Enterprise Malware Defense: Strategies for Thwarting the Latest Attack Methods Chuck Davis, MSIA, CISSP-ISSAP @ckdiii


WHO IS CHUCK DAVIS?

• Executive Security Architect at IBM
• Master of Science in Information Assurance: Norwich University
• Voting Faculty at Harrisburg University of Science & Technology
• Adjunct Professor: University of Denver & Penn State University
• Previously worked as:
  • Manager of Cyber Defense at The Hershey Company
  • 14 yrs with IBM, left as a Global Security Operations Mgr.
• Co-authored 2 books on the topic of security.
• 5 US Patents, 3 patents-pending & 10 invention disclosures
• Twitter: @ckdiii

Overview

Malware is arguably the most prevalent cyber attack method used today and is increasing exponentially each year.

Chuck will give a brief history of malware and cover present-day advanced malware tactics, IoT malware and ransomware.

He will discuss how organizations continue to make decisions that put their endpoints and enterprise at risk.

Chuck will share a strategy that any company can use to ensure they have adequate enterprise malware defense coverage.

He will also share strategies to isolate and protect home and enterprise assets from IoT and malware attacks.

Agenda

The history of malware

Present-day advanced malware tactics

Companies are making decisions that put their endpoints and enterprise at risk

Strategy that any company can use to ensure they have adequate enterprise malware defense coverage

IoT malware & Ransomware

History of Malware

Age of Exploration/Discovery

Playful pranks

Elk Cloner

Understanding & testing the landscape

Morris worm

Virus/Worm Era

Malicious code, replication of code.

Spyware & Adware Era

Using social engineering to gain information about end users and make money. Stealing identities, making fast money.

History of Malware…cont.

BotNet Era

Using malware to control large numbers of infected systems without the knowledge or permission of the systems’ owners.

Targeted/Hybrid Era

Using a combination of social engineering, Trojans, botnets, rootkits, etc. to stealthily infect and control a small, targeted group of systems in order to steal intellectual property, identities, money, etc.

Ransomware Era

Simple, automated, very successful at making money

IoT/Hybrid Era (Today)

Using any and all attack methods to achieve the directive.

Present-day advanced malware tactics

Memory Resident

Malvertising

Ransomware

IoT (Internet of Things)

Poor Decisions = High Risk

Using only default OS A/V: Yes, OS X does get malware!

Removal of endpoint A/V

Slow response to phishing attacks

Removing malware from infected systems

Relying on network tools to secure endpoints

Strategy

Get organized!

Focus on endpoints, network, and users.

Education/awareness

Prevention, Detection, Analysis, Remediation

The Malware Defense LifeCycle

Prevention

The Prevention phase is used to reduce the risk of malware infection.

Executing policy restrictions, like disallowing highly vulnerable software such as Adobe’s Flash, can greatly reduce the risk.

Other prevention tools are used to limit access to untrusted sites and content.

Detection

The Detection phase is used to find and react to malware with which a system comes in contact.

The goal is to detect prior to infection but because of the advanced nature of the malware development industry, this phase will often detect already infected systems.

While signature based anti-malware is still relevant, it is only one of the many tools needed in a complete malware defense program.

Some of the newer approaches to malware defense, such as reputation analysis and behavior analysis, sit in this phase.

Analysis

The Analysis phase includes computer forensics and malware reverse engineering.

The old approach was to collect samples from endpoints and infect a lab system to see what the malware does and how it works and communicates.

Newer approaches have system logging turned on at the endpoint and network, which allows for the playback of activity to see where the malware came from and how it communicated to Internet resources.

Remediation

The Remediation phase includes the recovery of an infection and feeds data about infections to the prevention phase.

For example, during the analysis phase, malware samples are collected and analyzed; then, during remediation, they are submitted to the signature anti-malware vendors and stored in our malware database.

Infected Endpoint?

Did your security tools:

Stop infection? Investigate

Find infection? Investigate, Analysis, Re-image!

Clean infection? Investigate, Analysis, Re-image!
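The lifecycle and the “Infected Endpoint?” table above, worked as an added Python example (this is not code from the presentation): constructed endpoint events are triaged with the table, samples collected in Analysis go into a malware database during Remediation, and the resulting blocklist is what Prevention checks for later events. The event fields, hostnames and hashes are constructed; the in-memory blocklist is an assumption standing in for a real vendor signature feed.

```python
"""Toy model of the malware defense lifecycle from the slides.
Added example, not code from the presentation. All hosts, hashes and
event outcomes below are constructed for illustration."""
from dataclasses import dataclass, field

# The "Infected Endpoint?" table: what the tool did -> what we do next.
TRIAGE = {
    "stopped": ["investigate"],
    "found":   ["investigate", "analysis", "re-image"],
    "cleaned": ["investigate", "analysis", "re-image"],
}


@dataclass
class EndpointEvent:
    host: str
    outcome: str        # "stopped", "found" or "cleaned" (tool-reported)
    sample_sha256: str  # hash of the sample the tool saw (constructed)


@dataclass
class MalwareDefense:
    # Prevention: hashes refused before the endpoint tooling has to act.
    blocklist: set = field(default_factory=set)
    # Remediation: the "malware database" the slides mention, sample -> hosts seen on.
    sample_db: dict = field(default_factory=dict)
    reimage_queue: list = field(default_factory=list)

    def handle(self, ev: EndpointEvent) -> list:
        """Run one event through the lifecycle and return the actions taken."""
        # Prevention: a known-bad sample is refused outright, no triage needed.
        if ev.sample_sha256 in self.blocklist:
            return ["blocked-by-prevention"]
        if ev.outcome not in TRIAGE:
            raise ValueError(f"unknown tool outcome {ev.outcome!r} for {ev.host}")
        actions = list(TRIAGE[ev.outcome])
        # Analysis: a system that was actually infected yields a sample worth studying.
        if "analysis" in actions:
            self.sample_db.setdefault(ev.sample_sha256, []).append(ev.host)
            # Remediation feeds Prevention: the analysed sample becomes a block rule
            # (and, per the slides, would also go to the signature vendors).
            self.blocklist.add(ev.sample_sha256)
        # Re-image rather than trust a "cleaned" box.
        if "re-image" in actions:
            self.reimage_queue.append(ev.host)
        return actions


def run_lifecycle(events):
    """Process events in order; return (per-event actions, defense state)."""
    defense = MalwareDefense()
    return [defense.handle(e) for e in events], defense


# Constructed sample: the same sample hits ws-01 (found), then ws-03 (prevented).
SAMPLE_EVENTS = [
    EndpointEvent("ws-01", "found",   "a1" * 32),
    EndpointEvent("ws-02", "stopped", "b2" * 32),
    EndpointEvent("ws-03", "found",   "a1" * 32),
    EndpointEvent("ws-04", "cleaned", "c3" * 32),
]

if __name__ == "__main__":
    actions, state = run_lifecycle(SAMPLE_EVENTS)
    for ev, acts in zip(SAMPLE_EVENTS, actions):
        print(f"{ev.host}: {ev.outcome:8} -> {', '.join(acts)}")
    print("re-image queue:", state.reimage_queue)
    print("blocklist size:", len(state.blocklist))
```

The point of the model is the feedback arrow: ws-03 never reaches the triage table because ws-01’s sample was already pushed from Remediation into Prevention, while a merely “stopped” event on ws-02 is investigated but does not by itself create a block rule.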

Malware Strategy Table

IoT Malware

The “S” in IoT stands for Security

Why Should We Be Concerned About IoT?

Not built with security

OS, network communication, cloud storage

Often no way to patch or patching is manual for the end user.

Ring :-)….Netgear :-O…Cheap WebCam :-(

No vendor incentive and no user pressure if we don’t know we’re hacked!

Bruce Schneier Quote

“The market can't fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don't care. Their devices were cheap to buy, they still work, and they don't even know Brian. The sellers of those devices don't care: they're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.”

https://www.schneier.com/blog/archives/2016/10/security_econom_1.html

Mirai Botnet Malware

9/20/2016: Used in a DDoS attack on journalist Brian Krebs

9/30/2016: Source code leaked

Google’s “Project Shield” used to absorb malicious traffic and keep Krebs’ site online.

Links:

Krebs on Security https://krebsonsecurity.com/

Google’s Project Shield https://jigsaw.google.com/projects/#project-shield

Mirai cont.

One analysis of a Mirai botnet attack uncovered 49,657 unique IPs hosting Mirai-infected devices

Mostly CCTV cameras, but also including DVRs and routers.

Reference: Incapsula https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html

Mirai infection map

Widely dispersed, including 164 countries

Mirai Top Countries of Attack

Analysis of the Mirai Malware

Goals of the malware:

Locate and compromise IoT devices to further grow the botnet.

Runs scans looking for under-secured IoT devices (factory default login credentials).

Launch DDoS attacks based on instructions received from a remote C&C.

Mirai Is Territorial

The malware holds several killer scripts meant to eradicate other worms and Trojans, as well as prohibiting remote connection attempts to the hijacked device.

For example, the following scripts close all processes that use SSH, Telnet and HTTP ports:

Coded to locate/eradicate other botnet processes from memory, a technique known as memory scraping
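Mirai's scanning for devices with factory default credentials is visible from the defender's side as a burst of failed Telnet/SSH logins from one source against many devices in a short time. The following Python detector over device authentication logs is an added example and not part of the presentation or the Incapsula analysis; the log line format, device names and source addresses (RFC 5737 documentation ranges) are constructed, and the thresholds are assumptions to tune for your own network.

```python
"""Detect Mirai-style credential scanning from device authentication logs.
Added example, not from the presentation or the Incapsula write-up. The log
format, the devices and the source addresses are constructed for illustration
(RFC 5737 documentation address ranges)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed one-line format that a syslog collector could emit for IoT devices.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) service=(?P<svc>\S+) "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<res>\S+)$"
)
SCANNED_SERVICES = {"telnet", "ssh"}   # the remote-management services Mirai probes


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_scanners(lines, window=timedelta(seconds=60), min_failures=5, min_hosts=3):
    """Sliding-window detector: a source that accumulates >= min_failures failed
    telnet/ssh logins against >= min_hosts distinct devices inside `window`
    is flagged. Returns {src: (failures_in_window, distinct_hosts)} using the
    values from the last window in which the source tripped the threshold.
    Lines are expected in time order, as a collector would deliver them."""
    recent = defaultdict(deque)   # src -> deque of (ts, host) still inside the window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["res"] != "fail" or ev["svc"] not in SCANNED_SERVICES:
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["host"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()                 # expire entries older than the window
        hosts = {h for _, h in q}
        if len(q) >= min_failures and len(hosts) >= min_hosts:
            alerts[ev["src"]] = (len(q), len(hosts))
    return alerts


# Constructed sample: one source sweeping five devices in 15 seconds, one admin
# who fat-fingers a password once, and an unrelated HTTP failure.
SAMPLE_LOG = """\
2016-09-20T10:00:01Z host=cam-01 service=telnet src=198.51.100.7 user=root result=fail
2016-09-20T10:00:03Z host=cam-01 service=telnet src=198.51.100.7 user=admin result=fail
2016-09-20T10:00:06Z host=cam-02 service=telnet src=198.51.100.7 user=root result=fail
2016-09-20T10:00:09Z host=dvr-01 service=telnet src=198.51.100.7 user=root result=fail
2016-09-20T10:00:12Z host=rtr-01 service=ssh src=198.51.100.7 user=root result=fail
2016-09-20T10:00:15Z host=cam-03 service=telnet src=198.51.100.7 user=root result=fail
2016-09-20T10:01:00Z host=rtr-01 service=ssh src=192.0.2.10 user=ops result=fail
2016-09-20T10:01:10Z host=rtr-01 service=ssh src=192.0.2.10 user=ops result=success
2016-09-20T10:05:00Z host=cam-01 service=http src=203.0.113.5 user=- result=fail
this line is not in the expected format and is skipped
"""

if __name__ == "__main__":
    for src, (fails, hosts) in detect_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {src}: {fails} failed logins across {hosts} devices")
```

The detector keys on breadth (distinct devices) as well as volume, which is what separates a sweep from a single locked-out administrator; a source flagged this way is a candidate for blocking at the edge and, if it is an internal address, a sign that one of your own devices has already been recruited.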

Russian?

Written in English with some Russian-language strings

Might indicate at least one Russian-speaking programmer…OR…it’s a smoke screen!

Another bit of code contained Rick Roll jokes next to Russian strings saying “я люблю куриные наггетсы”, which translates to “I love chicken nuggets”, providing yet more evidence of the Russian heritage of the code authors, as well as their age demographic.

Protection from IoT malware

Change ALL default logins

Close all unnecessary Internet-facing ports

Network Isolation

Regularly scan your network from the Internet.

http://iotscanner.bullguard.com/

Start by securing your home network!
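The four controls above (change default logins, close unnecessary Internet-facing ports, isolate the IoT network, scan regularly from the Internet) can be audited against a device inventory. The Python below is an added example, not from the presentation or the Bullguard scanner; the inventory fields, device roles, VLAN name and policy values are constructed assumptions, and the scan-age data would in practice come from whatever external scanner you use.

```python
"""Audit an IoT device inventory against the four protections from the slides.
Added example, not code from the presentation. Inventory records, the policy
and the audit date are all constructed for illustration."""
from datetime import date

# Hypothetical policy: which inbound ports each device role may expose to the
# Internet, which VLAN IoT devices must live on, and how stale an external
# scan may be before it counts as "not scanning regularly".
POLICY = {
    "iot_vlan": "iot",
    "allowed_inbound": {"camera": set(), "dvr": set(), "router": {443}},
    "max_scan_age_days": 30,
}

# Constructed inventory, as an asset database might export it.
INVENTORY = [
    {"name": "cam-01", "role": "camera", "vlan": "lan", "default_login_changed": False,
     "internet_facing_ports": [23, 80], "last_external_scan": "2016-08-01"},
    {"name": "rtr-01", "role": "router", "vlan": "lan", "default_login_changed": True,
     "internet_facing_ports": [443], "last_external_scan": "2016-10-01"},
    {"name": "cam-02", "role": "camera", "vlan": "iot", "default_login_changed": True,
     "internet_facing_ports": [], "last_external_scan": "2016-10-01"},
]


def audit(inventory, policy, today):
    """Return a list of (device, check, detail) findings; empty means compliant."""
    findings = []
    for dev in inventory:
        name = dev["name"]
        # 1. Change ALL default logins.
        if not dev["default_login_changed"]:
            findings.append((name, "default-login", "factory credentials still in use"))
        # 2. Close all unnecessary Internet-facing ports.
        allowed = policy["allowed_inbound"].get(dev["role"], set())
        extra = sorted(set(dev["internet_facing_ports"]) - allowed)
        if extra:
            findings.append((name, "exposed-ports",
                             f"unnecessary Internet-facing ports: {extra}"))
        # 3. Network isolation: everything but the router belongs on the IoT VLAN.
        if dev["role"] != "router" and dev["vlan"] != policy["iot_vlan"]:
            findings.append((name, "isolation",
                             f"on VLAN {dev['vlan']}, expected {policy['iot_vlan']}"))
        # 4. Regularly scan from the Internet.
        age = (today - date.fromisoformat(dev["last_external_scan"])).days
        if age > policy["max_scan_age_days"]:
            findings.append((name, "stale-scan", f"last external scan {age} days ago"))
    return findings


if __name__ == "__main__":
    for device, check, detail in audit(INVENTORY, POLICY, date(2016, 10, 10)):
        print(f"{device:8} {check:14} {detail}")
```

Run on the constructed inventory, only cam-01 produces findings, one per control; the router's 443 is permitted by policy and cam-02 already sits on the isolated VLAN with its defaults changed. The same structure extends to a home network by treating the consumer router as the only device allowed on the LAN side.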

Basic IoT Security Architecture

Ransomware

How does it happen?

Social engineering: Click the link/visit malvertising page/open attachment, etc

Infected & encrypting in the background

Warning page that shows how to pay

Limited time to pay or lose your data!
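The “infected & encrypting in the background” step can be caught on the endpoint before the warning page appears, because encryption produces a burst of rewrites whose contents look random. The following Python is an added example, not from the presentation; it works over a simplified, constructed file-write event feed (timestamp, process id, path, bytes written) and the entropy threshold and window sizes are assumptions.

```python
"""Flag a process that is encrypting files in the background, which is what
the "infected & encrypting" step looks like from the endpoint's side.
Added example, not from the presentation. The event feed is a simplified
model (timestamp, pid, path, bytes written) and every record below is
constructed; a real EDR or file-integrity agent would supply equivalent data."""
import math
import random
from collections import defaultdict

HIGH_ENTROPY = 7.0   # bits/byte; encrypted or compressed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_encryption_burst(events, window_s=10.0, min_files=20, min_ratio=0.8):
    """events: iterable of (ts_seconds, pid, path, bytes_written).
    A pid that rewrites >= min_files distinct files inside window_s seconds,
    with >= min_ratio of those writes being high-entropy, is returned as
    {pid: (distinct_files, high_entropy_ratio)}."""
    per_pid = defaultdict(list)
    for ts, pid, path, data in events:
        per_pid[pid].append((ts, path, shannon_entropy(data) >= HIGH_ENTROPY))
    suspects = {}
    for pid, writes in per_pid.items():
        writes.sort()   # chronological per process
        start = 0
        for end in range(len(writes)):
            while writes[end][0] - writes[start][0] > window_s:
                start += 1  # slide the window forward
            window = writes[start:end + 1]
            files = {path for _, path, _ in window}
            if len(files) < min_files:
                continue
            ratio = sum(1 for _, _, hi in window if hi) / len(window)
            if ratio >= min_ratio:
                suspects[pid] = (len(files), round(ratio, 2))
    return suspects


_rng = random.Random(42)   # seeded so the constructed data is reproducible


def _random_blob(n=2048):
    """Stand-in for ciphertext: uniformly random bytes."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


PLAIN = b"Quarterly report draft, section " * 32   # ordinary document content
SAMPLE_EVENTS = [
    (0.0, 101, "/home/u/report.docx", PLAIN),      # normal editing by pid 101
    (3.0, 101, "/home/u/notes.txt", PLAIN),
    (60.0, 101, "/home/u/report.docx", PLAIN),
]
# pid 202 rewrites 25 documents with ciphertext-like content in under five seconds
SAMPLE_EVENTS += [
    (100.0 + i * 0.2, 202, f"/home/u/docs/file{i:02d}.pdf", _random_blob())
    for i in range(25)
]

if __name__ == "__main__":
    for pid, (files, ratio) in detect_encryption_burst(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {files} files rewritten, {ratio:.0%} high-entropy")
```

A legitimate archiver or a photo importer also writes high-entropy data quickly, so in production the rule is paired with an allowlist of known processes and with the file-extension changes most ransomware families make; the window-plus-ratio logic stays the same.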

Ransomware

Would You Pay to Get Your Files Back?

IBM asked 600 U.S. business leaders what they would do if they faced this sort of extortion. The survey results show 70 percent of the businesses infected with ransomware had paid a ransom to regain access to their business data and systems. Half of these companies paid more than $10,000 and 20 percent paid more than $40,000.

Nearly half of the executives surveyed said their company had experienced a ransomware attack

Nearly 60 percent indicated they would pay a ransom to recover data

Twenty-five percent said they'd be willing to pay between $20,000 and $50,000, depending on the type of data lost.

Surviving Ransomware

Step 1: Backup!

Step 2: See Step 1

References

Incapsula Mirai article https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html

Brian Krebs IoT blog post https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/

Bruce Schneier IoT blog post https://www.schneier.com/blog/archives/2016/10/security_econom_1.html

Bullguard IoT Scanner http://iotscanner.bullguard.com/

Bullguard IoT Security Guide https://www.bullguard.com/marketingfiles/ext/web/IoT-Consumer_Guide.pdf

References cont.

Forensic Tools
• ProDiscover Basic
• Tough to find, free forensic investigation tool for beginners
• Inexpensive Write Blocker

Malware Related Books
• Rise of the Machines: The Dyn Attack Was Just a Practice Run (Mirai Botnet)
• Countdown to Zero Day
• Worm: The First Digital World War