How Targeted APT and Advanced Malware Attacks Evade Anti-virus Software

How Targeted Attacks Evade
Anti-Virus Software

© 2012 Imperva, Inc. All rights reserved.

Agenda

 Compromised insiders defined
 The anatomy of a compromised insider campaign
 Non mitigation techniques: Anti-virus
 Mitigating compromised insiders in theory
+ Real world case study: RSA
 Mitigating compromised insiders in practice

2 © 2012 Imperva, Inc. All rights reserved.

Today’s Presenter
Rob Rachwald, Dir. of Security Strategy, Imperva

 Research
+ Directs security strategy
+ Works with the Imperva Application Defense Center
 Security experience
+ Fortify Software and Coverity
+ Helped secure Intel’s supply chain software
+ Extensive international experience in Japan, China, France, and
Australia
 Thought leadership
+ Presented at RSA, InfoSec, OWASP, ISACA
+ Appearances on CNN, SkyNews, BBC, NY Times, and USA Today
 Graduated from University of California, Berkeley


Insider threat defined

Insider Threat

Someone who has trust and access and acquires
intellectual property and/or data in excess of
acceptable business requirements.

They do so:
+ Maliciously
+ Accidentally
+ By being compromised


Compromised insider defined

Compromised Insider

A 3rd party who gains access and acquires
intellectual property and/or data in excess via client
infection. The client, often employees in
government, military or private industry, are
unknowing accomplices and have no malicious
motivation.


In recent events …

 Saudi Aramco
+ Malicious Insider,
30,000 computers
hacked, full service
disruption.
 Global Payments
+ Compromised Insider,
causes 1.5M payment
cards compromised.

6 6 © 2012 Imperva, Inc. All rights reserved.

Malware: Compromised insiders on the rise

2012 Verizon Data Breach Report
• Malware is on the rise: “69% of all data breaches
incorporated Malware”. A 20% increase over 2011.
• Malicious insider incidents declining: “4% of data breaches
were conducted by implicated internal employees.” A 13%
decrease compared to 2011.

Director of National Intelligence
• “Alm ost half of all com puters in the United States
have been com prom ised in som e m anner and
~60,000 new pieces of malware are identified per day”.


The 1% to be really concerned about

“Less than 1% of your
employees may be
malicious insiders, but
100% of your employees
have the potential to be
compromised insiders.”

Source:
http://edocumentsciences.com/defend-against-compromised-insiders


Who does it?

Governments
- Stealing Intellectual Property (IP) and raw data, as well as,
espionage.
- Motivated by politics and nationalism.

Private hackers
- Stealing IP and data.
- Motivated by profit.

Hacktivists
- Exposing IP and data, but also compromising infrastructure.
- Motivated by almost anything - have attacked, nations, people,
religion, commerce, etc…


Where do they attack?

Desktop Multimillion
and the dollar
user datacenter
Both
access the
Not well same data Well
protected protected


Anatomy of a Compromised Insider Campaign


With social networks, smart bombing is not hard


Industrialized approach

Specialized frameworks and hacking tools, such as BlackHole 2.0
and others, allow easy setup for Host Hijacking and Phishing.

How easy is it ?
For $700: 3 month license for BlackHole available online.
Includes support!


Is this real?

Recent “iPhone 5 Images Leak” was a Trojan Download Drive-By.


Is this real?

Persistent XSS Vulnerable Sites provide the Infection Platform.

GMAIL, June 2012

TUMBLR, July 2012


Is this real?

Sep 24th 2012, FBI Issued a warning of Targeted Scams.

• “Once compromised, keyloggers and RATs installed on the
financial institution employee's computer provided the
criminals with "complete access“.

• “Unauthorized transactions were preceded by unauthorized
logins that occurred outside of normal business hours”

• "The DDoS attacks were likely used as a distraction”

Non Mitigations: Anti-Virus


The media view

“Flame was a failure for the antivirus
industry. We really should have been able
to do better. But we didn’t. We were out of
our league, in our own game.”
Source: http://www.wired.com/threatlevel/2012/06/internet-security-fail/


The hacker view

An entire industry exists to bypass anti-virus.
Today, anti-virus stops between 6-27%
of viruses.

Source:
http://adamonsecurity.com/?p=323


The anti-virus vendor view

Hackers exploit ‘zero-day' bugs for 10
months on average before they're exposed.

Source:
http://www.forbes.com/sites/andygreenberg/2012/10/16/hackers-exploit-software-bugs-for-10-months-on-average-
before-theyre-fixed/

Protect and monitor the cheese

 Problem: Most organizations
chase the mice and don’t focus
enough on protecting the cheese.
+ Much of security budgets spent on:
– Malware detection
– Virus prevention
+ Front-line/end-user defenses must
be 100% accurate.
– If one mouse gets past them the cheese
is gone.


