DOCSLIB.ORG

Post-Mid-Term Slides 4 Per Page

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Post-Mid-Term Slides 4 Per Page USC CSci530 Computer Security Systems CSci530: Security Systems Lecture notes Lecture 7&8 - October 7&14, 2016 Fall 2016 – Part II Untrusted Computing and Mailicious Code Dr. Clifford Neuman Dr. Clifford Neuman University of Southern California University of Southern California Information Sciences Institute Information Sciences Institute Copyright © 1995-2013 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Copyright © 1995-2013 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Terminology Terminology Vulnerability – A weakness in a system, program, Trusted – Parts of a system that we depend upon for the procedure, or configuration that could allow an proper enforcement of policies, whether or not the code adversary to violate the intended policies of a system. is free of vulnerabilities (almost all systems have Threat – Tools or knowledge (capabilities) that care vulnerabilities). - as compared with capable of exploiting a vulnerability to violate the Trustworthy – our belief that a system is free of intended policies of a system. vulnerabilities that could result in the violation the Attack – An attempt to exploit a vulnerability to violate the relevant security policies. intended policies of a system. Accreditation – A statement by a third party that a system Compromise or intrusion – The successful actions that or software has been found to be trustworthy with violate the intended polices of a system. respect to a particular set of policies and for a particular operational environment. Copyright © 1995-2013 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Copyright © 1995-2013 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE 1 Incidents and Breaches More Terminology Penetration – A successful attack (intrusion) that exploits Secure – A system is secure if it correctly enforces a a vulnerability in the code base of a system or its correctly stated policy for a system. A system can only configuration. The result will often be to install a be secure with respect to a particular set of policies and subversion. under a set of stated assumptions. There is no system Denial of Service – An attack that prevents authorized that is absolutely secure. access to a resource, by destroying a target or Trusted Computing Base – That part of a system which if overwhelming it with undesired requests. compromised affects the security of the entire system. Subversion - An intentional change to the code base or One often unstated assumption made with respect to a configuration of a system that alters the proper secure system is that the TCB is correctly implemented enforcement of policy. This includes the installation of and has not been compromised. backdoors and other control channels in violation of Attack Surface – The accumulation of all parts of a system the policy relevant to the system. that are exposed to an adversary against which the Subversion vectors – the methods by which subversions adversary can try to find and exploit a vulnerability that are introduced into a system. Often the vectors take will render the system insecure (i.e. violate the security the form of malicious code. policies of the system). Copyright © 1995-2013 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Copyright © 1995-2013 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Categorizing Malicious Code Classes of Malicious Code How propagated The perceived effect • Trojan Horses • Viruses – Embedded in useful program that others will want to run. – Propagation and payload – Covert secondary effect. • Worms • Viruses (an specialization of a Trojan horse) – Propagation and payload – When program started will try to propagate itself. • Spyware • Worms – Reports back to others – Exploits bugs to infect running programs. • Zombies or bots or botnets – Infection is immediate. – Controllable from elsewhere Copyright © 1995-2013 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Copyright © 1995-2013 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE 2 Activities of Malicious Code Defenses to Malicious Code • Modification of data • Detection – Propagation and payload – Virus scanning • Spying – Intrusion Detection – Propagation and payload • Least Privilege • Advertising – Don’t run as root – Reports back to others or uses locally – Separate users ID’s • Propagation • Sandboxing – Controllable from elsewhere – Limit what the program can do • Self Preservation • Backup – Covering their tracks – Keep something stable to recover • Subversion Copyright © 1995-2013 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Copyright © 1995-2013 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Trojan Horses Security Systems CSci530: • A desirable documented effect Lecture 8 - October 14, 2016 – Is why people run a program Untrusted Computing and • A malicious payload Mailicious Code – An “undocumented” activity Dr. Clifford Neuman that might be counter to the University of Southern California interests of the user. Information Sciences Institute • Examples: Some viruses, much spyware. • Issues: how to get user to run program. Copyright © 1995-2013 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Copyright © 1995-2013 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE 3 Trojan