One Minute in Cyber Security
Simon Bryden

Overview
- Overview of the threat landscape
- Current trends
- Challenges facing security vendors
- Focus on malware analysis
The year?
The Creeper
- Experimental self-replicating program
- Written in 1971 by Bob Thomas of BBN
- Infected DEC PDP-10 computers
- Just one year after the Unix epoch began
- The Reaper worm was created in 1972 to delete it

Crimeware and Crime Services (ecosystem diagram)
- Crimeware producers: senior developers, junior developers, source code, copy & paste, partnerships, special platforms; exploit sales, licensing and maintenance; affiliate programs; products include FakeAV, ransomware, botnets, packers and mobile malware
- Crime services: quality assurance, crypters / packers, scanners, hosting, infections / drop zones, management, botnet rentals, installs / spam / SEO / DDoS, consulting
- Enablers: money mules, accounts receivable, digital real estate
- Compounded cybercrime: criminal organizations and affiliates targeting victims, bank accounts, credentials and data
Threat Landscape
Point of Sale
- 2013 was the year of the megabreach
- Target and Home Depot made the headlines
- Between them, details of 90 million credit cards were stolen
- POS attacks are still very prevalent: small targets, large scale
- PCI 3.0 was released in 2013 to reinforce protection

Server-side Attacks
- HeartBleed: 500,000 web servers affected
- ShellShock: millions of Internet-connected devices affected
- Time to protect is critical: there is a surge in attacks while a vulnerability is fresh

Industrial Malware
- Havex, the sequel to Stuxnet
- RAT (remote administration tool)
- Harvests information on hardware control systems (SCADA)
- OPC (OLE for Process Control): communication between Windows and control hardware
- OPC servers control machines via PLC

Trends
- More attacks
- More victims
- More organisation
- Higher returns
Problem: Growing Attack Surface
Problem: Growing Attack Vectors An Extensive, Poisoned, Dark, Deep Web
Problem: Growing Threat Volume
Problem: Growing Malware Sophistication
- As malware defences improve, malware sophistication increases to match
- A constant arms race

The FortiGuard Minute (per-minute figures; items without a number had their count lost in extraction)
- 5,800 application control rules
- 170 terabytes of threat samples
- 17,500 intrusion prevention rules
- Spam e-mails intercepted
- 250 million rated websites in 78 categories
- 173 zero-days discovered
- Attempts to access malicious websites blocked
- Network intrusion attempts resisted
- Website categorization requests
- Botnet command and control attempts thwarted
- Malware programs neutralized
- 8,000 hours of research in labs around the globe
- 47 million new and updated antispam rules
- 1.3 million new URL ratings
- 100 intrusion prevention rules
- 2 million new and updated antivirus definitions

FortiGuard Minute Trends (chart, May 2013 to Apr 2015; series: Threat Samples (TBytes), IPS detections (x1000/min), AV updates (x10,000/week))
Focus on Malware Analysis
Raw Threat Data
- Sources
- Collaboration partners
- Community feeds

Information vs Intelligence
- Information: raw data, not easily usable
- Intelligence: processed data, actionable, can be used to enable protection

Malware Signatures
- Easy way: file hashes
- Create a hash for each malicious file
- Fast for small numbers of files
- Does not scale!
- Only works for known files!

Problem: Polymorphism
- Hash-based systems are very easy to bypass
- A one-byte change completely changes the hash
- Increases malware volume
- Increases search time
- Increases database volume
- (Slide shows a list of MD5 hashes of variants of the same malware.)
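To make the two slides above concrete, this added example (not Fortinet code, and not CPRL) hashes a constructed sample and a one-byte variant, then compares a hash lookup with a hypothetical YARA-style hex pattern that uses `??` wildcards:

```python
"""Hash lookup vs content pattern against one-byte variants (added example)."""
import hashlib
import re

# Constructed stand-in for a malicious file: a fake header, a hard-coded
# request string a malware family might reuse, and padding a packer could
# perturb without changing behaviour. Not a real sample.
ORIGINAL = (b"MZ\x90\x00" + b"\x00" * 8
            + b"GET /gate.php HTTP/1.1\r\nHost: example.invalid"
            + b"\x00" * 16)

# Hypothetical pattern: 'GET /' + 4 wildcard bytes + '.php'
# (47 45 54 20 2F = "GET /", 2E 70 68 70 = ".php")
REQUEST_PATTERN = "47 45 54 20 2F ?? ?? ?? ?? 2E 70 68 70"


def one_byte_variant(sample: bytes, offset: int) -> bytes:
    """Flip one byte, the minimal change a repacker or polymorphic stub makes."""
    buf = bytearray(sample)
    buf[offset] ^= 0xFF
    return bytes(buf)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def hash_signature_matches(sample: bytes, known_hashes: set) -> bool:
    """Exact-hash lookup: only ever matches files already in the database."""
    return md5_hex(sample) in known_hashes


def compile_pattern(hex_pattern: str) -> re.Pattern:
    """Translate a 'GE 54 ?? 2F' style pattern into a bytes regex ('??' = any byte)."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in hex_pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def pattern_matches(sample: bytes, hex_pattern: str = REQUEST_PATTERN) -> bool:
    """Content match: survives changes outside the fixed bytes of the pattern."""
    return compile_pattern(hex_pattern).search(sample) is not None


if __name__ == "__main__":
    known = {md5_hex(ORIGINAL)}
    variant = one_byte_variant(ORIGINAL, len(ORIGINAL) - 1)  # touch the padding
    print("original md5 :", md5_hex(ORIGINAL))
    print("variant  md5 :", md5_hex(variant))
    print("hash match   :", hash_signature_matches(variant, known))
    print("pattern match:", pattern_matches(variant))
```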
Content Pattern Recognition Language (CPRL)
- Patented Fortinet technology

Week ending   New samples received   Already detected by CPRL   CPRL effectiveness
12/10/2014    2,014,166              851,004                    42%
12/3/2014     1,821,935              737,431                    40%
11/26/2014    1,652,524              993,257                    60%
11/19/2014    2,090,046              1,193,079                  57%

- Around 50% of new malware is caught by CPRL

Malware Analysis
- Manual analysis: static analysis, behavioural analysis
- Very high quality output
- Doesn't scale well

Sandbox
- Automated analysis
- Performs automated behavioural analysis
- Runs malware in a virtual environment and records: file system activity, registry accesses, API calls, network activity
- A sandbox appliance can be combined with traditional AV and community intelligence sharing to enhance response time
- Analysis layers (diagram): AV prefilter, cloud file query, code emulation, full virtual sandbox, call-back detection
Big Data Analytics
- Increasing numbers mean that new methods must be used
- Correlation is key to identifying threats
- Having broad visibility is key to correlation
- Typically, an attack involves multiple steps
- Each device can act as a sensor
- Data is fed back to FortiGuard
- This data can then be mined to enhance the quality of threat intelligence
- Sensors and the attack steps they observe (diagram): anti-spam (malicious email), web filtering (malicious web site), intrusion prevention, antivirus, app control / IP reputation (command & control center)

Example: Exploit Kit Analysis (diagram)
- Visit to drive-by sites, redirection to landing site; malicious URLs feed web filtering
- Exploit-kit detection feeds intrusion prevention
- Malicious samples go to sandbox analysis
- Sandbox results are used to create and refine signatures, updating intrusion prevention, antivirus and IP reputation

Empowering the User
- End-user sandbox provides instant feedback
- Results can optionally be fed to FortiGuard
- Alternatively, samples can be sent directly to the cloud sandbox
- Samples can also be submitted directly to an analyst
- Flow (diagram): FortiGate and everything that can enforce a security policy hands off high-risk items to the sandbox and everything that is behaviour based; FortiGuard teams and automation update prevention rules and provide ratings and results

Summary
- Attack volume and sophistication are ever-increasing
- Information volume is not the same as actionable intelligence
- Correlation is key to breaking through the fog
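The multi-step correlation argued for in the Big Data Analytics and exploit-kit slides, as an added example that is not FortiGuard code: events from the sensor roles named on the slide are grouped per host, and a host is flagged when several distinct stages occur within a time window. The log format and all events are constructed.

```python
"""Correlate per-device sensor events into a multi-step attack chain (added example)."""
from collections import defaultdict

# Constructed log: 'epoch,sensor,host,detail'. Sensor names are the roles on the
# slide; this format is an assumption for the example, not a product format.
SAMPLE_LOG = """\
1000,antispam,10.0.0.5,Malicious Email: invoice.zip attachment
1090,webfilter,10.0.0.5,Malicious Web Site: exploit-kit landing page
1130,ips,10.0.0.5,Exploit kit: browser exploit attempt
1200,av,10.0.0.5,Malware: dropped payload quarantined
1260,ipreputation,10.0.0.5,Command & Control Center: outbound beacon
1300,webfilter,10.0.0.9,Malicious Web Site: blocked
9000,ipreputation,10.0.0.5,Command & Control Center: outbound beacon
"""

# Order in which the stages appear in the attack described on the slide.
KILL_CHAIN = ["antispam", "webfilter", "ips", "av", "ipreputation"]


def parse_events(log: str):
    """Yield (timestamp, sensor, host, detail) tuples from the constructed log."""
    for line in log.splitlines():
        ts, sensor, host, detail = line.split(",", 3)
        yield int(ts), sensor, host, detail


def correlate(events, window: int = 600, min_stages: int = 3) -> dict:
    """Return {host: [stages]} for hosts showing >= min_stages distinct
    sensor stages inside any window of `window` seconds.

    A single alert on its own (10.0.0.9) or an isolated late beacon never
    reaches the threshold; only the chained sequence does."""
    by_host = defaultdict(list)
    for ts, sensor, host, _ in events:
        by_host[host].append((ts, sensor))
    chains = {}
    for host, evs in by_host.items():
        evs.sort()
        best = set()
        for i, (start, _) in enumerate(evs):           # slide the window
            seen = {s for ts, s in evs[i:] if ts - start <= window}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_stages:
            chains[host] = sorted(best, key=KILL_CHAIN.index)
    return chains


if __name__ == "__main__":
    for host, stages in correlate(parse_events(SAMPLE_LOG)).items():
        print(host, "->", " > ".join(stages))
```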
Thank You!