KASPERSKY INTELLIGENCE SERVICES

Transcription

1 KASPERSKY INTELLIGENCE SERVICES Mikhail Nagorny Global Business Development Manager

2 SERVICES MAP URLs of MLW / Phish / Botnet Hashes of MLW files PC / Mob RAW DATA FEEDS Botnet Threat Tracking BRAND REPUTATION INTELLIGENCE REPORTS Financial Threats APT researches EXPERT SERVICES Cybersecurity Awareness Training Cybersecurity Forensics & MA Trainings MLW Analysis MSA 2

3 CYBERSECURITY EDUCATION 3

4 CYBERSECURITY EDUCATION: AN OVERVIEW Level 1 - Beginner CYBERSECURITY AWARENESS Level 2 - Intermediate GENERAL CYBERFORENSICS & MALWARE ANALYSIS Level 3 - Expert ADVANCED CYBERFORENSICS FINANCIAL THREATS ADVANCED MALWARE ANALYSIS & REVERSE ENGINEERING 4

5 LEVEL 1 AND 2: BEGINNER AND INTERMEDIATE COURSE DESCRIPTION COURSE DURATION COURSE AUDIENCE BE ABLE Level 1 cybersecurity awareness Day 1: Cyber-threats and Attacks in the Modern World Day 2: Protecting Against Cyber-threats and Attacks 2 days Staff employees and executives from a broad range of organizations Understand security fundamentals Recognize different types of attacks Classify cyber weapons and malware and understand their goals and working principles Analyze phishing mails Recognize infected or faked websites Protect PCs in the cyber world Level 2 general cyberforensics & malware analysis Day 1: Course Introduction Day 2: Cyber-threats for Businesses Real Examples Day 3: Labs Fundamentals of Malware Analysis Day 4: Labs Real Examples of Malware Analysis Day 5: Labs Cyberforensics Basics / Mobile Infection Examples 5 days Employees and executives with intermediate knowledge of IT security Work on an incident scene Collect digital evidence and deal with it properly Reconstruct an incident and use time stamps Find traces of invasion on investigation artifacts ( HDD images, memory dumps, network traces, Windows registry) Identify main functions of malicious object Conduct malware analysis Show familiarity with the tools and instruments of cyber forensics and malware analysis 5

6 LEVEL 3: CYBERFORENSICS EXPERT IN FINANCIAL THREATS COURSE DESCRIPTION COURSE DURATION COURSE AUDIENCE BE ABLE Level 3 advanced cyberforensics financial threats Day 1: Course Introduction Day 2: Types of Financial Cyber fraud Day 3: Labs Cyberforensics Methodology of Financial Threats in Depth Day 4: Labs Cyberforensics Techniques in Depth examples of real-world online banking attack will be used in labs Day 5: Labs ATM Threats / Mobile Financial Fraud Investigation. Examples of real-world ATM & mtan hijacking attacks will be used in labs 5 days Employees with advanced level knowledge of IT security who need to gain expertise in the cyberforensics of financial threats Conduct live forensic analysis Deeply understand forensic methods for all types of forensic artifacts (HDD images, memory dumps, network traces, Windows registry) Apply timeline analysis to track back both normal and malicious activities in the system Use open source tools in Linux operating system in the analysis process Use KL cyber forensic methodology on financial malware specimens (e.g, banking Trojans; ATM malware; mtan hijacking) Report incidents properly Plan remediation steps after investigation Perform cyber forensics on real examples of banking Trojan 6

7 LEVEL 3: MALWARE ANALYSIS & REVERSE ENGINEERING COURSE DESCRIPTION COURSE DURATION COURSE AUDIENCE BE ABLE Level 3 advanced malware analysis & reverse engineering Day 1: Course Introduction Day 2: Assembler Basics, Windows OS Internals Day 3: PE Format / Malware Analyst s Toolset Day 4: Compilers: Visual Studio; MFC; Visual Basic,.NET Day 5: Compilers: Delphi, GCC Day 6: Reverse Engineering Object Files, Linker, PE Resources Day 7: Reverse Engineering Network Analysis Day 8: Reverse Engineering Malware Protection Techniques Day 9: Reverse Engineering System Drivers Analysis, Rootkits and Bootkits Day 10: Reverse Engineering Vulnerabilities and Exploits / Alternative OS / Web Application Analysis 10 days Employees (mostly from governmental agencies or CERTs) with high level IT security and programming skills who need to gain expertise in malware analysis and reverse engineering Use the methodology of KL malware analysts Identify compilers through analysis of a file metadata Use dumping and debugging tools Apply advanced malware analysis methods to subjects of research (like unpacking techniques; System Driver/ Rootkit/ Bootkit analysis) Analyze malicious documents and exploits Recognize anti-reverse engineering technics Take off popular packers and protectors Use basic assembler to solve real cases Analyze challenging malware examples 7