Horses Viruses • Software that doesn’t come from a • Resides within another program reputable source may embed trojans. – Propagates itself to infect new • Program with same name as one programs (or new instances) commonly used inserted in search path. • May be an instance of Trojan Horse • Depending on settings, visiting a web – Email requiring manual execution site or reading email may cause program – Infected program becomes trojan to execute. Copyright © 1995-2013 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Copyright © 1995-2013 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Viruses Viruses • Early viruses used boot sector • Some viruses infect program – Instruction for booting system – Same concept, on start program – Modified to start virus then jumps to code for the virus. system. – Virus may propagate to other – Virus writes itself to boot sector programs then jump back to host. of all media. – Virus may deliver payload. – Propagates by shared disks. Copyright © 1995-2013 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Copyright © 1995-2013 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE 4 Viruses can be Spread by Email Viruses Phases • Self propagating programs • Insertion Phase – Use mailbox and address book for likely – How the virus propagates targets. • Execution phase – Mail program to targeted addresses. – Forge sender to trick recipient to open – Virus performs other malicious program. action – Exploit bugs to cause auto execution on • Virus returns to host program remote site. – Trick users into opening attachments. Copyright © 1995-2013 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Copyright © 1995-2013 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Analogy to Real Viruses How Viruses Hide • Self propagating • Encrypted in random key to hide • Requires a host program to replicate. signature. • Similar strategies • Polymorphic viruses changes the – If deadly to start won’t spread code on each infection. very far – it kills the host. • Some viruses cloak themselves by – If infects and propagates before trapping system calls. causing damage, can go unnoticed until it is too late to react. Copyright © 1995-2013 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Copyright © 1995-2013 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE 5 Macro Viruses Worms • Code is interpreted by common • Propagate across systems by exploiting application such as word, excel, vulnerabilities in programs already postscript interpreter, etc. running. – Buffer overruns on network ports • May be virulent across architectures. – Does not require user to “run” the worm, instead it seeks out vulnerable machines. – Often propagates server to server. – Can have very fast spread times. Copyright © 1995-2013 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Copyright © 1995-2013 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Delayed Effect Zombies/Bots • Malicious code may go undetected if • Machines controlled remotely effect is delayed until some external – Infected by virus, worm, or trojan event. – Can be contacted by master – A particular time – May make calls out so control is – Some occurrence possible even through firewall. – An unlikely event used to trigger – Often uses IRC for control. the logic. Copyright © 1995-2013 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Copyright © 1995-2013 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE 6 Spyware Some Spyware Local • Infected machine collect data • Might not ship data, but just uses it – Keystroke monitoring
Load more

Recommended publications
  • Internet Infrastructure Review Vol.15 -Infrastructure Security
    1. Infrastructure Security The Revised Unauthorized Computer Access Law In this volume we examine the revised Unauthorized Computer Access Law, and discuss the DNS Changer malware as well as the Ghost Domain Name issue relating to DNS. Infrastructure Security 1.1 Introduction This report summarizes incidents to which IIJ responded, based on general information obtained by IIJ itself related to the stable operation of the Internet, information from observations of incidents, information acquired through our services, and information obtained from companies and organizations with which IIJ has cooperative relationships. This volume covers the period of time from January 1 to March 31, 2012. Following on from the previous period, with an increase in the number of smartphone users, there have been an increasing number of problems related to the handling of information on the devices and user information. Hacktivism-based attacks such as those by Anonymous also continued to occur, and the number of attacks on companies and government agencies remained at a high level. In Middle-Eastern countries and Israel there were a series of hacking incidents and information leaks, as well as DDoS attacks on websites including critical infrastructure. Regarding vulnerabilities, an issue was discovered and fixed in multiple cache DNS server implementations including BIND. As seen above, the Internet continues to experience many security-related incidents. 1.2 Incident Summary Here, we discuss the IIJ handling and response to incidents Other 19.7% Vulnerabilities 20.6% that occurred between January 1 and March 31, 2012. Figure 1 shows the distribution of incidents handled during this period*1.
