Emerging Threats

Presenter: จตุพร พึ่งเสือ, system engineer, [email protected]
BRKSEC 2001 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda
  • What and Where are Threats
  • Threat Trends
  • Year in Review
  • Conclusion
  • Who we are / How Cisco can help

What and Where are Threats

What? Where? Why?
  • What is a threat? An indication or warning of probable trouble.
  • Where are threats? Everywhere you can, and more importantly, cannot think of.
  • Why are there threats? The almighty dollar (or euro): the underground cybercrime industry is a growth industry. Also political and nationalistic motivations.

Examples of Threats
  • Targeted hacking
  • Vulnerability exploitation
  • Malware outbreaks
  • Economic espionage
  • Intellectual property theft or loss
  • Network access abuse
  • Theft of IT resources
  • Denial of service

Areas of Opportunity
(figure: a layered stack labelled "Moving up the stack", bottom to top: Operating Systems, Network Services, Applications, Users)

Operational Evolution of Threats
(table: the columns follow the threat evolution axis, the rows the operational and support burden axis)
  • Emerging Threat: "new", unknown, or problems we haven't solved yet. Policy and process definition: reactive process. Mitigation technology: manual process. End-user awareness/knowledge: no end-user awareness.
  • Nuisance Threat: the largest volume of problems and the focus of most day-to-day security operations. Policy and process definition: socialized process. Mitigation technology: human "in the loop". End-user awareness/knowledge: end user is aware and knows enough to call the help desk.
  • Unresolved Threat: policy and process definition: formalized process. Mitigation technology: automated response. End-user awareness/knowledge: end user increasingly self-reliant, so the support burden falls.

Threat Trends

Trends
  • Evolution of intent
  • The cybercrime industry
  • Botnets
  • Blended attacks / next generation spam
  • Phishing
  • Port 80
  • Web 2.0 abuse

Evolution of Intent
(timeline 2003 to 2010; each named outbreak was a major media event)
  • Notoriety: SQL Slammer; Netsky, Bagle, MyDoom
  • Fame: Zotob
  • Money: Conficker, ZeuS, Koobface

Cybercrime Industry: In the Past
(writers, asset, end value)
  • Writers: tool and toolkit writers; malware writers (worms, viruses, trojans)
  • Asset: compromise of an individual host or application; compromise of an environment
  • End value: fame; theft; espionage (corporate/government)

Cybercrime Industry: Today
(writers, first-stage abusers, middle men, second-stage abusers, end value; $$$ flow of money $$$)
  • Writers: tool and toolkit writers; malware writers (worms, viruses, trojans, spyware)
  • First-stage abusers: hacker / direct attack; machine harvesting; information harvesting; internal theft / abuse of privilege
  • Middle men: compromised hosts and applications; bot-net creation; bot-net management (for rent, for lease, for sale); personal information; electronic IP leakage
  • Second-stage abusers: extortionist / DDoS-for-hire; spammers / affiliates; phishers; pharmer / DNS poisoning; identity theft; information brokerage
  • End value: fame; theft; espionage (corporate/government); extorted pay-offs; commercial sales; fraudulent sales; click-through revenue; financial fraud

"Noise" Level
(chart, 2000 to 2008: public awareness over time of large-scale worms versus targeted attacks)

Cyber Crime Profit Level
(chart, 2000 to 2008: illicit dollars gained from targeted attacks versus large-scale worms. Source: ICR 2001, 2007)

Botnets
  • Botnet: a collection of compromised machines running programs under a common command and control infrastructure
  • Building the botnet: many, many malcode vectors
  • Controlling the botnet: a covert channel of some form, typically IRC or a custom IRC-like channel
  • Historically, bots have used free DNS hosting services to find the IRC server
  • Recent attempts to sever the command infrastructure of botnets have resulted in more sophisticated control systems
  • Control services are increasingly placed on compromised high-speed machines
  • Redundant systems and blind connects are implemented for resilience (fast-flux)
  • Do you know if bots are loose on your network?
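The Botnets slide ends with a question rather than a method. The following is an added example, not code from the deck or from Cisco, that turns two of the traits the slide lists into checks a network team can run over its own resolver and flow logs: fast-flux names (many short-TTL A records spread across unrelated networks, as opposed to a CDN whose many records sit in one address block) and timer-driven check-ins to an IRC-like command channel. The DNS answers, flow records, thresholds and the /16 grouping are all constructed assumptions for illustration.

```python
"""Two heuristics for the "are bots loose on your network?" question.

Added example, not code from the BRKSEC 2001 deck or from Cisco.  It checks
two traits the Botnets slide lists: fast-flux DNS (many short-TTL A records
spread across unrelated networks) and periodic beaconing to an IRC-like
command channel.  All records below are constructed; thresholds are
assumptions, not vendor-validated values.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class DnsAnswer:
    qname: str   # name the host resolved
    rdata: str   # A record returned
    ttl: int     # seconds


@dataclass(frozen=True)
class Flow:
    ts: int      # connection start, seconds since epoch
    src: str     # internal host
    dst: str     # external host
    dport: int


# Constructed resolver log: a flux name, a legitimate CDN name, a plain site.
SAMPLE_ANSWERS = [
    DnsAnswer("update-chk.example", ip, 120)
    for ip in ("192.0.2.10", "198.51.100.20", "203.0.113.30",
               "192.0.2.45", "198.51.100.77")
] + [
    DnsAnswer("cdn.example", f"203.0.113.{i}", 60) for i in range(1, 9)
] + [
    DnsAnswer("www.example", "192.0.2.1", 3600),
    DnsAnswer("www.example", "192.0.2.2", 3600),
]

# Constructed flow log: one host calling home every ~60 s on an IRC port,
# one host browsing in the bursty way a person does.
SAMPLE_FLOWS = (
    [Flow(t, "10.0.0.7", "203.0.113.9", 6667)
     for t in (0, 60, 122, 180, 241, 300, 361, 420)]
    + [Flow(t, "10.0.0.8", "198.51.100.4", 443)
       for t in (0, 5, 400, 410, 900, 905, 1500)]
)


def fast_flux_names(answers, ttl_max=300, min_ips=5, min_nets=3):
    """Return {qname: (distinct_ips, distinct_/16s, min_ttl)} for names whose
    answers look fast-flux.  A CDN also hands out many short-TTL records, but
    they sit in the CDN's own address space; requiring several unrelated /16s
    is the (assumed) discriminator used here."""
    by_name = defaultdict(list)
    for a in answers:
        by_name[a.qname].append(a)
    flagged = {}
    for qname, recs in by_name.items():
        ips = {r.rdata for r in recs}
        nets = {ip_network(f"{ip}/16", strict=False) for ip in ips}
        min_ttl = min(r.ttl for r in recs)
        if len(ips) >= min_ips and len(nets) >= min_nets and min_ttl <= ttl_max:
            flagged[qname] = (len(ips), len(nets), min_ttl)
    return flagged


def beacon_candidates(flows, min_conns=6, max_cv=0.2):
    """Return {(src, dst, dport): (count, mean_gap_s, cv)} for connection
    series whose inter-arrival times are nearly constant.  A coefficient of
    variation (std/mean) near zero is the signature of a timer-driven
    check-in; human browsing is bursty.  Thresholds are assumptions."""
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f.src, f.dst, f.dport)].append(f.ts)
    found = {}
    for key, times in by_key.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean == 0:
            continue
        var = sum((g - mean) ** 2 for g in gaps) / len(gaps)
        cv = var ** 0.5 / mean
        if cv <= max_cv:
            found[key] = (len(times), round(mean), round(cv, 3))
    return found


if __name__ == "__main__":
    print("fast-flux names:", fast_flux_names(SAMPLE_ANSWERS))
    print("beacon candidates:", beacon_candidates(SAMPLE_FLOWS))
```

On the constructed data only update-chk.example is flagged as fast-flux (cdn.example has eight short-TTL records but they all fall in one /16) and only the 10.0.0.7 to port 6667 series is flagged as a beacon. Both heuristics need a long enough observation window and tuning against your own CDN and update traffic before they are worth alerting on; they are a starting point for the question the slide asks, not a detector on their own.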
See "Infiltrating a Botnet": http://www.cisco.com/web/about/security/intelligence/bots.html (definition source: www.wikipedia.com)

Next Generation Spam
  • Growing in sophistication
  • Targeted
  • Blending email and web
  • New vectors include SMS vishing and IM spam (SPIM)
  • Extensive use of social engineering
  • 3rd-generation spam doesn't embed malcode or links ("please open service ports into your network")
  • 50% of users still open spam or click links

Phishing and Its Variants
  • Traditional phishing is still in use
  • Spear-phishing: targeted phishing attempts against IT admins, specific job roles, specific companies
  • Whaling: phishing attempts specifically targeting a high-value target, e.g. C-level execs

Port 80: The New Internet
  • 50% of traffic is "easy to classify": predictable traffic, recognized domains
  • 50% of traffic is "hard to classify": 110M sites, growing 40% annually; a mixture of legitimate sites, spyware and malware
(chart: traffic volume against number of sites; a "big head" of a few high-volume sites and a "long tail" of many low-volume ones)

Malware Threat Distribution
(chart: malware infections over time, email vector versus web vector)
  • Malware infection vectors are shifting from email to web

Web 2.0 Abuse
  • Commercial tools for account creation, posting, CAPTCHA* solving and IP rotation are readily available
  • Targets popular sites and blogs including Gmail, Yahoo!, Twitter, Facebook and Craigslist
  • Enables abuse of many services, including webmail account creation for spamming
  *Completely Automated Public Turing test to tell Computers and Humans Apart

What Does This Mean?
  • Threats and criminals are faster, smarter and more covert
  • Criminals have more vulnerabilities to exploit
  • Criminals are evolving their techniques; users must stay current

Year in Review

Cisco Cybercrime ROI Matrix
(figure)

Cybercrime Product of the Year!
  • Fake AV is 15% of all malware. Example pop-up: "Antivirus XP has found 2794 threats. It is recommended to proceed with removal"

Criminal SaaS Offerings Expand
  • A service dedicated to checking whether a malware executable is detectable by AV engines (screenshot)

Cisco Cybercrime Showcase Winner
  • Most Audacious Criminal Operation: ZeuS

ZeuS: Banking Trojan Prime Example
  "$10 million lost in one 24-hour period."
  "...[C]riminals have used the Internet to steal more than $100 million from U.S. banks so far this year and they did it without ever having to draw a gun or pass a note to a teller... I've seen attacks where there's been $10 million lost in one 24-hour period."
  - Sean Henry, an assistant director of the FBI in charge of the bureau's cyber division

Automation of Targeted & Blended Attacks
(figure)

Why ZeuS?
(figure)

What Happened in Kentucky?
  • The county treasurer had ZeuS malware on his PC
  • Criminals stole credentials and logged in to the bank accounts from the treasurer's PC
  • Reconnaissance was used to plan the theft
  • Mules were recruited via Careerbuilder.com and set up as fictitious employees
  • Mules received $9,700 and sent $8,700 to Ukraine via Western Union
  • Transactions were wire transfers of less than $10,000 each
  • A total of $415k was stolen

Screen Injection
(screenshots, courtesy Silver Tail Systems: the same banking page as rendered by a browser not on ZeuS and by a browser on ZeuS)
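The Screen Injection slide shows only the before-and-after screenshots. The following added example, which is not code from the deck, from Silver Tail Systems or from ZeuS, shows in Python what a web-inject rule does to the page inside the browser and one check the bank's server can still make. The rule layout (url_mask, data_before, data_inject, data_after) is modelled on the documented structure of ZeuS web-inject configs but is a simplified reconstruction, not a parser for the real file format; the bank page, the host name bank.example, the injected pin and card fields and the POST body are all constructed.

```python
"""Screen injection as a banking trojan performs it, plus a server-side check.

Added example; not code from the BRKSEC 2001 deck, from Silver Tail Systems
or from ZeuS.  The rule layout (url_mask, data_before, data_inject,
data_after) mirrors the documented structure of ZeuS web-inject configs but
is a simplified reconstruction (assumption), not a parser for the real
format.  The bank page, the rule and the POST body are constructed.
"""
import re
from urllib.parse import parse_qs

# What the bank's server actually sends (constructed).
BANK_LOGIN_PAGE = """<form action="/login" method="post">
  <label>Username <input name="user"></label>
  <label>Password <input name="pass" type="password"></label>
  <button type="submit">Sign in</button>
</form>"""

# Constructed inject rule: add two fields the bank never asks for.  The trojan
# applies it inside the browser, after TLS has been decrypted, so the padlock
# stays green and the HTML is untouched in transit.
INJECT_RULE = {
    "url_mask": "https://bank.example/login*",
    "data_before": '<label>Password <input name="pass" type="password"></label>',
    "data_inject": ('\n  <label>ATM PIN <input name="pin" type="password"></label>'
                    '\n  <label>Card number <input name="card"></label>'),
    "data_after": "",   # empty: replace nothing, insert right after data_before
}


def apply_inject(html, rule):
    """Insert rule['data_inject'] between the first occurrence of data_before
    and the following data_after, replacing whatever lay between them.
    Returns html unchanged when the markers do not match, as the trojan would
    leave a page that does not fit the rule alone."""
    start = html.find(rule["data_before"])
    if start == -1:
        return html
    start += len(rule["data_before"])
    if rule["data_after"]:
        end = html.find(rule["data_after"], start)
        if end == -1:
            return html
    else:
        end = start
    return html[:start] + rule["data_inject"] + html[end:]


def form_fields(html):
    """Names of <input> elements in the page, in document order."""
    return re.findall(r'<input\s+name="([^"]+)"', html)


def unexpected_fields(post_body, expected):
    """Server-side check: which submitted field names did this form never
    render?  The server cannot see the injected HTML, but inputs injected
    inside the bank's own <form> are posted to the bank together with the
    real ones, so extra names are a usable signal of a tampered client."""
    submitted = set(parse_qs(post_body, keep_blank_values=True))
    return submitted - set(expected)


if __name__ == "__main__":
    tampered = apply_inject(BANK_LOGIN_PAGE, INJECT_RULE)
    print(tampered)
    print("fields served:", form_fields(BANK_LOGIN_PAGE))
    print("fields on the infected client:", form_fields(tampered))
    body = "user=alice&pass=hunter2&pin=1234&card=4111111111111111"
    print("unexpected:", unexpected_fields(body, form_fields(BANK_LOGIN_PAGE)))
```

The point the screenshots make is that the tampering happens after decryption, in the victim's browser, so neither TLS nor the server's own HTML is any protection. The server-side check above catches only injects whose extra fields travel back to the bank inside the legitimate POST; a rule that sends the captured values straight to the criminals' server leaves the POST clean, which is why banks pair such checks with session-behaviour analysis and out-of-band confirmation of transfers rather than relying on them alone.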

Details
  • File Type: pdf
  • Content Languages: English
  • File Pages: 49
