Cyber threats landscape and defense

Cyber Threats:
Landscape and Defense
Ing. Andrea Garavaglia
Andrea Minigozzi, CISSP – OPST
ISIS “C. Facchinetti”
Castellanza – VA
14 – 04 - 2014

Cyber Threats Landscape and Defense
Andrea Minigozzi is a certified CISSP and OPST Security Expert
with fourteen years experience, encompassing SIEM, malware
analysis, investigating security incidents, computer and network
forensics, ISO 27001/NIST/COBIT audits and hardening of various
devices on civil and military programs.
Andrea is the owner of FantaGhost web site and develops
FG-Scanner project.
About US…. #whoami
Andrea Minigozzi – Andrea Garavaglia
Andrea Garavaglia supported for years Law Enforcement
with analysis tools used to discover patterns, trends, associations
and hidden networks in any number and type of data sources.
He worked also with voice and ip interceptions, traffic reconstruction,
forensics analisys.
Actually is a Network Security Monitor lover.

A Real problem for today’s industries

Who can become a Victim ?
Source: http://www.tietoturvapaiva.fi/uploads/Tietoturva%202012/stonesoft.pdf

From virus to Advanced Persistent Threats: the timeline
1971
Creeper
1987
Jerusalem
1982
Elk
Cloner
1992
Michelangelo
2005
MyTob
2000
I love you
2001
Code Red
2004
Sasser
1999
Melissa
2007
Storm
BotNet
2009
Conficker
1970 1980 1990 2000 - 2009
Source: http://blogs.csoonline.com/1421/40_years_after_the_first_computer_virus
1986
Brain

From virus to Advanced Persistent Threats: the timeline
2010 - Today
2010
Stuxnet
2010
VBMania
2010
Kenzero
2010
SpyEye
+ Zeus
2011
Zero
Access
2011
Duqu
2012
Flame
2012
Shamoon
2012
NGRBot
2013
CryptoLocker
2014
................
Source: http://en.wikipedia.org/wiki/Timeline_of_computer_viruses_and_worms

Terms and definitions: viruses and worms
VIRUS
A program that “infects” computer files, usually executable programs, by
inserting a copy of itself into the file. These copies are usually executed when
the infected files is loaded into memory, allowing the virus to infect other files. A
virus requires human involvement (usually unwitting) to propagate.
WORM
An independent computer program that reproduces by copying itself from
one system to another across a network. Unlike computer viruses, worms do
not require human involvement to propagate and exploit vulnerabilities to
bypass security systems.

Terms and definitions: trojan horses and 0-day exploits
TROJAN HORSE
A computer program that conceals harmful code.
A Trojan horse usually masquerades as a useful program that a user would
wish to execute.
0-DAY EXPLOIT
An exploit that takes advantage of a security vulnerability previously unknown
to the general public. In many cases, the exploit code is written by the same
person who discovered the vulnerability.

Terms and definitions: malware
MALWARE
A program that is inserted into a system, usually covertly, with
the intent of compromising the confidentiality, integrity, or availability of the
victim's data, applications, or operating system or of otherwise annoying
or disrupting the victim and often violates one or more of the following
fundamental principles:
Consent: Malware may be installed even though the user did
not knowingly ask for that to happen.
Privacy-Respectfulness: Malware may violate a user's privacy, perhaps
capturing user passwords or credit card information.
Non-Intrusiveness: Malware may annoy users by popping up
advertisements, changing web browser's home page, making systems slow or
unstable and prone to crash, or interfering with already installed
security software.
Harmlessness: Malware may be software that hurts users (such
as software that damages our system, sends spam emails, or disables security
software).
Respect for User Management: If the user attempts to remove
the software, it may reinstall itself or otherwise override user preferences.
Source: http://itlaw.wikia.com/wiki/Malware

Malicious code spreading vectors and attack surface
1980 1990 2000 - 2014

New malware in the last two years
Andrea Minigozzi – Cyber Threats Landscape and Defense
Source: http://www.mcafee.com/uk/resources/reports/rp-quarterly-threat-q3-2013.pdf

New malwares for emerging operating systems
Andrea Minigozzi – Cyber Threats Landscape and Defense

Global Email Volume, in Trillions of messages

Hacking motivations
HACKERS : They need to understand how the systems works and how to
improve security and performances
HACKTIVISTS: They use computers and computer networks to promote
political ends, chiefly free speech, human rights, and information ethics.
STATE SPONSORED HACKERS: Governments around the globe realize
that it serves their military objectives to be well positioned online.
SPY HACKERS: Corporations hire hackers to infiltrate the competition and
steal trade secrets.
CYBER TERRORISTS: These hackers, generally motivated by religious or
political beliefs, attempt to create fear and chaos by disrupting critical
infrastructures.