    [Show full text]
  • Darpa Starts Sleuthing out Disloyal Troops
    UNCLASSIFIED (U) FBI Tampa Division CI Strategic Partnership Newsletter JANUARY 2012 (U) Administrative Note: This product reflects the views of the FBI- Tampa Division and has not been vetted by FBI Headquarters. (U) Handling notice: Although UNCLASSIFIED, this information is property of the FBI and may be distributed only to members of organizations receiving this bulletin, or to cleared defense contractors. Precautions should be taken to ensure this information is stored and/or destroyed in a manner that precludes unauthorized access. 10 JAN 2012 (U) The FBI Tampa Division Counterintelligence Strategic Partnership Newsletter provides a summary of previously reported US government press releases, publications, and news articles from wire services and news organizations relating to counterintelligence, cyber and terrorism threats. The information in this bulletin represents the views and opinions of the cited sources for each article, and the analyst comment is intended only to highlight items of interest to organizations in Florida. This bulletin is provided solely to inform our Domain partners of news items of interest, and does not represent FBI information. In the JANUARY 2012 Issue: Article Title Page NATIONAL SECURITY THREAT NEWS FROM GOVERNMENT AGENCIES: American Jihadist Terrorism: Combating a Complex Threat p. 2 Authorities Uncover Increasing Number of United States-Based Terror Plots p. 3 Chinese Counterfeit COTS Create Chaos For The DoD p. 4 DHS Releases Cyber Strategy Framework p. 6 COUNTERINTELLIGENCE/ECONOMIC ESPIONAGE THREAT ITEMS FROM THE PRESS: United States Homes In on China Spying p. 6 Opinion: China‟s Spies Are Catching Up p. 8 Canadian Politician‟s Chinese Crush Likely „Sexpionage,‟ Former Spies Say p.
    [Show full text]
  • Munkavállalói Adatok Szivárogtak Az Nvidiatól
    Munkavállalói adatok szivárogtak az Nvidiatól 2015.01.05. 09:58 | Csizmazia Darab István [Rambo] | Szólj hozzá! Címkék: nvidia jelszó incidens security adatszivárgás jelszócsere breach welivesecurity.com A nagy adatlopási ügyek mellett történnek azért rendre "kisebb" horderejű, de azért szintén fontos biztonsági incidensek is, amelyek szintén nem tanulság nélkül valóak. Ezúttal az Nvidia háza táján történt olyan, dolgozói adatokat érintő adatlopás még decemberben, amely miatt a cég jelszóváltoztatásra és óvatosságra figyelmeztette saját munkavállalóit. A Forbes beszámolója szerint a jelszavak azonnali megváltoztatása mellett arra is kiemelten felhívták a figyelmet, hogy fokozott óvatossággal kezeljenek minden kéretlen levélben érkező adathalász próbálkozást. Ilyen esetekben ugyanis a kiszivárgott személyes információk birtokában sokszor testre-szabott, személyes hangvételű banki vagy látszólag munkatársak, barátok nevében érkező, és jelszavainkkal kapcsolatos kéréseket tartalmazó phishing megkeresések is érkezhetnek. A fenti hamis megkeresési trükkök mellett a dolgozóknak érdekes módon általában nehezükre esik elfogadni a valóságos belső fenyegetés veszélyét is, pedig a támadások, adatszivárgások alkalmával számos esetben van valamilyen belső szál is. Emellett emlékezetes lehet, hogy annak idején több mint 20 olyan embert azonosítottak, akik simán megadták az azonosítójukat és a jelszavukat Snowdennek, aki kollégái hozzáférését is felhasználta az adatgyűjtései és kiszivárogtatásai során. Mivel az eset több, mint 500 dolgozót is érinthetett,
    [Show full text]
  • An Analysis of the Nature of Groups Engaged in Cyber Crime
    International Journal of Cyber Criminology Vol 8 Issue 1 January - June 2014 Copyright © 2014 International Journal of Cyber Criminology (IJCC) ISSN: 0974 – 2891 January – June 2014, Vol 8 (1): 1–20. This is an Open Access paper distributed under the terms of the Creative Commons Attribution-Non- Commercial-Share Alike License, which permits unrestricted non-commercial use, distribution, and reproduction in any medium, provided the original work is properly cited. This license does not permit commercial exploitation or the creation of derivative works without specific permission. Organizations and Cyber crime: An Analysis of the Nature of Groups engaged in Cyber Crime Roderic Broadhurst,1 Peter Grabosky,2 Mamoun Alazab3 & Steve Chon4 ANU Cybercrime Observatory, Australian National University, Australia