Combating the Next Generation of Advanced Malware: Surviving APT Attacks
Peter McNaull, Director of Technical Marketing, WatchGuard
Current State of AV Solutions
- Nearly 88% of malware morphs to evade signature-based antivirus solutions*
Attacking the Weakest Link
- Spear phishing
- Watering holes
- Chains of trust
Zero Day Threat Curve
(Chart; series: Zero Day Malware, AV Signatures, OS / Application)
Malware (R)evolution
(Chart: attacks plotted from opportunistic to targeted and from simple threats to sophisticated threats)
- Stages: plain virus, packing, C&C, polymorphic, persistent threats, fluxing, evasive threats
- Detection generations: antivirus, APT detection, next-generation APT detection
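The two slides above make one technical claim: a morphing sample keeps its behaviour but changes its bytes, so the hash or byte pattern an AV signature was written for no longer matches, while an engine that executes the sample sees the original body again once the decoder has run. The following is an added example, not code from the deck or from WatchGuard's products: a constructed dropper body, a constructed signature set, a toy XOR-based polymorphic wrapper (the "POLY" container layout is an assumption of this example), and a decoder emulation step that recovers what a full-system emulator would observe in memory.

```python
import hashlib
import random

# Constructed stand-in for a malicious dropper body. The string the signature keys on
# sits in the clear, exactly as it would in a sample that does not morph.
PAYLOAD = (
    b"\x4d\x5a\x90\x00" + b"\x00" * 12 +
    b"cmd.exe /c powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
)

# Constructed signature set of the kind a pattern-matching AV engine carries.
SIGNATURES = {
    "Trojan.Downloader.Generic": b"powershell -enc",
}


def signature_scan(blob: bytes) -> list:
    """Static, signature-based detection: substring match against the raw file bytes."""
    return sorted(name for name, pattern in SIGNATURES.items() if pattern in blob)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def morph(payload: bytes, key: bytes) -> bytes:
    """Polymorphic re-encoding: the body is XOR-encrypted with a per-sample key and
    prefixed with a small 'decoder' header. Behaviour is unchanged, but every body
    byte differs between siblings, so neither a file hash nor a byte signature carries
    over. Toy container layout (an assumption of this example):
    b"POLY" | key_len (1 byte) | key | encrypted body."""
    assert 0 < len(key) < 256 and 0 not in key, "a zero key byte would leave plaintext through"
    return b"POLY" + bytes([len(key)]) + key + xor_bytes(payload, key)


def emulate_decoder(sample: bytes) -> bytes:
    """What a system emulator observes after letting the decoder stub run: the plaintext
    body as it exists in memory. A static scanner never reaches this view."""
    if not sample.startswith(b"POLY"):
        return sample
    key_len = sample[4]
    key = sample[5:5 + key_len]
    return xor_bytes(sample[5 + key_len:], key)


def make_variants(n: int, seed: int = 7) -> list:
    """Generate n distinct morphs of PAYLOAD with deterministic per-sample 8-byte keys."""
    rng = random.Random(seed)
    return [morph(PAYLOAD, bytes(rng.choice(range(1, 256)) for _ in range(8))) for _ in range(n)]


def compare(variants: list) -> list:
    """Per variant: (sha256 prefix, static signature hits, hits after emulated decoding)."""
    return [
        (hashlib.sha256(v).hexdigest()[:12], signature_scan(v), signature_scan(emulate_decoder(v)))
        for v in variants
    ]


if __name__ == "__main__":
    for digest, static_hits, emulated_hits in compare(make_variants(5)):
        print(digest, "static:", static_hits, "emulated:", emulated_hits)
```

Every variant gets a fresh hash and zero static hits, while the emulated view of each one still matches the original signature; that gap between "bytes on disk" and "bytes in memory" is the space the 88% figure on the earlier slide lives in.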
Evasion Will Put APT Solutions to the Test
- Dynamic evasion: stalling / looping to outlast the analysis window
- Checks for the environment: detects sandboxes and virtual machines
- Tool kits available for download
- Defeats sandboxes and virtual machines
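As an added example (not code from the deck or from WatchGuard's product), the two evasion techniques named on this slide, an environment check followed by a stalling loop, written out as the decision logic of a hypothetical sample, alongside an equally hypothetical trace heuristic that flags them. The host snapshots, thresholds and hypervisor MAC prefixes are constructed for illustration; the Win32 API names are used only as labels in the recorded trace, nothing is actually called; and the analysis-side heuristic is an assumption of this example, not any vendor's detection logic.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed environment snapshots: what a sample sees when it queries the host it
# landed on. Values are illustrative, not measurements of any real sandbox.
SANDBOX_VM = {"cpu_count": 1, "ram_mb": 1024, "uptime_s": 90,
              "mac": "08:00:27:4e:2a:10", "username": "sandbox", "recent_docs": 0}
VICTIM_PC = {"cpu_count": 4, "ram_mb": 8192, "uptime_s": 3 * 86400,
             "mac": "3c:52:82:11:9f:b0", "username": "alice", "recent_docs": 37}

# OUI prefixes registered to hypervisor vendors (VirtualBox 08:00:27, VMware 00:0c:29 / 00:50:56).
VM_MAC_PREFIXES = {"08:00:27", "00:0c:29", "00:50:56"}
ANALYST_USERNAMES = {"sandbox", "malware", "virus", "cuckoo", "analyst"}
STALL_SECONDS = 300   # outlast a sandbox that only runs each sample for a few minutes
ENV_QUERY_APIS = {"GetSystemInfo", "GlobalMemoryStatusEx", "GetAdaptersInfo",
                  "GetUserNameA", "SHGetFolderPathA"}


def sandbox_indicators(env: dict) -> list:
    """Attacker-side environment check: reasons this host looks like an analysis VM."""
    reasons = []
    if env["cpu_count"] < 2:
        reasons.append("single vCPU")
    if env["ram_mb"] < 2048:
        reasons.append("low RAM")
    if env["uptime_s"] < 600:
        reasons.append("freshly booted")
    if env["mac"][:8].lower() in VM_MAC_PREFIXES:
        reasons.append("hypervisor NIC vendor")
    if env["username"].lower() in ANALYST_USERNAMES:
        reasons.append("analyst username")
    if env["recent_docs"] == 0:
        reasons.append("no user activity")
    return reasons


class FakeClock:
    """Stands in for GetTickCount so the stalling loop finishes instantly here (1 s per call)."""
    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        self.t += 1.0
        return self.t


@dataclass
class Trace:
    calls: list = field(default_factory=list)


def run_sample(env: dict, trace: Trace, clock) -> str:
    """The evasive sample's decision logic, instrumented so every API it touches is recorded."""
    trace.calls += sorted(ENV_QUERY_APIS)              # fingerprint the host first
    if sandbox_indicators(env):
        trace.calls.append("ExitProcess")              # look harmless, leave nothing to analyse
        return "benign_exit"
    start = clock()
    trace.calls.append("GetTickCount")
    while clock() - start < STALL_SECONDS:             # stalling loop: burn the analysis window
        trace.calls.append("GetTickCount")
    trace.calls += ["URLDownloadToFileA", "CreateProcessA"]   # real payload, only on a real victim
    return "payload_executed"


def evasion_indicators(trace: Trace) -> list:
    """Analysis-side heuristic (an assumption of this example): instruction- and syscall-level
    tracing exposes the fingerprinting burst and the stalling loop even when the sample
    never does anything overtly malicious inside the sandbox."""
    counts = Counter(trace.calls)
    env_queries = sum(counts[a] for a in ENV_QUERY_APIS)
    found = []
    if env_queries >= 3:
        found.append(f"{env_queries} host-fingerprinting calls before any payload activity")
    if counts["GetTickCount"] >= 100:
        found.append(f"stalling loop: {counts['GetTickCount']} tick polls with no other work")
    if trace.calls[-1:] == ["ExitProcess"] and env_queries >= 3:
        found.append("exits immediately after fingerprinting the host")
    return found


if __name__ == "__main__":
    for name, env in (("sandbox", SANDBOX_VM), ("victim", VICTIM_PC)):
        trace = Trace()
        print(name, run_sample(env, trace, FakeClock()), evasion_indicators(trace))
```

Inside the sandbox snapshot the sample simply exits, which is why a behaviour-only sandbox reports it clean; on the victim snapshot it burns the whole analysis budget before touching the network. The trace heuristic asks a different question than "did it do something bad": why did a freshly dropped executable spend its entire run fingerprinting the host and polling the clock.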
What's an Advanced Persistent Threat (APT)?
An Advanced Persistent Threat (APT) is a high-tech, cutting-edge attack used to gain prolonged, stealthy control over a high-value political or business target.
Three APT attributes:
1. Targeted
2. Advanced
3. Persistent
Stuxnet: Pandora's Box of APT
- Four zero-day exploits
- Self-replicates over the LAN
- USB exploit jumps the air gap
- P2P update mechanism
- Stealthy C&C
- Kills security processes
- Windows kernel rootkit
- Finds SCADA software (WinCC, Step7)
- Fingerprints the Siemens ICS system
- First PLC rootkit
Nation-State Tactics for Criminal Gain: the Target breach
- Breached: Nov. 15, 2013; disclosed: Dec. 18, 2013
- 40M card numbers stolen (Track 1 & 2 data)
- Attackers also took encrypted PINs
- 70M PII records stolen
- Zero-day POS malware (BlackPOS variant)
- FTP used to exfiltrate data
- HVAC partner's credentials used in the attack
- Started with a spear-phishing email
- Target ignored alerts warning of the breach
APT Techniques Trickle Down to SMB
Today, ordinary criminal malware uses the same advanced tactics as nation-state APTs. Every organization is at risk from advanced threats!
- Zeus copies a Stuxnet zero-day
- Criminals use zero-day malware (CryptoLocker)
- Zeus uses stolen certificates
- Criminal spear phishing
- Criminal watering-hole attacks
Defending Against Advanced Threats
Focus on the Data
Adopt controls and procedures that work together as a system to protect data:
- Appropriate to the risk
- Appropriate to the asset being protected
- Balance access and security
- Have a plan for when a breach occurs
Security Ecosystem
- Expanding attack surface: users, applications, connected devices
- Expanding access
Security Ecosystem: Defense-in-Depth
(Car analogy: suspension, tires, wipers, headlights, seatbelts and airbags each guard against a different failure; safety comes from the combination, not from any single part.)
Advanced Threats Require Defense-in-Depth
Advanced threats, by definition, use multiple attack vectors. No single defense will protect you completely from an APT attack. The more layers of security you have, the higher the chance that one layer catches an advanced threat that the others miss.
Best of Breed to Break the Attack Chain
APT Blocker: High-Resolution System Emulation
- System-level execution
- Individual CPU instructions
- Memory-access analysis
- System-call analysis
- Detects evasion
Provides a granularity and fidelity that exceeds competing approaches.
APT Blocker: Virtual Execution Sandbox
- Virtualizes a full victim system
- Runs unknown content in a protected environment
- Analyzes behaviors
- Detects sandbox evasion
- Tracks additional malware and C&Cs
- Results shared with all sensors
- Adds visibility
Actual APT Blocked at a Home Office!
A WatchGuard SE in Melbourne, Australia, activated APT Blocker. What happened? His wife received an email with a PDF attachment (more specifically, a PDF inside a zip). Gateway AntiVirus did not tag it as malicious; APT Blocker caught the threat and recognized the PDF as bad.
Visibility: WatchGuard Dimension
(Screenshots: the Advanced Malware panel in the Security Dashboard, and a drill-down to find why the activity was determined to be malware)
Test Drive WatchGuard Dimension online! www.watchguard.com/dimension
Promotion: APT Blocker Free for 30 Days
Try-before-you-buy for APT Blocker on XTM. APT Blocker comes pre-installed on all WatchGuard Unified Threat Management (UTM) and Next-Gen Firewall (NGFW) appliances with a free 30-day trial.
Proof of Concept
Evaluate our solutions before you decide to buy.
A Simple Way to Evaluate: WatchMode
- Traffic mirroring (XTM850 and above): collects data from a SPAN port on your existing switch
- WatchGuard Dimension: real-time monitoring and reporting of internet traffic (applications, URLs, intrusions, etc.)
- No disruption to the existing network
Sample Report Showing Our Discoveries
- A URL can be provided so you can monitor and track progress in real time
- The results can be exported to a PDF report by yourself
Please contact us. Check out our new website: www.watchguard.com
WatchGuard Technologies, Inc., Hong Kong office
Tel: +852.2824.8454
Fax: +852.2124.8376
Email: inquiry.hk@watchguard.com
Unit 10-18, 32/F, Tower 1, Millennium City 1, 388 Kwun Tong Road, Kwun Tong, Kowloon, Hong Kong