SANS Cyber Threat Intelligence Summit: Recent Threat Trend Analysis (PDF slide deck, 14 pages)

Upload: doxuyen · Posted 06-Mar-2018


TRANSCRIPT

Page 1

McAfee Confidential—Internal Use Only

SANS Cyber Threat Intelligence Summit Recent Threat Trend Analysis

Scott Montgomery

VP, CTO Public Sector

[email protected]

+1 240 498 2941 m

Page 2


A nasty math problem

[Diagram: device types on the network: servers, PC, laptop, email, database, USB, smartphone, routing/switching, cloud, virtual environment, SAN, VoIP, tablet, embedded devices, wireless, apps]

1 billion devices today; 15 billion connected devices by 2015; 100 billion connected devices by 2020

Security challenges:

• 469,000 unique malware samples discovered weekly

• 83% of organizations hit by Advanced Persistent Threats

• Flat to down IT/IS budgets

• Flat number of trained practitioners

Page 3


Industrial Attacks Will Mature

[Figure: Siemens PLCs; nuclear enrichment centrifuges; Stuxnet proliferation]

Stuxnet proved that malicious code can create a real world, kinetic response. Recent incidents directed at water utilities in the United States show that these facilities are of increasing interest to attackers. The more attention is focused on SCADA and infrastructure systems, the more insecurity seems to come to light. We expect to see this insecurity lead to greater threats through exploit toolkits and frameworks as well as the increased targeting of utilities and energy ICS systems in particular.

Page 4

Things to Come

Page 5

Threats Moving To Mobile Devices

2 billion new mobile endpoints in 2013!!

Source: McAfee Labs, Q1, 2013

Page 6

Storage Stack Attacks

As operating systems and applications have become more “hardened” against attack, cybercriminals have turned their attention to more vulnerable subsystems. The “storage stack” is an increasingly popular target as a successful Master Boot Record attack allows the target to be rooted and either added to a botnet or otherwise compromised.
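The defensive counterpart to the MBR attack described above is to baseline the first sector of a disk and alert when it changes. The following is an added example, not code from the McAfee deck: it parses a 512-byte MBR (bootstrap code, four partition entries, 0x55AA signature), hashes the bootstrap region, and compares it against a stored baseline. The sample MBRs are constructed inline so the check runs offline; on a live Linux host one would instead read the first 512 bytes of the raw device (for example /dev/sda, which requires root) and store the baseline hash off-host.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"          # bytes 510..511 of a valid MBR
PARTITION_TABLE_OFFSET = 446          # bootstrap code occupies bytes 0..445
PARTITION_ENTRY_SIZE = 16             # four 16-byte entries follow the code


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap hash, partition table and signature status."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + PARTITION_ENTRY_SIZE])
        if ptype != 0:  # type 0 means the slot is unused
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "bootstrap_sha256": hashlib.sha256(mbr[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(mbr: bytes, baseline_bootstrap_sha256: str) -> list:
    """Return findings for an MBR; an empty list means it matches the known-good baseline."""
    findings = []
    parsed = parse_mbr(mbr)
    if not parsed["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if parsed["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from baseline")
    if sum(1 for p in parsed["partitions"] if p["bootable"]) > 1:
        findings.append("more than one partition flagged bootable")
    return findings


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a raw device or disk image (hypothetical path, needs privileges)."""
    with open(device_path, "rb") as fh:
        return fh.read(MBR_SIZE)


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed sample MBR: bootstrap padded to 446 bytes, one bootable type-0x07 partition."""
    code = bootstrap.ljust(PARTITION_TABLE_OFFSET, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1048576)
    table = entry + b"\x00" * (3 * PARTITION_ENTRY_SIZE)
    return code + table + BOOT_SIGNATURE


# Constructed known-good MBR, its baseline hash, and a copy whose bootstrap code was replaced
GOOD_MBR = build_sample_mbr(b"\xEB\x63\x90" + b"\x90" * 40)
BASELINE = parse_mbr(GOOD_MBR)["bootstrap_sha256"]
TAMPERED_MBR = build_sample_mbr(b"\xEB\x63\x90" + b"\xCC" * 40)

if __name__ == "__main__":
    print("good:", check_mbr(GOOD_MBR, BASELINE))          # []
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))  # ['bootstrap code differs from baseline']
```

The bootstrap region is hashed separately from the partition table because legitimate partitioning tools rewrite the table while leaving the boot code alone; a change to the boot code with no corresponding administrative action is the signal worth paging on.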

Page 7

Rootkit Attacks

Page 8

Subverting Digital Signature Authentication

[Chart: New Signed PC Malware, cumulative count per quarter from Q3 2011 to Q3 2013; y-axis 0 to 1,800,000]

Page 9

Autorun Detection

February 2012

Page 10

Ransomware

The fastest growing category of non-mobile malware is ransomware. When used against an individual it generally involves encrypting a user’s hard drive and “ransoming” the key to unlock it. When used against an enterprise it typically involves extorting money in exchange for not releasing confidential data that has been previously stolen.

[Chart: New Ransomware Samples per quarter, Q1 2010 to Q4 2012; y-axis 0 to 250,000]

Page 11

Network Threat Trends

The leading network threat this quarter came via Microsoft remote procedure calls. This was followed by a very close race between SQL-injection and cross-site scripting attacks. These two attacks are very much remote in nature, meaning they can be launched at selected targets around the globe.

Top Network Threat by Type:

• Remote Procedure Call 26%

• SQL Injection 21%

• Cross-Site Scripting 19%

• Browser 15%

• CGI Command Execution 12%

• Others 7%

Page 12

APT Network Security Attack

[Diagram: Internet, users & partners, SaaS, branch office, corporate LAN]

Reconnaissance • Map org chart (identify attack targets) • Social reconnaissance (acquire email, IM, etc.) • Recruit, blackmail insiders

Social Engineering / Targeted Malware • Phishing email (malicious PDF, DOC, etc. w/shellcode) • Candy drops around bldg (thumb drives, DVDs) • Gain physical access (impersonate cleaning crew, etc.)

Establish Covert Backdoor • Gain elevated user privileges • Laterally move within network & establish backdoors • Inject additional malware

Establish Command & Control Infrastructure • Install system admin tools (keyloggers, Trojans, etc.) • Establish encrypted SSL tunnel

Complete Objectives • Exfiltrate intellectual property, trade secrets • Install Trojans in source code • Control critical systems

Maintain Persistence • Revamp malware to avoid detection • Utilize other attack methods to maintain presence • Continue monitoring networks, users, data

Page 13


Whitelisting vs. Blacklisting

[Diagram: device classes placed along an ad-hoc / static / planned spectrum: NetBook, consumer PC, kiosks, medical devices, SCADA systems, ATMs, printer servers, corporate desktop, rugged platforms, tactical systems]

Page 14