Raimund Genes: From Traditional Malware to Targeted Attacks
Transcript of the slides:
From Traditional Malware
to Targeted Attacks
Raimund Genes
Chief Technology Officer
Trend Micro
[Diagram: mail flow from the Internet through a gateway and an Exchange server to the PCs; 150 infected mails]
CRIMEWARE: Damage caused by Cybercrime
Evolution to Cybercrime (timeline chart, years 2001, 2003, 2004, 2005, 2007, 2010):
• Vulnerabilities / Worm Outbreaks
• Spam / Mass Mailers
• Spyware
• Intelligent Botnets
• Web Threats
2011+: Targeted Attacks, Mobile Attacks
Trustwave 2013 Global Security Report:
Average time from initial breach to detection was 210 days, more than 35 days longer than in 2011.
Malware / Bot / APT Behavior Comparison Table

| Behavior               | APT                                                         | Bot                                                                    | Malware                                   |
| Distribution           | With organized planning                                     | Mass distribution over regions                                         | Mass distribution over regions            |
| Services interruption  | No                                                          | No                                                                     | Yes                                       |
| Attack Pattern         | Targeted (only a few groups/organizations)                  | Not targeted (large area spread-out)                                   | Not targeted (large area spread-out)      |
| Target Audience        | Particular Organization/Company                             | Individual credentials including online banking account information    | Random                                    |
| Frequency of attacks   | Many times                                                  | Once                                                                   | Once                                      |
| Weapon                 | Zero-day exploit; Multiple-Exploits, All in one             | Drop embedded RAT                                                      | Dropper or Backdoor; By Malware design    |
| Detection Rate         | Lower than 10% within one month                             | Around 86% within one month                                            | Around 99% within one month               |
Some Documented Advanced Persistent Threat Campaigns (Real-world Examples)
• LURID – threat actors launched around 300 campaigns targeting different industries in different countries
• Luckycat – threat actors used diverse infrastructure (from throwaway free hosting to dedicated VPSs)
• Taidoor – threat actors primarily targeted government organizations located in Taiwan
• IXESHE – threat actors used compromised computers inside the network to evade network detection
Advanced Persistent Threat
Targeted Attacks
The attacker knows what he’s looking for!
South Korea – Hacktivism, Cyber Sabotage, or Cyberterrorism?
Sometimes “unusual” targets
Typical Industrial Control System (ICS)
• In a small city in the US with 8,000 citizens
• It has to look like a real system
• And by “accident” the system has a link to the Internet
Let’s simulate a Water Pressure Control station
Building a SCADA Honeypot…
Attacks from (chart, attacks per country): CHINA 17, US 9, LAOS 6, UK 4, RUSSIA 3, BRAZIL 2, NETHERLANDS 1, JAPAN 1, POLAND 1, VIETNAM 1, PALESTINE 1, CHILE 1, CROATIA 1, NORTH KOREA 1
What to expect next?
Your phone as your wallet
Android Malware (chart values: 120,000 and 350,000)
Vehicle past and now:
• TOYOTA'S Vehicle (1955): none of computers included
• TOYOTA'S Hybrid Vehicle (2011): over 70 of computers included
[Diagram: iVehicle / Vehicle Area Network attack surfaces: Tire Pressure Monitoring System; unauthorized apps, multimedia files, smartphone, USB; Immobilizer Cutter; door locks; Smart Key; CHAdeMO (quick charging method for battery powered electric vehicles); Key Fob; Telematics System; OBDII, CAN, ECU]
Embedded OS selected by car industry (selected by the IVI Standard Organization)
Security Assessment: Kernel > 2.6.35.3; Gain Privilege > 18
Overflow attack to CAN bus
• All the ECUs turned into Fail-Safe-Mode.
• Engine fan and headlamp kept working.
• Meter (e.g. speed) needle keeps wobbling.
If someone wants to get in, he gets in!
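The defender's side of the CAN bus overflow above, as an added example written for this transcript (not code from Trend Micro or the presenter): a per-ID frame-rate baseline over a constructed CAN trace that flags the burst of highest-priority frames which starves the other ECUs. The arbitration IDs 0x0C0, 0x1A0 and the flooding ID 0x000 are constructed sample values.

```python
from collections import defaultdict

WINDOW_US = 100_000  # 100 ms analysis window, timestamps kept in integer microseconds

def build_sample_frames():
    """Constructed CAN trace: (timestamp_us, arbitration ID, data bytes).
    Background traffic: ID 0x0C0 at 100 Hz and ID 0x1A0 at 10 Hz for one second.
    Flood: 800 frames with ID 0x000 (highest priority, wins every arbitration)
    between t=0.5 s and t=0.7 s, so no other ECU gets onto the bus."""
    frames = [(t, 0x0C0, bytes([0x00, 0x10])) for t in range(0, 1_000_000, 10_000)]
    frames += [(t, 0x1A0, bytes([0x5A])) for t in range(0, 1_000_000, 100_000)]
    frames += [(500_000 + i * 250, 0x000, bytes(8)) for i in range(800)]
    return sorted(frames)

def count_per_window(frames, window_us=WINDOW_US):
    """Map window index -> {arbitration ID -> number of frames seen}."""
    counts = defaultdict(lambda: defaultdict(int))
    for t_us, arb_id, _data in frames:
        counts[t_us // window_us][arb_id] += 1
    return counts

def detect_flood(frames, learn_windows=3, factor=3, unseen_threshold=20):
    """Learn each ID's maximum frames-per-window from the first `learn_windows`
    windows (assumed clean), then flag any later window where an ID exceeds
    `factor` x its learned maximum, or an ID never seen during learning sends
    more than `unseen_threshold` frames. Returns sorted (window, ID, count)."""
    counts = count_per_window(frames)
    baseline = defaultdict(int)
    for w in range(learn_windows):
        for arb_id, n in counts.get(w, {}).items():
            baseline[arb_id] = max(baseline[arb_id], n)
    alerts = []
    for w in sorted(counts):
        if w < learn_windows:
            continue
        for arb_id, n in counts[w].items():
            if arb_id in baseline:
                if n > factor * baseline[arb_id]:
                    alerts.append((w, arb_id, n))
            elif n > unseen_threshold:
                alerts.append((w, arb_id, n))
    return sorted(alerts)

if __name__ == "__main__":
    for w, arb_id, n in detect_flood(build_sample_frames()):
        print(f"window {w}: ID 0x{arb_id:03X} sent {n} frames in {WINDOW_US // 1000} ms")
```

On a real vehicle the baseline would be learned per ID from a known-good drive cycle rather than from the first windows of the trace.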
So do we do a lot of stuff just to satisfy the auditors?
[Map: LATIN AMERICA, EUROPE, APAC, NORTH AMERICA, GLOBAL]
Thank You