Abstract This paper explores the nature of groups engaged in cyber crime. It briefly outlines the definition and scope of cyber crime, theoretical and empirical challenges in addressing what is known about cyber offenders, and the likely role of organized crime groups. The paper gives examples of known cases that illustrate individual and group behaviour, and motivations of typical offenders, including state actors. Different types of cyber crime and different forms of criminal organization are described drawing on the typology suggested by McGuire (2012). It is apparent that a wide variety of organizational structures are involved in cyber crime. Enterprise or profit-oriented activities, and especially cyber crime committed by state actors, appear to require leadership, structure, and specialisation. By contrast, protest activity tends to be less organized, with weak (if any) chain of command. Keywords: Cybercrime, Organized Crime, Crime Groups; Internet Crime; Cyber Offenders; Online Offenders, State Crime.
    [Show full text]
  • Cisco 2017 Midyear Cybersecurity Report
    Cisco 2017 Midyear Cybersecurity Report 1 Executive Summary Table of Contents Executive Summary ..........................................................03 Vulnerabilities update: Rise in attacks following key disclosures ................................................................ 47 Major Findings ..................................................................05 Don’t let DevOps technologies leave the Introduction ......................................................................07 business exposed ............................................................ 50 Attacker Behavior .............................................................09 Organizations not moving fast enough to patch Exploit kits: Down, but not likely out ................................. 09 known Memcached server vulnerabilities ......................... 54 How defender behavior can shift attackers’ focus ...........11 Malicious hackers head to the cloud to shorten the path to top targets ..................................................... 56 Web attack methods provide evidence of a mature Internet ............................................................. 12 Unmanaged infrastructure and endpoints leave organizations at risk ......................................................... 59 Web block activity around the globe ................................ 13 Security Challenges and Opportunities Spyware really is as bad as it sounds............................... 14 for Defenders ...................................................................61
    [Show full text]
  • (IN)SECURE Magazine Contacts
    It’s February and the perfect time for another issue of (IN)SECURE. This time around we bring you the opinions of some of the most important people in the anti-malware industry, a fresh outlook on social engineering, fraud mitigation, security visualization, insider threat and much more. We’ll be attending InfosecWorld in Orlando, Black Hat in Amsterdam and the RSA Conference in San Francisco. In case you want to show us your products or just grab a drink do get in touch. Expect coverage from these events in the April issue. I’m happy to report that since issue 14 was released we’ve had many new subscribers and that clearly means that we’re headed in the right direction. We’re always on the lookout for new material so if you’d like to present yourself to a large audience drop me an e-mail. Mirko Zorz Chief Editor Visit the magazine website at www.insecuremag.com (IN)SECURE Magazine contacts Feedback and contributions: Mirko Zorz, Chief Editor - [email protected] Marketing: Berislav Kucan, Director of Marketing - [email protected] Distribution (IN)SECURE Magazine can be freely distributed in the form of the original, non modified PDF document. Distribution of modified versions of (IN)SECURE Magazine content is prohibited without the explicit permission from the editor. Copyright HNS Consulting Ltd. 2008. www.insecuremag.com Qualys releases QualysGuard PCI 2.0 Qualys announced the availability of QualysGuard PCI 2.0, the second generation of its On Demand PCI Platform. It dramatically streamlines the PCI compliance process and adds new capabilities for large corporations to facilitate PCI compliance on a global scale.
