What Every Employee Should Know About Cyber Security - David O'Berry


DESCRIPTION

Los Angeles DGS 2013 presentation: What Every Employee Should Know About Cyber Security, by David O'Berry

TRANSCRIPT

Page 1: What Every Employee Should Know About Cyber Security - David O'Berry

McAfee Confidential—Internal Use Only

Real World Security: Current Threat and Mitigation State

“What We All Need To Know”

September 6, 2013

David O’Berry CISSP-ISSAP, ISSMP, CSSLP, CRISC, CRMP, MCNE Strategic Technologies McAfee Office of the CTO (OCTO)

Page 2

• David O'Berry, previously Director of Strategic Development and ITS for SC Probation, Parole, & Pardon Services
  – During my 19+ years with South Carolina:
  – MS-ISAC Executive Board
  – SC Security Domain Chairman and Collaboration TL
  – Midlands ISSA Chapter Founder and President
  – Trusted Computing Group's Customer Advisory Council (TNC-CAC)
  – Chairman, TOG's "Improving The Digital EcoSystem Workgroup"
  – Chapters published on IF-MAP, SCAP, TNC and Standards-Based Defense/Mitigation (ISMH 09, 10, 11)

• My Previous Life's Work and the IT Environment
  – 800+ users, rapidly growing external user base (1000s)
  – 100% mobile capable
  – Plan started in 2002
  – 26 – 30+ full-time IT staff including development, engineering, help desk, & remote support
  – Decentralized work force

• Heterogeneous and Open Standards Deployments
  – Core: McAfee, Dell, Juniper, APC
  – Network: Juniper, BlueCoat, Citrix, Imprivata
  – Data: McAfee EEPC, Device Control, Host DLP
  – Endpoint: McAfee AV, HIPS, Policy Auditor
  – Management: McAfee's ePolicy Platform, STRM, NSM Manager, Cacti & other "Open Source" products

Page 3

Security: The Third Pillar of Computing, alongside Power Efficient Performance and Internet Connectivity. Better Security Solutions & Products.

Page 4

Threat Radar = Answering The Question Why?

• Industrial Threats Will Mature

• Hacktivism: Reboot or be Marginalized

• Windows 8: BIOS and Hardware Attacks

• Mobile Botnets, Rootkits, and Attack Surface…Oh MY!

• Rogue CERTs: Rooting Trust

Page 5

Full Year 2012 Threat Report – Yikes! Key Trends

Source: http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q4-2012.pdf

• Android targeted malware spiked, with newly discovered samples doubling in Q4

• Master Boot Record attacks on the PC storage stack increased 27%

• New PC malware returned to its historic growth trend, with known samples now totaling more than 110 million

• Signed malware samples hit the "hockey stick" inflection point, doubling in three months

• Suspect URLs, which are becoming the primary distribution mechanism for malware, increased 70% in Q4

• A new Advanced Persistent Threat (APT) known as Blitzkrieg appeared that targets financial services firms and their customers

Page 6

Trends Continuing in Q2 - 2013

• Aggressive attacks on Android-based mobile devices
• Material expansion of malicious/infected websites
• High-volume spam campaigns involving big pharma, mostly outside North America
• Extensive use of ransomware to drive up currency extraction
• Operation Troy efforts/residual activity continue in South Korea
• Digitally signed malware samples increased 50% to 1.2M samples

Page 7

Global Malware Vision - Scary

Collection ("The Zoo")   End of 2010   End of 2011   End of 2012   Added in    Added in    Added in     Added in    Added in
                         (cumulative)  (cumulative)  (cumulative)  Q2-2012     Q3-2012     Q4-2012      Jan 2013    Feb 2013
Malware Zoo              54,200,000    76,600,000    113,600,000   +9,300,000  +8,600,000  +12,100,000  +4,000,000  +5,300,000
Autorun                   5,600,000     8,000,000     12,000,000   +1,240,000    +865,000   +1,300,000    +426,000    +656,000
Exploits                  1,820,000     3,000,000      5,400,000     +698,000    +387,000     +868,000    +423,000    +344,000
FakeAV, Scareware         5,500,000     9,200,000     13,100,000     +981,000    +980,000   +1,184,000    +358,000    +313,000
Macintosh                     2,160         3,250          4,200         +320        +210         +180         +50         +90
Mobile (*)                   14,500        43,000      1,073,000      +52,000    +195,000     +768,000    +111,000    +104,000
PWS & Keyloggers         11,389,000    15,547,000     22,300,000   +1,865,000  +1,662,000   +1,871,000    +655,000    +629,000
Ransomware                  132,000       365,000      1,066,000     +151,000    +218,000     +227,000     +66,000     +71,000
Rootkits                  1,986,000     2,931,000      3,874,000     +266,000    +276,000     +179,000     +65,000     +55,000
Unix Like                    52,000        56,000         64,000       +1,370      +2,020       +3,400        +790        +940

(*): Mobile malware and Potentially Unwanted Program binaries with libraries, unpacked and repacked samples.

Page 8

The Great Zoo: McAfee Known Malware

Q1/Q2-2011: +12.1 million samples
Q3/Q4-2011: +10.3 million samples
Q1/Q2-2012: +16.3 million samples
Q3/Q4-2012: +20.7 million samples

February 28, 2013: we reached 123 million samples (110k new and unique malicious binaries classified daily)

Page 9

Quarter per Quarter Exploits Detection

Page 10

Quarter per Quarter FakeAlert/Scareware

Page 11

Quarter per Quarter Rootkits Detection

Page 12

Quarter per Quarter Mobile Detection

Page 13

Quarter per Quarter Ransomware Detection

Page 14

Quarter per Quarter Password Stealer & Keylogger Detection

Page 15

Economic Model of the Attack

Daily new malware threats: 10,000 (more malware variations)
Active new zombies per month: 4m (attack target: users vs. machines)
New malicious website detected: every 30 seconds (Web 2.0 is the catalyst!)
Malware that is obfuscated: 85% (toolkits & obfuscation)
Of all threats, financially motivated: 90%

Page 16

A Better Biz Model Than Most Companies…

A newcomer: Vector Bot 32-64 Bit

[+] Bin Price : 1000 EUR [+] Payment Only Via LR

Page 17

And…here…we…go

Page 18

Vulnerabilities – Fuel to the Fire

Overview of vulnerabilities patched by Microsoft

Source: François Paget – McAfee Labs

Page 19

Vulnerabilities - …more

Overview of vulnerabilities patched by Apple

Source: François Paget – McAfee Labs

Page 20

The Company We All LOVE…

Overview of Adobe Vulnerabilities

Source: François Paget – McAfee Labs

Page 21

Trends To Help You Sleep Better…?!?!?!

Source: https://www.nsslabs.com/news/press-releases/nss-labs-vulnerability-threat-report-sees-significant-rise-vulnerability

Research shows overall vulnerability disclosures rose a staggering 26% in 2012; vulnerabilities in SCADA systems protecting critical infrastructure have skyrocketed 600% since 2010.

Page 22

ZEUS = 34zY B0tN3Tz ("easy botnets"): Zeus / Zbot Strains

• The source code for Zeus was leaked on the internet in May 2011.
• Available on forums, rapid-share, and torrents if you search for it.
• Anyone with compiling skills can create infinite Zeus variants.
• In a 3 year period, we've seen 25,165,306 unique samples.
• You read that right, that is over 25 million Zeus variants.
• Averaging 120,000 – 200,000 new Zeus variants per month for a while now.

Source: Vinoo Thomas

Page 23

State Sponsored Hacking Matters: Cyberattack leaves natural gas pipelines vulnerable to sabotage

From December 2011 through June 2012, cyberspies targeted 23 gas pipeline companies with e-mails crafted to deceive key personnel into clicking on malicious links or file attachments that let the attackers slip into company networks, says the Department of Homeland Security (DHS) report.

The report does not mention China, but the digital signatures of the attacks have been identified by independent cybersecurity researchers as belonging to a particular espionage group recently linked to China's military.

Source: http://www.csmonitor.com/Environment/2013/0227/Exclusive-Cyberattack-leaves-natural-gas-pipelines-vulnerable-to-sabotage
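The pipeline campaign above got in through crafted e-mails, which is the kind of message a help desk or SOC gets asked to look at. The script below is an added example, not part of the deck or the DHS report: it parses an e-mail with the standard library and flags three tells of a spear-phish (a Reply-To domain that differs from From, link text that shows one URL while the href points elsewhere, and an attachment with an executable extension). Both messages, the domains and the filenames are constructed for the example.

```python
"""Triage checks for the kind of spear-phishing mail described above.
Added example, not part of the deck; the messages below are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

EXEC_EXTS = (".exe", ".scr", ".js", ".vbs", ".jar", ".bat", ".cmd", ".ps1", ".hta")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample: lookalike Reply-To, link text that lies about its target,
# and a double-extension attachment. Not a real pipeline-company message.
PHISH_EML = """\
From: "IT Service Desk" <helpdesk@pipeline-co.example>
Reply-To: support@pipeline-co-secure.example.net
To: ops-engineer@pipeline-co.example
Subject: Action required: SCADA access renewal
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Renew your access at <a href="http://pipeline-co-secure.example.net/login">https://sso.pipeline-co.example/renew</a> within 24 hours.</p>
--b1
Content-Type: application/octet-stream; name="Renewal_Form.pdf.exe"
Content-Disposition: attachment; filename="Renewal_Form.pdf.exe"

--b1--
"""

# Constructed benign message for comparison.
BENIGN_EML = """\
From: "IT Service Desk" <helpdesk@pipeline-co.example>
To: ops-engineer@pipeline-co.example
Subject: Maintenance window
Content-Type: text/plain

Patching starts Saturday 02:00.
"""


def _domain(header_value):
    """Lower-cased domain of the first address in a header (empty if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def triage(raw_message):
    """Return (indicator, detail) pairs; an empty list means none of these tells fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Replies silently routed to a different domain than the visible sender.
    from_dom, reply_dom = _domain(msg["From"]), _domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"From {from_dom} but replies go to {reply_dom}"))

    # 2. Attachments that execute when opened, whatever the name before the last dot says.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_EXTS):
            findings.append(("executable-attachment", name))

    # 3. Anchor text that displays a URL whose host differs from the real href host.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for href, text in ANCHOR_RE.findall(body.get_content()):
            shown = URL_RE.search(text)
            if shown and urlparse(shown.group(0)).hostname != urlparse(href).hostname:
                findings.append(("link-target-mismatch",
                                 f"shows {shown.group(0)} but points to {href}"))
    return findings


if __name__ == "__main__":
    for code, detail in triage(PHISH_EML):
        print(f"{code}: {detail}")
    print("benign:", triage(BENIGN_EML))
```

None of these checks proves a message is malicious on its own, and a targeted sender will avoid the obvious ones; they are cheap first-pass signals to route a message to a human, alongside the header-authentication results (SPF/DKIM/DMARC) your mail gateway already records.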

Page 24

Network Threat Trends: Developers, Developers, Developers!!!!

The leading network threat this quarter came via Microsoft remote procedure calls. This was followed by a very close race between SQL-injection and cross-site scripting attacks. These two attacks are very much remote in nature, meaning they can be launched at selected targets around the globe.

Top Network Threat by Type
Remote Procedure Call 26%
SQL Injection 21%
Cross-Site Scripting 19%
Browser 15%
CGI Command Execution 12%
Others 7%
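SQL injection and cross-site scripting together are 40% of the chart above, and both are developer-introduced. The block below is an added example, not code from the deck: it shows each flaw in its vulnerable form next to the fix (parameter binding for SQL, output encoding for HTML), run against an in-memory SQLite table constructed for the example so the injection can be observed rather than described.

```python
"""The two injection classes from the chart, vulnerable and hardened forms side by side.
Added example, not from the deck; the user table and payloads are constructed."""
import html
import sqlite3

SQLI_PAYLOAD = "bob' OR '1'='1"
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


def make_db():
    """In-memory user table standing in for an application database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return con


def lookup_vulnerable(con, name):
    """Concatenation: the request value is parsed as part of the SQL statement."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def lookup_hardened(con, name):
    """Parameter binding: the value is data, never SQL, however it is quoted."""
    return con.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def render_vulnerable(name):
    """Reflects the request value into the HTML response unchanged."""
    return "<p>Results for " + name + "</p>"


def render_hardened(name):
    """Output encoding for an HTML text context: <, >, &, quotes become entities."""
    return "<p>Results for " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    con = make_db()
    print(lookup_vulnerable(con, SQLI_PAYLOAD))  # every row: the WHERE clause was rewritten
    print(lookup_hardened(con, SQLI_PAYLOAD))    # []: no user has that literal name
    print(render_vulnerable(XSS_PAYLOAD))        # script tag reaches the browser
    print(render_hardened(XSS_PAYLOAD))          # rendered as text, not executed
```

Note that `html.escape` is right only for HTML text and attribute values; a value placed inside a JavaScript string, a URL or a CSS rule needs the encoder for that context, and a Content-Security-Policy limits the blast radius when an encoder is missed.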

Page 25

Sad and Scary Numbers?

80% Of CISOs See Employees As The Greatest Data Threat

73% Of Data Breaches Come From Internal Sources

77% Unable To Audit Or Quantify Loss After A Data Breach

Sources: Dark Reading/InformationWeek survey; MIS Training Institute survey at CISO Summit; McAfee Datagate Report, produced by Datamonitor (survey of 1,400 IT professionals across UK, US, DR, DE, and Australia)

Page 26

This was THEN… Literally in Black and White!!!

Page 27

Next generation data centers - the utility computing vision

A large-scale virtualized utility fabric (switched fabric, processing elements, storage elements, infrastructure on demand) provides application services to millions of users.

Multi-tiered applications, reached from the internet and the intranet:
- Access tier: edge routers; routing switches; authentication, DNS, intrusion detection, VPN; web cache; 1st level firewall
- Web tier: load balancing switches; web servers; web page storage (NAS)
- 2nd level firewall
- Application tier: switches; application servers; files (NAS)
- Database tier: switches; database SQL servers; storage area network (SAN)

Page 28

Threats Rapidly Moving Down the Stack

Layers, top to bottom: Applications/RDBMS; AV, HIPS; Operating System; Virtual Machine; BIOS; CPU; I/O, Memory, Disk, Network, Display.

- Applications: traditional attacks, and defenses, focused primarily on the application layer
- Security products: attack and disable security products and hence all protection
- Operating system: infect the OS with APTs, resulting in threats hidden from security products
- Virtual machine: compromise the virtual machine and hence all guest machines within
- BIOS and below: "Ultimate APTs" compromise devices below the OS, either before or after shipment
- Peripherals: rogue peripherals & firmware bypassing all other security measures
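The lowest rung of the stack that an ordinary administrator can still inspect from user space is the master boot record, which is where the 27% rise in MBR attacks from Page 5 and the "below the OS" threats on this slide meet: a bootkit rewrites the 440 bytes of bootstrap code or hides a partition, and no in-OS scanner sees it run. The block below is an added example, not code from the deck or from McAfee: it parses a 512-byte MBR, compares the bootstrap code against a stored baseline hash and checks the partition table for two common tampering signs. The bootstrap bytes, baseline and partitions are constructed for the example; on a real host the sector comes from the first 512 bytes of the disk device (root required).

```python
"""Integrity check for a 512-byte master boot record (MBR).
Added example, not from the deck; the MBR bytes below are constructed."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 440      # bootstrap code precedes the 4-byte disk signature
PT_OFFSET = 446          # four 16-byte partition entries
SIG_OFFSET = 510         # 0x55 0xAA boot signature
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

# Constructed "known good" bootstrap: cli; xor ax,ax; mov ss,ax; then NOP padding.
BOOTSTRAP = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * (BOOTSTRAP_LEN - 5)
BASELINE_HASH = hashlib.sha256(BOOTSTRAP).hexdigest()   # what you would store at build time


def build_mbr(bootstrap, partitions, disk_sig=0x1234ABCD):
    """Assemble an MBR from bootstrap bytes and (status, type, lba, count) tuples."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootstrap)] = bootstrap
    struct.pack_into("<I", sector, BOOTSTRAP_LEN, disk_sig)
    for i, (status, ptype, lba, count) in enumerate(partitions[:4]):
        # CHS fields are left zero; the LBA fields are what modern loaders use.
        struct.pack_into(ENTRY_FMT, sector, PT_OFFSET + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector[SIG_OFFSET:] = b"\x55\xAA"
    return bytes(sector)


def parse_partitions(sector):
    """Return the non-empty partition entries as dicts."""
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PT_OFFSET + 16 * i)
        if ptype != 0:
            entries.append({"status": status, "type": ptype, "lba": lba, "count": count})
    return entries


def check_mbr(sector, baseline_hash):
    """Compare a sector against a stored baseline; returns a list of findings."""
    if len(sector) != SECTOR_SIZE or sector[SIG_OFFSET:] != b"\x55\xAA":
        return ["missing or damaged 0x55AA boot signature"]
    findings = []
    code_hash = hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest()
    if code_hash != baseline_hash:
        findings.append(f"bootstrap code changed: sha256 {code_hash[:16]}... != baseline")
    parts = parse_partitions(sector)
    if sum(1 for p in parts if p["status"] == 0x80) > 1:
        findings.append("more than one partition marked active")
    ordered = sorted(parts, key=lambda p: p["lba"])
    for prev, nxt in zip(ordered, ordered[1:]):
        if nxt["lba"] < prev["lba"] + prev["count"]:
            findings.append(f"partition at LBA {nxt['lba']} overlaps the one at {prev['lba']}")
    return findings


if __name__ == "__main__":
    # On a live system: sector = open("/dev/sda", "rb").read(512)  (needs root)
    good = build_mbr(BOOTSTRAP, [(0x80, 0x07, 2048, 204800), (0x00, 0x83, 206848, 409600)])
    print("clean:", check_mbr(good, BASELINE_HASH))
    tampered = bytearray(good)
    tampered[0:2] = b"\xEB\xFE"            # bootkit-style patch: jump elsewhere first
    print("patched:", check_mbr(bytes(tampered), BASELINE_HASH))
```

The baseline has to be captured from a machine you trust and stored somewhere the host cannot rewrite, otherwise a bootkit that arrived before the first capture is baselined as normal; the same logic extends to the VBR and, on UEFI systems, to comparing the EFI system partition's boot binaries against their expected hashes.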

Page 29

And They Wonder Why We Seldom Sleep Peacefully…?

Page 31

Hacktivism Networks Will Continue to Evolve

McAfee believes the historical "Anonymous" syndicate will reinvent itself or die out. The people leading digital disruptions will become better engaged with the people leading physical demonstrations. For political and ideological ends, the private lives of public figures—politicians, industry leaders, judges, and law-enforcement and security officers—will be disclosed this year more than in the past. Some hacktivists will operate along the same lines as the various "cyberarmies" that primarily flourish in nondemocratic or nonsecular states.

Page 32

Anonymous + SCADA

Page 33

Industrial Attacks Will Mature

Siemens PLCs

Nuclear Enrichment Centrifuges

Stuxnet Proliferation

Stuxnet proved that malicious code can create a real world, kinetic response. Recent incidents directed at water utilities in the United States show that these facilities are of increasing interest to attackers. The more attention is focused on SCADA and infrastructure systems, the more insecurity seems to come to light. We expect to see this insecurity lead to greater threats through exploit toolkits and frameworks as well as the increased targeting of utilities and energy ICS systems in particular.

Page 34

Around the World: Mandiant accuses the People's Liberation Army's Unit 61398 of hacking

Source: http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

The report, by Mandiant, identifies the People's Liberation Army's (PLA) Shanghai-based Unit 61398 as the most likely perpetrators of the hacking. The company said it believed the unit had carried out "sustained" attacks on a wide range of industries.

"The nature of Unit 61398's work is considered by China to be a state secret; however, we believe it engages in harmful computer network operations," Mandiant said. "It is time to acknowledge the threat that is originating in China, and we wanted to do our part to arm and prepare security professionals to combat that threat effectively."

Page 35

Anonymous Doxing

Page 36

The Goal of Radical Consumerization is…? Secure Access to a Ubiquitous Computing Environment

The Mobility "Explosion"!

Page 37

(Chart: FROM … TO 50 Billion)

Page 38

Lost Smartphone Protection: employees consistently fail to protect their mobile devices

(Bar chart, 0% to 60%) Categories: Other; Anti-virus/anti-malware; Client firewall; Password or keypad lock; Encryption; Anti-theft device; No protection. Bar values: 4%, 5%, 11%, 17%, 19%, 31%, 57%.

Page 39

Rogue Certificates

• Threats such as Flame, Stuxnet, and Duqu used rogue certificates to great effect to evade detection. Although this is not the first time we have seen this behavior (fake AV, certain Zeus variants, Conficker, and even some old Symbian malware used them), we expect to see this trend increase in 2012 and beyond.

• We need to be aware and very concerned about the implications of large-scale rogue certificates on the whitelisting and application control technologies that use these certs.

• Wide-scale targeting of certificate authorities and the broader use of fraudulent, yet valid digital certificates has ramifications for public-key infrastructure, secure browsing, and transactions

Page 40

Countermeasures Trends: Intelligence, Response, and Red Teams

Partnerships for information sharing

Extensive Red Teaming and SE Testing

Develop Operational Readiness

Focus on OSINT analysis and Forensics

Extensive Internal CERT Team investments

Page 41

Coordinated Security

Components sharing data: Routing; Server or Cloud Security; IDS; Switching; Wireless; Firewalls; IPAM; SIM/SEM; Asset Management System; AAA; ICS/SCADA Security; Physical Security; Endpoint Security (via NAC)

Open Interfaces: IF-MAP Protocol (Nitro, ePO, MAP Servers)
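The diagram's point is that each of those boxes knows one thing about an endpoint (AAA knows who logged in, DHCP/IPAM knows which MAC holds which address, the IDS knows the address is misbehaving) and that nothing useful happens until a shared metadata graph lets a firewall or NAC act on all of it. The block below is an added example, not TCG's IF-MAP specification or any McAfee/MAP-server code: it is an in-memory model of the publish/search/subscribe pattern using the standard IF-MAP identifier kinds and metadata names, with no SOAP transport, session handling or authentication, and a scenario whose publishers, addresses and identity are constructed for the example.

```python
"""A minimal in-memory model of the IF-MAP publish/search/subscribe pattern behind
the "Coordinated Security" diagram. Added example, not TCG's protocol or McAfee code:
no SOAP transport, sessions or authentication; the scenario data is constructed."""
from collections import defaultdict, deque


def ident(kind, value):
    """IF-MAP style identifier, e.g. ident("ip-address", "10.0.0.5")."""
    return (kind, value)


class MapServer:
    """Metadata graph: identifiers are nodes, metadata hangs on identifiers or on
    links between them, and subscribers get their search re-run after every publish."""

    def __init__(self):
        self.neighbors = defaultdict(set)
        self.metadata = defaultdict(list)     # identifier or frozenset link -> [metadata]
        self.subscriptions = []               # (start identifier, max depth, callback)

    def publish_update(self, publisher, name, attrs, a, b=None):
        """Attach metadata `name` to identifier `a`, or to the link a<->b."""
        if b is not None:
            self.neighbors[a].add(b)
            self.neighbors[b].add(a)
            target = frozenset((a, b))
        else:
            target = a
        self.metadata[target].append({"name": name, "publisher": publisher, **attrs})
        for start, depth, callback in self.subscriptions:
            callback(self.search(start, depth))

    def search(self, start, max_depth):
        """Breadth-first walk; returns {identifier: [metadata on that identifier]}."""
        depth = {start: 0}
        queue = deque([start])
        while queue:
            cur = queue.popleft()
            if depth[cur] >= max_depth:
                continue
            for nxt in self.neighbors.get(cur, ()):
                if nxt not in depth:
                    depth[nxt] = depth[cur] + 1
                    queue.append(nxt)
        return {i: list(self.metadata.get(i, [])) for i in depth}

    def subscribe(self, start, max_depth, callback):
        self.subscriptions.append((start, max_depth, callback))


def run_scenario():
    """AAA/NAC, DHCP and an IDS publish; a firewall subscribes and quarantines.
    Returns the (identity, mac) pairs the firewall decided to block."""
    srv = MapServer()
    ip = ident("ip-address", "10.0.0.5")
    mac = ident("mac-address", "00:11:22:33:44:55")
    ar, who, dev = ident("access-request", "ar-1"), ident("identity", "jdoe"), ident("device", "laptop-42")

    # NAC/AAA: who authenticated, from which device, and which address they received.
    srv.publish_update("aaa", "authenticated-as", {}, ar, who)
    srv.publish_update("aaa", "access-request-mac", {}, ar, mac)
    srv.publish_update("aaa", "access-request-device", {}, ar, dev)
    srv.publish_update("aaa", "access-request-ip", {}, ar, ip)
    srv.publish_update("dhcp", "ip-mac", {}, ip, mac)

    blocked = []

    def firewall(result):
        # Act on the IDS's critical event, but using the identity and MAC that
        # other publishers attached to the same address.
        if any(m["name"] == "event" and m.get("significance") == "critical" for m in result[ip]):
            kinds = {k: v for (k, v) in result}
            blocked.append((kinds["identity"], kinds["mac-address"]))

    srv.subscribe(ip, max_depth=3, callback=firewall)
    srv.publish_update("ids", "event", {"type": "botnet infection", "significance": "critical"}, ip)
    return blocked


if __name__ == "__main__":
    print(run_scenario())   # [('jdoe', '00:11:22:33:44:55')]
```

In a real deployment the firewall would block by MAC or port and the help desk would get the identity, which is exactly what neither the IDS alert nor the DHCP lease could give on its own; the model also shows why the MAP server is a high-value target and why publishers must be authenticated, since anything that can publish can steer enforcement.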

Page 42

The Industry - Refocused

• The New Biz World Requires More Devices (Mobile etc.), Therefore Usually More Work

• Nothing Is Getting Easier

• Endpoints And Flowpoints Were/Are Unmanageable With Technology That Does Not Scale From A Visibility Perspective

• Standardize Where/What You Can

• BOTH Modularity And Scalability Of Both Product And Aggregator Of Relevant Data Required

• Slow Adoption Of Standard Solutions Cripples Innovation and Impacts Efficiency of the Overall Digital Ecosystem Safety

• We Are All Part Of One Organism In This Digital Ecosystem

• Immune System Concept: If Extremities Get An Infection It Can Easily Become Systemic

• "Digital Feudalism" or Castle And Moat Were Reasonable In The Past

• Now The "Barbarians" Can Draft Your Citizens, Dogs, Cats, Livestock, Refrigerators, etc. Into Service Against You

• Bad Security Threatens Innovation Which In Turn Threatens Productivity

• Don't Give Anyone An Excuse – No to So…