Battling Malware In The Enterprise
Ayed Alqarta | @aqarta

IT Security Consultant
Agenda
• Malware trends in 2012
• Malware stats: State of Kuwait
• How malware infiltrates the enterprise today
• Effective malware mitigations
Malware news
• Trojans for mobile platforms (SMS to premium-rate numbers, defeating SMS-based two-factor authentication, information stealing, Zeus/SpyEye)
• Malicious Trojans will spread in more innovative ways (Facebook and Twitter)
• Attacks targeting corporate networks (espionage)
• More malware attacking Mac OS (Flashback)
• Web exploit toolkits are on the rise, with more zero-day vulnerabilities
Malware stats: State of Kuwait (charts; source: Symantec Intelligence Quarterly, July - September 2011)
Botnet C&C activity by country (map; source: Umbradata; red countries: over 1,501 vetted C&C servers)
Top observed botnet families at multiple enterprise customers:
• Palevo.C
• Palevo.18
• Mariposa.P
• Mariposa.F
• Conficker.B
• Conficker.D
• Virut
• Sality
How malware infiltrates the enterprise today
Web:
• Compromised websites (infected with malware)
• Malvertising (malicious ads)
• Malware websites
• Software downloads
• P2P/torrent websites
• Social networks
• Blogs
Other vectors:
• Email
• Removable media
• Mobiles
• Laptops (personal, work, vendor, contractor)
• ATMs (yes, they run Windows too!)
• Virtual private network / remote access
• Wireless and 3G/EDGE
Malvertising (from "malicious advertising") is the use of online advertising to spread malware.
Internet advertising networks give attackers an effective venue for targeting numerous computers through malicious banner ads, since a single ad placement is served on many otherwise legitimate, high-traffic sites.
Such malvertisements may take the form of Flash programs that look like regular ads but contain code that attacks the visitor's system directly or redirects the browser to a malicious website.
Malicious ads can also be implemented without Flash: the attacker submits a clean ad for review and, once the campaign is live, changes its destination to a malicious page.
Exploit kits
An exploit kit is a crimeware web application that helps attackers compromise computers through unpatched vulnerabilities, using malicious scripts planted on compromised websites. Unsuspecting users visiting a compromised site are redirected to a landing page that fingerprints the browser and its plugins and fires the matching exploit, in order to install banking Trojans or similar malware on the visiting computer.
Most exploit kits are built on PHP with a MySQL backend and bundle exploits for the most widely used and most vulnerable client software, giving the attacker the highest probability of successful exploitation. The kits typically target versions of the Windows operating system and applications installed on Windows platforms.
Defense-in-depth: multiple layers of mixed-vendor virus scan engines
UTM -> Proxy -> Spam filter -> Email server -> File server -> Endpoints
Device & application control
• Block removable drives such as USB flash disks to prevent AutoRun attacks.
• If that is not possible, allow only documents and trusted file types from USB and block executables.
• Disable AutoPlay in Windows (Group Policy: "Turn off AutoPlay" for all drives).
• Consider "secure" flash disks with an onboard antivirus scan engine; note that this protects only the disk's own contents and still relies on signatures.
Device & application control
• Use an application control solution (standalone or part of the endpoint security suite) to lock down critical systems.
• An application control (whitelisting) policy blocks every executable that is not explicitly approved, so it does not depend on signatures and stops unknown and zero-day malware binaries. The caveat: it does not stop exploitation of an already-approved process (an exploit kit running inside the browser, a macro inside Office), so it complements patching rather than replacing it.
Patch management (OS/browsers/apps)
• Stay up to date with patch-related information from various sources.
• Download patches and verify their authenticity (vendor signature or published hash) before testing them.
• Install security and critical patches/service packs for the OS and 3rd-party applications.
• Maintain a testing environment to test patches before approving them for production systems.
• Generate reports on patch management tasks.
• Monitor patching progress across the enterprise.
Patch management (OS/browsers/apps): top attacked applications by web exploit kits (chart; source: Kaspersky)
Patch management (3rd-party apps)
•   Java Run Time Environment (JRE)
•   Adobe Reader, Acrobat, Air, Shockwave Player, Flash Player
•   Mozilla Firefox
•   Mozilla Thunderbird
•   Google Chrome
•   Apple Safari, iTunes, QuickTime
•   Microsoft Internet Explorer
•   Microsoft Office
•   RealNetworks RealPlayer
Vulnerability research resources
• http://technet.microsoft.com/en-us/security/bulletin
• http://www.kb.cert.org/vuls/
• http://secunia.com/community/advisories/
• http://www.symantec.com/security_response/landing/vulnerabilities.jsp
• http://tools.cisco.com/security/center/publicationListing
• http://www.vupen.com/english/security-advisories/
• http://www.us-cert.gov/current/
• http://www.adobe.com/support/security/
• http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/index.xhtml
Web filtering
• Block access to malicious domain categories (malware, phishing, botnet C&C, compromised websites, malware hosting, advertisements, pornography, dynamic DNS, social network games, computer software, uncategorized).
• The proxy must include an antivirus/antispyware engine to scan downloaded files.
• Block downloads of suspicious file types (.exe, .cmd, .pif, .bat, .scr, .dll, .sys). Extension filtering alone is defeated by renaming or zipping the file, so pair it with content inspection.
• Generate reports and warn top policy violators.
• Manually block domains/URLs the vendor has not categorized (local blocklist).
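The extension list above is the easy half of the download check; the other half is looking at what the file actually is. The following is an added example written for this page, not code from the original slides or from any proxy product. It assumes a hook that hands the gate a filename and the downloaded bytes; the sample payloads (a minimal fake PE header, not real malware), the 50 MB member cap, the nesting limit and the decision to block anything it cannot inspect are this example's own constructed assumptions.

```python
"""Download gate for a web proxy: block Windows executables by extension
and by content, and look inside archives.

Added example, not from the original slides. The sample payloads built in
build_samples() are constructed (a minimal fake PE header, not real
malware); the size cap, nesting cap and the fail-closed decisions are this
example's own policy choices.
"""
import io
import zipfile

# The extension list from the web-filtering slide.
BLOCKED_EXTENSIONS = {".exe", ".cmd", ".pif", ".bat", ".scr", ".dll", ".sys"}
ZIP_MAGIC = b"PK\x03\x04"
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # assumed cap; larger members are not inflated
MAX_NESTING = 3                       # assumed cap on zip-inside-zip depth


def is_pe_file(data: bytes) -> bool:
    """True if the bytes carry a PE image (exe/dll/sys/scr), whatever the name.

    A PE file starts with the DOS 'MZ' header; the offset of the 'PE\\0\\0'
    signature is stored little-endian at bytes 0x3C..0x40 of that header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def blocked_by_extension(filename: str) -> bool:
    name = filename.lower()
    return any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def classify_download(filename: str, data: bytes, depth: int = 0):
    """Return ("allow"|"block", reason). Content that cannot be scanned is blocked."""
    if blocked_by_extension(filename):
        return "block", f"{filename}: blocked extension"
    if is_pe_file(data):
        return "block", f"{filename}: PE content does not match its extension"
    if data[:4] == ZIP_MAGIC:
        if depth >= MAX_NESTING:
            return "block", f"{filename}: archive nested too deeply to scan"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.file_size > MAX_MEMBER_BYTES:
                        return "block", f"{filename}: member {info.filename} too large to scan"
                    # Recursion applies the same extension + content checks to each member.
                    verdict, reason = classify_download(info.filename, zf.read(info), depth + 1)
                    if verdict == "block":
                        return "block", f"{filename} -> {reason}"
        except (zipfile.BadZipFile, RuntimeError):
            # zipfile raises RuntimeError for password-protected members: a classic
            # way to smuggle executables past content scanning, so fail closed.
            return "block", f"{filename}: corrupt or encrypted archive"
    return "allow", f"{filename}: no executable content detected"


def make_fake_pe() -> bytes:
    """Constructed 84-byte blob with a valid MZ/PE header layout and no code."""
    dos_header = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40 bytes
    dos_header[0x3C:0x40] = (0x40).to_bytes(4, "little")    # PE header right after
    return bytes(dos_header) + b"PE\x00\x00" + b"\x00" * 16


def build_samples() -> dict:
    """Constructed downloads: filename -> bytes."""
    pe = make_fake_pe()
    smuggled = io.BytesIO()
    with zipfile.ZipFile(smuggled, "w") as zf:
        zf.writestr("readme.txt", pe)               # executable under a harmless name
    benign = io.BytesIO()
    with zipfile.ZipFile(benign, "w") as zf:
        zf.writestr("beach.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    return {
        "report.pdf": b"%PDF-1.7\n" + b"\x00" * 64,
        "invoice.exe": pe,
        "cat.jpg": pe,                              # renamed executable
        "photos.zip": smuggled.getvalue(),
        "vacation.zip": benign.getvalue(),
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(classify_download(name, blob))
```

A proxy that only matches extensions lets `cat.jpg` and the zipped `readme.txt` through; this gate blocks both because the bytes are a PE image, while `report.pdf` and the zip of a JPEG pass. Encrypted archives are blocked rather than allowed because they cannot be scanned; that is a decision the practitioner has to make explicitly, since most products default to allowing what they cannot open.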
Geo-based filtering (top malware-hosting countries)
• Block inbound/outbound traffic to these countries (China, Russia, Korea, Brazil, Thailand, Taiwan, Japan, Poland, Peru).
• UTM/proxy logs of the blocked connections help detect possible infections.
• This filtering stops or reduces spam, malware, malicious websites and phishing.
• A proactive technique to prevent threats, but a coarse one: attackers also host on servers in "trusted" countries, and legitimate business traffic to a blocked country needs an exception process.
Threat intelligence feeds / blacklists
• Integrate threat feeds with the security products in the enterprise to block traffic to/from hosts with a bad reputation.
• Proactively secure the network against zero-day threats without relying on signatures.
• Threat intelligence can be integrated with SIEM tools to match indicators against proxy, DNS and firewall logs.
• Threat feeds will contain:
  ▪ Malicious code senders
  ▪ Spam senders
  ▪ Phishing senders
  ▪ Botnet C&C servers
  ▪ Compromised hosts
  ▪ Malware domains
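The geo-filtering slide's point that UTM/proxy logs reveal infections and the feed list here come down to one operation: match every outbound connection against a list of indicators and group the hits by internal client. Here is an added example of that matching, written for this page and not part of the original deck or of any SIEM product. The feed format (one `type,indicator` per line), the squid-style access log lines and all indicators are constructed (RFC 5737 documentation ranges and reserved example domains); the parent-domain suffix match and the per-client grouping are this example's own design choices.

```python
"""Match UTM/proxy access logs against a threat-intelligence feed.

Added example, not from the original slides. The feed format, the
squid-native log layout and every indicator below are constructed for
illustration (RFC 5737 documentation ranges, reserved example domains).
"""
import ipaddress
from collections import defaultdict
from urllib.parse import urlparse

# Constructed feed: one "type,indicator" per line; '#' starts a comment.
FEED_TEXT = """\
# type,indicator
domain,evil-cdn.example
domain,dyn.bad-dns.example
ip,203.0.113.45
cidr,198.51.100.0/24
"""

# Constructed squid-native access.log lines, fields separated by whitespace:
# time elapsed client action/code bytes method url ident hierarchy/peer type
LOG_LINES = """\
1329500000.101   82 10.0.0.17 TCP_MISS/200 5123 GET http://evil-cdn.example/gate.php - DIRECT/203.0.113.45 text/html
1329500001.220  140 10.0.0.23 TCP_MISS/200 1044 GET http://www.example.org/index.html - DIRECT/192.0.2.10 text/html
1329500002.004   60 10.0.0.17 TCP_MISS/200  512 POST http://victim77.dyn.bad-dns.example/upload - DIRECT/198.51.100.77 application/octet-stream
1329500003.550   12 10.0.0.31 TCP_MISS/200  982 CONNECT 198.51.100.9:443 - DIRECT/198.51.100.9 -
1329500004.000  300 10.0.0.23 TCP_MISS/200 20480 GET http://cdn.example.net/lib.js - DIRECT/192.0.2.44 application/javascript
""".splitlines()


class ThreatFeed:
    """Domain indicators in a set; IP and CIDR indicators as ip_network objects."""

    def __init__(self, feed_text: str):
        self.domains = set()
        self.networks = []
        for raw in feed_text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            kind, _, value = line.partition(",")
            kind, value = kind.strip().lower(), value.strip().lower()
            if kind == "domain":
                self.domains.add(value.rstrip("."))
            elif kind in ("ip", "cidr"):
                self.networks.append(ipaddress.ip_network(value, strict=False))
            else:
                raise ValueError(f"unknown indicator type: {kind!r}")

    def match_host(self, host):
        """Exact or parent-domain match: a.b.evil.example hits evil.example.
        Needed for dynamic-DNS and fast-flux names under one feed entry."""
        if not host:
            return None
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None

    def match_ip(self, ip_text):
        """Return the matching feed network as a string, or None."""
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            return None
        for net in self.networks:
            if ip in net:
                return str(net)
        return None


def parse_squid_line(line: str):
    """Return (timestamp, client_ip, url, dest_ip) or None for a malformed line."""
    fields = line.split()
    if len(fields) < 9:
        return None
    ts, client, url, hierarchy = fields[0], fields[2], fields[6], fields[8]
    dest_ip = hierarchy.partition("/")[2]   # "DIRECT/203.0.113.45" -> "203.0.113.45"
    return ts, client, url, dest_ip


def hostname_of(url: str):
    if "://" not in url:          # CONNECT requests are logged as "host:port"
        url = "//" + url
    return urlparse(url).hostname


def find_infected_clients(feed: ThreatFeed, log_lines) -> dict:
    """Map internal client IP -> list of (timestamp, indicator, url) hits."""
    hits = defaultdict(list)
    for line in log_lines:
        parsed = parse_squid_line(line)
        if parsed is None:
            continue
        ts, client, url, dest_ip = parsed
        indicator = feed.match_host(hostname_of(url)) or feed.match_ip(dest_ip)
        if indicator:
            hits[client].append((ts, indicator, url))
    return dict(hits)


if __name__ == "__main__":
    for client, events in find_infected_clients(ThreatFeed(FEED_TEXT), LOG_LINES).items():
        print(client, events)
```

On the constructed lines, 10.0.0.17 is flagged twice (the C&C domain and a dynamic-DNS subdomain caught by the suffix match) and 10.0.0.31 once, by destination IP alone on a CONNECT request where the hostname is an address. The suffix match cuts both ways: a feed entry for a hosting provider's parent domain would flag every legitimate site under it, so review feed entries before turning matches into automatic blocks.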
Battling Malware in The Enterprise: Malware Forensics Dojo
• Learn from an experienced malware expert
• Practical skills and applicable knowledge
• Real-world scenarios from the field
Thank you
@aqarta    a.qarta@gmail.com