    [Show full text]
  • Advanced Cyber Security Techniques (PGDCS-08)
    Post-Graduate Diploma in Cyber Security Advanced Cyber Security Techniques (PGDCS-08) Title Advanced Cyber Security Techniques Advisors Mr. R. Thyagarajan, Head, Admn. & Finance and Acting Director, CEMCA Dr. Manas Ranjan Panigrahi, Program Officer (Education), CEMCA Prof. Durgesh Pant, Director-SCS&IT, UOU Editor Mr. Manish Koranga, Senior Consultant, Wipro Technologies, Bangalore Authors Block I> Unit I, Unit II, Unit III & Unit Mr. Ashutosh Bahuguna, Scientist- Indian IV Computer Emergency Response Team (CERT-In), Department of Electronics & IT, Ministry of Communication & IT, Government of India Block II> Unit I, Unit II, Unit III & Unit Mr. Sani Abhilash, Scientist- Indian IV Computer Emergency Response Team Block III> Unit I, Unit II, Unit III & Unit (CERT-In), Department of Electronics & IT, IV Ministry of Communication & IT, Government of India ISBN: 978-93-84813-95-6 Acknowledgement The University acknowledges with thanks the expertise and financial support provided by Commonwealth Educational Media Centre for Asia (CEMCA), New Delhi, for the preparation of this study material. Uttarakhand Open University, 2016 © Uttarakhand Open University, 2016. Advanced Cyber Security Techniques is made available under a Creative Commons Attribution Share-Alike 4.0 Licence (international): http://creativecommons.org/licenses/by-sa/4.0/ It is attributed to the sources marked in the References, Article Sources and Contributors section. Published by: Uttarakhand Open University, Haldwani Expert Panel S. No. Name 1 Dr. Jeetendra Pande, School of Computer Science & IT, Uttarakhand Open University, Haldwani 2 Prof. Ashok Panjwani, Professor, MDI, Gurgoan 3 Group Captain Ashok Katariya, Ministry of Defense, New Delhi 4 Mr. Ashutosh Bahuguna, Scientist-CERT-In, Department of Electronics & Information Technology, Government of India 5 Mr.
    [Show full text]
  • ERT Threat Alert Opisrael2016 Update April 5, 2016
    ERT Threat Alert OpIsrael2016 Update April 5, 2016 Abstract With the stated goal of “erasing Israel from the internet” in protest against claimed crimes against the Palestinian people, Anonymous will launch its yearly operation against Israel. Named OpIsrael, it is a cyber-attack timed for April 7th by an array of hacktivist groups that join forces with the greater Anonymous collective (see Figure 1). For this year’s attack, hackers have provided tools and technical guidance for the execution of OpIsrael. Figure 1: OpIsrael Announcement In past years, Israel has seen moderate attacks launched against its networks and infrastructure. Organizations should take precautions and make sure they are prepared for OpIsrael2016. Since the previous ERT alert outlining OpIsrael, Radware’s Emergency Response Team has identified new hacktivist groups planning to partake in these cyber assaults and new attack vectors/tools that will be used. This alert enhances our initial findings and is updated to provide guidance on how targeted organizations can keep their networks and applications protected from these attacks. Background Ideological, political and religious differences are at the core of this operation. Since 2012, Anonymous has launched a yearly campaign in protest against the Israeli governments conduct in the Israeli- Palestinian conflict. Every year, OpIsrael calls for dozens of different hacktivist groups to “hack, deface, hijack, leak databases, admin takeover and DNS terminate” targets associated with Israel. Well known for its advanced technological capabilities, Israel poses a challenge for hackers. Those that attempt and overcome those challenges win prestige and recognition for their expertise inside their communities. In previous years Israel and Israelis have seen modems hacked, credit card data breached government and personal information posted, Facebook accounts hijacked, websites defaced, emails leaked and a series of network crippling denial of service attacks.
