Anatomy of a Breach: Hydraq

This article explores the Hydraq attack and its implications for enterprises. It provides key facts, defense strategies, and Symantec's defenses against this sophisticated threat.



  1. Anatomy of a Breach: Hydraq

  2. Before we begin… Symantec is the Voice of Reason in security
  • Symantec will not “out” victims of these attacks
  • Symantec will not speculate on the origins of the attack
  • Symantec will not share sensitive details given to us in confidence
  • We will not attempt to overstate/understate the risks to sell product

  3. Should Enterprises Be Concerned with Hydraq?
  • Relatively small number of companies were targeted
  • Symantec GIN shows a small number of infections in the field
  However…
  • Vulnerabilities used in this attack are now in use by others
  • These attacks have resulted in significant theft of key IP
  • This is an urgent protection issue for most enterprises
  • Hydraq is a fresh reminder for companies to:
    • Carefully review current security policies and procedures
    • Assess the infosec risks to their business within this new context

  4. Key Facts About Hydraq
  • Set of attacks against a small number of targeted companies
  • Social engineering used to aid delivery of the payload
  • Vulnerabilities and malware used in combination to breach targets
  • Rapid and synchronized attack plans used on multiple targets
  • News reports suggest the purpose of the attack was to steal IP
  • Recommended approach: defense in depth for this threat
    • Both classic AV and IPS are now necessary mainline defenses
    • HIPS protection on key repositories of IP is highly recommended
    • Email/web gateway filtering of these threats is fundamental to defense
    • Real-time inspection of traffic flow to identify command-and-control
    • Methodical approach to delivering patches/upgrades

  5. How Targeted Attacks Work
  1. INCURSION: Attacker breaks into the network by delivering targeted malware to vulnerable systems and employees
  2. DISCOVERY: Hacker then maps the organization’s defenses from the inside and creates a battle plan
  3. CAPTURE: Accesses data on unprotected systems; installs malware to secretly acquire crucial data
  4. EXFILTRATION: Confidential data sent back to the enemy’s “home base” for exploitation and fraud

  6. Details of Incursion phase used in this attack
  INCURSION: Attacker breaks into the network by delivering targeted malware to vulnerable systems and employees
  Highly Sophisticated Aspects of This Incursion
  • Synchronized Attack Against Multiple Targets
  • Sharp Social Engineering/Targeting of Key Personnel
  • Damaging Choices of Vulnerabilities
  • Rapid Threat Evolution
  • Diverse Means of Delivery
    • Email/webmail to targets containing poisoned links
    • Email with PDF attachments containing malware
    • IM messages containing poisoned links
  [Chart: threat timeline (Created → Vendors Begin Adding Signatures → Protection Widely Deployed) comparing this attack with the normal exploitation pattern of cybercriminals]

  7. Symantec Defenses Against Incursion
  INCURSION: Attacker breaks into the network by delivering targeted malware to vulnerable systems and employees
  • SEP 11 – Up-to-date signatures against the IE 0-day exploit via IPS and protection against Hydraq via AV. The IPS of SEP 11 is crucial here
  • Symantec Web and Brightmail Gateway – Potentially infected files are scanned for infection and blocked accordingly
  • MessageLabs – SaaS email infrastructure implements disinfection and novel defenses against PDF/XLS-borne attacks
  • Symantec Managed Services
    • DeepSight Early Warning – Actionable intelligence on the changing nature of the threat landscape
    • Symantec Managed Security Services – Deep bench of analysts watching for incursion throughout your infrastructure

  8. Relevant Incursion Defenses via SEP
  • Symantec released/updated AV signatures associated with this attack
    • Trojan.Pidief.G - July 2, 2009
    • Trojan Horse - July 13, 2009
    • Bloodhound.Exploit.266 - August 2, 2009
    • Trojan Horse - July 13, 2009
    • Trojan.Hydraq - January 11, 2010
    • Trojan.Hydraq!gen1 - January 14, 2010
  • Symantec released/updated IPS signatures associated with this attack
    • Blocks IE zero-day exploit: HTTP MSIE Memory Corruption Code Exec (23599) – January 16, 2010
    • Blocks Adobe Acrobat, Reader and Flash vulnerability: HTTP Acrobat PDF Suspicious File Download 4 - July 17, 2009
  These vital defenses are part of the IPS functionality of SEP 11 and beyond

  9. Details About Discovery in this Attack
  DISCOVERY: Hacker team maps the organization’s defenses from the inside and creates a battle plan
  Notable facts about Discovery in this Case
  • Discovery searched for Intellectual Property
  • Command-and-control signals from infected machines kept the perpetrators informed of their efforts to further infiltrate the network
  • Pace of Discovery and later phases was extremely rapid compared to other breaches
    • Example: Heartland/TJX/Hannaford took many months from Incursion through full Exfiltration
    • These attacks (from incursion to ultimate theft of data) happened in days

  10. Defenses Against Discovery phase of this attack
  DISCOVERY: Hacker team maps the organization’s defenses from the inside and creates a battle plan
  • SEP – Universal deployment of SEP will slow down the infection and further compromise of hosts on the path towards eventual theft of intellectual property
  • Security Information Manager – Highly effective means to find correlations of network activity indicating probes/attacks into internal systems
  • Data Loss Prevention – DLP is highly effective at cleaning up “data spills” left in place by well-meaning insiders, which are frequently a target of hackers
  • Managed Security Services Offerings:
    • DeepSight Early Warning
    • Symantec Managed Security Services

  11. Details about Capture phase of this attack
  CAPTURE: Accesses data on unprotected systems; installs malware to secretly acquire crucial data
  Notable facts about Capture in this Case
  • Targeted personnel chosen for access to key forms of intellectual property
  • Systems housing essential intellectual property appear to have been attacked
    • Exchange Servers
    • Document Management Systems
    • Source code repositories
  • Related breaches to this case seem to also target data spills left in place by well-meaning insiders

  12. Defenses against the Capture phase of this attack
  CAPTURE: Accesses data on unprotected systems; installs malware to secretly acquire crucial data
  • Critical System Protection – This HIPS system is extraordinarily powerful in defending against attacks on key repositories of Intellectual Property. Victims of this attack have opted for CSP protection of their key systems.
  • SEP – Universal deployment of SEP will further impede the compromise of hosts housing intellectual property
  • Data Loss Prevention – Data exposure events remediated by DLP will make the capture phase of this attack difficult or impossible.

  13. Details about Exfiltration phase of this attack
  EXFILTRATION: Confidential data sent back to the enemy’s “home base” for exploitation and fraud
  Notable facts about Exfiltration in this case
  • Port 443 used as a primary channel for upload of stolen data
  • Connections were established that resembled an SSL key exchange dialogue, but did not result in a fully negotiated SSL channel.
  • Private ciphers used to encrypt content
  • This form of Exfiltration is another sign of rising sophistication

  14. Defenses against the Exfiltration phase of this attack
  EXFILTRATION: Confidential data sent back to the enemy’s “home base” for exploitation and fraud
  • Security Information Manager – Watches firewall and IDS logs for any transmission to known sites where data is uploaded for the purposes of theft
  • DeepSight Early Warning – Provides actionable intelligence on which protocols/ports are in use for exfiltration operations
  • Symantec Managed Security Services – Trained analysts carefully examine logs and system status to watch for suspicious-looking attempts at exfiltration
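The exfiltration traits on slide 13 (port 443, connections that start like an SSL handshake but never negotiate a channel, upload-heavy) together with the log-watching defense on slide 14, turned into detection logic over flow records. This is an added example, not code from the presentation or any Symantec product; the record format, the field names (loosely modelled on Zeek conn/ssl fields) and the 1 MiB upload threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic), loosely modelled on Zeek
# conn/ssl fields. Columns: uid src dst dport orig_bytes resp_bytes est, where
# est is T (TLS negotiated), F (handshake started, never completed) or - (no TLS).
SAMPLE_FLOWS = """\
C1 10.0.0.5 203.0.113.10 443 1824 9120 T
C2 10.0.0.7 198.51.100.20 443 5242880 1410 F
C3 10.0.0.7 198.51.100.20 443 4194304 980 F
C4 10.0.0.9 203.0.113.10 443 2048 7000 T
C5 10.0.0.5 192.0.2.33 80 900 3000 -
C6 10.0.0.7 203.0.113.10 443 700 0 F
"""

UPLOAD_THRESHOLD = 1 << 20  # assumed: 1 MiB sent by the client; tune per site

def parse_flows(text):
    """Parse whitespace-separated records into dicts, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        uid, src, dst, dport, ob, rb, est = line.split()
        flows.append({"uid": uid, "src": src, "dst": dst, "dport": int(dport),
                      "orig_bytes": int(ob), "resp_bytes": int(rb), "est": est})
    return flows

def suspicious_443_flows(flows, threshold=UPLOAD_THRESHOLD):
    """uids of port-443 flows that never negotiated TLS yet carried a large upload."""
    hits = []
    for f in flows:
        if f["dport"] != 443 or f["est"] == "T":
            continue  # not 443, or a genuinely negotiated channel
        # Exfiltration is upload-heavy: far more client bytes than server bytes.
        if f["orig_bytes"] >= threshold and f["orig_bytes"] > f["resp_bytes"]:
            hits.append(f["uid"])
    return hits

def upload_by_peer(flows, uids):
    """Total flagged upload volume per (src, dst) pair, to surface repeat offenders."""
    wanted, totals = set(uids), defaultdict(int)
    for f in flows:
        if f["uid"] in wanted:
            totals[(f["src"], f["dst"])] += f["orig_bytes"]
    return dict(totals)

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print(upload_by_peer(flows, suspicious_443_flows(flows)))
```

A completed handshake (C1, C4) or a small failed one (C6) is not flagged; only the repeated large uploads from 10.0.0.7 with no negotiated session surface, which is the pattern a SIM rule over conn/ssl logs would escalate.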

  15. Summary
  • Symantec customers are protected from the Hydraq attack
  • The IE vulnerability still represents a significant threat
  • We advise you to, at the very minimum:
    • Patch IE
    • Use the SEP 11 IPS feature
  • Symantec advises further defense in depth measures

  16. More Information on Hydraq
  Symantec security analysts blog their findings on Hydraq here: http://www.symantec.com/business/security_response/weblog
  • A special micro-site has been set up to help educate customers

  17. Supplemental Slides

  18. DeepSight Early Warning Services: Hydraq Notification Timeline
  (Three-column slide: Analyst Journal / Timeline / Threat Alert. Entries are listed below in the order they appear on the slide.)
  • Initial Alert: CVE-2010-0249 Internet Explorer Remote Code Execution Attack
  • Jan. 14
  • New Microsoft IE Vulnerability / Trojan Hydraq
  • Threat Alert: CVE-2010-0249 – IE Remote Code Execution Attack
  • BID 37815: IE CVE-2010-0249 Remote Code Execution Vulnerability
  • Blog: Hydraq - An Attack of Mythical Proportions
  • Microsoft Security Advisory (979352)
  • Jan. 15
  • Update Alert
  • Metasploit released exploit
  • Jan. 16
  • Further developments - Microsoft IE vulnerability, Trojan Hydraq
  • Further Insight into Security Advisory 979352 and Threat Landscape
  • Microsoft Security Advisory (979352)
  • Threat Alert: CVE-2010-0249 – IE Remote Code Execution Attack
  • BID 37815: IE CVE-2010-0249 Remote Code Execution Vulnerability
  • Trojan.Hydraq Exposed / Trojan.Hydraq – Part II
  • IP address associated with Hydraq
  • Jan. 18
  • Jan. 19
  • Update Alert
  • Microsoft to release out-of-band patch
  • Trojan.Hydraq analysis released
  • Unpatched local privilege-escalation issue in Microsoft Windows disclosed
  • Microsoft releases advance notification out-of-band security advisory
  • Microsoft IE vulnerability and Data Execution Prevention (DEP)
  • Microsoft to release out-of-band emergency update
  • Update Alert
  • Microsoft advance notification / update Security Advisory 979352
  • Jan. 20

  19. Enterprise Security Practice Services: Guard Against Future Exposure and Risk

  20. Managed Security Services: Hydraq Response
  Security Response
  • DeepSight Hydraq Alert received
  • Update MSS detection capabilities – targeted Trojan.Hydraq and exploits against IE vulnerability
  MSS SOC
  • Emerging threat notification delivered to MSS customers
  • Real-time monitoring and correlation of customer IDS, IPS, firewalls, web proxies, system logs, and endpoint protection - including identification of unpatched IE vulnerabilities, malicious behavior, anomalous traffic
  • Direction provided to customers to mitigate IE vulnerability; prevent further infection, exploits
  • Trending and reporting to show security posture over time
  • Continue to evolve detection capabilities as threat evolves

  21. Symantec Protection Suite
  • The Hydraq attacks were targeted at the core security infrastructure of organizations. Multiple layers of defense bolster an organization's ability to defend against such attacks. SPS users have a robust defense at the gateway with Brightmail for email security, along with Web Gateway for Web security, ensuring organizations can monitor all incoming and outgoing mail and web traffic – constantly stopping threats. Finally, Protection Suite ensures endpoints are clean with its market-leading Endpoint Security product.

  22. Symantec Security Information Manager
  • SIM can effectively collect and prioritize malware activity events as they occur across the layered security solutions needed to confront this broad variety of attack vectors. Early detection of single exploited attack vectors may provide preemptive visibility into attacks before they can fully execute. SIM is already updated with a deep knowledge of what channels of communication are used by Hydraq.

  23. DeepSight Early Warning Services
  • Symantec DeepSight Early Warning Services provides actionable intelligence covering the complete threat lifecycle, from initial vulnerability to active attack. DeepSight Analysts continue to provide updates on this evolving threat as new information becomes available. DeepSight subscribers benefit from personalized notifications and expert analysis (including patches, countermeasures and workarounds) to better protect critical information assets against a potential attack.

  24. Symantec Managed Security Services
  • Symantec Managed Security Services monitors more than 800 customers (including 92 of the Fortune 500). In response to this threat, Symantec MSS updated our detection capabilities for both the targeted Trojan.Hydraq and exploits against the recent IE vulnerability. This monitoring includes customers’ firewalls, intrusion detection sensors, web proxies and system logs. Our SOC Analysts are available to work with customers to take proactive steps to mitigate the IE vulnerability within their enterprise as needed.

  25. Symantec Critical Systems Protection
  • The focus of these attacks was to steal intellectual property. Symantec Critical Systems Protection plays a significant role in defending this data by placing constraints around which users and applications have access to sensitive data. Any unauthorized user or application would have been denied access to the data, and the attempt itself would have generated an alert. Also, Symantec Critical Systems Protection provides out-of-the-box protection against both known and unknown remote code execution attempts.

  26. Altiris Total Management Suite
  • With this attack, Total Management Suite customers benefit from the ability to gain complete visibility into their IT environment. Users run accurate asset inventory reports to react quickly to threats and vulnerabilities and take the necessary steps to remediate. Total Management Suite quickly finds the necessary software updates and/or patches and then runs automated processes across all assets – such as upgrading to IE 8 in this case. It also generates reports to confirm successful updates or migrations and updates asset inventory reports to prepare for ongoing management.

  27. Symantec Hosted Services
  • Trojan.Hydraq spans multiple communication protocols and can evade signature-based detection. Symantec Hosted Services help protect against converged threats that span email, web, and instant messaging. Our proprietary heuristic technology for malware and spam filtering captures and shares threat intelligence across these protocols and identifies previously unseen threats. All of this is managed via a single, integrated security management console that simplifies administration while increasing visibility and control.

  28. Symantec Data Loss Prevention
  • Network Discover finds repositories of confidential data left exposed by well-meaning insiders. Internal data spills are a frequent target of hackers in attacks such as this one, and Symantec DLP can be a powerful way to clean these up.
