The latest developments in attacks on companies and data theft, and how to fight them
Rome, 18 June 2014
Maurizio Martinozzi
Advanced Persistent Threats (APTs) are no longer just talked about: today their damage is starting to be counted. They can be countered, but the defense must be customized and "tailored" to the company's infrastructure.
A Ponemon Institute study found that 67% of companies admit that the security solutions they have adopted are not sufficient to block a targeted attack. The figure becomes tragic when we consider that 55% of companies never even learn of the intrusions they have suffered, and only a very small percentage is able to assess the scope of the attack and, more importantly, who carried it out.
To counter targeted attacks it is necessary to adopt advanced security technologies; traditional ones no longer guarantee an adequate level of protection. The new technologies must be able to handle this type of attack, detecting and analyzing advanced persistent threats, but also adapting protection rapidly and reacting proactively to specific attacks.
The technology must correctly integrate software, global threat information, specialized tools and services in order to deliver customized knowledge of the specific threat and of the criminals involved. Recent progress in command-and-control (C&C) detection helps block suspicious behavior before it manages to compromise the chosen target.
But there is no need to panic: specific preventive solutions are available today and we will describe them. We will explain why traditional security solutions cannot fight these new types of threats and attacks, we will describe the characteristics of these recent cybercriminal activities and, above all, we will show the most recent and effective solutions available on the market today to fight these new computer crimes.
Trend Micro
What We Do: protecting the exchange of digital information for businesses and consumers
How We Do It:
• Recognized global leader in server, virtualization and cloud security
• 1,200 threat experts in 12 TrendLabs locations around the globe; 1,492 R&D engineers
• Innovative security solutions
• $400M USD and 500 engineers invested over the last 4 years to develop cloud-related solutions
• Global Threat Intelligence
Who We Are:
• Eva Chen: CEO and Founder
• Co-founded: 1988
• Offices: 36
• Global Employees: 4,942
• Revenue: $1.2B USD
• Cash Assets: $1.65B USD
• Operating Income: $330M USD
• Headquarters: Tokyo
Investment in Software (chart)
Investment in IT Infrastructure (chart)
Cyber crime or war?? It does not matter!!
• 1 new threat each second [1]
• 1 cyber-intrusion each 5 minutes [2]
• 67% of infrastructures can't block a custom & targeted attack [3]
• 55% of companies didn't detect the breach [1]
More frequent, more targeted, more money, more sophisticated
Sources: [1] Trend Micro; [2] US-CERT 2012; [3] Ponemon Institute 2012
Insider threats
80% of data breaches: authorized insiders (Ponemon Institute study)
Insider threat (authorized): accidental or malicious breach
Goal: monitor, log and prevent breaches; assess risk continuously; educate employees
Outsider threat (non-authorized): data stolen or lost
Goal: prevent the use of data by unauthorized personnel
Malware as a Service
December 2010: cyber attack on Iranian nuclear facilities
January 2011: 21-year-old George Hotz decrypts the Sony PS3 root key
February 2011: HBGary hacked by Anonymous, resulting in a data leak
March 2011: authentication-product-related information leaked from RSA
April 2011: data of 77 million Sony PSN users leaked
May 2011: data of 360,000 Citigroup customers leaked
June 2011: major US defense contractor Lockheed Martin attacked
July 2011: personal data of 35 million users of a Korean social network site leaked
August 2011: Japanese defense-related firms suffered cyber attacks
September 2011: Japanese National Personnel Authority and Cabinet Office sites temporarily unavailable due to DDoS attacks
October 2011: PCs in the Japanese House of Representatives infected by a virus; possible data leak
※ All of this information is taken from news reports.
Technological revolution
The technological impact of Virtualization, Cloud and Consumerization is revolutionizing the concept of the perimeter, dematerializing elements of IT architectures.
The growth in the volume of data created, exchanged and stored has significantly increased the complexity of managing IT risk for companies and governments.
The sophistication and industrialization of cyber-criminal technologies require increasingly specific skills and intelligence capabilities to react rapidly and effectively to attacks.
REVOLUTION: the act of changing and renewing in a radical, profound way (Dizionario Treccani della Lingua Italiana)
Business evolution
Need for integrated models of governance and IT risk management suited to the new scenario, enabling control of the process.
Value for value: bring the customer real value-added skills, establishing oneself as a consultant, technology broker and reliable project partner.
Current macro-economic factors and the sine qua non of TCO: measurable and concrete cost reduction.
EVOLUTION: any gradual and continuous process of transformation by which a given reality passes from one state to another, the latter generally understood as more refined, through successive changes (Dizionario Treccani della Lingua Italiana)
Evolution of demand
Technologies remain the engine of the security business, but on their own they are no longer sufficient to cover the needs of an increasingly complex market.
Today customers ask vendors and partners for better support on the organizational and process impacts.
What it means to compromise an IT resource (and how)
Network Perimeter is Expanding
Virtualization, Cloud, Consumerization & Mobility
Old perimeter: Main Campus, Remote Office
New perimeter: IaaS, SaaS, Internet, Mobile User
Big Data Everywhere: who is accessing your data, from where, using what?
Public Cloud, Desktop Virtualization, Private Cloud, Server Virtualization
The Targeted Attack Process
Stage 0: Preparation for attack
As a preparation stage before they conduct the attack, the attackers investigate information about the target organization. To do so, they attack organizations around the target to collect platform information useful for the initial intrusion, such as e-mail exchanges between that organization and the target. Using this information, they conduct attacks that increase the success rate of the initial penetration.
Stage 1: Initial penetration
Various methods are used in the initial penetration stage; suspicious (targeted) e-mail is one of them. These methods are used to deploy malware deep within the organization. In this stage the attack achieves its goal as soon as a single employee opens that e-mail: there is no need for the malware to infect many systems. The attack methods used at this stage are expected to be detected and cleaned up, which means they are disposable.
Stage 2: Establishment of the attack platform
Once the attackers succeed in getting into a system, they quickly establish a backdoor for communication with a server they have prepared. Unlike traditional backdoors, this one uses HTTP and other communication protocols already used for business in the target organization, so it cannot be blocked by a firewall. Using this backdoor they add the functions needed for the next stage, system investigation, and an attack platform is established.
Stage 3: System investigation
Using the attack platform established in the prior stage, the attackers search for internal system information. The backdoor is used to communicate with the attackers, and the search continues while they confirm system information.
Stage 4: Attack on the ultimate target
They steal information via the backdoor. In some cases they use the stolen information to repeat the attack; this attack tends to be repeated several times.
An APT is an attack in which the attackers keep the attack platform established inside the target organization in order to repeat penetrations and data thefts.
Source: IPA design/maintenance guide for the solution against the "new type of attack".
The technologies
Deep Discovery
Deep Discovery provides the visibility, insight and control you need to protect your company against APTs and targeted attacks.
Deep Discovery Inspector:
• Network traffic inspection
• Advanced threat detection
• Real-time analysis & reporting
Deep Discovery Advisor:
• Custom scalable threat simulation
• Deep investigation & analysis
• Actionable intelligence & results
Targeted Attack/APT Detection; In-Depth Contextual Analysis; Rapid Containment & Response
A Custom Defense for a Smart Protection
DETECT: advanced technologies to analyze low signals
ANALYZE: threat profiling (origin? risk? channel?)
ADAPT: instant protection with a dynamic signature
RESPOND: threat infection containment
• Full visibility with Deep Discovery technologies
• Advanced monitoring with Network and Host Sensor
• Next-gen protection against custom threats & targeted attacks
What is Deep Discovery?
• A network & host monitoring solution designed to provide network-wide visibility, insight and control against data breaches and advanced threats.
• Deep Discovery uniquely detects and identifies evasive threats in real time, and provides the in-depth analysis and actionable intelligence needed to prevent, discover and contain attacks against corporate data.
Technologies: Sandbox; Protocol Inspection; Network Reputation; File Analysis; Behavioral Analysis; C&C Identification; System Monitoring
DETECT
Single Appliance for Advanced Protection
Deep Discovery Inspector: all protocols analyzed on a single box (HTTP, SMTP, DNS, FTP, CIFS, SQL, P2P, ...), covering entry point, lateral movement and exfiltration.
Engines: Network Content Inspection Engine; Advanced Threat Security Engine; IP & URL reputation; Virtual Analyzer; Network Content Correlation Engine
360° Approach:
• Appliance all-in-one, up to 4 Gbps model, bare metal & virtual appliance (VA) available
• Content inspection
• Document emulation
• Payload download
• Custom sandboxes embedded; can be linked to an external sandbox
• Behavior tracing
• Exploit detection
• Network monitoring
Detect known, unknown and custom threats: embedded document exploits; drive-by downloads; droppers; unknown malware; C&C access; data stealing; worms/propagation; backdoor activities; data exfiltration
Leverages Trend Micro Threat Intelligence technologies; adapts and responds to threats in your unique environment
DETECT
Deeper Look into Deep Discovery
Docode Engine
Doc Analyzer: Parser, Extractor, Emulator
• Document types: Microsoft Office, Adobe PDF, Adobe Flash
Advanced File Emulation: Win32 DLLs, Process Environment, Virtual Processor, File & Registry Simulation
Extraction & Correlation: Shellcode, Exploit data, Scripts (JS/AS), File Structure, Payload...
Fast analysis, high detection rate
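The parser/extractor step of a document analyzer, sketched as an added example written for this page (illustrative code, not Trend Micro's Docode Engine). It statically triages a PDF for the name objects that usually carry an exploit document's trigger or payload, undoes the #xx name escapes used to hide /JavaScript from naive scanners, and looks inside FlateDecode streams. The PDF inputs are constructed inline; the risky-name list and the verdict rule are assumptions:

```python
"""Static triage of a PDF for risky objects (added example; not Trend Micro's engine)."""
import re
import zlib

# Name objects that typically carry an exploit document's trigger or payload (assumed list).
RISKY_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile", "/RichMedia")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Stream bodies; the lookbehind keeps 'endstream' from being taken as a new 'stream'.
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)


def normalise_names(data: bytes) -> bytes:
    """Undo #xx escapes so an obfuscated /J#61vaScript reads as /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes):
    """Yield the decompressed body of every stream that inflates; skip the rest."""
    for m in _STREAM.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue


def extract_js_literals(view: bytes):
    """Pull out /JS (...) string literals, honouring nested parentheses and backslash escapes."""
    out = []
    for m in re.finditer(rb"/JS\s*\(", view):
        i, depth, buf = m.end(), 1, bytearray()
        while i < len(view) and depth:
            c = view[i:i + 1]
            if c == b"\\":          # escaped char: copy both bytes verbatim
                buf += view[i:i + 2]
                i += 2
                continue
            depth += (c == b"(") - (c == b")")
            if depth:
                buf += c
            i += 1
        out.append(buf.decode("latin-1"))
    return out


def triage_pdf(data: bytes) -> dict:
    """Scan the raw file and every inflated stream for risky names and scripts."""
    views = [normalise_names(data)] + [normalise_names(s) for s in inflate_streams(data)]
    found, scripts = set(), []
    for view in views:
        for name in RISKY_NAMES:
            # (?![A-Za-z]) stops /JS from also matching longer names that start with /JS
            if re.search(re.escape(name.encode()) + rb"(?![A-Za-z])", view):
                found.add(name)
        scripts += extract_js_literals(view)
    auto_trigger = found & {"/OpenAction", "/AA"}
    script = found & {"/JavaScript", "/JS"}
    # Classic exploit-document shape: something runs automatically and it is script, or a launch/embedded file.
    suspicious = bool(auto_trigger and script) or bool(found & {"/Launch", "/EmbeddedFile"})
    return {"names": sorted(found), "scripts": scripts, "suspicious": suspicious}


def build_sample_pdf() -> bytes:
    """Constructed test input: /OpenAction pointing at a JavaScript action whose dictionary
    sits in a Flate stream with a hex-escaped name. Real documents hide objects this way
    inside /ObjStm object streams; this is a simplified stand-in."""
    hidden = b"<< /S /J#61vaScript /JS (app.alert('constructed sample')) >>"
    body = zlib.compress(hidden)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"3 0 obj << /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + body + b"\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


def build_benign_pdf() -> bytes:
    """Constructed test input with no actions or scripts."""
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    print(triage_pdf(build_sample_pdf()))
    print(triage_pdf(build_benign_pdf()))
```

The emulator stage from the slide (running the extracted script or shellcode) is deliberately left out; the point here is where a static parser stops and why inflating streams matters: in the raw bytes the hex-escaped /JavaScript action is invisible, and only the decompressed view reveals it.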
ANALYZE
Deeper Look into Deep Discovery
Virtual Analyzer: Your Custom Sandbox
• Isolated network
• Custom OS image (WinXP SP3, Win7; base or hardened)
• Execution acceleration
• Anti-analysis detection
• 32 & 64 bits
• Execute binaries, documents, URLs...
• Live monitoring
Trace excerpt:
LoadLibraryA ARGs: ( NETAPI32.dll ) Return value: 73e50000
LoadLibraryA ARGs: ( OLEAUT32.dll ) Return value: 75de0000
LoadLibraryA ARGs: ( WININET.dll ) Return value: 777a0000
Modifies file with infectible type value: eqawoc.exe
Write: path: %APPDATA%\Ewada\eqawoc.exe type: VSDT_EXE_W32
key: HKEY_CURRENT_USER\Software\Microsoft\Onheem\20bi1d4f
key: HKEY_CURRENT_USER\Local Settings\MuiCache\48\52C64B7E\LanguageList value:
Inject processus : 2604 taskhost.exe
API ID: 2604 Inject Fake API: CreateRemoteThread
Injecting process -> Target process ID: 1540 Target image path: taskhost.exe
Access suspicious host : mmlzntponzkfuik.biz
socket ARGs: ( 2, 2, 0 ) Return value: 28bfe
socket ARGs: ( 23, 1, 6 ) Return value: 28c02
window API Name: CreateWindowExW ARGs: ( 200, 4b2f7c, , 50300104, 0, 0, 250, fe, 301b8, f, 4b0000, 0 ) Return value: 401b2
internet_helper API Name: InternetConnectA ARGs: ( cc0004, mmlzntponzkfuik.biz, 10050, , , 3, 0, 0 ) Return value: cc0008
.......
Diagram labels: Fake AV; Hooks Explorer
Core Threat Simulator:
• Kernel integration (hook, DLL injection, ...)
• Filesystem monitor, registry monitor, process monitor, rootkit scanner, network driver
• Network flow analysis
• Event correlation
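How rule-based scoring of such a trace can work, as an added example written for this page (not Virtual Analyzer's own logic). It parses lines in the formats shown in the excerpt above, scores the behaviours a sandbox verdict usually weighs (dropping an executable into the user profile, creating a private registry key, injecting into another process, contacting a DGA-like host) and collects the resulting IOCs. The two traces, the rule weights and the thresholds are constructed for the example:

```python
"""Rule-based scoring of a sandbox behaviour trace (added example).

The line formats follow the Virtual Analyzer excerpt on the slide
(LoadLibraryA, Write, key, Inject, Fake API, InternetConnectA); the
sample traces, rule weights and thresholds are constructed for this
example and are not Trend Micro's rules.
"""
import re
from dataclasses import dataclass, field

RE_LOADLIB = re.compile(r"^LoadLibraryA ARGs: \( (\S+) \)")
RE_WRITE = re.compile(r"^Write: path: (\S+) type: (\S+)")
RE_KEY = re.compile(r"^key: (HKEY_\S+)")
RE_INJECT = re.compile(r"^Inject processus : (\d+) (\S+)")
RE_FAKEAPI = re.compile(r"^.*Fake API: (\w+)")
RE_INETCONN = re.compile(r"InternetConnectA ARGs: \( \w+, ([\w.-]+), (\d+)")

USER_WRITABLE = ("%APPDATA%", "%LOCALAPPDATA%", "%TEMP%")
KNOWN_MS_SUBKEYS = {"WINDOWS", "WINDOWS NT", "OFFICE", "INTERNET EXPLORER"}
VOWELS = set("aeiou")


@dataclass
class Verdict:
    score: int = 0
    indicators: list = field(default_factory=list)
    iocs: dict = field(default_factory=lambda: {"files": [], "hosts": [], "registry": []})

    def hit(self, weight: int, text: str) -> None:
        self.score += weight
        self.indicators.append(text)


def looks_generated(host: str) -> bool:
    """Crude DGA heuristic: a long first label with very few vowels."""
    label = host.split(".")[0].lower()
    if len(label) < 10:
        return False
    return sum(c in VOWELS for c in label) / len(label) < 0.25


def own_key_under_microsoft(key: str) -> bool:
    """HKCU\\Software\\Microsoft\\<something that is not a known product>."""
    parts = key.split("\\")
    return (len(parts) >= 4
            and [p.upper() for p in parts[:3]] == ["HKEY_CURRENT_USER", "SOFTWARE", "MICROSOFT"]
            and parts[3].upper() not in KNOWN_MS_SUBKEYS)


def analyse(trace: str) -> Verdict:
    v = Verdict()
    inject_target = None
    for raw in trace.splitlines():
        line = raw.strip()
        if m := RE_LOADLIB.match(line):
            if m.group(1).upper() == "WININET.DLL":
                v.hit(1, "loads WinINet (HTTP client capability)")
        elif m := RE_WRITE.match(line):
            path, ftype = m.groups()
            if ftype.startswith("VSDT_EXE") and path.upper().startswith(USER_WRITABLE):
                v.iocs["files"].append(path)
                v.hit(3, f"drops executable in user-writable location: {path}")
        elif m := RE_KEY.match(line):
            if own_key_under_microsoft(m.group(1)):
                v.iocs["registry"].append(m.group(1))
                v.hit(2, f"creates its own key under HKCU\\Software\\Microsoft: {m.group(1)}")
        elif m := RE_INJECT.match(line):
            inject_target = f"{m.group(2)} (pid {m.group(1)})"   # remembered for the API line that follows
        elif (m := RE_FAKEAPI.match(line)) and m.group(1) == "CreateRemoteThread":
            v.hit(5, f"code injection via CreateRemoteThread into {inject_target or 'unknown process'}")
        elif m := RE_INETCONN.search(line):
            host, port = m.group(1), int(m.group(2))
            v.iocs["hosts"].append(host)
            if looks_generated(host):
                v.hit(4, f"connects to DGA-like host {host}:{port}")
            else:
                v.hit(1, f"outbound connection to {host}:{port}")
    return v


def verdict_label(score: int) -> str:
    return "malicious" if score >= 8 else "suspicious" if score >= 4 else "clean"


# Constructed traces (values modelled on the slide excerpt, not real samples).
SAMPLE_TRACE = r"""
LoadLibraryA ARGs: ( NETAPI32.dll ) Return value: 73e50000
LoadLibraryA ARGs: ( WININET.dll ) Return value: 777a0000
Write: path: %APPDATA%\Ewada\eqawoc.exe type: VSDT_EXE_W32
key: HKEY_CURRENT_USER\Software\Microsoft\Onheem\20bi1d4f
key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
Inject processus : 2604 taskhost.exe
API ID: 2604 Inject Fake API: CreateRemoteThread
internet_helper API Name: InternetConnectA ARGs: ( cc0004, mmlzntponzkfuik.biz, 10050, , , 3, 0, 0 ) Return value: cc0008
"""

BENIGN_TRACE = r"""
LoadLibraryA ARGs: ( KERNEL32.dll ) Return value: 77a10000
key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
internet_helper API Name: InternetConnectA ARGs: ( cc0004, update.example.com, 443, , , 3, 0, 0 ) Return value: cc0008
"""

if __name__ == "__main__":
    for name, trace in (("sample", SAMPLE_TRACE), ("benign", BENIGN_TRACE)):
        v = analyse(trace)
        print(name, v.score, verdict_label(v.score), v.indicators, v.iocs)
```

The weights are deliberately skewed so that a single strong behaviour (remote-thread injection into taskhost.exe) outweighs several weak ones (loading WinINet, one outbound connection): that is what keeps an updater that phones home from scoring like a dropper. The collected hosts and dropped paths are exactly the kind of output the ADAPT stage later turns into a dynamic blacklist.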
ANALYZE
Deeper Look into Deep Discovery
Mobile Advanced Protection: Cloud Android Sandbox (MARS Sandbox), since 2012
• Crawls & collects apps from various markets (Play, Amazon, SlideMe)
• Automatic download of unknown Android apps from the hosting source
• Catches a high volume of Android apps
• Detection of suspicious behaviours:
  – C&C communications
  – Data leak transfer
  – Malware payload
  – Invalid certificate
  – Privacy abuse
  – Permissions
Static Analyzer: Unpack, Variant Scanning, Permission Check, Privacy Data Tracking, Resource Analysis
Dynamic Analyzer: UI Trigger, Syscall hook, Data Spoofing, Behavior Logging, Log Collector
Diagram labels: APK; Smart Protection Network; Deep Discovery
ADAPT
Deeper Look into Deep Discovery
C&C Callback Protection
Protocol Analyzer: FTP, DNS, TCP, UDP, CIFS, ICMP, SQL, HTTP, SMTP
Multi-Source Scoring:
• Virtual Analyzer feedback
  – Hidden callback
  – URL
  – Domain name
  – IP:Port
  – File signature
• Botnet behavior
• Trojan identification
• Global C&C Live Intelligence
• User-defined C&C list
• Content inspection rules
Blocking capabilities: TCP Reset; DNS Spoofing; HTTP Redirect; ICMP Code
Deep Discovery: Simple & Efficient
The Inspector watches for infection & payload, lateral movement and C&C callback, and feeds a dynamic blacklist (e.g. file hash af12e45b49cd23..., 48.67.234.25:443, 68.57.149.56:80, d4.mydns.cc, b1.mydns.cc, ...) to the web proxy, SMTP relay, storage, mail server, app server and endpoint.
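Matching events against such a dynamic blacklist and choosing a blocking action per protocol, as an added example written for this page (not the Inspector's implementation). It takes Virtual Analyzer-style feedback in the three indicator kinds shown above (file hash, IP:port, domain), matches DNS, HTTP, TCP and SMTP events against it, and shows two scoping rules worth getting right: a listed domain covers its subdomains but not its parent, and a listed IP:port does not block other ports on the same host. The indicator values, the events and the protocol-to-action mapping are assumptions:

```python
"""Dynamic-blacklist matching with protocol-specific blocking (added example).

The blacklist has the three indicator kinds shown on the slide (file hash,
IP:port, domain) and the blocking actions are the four the Inspector slide
lists (TCP reset, DNS spoofing, HTTP redirect, ICMP code). The indicator
values, events and protocol-to-action mapping are assumptions for this
example, not Trend Micro's configuration.
"""
import hashlib
from dataclasses import dataclass

# Which inline block fits which protocol (assumed mapping).
ACTION_FOR_PROTO = {
    "dns": "DNS spoofing",    # answer the lookup with a sinkhole address
    "http": "HTTP redirect",  # send the client to a block page
    "tcp": "TCP reset",       # RST both ends of the session
    "udp": "ICMP code",       # ICMP port-unreachable back to the client
}


@dataclass(frozen=True)
class Blacklist:
    hashes: frozenset     # lowercase hex digests of known-bad files
    endpoints: frozenset  # (ip, port) pairs; port None means any port
    domains: frozenset    # a listed domain also covers its subdomains


def build_blacklist(feedback) -> Blacklist:
    """feedback: (kind, value) pairs, e.g. Virtual Analyzer results or a user-defined C&C list."""
    hashes, endpoints, domains = set(), set(), set()
    for kind, value in feedback:
        if kind == "hash":
            hashes.add(value.lower())
        elif kind == "ip_port":
            ip, _, port = value.partition(":")
            endpoints.add((ip, int(port) if port else None))
        elif kind == "domain":
            domains.add(value.lower().rstrip("."))
        else:
            raise ValueError(f"unknown indicator kind: {kind}")
    return Blacklist(frozenset(hashes), frozenset(endpoints), frozenset(domains))


def domain_listed(bl: Blacklist, host: str) -> bool:
    """True for a listed name or any subdomain of it (d4.mydns.cc covers x.d4.mydns.cc, not mydns.cc)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in bl.domains for i in range(len(labels)))


def endpoint_listed(bl: Blacklist, ip: str, port) -> bool:
    return (ip, port) in bl.endpoints or (ip, None) in bl.endpoints


def evaluate(bl: Blacklist, event: dict):
    """Return {'matched': indicator, 'action': block} for a listed event, else None."""
    digest = event.get("sha1")
    if digest and digest.lower() in bl.hashes:          # file transfer (SMTP, CIFS, ...)
        return {"matched": f"hash:{digest.lower()}", "action": "quarantine"}
    host = event.get("host")                            # DNS qname or HTTP Host header
    if host and domain_listed(bl, host):
        return {"matched": f"domain:{host}", "action": ACTION_FOR_PROTO[event["proto"]]}
    ip, port = event.get("dst_ip"), event.get("dst_port")
    if ip and endpoint_listed(bl, ip, port):
        return {"matched": f"ip_port:{ip}:{port}", "action": ACTION_FOR_PROTO[event["proto"]]}
    return None


def run(bl: Blacklist, events) -> list:
    return [evaluate(bl, e) for e in events]


# --- constructed data ---------------------------------------------------
SAMPLE_ATTACHMENT = b"MZ constructed sample, not real malware"
SAMPLE_SHA1 = hashlib.sha1(SAMPLE_ATTACHMENT).hexdigest()

FEEDBACK = [                       # shaped like the blacklist on the slide
    ("hash", SAMPLE_SHA1),
    ("ip_port", "48.67.234.25:443"),
    ("ip_port", "68.57.149.56:80"),
    ("domain", "d4.mydns.cc"),
    ("domain", "b1.mydns.cc"),
]

EVENTS = [
    {"proto": "dns", "src": "10.0.0.5", "host": "d4.mydns.cc"},
    {"proto": "http", "src": "10.0.0.7", "dst_ip": "68.57.149.56", "dst_port": 80, "host": "cdn.example.net"},
    {"proto": "tcp", "src": "10.0.0.9", "dst_ip": "48.67.234.25", "dst_port": 443},
    {"proto": "tcp", "src": "10.0.0.9", "dst_ip": "48.67.234.25", "dst_port": 8080},  # listed IP, unlisted port
    {"proto": "dns", "src": "10.0.0.5", "host": "mydns.cc"},                           # parent of a listed name
    {"proto": "smtp", "src": "203.0.113.10", "sha1": SAMPLE_SHA1},
]

if __name__ == "__main__":
    for event, result in zip(EVENTS, run(build_blacklist(FEEDBACK), EVENTS)):
        print(event, "->", result)
```

The hash check runs first because file transfers carry no protocol that can be reset usefully (the mail is already in the relay's hands); the other two checks pick the action from the protocol actually observed, which is why the same C&C host gets a spoofed answer on DNS but a redirect on HTTP.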
Create your Custom Defense
Analyzer:
• Integrated into Trend Micro solutions
• External sandbox system
• Automatic Analysis Labs
• Manual & API submission tools
• Multi-box (5 nodes, 100k files/day)
• Threat profile export (IOC, hash)
• API & scripting
Threat Intelligence Center:
• Central event dashboards
• Custom searches & reports
• Central alerting and reporting
Email Inspector:
• Email reputation & attachment analysis
• Embedded URL analysis in Virtual Analyzer
• MTA (inline) or BCC (monitor) mode
• Up to 2M mails/day per box
Get a complete picture of targeted attacks
Deep Discovery Endpoint Sensor
Context-aware endpoint solution designed to speed up the discovery, investigation and response to security incidents.
Accelerate your response process:
• Confirm endpoint infiltration alerts from network security
• Analyze actual malware behavior and results
• See which endpoints have specific malware or C&C activity
• Discover the full context and spread of an attack
Get a full picture of threats:
• Records detailed system activities
• Performs multi-level search across endpoints
• Uses rich search criteria
• Compatible with any AV security solution
Trend Micro Products
Integrated Advanced Protection
Analyzer output: dynamic blacklist (af12e45b49cd23..., 48.67.234.25:443, 68.57.149.56:80, d4.mydns.cc, b1.mydns.cc, ...) and custom signature (3c4çba176915c3ee3df87b9c127ca1a1bcçba17)
Enforcement points: web proxy (IWSva); SMTP relay (IMSva); mail server (ScanMail); app server (Deep Security); endpoint (OfficeScan)
Detection points: infection & payload; C&C callback
Detect -> Analyze -> React (human readable):
• Search summary
• Individual endpoint flow & drilldown
• Context and network aware
Why Deep Discovery?
NSS Labs Breach Detection Tests
Better detection & 360° protection
• Proven results for standard HTTP & SMTP
• Plus detection for 80+ protocols & applications across all ports
• Detection of Mac and mobile malware
• Custom sandboxing
• Attacker activity detection
All at half the TCO of the main competitor
Why Deep Discovery?
Dynamic advanced security
• Multi-engine for analysis and correlation
• Leverages the Smart Protection Network
• Custom Virtual Analyzer sandbox
• Access to TrendLabs security experts
Plug & Protect
• High-throughput network analysis
• Flexible architecture: HW, SW, VM
• Fast forensics & custom signatures
The cloud: Smart Protection Network
1988 - 2007: signature-based anti-malware
2008: cloud-based global threat intelligence
• Email reputation
• File reputation
• Web reputation
2012: big-data, analytics-driven global threat intelligence
• Whitelisting
• Network traffic rules
• Mobile app reputation
• Vulnerabilities/Exploits
• Threat actor research
• Enhanced file reputation
• Enhanced web reputation
DAILY:
• Collects 1.15B threat samples
• Correlates 7.2 TB of data
• Protects against 200M threats
maurizio_martinozzi@trendmicro.it