Mitigating Compromised Insiders


Step 1: Know what users do with data

 Classify Sensitive Information
+ Identifying the information within the corporate databases and
file servers allows understanding of risk and severity of data
access.
 Persistent Security Policy
+ A good security policy will allow you to put compensating
controls in place while not disrupting business needs and
maintaining security.
 User Rights
+ Map your users’ rights. Understand who has access to what,
and why there are dormant accounts?
 Analyze, Alert, and Audit on Activity
+ By keeping track of access and access patterns, it becomes easy
to understand who accessed your data, what was accessed, and
why.

Step #2: Look for aberrant behavior

 What: weirdness probably
means trouble.
 How:
+ Profile normal, acceptable
usage and access to sensitive
items by
– Volume
– Access speed
– Privilege level
+ Put in place monitoring or
“cameras in the vault.”


Example: Databases

 Checks the entry method. Legitimate individuals
should, typically, access data through a main door.
 Monitor the activity of the individuals. If employees
have been granted miscellaneous access permissions,
monitor what they are doing. Malware from spear
phishing typically causes unusual behavior.
 Monitor the activity of privileged users. Database
controls should track the activity of the privileged users
and monitor what these privileged users are accessing.


Example: File Systems

Copying Folders Routine Access
Nonselective Selective
All subfolders and files accessed

Temporally continuous Temporally irregular

Recursive Random order

Directory accessed Files can be accessed
before its files without directory
Source:
Catching Insider Data Theft with Stochastic Forensics, presented at Black Hat USA August 2012.

Conclusion: Rebalance the portfolio


Worldwide anti virus spend: 2002 vs 2012

2002 2012 (est.)

$1.44 $7.84
Billion Billion
A 5x increase without the 5x improvement.
Source:
Gartner, Worldwide Spending on Security by Technology Segment, Country and Region, 2010-2016 and 2002


Real World Incident


Organizations known to have been compromised:

• Saudi Aramco
• Goldman Sachs
• Global Payments
• SF Computer Systems
• Sandia National Labs
• CardSystems
• EPA
• Motorola
• Sberbank
• Google (Aurora)
• RSA
• Toyota

The list goes on ….

RSA – phishing mail

 Mass phishing campaign against RSA employees


RSA – the exploit

 Excel file with embedded Flash
 0 day Flash vulnerability


Proliferation within the network

“With the trojan
downloaded, the attackers
then started harvesting
credentials and made their
way up the RSA food chain
via both IT and non-IT
personnel accounts, until
they finally obtained
privileged access to the
targeted system.”

Source:
http://www.pcmag.com/article2/0,2817,2382970,00.asp


RSA – the result

 SecureID hacked


Mitigation in Action

36

Imperva SecureSphere – Database coverage

Coverage for Heterogeneous Databases

DB2
DB2 z/OS
DB2400
Informix
Netezza


Imperva Database Security Products

Database Activity
Monitoring
Full auditing and visibility into
database activities

Discovery & Assessment
Server
Vulnerability assessment,
configuration management,
database discovery and classification


Deployment options

DBA/Sys admin
Agent
Database Auditing
Activity
Monitoring

Agent
Users Network Database Auditing
Auditing Activity
Gateway
Monitoring

Management DBA/Sys admin
Server (MX) Network
Auditing
Gateway


Auditing database activity

 Audit trail captures all database activity, including SELECT,
DML, DDL, privileged activities.
 Details answer the who?, what?, where?, when? and how?
DB2 for z/OS Activity

Complete Audit Trail
When? Where? Who? What?, How?

Privileged Operations


Audit analytics

Pre-defined audit views provide quick and flexible access to audit details

Graphical Analysis

Drill down to audit data


Real-time alerts on security events

Profiling violation – unauthorized database and
 SecureSphere provides schema access

real-time alerts on any
security event and policy
violation.
 Dynamic Profiling Destination
enables identification of
abnormal behaviors.
User Source application
 Alerts enable immediate
response to minimize the Alert Details

impact of a breach. Date and Time


Universal user tracking

Universal User
User A
Tracking User B

Full user visibility and
User A
accountability
• Map application users to
database activity

Tech User

User B


44 CONFIDENTIAL - Imperva

Unified policies across heterogeneous platforms

 No need to define special Define and apply policies to
policies for mainframe heterogeneous databases
databases.
 Granular policies defined
and managed through a DB2 for z/OS
centralized, friendly
interface. Other
 Preconfigured compliance databases

policies and reports for
SOX, PCI, and data
privacy.


Webinar Materials


Webinar materials

Join Imperva LinkedIn Group,
Imperva Data Security Direct, for…

Answers to
Post-Webinar
Attendee
Discussions
Questions

Webinar
Join Group
Recording Link


www.imperva.com

- CONFIDENTIAL -

How Targeted APT and Advanced Malware Attacks Evade Anti-virus Software

Recommended

Recommended

More Related Content

More from Imperva

More from Imperva (20)

Recently uploaded

Recently uploaded (20)

How Targeted APT and Advanced Malware Attacks Evade Anti-virus Software