CSO Breakfast in Partnership with ESET - Juraj Malcho Presentation
2. Are we doing enough?
Juraj Malcho
Chief Research Officer
ESET
3. Agenda
• Malware scene of today
• Anything special about Australia?
• Are security solutions dead and ineffective?
• How to manage to survive (and sleep at night)?
• How dark is the future of ICT security?
13. Filecoders prevalence 2015 consumer vs business
Country               infection share   total share
Australia             2.70%             0.16%
Spain                 2.36%             0.16%
Italy                 2.44%             0.12%
South Africa          1.47%             0.11%
United States         2.73%             0.10%
Canada                1.81%             0.09%
Belgium               1.50%             0.07%
Malaysia              0.74%             0.07%
United Kingdom        0.98%             0.06%
Russia                0.96%             0.06%
Bulgaria              0.93%             0.06%
Portugal              0.88%             0.06%
United Arab Emirates  0.45%             0.05%
Netherlands           1.18%             0.04%

Country               infection share   total share
South Africa          1.39%             0.10%
Spain                 1.45%             0.09%
United States         1.80%             0.07%
Australia             1.50%             0.07%
Israel                0.82%             0.06%
Canada                1.12%             0.05%
United Kingdom        0.87%             0.05%
Turkey                0.63%             0.05%
Thailand              0.41%             0.05%
New Zealand           1.07%             0.04%
Netherlands           0.97%             0.04%
Italy                 0.91%             0.04%
Singapore             0.50%             0.04%
Belgium               0.83%             0.03%
27. Massive spreading not en vogue anymore
• The most burning issues rarely make it to the top 20 today: ransomware, banking Trojans, targeted malware
• Top ranks are completely taken by Potentially Unwanted Software
• Staying under the radar and tailoring malware for specific targets is the main focus today
28. IoT aka Internet of Threats
• History repeats itself: time to market is the most important thing, not security
• Problematic from simple devices to complex ones – smart sensors, bulbs, intelligent home devices, smart TVs, internet routers, cars, mobile phones
• Could I get a “non-smart” option, please???
29. Fixing IoT
• Simple ones need a strict End of Life policy
– They won’t update, they’re extremely cheap
• Complex ones must be easy to update
– Really? Home routers, cars, mobile phones?
• Are legislation and industry standards going to save us?
• Endpoint protection is almost impossible
– We hear those saying firewalls are dead
33. APT or TPA?
• If detected out of the box then the attacker failed
• Advanced Persistent Threat is completely wrong
– those threats are usually not advanced, not everything is Stuxnet
– the malware itself is just a tool to perform an attack
– it’s the attacker who’s persistent
• Targeted Persistent Attack is much more spot on
– Attackers combine different methods when doing reconnaissance – phishing phone call, targeting email-borne malware to different people in an organization
34. Is AV dead?
• Yes, for about 20 years if you’re talking about the original technology
• However, it followed malware evolution:
– Network communication inspection – botnets, exploitation, exfiltration
– Emulation/sandboxing of analyzed code
– Behavioral monitoring and memory scanning
– Exploitation blocking
– Cloud-based reputation systems
– Stealth detections which can’t be tested by malware writers
– Gradual move from automatic to more verbose/interactive solutions
35. Bold words from the other side
• Q: What types of security devices/services/techniques legitimately make your life harder as a blackhat? Any that you think are a complete waste of money?
• A: Hmmmm, DDoS protection is a serious knock back, although as many groups have proven before it’s easy to bypass – e.g. cloudflare resolver before they changed the protection method (almost bypassable lol). Things that are a waste of money… Hmm, anti-virus is completely useless — yes it may protect you from skids using non-FUD files but that’s it. Every botnet that gets sold comes FUD as default. People do it for free, it’s that easy.
