CryptoLocker la punta dell iceberg, impariamo a difenderci dagli attacchi mirati. Patrick Gada 18 March 2015 Senior Sales Engineer

Transcription

1 CryptoLocker la punta dell iceberg, impariamo a difenderci dagli attacchi mirati Patrick Gada 18 March 2015 Senior Sales Engineer

2 CryptoLocker Rossi Mario,

3 CryptoLocker

4 CryptoLocker Attacco del 27 gennaio 2015 con allegato.cab

5 CryptoLocker

6 CryptoLocker

7 CryptoLocker

8 Crime Syndicate $1 Exploit Kit $1 Droppers Worm Bot Reseller $1 $1 $4 Carder $4 Money Mule $2 Card Creator Keywords (Botherder) $2 $10 Garant Victim $3 $6 Blackhat SEO Attacker $10 Traffic Direction System $5 Attacker $10 SQL Injection Kit Compromised Sites (Hacker) $5 Virtest $5 Cryptor $10 Programmer $10 Bullet Proof Hoster

9 Today s Enterprise Challenges DMZ IaaS Internet Firewall Anti-malware IDS / IPS Mission Critical Servers Virtualization and Cloud Mobile devices Social Media Endpoints SaaS

10 Today s Targeted Attacks DMZ IaaS Internet Firewall Anti-malware IDS / IPS Mission Critical Servers are Customized to Attack Your Defenses Endpoints SaaS

11 Security by signature is not enough Targeted attacks are different: Target specific people with convincing social engineering and appear to come from a trusted source Target specific people or groups using Watering Hole attacks Use advanced malware: Hidden in Office, PDF documents Zero day vulnerabilities QA tested against security vendors

12 Advanced Methods Can Evade Traditional Defenses Spear-phishing s Watering Hole Attacks Unknown malware & exploits Dynamic C&C servers Stealthy lateral movement and attacker activities BYOD and remote employees Next-gen Firewall Intrusion Detection (IDS) Intrusion Prevention (IPS) Traditional AV /Web Gateways Known threats Traditional Security is Not Enough

13 A Typical Targeted Attack 1. Intelligence Gathering 2. Point of Entry 3. Command & Control (C&C) Communication 4. Lateral Movement 5. Asset/Data Discovery 6. Data Exfiltration

14 Spear Phishing Attack 91% of targeted attacks involve spear phishing s. Trend Labs Nov

15 Watering Hole Attacks: an effective alternative to Spear-Phishing APT attacks 1. Attacker gathers strategic intelligence to determine which sites and victims to target 2. Attacker compromises the site most likely to be visited by the target victims by injecting exploit and unknown malware 3. Target victim visits the trusted site, drive-by downloads the malware, and become compromised 4. Malware connects with C&C server; downloads more malware 5. Attacker establishes backdoor; laterally accesses other accounts/systems 6. Attacker collects and exfiltrates data to external server

16 Deep Discovery Products Network-wide attack detection Inspector Detect and analyze targeted attacks anywhere on your network Analyzer Integrated sandboxing Improve the threat protection of your existing security investments attack protection Inspector Endpoint Sensor Endpoint Investigation Stop the targeted attacks that can lead to a data breach Investigate & respond to attacks with network detection + endpoint intelligence

17 Enhanced Spam Filtering with Newly-born Host Inspection By using a combination of very fast real-time domain lookups with big data correlation techniques, we are able to identify newly-born malicious domains and block messages that contain links to them

18 Enhanced Spam Filtering with Newly-born Host Inspection

19 Using Control Manager for Central Alerting and Management Alert setting for DDI

20 Analyzes Your Attack by Correlating with Threat Intelligence Databases Threat profile: What are characteristics, origins and variants of this malware? Related IPs/Domains: What are the known C&C comms for this attack? Attack Group/Campaign: Who and what is behind this threat? Is it targeted? Containment and remediation: What should I look for to remediate?

21 Detection Technology Used The report show the value of the virtual analyzer to discover unknown threats compare to pattern matching. The unknown threats would have missed with conventional signatures.

22 Deep Discovery Inspector Network-Wide Attack Detection Single appliance Detection across all network traffic Malware, C&C, attacker activity across 80+ protocols and all ports Custom sandboxing analysis provides more accurate detection Global threat intelligence drives rapid assessment and response Handles BYOD and other complex environments Detection beyond Windows: mobile, Mac, Android, legacy systems and specialty devices

23 Deep Discovery Analyzer Integrated Sandboxing Analysis File execution in a safe, virtual machine precisely matching your desktop environments Detailed analysis & reporting Open Web Services API Custom Defense IOC intelligence sharing Specific detection rules for Office, PDF and Flash docs

24 Advanced Protection with Deep Discovery Analyzer Integration InterScan Messaging Security or ScanMail for Exchange/Domino Anti-spam Anti-phishing Enhanced Web Reputation Anti-malware Advanced Threat Detection Threat Analyzer Threat Intelligence Center Deep Discovery Analyzer Blocking of targeted spear phishing s and document exploits via custom sandboxing Central analysis of detections Security Update Server quarantine Automated updates of malicious IP/Domains Signature file updates

25 Deep Discovery Inspector GW Deep Discovery X Attachments: Analyzed with detection engines & sandboxing Passwords: Intelligently derived using heuristics & lists URLs: Reputation, scanning & sandboxing for malware & exploits Custom Sandboxing: Configured to precisely match your systems Server

26 Deep Discovery Endpoint Sensor

27 Deep Discovery Endpoint Sensor Endpoint & Server Attack Detection A context-aware endpoint security monitor designed to speed the discovery, investigation and response to security incidents: Records detailed system activities Performs multi-level search across endpoints Uses rich search criteria including: OpenIOC, Yara, Deep Discovery results Compatible with any AV security solution

28 Investigation Capabilities Multi-level search based on: Communications IP, Port, Domain, DNS Malware or any file Sha1 hash Registry activity Running processes User account activity Input: Individual parameters, YARA and OpenIOC files Available standalone & in Control Manager console 28

29 RetroScan Crafted Document 3/18/2015 Dropper Backdoor C&C 29

30 View additional security threat activities detected by other Trend Micro products 3/18/2015 Confidential Copyright 2012 TrendMicro Inc. 30

31 Difendersi dagli attacchi mirati e da CryptoLocker La sensibilizzazione degli utenti è essenziale per una difesa proattiva Utilizzo dei servizi di Reputation per fornire una protezione in tempo reale (attivare la Smart Protection Network)

32 Difendersi dagli attacchi mirati e da CryptoLocker Attivare su OfficeScan (suite per la protezione delle postazioni di lavoro) la funzionalità Meerkat per la protezione dagli attacchi 0 day. Solution ID: meerkat in officescan (osce) 11.0

33 Difendersi dagli attacchi mirati e da CryptoLocker Attivare su OfficeScan la funzionalità per la protezione dai Ramsomware: la protezione dei documenti da modifiche e cifrature non autorizzate; il blocco dei processi comunemente associati ai Ramsomware

34 Thank You 34

35 CryptoLocker report done by DDAn

36 CryptoLocker report done by DDAn

37 CryptoLocker report done by DDAn

38 CryptoLocker report done by DDAn

39 CryptoLocker report done by DDAn

40 CryptoLocker report done by DDAn

41 CryptoLocker report done by DDAn

42 CryptoLocker report done by DDAn

43 CryptoLocker report done by DDAn

44 Thank You 44