
festival ICT 2013: Targeted Attacks and the Trend Micro Custom Defense


Page 1

The Custom Defense against Advanced Threat: Deep Discovery

Confidential | Copyright 2012 Trend Micro Inc.

Gastone Nencini, Trend Micro Italy Leader and Snr. Technical Manager, Trend Micro Southern Europe

Page 2

Global Threat Intelligence - Smart Protection Network


THREAT DATA

CUSTOMERS

THREAT INTELLIGENCE

Identifies:

• Global: we look in more places

• Broad: we look at more threat vectors

• Correlated: we identify all components of an attack

• Proactive: we block threats at their source

1.15B Threat Samples Daily

90K malicious threats daily

200M Threats blocked daily

THREAT-ACTORS

FILES

MOBILE/APPS

EXPLOIT KITS

URLS

IP ADDRESSES

NETWORK TRAFFIC

DOMAINS

VULNERABILITIES

SINCE 2008

Page 3

Today’s Attacks: Social, Sophisticated, Stealthy!


Attack path from Attackers to Employees:

• Gathers intelligence about organization and individuals

• Targets individuals using social engineering

• Establishes link to Command & Control server

• Moves laterally across network seeking valuable data

• Extracts data of interest – can go undetected for months! ($$$$)

Page 4



Employees / Network Admin / Security

1.8 successful attacks per week per large organization [1]

21.6% of organizations experienced APT attacks [2]

Malware engineered and tested to evade your standard gateway/endpoint defenses

A custom attack needs a custom defense!

1: Source: 2012 Ponemon Study on costs of Cybercrime

2: Source: ISACA APT Awareness Study, 2013

Page 5

Custom Defense

• Network-wide Detection

• Advanced Threat Analysis

• Threat Tools and Services

• Automated Security Updates

• Threat Intelligence

• Custom Sandboxes


Page 6

Cyberwar on your network

More frequent, more targeted, more money, more sophisticated

• 1 new threat each second [1]

• 1 cyber-intrusion every 5 minutes [2]

• 67% of infrastructure can't block a custom & targeted attack [3]

• 55% of companies didn't detect the breach [1]

Sources: 1: Trend Micro; 2: US-CERT 2012; 3: Ponemon Institute 2012

Page 7

Security by signature is not enough


Signature-based controls shown on the diagram: SWG, NGFW, IPS, AV

Commodity threats:

• Basic malware

• Phishing

• Exploitation tools

• Malicious website

• Common vulnerabilities

• Discovery tools

Advanced techniques:

• Document exploit

• 0-Day

• Obfuscated Javascript

• Polymorphic payload

• Crypted RAT

• Watering Hole Attack

• Spear Phishing

• C&C communications

Page 8

Let Me Google That For You

Page 9

Trend Micro Custom Defense

Threat profiling through Smart Protection Network & Threat Connect: Origin? Risk? Channel?

Cycle: DETECT → ANALYZE → ADAPT → RESPONSE

• Advanced network monitoring technologies to analyze weak signals (0-day, C&C, SQLi, DB dump…)

• Instant protection through custom signatures (IP, DNS, URL, file…)

• Full cleaning with detailed profiling and advanced analysis tools

Page 10

Catch everything with Deep Discovery


Malicious content: embedded doc exploits, drive-by downloads, zero-day, malware

Suspicious communication: C&C access, data stealing, worms, backdoor activity…

Attack behavior: propagation & dropper, vuln. scan & bruteforce, data exfiltration…

Protocols: HTTP, SMTP, TCP, SMB, DNS, FTP, P2P, ... (more than 80 protocols analyzed)

Network Content Inspection Engine

Advanced Threat Security Engine

IP & URL reputation

Virtual Analyzer

Network Content Correlation Engine

Page 11

Trend Micro Virtual Analyzer

• Custom OS image

• Execution accelerated

• Anti-VM detection

• 32 & 64 bit

• Run binaries, documents, URL...


Sandbox images: WinXP SP3, Win7 Base

Isolated Network

Your Custom Sandbox

Live monitoring:

• Kernel integration (hook, DLL injection…)

• Network flow analysis

• Event correlation

Monitoring components: Filesystem monitor, Registry monitor, Process monitor, Rootkit scanner, Network driver, Fake Explorer, Fake Server, Fake AV API, Hooks

Win7 Hardened

Core Threat Simulator

LoadLibraryA ARGs: ( NETAPI32.dll ) Return value: 73e50000
LoadLibraryA ARGs: ( OLEAUT32.dll ) Return value: 75de0000
LoadLibraryA ARGs: ( WININET.dll ) Return value: 777a0000
key: HKEY_CURRENT_USER\Local Settings\MuiCache\48\52C64B7E\LanguageList value:
key: HKEY_CURRENT_USER\Software\Microsoft\Onheem\20bi1d4f
Write: path: %APPDATA%\Ewada\eqawoc.exe type: VSDT_EXE_W32
Injecting process ID: 2604 Inject API: CreateRemoteThread Target process ID: 1540 Target image path: taskhost.exe
socket ARGs: ( 2, 2, 0 ) Return value: 28bfe
socket ARGs: ( 23, 1, 6 ) Return value: 28c02
window API Name: CreateWindowExW ARGs: ( 200, 4b2f7c, , 50300104, 0, 0, 250, fe, 301b8, f, 4b0000, 0 ) Return value: 401b2
internet_helper API Name: InternetConnectA ARGs: ( cc0004, mmlzntponzkfuik.biz, 10050, , , 3, 0, 0 ) Return value: cc0008
.......

Modifies file with infectible type : eqawoc.exe

Injects process : 2604 taskhost.exe

Access suspicious host : mmlzntponzkfuik.biz
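As an added example (not from the slides, and not Trend Micro's product code), a small Python rule set that turns trace lines in the format shown above into the kind of notable characteristics the Core Threat Simulator reports. The embedded trace is constructed to mirror the slide; the regexes, the rule names and the known-good host list are assumptions about the line format.

```python
import re

# Constructed sample trace, modelled on the Virtual Analyzer lines on the slide.
SAMPLE_TRACE = """\
LoadLibraryA ARGs: ( WININET.dll ) Return value: 777a0000
Write: path: %APPDATA%\\Ewada\\eqawoc.exe type: VSDT_EXE_W32
Injecting process ID: 2604 Inject API: CreateRemoteThread Target process ID: 1540 Target image path: taskhost.exe
socket ARGs: ( 2, 2, 0 ) Return value: 28bfe
internet_helper API Name: InternetConnectA ARGs: ( cc0004, mmlzntponzkfuik.biz, 10050, , , 3, 0, 0 ) Return value: cc0008
"""

# Hypothetical rule tables: which written file types and injection APIs count as notable.
INFECTIBLE_TYPES = {"VSDT_EXE_W32"}
INJECT_APIS = {"CreateRemoteThread"}

# Assumed line formats, derived from the trace on the slide.
WRITE_RE = re.compile(r"^Write: path: (?P<path>\S+) type: (?P<type>\S+)")
INJECT_RE = re.compile(
    r"^Injecting process ID: (?P<pid>\d+) Inject API: (?P<api>\w+) "
    r"Target process ID: (?P<tpid>\d+) Target image path: (?P<img>\S+)"
)
CONNECT_RE = re.compile(r"InternetConnectA ARGs: \( \w*, (?P<host>[^,\s]+), (?P<port>\d+)")


def profile_trace(trace, known_good_hosts=frozenset()):
    """Return human-readable notable characteristics derived from one trace."""
    findings = []
    for line in trace.splitlines():
        if m := WRITE_RE.match(line):
            # Report only the file name, as the slide's verdict does.
            name = m["path"].rsplit("\\", 1)[-1]
            if m["type"] in INFECTIBLE_TYPES:
                findings.append(f"Modifies file with infectible type : {name}")
        elif m := INJECT_RE.match(line):
            if m["api"] in INJECT_APIS:
                # Injecting PID -> target PID and image, so the analyst sees both sides.
                findings.append(f"Injects process : {m['pid']} -> {m['tpid']} {m['img']}")
        elif m := CONNECT_RE.search(line):
            # Any outbound host not on the allow list is flagged for review.
            if m["host"] not in known_good_hosts:
                findings.append(f"Access suspicious host : {m['host']}")
    return findings


if __name__ == "__main__":
    for finding in profile_trace(SAMPLE_TRACE):
        print(finding)
```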

Page 12

Deep Discovery portfolio


Deep Discovery Inspector

Threat profile export (IOC, hash)

• Network Appliance All-in-One 100 Mbps, 250 Mbps, 500 Mbps, 1 Gbps

• Bare Metal (custom appliance)

• Virtual Appliance

Plug & Protect

Deep Discovery Advisor

• Automatic Analysis Labs

• Live detailed dashboard

• Custom reports

• Multi-box (5 nodes, 50k files/day)

Integrated into

Trend Micro solutions

API & scripting

Page 13

Dynamic blacklist

App Server

Storage


Inspector

Advisor

Deep Discovery

Simple & Efficient!

SMTP relay

Web proxy


Mail Server

Endpoint

Dynamic blacklist entries: af12e45b49cd23..., 48.67.234.25:443, 68.57.149.56:80, d4.mydns.cc, b1.mydns.cc, ...

Infection & payload

Lateral movement

C&C callback

3c4çba176915c3ee3df87b9c127ca1a1bcçba17

Custom Signature

Page 14

Web proxy

ATP Integration

Native Advanced Protection


Dynamic blacklist

App Server

Storage

Advisor


SMTP relay

Mail Server

Endpoint

Dynamic blacklist entries: af12e45b49cd23..., 48.67.234.25:443, 68.57.149.56:80, d4.mydns.cc, b1.mydns.cc, ...

ScanMail

IWSva

IMSva

Infection & payload

C&C callback

Endpoint Sensor / OfficeScan *

Deep Security *

3c4çba176915c3ee3df87b9c127ca1a1bcçba17

Custom Signature

Page 15

ATP Integration

Native Advanced Protection


Dynamic blacklist

Advisor


Mail Server

Dynamic blacklist entries: af12e45b49cd23..., 48.67.234.25:443, 68.57.149.56:80, d4.mydns.cc, b1.mydns.cc, ...

ScanMail

Infection & payload

C&C callback / OfficeScan

3c4çba176915c3ee3df87b9c127ca1a1bcçba17

Custom Signature

TMCM

CCCA DB

ATSE

Page 16

Detect…

Page 17

Detect…

Page 18

…then React: human readable

Page 19

Open architecture


Deep Discovery

Dynamic blacklist

Dynamic blacklist entries: af12e45b49cd23..., 48.67.234.25:443, 68.57.149.56:80, d4.mydns.cc, b1.mydns.cc, ...

3c4çba176915c3ee3df87b9c127ca1a1bcçba17

Custom Signature

3rd party SIEM (CEF/LEEF)

WEB API

Web Proxy

SMTP Relay

Network Capture

Firewall *

Notable Characteristics

Network packet

Detections / Threat Profiles / Analysis / Custom C&C

Page 20

Why Deep Discovery ?


• Multi-engine for analysis and correlation

• Empower Smart Protection Network

• Custom Virtual Analyzer sandbox

• Access to TrendLabs Security Expert

Dynamic advanced security

Plug & Protect

• High Throughput Network Analysis

• Flexible architecture: HW, SW, VM

• Fast forensics & custom signature

Page 21

Making your Cyber-Defense together


Threat Education Services

Advanced Threat Detection Technology

Threat Security Advisor

Threat Intelligence Service

Cyber Attack Analysis

Page 22

Thanks