Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Stop Watering Holes, Spear-Phishing and Drive-by Downloads
1. Stop Watering Holes, Spear-Phishing and
Drive-by Downloads
STEPHEN WARD – VICE PRESIDENT
2. A Crumbling Industry
The Lost Decade
Failure to innovate
Symptoms vs. Disease
The Great Malware Arms Race
Business Revolution
Rush to adopt
Risk Acceptance vs. Understanding
The Mediocrity of Compliance
Closed Circuits
Shame of victimization
Classification vs. Cooperation
The Inability to Find Common Purpose
3. Aggressive and Persistent
Adversaries
NATION STATES CYBER CRIMINALS HACKTIVISTS
Motives
include:
• Cyber
espionage
• Intellectual
Property
Theft
• Probing of
Critical
Infrastructure
s
Motives
include:
• Identity theft
• Corporate
financial fraud
• Black market
sales to Nation
States
• Probing of
Financial
Infrastructures
Motives
include:
• Political action
• Shaming major
corporations
• Attacking
specific
executives
• Exposing
corporate
trade secrets
5. „11, „12 and ‟13 (so far) bloodiest years on
record…
• “White House” eCard (spear-phishing)
• HBGary Federal (social engineering)
• Night Dragon (spear-phishing)
• London Stock Exchange Website (watering-hole)
• French Finance Ministry (spear-phishing)
• Dupont, J&J, GE (spear-phishing)
• Charlieware (poisoned SEO)
• Nasdaq (spear-phishing)
• Office of Australian Prime Minister (spear-phishing)
• RSA (spear-phishing)
• Epsilon (spear-phishing)
• Barracuda Networks (spear-phishing)
• Oak Ridge National Labs (spear-phishing)
• Lockheed Martin (spear-phishing)
• Northrup Grumman (spear-phishing)
• Gannet Military Publications (spear-phishing)
• PNNL (spear-phishing)
• ShadyRAT (spear-phishing)
• DIB and IC campaign (spear-phishing)
• „Voho‟ campaign (watering-holes and spear-phishing)
• „Mirage‟ campaign (spear-phishing)
• „Elderwood‟ campaign (spear-phishing)
• White House Military Office (spear-phishing)
• Telvent‟ compromise (spear-phishing)
• Council on Foreign Relations (watering hole)
• Capstone Turbine (watering hole)
• RedOctober (spear-phishing)
• DoE (spear-phishing)
• Federal Reserve (spear-phishing)
• Bit9 (SQL injection)
• NYT, WSJ, WaPO (spear-phishing)
• South Korea (spear-phishing)
• 11 Energy Firms (spear-phishing)
• QinetIQ (TBD)
• Apple, Microsoft, Facebook (watering-hole)
• Speedtest.net (drive-by download)
• National Journal (watering hole)
• FemmeCorp (watering hole)
• Department of Labor / DoE (watering hole)
• WTOP and FedNewsRadio (drive-by downloads)
No One is Immune
What are we waiting for??
