ppt trustwave_aus13.pdf
TRANSCRIPT
-
8/11/2019 PPT Trustwave_Aus13.pdf
1/23
MIND THE BROWSER
Understanding and Defending Against User-Targeted Attacks
Introductions
- Marc Bown
  Managing Consultant, Trustwave SpiderLabs
  Background in Penetration Testing, Application Security and Incident Response
- Rahul Samant
  Trustwave Solutions Engineer
  Background in web security solutions
Agenda
- Attacker motives
- Reasons to target the end-user
- Trends
- Vulnerabilities
- Anatomy of a client-side attack
- Mitigation techniques
What is a User-Targeted Attack?
(Diagram: Corporate Network and Server Infrastructure, contrasting a Traditional Attack with a User-Targeted Attack)
Examples
- Client-side or user-targeted attacks are very common now
Attacker Motives
- Financial
  - Botnet recruitment
    - DDoS
    - Bitcoin mining?
  - IP theft
  - Payment fraud (Credit Card / Internet banking)
- Intelligence Gathering
- Ideological
Why the Browser?
- It's easy!
  - Patch management challenges
  - Availability of exploit kits
  - Ubiquity of browsers
- Attacks are difficult to prevent with signature-based A/V
- Users have access to target data
- There are a huge number of potential victims
Vulnerabilities
(Chart: Component Vulnerabilities 2012 for Microsoft IE, Adobe Flash and Oracle JRE; series: CVEs, 3rd-party, 0-day)
Anatomy of an Attack
(Diagram, steps 1-2: Watering Hole / Drive-By Attack)
Anatomy of an Attack
(Diagram, steps 1-3: Targeted E-mail Campaign Including Malicious Link)
Exploit Availability
(Timeline chart, Jan/12 to Dec/12, of exploit kits available during 2012)
- CritxPack
- Serenity Exploit Pack
- Nuclear Exploit Pack
- Spack
- SAKURA Exploit Kit 1.X
- Red Private Kit
- Phoenix
- Nuclear Pack v2.0
- Incognito
- Cool Exploit Kit
- Bleeding Life 2
- Blackhole 2.0.1
- Blackhole 1.2.x
Blackhole 1.2.1
Blackhole
Mitigation techniques
- Signature based AV
- URL category filtering
- Reputation filtering
- Sandboxing
- Trustwave Malware Entrapment Engine
Signature based AV
- 2007: Total signatures 15 Million
- 2013: Already up to 23 Million
- >5 Million signatures per year
- Code-obfuscation: the same call, split so that no fixed byte pattern matches it
  document.write("BAD");
  document.write("BA" + "D");
  document.write("B" + "AD");
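The following is an added example, not code from the slides or from Trustwave, showing concretely why the three variants above defeat a signature and what it takes to see through them. The marker string "BAD" stands in for a real signature, and the four sample scripts are constructed for the demo (the fourth builds the string at run time, which the slides do not show). Three checks are run over each sample: a raw substring match, a match after statically folding adjacent string literals, and a match on what the script actually writes when executed against a fake `document`.

```javascript
// Added example (not from the original slides). Why substring signatures
// miss trivially obfuscated script, and two ways to recover detection.
// SIGNATURE and SAMPLES are constructed for this demo.

const SIGNATURE = 'BAD'; // stand-in for a real byte-pattern signature

// Constructed samples mirroring the slide's three document.write variants,
// plus one that assembles the string at run time.
const SAMPLES = {
  plain:   'document.write("BAD");',
  split1:  'document.write("BA" + "D");',
  split2:  'document.write("B" + "AD");',
  runtime: 'var p = ["B", "A", "D"]; document.write(p.join(""));',
};

// 1. Naive signature scan: substring match on the raw page source.
function signatureHit(source) {
  return source.includes(SIGNATURE);
}

// 2. Static normalisation: fold "BA" + "D" into "BAD" before matching.
//    Only handles literal + literal; anything computed at run time slips by.
function foldStringConcats(source) {
  const adjacentLiterals = /"([^"\\]*)"\s*\+\s*"([^"\\]*)"/;
  let previous;
  do {
    previous = source;
    source = source.replace(adjacentLiterals, (_, a, b) => '"' + a + b + '"');
  } while (source !== previous);
  return source;
}

function foldedSignatureHit(source) {
  return signatureHit(foldStringConcats(source));
}

// 3. Dynamic analysis: execute the script with a fake `document` that records
//    what gets written, then match on the observed output, not the source.
//    Isolation here is only parameter shadowing; a real engine runs the code
//    in a separate interpreter and never uses new Function on live traffic.
function dynamicSignatureHit(source) {
  const written = [];
  const fakeDocument = { write: (s) => written.push(String(s)) };
  try {
    new Function('document', 'window', source)(fakeDocument, {});
  } catch (e) {
    // A crash is itself a signal in practice; the demo treats it as no output.
  }
  return written.some((s) => s.includes(SIGNATURE));
}

// Run all three checks over every sample and return the verdict table.
function analyseAll() {
  const results = {};
  for (const [name, src] of Object.entries(SAMPLES)) {
    results[name] = {
      raw: signatureHit(src),
      folded: foldedSignatureHit(src),
      dynamic: dynamicSignatureHit(src),
    };
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(analyseAll());
}
```

Only the unobfuscated sample trips the raw signature. Constant folding recovers the two literal splits but not the run-time join; only observing the script's behaviour catches all four, which is the gap the later slides on sandboxing and real-time code analysis are about.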
Sandboxing
- Pros
  - Can detect previously unknown/unseen malware
  - Can detect targeted zero-day malware
  - Excellent discovery, forensics and reporting
- Cons
  - Cannot be done inline
  - Cannot scan 100% of traffic
  - Not preventative
  - Implementations are fairly complex
Trustwave Malware Entrapment Engine
- Analyses web pages in order to determine the true intent of the code
- Deconstructs the web code to its constituent algorithms to detect malicious intent
  - Static code analysis
  - Dynamic code analysis
  - Dynamic web-repair
  - Virtual vulnerability patching
- Detects the activity that leads up to the introduction of a malicious payload, rather than just analysing the eventual payload
Real Time Code-Analysis - Pros & Cons
- Pros
  - Done inline for 100% of traffic
  - Can detect and block previously unknown/unseen malware
  - Can detect and block targeted zero-day malware
- Cons
  - Requires more resources in order to maintain low latency
  - Not a replacement for legacy techniques such as AV
How effective is it?
- 4 Java exploits seen in the wild since last year
  - CVE-2013-1493
  - CVE-2013-0422
  - CVE-2012-4681
  - CVE-2012-1723
- 3 IE exploits seen in the wild since last year
  - CVE-2013-1347
  - CVE-2012-4969
  - CVE-2012-4792
- All detected and blocked out-of-the-box from day zero
- No need for signatures/updates/rule changes etc.
QUESTIONS?