Microsoft Security Response Center (MSRC) Microsoft Malware Protection Center (MMPC)

Similar documents
Microsoft s cybersecurity commitment

isheriff CLOUD SECURITY

TECHNICAL REPORT. An Analysis of Domain Silver, Inc..pl Domains

Operation Liberpy : Keyloggers and information theft in Latin America

Security A to Z the most important terms

Phone Fax

Security Business Review

Microsoft Security Intelligence Report

The FBI Cyber Program. Bauer Advising Symposium //UNCLASSIFIED

Spyware. Michael Glenn Technology Management 2004 Qwest Communications International Inc.

24/7 Visibility into Advanced Malware on Networks and Endpoints

BOTNETS. Douwe Leguit, Manager Knowledge Center GOVCERT.NL

Security Intelligence Services.

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015

Cyber Threats Insights from history and current operations. Prepared by Cognitio May 5, 2015

Security Consultant Scenario INFO Term Project. Brad S. Brady. Drexel University

Current counter-measures and responses by CERTs

Evaluating Microsoft s protection performance and capabilities

Surviving and operating services despite highly skilled and well-funded organised crime groups. Romain Wartel, CERN CHEP 2015, Okinawa

MITB Grabbing Login Credentials

Trend Micro Cloud App Security for Office 365. October 27, 2015 Trevor Richmond

Threat Spotlight: Angler Lurking in the Domain Shadows

Phishing Activity Trends Report. 1 st Half Committed to Wiping Out Internet Scams and Fraud

Zscaler Cloud Web Gateway Test

Advanced Persistent Threats

Before the DEPARTMENT OF COMMERCE Internet Policy Task Force

Advanced Persistent Threats

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

Defending Against Data Beaches: Internal Controls for Cybersecurity

Current Threat Scenario and Recent Attack Trends

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

FIRST WORKING DRAFT FOR PUBLIC COMMENT. StopBadware s Best Practices for Web Hosting Providers: Responding to Malware Reports.

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

Security workshop Protection against botnets. Belnet Aris Adamantiadis Brussels 18 th April 2013

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies

Botnets: The Advanced Malware Threat in Kenya's Cyberspace

Staying Secure After Microsoft Windows Server 2003 Reaches End of Life. Trevor Richmond, Sales Engineer Trend Micro

How Attackers are Targeting Your Mobile Devices. Wade Williamson

Breaking the Cyber Attack Lifecycle

The Hillstone and Trend Micro Joint Solution

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist,

End to End Security do Endpoint ao Datacenter

RSA Security Analytics

WHITE PAPER Cloud-Based, Automated Breach Detection. The Seculert Platform

Using big data analytics to identify malicious content: a case study on spam s

ENEE 757 CMSC 818V. Prof. Tudor Dumitraș Assistant Professor, ECE University of Maryland, College Park

Innovations in Network Security

Microsoft Security Intelligence Report volume 7 (January through June 2009)

Cisco Security Intelligence Operations

INCREASINGLY, ORGANIZATIONS ARE ASKING WHAT CAN T GO TO THE CLOUD, RATHER THAN WHAT CAN. Albin Penič Technical Team Leader Eastern Europe

What Does DNSChanger Do to My Computer? Am I Infected?

Indian Computer Emergency Response Team (CERT-In) Annual Report (2010)

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model

ICS-CERT Incident Response Summary Report

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

[state of the internet] / SEO Attacks. Threat Advisory: Continuous Uptick in SEO Attacks

CITADEL TROJAN OUTGROWING ITS ZEUS ORIGINS

QUARTERLY REPORT 2015 INFOBLOX DNS THREAT INDEX POWERED BY

Fast Flux Hosting and DNS ICANN SSAC

A Critical Investigation of Botnet

AVeS Cloud Security powered by SYMANTEC TM

Anatomy of a Breach: A case study in how to protect your organization. Presented By Greg Sparrow

Information Security for the Rest of Us

Malware Trend Report, Q April May June

Symantec Endpoint Protection Analyzer Report

FBI: Taking down Botnets - Testimony

Cybersecurity Policies and Best Practices: Protecting small firms, large firms, and professional services from malware and other cyber-threats

The Impact of Cybercrime on Business

Unified Security Management and Open Threat Exchange

Korea s experience of massive DDoS attacks from Botnet

KASPERSKY SECURITY INTELLIGENCE SERVICES 2015

After the Attack: RSA's Security Operations Transformed

When Reputation is Not Enough: Barracuda Spam & Virus Firewall Predictive Sender Profiling

Finding Security in the Cloud

Advancements in Botnet Attacks and Malware Distribution

What keep the CIO up at Night Managing Security Nightmares

BotNets- Cyber Torrirism

5 Steps to Advanced Threat Protection

Countermeasures against Bots

Windows Server 2003 End of Support. What does it mean? What are my options?