6. Enterprise Security Architecture
for Addressing APT
Firewalls/Web
Proxies
Network
Controls
Anti-Virus
Forensics and
IR
User Training
In Use | Confidence*
App Whitelisting
7. The Primary Target –
The Unwitting Accomplices
The User
The #1 Attack Vector =
• Ubiquitous usage of Internet and
Email has enabled adversaries to
shift tactics
• Prey on human psychology
• Spear Phishing – The New Black
• Drive by Downloads
• Malicious sites
• Weaponized Attachments
• Watering Hole Attacks
• Hijacked trusted sites
• Trust in social networks
• Facebook, Twitter, LinkedIn
• Faith in Internet search engines
• Poisoned SEO
• User Initiated Infections
• Fake A/V and fear
mongering
8. Competitive Futures Are at
Stake
“Theirs” Ours
The good news
is…they‟re stealing
petabytes worth of
data…
The bad news
is…in time, they‟ll
have sorted
through it all
12. 99 Red Balloons…
Watering Hole Attack Hits 3 Major Tech
Companies…
• 3rd party developer website
infected deliberately to target
these companies
• Employees targeted were in
R&D/Engineering groups
• Well planned, well
executed…easy peasy…
14. Alarming Malware Statistics
• 280 million malicious programs
detected in April 2012*
• 80,000+ new malware
variants daily **
• 134 million web-borne infections
detected (48% of all threats) in
April 2012*
• 24 million malicious URLs
detected in April 2012*
• 30,000+ new malicious URLs
daily**
• 95% of APTs involve spear-
phishing***
• Organizations witnessing an
average of 643 malicious URL
events per week***
• 225% increase from 2012**
* Kaspersky April 2012 Threat Report
** Panda Labs Q1 2012 Internet Threat Report
*** FireEye September 2012 Advanced Threats Report
****Both Mandiant and Trend Micro – 2013 Reports
15. KIA – Mandiant “APT-2”
Spear-Phish
www.invincea.com/blog
or -
http://https://www.invincea.com/2
013/02/mandiant-report-spear-
phishing-campaign-kia-with-
invincea-cve-2011-0611/
17. Einstein‟s Definition of Insanity
Patching software
as vulnerabilities
are made public
Detecting intruders
and infected systems
after the fact
Recovering and restoring
the infected machines
back to a clean state
Security
Insanity
Cycle
22. Rethink Security
If…you could negate user error
And…contain malware in a virtual environment
And…stop zero-days in their tracks without signatures
Then…preventing APTs would be possible
“Making Prevention Possible Again”
23. Contain the Contaminants
Prevention
Pre-Breach Forensics
Protect every user and the network from their error
Feed actionable forensic intelligence without the breach
Detection
Detect zero-day attacks without signatures
24. KIA – IE8 0day CVE-2013-1347
Watering Hole Attack on DoL subsite thwarted by
Invincea Enterprise
• Whitelisted or blacklisted website? More than likely whitelisted
• Targeted fully patched IE8 browsers on Windows XP platform
• Increasingly common poisoning tactic from adversaries
• Detected without signatures, immediately killed and forensically
analyzed by Invincea
www.invincea.com/blog
or -
http://www.invincea.com/2013/05/
part-2-us-dept-labor-watering-
hole-pushing-poison-ivy-via-ie8-
zero-day/
25. KIA – Dvorak, WTOP &
FederalNewsRadio
Mass Compromise on several media sites including
wtop.com and federalnewsradio.com thwarted by
Invincea Enterprise
• Whitelisted or blacklisted website? More than likely whitelisted
• Exploit Kit (FiestaEK) targeting recent Java vulnerabilities on IE
enabled systems only
• SAME EK as National Journal discovered by Invincea
• Detected without signatures, immediately killed and forensically
analyzed by Invincea
www.invincea.com/blog
or -
http://www.invincea.com/2013/05/
k-i-a-wtop-com-fednewsradio-
and-tech-blogger-john-dvorak-
blog-site-hijacked-exploits-java-
and-adobe-to-distribute-fake-av-
2/
26. Mapping the APT Kill Chain
Stage 1: Reconnaissance
Research the target
Stage 2: Attack Delivery
Spearphish with URL links
and/or attachment
Stage 5: Internal Recon
Scan network for targets
Stage 3: Client Exploit &
Compromise
Vulnerability exploited or user
tricked into running executable
Stage 8: Stage Data &
Exfil
Archive/encrypt, leak to
drop sites
Stage 4: C2
Remote Command & Control.
Stage 6: Lateral
Movement
Colonize network
Stage 7: Establish Persistence
Root presence to re-infect as
machines are remediated
Stage 9: Incident
Response
Analysis, remediation,
public relations, damage
control
27. Invincea – Breaking the APT
Workflow
Containment | Detection | Prevention | Intelligence
• Highly targeted apps run in contained environment
• Behavioral based detection spots all malware including 0-days
• Automatic kill and remediation to clean state
• Forensic intelligence on thwarted attacks fed to broader
infrastructure
Threat Data Server
28. • Prestigious SANS Institute Calls for DPW type of
controls…
• Item 5: Malware Defenses
• 5.7. Quick wins: Deploy…products that provide sandboxing (e.g.,
run browsers in a VM), and other techniques that prevent
malware exploitation.