    [Show full text]
  • [Recognising Botnets in Organisations] Barry Weymes Number
    [Recognising Botnets in Organisations] Barry Weymes Number: 662 A thesis submitted to the faculty of Computer Science, Radboud University in partial fulfillment of the requirements for the degree of Master of Science Eric Verheul, Chair Erik Poll Sander Peters (Fox-IT) Department of Computer Science Radboud University August 2012 Copyright © 2012 Barry Weymes Number: 662 All Rights Reserved ABSTRACT [Recognising Botnets in Organisations] Barry WeymesNumber: 662 Department of Computer Science Master of Science Dealing with the raise in botnets is fast becoming one of the major problems in IT. Their adaptable and dangerous nature makes detecting them difficult, if not impossible. In this thesis, we present how botnets function, how they are utilised and most importantly, how to limit their impact. DNS Dynamic Reputations Systems, among others, are an innovative new way to deal with this threat. By indexing individual DNS requests and responses together we can provide a fuller picture of what computer systems on a network are doing and can easily provide information about botnets within the organisation. The expertise and knowledge presented here comes from the IT security firm Fox-IT in Delft, the Netherlands. The author works full time as a security analyst there, and this rich environment of information in the field of IT security provides a deep insight into the current botnet environment. Keywords: [Botnets, Organisations, DNS, Honeypot, IDS] ACKNOWLEDGMENTS • I would like to thank my parents, whom made my time in the Netherlands possible. They paid my tuition, and giving me the privilege to follow my ambition of getting a Masters degree. • My dear friend Dave, always gets a mention in my thesis for asking the questions other dont ask.
    [Show full text]
  • Sonicwall Cyber Threat Report
    2020 SONICWALL CYBER THREAT REPORT sonicwall.com I @sonicwall TABLE OF CONTENTS 3 A NOTE FROM BILL 4 CYBERCRIMINAL INC. 11 2019 GLOBAL CYBERATTACK TRENDS 12 INSIDE THE SONICWALL CAPTURE LABS THREAT NETWORK 13 KEY FINDINGS FROM 2019 13 SECURITY ADVANCES 14 CRIMINAL ADVANCES 15 FASTER IDENTIFICATION OF ‘NEVER-BEFORE-SEEN’ MALWARE 16 TOP 10 CVES EXPLOITED IN 2019 19 ADVANCEMENTS IN DEEP MEMORY INSPECTION 23 MOMENTUM OF PERIMETER-LESS SECURITY 24 PHISHING DOWN FOR THIRD STRAIGHT YEAR 25 CRYPTOJACKING CRUMBLES 27 RANSOMWARE TARGETS STATE, PROVINCIAL & LOCAL GOVERNMENTS 31 FILELESS MALWARE SPIKES IN Q3 32 ENCRYPTED THREATS GROWING CONSISTENTLY 34 IOT ATTACK VOLUME RISING 35 WEB APP ATTACKS DOUBLE IN 2019 37 PREPARING FOR WHAT’S NEXT 38 ABOUT SONICWALL 2 A NOTE FROM BILL The boundaries of your digital empire are In response, SonicWall and our Capture Labs limitless. What was once a finite and threat research team work tirelessly to arm defendable space is now a boundless organizations, enterprises, governments and territory — a vast, sprawling footprint of businesses with actionable threat devices, apps, appliances, servers, intelligence to stay ahead in the global cyber networks, clouds and users. arms race. For the cybercriminals, it’s more lawless And part of that dedication starts now with than ever. Despite the best intentions of the 2020 SonicWall Cyber Threat Report, government agencies, law enforcement and which provides critical threat intelligence to oversight groups, the current cyber threat help you better understand how landscape is more agile than ever before. cybercriminals think — and be fully prepared for what they’ll do next.
