
In the Cloud Security
Greg Day, Principal Security Analyst EMEA, AVERT member
July 28, 2009

The Tsunami
• Decades of threats, surely we have a handle on this?
• Estimated in excess of $1 trillion loss through cybercrime and data loss in 2008 (McAfee Unsecured Economies Report 2009)
• Q1 2009 – 12 million new IPs zombied since January! 50 percent increase since 2008 (McAfee Quarterly Threat Report Q1 2009)
• Koobface – more than 800 new variants in March 09! (McAfee Quarterly Threat Report Q1 2009)
July 28, 2009 Confidential McAfee Internal Use Only

Understand the motivation, to understand the methodology
Source: Chat interview with the Dream Coders Team, the developers of MPack
http://www.robertlemos.com/2007/07/23/mpack-interview-chat-sessions-posted/

Today anyone can be a cyber criminal!

Over 20 years of Anti-Virus
• Dr Solomon’s Anti-Virus from 1990
• Looking for a string match against known malware

The age old question – Is anti-virus dying?
[Charts: Anti-Virus protection (%) of 2003 and of 2004 Medium+ threats – AV software, % Proactive protection, % Reactive protection]
Time from release to widespread infection:
• 1991 : Michelangelo : 6 months
• 1997 : WM/Cap : 2 months
• 1999 : WM/Melissa : 1 day
• 2000 : VBS/Loveletter : 4 hours
• 2001 : CodeRed/Nimda : 1 hour
• 2003 : Slammer : 3 mins
• 2008 : Mass web compromises : secs

From Elephant to Chameleon
How threats have changed

Evolution of threats
1987 – Brain & Stoned (early BSV)
1990 – Vienna modified to be polymorphic
1991 – Polymorphism hits the wild (Tequila)
1995 – WM/Concept (first macro virus)
1999 – Melissa mass mailer & ExploreZip reply mailer
2000 – Phage (virus for Palm Pilot)
2001 – CodeRed & Nimda (utilise security vulnerabilities)
2002 – Klez & Elkern, Bugbear (droppers)
2003 – Slammer (speed), Slapper (Unix, directed attack)
2004 – Turf wars (Bagle, Netsky, Sober, BOTs)
2005 – System & data theft (Trojans & rootkits)
2007 – Rootkits, packers, recycling (threat longevity)
2008 – Drive-by infections,

Early proactive techniques

Heuristics (behavioural analysis)
• Positive & negative analysis
• Protection against new file and/or macro viruses
• Checks for virus-like characteristics
• Block execution of possible virus code (OAS)
• No cleaning, as there is no exact match
• Tangible sample to send to the virus lab

Speed…
The blended/zero-day attack brought the new solutions

Proactive behavioural protection (HIPS, NIPS, FW, whitelisting etc…)
• Known vulnerability detection
• Behavioural controls
– RFC non-compliance
– Anomaly detections
– Policy controls
• Define web/email usage
• Lockdown Windows & Windows system folder
• Registry modification
• Block unused ports
• Blacklist non-corporate or high-risk apps
• Conficker – AutoRun.inf
Proactive or Reactive?

Proactive Behavioural Controls – limitations
• What did I really stop?
• Did it stop all of the attack?
• What else could it have done?
• We still want to identify the threat
• We sometimes need to clean up
• Assumes clean at point of install

Volume…
[Chart: # of threats – 2006: 78,381; 2007: 271,197; 2008: 1,500,000+] Source: McAfee Avert Labs
• 246% growth from 2006 to 2007
• ~350,000 projected for ’08
• 400%+ growth projected for 2008
• 2008 exceeded projections

The Great Zoo: McAfee Known Malware Samples
Count of dirty samples/hashes in the McAfee zoo

Shark – Compilable multi-system back door Trojan
Now anyone can be a cyber criminal!
1. Setup server
2. Compile
3. Infected systems talk home!
4. See what you have!
5. Full control!
6. Enable keylogger
7. Control processes

Buy the deployment tools

Mass infection of public web pages globally (13 March 08)
• 200,000 web pages compromised
– SQL injection
– Vulnerabilities in .ASP pages running phpBB
• Inserted JS to write IFRAME in header or body
– MS06-014
– RealPlayer (ActiveX control)
– Baofeng Storm (ActiveX control)
– Ourgame GL World GlobalLink Chat (ActiveX control)
• Daisy chains to China server
– Drops downloaders
– Steals gaming credentials

Example: IFrame & MPack
[Diagram: booby-trapped legitimate sites; MPack C&C center; (1) connection to a legitimate site; (2) silent redirect; (3) exploitation; (4) HTML infection; (4) machine under control – Botnet, RockPhish, Fast-Flux, DDoS, Identity theft, …]
1. The victim visits a legitimate site that has been booby-trapped with hidden redirect code (hidden iFrame).
2. They are silently redirected to the server hosting the attack tool.
3. Depending on the browser, various vulnerabilities may be tested. Various malware are silently downloaded and executed.
4. The web pages accessible from the victim’s workstation are in turn booby-trapped.

Regular “Protection Gap”
Protection gap of 24–72 hours with current solutions
t0 – Malware in the wild
t1 – Malware discovered
t2 – Protection is available
t3 – Protection is downloaded
t4 – Protection is deployed

Security in the Cloud

Next Gen “In the cloud” detection
[Diagram: Internet; Fingerprint Database]

What is “in the Cloud scanning”?
• End-node reporting
• Very little system overhead
• Meta-data

In the cloud security – Blocking what we already know!
• Non-replicating malware is static
• And some replicating malware is static too (e.g. worms)
• Can be detected with a fingerprint (MD5, SHA-1, SHA-2, etc.)
• Black list of fingerprints
[Chart: Replicating vs Non-Replicating Malware, share in %, 1999–2008]

How does in the Cloud anti-virus work?
1. User receives new file via email or web
2. No detection with existing DATs, but the file is “suspicious”
3. Fingerprint of file is created and sent (over the Internet)
4. Artemis reviews this fingerprint and other inputs statistically across the threat landscape (Artemis Collective Threat Intelligence)
5. Artemis identifies the threat and notifies the client
6. VirusScan processes using Artemis information and removes the threat

In the Cloud in action

In the cloud security – Identifying what we don’t know!
• Software may be deemed “suspicious” based on
– Observed behaviours
– Source
– Detections by other products
• Behaviours, sources, detections can be assigned a weight
• Based on the resulting weight, software may be classified as “suspicious” with different degrees of certainty

Closing the loop

Malware case study – Spy-Agent.bw
• First seen – 15th October 2008, 22:24:28
• Auto-blacklisted – 15th October 2008, 22:57:01
• Artemis clients sent fingerprints ~2 hours before regular submission saw the file

Security & privacy
Example: (base64-encoded response string)
• Cryptographically strong actionable responses
• Query specific
• Immune to replay attacks

Cloud security compressed “Protection Gap”
Protection delivered in real-time
t0 – Malware in the wild
t1 – Malware discovered
t1 – Protection is available, downloaded and deployed
Case study – Spy-Agent.bw
• Artemis protection – ~32 minutes
• Regular protection – ~8.5 hours
– Not including deployment time

I was blind, but now I see
[Diagram: Artemis customers; Customer; SiteAdvisor; Vulnerability Research; Internet Research; SPAM Research; Malware Research; Collective Threat Intelligence; Risk and Compliance; HIPs]

Taking it to the next level

Collaborative Global Intelligence
• Physical – Deploy agents: officers around the globe (MI5, MI6, FBI, CIA, Interpol)
• World – Global intelligence system: share intelligence information (e.g. criminal history, global fingerprinting system)
• Results
– Effective – Accurate detection of offenders
– Pro-active –
[Diagram: Interpol; CIA; FBI; Police Stations; Police Intelligence]
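The “How does in the Cloud anti-virus work?” and “Identifying what we don’t know!” slides describe a flow that the following added example sketches in Python; it is not McAfee’s code. The local DAT set, the cloud blacklist and the weights are constructed for the demonstration, and the cloud lookup is simulated with a dictionary.

```python
import hashlib

# Constructed sample data standing in for the local DAT set and the
# cloud-side fingerprint blacklist; none of these hashes are real malware.
LOCAL_DATS = {hashlib.sha256(b"known-old-sample").hexdigest()}
CLOUD_BLACKLIST = {hashlib.sha256(b"fresh-sample-seen-in-cloud").hexdigest()}

# Hypothetical weights for the three inputs the slide lists: observed
# behaviours, where the file came from, and detections by other products.
BEHAVIOUR_WEIGHTS = {"autorun_inf_written": 3, "registry_run_key": 2,
                     "beacons_home": 3, "unsigned_packer": 1}
SOURCE_WEIGHTS = {"corporate_share": 0, "email_attachment": 2, "drive_by_download": 4}
OTHER_DETECTION_WEIGHT = 2  # per other product already flagging the fingerprint

def fingerprint(data: bytes) -> str:
    """Only a hash leaves the endpoint, never the file itself (meta-data only)."""
    return hashlib.sha256(data).hexdigest()

def suspicion_score(behaviours, source, other_detections) -> int:
    """Sum the weights assigned to behaviours, source and third-party detections."""
    score = sum(BEHAVIOUR_WEIGHTS.get(b, 0) for b in behaviours)
    score += SOURCE_WEIGHTS.get(source, 0)
    score += OTHER_DETECTION_WEIGHT * other_detections
    return score

def classify(score: int) -> str:
    """Map the resulting weight to a degree of certainty (thresholds are constructed)."""
    if score >= 8:
        return "suspicious/high"
    if score >= 4:
        return "suspicious/medium"
    if score >= 2:
        return "suspicious/low"
    return "clean"

def scan(data, behaviours=(), source="corporate_share", other_detections=0):
    """Steps 1-6 of the slide: local DATs first, cloud fingerprint query only for
    suspicious files, verdict returned as (action, reason, fingerprint)."""
    fp = fingerprint(data)
    if fp in LOCAL_DATS:
        return ("blocked", "local DAT match", fp)
    tier = classify(suspicion_score(behaviours, source, other_detections))
    if tier == "clean":
        return ("allowed", "not suspicious, no cloud query", fp)
    # Only suspicious files cost a round trip; the cloud query is a dict lookup here.
    if fp in CLOUD_BLACKLIST:
        return ("blocked", "cloud fingerprint match", fp)
    return ("allowed", f"{tier}, no cloud match", fp)
```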
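The “Security & privacy” slide claims query-specific responses that are immune to replay. As an added example, not the page’s or McAfee’s protocol, here is one way to get that property: the client binds each query to a single-use nonce and the service’s HMAC covers the nonce, the fingerprint and the verdict. The shared key, the JSON layout and the 60-second freshness window are assumptions.

```python
import hashlib
import hmac
import json
import os
import time

SHARED_KEY = b"constructed-demo-key"   # assumption: per-client credential

def make_query(fp: str) -> dict:
    """Client side: a fresh nonce makes every query distinct."""
    return {"fp": fp, "nonce": os.urandom(16).hex(), "ts": int(time.time())}

def _mac(body: dict, key: bytes) -> str:
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def sign_response(query: dict, verdict: str, key: bytes = SHARED_KEY) -> dict:
    """Service side: the MAC covers this query's nonce, so the response is
    actionable only for the query that carried that nonce."""
    body = {"fp": query["fp"], "nonce": query["nonce"], "verdict": verdict}
    body["mac"] = _mac(body, key)
    return body

class ResponseVerifier:
    """Client side: accept each nonce once, check binding, freshness and MAC."""
    def __init__(self, key: bytes = SHARED_KEY, max_age: int = 60):
        self.key = key
        self.max_age = max_age
        self.pending = {}        # nonce -> (fingerprint, time issued)

    def register(self, query: dict) -> None:
        self.pending[query["nonce"]] = (query["fp"], query["ts"])

    def verify(self, response: dict, now=None) -> tuple:
        now = time.time() if now is None else now
        issued = self.pending.pop(response.get("nonce"), None)   # single use
        if issued is None:
            return (False, "unknown or replayed nonce")
        fp, ts = issued
        if response.get("fp") != fp:
            return (False, "response for a different fingerprint")
        if now - ts > self.max_age:
            return (False, "stale response")
        body = {k: response.get(k) for k in ("fp", "nonce", "verdict")}
        if not hmac.compare_digest(_mac(body, self.key), response.get("mac", "")):
            return (False, "bad MAC")
        return (True, response["verdict"])
```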