• SANS awards NSA a National Security Award for
review of Invincea technology
• NSA led a year long analysis of the technology that powers DPW
• Endorsed as effective for combatting the advanced threat
• SANS viewed as a break-through in endpoint security
• Notable Industry Awards
• Most Innovative Company of the Year – RSA 2011
• GovTek Best Tech Transfer to Startup – 2012
• Government Security News‟ “Best Anti-Malware Solution” - 2012
Recognized as a Game
Changer…
29. Steve Ward:
steve.ward@invincea.com
Go ahead…spear-phish me!
www.invincea.com
Twitter: @Invincea
Want a t-shirt? Drop a note to megan.cavanaugh@invincea.com – only
one catch, you‟ve got to tweet a pic of you wearing it!
Let‟s Get Moving
Editor's Notes
Actors – Weapons – Targets – Defenses - InvinceaThreats and their exploits are punching holes into today’s security controls by changing the game,They are going after your user and bypassing all your controls.Chasing yesterdays attacks by list based technologies will simply never catch up because its looking for the last indicator.Cleaning up using Incident Response is messy, expensive only tells you how bad the problem is and only generates more signatures or lists for ineffective technologies.The only way to protect stop the attack is to play today’s game. We stop the attack by defending the user while letting the user be themselves.Trust the Web Again!-------------------------------------------------------------------------------------------------------------------------------The Malicious link contains an EXPLOIT.AV - Microsoft Essentials happened to have a signature for it and therefore cleaned it. This in general can happen with Enterprise and any AV software and is expected. If MSE did not have a signature we would have seen the resulting exploit and stopped it.So, what you saw was MSE cleaning the exploit and the page then just sitting there. To restore then, all you need to do is to go to our systray icon and restore the browser session.PATCHING - That said, the next thing to be aware of or ask "Will the exploit actually line up to a vulnerability on my workstation?" So, the next test I did was to disable MSE on my workstation. I went to the same site, and nothing happened. In other words, the exploit did not compromise my latest patched version of java. So, it had a similar result, the page just sitting there and we did not have to stop any resulting behavior.RAW/UNPROTECTED - I took the same link and went to a workstation that had no MSE and an unpatched version of java. This time the exploit worked and we detected the result of that exploit as well as fully restoring the environment.Then, I went to the sophos link and again nothing happened. I think that site is just cleaned up.It also iterates a good layered defense approach but where we come into play.1) Patching - prevent a match of exploit/vulnerability2) AV - if signature matches3) Invincea, your last line of defense in case the previous fails.I do sometimes say, depending on how you look at it, we could be thought of your first line or last line of defense.
The challenge is that we keep investing millions of dollars into yesterday’s problems. And the target keeps moving. There are more than 80,000 new malware variants and 3,000 malicious websites identified daily, no wonder the traditional defenses like signatures, listing and training do not work. As I stated earlier, the number 1 attack vector is the end user. Your organization has 30,000 employees. From a cyber-criminal’s perspective, that is 30,000 targets.
