Combating Spear-phishing:


Transcription:

Combating Spear-phishing: Convergence of Intel, Ops, Forensics, and Vulnerability Management
Mr. Billy Rodriguez, GCIH, Chief, Intrusion Prevention Section
Mr. Jacob Stauffer, GCFA, GREM, Chief, Intrusion Forensics Section

BLUF
- Air Force networks are constantly under attack
- Overview of the 33 NWS mission
- Discuss AF vulnerability management
- Dissect a previous attack
Integrity - Service - Excellence

33 NWS (AFCERT)
Vision: Air Force network defenders providing Joint War Fighter freedom of action by employing pro-active network defense capabilities.
Mission: To produce effects for the Air Force and Combatant Commands in, through, and from cyberspace by employing synchronized network defense operations to detect, respond, and prevent network intrusions.

26 NOG Network Defense Team
- 26 NOS ("Always On, Always Ready"): 24x7 AF network operations, support, and defense
- 352 NWS Firebirds: OPSEC and force protection monitoring, cyber data analysis
- 68 NWS Purple Dragons ("Semper Excubia"): OPSEC monitoring, web risk assessment, cyber battle damage assessment
- 426 NWS ("Committed to Excellence"): OPSEC monitoring, OPFOR analysis, threat presentation
- 33 NWS (AFCERT) Mighty Griffins: 24x7 AF network defense (prevent, detect, respond)

Partnerships
- Military: USCYBERCOM; Army, Navy, Marine CERTs; NSA / NTOC
- Intelligence: NSA / NTOC, CIA, NASIC
- Law Enforcement: AFOSI, DHS

Mission Ops Tempo (chart): incidents and CAT VIII investigations per year, 2008 through 2012 YTD. Bar values as extracted, in order: 1287, 1272, 812, 906, 127, 204, 204, 156, 59, 429.

The Threat

Vulnerability Management
- Risk management
- Monitoring advisories
- Patch management
- Vulnerability scanning

Risk Management
Know your environment and what matters. Common questions to ask:
- What systems do you have?
- What products do you have?
- Are you affected by each vulnerability?
- Does every vulnerability receive a critical designation?
- How do you prioritize?

Advisories
What is your central monitoring capability?
- Threat advisories
- Security tips
- Tangible stories

Patch Management
How do you receive your patches? (Diagram: Adobe, Microsoft and Java updates going straight to Workstation A, Workstation B and Workstation C.)

Patch Management (cont'd)
(Diagram: Adobe, Microsoft and Java updates, with a Test System placed between the vendors and Workstation A, Workstation B and Workstation C.)

Vulnerability Scanning
How do you know your patches are working?
- Blue Team
- Red Team
- Green Team

The last line of defense! Host Based Security
Protect your host by analyzing the norm and weeding out the unknown.

Why don't you just educate users?

Spear-phishing
- Supervisor to subordinate
- Conference attendance invites
- Email from Commander to Squadron

Case Study: Vulnerability Acknowledged

Initial Attacks Observed
- Days later: "Federal Tax Law Changes for 2010-2017"
- AV detected and prevented

Additional Attacks Observed
- 4 Jan 10: additional attempts observed on "Federal Tax Law Changes for 2010-2017" (Version 2)
- Highly successful: malware had been modified to evade AV
- Targeted mainly JA/ADC officers
- Email was forwarded to friends/coworkers/home

Analysis Begins
- 5 Jan 10: malware obtained/analyzed
- 5 Jan 10: blackhole-listed malicious URLs
- 7 Jan 10: developed and pushed the "Magic Signature"
- 7 Jan 10: observed alerts on other spear-phishing attacks

Even More Attacks
- 11-15 Jan 10: observed 5 additional email subjects/attachments
  - OPM Form 71 Request for Leave/Approved Absence (Jan 2010) (11 Jan)
  - MPUC 2010 (12 Jan)
  - China's Evolving Strategic Strike Capability (13 Jan)
  - News Highlights 13-01-2010 (13 Jan)
  - USEUCOM Intelligence Summit (15 Jan)
- 12 Jan 10: Adobe released patch
- 13 Jan 10: AFCERT issued critical TCNO

The Magic Signature: Step by Step

The malicious PDF was first opened in WinHex, followed by a search for an embedded binary.

A review for possible code following EOF tags was done; nothing suspicious there.

Plus, a pattern emerged revealing a portion of a rolling XOR key. This looked suspicious, however.

The full XOR key was uncovered. Using the embedded binary as a starting point, the key began with \x00 and continued in descending order with \xff, \xfe, \xfd, \xfc, \xfb, etc., thus revealing the executable. A script was written to apply this XOR key to the PDF, and the embedded binary was extracted for analysis. More importantly, this led to an extremely valuable IDS signature.

First, the offset of the malicious binary was noted (in this case 68CF). Then the PDF was converted to Base64, since that's the encoding used when it is sent as an email attachment. However, the size difference between the raw PDF and its Base64 variant had to be factored in.

Since the Base64 variant is 125% larger than the raw PDF (chunks of 4 vice chunks of 3), the raw PDF offset of the malicious binary (68CF) was divided by 3 and then multiplied by 4, giving 8FBC. This procedure was repeated twice, adding one and two to the original PDF offset, in order to account for the three Base64 alignment possibilities. This revealed the correct offset in the Base64 version of the PDF to create an IDS signature.
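The decoding and offset arithmetic from the steps above, written out as an added Python example. This is not the 33 NWS script and nothing here comes from the real sample: the PDF wrapper and the PE stub are constructed test data, and the function names are mine. It applies the descending rolling XOR key (\x00, \xff, \xfe, ...), locates the embedded binary by a known-plaintext scan for the MZ header, and then goes one step further than the deck's single divide-by-3-multiply-by-4 computation by generating the signature text for all three Base64 alignments and showing that exactly one of them matches the encoded attachment.

```python
from __future__ import annotations
import base64

# Added example (not the 33 NWS script). Rolling XOR key as the deck describes it:
# byte 0 of the embedded binary is XORed with 0x00, byte 1 with 0xff, byte 2 with 0xfe,
# ... descending modulo 256. XOR is its own inverse, so one function encodes and decodes.
def rolling_xor(data: bytes) -> bytes:
    return bytes(b ^ ((-i) & 0xFF) for i, b in enumerate(data))


# Constructed sample: a minimal PDF-looking wrapper around an XOR-encoded PE header.
PE_STUB = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
           b"This program cannot be run in DOS mode.\r\n")
PDF_HEAD = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Length 57 >>\nstream\n"
PDF_TAIL = b"\nendstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"


def build_sample_pdf() -> bytes:
    return PDF_HEAD + rolling_xor(PE_STUB) + PDF_TAIL


def find_embedded_binary(blob: bytes, known: bytes = b"MZ") -> int:
    """Known-plaintext scan. The key restarts at 0x00 at the binary's first byte, so
    'M' travels unchanged and 'Z' becomes 0xA5; decode each candidate window under the
    key and compare. Returns the raw offset, or -1 if nothing matches."""
    for off in range(len(blob) - len(known) + 1):
        if rolling_xor(blob[off:off + len(known)]) == known:
            return off
    return -1


def extract_binary(blob: bytes, offset: int, length: int) -> bytes:
    """Apply the key from the noted offset to recover the executable for analysis."""
    return rolling_xor(blob[offset:offset + length])


def base64_signature_variants(raw_prefix: bytes) -> list[bytes]:
    """Base64 turns 3 raw bytes into 4 text characters, so the text form of the same
    bytes depends on their offset modulo 3. For each alignment, drop the leading bytes
    that share a group with unknown preceding data, keep whole groups, and encode; the
    result is a literal that a content signature can match in the attachment body."""
    variants = []
    for phase in range(3):
        body = raw_prefix[(3 - phase) % 3:]
        body = body[: len(body) - len(body) % 3]
        variants.append(base64.b64encode(body))
    return variants


def char_index_for(raw_offset: int) -> int:
    """The deck's offset arithmetic: round the raw offset up to the next 3-byte group
    boundary, divide by 3, multiply by 4 (the base64 character index of that group)."""
    aligned = raw_offset + (3 - raw_offset % 3) % 3
    return aligned // 3 * 4


def locate_in_base64(blob: bytes, raw_offset: int, sig_len: int = 24) -> list[tuple[int, int]]:
    """Encode the whole attachment as it would travel in email (MIME line wrapping at
    76 columns is ignored here) and report which alignment variants match and where.
    For a correctly derived signature exactly one (phase, text_offset) pair comes back."""
    text = base64.b64encode(blob)
    hits = []
    for phase, sig in enumerate(base64_signature_variants(blob[raw_offset:raw_offset + sig_len])):
        idx = text.find(sig) if sig else -1
        if idx != -1:
            hits.append((phase, idx))
    return hits


if __name__ == "__main__":
    pdf = build_sample_pdf()
    off = find_embedded_binary(pdf)
    print(f"embedded binary at raw offset 0x{off:X}")
    print(extract_binary(pdf, off, len(PE_STUB))[:16])
    for phase, idx in locate_in_base64(pdf, off):
        print(f"alignment {phase}: signature matched at base64 text offset 0x{idx:X} "
              f"(deck arithmetic predicts 0x{char_index_for(off):X})")
```

The known-plaintext scan is what makes the XOR step cheap to automate: because the key restarts at \x00 on the binary's first byte, the first byte of any PE file is unchanged on the wire and the second is a fixed value, so a two-byte comparison at every offset finds the start without any prior key recovery. The three signature variants are the part worth keeping in a detection engine: a signature written for only one alignment silently misses a variant of the same document whose embedded binary begins one or two bytes earlier or later.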

Questions?
Mighty Griffins - 24x7 AF Network Defense

Contact Information
Ms Christi Ruiz, 33 NWS/DOU, christi.ruiz@us.af.mil
Mr Jacob Stauffer, 33NWS/DOUF, jacob.stauffer@us.af.mil
Mr Billy Rodriguez, 33NWS/DOUP, billy.rodriguez@us.af.mil