In the Cloud Security
Greg Day, Principal Security Analyst EMEA, AVERT member
July 28, 2009

The Tsunami
• Decades of threats, surely we have a handle on this?
• Estimated in excess of $1 trillion loss through cybercrime and data loss in 2008
  McAfee Unsecured Economies Report 2009
• Q1 2009 - 12 million new IPs zombied since January, a 50 percent increase over 2008
  McAfee Quarterly Threat Report Q1 2009
• Koobface - more than 800 new variants in March 2009
  McAfee Quarterly Threat Report Q1 2009
Confidential McAfee Internal Use Only

Understand the motivation, to understand the methodology
Source: Chat Interview with the Dream Coders Team, the developers of MPack http://www.robertlemos.com/2007/07/23/mpack-interview-chat-sessions-posted/
Today anyone can be a cyber criminal!

Over 20 years of Anti-Virus
• Dr Solomon’s Anti-virus from 1990
• Looking for string match against known malware
The age-old question - Is anti-virus dying?

[Charts: "Anti-Virus protection (%) of 2003 Medium+ threats" and "Anti-Virus protection (%) of 2004 Medium+ threats", each splitting AV software protection into % proactive protection and % reactive protection; bar values not recoverable.]

Threat and time scale, as annotated on the charts:
• 1991: Michelangelo - 6 months
• 1997: WM/Cap - 2 months
• 1999: WM/Melissa - 1 day
• 2000: VBS/Loveletter - 4 hours
• 2001: CodeRed/Nimda - 1 hour
• 2003: Slammer - 3 minutes
• 2008: Mass web compromises - seconds
From Elephant to Chameleon - How threats have changed

Evolution of threats
• 1987 – Brain & Stoned (early boot sector viruses)
• 1990 – Vienna modified to be polymorphic
• 1991 – Polymorphism hits the wild (Tequila)
• 1995 – WM/Concept (first macro virus)
• 1999 – Melissa mass mailer & ExploreZip reply mailer
• 2000 – Phage (virus for Palm Pilot)
• 2001 – CodeRed & Nimda (utilise security vulnerabilities)
• 2002 – Klez & Elkern, Bugbear (droppers)
• 2003 – Slammer (speed), Slapper (Unix, directed attack)
• 2004 – Turf wars (Bagle, Netsky, Sober, bots)
• 2005 – System & data theft (Trojans & rootkits)
• 2007 – Rootkits, packers, recycling (threat longevity)
• 2008 – Drive-by infections,
Early proactive techniques

Heuristics (behavioural analysis)
• Positive & negative analysis
• Protection against new file and/or macro viruses
• Checks for virus-like characteristics
• Blocks execution of possible virus code (OAS, the on-access scanner)
• No cleaning, as there is no exact match
• Tangible sample to send to the virus lab
Speed…
The blended/zero-day attack brought the new solutions
Proactive behavioural protection (HIPS, NIPS, FW, whitelisting etc…)
• Known vulnerability detection
• Behavioural controls
  – RFC non-compliance
  – Anomaly detection
  – Policy controls
    • Define web/email usage
    • Lock down Windows & the Windows system folder
    • Registry modification
    • Block unused ports
    • Blacklist non-corporate high-risk apps
  – Proactive or reactive?
(Slide overlay stamped across the list: "Conficker Autorun.inf")
Proactive behavioural controls - limitations
• What did I really stop?
• Did it stop all of the attack?
• What else could it have done?
• We still want to identify the threat
• We sometimes need to clean up
• Assumes clean at point of install
Volume…

The Great Zoo: McAfee known malware samples (count of dirty samples/hashes in the McAfee zoo)
Source: McAfee Avert Labs
• 2006: 78,381 threats
• 2007: 271,197 threats (246% growth from 2006 to 2007)
• 2008: 1,500,000+ threats (~350,000 projected for '08, i.e. 400%+ growth projected; 2008 exceeded projections)
Shark – compilable multi-system back door Trojan. Now anyone can be a cyber criminal!
1. Set up server
2. Compile
3. Infected systems talk home!
4. See what you have!
5. Full control!
6. Enable keylogger
7. Control threat processes
Buy the deployment tools

Mass infection of public web pages globally (13 March 2008)
• 200,000 web pages compromised
  – SQL injection
  – Vulnerabilities in .ASP pages running phpBB
• Inserted JavaScript to write an IFRAME in the header or body, targeting
  – MS06-014
  – RealPlayer (ActiveX control)
  – Baofeng Storm (ActiveX control)
  – Ourgame GL World GlobalLink Chat (ActiveX control)
• Daisy-chains to a China server
  – Drops downloaders
  – Steals gaming credentials
Example: IFrame & MPack
1. The victim visits a legitimate site that has been booby-trapped with hidden redirect code (a hidden iFrame).
2. They are silently redirected to the server hosting the attack tool (MPack).
3. Depending on the browser, various vulnerabilities are tested; various malware is downloaded and executed.
4. The web pages accessible from the victim's workstation are in turn booby-trapped (HTML infection), and the machine is under the control of the MPack C&C center.
Outcomes: botnet, RockPhish, fast-flux, DDoS, identity theft, …
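As an added example (not from the slides, and not MPack's or McAfee's code): a small scanner for the injected hidden-IFRAME pattern that both the 13 March 2008 mass compromise and the MPack flow above rely on. The sample page, the hosts (RFC 5737 documentation addresses) and the "hidden" heuristics (zero/one-pixel size, display:none, off-screen positioning, third-party src) are constructed for illustration.

```python
"""Find hidden <iframe> injections of the kind used by mass web compromises.

Constructed example: the sample page, hosts and heuristics are made up for
illustration; they are not MPack's code nor a vendor's detection logic."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A width/height of 0 or 1 pixel is the classic hidden-iframe tell.
_TINY = re.compile(r"^\s*0*[01]\s*(px)?\s*$", re.I)


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lower-cases tag and attribute names
            self.iframes.append({name: (value or "") for name, value in attrs})


def hidden_reasons(attrs):
    """Return the reasons an iframe looks hidden (empty list if it looks normal)."""
    reasons = []
    for dim in ("width", "height"):
        if dim in attrs and _TINY.match(attrs[dim]):
            reasons.append(f"{dim}={attrs[dim]!r}")
    style = attrs.get("style", "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("style hides element")
    if re.search(r"(left|top):-\d{3,}", style):
        reasons.append("positioned off-screen")
    return reasons


def find_hidden_iframes(html, page_host):
    """Return [{'src': ..., 'reasons': [...]}] for every hidden iframe in html.

    page_host is the host the page was fetched from; an iframe that is both
    hidden and points at another host is the injection pattern described above."""
    collector = _IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        reasons = hidden_reasons(attrs)
        if not reasons:
            continue
        src = attrs.get("src", "")
        src_host = urlparse(src).hostname or page_host
        if src_host != page_host:
            reasons.append(f"third-party src host {src_host}")
        findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample: a shop page carrying two injected iframes and one legitimate one.
SAMPLE_PAGE = """<html><head><title>Shop</title>
<iframe src="http://198.51.100.7/in.cgi?3" width=0 height=0 style="display:none"></iframe>
</head><body>
<p>Welcome</p>
<iframe src="https://www.example-shop.test/help" width="300" height="200"></iframe>
<IFRAME SRC="http://203.0.113.9/mpack/index.php" WIDTH="1" HEIGHT="1"
        STYLE="position:absolute; left:-9999px"></IFRAME>
</body></html>"""

if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE_PAGE, "www.example-shop.test"):
        print(finding["src"], "->", "; ".join(finding["reasons"]))
```

Run against a crawl of your own pages and diff the findings daily: the kits described on these slides re-inject the frame on every compromised page, so a new third-party hidden frame appearing across many pages at once is the signal to look for, not a single odd page.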
Regular "Protection Gap"
Protection gap of 24-72 hours with current solutions:
• t0 – Malware in the wild
• t1 – Malware discovered
• t2 – Protection is available
• t3 – Protection is downloaded
• t4 – Protection is deployed
Security in the Cloud

Next Gen "In the cloud" detection
[Diagram: end nodes querying a fingerprint database across the Internet.]

What is "in the cloud scanning"?
• End-node reporting
• Very little system overhead
• Meta-data
In the cloud security - Blocking what we already know!
• Non-replicating malware is static
• And some replicating malware is static too (e.g. worms)
• Can be detected with a fingerprint (MD5, SHA-1, SHA-2, etc.)
• Black list of fingerprints
Caveat: a fingerprint blacklist matches only the exact bytes it was built from, so a repacked or one-byte-changed sample gets a new fingerprint; and because MD5 collisions are practical, a list keyed on MD5 alone can be fed two files with one fingerprint, so prefer SHA-2 or carry more than one hash per entry.
[Chart: "Replicating vs Non-Replicating Malware", share of each per year from 1999 to 2008 on a 0-100% scale; values not recoverable.]

How does in the Cloud anti-virus work?
1. User receives a new file via email or web
2. No detection with existing DATs, but the file is "suspicious"
3. A fingerprint of the file is created and sent over the Internet
4. Artemis reviews this fingerprint and other inputs statistically across the threat landscape
5. Artemis Collective Threat Intelligence identifies the threat and notifies the client
6. VirusScan processes the file using the Artemis information and removes the threat
In the Cloud in action

In the cloud security - Identifying what we don't know!
Software may be deemed "suspicious" based on:
• Observed behaviours
• Source
• Detections by other products
Behaviours, sources and detections can each be assigned a weight; based on the resulting weight, software may be classified as "suspicious" with different degrees of certainty.
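The six-step Artemis flow and the weighted "suspicious" classification above, as one added example (not McAfee's code or protocol): a local signature miss, a weighted suspicion score that decides whether the file earns a cloud query at all, and a fingerprint-only lookup against a blacklist. The signal names, weights, thresholds, sample bytes and the cloud contents are all constructed stand-ins.

```python
"""Artemis-style lookup flow: local signature miss -> weighted suspicion ->
cloud fingerprint query. Added example; the weights, thresholds, samples and
cloud contents are constructed stand-ins, not McAfee's real data or protocol."""
import hashlib

# Constructed file contents (the bytes are arbitrary; only their hashes matter).
KNOWN_SAMPLE = b"MZ\x90\x00constructed-known-sample"
NEW_SAMPLE = b"MZ\x90\x00constructed-new-sample"
BENIGN_FILE = b"just a text file"


def fingerprint(data: bytes) -> str:
    """The only thing the endpoint sends to the cloud: a hash of the file."""
    return hashlib.sha256(data).hexdigest()


# Stands in for the on-box DAT signatures.
LOCAL_DATS = {fingerprint(KNOWN_SAMPLE): "Constructed/KnownSample"}

# Assumed weights for the signal kinds the slides name: behaviours, source,
# detections by other products. Higher = stronger evidence.
SIGNAL_WEIGHTS = {
    "packed_or_obfuscated": 2,
    "writes_autorun_inf": 3,
    "injects_into_process": 3,
    "source_unknown_download": 2,
    "source_email_attachment": 1,
    "detected_by_other_vendor": 4,
}
# Assumed score thresholds for the "degrees of certainty".
LEVELS = ((8, "high"), (4, "medium"), (1, "low"))


def suspicion(signals):
    """Sum the weights; return (score, level), level None if nothing is suspicious."""
    score = sum(SIGNAL_WEIGHTS.get(s, 0) for s in signals)
    for threshold, level in LEVELS:
        if score >= threshold:
            return score, level
    return score, None


class CloudBlacklist:
    """Stand-in for the cloud fingerprint database; counts queries so the
    example can show that non-suspicious files never leave the box."""

    def __init__(self, entries):
        self.entries = dict(entries)
        self.queries = 0

    def lookup(self, fp):
        self.queries += 1
        return self.entries.get(fp)


def scan(data, signals, cloud):
    """Steps 1-6 of the flow: local DATs first, then suspicion weighting,
    then a cloud query only for files that earned a suspicion level."""
    fp = fingerprint(data)
    if fp in LOCAL_DATS:                       # step 2: detected locally
        return {"verdict": "malware", "name": LOCAL_DATS[fp], "via": "local"}
    score, level = suspicion(signals)
    if level is None:                          # not suspicious: no fingerprint sent
        return {"verdict": "clean", "score": score, "via": "local"}
    name = cloud.lookup(fp)                    # steps 3-5: fingerprint only
    if name:                                   # step 6: act on the cloud verdict
        return {"verdict": "malware", "name": name, "via": "cloud", "score": score}
    return {"verdict": "suspicious", "level": level, "score": score, "via": "cloud"}


if __name__ == "__main__":
    cloud = CloudBlacklist({fingerprint(NEW_SAMPLE): "Constructed/CloudBlacklisted"})
    print(scan(KNOWN_SAMPLE, [], cloud))
    print(scan(NEW_SAMPLE, ["writes_autorun_inf", "detected_by_other_vendor"], cloud))
    print(scan(BENIGN_FILE, [], cloud), "cloud queries:", cloud.queries)
```

The gating on the suspicion level is what keeps the "very little system overhead" and privacy claims honest: only files that already look wrong produce a query, and the query carries a hash, not the file.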
Closing the loop

Malware case study – Spy-Agent.bw
• First seen – 15th October 2008, 22:24:28
• Auto-blacklisted – 15th October 2008, 22:57:01
• Artemis clients sent fingerprints ~2 hours before regular submission saw the file
Security & privacy
Example (an Artemis exchange as it appears on the wire):
U0B6gKhbtiZCoxyh0IneADS/RShS8iRCBSEvwfjekG/q4yDRg qEUXjHWKvnrySGa6QMdftrlpl5pAdJvOUAcNcvCjKvpIfsxv8q Bk4uRQQ60r5StRCXOpiA0Qy3fKmLRUZyNq1EyjLLPKgJDZI 0nqHhRWX+TDgPgXRfW9wD06qE
• Cryptographically strong, actionable responses
• Query specific
• Immune to replay attacks
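What "query specific" and "immune to replay attacks" mean in practice, as an added example (not McAfee's protocol, which the slides do not specify): the client attaches a fresh nonce to each fingerprint query, the responder MACs (fingerprint, nonce, verdict) together, and the client accepts a response once, only for the query it answers, and only if the MAC verifies. A shared HMAC key stands in for whatever Artemis actually uses; the fingerprints are constructed.

```python
"""Query-specific, replay-resistant lookup responses. Added example; an HMAC
over (fingerprint, nonce, verdict) with a pre-shared key stands in for the
real Artemis mechanism, which the slides do not describe."""
import hashlib
import hmac
import json
import os

SHARED_KEY = b"constructed-demo-key"   # assumption: a pre-shared client/server key
BAD_FP = hashlib.sha256(b"constructed malicious file").hexdigest()
GOOD_FP = hashlib.sha256(b"constructed benign file").hexdigest()


def _canonical(body: dict) -> bytes:
    """Deterministic encoding so both sides MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class Responder:
    """Server side: answers a fingerprint query and binds the answer to it."""

    def __init__(self, blacklist, key=SHARED_KEY):
        self.blacklist = set(blacklist)
        self.key = key

    def answer(self, query):
        verdict = "malware" if query["fp"] in self.blacklist else "unknown"
        body = {"fp": query["fp"], "nonce": query["nonce"], "verdict": verdict}
        body["mac"] = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        return body


class Client:
    """Endpoint side: one fresh nonce per query; a response is accepted once,
    only for the query it answers, and only if its MAC verifies."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.pending = {}          # nonce -> fingerprint awaiting an answer

    def query(self, fp):
        nonce = os.urandom(16).hex()
        self.pending[nonce] = fp
        return {"fp": fp, "nonce": nonce}

    def accept(self, response):
        """Return (fingerprint, verdict) the response is valid for, else None."""
        body = {k: v for k, v in response.items() if k != "mac"}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(response.get("mac", ""), expected):
            return None                            # forged or tampered
        fp = self.pending.pop(response["nonce"], None)
        if fp is None or fp != response["fp"]:
            return None                            # replayed, or not our query
        return fp, response["verdict"]


def demo():
    """Walk through the cases a practitioner cares about; return the outcomes."""
    server, client = Responder({BAD_FP}), Client()

    q_bad = client.query(BAD_FP)
    r_bad = server.answer(q_bad)
    legit = client.accept(r_bad)                 # fresh, signed -> (BAD_FP, "malware")
    replay = client.accept(r_bad)                # nonce already consumed -> None

    q_good = client.query(GOOD_FP)
    r_good = server.answer(q_good)
    tampered = client.accept(dict(r_good, verdict="malware"))   # MAC mismatch -> None

    q_bad2 = client.query(BAD_FP)
    # Attacker re-targets the genuine "unknown" answer at a new query about the bad file.
    cross = client.accept(dict(r_good, nonce=q_bad2["nonce"]))  # MAC mismatch -> None
    genuine = client.accept(r_good)              # still valid for its own query
    return {"legit": legit, "replay": replay, "tampered": tampered,
            "cross": cross, "genuine": genuine}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} {outcome}")
```

The property to check in any such scheme is that a captured "clean" answer for one file can never be presented as the answer for another file or for a later query about the same file; the nonce in the MAC input gives the first, the one-shot pending table gives the second. A timestamp in the signed body would additionally bound how long an unanswered query stays valid.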
Cloud security compressed "Protection Gap"
Protection delivered in real-time: t0 – malware in the wild; t1 – malware discovered, with protection available, downloaded and deployed in the same step.
Case study – Spy-Agent.bw
• Artemis protection – ~32 minutes
• Regular protection – ~8.5 hours, not including deployment time
I was blind, but now I see
[Diagram: Collective Threat Intelligence fed over the Internet by Artemis customers, Customer SiteAdvisor, Vulnerability Research, SPAM Research, Malware Research, Risk and Compliance, and HIPs.]
Taking it to the next level

Collaborative Global Intelligence
Physical world: deploy agents, i.e. officers around the globe (MI5, MI6, FBI, CIA, Interpol, police stations), and a global intelligence system that shares intelligence information (e.g. criminal history, a global fingerprinting system). Results: effective (accurate detection of offenders) and proactive (stop them from coming into the country).
Cyber world: deploy security probes around the globe (firewalls, email gateways, web gateways; IntelliCenters in London, Chicago, Frankfurt, San Jose, Atlanta, Hong Kong), and a global intelligence system that shares cyber communication info (e.g. hackers, spammers, phishers). Results: effective (accurate detection of bad IPs and domains) and proactive (deny intruders a connection to your enterprise).
McAfee Global Threat Intelligence - Global Intelligence, Local Protection

Real-time global data monitoring
• 10 billion messages analyzed per month
• IntelliCenters: Chicago, London, Portland, Atlanta, Hong Kong

Automated analysis - dynamic computation of a reputation score (bad to good) for IP, domain, URL, image, message and applications, from:
• Ownership – Whois, zone files, trademark
• Content – images, text, links
• Behavior – social networks, persistence, longevity

Protection platforms
• Edge / Firewall – traffic shaping, attack blocking
• Enterprise web gateways – anti-malware, anti-spoofing
• Messaging gateways – outbreak detection, anti-spam
• Identity fraud – anti-phishing, zombie alerts

Global data monitoring is fueled by the network effect of real-time information sharing from thousands of gateway security devices around the world.

Intelligence: How It All Works….
This entire process happens constantly, every second, 7x24x365:
1. Incoming traffic reaches a TS-enabled (TrustedSource) appliance
2. The appliance queries McAfee Threat Intelligence, which returns reputation info
3. McAfee Threat Intelligence updates its records with new Internet reputation info
McAfee Global Threat Intelligence - Responder Architecture
• Legacy protocol based on customized DNS servers
• Enhanced proprietary protocol (UDP over SSL)
Each query is answered from the reputation data, which the analysis systems build from internal & external data sources:
• Historical data
• Message data/metadata
• Neighborhood data
• Ownership data
• Spamtraps and honeypots
• Blacklists
Instant analysis data is combined with the stored reputation when a query is answered.
TrustedSource Data Mining Technologies - What does it monitor?
• Email – IP reputation, message reputation
• Web – URL categories, web reputation
• Intrusion/FW – IP/protocol reputation, geo-location, IPS attack vector
Threats covered: DoS, DDoS and other attacks; hacker sites; compromised or malicious web sites; web malware; active content (ActiveX, Java, VB code from infected web sites or URLs); zombies, botnets and other sources; image spam; phishing; viruses, worms and Trojans; spam.
Dimensions correlated: IP, domain, URL, message, image, attachment, giving both connection reputation and content reputation.
TrustedSource Data Mining Technologies - Message Reputation
1. Known spammer sends message
2. Message is blocked at the mail gateway
3. Unknown sender sends similar message
4. Message is recognized and blocked
5. Unknown sender sends new/different message
6. Message is associated with new machine in a botnet and blocked
Allows reputations to move across identities and protocols.
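The six-step sequence above, as an added example (not TrustedSource's algorithm): connection reputation blocks the known spammer, the content of that mail is fingerprinted with hashed word shingles, an unknown IP sending a near-duplicate is blocked on content similarity and inherits the bad reputation, and its next, unrelated message is then blocked on IP reputation alone. The shingling, similarity threshold, addresses (RFC 5737) and messages are constructed for illustration.

```python
"""Reputation moving across identities: IP -> message fingerprint -> new IP.
Added example; the shingle fingerprint, Jaccard threshold, addresses and
messages are constructed, not TrustedSource's actual algorithm or data."""
import hashlib
import re


def shingles(text, k=3):
    """Hashed word k-grams: a fuzzy fingerprint that survives the small edits
    (extra punctuation, one changed word) typical of spam variants."""
    words = re.findall(r"[a-z]+", text.lower())
    grams = (" ".join(words[i:i + k]) for i in range(len(words) - k + 1))
    return {hashlib.sha1(g.encode()).hexdigest()[:16] for g in grams}


def jaccard(a, b):
    """Similarity of two shingle sets in [0, 1]."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


class ReputationStore:
    def __init__(self, bad_ips=()):
        self.bad_ips = set(bad_ips)          # connection reputation
        self.spam_fingerprints = []          # content reputation: (source label, shingles)


class MailGateway:
    def __init__(self, store, similarity=0.5):
        self.store = store
        self.similarity = similarity         # assumed threshold

    def handle(self, src_ip, message):
        """Return (action, reason) for one inbound message, updating reputations."""
        sh = shingles(message)
        if src_ip in self.store.bad_ips:
            # Steps 1-2 (and 5-6): blocked on sender reputation; remember the
            # content so the same campaign is recognised from any other address.
            self.store.spam_fingerprints.append((src_ip, sh))
            return "block", "ip reputation"
        for label, known in self.store.spam_fingerprints:
            if jaccard(sh, known) >= self.similarity:
                # Steps 3-4: content matched a known campaign, so the unknown
                # sender inherits the bad reputation (it is a new bot).
                self.store.bad_ips.add(src_ip)
                return "block", f"message matches campaign from {label}"
        return "deliver", "no match"


# Constructed messages and RFC 5737 documentation addresses.
KNOWN_SPAMMER = "198.51.100.23"
NEW_BOT = "203.0.113.5"
CLEAN_SENDER = "192.0.2.10"
SPAM_V1 = ("Congratulations! You have been selected to receive a free prize. "
           "Click here now to claim your reward before it expires today.")
SPAM_V2 = ("Congratulations!! You have been selected to receive a free prize! "
           "Click here now to claim your reward before it expires tomorrow.")
SPAM_V3 = "Your account statement is ready, download it from the link below."
LEGIT = "Hi team, the quarterly report is attached. Please review the numbers before Thursday."


def run_scenario():
    """Replay the slide's six steps plus one legitimate mail; return the decisions."""
    store = ReputationStore(bad_ips={KNOWN_SPAMMER})
    gw = MailGateway(store)
    return [
        gw.handle(KNOWN_SPAMMER, SPAM_V1),   # 1-2: blocked on IP reputation
        gw.handle(NEW_BOT, SPAM_V2),         # 3-4: unknown IP, similar content
        gw.handle(NEW_BOT, SPAM_V3),         # 5-6: new content, IP now in the botnet
        gw.handle(CLEAN_SENDER, LEGIT),      # unrelated mail still delivered
    ]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The threshold is the knob to watch: too low and a legitimate newsletter that quotes a spam subject line poisons its sender's IP; the neighbourhood and ownership data the later slides describe exist partly to keep one noisy match from condemning a shared mail relay.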
TS Web Reputation Breakout

Building Web Reputation
Raw data (size: 75 million hosts)
• TrustedSource for Email
• Domain registrations
• WHOIS data
• WebWasher classifiers
• SmartFilter categories
• Web access logs
• Malware URLs, phishing URLs, spam URLs
• Fortune 1000 websites
• Blacklists, whitelists
• TrustedSource for Web
Analysis
• Correlation mapping (joint conditional mapping)
• Support Vector Machine classification of all parameters
• Parked domain identifier
• Neighborhood precision classification
• Real-time classifier
• GEO location
• Host information: DNS, WHOIS, OS, web server, certificate information
Reputation service
• More precise score, on a range from -180 (bad) through suspicious to +180 (good)
• Identified zombies, malware, suspicious hosts
TrustedSource Web Database
• Category-based filtering + reputation based filtering = best protection available
• 96 URL categories
• TrustedSource global intelligence augments numerous categories such as Spam, Malicious Sites, Phishing, Hacking/Computer Crime
• Reputation-based filtering for today’s Web 2.0 threats – Provides an additional layer of security – Malicious sites, Spyware, Hacking, P2P, IM and more
• 31+ Million URLs (contains IPs, HTTP and HTTPS URLs)
• Automated proactive and reactive URL gathering systems
• Human review of URLs by multi-lingual/cultural Web Analysts – Global coverage (language and regions)
• Real-time updates
TS Web Language breakout

www.TrustedSource.Org
• Public portal
• View reputations for domains, IP addresses or URLs
• Sending patterns of the senders
• Analytical information:
  – country of origin
  – network ownership
  – hosts for known senders within each domain
• Snapshot of global email trends, including a map illustrating country of origin for email attacks
• Graphs displaying overall email and spam volume trends
• ROI calculator
• ZombieMeter
• Domain health check
• Latest malware threats
• Blogs from experts
• Top spam senders
Greg_Day@McAfee.com (spelled out in binary on the closing slide):
0100011101110010011001010110011101011111010001000110000101111001010000000100 1101011000110100000101100110011001010110010100101110011000110110111101101101