�ݺ�ߣ

Click to edit Master title style

• Click to edit Master text styles
– Second level
• Third level
– Fourth level
Surviving Today's Targeted
» Fifth level

Attacks
How to Escape the Cyberhydra's Poisonous Breath

Stefan Tanase
Senior Security Researcher
Global Research and Analysis Team

June 10th , 2009
Kaspersky Lab International Press Tour, Cyprus, June 3-6, 2010 place)
Event details (title,

Click to we start
Before edit Master title style

– Second level
• Third level
– Fourth level
» Fifth level

Targeted attacks based on
unpatched vulnerabilities like this one
are happening right now!
Kaspersky Lab International Press Tour, Cyprus, June 3-6, 2010
June 10th , 2009 Event details (title, place)

Click to edit Targeted Attacks
Overview - Master title style

•
• The (R)evolution of malware
Click to edit Master text styles
• Motivation: how cybercriminals make money
– Second level
• • Third attacks: threats to SMBs & enterprises
Targetedlevel
– Fourth level
• So, how do they do it?
» Fifth level

– Targeted attacks in 4 steps
• Live demo
• Targeted attacks becoming mainstream
• Surviving targeted attacks



– Second level
• Third level
– Fourth level
» Fifth level

The (R)evolution of malware

Clickevolution of malware
The to edit Master title style

• 1992 – 2007: about 2M unique malware programs
• In 2009 alone: more than 14M new malicious programs
– Second level
• End of Q1,2010: a total of about 36,2M unique malicious
• Third level
files in the Kaspersky Lab collection
– Fourth level
» Fifth level
New malware samples



– Second level
• Third level
– Fourth level
» Fifth level

Motivation: how cybercriminals make money

Click to edit how cybercriminals make money
Motivation: Master title style

• By stealing, of course
– Stealing directly from the user
– Second level
• Online banking accounts, credit card
• Third level
numbers, electronic money, blackmailing.
– Fourth level
– What if I don’t have money?
» Fifth level

– Providing IT resources to other cybercriminals
• Creating botnets, sending spam, DDoS attacks,
pay-per-click fraud, affiliate networks, renting
computing power, collecting passwords etc.
– Providing access to targeted SMB and enterprise
networks for interested 3rd parties

What are they after?

• What do attackers want?
– sensitive source codes
– Second level
– future product information
• Third level
– 3rd partyFourth level
– data hosted by the victim
» Fifth level
– credentials for production systems
– executive emails
– information about customers
– to explore an intranet for other confidential info
• Easily saleable data is not really targeted



– Second level
• Third level
– Fourth level
» Fifth level

Targeted attacks: threats to SMBs & enterprises


– Second level
• Third level
– Fourth level
» Fifth level


Targeted attacks: threats to SMBs & enterprises

• Click to edit Master text styles More than 1 week!
– Second level
• Third level
– Fourth level
» Fifth level


Targeted to edit Master title style & enterprises
Click attacks: threats to SMBs

– Second level
• Third level
– Fourth level
It only takes a vulnerability
» Fifth level

that has a window of 1 hour


Vulnerabilities – There’s plenty
Click to edit Master title style of them out there

– Second level
• Third level
– Fourth level
» Fifth level

Source: Microsoft Security Intelligence Report Volume 8


Targeted attacks versus classic malware

Lethal injection versus a hail of bullets
• Click to edit Master text not epidemics
• Targeted attacks are styles
– Second level
• One email is enough, instead of tens of thousands
• Third level
• Stay under the radar
– Fourth level
• Targeted organizations are either not aware,
» Fifth level

or don’t publicly disclose information
• It is hard to get samples for analysis
• Classic signature-based AV is useless
• New defense technologies
• Much higher stakes
• Intellectual property theft,
corporate espionage


– Second level
• Third level
– Fourth level
» Fifth level

So, how do they do it?

Targeted attacks in 4 steps

1. Profiling the employees
– Choosing the most
– Second level
vulnerable targets
• Third level
– Reconnaissance via
– Fourth level
social networks, mailing
» Fifth level

list posts, public presentations, etc
– Attackers usually target users in their
own country because of the language barrier
• Attackers are more comfortable in their own language
– Language can offer clues to the origins of the attack
– They worry about getting the good stuff later


2. Developing a new and
• Click malware attack
unique to edit Master text styles
– Second level
– Doesn’t have to bypass
• Third level
all AV solutions, just the
– Fourth level
one used byFifth level
» the victim

– Using social engineering
to get the victim to click on a link
• Gather OS, browser, plug-in versions – useful for
vulnerabilities
– Corporate monoculture leads to problems
• Different employees using the same software


3. Gaining control and
– Second level
maintaining access
• Third level – Initial exploit drops malware
– Fourth level onto victim machine
» Fifth level
– Networks are usually protected
from outside threats
– C&C communication is done
over TLS or TLS-like protocols
• Encryption proves to be a double
edged sword
• Traffic can't be detected


4. Getting the ‘good stuff’ out
– Find an overseas office server
– Second level
to be used as an internal drop
• Third level
• Speed is the key
– Fourth level
– Move data over the corporate
» Fifth level

WAN/intranet to the internal
drop
– Get all of the data out at once
to the external drop server
• Even if traffic is monitored, it
might be too late to react

Click to editattack demo style
A targeted Master title

– Second level
• Third level
– Fourth level
» Fifth level



– Second level
• Third level
– Fourth level
» Fifth level

Targeted attacks becoming mainstream

Personal information becoming public

• So much personal
information becomes
– Second level
public on social
• Third level
networks–right now
Fourth level
» Fifth level
• Advertisers are
already doing it:
targeted ads
– Age, gender, location,
interests, field of work,
browsing habits,
relationships etc.


– Second level
• Third level
– Fourth level
» Fifth level

Before we end

Click to we end

– Second level
• Third level
– Fourth level
» Fifth level


Click to we end

– Second level
• Third level
– Fourth level
A highly sophisticated targeted
» Fifth level

attack will eventually succeed



– Second level
• Third level
– Fourth level
» Fifth level

Surviving targeted attacks

Click to edit Master attacks
Surviving targeted title style

• •Proper security mindset styles
Click to edit Master text
• Lack of userlevel
– Second education and
awareness level
• Third
• Training–and policies
Fourth level
» Fifth level
• Employee reporting process
• Employees should report attempted
attacks
• Companies should have a follow-up
process for such incidents
• 24/7 security team with extremely
fast reaction time

Click to edit Master attacks
Surviving targeted title style

• Minimize the attack surface
•• Fewer 3rd partyMaster text styles
Click to edit plug-ins:
– Second level
Flash, Acrobat, Java
• Use alternative browsers
• Third level
• Frequent– Fourth level patches
updates and
» Fifth level
• Proactive protection technologies provide the necessary
edge for remaining secure
• Sandbox - virtualized execution for applications (isolated
environment)
• HIPS - Host-based Intrusion Prevention System (behavioral
analysis)
• KSN - Kaspersky Security Network (in the cloud services)


– Second level
Thank you! Questions?
• Third level
– Fourth level
» Fifth level
stefant@kaspersky.ro
twitter.com/stefant

Stefan Tanase
Senior Security Researcher
Global Research and Analysis Team

th
June 10 , 2009 Event details (title, place)

Click tolet’s stand up! style
Intro – edit Master title

• “White”, “black”, “pink”… “not wearing any” 
– Second level
• Third level
– Fourth level
» Fifth level


�ݺ�ߣ

Surviving Today's Targeted Attacks

More Related Content

Surviving Today's Targeted Attacks