Actors – Weapons – Targets – Defenses - InvinceaThreats and their exploits are punching holes into today’s security controls by changing the game,They are going after your user and bypassing all your controls.Chasing yesterdays attacks by list based technologies will simply never catch up because its looking for the last indicator.Cleaning up using Incident Response is messy, expensive only tells you how bad the problem is and only generates more signatures or lists for ineffective technologies.The only way to protect stop the attack is to play today’s game. We stop the attack by defending the user while letting the user be themselves.Trust the Web Again!-------------------------------------------------------------------------------------------------------------------------------The Malicious link contains an EXPLOIT.AV - Microsoft Essentials happened to have a signature for it and therefore cleaned it. This in general can happen with Enterprise and any AV software and is expected. If MSE did not have a signature we would have seen the resulting exploit and stopped it.So, what you saw was MSE cleaning the exploit and the page then just sitting there. To restore then, all you need to do is to go to our systray icon and restore the browser session.PATCHING - That said, the next thing to be aware of or ask "Will the exploit actually line up to a vulnerability on my workstation?" So, the next test I did was to disable MSE on my workstation. I went to the same site, and nothing happened. In other words, the exploit did not compromise my latest patched version of java. So, it had a similar result, the page just sitting there and we did not have to stop any resulting behavior.RAW/UNPROTECTED - I took the same link and went to a workstation that had no MSE and an unpatched version of java. This time the exploit worked and we detected the result of that exploit as well as fully restoring the environment.Then, I went to the sophos link and again nothing happened. I think that site is just cleaned up.It also iterates a good layered defense approach but where we come into play.1) Patching - prevent a match of exploit/vulnerability2) AV - if signature matches3) Invincea, your last line of defense in case the previous fails.I do sometimes say, depending on how you look at it, we could be thought of your first line or last line of defense.
Actors – Weapons – Targets – Defenses - InvinceaThreats and their exploits are punching holes into today’s security controls by changing the game,They are going after your user and bypassing all your controls.Chasing yesterdays attacks by list based technologies will simply never catch up because its looking for the last indicator.Cleaning up using Incident Response is messy, expensive only tells you how bad the problem is and only generates more signatures or lists for ineffective technologies.The only way to protect stop the attack is to play today’s game. We stop the attack by defending the user while letting the user be themselves.Trust the Web Again!-------------------------------------------------------------------------------------------------------------------------------The Malicious link contains an EXPLOIT.AV - Microsoft Essentials happened to have a signature for it and therefore cleaned it. This in general can happen with Enterprise and any AV software and is expected. If MSE did not have a signature we would have seen the resulting exploit and stopped it.So, what you saw was MSE cleaning the exploit and the page then just sitting there. To restore then, all you need to do is to go to our systray icon and restore the browser session.PATCHING - That said, the next thing to be aware of or ask "Will the exploit actually line up to a vulnerability on my workstation?" So, the next test I did was to disable MSE on my workstation. I went to the same site, and nothing happened. In other words, the exploit did not compromise my latest patched version of java. So, it had a similar result, the page just sitting there and we did not have to stop any resulting behavior.RAW/UNPROTECTED - I took the same link and went to a workstation that had no MSE and an unpatched version of java. This time the exploit worked and we detected the result of that exploit as well as fully restoring the environment.Then, I went to the sophos link and again nothing happened. I think that site is just cleaned up.It also iterates a good layered defense approach but where we come into play.1) Patching - prevent a match of exploit/vulnerability2) AV - if signature matches3) Invincea, your last line of defense in case the previous fails.I do sometimes say, depending on how you look at it, we could be thought of your first line or last line of defense.
Actors – Weapons – Targets – Defenses - InvinceaThreats and their exploits are punching holes into today’s security controls by changing the game,They are going after your user and bypassing all your controls.Chasing yesterdays attacks by list based technologies will simply never catch up because its looking for the last indicator.Cleaning up using Incident Response is messy, expensive only tells you how bad the problem is and only generates more signatures or lists for ineffective technologies.The only way to protect stop the attack is to play today’s game. We stop the attack by defending the user while letting the user be themselves.Trust the Web Again!-------------------------------------------------------------------------------------------------------------------------------The Malicious link contains an EXPLOIT.AV - Microsoft Essentials happened to have a signature for it and therefore cleaned it. This in general can happen with Enterprise and any AV software and is expected. If MSE did not have a signature we would have seen the resulting exploit and stopped it.So, what you saw was MSE cleaning the exploit and the page then just sitting there. To restore then, all you need to do is to go to our systray icon and restore the browser session.PATCHING - That said, the next thing to be aware of or ask "Will the exploit actually line up to a vulnerability on my workstation?" So, the next test I did was to disable MSE on my workstation. I went to the same site, and nothing happened. In other words, the exploit did not compromise my latest patched version of java. So, it had a similar result, the page just sitting there and we did not have to stop any resulting behavior.RAW/UNPROTECTED - I took the same link and went to a workstation that had no MSE and an unpatched version of java. This time the exploit worked and we detected the result of that exploit as well as fully restoring the environment.Then, I went to the sophos link and again nothing happened. I think that site is just cleaned up.It also iterates a good layered defense approach but where we come into play.1) Patching - prevent a match of exploit/vulnerability2) AV - if signature matches3) Invincea, your last line of defense in case the previous fails.I do sometimes say, depending on how you look at it, we could be thought of your first line or last line of defense.
