Gli ultimi ritrovati in termini di attacchi alle aziende

Gli ultimi ritrovati in termini di
attacchi alle aziende e furti di dati,
come combatterli
Roma 18 Giugno 2014
Maurizio Martinozzi
Gli ultimi ritrovati in termini di attacchi alle aziende e furti di
dati
Degli Advanced Persistent Threats (APT) non solo se ne parla ma ad oggi se ne cominciano a contare i danni:
è possibile contrastarli ma la difesa deve essere personalizzata e “tagliata su misura” dell’infrastruttura
dell’azienda.
Una ricerca del Ponemon Institute ha rilevato che il 67% delle aziende ammette che le proprie soluzioni
sicurezza adottate non sono sufficienti a bloccare un attacco mirato. Ma il dato è tragico se consideriamo che il
55% delle aziende non viene nemmeno a conoscenza delle intrusioni subite e, una percentuale bassissima, è
in grado di valutare la portata dell’attacco e, ancora più importante, chi lo ha sferrato.
Per contrastare gli attacchi mirati è necessario adottare tecnologie si sicurezza evolute, quelle tradizionali non
garantiscono più un adeguato livello di protezione. Di fatto le nuove tecnologie devono essere in grado di
gestire la tipologia di attacco, rilevando e analizzando le minacce costanti evolute, ma anche di adattando
rapidamente la protezione e reagendo in maniera proattiva ad attacchi specifici.
La tecnologia deve essere in grado di integrare correttamente software, informazioni globali sulle minacce,
strumenti e servizi specializzati per offrire nozioni personalizzate sulla minaccia specifica e sui criminali
coinvolti. I recenti progressi nella gestione di comando e controllo (C&C) contribuiscono a bloccare i
comportamenti sospetti prima ancora che riescano a compromettere l’obiettivo individuato.
Ma non allarmiamoci: oggi sono disponibili specifiche soluzioni preventive e noi ve le racconteremo: vi
spiegheremo perchè le soluzioni di sicurezza tradizionali non riescono a combattere queste nuove tipologie di
minacce e di attacchi, vi spiegheremo le caratteristiche di queste recenti attività illecite dei cybercriminali e,
soprattutto, vi mostreremo le più recenti e efficienti soluzioni ad oggi disponibili sul mercato per combattere
questi nuovi crimini informatici.
Trend Micro
What We Do
How We Do It
Recognized global leader in
server, virtualization and cloud
security
1,200 threats experts in 12
TrendLabs locations around the
globe; 1492 R&D engineers
Innovative security solutions
$400M USD and 500 engineers
invested over last 4 years to
develop cloud-related solutions
Protecting the exchange of
digital information for businesses
and consumers
Global Threat Intelligence
Who We Are
Eva Chen: CEO and Founder
Co-founded:
Offices:
Global Employees:
Revenue:
Cash Assets:
1988
36
4942
$1.2B USD
$1.65B USD
Operating Income: $330M USD
Headquarters:
3
Tokyo
Gli investimenti in Software
6/23/2014
4
Gli investimenti in Infrastrutture IT
6/23/2014
5
Cyber crime or war??
It does not matter!!
• 1 new threat each second 1
• 1 cyber-intrusion each 5 minutes 2
• 67 % of infrastructure can’t block a custom
& targeted attack 3
• 55 % of companies didn’t detected the
breach 1
More frequent
More targeted
More money
Source : 1: Trend Micro, 2 : US-Cert 2012, 3 : Ponemom Institute 2012
More sophiticated
Cyber crime or war??
It does not matter!!
Cyber crime or war??
It does not matter!!
Cyber crime or war??
It does not matter!!
Le ‘minacce interne’
• 80% of data
breaches
Authorized
Insiders
– Ponemon
Institute
Study –
10
Insider
Autorizzati
Threat
► Accidental
or
malicious
breach
Outsider
Non-Autorizzati
Threat
► Dati rubati
o persi
Scopo
Scopo
► Monitor, log,
prevent
breaches
► Assess risk continuously
► Educare gli
impegati
► Impedire
l’uso dei
dati a
personale
non
autorizzato
Malware as a Service
6/23/201
4
11
Confidential © 2013
Trend Micro Inc.
