SESSION ID: SPO2-W02
One Step Ahead Of Advanced Attacks and Malware
Jon Paterson, Director, Advanced Technology Group
McAfee, an Intel Company
#RSAC
Advanced malware - what are your concerns? (survey results)
Other: 3%
Detection: 35%
Signal / Noise Detection: 20%
Protection: 22%
Timely Response: 11%
Damage Repair: 9%
Source: McAfee Survey at Black Hat USA 2013

next generation Endpoint: anti-malware core
• intelligent Trust for known Good
• traditional AV techniques for known Bad
• adaptive behavioral Scanning for unknown
• telemetry and False mitigation

conviction flow via Assessor (flow diagram)
assessor -> convict? -> confirmed? -> quarantine / delete; a "no" at either decision ends the flow
supporting path: telemetry -> event store (extracted attributes) -> profiler

“profiler.gen.a” in Action
• unique detections
• at moment of detection: previously detected and classified by McAfee
• proactive (98%)
• Multiple Family classifications: Zbot (24 variants), ZeroAccess (6 variants), FakeAlert (6 variants), WinWebsec, Swisyn, Vundo

Browser DOM specific behavior
• exception handling as anti-emulation technique
• “eval()” reconstructed

Looking to the future?
• malware hidden in HTML design elements
• decryption key placed into HTML5 web storage
• dynamically reconstructing and deobfuscating malware

spear-phishing
“95% of all attacks on enterprise networks are the result of successful spear-phishing.”
SANS Institute via Network World – Mar 2013

Traditional: Delivery time Scanning? (flow diagram)
message -> core AV -> real-time emulation -> sandboxing -> reputation service -> deliver to user’s inbox; each stage passes the message on only when it is clean, otherwise quarantine message
Open Time Scan (flow diagram)
user opens message & clicks on URL -> re-check reputation -> Realtime emulation -> clean: redirect to web page; otherwise: block access to webpage, or unmask URL, warn & show preview

huge interest in Sandbox technologies
• virtual and safe environment
• Runtime analysis = monitors behavior
• computationally expensive, not real time
• sandbox detection / evasion: delayed execution, environment detection, conditional execution

Framework For Scalable Advanced Analysis (diagram)
axis labels: known Good and known Bad, Emulation, Dynamic and Static
stages: blacklist and whitelist; AV; reputation service; Real Time emulation; Full Sample analysis

combining Assembly Code and Dynamic analysis
• what if you had a map of the latent code? logical execution paths
• what can you do with that? percentage of latent code, familial resemblance

Exfiltration and application visibility (diagram)
protocols seen on the wire: HTTP Port 80, SMTP Port 25, FTP Port 20, UDP
applications behind them: Web, Google Hangouts, Box, Oracle Financials, Exchange Mail, Outlook Sync, Backup Service, VoIP/SIP

What can we understand from protocol alone?
normal use: ♦ email ♦ database
email: outlook.exe over IMAP (port 143)
database: oradba.exe over SQL*Net (port 1521)
but also observed: outlook.exe over SQL*Net (port 1521)

advanced Application Visibility (diagram)
applications: Web, Google Hangouts, Box, Oracle Financials, Exchange Mail, Outlook Sync, Backup Service, VoIP/SIP
processes behind them: chrome.exe, iexplorer.exe, BoxSync.exe, OUTLOOK.exe, EMC backup, YouTubeTemplate.exe
findings: • Embedded EXE found • DLL imports found in Executable • Registry Run Entry

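The two slides above make one point: the port alone (1521 = SQL*Net) looks like ordinary database traffic, and only the originating process reveals that outlook.exe has no business there. The following is an added example, not code from the slides or from McAfee, that builds a process-to-port baseline from a constructed "normal use" window of endpoint telemetry and flags later connections that break it; all records, and the process/port pairs, are constructed to match the slides.

```python
from collections import defaultdict

# Constructed "normal use" window of (process, destination port) telemetry
BASELINE_WINDOW = [
    ("outlook.exe", 143),   # email client over IMAP
    ("outlook.exe", 143),
    ("oradba.exe", 1521),   # database tooling over SQL*Net
    ("chrome.exe", 443),
]

# Constructed later observations, including the slide's outlook.exe -> SQL*Net case
OBSERVED = [
    ("outlook.exe", 143),
    ("oradba.exe", 1521),
    ("outlook.exe", 1521),        # mail client talking to the database port
    ("YouTubeTemplate.exe", 80),  # process never seen during the baseline
]

PORT_NAMES = {80: "HTTP", 143: "IMAP", 443: "HTTPS", 1521: "SQL*Net"}


def build_baseline(window):
    """Map each process to the set of destination ports it used while 'normal'."""
    baseline = defaultdict(set)
    for proc, port in window:
        baseline[proc].add(port)
    return dict(baseline)


def find_deviations(baseline, observed):
    """Return (process, port, reason) for each connection outside the baseline.

    Judged by protocol alone every SQL*Net flow below is 'database use';
    the deviation only becomes visible once the process is taken into account.
    """
    findings = []
    for proc, port in observed:
        proto = PORT_NAMES.get(port, f"port {port}")
        if proc not in baseline:
            findings.append((proc, port, f"unknown process using {proto}"))
        elif port not in baseline[proc]:
            findings.append((proc, port, f"{proc} never used {proto} in baseline"))
    return findings


if __name__ == "__main__":
    for finding in find_deviations(build_baseline(BASELINE_WINDOW), OBSERVED):
        print(*finding)
```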
Point-to-point ecosystems cannot scale (diagram of products each connected pairwise to the others)

Threat Intelligence Exchange (diagram)
sources: reputation service, 3rd party feeds, administrator organizational knowledge
connected products: endpoint agent, advanced malware, web gateway, email gateway, NGFW, IPS

Threat Intelligence Exchange
adapt and immunize – from encounter to containment in milliseconds

No silver bullet here…
• We will continue innovation of proactive technologies and connected solutions
• Make sure you are covering the gaps
• Integrate intelligence where possible in your environment
• Look at how you can build out a more connected eco-system; you will not scale to this challenge without it