Actors – Weapons – Targets – Defenses - InvinceaThreats and their exploits are punching holes into today’s security controls by changing the game,They are going after your user and bypassing all your controls.Chasing yesterdays attacks by list based technologies will simply never catch up because its looking for the last indicator.Cleaning up using Incident Response is messy, expensive only tells you how bad the problem is and only generates more signatures or lists for ineffective technologies.The only way to protect stop the attack is to play today’s game. We stop the attack by defending the user while letting the user be themselves.Trust the Web Again!-------------------------------------------------------------------------------------------------------------------------------The Malicious link contains an EXPLOIT.AV - Microsoft Essentials happened to have a signature for it and therefore cleaned it. This in general can happen with Enterprise and any AV software and is expected. If MSE did not have a signature we would have seen the resulting exploit and stopped it.So, what you saw was MSE cleaning the exploit and the page then just sitting there. To restore then, all you need to do is to go to our systray icon and restore the browser session.PATCHING - That said, the next thing to be aware of or ask "Will the exploit actually line up to a vulnerability on my workstation?" So, the next test I did was to disable MSE on my workstation. I went to the same site, and nothing happened. In other words, the exploit did not compromise my latest patched version of java. So, it had a similar result, the page just sitting there and we did not have to stop any resulting behavior.RAW/UNPROTECTED - I took the same link and went to a workstation that had no MSE and an unpatched version of java. This time the exploit worked and we detected the result of that exploit as well as fully restoring the environment.Then, I went to the sophos link and again nothing happened. I think that site is just cleaned up.It also iterates a good layered defense approach but where we come into play.1) Patching - prevent a match of exploit/vulnerability2) AV - if signature matches3) Invincea, your last line of defense in case the previous fails.I do sometimes say, depending on how you look at it, we could be thought of your first line or last line of defense.
The challenge is that we keep investing millions of dollars into yesterday’s problems. And the target keeps moving. There are more than 80,000 new malware variants and 3,000 malicious websites identified daily, no wonder the traditional defenses like signatures, listing and training do not work. As I stated earlier, the number 1 attack vector is the end user. Your organization has 30,000 employees. From a cyber-criminal’s perspective, that is 30,000 targets.
Actors – Weapons – Targets – Defenses - InvinceaThreats and their exploits are punching holes into today’s security controls by changing the game,They are going after your user and bypassing all your controls.Chasing yesterdays attacks by list based technologies will simply never catch up because its looking for the last indicator.Cleaning up using Incident Response is messy, expensive only tells you how bad the problem is and only generates more signatures or lists for ineffective technologies.The only way to protect stop the attack is to play today’s game. We stop the attack by defending the user while letting the user be themselves.Trust the Web Again!-------------------------------------------------------------------------------------------------------------------------------The Malicious link contains an EXPLOIT.AV - Microsoft Essentials happened to have a signature for it and therefore cleaned it. This in general can happen with Enterprise and any AV software and is expected. If MSE did not have a signature we would have seen the resulting exploit and stopped it.So, what you saw was MSE cleaning the exploit and the page then just sitting there. To restore then, all you need to do is to go to our systray icon and restore the browser session.PATCHING - That said, the next thing to be aware of or ask "Will the exploit actually line up to a vulnerability on my workstation?" So, the next test I did was to disable MSE on my workstation. I went to the same site, and nothing happened. In other words, the exploit did not compromise my latest patched version of java. So, it had a similar result, the page just sitting there and we did not have to stop any resulting behavior.RAW/UNPROTECTED - I took the same link and went to a workstation that had no MSE and an unpatched version of java. This time the exploit worked and we detected the result of that exploit as well as fully restoring the environment.Then, I went to the sophos link and again nothing happened. I think that site is just cleaned up.It also iterates a good layered defense approach but where we come into play.1) Patching - prevent a match of exploit/vulnerability2) AV - if signature matches3) Invincea, your last line of defense in case the previous fails.I do sometimes say, depending on how you look at it, we could be thought of your first line or last line of defense.