8 CYBERSECURITY EDUCATION: CUSTOMER VALUE 1 ANY Security issue Any enterprise company faces a lot of security issues due to a lack of knowledge among its own staff (regular PC users). Issues can be linked to the leakage of confidential information or with a mass malware infection of PCs, etc. ENTERPRISE Value Improved security awareness among non-security staff leads to a minimization of confidential leaks and other security issues. That generates further savings in respect of post-incident costs. 8

9 CYBERSECURITY EDUCATION: CUSTOMER VALUE 2 BANK Security issue Customers (banks, MSSP, law enforcement) spend money to outsource digital forensics and malware analysis. LE MSSP Value Reduced outsourcing costs by training their own security personnel to a higher level 9

10 10 THREAT DATA FEEDS

11 11 THREAT DATA FEEDS: ARCHITECTURE

12 THREAT DATA FEEDS: DESCRIPTION FEED DESCRIPTION UPDATED CONTENTS Malicious URLs a set of URLs covering the most harmful links and websites. Masked and nonmasked records are available Phishing URLs a set of URLs identified by Kaspersky Lab as phishing. Masked and non-masked records are available Botnet C&C URLs a set of URLs of botnet command and control (C&C) servers and related malicious objects. Mobile C&C are included Malware Hashes (ITW) a set of file hashes covering the most dangerous in-the-wild malware encountered by Kaspersky Security Network users over the preceding two weeks. The Base contains hashes with Kaspersky verdicts for each object Every 40 minutes Every 20 minutes Every 2 hours Every hour More than 3M entries About 2M entries About 80K entries About 1M entries Malware Hashes (UDS) a set of file hashes detected by Kaspersky cloud technologies (UDS - Urgent Detection System) based on a file s metadata and statistics (without having the object itself). It allows the system to identify malware that is not detected by other methods. This can also be described as recently identified malware hashes Every 15 minutes About 1M entries HTML Script Hashes a set of hashes of malicious scripts embedded into HTML pages with verdicts according to Kaspersky Lab s classification. This base can detect scripts right after they are processed, without needing to download an entire HTML page to calculate its hash Android Malware Hashes a set of file hashes for detecting malicious objects that infect mobile Android platforms Every hour Every day About 10K entries About 50K entries 12

13 THREAT DATA FEEDS: FORMAT URL feed format domain.com domain.com/get.php?id= *.domain.1143.net.cn/* domain.com/*/abc*.exe (URL database consists of the following fields separated by spaces: - Record type. Unique numbers used to distinguish type of mask of the URL. - Record ID. The unique number of record. - Record. The URL or mask applied to malicious URLs) Malware hashes feed format Windows Malware Hashes (ITW) D65152A3C2D314FC3642B1FD9B2DA Net-Worm.Win32.Kido.ir (Every entry includes object s hash and verdict) Windows Malware Hashes (UDS) DAC9FB7C5434CB668D C (Includes just a hash) HTML Scripts Hashes (ITW) B AA447305A7D9D33C75B86 Trojan-Downloader.JS.Agent.dby (Every entry includes object s hash and verdict)

14 THREAT DATA FEEDS: DELIVERY Threat Intelligence feeds can be delivered via the command line tool on Updater SDK (works under Windows/Linux/FreeBSD/Mac) The utility can download updates for the feeds (diffs) and check the consistency of the updated feeds 14

15 THREAT DATA FEEDS: CUSTOMER VALUE 1 ISP Security issue Customer (ISP, Telco) is wondering about how to improve security protection at the network level. TELCO Value Network devices (gateways, firewalls) have improved security levels after integrating KL feeds and further filtering the network traffic. 15

