YOUR BABY MONITOR IS ATTACKING THE GOVERNMENT
A perspective on security risks today and a look towards the future
Nick McKerrall | Threat Prevention Team
©2016 Check Point Software Technologies Ltd.
2016 Statistics
• 5.5 million “things” are getting connected to the internet every day
• 75% of the organizations we perform security checkups on have machines infected with bots
• Every 32 minutes – Sensitive data is sent outside the org
• Every 5 seconds – A host accesses a malicious website
• Every 4 minutes – A high risk application is used
September 2016 World Cyber Threat Map
Legend: Green – Low Risk; Beige – Medium; Pink – Higher; Red – Highest; White – Insufficient Data
RED: Bolivia, Angola, Zambia, Botswana, Uganda, Mongolia, Sri Lanka, Vietnam
September 2016 ‘Most Wanted’ Malware
1. Conficker Worm – Botnet
2. Sality – Remote Access and Control
3. Locky – Ransomware (mostly via email)
4. Cutwail – Botnet (Spam/DDoS)
5. Zeus – Banking Trojan
6. Chanitor – Downloader
7. Tinba – Banking Trojan
8. Cryptowall – Ransomware (via exploit kits and phishing)
9. Blackhole – Exploit kit
10. Nivdort (Bayrob) – Multipurpose bot
September 2016 ‘Mobile Most Wanted’ Malware
1. HummingBad – Android Rootkit
2. Triada – Android Backdoor
3. Ztorg – Application Dropper
The threat landscape is changing
• You need to dynamically adjust to new threat sources
• Attacks change geography all the time
• Malware is changing constantly, both in signature/variant and purpose
• We are seeing new levels of sophistication
• Malware is becoming big business
• Our approach to protecting networks needs to change
Infected Machines are worth Money
• Ransomware keeps growing
Infected Machines are worth Money
• It’s getting easier to use them to make money
Infected Machines are worth Money
A business model as old as the internet
DDOS
• 665 Gbps DDoS against Krebs Online – large enough to have his hosting provider drop him as a client
• 1 Tbps DDoS against France-based hosting provider OVH
DDOS
• Attack against DNS provider DynDNS
• Targeted popular sites like: Amazon, Twitter, Netflix, Etsy, GitHub, Spotify, NYT, Wired, Reddit
DDOS
• Want your own botnet? Just get it off of GitHub
Too complicated? DDoS as a Service
Don’t think it’s a threat?
• Ontario Education Quality and Accountability Office (EQAO) confirmed an “intentional, malicious” cyber attack
• Students and educators were unable to access the system
Internet of Things
• Healthcare – Patient monitoring and controls
• Industrial – ICS/SCADA/Critical infrastructure, inventory management, monitoring, safety
• Wearable tech – Fitness, augmented reality, health
• Home Automation – HVAC, Access Control, Security, lighting, convenience
• Municipal – Traffic control, parking enforcement, utilities, lighting, law enforcement, data collection
• Environmental – Pollution monitoring, water, wildlife tracking, advanced warning systems
Internet of Things
• Generally insecure
• Difficult to update/patch
• Can be a target within your environment
• Can be used to target you if compromised
• Needs to be protected through network security and segmentation
Mobile Mythbusters
• Mobile isn’t a big problem – 1 in 5 organizations have had a mobile breach in the last year.
• MDM is enough – MDM helps control devices, but it doesn’t help protect them.
• Secure Containers are safe – Data does not always exist in containers.
Mobile Mythbusters
• iOS is immune – Side-loaded apps, often from MDMs, can be malicious.
• Mobile Antivirus is enough – Anything signature-based will only detect known malware; unknown malware will slip through until it’s been identified.
Mobile Devices
• They are the unpatched, unmanaged, unknown devices in your network
• Every year they gain more access to corporate resources and more access to personal information
• The current iPhone is 120X faster than the first iPhone. It’s a laptop in your pocket.
• The attack surface is growing because nobody is really paying attention
02 “WE ARE STUCK WITH TECHNOLOGY WHEN WHAT WE REALLY WANT IS JUST STUFF THAT WORKS” – Douglas Adams
HOW TO PROTECT BOUNDLESS ENVIRONMENTS?
[Confidential] For designated groups and individuals ©2014 Check Point Software Technologies Ltd.
SOFTWARE-DEFINED PROTECTION
• MANAGEMENT LAYER – Integrates security with business process
• CONTROL LAYER – Delivers real-time protections to the enforcement points
• ENFORCEMENT LAYER – Inspects traffic and enforces protection in well-defined segments
SEGMENTATION METHODOLOGY
• STEP 1 – ATOMIC SEGMENTS: Elements that share the same policy and protection characteristics
• STEP 2 – SEGMENT GROUPING: Grouping of atomic segments to allow modular protection
• STEP 3 – CONSOLIDATION: Of physical and virtual components, as network security gateways or as host-based software
• STEP 4 – TRUSTED CHANNELS: Protect interactions and data flow between segments
SEGMENTING YOUR NETWORK
[Diagram: Atomic segment → Group of Segments → Consolidation]
THREAT INTELLIGENCE
Real-time, collaborative and open intelligence translates into security protections.
Endpoint Protection
• Endpoint is the new perimeter
Endpoint Protection
• AV is not enough, consider the following attack vectors:
Blocking known threats – Antivirus
Detecting infected machines – Bot detection
Blocking known exploits/attacks – HIPS behavior analysis
Digital media rights access – Document protection/DRM
Incident response and analysis – Forensics and behavioral
Application control – Application whitelisting
Removable media and port protection – Media security
Block/control access to web content – Web security
Protect data at rest – Full disk encryption
Blocking unknown threats – Zero day
The technology won’t address the risks unless the risks are fully understood
• Many different risk assessment models can be used. This example uses DREAD:
  – Damage – how bad would an attack be?
  – Reproducibility – how easy is it to reproduce the attack?
  – Exploitability – how much work is it to launch the attack?
  – Affected users – how many people will be impacted?
  – Discoverability – how easy is it to discover the threat?
Threat Modeling – Ransomware
• Hosts might become infected with ransomware and encrypt important documents
  – How much damage could be done to the organization on one or more infected machines?
  – How easy is it to get infected?
  – Is it difficult to launch a ransomware attack?
  – How many of our users are exposed to this kind of attack?
  – How easy is it to figure out if we’ve been infected?
Threat Scoring – Do we need to address this right away?
How to Score: rating per item – 3 = high, 2 = medium, 1 = low
Result (sum of the five ratings): 12-15 = High, 8-11 = Medium, 5-7 = Low
Ransomware Score
Item – Rating
Damage potential – 3: Could knock out entire groups, could set the organization back days/weeks
Reproducibility – 3: Very easy, just run the file
Exploitability – 3: Very easy to launch with RaaS like Cerber
Affected users – 2: Could be 1 user or could be an entire group
Discoverability – 1: Easy to discover, the user will know they’re infected right away
Score: 12 – HIGH. This risk needs to be addressed ASAP
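The scoring on these slides carried through in code, as an added example (it is not from the presentation or from Check Point). The five DREAD categories, the 3/2/1 rating scale, the 12-15 / 8-11 / 5-7 result bands and the ransomware ratings are taken from the slides; the second threat, an unsegmented IoT device, and its ratings are a constructed illustration so that a lower band shows up alongside the HIGH result.

```python
"""DREAD scoring worked through with the slide's ransomware ratings (added example)."""
from dataclasses import dataclass, field

# Rating scale from the "How to Score" slide: 3 = high, 2 = medium, 1 = low.
RATING_LABELS = {3: "high", 2: "medium", 1: "low"}

# The five DREAD categories, with the question the slide attaches to each.
DREAD_QUESTIONS = {
    "damage": "How bad would an attack be?",
    "reproducibility": "How easy is it to reproduce the attack?",
    "exploitability": "How much work is it to launch the attack?",
    "affected_users": "How many people will be impacted?",
    "discoverability": "How easy is it to discover the threat?",
}

# Result bands from the slide. Five ratings of 1..3 always sum to 5..15,
# so the three bands cover every reachable total.
RISK_BANDS = ((12, 15, "High"), (8, 11, "Medium"), (5, 7, "Low"))


@dataclass
class DreadScore:
    threat: str
    # category -> (rating, one-line justification), as laid out on the slide
    ratings: dict = field(default_factory=dict)

    def total(self) -> int:
        return sum(rating for rating, _ in self.ratings.values())

    def band(self) -> str:
        total = self.total()
        for low, high, label in RISK_BANDS:
            if low <= total <= high:
                return label
        raise ValueError(f"total {total} is outside the 5..15 range")

    def report(self) -> str:
        lines = [f"Threat: {self.threat}"]
        for category, (rating, why) in self.ratings.items():
            lines.append(f"  {category:<16} {rating} ({RATING_LABELS[rating]}) - {why}")
        lines.append(f"Score: {self.total()} - {self.band().upper()}")
        return "\n".join(lines)


def score_threat(threat: str, ratings: dict) -> DreadScore:
    """Refuse partial or out-of-scale scorecards: every category must be rated 1, 2 or 3."""
    missing = set(DREAD_QUESTIONS) - set(ratings)
    unknown = set(ratings) - set(DREAD_QUESTIONS)
    if missing or unknown:
        raise ValueError(f"missing={sorted(missing)} unknown={sorted(unknown)}")
    for category, (rating, _) in ratings.items():
        if rating not in RATING_LABELS:
            raise ValueError(f"{category}: rating {rating!r} must be 1, 2 or 3")
    return DreadScore(threat, dict(ratings))


def prioritize(scores: list) -> list:
    """Highest total first, so the 'address right away' items come to the top."""
    return sorted(scores, key=lambda s: s.total(), reverse=True)


# The ransomware ratings as the slide gives them.
RANSOMWARE_RATINGS = {
    "damage": (3, "could knock out entire groups, set the organization back days/weeks"),
    "reproducibility": (3, "very easy, just run the file"),
    "exploitability": (3, "very easy to launch with RaaS"),
    "affected_users": (2, "could be one user or an entire group"),
    "discoverability": (1, "easy to discover, the user knows right away"),
}

# Constructed second threat (not from the slides) so a lower band shows up:
# hypothetical ratings for an unsegmented IoT device on the office network.
IOT_DEVICE_RATINGS = {
    "damage": (2, "a foothold on the internal network if compromised"),
    "reproducibility": (2, "works whenever the device is reachable"),
    "exploitability": (2, "needs a known device flaw plus network access"),
    "affected_users": (1, "one device, and indirectly its segment"),
    "discoverability": (2, "no logs on the device; only visible at the network"),
}

if __name__ == "__main__":
    ranked = prioritize([score_threat("Ransomware", RANSOMWARE_RATINGS),
                         score_threat("Unsegmented IoT device", IOT_DEVICE_RATINGS)])
    for score in ranked:
        print(score.report(), end="\n\n")
```

The validation in score_threat matters more than the arithmetic: a scorecard with a category left blank or rated outside 1..3 silently lands in the wrong band, so it is rejected rather than summed.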
So what are we doing with our customers?
• Leverage the Cloud for threat intelligence and compute power. There are a lot of threat resources out there; try to consolidate them so they can be easily consumed by your prevention tools
• Zero Trust – Files must prove themselves safe before they are allowed. Using technology like document scrubbing or threat extraction can make sure users are always accessing clean documents
So what are we doing with our customers?
• Proactive blocking of malicious outbound traffic – If there are bots on your network they can’t just be logged; the C&C must be cut off so they can’t attack anyone else.
• Micro-segmentation with protection and inspection in-between segments. Don’t just rely on VLANs; you need to assume threats can come from anywhere
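The two points from the previous slide, consolidating threat resources so prevention tools can consume them and cutting off C&C rather than just logging it, as one added example (not code from the presentation or from any Check Point product). Both feeds, their indicators (documentation IP ranges and .example names) and the outbound connection log are constructed for illustration; the key=value log format and the 50% confidence threshold are assumptions.

```python
"""Consolidate threat-intelligence feeds, then use them to block outbound C&C traffic (added example)."""
import csv
import io
import re
from collections import defaultdict

# Two constructed feeds in two different formats. The indicators are fake
# (documentation IP ranges and .example names), chosen only for illustration.
FEED_PLAINTEXT = """\
# feed-a: one indicator per line, '#' starts a comment
cnc.beacon-host.example
203.0.113.45
"""

FEED_CSV = """\
indicator,type,confidence
203.0.113.45,ip,90
update.bad-cdn.example,domain,75
198.51.100.7,ip,40
"""

# Constructed outbound connection log, firewall-style key=value fields.
OUTBOUND_LOG = """\
2016-09-28T10:15:02 src=10.1.4.22 dst=203.0.113.45 dport=443 domain=cnc.beacon-host.example
2016-09-28T10:15:07 src=10.1.4.22 dst=203.0.113.45 dport=443 domain=cnc.beacon-host.example
2016-09-28T10:16:11 src=10.1.9.3 dst=192.0.2.80 dport=443 domain=www.example.com
2016-09-28T10:17:40 src=10.2.0.15 dst=198.51.100.7 dport=8080
2016-09-28T10:18:02 src=10.1.9.3 dst=192.0.2.10 dport=80 domain=update.bad-cdn.example
"""

MIN_CONFIDENCE = 50  # assumed threshold: lower-confidence indicators are kept but not enforced
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
KEY_VALUE = re.compile(r"(\w+)=(\S+)")


def classify(value: str) -> str:
    return "ip" if IPV4.fullmatch(value) else "domain"


def load_plaintext(text: str, source: str) -> dict:
    """Plain list feed: no confidence column, so every entry is taken at full confidence."""
    indicators = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            indicators[line.lower()] = {"type": classify(line), "confidence": 100, "sources": {source}}
    return indicators


def load_csv(text: str, source: str) -> dict:
    indicators = {}
    for row in csv.DictReader(io.StringIO(text)):
        indicators[row["indicator"].lower()] = {
            "type": row["type"], "confidence": int(row["confidence"]), "sources": {source}}
    return indicators


def consolidate(*feeds: dict) -> dict:
    """One lookup table for the prevention tools: an indicator listed by several
    feeds keeps its highest confidence and remembers every source that reported it."""
    merged = {}
    for feed in feeds:
        for value, entry in feed.items():
            if value in merged:
                merged[value]["confidence"] = max(merged[value]["confidence"], entry["confidence"])
                merged[value]["sources"] |= entry["sources"]
            else:
                merged[value] = {"type": entry["type"], "confidence": entry["confidence"],
                                 "sources": set(entry["sources"])}
    return merged


def parse_log_line(line: str) -> dict:
    fields = dict(KEY_VALUE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def evaluate(fields: dict, indicators: dict) -> tuple:
    """('block', indicator) if the requested name or destination IP is a confident hit,
    else ('allow', None). Both are checked because a bot may resolve its C&C by
    name or connect to a hard-coded address."""
    for candidate in (fields.get("domain"), fields.get("dst")):
        hit = indicators.get(candidate.lower()) if candidate else None
        if hit and hit["confidence"] >= MIN_CONFIDENCE:
            return "block", candidate.lower()
    return "allow", None


def triage(log_text: str, indicators: dict) -> tuple:
    """Return (decisions, infected): one decision per log line, plus the internal hosts
    that reached a C&C indicator and therefore need containment, not just a log entry."""
    decisions, infected = [], defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        action, ioc = evaluate(fields, indicators)
        decisions.append((fields["timestamp"], fields["src"], action, ioc))
        if action == "block":
            infected[fields["src"]].add(ioc)
    return decisions, dict(infected)


if __name__ == "__main__":
    iocs = consolidate(load_plaintext(FEED_PLAINTEXT, "feed-a"), load_csv(FEED_CSV, "feed-b"))
    decisions, infected = triage(OUTBOUND_LOG, iocs)
    for decision in decisions:
        print(*decision)
    print("hosts to isolate:", infected)
```

The infected map is the output that matters for the slide's point: the two internal hosts it lists have already talked to a C&C indicator, so the block decision on their next connection is the containment step, and the log line is only the evidence.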
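The four-step segmentation methodology (atomic segments, segment grouping, consolidation, trusted channels) and the micro-segmentation point above, modelled as a default-deny policy check. This is an added example and not the presentation's or Check Point's code; the segment names, address ranges, trusted channels and sample flows are a constructed topology, and the "gateway"/"host" enforcement labels are an assumption standing in for the slide's gateway-or-host-based consolidation choice.

```python
"""Segmentation policy evaluator following the four-step method (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AtomicSegment:
    """Step 1: elements that share the same policy and protection needs."""
    name: str
    network: ipaddress.IPv4Network
    group: str  # Step 2: the segment group this atomic segment belongs to


@dataclass(frozen=True)
class TrustedChannel:
    """Step 4: an explicitly permitted flow between segments, with the protection
    it passes through and (Step 3) where that protection is consolidated."""
    src: str          # source atomic segment or group name
    dst: str          # destination atomic segment or group name
    dport: int
    inspection: str   # e.g. "ips" or "threat-extraction"
    enforced_by: str  # "gateway" (network security gateway) or "host" (host-based software)


# Constructed topology, not from the slides: users, two kinds of IoT, two server segments.
SEGMENTS = (
    AtomicSegment("user-workstations", ipaddress.ip_network("10.1.0.0/16"), "users"),
    AtomicSegment("iot-cameras", ipaddress.ip_network("10.50.1.0/24"), "iot"),
    AtomicSegment("patient-monitors", ipaddress.ip_network("10.50.2.0/24"), "iot"),
    AtomicSegment("file-servers", ipaddress.ip_network("10.100.1.0/24"), "servers"),
    AtomicSegment("video-recorder", ipaddress.ip_network("10.100.2.0/24"), "servers"),
)

# The only cross-segment flows the business needs; everything else is denied.
CHANNELS = (
    TrustedChannel("users", "file-servers", 445, "ips", "gateway"),
    TrustedChannel("iot-cameras", "video-recorder", 554, "ips", "gateway"),
)


def locate(ip: str):
    """Map an address to its atomic segment, or None if it is in no known segment."""
    addr = ipaddress.ip_address(ip)
    for segment in SEGMENTS:
        if addr in segment.network:
            return segment
    return None


def decide(src_ip: str, dst_ip: str, dport: int, channels=CHANNELS) -> tuple:
    """Return (action, reason). Traffic inside one atomic segment is allowed; any flow
    that crosses a segment boundary must match a trusted channel, including flows
    between two segments of the same group (which a VLAN-only design would permit)."""
    src, dst = locate(src_ip), locate(dst_ip)
    if src is None or dst is None:
        return "deny", "address is not in any known segment"
    if src == dst:
        return "allow", f"intra-segment traffic within {src.name}"
    for ch in channels:
        if ch.src in (src.name, src.group) and ch.dst in (dst.name, dst.group) and ch.dport == dport:
            return "allow", f"trusted channel {ch.src}->{ch.dst}:{dport} ({ch.inspection} at {ch.enforced_by})"
    return "deny", f"no trusted channel from {src.name} to {dst.name} on port {dport}"


def audit(flows) -> list:
    """Evaluate a batch of (src, dst, dport) flows, e.g. taken from a traffic capture."""
    return [(src, dst, dport, *decide(src, dst, dport)) for src, dst, dport in flows]


# Constructed flows, including a camera (the "IoT device used to target you" case).
SAMPLE_FLOWS = (
    ("10.1.4.22", "10.100.1.5", 445),   # workstation -> file server: trusted channel
    ("10.50.1.10", "10.100.2.3", 554),  # camera -> video recorder: trusted channel
    ("10.50.1.10", "10.100.1.5", 445),  # compromised camera -> file server: denied
    ("10.50.1.10", "10.50.2.7", 80),    # camera -> patient monitor, same group: still denied
    ("10.1.4.22", "10.1.7.9", 445),     # workstation -> workstation: intra-segment
)

if __name__ == "__main__":
    for row in audit(SAMPLE_FLOWS):
        print(*row)
```

The fourth flow is the one that separates micro-segmentation from VLANs: the cameras and the patient monitors sit in the same "iot" group, yet without a trusted channel between the two atomic segments the flow is denied, so a compromised camera cannot reach the monitors just because they share a network tier.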
So what can be done?
• Visibility and Consolidation – Don’t continue adding 1 tool to address 1 problem. Look for areas of consolidation to increase visibility and effectiveness and reduce costs and complexity
• If you need to spend money, spend it on prevention; detection isn’t enough anymore. Threats spread too fast, cause too much damage and are coming at too fast a pace.
03 “The best way to predict the future is to invent it” – Alan Kay, computer scientist
What does the future hold?
• End Ransomware on the desktop
• Emergence of Ransomware on the service delivery side
• End to the browser attack vector
• See a rapid acceleration of mobile threats
• See legislation against IT vendors and organizations if they release vulnerable products or improperly secure their networks. Maybe ban unsafe products from being sold in the country.
• Focus of attacks on disrupting Government and Political operations. This is happening now but they will become more public.
• Legislation of malicious software
• New standards around trust, identity, and access
THANK YOU