Transcript
Page 1: Declaration of malWARe

DECLARATION of MAL(WAR)E

The good, the bad, and the ugly

Page 2: Declaration of malWARe

Who are we?

IT Security Consultants @ NetSPI

We help organizations:

• Identify vulnerabilities

• Determine impact

• Develop remediation plans

• Reduce risk

Page 3: Declaration of malWARe

Presentation Overview

• What is malware?

• Who creates malware?

• Why do they create malware?

• What skill level is required?

• The malware lifecycle

  ‒ The “good” guys’ role

  ‒ The “bad” guys’ role

• The “ugly” truth

Page 4: Declaration of malWARe

What is Malware?

Page 5: Declaration of malWARe

What is Malware?

Wikipedia definition:

…“software used or created by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems”…

Our definition:

…“software created to do bad things and is generally a pain in the butt”…

Page 6: Declaration of malWARe

Types of Malware

• Remote Exploits

• Local Exploits

• Trojans

• Backdoors

• Rootkits

• Viruses

• Worms

Page 7: Declaration of malWARe

Malware Kit

Page 8: Declaration of malWARe

Who would do such a thing?

Page 9: Declaration of malWARe

Who is Creating Malware?

• Organized crime

• Governments

• Political activists (“hacktivists”)

• Evil developers

• Bored teenagers

• You?

Page 10: Declaration of malWARe

Why would they do that?

Page 11: Declaration of malWARe

Why are they Creating Malware?

• Sell, sell, sell

• Steal money

• Steal information

• Strategic position

• Denial of Service

• Political gain

• Hacking as a hobby

• Internal employees


Page 12: Declaration of malWARe

Who’s got the skills?

Page 13: Declaration of malWARe

What skill level is required?

• Malware Developers = Programmers

  ‒ More advanced programming skillset

  ‒ Create custom malware

    • Less likely to be noticed

    • Personal use or sold to specific group

  ‒ Commoditized malware kits

    • More likely to be noticed

    • Free and commercial

• Malware Kit Users

  ‒ Don’t require advanced skillset

  ‒ Much more likely to cause damage by mistake

Page 14: Declaration of malWARe

The Malware Lifecycle

Page 15: Declaration of malWARe

The Malware Lifecycle

Malware Development

Malware Deployment

Malware Detection

Malware Correction

Malware Protection

Bad Guys

Good Guys

Page 16: Declaration of malWARe

Developers! Developers! Developers!

Page 17: Declaration of malWARe

Malware Development

• Professional Malware Development

  ‒ Often work like software companies

  ‒ Often produce very secure malware

• Create different types of malware

  ‒ Remote exploits

  ‒ Local exploits

  ‒ Backdoors, “bots”, and/or rootkits

  ‒ Worms or viruses

  ‒ Command and control

  ‒ Update functions

Page 18: Declaration of malWARe

Deploy! Deploy! Deploy!

Page 19: Declaration of malWARe

Malware Deployment

69% of all breaches incorporate malware

As reported in the Verizon Business – 2012 Data Breach Investigations Report

Available at www.verizonenterprise.com

Page 20: Declaration of malWARe

Malware Deployment

79% of all breaches were targets of opportunity

As reported in the Verizon Business – 2012 Data Breach Investigations Report

Available at www.verizonenterprise.com

Page 21: Declaration of malWARe

Malware Deployment

• Malware is often deployed via:

  ‒ Social engineering – email, phone, physical

  ‒ Default passwords on management applications

  ‒ Web application issues

  ‒ “Water holing” web applications

  ‒ Web browser issues, etc.

[Diagram: Email, Users, Apps, Pass → Malware Package]

Page 22: Declaration of malWARe

Detect! Correct! Protect!

Page 23: Declaration of malWARe

Detecting Malware?

“…the median number of days advanced attackers are on the network before being detected is…” 416

As reported by Mandiant in their Annual Threat Report: M-Trends™ 2012

Page 24: Declaration of malWARe

Detecting Malware?

94% of organizations learn they are victims of targeted attacks from an external entity

As reported by Mandiant in their Annual Threat Report: M-Trends™ 2012

Page 25: Declaration of malWARe

Detecting Malware!

• Where are threats being detected:

  ‒ Networks

  ‒ Servers

  ‒ Workstations

  ‒ Applications / Databases

  ‒ People

• How are threats being detected:

  ‒ Behavioral / Anomaly based analysis

  ‒ Signature based analysis

  ‒ SIEM / Statistics based analysis

  ‒ Canaries / Honey pots

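As an added example for this transcript (not NetSPI's code, and not something shown in the deck), the following Python runs three of the detection approaches listed on this slide over constructed sample telemetry: a signature match on file hashes, a behavioral rule on parent/child process pairs, and a statistical test for command-and-control beaconing based only on connection timing. Every record, hash, hostname, address and threshold is constructed for illustration and would be replaced by real telemetry and tuned values in practice.

```python
"""Three of the detection approaches on the slide, run over constructed
sample log records: a signature match on file hashes, a behavioural rule
on parent/child processes, and a statistical test for C2 beaconing.

Added example for this transcript; not NetSPI's code. Every record, hash
and threshold below is made up for illustration."""
import hashlib
import statistics
from collections import defaultdict

# Signature-based: a blocklist of file hashes. The hash is of a constructed
# string, standing in for a real indicator feed.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed sample dropper").hexdigest()}

# Behavioural: parent/child pairs that are almost never legitimate (an Office
# document spawning a shell is a classic macro-dropper pattern).
SUSPICIOUS_PARENT_CHILD = {
    ("winword.exe", "cmd.exe"),
    ("winword.exe", "powershell.exe"),
    ("excel.exe", "powershell.exe"),
    ("outlook.exe", "mshta.exe"),
}


def signature_hits(file_events):
    """Return file events whose SHA-256 is on the blocklist."""
    return [e for e in file_events if e["sha256"] in KNOWN_BAD_SHA256]


def behavioural_hits(process_events):
    """Return process events matching a suspicious parent/child pair."""
    return [e for e in process_events
            if (e["parent"].lower(), e["image"].lower()) in SUSPICIOUS_PARENT_CHILD]


def beacon_hits(conn_events, min_connections=6, max_cv=0.15):
    """Statistical beaconing test on connection metadata only, so it also works
    on encrypted traffic. For each (src, dst) pair with enough connections,
    compute the coefficient of variation (stdev/mean) of the inter-arrival
    gaps. Human browsing is bursty (high cv); a timer-driven implant phoning
    home is regular (low cv). Both thresholds are assumptions to tune."""
    by_pair = defaultdict(list)
    for e in conn_events:
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    hits = []
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"pair": pair, "count": len(times),
                         "period_s": round(mean, 1), "cv": round(cv, 3)})
    return hits


def detect(file_events, process_events, conn_events):
    """Run all three detectors and return their hits keyed by method."""
    return {"signature": signature_hits(file_events),
            "behavioural": behavioural_hits(process_events),
            "beacon": beacon_hits(conn_events)}


# Constructed sample telemetry (not real hosts, hashes or addresses; the IPs
# are from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24).
SAMPLE_FILE_EVENTS = [
    {"host": "ws-17", "path": r"C:\Users\a\AppData\Local\Temp\inv0ice.exe",
     "sha256": hashlib.sha256(b"constructed sample dropper").hexdigest()},
    {"host": "ws-17", "path": r"C:\Windows\System32\notepad.exe",
     "sha256": hashlib.sha256(b"constructed benign file").hexdigest()},
]
SAMPLE_PROCESS_EVENTS = [
    {"host": "ws-17", "parent": "explorer.exe", "image": "WINWORD.EXE"},
    {"host": "ws-17", "parent": "WINWORD.EXE", "image": "powershell.exe"},
]
# ws-17 connects to one address every 60 s give or take a second (a beacon);
# ws-22 connects to a web server at irregular, human-looking times.
SAMPLE_CONN_EVENTS = (
    [{"src": "ws-17", "dst": "203.0.113.5", "ts": 1000 + 60 * i + (i % 3) - 1}
     for i in range(10)]
    + [{"src": "ws-22", "dst": "198.51.100.7", "ts": t}
       for t in (1000, 1003, 1090, 1092, 1400, 1401, 2200)]
)

if __name__ == "__main__":
    for method, hits in detect(SAMPLE_FILE_EVENTS, SAMPLE_PROCESS_EVENTS,
                               SAMPLE_CONN_EVENTS).items():
        print(f"{method}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

On the sample data the signature rule catches only the dropper, the behavioral rule only the Word-to-PowerShell spawn, and the beacon test only the ws-17 pair (period about 60 s, cv about 0.03), while the bursty browsing from ws-22 is left alone. Each method has the weakness the next slide lists: the hash match is blind to undocumented or repacked malware, the parent/child rule will fire on administrators who script from Office, and an implant that adds heavy random jitter to its sleep pushes its cv above the threshold, so the timing test needs tuning against your own baseline rather than the constructed one here.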

Page 26: Declaration of malWARe

Detecting Malware!

• Challenges:

  ‒ Identifying signatures related to

    • undocumented malware

    • encrypted traffic

  ‒ Keeping up with the amount of malware being released

  ‒ Creating dependable behavioral based profiles

  ‒ Creating useful statistical rules

  ‒ Identifying malware in memory


Page 27: Declaration of malWARe

Detect! Correct! Protect!

Page 28: Declaration of malWARe

Correcting Affected Assets!

• Where does correction occur:

  ‒ Networks

  ‒ Servers

  ‒ Workstations

  ‒ Applications / Databases

  ‒ People

• How does correction occur:

  ‒ Incident response

  ‒ Patch systems and applications

  ‒ Code applications securely

  ‒ Securely configure

    • Firewalls

    • Servers

    • Applications

    • User accounts

  ‒ Training


Page 29: Declaration of malWARe

Correcting Affected Assets!

• Challenges:

  ‒ Creating patches for exploits before they are widely used

  ‒ Patching 3rd party software

  ‒ Creating and managing secure code

  ‒ Legacy and unsupported applications

  ‒ Vendor contracts

  ‒ Providing adequate training


Page 30: Declaration of malWARe

Detect! Correct! Protect!

Page 31: Declaration of malWARe

Protecting Assets!

• Where are assets protected:

  ‒ Networks

  ‒ Servers

  ‒ Workstations

  ‒ Applications / Databases

  ‒ People

• How are assets being protected:

  ‒ Build/manage secure configurations

  ‒ Build/manage secure applications

  ‒ Network Access Control & Intrusion Prevention Systems

  ‒ Proactive exploit development

  ‒ Proactive vulnerability identification

  ‒ Development of signatures

  ‒ 3rd Party Risk assessments


Page 32: Declaration of malWARe

Protecting Assets!

• Challenges:

  ‒ Security vs. usability

  ‒ Asset inventory

  ‒ Managing secure configurations

  ‒ Communication/risk related to partners, contractors, and vendors

  ‒ Cost / Time / Skills

  ‒ Education and training


Page 33: Declaration of malWARe

Putting it All Together

Page 34: Declaration of malWARe

The Malware Deployment Cycle

Page 35: Declaration of malWARe

The Malware Deployment Cycle

Example

Time

Page 36: Declaration of malWARe

Simplified Network Diagram

Page 37: Declaration of malWARe

Gain Access via Exploit

Page 38: Declaration of malWARe

Escalate Privileges via Exploit

Page 39: Declaration of malWARe

Install Backdoor or Bot

Page 40: Declaration of malWARe

Propagate via Worm or Virus

Page 41: Declaration of malWARe

Command and Control: Phone Home

Page 42: Declaration of malWARe

Command and Control: Get Orders

Page 43: Declaration of malWARe

Good Guys Detect

Page 44: Declaration of malWARe

Good Guys Correct

Page 45: Declaration of malWARe

Good Guys Protect

Page 46: Declaration of malWARe

The Ugly Truth

Page 47: Declaration of malWARe

The Ugly Truth: Bad Guys

Bad guys are creating Malware that is:

• Not going away

• Getting more advanced

• Getting harder to detect

• Getting easier to use

• Getting used by more people

Page 48: Declaration of malWARe

The Ugly Truth: Good Guys

Good guys need to:

• Continue to fight the good fight!

• Continue to develop new methods of detection, correction, and prevention

• Develop better security policies that make attacks:

  ‒ Harder to execute

  ‒ Easier to detect

  ‒ Easier to respond to and contain

• Focus on proactive vulnerability identification

• Get rid of unnecessary sensitive data

• Encrypt remaining sensitive data

• Educate more users more often

That can start with you…

Page 49: Declaration of malWARe

What’s Next?

What can I do?

• Don’t visit sketchy web sites

• Don’t open mail from unknown senders

• Review links before clicking them in emails

• Patch your systems and software

• Validate the website before providing sensitive information: click the “little lock” in your browser and check that the certificate is for the domain you expect (the lock only means the connection to that domain is encrypted; it does not mean the site is legitimate)

• Don’t create and/or use malware ...

…unless it’s for the good guys
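The “review links before clicking them” and “validate the website” advice above can be automated for a whole message. As an added example for this transcript (not NetSPI's code), the following Python pulls every link out of an HTML e-mail and compares where the anchor text says the link goes with where the href actually goes, flagging plain-HTTP destinations (no lock will appear), mismatched display text, and lookalike domains that embed a trusted brand name with digit-for-letter swaps or as a subdomain of something else. The trusted host list, the confusable-character table and the sample phishing message are all constructed for illustration; a real deployment would load the organization's own domains.

```python
"""Review the links in an HTML e-mail the way the slide suggests: compare
where each link says it goes with where it actually goes, and flag plain
HTTP and lookalike domains before anyone clicks.

Added example for this transcript; not NetSPI's code. The trusted host
list, the confusable table and the sample message are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames the reader legitimately logs in to (constructed list).
TRUSTED_HOSTS = {"www.example-bank.com", "login.example-bank.com"}
# Digits attackers commonly swap for letters in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
HOST_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Lower-cased hostname of a URL, or of bare text that looks like one
    ("www.example-bank.com/verify"); None for text such as "Click here"."""
    if "://" not in s:
        s = "http://" + s
    host = urlparse(s).hostname
    if host and HOST_RE.match(host.lower()):
        return host.lower()
    return None


def brand_of(host):
    """Second-level label, e.g. 'example-bank' for 'www.example-bank.com'."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


TRUSTED_BRANDS = {brand_of(h) for h in TRUSTED_HOSTS}


def review_link(href, text):
    """Return a list of human-readable findings for one link (empty = clean)."""
    actual = host_of(href)
    if actual is None:
        return [f"could not parse destination {href!r}"]
    findings = []
    if urlparse(href).scheme.lower() != "https":
        findings.append("plain HTTP: the browser will show no lock")
    shown = host_of(text)
    if shown and shown != actual:
        findings.append(f"text shows {shown} but the link goes to {actual}")
    if actual not in TRUSTED_HOSTS:
        # Undo digit-for-letter swaps, then look for a trusted brand anywhere in
        # the host: catches examp1e-bank.com and www.example-bank.com.evil.test.
        if any(b in actual.translate(CONFUSABLES) for b in TRUSTED_BRANDS):
            findings.append(f"{actual} imitates a trusted domain")
    return findings


def review_message(html):
    """Return [(href, anchor text, findings)] for every link in the message."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, review_link(href, text)) for href, text in parser.links]


# Constructed phishing-style message; ".test" is a reserved TLD.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been locked. Verify it here:</p>
<p><a href="http://www.example-bank.com.account-verify.test/login">www.example-bank.com</a></p>
<p>Or use our new site: <a href="https://examp1e-bank.com/">Example Bank</a></p>
<p>Help: <a href="https://www.example-bank.com/help">https://www.example-bank.com/help</a></p>
"""

if __name__ == "__main__":
    for href, text, findings in review_message(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for f in findings or ["looks consistent"]:
            print("   ", f)
```

Run against the sample, the first link draws all three findings (plain HTTP, display text pointing at the bank while the href goes to a `.test` host, and the bank's name embedded as a subdomain), the second is flagged only as a lookalike even though it uses HTTPS, and the third is clean. The second case is the point of the caveat above: a phishing site can have a perfectly valid certificate and a lock icon, so the domain, not the lock, is what has to be checked.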

Page 50: Declaration of malWARe

Questions?


Comments?

Quarrels?

