Current Threats and Open Document Formats

Similar documents
RIA SECURITY TECHNOLOGY

Practical Steps To Securing Process Control Networks

Integrating MSS, SEP and NGFW to catch targeted APTs

Symantec Protection Suite Add-On for Hosted and Web Security

Can Consumer AV Products Protect Against Critical Microsoft Vulnerabilities?

Hidden Data and Metadata in Adobe PDF Files: Publication Risks and Countermeasures


Anti-exploit tools: The next wave of enterprise security

Uncover security risks on your enterprise network

Evolving Threat Landscape

By John Pirc. THREAT DETECTION HAS moved beyond signature-based firewalls EDITOR S DESK SECURITY 7 AWARD WINNERS ENHANCED THREAT DETECTION

Defending Against Cyber Attacks with SessionLevel Network Security

The Next Generation Security Operations Center

Fighting Advanced Threats

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

Securing Cloud-Based

Post-Stuxnet Industrial Security: Zero-Day Discovery and Risk Containment of Industrial Malware

The Hillstone and Trend Micro Joint Solution

ITSC Training Courses Student IT Competence Programme SIIS1 Information Security

FROM PRODUCT TO PLATFORM

Where every interaction matters.

Defending Against Data Beaches: Internal Controls for Cybersecurity

Technical Product Overview. Employing cloud-based technologies to address security risks to endpoint systems

Cybersecurity: An Innovative Approach to Advanced Persistent Threats

Persistence Mechanisms as Indicators of Compromise

Modern Cyber Threats. how yesterday s mind set gets in the way of securing tomorrow s critical infrastructure. Axel Wirth

WHITEPAPER. How a DNS Firewall Helps in the Battle against Advanced Persistent Threat and Similar Malware

ESET Endpoint Security 6 ESET Endpoint Antivirus 6 for Windows

Trend Micro Cloud App Security for Office 365. October 27, 2015 Trevor Richmond

The Advanced Attack Challenge. Creating a Government Private Threat Intelligence Cloud

Recurrent Patterns Detection Technology. White Paper

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

LASTLINE WHITEPAPER. In-Depth Analysis of Malware

Web-Application Security

Conducting a Risk Assessment for Mobile Devices

Critical Security Controls

Lessons Learned CIP Reliability Standards

Overview. Introduction. Conclusions WINE TRIAGE. Zero day analysis. Symantec Research Labs (SRL)

CAS : A FRAMEWORK OF ONLINE DETECTING ADVANCE MALWARE FAMILIES FOR CLOUD-BASED SECURITY

IT Security & Compliance. On Time. On Budget. On Demand.

Symantec Endpoint Protection

White Paper. Time for Integrated vs. Bolted-on IT Security. Cyphort Platform Architecture: Modular, Open and Flexible

How Attackers are Targeting Your Mobile Devices. Wade Williamson

Cyber Security for Start-ups: An Affordable 10-Step Plan

AppGuard. Defeats Malware

Extending Threat Protection and Control to Mobile Workers with Cloud-Based Security Services > White Paper

Palo Alto Networks. October 6

Managing Web Security in an Increasingly Challenging Threat Landscape

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Symantec Advanced Threat Protection: Network

Application White Listing and Privilege Management: Picking Up Where Antivirus Leaves Off

Attack Intelligence Research Center Monthly Threat Report MalWeb Evolution and Predictions

[state of the internet] / SEO Attacks. Threat Advisory: Continuous Uptick in SEO Attacks

Cybersecurity and internal audit. August 15, 2014

Effectiveness of blocking evasions in Intrusion Prevention Systems. White Paper. April, Konstantinos Xynos, Iain Sutherland, Andrew Blyth

An New Approach to Security. Chris Ellis McAfee Senior System Engineer

Practical Threat Intelligence. with Bromium LAVA

You ll learn about our roadmap across the Symantec and gateway security offerings.

Insider Threat Control: Using a SIEM signature to detect potential precursors to IT Sabotage. CERT Insider Threat Center

White Paper. How to Effectively Provide Safe and Productive Web. Environment for Today's Businesses

Unified Security, ATP and more

Symantec enterprise security. Symantec Internet Security Threat Report April An important note about these statistics.

Contact details For contacting ENISA or for general enquiries on information security awareness matters, please use the following details:

LASTLINE WHITEPAPER. Why Anti-Virus Solutions Based on Static Signatures Are Easy to Evade

Unknown threats in Sweden. Study publication August 27, 2014

1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers.

