One Minute in Cyber Security

Transcription

1 Next Presentation begins at 15:30 One Minute in Cyber Security Simon Bryden

2 Overview Overview of threat landscape Current trends Challenges facing security vendors Focus on malware analysis

3 The year?

4 The Creeper Experimental self-replicating program Written in 1971 by Bob Thomas of BBN Infected DEC PDP-10 computers Just one year after unix epoch began Reaper worm created in 1972 to delete it

5 Crimeware and Crime Services Bank Accounts Credentials & Data Quality Assurance Crypters / Packers Scanners Hosting Infections / Drop Zones Management Botnet Rentals Installs / Spam / SEO / DDoS Money Mules Accounts Receivable Consulting CRIME SERVICES ENABLERS Digital Real Estate Victims Criminal Organizations COMPOUNDED CYBERCRIME Affiliates Exploits Sales, Licensing, Maintenance Special Platforms Source Code Partnerships Copy & paste Junior Developers Affiliate Programs FakeAV Ransomware Botnets Packers Mobile Senior Developers CRIMEWARE PRODUCERS

6 Threat Landscape

7 Point of Sale 2013 was the year of the megabreach Target and Home Depot made the headlines Between them details of 90 million credit cards stolen POS attacks still very prevalent small targets, large scale PCI 3.0 released in 2013 to reinforce protection

8 Server-side Attacks HeartBleed 500,000 Web Servers Affected ShellShock Time to Protect Critical Surge in attacks while fresh Millions of Internet Connected Devices Affected Devices

9 Industrial Malware Havex the sequel to Stuxnet RAT (remote administration tool) Harvests information on hardware control systems (SCADA) OPC OLE for Process Control Communication between Windows and control hardware OPC servers control machines via PLC

10 Trends More attacks More victims More organisation Higher returns

11 Problem: Growing Attack Surface

12 Problem: Growing Attack Vectors An Extensive, Poisoned, Dark, Deep Web

13 Problem: Growing Threat Volume

14 Problem: Growing Malware Sophistication As malware defences improve, malware sophistication increases to match Constant arms race

15 The FortiGuard Minute 5,800 Application control rules 170 Terabytes of threat samples 17,500 Intrusion prevention rules Spam s intercepted 250 Million rated websites in 78 categories 173 Zero-Days discovered Attempts to access malicious websites blocked Network intrusion attempts resisted Website categorization requests Botnet command and control attempts thwarted Malware programs neutralized 8,000 Hours of research in labs around the globe 47 Million New and updated antispam rules 1.3 Million New URL ratings 100 Intrusion prevention rules 2 Million New and updated antivirus definitions

16 FortiGuard Minute Trends Threat Samples (TBytes) IPS detections (x1000/min) 0 May 2013 May 2014 Oct 2014 Jan 2015 Apr 2015 AV updates (x10,000/week)

17 Focus on Malware Analysis

18 Raw Threat Data Sources Collaboration Partners Community Feeds

19 Information vs Intelligence Information raw data Not easily usable Intelligence processed data Actionable can be used to enable protection

20 Malware Signatures Easy way: file hashes Create a hash for each malicious file Fast for small numbers of files Does not scale! Only works for known files!

21 Problem: Polymorphism Hash-based systems are very easy to bypass One byte change completely changes the hash Increases malware volume Increases search time Increases database volume 127ad b2af57e2d2c72136dcd4 b4a7b23b5cb6909f7b38f24768d0e9f2 04a7affb cc23deb9b014f2fd b9361aa0509e9989c780d14f5 55bda387b94e a722da44bce1b 3d18ea8bb288e54e4ea3c129b40bf24b a8ded02ad3fb3de82d564216c f0f4a699f4eeab5ab944142abda39eff 9f48679d9c8fd3b1136fdec8e4e02d15 75b138a918f8a1301b c05c7d d91b31d86b7e280718e26a13a27277a3 d769176ca8a81c252c5a6e08bf8b7fd ed08aaea7d353a85ff43ab2d3c cfac6385a0cdd5f09b2e38c833c93c9d 5ae8c55fbc7b8f5bafa1af cba 1af8e09e41fc850e15ffc4ea0be68c21 ce1ff097a3f0afec3bd5c5f0fb57cfda 80f27e4d562dc4f55e38f e83c bf6ba9baa2e0dcb8d175a4ff594dccd9 2d3003eac7e1b2bf70587f4a7531f927 32e982f6f82812e53f38a916c1721b30

22 Content Pattern Recognition Language Patented Fortinet technology Week Ending New Samples Received Already detected by CPRL CPRL effectivenes s 12/10/ % 12/3/ % 11/26/ % 11/19/ % 50% of New Malware caught by CPRL

23 Malware Analysis Manual Analysis Static analysis Behavioural analysis Very high quality output Doesn t scale well:

24 Sandbox Automated analysis Performs automated behavioural analysis Runs malware in virtual environment and records: File system activity Registry accesses API calls Network activity Sandbox appliance can be combined with traditional AV and community intelligence sharing to enhance response time. Call Back Detection Full Virtual Sandbox Code Emulation Cloud File Query AV Prefilter

25 Big Data Analytics Increasing numbers mean that new methods must be used Correlation is key to identifying threats Having broad visibility is key to correlation Typically, an attack involves multiple steps Each device can act as a sensor Data fed back to FortiGuard This data can then be mined to enhance quality of threat intelligence Anti-spam Web Filtering Intrusion Prevention Antivirus App Control/ IP Reputation Malicious Malicious Web Site Command & Control Center

26 Example: Exploit Kit Analysis Visit Drive-by sites Malicious URLs Exploit-kit Detection Web Filtering Redirection to landing site Sandbox Analysis Create/refine signatures Malicious samples Update Intrusion Prevention Antivirus IP Reputation IP

27 Empowering the User End-user sandbox provides instant feedback Results can optionally be fed to FortiGuard Alternatively, samples can be sent directly to cloud sandbox Fortigate & everything that can enforce a security policy Hand off High Risk Items Sandbox & Everything that is behavior based Samples can also be submitted directly to an analyst Update prevention rules Provide Ratings & Results FortiGuard teams and automation

28 Summary Attack volume and sophistication is ever-increasing Information volume!= Actionable intelligence Correlation key to breaking through the fog

29 Thank You!