© 2014, FireEye, Inc. All rights reserved.

Slide 1: Zero-Days, Ghost Malware, and Other Current Trends
Tobin Sears, FireEye


Slide 2: FROM THE FRONT LINES: M-TRENDS® 2015

Slide 3: Agenda
- By the Numbers
- Trend 1: Struggling with Disclosure
- Trend 2: Retail in the Crosshairs
- Trend 3: The Evolving Attack Lifecycle
- Trend 4: Blurred Lines: Criminal and APT Actors Take a Page from Each Other's Playbook
- Ghost Malware and Zero-Days
Note: Some information has been sanitized to protect our clients' interests.

Slide 4: BY THE NUMBERS

Slide 5: Who's a Target?

Slide 6: How Compromises Are Being Detected

Slide 7: Dwell Time
- 24 days less than in 2013
- Longest attacker presence: 2,982 days

Slide 8: APT Phishing

Slide 9: TREND 1: Struggling with Disclosure

Slide 10: Trend 1: Struggling with Disclosure
- Mandiant worked with over 30 companies that publicly disclosed a compromise
- The public is asking more informed questions:
  - Attribution
  - Malware
  - Attacker TTPs
- Public speculation is starting to affect investigations

Slide 11: Why the Increase in Notifications?
- Mandiant worked an increased number of cases where protected data was lost
  - Cardholder data, personally identifiable information (PII), and protected health information (PHI)
  - Contractual and legal obligation to notify
- 69% of victims did not self-detect
  - Increased pressure to notify
- More companies are willing to notify
  - Companies feel it is the right thing to do
  - Being a breach victim is less taboo than in the past

Slide 12: Critical Investigation Questions
Questions you should be able to answer during the investigation:
- How did the attacker gain initial access to the environment?
- How did the attacker maintain access to the environment?
- What is the storyline of the attack?
- What data was stolen from the environment?
- Have you contained the incident?

Slide 13: The Takeaways
- Breaches are inevitable
  - Have an effective communication strategy ready
- Consistent communication is key
  - Base it on factual investigative findings
- Public speculation will happen
  - Do not let it distract the investigation
(Slide graphic: a "CAUTION: Investigation Hazard" sign)

Slide 14: TREND 2: Retail in the Crosshairs

Slide 15: Trend 2: Retail in the Crosshairs
- Retailers were thrust into the spotlight; Mandiant responded to many of the incidents behind the headlines
- New groups are getting into the game
- Small misconfigurations led to greater compromise

Slide 16: Themes of Financially Motivated Attackers in 2014
- Application virtualization servers used as an entry point
  - Valid credentials used to authenticate
  - Misconfigurations and lack of network segmentation allowed greater access
- New tools, tactics, and procedures
  - Highly sophisticated malware
  - Publicly available tools
- Increased number of attacks against e-commerce in locations that deployed chip-and-PIN technology
  - Attackers shifting focus to the lowest-hanging fruit

Slide 17: Initial Access to the Environment
- Attacker authenticated to a virtual application server
  - Already had legitimate credentials; no failed logons
- Escaped from the "jailed" environment to gain additional control over the system
- Misconfiguration in the virtual application server resulted in greater access to the environment
  - No segmentation
- Same local administrator password on all systems
  - Gave the attacker privileged access to every system

Slide 18: Lateral Movement: Forensic Artifacts
- Attacker used the Metasploit "psexec_command" module to execute commands on remote systems
  - Mimics the command-execution capability of the Sysinternals PsExec utility
- The System event log on Windows 7 / Server 2008 recorded each service installation (Service Control Manager Event ID 7045)
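The service-installation artifact is worth turning into a check. What follows is an added example, not code from the FireEye deck or from Metasploit: it runs over a handful of constructed Event ID 7045 records (in Python, rather than the Windows tooling the slide assumes) and flags installs that look like PsExec or Metasploit psexec_command activity. The sample records, the KNOWN_GOOD baseline and the "random 8-letter name" heuristic (based on Metasploit's rand_text_alpha default as I remember it) are assumptions; treat the patterns as triage heuristics, not signatures.

```python
"""Triage Service Control Manager 'service installed' events (ID 7045) for
PsExec-style remote execution. Added example; the records below are constructed
to resemble the 7045 fields and are not from a real incident."""
import math
import re
from collections import Counter

# Constructed sample records: (event_id, host, service_name, image_path, account).
SAMPLE_EVENTS = [
    (7045, "POS-SRV-01", "Spooler", r"C:\Windows\System32\spoolsv.exe", "LocalSystem"),
    (7045, "POS-SRV-01", "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe", "LocalSystem"),
    (7045, "REG-0113", "tXsQkLmZ",
     r"%COMSPEC% /C echo net user ^> \\127.0.0.1\ADMIN$\out.txt > \\127.0.0.1\ADMIN$\run.bat",
     "LocalSystem"),
    (7045, "REG-0114", "gupdate", r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /svc", "LocalSystem"),
    (7036, "REG-0114", "Dnscache", "", ""),  # state change, not an install; ignored
]

# Assumed site baseline of expected service names (build it from a clean host).
KNOWN_GOOD = {"Spooler", "gupdate", "Dnscache"}

# Image paths that spawn a shell or write through the ADMIN$ share are the
# psexec_command pattern: the "service" is really cmd.exe running one command.
REMOTE_EXEC_PATH = re.compile(r"%COMSPEC%|cmd\.exe\s*/[cC]|\\\\[^\\]+\\ADMIN\$", re.IGNORECASE)

def shannon_entropy(s):
    """Bits per character; 8 distinct characters give the maximum of 3.0 for an 8-char name."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_random(name):
    """Heuristic for generated names: exactly 8 letters, mixed case inside the
    word, near-maximal entropy. Assumed to match Metasploit's rand_text_alpha(8)
    default; real names vary, so this is a low-confidence signal on its own."""
    if len(name) != 8 or not name.isalpha():
        return False
    inner_upper = sum(ch.isupper() for ch in name[1:])
    return inner_upper >= 2 and shannon_entropy(name) >= 2.8

def classify_service_install(event):
    """Return the list of reasons an install looks like remote execution ([] if benign)."""
    event_id, _host, name, image_path, _account = event
    if event_id != 7045:
        return []
    reasons = []
    if name.upper() == "PSEXESVC":
        reasons.append("Sysinternals PsExec default service name")
    if REMOTE_EXEC_PATH.search(image_path):
        reasons.append("image path runs cmd.exe/COMSPEC or writes via an ADMIN$ share")
    if name not in KNOWN_GOOD and looks_random(name):
        reasons.append("random-looking 8-letter service name")
    return reasons

def find_suspicious_installs(events):
    """One dict per flagged event; several hits across hosts trace the lateral-movement path."""
    hits = []
    for event in events:
        reasons = classify_service_install(event)
        if reasons:
            hits.append({"host": event[1], "service": event[2], "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_installs(SAMPLE_EVENTS):
        print(f"{hit['host']}: service {hit['service']!r}: {'; '.join(hit['reasons'])}")
```

Feed it 7045 records exported from every host (the System log is small and rarely tuned out), and pivot on the AccountName field as well: in the case on the slide the same local administrator account appears on every host the attacker touched.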

Slide 19: Persistence: Sophisticated Malware
- Backdoor targeted Windows XP systems
- Used a sophisticated packer
- Backdoor gets its capabilities from shellcode
- Able to download additional shellcode
  - Makes for a versatile backdoor

Slide 20: Data Theft
- Attacker used a domain controller as the pivot point into the retail environment
  - The retail domain had a two-way trust with the corporate domain
  - The store registers ran Microsoft Windows XP
  - The store registers were joined to the retail domain
- Deployed card-harvesting malware to registers throughout the environment
- Malware wrote stolen track data to a temporary MSSQL database
- Attacker queried the database to collect the stolen track data
- Transferred files off the network using FTP
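When the harvesting malware stages track data in a database and the attacker pulls it out over FTP, the data itself is the most reliable thing to hunt for. The following is an added example, not FireEye's tooling: a small Python scanner that finds Track 1 / Track 2 magnetic-stripe records (ISO/IEC 7813 layout) in any text you can obtain, such as a dump of that temporary MSSQL table, a staged file, or an FTP transfer reassembled from a packet capture, and validates each PAN with the Luhn check to suppress false positives. The sample dump is constructed and uses the standard 4111 1111 1111 1111 test PAN, not a real card.

```python
"""Find magnetic-stripe track data in text. Added example, not from the deck.
Track layouts follow ISO/IEC 7813; SAMPLE_DUMP is constructed and uses the
4111 1111 1111 1111 test PAN."""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1 = re.compile(r"%B(\d{13,19})\^([^^?\n]{2,26})\^(\d{4})(\d{3})([^?\n]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?\n]*)\?")

def luhn_valid(pan):
    """ISO/IEC 7812 Luhn check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """Keep the BIN and last four so findings can be shared without re-exposing the card."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track_data(text):
    """Return one finding per Luhn-valid track record, with the PAN masked."""
    findings = []
    for m in TRACK1.finditer(text):
        pan = m.group(1)
        if luhn_valid(pan):
            findings.append({"track": 1, "pan": mask_pan(pan), "expiry_yymm": m.group(3),
                             "service_code": m.group(4), "offset": m.start()})
    for m in TRACK2.finditer(text):
        pan = m.group(1)
        if luhn_valid(pan):
            findings.append({"track": 2, "pan": mask_pan(pan), "expiry_yymm": m.group(2),
                             "service_code": m.group(3), "offset": m.start()})
    return sorted(findings, key=lambda f: f["offset"])

# Constructed stand-in for a dump of the temporary database the slide describes:
# row 3 has the right shape but fails Luhn, row 4 is an ordinary 16-digit order number.
SAMPLE_DUMP = """\
id,ts,data
1,2014-11-03 19:02:11,%B4111111111111111^DOE/JANE^25121011234567890000?
2,2014-11-03 19:02:11,;4111111111111111=2512101123456789?
3,2014-11-03 19:03:40,;4111111111111112=2512101000?
4,2014-11-03 19:04:02,order=1234567890123456 total=19.99
"""

if __name__ == "__main__":
    for f in find_track_data(SAMPLE_DUMP):
        print(f"track {f['track']} PAN {f['pan']} exp {f['expiry_yymm']} "
              f"svc {f['service_code']} at byte {f['offset']}")
```

The Luhn gate is what makes this usable on a busy POS host: sentinel characters and 16-digit numbers are everywhere in retail data, but a Luhn-valid PAN between the right sentinels is rarely anything but a card. Run it against the staging database and the FTP client's working directory, and against outbound FTP captures if you have them.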

Slide 21: A Retailer Case Study

Slide 22: Protect Yourself
- Secure remote access
  - Require two-factor authentication
- Secure access to the PCI environment
  - Segment the PCI environment
  - Require access through an internal jump server
- Deploy application whitelisting on critical assets
  - Protect the POS servers and registers
- Manage privileged accounts
  - Control access

Slide 23: TREND 3: The Evolving Attack Lifecycle

Slide 24: Trend 3: The Evolving Attack Lifecycle
- Threat actors have used stealthy new tactics to move laterally and maintain persistence in victim environments.

Slide 25: Attack Lifecycle

Slide 26: Hijacking the VPN
- Heartbleed vulnerability
- Single-factor authentication and credential theft
- Bypassing two-factor authentication
(Slide graphic: dumping certificates with Mimikatz; image source: …)

Slide 27: Password Harvesting
- Clear-text passwords in memory
- "Golden Ticket" Kerberos attack
- Malicious security packages
"Victims quickly learned that the path from a few infected systems to complete compromise of an Active Directory domain could be incredibly short."
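Two of the three techniques on this slide leave a registry footprint you can audit from an offline export: a malicious security package is registered by adding its DLL to the LSA "Security Packages" list, and clear-text passwords stay in LSASS memory while WDigest credential caching (UseLogonCredential) is on. The following is an added example, not FireEye's or Mimikatz's code: a Python parser for a regedit .reg export (including REG_MULTI_SZ hex(7) values and backslash line continuations) and an audit over it. The export text is constructed, and the built-in SSP baseline and the "mimilib" entry are assumptions for the demonstration. Golden Ticket detection needs Kerberos telemetry and is not covered here.

```python
"""Audit an offline regedit (.reg) export for LSA security-package tampering
and WDigest clear-text credential caching. Added example, not from the deck;
SAMPLE_REG is constructed and the BUILTIN_SSPS baseline is an assumption."""

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
WDIGEST_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
# Packages Windows ships with (assumed baseline; confirm against a clean build of your OS version).
BUILTIN_SSPS = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", "cloudap"}

def multi_sz_hex(strings, per_line=12):
    """Encode REG_MULTI_SZ the way regedit exports it: UTF-16LE, NUL between
    strings, double NUL at the end, wrapped with ',\\' continuation lines."""
    data = ("\x00".join(strings) + "\x00\x00").encode("utf-16-le")
    parts = [f"{b:02x}" for b in data]
    chunks = [",".join(parts[i:i + per_line]) for i in range(0, len(parts), per_line)]
    return "hex(7):" + ",\\\n  ".join(chunks)

def decode_value(value):
    """Decode the right-hand side of a .reg line into (type, data)."""
    if value.startswith("dword:"):
        return ("REG_DWORD", int(value[len("dword:"):], 16))
    if value.startswith("hex(7):"):
        raw = bytes(int(b, 16) for b in value[len("hex(7):"):].split(",") if b)
        return ("REG_MULTI_SZ", [s for s in raw.decode("utf-16-le").split("\x00") if s])
    if value.startswith('"') and value.endswith('"'):
        return ("REG_SZ", value[1:-1])
    return ("RAW", value)

def parse_reg_export(text):
    """Return {key_path: {value_name: (type, data)}}, joining backslash-continued lines."""
    logical, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip() if pending else raw.rstrip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        logical.append(line)
    keys, current = {}, None
    for line in logical:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, value = line[1:].partition('"=')
            keys[current][name] = decode_value(value)
    return keys

def audit_credential_exposure(keys):
    """Findings for unknown SSPs in LSA and for WDigest caching switched on."""
    findings = []
    packages = keys.get(LSA_KEY, {}).get("Security Packages", ("REG_MULTI_SZ", []))[1]
    for pkg in packages:
        if pkg.strip('"').lower() not in BUILTIN_SSPS:
            findings.append(f"unexpected security package in LSA: {pkg}")
    use_logon_cred = keys.get(WDIGEST_KEY, {}).get("UseLogonCredential")
    if use_logon_cred is not None and use_logon_cred[1] == 1:
        findings.append("WDigest UseLogonCredential=1: LSASS keeps clear-text passwords in memory")
    return findings

# Constructed export of a host where an extra SSP was registered and WDigest was left on.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    f"[{LSA_KEY}]",
    '"Security Packages"=' + multi_sz_hex(
        ["kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", "mimilib"]),
    '"Authentication Packages"=' + multi_sz_hex(["msv1_0"]),
    "",
    f"[{WDIGEST_KEY}]",
    '"UseLogonCredential"=dword:00000001',
    "",
])

if __name__ == "__main__":
    for finding in audit_credential_exposure(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

Two caveats when you run this for real: an SSP added to the list only loads at the next boot, so a host can be clean in memory and dirty in the registry (or the reverse, when the package was injected into LSASS without touching the registry), and on Windows 7 / Server 2008 R2 with KB2871997 installed the absence of UseLogonCredential means WDigest caching is still on; only an explicit 0 turns it off.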

Slides 28-30: Persisting with WMI (slide content was graphics, not preserved in the transcript)

Slide 31: TREND 4: Blurred Lines: Criminal and APT Actors Take a Page from Each Other's Playbook

Slide 32: Trend 4: Blurred Lines: Criminal and APT Actors Take a Page from Each Other's Playbook
- As actors' tactics merge, discerning their goals becomes critical to gauging the impact of incidents.

Slide 33: Tactical Overlaps between Cybercriminals and APT Groups
- Interactive social engineering and social media presence
- Custom malware and tools, developed on the fly
- Effective lateral movement and long-term persistence
- Repeated, wide-scale data theft

Slide 34: From Russia with Ambiguity: Intent Matters
- Russia-based cyber activity
  - Nation-state espionage
  - Cybercrime
  - Gray area...
- APT28 and "Sandworm"
  - Use of BlackEnergy (traditionally crimeware) to target industrial control systems
- Intent and motive matter

Slide 35: Conclusion
- Organizations are under increasing pressure to disclose details of breaches and to provide attribution
- Retail remains a top target as attackers find more victims
- Threat actors have adopted stealthy new tactics to hide in compromised environments
- Attribution is becoming harder as the lines blur between the tactics used by cyber criminals and nation-state actors

Slide 36: GHOST MALWARE AND ZERO-DAYS: Interesting Data Points and Trends

Slide 37: Malware Lifespan Analysis (chart: total pool of malware samples versus lifespan, in hours)

Slide 38: Ghost Hunting with Antivirus (source: …)
- … of malware exists only once
- … of malware disappears after one hour

Slide 39: Malware Lifecycle: Development vs. Supply Chain Comparison (source: …)
- … lifecycle: days to weeks
- … lifecycle: days

Slide 40: Document Exploit Kits
- Effective document exploit kits are emerging in underground forums
- A new version of Microsoft Word Intruder (MWI) can track the effectiveness of a campaign
  - Marketed as an APT tool; the author limits the user base and forbids use in spam campaigns
  - Lets operators track multiple campaigns, conversion rates (i.e., successful exploitations), and information about their victims using the MWISTAT package
  - The latest version, MWI 4.0, has been advertised as containing multiple exploits, including CVE-…, CVE-…, CVE-…, CVE-…
  - Payload: Chthonic (a Zeus variant with Andromeda packaging characteristics)
- Huge increase in macros versus exploits
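The last bullet, macros overtaking exploits as the document delivery mechanism, is the one a mail gateway or triage script can act on directly. The following is an added example, not FireEye's code and unrelated to MWI: it builds two constructed OOXML packages in memory (one macro-enabled, one plain) and checks a document the way a gateway should, by listing the parts inside the zip container and reading [Content_Types].xml rather than trusting the file extension. Legacy binary .doc/.xls files are OLE2 containers, not zips, and need an OLE parser (olevba from oletools, for example), which this example does not cover.

```python
"""Detect macro-enabled OOXML documents from the package contents rather than
the extension. Added example; the two sample documents are constructed
minimal packages, not real files."""
import io
import re
import zipfile

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
VBA_PART = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # vbaProject.bin is itself an OLE2 container
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}

def build_sample_package(macro_enabled):
    """Constructed minimal Word package; only the parts this check reads are present."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        if macro_enabled:
            main_ct = "application/vnd.ms-word.document.macroEnabled.main+xml"
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 504)
            extra = '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        else:
            main_ct = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
            extra = ""
        z.writestr("[Content_Types].xml",
                   f'<Types xmlns="{CT_NS}">'
                   f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>{extra}</Types>')
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()

def inspect_ooxml(data, claimed_name):
    """Report what the container says about macros and whether the file name agrees."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"ooxml": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        vba_parts = [n for n in names if VBA_PART.search(n)]
        content_types = (z.read("[Content_Types].xml").decode("utf-8", "replace")
                         if "[Content_Types].xml" in names else "")
        # A vbaProject.bin that is not an OLE2 container is malformed or decoy; note it either way.
        vba_is_ole = any(z.read(n)[:8] == OLE_MAGIC for n in vba_parts)
    macro_ct = "macroEnabled" in content_types or "vnd.ms-office.vbaProject" in content_types
    has_macros = bool(vba_parts) or macro_ct
    ext = claimed_name.rsplit(".", 1)[-1].lower()
    return {"ooxml": True, "has_macros": has_macros, "vba_parts": vba_parts,
            "vba_is_ole": vba_is_ole,
            "extension_mismatch": has_macros and ext not in MACRO_EXTENSIONS}

if __name__ == "__main__":
    print(inspect_ooxml(build_sample_package(True), "invoice.docm"))
    print(inspect_ooxml(build_sample_package(False), "invoice.docx"))
```

Both signals are checked because either alone can be absent: a package can carry a vbaProject.bin part without declaring the macro-enabled content type, and a sender can rename the file to whatever extension the gateway allows. A document that carries macros under a non-macro extension deserves a closer look regardless of how the client application ends up treating it.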

Slide 41: Flash Exploits in 2015
- Web exploit targets in the last few years
  - Java: peaked in 2013 but dropped in January 2014 when Oracle blocked the execution of unsigned applets
  - Internet Explorer: decreased in June 2014 when Microsoft introduced multiple heap-corruption mitigations
  - Adobe Flash: shift to Flash exploitation starting at the end of 2014
- Existing ASLR bypass mechanisms continue to allow bug exploitation
- Advanced obfuscation techniques used to avoid detection
  - Environmental checks (debugger, software version, OS language, browser type, ...)
  - Encryption, compression, FlashVars, data in external resources, ...
  - Multiple commercial Flash obfuscation tools available: DoSWF and SecureSWF
    - Slows down automated analysis

Slide 42: Flash Campaign to Payload Mappings (chart)

Slide 43: VirusTotal (VT) detection rates versus time for the earliest samples using high-profile Flash and IE/Flash exploits (chart)

Slide 44: Thank You

Slide 45: Free Resources
Available on …:
- Redline
- IOC Editor
- IOC Finder
- Memoryze
- Memoryze for Mac
- Highlighter
- ApateDNS
- Heap Inspector
- PdbXtract