The document discusses strategies for cybersecurity defenses against attacks. It notes that while attackers may seem powerful, they are actually constrained by resources and need vulnerabilities to exploit. It recommends techniques like hardening systems, applying patches, minimizing exposed software, using endpoint detection systems, and pretending to be in a malware analysis environment to discourage attacks. The overall message is that simple changes can make a system much harder to attack than the typical unmodified configuration that attackers rely on.

1. © F-Secure Confidential1
DEFENDING
WORKSTATIONS
CYBERSECURITY
WEBINARPART2
JARNONIEMELÄ
F-SECURE
4TH OFJUNE2015

2. Attackers HaveBossesAnd
Budgets Too(@philvenables)
 Attackers may seem omnipotent
 After all they need to find only one hole, and the defender has to plug them all
 In reality attackers are very constrained
 Without vulnerability there is no exploit
 Commodity exploits work out of the box only on default configuration
 Anything that requires custom work is expensive
 Attackers comfort zone is unmodified Windows or OSX
 Break the attackers budget
 Anything out of the ordinary will force the attacker to do custom work
 https://www.troopers.de/media/filer_public/12/29/12298918-04d6-4f26-96d3-4205d09dd70d/andreas_lindhdefendereconomics.pdf
© F-Secure2

3. Mechanics OfDocument
ExploitAttack
 In principle document exploit attacks are very simple
 The original document that the victim receives contains an exploit
 Document reader is taken over and has the same access as the user
 Drop payload EXE to some location and execute it
 After which the exploited word, acrobat, etc process crashes
 Dropped payload drops a clean document
 Clean document is loaded to give user the document he was expecting
 After which the payload is free to continue in the background
 Usually the next action is to connect to C&C, or wait until trigger
© F-Secure3

4. Mechanics OfBrowser
BasedAttack
 Attacker either directly takes over a web site or uses malwertizing
 The compromised web site contains hidden Iframe or plain redirect
 Typically one redirect is followed by another
 The redirected site contains exploit kit
 The exploit kit analyses browser signature and selects suitable exploit
 User’s browser is served exploit which takes it over
 After that the story continues the same way as with document exploit
© F-Secure4

5. InstallMalware
In order to persist, the attacker needs
 To drop a malware and run it
 Thus he needs a write access
 And ability to execute dropped files
 The location needs to be writable by
normal user, but still one that user
does not pay attention to
 %TEMP%
 C:usersUSER (%userprofile%)
 C:usersUSERAppDataRoaming
(%appdata%)
 C:usersUSERAppDataLocalLow
 C:ProgramData
 C:Program Files
 C:, D:, E:, F:, etc root of any drive
this will stop autorun worms
 c:UsersUSERAppDataRoaming
MicrosoftWindowsStart MenuStartup
 c:$Recycle.Bin
 C:recovery

6. Resources NeededBy
Attacker
 Contact
 To be exploited the web browser, PDF reader, etc must load the content
 Exploitability
 The feature that is targeted by exploit must be enabled
 Landing
 Attacker must be able to drop and execute malware
 Otherwise he will go down with the crashing program
 Communication
 Without C&C the dropped payload is most likely to be useless
© F-Secure6

7. PreventContact With
Hostile Material
Attacks are unique only once
 Thus any hostile domain is identified and blacklisted in no time
Use HTTP connection blocking, scanning and filtering to prevent contact
 Web reputation filters our any known attack domain
 Content scanning identifies exploits and known dropped components
 Content filtering will drop flash,java,Silverlight,exe from unknown domains
Filter out suspicious attachments from email
 EXEs are straight out
 Consider custom stripping for documents, etc
© F-Secure7

8. MakeSure WhatIs
Running IsPatched
© F-Secure8
http://www.verizonenterprise.com/DBIR/2015/
 Yeah, everyone knows that IT should deploy all patches ASAP
 But what about software that users have installed without IT’s knowledge?
 If vulnerable software is deployed, it does not matter is it 0-day or not
 Verizon reports that 10 vulnerabilities accounted for almost 97% of attacks

9. MinimizeVulnerable
Attack Surface
Disable all unnecessary content from web browsers
 Disable Java and ActiveX unless you need them for something
 If you really need Java, whitelist specific sites
 Block Flash, Silverlight, etc or use click to play
 If users accept it install no-script with sensible defaults
Disable unnecessary features from office software
 Disable all multimedia, etc plugins from word, excel, Acrobat
 Do you really need PDF or document that runs Flash or ActiveX
 Disable Javascript from Acrobat
 In general, strip out features that users don’t need
© F-Secure9