    [Show full text]
  • Automatic Detection of Malware-Generated Domains with Recurrent Neural Models
    Automatic Detection of Malware-Generated Domains with Recurrent Neural Models Pierre Lison1, Vasileios Mavroeidis2 1Norwegian Computing Center, Oslo, Norway 2University of Oslo, Oslo, Norway Abstract Modern malware families often rely on domain-generation algorithms (DGAs) to determine rendezvous points to their command-and-control server. Traditional defence strategies (such as blacklisting domains or IP addresses) are inadequate against such techniques due to the large and continuously changing list of domains produced by these algorithms. This paper demonstrates that a machine learning approach based on recurrent neural networks is able to detect domain names generated by DGAs with high precision. The neural models are estimated on a large training set of domains generated by various malwares. Experimental results show that this data-driven approach can detect malware-generated domain names with a F1 score of 0.971. To put it differently, the model can automatically detect 93 % of malware-generated domain names for a false positive rate of 1:100. 1 Introduction Most malware need to find a way to connect compromised machines with a command- and-control (C2) server in order to conduct their operations (such as launching denial- of-service attacks, executing ransomware, stealing user data, etc.). To establish such a communication channel, older families of malware relied on static lists of domains or IP addresses that were hardcoded in the malware code running on the infected hosts. Once a given malware was discovered, it could then be neutralised by blocking the connections to these network addresses to prevent further communications between the infected hosts and the C2 server.
    [Show full text]
  • 2019 Esentire Annual Threat Intelligence Report
    2019 eSentire Annual Threat Intelligence Report: 2019 Perspectives and 2020 Predictions Table of Contents 05 EXECUTIVE SUMMARY 07 INTRODUCTION: CYBERSECURITY AND RISK MANAGEMENT 08 LOOKING AHEAD TO 2020: PREDICTIONS FOR CYBERSECURITY 1 0 NATION STATE ACTIVITY: PATIENCE AND DATA EXFILTRATION 1 0 Attribution Challenges 11 Espionage Reigns Supreme 11 PlugX: Remote Access and Modular Extensibility 13 ORGANIZED CYBERCRIME FOR FINANCIAL GAIN 13 Commodity Malware 16 Changing Tactics within a Dark Trial 20 The Rise of “Hands-on-Keyboard” Ransomware 20 The Major Players 23 PHISHING: ABUSING TRUST 23 Industry Vulnerability 24 Tactical Evolution 24 Cloud-Hosted Phishing 26 Defense Recommendations 27 INITIAL ACCESS: ESTABLISHING A BEACHHEAD 27 Valid Accounts 28 Defense Recommendations 2019 eSENTIRE ANNUAL THREAT INTELLIGENCE REPORT: 2019 PERSPECTIVES AND 2020 PREDICTIONS Table of Contents 28 Business Email Compromise 28 Account Takeover 28 Account Impersonation 29 External Remote Services 30 Defense Recommendations 30 Drive-By Compromise 30 Defense Recommendations 30 Malicious Documents 31 Defense Recommendations 32 GENERAL RECOMMENDATIONS 32 Train Your People and Enforce Best Practices 32 Limit Your Threat Surface 33 Invest in a Modern Endpoint Protection Platform 33 Employ Defense in Depth 2019 eSENTIRE ANNUAL THREAT INTELLIGENCE REPORT: 2019 PERSPECTIVES AND 2020 PREDICTIONS PREFACE eSentire Managed Detection and Response (MDR) is an all-encompassing cybersecurity service that detects and responds to cyberattacks. Using signature, behavioral and anomaly detection capabilities, plus forensic investigation tools and threat intelligence, our Security Operations Center (SOC) analysts hunt, investigate and respond to expected and unexpected cyberthreats in real-time, 24x7x365. This report provides a snapshot of events investigated by the eSentire SOC in 2019.
    [Show full text]