December 2010 Cyber attack on Iranian nuclear facilities
January 2011
21-year-old George Hotz
decrypts Sony PS3 root
key
February 2011 HBGary hacked by Anonymous and resulted data leakage
March 2011 Authentication product related information leaked from RSA
April 2011 77 million customers’ data leakage from Sony PSN users
May 2011 360,000 US City Group customers’ data leaked
June 2011 Major US defense contractor Lockheed
Martin attacked
July 2011 leakage of personal data of 35 million users of Korean social network site
August 2011 Japanese defense related firms suffered from cyber attacks
September 2011 Japanese National Personnel Authority
Cabinet Office sites were temporarily unavailable by DDoS attacks
October 2011 PCs in Japanese
by virus; possible data leakage
13
and
House of representatives infected
13
※ These information are all extracts from news
Rivoluzione tecnologica4
L’impatto tecnologico di Virtualizzazione, Cloud, Consumerization sta
rivoluzionando il concetto di perimetro, smaterializzando elementi delle
architetture IT
La crescita del volume di dati creati, scambiati e conservati ha aumentato in
modo significativo la complessità della gestione del rischio informatico per
aziende e governi
La sofisticazione e industrializzazione delle tecnologie Cyber-criminali richiede
competenze sempre più specifiche e capacità d’intelligence per reagire
rapidamente ed efficacemente agli attacchi
RIVOLUZIONE: L’atto di modificare e rinnovare in modo radicale,
profondamente
Dizionario Treccani della Lingua Italiana
6/23/2014
14
Evoluzione del business
Necessità di modelli integrati di governance e di gestione del rischio informatico
adeguati al nuovo scenario, abilitanti al controllo del processo
Valore per il Valore: portare al cliente reali competenze a valore aggiunto,
accreditandosi come consulente, broker tecnologico, partner di progetto
affidabile
Fattori macro-economici attuali e conditio sine qua non di TCO, Riduzione dei
Costi misurabili e concreti
EVOLUZIONE: Ogni processo di trasformazione, graduale e continuo, per
cui una data realtà passa da uno stato all’altro – quest’ultimo inteso
generalmente come più perfezionato – attraverso cambiamenti successivi
Dizionario Treccani della Lingua Italiana
6/23/2014
15
4Evoluzione della Domanda
Le tecnologie restano il motore del business della sicurezza, ma non sono più
sufficienti da sole a coprire le esigenze di un mercato sempre più complesso
Oggi i Clienti
richiedono a
vendor e
partner un
miglior
supporto per
gli impatti
organizzativi e
di processo
6/23/2014
16
Cosa vuol dire
compromettere una
risorsa IT (e come)
17
Network Perimeter is Expanding
Virtualization, Cloud, Consumerization & Mobility
New
Perimeter
IaaS
SaaS
Internet
Old
Perimeter
Mobile
User
Main Campus
Remote Office
Big Data Everywhere
Who is accessing your data from where using what?
Public Cloud
Desktop
Virtualization
Private
Cloud
Server
Virtualization
The Targeted Attack Process
Stage 0
Stage 2
Stage 1
Preparation for
attack
Initial
penetration
Establishment
of attack
platform
As a preparation stage before
they conduct attacks, the
Various methods are used in
the initial penetration stage.
Once the attackers succeed to get
into the system, they quickly
attackers investigate
information of target
organization.
Suspicious (targeted)
email is one such method.
For that, they attack
organizations around
target to collect platform
information for initial intrusion
like Emails exchanges
between that organization and
the target.
Using this information, they
conduct attacks which
increase the success
rate of the initial penetration.
Copyright 2012 Trend Micro Inc.
These methods are used to
deploy viruses deep within the
organization.
In this stage, the attack can
achieve the goal only when
establish a
backdoor for
communication with a server
they prepare. Unlike the traditional
backdoors , this backdoor is the
one that uses HTTP and other
communication protocols that are
used in the business in the target
one employee open that
Email.
organization. Thus it
In the initial penetration stage,
there is no need for virus to
infect many systems. It is
thought that the attack
methods used at this stage are
expected to be detected and
cleaned. That mean they are
disposable.
Using this backdoor, they will add
functions needed for next system
investigation stage, and an attack
platform will be established.
20
cannot be
blocked by a firewall.
Stage 3
Stage 4
System
investigation
Attack on the
ultimate target
Using the attack plat-form
established in the prior stage,
They steal information
the attackers search
In some cases, using information
stolen, they repeat attacks.
for
internal system
information.
via
the backdoor.
used to communicate
APT is the attack which the
attackers keep attack platform
which established in the target
with the attackers and
organizations to repeat
the search will be continued
while confirming system
information.
penetrations and data
thefts.
At this time, a back door is
This attack is the one tend to be
repeated several times.
Source: IPA design/ maintenance guide to aim for the
solution against “new type of attack”.
Le tecnologie
Deep Discovery
Deep Discovery provides the visibility, insight and control you
need to protect your company against APTs and targeted attacks
Deep Discovery
Advisor
Deep Discovery
Inspector
• Network traffic inspection
• Advanced threat detection
• Real-time analysis & reporting
• Custom scalable threat simulation
• Deep investigation & analysis
• Actionable intelligence & results
Targeted Attack/APT Detection
In-Depth Contextual Analysis
Rapid Containment & Response
A Custom Defense for a Smart Protection
DETECT
ANALYZE
ADAPT
RESPONSE
Advanced technologies Threat profiling
Instant protection with
to analyze low signals Origin ? Risk ? Channel ? dynamic signature
Threat infection
containement
• Full visibility with Deep Discovery technologies
• Advanced monitoring with Network and Host Sensor
• Next-gen protection against custom threat & targeted attack
Sandbox
6/23/2014
Protocol
Inspection
Network
Reputation
File
Analysis
Behavioral
Analysis
C&C
Identification
System
Monitoring
What is Deep Discovery ?
