Intelligent Fighting of Greyware

Robert Leong, Director of Product Management, McAfee Labs
Version 4.0

Will You Be In the Storm? Or in Calm Weather?

Date post: 10-Apr-2017

Speaker

Robert Leong, Director of Product Management, McAfee Labs

Agenda

• A History Lesson
• How the World Has Changed
• Pop Quiz!
• How Attacks Have Changed and Why
• Success Criteria in the New World of Greyware
• A New Approach
• Would That Work?
• Summary, Takeaways, and Stuff to Think about…


The Answer is:

Edward Pierce, that’s who!

• He used a combination of:
  • Scams
  • Smuggling
  • Disguises
  • Misdirection
  • Inside men

For over 100 years, it was considered to be…

The “All-Time Perfect Crime”

That Took the Whole World by Surprise

The Biggest Heist the World Had Ever Seen

The Biggest Heist the World Had Ever Seen… Not Any More!

Today: 100 Banks, 30 Different Countries…

USA, Brazil, Canada, Morocco, Spain, Iceland, Great Britain, France, Switzerland, Germany, Norway, Czech Republic, Poland, Bulgaria, Ukraine, Russia, Pakistan, India, Nepal, China, Hong Kong, Taiwan, Australia

Possibly $1,000,000,000.00 Stolen

The biggest financial theft of all time was done exclusively with “greyware”

Data Source: New York Times, 2015

Carbanak Greyware… (Stage: Infection)

• Since late 2013 (it is ongoing!), an unknown group of hackers has reportedly stolen $1,000,000,000.00 from banks across the world, with the majority of the banks being in Russia.
• Hackers send email containing a malware program called “Carbanak” to hundreds of bank employees, hoping to infect a bank’s administrative computer.
• The programs are all ‘Greyware’.

Source: New York Times, 14 February 2015, “Bank Hackers Steal Millions via Malware”

What is “Greyware”?

“It’s all about trust…”

• Greyware is defined as an object on the system for which the level of trust is indeterminate at any given point in time
• This could be due to profile information, behavior or actions of the actor, origin information or any other factors that leave the object in an indeterminate state

Greyware and Screen-Scrapers and Keyboard Loggers, Oh My! (Stage: Harvesting Intelligence)

• Programs installed by the malware record keystrokes and also take screen grabs of the bank’s computers
• Hackers spend weeks and months learning proper bank procedures and personnel
• They also enable the hackers to control the bank’s computers remotely

Guess the Top Cyber-Espionage Target…

Poll: https://www.surveymonkey.com/r/top-threats

Options: Real Estate, Information, Utilities, Professional, Public Transport, Manufacturing, Financial, Education, Medical

“Hi My Name is Bill Gates…” (Stage: Mimicking the Staff)

By mimicking the bank procedures that have been learned, the hackers are able to direct the bank’s computers to steal money in a variety of ways, e.g.:

1. Transferring money into the hackers’ fraudulent bank accounts
2. Using e-payment systems to send money overseas to fraudulent accounts
3. Directing ATMs to dispense money at set times when “mules” are there to collect

It’s Really Cyber-espionage via Malware…

Infection → Harvesting Intelligence → Mimicking the Staff

Why Greyware?

1. No Physical Risk
2. Hard to Detect, Easy to get Through
3. Profitable

Let’s See How You All Did!

Poll results: https://www.surveymonkey.com/analyze/_2BkWdP92bS9ZaCxGZCSv8fGhZhvwcGpOUb7qc9WHLu3Y_3D

Ask the Audience!

Banking and financial services are not even in the top three…

Data Source: 2016 Verizon Data Breach Investigations Report

Cyberespionage 2016

Chart: The top ten cyberespionage targeted industries (Breach Counts) (n=86). Numbers within parentheses are the industry NAICS codes.

Source: Verizon 2016 Data Breach Investigations Report

Cyberespionage 2015

Chart: The top ten cyberespionage targeted industries (percentage splits) (n=460)

Source: Verizon 2015 Data Breach Investigations Report

Cyberespionage

Chart: Variety of data compromised within cyberespionage (%) (n=457)

Source: Verizon 2015 Data Breach Investigations Report

Cyberespionage 2016

Top threat action varieties within cyberespionage (n=154):

Hacking - use of backdoor or C2    88
Malware - C2                       76
Social - Phishing                  68
Malware - Backdoor                 33
Hacking - use of stolen creds      19
Malware - export data              10
Hacking - footprinting              9
Social - pretexting                 7
Misc - privilege abuse              3
Social - bribery                    3

Source: Verizon 2016 Data Breach Investigations Report

Cyberespionage 2015

Vector of malware cyberespionage (%) (n=361):

Email Attachment       39.9
Email Link             37.4
Web Drive-By           16.6
Direct Install          3.6
Download by Malware     2.8
Web Download            2.2
Remote Injection        1.9
Network Propagation     0.3

Source: Verizon 2015 Data Breach Investigations Report

“Dear Sir or Madam…”

• Nearly 50% open e-mails and click on phishing links within the first hour.
• 23% of recipients now open phishing messages and 11% click on attachments.
• 70-90% of malware samples are unique to an organization.

Data Source: Verizon 2015 Data Breach Investigations Report

An Example of the Exponential Growth of “Greyware”

McAfee Labs saw over 4.5 Million new variants of Ransomware, mostly from CTB-Locker and its “affiliate” program that has flooded the market with phishing campaigns.

Key Concepts:

1. Affiliate Program = agreement to use infrastructure to propagate the malware with new payment instructions
2. Obfuscation = Minor changes to content and cryptography to create malware with a new, unknown signature

CTB-Locker = Curve-Tor-Bitcoin-Locker:
• Curve: Elliptic Curve Cryptography
• Tor: C&C servers on the Tor Anonymity Network
• Bitcoin: Ransom is paid in Bitcoin

Source: McAfee Labs, 2016

From One Comes Many…

McAfee Labs researchers estimate that the millions of “Unique Ransomware Samples” consist of Ransomware built from only 12-15 different toolkits.

Source: McAfee Labs 2016

Let’s look at the Carbanak Greyware…

Seventy-four (74) analyzed Carbanak samples: breakdown of behaviors and prevalence:

Number of Samples   Fraction of Samples   Suspicious/Malicious Behavior Category
13                  17.57%                Evasion
60                  81.08%                Execution
69                  93.24%                Packer
70                  94.59%                Network
70                  94.59%                Autostart
70                  94.59%                Stealth
70                  94.59%                File
72                  97.30%                Memory

Source: Lastline Labs, 2015 – analysis of 74 Carbanak malware samples in VirusTotal

“Sub Total”

• Biggest heist of all time was done with malware
• The malware used multiple shades of greyware
• Your industry may in fact be much higher on the “target list” than you thought
• If targeted, it is highly likely they will “get in” to your organization
• Growth of “greyware” is exponential and will likely keep going

Requirements to Succeed…

What can we do about this?

• New endpoint strategy must be able to make things a lot better without starting all over
• Must be able to counter current threats
• Must be able to adapt to new threats
• Must leverage what we already know and have access to

What’s the Endpoint Doing Now?

How can we leverage and extend this?

• Fingerprinting: identify with near certainty that an object is either malicious or clean
• This technique is effective and deterministic by nature
• Technology: hash (signature) scanning, heuristic drivers
• Although very precise, the “greyness” of new attacks provides an opportunity to improve the strategy

Getting high confidence (not total confidence) takes but a fraction of the effort, and is the basis for a new approach.

The Levels of Grey…

Multiple clues… Scale: Definitely Good … Start Here … Definitely Bad. Clues that shift an object along the scale:

• Suspicious Origin
• Packed or Encrypted
• Suspicious URL
• New Application
• Suspicious Email
• Low Age
• Certificate
• Document Type
• Low Prevalence
• High # of Rapid Changes
• Suspicious Email Link

Leveraging Multiple Sources of “Grey”

Extending the endpoint with what we know…

• New Approach:
  • Identify a suspicious characteristic or activity
  • Give the object a reputation and confidence level
• Backend automation produces reputations, but they aren’t leveraged by current technologies, e.g.:
  • URL classification
  • IP classification
• Many new technologies can be combined to “roll-up” into a combined reputation and confidence level

The key is to combine multiple non-deterministic observations.

How to Adapt to Change Needed for “Greyware”

Table Stakes: High performance, market-competitive detection, cloud-enabled, auto-update, telemetry, safety, etc.
Reputation-Aware: Build reputations of all types (Process, URL, File, Certificate, Age, Prevalence) from multiple sources.
Multi-Scanner Support: Employ scanners which help influence reputations.
Isolation and Containment: Protect the platform from malicious activity, depending on suspiciousness.
Auto-Remediation: Restore and unwind activities when they are deemed malicious.
Combine Intelligence: Turn the Endpoint into part of a “Sensor Network”, and integrate detection and response with network and Cloud resources and capabilities.

Fighting Grey with Intelligence

Gathering inputs from multiple intelligent sources. The diagram is built up incrementally across slides 42 to 51; the complete version is:

Generation 1 (Generic Rule):
• AV Engine (heuristic drivers)
• Prevalence, Age

Generation 2:
• Endpoint Info: Environmental Info, Static Profiler, HIPS (exploit monitoring), Behavior Profiler, Disk Filter (storage protection), Memory Scanning
• Enterprise Local Knowledge: ATD, VirusTotal, Enterprise Reputation, Web GW, Email GW, NextGen FW, SIEM
• Global Cloud Intelligence: URL Reputations, File/Cert Reputation, Behavioral Intelligence and Cloud Classification (fed by the Behavior Profiler)

All inputs roll up into a single Reputation, which drives the Block? / Allow? decision.

Source: McAfee Labs 2016

The Future of Endpoint Protection Technologies: Containment and remediation

Flow: Suspicious Process/File Identified → Containment Object → Process/File Determined to be Malicious → Remediation Object; otherwise Allow.

Containment Object: Kernel Rights Restriction, Firewall Rules, Disk Filter, Registry Filter
Remediation Object: Path-based Repair, Generic Repair, OS Restore Point, On-Disk Protection, On-Disk Rollback, Sandboxing Restore

CONTAINMENT minimizes adverse impact. REMEDIATION reverses unwanted changes. Methodology leveraged will depend on observed actions and reputation.

Source: McAfee Labs 2016

Intelligence Fabric Demonstration: What Are We Showing Here?

1. Shows “Behind the Scenes” decision-making on the endpoint
2. Using multiple “Blades” for threat intelligence, protection, detection, remediation to “figure out the right thing to do” when encountering greyware on the Endpoint
3. This is a debug console output that would be hidden from the user but shows how things work when the endpoint encounters “Zero-Day” Ransomware

Robert Leong, Intel Security - McAfee Labs

Demonstration walk-through

Endpoint has multiple “Blades” it can use to perform Greyware security functions… User surfs to ‘Grey’ URL and downloads some Greyware…

Endpoint sees new file download, default reputation = 50 (unknown). Threat Prevention blade can tell age and prevalence is low, file is packed. Therefore, decrease score to 38 (might be malicious).

User decides to run the file, and yes, it’s clearly malicious. We artificially sped up the “demand screen” just to show it.

Endpoint tracks the created process, performs behavioral scanning and high-speed memory scanning (plus containment). RealProtect and Clifton come back with data that file is malicious. System drops score to 1 (definitely malicious!). Note endpoint has option to do remediation if needed.
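The following Python is an added example, not McAfee's code, of the reputation roll-up the "Leveraging Multiple Sources of Grey" slide describes and the demo walks through: several non-deterministic clues (low age, low prevalence, packed) nudge a 0-100 score and accumulate confidence, and a deterministic behavioral verdict then overrides the grey evidence. The weights, thresholds, blade names and action labels are constructed assumptions chosen so that the score follows the demo's 50, then 38, then 1 progression.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class Observation:
    source: str             # the "blade" that reported it (constructed names)
    delta: float            # signed adjustment; negative = more suspicious
    confidence: float       # 0.0 to 1.0, how sure that blade is
    decisive: bool = False  # True for a deterministic verdict, not a clue

@dataclass
class Reputation:
    score: float = 50.0      # 50 = unknown, 0 = definitely bad, 100 = definitely good
    confidence: float = 0.0  # how much evidence backs the score
    trail: List[Tuple[str, float]] = field(default_factory=list)

def roll_up(observations: List[Observation], start: float = 50.0) -> Reputation:
    """Combine several non-deterministic clues into one score and confidence."""
    rep = Reputation(score=start)
    for ob in observations:
        if ob.decisive:
            # A deterministic verdict (e.g. a behavioral match) overrides the
            # accumulated grey evidence instead of merely nudging it.
            rep.score = 1.0 if ob.delta < 0 else 99.0
            rep.confidence = max(rep.confidence, ob.confidence)
        else:
            rep.score = max(0.0, min(100.0, rep.score + ob.delta * ob.confidence))
            # Treat clues as independent: confidence that at least one is right.
            rep.confidence = 1.0 - (1.0 - rep.confidence) * (1.0 - ob.confidence)
        rep.trail.append((ob.source, round(rep.score, 1)))
    return rep

def decide(rep: Reputation) -> str:
    """Map score and confidence to an endpoint action (thresholds constructed)."""
    if rep.score < 10:
        return "block"
    if rep.score < 45:
        return "contain"   # let it run, but under containment rules
    if rep.score > 65 and rep.confidence > 0.5:
        return "allow"
    return "monitor"       # still grey: keep watching

# Constructed walk-through of a packed, never-seen-before download.
STATIC_CLUES = [
    Observation("age_low", -5, 0.8),
    Observation("prevalence_low", -5, 0.8),
    Observation("packed", -5, 0.8),
]
BEHAVIOR_VERDICT = [Observation("behavior_profiler", -50, 0.99, decisive=True)]

def walk_through() -> Tuple[float, str, float, str]:
    """Score and action after static clues, then after the run-time verdict."""
    after_static = roll_up(STATIC_CLUES)
    after_run = roll_up(STATIC_CLUES + BEHAVIOR_VERDICT)
    return (after_static.score, decide(after_static),
            after_run.score, decide(after_run))
```

`walk_through()` returns `(38.0, 'contain', 1.0, 'block')`, and `rep.trail` keeps the per-blade history that the deck's debug console shows.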

Would this work? Check against Carbanak…

Suspicious/Malicious Behavior Category → New Generation Approach:

• Evasion: Behavior, Containment and Remediation Objects would detect and remove. It’s NOT a “Sandbox” or “Virtual Environment”
• Execution: Behavioral Trace would detect abnormal process spawning
• Packer: Post-Execution Scanners and Analysis would “unmask” Packed binaries
• Network: Behavioral Comparison with known malware activities catches it
• Autostart: Memory Scanning and Process Monitoring catches it
• Stealth: Memory Scans and Behavioral Tracing catches it
• File: Comparison with known malicious file activities would catch it
• Memory: Caught by Memory Scanning

Source: McAfee Labs 2016

This Meets All Requirements for Success

Table Stakes AV: Builds on top of the existing protection capabilities.
Reputation-Aware: Leverages Reputations from all sources: Local, Network, Global.
Multi-Scanner Support: Allows “Mix and Match” Multi-Scanner Support.
Isolation and Containment: Enables use of “Let it run, figure out if it’s bad, keep it from doing bad things…”
Auto-Remediation: Put the endpoint back to the previous state without the user needing to do anything special.
Combine Intelligence: Turn the Endpoint into part of a “Sensor Network”, and integrate detection and response with network and Cloud resources and capabilities.

Conclusion

• Situational audit of your own organization
  • Are you in the top-targeted industries?
  • If you were attacked in the ways noted here, would you have a chance to avoid an incident?
  • Does your security posture include “leveraging the grey”?

Questions & Answers

Intel and the Intel and McAfee logos are trademarks of Intel Corporation or McAfee, Inc. in the US and/or other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2016 McAfee, Inc.

