Companies are struggling to deal with the unstoppable growth of cyber-attacks as hackers get faster, sneakier and more creative. The bad news is that no company is immune, no matter how big or small you are. Without a proper understanding of zero-day threats, companies have no way of exposing the gaps in overhyped security solutions.
A zero-day exploit leaves NO opportunity for detection. This presentation will highlight critical insights into combating zero-day threats.
2. Defining the “zero-day” (software) threat
The term “zero-day” refers to the number of days that the software vendor has known about the hole: ZERO.
Zero-day vulnerability: a security hole in software that is not yet known to the software maker or to Information Security vendors. NO PATCH – NO SIGNATURE.
Zero-day exploit: code that attackers use to take advantage of a zero-day vulnerability to compromise a system for their benefit. DROP - CONTROL - DISABLE.
3. Zero-Day Vulnerability Lifecycle
Lifecycle of a zero-day vulnerability:
• New vulnerability discovered “in the wild”: public unaware of the risk; you are vulnerable… (Most Vulnerable)
• Someone informs the vendor about the vulnerability
• Vendor releases security patches to the public, CVE posted: public is aware of the risk
• Patch Gap: you remain vulnerable until you install patches and update signatures
• You install patches and update signatures: you are safe…
4. Kill chain analysis of an advanced threat
1. Reconnaissance: harvesting email and IP addresses, surveying defenses
2. Weaponization: coupling exploit with attack infrastructure - deliverable payload
3. Delivery: delivering weaponized bundle to the victim via email, web – drive-by-download
4. Exploitation: exploiting a vulnerability to execute code on victim’s system
   • Zero-day vulnerabilities
   • Unpatched vulnerabilities
5. Installation: installing malware on the asset
6. Command & Control (C2): command channel for remote manipulation of victim’s system or additional malware downloads
7. Action on Objectives: lateral movement, data exfiltration, disruption, etc.
5. Examples of zero-day vulnerabilities
‣ Acrobat Reader - CVE-2014-0512: Adobe Reader 11.0.06 allows attackers to bypass a PDF sandbox protection mechanism via unspecified vectors
‣ Internet Explorer 9 through 11 Exploit - CVE-2016-0072: Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability"
‣ Microsoft Server Service Vulnerability - allowed remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code
‣ WordPress Cross-Site Scripting Vulnerability - allows attackers to execute arbitrary code or cause a denial of service (memory corruption)
‣ Operation Snowman Exploit - targets IE 10 with Adobe Flash; the vulnerability allows the attacker to modify one byte of memory at an arbitrary address
‣ Microsoft Office - CVE-2016-0052: allows remote attackers to execute arbitrary code via a crafted Office document, aka "Microsoft Office Memory Corruption Vulnerability"
6. Sophisticated breaches can go undetected for a long time
Data breaches tend to continue for months and even years.
(Chart of breach durations: 18 days, 106 days, 180 days, 246 days, 266 days)
7. US Office of Personnel Management (OPM) Data Breach - Timeline
(Timeline runs from July 2014 to June 2015.)
• Initial OPM breach: OPM investigates a breach of its computer networks dating back to July 2014. Authorities trace the intrusion to China.
• Inspector General Report: a report by OPM’s Office of the Inspector General on the agency’s compliance with the Federal Information Security Management Act finds “significant” deficiencies in the department’s IT security.
• KeyPoint: KeyPoint, a company that took over background checks for USIS, suffers a breach. OPM states that there is “no conclusive evidence to confirm sensitive information was removed from the system.”
• Initial Detection: OPM became aware of an intrusion affecting its systems and data in April 2015 and launched an investigation with its agency partners, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI).
• Subsequent Detection: OPM became aware of the potential compromise of data related to personnel records for current and former Federal employees.
• Public Disclosure
8. US OPM Sensitive Personal Information (SPI) Data Breach
‣ Who was affected?
• “Current, former, and prospective Federal government employees, and those for whom a Federal background investigation was conducted”
• Original est. – 4.2M records, adjusted to 18M
‣ What was stolen?
• “Name, SSN, date and place of birth and current and former addresses... could include the type of information you would typically find in a personnel file, such as job assignments, training records”
‣ Head scratcher
• "If there is anyone to blame, it is the perpetrators," OPM Director Katherine Archuleta told members of a Senate panel
9. Zero-day vulnerabilities = $$$ in the marketplaces
Black market
• Cybercrime organizations
• Buy and sell exploit code
• Goal: break into systems, steal data
White market
• Vendor bug bounty programs
• Buy and sell vulnerability info
• Goal: fix security holes
Gray market
• Military and intelligence agencies
• Buy zero-day exploits and vulnerability info
• Goal: surveillance and offensive ops
10. The market for zero-day exploits
(Chart: Forbes price list for zero-day exploits – government agencies, with buyers grouped into gray, black and white markets)
11. Zero Day Disclosure - “Rain Forest Puppy” policy
• Ethical hackers and researchers often follow the policy and give the vendor five working days to respond
• The reporter should help the vendor reproduce the bug
• The reporter should delay notifying the general community about the bug if the vendor provides feasible reasons for doing so
• When issuing an alert or fix, the vendor should give the reporter proper credit for reporting the bug
• If the vendor fails to contact the reporter in those five days, the recommendation is to disclose
13. Data Breach Trends
• Data breaches are on the rise
• 2014-15 saw a significant jump in breaches in the retail and healthcare sectors
• Breach disclosure laws have contributed to greater exposure in the mainstream press
• There were more identity breach victims, but less money was directly stolen
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
14. Why are Advanced Threats so hard to stop?
Enterprise security has failed to keep pace with the evolving threat landscape (2006 vs 2016)
Enterprises
• 2006 – Sedentary workforce: PCs and laptops; corporate network; VPN connectivity required for remote employees; corp. owned devices
• 2016 – Dynamic workforce: smartphones and tablets; working from free wifi networks and 3G/4G connections; BYOD
Attackers
• 2006 – Rogue individuals: motivated by the challenge; no financial gain
• 2016 – Organized criminals: well funded; highly skilled; criminal organizations; financial/political gain
Attacks
• 2006 – Loud and noisy: server side vulnerabilities; attacks were obvious and of brief duration; damage could be costly but easy to clean up
• 2016 – Quiet and stealthy: exploiting client-side vulns and social engineering; leveraging end users as a catalyst; goal - data exfiltration
Security
• 2006 – URL filtering; anti-virus
• 2016 – URL filtering; anti-virus
15. Attacks are deeper and more sophisticated than ever before
Loading Stage
• Spam & phishing e-mail
• Social networking sites
• SEO poisoning
• Compromised websites
• Malvertising on legitimate sites
Landing Stage
• Identification of client side technologies: O/S, browser and plugin versions installed
• Determine effectiveness of payloads
• Often requires no user intervention
Malware Payload Delivery
• Anti-VM and anti-analysis features
• Detection of known antivirus drivers
• Multiple levels of highly obfuscated JavaScript code
• Dynamic construction of exploit payload URLs only when a vulnerability is found
• Short lived exploit payload URLs, often restricted to one visit per IP address
• Obfuscated and repackaged exploit/malware payloads
16. 17,412 new advanced threats detected by Zscaler behavioral analysis in just 30 days (Jan 2016)
Over 750 billion transactions in one month
• 2 billion+ threats blocked
• 1,199,188 suspicious objects extracted from traffic and sent to sandboxes
• 17,412 new advanced threats detected and blocked for all cloud users simultaneously
17. Not playing nice in the sandbox
Top Malware Behaviors Monitored in Sandbox (bar chart, counts from 0 to 50,000):
• Executes massive amount of sleeps in a loop
• Dropped PE files which have not been started or loaded
• Contains long sleeps
• Uploads sensitive system information
• Checks for kernel debuggers
• Reads the hosts file
• Enables driver privileges
• Queries the volume information
• Checks free space
• Looks for software installed
• Contains strings which match to known bank URLs
• Requests potentially dangerous permissions
• Uses a known web browser user agent for HTTP communication
• Creates mutexes
• Executes native commands
• Tries to load missing DLLs
• Kills processes
• Tries to detect sandboxes and other dynamic analysis tools
18. Case Study: Chinese APT Group Emissary Panda
Chinese APT group “Emissary Panda”, known for stealing Intellectual Property data from target companies
Attacks seen on Zscaler Cloud
• Investigation started with ABA block on content from a compromised Government site (watering hole)
• Attack chain shows use of Hacking Team’s leaked 0-day exploits
• Installs an SSL based Remote Access Trojan (RAT) upon success
Multiple Industries Targeted
• Energy & Construction
• Financial Services Firm
• Pharmaceutical
More at – research.zscaler.com (Aug ‘15)
(Attack chain diagram: compromised site reis.railnet.gov.in/ leads to the APT attack infrastructure at 210.209.89.162, serving /rs/ie.html, /rs/swfobject.js, /rs/out.swf and /rs/svchost.exe)
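The landing-stage fingerprinting (slide 15) and the Emissary Panda attack chain (slide 18) share a shape a proxy log can be checked for: a watering-hole referrer, an HTML landing page on a bare-IP host, a Flash object from that host, then an executable from it moments later. The detector below is an added example, not Zscaler's code; the log lines, hosts and the 60-second window are constructed for it.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse
# Constructed proxy log (not from the original deck). Fields per line:
# timestamp client method url referrer content-type   ("-" = no referrer)
SAMPLE_LOG = """\
2015-08-03T10:00:01 10.1.1.5 GET http://news.example.org/index.html - text/html
2015-08-03T10:00:02 10.1.1.5 GET http://198.51.100.23/rs/ie.html http://news.example.org/index.html text/html
2015-08-03T10:00:03 10.1.1.5 GET http://198.51.100.23/rs/swfobject.js http://198.51.100.23/rs/ie.html application/javascript
2015-08-03T10:00:04 10.1.1.5 GET http://198.51.100.23/rs/out.swf http://198.51.100.23/rs/ie.html application/x-shockwave-flash
2015-08-03T10:00:09 10.1.1.5 GET http://198.51.100.23/rs/svchost.exe http://198.51.100.23/rs/ie.html application/octet-stream
2015-08-03T10:05:00 10.1.1.9 GET http://cdn.example.net/player.swf http://video.example.net/ application/x-shockwave-flash
"""
FLASH = "application/x-shockwave-flash"
EXE_TYPES = {"application/octet-stream", "application/x-msdownload"}
WINDOW = timedelta(seconds=60)  # max gap between the Flash object and the executable fetch

def parse_line(line):
    ts, client, _method, url, ref, ctype = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client, "url": url,
            "ref": ref, "ctype": ctype, "host": urlparse(url).hostname}

def is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def find_driveby_chains(log_text):
    """Flag clients whose requests show an HTML landing page on a bare-IP host reached from
    another site (watering hole), a Flash object from that host, then an executable within WINDOW."""
    by_client = defaultdict(list)
    for rec in map(parse_line, filter(str.strip, log_text.splitlines())):
        by_client[rec["client"]].append(rec)
    findings = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r["ts"])
        for i, swf in enumerate(reqs):
            if swf["ctype"] != FLASH or not is_bare_ip(swf["host"]):
                continue
            host = swf["host"]
            # landing page served by the exploit host, referred from a different (compromised) site
            landing = [r for r in reqs[:i] if r["host"] == host and r["ctype"] == "text/html"
                       and r["ref"] != "-" and urlparse(r["ref"]).hostname != host]
            # executable from the same host shortly after the Flash object (the dropped RAT)
            payload = [r for r in reqs[i + 1:] if r["host"] == host
                       and r["ctype"] in EXE_TYPES and r["ts"] - swf["ts"] <= WINDOW]
            if landing and payload:
                findings.append({"client": client, "watering_hole": urlparse(landing[0]["ref"]).hostname,
                                 "exploit_host": host, "payload": payload[0]["url"]})
                break
    return findings
```

The benign client 10.1.1.9 fetching a Flash player from a named CDN host is not flagged, which is the point of requiring the bare-IP host and the full landing/Flash/executable sequence rather than any single indicator.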
19. Case Study: CryptoWall
• Version 3.0 first observed June 2015, version 4.0 Nov 2015
• Binary digitally signed (MDG Advertising)
• Uses strong encryption to encrypt all files on HDD, attached devices and network shares
• Imagine a domain admin getting infected…
• CryptoWall features:
  • Asymmetric (public-key) encryption to encrypt user documents, making recovery infeasible
  • Ransom starts at US$500 and increases over time
  • One file will be decrypted for free…
  • Ransom collected in bitcoins or as pre-paid cash vouchers / cards
  • Usage of anonymizing networks like Tor & i2p
  • New versions even have chat-based support!
21. How good are my defenses?
Current security controls are not working
• 93% of organizations had infected computers communicating with C&C servers
• 52% of malware coming into the network was unknown to antivirus vendors
• 79% of organizations were experiencing data exfiltration
Source: KPMG enterprise security, August 2014
22. Think encryption is going to keep you safe?
‣ SSL traffic is becoming pervasive, but most organizations are blind to it
• 40 percent of Internet traffic is now encrypted with SSL, growing to more than 50% in 2016
‣ The most sophisticated threats are using SSL
• 16% of all traffic blocked uses SSL
• 54% of advanced threats use SSL
‣ If your policies do not include SSL inspection, all your security tools are half-blind
SSL traffic on enterprise networks is growing rapidly & creating security blind spots
23. Strategies based on alerting are doomed to failure
‣ Alerting allows infections to happen – with no guarantee you’ll notice them
‣ Alerting based strategies lead to SOC overload – which of the 1,000 alerts do you pay attention to?
‣ All threats and violations must be automatically blocked
Alert Fatigue: “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It”
24. Kill chain analysis of an advanced threat
1. Reconnaissance: harvesting email and IP addresses, surveying defenses
2. Weaponization: coupling exploit with attack infrastructure - deliverable payload
3. Delivery: delivering weaponized bundle to the victim via email, web – drive-by-download. Defense: malicious websites can be blocked – “sometimes”
4. Exploitation: exploiting a vulnerability to execute code on victim’s system. Defense: by definition, can’t identify a zero-day vulnerability
5. Installation: installing malware on the asset. Defense: behavioral analysis can detect malicious behavior
6. Command & Control (C2): command channel for remote manipulation of victim’s system or additional malware downloads. Defense: identify and block outbound CnC communications
7. Action on Objectives: lateral movement, data exfiltration, disruption, etc. Defense: identify and block outbound data exfiltration
25. Best practices for stopping APTs in Internet traffic
Defense in depth, layered from known threats through to unknown (zero-day) threats:
• Inline antivirus & anti-spyware
• Deep content inspection
• Browser and plugin vulnerabilities
• Page-level risk analysis
• Block malicious URLs and files
• Sandboxing
Inbound traffic: viruses, APTs, adware, spyware, malicious JavaScript, exploits, malformed files, XSS, etc.
Outbound traffic: botnet calls, malicious URLs, data exfiltration, SSL, etc.
26. Zscaler Advanced Threat Protection
Protect – stop infections from happening
‣ Always in-line – can always block
‣ Multiple layers of security with automated in-line SSL inspection
‣ Behavioral analysis for zero day files
‣ File quarantine - first global victim is protected
‣ Instant cloud-wide blocking of new threats
‣ Lock down all ports & protocols with built-in NG firewall
27. Zscaler Advanced Threat Protection
Detect – identify compromised devices
‣ Monitor infection trends
‣ Isolate infected machines
‣ Identify types of attacks
‣ Track users with risky behavior
‣ Show value of the solution to the CxO
28. Zscaler Advanced Threat Protection
Remediate – minimize impact and heal
‣ Stop data exfiltration attempts, including over SSL
‣ Lock down unauthorized ports and protocols
‣ Block botnet CnC communications
‣ Complete visibility, even to cloud applications
‣ Easy to use, detailed forensics
‣ Correlation across users / devices / locations
29. How Zscaler sandboxing works
Block or allow “known” files:
• Malware identified by AV, threat database, or static analysis
• Benign files identified by whitelist or file type
Unknown files go through Behavioral Analysis:
• “Detonate” in a virtual sandbox
• Capture and analyze behavior
• Identify malware vs benign
• Update threat database
• Automatically block malware
• Automatically pass benign files
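The known/unknown dispatch above, together with the quarantine-until-verdict and cloud-wide blocking from slide 26 and the behaviour list from slide 17, can be sketched in a few dozen lines. This is an added example, not Zscaler's implementation: the behaviour weights, the threshold of 6 and the `CloudFileGate` class are constructed for illustration.

```python
import hashlib

# Behaviours taken from the deck's "Top Malware Behaviors Monitored in Sandbox" chart.
# The weights and threshold are constructed for this example, not a vendor's scoring.
BEHAVIOR_WEIGHTS = {
    "tries to detect sandboxes and other dynamic analysis tools": 4,
    "checks for kernel debuggers": 3,
    "executes massive amount of sleeps in a loop": 3,
    "uploads sensitive system information": 4,
    "contains strings which match to known bank urls": 4,
    "dropped pe files which have not been started or loaded": 2,
    "kills processes": 2,
    "creates mutexes": 1,
    "queries the volume information": 1,
}
MALWARE_THRESHOLD = 6

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def behavior_score(behaviors) -> int:
    """Sum the weights of the behaviours observed during detonation; unlisted ones score 0."""
    return sum(BEHAVIOR_WEIGHTS.get(b.strip().lower(), 0) for b in behaviors)

class CloudFileGate:
    """Known files are allowed or blocked from the shared threat database; an unknown file is
    held (quarantined) for every requester until its sandbox verdict arrives, and that verdict
    is recorded so every later request, from any user or tenant, is decided instantly."""
    def __init__(self, whitelist=()):
        self.threat_db = {}              # sha256 -> "malware" | "benign"
        self.whitelist = set(whitelist)  # sha256 of known-good files
        self.pending = {}                # sha256 -> users waiting on a verdict

    def submit(self, data: bytes, user: str) -> str:
        sha = sha256_of(data)
        if sha in self.whitelist or self.threat_db.get(sha) == "benign":
            return "allow"
        if self.threat_db.get(sha) == "malware":
            return "block"
        # Unknown file: hold it rather than let the first requester become the first victim.
        self.pending.setdefault(sha, []).append(user)
        return "quarantine"

    def sandbox_report(self, data: bytes, behaviors) -> dict:
        """Record the detonation result and release every held request with the verdict."""
        sha = sha256_of(data)
        label = "malware" if behavior_score(behaviors) >= MALWARE_THRESHOLD else "benign"
        self.threat_db[sha] = label
        decision = "block" if label == "malware" else "allow"
        return {user: decision for user in self.pending.pop(sha, [])}
```

Keying the database on the file hash is what makes "first global victim is protected" work: the second user anywhere to request the same bytes gets the cached verdict without a second detonation.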
30. Zscaler APT Protection Key Highlights:
Behavioral Analysis Report
Quarantine – ensures no one gets infected with a zero day attack
Forensics analysis with key features to make remediation easy:
• Screen captures during malware execution
• Packet captures for detailed analysis
• Detection evading techniques used
• Memory and process analysis
• Networking level activity
32. Security appliances: two challenging choices
• Backhaul traffic through the data center (mobile users, HQ and remote offices): slow, complex & expensive
• Build a perimeter around every office (HQ and remote offices): too many gateways to buy, deploy & manage
33. Zscaler: putting a perimeter around the Internet
So you don’t need to put a perimeter around every office and every device
• Threats in scope: exploits, APT, malware, botnets
• Destinations in scope: public cloud, SaaS, private cloud
• Full inline inspection (SSL); all ports, all protocols
• Real-time global visibility (threats, apps, users)
• Single policy definition point (context)
Traffic forwarding, two use cases:
• On network (HQ, remote offices): GRE/IPSEC
• Off network (mobile employee): PAC / Mobile Agent
34. Zscaler cloud security platform
Purpose-built, integrated services consolidate and simplify the appliance mess
Services: web security; advanced threat protection; cloud app visibility & control; cloud firewall; bandwidth controls; data loss prevention; cloud sandbox
Platform: context-aware policies; global real-time analytics; SSL inspection; threat correlation
Infrastructure: multi-tenant distributed carrier-grade cloud (peering relationships)
35. Industry analysts agree…
“…on-premises web content security can’t protect digital business…”
“…largest global cloud footprint with more than 100 enforcement nodes…”
36. Zscaler delivers value to all stakeholders
CISO: BETTER SECURITY
• Scan and score every byte (SSL)
• Always up-to-date
• Correlation of threat prevention techniques
• Consistent policies globally
• Full audit controls - every user, device, & app in all locations
CIO/CTO: SIMPLIFICATION
• No patch management or EOS issues
• No shipping, staging, updating
• Checkbox to enable new features
• No maintenance windows
• Elastic scale
CFO: FASTER ROI
• Minimize CAPEX investment – no boxes to purchase
• Reduce OPEX – no boxes to maintain
END USER: IMPROVED EXPERIENCE
• Faster response times
• Localized Internet content
• Single admin console
• Real-time global reports
• Performance SLA
37. Consider Three Users…
• We must seek security solutions that ensure consistent policy, protection and visibility, regardless of device or location.
• Cloud provides the opportunity to level the playing field.
Office: device – PC / laptop; protection – IDS, IPS, FW, SWG, DLP, etc.; visibility – location based reporting
Coffee shop: device – laptop; protection – host based AV and firewall; visibility – nothing
Airport: device – tablet/smartphone; protection – nothing; visibility – nothing
38. Next Steps
Free Security Health Check
Risk free evaluation of your security infrastructure
Go to: http://www.zscaler.com/securitypreview
Live Product Demos
Register here: https://www.zscaler.com/productdemos