UNCLASSIFIED. General Enquiries. Incidents Incidents

IBM Security Strategy

About Botnet, and the influence that Botnet gives to broadband ISP

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

The Fundamental Failures of End-Point Security. Stefan Frei Research Analyst Director

Enterprise-Grade Security from the Cloud

You ll learn about our roadmap across the Symantec and gateway security offerings.

Factoring Malware and Organized Crime in to Web Application Security

Seminar Computer Security

Cybersecurity Kill Chain. William F. Crowe, CISA, CISM, CRISC, CRMA September 2015 ISACA Jacksonville Chapter Meeting August 13, 2015

CSIS/DOJ Active Cyber Defense Experts Roundtable March 10, 2015

Cyber Incident Response

Security Toolsets for ISP Defense

UNCLASSIFIED. Briefing to Critical Infrastructure Sector Organizations on the Canadian Cyber Incident Response Centre (CCIRC)

Malware B-Z: Inside the Threat From Blackhole to ZeroAccess

Security from the Cloud

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

U. S. Attorney Office Northern District of Texas March 2013

Hong Kong Information Security Outlook 2015 香 港 資 訊 保 安 展 望

Codes of Connection for Devices Connected to Newcastle University ICT Network

Transcription:

Security@Microsoft Trustworthy Computing (TwC) Programs supporting security outreach and engagement Microsoft Active Protections Program (MAPP), Government Security Program (GSP) (was SCP) Microsoft Security Response Center (MSRC) Vulnerabilities in Microsoft software and services (secure@microsoft.com) Digital Crimes Unit (DCU) Botnet takedowns Engage law enforcement Microsoft Malware Protection Center (MMPC) Malicious Software Removal Tool (MSRT monthly scan & remove) RTP - Security Essentials, System Center Endpoint, Windows Defender, Threat Intel 2

MMPC by the numbers Research labs in Redmond, Vancouver, Munich, Melbourne Engineering labs in Redmond and Israel PROTECTION POINTS Windows 8+ Defender 110M System Center EP 11M Microsoft Security Essentials 109M DAILY 700K samples 400M telemetry 12 sig releases 12x/yr engine 3x/yr Client updates Malicious Software Removal Tool 1.2B RESULTS Outlook.com O365 Skype Azure 6.5% encounters 3% infected (1 Malware;2 UwS) 100M unique files 80% running AV

What is CME? A collaboration program sponsored by the Microsoft Malware Protection Center; created in early 2014 Facilitates campaigns targeting specific, pervasive malware families Members of CME use the framework & Microsoft s tools/data/research/capabilities to lead or take part in campaigns against malware families 4

IMAGINE IF WE COORDINATED Digital Crimes Unit Law enforcement seize, prosecute Ad networks Banks, finance, commerce starve Antimalware and security ecosystem identify, block, sinkhole OEMs Vendors shun CERTs, ISPs set policies, takedown Large-scale public services Cloud platform providers identify, block

The CME Framework Process Members of CME use the framework to take part in or lead campaigns against malware families New members are vetted and sign NDA & VIA agreement Decide and organize campaigns Leverage and contribute to campaign documentation and best practices, collaboration tools, and exchange telemetry and forensic data to vet and run campaigns. Use the rolodex and the MS CME support team for additional help as needed Check in with CME support team for guidance Provide reports on campaign health. Coaches CME members to launch campaigns Helps campaigns leverage tools Drives program updates/new tools Reports campaign status to Microsoft leadership 6

Joining VIA (and CME) The Virus Information Alliance (VIA) is an antimalware collaboration program for security software providers, security service providers, antimalware testing organizations, and other organizations involved in fighting cybercrime. Members of the VIA program collaborate by exchanging technical information on malicious software with Microsoft, with the goal of improving protection for Microsoft customers. http://aka.ms/mmpcpartner Eligibility requirements posted on website Membership application form available online at http://aka.ms/viaapply

Completed Campaigns Ramnit SMN Hesperbot Lecpetex Simda

Simda Detected since 2009 Primarily distributed by exploit kits (Blackhole, Styx, Magnitude, Fiesta) Behaviors: Internet traffic manipulation HOSTS File Distribute Other Malware Miuref / Claretore / Haglacod Anti-emulation Older behaviors: Password stealer Banking trojan Backdoor Estimated Reach: 770K last six months

