Operation Aurora and beyond. your organisation. Raimund Genes CTO. Copyright 2010 Trend Micro Inc.

Transcription

1

2 Operation Aurora and beyond How to avoid that this happens to your organisation Raimund Genes CTO

3 What was Operation Aurora? Industrial Espionage, Nothing new!

4 What was new is that Google disclosed it January 12 th. Jan/13

5 Jan/15 Attack named as Aurora

6 JS Source code of Aurora

7 Definition of the threat APT: Advanced Persistent Threats non-apt hackers - financial data, sensitive customer data APT attackers - espionage

8 Why is it called Aurora? Named by path in VNC type backdoor

9 Attack Playback Step1:Malicious Link Step4:Shell code Step5:Download Step3:IE exploit Step2:Heap Spray Step7:Steal Information Step6:Malicious File

10 What Vulnerabilities have been used Operation Aurora ( Microsoft Security Advisory ) - Vulnerability in Internet Explorer Could Allow Remote Code Execution CVE HTML Object Memory Corruption Vulnerability

11 Aurora JS Code Heap Spraying Prepare for object overwrite Build Img object Free img Overwrite object Call toshell code

12 Aurora exploit Malicious File Drop dlls Write registry entry Inject dropped dlls to some process Collect personal info and send out Create thread for remote access APT attacker

13 How to craft an attack? Get public information! The web knows you! 13 Copyright Trend Micro Inc.

14 How to craft an attack? Get public information! The web knows you! 14 Copyright Trend Micro Inc.

15 How to craft an attack? Get public information! The web knows you! 15 Copyright Trend Micro Inc.

16 How to craft an attack? Get public information! The web knows you! 16 Copyright Trend Micro Inc.

17 And then an with a spoofed sender 17

18 And if Darren clicks on the attachment... 18

19 Threat Predictions No global Outbreaks, but localized and targeted attacks 2. It s all about money, so Cybercrime will not go away 3. Windows 7 will have an impact since it is less secure than Vista in the default configuration 4. Risk Mitigation is not as viable an option anymore even with alternative browsers/alternative operating systems (Oss) 5. Malware is changing it s shape every few hours 6. Drive-By Infections are the norm One web visit is enough to get infected 7. New attack vectors will arise for virtualized/cloud environments 8. Bots can t be stopped anymore, and will be around forever 9. Company/Social networks will continue to be shaken by data breaches 10. Digital Terrorism Attacks on Scada networks?

20 Increase in Malware

21 No Script kiddies and amateurs anymore, professional malware writers who know how to play with the AV- Industry

22 A new malware component is released every 1.5 seconds!

23 URL s instead of Attachments! Waledac Malware

24 Infiltrated Websites!

25 Social Networks as an Attack Vector (11/08/2009)

26 Is it Spam, is it an Attack Vector, is it Social Engineering?

27 Today s Infection Chain Malware Writer Fool the AV Get Updates from Command & Control Wait for Instructions Host Management Infection Vector Activities Criminals Port Scan Vulnerabilities Spam Web Drive By Downloader Spyware/Trojan Downloader Host Infection Recruitment Adware/Clickware Dedicated Denial of Service Spam & Phishing Dt Data Leakage Bot Herder Command & Controller Botnet HTTP IRC DNS

28 How to avoid that this happens to your organisation

29 Pattern Matching is baseline... and the bad guys know this... So should we move to IPS and HIPS?

30 Because traditional Endpoint Security Can t Keep Up anymore Signature file updates take too long Delay yprotection across all clients and servers Leave a critical security gap Require multiple updates a day to keep up with threats, complicating signature management 26,598 16,438 Signature files are becoming too big Increase endpoint memory footprint 10,160 Increase impact on endpoint performance Increase bandwidth utilization Unpredictable increase of client size ,484 6,279 3,881 2, Unique threat samples PER HOUR

31 We need a layered approach, and we need a holistic view for IT Security! And Pattern matching is still needed to proper identify malware and to clean up the damage

32 The Electric Grid - Today Power Station Local connection National Transport System User Advantages 1.No need for large investment 2.On Demand Instant Access 3.Pay as you go

33 A Distributed Electric Grid Trend Micro today Diiferent Power Stations Local connection Solar Panel International Transport System

34 Could we patch fast enough? Or do we need vulnerability shielding accepting that Patch Management is tough!

35 No matter what we do, Smart Protection Network is the key component! Smart Protection Network Community Intelligence (Feedback loop) Monitor File Reputation File Web / URL Domain IP Validation Behavior File Web Domain IP Correlation Incident Trigger Solution Info. Web Reputation Reputation Threat Analytics Service Professional Services Smar rt Protection Network Custome r In-the-Cloud platform Community Intelligence (Feedback loop)

36 We at Trend Micro are not worried about Cybercriminals and their ways to make money! Cause we have prepared ourselves for this! 2005: Reputation ti Services 2006: Web Reputations Services 2008: File Reputation Services

37 So why are we so different Why do we protect well against real life malware? ERS load = 295 GB per day WRS load = 1305 GB per day FRS load = 334 GB per day

38

39 Smart Protection Network Key benefits Threats are blocked before they can infiltrate the network or computer Protects you wherever you connect, at work, at home or on the road Immediate Protection Blocks threats at their source the Internet Trend Micro Smart Protection Network Reduces the need for local signatures Trend Micro manages updates We own all the technology Patent-pending correlation technology analyzes all threat vectors , web, file Available in all solutions Consumer, SMB, Enterprise, Partner, SaaS Powers our SaaS, Gateway, Messaging, Endpoint, Mobile & Partner solutions Local Scan Server improves time to protect Reduces complexity

40 Threat Management Solution Assessment 100% of companies had malware 56% of companies had at least 1 information stealing malware 72% of companies had at least 1 IRC bot 80% of companies had malicious Web downloads 30% of companies had at least 1 network worm Technology used to detect Threats 99% using Smart Protection Network 1% using traditional scanning engines Copyright 2009 Trend Micro Inc.