ISS X-Force. IBM Global Services. Angel NIKOLOV Country Manager BG, CZ, HU, RO and SK IBM Internet Security Systems

Eight Essential Elements for Effective Threat Intelligence Management May 2015

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Audit summary of Security of Infrastructure Control Systems for Water and Transport

Trend Micro Endpoint Comparative Report Performed by AV Test.org

Malicious Mitigation Strategy Guide

Carbon Black and Palo Alto Networks

Check Point: Sandblast Zero-Day protection

Real World and Vulnerability Protection, Performance and Remediation Report

Perspectives on Cybersecurity in Healthcare June 2015

The case for continuous penetration testing

Getting real about cyber threats: where are you headed?

Cyber-Security. FAS Annual Conference September 12, 2014

Symantec Protection Suite Small Business Edition A simple, effective and affordable solution designed for small businesses

Modular Network Security. Tyler Carter, McAfee Network Security

North American Electric Reliability Corporation (NERC) Cyber Security Standard

Dispatch: A Unique Security Solution

Transcription:

Current Threats and Open Document Formats Thomas Caspers Oliver Zendel Federal Office for Information Security 6th ODF Plugfest Berlin,

Targeted Attacks via Email On average between 4 and 5 targeted emails with malicious attachments are detected within German governmental networks per day The attacker sends an email containing direct references to the victim's occupation and function Points of origin for producing the malicious attachments are documents that are available on public websites official letters from governmental organizations internal documents of working groups 2

3

4

Senders of Malicious Emails The sender is chosen meaningfully The sender's name has a direct connection to the document that was found on a public website beforehand The sender's name can be put in the context of a governmental organization easily The sender's name can be found on a members list of a working group The way the email displays the sender's address is plausible A real email account is compromised A new email account is registered with a free webmail service using the sender's name The sender's address is counterfeit 5

BSI Status Report on IT Security 2011 Large waves of malware like Sasser or Loveletter are no longer being observed. A typical malicious program only lasts for a few days and is only targeted at a small group of victims. Targeted attacks for sabotage and espionage purposes increased significantly in the period under review and were carried out with a hitherto unknown professionalism. The BSI is concerned about the ever more widespread use of mobile devices for writing and reading e-mails, as these are often poorly protected due to a lack of suitable protection programs. Source: BSI, The IT Security Situation in Germany 2011 6

Defense against Targeted Attacks Antivirus solutions generally do not come with appropriate signatures that are able to protect from targeted attacks AV solution 1 AV solution 2 AV solution 3 AV solution 4.pdf 65% 85% 80% 55%.doc 90% 20% 10% 5%.xls 50% 65% 15% 10% Source: Christoph Fischer, Effektivität von gängigen Malwarescannern bei dokumentenbasierten Schadprogrammen, 2011 7

File Types Used in Targeted Attacks Source: Symantec MessageLabs Intelligence, February 2011 Intelligence Report 8

Document File Types Used in Targeted Attacks Source: Symantec MessageLabs Intelligence, February 2011 Intelligence Report 9

Challenges: Weaknesses in the Standard Itself Exploitation of the PDF Launch Action (Didier Stevens) 7 0 obj << /Type /Action /S /Launch << /F (cmd.exe) Launch Actions are specified under section 12.6.4.5 in ISO PDF 32000-1:2008 Document management Portable document format http://www.adobe.com/content/dam/adobe/en/devnet/acrobat/pdfs/pdf32000_2008.pdf 10

Possibilities: Enabling the Analysis of Attacks Obfuscating malicious code in PDFs using filters ASCIIHexDecode ASCII85Decode LZWDecode FlateDecode RunLengthDecode CCITTFaxDecode JBIG2Decode DCTDecode JPXDecode Crypt Specified under 7.4 in ISO PDF 32000-1:2008 Document management Portable document format 11

IT Security Advantages of Open Document Formats Open Discussions about weaknesses in document formats Enabling a deeper analysis of techniques used in attacks Development of custom mechanisms to detect attacks Adapting Free Software that is used for rendering and processing of document formats to individually specific purposes also independently from the vendor Prerequisite for software diversity Promotion of a competitive environment for vendors Strengthening IT Security 12

13

14

15

Complexity of IT Systems complexity time 16

Hiding Complexity (Usability) complexity hidden complexity visible complexity time 17

Complexity within Document Formats Document Format # Elements Office Open XML 1792 WordprocessingML 780 OASIS Open Document 530 As of 2006 18

Office 19

Mitigating the Threats Goal: Sanitization of Office Documents Check for weak removal of sensitive information Check for hidden content Check for malicious content Remove unneeded or potential dangerous parts Requirements Fully documented Low complexity (format and semantics) Easy to integrate in 3rd party products Separation of static and dynamic parts Possibility to remove dynamic parts 20

Magic Component trusted compartment Magic Component 21

Contact Federal Office for Information Security (BSI) Thomas Caspers Section C 13 Email thomas.caspers@bsi.bund.de Oliver Zendel Section K 14 Email oliver.zendel@bsi.bund.de Godesberger Allee 185-189 53175 Bonn www.bsi.bund.de 22

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information