37. "HAHAHA THE AVS FELL FOR THE LAST STRING
F*****G ICARUS AND ASQUARED
I JUST WISH NOD32 WOULD LEAVE ME ALONE
FOR A FEW DAT ITS PISSING ME OFF THIS IS
HOW I LIVE"
"THIS-IS-HOW-I-LIVE-AND-PAY-MY-BILLS-GIVE-
ME-A-BREAK"
The irritated author of Dorkbot
38. The Irritated Author of Win32/Dorkbot
"HAHAHA THE AVS FELL FOR THE LAST STRING
FUCKING ICARUS AND ASQUARED
I JUST WISH NOD32 WOULD LEAVE ME ALONE
FOR A FEW DAT ITS PISSING ME OFF THIS IS
HOW I LIVE"
"THIS-IS-HOW-I-LIVE-AND-PAY-MY-BILLS-GIVE-
ME-A-BREAK"
HOW CAN I PAY BILLS RENT FOOD WEALTH
AND EVERYTHING NECESSARY IF NOD IS
ALWAYS F******G UP MY CODES
39. What else is out there?
• Endpoint Detection and Response systems provide insight into the behavior of your IT systems; however, there’s a reporting challenge
• Malware Prevention Systems (automated sandboxing and analysis)
• Intelligence Services and Managed Security
• Deception techniques
• SIEM
40. How to choose the right solution?
• Consulting analysts such as Gartner or public testers may help but doesn’t provide a definitive answer and might have a bias you’re not aware of
• Internal testing is best but very difficult; you will likely be biased, too, but aware of it
• It also depends on your needs: not only detection is important, but footprint, reliability, manageability, support quality etc.
41. What’s the right SMB defense?
• Unless you are in a very specific vertical, it’s unlikely that a true high-profile targeted attack would be conducted
• Typically not enough expertise in SMBs
• Automagic solutions work best, but of course can be bypassed
• If unable to manage more complex/interactive solutions, look for an MSSP
• Cloud-based solutions may help where applicable, as large providers can implement better security measures
42. How about enterprise?
• Defense needs have to adequately cover your potential adversaries
• Combine different layers and don’t advertise them; SIEM management
• Educate your teams
• Trust but verify – employ network logging and look for anomalies
43. Future issues
• When IoT truly lifts off
• When cloud adoption becomes massive (access management, governance, political issues)
• Conflicting legislation: strict privacy and encryption laws vs lawful(?) surveillance => leading to governments attacking security SW
• Global e-conflicts, cyber armies and attribution
44. Solving the situation
• Active & Adequate Cyber Defense
• Training, Education and Awareness
• Responsible design and usage
• Research & Investigation, cooperation with LE
• Hitting criminals’ money flow
• Preventing criminals from becoming criminals
Editor’s Notes
Rovnix here – pretty surprising
Development of incident rates in 2013, 2014, 2015
Consumer 9.4%, 6.0%, 4.7%
Business 10.1%, 6.7%, 5.9%
Compared to the US the situation is worse, and if we looked at Japan it’s even further away. US incidents under 4%, Japan 2.3% vs 1.6% (B vs C)
IND incident rate 20%
CTB Locker
Torrent Locker
Since March 2014, this Bitcoin wallet has transferred over 82 272 BTC. With 1 BTC currently valued at US$480, the total transactions are roughly equal to US$40 million.
Authors - Hesperbot
VirLock is another one…
Parasitic virus - polymorphic
New version of typical police lockscreen…
Some try to scare you…
Some try to scare you…
Some try to scare you…
Some are…mystic
Some are creepy
Not afraid of colors
Something for little kids
Something for older kids
No comment
Overall malware quantity doesn’t seem to rise as it used to; Microsoft is speaking about growth virtually stopping. We see that in Android malware this year.
Any device that allows a user to input sensitive data can potentially be misused – antiphishing protection
Google unable to patch all devices, albeit it’s not exactly their hardware
But what if the device talks to the net via GSM, so that you can’t even sit on a single communication point to analyze traffic anomaly?
Are legislation and standards going to be the solution?
One thing that should be clear about targeted attack: it’s a human perp trying to learn what you have and then break your system, not some super intelligent code itself; if the attacker doesn’t succeed then he’s lame
Dorkbot globally top3 in 2013, top10 in 2014
Now under CME campaign
Of course, with cloud there’s a catch with data protection and recently legislation pressures
Predicting ICT future is hard because it can be influenced by tiny changes – an example about Ransomware and random successful campaign
Cloud adoption – well, if everything is in the cloud then the right solution to attack is physically going after the right people; it is a bit of a single point of failure
People work best when they understand each other. The business angle needs to understand and accept security issues, and vice versa.
Last but not least – never trust a guy who’s promising to have the silver bullet. I always tell this specifically to students: explore things yourself and don’t trust anyone but you. Not even me. ;) Learn, understand and build your own customized defense.
Security folks are an interesting group of people. Security is implemented by people who care, who deeply understand the problem and feel moral responsibility to help out others. Feels good to be a part of the club.