
From Traditional Malware to Targeted Attacks

Raimund Genes, Chief Technology Officer, Trend Micro

Page 2 (image only)

Page 3

Diagram of the traditional outbreak path: Internet, Gateway, Exchange Server, PCs; 150 infected mails.

Page 4

Crimeware: Evolution to Cybercrime (chart: damage caused by cybercrime over time)

Timeline 2001, 2003, 2004, 2005, 2007, 2010: Vulnerabilities, Worm Outbreaks, Spam, Mass Mailers, Spyware, Intelligent Botnets, Web Threats

2011+: Targeted Attacks, Mobile Attacks

Page 5

Trustwave 2013 Global Security Report:

Average time from initial breach to detection was 210 days, more than 35 days longer than in 2011.

Page 6

Malware / Bot / APT Behavior Comparison Table

| Behavior              | APT                                       | Bot                                                                | Malware                              |
|-----------------------|-------------------------------------------|--------------------------------------------------------------------|--------------------------------------|
| Distribution          | With organized planning                   | Mass distribution over regions                                     | Mass distribution over regions       |
| Services interruption | No                                        | No                                                                 | Yes                                  |
| Attack pattern        | Targeted (only a few groups/organizations) | Not targeted (large area spread-out)                              | Not targeted (large area spread-out) |
| Target audience       | Particular organization/company           | Individual credentials, including online banking account information | Random                             |
| Frequency of attacks  | Many times                                | Once                                                               | Once                                 |
| Weapon                | Zero-day exploit; drop embedded RAT       | Dropper or backdoor; multiple exploits, all in one                 | By malware design                    |
| Detection rate        | Lower than 10% within one month           | Around 86% within one month                                        | Around 99% within one month          |

Page 7

Some Documented Advanced Persistent Threat Campaigns (Real-world Examples)

• LURID – threat actors launched around 300 campaigns targeting different industries in different countries

• Luckycat – threat actors used diverse infrastructure (from throwaway free hosting to dedicated VPSs)

• Taidoor – threat actors primarily targeted government organizations located in Taiwan

• IXESHE – threat actors used compromised computers inside the network to evade network detection

Page 8

Advanced Persistent Threat

Targeted Attacks

Page 9

The attacker knows what he’s looking for!

Page 10

South Korea – Hacktivism, Cyber Sabotage, or Cyberterrorism?

Page 11

Sometimes “unusual” targets

Page 12

Typical Industrial Control System (ICS)

Page 13

Let’s simulate a Water Pressure Control station

• In a small city in the US with 8,000 citizens

• It has to look like a real system

• And by “accident” the system has a link to the Internet

Page 14

Building a SCADA Honeypot…

Page 15 (image only)

Page 16

Attacks from (honeypot attack sources by country):

• China, 17
• US, 9
• Laos, 6
• UK, 4
• Russia, 3
• Brazil, 2
• Netherlands, 1
• Japan, 1
• Poland, 1
• Vietnam, 1
• Palestine, 1
• Chile, 1
• Croatia, 1
• North Korea, 1

Page 17 (image only)

Page 18

What to expect next?

Page 19 (image only)

Page 20

Your phone as your wallet

Page 21

Android Malware (chart values): 120,000; 350,000

Page 22

Vehicle past and now

• Toyota’s vehicle (1955): no computers included

• Toyota’s hybrid vehicle (2011): over 70 computers included

Page 23

Vehicle Area Network (diagram of in-vehicle components and entry points):

• Tire Pressure Monitoring System
• Unauthorized apps, multimedia files, smartphone, USB
• Immobilizer cutter
• Door locks
• Smart key
• CHAdeMO: quick charging method for battery-powered electric vehicles
• Key fob
• Telematics system
• OBDII, CAN, ECU

Page 24 (image only)

Page 25

iVehicle

Page 26

Embedded OS selected by the car industry

SELECTED

IVI Standard Organization

Page 27

Security Assessment

Kernel > 2.6.35.3

Gain Privilege > 18

Page 28

Overflow attack to CAN bus

• All the ECUs turned into fail-safe mode.

• Engine fan and headlamp kept working.

• Meter (e.g. speed) needle keeps wobbling.

Page 29 (image only)

Page 30

If someone wants to get in, he gets in!

Page 31 (image only)

Page 32

So do we do a lot of stuff just to satisfy the auditors?

Page 33 (image only)

Page 34 (image only)

Page 35

Regions: Latin America, Europe, APAC, North America, Global

Page 36

Thank You