Under Attack

NATION STATES. Motives include:
• Cyber espionage
• Intellectual Property Theft
• Probing of Critical Infrastructures

CYBER CRIMINALS. Motives include:
• Identity theft
• Corporate financial fraud
• Black market sales to Nation States
• Probing of Financial Infrastructures

HACKTIVISTS. Motives include:
• Political action
• Shaming major corporations
• Attacking specific executives
• Exposing corporate trade secrets

Also on the slide: Competition, Auditors

Page 3: A Problem of Pandemic Proportions

’11, ’12 and ’13 (so far) bloodiest years on record…
• “White House” eCard (spear-phishing)
• HBGary Federal (social engineering)
• Night Dragon (spear-phishing)
• London Stock Exchange Website (watering-hole)
• French Finance Ministry (spear-phishing)
• DuPont, J&J, GE (spear-phishing)
• Charlieware (poisoned SEO)
• Nasdaq (spear-phishing)
• Office of Australian Prime Minister (spear-phishing)
• RSA (spear-phishing)
• Epsilon (spear-phishing)
• Barracuda Networks (spear-phishing)
• Oak Ridge National Labs (spear-phishing)
• Lockheed Martin (spear-phishing)
• Northrop Grumman (spear-phishing)
• Gannett Military Publications (spear-phishing)
• PNNL (spear-phishing)
• ShadyRAT (spear-phishing)
• DIB and IC campaign (spear-phishing)
• ‘Voho’ campaign (watering-holes and spear-phishing)
• ‘Mirage’ campaign (spear-phishing)
• ‘Elderwood’ campaign (spear-phishing)
• White House Military Office (spear-phishing)
• Telvent compromise (spear-phishing)
• Council on Foreign Relations (watering hole)
• Capstone Turbine (watering hole)
• RedOctober (spear-phishing)
• Speedtest.net (watering-hole/drive-by)
• DoE (spear-phishing)
• Federal Reserve (spear-phishing)
• Bit9 (TBD)

Cannot keep this slide up to date…

Page 4: Alarming Malware Statistics

• 280 million malicious programs detected in April 2012*
• 80,000+ new malware variants daily**
• 134 million web-borne infections detected (48% of all threats) in April 2012*
• 24 million malicious URLs detected in April 2012*
• 30,000+ new malicious URLs daily**
• 85.8% of malicious programs on the Internet involve a malicious URL*
• Organizations witnessing an average of 643 malicious URL events per week***
• 225% increase from 201**

* Kaspersky April 2012 Threat Report
** Panda Labs Q1 2012 Internet Threat Report
*** FireEye September 2012 Advanced Threats Report

Page 5: The Primary Target – The Unwitting Accomplices

The User = The #1 Attack Vector

• Ubiquitous usage of Internet and Email has enabled adversaries to shift tactics
• Prey on human psychology
• Spear Phishing – The New Black
  • Drive by Downloads
  • Malicious sites
  • Weaponized Attachments
• Watering Hole Attacks
  • Hijacked trusted sites
• Trust in social networks
  • Facebook, Twitter, LinkedIn
• Faith in Internet search engines
  • Poisoned SEO
• User Initiated Infections
  • Fake A/V and fear mongering

Page 6: Enterprise Security Architecture for Addressing APT

Controls surveyed, each charted as In Use | Confidence*: Firewalls/Web Proxies, Network Controls, Anti-Virus, Forensics and IR, User Training, App Whitelisting

Chart values as extracted (row pairing recoverable only for App Whitelisting):
84% 66%
34% 92% 64% 31% 55% 52% 17% 40%
App Whitelisting: 22% in use, 49% confidence

*Invincea APT Survey Q4 2012

Page 7: Mapping the APT Kill Chain

Stage 1: Reconnaissance – Research the target
Stage 2: Attack Delivery – Spearphish with URL links and/or attachment
Stage 3: Client Exploit & Compromise – Vulnerability exploited or user tricked into running executable
Stage 4: C2 – Remote Command & Control
Stage 5: Internal Recon – Scan network for targets
Stage 6: Lateral Movement – Colonize network
Stage 7: Establish Persistence – Root presence to re-infect as machines are remediated
Stage 8: Stage Data & Exfil – Archive/encrypt, leak to drop sites
Stage 9: Incident Response – Analysis, remediation, public relations, damage control

Page 8: Einstein’s Definition of Insanity

Security Insanity Cycle:
• Patching software as vulnerabilities are made public
• Detecting intruders and infected systems after the fact
• Recovering and restoring the infected machines back to a clean state

Page 9: Addressing the Critical Vulnerability in Java 7

“Uninstall Java…”

Page 10: Addressing the Critical Vulnerability in IE

“Stop Using IE…”

Page 11: Addressing the Pandemic of Spear-Phishing

“Don’t Click on Links You Don’t Trust…”

Page 12: Protecting the Network from the User

Page 13: Time to Rethink Security

If… you could negate user error
And… contain malware in a virtual environment
And… stop zero-days in their tracks without signatures
Then… preventing APT exploits is possible

“Making Prevention Possible Again”

Page 14: Browser Exploits & Spear-Phishing Are the Primary Attack Vector

Page 15: Contain the Contaminants

Prevention – Protect every user and the network from their error
Detection – Detect zero-day attacks without signatures
Pre-Breach Forensics – Feed actionable forensic intelligence without the breach

Page 16: Virtualizing Vulnerable Apps in Secure Containers

DETECTION | PREVENTION | INTELLIGENCE

Page 17: Containment and Detection

Diagram: Physical Hardware; Host Operating System; Invincea Isolation layer hosting the Web Browser, Plug-Ins and Acrobat Reader (Virtualized Process Control / Filesystem / Registry). Incoming Threats land inside the isolated environment; Forensic Detail flows to the Central Threat Data Server.

• Invincea builds a contained virtual environment local to the desktop
• Contained environment runs all untrusted content
• Behavioral based detection engine monitors the contained environment
• User receives an alert at point of infection
• Forensic detail is fed to Invincea Threat Data Server
• Complete virtual environment is discarded

Page 18: Containment and Detection (continued)

Diagram: Physical Hardware; Host Operating System; Internet Explorer / Acrobat Reader running in the isolated environment (Virtualized Process Control / Filesystem / Registry). The bullets repeat those of Page 17.

Page 19: Automatic Remediation

Diagram: Physical Hardware; Host Operating System; Invincea Isolation layer holding the Virtual Environment.

• Invincea completely rebuilds new environment
• User is back up and running in a matter of seconds

Virtual Container restores back to pristine state off “Gold” image

Breach Prevention Platform

Page 20: Breaking the APT Kill Chain

Containment | Detection | Prevention | Intelligence
• Highly targeted apps run in contained environment
• Behavioral based detection spots all malware including 0-days
• Automatic kill and remediation to clean state
• Forensic intelligence on thwarted attacks fed to broader infrastructure

Threat Data Server
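The containment-and-detection loop of Pages 17 to 20, with each detection rule labelled by the kill-chain stage from Page 7 that it indicates, as an added Python example. This is not Invincea's code: the event fields, the four behavioral rules, the image names, the gold image and the two sample sessions are constructed assumptions chosen to show the shape of the design, namely untrusted apps running against virtualized filesystem and registry state, rules firing on what happens inside, forensic detail captured, and the environment discarded and rebuilt from gold.

```python
"""Behavioral detection for a disposable container (added example).

Constructed model of the containment-and-detection loop on the slides, not
Invincea's code. Untrusted apps run in a container with virtualized file and
registry state; a rule engine watches the container's events; a hit is
labelled with the kill-chain stage it indicates, forensic detail is recorded,
and the container is rebuilt from a gold image. Fields, rules, image names
and sample events are assumptions for illustration, not a product schema.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set

# Kill-chain stages from the slides, used to label what each rule catches.
STAGE_EXPLOIT = "Stage 3: Client Exploit & Compromise"
STAGE_C2 = "Stage 4: C2"
STAGE_PERSIST = "Stage 7: Establish Persistence"

# Apps the container is meant to host (assumed); anything else they spawn is suspect.
CONTAINED_APPS = {"iexplore.exe", "plugin-container.exe", "acrord32.exe"}
# Autorun keys whose modification indicates an attempt to persist.
RUN_KEYS = (
    "hkcu\\software\\microsoft\\windows\\currentversion\\run",
    "hklm\\software\\microsoft\\windows\\currentversion\\run",
)


@dataclass
class Event:
    kind: str                     # "process", "file", "registry" or "network"
    actor: str                    # image name of the process doing the action
    target: str                   # child image, file path, registry key or host:port
    parent: Optional[str] = None  # actor's parent image, when known


@dataclass
class Alert:
    rule: str
    stage: str
    event: Event


@dataclass(frozen=True)
class GoldImage:
    files: frozenset
    registry: frozenset


@dataclass
class Container:
    """Disposable environment; its state diverges from gold as content runs."""
    gold: GoldImage
    files: Set[str] = field(default_factory=set)
    registry: Set[str] = field(default_factory=set)
    forensics: List[dict] = field(default_factory=list)
    generation: int = 0           # how many times it has been rebuilt

    def __post_init__(self) -> None:
        self.files = set(self.gold.files)
        self.registry = set(self.gold.registry)

    def reset(self) -> None:
        """Discard the environment and restore the pristine gold state."""
        self.files = set(self.gold.files)
        self.registry = set(self.gold.registry)
        self.generation += 1


Rule = Callable[[Event], Optional[Alert]]


def rule_foreign_child(ev: Event) -> Optional[Alert]:
    """A contained app launched an executable that is not itself a contained app."""
    if ev.kind == "process" and ev.actor in CONTAINED_APPS and ev.target not in CONTAINED_APPS:
        return Alert("contained app spawned foreign process", STAGE_EXPLOIT, ev)
    return None


def rule_exe_drop(ev: Event) -> Optional[Alert]:
    """An executable was written under a Temp directory."""
    path = ev.target.lower()
    if ev.kind == "file" and path.endswith(".exe") and "\\temp\\" in path:
        return Alert("executable written under Temp", STAGE_EXPLOIT, ev)
    return None


def rule_autorun_write(ev: Event) -> Optional[Alert]:
    """Something inside the container wrote to an autorun key."""
    if ev.kind == "registry" and ev.target.lower().startswith(RUN_KEYS):
        return Alert("autorun registry key modified", STAGE_PERSIST, ev)
    return None


def rule_spawned_beacon(ev: Event) -> Optional[Alert]:
    """A process that a contained app spawned opened its own network connection."""
    if ev.kind == "network" and ev.actor not in CONTAINED_APPS and ev.parent in CONTAINED_APPS:
        return Alert("outbound connection from spawned process", STAGE_C2, ev)
    return None


RULES: List[Rule] = [rule_foreign_child, rule_exe_drop, rule_autorun_write, rule_spawned_beacon]


def run_session(container: Container, events: List[Event], rules: List[Rule] = RULES):
    """Apply one session's events to the container and evaluate the rules.

    Returns (alerts, forensic_record). The whole session is recorded so the
    forensic record is complete; if anything fired, the record is kept and the
    container is discarded and rebuilt from gold, as the slides describe.
    """
    alerts: List[Alert] = []
    for ev in events:
        if ev.kind == "file":
            container.files.add(ev.target)
        elif ev.kind == "registry":
            container.registry.add(ev.target)
        for rule in rules:
            hit = rule(ev)
            if hit is not None:
                alerts.append(hit)
    if not alerts:
        return alerts, None
    record = {
        "alerts": [(a.rule, a.stage) for a in alerts],
        "dropped_files": sorted(container.files - container.gold.files),
        "registry_changes": sorted(container.registry - container.gold.registry),
        "network": [a.event.target for a in alerts if a.event.kind == "network"],
    }
    container.forensics.append(record)
    container.reset()
    return alerts, record


# Constructed sample data: a gold image and two browsing sessions.
GOLD = GoldImage(
    files=frozenset({"C:\\Program Files\\Internet Explorer\\iexplore.exe"}),
    registry=frozenset({"HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page"}),
)


def clean_session_events() -> List[Event]:
    """Ordinary browsing: plug-in launch, a PDF download, the browser's own traffic."""
    return [
        Event("process", "iexplore.exe", "plugin-container.exe"),
        Event("file", "iexplore.exe", "C:\\Users\\alice\\Downloads\\report.pdf"),
        Event("registry", "iexplore.exe", "HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page"),
        Event("network", "iexplore.exe", "intranet.example.test:443", parent="explorer.exe"),
    ]


def infected_session_events() -> List[Event]:
    """A drive-by (constructed): payload dropped to Temp, launched, persisted, beaconing."""
    return [
        Event("file", "iexplore.exe", "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"),
        Event("process", "iexplore.exe", "update.exe"),
        Event("registry", "update.exe", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
              parent="iexplore.exe"),
        Event("network", "update.exe", "203.0.113.10:443", parent="iexplore.exe"),
    ]


if __name__ == "__main__":
    box = Container(GOLD)
    for name, events in (("clean", clean_session_events()), ("infected", infected_session_events())):
        alerts, record = run_session(box, events)
        print(f"{name}: {len(alerts)} alert(s), container generation {box.generation}")
        for a in alerts:
            print(f"  [{a.stage}] {a.rule}: {a.event.actor} -> {a.event.target}")
        if record:
            print("  forensic record:", record["dropped_files"], record["registry_changes"])
```

The clean session leaves the container's state untouched apart from a downloaded PDF and fires nothing; the infected session trips all four rules, the forensic record captures the dropped file, the autorun key and the beacon destination before anything is reported upstream, and the container comes back at generation 1 with exactly the gold state. Processing the whole session before discarding is a design choice here so the record is complete; a production engine would also raise the user-facing alert at the first hit.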

Page 21: Threat Data Server Analytics

Page 22: Cyber Forensics to Attribution

Peanut Butter & Chocolate
• Real-time forensics from corporations and individuals getting spearphished or water-holed
• All Source Intelligence of active campaigns
  • Intel
  • LE
  • Private Sector
• Together we build a complete story:
  • Who has been targeted
  • What was obtained
  • TTPs
  • Actors

Page 23: Fusing Forensics with Intelligence for Attribution

Real-time forensics is collected globally from Invincea protected users and sent to Invincea Threat Data Servers.
Threat information is shared with partners.
Link analysis between C2 domains, IPs, registering entities, addresses, and known campaigns points to adversaries in near real-time.
Every attack is intel gain used to track the adversary with no breach or loss of data.
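The link analysis this page describes, as an added Python example that is not Invincea's code: forensic records from thwarted attacks become nodes and edges in an indicator graph (domains, resolved IPs, WHOIS registrants, analyst-assigned campaign labels), and a newly observed C2 domain is tied to a known campaign by walking shared infrastructure. All indicators are constructed (RFC 5737 addresses and .test names), the campaign labels are placeholders, and the `hub_limit` parameter is this example's own device for the main failure mode of the technique, shared hosting or parking addresses that would otherwise link unrelated actors.

```python
"""Link analysis over C2 indicators (added example, not Invincea's code).

The slide states that link analysis between C2 domains, IPs, registering
entities and known campaigns points to adversaries in near real-time. Here
forensic records become an indicator graph and a breadth-first walk across
shared infrastructure attributes a new domain to a tagged campaign. Every
indicator below is constructed (RFC 5737 addresses, .test names).
"""
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Optional


class IndicatorGraph:
    def __init__(self) -> None:
        self.adj: Dict[str, set] = defaultdict(set)
        self.campaigns: Dict[str, str] = {}  # node -> analyst-assigned campaign label

    @staticmethod
    def node(kind: str, value: str) -> str:
        return f"{kind}:{value.lower()}"

    def link(self, a: str, b: str) -> None:
        self.adj[a].add(b)
        self.adj[b].add(a)

    def add_record(self, domain: str, ips: Iterable[str] = (), registrant: Optional[str] = None,
                   campaign: Optional[str] = None) -> None:
        """Add one forensic record: a C2 domain, its resolutions and its WHOIS registrant."""
        d = self.node("domain", domain)
        _ = self.adj[d]  # an unlinked domain still exists as a node
        for ip in ips:
            self.link(d, self.node("ip", ip))
        if registrant:
            self.link(d, self.node("registrant", registrant))
        if campaign:
            self.campaigns[d] = campaign

    def attribute(self, domain: str, max_hops: int = 4,
                  hub_limit: Optional[int] = None) -> Dict[str, List[str]]:
        """BFS from a domain across shared IPs and registrants.

        Returns {campaign: path} for every tagged node reached within max_hops.
        hub_limit skips pivot nodes with more neighbours than that, so a shared
        hosting or parking IP is not taken as evidence of a common actor.
        """
        start = self.node("domain", domain)
        if start not in self.adj:
            return {}
        parent: Dict[str, Optional[str]] = {start: None}
        queue = deque([(start, 0)])
        found: Dict[str, List[str]] = {}
        while queue:
            n, depth = queue.popleft()
            if n != start and n in self.campaigns:
                found.setdefault(self.campaigns[n], self._path(parent, n))
            if depth == max_hops:
                continue
            for m in self.adj[n]:
                if m in parent:
                    continue
                if hub_limit is not None and len(self.adj[m]) > hub_limit:
                    continue  # too promiscuous to be evidence of a shared actor
                parent[m] = n
                queue.append((m, depth + 1))
        return found

    @staticmethod
    def _path(parent: Dict[str, Optional[str]], n: Optional[str]) -> List[str]:
        path: List[str] = []
        while n is not None:
            path.append(n)
            n = parent[n]
        return path[::-1]


def build_demo_graph() -> IndicatorGraph:
    """Constructed records: two tagged campaigns, a shared-hosting IP, two new C2 domains."""
    g = IndicatorGraph()
    # Previously attributed infrastructure (placeholder campaign labels).
    g.add_record("update-check.example.test", ["198.51.100.20"], "ops-a@mail.example.test",
                 campaign="Campaign A (constructed)")
    g.add_record("cdn-static.example.test", ["203.0.113.77", "192.0.2.1"], "b-reg@mail.example.test",
                 campaign="Campaign B (constructed)")
    # 192.0.2.1 plays a shared hosting address: many unrelated sites resolve to it.
    for i in range(7):
        g.add_record(f"site{i}.example.test", ["192.0.2.1"])
    # New C2 domains seen in thwarted attacks, not yet attributed.
    g.add_record("news-mirror.example.test", ["198.51.100.21"], "ops-a@mail.example.test")
    g.add_record("sync.example.test", ["192.0.2.1"])
    return g


if __name__ == "__main__":
    g = build_demo_graph()
    for dom in ("news-mirror.example.test", "sync.example.test"):
        print(dom, "->", g.attribute(dom, hub_limit=5) or "no attribution")
```

`news-mirror.example.test` shares only a registrant with Campaign A, and the returned path shows that pivot, which is the evidence an analyst wants to see before accepting the link. `sync.example.test` shares only a nine-domain hosting address with Campaign B: without `hub_limit` the walk attributes it, with `hub_limit=5` it does not. Degree is the crudest possible weight; real pipelines score edges by how exclusive the shared attribute is (registrant e-mails and name servers weigh more than popular hosting IPs) and decay confidence with hop count.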

Page 24: Improve Efficiency & Reduce Costs

• Fewer successful intrusions
  – Lower incident response costs
  – Lower re-imaging costs
• Software patching in scheduled cycles vs. emergency
• Use gathered threat intelligence to improve effectiveness of existing security infrastructure
• Improve morale and productivity of operational personnel
• Improve national security and reduce data loss

Page 25: Case Study 1 – Speedtest.net Drive-by Exploit

Drive-by Download / Watering Hole Attack. Exploit running for days on Speedtest.net website (boasts 4 BILLION+ visits).
• Whitelisted or blacklisted website? More than likely whitelisted
• Increasingly common poisoning tactic from adversaries

See http://www.invincea.com/2013/02/popular-site-speedtest-net-compromised-by-exploitdrive-by-stopped-by-invincea/ or www.invincea.com/blog for analysis

Page 26: Case Study 2 – Spear Phishing by Office Document

Weaponized Office Document (Word) Used to Spread Adobe 0day (CVE-2013-0634)
• Spoofed document looking like IEEE as the author (community of interest being targeted)
• No protection from anti-virus given 0day nature
• Increasingly common poisoning tactic from adversaries

See http://www.invincea.com/2013/02/exploit-down-analysis-and-protection-against-adobe-flash-exploit-cve-2013-0634/ or www.invincea.com/blog for analysis

Page 27: For Follow-Up

Anup Ghosh: [email protected]
Go ahead…spear-phish me!
www.invincea.com
Twitter: @Invincea, @AnupGhosh_