Info sec 12 v1 2

Date post: 21-Nov-2014
Upload: prof-john-walker-fbcs-cism-crisc-citp-itpc-fbcs
Page 1: Info sec 12 v1 2

From Humble Beginnings (To the Blue Pill of c0nvention)

Professor John Walker CISM CRISC FBCS CITP ITPC Visiting – The School of Science & Technology, Nottingham Trent University

Page 2: Info sec 12 v1 2

Genesis

From the early days of Fred Cohen discovering the concept of the Computer Virus, to the release of malicious code into the wild, such as Creeper, Brain, Coffee Shop, Lehigh, Jerusalem and Stoned, to name but a few – in comparison to the modern-day threats posed by Smart Malware, they were simplistic.

Page 3: Info sec 12 v1 2

That Insider Threat

The Insider Threat is from OUTSIDE:

Today's Smart Malware takes advantage of the Insider Role by compromising and bypassing Perimeter Defences through the use of Adverse Logic and Advanced Threats (e.g. AETs), and then emulating the Privileges and Access rights of the Legitimate owner(s).

Page 4: Info sec 12 v1 2

The Exposure

Having given a presentation to the London RSA Conference, one Delegate's feedback was:

‘There is too much focus on the topics of insecurity, which place an over-emphasis on the adverse events’

The fact of the matter is, however, that year-on-year the levels of risk, and the associated vulnerabilities, exposures and imaginative ways of attacking targets, have increased!

In fact, in the current day the level of exposure is high: if you are a user of on-line services, a connected computer, a cell phone, or any other form of connected technology or service, then by inference there is a potential for exposure to exist – so we must deal with facts!

Page 5: Info sec 12 v1 2

Criminal Ingenuity

1) Seek out external intelligence – DNS – MetaData - FOI etc

2) Compromise then upload to Remote Server

3) Obtain Certificates – they are easy to locate

4) Search drives for sensitive files

5) Take Screenshots – audio visual – anything

6) Scan local network for hosts and assets of interest

7) Execute

Page 6: Info sec 12 v1 2

The Challenge

The Challenge is that there still seems to exist a state of denial – a belief that Advanced Threats and AETs really don’t exist – possibly caused by c0nventional thinking, attitudes and opinion, and a very high dependency on Blue Pills!

The time has arrived when we must consider the approach of Unconventional thinking to close off the h0les, to counter the imaginative threats posed by the attackers – we need to consider taking the plunge, and swap out Blue for Red thinking.

Consider the Evidence as to the reasons why . . .

Page 7: Info sec 12 v1 2

The Evidence

Still not convinced:

1. VeriSign – successful, and on multiple occasions
2. Global Payments
3. Barnes & Noble
4. RSA
5. Northrop
6. Grumman
7. Lockheed
8. L3
9. Sony
10. Pakistan Downed (Microsoft, Google, Apple, eBay)
11. Multiples of SMEs

To name but a few – did they all do security so badly, or does this imply there were other actors involved and at work?

With bad Statistics to match:

a) Circa 2011 – only 6% of attacks self-detected!
b) Typical attacks continued for 416 days!
c) Mistakes made like – dealing with Cyber Criminals
d) High Exposure to Footprinting via DNS & MetaData

Page 8: Info sec 12 v1 2

Pakistan Downed – Nov 12

Big Name technology firms were hit by a Hacking Attack under the Banner of Pakistan Down in the week commencing 26/11/12, causing websites to be temporarily shut down.

Google, Apple, Yahoo, Microsoft and eBay sites with domain names such as .pk, .com.pk and .org.pk were affected by the incident, which resulted in visitors being redirected to a different page.

The attack featured a picture of two penguins walking across a bridge with the slogan: Pakistan Downed

Page 9: Info sec 12 v1 2

The Motivation

The early motivation for creating and distributing Viruses was, in the majority of cases, just for fun. However, in today’s modern Landscape of Cyber Threats posed by distributed Malware, the Motivation falls into the following categories:

a) SME Hackers (Financial Gain)
b) Serious & Organised Crime (Financial Gain)
c) Government Sponsored (Intelligence Gathering, Direct/Indirect Attack, Industrial Espionage)
d) Hacktivist (Mostly Ideological)
e) Script Kiddies (In some cases, used as a learning mission)
f) Cyber Jihad – (Cyber Terrorism)

Page 10: Info sec 12 v1 2

Tricks of the Trade

XOR

X Y | X XOR Y
0 0 | 0
0 1 | 1
1 0 | 1
1 1 | 0

XNOR

X Y | X XNOR Y
0 0 | 1
0 1 | 0
1 0 | 0
1 1 | 1

There have been many techniques developed over the years to make Malware invisible to detection – one such simplistic method is that of using XOR and XNOR to change the profile at rest, or on-the-fly.

This is by no means foolproof, but serves as an example of the evolution of creativity.
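As an added example (not from the slides), the following Python shows why a byte-level XOR or XNOR re-encoding defeats a plain substring signature, and the analyst-side counter: try all 256 single-byte keys against a known plaintext marker. The marker string and the sample buffers are constructed here for illustration; note that XNOR with key k is identical to XOR with k ^ 0xFF, so one brute-force loop covers both encodings.

```python
"""Added example (not from the original deck): single-byte XOR / XNOR
re-encoding of a buffer and a defender's brute-force scan that recovers it.

Assumptions (constructed for illustration): the scan knows one plaintext
marker it expects to find, much as a signature engine would."""

# Constructed marker: the classic text found in the DOS stub of a PE file.
SAMPLE_MARKER = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key. Self-inverse: applying the
    same key twice restores the original."""
    return bytes(b ^ key for b in data)


def xnor_bytes(data: bytes, key: int) -> bytes:
    """XNOR every byte with a single-byte key: NOT(b XOR key), masked to
    8 bits. Equivalent to XOR with (key ^ 0xFF), and also self-inverse."""
    return bytes((~(b ^ key)) & 0xFF for b in data)


def naive_signature_match(buf: bytes, marker: bytes = SAMPLE_MARKER) -> bool:
    """A plain substring signature, which any byte-level encoding defeats."""
    return marker in buf


def recover_single_byte_xor(buf: bytes, marker: bytes = SAMPLE_MARKER):
    """Defender-side scan: try all 256 XOR keys and return (key, decoded)
    for the first one that exposes the marker, or None. Because
    XNOR(k) == XOR(k ^ 0xFF), this also recovers XNOR-encoded buffers;
    the key reported is then the equivalent XOR key (k ^ 0xFF)."""
    for key in range(256):
        candidate = xor_bytes(buf, key)
        if marker in candidate:
            return key, candidate
    return None


if __name__ == "__main__":
    plain = b"xx" + SAMPLE_MARKER + b"yy"   # constructed sample buffer
    hidden = xor_bytes(plain, 0x5A)
    print("signature on encoded buffer:", naive_signature_match(hidden))
    print("brute-force recovery:", recover_single_byte_xor(hidden))
    print("XNOR recovery:", recover_single_byte_xor(xnor_bytes(plain, 0x5A)))
```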

Other methods include, but are not limited to:

a) Dynamic Domain Name Services (DDNS) – Malware Sample: W32.Reatle.E@mm
b) Fast-Flux
c) Single-Flux
d) Double-Flux
e) Browser Exploit Packs

Page 11: Info sec 12 v1 2

The Techniques

Bogus and malicious parcel tracking confirmations are a common social engineering technique often used by cybercriminals to trick users into clicking on malicious links or executing malicious attachments found in the spamvertised emails.

Credit to: Dancho Danchev

Page 12: Info sec 12 v1 2

Advanced Threats

Advanced Threats in the guise of APTs (Advanced Persistent Threats) and AETs (Advanced Evasion Techniques) must now be anticipated to pose a very real threat – and, going forward into 2013 (as correctly predicted in 2011), should be expected to grow.

In the case of a crafted AET attack, the attacker manipulates the TCP/IP Stack to evade Perimeter Defences, then goes on to achieve compromise of the target system(s), say by gaining Shell access on the Black side of the Firewall Interface.

From this point forward there will be a jump point on an internal System (or Systems), whose profile and afforded privileges will determine the level of compromise the infiltrating Malware agent may enjoy.

Page 13: Info sec 12 v1 2

Advanced Threats in Action

Here is an example of an Advanced (AET) Evader penetration utilising manipulation of the TCP/IP Stack to penetrate a well-known, fully up-to-date Firewall application, achieving Shell Access to an internal system – from here it is a matter of Outsider Threat manipulation of Insider assets – maybe you have wmic enabled!

Shell

Page 14: Info sec 12 v1 2

Duqu

The Zero-Day type vulnerability in question was found in the Win32k TrueType font-parsing engine; as such, the vulnerability affects various office programs.

Win32.Duqu.a, as well as other malicious programs, exploits the CVE-2011-3402 vulnerability. For example, a specially crafted Microsoft Word document opened on a victim’s machine can be used to elevate privileges and then run arbitrary code.

Remember that Outside Threat! Ephemeris

Page 15: Info sec 12 v1 2

The protection - 1

At an event I chaired recently, I asked the question of an AV Vendor:

‘Has Anti-Virus – Anti-Malware reached the end of Shelf Life?’

Response:

‘I am representing an Anti-Virus Vendor so am unable to comment’

2 CERT Vulnerability Notes were published in the UK and US in November 2012 regarding security vulnerabilities associated with 2 well-known and, up to that point, respected products.

Vulnerability Note VU#662243****** Antivirus contains multiple vulnerabilities

Vulnerability Note VU#985625******* Antivirus products fail to properly handle CAB files

Page 16: Info sec 12 v1 2

The protection - 2

There has also been one AV Vendor whose product has been performing badly, suffering what seem to be continuous issues which required resolution over an extended period – again an opportunity to allow exploitation!

Then there is the matter of Detection Rates going as low as 55.3% in the case of one Big Name Anti-Virus/Malware application, and a Response Time to new finds of, in one case, 8 hours – there are thus significant opportunities for a Zero Day to enter a supposedly protected zone – Trust me, I know from painful experience.

Anti-Virus/Malware Protection is still a MUST HAVE, but it is the approach of utilising c0nvention to defend against the imaginative ‘Unconventional’ threats that is its most critical flaw.


Page 17: Info sec 12 v1 2

Be CSIRT Enabled

Expect the worst to happen, and be prepared:


Page 18: Info sec 12 v1 2

The Future & Survival

1) Move away from the tunnel-vision approach taken by c0nventional Pen Testing – expect your engaged Teams to become unconventional

2) Adopt a Red Team approach with assimilated attacks

3) Employ Situational Awareness focused on your Sectors of Trading

4) Enable established CSIRT Capabilities to respond to events

5) Think out-of-the-box, and if you can’t change the people, then change the people

6) Listen to the next speaker – and keep an open mind

Page 19: Info sec 12 v1 2

Thank You for Listening

School of Science & Technology
