Copyright (c) 2012, FireEye, Inc. All rights reserved. | CONFIDENTIAL 1
Top 5 Modern Malware Trends
Data Connectors – September 12, 2013
Frank Salvatore, BCOMM
Territory Manager, Eastern Canada
"We're moving towards a world where every attack is effectively zero-day… having a signatured piece of malware, that shouldn't be the foundation on which any security model works." - Chris Young, GVP Cisco Security
Tech Week Europe, September 28th 2012
Modern times… call for modern measures...
Top CISO Priorities – 2013
• Secure Data and Policy Controls
– Data exfiltration through the use of multi-protocol outbound channels challenges traditional controls
• Enable Secure Mobility
– Mobile devices and policies pose major issues as organizations need to enable secure access to data
• Advanced Attacks Targeting Data
– Ensuring security of data-at-rest and data-in-motion continues to be challenged with multi-vectored attacks
Top 5 Global Risks
Source: World Economic Forum
Technological Risks
High Profile APT Attacks Are Increasingly Common
We Are Only Seeing the Tip of the Iceberg
• Headline-grabbing attacks
• Thousands more below the surface
– APT attacks
– Zero-day attacks
– Polymorphic attacks
– Targeted attacks
Attacks Increasingly Sophisticated
• Dynamic Web Attacks
• Malicious Exploits
• Spear Phishing Emails
Multi-Vector
• Delivered via Web or email
• Blended attacks with email containing malicious URLs
• Uses application/OS exploits
Multi-Stage
• Initial exploit stage followed by malware executable download, callbacks and exfiltration
• Lateral movement to infect other network assets
Top 5 Modern Malware Trends
Trend #1: Motivation is Data “Capitalization”
• Political, Financial, Intellectual
• Nature of threats changing
– From broad, scattershot to advanced, targeted, persistent
• Advanced attacks accelerating
– High profile victims common (e.g., RSA, Symantec, Google)
– Numerous APT attacks like Operation Aurora, Shady RAT, GhostNet, Night Dragon, Nitro
“Organizations face an evolving threat scenario that they are ill-prepared to deal with… advanced threats that have bypassed their traditional security protection techniques and reside undetected on their systems.”
Gartner, 2012
[Chart: Damage of Attacks, 2004–2012 – Viruses and Worms (Disruption); Spyware/Bots and Stealth Bots (Cybercrime); Dynamic Trojans, Targeted Attacks, Zero-day and Advanced Persistent Threats (Cyber-espionage and Cybercrime)]
Trend #2: Modern Malware Targets the Application
Hacking? Not so much…
Polymorphism on demand
Blog Post?
RSS Feed?
Trend #3: Socialized Attack Vectors
• Spear-Phishing is a social attack
– No real technical countermeasure
– Users un(der)trained
– Effective way to drive malicious traffic
– “Whaling” for high return
• 83% of spam uses URLs
– URL shorteners
– Social engineering URLs
– Still on the decline
• Browser/App Infection Vectors
– Browser itself
– ActiveX / Java
– Plug-ins (PDF, QuickTime)
– Adobe Flash
– JavaScript/AJAX
[Chart: Percent of Spam Containing Links. Source: Cisco Systems]
LinkedIn is a Gold Mine…
Successful Spear Phish
Trend #4: It’s not just about files anymore
• Modern Malware is about a sequence of protocol flows which serve to exploit an application
• A file may be invoked or transported, but usually after a successful exploit
• The new reality of Modern Malware or APT is that file-based analysis is inadequate
[Diagram: Infection Server and Callback Server; flows labelled Exploit, Binary Download(s), Callbacks, Data Exfiltration]
The Attack Life Cycle – Multiple Stages
1 Exploitation of system
2 Malware executable download
3 Callbacks and control established
4 Malware spreads laterally
5 Data exfiltration
[Diagram: compromised Web server or Web 2.0 site; Callback Server; IPS; File Share 1 and File Share 2 on the internal network]
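As an added illustration of the point made in Trend #4 and in the life-cycle slide above (example code written for this page, not FireEye's product logic), the Python below classifies network events into the five stages and flags a host only when the stages line up in time order within a window. The event fields, the thresholds (WINDOW, BEACON_MAX_BYTES, BEACON_COUNT, EXFIL_BYTES) and the sample records are all assumptions made for the example.

```python
"""Stage correlation over network events (added example, not FireEye code).

Each event is mapped to one life-cycle stage; a host is reported only when
several stages occur in order, which is what a single-file verdict cannot show.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Stage order taken from the life-cycle slide.
STAGES = ["exploit", "download", "callback", "lateral", "exfil"]
WINDOW = timedelta(hours=24)      # assumed: a chain must complete within a day
BEACON_MAX_BYTES = 1024           # assumed: "small" POST threshold for callbacks
BEACON_COUNT = 3                  # assumed: repeats to one peer before it counts
EXFIL_BYTES = 10_000_000          # assumed: large outbound POST threshold
EXE_TYPE = "application/x-msdownload"

# Constructed sample events (not real telemetry); ISO timestamps, one internal host each.
SAMPLE_EVENTS = [
    # 10.0.0.5 walks through all five stages
    {"ts": "2013-09-12T09:00:00", "host": "10.0.0.5", "kind": "ips_alert", "detail": "browser-exploit"},
    {"ts": "2013-09-12T09:00:40", "host": "10.0.0.5", "kind": "http_get", "detail": EXE_TYPE, "bytes_in": 180000},
    {"ts": "2013-09-12T09:05:00", "host": "10.0.0.5", "kind": "http_post", "peer": "198.51.100.7", "bytes_out": 300},
    {"ts": "2013-09-12T09:10:00", "host": "10.0.0.5", "kind": "http_post", "peer": "198.51.100.7", "bytes_out": 310},
    {"ts": "2013-09-12T09:15:00", "host": "10.0.0.5", "kind": "http_post", "peer": "198.51.100.7", "bytes_out": 290},
    {"ts": "2013-09-12T11:00:00", "host": "10.0.0.5", "kind": "smb", "peer": "10.0.0.20"},
    {"ts": "2013-09-12T23:30:00", "host": "10.0.0.5", "kind": "http_post", "peer": "198.51.100.7", "bytes_out": 52_000_000},
    # 10.0.0.9 only downloads an installer: one stage, no chain
    {"ts": "2013-09-12T10:00:00", "host": "10.0.0.9", "kind": "http_get", "detail": EXE_TYPE, "bytes_in": 40_000_000},
]


def stage_events(events):
    """Map one host's events to (timestamp, stage) pairs."""
    found = []
    small_posts = defaultdict(list)          # peer -> timestamps of small POSTs
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        kind = e["kind"]
        if kind == "ips_alert":
            found.append((ts, "exploit"))
        elif kind == "http_get" and e.get("detail") == EXE_TYPE:
            found.append((ts, "download"))
        elif kind == "http_post" and e.get("bytes_out", 0) >= EXFIL_BYTES:
            found.append((ts, "exfil"))
        elif kind == "http_post" and e.get("bytes_out", 0) < BEACON_MAX_BYTES:
            small_posts[e["peer"]].append(ts)
            if len(small_posts[e["peer"]]) == BEACON_COUNT:   # repeated beacon to one peer
                found.append((ts, "callback"))
        elif kind == "smb" and e.get("peer", "").startswith("10."):  # assumed internal range
            found.append((ts, "lateral"))
    return found


def chain_for_host(events):
    """Return the stages reached in life-cycle order, each after the previous one
    and within WINDOW of the first stage seen."""
    found = sorted(stage_events(events))
    reached, start, last = [], None, None
    for stage in STAGES:
        for ts, s in found:
            if s != stage or (last is not None and ts < last):
                continue
            if start is not None and ts - start > WINDOW:
                continue
            reached.append(stage)
            start = ts if start is None else start
            last = ts
            break
    return reached


def find_multistage(events, min_stages=3):
    """Group events per host and report hosts whose chain reaches min_stages stages."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    result = {}
    for host, evs in by_host.items():
        chain = chain_for_host(sorted(evs, key=lambda e: e["ts"]))
        if len(chain) >= min_stages:
            result[host] = chain
    return result


if __name__ == "__main__":
    for host, chain in find_multistage(SAMPLE_EVENTS).items():
        print(host, " -> ".join(chain))
```

The host that only fetched an executable is never reported, while the host whose download sits between an exploit alert and repeated small callbacks is, which is the slide's argument that the sequence of flows, not the file on its own, is what identifies the attack.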
Exploit Detection is Critical
• Malware exploits take a similar form:
– Write data to memory
– Trick the system to execute that code in memory
• Exploitation of the system is the first stage
– Subsequent stages can be hidden
– You will miss attacks if relying on object/file analysis
• Only FireEye detects the exploit stage
– Captures resulting stages
– Shares globally
Timed Malware
Ho, Ho, Ho…
Timed Malware: December 25th. Where is the IT staff? ;) FireEye works 24/7/365 so you don’t have to. 2,000+ events on Xmas.
Trend #5: Mobile Device Malware
Trend #5: Mobile Malware Incremental (See Timestamp)
BYOD = Bring Your own DOOM!
Source: www.bgr.com “Boy Genius”
FBI Warning (October 15, 2012)
Source: www.bgr.com
Thank You!
Frank Salvatore, BCOMM
Territory Manager, Eastern Canada