Cyber threats landscape and defense

Cyber Threats: Landscape and Defense. Ing. Andrea Garavaglia, Andrea Minigozzi (CISSP – OPST). ISIS “C. Facchinetti”, Castellanza – VA, 14-04-2014


Cyber threats landscape and defense workshop ISIS "C. Facchinetti" - Castellanza - Varese Italy


Page 1: Cyber threats landscape and defense

Cyber Threats: Landscape and Defense

Ing. Andrea Garavaglia

Andrea Minigozzi, CISSP – OPST

ISIS “C. Facchinetti”, Castellanza – VA

14-04-2014

Page 2: Cyber threats landscape and defense

Cyber Threats Landscape and Defense

Andrea Minigozzi is a certified CISSP and OPST Security Expert with fourteen years' experience, encompassing SIEM, malware analysis, investigating security incidents, computer and network forensics, ISO 27001/NIST/COBIT audits and hardening of various devices on civil and military programs. Andrea is the owner of the FantaGhost web site and develops the FG-Scanner project.

About us… #whoami

Andrea Minigozzi – Andrea Garavaglia

For years Andrea Garavaglia supported law enforcement with analysis tools used to discover patterns, trends, associations and hidden networks in any number and type of data sources. He also worked with voice and IP interceptions, traffic reconstruction and forensic analysis.

He is currently a Network Security Monitoring enthusiast.

Page 3: Cyber threats landscape and defense

A real problem for today's industries

Page 4: Cyber threats landscape and defense

Who can become a victim?

Source: http://www.tietoturvapaiva.fi/uploads/Tietoturva%202012/stonesoft.pdf

Page 5: Cyber threats landscape and defense

From virus to Advanced Persistent Threats: the timeline (1970 – 2009)

1971 – Creeper
1982 – Elk Cloner
1986 – Brain
1987 – Jerusalem
1992 – Michelangelo
1999 – Melissa
2000 – I love you
2001 – Code Red
2004 – Sasser
2005 – MyTob
2007 – Storm BotNet
2009 – Conficker

Source: http://blogs.csoonline.com/1421/40_years_after_the_first_computer_virus

Page 6: Cyber threats landscape and defense

From virus to Advanced Persistent Threats: the timeline (2010 – Today)

2010 – Stuxnet
2010 – VBMania
2010 – Kenzero
2010 – SpyEye + Zeus
2011 – ZeroAccess
2011 – Duqu
2012 – Flame
2012 – Shamoon
2012 – NGRBot
2013 – CryptoLocker
2014 – ................

Source: http://en.wikipedia.org/wiki/Timeline_of_computer_viruses_and_worms

Page 7: Cyber threats landscape and defense

Terms and definitions: viruses and worms

VIRUS

A program that “infects” computer files, usually executable programs, by inserting a copy of itself into the file. These copies are usually executed when the infected file is loaded into memory, allowing the virus to infect other files. A virus requires human involvement (usually unwitting) to propagate.

WORM

An independent computer program that reproduces by copying itself from one system to another across a network. Unlike computer viruses, worms do not require human involvement to propagate, and they exploit vulnerabilities to bypass security systems.

Page 8: Cyber threats landscape and defense

Terms and definitions: trojan horses and 0-day exploits

TROJAN HORSE

A computer program that conceals harmful code. A Trojan horse usually masquerades as a useful program that a user would wish to execute.

0-DAY EXPLOIT

An exploit that takes advantage of a security vulnerability previously unknown to the general public. In many cases, the exploit code is written by the same person who discovered the vulnerability.


Page 9: Cyber threats landscape and defense

Terms and definitions: malware

MALWARE

A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity or availability of the victim's data, applications or operating system, or of otherwise annoying or disrupting the victim. Malware often violates one or more of the following fundamental principles:

Consent: Malware may be installed even though the user did not knowingly ask for that to happen.

Privacy-Respectfulness: Malware may violate a user's privacy, perhaps capturing user passwords or credit card information.

Non-Intrusiveness: Malware may annoy users by popping up advertisements, changing the web browser's home page, making systems slow or unstable and prone to crash, or interfering with already installed security software.

Harmlessness: Malware may be software that hurts users (such as software that damages our system, sends spam emails, or disables security software).

Respect for User Management: If the user attempts to remove the software, it may reinstall itself or otherwise override user preferences.

Source: http://itlaw.wikia.com/wiki/Malware


Page 10: Cyber threats landscape and defense

Malicious code spreading vectors and attack surface (1980 – 2014)

Page 11: Cyber threats landscape and defense

New malware in the last two years

Source: http://www.mcafee.com/uk/resources/reports/rp-quarterly-threat-q3-2013.pdf

Page 12: Cyber threats landscape and defense

New malware for emerging operating systems

Source: http://www.mcafee.com/uk/resources/reports/rp-quarterly-threat-q3-2013.pdf

Page 13: Cyber threats landscape and defense

Global email volume, in trillions of messages

Source: http://www.mcafee.com/uk/resources/reports/rp-quarterly-threat-q3-2013.pdf


Page 14: Cyber threats landscape and defense

Hacking motivations

HACKERS: They need to understand how systems work and how to improve security and performance.

HACKTIVISTS: They use computers and computer networks to promote political ends, chiefly free speech, human rights, and information ethics.

STATE SPONSORED HACKERS: Governments around the globe realize that it serves their military objectives to be well positioned online.

SPY HACKERS: Corporations hire hackers to infiltrate the competition and steal trade secrets.

CYBER TERRORISTS: These hackers, generally motivated by religious or political beliefs, attempt to create fear and chaos by disrupting critical infrastructures.


Page 15: Cyber threats landscape and defense

Attack Diagram: the past

Page 16: Cyber threats landscape and defense

Attack Diagram: the present

Page 17: Cyber threats landscape and defense

Terms and definitions: advanced persistent threats

ADVANCED PERSISTENT THREATS

An Advanced Persistent Threat (APT) is a set of stealthy and continuous hacking processes, often orchestrated by humans targeting a specific entity.

An APT usually targets organizations and/or nations for business or political motives. APT processes require a high degree of covertness over a long period of time.

Source: https://www.academia.edu/6309905/Advanced_Persistent_Threat_-_APT

The advanced process signifies sophisticated techniques using malware to exploit vulnerabilities in systems and Advanced Evasion Techniques to avoid detection.

The persistent process suggests that an external command and control is continuously monitoring and extracting data off a specific target.

The threat process indicates human involvement in orchestrating the attack.

Page 18: Cyber threats landscape and defense

APT Teams and Connections

Diagram (image on the original slide); the labels that survive are listed here:

Teams: A-Team, B-Team (more senior? malware writers?)

Stages: Stage 0 Infection; Stage 1 Generate Intermediaries; Stage 2 Setup Relay Agents; Stage 3 Data Exfiltration

Hosts: Foothold Host, Intermediary Host, Transfer Host, Data Host

Connections: Beaconing & Latching; Agent Download & Install; Command & Control / Agent transfer; Data transfer; RDP & Other; VPN

Compromised relay sites in the diagram: www.hackedsite1.com, www.hackedsite2.com

Page 19: Cyber threats landscape and defense

Advanced Persistent Threats Lifecycle

Source: http://en.wikipedia.org/wiki/Advanced_persistent_threat#History_and_targets


Page 20: Cyber threats landscape and defense

A great video from Trend Micro explains how the attacks work

Source: http://www.youtube.com/watch?v=fpeMR1214t0

This video describes a real successful attack that happened some time ago: the attacked company lost about 60 million dollars.

Page 21: Cyber threats landscape and defense

Live Demo

Page 22: Cyber threats landscape and defense

QR Codes and Shortened URLs: when the threats get short!

http://goo.gl/pJ0sKw

Page 23: Cyber threats landscape and defense

QR Codes and Shortened URLs: when the threats get short!

STAY AWAY FROM MALICIOUS QR CODES!

Scanning QR codes in the form of stickers placed randomly on street walls is most dangerous. It is a very common way scammers use to get people to scan the code purely out of curiosity. Reports say, “46% just said they were curious what this odd little jumbled cube could do.” So, we should not scan any QR codes that are not from trusted sources.

LOOK CLOSELY AT A QR CODE BEFORE DOING ANYTHING ELSE!

There are a few apps on the stores you can use to analyze the QR code before opening its content.

Page 24: Cyber threats landscape and defense

QR Codes and Shortened URLs: when the threats get short!

http://goo.gl/pJ0sKw
http://goo.gl/ZFm5u6

Are you able to see if the two shortened URLs above lead us to trusted websites?

Revealed:

http://goo.gl/pJ0sKw – Malicious URL
http://goo.gl/ZFm5u6 – FantaGhost Web Page

Page 25: Cyber threats landscape and defense

QR Codes and Shortened URLs: when the threats get short!

Are there any solutions for this problem?

YES! WE SHOULD PREVIEW SHORTENED URLS BEFORE USING THEM.

Several web tools help us get the full URL address from a shortened URL; an example is http://unshort.me/

In addition, some URL shortening services, such as goo.gl, let us preview the shortened URL first by adding a “+” at the end of the URL.
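A small script that does what the slide recommends: it follows a shortened URL's redirect chain with HEAD requests only and reports where the chain ends, so the destination host can be judged before the page is ever loaded. This is an added example, not code from the original slides or from the FantaGhost project; the short.example and hop.example addresses used for the offline check are constructed.

```python
"""Preview where a shortened URL leads without visiting the final page.

Only HEAD requests are sent, hops are capped, loops are detected and the
whole chain is returned so the last host can be compared with sites the
reader already trusts. The fetcher is injectable, so the chain-walking
logic can be exercised offline against a constructed redirect table.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError on 3xx instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_location(url):
    """HEAD the URL; return the Location header of a 3xx reply, else None."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=10):
            return None  # 2xx: this is the final page, nothing more to follow
    except urllib.error.HTTPError as e:
        return e.headers.get("Location") if 300 <= e.code < 400 else None


def preview_chain(url, fetch_location=http_location, max_hops=10):
    """Return (hops, status); status is 'final', 'loop' or 'too-many-hops'."""
    hops, seen = [url], {url}
    while len(hops) <= max_hops:
        nxt = fetch_location(hops[-1])
        if nxt is None:
            return hops, "final"
        nxt = urljoin(hops[-1], nxt)  # a Location header may be relative
        if nxt in seen:
            return hops + [nxt], "loop"
        seen.add(nxt)
        hops.append(nxt)
    return hops, "too-many-hops"


def destination_host(hops):
    """Lower-cased host name of the last hop, for comparison with trusted sites."""
    return (urlsplit(hops[-1]).hostname or "").lower()


if __name__ == "__main__":
    chain, status = preview_chain("http://goo.gl/ZFm5u6")  # short URL from the slides
    print(status, " -> ".join(chain))
```

Pass a dict's `.get` as `fetch_location` to dry-run the logic on a table of redirects you constructed yourself.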

Page 26: Cyber threats landscape and defense

The most dangerous (and most common) vulnerabilities

1. Email Social Engineering/Spear Phishing

2. Infection via a Drive-By Web Download: Watering Hole Attack

3. USB Key Malware

4. Scanning Networks for Vulnerabilities and Exploitation

5. Guessing or Social Engineering Passwords

6. Wi-Fi Compromises

7. Stolen Credentials from Third-Party Sites

8. Compromising Web-Based Databases

9. Exploiting Password Reset Services to Hijack Accounts

10. Insiders

Page 27: Cyber threats landscape and defense

Understanding the Heartbleed bug

CVE-2014-0160

Source: http://www.xkcd.com/1354 - http://regmedia.co.uk/2014/04/09/openssl_haertbleed_diagram.png

Page 28: Cyber threats landscape and defense

Questions?

Page 29: Cyber threats landscape and defense

[email protected]

http://www.fantaghost.com

THANK YOU!

Ing. Andrea Garavaglia Andrea Minigozzi, CISSP - OPST

[email protected]