Attack Diagram: the past

Attack Diagram: the present

Terms and definitions: advanced persistent threats
ADVANCED PERSISTENT THREATS
Advanced Persistent Threat (APT) is a set of stealthy and continuous hacking
processes often orchestrated by human targeting a specific entity.
APT usually targets organizations and or nations for business or political
motives. APT processes require high degree of covertness over a long period of
time.
Source: https://www.academia.edu/6309905/Advanced_Persistent_Threat_-_APT
The advanced process signifies sophisticated techniques using malware to
exploit vulnerabilities in systems and Advanced Evasion Technique to avoid
detection.
The persistent process suggests that an external command and control is
continuously monitoring and extracting data off a specific target.
The threat process indicates human involvement in orchestrating the attack

APT Teams and Connections
B-TeamA-Team
More senior? Malware writers?
Beaconing &
Latching
Command &
Control; Agent
transfer
Command &
Control; Agent
transfer
www.hackedsite1.com
Agent Download
& Install
www.hackedsite2.com
Data transfer
Data transfer
Stage 0
Infection
Stage 1
Generate
Intermediaries
Stage 2
Setup
Relay Agents
Stage 3
Data
Exfiltration
RDP & Other
Transfer HostIntermediary HostFoothold
Host
Data Host

Advanced Persistent Threats LifeCycle
Source: http://en.wikipedia.org/wiki/Advanced_persistent_threat#History_and_targets

A great video from TrendMicro explain how the attacks works
Source: http://www.youtube.com/watch?v=fpeMR1214t0
This video describe a real
successful attack happended
some time ago:
the attacked company lost
about 60 Million dollar$

Live Demo

QR Codes and Shortened URLs: when the threats get short !
http://goo.gl/pJ0sKw

STAY AWAY FROM MALICIOUS QR CODES!
Scanning QR codes in the form of stickers placed randomly on
the street's walls is most dangerous. It is a very common way
that scammers use to get people scan the code just because
of curiosity. Reports say, “46% just said they were curious
what this odd little jumbled cube could do.”
So, we should not scan any QR codes that are not from
trusted sources.
LOOK CLOSELY TO A QR CODE BEFORE DO ANYTHING ELSE!
The are few apps on the stores you can
use to analyze the Qrcode.....

http://goo.gl/ZFm5u6
Are you able to see if the two shortened URLs above lead us to
trusted websites?
http://goo.gl/ZFm5u6
Malicious URL
FantaGhost Web Page

Are there any solutions for this problem?
YES! WE SHOULD PREVIEW THE SHORTENED URLS BEFORE USING THEM.
Several website tools help us to get a full URL address from the shortened URL,
an example is http://unshort.me/
In addition, some URL shortening services, such as goo.gl, give us an option to
preview the shortened URL first by add a “+” at the end of the URL.

The most dangerous (and commons) vulnerabilities
1. Email Social Engineering/Spear Phishing
2. Infection Via a Drive-By Web Download: Watering Hole Attack
3. USB Key Malware
4. Scanning Networks for Vulnerabilities and Exploitment
5. Guessing or Social Engineering Passwords
6. Wifi Compromises
7. Stolen Credentials From Third-Party Sites
8. Compromising Web-Based Databases
9. Exploiting Password Reset Services to Hijack Accounts
10. Insiders

Understanding HeartBleed Bug
CVE-2014-0160
Source: http://www.xkcd.com/1354 - http://regmedia.co.uk/2014/04/09/openssl_haertbleed_diagram.png

Questions ?

@FantaGhost
andrea@fantaghost.com
http://www.fantaghost.com
THANK YOU!
Ing. Andrea Garavaglia Andrea Minigozzi, CISSP - OPST
garanews@gmail.com

Cyber threats landscape and defense

More Related Content

Cyber threats landscape and defense