• A network & host monitoring solution
designed to provide network-wide visibility,
insight and control against data breaches
and advanced threats.
• Deep Discovery uniquely detects and
identifies evasive threats in real-time, and
provides the in-depth analysis and
actionable intelligence needed to prevent,
discover and contain attacks against
corporate data
6/23/20
14
24
DETECT
Single Appliance for Advanced Protection
Entry point
Lateral
Movement
Deep Discovery
All
protocols
analyzed
HTTP
SMTP
DNS
FTP
on a single box
-----
Inspector
Exfiltration
CIFS
SQL
P2P
Network Content
Inspection Engine
360°Approach
• Appliance All-in-One
• Content
Up to 4 Inspection
Gbps model
•• Document
Bare MetalEmulation
& VA available
••
•
••
Payload
Custom Download
sandboxes
embedded
Behavior
Tracing
Can beDetection
linked to external
Exploit
SB
• Network Monitoring
Advanced Threat
Security Engine
IP & URL reputation
Virtual Analyzer
Network Content
Correlation Engine
6/23/2014
• Detect known,
unknown and custom
Embedded
threats doc exploits
Drive-by downloads
• Dropper
Leverage Trend Micro
Unknown
Threat Malware
Intelligence
C&C
access
technologies
Data stealing
• Worms/Propagation
Adapts and responds
Backdoor
activities
to threats
in your
Data
exfiltration3
unique environment
DETECT
Deeper Look into Deep Discovery
Docode Engine
Win32 DLLs
Advanced File
Emulation
Process
Environment
Virtual Processor
File & Registry
Simulation
Extraction
& Correlation
• Fast analysis
• Shellcode
• Document type
• Exploit data
• Microsoft Office
• Scripts (JS/AS)
• Adobe PDF
• File Structure
• Adobe Flash
Doc
Analyzer
Parser
Extractor
Emulator
• Payload...
High detection rate
6/23/2014
26
ANALYZE
Deeper Look into Deep Discovery
Virtual Analyzer
Your Custom Sandbox
Isolated Network
•
•
•
•
•
Custom OS image
Execution acceleration
Anti-Analysis detection
32 & 64 bits
Execute binaries, documents, URL...
Live monitoring
WinXP SP3
Win7
Base
Hardened
LoadLibraryA ARGs: ( NETAPI32.dll ) Return value: 73e50000
LoadLibraryA ARGs: ( OLEAUT32.dll ) Return value: 75de0000
Modifies file
with
infectible
type value:
: eqawoc.exe
LoadLibraryA
ARGs:
( WININET.dll
) Return
777a0000
key:
HKEY_CURRENT_USER\Local
Inject
processus : 2604 taskhost.exe
Settings\MuiCache\48\52C64B7E\LanguageList value:
Access suspicious host : mmlzntponzkfuik.biz
key: HKEY_CURRENT_USER\Software\Microsoft\Onheem\20bi1d4f
Write: path: %APPDATA%\Ewada\eqawoc.exe type: VSDT_EXE_W32
API ID: 2604 Inject
Fake API: CreateRemoteThread
Fake
Injecting process
Target process
Fake AV
Hooks
Explorer
ID: 1540 Target
image path:
taskhost.exeServer
socket ARGs: ( 2, 2, 0 ) Return value: 28bfe
socket ARGs: ( 23, 1, 6 ) Return value: 28c02
window API Name: CreateWindowExW ARGs: ( 200, 4b2f7c, , 50300104,
0, 0, 250, fe, 301b8, f, 4b0000, 0 ) Return value: 401b2
internet_helper API Name: InternetConnectA ARGs: ( cc0004,
mmlzntponzkfuik.biz, 10050, , , 3, 0, 0 ) Return value: cc0008
.......
!
Core Threat Simulator
• Kernel integration (hook, dll
injection..)
