4. Trojans for mobile platforms (SMS to premium ###, defeating SMS-based dual-factor authentication, info stealing, Zeus/SpyEye)
Malicious Trojans will spread in more innovative ways (Facebook and Twitter).
Attacks targeting corporate networks (espionage)
More malware attacking Mac OS (Flashback)
Web exploit toolkits are on the rise, with more zer0-day vulnerabilities
9. Web
• Compromised websites (infected with malware)
• Malvertising (Malicious Ads)
• Malware websites
• Software downloads
• P2P/Torrent websites
• Social Networks
• Blogs
10. Other infection vectors
• Email
• Removable Media
• Mobiles
• Laptops (Personal, Work, Vendor, Contractor)
• ATM (Yes, they run Windows too!)
• Virtual Private Network / Remote Access
• Wireless and 3G/Edge
11. Malvertising (from "malicious advertising") is the use of online advertising to spread malware.
Internet advertisement networks provide attackers with an effective venue for targeting numerous computers through malicious banner ads.
Such malvertisements may take the form of Flash programs that look like regular ads but contain code that attacks the visitor's system directly or redirects the browser to a malicious website.
Malicious ads can also be implemented without Flash, simply by changing the destination the ad redirects to after the campaign has launched.
14. Exploit kits
A type of crimeware web application developed to help attackers take advantage of unpatched vulnerabilities in order to compromise computers via malicious scripts planted on compromised websites. Unsuspecting users visiting these compromised sites are redirected to a malware portal website that exploits browser vulnerabilities in order to deliver banking Trojans or similar malware to the visiting computer.
Most exploit kits are based on PHP with a MySQL backend and incorporate support for exploiting the most widely used and most vulnerable software, in order to give the operator the highest probability of successful exploitation. The kits typically target versions of the Windows operating system and applications installed on Windows platforms.
18. Multiple layers of mixed-vendor virus scan engines (Defense-in-Depth)
• Spam Filter
• Email Server
• File Server
• UTM
• Proxy Server
• Endpoints
19. Device & Application control
Block removable drives like “USB Flash” disks to prevent AutoRun attacks.
If that is not possible, allow only documents and trusted files to be opened from USB, never executables.
Disable the “Auto Play” functionality in Windows.
Consider using a “Secure Flash disk”, which has an onboard antivirus scan engine to protect it against malware.
20. Device & Application control
Use an application control solution (standalone, or as part of endpoint security) to lock down critical systems.
An application control policy (whitelisting) can protect against all kinds of malware, including zer0-day, since it does not depend on signatures.
21. Patch management (OS/Browsers/Apps)
Stay up to date with the latest patch-related information from various sources
Download patches and run extensive tests to validate their authenticity and accuracy
Install security and critical patches/service packs for the OS and 3rd-party applications
Maintain a testing environment to test patches before approving them for production systems
Generate reports of the various patch management tasks
Monitor patching progress across the enterprise
22. Patch management (OS/Browsers/Apps)
Chart: top attacked applications by web exploit kits (source: Kaspersky)
23. Patch management (3rd Party Apps)
• Java Runtime Environment (JRE)
• Adobe Reader, Acrobat, Air, Shockwave Player, Flash Player
• Mozilla Firefox
• Mozilla Thunderbird
• Google Chrome
• Apple Safari, iTunes, QuickTime
• Microsoft Internet Explorer
• Microsoft Office
• RealNetworks RealPlayer
25. Web filtering
Block access to malicious domain categories (Malware, Phishing, Botnet C&C, Compromised Websites, Malware hosting, Advertisements, Pornography, Dynamic DNS, Social Network Games, Computer Software, Uncategorized)
The proxy must include an antivirus/antispyware engine to scan downloaded files
Block downloads of suspicious file types (.exe, .cmd, .pif, .bat, .scr, .dll, .sys)
Generate reports and warn the top policy violators
Manually block domains/URLs that the vendor has not categorized (blocklist)
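An added example, not from the deck: the proxy-side download check in Python. It blocks the extensions listed above and also inspects the file header, so an executable renamed to a harmless extension is still caught. The file names and contents are constructed samples.

```python
# Extensions the deck says the proxy should block (the list on the slide).
BLOCKED_EXTENSIONS = {".exe", ".cmd", ".pif", ".bat", ".scr", ".dll", ".sys"}


def file_extension(filename: str) -> str:
    """Lowercased final extension of a file name or URL path, '' if none."""
    name = filename.rsplit("/", 1)[-1]
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_pe_image(content: bytes) -> bool:
    """True when the bytes carry a DOS 'MZ' stub whose e_lfanew points at the PE signature."""
    if len(content) < 0x40 or content[:2] != b"MZ":
        return False
    pe_offset = int.from_bytes(content[0x3C:0x40], "little")
    return content[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def classify_download(filename: str, content: bytes) -> tuple:
    """Return (blocked, reason) for a download seen at the proxy.

    The declared extension is checked first and the file header second,
    so an executable renamed to .pdf or .jpg is still caught.
    """
    ext = file_extension(filename)
    if ext in BLOCKED_EXTENSIONS:
        return True, f"blocked extension {ext}"
    if is_pe_image(content):
        return True, f"PE executable disguised as {ext or 'no extension'}"
    return False, "allowed"


def fake_pe() -> bytes:
    """Constructed minimal PE header: MZ stub, e_lfanew = 0x40, then the PE signature."""
    return b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 20


# Constructed samples a proxy might see.
SAMPLES = {
    "http://dl.example/invoice.exe": b"MZ",             # blocked on extension alone
    "http://dl.example/report.pdf": fake_pe(),          # renamed executable, caught by header
    "http://dl.example/readme.txt": b"plain text",      # allowed
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify_download(name, data))
```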
26. Geo-based filtering (top malware-hosting countries)
Block inbound/outbound traffic to these countries (China, Russia, Korea, Brazil, Thailand, Taiwan, Japan, Poland, Peru)
Logs (UTM/Proxy) will help detect possible infections
This filtering will stop or decrease SPAM, malware, malicious websites and phishing
A proactive security technique to prevent threats
27. Threat Intelligence Feeds / Blacklists
Integrate threat feeds with the security products in the enterprise to block traffic from/to bad-reputation hosts
Proactively secure the network from zer0-day threats without relying on signatures
Threat intelligence can be integrated with SIEM tools
Threat feeds will contain:
▪ Malicious code senders
▪ Spam senders
▪ Phishing senders
▪ Botnet C&C servers
▪ Compromised Hosts
▪ Malware Domains
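An added example, not part of the deck, covering slides 26 and 27: Python that loads a feed of the indicator kinds listed above and runs proxy log lines through it to flag internal clients that contacted listed domains, C&C addresses or compromised ranges. The feed entries, the log format and every address are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit
# Constructed feed, one "indicator,category" per line; the indicators are made up.
THREAT_FEED = """\
bad-updates.example,Malware Domains
cnc.example.net,Botnet C&C
203.0.113.77,Botnet C&C
198.51.100.0/24,Compromised Hosts
"""
# Constructed proxy log lines: "<client ip> <method> <url or CONNECT target>".
PROXY_LOG = """\
10.0.0.12 GET http://www.example.com/index.html
10.0.0.12 GET http://bad-updates.example/dl/setup.exe
10.0.0.31 CONNECT cnc.example.net:443
10.0.0.31 GET http://203.0.113.77/gate.php
10.0.0.40 GET http://198.51.100.23/ads/banner.swf
"""


def load_feed(text):
    """Split the feed into a domain->category map and a list of (network, category)."""
    domains, networks = {}, []
    for line in text.splitlines():
        indicator, category = (p.strip() for p in line.split(",", 1))
        try:  # a bare IP parses as a /32 network, so one list covers hosts and ranges
            networks.append((ipaddress.ip_network(indicator, strict=False), category))
        except ValueError:
            domains[indicator.lower()] = category
    return domains, networks


def match_feed(host, domains, networks):
    """Category for host: IPs are checked against ranges, names against parent domains."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        labels = host.lower().split(".")
        parents = (".".join(labels[i:]) for i in range(len(labels)))
        return next((domains[d] for d in parents if d in domains), None)
    return next((cat for net, cat in networks if addr in net), None)


def find_infections(log_text, feed_text):
    """Map each internal client to the feed categories of the hosts it contacted."""
    domains, networks = load_feed(feed_text)
    hits = {}
    for line in log_text.splitlines():
        client, _method, target = line.split(None, 2)
        host = urlsplit(target if "://" in target else "//" + target).hostname or ""  # CONNECT targets have no scheme
        if category := match_feed(host, domains, networks):
            hits.setdefault(client, set()).add(category)
    return hits
```

Subdomains of a listed domain match too, which is what the deck's "Malware Domains" entries need in practice.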
28. Battling Malware in The Enterprise
Malware Forensics Dojo
Learn from an experienced malware expert
Practical skills and applicable knowledge
Real world scenarios from the field