1. Surviving Today's Targeted Attacks
How to Escape the Cyberhydra's Poisonous Breath
Stefan Tanase
Senior Security Researcher
Global Research and Analysis Team
Kaspersky Lab International Press Tour, Cyprus, June 3-6, 2010
2. Before we start
Targeted attacks based on unpatched vulnerabilities like this one are happening right now!
3. Targeted Attacks - Overview
• The (R)evolution of malware
• Motivation: how cybercriminals make money
• Targeted attacks: threats to SMBs & enterprises
• So, how do they do it?
– Targeted attacks in 4 steps
• Live demo
• Targeted attacks becoming mainstream
• Surviving targeted attacks
4. The (R)evolution of malware
5. The evolution of malware
• 1992 – 2007: about 2M unique malware programs
• In 2009 alone: more than 14M new malicious programs
• End of Q1 2010: a total of about 36.2M unique malicious files in the Kaspersky Lab collection
(Chart: New malware samples)
6. Motivation: how cybercriminals make money
7. Motivation: how cybercriminals make money
• By stealing, of course
– Stealing directly from the user
• Online banking accounts, credit card numbers, electronic money, blackmailing.
– What if I don't have money?
– Providing IT resources to other cybercriminals
• Creating botnets, sending spam, DDoS attacks, pay-per-click fraud, affiliate networks, renting computing power, collecting passwords etc.
– Providing access to targeted SMB and enterprise networks for interested 3rd parties
8. What are they after?
• What do attackers want?
– sensitive source code
– future product information
– 3rd party data hosted by the victim
– credentials for production systems
– executive emails
– information about customers
– to explore an intranet for other confidential info
• Easily saleable data is not really targeted
9. Targeted attacks: threats to SMBs & enterprises
11. Targeted attacks: threats to SMBs & enterprises
(Figure callout: More than 1 week!)
12. Targeted attacks: threats to SMBs & enterprises
It only takes a vulnerability that has a window of 1 hour
13. Vulnerabilities – There's plenty of them out there
(Figure) Source: Microsoft Security Intelligence Report Volume 8
14. Targeted attacks versus classic malware
Lethal injection versus a hail of bullets
• Targeted attacks are not epidemics
• One email is enough, instead of tens of thousands
• Stay under the radar
• Targeted organizations are either not aware, or don't publicly disclose information
• It is hard to get samples for analysis
• Classic signature-based AV is useless
• New defense technologies
• Much higher stakes
• Intellectual property theft, corporate espionage
15. So, how do they do it?
16. Targeted attacks in 4 steps
1. Profiling the employees
– Choosing the most vulnerable targets
– Reconnaissance via social networks, mailing list posts, public presentations, etc.
– Attackers usually target users in their own country because of the language barrier
• Attackers are more comfortable in their own language
– Language can offer clues to the origins of the attack
– They worry about getting the good stuff later
17. Targeted attacks in 4 steps
2. Developing a new and unique malware attack
– Doesn't have to bypass all AV solutions, just the one used by the victim
– Using social engineering to get the victim to click on a link
• Gather OS, browser, plug-in versions – useful for vulnerabilities
– Corporate monoculture leads to problems
• Different employees using the same software
18. Targeted attacks in 4 steps
3. Gaining control and maintaining access
– Initial exploit drops malware onto victim machine
– Networks are usually protected from outside threats
– C&C communication is done over TLS or TLS-like protocols
• Encryption proves to be a double-edged sword
• Traffic can't be detected
19. Targeted attacks in 4 steps
4. Getting the 'good stuff' out
– Find an overseas office server to be used as an internal drop
• Speed is the key
– Move data over the corporate WAN/intranet to the internal drop
– Get all of the data out at once to the external drop server
• Even if traffic is monitored, it might be too late to react
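Steps 3 and 4 above are where a defender with flow logs still has something to work with: TLS hides what the C&C channel says, but not when it talks or how much leaves the network. The following script is an added example written for this page, not code from the presentation or from Kaspersky Lab. It runs two checks over a constructed set of outbound flow records: near-periodic check-ins to one external host (the beaconing cadence of step 3) and a large transfer from an internal host that first collected data from several internal peers (the internal-drop pattern of step 4). The 10.0.0.0/8 addressing plan, the thresholds and every host, timestamp and byte count are assumptions made for the example.

```python
"""Added example, not part of the presentation: defender-side analysis of
outbound flow records for the two behaviours described in steps 3 and 4,
periodic C&C beaconing inside TLS and bulk exfiltration through an internal
staging host.  Every host, timestamp and byte count below is constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Flow record: (epoch seconds, source IP, destination IP, destination port, bytes sent)
BASE = 1_275_000_000  # constructed start time
FLOWS = []

# (a) Constructed beacon: one short TLS session roughly every 300 s.  The payload
#     is opaque, but the cadence is not.
t = BASE
for gap in [0, 300, 301, 299, 300, 302, 298, 300, 301, 300]:
    t += gap
    FLOWS.append((t, "10.0.1.20", "203.0.113.7", 443, 1200))

# (b) Constructed ordinary browsing to another external site: irregular gaps.
t = BASE
for gap in [0, 5, 120, 900, 30, 2400, 15, 600]:
    t += gap
    FLOWS.append((t, "10.0.1.21", "198.51.100.5", 443, 40_000))

# (c) Constructed staging: three workstations copy data to an internal server
#     over the WAN, which then pushes everything out in a single TLS session.
for i, src in enumerate(["10.0.1.20", "10.0.1.21", "10.0.1.22"]):
    FLOWS.append((BASE + 3600 + 60 * i, src, "10.0.2.50", 445, 25_000_000))
FLOWS.append((BASE + 4000, "10.0.2.50", "203.0.113.7", 443, 80_000_000))

# (d) Constructed large but legitimate off-site backup: big transfer, no staging.
FLOWS.append((BASE + 5000, "10.0.1.30", "198.51.100.9", 443, 60_000_000))


def is_internal(ip):
    """Constructed addressing plan: the corporate network is 10.0.0.0/8."""
    return ip.startswith("10.")


def find_beacons(flows, min_connections=6, max_cv=0.15):
    """Flag (src, dst, port) triples whose connection times are near-periodic.
    Periodicity is measured as the coefficient of variation of the gaps between
    connections; a low value means a fixed check-in interval, which is how
    malware that phones home looks even when the content is encrypted."""
    times = defaultdict(list)
    for t, src, dst, port, _ in flows:
        if is_internal(src) and not is_internal(dst):
            times[(src, dst, port)].append(t)
    hits = []
    for key, ts in times.items():
        if len(ts) < min_connections:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else 0.0
        if cv <= max_cv:
            hits.append((key, round(avg), round(cv, 3)))
    return hits


def find_exfil(flows, min_bytes=50_000_000, min_peers=3):
    """Flag internal hosts that sent at least min_bytes to one external
    destination, and mark whether they first collected data from several
    internal peers (the 'internal drop' pattern of step 4)."""
    inbound_peers = defaultdict(set)   # internal host -> internal senders
    outbound = defaultdict(int)        # (src, dst) -> bytes to external
    for _, src, dst, _, nbytes in flows:
        if is_internal(src) and is_internal(dst):
            inbound_peers[dst].add(src)
        elif is_internal(src):
            outbound[(src, dst)] += nbytes
    alerts = []
    for (src, dst), nbytes in outbound.items():
        if nbytes >= min_bytes:
            peers = len(inbound_peers[src])
            alerts.append({"host": src, "dst": dst, "bytes_out": nbytes,
                           "internal_peers": peers, "staged": peers >= min_peers})
    return sorted(alerts, key=lambda a: -a["bytes_out"])


if __name__ == "__main__":
    for key, period, cv in find_beacons(FLOWS):
        print(f"beacon  {key[0]} -> {key[1]}:{key[2]} every ~{period}s (cv={cv})")
    for a in find_exfil(FLOWS):
        print(f"exfil   {a['host']} -> {a['dst']} {a['bytes_out']:,} bytes "
              f"staged={a['staged']} peers={a['internal_peers']}")
```

On the constructed data the beacon check flags only the 300-second cadence, not the irregular browsing, and the exfiltration check reports both large senders but marks only the one that first gathered data from three internal peers as staged. The backup host shows why the staging flag matters: volume alone produces noise, the combination of internal collection followed by one external push is the signature of step 4. Both checks work on metadata only, which is the point when the channel itself is encrypted.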
20. A targeted attack demo
21. Targeted attacks becoming mainstream
22. Personal information becoming public
• So much personal information becomes public on social networks – right now
• Advertisers are already doing it: targeted ads
– Age, gender, location, interests, field of work, browsing habits, relationships etc.
23. Before we end
25. Before we end
A highly sophisticated targeted attack will eventually succeed
26. Surviving targeted attacks
27. Surviving targeted attacks
• Proper security mindset
• Lack of user education and awareness
• Training and policies
• Employee reporting process
• Employees should report attempted attacks
• Companies should have a follow-up process for such incidents
• 24/7 security team with extremely fast reaction time
28. Surviving targeted attacks
• Minimize the attack surface
• Fewer 3rd party plug-ins: Flash, Acrobat, Java
• Use alternative browsers
• Frequent updates and patches
• Proactive protection technologies provide the necessary edge for remaining secure
• Sandbox - virtualized execution for applications (isolated environment)
• HIPS - Host-based Intrusion Prevention System (behavioral analysis)
• KSN - Kaspersky Security Network (in the cloud services)
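"Fewer plug-ins" and "frequent patches" are only actionable if you can see, per host, which plug-ins are installed, which are actually used, and which lag the patched build; slide 17's monoculture point adds that the share of hosts on one build is itself a risk number. The script below is an added example written for this page, not code from the presentation or from Kaspersky Lab. It triages a constructed inventory of the three plug-ins the slide names into remove (installed but idle) versus patch (in use but below baseline), reports the most common build per plug-in, and counts hosts needing action. The baseline versions, the 90-day idle cut-off and the inventory itself are made-up values, not real release data.

```python
"""Added example, not from the deck: check a constructed software inventory
against a patched-version baseline for the plug-ins the slide names, decide
per host whether a plug-in should be removed (unused) or patched (in use but
old), and measure how much of the fleet shares one build.  Version numbers
and hosts are made up; they are not real release data."""
from collections import Counter, defaultdict

# Constructed baseline: lowest version treated as patched, per plug-in.
PATCHED = {"flash": (10, 1, 0), "acrobat": (9, 3, 3), "java": (6, 0, 20)}
UNUSED_DAYS = 90  # a plug-in idle this long is attack surface with no benefit

# Constructed inventory: host -> {plug-in: (installed version, days since last use)}
INVENTORY = {
    "ws-001": {"flash": ("10.0.45", 2),   "acrobat": ("9.3.3", 1), "java": ("6.0.20", 0)},
    "ws-002": {"flash": ("10.0.45", 5),   "acrobat": ("9.3.0", 3), "java": ("6.0.17", 200)},
    "ws-003": {"flash": ("10.1.0", 1),    "acrobat": ("9.3.3", 0), "java": ("6.0.17", 0)},
    "ws-004": {"flash": ("10.0.45", 120), "acrobat": ("9.3.3", 2)},
    "ws-005": {"flash": ("9.0.280", 300), "acrobat": ("9.3.3", 4), "java": ("6.0.17", 1)},
}


def parse_version(text):
    """Compare versions numerically.  As strings, "9.3.3" > "10.0.45" is True,
    which is exactly the kind of bug that hides an unpatched host."""
    return tuple(int(part) for part in text.split("."))


def is_patched(plugin, version):
    return parse_version(version) >= PATCHED[plugin]


def triage(inventory=INVENTORY):
    """Per host, the action for each plug-in that is not already fine:
    'remove' if idle beyond UNUSED_DAYS, else 'patch' if below baseline."""
    actions = defaultdict(dict)
    for host, plugins in inventory.items():
        for name, (version, idle_days) in plugins.items():
            if idle_days >= UNUSED_DAYS:
                actions[host][name] = "remove"
            elif not is_patched(name, version):
                actions[host][name] = "patch"
    return dict(actions)


def monoculture(inventory=INVENTORY):
    """For each plug-in: the most common installed version, how many hosts run
    it, and their share of the hosts that have the plug-in at all.  One
    working exploit for that version reaches all of them."""
    report = {}
    for name in PATCHED:
        versions = Counter(p[name][0] for p in inventory.values() if name in p)
        version, count = versions.most_common(1)[0]
        report[name] = (version, count, round(count / sum(versions.values()), 2))
    return report


def exposure(inventory=INVENTORY):
    """Number of hosts needing action per plug-in, to order the patch work."""
    counts = Counter()
    for plugins in triage(inventory).values():
        counts.update(plugins.keys())
    return dict(counts)


if __name__ == "__main__":
    for host, plugins in triage().items():
        print(host, plugins)
    print("most common builds:", monoculture())
    print("hosts needing action:", exposure())
```

Two design choices carry the lesson: versions are compared as integer tuples, because a string comparison silently ranks "9.x" above "10.x" and reports the oldest hosts as current; and removal is considered before patching, since a plug-in nobody has used in months is attack surface that needs no patch cycle at all. Feeding the script a real inventory export instead of the constructed dictionary is the only change needed to use it.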
29. Thank you! Questions?
stefant@kaspersky.ro
twitter.com/stefant
Stefan Tanase
Senior Security Researcher
Global Research and Analysis Team
30. Intro – let's stand up!
• "White", "black", "pink"… "not wearing any"