Session ID / Session Classification - PDF document (RSA Conference presentation)
Uploaded by valerie on 2021-06-15
Presentation Transcript

1 Session ID: T04 / Session Classification: Intermediate
ADVANCED THREATS AND INTELLIGENT DEFENSE
Amit Yoran, Senior Vice President of Products, RSA

2 Agenda
- Overview of current threats
- Detection and defense

3 Threat Landscape Overview
- Crimeware as a Service (CaaS): DDoS, hacking services
- Crimeware: exploit kits (Eleanor, Liberty, Blackhole, Poison Ivy); botnets (Zeus, Andromeda, SpyEye)
- Malicious Code & Content Networks (Malnets)
- Fraud Networks (Fraudnets)
- Laundering Networks
- Spam, spear phishing and targeted phishing
- Malicious infector sites
- Waterholing sites
- APT campaigns, SMT campaigns, criminal and subnational campaigns

4 Scams are getting cooler
- Betting on "Rock Paper Scissors"
- Usual scam links
- Manufacturer DDoSed after Firefox announcement
- Make sure the CISO is involved in announcements!

5 Fake identities still big business
- Generates fake ID data
- Based upon real people, real data formats
- Data gleaned from social networking sites

6 From APTs to SMTs: evolution of advanced threats (attribution: Gragido/Pirc)

                Advanced Persistent Threat                Subversive Multivector Threat
  Target        Military, intelligence, DIB               Much wider realm: media, financial services
  Methods       Largely exploits technical vulnerability  Union of technical, people and process weaknesses
  Adaptability  Largely linear in nature until the goal   Highly dynamic, based upon the path of least
                is reached                                resistance

7 Example: The VOHO Campaign
- Discovered in July 2012 by RSA FirstWatch
- Infrastructure was shared for multiple threat campaigns
- Trojan payload delivered via browser-based exploits to website visitors
- At first glance appeared to be a "garden variety" drive-by attack
- However, victims seemed to be geographically clustered
- Further research found the campaign used a brand new attack approach utilizing the "water holing" method
- Multistage campaign: redirection with a heavy dependency on JavaScript on two specific domains for the majority of promulgation

8 VOHO Waterholing Attack Flow
- Identify target hosts to compromise: Who do I want to compromise?
- Identify target websites: What websites do they frequent?
- Create "watering hole" malware site: Where can I host my malware?
- Compromise websites to redirect to the watering hole: How do I get my victims to the "watering hole"?

9 VOHO Watering Hole Leveraged
Sample targeted websites (redacted):
- hxxp://www.xxxxxxxxtrust.com
- hxxp://xxxxxxxxxcountymd.gov
- hxxp://xxxxxxcenter.org
- hxxpxxxxxxxpolitics.com
- hxxp://www.xxxxxantennas.com
Water hole site (redacted):
- hxxp://xxxxxxxcurling.com

10 Detection Scenario: indicators defined to help identify the attack
- Look for communication with blacklisted hosts: known C2 sites, known malware domains
- Look for suspect network traffic: "Gh0st" or "HTTPS" in the first 5 packets of a non-RFC-compliant session; use of a web redirect using the xKungFoo script
- Look for Command and Control (C2) IP addresses
- Look for control channel IP addresses
- Parser created

11 The Cyber Kill Chain (attribution: Lockheed Martin)

12 The Traditional Security Paradigm
"Single events are rarely indicative of the scope of an event, and also easily obfuscated."
Content filtering, anti-malware, intrusion detection

13 The "Complex Event" Paradigm: forensic use case
- Detection, investigation
- Miss one event, miss everything.
- Big Data visibility: do you have it?
- Investigative time is of the essence.
- Time-proven methodology, but the ability to connect kill chain points has lacked; high potential for failure.

14 Defense Architecture: to defend you need
- Comprehensive visibility: "See everything happening in my environment and normalize it"
- High-powered analytics: "Give me the speed and smarts to discover and investigate potential threats in near real time"
- Big Data infrastructure: "Need a fast and scalable infrastructure to conduct short-term and long-term analysis"
- Integrated intelligence: "Help me understand what to look for and what others have discovered"

15
- Adversary is getting smarter
- Threats evolving to a complex mix of technology, people and process
- Defense is a combination of visibility, analytics, intelligence
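The detection scenario (slide 10) and the "complex event" paradigm (slides 12 and 13) can be shown together in a small worked example. The Python below is added here for illustration and is not code from the presentation or from RSA: it applies the slide's indicators (blacklisted hosts, RAT magic in the first packets of a session on 443 that is not a TLS handshake, a redirect from a compromised target site to the water hole, the redirect script) to constructed proxy-log lines and session captures, then correlates the single alerts per victim host across kill-chain stages, which is what separates one suspicious event from a campaign. Every hostname, IP address, the proxy-log format, the payload bytes and the assumption that the xKungFoo script shows up as a request for a file of that name are hypothetical; the redacted site names just reuse the slide's x placeholders.

```python
"""Indicator matching plus kill-chain correlation over constructed records.

Added illustration of the VOHO detection scenario and the "complex event"
paradigm; hostnames, IPs, log format and payload bytes are hypothetical.
"""
import re
from collections import defaultdict

# Hypothetical indicator set. Redacted-style names echo the slide's placeholders;
# none of these are the real VOHO indicators.
BLACKLISTED_HOSTS = {"c2.example-bad.net", "drop.example-bad.org"}  # known C2 / malware domains
WATERING_HOLE_HOSTS = {"xxxxxxxcurling.com"}                         # the water hole site
TARGET_SITES = {"xxxxxxxxcountymd.gov", "xxxxxxcenter.org"}          # compromised legitimate sites
REDIRECT_SCRIPT = re.compile(r"xkungfoo", re.IGNORECASE)             # assumed filename of the redirect script
BEACON_MAGIC = (b"Gh0st", b"HTTPS")                                  # RAT magic seen in the first packets

# Constructed proxy log (hypothetical format): seq client_ip method host path status referer
PROXY_LOG = """\
1 10.0.0.5 GET xxxxxxxxcountymd.gov /news.html 200 -
2 10.0.0.5 GET xxxxxxxxcountymd.gov /js/xKungFoo.js 200 http://xxxxxxxxcountymd.gov/news.html
3 10.0.0.5 GET xxxxxxxcurling.com /index.php 200 http://xxxxxxxxcountymd.gov/news.html
4 10.0.0.5 GET xxxxxxxcurling.com /exploit.jar 200 http://xxxxxxxcurling.com/index.php
5 10.0.0.7 GET xxxxxxcenter.org /about.html 200 -
6 10.0.0.9 GET news.example.com /today.html 200 -
"""

# Constructed session captures: (client_ip, dst_host, dst_port, payload of the first 5 packets)
SESSIONS = [
    ("10.0.0.5", "c2.example-bad.net", 443, b"Gh0st\x00\x00\x00\x1a\x78\x9c"),             # RAT on 443, no TLS
    ("10.0.0.7", "news.example.com", 443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),  # real ClientHello
    ("10.0.0.9", "203.0.113.10", 443, b"HTTPS\x00\x00\x00\x10"),                            # magic, unlisted host
]

KILL_CHAIN_ORDER = ["delivery", "exploitation", "c2"]  # the Lockheed Martin stages observable here


def parse_proxy_log(text):
    """Split the constructed proxy format into dicts, one per request."""
    events = []
    for line in text.splitlines():
        seq, client, method, host, path, status, referer = line.split()
        events.append({"seq": int(seq), "client": client, "method": method, "host": host,
                       "path": path, "status": int(status), "referer": referer})
    return events


def referer_host(referer):
    m = re.match(r"https?://([^/]+)", referer)
    return m.group(1) if m else None


def match_proxy_indicators(events):
    """Apply the web-side indicators; return (client, kill-chain stage, detail) tuples."""
    alerts = []
    for e in events:
        if e["host"] in BLACKLISTED_HOSTS:
            alerts.append((e["client"], "c2", f"contact with blacklisted host {e['host']}"))
        if REDIRECT_SCRIPT.search(e["path"]):
            alerts.append((e["client"], "delivery", f"redirect script {e['path']} served by {e['host']}"))
        ref = referer_host(e["referer"])
        if e["host"] in WATERING_HOLE_HOSTS and ref in TARGET_SITES:
            alerts.append((e["client"], "delivery", f"redirected from {ref} to water hole {e['host']}"))
        if e["host"] in WATERING_HOLE_HOSTS and e["path"].endswith((".jar", ".swf", ".exe")):
            alerts.append((e["client"], "exploitation", f"exploit payload {e['path']} from {e['host']}"))
    return alerts


def looks_like_tls(first_packets):
    """A TLS record starts with content type 0x16 (handshake) and major version 0x03."""
    return len(first_packets) >= 3 and first_packets[0] == 0x16 and first_packets[1] == 0x03


def inspect_session(client, dst_host, dst_port, first_packets):
    """Flag a port-443 session that is not a TLS handshake but carries RAT magic."""
    if dst_port == 443 and not looks_like_tls(first_packets):
        for magic in BEACON_MAGIC:
            if magic in first_packets:
                return (client, "c2", f"{magic.decode()} magic to {dst_host}:443 outside a TLS handshake")
    return None


def match_session_indicators(sessions):
    return [a for a in (inspect_session(*s) for s in sessions) if a]


def correlate(alerts, min_stages=2):
    """Complex-event view: group single alerts per victim and keep hosts with
    at least min_stages distinct kill-chain stages, in kill-chain order."""
    by_client = defaultdict(lambda: defaultdict(list))
    for client, stage, detail in alerts:
        by_client[client][stage].append(detail)
    return {client: [s for s in KILL_CHAIN_ORDER if s in stages]
            for client, stages in by_client.items() if len(stages) >= min_stages}


def run():
    alerts = match_proxy_indicators(parse_proxy_log(PROXY_LOG)) + match_session_indicators(SESSIONS)
    return alerts, correlate(alerts)


if __name__ == "__main__":
    found, chains = run()
    for a in found:
        print("ALERT", *a)
    for client, stages in chains.items():
        print("COMPLEX EVENT", client, " -> ".join(stages))
```

Run stand-alone it prints five single alerts, but only 10.0.0.5 is reported as a complex event (delivery -> exploitation -> c2). The 10.0.0.9 host also trips the "HTTPS"-magic indicator, yet with nothing upstream of it the correlator leaves it as an isolated alert to triage, which is the point of slide 12's quote: one event rarely shows the scope.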