Arrott Htcia St Johns 101020

Post on 19-May-2015


EMERGING THREATS & THREAT LANDSCAPE

Fighting Today’s Cybercrime
Anthony Arrott, Trend Micro


Triple challenge to IT security

• Changing IT
BEFORE: 80%+ of daily info available inside the enterprise
NOW: 80%+ of daily info comes from outside the enterprise
→ disappearing network boundaries

• Changing cybercrime
BEFORE: vandalism, simple fraud, opportunistic data theft
NOW: high tech organized crime for huge profits
→ overwhelming volume of threat

• Changing protection
BEFORE: latest threat info deployed to each computer
NOW: computers query a cloud database about suspected threats
→ cloud-client protection networks

Traditional AV overwhelmed by the volume of new threats

> 2000 new threats per hour

Threats now mostly from the Internet

How threats arrive on PCs

1. Visits to malicious websites (42%)
2. Downloaded by other malware (34%)
3. E-mail attachments & links (9%)
4. Transfers from removable disks (8%)
5. Other (mostly via Internet) (7%)

source: Trend Micro

Use multiple layers of reputation services

Exposure Layer: inspection based on source (URL, domain), e.g. http://abc.com/xyz.exe

Infection Layer: inspection based on file content (code, hash)
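As an added example (it is not code from the presentation and not Trend Micro's own implementation), here is a two-layer check in the spirit of the slide, in Python. The exposure layer normalizes the URL and looks up the domain (and every parent domain) and the exact URL against a reputation list before anything is downloaded; the infection layer hashes the fetched bytes and looks the hash up. The reputation lists, the two sample files and the host evil.example are constructed for the example; the slide's URL http://abc.com/xyz.exe is assumed to be on the bad list.

```python
"""Two-layer reputation check: exposure (URL/domain) before download,
infection (file hash) after download.  Example code, not a vendor SDK."""
import hashlib
from typing import Callable, Optional, Tuple
from urllib.parse import urlsplit

# --- Constructed reputation data for this example (not a real feed) ----------
BAD_DOMAINS = {"evil.example"}                 # blocks the host and all subdomains
BAD_URLS = {"http://abc.com/xyz.exe"}          # URL from the slide, assumed bad
SAMPLE_BAD_FILE = b"MZ\x90\x00constructed-malicious-sample"   # constructed
SAMPLE_GOOD_FILE = b"MZ\x90\x00constructed-benign-sample"     # constructed
BAD_SHA256 = {hashlib.sha256(SAMPLE_BAD_FILE).hexdigest()}
BAD_MD5 = {hashlib.md5(SAMPLE_BAD_FILE).hexdigest()}         # legacy MD5 list

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_url(url: str) -> Tuple[str, str]:
    """Return (host, canonical_url): lower-case scheme and host, trailing dot
    on the host removed, default port dropped, fragment dropped, query kept."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".").lower()
    port = parts.port
    netloc = host if port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{port}"
    canonical = f"{scheme}://{netloc}{parts.path or '/'}"
    if parts.query:
        canonical += "?" + parts.query
    return host, canonical


def domain_blocked(host: str) -> Optional[str]:
    """Match the host and each parent domain (never the bare TLD) against
    BAD_DOMAINS, so blocking evil.example also covers dl.evil.example."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in BAD_DOMAINS:
            return candidate
    return None


def exposure_layer(url: str) -> Optional[str]:
    """Source-based inspection.  Returns a reason string if the URL is bad."""
    host, canonical = normalize_url(url)
    hit = domain_blocked(host)
    if hit:
        return f"domain {hit} has bad reputation"
    # Compare without the query string so ?cachebuster=1 does not evade the list.
    without_query = canonical.split("?", 1)[0]
    if without_query in BAD_URLS:
        return f"url {without_query} has bad reputation"
    return None


def infection_layer(data: bytes) -> Optional[str]:
    """Content-based inspection by hash.  SHA-256 first; MD5 only for legacy lists."""
    sha256 = hashlib.sha256(data).hexdigest()
    if sha256 in BAD_SHA256:
        return f"sha256 {sha256[:12]}... is a known bad file"
    md5 = hashlib.md5(data).hexdigest()
    if md5 in BAD_MD5:
        return f"md5 {md5} is on the legacy list"
    return None


def check_download(url: str, fetch: Callable[[], bytes]) -> Tuple[str, str]:
    """Run the layers in order.  fetch() is only called when the exposure layer
    passes, so a bad URL is stopped before any bytes reach the host."""
    reason = exposure_layer(url)
    if reason:
        return "blocked-exposure", reason
    reason = infection_layer(fetch())
    if reason:
        return "blocked-infection", reason
    return "allowed", "no reputation hit"


if __name__ == "__main__":
    print(check_download("HTTP://ABC.COM./xyz.exe?cache=1", lambda: SAMPLE_BAD_FILE))
    print(check_download("http://dl.evil.example:8080/setup.exe", lambda: SAMPLE_BAD_FILE))
    print(check_download("http://abc.com/index.html", lambda: SAMPLE_BAD_FILE))
    print(check_download("http://abc.com/index.html", lambda: SAMPLE_GOOD_FILE))
```

The ordering is the point of the slide: a hit in the exposure layer means the fetch callback is never invoked, so nothing touches the disk and no sandbox time is spent. Stripping the query string before the URL lookup defeats trivial cache-buster evasion, and walking parent domains covers subdomains of a blocked domain. The deck keys its file layer on MD5; a current deployment should key on SHA-256, which is why the example checks SHA-256 first and keeps MD5 only for old lists.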


John Dillinger, Flamboyant Bank Robber
• 8 years in prison
• killed by US federal agents
• died age 31
think: VIRUS OUTBREAK

Meyer Lansky, Quiet Mobster
• 0 years in prison
• listed in Forbes 400 richest Americans
• died age 80
think: BOTNET SPAM ENGINE

Popular conception of cybercrime

But like Prohibition, we’re not the main victims …

… more likely, we’re unwitting accessories.

Today’s Infection Chain (diagram)

Criminals: malware writer, bot herder, command & controller

Infection vector: spyware/Trojan downloader, web drive-by downloader, e-mail spam, port scan for vulnerabilities

Host infection: fool the AV, host management, wait for instructions, get updates from command & control (over HTTP, IRC, DNS)

Recruitment into the botnet

Activities: spam & phishing, distributed denial of service, data leakage, adware/clickware
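The hosts in the chain above sit waiting for instructions and poll their command & control over HTTP, IRC or DNS. As an added illustration that is not part of the deck, the following Python detector looks for that polling in web proxy logs: it groups connections by (source, destination) and flags pairs whose inter-connection intervals are nearly constant, which is what a bot on a timer looks like and what human browsing does not. The log lines, the hosts cnc.example, news.example and mail.example, the IP addresses and the thresholds are all constructed for the example.

```python
"""Beacon detection over proxy logs.  Example code, not from the presentation."""
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed proxy log (not real traffic): "<ISO timestamp> <src ip> <dst host> <status> <bytes>".
# 10.0.0.5 polls cnc.example about every 300 s with small, uniform responses;
# the other rows are ordinary browsing and mail traffic used as background noise.
SAMPLE_LOG = """\
2010-10-20T09:00:00 10.0.0.5 cnc.example 200 312
2010-10-20T09:00:03 10.0.0.5 news.example 200 48211
2010-10-20T09:05:01 10.0.0.5 cnc.example 200 310
2010-10-20T09:07:44 10.0.0.5 news.example 200 51004
2010-10-20T09:10:02 10.0.0.5 cnc.example 200 315
2010-10-20T09:14:59 10.0.0.5 cnc.example 200 309
2010-10-20T09:15:20 10.0.0.5 mail.example 200 2210
2010-10-20T09:20:00 10.0.0.5 cnc.example 200 311
2010-10-20T09:21:37 10.0.0.5 news.example 200 39977
2010-10-20T09:25:01 10.0.0.5 cnc.example 200 313
2010-10-20T09:30:00 10.0.0.7 news.example 200 40000
2010-10-20T09:30:00 10.0.0.5 cnc.example 200 312
"""

Record = Tuple[datetime, str, str, int, int]   # (timestamp, src, dst, status, bytes)


def parse_log(text: str) -> List[Record]:
    """Parse the five-column constructed format above into typed records."""
    records: List[Record] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, status, size = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(status), int(size)))
    return records


def find_beacons(records: List[Record], min_connections: int = 5,
                 max_cv: float = 0.1) -> Dict[Tuple[str, str], Dict[str, float]]:
    """Flag (src, dst) pairs whose connection intervals are nearly constant.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections: a bot on a fixed timer gives a cv near 0, a person
    clicking around gives a cv well above max_cv.  min_connections keeps
    two-or-three-hit pairs from producing a meaningless statistic."""
    by_pair: Dict[Tuple[str, str], List[Record]] = defaultdict(list)
    for rec in records:
        by_pair[(rec[1], rec[2])].append(rec)

    hits: Dict[Tuple[str, str], Dict[str, float]] = {}
    for pair, recs in by_pair.items():
        if len(recs) < min_connections:
            continue
        recs.sort(key=lambda r: r[0])
        intervals = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:                      # all connections in the same second
            continue
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            hits[pair] = {
                "connections": len(recs),
                "period_s": round(mean),
                "cv": round(cv, 3),
                "median_bytes": statistics.median(r[4] for r in recs),
            }
    return hits


if __name__ == "__main__":
    for (src, dst), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {info}")
```

This is a triage signal, not a verdict: software update checks, mail polling and NTP also beacon, so the hits need to be joined with destination reputation, and a bot herder who adds jitter to the timer raises the cv, so max_cv and min_connections have to be tuned per environment rather than copied from the example.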

Charts: Canadian IP addresses generating spam vs. worldwide IP addresses generating spam, Q2 2009 to Q1 2010

Chart: breakdown of compromised IPs, business vs. consumer

EMAIL REPUTATION

Top 5 spam generators as of April 2009: Turkey at #2?

Trend Micro begins working with Turkish ISP; start seeing dramatic reductions.

Turkey: from #2 to #21

Popular conception of cybercrime

Not just botnet spam engines

… and no small amount of money

Online ad revenues of Google, Yahoo, Microsoft, & AOL are more than $8b per quarter …

… click fraud is more than $5b per year.

Obscured network boundaries: Where’s my data?

Deceptive information transactions: Who am I sharing information with?

Disguised website identities: Is this the web address I think it is?

and track cyber-criminal operations

… billions of times a day

Trend Micro Smart Protection Network, Tuesday, 14 Sep. 2010

E-mail reputation queries: 6.2 billion
E-mail reputation blocks: 4.4 billion
Web reputation queries: 41 billion
Web reputation blocks: 585 million

Protection from the Cloud

E-mail (IP) reputation load: 295 GB per day
Web (URL) reputation load: 1305 GB per day
File (MD5) reputation load: 334 GB per day

Trend Micro internal use only

Thank You