Targeted IT attacks today (Célzott informatikai támadások napjainkban). Boldizsár Bencsáth PhD, Laboratory of Cryptography and System Security (CrySyS), Budapest University of Technology.


Slide 1: Targeted IT attacks today (Célzott informatikai támadások napjainkban)
Boldizsár Bencsáth PhD, Laboratory of Cryptography and System Security (CrySyS), Budapest University of Technology and Economics. This is joint work with Gábor Pék, Levente Buttyán, Márk Félegyházi and others.

Laboratory of Cryptography and System Security (CrySyS), Adat- és Rendszerbiztonság Laboratórium

Slide 2: Targeted Attacks
Although many expected it, nobody knew how the era of targeted attacks and cyber warfare would start.
The hype began with Stuxnet, but it was maybe not the first case (Hydraq, DoS attacks, etc.).
Lots of new cases: Stuxnet, Duqu, RSA, chemical plants, Mitsubishi Heavy Industries, water systems (additionally: Anonymous, LulzSec, etc.).
APT: Advanced Persistent Threat -> this definition emphasizes the power of the attacker over our inability to keep control of our own systems.
A new approach is needed against APTs and targeted attacks.

Slide 3: What we did in the Duqu case
Yes, we are the lab that discovered Duqu. We will share with you what we can, but more information on the ongoing case is under NDA. Technical details are already public.
In early September, during the investigation of an incident, CrySyS Lab found a suspicious executable, the reference info stealer / keylogger component of Duqu.
Later, during forensics activities, we identified components used for the incident.
We made an initial analysis and shared our results with competent organizations. The cut-down version of our analysis was embedded into Symantec's report as an appendix (18/Oct/2011).
We continued the analysis of Duqu and as a result identified the dropper/installer component. After proving that it contains a 0-day vulnerability, we initiated the collaborative handling of the threat. On 01/Nov/2011 we announced the identification of the dropper file.

Slide 4: Duqu/Stuxnet comparison at a glance

Feature                                   Stuxnet             Duqu                          Note
Modular malware                           yes                 yes
Kernel driver based rootkit               yes                 yes                           very similar
Valid digital signature on driver         Realtek, JMicron    C-Media
Injection based on A/V list               yes                 yes                           Duqu's seems based on Stuxnet's
Imports based on checksum                 yes                 yes                           different algorithm
3 config files, all encrypted, etc.       yes                 yes                           almost the same
Keylogger module                          no                  yes
PLC functionality                         yes                 no                            different goal
Infection through local shares            yes                 possible (per Symantec)
Exploits, 0-day                           yes                 zero-day in Word (win32k.sys)
DLL with modules as resources             many                one
RPC communication                         yes                 yes
Port 80/443, TLS based C&C?               yes                 yes                           similar
Special magic keys (e.g. AE...)           yes                 yes                           lots of similar ones
Virtual file based access to modules      yes                 yes
Careful error handling                    yes                 yes
Initial, dropper, deactivation timer      yes                 yes
Configurable starting in safe mode/dbg    yes                 yes                           exactly the same mechanism

Slide 5: DuquDetector toolkit, a new way of thinking about threats like Stuxnet
The CrySyS DuquDetector Toolkit was publicly released on 09/Nov/2011.
We have to go forward and get rid of signature-only approaches.
Our tool tries to identify anything suspicious, even if that generates lots of false positives.
Currently the toolkit is configured for Duqu, but the aim is a bit more general.

Slide 6: What's new
Entropy-based detection of strange PNF files (most important; makes it possible to detect Stuxnet and Duqu).
Suspicious files with missing counterparts (PNF without INF).
Search for data files left by the keylogger/infostealer/data-siphoning tools of the malware by their signatures (file name, magic strings).
Our tool might be able to find traces of infections even after the malware has already been deleted by its self-destruct logic.
This OSS / keep-it-simple-stupid / do-not-care-about-false-positives mechanism might work in CI (critical infrastructure) environments.
We continue to work on this.
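The three heuristics of slides 5 and 6 (high-entropy PNF files, PNF files without an INF counterpart, and leftover data files found by a magic string) as one worked example. This is an added illustration written for this page, not the CrySyS DuquDetector toolkit's own code. It assumes a directory laid out like a Windows INF folder, where every legitimate .pnf is the precompiled counterpart of a same-named .inf and an encrypted module stored as a .pnf shows near-8-bit Shannon entropy; the entropy threshold, the minimum size, the magic string and the sample files are all constructed for the demo and have nothing to do with real Duqu indicators.

```python
"""Entropy, orphan-PNF and magic-string scan of an INF-style directory.

Added example, not the DuquDetector toolkit's code. Thresholds, the
placeholder magic and the sample directory are constructed for the demo.
"""
import math
import os
import random
import tempfile
from collections import Counter

HIGH_ENTROPY = 7.0      # bits/byte; assumed threshold, tune per environment
MIN_SIZE = 1024         # tiny files give unreliable entropy estimates
# Placeholder marker standing in for a real leftover-file signature
SUSPICIOUS_MAGIC = [b"EXAMPLE-LOG-MAGIC"]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_inf_dir(path: str) -> dict:
    """Apply the three heuristics to one directory and return the findings."""
    names = os.listdir(path)
    inf_stems = {os.path.splitext(n)[0].lower() for n in names if n.lower().endswith(".inf")}
    high_entropy, orphans, magic_hits = [], [], []
    for name in names:
        full = os.path.join(path, name)
        with open(full, "rb") as f:
            data = f.read()
        # Heuristic 3: any file starting with a known leftover-file magic
        if any(data.startswith(m) for m in SUSPICIOUS_MAGIC):
            magic_hits.append(name)
        if not name.lower().endswith(".pnf"):
            continue
        # Heuristic 2: a precompiled INF whose source INF is missing
        if os.path.splitext(name)[0].lower() not in inf_stems:
            orphans.append(name)
        # Heuristic 1: PNF content that looks encrypted rather than structured
        if len(data) >= MIN_SIZE and shannon_entropy(data) >= HIGH_ENTROPY:
            high_entropy.append(name)
    return {
        "high_entropy": sorted(high_entropy),
        "orphan_pnf": sorted(orphans),
        "magic_hits": sorted(magic_hits),
    }


def build_sample_dir() -> str:
    """Constructed sample directory: one benign INF/PNF pair, one orphan
    pseudo-encrypted PNF, one leftover data file carrying the magic."""
    d = tempfile.mkdtemp(prefix="infscan_")
    with open(os.path.join(d, "netmon.inf"), "w") as f:
        f.write('[Version]\nSignature="$Windows NT$"\n' * 40)
    # Benign PNF: structured bytes, entropy exactly 4.0 bits/byte
    with open(os.path.join(d, "netmon.pnf"), "wb") as f:
        f.write(bytes(range(16)) * 256)
    # Suspicious PNF with no INF: pseudo-random content (seeded, so the
    # demo is deterministic), standing in for an encrypted module
    with open(os.path.join(d, "oem7.pnf"), "wb") as f:
        f.write(random.Random(1234).randbytes(4096))
    # Leftover data file identified only by its (placeholder) magic string
    with open(os.path.join(d, "~tmp1.dat"), "wb") as f:
        f.write(SUSPICIOUS_MAGIC[0] + b"\x00" * 64)
    return d


if __name__ == "__main__":
    print(scan_inf_dir(build_sample_dir()))
```

On the constructed sample the scan flags oem7.pnf twice (high entropy and no INF counterpart) and ~tmp1.dat once (magic string), while netmon.pnf passes both PNF checks. As slide 5 says, this kind of scan deliberately tolerates false positives: a high-entropy PNF is a lead for a human to look at, not a verdict.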