Detecting and Preventing Intruders - M Mastrangelli


Transcript of Detecting and Preventing Intruders - M Mastrangelli

  • 7/27/2019 Detecting and Preventing Intruders - M Mastrangelli

    Slide 1/19

    Detecting and Preventing Intruders

    Mark Mastrangeli, Sr. Sales Engineer, Government, Healthcare and Education

  • Slide 2/19

    McAfee Confidential - Internal Use Only

    Agenda: Detecting and Preventing Intruders

    Threat Landscape
    Attack Graphing
    Protection Graphing
    Anti-Virus?
    HTML 5 Malware with Evasion
    Advanced Malware Detection

  • Slide 3/19

    Malware Continues to Grow

    [Chart: "New Malware Samples" per quarter, Q1 2010 through Q1 2013; y-axis 0 to 14,000,000. Source: McAfee Labs, 2013]

    New malware samples grew 22% from Q4 2012 to Q1 2013.
    2012 new malware sample discoveries increased 50% over 2011.
    Malware continues to grow, and is getting more sophisticated.

  • Slide 4/19

    Attack Graph Overview

  • Slide 5/19

    Attack Graph Basics

    - User visits trusted web site: server compromised (e.g. PHP vuln); XSS vulnerability
    - User visits untrusted web site: Blackhat SEO; malicious ad; URL in forum posting; clickjacking
    -> User visits page with malicious content
    - Convince user to run executable: video codec, game crack, etc.
    - File format vulnerability: MS Office, Adobe Acrobat, etc.
    - Browser vulnerability: ActiveX or BHO/plugin exploits; browser exploit; ActiveX unsafe for scripting (e.g. ADODB)
    -> Malicious code execution

  • Slide 6/19

    Four Stages of Attack

    First Contact
    - Send unsolicited message: Facebook, IM, email
    - Physical access to HW, e.g. stolen laptop
    - Insert physical media, e.g. USB drive
    - User visits untrusted web site
    - User visits trusted web site
    - Man in the middle: wired; wireless (e.g. rogue AP)
    - Remote exploit: network service exploit; application exploit (e.g. webserver)
    - Access target's LAN: public WAP

    Local Execution
    - User visits page with malicious content
    - User opens malicious message
    - User visits (apparently) page controlled by attacker
    - Modify server filesystem/database
    - Convince user to run executable
    - File format / browser vulnerability
    - Phishing attack
    -> Malicious code execution

    Establish Presence
    - Download and install additional malware
    - Propagate to another system: network service exploit, copy to file share, etc.
    - Persist on the system: modify existing service, add BHO or explorer extension, install service, etc.
    - Self-preservation: disrupt security software or updates, rootkit techniques, process injection, etc.
    -> Malware remains active in system

    Malicious Activity
    - Tampering: malicious destruction of files; ransomware encrypts/modifies files -> money extorted to recover files; destruction or modification of user's files
    - Bot services: remote access, DDoS, send spam, open proxy; command and control over IRC, HTTP, P2P, Twitter etc. -> bot installed and operational -> sell bot services
    - Capture sensitive data: keyloggers, man-in-the-browser, etc. -> transmit captured data -> intellectual property theft; identity theft / financial fraud
    - Adware/scareware: browser plugins, toolbars, config changes, etc. -> ads displayed, click fraud; user pays for fake AV

  • Slide 7/19

    Example: Stuxnet

    First Contact
    - Physical access to HW, e.g. stolen laptop -> Evil Maid attack
    - Insert physical media, e.g. USB drive -> execute from removable media: Autorun; LNK exploit (0-day), CVE-2010-2568
    - Send unsolicited message: Facebook, IM, email -> message reader vulnerability
    - User visits untrusted site, e.g. Blackhat SEO -> user visits page with malicious content
    - User visits trusted web site, e.g. XSS vuln
    - Access target's LAN: public WAP; compromise another system -> MITM / remote exploit: network service exploit (Windows Server Service RPC exploit, CVE-2008-4250; Print Spooler exploit, 0-day); application exploit (e.g. webserver): use default password on WinCC MS SQL database
    - Read local file, e.g. cookie, password cache -> identity theft / financial fraud
    - Modify server filesystem/database

    Local Execution
    - Convince user to run executable
    - OS exploit
    - File format / browser vulnerability
    -> Malicious code execution

  • Slide 8/19

    Example: Stuxnet (continued)

    Establish Presence
    - Privilege escalation
    - Propagate to another system -> uses RPC to propagate updates to other systems on the LAN
    - Download and install additional malware -> updates and other code can be run
    - Persist on the system: hide; install service; add BHO or explorer extension; registry change (e.g. AppInit_DLLs); etc. -> hides malicious LNK files
    - Self-preservation: disrupt security software or updates; disable admin apps (task manager, safe mode etc.); user-mode hook; kernel hook (SSDT, IDT, IRP etc.); use signed driver or binary; process injection -> drivers signed by Realtek and JMicron
    -> Malware remains active on system

    Malicious Activity
    - Modify industrial control system: inject code into PLC programming tool -> injects code into Step7; alters code blocks written out to the PLC and hides the changes from the user -> industrial espionage, sabotage
    - Bot services: remote access, DDoS, send spam, open proxy -> bot installed and operational -> sell bot services
    - Command control: IRC, HTTP, P2P, Twitter etc. -> simple HTTP protocol; comm. code injected into IE
    - Adware/scareware: emulate security software UI; browser config changes; change hosts file -> ads displayed, click fraud; user pays for fake AV
    - Capture sensitive data: keyloggers; man-in-the-browser (hook comm APIs, user mode); read cached passwords from disk -> transmit captured data -> intellectual property theft; identity theft / financial fraud


  • Slide 10/19

    Protection Graph

  • Slide 11/19

    Four Stages of Attack

    First Contact: physical access; unsolicited message; website; network access
    Local Execution: exploit; social engineering; configuration error
    Establish Presence: download malware; escalate privilege; persist on system; self-preservation
    Malicious Activity: propagation; bot activities; adware & scareware; identity & financial fraud; tampering

  • Slide 12/19

    4 Phase Protection Methods

    Phases: First Contact, Local Execution, Establish Presence, Malicious Activity

    McAfee SiteAdvisor: Website Filtering
    McAfee Enterprise Mobility Management: Mobile Device Management
    McAfee Device Control: Physical File Transfer
    McAfee Desktop Firewall
    Advanced Anti-Malware & Detection: Web Filtering, Email Filtering
    McAfee VirusScan Enterprise: On-Access Scanning, File Scanning, Write Blocking
    McAfee Database Activity Monitor: Database Vulnerability Blocking
    McAfee Deep Defender: Rootkit Prevention
    McAfee Host Intrusion Prevention: Buffer Overflow Prevention, Behavioral Prevention
    McAfee Application Control for Servers or Desktops: Install and Execution Prevention, Change Protection
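The following is an added example, not part of the deck: a small Python model of the four-stage attack graph with the control names this slide lists, which enumerates the attack paths that no deployed control blocks. Which control blocks which technique is an illustrative assumption made for this example, not a description of the products.

```python
# Added example (not from the deck): the four-stage attack graph with the
# controls the "4 Phase Protection Methods" slide maps onto each stage.
# Which control blocks which technique is an illustrative assumption here.
from itertools import product
from math import prod

# stage -> technique -> controls assumed to block that technique
GRAPH = {
    "First Contact": {
        "user visits untrusted web site": {"SiteAdvisor", "Web Filtering"},
        "insert physical media (USB drive)": {"Device Control"},
        "send unsolicited message (email)": {"Email Filtering"},
        "remote exploit (network service)": {"Desktop Firewall", "Host Intrusion Prevention"},
    },
    "Local Execution": {
        "convince user to run executable": {"VirusScan Enterprise", "Application Control"},
        "file format / browser vulnerability": {"Host Intrusion Prevention"},
    },
    "Establish Presence": {
        "persist on the system (install service)": {"Application Control"},
        "self-preservation (rootkit techniques)": {"Deep Defender"},
        "download and install additional malware": {"VirusScan Enterprise"},
    },
    "Malicious Activity": {
        "tampering (ransomware encrypts files)": {"Host Intrusion Prevention"},
        "bot services (command and control)": {"Desktop Firewall"},
        "capture sensitive data (keylogger)": {"Host Intrusion Prevention"},
    },
}

def open_techniques(stage, deployed):
    """Techniques in a stage that no deployed control blocks."""
    return [t for t, blockers in GRAPH[stage].items() if not blockers & deployed]

def uncovered_paths(deployed):
    """Every first-contact-to-malicious-activity path that survives: the
    attacker needs all four stages, so one blocked stage kills the path."""
    per_stage = [open_techniques(s, set(deployed)) for s in GRAPH]
    return [list(p) for p in product(*per_stage)]

def total_paths():
    return prod(len(stage) for stage in GRAPH.values())

if __name__ == "__main__":
    av_only = ["VirusScan Enterprise"]
    layered = av_only + ["Host Intrusion Prevention", "Application Control", "Deep Defender"]
    for stack in (av_only, layered):
        print(len(uncovered_paths(stack)), "of", total_paths(), "paths open with", stack)
```

With only the AV control deployed, 24 of the 72 modelled paths stay open; adding host intrusion prevention, application control and rootkit prevention closes every path because no Local Execution technique survives.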

  • Slide 13/19

    Cost of an AV-Only Strategy: Customer Survey

    Less efficient: AV-only users spent 1.5 times more than leaders; leaders deployed security at higher scale and lower cost.
    Less effective: the AV-only group bore higher costs due to outbreaks; AV-only users accepted 68% of IT security-related risk, compared to just 58% by the leading performers.

    Source: Aberdeen Research, 3-2012

  • Slide 14/19

    Exploit Toolkit Coverage

    Today's malware threats, like Blackhole and Phoenix, require full web browser emulation. ECMAScript and the W3C (HTML) DOM need to be simulated correctly, and browser-specific differences also need to be simulated.

  • Slide 15/19

    What is Sandboxing?

    Sandboxing: run a suspect file in a safe (virtual) environment; analyze the actual behavior of any unknown file; report on the intent of any file, malicious or not.

    [Figure: unknown files enter sandboxing and come out classified as safe or malware]

  • Slide 16/19

    Advanced Threat Defense

    Dynamic analysis: observe registry modifications; observe network communications; observe process activities; observe file system changes.
    Static code analysis: unpacking; static analysis of disassembled code; discovery of latent code; hidden logic paths; graphing.

    [Figure: unknown files enter sandboxing and come out classified as safe or malware]
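As an added example (not from the deck or any McAfee product), the script below applies the dynamic-analysis observations listed here to a constructed sandbox behaviour report and maps the hits onto the four stages using techniques named on the Stuxnet slides. The event format, the rules and the sample events are all assumptions made for this example.

```python
# Added example (not from the deck): classify a sandbox behaviour report with
# the techniques named on the "Four Stages of Attack" and Stuxnet slides.
# The event format, the rules and the sample events are constructed here.
import re

# (stage, technique from the deck, predicate over one observed event)
RULES = [
    ("Establish Presence", "registry change (AppInit_DLLs)",
     lambda e: e["op"] == "registry_write" and e["target"].lower().endswith("\\appinit_dlls")),
    ("Establish Presence", "process injection",
     lambda e: e["op"] == "process_inject"),
    ("Malicious Activity", "change hosts file",
     lambda e: e["op"] == "file_write" and e["target"].lower().endswith("\\drivers\\etc\\hosts")),
    ("Malicious Activity", "command and control over plain HTTP to a bare IP",
     lambda e: e["op"] == "network" and e["proto"] == "http"
     and re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", e["target"]) is not None),
]

def match_report(events):
    """Return {stage: [technique, ...]} for every rule some event triggers."""
    hits = {}
    for stage, technique, pred in RULES:
        if any(pred(e) for e in events):
            hits.setdefault(stage, []).append(technique)
    return hits

def verdict(events):
    """SAFE / UNKNOWN / MALWARE, the three outcomes on the sandboxing slide:
    persistence plus malicious activity is MALWARE, one stage alone stays UNKNOWN."""
    stages = set(match_report(events))
    if {"Establish Presence", "Malicious Activity"} <= stages:
        return "MALWARE"
    return "UNKNOWN" if stages else "SAFE"

# constructed sample reports: one persists via AppInit_DLLs, injects into the
# browser, rewrites the hosts file and beacons over HTTP; the other is benign
SUSPECT = [
    {"op": "registry_write", "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs"},
    {"op": "process_inject", "target": "iexplore.exe"},
    {"op": "file_write", "target": r"C:\Windows\System32\drivers\etc\hosts"},
    {"op": "network", "proto": "http", "target": "203.0.113.7"},
]
BENIGN = [
    {"op": "file_write", "target": r"C:\Users\alice\Documents\report.docx"},
    {"op": "network", "proto": "https", "target": "example.com"},
]

if __name__ == "__main__":
    for name, report in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, verdict(report), match_report(report))
```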

  • Slide 17/19

    Multiple Anti-Malware Methods

    Anti-malware methods, as the chart plots them against duration and depth of analysis:
    Anti-virus signatures
    Anti-virus inspection
    Global file reputation
    Emulation engine
    Advanced sandboxing: static and dynamic code analysis

    Real-time down-select process

    [Chart axes: Duration of Analysis; Depth of Analysis]
