TRANSCRIPT
McAfee Confidential—Internal Use Only
SANS Cyber Threat Intelligence Summit Recent Threat Trend Analysis
Scott Montgomery
VP, CTO Public Sector
+1 240 498 2941 m
A nasty math problem
(Slide graphic: device types shown were servers, PCs, laptops, databases, USB, smartphones, routing/switching, cloud, virtual environments, SAN, VoIP, tablets, embedded devices, wireless, and apps.)
1 billion devices; 15 billion connected devices by 2015; 100 billion connected devices by 2020.
Security Challenges:
• 469,000 unique malware samples discovered weekly
• 83% of organizations hit by Advanced Persistent Threats
• Flat to down IT/IS budgets
• Flat number of trained practitioners
Industrial Attacks Will Mature
(Slide graphic: Siemens PLCs, nuclear enrichment centrifuges, Stuxnet proliferation.)
Stuxnet proved that malicious code can create a real-world, kinetic response. Recent incidents directed at water utilities in the United States show that these facilities are of increasing interest to attackers. The more attention is focused on SCADA and infrastructure systems, the more insecurity comes to light. We expect this insecurity to lead to greater threats through exploit toolkits and frameworks, as well as increased targeting of utilities and energy-sector ICS in particular.
Things to Come
Threats Moving To Mobile Devices
2 billion new mobile endpoints in 2013.
Source: McAfee Labs, Q1 2013
Storage Stack Attacks
As operating systems and applications have become more "hardened" against attack, cybercriminals have turned their attention to more vulnerable subsystems. The "storage stack" is an increasingly popular target: code planted in the Master Boot Record runs before the operating system and its security software load, so a successful MBR attack allows the target to be rooted and either added to a botnet or otherwise compromised.
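Because an MBR bootkit has to change the 446 bytes of bootstrap code (or the partition table that follows it) to get control before the operating system, an integrity check over the first sector is a cheap detection. The following is an added example, not code from the presentation or from McAfee: it parses a BIOS-style MBR and compares the bootstrap hash and partition layout against a baseline. The sample MBR bytes, the baseline hash and the expected first-partition LBA are constructed for the example; on a real host the baseline comes from a trusted image of the disk.

```python
"""Parse a BIOS Master Boot Record and flag signs of bootkit tampering.

Added example, not from the original presentation. It relies only on the
standard MBR layout: 446 bytes of bootstrap code, four 16-byte partition
entries, and the 0x55AA signature in the last two bytes. The "known good"
bootstrap bytes below are a constructed stand-in for real x86 boot code.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_SIZE = 446
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partition_table(mbr):
    """Return the four partition entries as dicts (CHS fields are skipped)."""
    entries = []
    for i in range(4):
        off = BOOTSTRAP_SIZE + i * ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr, baseline_bootstrap_sha256, expected_first_lba):
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    if len(mbr) != MBR_SIZE:
        return ["unexpected MBR length %d" % len(mbr)]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    # Bootkits overwrite the bootstrap code so their loader runs before the OS;
    # hashing the first 446 bytes catches any such change.
    if hashlib.sha256(mbr[:BOOTSTRAP_SIZE]).hexdigest() != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from baseline")
    entries = [e for e in parse_partition_table(mbr) if e["type"] != 0]
    bootable = [e for e in entries if e["bootable"]]
    if len(bootable) != 1:
        findings.append("%d partitions flagged bootable, expected 1" % len(bootable))
    # Some bootkits stash their payload in the gap before the first partition;
    # a moved first partition is one visible symptom.
    if entries and min(e["lba_start"] for e in entries) != expected_first_lba:
        findings.append("first partition does not start at expected LBA")
    # Overlapping entries point to a hand-edited table.
    ordered = sorted(entries, key=lambda e: e["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append("partition %d overlaps partition %d" % (a["index"], b["index"]))
    return findings


def build_mbr(bootstrap, partitions):
    """Assemble a 512-byte MBR from bootstrap code and (status, type, lba, sectors) tuples."""
    body = bootstrap.ljust(BOOTSTRAP_SIZE, b"\x00")
    table = b"".join(struct.pack("<B3xB3xII", s, t, lba, n) for s, t, lba, n in partitions)
    return body + table.ljust(4 * ENTRY_SIZE, b"\x00") + BOOT_SIGNATURE


# Constructed stand-in for a legitimate bootstrap (real ones fill all 446 bytes).
GOOD_BOOTSTRAP = bytes.fromhex("fa33c08ed0bc007c8bf05007501ffbfcbf0006b90001f2a5ea1d060000")
BASELINE_SHA256 = hashlib.sha256(GOOD_BOOTSTRAP.ljust(BOOTSTRAP_SIZE, b"\x00")).hexdigest()
FIRST_LBA = 2048  # constructed baseline: first partition starts at sector 2048
LAYOUT = [(0x80, 0x83, FIRST_LBA, 204800), (0x00, 0x82, 206848, 8192)]

GOOD_MBR = build_mbr(GOOD_BOOTSTRAP, LAYOUT)
# Same partition table, but the first instruction is now a short jump elsewhere,
# the kind of change a bootkit makes and a hash baseline is meant to catch.
TAMPERED_MBR = build_mbr(b"\xeb\x3d" + GOOD_BOOTSTRAP[2:], LAYOUT)
# A second bootable flag and a partition entry that overlaps the first one.
BAD_TABLE_MBR = build_mbr(GOOD_BOOTSTRAP, [(0x80, 0x83, FIRST_LBA, 204800), (0x80, 0x82, 100000, 8192)])

if __name__ == "__main__":
    for name, mbr in (("good", GOOD_MBR), ("tampered", TAMPERED_MBR), ("bad-table", BAD_TABLE_MBR)):
        print(name, check_mbr(mbr, BASELINE_SHA256, FIRST_LBA) or "clean")
```

To run this against a live disk, read the first 512 bytes of the raw device (for example `/dev/sda` on Linux) and pass them to `check_mbr` with a hash recorded from a known-good image of the same host; a hash mismatch alone is not proof of a bootkit (a legitimate boot-loader update changes it too), but it is the first thing to pull the disk image for.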
Rootkit Attacks
Subverting Digital Signature Authentication
(Chart: New Signed PC Malware, quarterly counts from Q3 2011 through Q3 2013; vertical axis 0 to 1,800,000.)
Autorun Detection (February 2012)
Ransomware
The fastest growing category of non-mobile malware is ransomware. When used against an individual it generally involves encrypting a user's hard drive and "ransoming" the key to unlock it. When used against an enterprise it typically involves extorting money in exchange for not releasing confidential data that has been previously stolen.
(Chart: New Ransomware Samples, quarterly counts from Q1 2010 through Q4 2012; vertical axis 0 to 250,000.)
Network Threat Trends
The leading network threat this quarter came via Microsoft remote procedure calls (RPC). This was followed by a very close race between SQL injection and cross-site scripting attacks. These two attacks are very much remote in nature, meaning they can be launched at selected targets around the globe.
Top Network Threat by Type:
Remote Procedure Call 26%
SQL Injection 21%
Cross-Site Scripting 19%
Browser 15%
CGI Command Execution 12%
Others 7%
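The three request-level categories in the chart (SQL injection, cross-site scripting, CGI command execution) leave their payloads in the URL, so a first pass over web server access logs can surface them; RPC attacks are not HTTP and would need a packet-level parser instead. The following is an added example, not code from the presentation or from McAfee: a small signature set applied to constructed Common Log Format lines. The signatures are deliberately minimal, and the double URL-decoding is there because attackers nest encodings; treat it as a triage aid, not a WAF.

```python
"""Flag SQL injection, cross-site scripting and CGI command execution
attempts in web server access logs.

Added example, not from the original presentation. The log lines are
constructed in Common Log Format with documentation-range IP addresses;
the signatures are a deliberately small first-pass set.
"""
import re
from urllib.parse import unquote_plus

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

SIGNATURES = {
    # quote-balancing tautologies, UNION-based extraction, stacked statements, trailing comment
    "sql_injection": re.compile(
        r"('\s*(or|and)\s+[\w']+\s*=\s*[\w']+|union\s+(all\s+)?select|;\s*(drop|insert|update)\s|--\s*$)",
        re.I),
    # script tags, javascript: URLs, inline event handlers
    "cross_site_scripting": re.compile(r"(<script\b|javascript:|on(error|load|mouseover)\s*=)", re.I),
    # a shell metacharacter followed by a common command inside a /cgi-bin/ query string
    "cgi_command_execution": re.compile(
        r"/cgi-bin/[^?]*\?.*(;|\||`|\$\()\s*(cat|ls|id|wget|curl|nc|sh)\b", re.I),
}


def classify_request(path):
    """Decode the request path twice (attackers nest encodings) and return matching attack classes."""
    decoded = unquote_plus(unquote_plus(path))
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan_log(lines):
    """Return (client_ip, request_path, [classes]) for each line matching at least one signature."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        classes = classify_request(m.group("path"))
        if classes:
            hits.append((m.group("ip"), m.group("path"), classes))
    return hits


def hits_by_source(hits):
    """Count matched requests per client, the view to pivot on during triage."""
    counts = {}
    for ip, _path, _classes in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample log: one benign request, four attack attempts, one junk line.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2013:11:02:13 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Mar/2013:11:02:20 +0000] "GET /login.php?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 812',
    '198.51.100.4 - - [10/Mar/2013:11:05:41 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4301',
    '198.51.100.4 - - [10/Mar/2013:11:06:02 +0000] "GET /cgi-bin/status.cgi?host=127.0.0.1;cat%20/etc/passwd HTTP/1.1" 500 233',
    '192.0.2.9 - - [10/Mar/2013:11:09:55 +0000] "GET /products?id=10%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 200 9012',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, path, classes in found:
        print(ip, ", ".join(classes), path)
    print(hits_by_source(found))
```

Two caveats a practitioner should keep in mind: `unquote_plus` turns `+` into a space, which is right for form-encoded query strings but can produce false positives in paths that legitimately contain `+`, and regex signatures of this kind are trivially evaded with comments, case tricks or alternative encodings, which is why the per-source counts matter more than any single match.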
APT Network Security Attack
(Diagram: attack path from the Internet through users and partners, SaaS and a branch office into the corporate LAN. Stages, in order from first to last:)
Reconnaissance • Map org chart (identify attack targets) • Social reconnaissance (acquire email, IM, etc.) • Recruit or blackmail insiders
Social Engineering / Targeted Malware • Phishing email (malicious PDF, DOC, etc. with shellcode) • "Candy drops" around the building (thumb drives, DVDs) • Gain physical access (impersonate cleaning crew, etc.)
Establish Covert Backdoor • Gain elevated user privileges • Move laterally within the network and establish backdoors • Inject additional malware
Establish Command & Control Infrastructure • Install system admin tools (keyloggers, Trojans, etc.) • Establish encrypted SSL tunnel
Complete Objectives • Exfiltrate intellectual property and trade secrets • Install Trojans in source code • Control critical systems
Maintain Persistence • Revamp malware to avoid detection • Utilize other attack methods to maintain presence • Continue monitoring networks, users, data
Whitelisting vs. Blacklisting
(Diagram: platforms placed along a spectrum labelled AD-HOC, STATIC and PLANNED. Platforms shown: NetBook, Consumer PC, Kiosks, Medical Devices, SCADA Systems, ATMs, Printer Servers, Corporate Desktop, Rugged Platforms, Tactical Systems.)