Kevin Barton, MS, CISSP, Associate Professor, CISA 4325 Network Security. He provides a global perspective of network and information security measures. Barton outlines different types of malware and their propagation.
Kevin Barton, MS, CISSP
Associate Professor
kbarton@tamusa.tamus.edu
CISA 4325 Network Security

Objectives
- Obtain a global perspective of network and information security measures
- Understand malware threats and trends
- Examine in detail different types of malware and their propagation
- Examine the motivation behind cyber attacks
- Survey the techniques to counter security threats

Vulnerability
- A weakness that allows a threat to inflict loss on an asset
- Software vulnerabilities are weaknesses in software
- Software vulnerabilities allow attackers access, or let them escalate privileges

Exploit
- A software payload that takes advantage of a vulnerability

Network Layers and Attacks
- Human: social engineering; phishing
- Application: PDF obfuscation; injection attacks; email spoofing
- Presentation: PDF encryption
- Session: SSL man-in-the-middle attacks
- Transport: SYN fragment attack; SYN flooding; DDoS
- Network: route injection; IP address spoofing
- Data Link: WEP and WPA attacks; ARP poisoning; man-in-the-middle
- Physical: jamming attacks

Malware Signatures
- New signatures increasing at an exponential rate
- Malware is becoming more and more polymorphic
- Difficult for current signature-based and behavior-based detection systems to keep pace

Targets & Techniques
- Consumer and business banking accounts
- Web-based malware used to attack targets
- Use of multistage Trojan droppers
- Packaged malware products: phishing kits; botnet deployment kits

Techniques
- Disposable malware: lifespan of malware is dropping; average lifespan just 2 hours
- PDF files used in 49% of all attacks
- Transitive trust from social networking sites
- Domain-joined computers exposed to greater threat from worms
- Trojans much more common in non-domain-joined computers

Botnets
- A network of hosts capable of acting upon a set of instructions; often millions of hosts
- Zombie is the software used to control an Internet host
- Bot C&C (command and control) used to manage zombies; often contains an authentication key or password
- IRC C&C utilizes chat to make bot communications more stealthy; HTTP also used for C&C
- C&C server IP addresses hidden through fast-flux DNS: uses short TTLs and multiple IP addresses; the IP addresses are redirects to the real C&C server

Rootkits: User Mode
- Hooks user or application space so that when an application makes a call, the Windows rootkit hijacks the system
- Rootkit is not visible in Windows Explorer
- Inefficient method

Rootkits: Kernel Mode
- Hooks or modifies kernel memory space to avoid detection
- User applications do not have read privilege to the kernel, and cannot see malware in the kernel
- Hidden in: drivers & system32; user temp folder

Rootkits: Master Boot Record Mode
- Infects the MBR in the first sector of the disk
- Modifies other sectors
- Runs the malware at boot
- Disables detection software to protect itself

Databases
- NIST
- Mitre
- Open Sourced
- Rapid7

Obfuscation: Purpose
- To evade detection and analysis
- Polymorphism and metamorphism change form: polymorphism uses encryption; metamorphism changes the virus body by rearranging code or inserting unneeded functions
- Mutation common in non-executables
- Packing/compression more common with executables: used by software vendors to protect intellectual property; used by malware developers to hide malware
- Entry point obfuscation changes a location in the host code; relies on hooking/inserting to call malware

Polymorphism
- The decryptor exposes the malware to detection
- Decryptors are now mutated as well
- Analysis: standard decryption; heuristics (examines behavior); emulation (runs malware in a virtualized sandbox)

Obfuscation
- Four-step process: obfuscation step; modeling step; mutation step
- Techniques such as permutation of subroutines, insertion of jump instructions, substitution of instructions, etc.
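Fast-flux detection heuristic, an added example that is not part of the slides: it scores repeated lookups of one name on the two signals the Botnets slide names, short TTL and many rotating A records, plus dispersion across /16 prefixes to separate fast-flux from a CDN that also uses short TTLs but stays in a few netblocks. The names, addresses and thresholds are constructed sample values.

```python
"""Score repeated DNS lookups for fast-flux behaviour (added example, constructed data)."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed lookups of the same names over time: (name, ttl_seconds, A records).
# The names are placeholders; the addresses come from documentation/shared ranges.
LOOKUPS = [
    ("flux.example.invalid", 120, ["203.0.113.10", "198.51.100.7", "192.0.2.44"]),
    ("flux.example.invalid", 120, ["203.0.113.88", "100.64.3.9", "192.0.2.201"]),
    ("flux.example.invalid", 120, ["198.51.100.250", "100.64.77.1", "203.0.113.3"]),
    ("cdn.example.invalid", 60, ["192.0.2.1", "192.0.2.2"]),      # short TTL, one netblock
    ("cdn.example.invalid", 60, ["192.0.2.3", "192.0.2.4"]),
    ("static.example.invalid", 86400, ["198.51.100.1"]),           # long TTL, one address
]

SHORT_TTL = 300        # seconds; at or below this counts as "short" (assumed threshold)
MIN_DISTINCT_IPS = 5   # distinct A records seen for one name across the window
MIN_PREFIXES = 3       # distinct /16s; CDNs usually answer from one or two netblocks


def summarize(lookups):
    """Collapse lookups into per-name stats: lowest TTL, distinct IPs, distinct /16s."""
    stats = defaultdict(lambda: {"min_ttl": None, "ips": set(), "prefixes": set()})
    for name, ttl, answers in lookups:
        s = stats[name]
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
        for addr in answers:
            s["ips"].add(addr)
            # strict=False masks the host bits so 203.0.113.10/16 -> 203.0.0.0/16
            s["prefixes"].add(str(ip_network(f"{addr}/16", strict=False)))
    return stats


def fast_flux_candidates(lookups):
    """Return names meeting all three signals, with the stats that triggered them."""
    flagged = {}
    for name, s in summarize(lookups).items():
        if (s["min_ttl"] <= SHORT_TTL
                and len(s["ips"]) >= MIN_DISTINCT_IPS
                and len(s["prefixes"]) >= MIN_PREFIXES):
            flagged[name] = {"min_ttl": s["min_ttl"], "distinct_ips": len(s["ips"]),
                             "distinct_prefixes": len(s["prefixes"])}
    return flagged


if __name__ == "__main__":
    for name, why in fast_flux_candidates(LOOKUPS).items():
        print(f"possible fast-flux: {name} {why}")
```

On the constructed data only the first name is flagged; the CDN-like name fails the prefix check despite its short TTL, which is the false-positive the third signal is there to suppress.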
Motivation
- Primarily financial: credit cards; bank accounts; email addresses & accounts; identities
- Malicious code developers are selling code and tools
- Like many businesses, developers are not necessarily the users

Tactics
- Multistage: the initial attack gets a foothold and may use a Trojan; subsequent payloads are tailored to the compromised host

Layered Security
Diagram: an asset surrounded by controls, each meeting a different design criterion.
- Robustness: intrusion detection
- Isolation: firewall
- Redundancy: multiple links
- Segregation: separate control & corporate networks
The asset is protected by multiple controls meeting various design criteria. Layered security ensures assets are protected by multiple controls; attackers must compromise multiple controls to attack an asset.

Robust layered security would include deterrent, preventive, detective and corrective technical, administrative and physical controls.
Control matrix (diagram): columns Deterrent, Preventive, Detective, each subdivided into Technical, Admin and Physical. Example controls placed in the matrix on the slide: Access Control, Kerberos, Locked Facilities, Log Analysis, Segregation, Isolation, Redundancy, Robustness, Redundancy Links, Power Supplies, Recoverability.