The Threat Landscape Has Changed: Beyond Anti-Spam and Anti-Virus
DESCRIPTION
INBOX The Messaging Industry Event
Track: SECURITY, PRIVACY, COMPLIANCE | 10:15 AM - 11:15 AM
S1: The Threat Landscape has Changed: Moving Beyond Anti-spam and Anti-virus
Today, email filtering is more than just anti-spam and anti-virus. Complex threats, combined with the fact that many spammers are also hackers, mean that organizations need to take a preemptive, multi-layered approach to email security to keep business-critical email flowing. This session will examine in depth the latest preemptive techniques for staying ahead of email threats, such as profiling malicious behavior to identify, analyze and block suspicious behaviors in file attachments and executable code before they can infiltrate the network. The discussion will focus on how companies can leverage these techniques to proactively address entire classes of threats rather than on a case-by-case basis, which is where the future of email security lies.
SPEAKER: Eric Hanselman, Network Protection Architect, IBM Internet Security Systems
TRANSCRIPT
IBM Global Services
04/08/23 © 2007 IBM Corporation
IBM Internet Security Systems
Ahead of the threat.™
The Threat Landscape Has Changed: Moving Beyond Anti-Spam and Anti-Virus
Eric Hanselman, CISSP
Network Protection Architect
Email Management: An Ongoing Problem
Has always been an issue
Too easy an access path
– Ubiquitous, anonymous access
Too critical to block
Cycles of control
– Problem is getting worse…
The Problem is Complex
Spam
Attacks
Content management
–Intellectual property
–Legal liabilities
Nefarious Goals are Blending
Product sales
Stock manipulation
Money laundering
Bot recruitment
Data Theft
– Phishing
– Keystroke loggers
The Mule Trade
Registrant: Said Mahmod
[email protected]
+96.485743234
Said Mahmod inc.
Gavi-ayesh 34 21
Reeayad, Reeayad, PALESTINIAN TERRITORY, OCCUPIED
7849343
Domain Name: elxtrading.com
Record last updated at 2007-03-02 10:27:15
Record created on 2007/3/2
Record expired on 2008/3/2
Queried whois.apnic.net with "58.65.236.129"...
% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 58.65.232.0 - 58.65.239.255
netname: HOSTFRESH
descr: HostFresh
descr: Internet Service Provider
country: Hong Kong
[email protected] - TLD “.CC” is for the Cocos (Keeling) Islands
+96.485743234 - International telephone country codes: +96x is for the “Middle East” (Iraq, Jordan, Kuwait, Lebanon, Maldives, Oman, Saudi Arabia, Syria, Yemen); +964 is for IRAQ
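The slide above cross-checks three independent fields of one registration record (the e-mail TLD, the telephone country code and the claimed postal address) and finds that they disagree, and it notes that the domain was created days before the mail was seen. The following Python script is an added example, not part of the presentation: it automates that cross-check on a constructed record modelled on the slide's data. The lookup tables are deliberately tiny and are assumptions for the example, the e-mail address is a placeholder because the slide's is redacted, and the reference date is chosen so that the domain is only a few days old.

```python
import re
from datetime import date

# Constructed sample record, modelled on the registration data reproduced on the
# slide. The registrant's e-mail address is redacted on the slide, so
# "registrant@example.cc" is a placeholder that keeps only the ".cc" TLD.
WHOIS_RECORD = """\
Domain Name: elxtrading.com
Registrant: Said Mahmod registrant@example.cc +96.485743234
Address: Gavi-ayesh 34 21 Reeayad, Reeayad, PALESTINIAN TERRITORY, OCCUPIED
Record created on 2007/3/2
Record expired on 2008/3/2
"""

# Deliberately tiny lookup tables (an assumption for the example); a production
# checker would load the full ITU calling-code and IANA ccTLD lists.
PHONE_PREFIX_TO_ISO = {"964": "IQ", "966": "SA", "970": "PS", "852": "HK"}
TLD_TO_ISO = {"cc": "CC", "hk": "HK", "ps": "PS", "iq": "IQ"}
COUNTRY_NAME_TO_ISO = {
    "PALESTINIAN TERRITORY, OCCUPIED": "PS",
    "IRAQ": "IQ",
    "HONG KONG": "HK",
    "SAUDI ARABIA": "SA",
}
MAX_DOMAIN_AGE_DAYS = 30  # domains younger than this are treated as suspicious


def parse_record(text):
    """Pull the fields the cross-check needs out of a whois-style record."""
    rec = {}
    m = re.search(r"Domain Name:\s*(\S+)", text)
    rec["domain"] = m.group(1).lower() if m else None
    m = re.search(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", text)
    rec["email"] = m.group(0) if m else None
    m = re.search(r"\+[\d.]+", text)
    rec["phone"] = m.group(0) if m else None
    m = re.search(r"Address:\s*(.*)", text)
    address = m.group(1).upper() if m else ""
    rec["claimed_country"] = next(
        (iso for name, iso in COUNTRY_NAME_TO_ISO.items() if name in address), None)
    m = re.search(r"Record created on (\d{4})/(\d{1,2})/(\d{1,2})", text)
    rec["created"] = date(*map(int, m.groups())) if m else None
    return rec


def phone_country(phone):
    """Map a dialling prefix to a country, longest prefix first (+96.4... -> 964)."""
    digits = re.sub(r"\D", "", phone)
    for n in (3, 2, 1):
        iso = PHONE_PREFIX_TO_ISO.get(digits[:n])
        if iso:
            return iso
    return None


def email_country(email):
    """Map the e-mail address's top-level domain to a country, if it is a ccTLD."""
    return TLD_TO_ISO.get(email.rsplit(".", 1)[-1].lower())


def check_registrant(rec, today):
    """Return the inconsistencies between the record's independent fields."""
    findings = []
    claimed = rec["claimed_country"]
    by_phone = phone_country(rec["phone"]) if rec["phone"] else None
    if claimed and by_phone and by_phone != claimed:
        findings.append(f"phone prefix points to {by_phone}, address claims {claimed}")
    by_email = email_country(rec["email"]) if rec["email"] else None
    if claimed and by_email and by_email != claimed:
        findings.append(f"e-mail TLD points to {by_email}, address claims {claimed}")
    if rec["created"]:
        age = (today - rec["created"]).days
        if age < MAX_DOMAIN_AGE_DAYS:
            findings.append(f"domain registered only {age} days ago")
    return findings


def analyze(text=WHOIS_RECORD, today="2007-03-05"):
    """Parse and cross-check a record; the default date is days after creation."""
    return check_registrant(parse_record(text), date.fromisoformat(today))


if __name__ == "__main__":
    for finding in analyze():
        print("-", finding)
```

Each test on its own is weak evidence (a registrant may legitimately use a foreign mailbox), which is why the checker reports all findings rather than a single verdict; the combination of three disagreeing fields on a days-old domain is what makes the record on the slide stand out.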
Profit Motivates Innovation
There is a lot of money to be made!
Senders are smart
–Techniques are evolving
Spam and attack traffic are converging!
Two Traditional Paths of Defense
Anti-spam
– Block known bad senders
• RBLs
– Block known bad words
– Block known bad paths
Anti-Virus
– Block known bad attachments
We expect some will get through!
Sender Innovations
Spread the senders
– Botnet spam agents
Obscure the words
– Image spam
Multiply the paths
Morph the attachments
– Polymorphic encoding
Embed new attacks
Image Spam Gets Smarter
Techniques Get Smarter
Avoiding Detection
Senders are stealthy
– No news is good news!
Techniques are quieter
– Stay under the radar
– Slip between the cracks
Targets are smaller
Keeping victims quiet
– Social engineering
A Tale of Two Bots
Similar roots
– Use self-replicating worm techniques to infect hosts via email
– Establish a connection to a bot network to download additional components
• Future activities are limitless
Stration
– Great polymorphic encoder
SpamThru
– Brings its own Anti-Virus
– GIF tools
Masking By Morphing
Polymorphic encoder beats Anti-Virus protections
High volumes increase success probabilities
Self-Modifying Malware – Stration
Number of Variants Captured
8/16/06 to 11/26/06
Next Generation Payloads
Script-based obfuscation
– Payload is hidden by JavaScript
– Can pass built-in encoder
Additional hiding capabilities
– Very hard to see in transit
– Depends on interpretation on the endpoint
We can’t count on clean-up
We can’t allow any to succeed
How to Approach Protection
Staunch the flow
– Better mail stream filtering
– Limit user choices
Protect at the end points
– The only place to catch them
– Ultimate user protection
Staunching the Flow
Traditional techniques need a priori knowledge
– Elusive at best…
– Bad Stuff is Hard to Predict
Time is required for analysis
– Delay causes scaling problems
Statistical analysis
– An a posteriori technique
– Good for large volumes
Some still gets through
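Statistical filtering, as an added example that is not part of the presentation: a multinomial naive Bayes classifier trained on a handful of constructed messages. It illustrates the a posteriori nature of the technique (the filter knows nothing until labelled mail has been seen, and it needs volume to become accurate) and one reason some mail still gets through: a message whose content is carried entirely in an image yields no text tokens, so the classifier can only fall back to its prior. The training corpus and test messages are constructed for the example.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$]+")


def tokenize(text):
    """Lower-case word tokens; an image-only message yields an empty list."""
    return TOKEN_RE.findall(text.lower())


class NaiveBayesFilter:
    """Multinomial naive Bayes with Laplace (add-alpha) smoothing."""

    LABELS = ("spam", "ham")

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.word_counts = {label: Counter() for label in self.LABELS}
        self.doc_counts = {label: 0 for label in self.LABELS}
        self.vocab = set()

    def train(self, text, label):
        """Learn from one labelled message: the a posteriori step."""
        tokens = tokenize(text)
        self.doc_counts[label] += 1
        self.word_counts[label].update(tokens)
        self.vocab.update(tokens)

    def _log_posterior(self, tokens, label):
        """log P(label) + sum log P(token | label), unnormalised."""
        total = sum(self.word_counts[label].values())
        denom = total + self.alpha * len(self.vocab)
        prior = self.doc_counts[label] / sum(self.doc_counts.values())
        score = math.log(prior)
        for tok in tokens:
            score += math.log((self.word_counts[label][tok] + self.alpha) / denom)
        return score

    def spam_probability(self, text):
        """P(spam | text), normalised over the two classes in log space."""
        tokens = tokenize(text)
        ls = self._log_posterior(tokens, "spam")
        lh = self._log_posterior(tokens, "ham")
        m = max(ls, lh)  # subtract the max to avoid underflow on long messages
        return math.exp(ls - m) / (math.exp(ls - m) + math.exp(lh - m))

    def classify(self, text, threshold=0.5):
        return "spam" if self.spam_probability(text) >= threshold else "ham"


# Constructed training corpus, far smaller than any real filter would use.
SPAM_SAMPLES = [
    "buy xyz stock now huge profit guaranteed",
    "cheap meds online no prescription best price",
    "hot stock alert xyz will explode buy today",
]
HAM_SAMPLES = [
    "meeting tomorrow at 10 please review the agenda",
    "attached is the quarterly report for review",
    "can you send the updated budget before the meeting",
]


def build_filter():
    """Train a filter on the constructed corpus and return it."""
    f = NaiveBayesFilter()
    for text in SPAM_SAMPLES:
        f.train(text, "spam")
    for text in HAM_SAMPLES:
        f.train(text, "ham")
    return f


if __name__ == "__main__":
    f = build_filter()
    # The empty string stands in for a message whose only content is an image.
    for msg in ("stock alert: buy now at a cheap price",
                "please review the attached report", ""):
        print(repr(msg), f.classify(msg), round(f.spam_probability(msg), 3))
```

With equal numbers of spam and ham in the training set the image-only message scores exactly 0.5: the filter has no evidence either way, which is the gap image spam exploits and the reason the deck pairs statistical filtering with image and structure analysis.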
Better Flow Techniques
URL references
– Analyze web links
Structure analysis
– Better capabilities
Image analysis
– Beyond OCR
Sender identity control
– Still a long way off
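URL reference analysis, the first of the flow techniques listed above, as an added example that is not from the presentation: a small Python checker that pulls the links out of an HTML message body and applies structural tests that need no a priori knowledge of the sender (raw IP address as host, displayed URL that differs from the real target, non-standard port, deep subdomain nesting). The message body is constructed; 192.0.2.10 is an RFC 5737 documentation address and the host names are reserved example domains.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def link_findings(href, text):
    """Structural tests on one link; returns the reasons it looks suspicious."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if is_ip_literal(host):
        reasons.append("host is a raw IP address")
    shown = text.strip()
    # A link whose visible text is itself a URL should point where it claims to.
    if re.match(r"https?://", shown, re.I) and host_of(shown) != host:
        reasons.append("displayed URL differs from the real target")
    if parsed.port not in (None, 80, 443):
        reasons.append(f"non-standard port {parsed.port}")
    if host.count(".") >= 4:
        reasons.append("unusually deep subdomain nesting")
    return reasons


def analyze_message(html):
    """Return (href, text, findings) for every link in the message body."""
    return [(href, text, link_findings(href, text)) for href, text in extract_links(html)]


# Constructed message body; 192.0.2.10 is a documentation address (RFC 5737)
# and the host names are reserved example domains.
SAMPLE_HTML = """
<p>Your account needs attention. Please confirm here:</p>
<a href="http://192.0.2.10:8080/confirm">http://www.bank.example/confirm</a>
<p>Regards,</p>
<a href="http://www.bank.example/">Bank</a>
"""

if __name__ == "__main__":
    for href, text, reasons in analyze_message(SAMPLE_HTML):
        print(href, "->", reasons or ["no findings"])
```

These tests look only at the shape of the reference, so they catch a class of links rather than a list of known bad ones; a mail gateway would feed the same findings into its overall score alongside reputation and content checks rather than blocking on any one of them.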
Host-Based Detection
Best for executable content analysis
– Highly scalable
Behavioral executable analysis
– Anti-Virus isn’t enough
Poor statistical capabilities
Traditional security
– Patching still required, but…
The Risks Have Expanded
Our protections need to expand, too!
– Plan for action today!
– Review existing protections
– Coordinate email and host protection planning
– Keep data security planning on the horizon
Risks aren’t standing still!
Threats are everywhere… and always evolving. Will you be protected?
Resources
Spam and Phishing
– http://www.antiphishing.org/
– http://www.sans.org/
– http://www.secureworks.com/research/threats/spamthru/
– http://www.iss.net/documents/whitepapers/X_Force_Exec_Brief.pdf
Security Protections
– http://xforce.iss.net/
– http://www.av-test.org/
Thank You!
Questions?