festival-ict-2014
The Custom Defense against Advanced Threat
Deep Discovery
Confidential | Copyright 2012 Trend Micro Inc.
Gastone Nencini, Trend Micro Italy Leader and Snr. Technical Manager, Trend Micro Southern Europe
Global Threat Intelligence - Smart Protection Network
10/1/2013 Confidential | Copyright 2012 Trend Micro Inc.
THREAT DATA / THREAT INTELLIGENCE / CUSTOMERS
Global: we look in more places
Broad: we look at more threat vectors
Correlated: we identify all components of an attack
Proactive: we block threats at their source
1.15B threat samples daily
90K malicious threats daily
200M threats blocked daily
Threat data: threat actors, files, mobile/apps, exploit kits, URLs, IP addresses, network traffic, domains, vulnerabilities
SINCE 2008
Today’s Attacks: Social, Sophisticated, Stealthy!
Attackers
• Gathers intelligence about organization and individuals
• Targets individuals using social engineering
• Establishes link to Command & Control server
• Moves laterally across network seeking valuable data
• Extracts data of interest – can go undetected for months!
$$$$
Employees
Network Admin
Security
1.8 successful attacks per week per large organization [1]
21.6% of organizations experienced APT attacks [2]
Malware engineered and tested to evade your standard gateway/endpoint defenses
A custom attack needs a custom defense!
1: Source: 2012 Ponemon Study on costs of Cybercrime
2: Source: ISACA APT Awareness Study, 2013
Custom Defense
Network-wide Detection
Advanced Threat Analysis
Threat Tools and Services
Automated Security Updates
Threat Intelligence
Custom Sandboxes
Network Admin
Security
Cyberwar on your network
More frequent, more targeted, more money, more sophisticated
• 1 new threat each second [1]
• 1 cyber-intrusion each 5 minutes [2]
• 67% of infrastructure can't block a custom & targeted attack [3]
• 55% of companies didn't detect the breach [1]
Source: 1: Trend Micro, 2: US-CERT 2012, 3: Ponemon Institute 2012
Security by signature is not enough
Basic malware, Phishing, Exploitation tools, Malicious website, Common vulnerabilities, Discovery tools
SWG, NGFW, IPS, AV
Document exploit, 0-Day, Obfuscated Javascript, Polymorphic payload, Crypted RAT, Watering Hole Attack, Spear Phishing, C&C communications
Let Me Google That For You
Threat profiling through Smart Protection Network & Threat Connect: Origin? Risk? Channel?
Trend Micro Custom Defense
Advanced network monitoring technologies to analyze low signals
(0-day, c2c, sqli, dbdump…)
DETECT / ANALYZE / ADAPT / RESPONSE
Instant protection through custom signature (IP, dns, url, file…)
Full cleaning with detailed profiling and advanced analysis tools
Catch everything with Deep Discovery
Malicious content
• Embedded doc exploits
• Drive-by downloads
• Zero-day
• Malware
Suspicious communication
• C&C access
• Data stealing
• Worms
• Backdoor activity…
Attack behavior
• Propagation & dropper
• Vuln. scan & bruteforce
• Data exfiltration…
HTTP, SMTP, TCP, SMB, DNS, FTP, P2P, ...
More than 80 protocols analyzed
Network Content Inspection Engine
Advanced Threat Security Engine
IP & URL reputation
Virtual Analyzer
Network Content Correlation Engine
Trend Micro Virtual Analyzer
• Custom OS image
• Execution accelerated
• Anti-VM detection
• 32 & 64 bit
• Run binaries, documents, URL...
WinXP SP3, Win7 Base
Isolated Network
Your Custom Sandbox
Live monitoring
• Kernel integration (hook, dll injection..)
• Network flow analysis
• Event correlation
Filesystem monitor, Registry monitor, Process monitor, Rootkit scanner, Network driver, Fake Explorer, Fake Server, Fake AV API, Hooks
Win7 Hardened
Core Threat Simulator
LoadLibraryA ARGs: ( NETAPI32.dll ) Return value: 73e50000
LoadLibraryA ARGs: ( OLEAUT32.dll ) Return value: 75de0000
LoadLibraryA ARGs: ( WININET.dll ) Return value: 777a0000
key: HKEY_CURRENT_USER\Local Settings\MuiCache\48\52C64B7E\LanguageList value:
key: HKEY_CURRENT_USER\Software\Microsoft\Onheem\20 bi1d4f
Write: path: %APPDATA%\Ewada\eqawoc.exe type: VSDT_EXE_W32
Injecting process ID: 2604 Inject API: CreateRemoteThread Target process ID: 1540 Target image path: taskhost.exe
socket ARGs: ( 2, 2, 0 ) Return value: 28bfe
socket ARGs: ( 23, 1, 6 ) Return value: 28c02
window API Name: CreateWindowExW ARGs: ( 200, 4b2f7c, , 50300104, 0, 0, 250, fe, 301b8, f, 4b0000, 0 ) Return value: 401b2
internet_helper API Name: InternetConnectA ARGs: ( cc0004, mmlzntponzkfuik.biz, 10050, , , 3, 0, 0 ) Return value: cc0008
.......
Modifies file with infectible type: eqawoc.exe
Injects process: 2604 taskhost.exe
Access suspicious host: mmlzntponzkfuik.biz
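Added example, not from the deck or from Trend Micro: a small Python parser that turns trace lines in the format shown above into the notable characteristics listed under them. The trace excerpt is constructed from the slide, and the regex rules and the risk rating are assumptions of this example rather than the Virtual Analyzer's own logic.

```python
import re
from typing import List

# Constructed excerpt in the trace format shown on the Virtual Analyzer slide.
TRACE = """\
LoadLibraryA ARGs: ( WININET.dll ) Return value: 777a0000
Write: path: %APPDATA%\\Ewada\\eqawoc.exe type: VSDT_EXE_W32
Injecting process ID: 2604 Inject API: CreateRemoteThread Target process ID: 1540 Target image path: taskhost.exe
socket ARGs: ( 2, 2, 0 ) Return value: 28bfe
internet_helper API Name: InternetConnectA ARGs: ( cc0004, mmlzntponzkfuik.biz, 10050, , , 3, 0, 0 ) Return value: cc0008
"""

# Hypothetical rule set: one regex per behaviour the slide flags, mapped to the
# human-readable "notable characteristic" wording the Advisor dashboard shows.
RULES = [
    # Dropped executable (VSDT_EXE_W32 is the type tag the trace attaches to the file)
    (re.compile(r"^Write: path: (?P<path>\S+) type: VSDT_EXE_W32"),
     lambda m: "Modifies file with infectible type: " + m["path"].rsplit("\\", 1)[-1]),
    # Code injection into another process
    (re.compile(r"^Injecting process ID: (?P<pid>\d+) Inject API: (?P<api>\w+) .*Target image path: (?P<img>\S+)"),
     lambda m: f"Injects process: {m['pid']} {m['img']} via {m['api']}"),
    # Outbound connection: host and port are the 2nd and 3rd InternetConnectA arguments
    (re.compile(r"^internet_helper API Name: InternetConnect\w ARGs: \( [^,]*, (?P<host>[^,\s]+), (?P<port>\d+)"),
     lambda m: f"Access suspicious host: {m['host']}:{m['port']}"),
]

def notable_characteristics(trace: str) -> List[str]:
    """Walk the trace once and return each distinct characteristic in order seen."""
    found: List[str] = []
    for line in trace.splitlines():
        for pattern, describe in RULES:
            m = pattern.match(line)
            if m:
                text = describe(m)
                if text not in found:
                    found.append(text)
    return found

def verdict(characteristics: List[str]) -> str:
    """Constructed rating: drop, injection and outbound contact together form the full chain."""
    classes = {c.split(":", 1)[0] for c in characteristics}
    if len(classes) >= 3:
        return "High"
    return "Medium" if classes else "Low"

if __name__ == "__main__":
    chars = notable_characteristics(TRACE)
    print("\n".join(chars), "\nRisk:", verdict(chars))
```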
Deep Discovery portfolio
Deep Discovery Inspector
Threat profile export (IOC, hash)
• Network Appliance All-in-One 100 Mbps, 250 Mbps, 500 Mbps, 1 Gbps
• Bare Metal (custom appliance)
• Virtual Appliance
Plug & Protect
Deep Discovery Advisor
• Automatic Analysis Labs
• Live detailed dashboard
• Custom reports
• Multi-box (5 nodes, 50k files/day)
Integrated into
Trend Micro solutions
API & scripting
Dynamic blacklist
App Server
Storage
Deep Discovery: Simple & Efficient!
Inspector, Advisor
SMTP relay, Web proxy, Mail Server, Endpoint
Dynamic blacklist (file hash, IP:port, domain)
Infection & payload
Lateral movement
C&C callback
Custom Signature
Web proxy
ATP Integration
Native Advanced Protection
Dynamic blacklist (file hash, IP:port, domain)
App Server, Storage
Advisor
SMTP relay, Mail Server, Endpoint
ScanMail, IWSva, IMSva
Infection & payload
C&C callback
Endpoint Sensor, OfficeScan *
Deep Security *
Custom Signature
ATP Integration
Native Advanced Protection
Dynamic blacklist (file hash, IP:port, domain)
Advisor
Mail Server
ScanMail
Infection & payload
C&C callback
OfficeScan
Custom Signature
TMCM
CCCA DB
ATSE
Detect…
…then React
Human readable
Open architecture
Deep Discovery
Dynamic blacklist (file hash, IP:port, domain)
Custom Signature
3rd party SIEM (CEF/LEEF)
WEB API
Web Proxy, SMTP Relay, Network Capture, Firewall *
Notable Characteristics
Network packet
Detections, Threat Profiles, Analysis, Custom C&C
Why Deep Discovery ?
• Multi-engine for analysis and correlation
• Empower Smart Protection Network
• Custom Virtual Analyzer sandbox
• Access to TrendLabs Security Expert
Dynamic advanced security
Plug & Protect
• High Throughput Network Analysis
• Flexible architecture: HW, SW, VM
• Fast forensics & custom signature
Building your Cyber-Defense together
Threat Education Services
Advanced Threat Detection Technology
Threat Security Advisor
Threat Intelligence Service
Cyber Attack Analysis
Thanks