MALWARE THREATS AND TRENDS
Chris Blow, Director
Dustin Hutchison, Director
WHAT IS MALWARE?
Malicious software:
- Viruses
- Worms
- Trojans
- Rootkits
- Spyware
- Ransomware
MALWARE ORIGINS
- Users bring it from home: USB drives, pirated software, BYOD (or BYOID: Bring Your Own Infected Device)
- Social engineering: malicious email attachments, instant messaging
- Web site drive-bys: PHP website compromised and malware being served to visitors; 3rd-party ads compromised on legitimate websites
- Why? It used to be to cause chaos or for fun; now it is more financially driven
Reference: http://arstechnica.com/security/2013/10/hackers-compromise-official-php-website-infect-visitors-with-malware/
BROWSER-BASED THREATS
Browser-based threats are one of the leading sources of malware distribution.
Largest browser threats in the wild as of Q3 2013:
- HTTP: Microsoft JPEG Processing Buffer Overrun
- HTTP: Multiple Browser Window Injection Vulnerability
- RTSP: Apple QuickTime Overly Long Content-Type Buffer Overflow
- HTTP: Microsoft Internet Explorer CHTML Use-After-Free Remote Code Execution
HISTORICAL APPROACH
- Proactive OS patching, but ignoring 3rd-party patching
- Anti-Virus (AV)
  - Initial detection rate of new malware is around 3-5%
  - Some AV vendors can take up to 4 weeks to detect new malware from the time of the initial scan
  - AV is part of a layered security approach; it helps mitigate well-known existing attacks
  - Malware creators/exploit kits are doing what they can to disable or circumvent AV ALL THE TIME
  - AV will not stop targeted malware
- Corporate AV misconfigurations? Reviewed many help desk forums for popular AV and found many enterprises with misconfigured AV:
  - Lack of heuristics enabled
  - Not keeping AV up to date
  - Misconfigured add-ons
REACTIONARY MEASURES
- Specialized malware removal software
  - AV may possibly quarantine the threat, but this removes the payload, which is what continues its propagation
  - Usually complementary to corporate AV solutions
  - Still doesn't detect targeted malware and/or 0-day threats
- Examples:
  - MalwareBytes Anti-Malware (MBAM)
  - SpyBot Search & Destroy
  - Ashampoo Anti-Malware
  - Various programs from popular AV brands for specific malware
Relying solely on AV is like wearing flip-flops in a bar bathroom.
GENERAL MALWARE THREATS
- No signs of slowing down; steadily growing
PSH, I'VE GOT A MAC
- Malware on Macs has more than tripled since the end of 2012
RANSOMWARE
- Ransomware has been growing exponentially since Q3 2012
- Roughly 320,000 new unique samples at the end of Q2 2013
THE STATE OF MOBILE MALWARE
- Mobile malware is still on the rise
- By the end of Q2, McAfee Labs had collected as many mobile malware samples as it did in all of 2012
- Backdoor Trojans and spyware that steal banking information were the largest area of gain in Q2 2013
- The majority of mobile malware is Android-based
WHAT CAN WE DO?
- Defense in depth
DEFENSE IN DEPTH
- Policies, Procedures, and Awareness
- Physical Security
- Technical: Perimeter, Internal Network, Host, Application, Data
OPTIONS
- Firewalls
- Proxies
- Unified threat management (UTM)
- Host-based intrusion prevention (HIPS)
- Network intrusion prevention systems (NIPS)
- Network intrusion detection systems (NIDS)
PREVENTION FAILS (REMEMBER AV?)
- Firewalls
- Proxies
- Unified threat management (UTM)
- Host-based intrusion prevention (HIPS)
- Network intrusion prevention systems (NIPS)
NETWORK SECURITY MONITORING
- Leverages IDS
- Relies on signature-based identification, but also interactive analysis
- Full content data
NETWORK SECURITY MONITORING
EVENT CORRELATION
EVENT INVESTIGATION
ADDITIONAL BENEFITS
- Policy violations (installation of unapproved software)
- Early detection
- DNS analysis
- Unexpected services available internally and externally
SO YOU'VE BEEN BREACHED
- How long does it normally take to spot a breach?
BREACH DETECTION
- 69% of breaches were spotted by an external party
- 9% of breaches were spotted by customers
WHERE DO WE GO FROM HERE?
Baby steps:
- Have AV? Make sure it's functioning and up to date!
- Ensure the operating system and applications are up to date
- Properly segment your network
- Regularly scan your environment for vulnerabilities
- Backups on critical systems
- Critical asset log monitoring (firewalls, DNS, etc.)
- Firewall rule review
- Network Security Monitoring
- Begin looking at: application sandboxing, honeypots / darknets
Q&A