Stopping Blended Threats: Securing Data, Applications and Information in the Age of Web 2.0
Introductions Tim Roddy Senior Director, Product Marketing McAfee Tim_roddy@mcafee.com
Agenda • Overview of Security Challenges Then and Now • Business Value of Web 2.0 • Blended Threat Overview • How to Stop Blended Threats • McAfee’s Comprehensive Technologies & Solutions • Discussion
Threat Growth by Type (chart: Malware Growth, main variations): threats per year from 1997 to 2008 for Virus and Bots, PUP and Trojan, on a scale from 0 to 2,000,000; annotation: 3,900% increase since 2006. Source: McAfee Avert Labs
Business Value of Web 2.0 • New Marketing Channels • Employee Life/Work Balance • Collaboration Tools • Find Employees
Forrester’s survey (pie chart with segments of 40%, 14%, 14%, 12%, 12% and 9%; segment labels not recovered) • Online survey of IT decision-makers • Firms with 500 or more internet users • 253 respondents
“If access to social networking sites, such as MySpace and Facebook, is blocked, how would this impact your organization?” Base: 253 global IT decision makers. Source: A commissioned study by Forrester Research on behalf of Secure Computing
Data leak tops the list of web security concerns (chart: Data Leak Considerations). Base: 253 global IT decision makers. Source: A commissioned study by Forrester Research on behalf of Secure Computing
Agenda • Overview of Security Challenges Then and Now • The Growing Value of Web 2.0 Applications • Blended Threat Overview • How to Stop Blended Threats • McAfee’s Comprehensive Technologies & Solutions • Discussion
Typical Blended Threats? Attackers want end users to click on a web link (a URL) or execute a binary: • Email with Links or attachments • Malware infected Websites and ads • Links in Blogs, Wikis and social networking sites • Instant Messaging and Twitter
Social Engineering
“Whaling” & “spear phishing” attacks on the increase
• Targeted attacks at senior executives
• Email addresses accurate
• Small numbers of mails sent
• Many government and financial organisations targeted in US and EMEA
• Attack vectors: documents with embedded malware; URL links to malware
• Data stolen: keystrokes, screenshots, PGP keys, passwords
Combined attack - Storm • This Storm campaign tempts the user to click on a link (‘FBI wants instant access to Facebook’); users are then tempted to download ‘fbi_facebook.exe’ • In addition, the malicious Web site serves up a host of browser exploits. Lure text shown on the page: “Your download will start shortly. If you are unable to read the article, save it and run it on your computer.”
Types of Attack • Malicious Ads: requires user to click on executable • Transparent (Drive-By) Attacks: malvertising; script insertion via SQL injection; remote access toolkit (RAT) exploitation of Web 2.0 applications
And on that note… • 214 of 2,157 pages delivering malware • 721 script exploits and 4 trojans • Source: http://blogs.zdnet.com/security/?p=1902, Sept 15, 2008
What is Operation Aurora? • A coordinated attack targeting a rapidly growing list of companies, including Google, Adobe, Juniper, and others • Exploits a zero-day vulnerability in Microsoft IE • Lures users to malicious websites, installs Trojan malware on systems, uses Trojan to gain remote access • Uses remote access to gain entry to corporate systems, steal intellectual property (including source code), and penetrate user accounts • McAfee provided multiple zero-day protections
Steps of the Cyber Attack
1. Attack initiated. User with IE vulnerability visits website infected with Operation Aurora malware.
2. Attack in progress. Website exploits vulnerability; malware (disguised as JPG) downloaded to user system.
3. Attack setup complete. Malware installed on user system; malware opens back door (using custom protocol acting like SSL) that gives access to sensitive data.
Zero-day products (callouts on the diagram): Web Gateway, Network Threat Response; Firewall, Web Gateway, Application Control, Network Data Loss Prevention
Social Engineering • Video links resulting in a requirement to download fake Flash Player updates • TrustedSource Reputation (screenshot of the link’s reputation lookup), annotated: Not youtube!
Twitter
• 900 percent growth in users last year
• Beginning to see use as new promotion and marketing tool
• Security Risks
  • Malicious links: tweets have a 141 character limit, so URLs are shortened to TinyURL; users can’t tell where a URL goes when they mouse over it; exploits “trust” (“message is from my friend”)
  • Now being used for phishing: tweets with a TinyURL to visit certain blogs; bogus URL leads to a login page to steal login credentials
  • Twitter site hacked in early January: one individual compromised the system; hacked Britney Spears, CNN’s Rick Sanchez and Barack Obama’s Twitter sites; 33 accounts hacked
Koobface uses Twitter to Attack • MacWorld, July 10, 2009 • Koobface replicates by checking to see if user of infected PC is logged into Twitter or other social networking app • Posts fraudulent messages with tiny URL link • Link leads to malicious web site • Web site link is to “video” • Trick user into Flash Video Upgrade
Four Characteristics of a Blended Threat. A blended threat typically includes:
1. More than one means of propagation -- for example, distributing a hybrid virus/worm via email that will self-replicate and infect a Web server, so that contagion will spread through all visitors to a particular site;
2. Exploitation of vulnerabilities, which may be preexisting or even caused by malware distributed as part of the attack;
3. The intent to cause real harm (rather than just causing minor computer problems for victims), for example, by launching a denial of service (DoS) attack against a target, or delivering a Trojan horse that will be activated at some later date;
4. Automation that enables increasing contagion without requiring user actions, such as opening attachments.
Searchsecurity.com definition: http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci961251,00.html
Today’s Threat Lifecycle (infographic) • 133% more malware variations: malicious code threats in 12 months • 68% of top malware infections exposed confidential data • 80% of malware infections are Web application exploits • 4% of vulnerable websites get fixed! • 500% increase in phishing sites! • Attack target: users vs machines • Web 2.0 is the catalyst! Increasing attack success!
Case Study: The Cost of Malware • Mounds View School District • 10,000 students and 1,400 staff • 3,500 computers and 40 servers required rebuilding • 3 hrs per computer to reformat • ~10,500 hours of work • At $30 per hour that is $315K • At $50 per hour that is $525K • Between Feb 10 and Feb 18, 12 staff members working 15 hour days • Source: startribune.com and twincities.com, Feb 19, 2009
“In the past fiscal year, how much did your organization spend on malware cleanup?” Base: 253 global IT decision makers. Source: A commissioned study by Forrester Research on behalf of Secure Computing
What is the norm? • BLOCKING ACCESS is the norm at the Web gateway • URL filtering enforces the “block/allow” rules of the Web Acceptable Use Policy • Authentication controls “block/allow” rights to Web access • Anti-Virus protection (if used) completely “blocks” access to infected sites. Diagram, typical enterprise deployments: Internet traffic passes the firewall and the proxy servers / Web gateway (URL filtering, incomplete active content protection) before reaching end users. Web 1.0 security is based upon “blocking” access.
Creating a culture of “YES”! In the language of security: • Negative Security Models (known bad) can only BLOCK access and CANNOT scale and protect against these new threats: infinity and invisibility cannot be effectively blocked • A new Positive Security (defined good) PARADIGM is the only practical solution that enables Web 2.0 application access • Web 2.0 access can be successfully enabled by: Global Reputation; Local Intent Analysis
Protecting against Blended Threats
• Deploy proactive protection on email
  • Minimize SPAM exposure with 99%+ detection capability
  • Stop zero hour mail threats with reputation based protection
• Deploy proactive protection on web access
  • Deploy reputation based Web filtering
  • Filter incoming web pages, on all web protocols, proactively for malware, including encrypted traffic
  • Apply protection to http, https and ftp traffic
  • Apply reputation based Web filtering and malware protection on IM traffic
• Inspect all outbound email, web and IM traffic for data leakage
  • Define DLP policy
  • Detect possible policy violations
  • Enforce
  • Audit and Report
Physical World - What is Your Reputation? (credit score analogy, diagram). Inputs: number of transactions, timely payments, late payments. Three dimensions of behaviour: Length: I do not pay bills on time (how many tardy payment records do we have?). Width: I short pay my bills. Height: I have been doing this for 20 years! (how long has this behavior been recognized?). The credit agency monitors businesses globally; a credit score is created using the multiple dimensions and dynamically changes over time with improved or worsened behavior (analysis using global intelligence). The credit score dictates the terms and conditions under which companies are willing to transact business (proactive protection: deny/approve loan, terms).
The same model applied to Internet reputation (diagram). Inputs: connection volume, behavior patterns, location. Three dimensions: Length: how long has the domain or site existed? Width: how active is it? Height: is it associated with spam or malware, and how long has this behavior been recognized? The reputation system monitors the global Internet; a reputation score is created using multiple dimensions and dynamically changes over time with improved or worsened behavior (analysis using global intelligence). The reputation score is used to decide whether the email is received or the web page viewed (proactive protection: deny/approve network connections).
Reputation Based Anti-Spam Protection (diagram): layered defence from global to local. Layers: connection protection / IP reputation (global), message reputation, statistical & heuristic protection (local). Cumulative spam blocked rises through the layers (~50%, ~80%, ~90%, ~99.5+%); overall 99.5%+ spam removed.
Web 1.0 URL Filter Overview. Web Filter goals: • Increase employee productivity • Reduce liability • Manage bandwidth • Security to prevent access to malicious sites. Filtering database categories (diagram): Security, Pornography, Hate Sites, Gambling, Shopping, Business, IM.
Reputation-Based Web Filtering: How it Works (diagram). Traditional URL filtering scores one dimension, the category: “ONLINE SHOPPING” (eBay.com, Amazon.com, bobsbikeshop.com) gets action Allow; “PORN” (Playboy.com, Hustler.com, Porn.com, XXX.com) gets action Block. Reputation enhanced URL filtering adds a second dimension of scoring, the trustworthiness of a web site (0% to 100%), against a trustworthy threshold: in the diagram, bobsbikeshop.com and online advertisements fall below the threshold and are blocked even though their category is allowed. Reference: http://www.networkworld.com/news/2008/013008-expedia-rhapsody-malware.html
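As an added illustration (not McAfee’s code) of the two-dimensional decision above, and of the length/width/height reputation dimensions from the credit score analogy: category policy is applied first, then a trust threshold, using a toy reputation score whose weights, threshold, site names and statistics are all constructed for the example.

```python
import math

# Added illustration, not McAfee code: reputation as a second filtering
# dimension next to the URL category. Weights, threshold, site names and
# statistics are all constructed for this example.

CATEGORY_POLICY = {"online shopping": "allow", "business": "allow", "porn": "block"}
TRUST_THRESHOLD = 50   # minimum reputation (0..100) for an allowed category


def reputation_score(age_days, daily_connections, malware_reports, days_since_report):
    """Toy multi-dimension score in 0..100. 'Length' = how long the domain has
    existed, 'width' = how active it is, 'height' = association with malware,
    which decays as the last reported incident ages (halves every 30 days)."""
    score = 40.0
    score += min(30.0, age_days / 30.0)                          # up to +30
    score += min(15.0, 5.0 * math.log10(daily_connections + 1))  # up to +15
    if malware_reports:
        penalty = 25.0 * min(malware_reports, 4)                 # up to -100
        score -= penalty * 0.5 ** (days_since_report / 30.0)
    return max(0, min(100, round(score)))


def filter_decision(category, reputation):
    """Traditional filtering decides on category alone; reputation-enhanced
    filtering also blocks an allowed category when trust is below threshold."""
    if CATEGORY_POLICY.get(category, "block") == "block":    # unknown: default deny
        return "block", f"category '{category}' blocked by acceptable-use policy"
    if reputation < TRUST_THRESHOLD:
        return "block", f"category allowed but reputation {reputation} < {TRUST_THRESHOLD}"
    return "allow", f"category allowed, reputation {reputation} >= {TRUST_THRESHOLD}"


# Constructed records: (site, category, age_days, daily_connections,
# malware_reports, days_since_report)
SAMPLE_SITES = [
    ("amazon.com", "online shopping", 5000, 10_000_000, 0, 0),
    ("bobsbikeshop.com", "online shopping", 60, 50, 2, 5),     # just compromised
    ("bobsbikeshop.com", "online shopping", 240, 50, 2, 185),  # same site, 6 months on
    ("porn.com", "porn", 4000, 1_000_000, 0, 0),
]


def evaluate(sites=SAMPLE_SITES):
    """Map (site, age_days) -> action; age keeps the two bobsbikeshop rows apart."""
    return {(s, age): filter_decision(cat, reputation_score(age, c, r, d))[0]
            for s, cat, age, c, r, d in sites}
```

The two bobsbikeshop.com rows show the dynamic aspect the slides stress: the same shop is blocked right after a malware report and allowed again once the report has aged and no new ones have arrived.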
Anti-Malware Protection for Web 2.0 (diagram). Active code types inspected: Visual Basic for Applications macros in Office documents; JavaScript (in HTML, stand-alone, in PDF); Visual Basic Script; Windows executables & dynamic link libraries; Java applets & applications; ActiveX controls & browser helper objects. Intent Analysis: active code fragments are extracted or blocked, and a security policy maps the classification into an action. Detection techniques: • Buffer overflow exploit detection • Generic Trojan downloader detection • Shell code detection • Several other detection algorithms. Local Intent Analysis engines enforce the conditions set by the site’s reputation, protecting from malicious active scripts and determining intent when a signature cannot exist: “Local Enforcement of Global Reputation.”
Anti-Malware is More Than Anti-Virus. Signature based detection is not enough to cover today’s targeted malware attacks. Anti-Malware = Anti-Virus + Intent Analysis: a unique combination of signature-based Anti-Virus PLUS intent analysis of mobile code.
• Anti-Virus: protects from known malicious code. Signature based Anti-Virus is an important part of anti-malware protection and stops “known threats”; however, it is only a single aspect of the complete solution, and signature based detection is not enough to cover today’s targeted Web 2.0 malware attacks.
• Intent Analysis: protects from unknown malicious mobile code for which no signature exists and prevents OS, browser and application exploits as a result of: • Code authentication – checks for a digital signature on active code • Media Type Filter – verification via “magic byte” analysis, not MIME • Behavioral malware detector – scans for malicious script intent and removes offending function calls • Behavioral exploit detector – inspects code for hostile behavior like buffer overflows, etc.
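An added example (not McAfee’s code) of the Media Type Filter point above: the real type of a download is taken from its leading “magic bytes” rather than the declared Content-Type, which is how an executable served as image/jpeg, like the Aurora malware disguised as a JPG, is caught. Signatures are the well-known file headers; the sample payloads are constructed inline and the “fake JPEG” is only a PE header stub.

```python
# Added example (not from the deck): verify a download's real type from its
# leading "magic bytes" rather than the declared MIME type. Samples are
# constructed inline; the fake JPEG is only a PE header stub, not malware.

MAGIC_SIGNATURES = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
    (b"MZ", "application/x-msdownload"),   # Windows PE executable or DLL
    (b"PK\x03\x04", "application/zip"),    # also docx/xlsx/jar containers
]

ACTIVE_TYPES = {"application/x-msdownload", "application/zip"}


def sniff_media_type(data: bytes) -> str:
    """Return the media type implied by the leading bytes, or 'unknown'."""
    for magic, mtype in MAGIC_SIGNATURES:
        if data.startswith(magic):
            return mtype
    return "unknown"


def media_type_verdict(declared: str, data: bytes) -> tuple:
    """Compare the declared Content-Type with the sniffed type.
    Returns (action, reason): allow on agreement, block on mismatch, and
    hand content with no known signature to the other scanners ('inspect')."""
    declared = declared.split(";")[0].strip().lower()   # drop charset etc.
    actual = sniff_media_type(data)
    if actual == "unknown":
        return "inspect", f"no known signature; declared {declared}"
    if actual == declared:
        return "allow", f"declared and actual agree ({actual})"
    if actual in ACTIVE_TYPES:
        return "block", f"active content ({actual}) disguised as {declared}"
    return "block", f"declared {declared} but content is {actual}"


# Constructed samples: a genuine JPEG/JFIF header and a PE stub, both as if
# served with Content-Type: image/jpeg.
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
FAKE_JPEG = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24

if __name__ == "__main__":
    for name, body in (("real.jpg", REAL_JPEG), ("fake.jpg", FAKE_JPEG)):
        print(name, media_type_verdict("image/jpeg", body))
```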
Enabling Web 2.0 Applications via SSL. The invisible “privacy” tunnel is a wonderful means to deliver malware from “compromised” Web 2.0 applications. What is currently in place to mitigate risks delivered via SSL?
• Block SSL traffic (port 443): prohibitively conservative; impractical as more business applications use SSL
• URL filtering databases to block SSL URLs: new SSL URLs every day; not a 100% solution; does not address the content transferred
• Ignore: live with the risks of unmanaged SSL traffic; deal with malware or content leak when it occurs
• SSL is 30-40% of Web traffic
The Solution to the SSL Blindspot (diagram: Client, McAfee Web Gateway (Webwasher) as HTTPS proxy, Internet, Web server)
1. Client/proxy handshake
2. Proxy/web server handshake
3. Certificate verification
4. Web site sends encrypted content
5. Decrypted content scanned at the proxy
6. Re-encrypted content sent to client
No decrypted content on the wire at any time!