Cognitive Security - Finance & Banking Security ('12)

Gabriel Dusil
VP, Global Sales & Marketing

www.facebook.com/gdusil
cz.linkedin.com/in/gabrieldusil
gdusil.wordpress.com
dusilg@gmail.com

• A bug, glitch, hole, or flaw in • Attack developed to take
a network, application or advantage of a vulnerability
database

• Attack on a selection of • Software designed to fix a
vulnerabilities to control a vulnerability and otherwise
network, device, or asset plug security holes

• Attack against an unknown  Methodical, long-
vulnerability, with no known term covert attacks, using
security fix many tools to steal info

Experts in Network Behavior Analysis
Page 2, www.cognitive-security.com
© 2012, gdusil.wordpress.com

Patch t0
before time
Exploit

Exploit t0
before time
Patch

Exploit
before
Vulnerability time

3 © 2012, gdusil.wordpress.com

% breaches / % records Page 4, www.cognitive-security.com
*Verizon – ‘11 Data Breach Investigations Report © 2012, gdusil.wordpress.com

286 million malware variants 75 million samples expected per
detected in ’10 month by the end of ‘11

McAfee Threats Report, Q1 ‘11 © 2012, gdusil.wordpress.com

Which of the following
sources pose the
greatest threat to your
organization?

Information Week - Strategic Security Survey '11 © 2012, gdusil.wordpress.com

Over 90% of modern
attacks come from
external sources
 “insiders were at least
three times more likely to
steal IP than outsiders”

 “Given enough time… …criminals can breach
virtually any single organization”

Symantec – Internet Security Threat Report ‘11.Apr Page 8, www.cognitive-security.com

Top 7 Attacks discussed in
HackForums.net in the last year
 June ‘10-’11, 241,881 threads

Imperva - Monitoring Hacker Forums (11.Oct) © 2012, gdusil.wordpress.com

Criminals have access to an eMarketplace to serve their needs

McAfee Threats Report, Q1 ‘11 © 2012, gdusil.wordpress.com

Blended • Include embedded URLs that link to an infected Web page
email Threats • Employ social engineering to encourage click-through.

Infected • Victim visits legitimate site infected by malware (eg. Cross Site
Websites Scripting, or iFrame compromise)

Malware • Back-door downloaders, key loggers, scanners &Honeypot
PW stealers
Tools • Polymorphic design to escape AV detection Sandbox
-competition

• Some DDoS attacks Network from internal workstations
Infected • Once inside the, infiltrating or compromising data is easy
PC (bots) can originate
Behavior
Command & •
Analysis
Remote servers operated by attacker control victim PCs
Control (C2) • Activity occurs outside of the normal hours, to evade detection

Management • Interface used to control all aspects of the APT process
Console • Enables attackers to install new malware & measure success


“We see APT as shorthand for
a targeted assault,… , they
seek to stay undetected and
tunnel deeper into the
network, then quietly export
valuable data.”
“after several years of both
our budgets and our data
being under siege, few
organization have the means
to fight off world-class
attackers.”
Information Week - Strategic Security Survey '11 © 2012, gdusil.wordpress.com

“[If] you’re not seeing APT “The key to these intrusions is
attacks in your organization, it that the adversary is motivated
is probably not that they are not by a massive hunger for secrets
occurring or that you’re safe. and intellectual property”
It’s more likely that you may
need to rethink your detection “…every company in every
capabilities” conceivable industry with
“[Using NetFlow]… security significant size & valuable
professionals can improve their intellectual property & trade
ability to spot intrusions and secrets has been compromised
other potentially dangerous (or will be shortly)…”
activity”

McAfee – Revealed, Operation Shady RAT Page 13, www.cognitive-security.com
Cisco - Global Threat Report 2Q11 © 2012, gdusil.wordpress.com

Began appearing in ‘06
 Cost is between €300 & €700
 Kits use exploits with highest ROI
 Now offered as MaaS
 Delivered via spam or a spear
phishing (“blended email threat”)

Victim iFrame Malware Data is
opens Infected updated stolen,
email, & Web site via C2 over days
clicks on installs (C&C)  months
web link Trojan

<body>
<iframe height=“0” frameborder=“0” width=“0” src=http://www.istoleyourmoney.php>

MaaS - Malware-as-a-Service, ROI Return on Investment, Inline Frames (IFrames) Experts in Network Behavior Analysis
are windows cut into a webpage allowing visitors to view another page without Page 14, www.cognitive-security.com
reloading the entire page. M86 - Security labs Report (11.2H) © 2012, gdusil.wordpress.com

Aka: ZeuS-bot or ZBot
 Trojan stealing bank details
 July ’07 - Discovered
 May ‘11 – Source code leaked
≈ Price Feature
€ 2,000 Basic builder kit
ZeuS: 679 C&C servers, 199 online
€ 1,000 Back-connect
€ 1,400 Firefox form grabber
Competitors
€ 300 Jabber (IM) chat notifier
 Sinowal
€ 1,400 Windows 7/Vista Support
© ‘06 © ‘09
€ 6,000 VNC private module
SpyEye Features
ZeuS can easily defeat most  Keylogger, Auto-fill modules, Daily
online banking login backup, Encrypted config, FTP,
mechanisms HTTP & Pop3 grabbers, Zeus killer
http://www.securelist.com/en/analysis/204792107 Page 16, www.cognitive-security.com
VNC - Virtual Network Computing © 2012, gdusil.wordpress.com