Actors – Weapons – Targets – Defenses - InvinceaThreats and their exploits are punching holes into today’s security controls by changing the game,They are going after your user and bypassing all your controls.Chasing yesterdays attacks by list based technologies will simply never catch up because its looking for the last indicator.Cleaning up using Incident Response is messy, expensive only tells you how bad the problem is and only generates more signatures or lists for ineffective technologies.The only way to protect stop the attack is to play today’s game. We stop the attack by defending the user while letting the user be themselves.Trust the Web Again!-------------------------------------------------------------------------------------------------------------------------------The Malicious link contains an EXPLOIT.AV - Microsoft Essentials happened to have a signature for it and therefore cleaned it. This in general can happen with Enterprise and any AV software and is expected. If MSE did not have a signature we would have seen the resulting exploit and stopped it.So, what you saw was MSE cleaning the exploit and the page then just sitting there. To restore then, all you need to do is to go to our systray icon and restore the browser session.PATCHING - That said, the next thing to be aware of or ask "Will the exploit actually line up to a vulnerability on my workstation?" So, the next test I did was to disable MSE on my workstation. I went to the same site, and nothing happened. In other words, the exploit did not compromise my latest patched version of java. So, it had a similar result, the page just sitting there and we did not have to stop any resulting behavior.RAW/UNPROTECTED - I took the same link and went to a workstation that had no MSE and an unpatched version of java. This time the exploit worked and we detected the result of that exploit as well as fully restoring the environment.Then, I went to the sophos link and again nothing happened. I think that site is just cleaned up.It also iterates a good layered defense approach but where we come into play.1) Patching - prevent a match of exploit/vulnerability2) AV - if signature matches3) Invincea, your last line of defense in case the previous fails.I do sometimes say, depending on how you look at it, we could be thought of your first line or last line of defense.
Actors – Weapons – Targets – Defenses - InvinceaThreats and their exploits are punching holes into today’s security controls by changing the game,They are going after your user and bypassing all your controls.Chasing yesterdays attacks by list based technologies will simply never catch up because its looking for the last indicator.Cleaning up using Incident Response is messy, expensive only tells you how bad the problem is and only generates more signatures or lists for ineffective technologies.The only way to protect stop the attack is to play today’s game. We stop the attack by defending the user while letting the user be themselves.Trust the Web Again!-------------------------------------------------------------------------------------------------------------------------------The Malicious link contains an EXPLOIT.AV - Microsoft Essentials happened to have a signature for it and therefore cleaned it. This in general can happen with Enterprise and any AV software and is expected. If MSE did not have a signature we would have seen the resulting exploit and stopped it.So, what you saw was MSE cleaning the exploit and the page then just sitting there. To restore then, all you need to do is to go to our systray icon and restore the browser session.PATCHING - That said, the next thing to be aware of or ask "Will the exploit actually line up to a vulnerability on my workstation?" So, the next test I did was to disable MSE on my workstation. I went to the same site, and nothing happened. In other words, the exploit did not compromise my latest patched version of java. So, it had a similar result, the page just sitting there and we did not have to stop any resulting behavior.RAW/UNPROTECTED - I took the same link and went to a workstation that had no MSE and an unpatched version of java. This time the exploit worked and we detected the result of that exploit as well as fully restoring the environment.Then, I went to the sophos link and again nothing happened. I think that site is just cleaned up.It also iterates a good layered defense approach but where we come into play.1) Patching - prevent a match of exploit/vulnerability2) AV - if signature matches3) Invincea, your last line of defense in case the previous fails.I do sometimes say, depending on how you look at it, we could be thought of your first line or last line of defense.
