1. Cybersecurity: Understanding Malware and How to Protect Your Business
2. About AppFolio SecureDocs
AppFolio SecureDocs is a virtual data room for sharing and storing sensitive documents both internally and with outside parties.
AppFolio, Inc. Company Basics:
Founded by the team that created and launched GoToMyPC and GoToMeeting
Backed by leading technology companies and investors
Web-based business software for financial and legal professionals
3. About Lastline, Inc.
Lastline's security products synthesize and bring to commercial standards award-winning, world-renowned academic research on malware analysis and countermeasures.
Founded in 2011 by university researchers Engin Kirda, Christopher Kruegel and Giovanni Vigna
Considered to be today's thought leaders on automated, high-resolution malware analysis and detection
Focused on real-time analysis of advanced malware and big data analytics; leverages this threat intelligence to create solutions to protect companies of all sizes.
4. About Giovanni Vigna
Faculty member of the Computer Science Department at the University of California, Santa Barbara and the CTO/Founder of Lastline, Inc.
Recognized expertise in web security, vulnerability analysis, malware countermeasures, and intrusion detection.
Published more than 100 papers on the subject of network security and evasive [email protected]
[email protected]
7. Nobody Is Safe
Targeted attacks are mainstream news. Every week, new breaches are reported. In the last few months alone
8. Once Upon a Time
http://www.ted.com/talks/mikko_hypponen_fighting_viruses_defending_the_net.html
9. Unhappily Ever After
Proliferation of cybercrime for financial profit: ZeuS
Targeted attacks look for intelligence: Aurora (Google and others), RSA SecurID
Emerging cyber warfare: Stuxnet, Flame
Steal something valuable
10. Financial Malware
What can be monetized?
Financial data, usernames and passwords, virtual goods, online identities, computational power, emails
13. Targeted Attacks
What can be monetized?
Intellectual property, financial information, bids and contracts, organization structure, visited sites
14. State-level Attacks
What can be gained?
Intelligence, destruction of expensive equipment, influence on financial markets, shutdown of critical infrastructure, fear, insecurity, lack of trust
15. Attribution, Once Upon a Time
16. Attribution, Today
17. Criminal Groups
Well-organized groups with efficient division of roles and labor:
Programmers: develop malware code (malware, exploit kits)
Testers: QA and AV evasion
Traffic generators
Botmasters
Bot renters
Money mules
Budget for acquisition of zero-day exploits: "We are setting aside a $100K budget to purchase browser and browser plug-in vulnerabilities" (Cool exploit kit group)
http://krebsonsecurity.com/2013/01/crimeware-author-funds-exploit-buying-spree/
18. Underground Markets
Virtual places for advertisement and exchange of goods and offering of services: IRC channels and online forums
Activities:
Advertisements: "i have boa wells and barclays bank logins....i need 1 mastercard i give 1 linux hacked root"
Sensitive data: "CHECKING 123-456-XXXX $51,337.31 SAVINGS 987-654-XXXX $75,299.64"
http://www.cs.cmu.edu/~jfrankli/acmccs07/ccs07_franklin_eCrime.pdf
http://cseweb.ucsd.edu/~voelker/pubs/forums-imc11.pdf
http://www.cs.ucsb.edu/~vigna/publications/fakeav_market.pdf
19. Making Sense of Attacks
Lots of different vectors, tactics, specific tricks
Two fundamental things to keep in mind: How do attackers get in? How do they get valuable information out?
23. Anatomy of an Exploit
The code determines that the victim has installed a vulnerable ActiveX control, e.g., QuickTime
The control is loaded into memory
The environment is prepared for the exploit; for example, for memory corruption exploits:
The shellcode is loaded into memory
The heap is sprayed to ensure that control eventually reaches the shellcode
The vulnerability is triggered by invoking the vulnerable method/property of the ActiveX control
http://www.cs.ucsb.edu/~vigna/publications/iframe11.pdf
http://cseweb.ucsd.edu/~savage/papers/CCS12Exploit.pdf
27. Luring Users: Watering Holes
Sometimes it is difficult to exploit the target of an attack directly. Instead, compromise a site that is likely to be visited by the target:
Council on Foreign Relations: governmental officials
Unaligned Chinese news site: Chinese dissidents
iPhone dev web site: developers at Apple, Facebook, Twitter, etc.
National Journal web site: political insiders in Washington
28. Document-based Attacks
Vulnerabilities in document viewers can be exploited by malicious documents: Office docs, PDFs, images
29. What Happens in the Background
Analysis engine provides full emulation of an operating system environment and can detect what is actually happening in the system when a document is opened:
Process winword.exe was created: "C:\Program Files (x86)\Microsoft Office\Office12\winword.exe"
The arguments of this process: /q /f "C:\Users\user\AppData\Roaming\dflt_sample.doc"
Process winword.exe drops new files: "C:\Users\user\AppData\Local\Temp\msmx21.exe"
Process winword.exe starts a new process: "C:\Users\user\AppData\Local\Temp\msmx21.exe"
Running Task analyzes analysis result...
ReportScanner: 80 (set([Document: Writes a file then executes it]))
Detections 1 (100.00%, 0 not detected)
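As an added example (not part of the deck and not Lastline's own engine), the correlation behind the "Writes a file then executes it" verdict can be reduced to a small rule over event lines like those above; the line format, process name and file paths follow the slide, and the sample report is constructed:

```python
import re

# Constructed sample report, modelled on the sandbox event lines on slide 29
# (backslashes are escaped for Python).
SAMPLE_REPORT = """\
Process winword.exe was created: "C:\\Program Files (x86)\\Microsoft Office\\Office12\\winword.exe"
The arguments of this process: /q /f "C:\\Users\\user\\AppData\\Roaming\\dflt_sample.doc"
Process winword.exe drops new files: "C:\\Users\\user\\AppData\\Local\\Temp\\msmx21.exe"
Process winword.exe starts a new process: "C:\\Users\\user\\AppData\\Local\\Temp\\msmx21.exe"
"""

# One event line has the shape: Process <name> <verb>: "<path>"
EVENT_RE = re.compile(
    r'^Process (?P<proc>\S+) (?P<verb>was created|drops new files|starts a new process): "(?P<path>[^"]+)"'
)


def parse_events(report):
    """Turn report lines into (process, verb, path) tuples, keeping report order."""
    events = []
    for line in report.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m["proc"].lower(), m["verb"], m["path"].lower()))
    return events


def writes_then_executes(events):
    """Flag files that were dropped and only afterwards executed (order matters)."""
    dropped = {}  # path -> process that wrote it
    hits = []
    for proc, verb, path in events:
        if verb == "drops new files":
            dropped[path] = proc
        elif verb == "starts a new process" and path in dropped:
            hits.append({"writer": dropped[path], "launcher": proc, "file": path})
    return hits


def scan(report):
    """Reduce a report to the slide's detection name plus the supporting events."""
    hits = writes_then_executes(parse_events(report))
    names = ["Document: Writes a file then executes it"] if hits else []
    return {"detections": names, "hits": hits}
```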
30. Spear Phishing
From: [email protected]
To: [email protected]
Date: Monday February 6, 2012 05:51:24
Attachment: 23 fdp.scr23/
---- Msg sent via @Mail - http://atmail.com/
Colleagues in the code office,
Please acknowledge the receipt of the telegram No. 23 in attachment.
Thanks,
Embassy / Abu Dhabi
31. Social Engineering Attacks
Deceive the user into thinking that something useful is installed: video players, anti-virus, screen savers
32. After the Infection: A Botnet Case Study
http://www.cs.ucsb.edu/~vigna/publications/ccs09_torpig.pdf
33. Hijacking the Botnet
Reverse engineered the DGA used in Torpig and the C&C protocol
Noticed that domains generated for 1/25/2009 to 2/15/2009 were unregistered
Registered these domains
Controlled the botnet for 10 days
Unique visibility into a botnet's operation: 180,000 infected hosts, 8.7 GB of Apache logs, 69 GB pcap data (containing stolen information)
34. Threats
8,310 unique accounts from 410 financial institutions
Top 5: PayPal (1,770), Poste Italiane, Capital One, E*Trade, Chase
38% of credentials stolen from browser's password manager
1,660 credit cards
Top 3: Visa (1,056), Mastercard, American Express, Maestro, Discover
US (49%), Italy (12%), Spain (8%)
Typically, one CC per victim, but there are exceptions
35. Value of the Financial Information
Symantec [2008] estimates: credit card value at $.10 to $25.00; bank account at $10.00 to $1,000.00
Using Symantec estimates, 10 days of Torpig data valued at $83K to $8.3M
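How the $83K and $8.3M bounds follow from slide 34's counts (1,660 cards, 8,310 accounts) and the Symantec per-item estimates, as a worked calculation added here rather than taken from the deck; it assumes the bank-account rate is applied to all 8,310 accounts:

$$\text{low} = 1{,}660 \times \$0.10 + 8{,}310 \times \$10 = \$166 + \$83{,}100 = \$83{,}266 \approx \$83\text{K}$$

$$\text{high} = 1{,}660 \times \$25 + 8{,}310 \times \$1{,}000 = \$41{,}500 + \$8{,}310{,}000 = \$8{,}351{,}500 \approx \$8.3\text{M}$$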
37. Ideal World
Secure code: Software we use contains no vulnerability, or vulnerabilities are mitigated using sound security and engineering principles (least privilege, containment, etc.). Unfortunately, currently only a handful of secure programs exist, and often in specialized sectors (regulations vs. innovation).
User awareness: Users are aware of security threats and always make the right decision. Unfortunately, experiments show users are extremely bad at making security decisions (security vs. usability).
38. Law Enforcement
http://www.zdnet.com/blog/bott/who-killed-the-fake-antivirus-business/3832
Russian authorities arrest the co-founder of ChronoPay, the largest online payment processor
39. Law Enforcement
40. Law Enforcement
41. Polling Question #3
42. Common Sense Defenses
Keep software up to date. However, ineffective against 0-day
43. Common Sense Defenses
Don't open links/attachments from unknown sources. However, ineffective against social/targeted attacks
44. Common Sense Defenses
Limit web accesses to trusted/reputable sites. However, ineffective against watering hole attacks, malicious advertisements, web site compromises
45. Common Sense Defenses
Access sensitive services (e.g., online banking) from a dedicated machine. However, inconvenient
46. Current Solutions Are Not Enough
Firewalls are not enough: users actively (and unsuspectingly) go out to the attacker; attackers use port 80
Intrusion Detection/Prevention (IDS/IPS) systems are not enough: signatures and blacklists only catch known attacks; limited insight into downloaded artifacts (binaries, spear-phishing links, ...) and outbound network activity
Anti-virus systems are not enough: artifacts change their appearance at a fast pace (signatures and blacklists insufficient; manual analysis of threats requires an enormous amount of resources); AV vendors do not see the binary used in targeted attacks (they cannot create any signature)
47. Solutions To Advanced Malware
Analysis of incoming artifacts (what gets in): web downloads, mail attachments
Analysis of outgoing traffic (what gets out): DNS traffic, web traffic; what gets out, where it goes, how it is sent
Use of correlation to present a complete picture to the system administrator
But how good is the analysis?
48. Polling Question #4
49. The Malware (R)evolution
[Chart labels: Simple Threats, Opportunistic Attacks, APT; Antivirus Solutions, Targeted Attacks Solutions; Plain Virus, Polymorphic, Packing, C&C Fluxing, Persistent Threats, Evasive Threats, Sophisticated Threats]
50. Nature of Advanced Malware
Static code obfuscation and polymorphism (Source: Binary-Code Obfuscations in Prevalent Packer Tools, Tech Report, University of Wisconsin, 2012)
[Chart: number of times a hash is seen] > 93% of all samples are unique
Defeats signature-based anti-virus
51. Nature of Advanced Malware
Dynamic evasion: checks for environment. Defeats sandbox and virtual machines
53. Lessons Learned
Attacks are increasingly targeted: attackers no longer go after your firewall, they go after your employees
Attackers are persistent and patient: need for a constant-monitoring approach to defense
Attackers develop custom tools and attacks after they have gained access to a target: the global landscape still matters, but defenses tailored to local characteristics and activity are critical
Evasive malware: need for next-generation tools
54. Questions?
55. Backup Slides
56. Lastline
Started in 2011 by a team of professors and PhDs from University of California, Santa Barbara and Northeastern University, Boston
Located in Santa Barbara, CA
Technology based on 8+ years of research on advanced malware
Founders include the creators of Anubis and Wepawet analysis tools
57. Previct Anti-Malware Solution
Sentinel scans traffic for signs and anomalies that reveal C&C connections and infections
Lastline proactively scouts the Internet for threats and updates the Sentinel knowledge base
Manager receives and correlates alerts, and produces actionable intelligence
Sentinel sends unknown objects (programs and documents) for high-resolution analysis
58. Key Technology
1. High resolution analysis engines: CPU emulation provides deep insights into malware execution; necessary to detect and bypass evasive checks; exposes malicious behaviors that existing sandboxes don't see
2. Big data analytics: anomaly detection of suspicious outbound command-and-control (C&C) flows; Internet-scale, active discovery of threats; correlation of low-level events into actionable threat intelligence
59. High-Resolution Malware Analysis
[Diagram labels: Visibility without code emulation (traditional sandboxing technology); Important behaviors and evasion happen here; Visibility with code emulation (Lastline technology)]