Simda campaign overview Targeting info PR Communications Run Sinkhole INTERPOL (FBI, NCA, Dutch High Tech Crimes Unit) Attribution Coordinate C&C IP addresses, physical server seizures Law Enforcement communications and logistics Execute and Analyze Simda Samples Long Term Analysis AV Cleaning Solution Execute and Analyze Simda Samples Long Term Analysis AV Cleaning Solution Execute and Analyze Simda Samples Long Term Analysis

Simda.AT Takedown: IP s Status Netherlands Check In C2 s: 8 Module C2 s: 3 Total IP s Taken Down: 16 Total ISP s: 9 MMPC Blog Luxembourg Check In C2 s: 1 Total Countries: 5 New Samples: 1 Truncated Copy of an Old Sample Russia Check In C2 s: 1 Poland Module C2 s: 1 United States Check In C2 s: 1 Module C2 s: 1

Simda.AT post-takedown Cloud Telemetry We believe the bot is dismantled No new Simda.AT files have been observed. Infected computers still need cleaning for the host file. Families Encounters Actives Errors simda 78,359 57.0% 47.1%

Ramnit Detected since 2011 Distribution Methods: Viral spread in HTML and PE Infected USB Email attachments / SPAM / URL Social networks Exploits Modules / behaviors: Banking credential stealer FTP application credential stealer Hook and spy / web inject Cookie stealer Anti-AV / tampering VNC backdoor Drive Scan Estimated reach: 3.2 million

Ramnit campaign overview Seize 7, register 289 domains Coordinate existing sinkholes Operate DNS, sinkhole traffic, reporting EC3-European Computer Crime Center Physical server criminal seizure Lead attribution work, assist Europol on forensic analysis Coordinate PR communications Symantec Technical review, telemetry. Industry outreach Technical legal declaration. Coordinate PR communications FS-ISAC Co-plaintiff Coordinate communications with financial sector. Coordinate PR communications

Ramnit Takedown: C&C Status 217.23.11.117 95.141.36.218 ANXSMQYFY.com Current C2 Server=bot registration, configuration, and modules. 95.141.36.218 93.190.138.126 Knpqxlxcwtlvgrdyhd.com Backup C2 server Santabellasedra.com EXPIRED 14 Feb 2015 Infected Host 148.251.35.151 5.9.224.198 Web inject server Campbrusderapp.com Online 15 Feb 2015 Web inject server Blue=Current IP Red=Old IP

Ramnit post-takedown We believe the bot is dismantled No new Ramnit flies have been observed. Infected computers still need cleaning. Families Encounters Actives Errors ramnit 568,280 18.5% 1.5%

Campaign process Initiation Formation Plan Execution Review CME member(s) initiate campaign Actions Pick malware Initial malware investigation Members respond Actions Form the group Select campaign leader Feasibility Study & Plan Actions Strategy defined: tactics, and metrics defined Team rounded out to fill gaps Campaign Begins Actions Regular checkins Build, measure, learn Adjustments as necessary Campaign Ends Actions PR (if desired) Post-mortem, lessons learned Success measurements

Initiation Let s eradicate this malware!

Formation Call for Participation Creates visibility Great source of information Selectively build a group Expedites the decision making process Add group members as needed Law enforcement as a partner

Communication Document sharing Sample sharing Conference software Secure email communication

Building the plan: Identifying malware s attack points Reconnaissance Malware development Distribute and vector Command and control Monetization model What sources does the malware use to reach victims? Who are the actors? How is malware tested and packed? How do they infect their victims? What else is in the infection chain? Does it remotely control the boxes? Are there C&C servers? P2P? How does it monetize? How diverse is the infection chain?

Defining goals Set an end goal Disrupt & remediate Put attackers behind bars Build intel to stay ahead of the curve Build a timeline Campaigns can go on forever May deal with a moving target Iterate

Campaign state In progress Stalled Failed

Build the plan Ethical considerations Stakeholders How do you do X?

Building the plan: Develop a joint PR plan Does your org want to be publicly tied to this effort/operation? When will this happen? Do you plan on pushing out any form of outward communications around this operation? Do you have a dedicated person or team to handle PR/Outward coms? Who are they? Do you plan on attributing these threats to any organization or part of the world? Do you plan on doing any media interviews, or responding to media inquiries about this op?

Abuse notification Build templates and process around abuse notification Incorporate explicitly what should/shouldn t happen

Measure success Success Impact to the family Impact to the ecosystem Impact to my ecosystem 30

Post mortem Assess each phase Planning PR Etc. Focus on the good and bad Involve all campaign members Communicate learnings to VIA membership

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information