10. HardenProcess Memory
Handling
Harden memory handling of any application that processes external data
 Any process that serves network
 Acrord32 and other PDF readers
 Winzip,7Zip, etc
 Excel, Powerpoint, Word, Outlook, Winword.exe
 Exlorer.exe, iexplore.exe, Firefox, Chrome
 Skype.exe, Wmplayer.exe, VLC, and any other video player
 For Windows use Microsoft EMET
 It is possible to write exploits so that they bypass EMET
 But then attacker has to knowingly try to circumvent EMET
 For Linux use GRSecurity
© F-Secure10

11. Configure Your End Point
Right
You probably have read blogs about “AV being useless”
 Partly it is due for being 99% perfect is not enough
 And blocking espionage is especially difficult
But in corporates it’s mainly due to AV being used wrong
 Cloud queries are switched off
 Web traffic filtering and scanning is switched off
 Behavioral heuristics are switched off
 Which means about 90% of protection is disabled
© F-Secure11

12. MakeSure YouHaveA
Proper Behavior IDS
If exploit runs, it is very unlikely that scanner detects dropped files
 But that’s ok, that’s why proper end point security has behavior IDS
 Detect change in exploited application behavior
 Detect file appearing to disk without good reason to do so
 Detect launching unknown file from unusual location
 Etc things that are out of place
A good IDS is one of the most valuable parts of a proper client based protection
 Other important feature is detections that target things needed by exploits
 Exploits tend to need libraries and function calls that are not used in clean code
 Exploit:SWF/Salama, Exploit:Java/Majava, Exploit:Java/Katala, Exploit:Java/Kavala
© F-Secure12

13. Pretend ToBeMalware
Analyst
Malware tends to act nice when Analysts are around
 A lot of malware check for signs of analysis environment
 If malware thinks it is being investigated it does not do anything
This makes analysts more difficult, but it can be turned against malware
 Add telltale signs of analysis environment to your system
 And a lot of malware will fail to run
However some malware like W32/Rombertik do retaliate
 So make sure you have proper backups
 Although I prefer “Format C:” over malware hiding on my system
© F-Secure13

14. FakingMalwareAnalysis
EnvironmentCopy registry keys from VMWare tools installation
”HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesDiskEnum” field ”0” Value ”VMWare”
”HKEY_LOCAL_MACHINESOFTWAREVMWare, inc.VMWare Tools ” field ”InstallPath” Value ”c:prog…”
© F-Secure14
Create dummy processes
•Vbox.exe
•Vmware.exe
•wireshark.exe
•regshot.exe
•procmon.exe
•filemon.exe
•regmon.exe
•procdump.exe
•cports.exe
•procexp.exe
•squid.exe
•dumpcap.exe
•sbiectrl.exe
Create dummy files
•C:Program FilesWinPcaprpcapd.exe
•C:Program FilesWireSharkrawshark.exe
•C:Program FilesEtherealethereal.html
•C:Program Fileswiresharkwireshark.exe
•C:Program FilesMicrosoft Network Monitor
3netmon.exe
•C:program filesollydbgOllydbg.exe
•C:program filessysinternalsProcmon.exe
•C:program filessysinternalsProcexp.exe
•C:program filessysinternalsDiskmon.exe
•C:program filessysinternalsAutoruns.exe
•C:program filesdebugging tools for
windowsWindbg.exe

15. Conclusion
 Unless attacker go after you personally, he is very restricted
 Common criminals - lack know-how and interest for hard targets
 Espionage operators also have budgets, and go for easy ROI
 That is, attackers prefer to mass produce their attacks
 Attackers are very dependent on the victim using standard configuration
 So make your setup unique
 Avoid being hit by mass production, require artisanal attacks
© F-Secure15

16. QUESTIONS?
16

17. THANK YOU FOR YOUR
PARTICIPATION!
17
STAY TUNED FOR THE FUTURE CYBER SECURITY WEBINAR SERIES:
21 September 2015 at 11.00 EET: “Defending servers”
15 October 2015 at 11.00 EET: “Defending network”
9 November 2015 at 11.00 EET: “Responding to an incident”
3 December 2015 at 11.00 EET: “Building secure systems”
The Recording will be available at the BUSINESS SECURITY INSIDER
https://business.f-secure.com