Actors – Weapons – Targets – Defenses - InvinceaThreats and their exploits are punching holes into today’s security controls by changing the game,They are going after your user and bypassing all your controls.Chasing yesterdays attacks by list based technologies will simply never catch up because its looking for the last indicator.Cleaning up using Incident Response is messy, expensive only tells you how bad the problem is and only generates more signatures or lists for ineffective technologies.The only way to protect stop the attack is to play today’s game. We stop the attack by defending the user while letting the user be themselves.Trust the Web Again!-------------------------------------------------------------------------------------------------------------------------------The Malicious link contains an EXPLOIT.AV - Microsoft Essentials happened to have a signature for it and therefore cleaned it. This in general can happen with Enterprise and any AV software and is expected. If MSE did not have a signature we would have seen the resulting exploit and stopped it.So, what you saw was MSE cleaning the exploit and the page then just sitting there. To restore then, all you need to do is to go to our systray icon and restore the browser session.PATCHING - That said, the next thing to be aware of or ask "Will the exploit actually line up to a vulnerability on my workstation?" So, the next test I did was to disable MSE on my workstation. I went to the same site, and nothing happened. In other words, the exploit did not compromise my latest patched version of java. So, it had a similar result, the page just sitting there and we did not have to stop any resulting behavior.RAW/UNPROTECTED - I took the same link and went to a workstation that had no MSE and an unpatched version of java. This time the exploit worked and we detected the result of that exploit as well as fully restoring the environment.Then, I went to the sophos link and again nothing happened. I think that site is just cleaned up.It also iterates a good layered defense approach but where we come into play.1) Patching - prevent a match of exploit/vulnerability2) AV - if signature matches3) Invincea, your last line of defense in case the previous fails.I do sometimes say, depending on how you look at it, we could be thought of your first line or last line of defense.
Actors – Weapons – Targets – Defenses - InvinceaThreats and their exploits are punching holes into today’s security controls by changing the game,They are going after your user and bypassing all your controls.Chasing yesterdays attacks by list based technologies will simply never catch up because its looking for the last indicator.Cleaning up using Incident Response is messy, expensive only tells you how bad the problem is and only generates more signatures or lists for ineffective technologies.The only way to protect stop the attack is to play today’s game. We stop the attack by defending the user while letting the user be themselves.Trust the Web Again!-------------------------------------------------------------------------------------------------------------------------------The Malicious link contains an EXPLOIT.AV - Microsoft Essentials happened to have a signature for it and therefore cleaned it. This in general can happen with Enterprise and any AV software and is expected. If MSE did not have a signature we would have seen the resulting exploit and stopped it.So, what you saw was MSE cleaning the exploit and the page then just sitting there. To restore then, all you need to do is to go to our systray icon and restore the browser session.PATCHING - That said, the next thing to be aware of or ask "Will the exploit actually line up to a vulnerability on my workstation?" So, the next test I did was to disable MSE on my workstation. I went to the same site, and nothing happened. In other words, the exploit did not compromise my latest patched version of java. So, it had a similar result, the page just sitting there and we did not have to stop any resulting behavior.RAW/UNPROTECTED - I took the same link and went to a workstation that had no MSE and an unpatched version of java. This time the exploit worked and we detected the result of that exploit as well as fully restoring the environment.Then, I went to the sophos link and again nothing happened. I think that site is just cleaned up.It also iterates a good layered defense approach but where we come into play.1) Patching - prevent a match of exploit/vulnerability2) AV - if signature matches3) Invincea, your last line of defense in case the previous fails.I do sometimes say, depending on how you look at it, we could be thought of your first line or last line of defense.
