
Fight Back Against Java Exploits, Spear-Phishing, Watering Hole Attacks, Drive-by Downloads, Scare-ware, Ransomware, Social Networking Worms…ah…. PJ BIHUNIAK


Post on 01-Apr-2015


TRANSCRIPT

Page 1:

Fight Back Against Java Exploits, Spear-Phishing, Watering Hole Attacks, Drive-by Downloads, Scare-ware, Ransomware, Social Networking Worms…ah….

PJ BIHUNIAK

Page 2:

Riddle Me This…

Hint: Aka – FRAN or STAN

Page 3:

‘11, ‘12 and ’13 (so far) bloodiest years on record…

• “White House” eCard (spear-phishing)
• HBGary Federal (social engineering)
• Night Dragon (spear-phishing)
• London Stock Exchange Website (watering-hole)
• French Finance Ministry (spear-phishing)
• DuPont, J&J, GE (spear-phishing)
• Charlieware (poisoned SEO)
• Nasdaq (spear-phishing)
• Office of Australian Prime Minister (spear-phishing)
• RSA (spear-phishing)
• Epsilon (spear-phishing)
• Barracuda Networks (spear-phishing)
• Oak Ridge National Labs (spear-phishing)
• Lockheed Martin (spear-phishing)
• Northrop Grumman (spear-phishing)
• Gannett Military Publications (spear-phishing)
• PNNL (spear-phishing)
• ShadyRAT (spear-phishing)
• DIB and IC campaign (spear-phishing)
• ‘Voho’ campaign (watering-holes and spear-phishing)
• ‘Mirage’ campaign (spear-phishing)
• ‘Elderwood’ campaign (spear-phishing)
• White House Military Office (spear-phishing)
• Telvent compromise (spear-phishing)
• Council on Foreign Relations (watering hole)
• Capstone Turbine (watering hole)
• RedOctober (spear-phishing)
• Speedtest.net (watering-hole/drive-by)
• DoE (spear-phishing)
• Federal Reserve (spear-phishing)
• Bit9 (TBD)
• NYT, WSJ, WaPo (spear-phishing)
• Apple, Microsoft, Facebook (watering-hole)
• National Journal (watering hole)
• FemmeCorp (watering holes)
• South Korea (spear-phishing)
• 11 Energy Firms (spear-phishing)

Cannot keep this slide up to date…

A Problem of Pandemic Proportions

Page 4:

Competitive Futures Are at Stake

“Theirs” Ours

The good news is…they’re stealing petabytes worth of data…

The bad news is…in time, they’ll have sorted through it all

Page 5:

The Primary Target – The Unwitting Accomplices

The #1 Attack Vector = The User

• Ubiquitous usage of Internet and Email has enabled adversaries to shift tactics
• Prey on human psychology
• Spear Phishing – The New Black
  • Weaponized Attachments
• Drive-by Downloads
  • Malicious sites
• Watering Hole Attacks
  • Hijacked trusted sites
• Trust in social networks
  • Facebook, Twitter, LinkedIn
• Faith in Internet search engines
  • Poisoned SEO
• User Initiated Infections
  • Fake A/V and fear mongering

Page 6:

Alarming Malware Statistics

• 280 million malicious programs detected in April 2012*
• 80,000+ new malware variants daily**
• 134 million web-borne infections detected (48% of all threats) in April 2012*
• 24 million malicious URLs detected in April 2012*
• 30,000+ new malicious URLs daily**
• 95% of APTs involve spear-phishing***
• Organizations witnessing an average of 643 malicious URL events per week***
• 225% increase from 2012***

* Kaspersky April 2012 Threat Report
** Panda Labs Q1 2012 Internet Threat Report
*** FireEye September 2012 Advanced Threats Report
**** Both Mandiant and Trend Micro – 2013 Reports

Page 8:

Java - Getting Bullied…

Page 9:

Enterprise Security Architecture for Addressing APT

Controls surveyed (columns: In Use | Confidence*): Firewalls/Web Proxies, Network Controls, Anti-Virus, Forensics and IR, User Training, App Whitelisting (22% | 49%)

Chart values as extracted for the first five controls (column assignment not recoverable from the transcript): 84%, 66%, 34%, 92%, 64%, 31%, 55%, 52%, 17%, 40%

