welcome to the age of weaponized malware. what does it mean to your enterprise?
DESCRIPTION
The U.S. has not denied its role in the use of weaponized malware, and other countries are already jumping on board. India recently announced that it is empowering government agencies to carry out similar actions. State-sponsored malware attacks are officially out of the shadows and mainstream for organizations and end users alike. In fact, Google recently announced an alert service for Gmail users for “state-sponsored attacks”. How exactly did we get to this point, and what are the factors and threats that you need to be aware of?
TRANSCRIPT
Richard Stiennon, Author and Security Industry Expert, IT-Harvest
Paul Henry, Security and Forensics Analyst, Lumension
Paul Zimski, VP, Solution Marketing, Lumension
State Sponsored Malware is Officially Out of the Shadows
Google begins alerting Gmail users to 'state-sponsored' attacks.
Warning: We believe state-sponsored attackers may be attempting to compromise your account or computer. Protect yourself now.
HOW… did we get to the point where your online email provider specifically warns users of state-sponsored attacks?
FIRST… a little history.
How Big a Problem is Weaponized Malware? Scale vs. Real World Malware
Event Timeline: Stuxnet (2009.06)
• Publicly disclosed 13 months after the first attack against Iran
• Designed to sabotage Iranian nuclear refinement plants
• Stuxnet attacked Windows systems using an unprecedented four zero-day attacks
• First to include a programmable logic controller (PLC) rootkit
• Has a valid, but abused, digital signature
• Payload targeted only Siemens supervisory control and data acquisition (SCADA) systems
Event Timeline: Duqu (2010.09)
• Considered to be “next generation Stuxnet”
• Believed to have been created by the same authors as Stuxnet
• Exploits zero-day Windows kernel vulnerabilities
• Components are signed with stolen digital keys
• Highly targeted and related to the nuclear program of Iran
• Designed to capture information such as keystrokes and system information
• Central command and control with modular payload delivery – also capable of attacking
Event Timeline: Flame (2011.05)
• Designed for targeted cyber espionage against Middle Eastern countries
• Spreads to systems over a local network (LAN) or via USB stick
• Creates Bluetooth beacons to steal data from nearby devices
• Most complex malware ever found
• “Collision” attack on the MD5 algorithm – used to create fraudulent Microsoft digital certificates
• Utilized multiple zero-day exploits
Event Timeline
2009.06: STUXNET
2010.09: DUQU
2011.05: FLAME
Weaponized Malware: Scale vs. Real World Malware
Millions of malware signatures were discovered in the last year, yet only a handful of known malware has ever been weaponized.
Weaponized vs. General Malware
First, let’s take a look at where we’ve come from. Even the oldest remote access Trojans had convenient surveillance options such as recording the victim’s keystrokes, turning on the microphone, capturing screens, etc., all in easy point-and-click interfaces. Anti-virus evasion was trivial through the use of executable “packers” to randomize signatures:
Sub7: 1999
Back Orifice: 1998
NetBus: 1998
Weaponized - What’s Different?
Development
• Nation-States
• Truly customized payloads
Delivery
• Zero-day propagation
• Multi-vectored: Bluetooth, USB, network
Detection
• Digitally signed with compromised certificates
• Outbound exfiltration masking
Command & Control
• Central command
• Modular payloads
Intent
• Surveillance
• Disrupt / Destroy
WHY… should the enterprise care?
Why Should the Enterprise Care?
Retaliation Risk
The US admits Stuxnet – expect increasing retaliation risk against sensitive economic and infrastructure assets.
Collateral Damage
Loss of control of weaponized malware (once weaponized malware is released, control is effectively lost) – being exposed to accidentally spreading malware (Stuxnet was discovered after it escaped its targeted environment and started spreading).
Adaptation by Cyber Criminals
Targeted attacks on sensitive information; variants of Stuxnet have already been seen.
What Should The Enterprise Do?
Know Where the Risk Is / Endpoint Not Gateway
Every endpoint is an enterprise of ONE.
Need to have autonomous protection.
Need to have a layered approach.
Deploy Defense in Depth Strategy
Patch and Configuration Management: Control the Vulnerability Landscape
Application Control: Control the Grey
Device Control: Control the Flow
AV: Control the Known
Hard Drive and Media Encryption: Control the Data
Successful risk mitigation relies on solid vulnerability management foundations, together with layered defenses beyond traditional blacklist approaches.
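The layered model in the slides above, as an added example that is not Lumension’s product code or any code from the deck: a small policy evaluator that checks a file-execution event against device control (“control the flow”), AV known-bad hashes (“control the known”) and application control (“control the grey”) in turn, and denies unknown (“grey”) code by default rather than trusting it because AV stayed silent. It also shows why a valid signature from an abused certificate must not count as trust. All file contents, hashes, signer names and device identifiers are constructed for the example; the patch-management and encryption layers are not modelled.

```python
"""Layered endpoint policy evaluator (added example; not Lumension's code).

Layers are checked in order: device control, AV blocklist, application control.
Every hash, signer name and device identifier below is constructed for the demo.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class FileEvent:
    path: str                 # where the executable lives (constructed path)
    content: bytes            # bytes of the executable (constructed sample)
    signer: Optional[str]     # subject of the code-signing certificate, None if unsigned
    device_id: Optional[str]  # removable-media identifier, None for the local disk


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample binaries standing in for real files.
SAMPLE_APPROVED = b"MZ\x90\x00 approved-line-of-business-app v1.2"
SAMPLE_KNOWN_BAD = b"MZ\x90\x00 known-malware-family-sample"
SAMPLE_UNKNOWN = b"MZ\x90\x00 never-seen-before-dropper"

# AV layer ("control the known"): hashes of samples already known to be malicious.
KNOWN_BAD_HASHES = {sha256_hex(SAMPLE_KNOWN_BAD)}

# Application-control layer ("control the grey"): explicit allow-list plus signer policy.
ALLOWED_HASHES = {sha256_hex(SAMPLE_APPROVED)}
TRUSTED_SIGNERS = {"Example Software Ltd"}        # constructed signer name
REVOKED_SIGNERS = {"Compromised Vendor Inc"}      # constructed: a stolen/abused certificate

# Device-control layer ("control the flow"): only registered removable devices may run code.
APPROVED_USB_DEVICES = {"usb:serial-0042"}        # constructed device identifier


def evaluate(event: FileEvent) -> Tuple[bool, str, str]:
    """Return (allowed, deciding_layer, reason).

    The first layer with an opinion decides. Code that no layer vouches for is
    'grey' and is denied by default instead of being trusted because AV did not flag it.
    """
    digest = sha256_hex(event.content)

    # Device control: executables from unregistered removable media are stopped
    # before any content inspection (the deck lists USB as a delivery vector).
    if event.device_id is not None and event.device_id not in APPROVED_USB_DEVICES:
        return False, "device-control", f"unregistered removable device {event.device_id}"

    # AV: cheap known-bad match, but it only ever covers what is already known.
    if digest in KNOWN_BAD_HASHES:
        return False, "av", f"matches known-bad hash {digest[:12]}"

    # Application control: an explicit hash allow-list wins outright.
    if digest in ALLOWED_HASHES:
        return True, "application-control", "hash on allow-list"

    # A signature only confers trust if the signer is trusted AND not revoked:
    # a technically valid signature from an abused certificate is still untrusted.
    if event.signer is not None:
        if event.signer in REVOKED_SIGNERS:
            return False, "application-control", f"signer {event.signer!r} revoked"
        if event.signer in TRUSTED_SIGNERS:
            return True, "application-control", f"trusted signer {event.signer!r}"

    # Default deny: unknown ("grey") code does not run just because AV was silent.
    return False, "application-control", "unknown code (grey) - default deny"


if __name__ == "__main__":
    demo = [
        FileEvent("C:/apps/lob.exe", SAMPLE_APPROVED, None, None),
        FileEvent("E:/setup.exe", SAMPLE_APPROVED, "Example Software Ltd", "usb:unknown-9"),
        FileEvent("C:/tmp/x.exe", SAMPLE_KNOWN_BAD, None, None),
        FileEvent("C:/tmp/y.exe", SAMPLE_UNKNOWN, "Compromised Vendor Inc", None),
        FileEvent("C:/tmp/z.exe", SAMPLE_UNKNOWN, None, None),
    ]
    for ev in demo:
        allowed, layer, reason = evaluate(ev)
        print(f"{ev.path:<20} {'ALLOW' if allowed else 'DENY':<5} [{layer}] {reason}")
```

The ordering is the point: device control and AV are cheap pre-filters, but the decision that actually closes the gap the deck describes is the final default-deny, which turns “not known bad” from an implicit allow into an explicit grey verdict that must be resolved by policy.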
Start Managing Risk
Business Interests
Compliance Controls
Assessment
Risk Management
Employee Education
Often the first and last line of defense.
lumension.com/how-to-stay-safe-online
Learn More
Quantify Your IT Risk with Free Scanners
Watch the On-Demand Demos
Get a Free Trial
Summary
Weaponized malware is a legitimate threat; however, the “sky is not falling”.
Understand the risk and implement the technologies, processes and people to mitigate it.