Germany
Russia 8%
Ukraine
United 17%
Top 10 ZeuS C2 7%
States Azerbaijan
hosting countries 
44% 6%
Canada United
Italy
ZeuS modifications 2% Netherlands Kingdom
Romania 4%
per month  3% 4%
5%

There are over 40,000
variants of ZeuS

Kaspersky - ZeuS on the Hunt (10.Apr) Page 17, www.cognitive-security.com
Zeustracker.abuse.ch © 2012, gdusil.wordpress.com

 Top 7
ZeuS
builds &
variants
Antivirus detection rates
for new variants of
the ZeuS Trojan 

Average Anti-Virus Detection Rate is only 36.3%

Zeustracker.abuse.ch © 2012, gdusil.wordpress.com

Build/Maintain a Secure Implement Strong Access
Network Control
 1: Install & maintain a FW configs  7: Restrict access to cardholder
to protect cardholder data data by business need-to-know
 2: Do not use vendor-supplied  8: Assign a unique ID to each
defaults for system passwords person with computer access
 9: Restrict physical access to
Protect Cardholder Data cardholder data
 3: Protect stored cardholder data
 4: Encrypt transmission of
cardholder data Regularly Monitor and Test
Networks
Maintain a Vulnerability  10: Track & monitor all access to
Management Program resources & cardholder data
 5: Use & regularly update AV  11: Regularly test security &
 6: Develop & maintain secure processes
systems & apps  12: Maintain policies for Info-sec

• Sensitive data • Fines from Visa 
spread over the • Compliant but acquiring bank 
enterprise, or in still breached merchant -  to
unknown places 14m €/year
• Increased fees

• Plan exists but
never practiced.
• PCI is serious
about I-R
• DSS is based on
actual breeches.
• Not used to
• Refusal to spend on proactive monitoring
compliance or log review
• Ignore resources • Can’t be done at the
needed to secure data last minute
• “We’ll deal with it once
we have a breach”

Protect corporate & client data
 Enable international locations to
connect to the Internet without
compromising security
 Understand & protect against the
latest vulnerabilities
 Protect sensitive client info

Secure mission-critical
applications
 Remediate before significant Value Proposition
damage is done by the attacker  Protect critical business assets
 Help to ensure compliance from modern sophisticated attacks,
• PCI DSS by detecting threats quickly, and
• EU Data Protection & Privacy allowing swift remediation


Infrastructure The Identification Banking Suspected
Security anomalies of deployed services (malicious)
using detected by malware will calls clients traffic is
Network NBA can be help single- to confirm, blocked,
Behavior cross- out the identify & filtered, or
Analysis referenced malicious eliminate diverted from
observe data by SIEM software malicious the infected
to identify correlation & implement behavior. device.
irregularities tools to detect mitigating Network
which may be sophisticated steps to traffic can be
due to the modern protect clients optimized &
malware attacks. modeled in
activity order to
improve
reliability.


Spear Phishing, Exploit Spear Phishing, Exploit Scripts written on-the-fly,
Kits, Trojans, MaaS Kits, Trojans, Malware Malware portfolio

Global Bots & C2 Regional Bots & APT, Advanced Persistent
dedicated C2 Threats
1st tier - Low Hanging fruit focused on 2nd & 3rd tier Targets specific companies
targets targets or industries
Exploits vulnerabilities with Exploits vulnerabilities with High expertise (eg. writing)
highest financial returns medium returns
Steals ID, credit cards, Exploits specific banks & Uses stealth, Time &
account details their vulnerabilities Reconnaissance
Criminal eMarketplace – Membership or referral Individuals, organize
authors, stealers, mules, etc. access only hacktivism, or governments

Attacks take days Attacks take days Attacks take weeks to years


http://gdusil.wordpress.com/2013/03/08/finance-and-ba…ng-security-
12/


 Bank managers face complex challenges in balancing security spending
against the evolving risks of internet commerce. The criminal community
have managed to change the battlefield in the war on cybercrime, to the
extent that the enterprise community have not yet realized. Highly intelligent
exploit kits, and trojans seemingly bypass layers of security with ease. To
prepare for these new adversaries, new and advanced levels of protection are
needed to facilitate current and future security objectives. Expert
Security addresses the need to implement more robust and cost effective
levels of expertise, and also helps to bridge the gap to more expensive - and
often culturally adverse – cloud-based solutions. It’s no longer about adding
many layers of protection that fits within a security budget – it’s ensuring that
the layers that exist are clever enough to mitigate against modern
sophisticated attacks. it is paramount in ensure asset protection. Network
Behavior Analysis are the building blocks of Expert Security, and offers a
viable solution for state-of-the-art cyber-attacks. This presentation was
prepared at Cognitive Security to outline some of these threats and how we
are protecting banking clients from future modern sophisticated attacks.


Network Behavior Analysis, NBA, Cyber Attacks, Forensics Analysis,
Normal vs. Abnormal Behavior, Anomaly Detection, NetFlow, Incident
Response, Security as a Service, SaaS, Managed Security Services,
MSS, Monitoring & Management, Advanced Persistent Threats, APT,
Zero-Day attacks, Zero Day attacks, polymorphic malware, Modern
Sophisticated Attacks, MSA, Non-Signature Detection, Artificial
Intelligence, A.I., AI, Security Innovation, Mobile security, Cognitive
Security, Cognitive Analyst, Forensics analysis


Cognitive Security - Finance & Banking Security ('12)

Recomendados

Recomendados

Mais conteúdo relacionado

Destaque

Destaque (6)

Último

Último (20)

Cognitive Security - Finance & Banking Security ('12)