16 THREAT DATA FEEDS: CUSTOMER VALUE 2 SIEM VENDOR INTEGRATOR Security issue Customer (SIEM vendor or system integrator) is looking for a link to a feed that can alert network admins when its own users attempt to enter Malware URLs. Value Improving the SIEM solution by integrating with KL feeds can help to raise sales levels for this SIEM. 16

17 THREAT DATA FEEDS: CUSTOMER VALUE 3 ANY ENTERPRISE Security issue Customer (any enterprise) would like to use KL AV, but doesn t want to replace its existing AV solution supplied by a competitor. This double protection can be reached by keeping the rival solution at EP level and integrating KL feeds to customer network gateways. Value Using two AV solutions: KL at network GW level and a competitor s product at EP level. 17

18 THREAT DATA FEEDS: CUSTOMER VALUE 4 LE MSSP Security issue Customer (e.g., law enforcement, MSSP) carries out antimalware research. They lack a regularly updated database of malware and harmful URLs. Value Collaboration with one of the world s biggest AV vendors; access to KL feed database to inform its own research. 18

19 19 BOTNET THREAT TRACKING

20 BOTNET TRACKING: ARCHITECTURE The service is designed to monitor threats against users of online banking or online payment systems 20

21 Standard Premium BOTNET TRACKING: SUBSCRIPTION TYPES Notification in or JSON format 10 brands monitored Decrypted configuration file of related bot Related malware sample (on demand) Geographical distribution of detections for related malware samples Notification in format single brand monitored Target URL (identifying the URL(s) were the bot program is targeting users) Botnet type (e.g., Zeus, SpyEye, Citadel, Kins, etc.) Attack type Attack rules, including: Web data injection; URL, screen, Video capture, etc. C&C address MD5 hashes of related malware Subscription Levels and Deliverables 21

22 BOTNET TRACKING: NOTIFICATION FORMAT Capture URL target: bottype: zeus attack.type: capture.url date: :00:02 MSK c&c: md5: top 10 countries: d5b92d3ffaad09aa18acda2c5e60882a taiwan jordan united arab emirates oman saudi arabia malaysia india turkey bahrain syrian arab republic 22

23 BOTNET TRACKING: NOTIFICATION FORMAT Capture screenshot target: bottype: kins attack.type: capture.screenshot.kins date: :37:36 MSK c&c: md5: top 10 countries: config md5: a0f2f7b6717b573e23a601b No data 12cad769471b8e9c5499aba7dc

24 BOTNET TRACKING: NOTIFICATION FORMAT Web injection target: bottype: zeus attack.type: modify.delimited date: :45:43 MSK rule.data_before: rule.requests: rule.data_inject: rule.flags: rule.data_after: rule.data_before: rule.requests: rule.data_inject: rule.flags: rule.data_after: c&c: md5: top 10 countries: name="panb"*"> GET POST </tr> <tr> <td nowrap> ; <b>clave de Firma.</b> <br> Introduzca su Clave de Firma <dir> <input type="text" name="espass" style="font-weight: normal; FONT-SIZE: 11px; WIDTH: 70px; COLOR: #db0000; BORDER-TOP-STYLE: groove; FONT-STYLE: normal; FONT-FAMILY: arial; BORDER-RIGHT-STYLE: groove; BORDER-LEFT- STYLE: groove; HEIGHT: 20px; TEXT-ALIGN: right; BORDER-BOTTOM-STYLE: groove" ID="Text2"> GP <td align="left" valign="top"> <a href="javascript: GET POST if(document.intelvia.espass.value.length<5){alert('clave de Firma no encontrado.');}else GP c235cb812b1a3cc796f618146fed3b6e saudi arabia singapore kenya config md5: 7bf7017baec17ebfaed3c84d5ea97c41 24

25 BOTNET TRACKING: INJECTED CODE EMULATION Examples of web injection code emulation Popup window A web page before and after injection Authorization check In Order to improve the security of your e- banking your personal data is being checked. Please enter the correct data otherwise your account will be blocked Card number: CVV number: 25

26 BOTNET TRACKING: CUSTOMER VALUE 1 BANK Security issue Customer (bank or online payment) lacks proactive alerts about network attacks against their online user asset. ONLINE PAYMENT Value KL s proactive notifications about botnet threats targeting their brand can prompt the introduction of additional protection for online users. 26