*Invincea APT Survey Q4 2012

Page 10:

Einstein’s Definition of Insanity

Security Insanity Cycle:

• Patching software as vulnerabilities are made public
• Detecting intruders and infected systems after the fact
• Recovering and restoring the infected machines back to a clean state

Page 11:

Addressing the Critical Vulnerability in Java 7

“Uninstall Java…”

Page 12:

Addressing the Critical Vulnerability in IE

“Stop Using IE…”

Page 13:

Addressing the Pandemic of Spear-Phishing

“Don’t Click on Links You Don’t Trust…”

Page 14:

An Alternative to Bad Advice

Not quite…but pretty darn close…

Page 15:

Rethink Security

If…you could negate user error

And…contain malware in a virtual environment

And…stop zero-days in their tracks without signatures

Then…preventing APTs would be possible

“Making Prevention Possible Again”

Page 16:

Solve the User Problem

Protect the User

(Diagram labels: SOC, Server Appliance, Enterprise Endpoint Application & Data Collection)

Page 17:

Contain the Contaminants

Prevention – Protect every user and the network from their error

Pre-Breach Forensics – Feed actionable forensic intelligence without the breach

Detection – Detect zero-day attacks without signatures

Page 18:

Mapping the APT Kill Chain

Stage 1: Reconnaissance – Research the target

Stage 2: Attack Delivery – Spearphish with URL links and/or attachment

Stage 3: Client Exploit & Compromise – Vulnerability exploited or user tricked into running executable

Stage 4: C2 – Remote Command & Control

Stage 5: Internal Recon – Scan network for targets

Stage 6: Lateral Movement – Colonize network

Stage 7: Establish Persistence – Root presence to re-infect as machines are remediated

Stage 8: Stage Data & Exfil – Archive/encrypt, leak to drop sites

Stage 9: Incident Response – Analysis, remediation, public relations, damage control

Page 19:

Invincea – Breaking the APT Workflow

Containment | Detection | Prevention | Intelligence

• Highly targeted apps run in contained environment
• Behavioral based detection spots all malware including 0-days
• Automatic kill and remediation to clean state
• Forensic intelligence on thwarted attacks fed to broader infrastructure

Threat Data Server

Page 20:

Real World Results 0days K.I.A.

Page 21:

KIA – Speedtest.net Drive-by – Java 7 CVE-2013-0422

Drive-by Download/Watering Hole Attack Thwarted by Invincea

• Exploit running for days on Speedtest.net website (boasts 4 BILLION+ visits)
• Whitelisted or blacklisted website? More than likely whitelisted
• Increasingly common poisoning tactic from adversaries
• Detected without signatures, immediately killed and forensically analyzed by Invincea

www.invincea.com/blog or http://www.invincea.com/2013/02/popular-site-speedtest-net-compromised-by-exploitdrive-by-stopped-by-invincea/

Page 22:

KIA – Adobe Flash CVE-2013-0634

Weaponized Office Document (Word) Used to Spread Adobe 0day (CVE-2013-0634)

• Spoofed document looking like IEEE as the author (community of interest being targeted)
• No protection from anti-virus given 0day nature
• Increasingly common poisoning tactic from adversaries
• Detected without signatures, immediately killed and forensically analyzed by Invincea

www.invincea.com/blog or http://www.invincea.com/2013/02/exploit-down-analysis-and-protection-against-adobe-flash-exploit-cve-2013-0634/

Page 23:

KIA – National Journal Website

Drive-by Download/Watering Hole Attack Thwarted by Invincea

• Exploit running on National Journal website days AFTER initial disclosure (secondary attack?)
• Whitelisted or blacklisted website? More than likely whitelisted
• Running Fiesta/ZeroAccess Exploit Kit – attacking 2 Java vulnerabilities
• Detected without signatures, immediately killed and forensically analyzed by Invincea

www.invincea.com/blog or http://www.invincea.com/2013/03/kia-nationaljournal-com-pushing-malware-through-fiesta-ek-killed-with-invincea/

Page 24:

Steve Ward: [email protected]

Go ahead…spear-phish me!

www.invincea.com Twitter: @Invincea

Want a t-shirt? Drop a note to [email protected] – only one catch, you’ve got to tweet a pic of you wearing it!

Let’s Get Moving