Filesystem
monitor
• Network flow analysis
• Event correlation
6/23/2014
Win7
27
Registry
monitor
Process
monitor
Rootkit
scanner
Network
driver
ANALYZE
Deeper Look into Deep Discovery
Smart Protection
Network
Mobile Advanced Protection
Cloud Android Sandbox
•
•
•
•
MARS SANDBOX
Crawl & Collect apps from various
market (Play, Amazon, SlideMe3)
Automatic download of unknown
Android app from hosting source
High quantity of Android apps catch
Detection of suspicious behaviours
–
–
–
–
–
–
C&C communications
Data leak transfer
Malware payload
Invalid certificate
Privacy abuse
PermissionX
Static Analyzer
Dynamic Analyzer
Smart Protection
Network
Unpack
Variant
Scanning
UI
Trigger
Syscall
hook
Data
Spoofing
Behavior
Logging
Permission Check
Privacy Data Tracking
Resource Analysis
Log Collector
APK
SINCE 2012
Deep Discovery
6/23/2014
28
ADAPT
Deeper Look into Deep Discovery
C&C Callback Protection
FTP
Multi-Source Scoring
DNS
TCP
UDP
CIFS
ICMP
SQL
HTTP
----SMTP
Protocol Analyzer
•
Virtual Analyzer Feedback
–
–
–
–
•
•
•
Hidden callback
URL
Domain Name
IP:Port
File Signature
Botnet behavior
Trojan identification
Global C&C Live Intelligence
User-Defined C&C List
Content Inspection Rules
Blocking
capabilities
!
6/23/2014
29
TCP Reset
DNS Spoofing
HTTP Redirect
ICMP Code
Deep Discovery
Infection & payload
Simple & Efficient
Lateral movement
C&C callback
Dynamic blacklist
Web proxy
af12e45b49cd23...
48.67.234.25:443
68.57.149.56:80
d4.mydns.cc
b1.mydns.cc
...
SMTP relay
Storage
Mail Server
!
App Server
Inspector
!
Endpoint
!
6/23/2014
!
30
Create your Custom Defense
Integrated into
Analyzer
Trend Micro solutions
•
External sandbox system
•
Automatic Analysis Labs
•
Manual & API submission tools
•
Multi-box (5 nodes, 100k files/day)
Email Inspector
Threat profil export
(IOC, hash)
API & scripting
Threat Intelligence Center
•
Email reputation & attachment analysis
•
Central event dashboards
•
Embedded URL analysis in VA
•
Custom searches & reports
•
MTA (inline) or BCC (monitor) mode
•
Central alerting and reporting
•
Up to 2M mails/day per box
6/23/2014
Confidential | Copyright 2012 Trend
Micro Inc.
31
Get a complete picture of targeted attacks
Deep Discovery Endpoint Sensor
Context-aware endpoint solution designed to speed
the discovery, investigation and response to security
incidents
Accelerate you response process
• Confirm endpoint infiltration alerts from network
security
• Analyze actual malware behavior and results
• See which endpoints have specific malware or
C&C activity
• Discover full context and spread of an attack
Get a full picture of threats
• Records detailed system activities
• Performs multi-level search across endpoints
• Uses rich search criteria
• Compatible with any AV security
solution
Trend Micro Products
Integrated Advanced Protection
!
Dynamic blacklist
Web
proxy
IWSva
IMSvarelay
SMTP
Storage
Analyzer
Mail
Server
ScanMail
App Server
OfficeScan
Deep Security
Infection & payload
Endpoint
!
C&C callback
!
3c4çba176915c3ee3df8
7b9c127ca1a1bcçba17
Custom Signature
6/23/2014
33
af12e45b49cd23...
48.67.234.25:443
68.57.149.56:80
d4.mydns.cc
b1.mydns.cc
...
DetectX
DetectX
XAnalyzeX
Human readable
X React
Copyright 2013 Trend Micro Inc.
• Search summary
• Individual endpoint flow & drilldown
• Context and network aware
37
Why Deep Discovery ?
NSS Labs Breach Detection Tests
Better detection & 360°protection
• Proven results for standard HTTP &
SMTP
• Plus detection for 80+ protocols
& applications across all ports
• Detection of Mac and Mobile malware
• Custom sandboxing
• Attacker activity detection
All at half of the TCO than main competitor
6/23/2014
38
Why Deep Discovery ?
Dynamic advanced security
• Multi-engine for analysis and
correlation
• Leverages Smart Protection Network
• CustomVirtual Analyzer sandbox
• Access to TrendLabs Security Expert
Plug & Protect
• High Throughput Network Analysis
• Flexible architecture: HW, SW, VM
• Fast forensics & custom signature
6/23/2014
39
Il cloud
DAILY:
• Collects 1.15B threat samples
• Correlates 7.2 TB data
• Protects against 200M threats
•
•
•
•
•
•
•
Whitelisting
Network traffic rules
Mobile app reputation
Vulnerabilities/Exploits
Threat Actor Research
Enhanced File Reputation
Enhanced Web Reputation
BIG DATA
ANALYTICS-DRIVEN
GLOBAL THREAT INTELLIGENCE
2012
• Email reputation
• File reputation
• Web reputation
CLOUD BASED
GLOBAL THREAT
INTELLIGENCE
2008
SIGNATURE BASED
ANTI-MALWARE
1988 - 2007
[email protected]