
Detecting and Preventing Intruders

Mark Mastrangeli, Sr. Sales Engineer, Government, Healthcare and Education

Agenda: Detecting and Preventing Intruders

Threat Landscape
Attack Graphing
Protection Graphing
Anti-Virus?
HTML 5 Malware with Evasion
Advanced Malware Detection

McAfee Confidential, Internal Use Only

Malware Continues to Grow

[Chart: New Malware Samples per quarter, Q1 2010 to Q1 2013; y-axis 0 to 14,000,000]

New malware samples grew 22% from Q4 2012 to Q1 2013.
2012 new malware sample discoveries increased 50% over 2011.

Malware continues to grow, and is getting more sophisticated.

Source: McAfee Labs, 2013

Attack Graph Overview


Attack Graph Basics

User visits untrusted web site
  Blackhat SEO, malicious ad, URL in forum posting, clickjacking, etc.
User visits trusted web site
  Server compromised (e.g. PHP vuln), XSS vulnerability, etc.
  -> User visits page with malicious content
     -> Browser vulnerability: ActiveX or BHO/plugin exploits, browser exploit, ActiveX unsafe for scripting (e.g. ADODB)

Convince user to run executable
  Video codec, game crack, etc.

File format vulnerability
  MS Office, Adobe Acrobat

Each path ends in: Malicious code execution


Four Stages of Attack

First Contact
  Send unsolicited message (Facebook, IM, email)
  Phishing attack
  Insert physical media (e.g. USB drive)
  Physical access to HW (e.g. stolen laptop)
  User visits untrusted web site
  User visits trusted web site
  User visits page with malicious content
  User visits (apparently) page controlled by attacker
  Man in the middle: wired, wireless (e.g. rogue AP)
  Access target's LAN, public WAP
  Network service exploit
  Application exploit (e.g. webserver), modify server filesystem/database
  etc.

Local Execution
  User opens malicious message
  Convince user to run executable
  File format / browser vulnerability
  Remote exploit
  -> Malicious code execution

Establish Presence
  Download and install additional malware
  Persist on the system: modify existing service, install service, add BHO or explorer extension, etc.
  Self-preservation: disrupt security software or updates, rootkit techniques, process injection, etc.
  -> Malware remains active in system (both installed and operational)

Malicious Activity
  Bot services: remote access, DDoS, send spam, open proxy; command and control via IRC, HTTP, P2P, Twitter, etc. -> Sell bot services
  Adware/scareware: browser plugins, toolbars, config changes, etc. -> Ads displayed, click fraud; user pays for Fake AV
  Capture sensitive data: keyloggers, man-in-the-browser -> Identity theft / financial fraud, transmit captured data, intellectual property theft
  Propagate to another system: copy to file share, network service exploit
  Tampering: malicious destruction of files, ransomware (encrypt/modify files) -> Money extorted to recover files, destruction or modification of user's files
  etc.


Example: Stuxnet

First Contact
  Physical access to HW (e.g. stolen laptop, Evil Maid attack)
  Insert physical media (e.g. USB drive)
  Send unsolicited message (Facebook, IM, email)
  User visits untrusted site (e.g. Blackhat SEO)
  User visits trusted web site (e.g. XSS vuln)
  Access target's LAN, public WAP, MITM
  Compromise another system
  User visits page with malicious content

Local Execution
  Message reader vulnerability
  Convince user to run executable
  File format / browser vulnerability
  Execute from removable media: Autorun
  OS exploit: LNK exploit (0-day), CVE-2010-2568
  Remote exploit: Print Spooler exploit (0-day)
  Network service exploit: Windows Server Service RPC exploit, CVE-2008-4250
  Application exploit (e.g. webserver): modify server filesystem/database, use default password on WinCC MS SQL database
  -> Malicious code execution

Other graph nodes shown: read local file (e.g. cookie, password cache); identity theft / financial fraud


Example: Stuxnet (continued)

Establish Presence
  Download and install additional malware: updates and other code can be run; uses RPC to propagate updates to other systems on the LAN
  Propagate to another system
  Persist on the system: install service, add BHO or explorer extension, registry change (e.g. AppInit_DLLs), etc.
  Privilege escalation
  Self-preservation
    Disrupt security software or updates; disable admin apps (task manager, safe mode, etc.)
    Hide: user-mode hook hides malicious LNK files
    Kernel hook (SSDT, IDT, IRP, etc.)
    Process injection
    Use signed driver or binary: drivers signed by Realtek and JMicron
  -> Malware remains active on system (both installed and operational)

Malicious Activity
  Bot services: remote access, DDoS, send spam, open proxy; command and control via IRC, HTTP, P2P, Twitter, etc.: simple HTTP protocol, communication code injected into IE -> Sell bot services
  Adware/scareware: emulate security software UI, browser config changes -> Ads displayed, click fraud; user pays for Fake AV
  Capture sensitive data: keyloggers, man-in-the-browser, hook comm APIs (user mode), read cached passwords from disk, change hosts file -> Identity theft / financial fraud, transmit captured data, intellectual property theft
  Modify industrial control system: inject code into PLC programming tool; injects code into Step7, alters code blocks written out to the PLC and hides the changes from the user -> Industrial espionage, sabotage


Four Phases of an Attack
Example: Fake AV

First Contact: Physical Access, Unsolicited Message, Malicious Website, Network Access
  How the attacker first crosses paths with the target.

Local Execution: Exploit, Social Engineering, Configuration Error
  How the attacker gets code running for the first time on the target machine.

Establish Presence: Download Malware, Escalate Privilege, Persist on System, Self-Preservation
  How the attacker persists code on the system: survive reboot, stay hidden, hide from the user and from security software.

Malicious Activity: Propagation, Bot Activities, Adware & Scareware, Identity and Financial Fraud, Tampering
  The business logic, what the attacker wants to accomplish: steal passwords, bank fraud, purchase of Fake AV.

Protection Graph


Four Stages of Attack

First Contact: Physical Access, Unsolicited Message, Website, Network Access
Local Execution: Exploit, Social Engineering, Configuration Error
Establish Presence: Download Malware, Escalate Privilege, Persist on System, Self-Preservation
Malicious Activity: Propagation, Bot Activities, Adware & Scareware, Identity & Financial Fraud, Tampering


4 Phase Protection Methods

Phases covered: First Contact, Local Execution, Establish Presence, Malicious Activity

McAfee SiteAdvisor: Website Filtering
McAfee VirusScan Enterprise: On-Access Scanning, File Scanning, Write Blocking
McAfee Enterprise Mobility Management: Mobile Device Management
McAfee Database Activity Monitor: Database Vulnerability Blocking
McAfee Device Control: Physical File Transfer
McAfee Deep Defender: Rootkit Prevention
McAfee Desktop Firewall
McAfee Host Intrusion Prevention: Buffer Overflow Prevention, Behavioral Prevention
Advanced Anti-Malware & Detection: Web Filtering, Email Filtering
McAfee Application Control for Servers or Desktops: Install and Execution Prevention, Change Protection

Cost of an AV-Only Strategy: Customer Survey

AV-only users spent 1.5 times more than leaders.
  Leaders deployed security at higher scale and lower cost.
  The less effective AV-only group bore higher costs due to outbreaks.

AV-only users accepted 68% of IT security-related risk, compared to just 58% by the leading performers.

Source: Aberdeen Research, 3-2012

Exploit Toolkit Coverage

Today's malware threats, like Blackhole and Phoenix, require full web browser emulation: ECMAScript and the W3C (HTML) DOM need to be simulated correctly, and browser-specific differences also need to be simulated.


What is Sandboxing?

Run the suspect file in a safe (virtual) environment.
Analyze the actual behavior of any unknown file.
Report on the intent of any file, malicious or not.

Flow: UNKNOWN file -> SANDBOXING -> SAFE or MALWARE


Advanced Threat Defense

Flow: UNKNOWN file -> SANDBOXING (dynamic analysis plus static code analysis) -> SAFE or MALWARE

Dynamic Analysis
  Observe registry modifications
  Observe network communications
  Observe process activities
  Observe file system changes

Static Code Analysis
  Unpacking
  Static analysis of disassembled code
  Discovery of latent code
  Hidden logic paths
  Graphing
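As an added example (not from the deck or from McAfee), the script below takes the dynamic-analysis observables listed above (registry, network, process and file system events) and maps them onto the attack phases the deck describes, then reports an intent verdict in the way the sandboxing slide frames it. The event format, the sample traces and the matching rules are constructed assumptions.

```python
import re

# Constructed sandbox traces as (category, detail); categories follow the slide's observables.
SAMPLE_TRACE = [
    ("file", "write C:\\Users\\demo\\AppData\\Local\\Temp\\upd.exe"),
    ("process", "create sc.exe create svcupd binPath= C:\\Windows\\svcupd.exe"),
    ("registry", "set HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs"),
    ("process", "terminate MsMpEng.exe"),
    ("process", "inject iexplore.exe"),
    ("network", "http POST 203.0.113.7:80 /gate.php"),
]
BENIGN_TRACE = [  # constructed trace of an ordinary document save
    ("file", "write C:\\Users\\demo\\Documents\\report.docx"),
    ("registry", "query HKCU\\Software\\Microsoft\\Office\\15.0\\Word\\Options"),
]

# (category, regex over detail, attack phase, behaviour as named in the deck); illustrative patterns only.
RULES = [
    ("file",     r"\\Temp\\.*\.(exe|dll)$",              "Establish Presence", "Download malware"),
    ("process",  r"^create sc\.exe\s+create\b",           "Establish Presence", "Install service"),
    ("registry", r"^set .*\\AppInit_DLLs$",               "Establish Presence", "Registry change (AppInit_DLLs)"),
    ("process",  r"^terminate (MsMpEng|mcshield)\.exe$",  "Establish Presence", "Self-preservation: disrupt security software"),
    ("process",  r"^inject ",                             "Establish Presence", "Self-preservation: process injection"),
    ("network",  r"^(http|irc|p2p) ",                     "Malicious Activity", "Bot activity: command and control"),
    ("file",     r"^write .*\.(docx|xlsx|pdf)\.locked$",  "Malicious Activity", "Tampering: ransomware"),
]

def classify(trace):
    """Return {phase: [behaviours]} for every rule the trace triggers, deduplicated, in trace order."""
    hits = {}
    for category, detail in trace:
        for rule_cat, pattern, phase, behaviour in RULES:
            if category == rule_cat and re.search(pattern, detail):
                found = hits.setdefault(phase, [])
                if behaviour not in found:
                    found.append(behaviour)
    return hits

def verdict(trace):
    """Intent report: MALWARE when the sample both establishes presence and acts,
    SUSPICIOUS when only one phase is seen, SAFE when nothing matched."""
    phases = set(classify(trace))
    if {"Establish Presence", "Malicious Activity"} <= phases:
        return "MALWARE"
    return "SUSPICIOUS" if phases else "SAFE"

if __name__ == "__main__":
    for phase, behaviours in classify(SAMPLE_TRACE).items():
        print(f"{phase}: {'; '.join(behaviours)}")
    print("verdict:", verdict(SAMPLE_TRACE), "/", verdict(BENIGN_TRACE))
```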


Multiple Anti-Malware Methods

Down-select process: methods are applied in order of increasing duration and depth of analysis, from real-time checks to advanced sandboxing.

  Global file reputation (real-time)
  Anti-virus signatures, anti-virus inspection
  Emulation engine
  Advanced sandboxing: static and dynamic code analysis


Conclusion

Attacks follow four phases.
Step 1: lower cost by catching threats earlier (better, cheaper).
AV is not sufficient for today's threats; it serves its purpose, but not all anti-malware engines are created equal.
Multi-layer protection is needed: defense in depth.

