South Korea Cyber-attack Heightens Changes in Threat Landscape
Richard Sheng, Sr. Director, Enterprise Security, Asia Pacific
Agenda
- Anatomy of Targeted Attacks, aka Advanced Persistent Threats
- Current Gaps & Challenges
- Trend Micro Approach
9/23/2013 Confidential Copyright 2013 TrendMicro Inc.
Anatomy of APTs or Targeted Attacks
Destroying 48,700 computers in S. Korea
Impact
- Disruption in business continuity
  - Banking: ATM, banking operations, and online banking came to a halt.
  - TV/Media: media content to be broadcast couldn't be updated.
  - Public-facing websites taken down.
- Data loss: data on compromised systems couldn't be recovered.
- Public: unable to withdraw from ATMs; unable to process credit card transactions.
Penetration with phishing email
- The attacker sends social-engineering emails with malicious attachments to Windows endpoints in the victimized business.
- Email is still the top attack vector in targeted attacks.
(Diagram: Attacker -> malicious C&C websites -> Windows endpoints; also shown: Unix/Linux server farm, Ahnlab's update servers, and the payload actions "wipe out files" and "destroy MBR")
Evade detection with customized malware
- A total of 76 tailor-made malware samples were used: 9 were destructive, while the other 67 were used for penetration and monitoring.
Compromise internal policy server
- Ahnlab's patch/update server didn't require login credentials to access.
- Lack of change control on a critical server.
- The attacker leveraged the legitimate update mechanism to deploy malware to endpoints faster.
Servers breached after credentials compromised
- The attacker monitored server activities to gain server access rights.
- Server login credentials were taken from infected clients to initiate remote attacks.
- The attacker remotely overwrote the MBR on servers and deleted critical system files.
How a Bank Averted this attack with Trend Micro
- Deep Discovery Inspector (DDI) intercepted potentially malicious content in SMTP traffic.
- The content was detonated in a sandbox.
- C&C communication and sample files were identified.
- The administrator applied a custom blacklist to other security controls.
- Customized signatures were deployed to endpoints for immediate cleanup.
Flow: A spear-phishing email is sent to an employee; the email contained a malicious attachment (HEUR_NAMETRICK.B). Deep Discovery detects potentially malicious content in SMTP traffic; the attachment is sent to the sandbox for real-time analysis. The IT admin obtains results from the sandbox and performs the necessary steps (URL blocking, etc.). THREAT AVERTED.
Early detection of spear-phishing email
With sandbox analysis, DDI detected the suspicious email and identified its attachment as a Trojan downloader.
Sandbox Analysis Provided Actionable Intelligence
The sandbox analysis exposed the embedded malicious behaviors and the C&C communications (the bad URL and IP). The administrator updated firewall/IPS rules to terminate the C&C communications.
The Changing Threat Landscape
(Chart: damage caused vs. time, 2001 to now. Stages shown: worm outbreaks, vulnerabilities, crimeware (spam, mass mailers, spyware), intelligent botnets, web threats, targeted attacks.)
Targeted attacks: financially motivated, targeting valuable information, causing business discontinuity.
Gartner's View on Advanced Persistent Threats: Entry -> Command & Control -> Lateral Movement -> Attack or Exfiltrate Data
Challenges with Current Security Controls
Data Breach - Top Perceived Threat (chart; source: 2012 APAC Enterprise IT Security Survey, Trend Micro, Oct. 2012)
Yet, where are organizations investing? (chart; source: 2012 APAC Enterprise IT Security Survey, Trend Micro, Oct. 2012)
Spear-phishing bypasses anti-virus and anti-spam
Review your email security gateway or software and ensure you are actively blocking phishing attempts.
Not Monitoring Critical Servers for Unauthorized Changes
Deploy endpoint compromise assessment and file integrity monitoring technologies onto systems handling sensitive data to detect potentially malicious changes.
Unable to detect Customized Malware
"The defining aspect of an APT is that it has advanced beyond existing controls and is not detectable using traditional signature-based security protection mechanisms." - Neil MacDonald, VP and Gartner Fellow, Gartner, Inc.
Can't Keep up with Vulnerabilities & Zero-day Exploits
Start by shutting down the low-hanging vulnerabilities that adversaries will target to deliver the APT.
Lack Visibility of Internal Network Activities
Lateral movement involves:
- Reconnaissance: network hierarchy, services and O/S on servers, valued assets
- Credential stealing: ARP spoofing, network sniffing, Pass the Hash, brute-force attacks
- Infiltrating other hosts: remotely, through stolen credentials
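The two lateral-movement stages above that leave a trail in authentication logs (brute-forcing a server account, then reusing a stolen credential to reach many hosts) can be picked out with simple windowed counting. The block below is an added example, not code from the slide deck or from any Trend Micro product; the log line format and the sample events are constructed for the example, and the thresholds are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of network logon events (not from the page). The syslog-like
# key=value layout is an assumption; real sources (e.g. Windows 4624/4625 exports)
# need their own parser but carry the same src/dst/user/outcome fields.
SAMPLE_LOG = """\
2013-03-20T14:00:01 src=WS-042 dst=FILESRV01 user=admin result=FAIL
2013-03-20T14:00:05 src=WS-042 dst=FILESRV01 user=admin result=FAIL
2013-03-20T14:00:09 src=WS-042 dst=FILESRV01 user=admin result=FAIL
2013-03-20T14:00:14 src=WS-042 dst=FILESRV01 user=admin result=FAIL
2013-03-20T14:00:20 src=WS-042 dst=FILESRV01 user=admin result=FAIL
2013-03-20T14:00:27 src=WS-042 dst=FILESRV01 user=admin result=FAIL
2013-03-20T14:00:33 src=WS-042 dst=FILESRV01 user=admin result=SUCCESS
2013-03-20T14:02:10 src=WS-007 dst=MAIL01 user=alice result=SUCCESS
2013-03-20T14:05:00 src=WS-042 dst=APPSRV01 user=admin result=SUCCESS
2013-03-20T14:05:40 src=WS-042 dst=APPSRV02 user=admin result=SUCCESS
2013-03-20T14:06:15 src=WS-042 dst=DBSRV01 user=admin result=SUCCESS
2013-03-20T14:07:02 src=WS-042 dst=UPDATESRV user=admin result=SUCCESS
2013-03-20T14:08:30 src=WS-042 dst=FILESRV02 user=admin result=SUCCESS
2013-03-20T14:30:00 src=WS-007 dst=MAIL01 user=alice result=FAIL
2013-03-20T14:30:20 src=WS-007 dst=MAIL01 user=alice result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")


def parse_events(text):
    """Parse the constructed format into dicts sorted by time; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, user, result = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "user": user, "ok": result == "SUCCESS"})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_brute_force(events, min_failures=5, window=timedelta(minutes=5)):
    """A success preceded by >= min_failures failures for the same src/dst/user
    inside `window` looks like a guessed (or sprayed) password, not a typo."""
    findings = []
    failures = defaultdict(list)  # (src, dst, user) -> timestamps of failures
    for e in events:
        key = (e["src"], e["dst"], e["user"])
        if not e["ok"]:
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if len(recent) >= min_failures:
            findings.append({"type": "brute_force", "src": e["src"], "dst": e["dst"],
                             "user": e["user"], "failures": len(recent), "at": e["ts"]})
        failures[key].clear()  # a success ends the attempt sequence
    return findings


def detect_fan_out(events, min_targets=5, window=timedelta(minutes=10)):
    """One src/user logging on to >= min_targets distinct hosts inside `window`:
    a workstation normally talks to a handful of servers, a stolen credential
    being used to infiltrate other hosts does not."""
    findings = []
    seen = defaultdict(list)  # (src, user) -> [(ts, dst)] of successes
    reported = set()
    for e in events:
        if not e["ok"]:
            continue
        key = (e["src"], e["user"])
        seen[key].append((e["ts"], e["dst"]))
        in_window = {dst for ts, dst in seen[key] if e["ts"] - ts <= window}
        if len(in_window) >= min_targets and key not in reported:
            reported.add(key)  # one alert per source/account, not one per extra host
            findings.append({"type": "fan_out", "src": e["src"], "user": e["user"],
                             "targets": sorted(in_window), "at": e["ts"]})
    return findings


def analyse(text=SAMPLE_LOG):
    events = parse_events(text)
    return detect_brute_force(events) + detect_fan_out(events)


if __name__ == "__main__":
    for finding in analyse():
        print(finding)
```

On the constructed sample this reports the brute force of `admin` on FILESRV01 (6 failures, then success) and the fan-out of WS-042/admin to five servers within ten minutes; alice's single mistyped password produces nothing. Both rules are deliberately cheap so they can run over SIEM exports at scale; the thresholds are the part that needs tuning against a site's baseline.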
Organizations don't know they're being targeted
Network-based advanced threat detection and prevention technologies have emerged adjacent to IPSs in order to combat the problem of the zero-day polymorphic malware that is often used to deliver the targeted attack.
Lack of Incident Response Plan
Improve Your Incident Response Capabilities: retain either internal or external resources for executing an incident response plan; specifically target resources with digital forensics and malware analysis knowledge.
Acknowledge that [targeted attacks] will compromise
Trend Micro Approach: A Customized attack requires a Custom Defense
"We must assume we will be compromised and must have better detection capabilities in place that provide visibility as to when this type of breach occurs." - Neil MacDonald, VP and Gartner Fellow, Gartner, Inc.
A Custom Defense Lifecycle
- Detect: malware, communications and behavior invisible to standard defenses
- Analyze: the risk and characteristics of the attack and attacker
- Adapt: security automatically (IP blacklists, custom signatures...)
- Respond: using the insight needed to respond to your specific attackers
Enablers shown: network-wide detection, custom sandboxes, advanced threat analysis, threat intelligence, automated security updates, services and support. Roles shown: Custom Defense Strategy, Security, Network Admin.
Detect -> Analyze -> Adapt -> Respond: local threat intelligence shared across your protection layers
- Threat detection mechanisms: advanced threat detection (suspicious files -> sandbox analysis -> custom blacklist & signatures; new drops / C&C), botnet detection, FW/IDS/IPS, server/endpoint detection, external/internal security warnings
- Correlation: SIEM / ArcSight separates normal security incidents from cyber threats & potential risks
- Operations: SOC Tier 1 -> SOC Tier 2 -> escalation to InfoSec investigation, mitigation & incident response; an improvement plan feeds the change control process, and threat intelligence flows back into detection
Detect: Stop Spear-phishing Attacks by integrating Email Gateway Security with Sandbox Technology
Mail protection with Deep Discovery Advisor:
1. Suspicious quarantine: file risk assessment (advanced threat scan engine, document vulnerability scan, file attribution)
2. Sandbox simulation analysis on custom images (Win XP / Office 07, Win 7 / Office 10, custom...)
3. Risk rating in under 1 minute; deliver? (risk + policy) -> safe email
4. IP/URL blacklist and custom file signature (future) shared with other security layers
Detect: Increase Visibility of the Internal Network
Trend Micro Deep Discovery Inspector: out-of-band network traffic inspection across 80+ protocols (HTTP, SMTP, DNS, SMB, FTP, P2P, TCP...)
- Network Content Inspection Engine: malicious content (embedded document exploits, drive-by downloads, zero-day malware)
- Advanced Threat Security Engine with IP & URL reputation: suspicious communication (C&C access, data stealing, worms, backdoor activity)
- Customizable sandbox: attack behavior (propagation & droppers, vulnerability scans & brute force, data exfiltration...)
- Network Content Correlation Engine
Analyze: Detect APT network activities (infection & payload, lateral movement, C&C callback)
Deep Discovery Inspector flags activity at the endpoint, web proxy, storage, mail server, app server and SMTP relay; Deep Discovery Advisor maintains a dynamic blacklist (e.g. file hash af12e45b49cd23..., 48.67.234.25:443, 68.57.149.56:80, d4.mydns.cc, b1.mydns.cc...).
Analyze: Analyze customized malware & zero-day exploits
Your customizable sandbox reflects your true environment:
- Custom OS images (WinXP SP3, Win7 base, Win7 hardened; 32 & 64 bit), accelerated time, isolated network, anti-VM detection
- Code execution, documents & URLs; live monitoring with core integration (hooks, DLL injection...); monitoring of network flows; correlation of events
- Monitors: filesystem, registry, process, rootkit scanner, network driver; components shown: API hooks, core threat simulator, internet helper, fake AV, fake Explorer, fake server
Excerpt of the sandbox trace shown on the slide (partly garbled in extraction):
  LoadLibraryA ARGs: (NETAPI32.dll) Return value: 73e50000
  LoadLibraryA ARGs: (OLEAUT32.dll) Return value: 75de0000
  LoadLibraryA ARGs: (WININET.dll) Return value: 777a0000
  Write: path: %APPDATA%\Ewada\eqawoc.exe type: VSDT_EXE_W32 (modifies file with infectible type)
  Inject: API: CreateRemoteThread; process IDs 2604 and 1540; target image path: taskhost.exe
  Registry: HKEY_CURRENT_USER\Local Settings\MuiCache\48\52C64B7E\LanguageList; HKEY_CURRENT_USER\Software\Microsoft\Onheem\20bi1d4f
  Access suspicious host: mmlzntponzkfuik.biz
  socket ARGs: (2, 2, 0) Return value: 28bfe; socket ARGs: (23, 1, 6) Return value: 28c02
  CreateWindowExW ARGs: (200, 4b2f7c, , 50300104, 0, 0, 250, fe, 301b8, f, 4b0000, 0) Return value: 401b2
  InternetConnectA ARGs: (cc0004, mmlzntponzkfuik.biz, 10050, , , 3, 0, 0) Return value: cc0008
Adapt: Share local threat intelligence across your protection layers (custom blacklist & signatures)
Deep Discovery Advisor pushes the dynamic blacklist (file hash af12e45b49cd23..., 48.67.234.25:443, 68.57.149.56:80, d4.mydns.cc, b1.mydns.cc...) to web security (standalone / ICAP proxy), mail security (ScanMail; standalone / MTA relay), Endpoint Sensor, OfficeScan and Deep Security, covering infection & payload and C&C callback at the endpoint, storage, mail server and app server.
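The bank case earlier (sandbox output turned into firewall/IPS rules) and the slide above (one dynamic blacklist fed to every layer) are the same workflow: take the indicators a sandbox produced, validate them, emit them in the form each control consumes, and sweep the logs you already have for earlier contact. The block below is an added example and not Deep Discovery code; the report layout, the log formats, the hash values and the endpoint inventory are constructed for the example. The IP:port pairs and hostnames reuse the illustrative indicators printed on the slides; the iptables syntax is real, everything else is an assumption.

```python
import ipaddress
import re

HASH_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

# Constructed sandbox verdict (assumed layout, not a Deep Discovery Advisor export).
# Hashes are made-up values; indicators are the illustrative ones from the slides.
SANDBOX_REPORT = {
    "sample": {"name": "invoice.doc", "sha256": "a1b2c3d4e5f60718293a4b5c6d7e8f90" * 2},
    "dropped_files": [{"path": "%APPDATA%\\Ewada\\eqawoc.exe", "sha256": "ffee" * 16}],
    "c2_endpoints": [("48.67.234.25", 443), ("68.57.149.56", 80)],
    "c2_domains": ["d4.mydns.cc", "b1.mydns.cc", "mmlzntponzkfuik.biz"],
}

# Constructed web proxy log (assumed key=value format).
PROXY_LOG = """\
2013-03-20T14:10:02 client=10.1.5.42 host=d4.mydns.cc ip=48.67.234.25 port=443 method=CONNECT
2013-03-20T14:10:03 client=10.1.5.42 host=update.example.net ip=203.0.113.7 port=80 method=GET
2013-03-20T14:11:10 client=10.1.7.19 host=68.57.149.56 ip=68.57.149.56 port=80 method=POST
2013-03-20T14:12:00 client=10.1.5.42 host=www.example.com ip=198.51.100.4 port=443 method=CONNECT
"""
PROXY_RE = re.compile(r"^(\S+) client=(\S+) host=(\S+) ip=(\S+) port=(\d+) method=(\S+)$")

# Constructed endpoint file inventory (what an endpoint agent would report back).
ENDPOINT_INVENTORY = [
    {"host": "WS-042", "path": "C:\\Users\\bob\\AppData\\Roaming\\Ewada\\eqawoc.exe", "sha256": "ffee" * 16},
    {"host": "WS-007", "path": "C:\\Windows\\System32\\taskhost.exe", "sha256": "00" * 32},
    {"host": "WS-042", "path": "C:\\Windows\\notepad.exe", "sha256": "11" * 32},
]


def extract_iocs(report):
    """Normalise and validate indicators. Feed data ends up in firewall commands and
    signatures, so anything malformed is rejected here rather than passed downstream."""
    ips, domains, hashes = set(), set(), set()
    for ip, port in report["c2_endpoints"]:
        ipaddress.ip_address(ip)  # raises ValueError on junk
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError(f"bad port {port}")
        ips.add((ip, port))
    for d in report["c2_domains"]:
        d = d.lower().rstrip(".")
        if not DOMAIN_RE.match(d):
            raise ValueError(f"bad domain {d!r}")
        domains.add(d)
    for f in [report["sample"]] + report["dropped_files"]:
        h = f["sha256"].lower()
        if not HASH_RE.match(h):
            raise ValueError(f"bad sha256 {h!r}")
        hashes.add(h)
    return {"ips": ips, "domains": domains, "hashes": hashes}


def iptables_rules(iocs):
    """Egress block rules for the C&C endpoints (perimeter/host firewall layer)."""
    return [f"iptables -A OUTPUT -p tcp -d {ip} --dport {port} -j DROP"
            for ip, port in sorted(iocs["ips"])]


def scan_proxy_log(text, iocs):
    """Sweep existing proxy logs for contact with the C&C before the block was in place."""
    c2_ips = {ip for ip, _ in iocs["ips"]}
    hits = []
    for line in text.splitlines():
        m = PROXY_RE.match(line.strip())
        if not m:
            continue
        ts, client, host, ip, port, _method = m.groups()
        reasons = []
        if host.lower().rstrip(".") in iocs["domains"]:
            reasons.append("domain")
        if ip in c2_ips:  # match on IP alone: the C&C can move ports, the log IP cannot lie
            reasons.append("ip")
        if reasons:
            hits.append({"ts": ts, "client": client, "dest": f"{host}:{port}", "matched": reasons})
    return hits


def scan_endpoint_inventory(inventory, iocs):
    """Hosts carrying the sample or any file it dropped (endpoint layer)."""
    return sorted({e["host"] for e in inventory if e["sha256"].lower() in iocs["hashes"]})


if __name__ == "__main__":
    iocs = extract_iocs(SANDBOX_REPORT)
    print("\n".join(iptables_rules(iocs)))
    print(scan_proxy_log(PROXY_LOG, iocs))
    print(scan_endpoint_inventory(ENDPOINT_INVENTORY, iocs))
```

The validation step is the part most often skipped: a blacklist entry that is later interpolated into a shell command, an IPS rule or a signature file is an injection surface in its own right, so only syntactically clean IPs, hostnames and hex digests may leave this function. The proxy sweep matches on the destination IP regardless of port because the sandbox only observed one port; the generated firewall rule is port-specific because that is what the report supports.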
Adapt: Share local threat intelligence across your protection layers (custom blacklist & signatures)
- Global detection combined with local detection by Deep Discovery
- Protection points: web gateway, email gateway & server, endpoint security, server security, network protection, 3rd-party FW, IPS, AV and switches
- Control Manager / Threat Connect: alerting, intelligence, policy management, adaptive updates (Detect, Analyze, Adapt, Respond)
Adapt: Shut down Vulnerabilities with Virtual Patching (physical, virtual, cloud)
Modules: virtual patching, IDS/IPS, web application protection, application control, firewall, integrity monitoring, anti-malware, log inspection
Adapt: Monitor Critical Servers with File Integrity Monitoring (physical, virtual, cloud)
Modules: virtual patching, IDS/IPS, web application protection, application control, firewall, integrity monitoring, anti-malware, log inspection
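The gap called out earlier (no monitoring of critical servers for unauthorized changes, no change control on the update server) and the integrity-monitoring slide above come down to one mechanism: a hashed baseline of the server's files, a re-scan, and a check of every difference against what change control approved. The block below is an added example, not the integrity-monitoring module's code; the directory layout, file contents and "approved change" record are constructed for the demo, and the policy (a change is acceptable only if its resulting hash matches an approved ticket) is an assumption.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Baseline of every regular file under root: hash, size and permission bits."""
    root = Path(root)
    state = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            state[p.relative_to(root).as_posix()] = {
                "sha256": sha256_of(p), "size": st.st_size, "mode": st.st_mode & 0o777}
    return state


def diff_snapshots(before, after):
    """Added, removed and changed paths between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(k for k in set(before) & set(after) if before[k] != after[k])
    return {"added": added, "removed": removed, "modified": modified}


def unapproved_changes(changes, after, approved):
    """Change control check: `approved` maps path -> expected sha256 from the ticket.
    An added/modified file whose hash is not the approved one, and any removal,
    is an alert. This is where an attacker pushing a payload through the
    legitimate update mechanism becomes visible."""
    alerts = [p for p in changes["added"] + changes["modified"]
              if approved.get(p) != after[p]["sha256"]]
    alerts.extend(changes["removed"])  # removals are not approvable in this model
    return sorted(alerts)


def demo():
    """Constructed update-server tree: one approved update, two unauthorized changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "updates").mkdir()
        (root / "conf").mkdir()
        (root / "updates" / "agent.exe").write_bytes(b"MZ original agent build 1.0")
        (root / "updates" / "manifest.txt").write_text("agent.exe 1.0\n")
        (root / "conf" / "server.conf").write_text("auth_required = no\n")
        before = snapshot(root)

        # Approved change ticket: agent 1.1, with the hash the vendor published.
        new_agent = b"MZ agent build 1.1"
        approved = {"updates/agent.exe": hashlib.sha256(new_agent).hexdigest()}
        (root / "updates" / "agent.exe").write_bytes(new_agent)

        # Unauthorized: a new binary dropped into the update share, and a config edit.
        (root / "updates" / "dropper.exe").write_bytes(b"MZ not an agent")
        (root / "conf" / "server.conf").write_text(
            "auth_required = no\nallow_anonymous_push = yes\n")

        after = snapshot(root)
        changes = diff_snapshots(before, after)
        return changes, unapproved_changes(changes, after, approved)


if __name__ == "__main__":
    changes, alerts = demo()
    print("changes:", changes)
    print("unapproved:", alerts)
```

Two practical caveats: the baseline must be stored somewhere the monitored server cannot write (otherwise the attacker who owns the server also owns the baseline), and the "approved hash" must come from the change ticket or the vendor's signed manifest, never from the file as found on the server after the change.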
Respond: Subscribe to Reputation Services
Review your current intrusion prevention implementation and, if available, implement blocking capabilities that include reputation-based or real-time block list threat feeds provided by your technology vendor.
Big data analytics (data mining, machine learning, modeling, correlation): collects, identifies, protects. Daily stats: 7.2 TB of data correlated; 1B IP addresses; 90K malicious threats identified; 100+M good files.
Respond: Augment Security Operations and Incident Response with external security resources
Custom Defense Service Menu:
- Critical System Assessment
- Network Assessment
- Monthly Advisory
- Monitoring & Alert
- Breach Investigation
- Custom Signature SLO
- System Cleanup
Trend Micro Deep Discovery
Deep Discovery provides the visibility, insight & control you need to protect your company against APTs and targeted attacks.
- Deep Discovery Inspector: network traffic inspection, advanced threat detection, real-time analysis & reporting
- Deep Discovery Advisor: custom scalable threat simulation, deep investigation & analysis, actionable intelligence & results
Targeted Attack/APT Detection; In-Depth Contextual Analysis; Rapid Containment & Response
Trend Micro Deep Discovery Wins 2013 Best New Product of the Year; Gartner analyst endorsement
Analysts and Influencers Urge Action: Adoption of Advanced Threat Detection
- "You need to know what's accessing the data, how the data's being used, and what's happening on your network." - John Kindervag, Principal Analyst Serving Security & Risk Professionals, Forrester Research, Inc.
- "We must assume we will be compromised and must have better detection capabilities in place that provide visibility as to when this type of breach occurs." - Neil MacDonald, VP and Gartner Fellow, Gartner, Inc.
- "Hardening existing security defenses... won't be enough to deal with the sophistication and perseverance of APTs." - Jon Oltsik, Senior Principal Analyst, Enterprise Strategy Group
http://apac.trendmicro.com/apt
Consultation Tables
- Tables 3 & 4: Stop Spear-Phishing
- Tables 2 & 5: Increase Visibility of Internal Attack Activities
- Tables 1 & 6: Develop in-house capability to analyze zero-day malware
- Tables 7 & 8: Monitor & Patch Mission-Critical Servers
- Tables 9 & 10: Assist with Security Operations & Incident Response
Thank You