2. Who am I?
» karmour@:/root$ whoami
» Information Security Consultant
» 4 years in security space
» Awkward hugs accepted
21 July 2015 Copyright 2015 eSentire, Inc. 2
3. Agenda
» Introduction
» Threat Landscape
» Preventing the exploitability of hosts
» Ad Blocking
» Exploit Prevention
» Binary Whitelisting
» Browser Hardening
4. Introduction
» The goal of this talk – Protecting people
» Layers of free technologies
» Education of threat landscape
6. Threat Landscape
» What are the main threats for end users on the web?
» Exploit Kits
» Drive By Downloads
» Malvertising
» Social Engineering
» What is the end game for attackers?
» Dropping binaries like it’s hot
7. Exploit Kits
» What is an exploit kit?
» What do they target?
» What is an exploit gate?
» What are the most active exploit kits?
8. Exploits anyone?
Angler EK            Nuclear EK           Rig EK               Magnitude
CVE-2015-0359 – F    CVE-2015-0359 – F    CVE-2015-0359 – F    CVE-2015-0359 – F
CVE-2015-0336 – F    CVE-2015-0336 – F    CVE-2014-0569 – F    CVE-2015-0336 – F
CVE-2015-0313 – F    CVE-2015-0311 – F    CVE-2014-0515 – F    CVE-2014-8439 – F
CVE-2015-0311 – F    CVE-2014-8439 – F    CVE-2014-0497 – F    CVE-2013-2551 – IE
CVE-2015-0310 – F    CVE-2014-0556 – F    CVE-2014-0322 – F    CVE-2013-2471 – J
(F = Flash Player, IE = Internet Explorer, J = Java)
May Update - http://contagiodata.blogspot.com/2014/12/exploit-kits-2014.html
9. Flash has been targeted
» 3 zero days affecting all versions of Flash in the past two weeks
» CVE-2015-5119
» CVE-2015-5122
» CVE-2015-5123
» 2 weeks ago Adobe fixed 36 critical vulnerabilities
» Alternatives to flash?
10. Drive-By Downloads
» What is a drive by download?
» How can a drive by download happen?
» Examples of different scenarios
» Download of software that ends up being spyware
» Compromised Website -> Exploit Kit -> Download
» Compromised Website -> Gate -> Random Exploit Kit -> Download
» Legitimate Website -> Compromised Ad Network -> EK -> Download
11. Malvertising
» What is malvertising?
» What has changed in the past few months?
» What does that mean for end users?
» Legitimate sites are a risk.
12. Social Engineering
» Gaining user trust and taking advantage
» Includes a lot of shotgun malware / spam
» The most realistic method of compromising a specific target
» Restricted local access and user training is the answer
14. Ad Blocking
» Ad Blocking makes everyone more secure
» Network Based Ad Blocking
» Proxy Ad Stripping
» DNS Sinkholing
» Host Based Ad Blocking
» Ad Blocker Plus / uBlock
15. Exploit Prevention
» What can be done to stop software from being exploited?
» Free Anti Exploit Technologies
» EMET – Enhanced Mitigation Experience Toolkit
» Malwarebytes Anti Exploit
» Recently released a version for OS X
» Adding layers is a good thing
16. Application Whitelisting
» What is application whitelisting?
» Why would you want to implement something like this?
» AppLocker
» Windows Server 2008 R2, Windows 7 Ultimate, and Windows 7 Enterprise
» Publisher
» Path
» File Hash
17. Browser Hardening
» What browsers are the “most” secure?
» What can be done to browsers to increase their protection?
» Plugins
» Configuration
» Exploit Protection
» Patching
» General notes for browser hardening
18. Configuration Hardening
» Internet Explorer
» Microsoft Security Zones
» Custom level of protection for each zone
» Local Intranet zone
» Internet Zone
» Restricted sites zone
» Firefox
» Warn me when sites try to install add-ons
» Block reported attack sites
» Block reported web forgeries
19. Configuration Hardening
» Chrome
» Enable phishing and malware protection
» Block pop-ups
» Block sites from downloading multiple files
» Third Party Applications – Ask to Run/Click to Play
» Chrome
» Firefox
» Internet Explorer
20. Plugins/Extensions
» Firefox / Internet Explorer / Chrome
» NoScript/ScriptSafe – Gives you the ability to control JavaScript / third party apps
» BitDefender Trafficlight – Blocks blacklisted sites
» AdBlockPlus/uBlock – Host level Ad blocking
» HTML5 Everywhere – Utilizes new technology over Flash
» HTTPS Everywhere – Enforce encryption when available
» Disconnect
» Cymon Interceptor (Chrome)
21. Introducing Cymon Interceptor
» “Cymon Says this site is potentially dangerous”
22. What is Cymon?
» Largest tracker of security reports
» Malware
» Phishing
» Botnets
» More than 2 million IPs in the database
» 4 Million unique events
» Almost 200 sources ingested daily
23. What is Cymon Interceptor?
» Prevents web requests to domains that Cymon has deemed malicious
» Recent events from Cymon are displayed for websites visited
» Ability to whitelist domain at users discretion
24. How it works
» Cymon Interceptor uses Google Chrome's webRequest API to intercept web requests as they happen
» The API allows requests to be filtered by a collection of URL patterns, created from the domains in Cymon's database
» Requests can then either be blocked, cancelled, or redirected
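As an added illustration of the mechanism on this slide (example code, not Cymon Interceptor's own), a minimal Chrome background script that filters requests the same way: the flagged domain list is a constructed sample standing in for Cymon's database, and the extension's manifest is assumed to grant the webRequest and webRequestBlocking permissions plus host permissions for the matched URLs.

```javascript
'use strict';

// Constructed sample of flagged domains, standing in for the Cymon database.
const FLAGGED_DOMAINS = ['bad-ads.example', 'ek-gate.example'];

// Build webRequest URL match patterns: two per domain, covering every
// scheme, the domain itself and all of its subdomains.
function buildUrlPatterns(domains) {
  return domains.flatMap((d) => [`*://${d}/*`, `*://*.${d}/*`]);
}

// Extract the lower-cased hostname from a request URL.
function hostnameOf(url) {
  return new URL(url).hostname.toLowerCase();
}

// True when host is the flagged domain or one of its subdomains.
function matchesDomain(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Decide what to do with a request: the user's whitelist (slide 23) wins,
// then flagged domains are cancelled, everything else passes through.
function decide(url, flagged, whitelist) {
  const host = hostnameOf(url);
  if (whitelist.some((d) => matchesDomain(host, d))) return { cancel: false };
  if (flagged.some((d) => matchesDomain(host, d))) return { cancel: true };
  return { cancel: false };
}

// Register the blocking listener when running inside Chrome. The 'blocking'
// option makes Chrome wait for the return value, and {cancel: true} drops the
// request before any bytes are fetched. Returns false outside a browser.
function install(flagged, whitelist) {
  if (typeof chrome === 'undefined' || !chrome.webRequest) return false;
  chrome.webRequest.onBeforeRequest.addListener(
    (details) => decide(details.url, flagged, whitelist),
    { urls: buildUrlPatterns(flagged) },
    ['blocking']
  );
  return true;
}

install(FLAGGED_DOMAINS, []);
```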
25. What have you learned?
» What threats are on the open web
» How to add additional layers of protection
» Cymon interceptor will be pretty sweet
26. Questions?
Thanks for listening!
+1 866 579 2200
sales@esentire.com
www.esentire.com
@eSentire
Editor's Notes
Took my first awkward hug today. Thanks Jayson!
Introduction – Why I came up with this talk
Threat Landscape – What current threats are out on the web affecting users
The goal of this talk – Protecting people
The most common way for people to get exploited in today’s day and age is through the exploitation of web browsers. Web browsers themselves have come a long way in security and protection, so attackers are now targeting the third-party applications called through the browser.
Layers of free technologies
As always with security, we need to add as many layers as possible to protect against the latest trends in cyber crime. This presentation goes over ways to defend against the latest security threats seen in the wild and attempts to stop exploit kits in their tracks.
Education of threat landscape
I hope that after this presentation you will have a better understanding of the ways that you can be compromised, and of how to limit your own attack surface using the technologies that I outline in this presentation.
Top exploits in exploit kits target Flash
Notice a pattern here?
Be quick on this slide
These are some of the more active exploit kits
HTML 5 vs Flash
As more people get fed up with the poor performance and security flaws of Adobe's Flash Player, they are uninstalling the Flash plug-in from their computers. The issue with completely removing Flash is that so much video content online still uses this technology.
HTML5 videos are less resource intensive and load faster.
What is a drive by download?
A drive by download refers to the unintentional download of computer software from the internet.
How can a drive by download happen?
Compromised Website -> Exploit Kit -> Download
Compromised Website -> Gate -> Random Exploit Kit -> Download
Legitimate Website -> Compromised Ad Network -> EK -> Download
Compromised Site
Hugo Boss CryptoWall 3.0 infection via Flash zero day
YouTube serving malvertising
Malvertising - is the use of online advertising to spread malware
What has changed in the past few months? – We used to be able to trace the redirects and find which ad networks were serving the specific malicious content. Ad networks are now using proper SSL encryption to hide all traffic between the server and the ad network, which makes it hard for security analysts to find the originating reason why someone was redirected to an exploit kit.
What does that mean for end users?
In the last few years we have seen an increase in ransomware. In regards to social engineering
Examples of legitimate sites utilizing malicious ads
Application whitelisting allows an administrator to restrict the programs that may run on a computer to a trusted list, instead of the normal configuration where all programs are allowed unless explicitly blocked. This is a highly effective way to block malware and unwanted programs from being installed or used on the system, since unknown binaries are prevented from executing on host machines.
AppLocker is basically a way to control which applications can run in your desktop environments. It contains new extensions that let you manage rules for allowing/denying applications, as well as specify which users can run them.
With Applocker, you can also:
Establish rules to different users and groups
Control various files (.cmd, .bat, .msi, .dll, .js, etc.)
Create rules based on publisher attribute or specific file versions
Create exceptions to rules
What browsers are the “most” secure?
Most Research / bug bounty programs
Least amount of RCE exploits
Dedicated security team for improving
What can be done to browsers to increase their protection?
Plugins
Configuration
Exploit Protection.
General notes for browser hardening:
Browser hardening can create a lot of issues for end users. Security is not always friendly with ease of use and optimization of productivity. The issue is that the same technologies attackers target are used on a daily basis for legitimate purposes
Security Settings per Zone
ActiveX
Java
Downloads
NoScript - Decide which sites should be allowed to run JavaScript, including Flash Player content.
HTML5 – some sites don’t have this support (htm5ify)
Disconnect – Free. Blocks malware and tracking, shows you who is tracking you, and keeps your searches private.