The Future of Cyberattacks: What you should know about Flame and other Advanced Persistent Threats
Harry Sverdlove
January 10, 2013
2013 Bit9. All Rights Reserved
The Advanced Threat Landscape

Criminal Enterprises
- Broad-based and targeted attacks
- Financially motivated
- Getting more sophisticated

Hacktivists
- Targeted and destructive attacks
- Unpredictable motivations
- Generally less sophisticated

Nation-States
- Targeted and multi-stage attacks
- Motivated by information and IP
- Highly sophisticated, endless resources
Deluge of IP Loss

"What's been going on over the last few years in the networks is the greatest theft that we've seen in history. What we're losing in intellectual property is astounding."
- U.S. Cyber Command General Keith Alexander, September 2011

"The extent of what is going on is astonishing."
- Director General of MI5, Jonathan Evans, June 2012
Impact on Economies and Governments

The United States reserves the right to use military force against a nation that launches a cyberattack on the country.
2010: A Watershed Year for Security

January 2010: Operation Aurora
- Targeted over 3 dozen Silicon Valley companies, including Google, Adobe, and Juniper Networks
- Mainstreamed the term Advanced Persistent Threat (APT)
- Raised awareness of cyber-espionage

June 2010: Stuxnet
- Targeted industrial control systems in Iran
- Leveraged 4 zero-days; deemed a cyber superweapon
- Raised awareness of cyber-sabotage
Past Two Years at a Glance (2010 - 2012)

- Duqu (Sep 2010): primarily targeting Iran, related to Stuxnet
- Night Dragon (Feb 2011): several energy and petrochemical companies
- RSA Breach (Mar 2011): up to 700 companies, multi-stage campaign
- Gmail Hacking (Jun 2011): email of government, military and political activists
- Shady RAT (Aug 2011): 70+ companies, 32 categories, 14+ countries
- Black Tulip (Sep 2011): attack on certificate authority DigiNotar
- Nitro (Oct 2011): 48+ companies, chemical industry, 20 countries
- Flame (May 2012): Middle East, comprehensive espionage kit
- SPE/miniFlame (Jul 2012): lighter-weight remote control backdoor
- Gauss (Aug 2012): primarily Lebanese banks, related to Flame
Anatomy of a Targeted Attack

1. Phishing and 0-Day Attack: a handful of users are targeted by phishing attacks; one user opens the zero-day payload
2. Back Door: the victim's machine is accessed remotely by a remote admin tool
3. Lateral Movement: the attacker elevates access to important services and accounts, and to specific systems
4. Data Gathering: data is acquired from target systems and staged for exfiltration
5. Exfiltration: data is exfiltrated via encrypted files, or hidden in plain sight, to an external machine

RSA Attack Example (2011)
- "Recruitment Plan" email with an XLS attachment containing a Flash 0-day (CVE-2011-0609)
- Dropped the Poison Ivy RAT
- Harvested access credentials and moved laterally
- Set up internal staging servers
- Aggregated, compressed and encrypted data
- FTP used to transfer a password-protected RAR
Common Characteristics of Advanced Attacks

- Target people, not technology: use social engineering to walk through the front door
- Manually controlled: attacks are interactive, with a human operator on the other end
- Long-term campaigns: establish a foothold, expand, hide in plain sight, persist
Enter Flame

A cyber espionage toolkit
- Most comprehensive malware to date: over 20MB in total payload, 100x the typical size
- Collects from WiFi, Bluetooth, network, USB, keyboard, screen and microphone
- Large command-and-control (C&C) infrastructure: 80+ domains through 20+ registration companies, rotating IP addresses
- Sophisticated cryptographic attack: able to spoof Microsoft Windows Updates with forged certificates
- Around for anywhere from 2 to 5+ years
Multi-Dimensional Attack

Some of the components of Flame:

Code Name     Description
Beetlejuice   Enumerate and attack Bluetooth devices
Microbe       Records audio
Infectmedia   Select removable media infection method (autorun, Euphoria)
Limbo         Creates backdoor accounts
Frog          Infect machines using backdoor accounts
Munch         Responds to remote requests
Snack         Listen/collect network data
Weasel        Captures directory listing
Gator         Connects to CnC, gets updates, uploads collected data
Security      Identifies existing security programs, e.g. AV and firewall

Source: Laboratory of Cryptography and System Security (CrySyS Lab), http://www.crysys.hu/
Flame Changes the Rules

The bar was just raised
- The barrier to entry in the cyber arms race is a search engine
- Both the concepts and the techniques are now freely available

IP is no longer just electronic documents
- Potential information extends from the virtual to the physical: microphones, cameras, GPS, ...

It's not only what you know, it's who you know
- Relationships are stepping stones for multi-stage cyber attacks
Failure of Traditional Security

"Due to its extreme complexity, plus the targeted nature of the attacks, no security software detected [Flame]."
- Kaspersky Lab, May 28, 2012

"The truth is, consumer-grade antivirus products can't protect well against targeted malware created by well-resourced nation-states with bulging budgets. It's not a fair war between the attackers and the defenders when the attackers have access to our weapons."
- Mikko Hypponen, F-Secure, June 2, 2012
Traditional Security Approaches are Insufficient

[Slide diagram: endpoint types (cloud-based servers, virtual/physical servers, desktops/laptops (PC, Mac), fixed-function devices (ATMs, kiosks, point of sale), mobile, VDI, domain controllers, database, applications, email, storage) protected by traditional controls (anti virus, firewall, HIPS, email gateway), facing 400M+ malware variants and threat vectors (downloads, phishing, web drive-by, zero-day attacks, installs, updates, social engineering, memory infections, other threats)]
Failed Approach: Focus on Detect/Reject Bad

[Slide diagram: the same endpoint types, traditional controls and threat vectors as the previous slide, with 400M+ malware variants]

"It's clear that blacklist-based antivirus is fighting a losing battle."
- Forrester Research, Sept 2012

"We're fighting a new war with old weapons."
- CISO, Fortune 100 company
Better Approach: Focus on Trusted Software

[Slide diagram: the same endpoint types and threat vectors; only trusted software is allowed to run (PROACTIVE), and EVERYTHING ELSE IS UNTRUSTED]

"By 2015, more than 50% of organizations will have instituted a default deny application management policy."
- Gartner Research, June 2012

"Application control and whitelisting provide the advanced weapons needed to counter advanced threats."
- Bloor Research, Dec 2012
Most Companies are not Prepared
Applying Trust to Incident Response / Forensics

Application control is a DVR for your endpoints

[Slide diagram: the same endpoint types (servers, desktops/laptops, fixed-function devices, mobile, VDI, domain controllers, database, applications, email, storage)]

Real-time detection of:
- Creation/execution of untrusted software
- Suspicious registry changes
- Unauthorized USB devices
- Unauthorized process access
- File integrity changes
- OS/application tampering
- User session changes

Knowledge is power:
- What arrived on a system?
- Who created it?
- Did it execute?
- What did it do?
- Where else is it?
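The two ideas on this slide and the previous one, a default-deny decision on execution plus a recorded event stream that answers the forensic questions, as an added example that is not from the talk or from any Bit9 product. The allowlist hashes, host names, paths and events are all constructed; the event sequence mirrors the phishing, back door and lateral movement stages from the attack anatomy slide.

```python
import hashlib
from collections import namedtuple

# One endpoint record as an application-control agent would log it.
Event = namedtuple("Event", "ts host user path sha256 action")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for approved binaries; a real allowlist would hold
# hashes of vendor-signed software the organisation has approved.
OFFICE_HASH = sha256_hex(b"approved-office-suite")
BROWSER_HASH = sha256_hex(b"approved-browser")
TRUSTED_HASHES = {OFFICE_HASH, BROWSER_HASH}

# Constructed hash of a dropped remote admin tool (never on the allowlist).
RAT_HASH = sha256_hex(b"dropped-remote-admin-tool")

# Constructed event stream: attachment arrives, a tool is dropped and run on
# ws-01, the same file later appears on a second host fs-02.
EVENTS = [
    Event(1, "ws-01", "alice", r"C:\Users\alice\Downloads\plan.xls", sha256_hex(b"attachment"), "create"),
    Event(2, "ws-01", "alice", r"C:\Users\alice\AppData\Local\Temp\update.exe", RAT_HASH, "create"),
    Event(3, "ws-01", "alice", r"C:\Users\alice\AppData\Local\Temp\update.exe", RAT_HASH, "execute"),
    Event(4, "fs-02", "alice", r"C:\Windows\Temp\update.exe", RAT_HASH, "create"),
    Event(5, "ws-01", "alice", r"C:\Program Files\Office\office.exe", OFFICE_HASH, "execute"),
]

def enforce(event, allowlist=TRUSTED_HASHES):
    """Default-deny: execution is allowed only for hashes on the allowlist.
    File creation is recorded (the DVR view) rather than blocked."""
    if event.action != "execute":
        return "record"
    return "allow" if event.sha256 in allowlist else "block"

def trace(file_hash, events=EVENTS):
    """Answer the slide's forensic questions for one file hash:
    what arrived, who created it, did it execute, where else is it."""
    hits = [e for e in events if e.sha256 == file_hash]
    if not hits:
        return None
    first = min(hits, key=lambda e: e.ts)
    return {
        "arrived": (first.host, first.path, first.ts),
        "created_by": first.user,
        "executed": any(e.action == "execute" for e in hits),
        "hosts": sorted({e.host for e in hits}),
    }
```

Run `enforce` over each event to see the dropped tool blocked while the approved office binary runs, and `trace(RAT_HASH)` to see the second host the file spread to.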
Understanding the Threat Landscape

- Increase in the sophistication and frequency of APTs and targeted attacks in recent years
- Every sector, every location, every company size is a potential target
- We are all reluctant warriors on the cyber battlefield
- Cyberattacks can be both virtual and kinetic
- The bar is rising
- Perimeters are dissolving
Combatting the Threats with Technology

- There is no silver bullet
- Understand the threat and your risks
- Prioritize investments against those risks
- Invest in response and intelligence, not just defense
- Security really is about defense in depth
- New technologies based on trust are needed
Questions?

Harry Sverdlove
Chief Technology Officer
Bit9, Inc.