27 BOTNET TRACKING: CUSTOMER VALUE 2 MSSP Security issue Customer (MSSP) lacks proactive alerts about network attacks against online users of their enterprise-customers. Value Using KL s proactive notifications enhances the quality of the customer s own security services and helps to boost sales. 27

28 BOTNET TRACKING: CUSTOMER VALUE 3 LE Security issue Customer (law enforcement) lacks proactive alerts about network attacks against online users in the target region. Value Raised levels of awareness about botnets targeting online users in the target region. 28

29 29 INTELLIGENCE REPORTS

30 YET ANOTHER WAY TO DELIVER INTELLIGENCE APT research report subscription. Description of the malicious tools and statistics along with indicators of compromise Financial (banking) threat report subscription. Description of the most sophisticated and dangerous threats along with customer s vulnerability audit 30

31 Fin Fraud APT INTELLIGENCE REPORTS: SUBSCRIPTION TYPES 1-year subscription to APT RESEARCH reports (quarterly) Executive summary Deep analysis of malicious tools and statistics Deep analysis of the C&C The indicators of compromise 1-year subscription to FINANCIAL THREAT reports (quarterly) Executive summary Description of the most recent and dangerous threats Cyber threat statistics Audit of recent vulnerabilities in customer-defined SW Subscription Levels and Deliverables 31

32 INTELLIGENCE REPORTS: CUSTOMER VALUE 1 BANK Security issue Customer (bank) lacks up-to-date information about security trends and needs detailed analysis of most sophisticated banking malware threats. Value Reduced expenses thanks to following security trend analyses and recommendations. 32

33 INTELLIGENCE REPORTS: CUSTOMER VALUE 2 MSSP Security issue Customer (MSSP) lacks up-to-date information about security trends and detailed analysis of the most sophisticated threats in the requested segment. Value Using KL information in its own reports to corporate customers enhances the quality of the customer s security services. 33

34 INTELLIGENCE REPORTS: CUSTOMER VALUE 3 LE Security issue Customer (law enforcement) lacks up-to-date information about security trends and detailed analysis of the most sophisticated threats in the requested segment. Value Raise levels of awareness in the requested segment, offering further help for law enforcement to react promptly to incidents. 34

35 35 MALWARE ANALYSIS

36 36 MALWARE ANALYSIS: SUBSCRIPTION TYPES Fully understand the behavior and objectives of specific malware files that target your organization The service gives you the opportunity to put a specific suspicious file directly under the microscope of KL s threat intelligence expertise. Your Technical Account Manager (TAM) will work on your behalf with Malware Researchers and Analysts from Kaspersky Lab s Global Emergency Response Team - up to 40 hours of malware research engineering expertise will be devoted to dissecting and analyzing the components of your suspicious sample. The scope of the report The service SLA Sample properties: a short description of the sample and a verdict on its malware classification. Detailed malware description: the report will go on to provide a detailed analysis of your malware sample s functions, threat behavior and objectives, arming you with the information required to neutralize its activities. Remediation scenario: the report will suggest steps to fully secure your organization against this and similar threats. 1-year subscription 8x5 phone support by TAM Delivery of analysis report within 5 working days Subscription options 10 research analysis reports 20 research analysis reports

37 MALWARE ANALYSIS: CUSTOMER VALUE ANY ENTERPRISE Security issue Customer (any enterprise) can face problems due to disruption of work processes, leakage of confidential data or other malwarerelated issues. Value Professional help with analyzing malware can minimize customer expenses in response to any incidents. 37

38 38 SUCCESS STORIES

39 SUCCESS STORY TELEFONICA Ongoing subscription to intelligence services Country Spain Customer Telefonica Scope of Intelligence services 1-year subscription to: Feeds, Botnet Tracking, Reports

40 SUCCESS STORY COLP Paid education services Country UK Customer The City of London Police (COLP) Training type Level 2 General Cyberforensics & MA

41 AVAILABLE MARKETING MATERIALS Available at Additional materials Can be requested from Raw Data Feeds URLs of MLW / Phish / Botnet Hashes of MLW files PC / Mob Brand reputation Botnet Threat Tracking Intelligence reports Financial Threats APT researches Expert services Cybersecurity Awareness Training Cybersecurity Forensics & MA Trainings MLW Analysis & Incident Investigation MSA 41

42 CONTACTS Mikhail Nagorny Global Business Development Manager 42