NU MSIT 458 - Trustwave’s SpiderLabs and Source of Data
Cyber Crime: Past, Present and Future!
Jibran Ilyas
Senior Incident Response Consultant
MSIT 2009
Twitter: @jibranilyas

Agenda
• About Trustwave's SpiderLabs and Source of Data
• Global view of Cyber Crime
• Reactive Engagements: Incident Response
• Proactive Engagements: Penetration Testing
• Malware Landscape Today
• Anatomy of a Successful Malware Attack
• Sample Analysis + Victim + Demo
  – Sample SL2010-018 – Windows Credential Stealer
  – Sample SL2009-143 – Network Sniffer Rootkit
  – Sample SL2010-007 – Client-side PDF Attack
• Conclusions

Copyright Trustwave 2010 – Confidential

About SpiderLabs and Source of Data

About SpiderLabs
SpiderLabs is the advanced security team at Trustwave focused on incident response, penetration testing, application security and security research. In addition, SpiderLabs provides thought leadership to the entire Trustwave organization and our clients.
SpiderLabs has responded to hundreds of security incidents, performed thousands of penetration tests and security tested hundreds of business applications for organizations ranging from the largest companies to nimble start-ups.
Members of the SpiderLabs teams are frequently asked to speak at global security conferences such as Black Hat, OWASP, SANS, and DEFCON.

Global Security Report 2010

Incident Response – About the Sample Set
In 2009, SpiderLabs performed 218 breach investigations in 24 countries:
Australia, Belgium, Canada, Chile, China, Cyprus, Denmark, Dominican Republic, Ecuador, Germany, Greece, Ireland, Luxembourg, Malaysia, Puerto Rico, Saudi Arabia, South Africa, Sri Lanka, Switzerland, Ukraine, United Arab Emirates, United Kingdom, United States, Virgin Islands

Anatomy of a Data Breach
Three Components:
1. Initial Entry
2. Data Harvesting
3. Exfiltration

Anatomy of a Data Breach – Initial Entry
Top Methods of Entry Included:
• Remote Access Applications
  – Remote Desktop, VNC, pcAnywhere
• 3rd Party Connections
  – MPLS, ATM, frame relay
• SQL Injection
• Email Trojan
  – We will see an example soon
• Physical Access

Anatomy of a Data Breach – Data Harvesting
Top Methods of Harvesting (using Malware):
In 54% of our cases, attackers used Malware to harvest data in transit.

Anatomy of a Data Breach – Exfiltration
Top Methods of Data Exfiltration:
Network Shares were used to transfer data between organizations that had "trusted" links with each other.

Penetration Tests – About the Sample Set
In 2009, SpiderLabs performed 1,894 penetration tests in 51 countries:
Australia, Argentina, Belgium, Brazil, Bulgaria, Canada, Chile, China, Colombia, Croatia, Denmark, Dominican Republic, Ecuador, Egypt, France, Georgia, Germany, Greece, Hungary, Hong Kong, India, Japan, Iceland, Ireland, Lithuania, Luxembourg, Macedonia, Malaysia, Malta, Mexico, Moldova, Netherlands, Nigeria, Rep. of Cape Verde, Romania, Russian Federation, Saudi Arabia, Singapore, South Africa, Sri Lanka, Sweden, Switzerland, Taiwan, Turkey, Ukraine, United Arab Emirates, United Kingdom, United States
Most tests were performed remotely by the SpiderLabs team.

Penetration Tests – Top 10 – Internal Network
Rank  Vulnerability Name                                  Circa  Attack Difficulty
1     Address Resolution Protocol (ARP) Cache Poisoning   1999   Medium
2     Microsoft SQL Server with Weak Creds for Admin      1979   Trivial
3     Weak Password for Admin Level System Account        1979   Trivial
4     Client Sends LM Response for NTLM Authentication    1997   Medium
5     Crypto Keys Stored Alongside Encrypted Data         1974   Easy
6     Cached Domain Credentials Enabled on Hosts          1999   Easy
7     NFS Export Share Unprotected                        1989   Medium
8     Sensitive Information Transmitted Unencrypted       1991   Trivial
9     Sensitive Info Stored Outside Secured Zone          1993   Trivial
10    VNC Authentication Bypass                           2006   Trivial

Penetration Tests – Top 10 – Application
Rank  Vulnerability Name                      Circa  Attack Difficulty  OWASP (2010)
1     SQL Injection                           1998   Medium             A1
2     Logic Flaw                              1985   Easy               None
3     Authorization Bypass                    1997   Easy               A3
4     Authentication Bypass                   1960   Easy               A4/A7
5     Session Handling                        1997   Medium             A3
6     Cross-Site Scripting (XSS)              2000   Hard               A2
7     Vulnerable Third-Party Software         1960   Medium             A6
8     Cross-Site Request Forgery (CSRF)       1988   Hard               A5
9     Browser Cache-Related Flaws             1998   Medium             None
10    Verbose Errors                          1980   Medium             None

The Global Remediation Plan – The Plan
Rank  Strategic Initiative
1     Perform and Maintain a Complete Asset Inventory; Decommission Old Systems
2     Monitor Third Party Relationships
3     Perform Internal Segmentation
4     Rethink Wireless
5     Encrypt Your Data
6     Investigate Anomalies
7     Educate Your Staff
8     Implement and Follow a Software Development Life Cycle (SDLC)
9     Lock Down User Access
10    Use Multifactor Authentication Everywhere Possible

Takeaways
• Attackers are using old vulnerabilities
• Organizations do not know what they own or how their data flows
• Blind trust in 3rd parties is a huge liability
• Fixing new/buzz issues, but not fixing basic/old issues
• In 2010, take a step back before moving forward

Malware Landscape Today: Targeted Malware
Customized
• Malware developers are taking a methodical approach, studying target systems and environments and testing before developing their toolkits.
Persistent
• Once planted on a system, the malware must survive reboots and even upgrades to be successful, while propagating slowly to similar systems.
Covert
• These types of malware go unnoticed for months, even within environments with IT Security "best practices" in place.
Automated
• Targeted malware will do the job for the attackers, leaving them to just wait to receive the data being harvested.

Targeted Malware: Memory Parser
• Captures card data during computer processing
• Strength: Targeted custom malware, not easily detectable, and can be installed anywhere in the processing chain
• Weakness: Seen on Windows platforms only

Targeted Malware: Keystroke Logger
• Captures card data during swipe
• Strength: Publicly available, output encryption, and upload capability
• Weakness: Easily detectable by AV and must be installed at point of swipe

Targeted Malware: Network