Exploits - from zero day to ongoing threat
•Descargar como PPTX, PDF•
1 recomendación•677 vistas
Exploits take advantage of software vulnerabilities to execute malicious code. The document discusses the evolution of exploits and attack vectors over time as defensive strategies like DEP, ASLR, and sandboxes were introduced. It also outlines the lifecycle of a zero-day exploit from initial discovery to integration into exploit kits. Increasing software complexity drives more vulnerabilities while mitigation techniques aim to raise the cost of carrying out successful attacks.
Recomendados
Más contenido relacionado
Similar a Exploits - from zero day to ongoing threat
Similar a Exploits - from zero day to ongoing threat (20)
Último
Último (20)
Exploits - from zero day to ongoing threat
- 2. 2 EXPLOITS – FROM 0DAY TO ONGOING THREAT ANDREAS FOBIAN, SECURITY RESEARCHER G DATA
- 3. OVERVIEW What are Exploits? Exploit Evolution Change of attack vectors Lifecycle of a 0day Defensive strategies/ technologies G DATA | 30Y ANNIVERSARY SECURITY SUMMIT | BOCHUM, SEPTEMBER 24, 2015 3
- 4. EXPLOITS - MOTIVATION Definition: „Programm using a vulnerbility to execute arbitrary programms, not limited to calc.exe “ Exploit Kits: Framework for infections using exploits 50 – 200 Mio $ loss using exploit kits Bitkom: 14 billon $ loss in buisness sector G DATA | 30Y ANNIVERSARY SECURITY SUMMIT | BOCHUM, SEPTEMBER 24, 2015 4
- 5. EXPLOITS 101 G DATA | 30Y ANNIVERSARY SECURITY SUMMIT | BOCHUM, SEPTEMBER 24, 2015 5 Load Website Create layout Load images Render graphic and show layout Wait for Input Load Exploit IEXPLORER.EXE MSHTML.DLL HTML JPG JS Malicious Code (Shellcode) JSCRIPT.DLL
- 6. ROOT CAUSE: COMPLEXITY G DATA | 30Y ANNIVERSARY SECURITY SUMMIT | BOCHUM, SEPTEMBER 24, 2015 6 0.00 2000.00 4000.00 6000.00 8000.00 10000.00 12000.00 14000.00 2007 2008 2009 2010 2011 2012 2013 2014 2015 KLOC (OK) KLOC (Faults)
- 7. EVOLUTION OF ATTACK VECTORS G DATA | 30Y ANNIVERSARY SECURITY SUMMIT | BOCHUM, SEPTEMBER 24, 2015 7 0 20 40 60 80 100 120 140 160 Q1/2005 Q2/2005 Q3/2005 Q4/2005 Q1/2006 Q2/2006 Q3/2006 Q4/2006 Q1/2007 Q2/2007 Q3/2007 Q4/2007 Q1/2008 Q2/2008 Q3/2008 Q4/2008 Q1/2009 Q2/2009 Q3/2009 Q4/2009 Q1/2010 Q2/2010 Q3/2010 Q4/2010 Q1/2011 Q2/2011 Q3/2011 Q4/2011 Q1/2012 Q2/2012 Q3/2012 Q4/2012 Q1/2013 Q2/2013 Q3/2013 Q4/2013 Q1/2014 Q2/2014 Q3/2014 Q4/2014 Q1/2015 Q2/2015 Q3/2015 jre_ek jre internet_explorer_ek internet_explorer flash_player_ek flash_player acrobat_reader_ek acrobat_reader
- 8. LIFECYCLE OF AN EXPLOIT G DATA | 30Y ANNIVERSARY SECURITY SUMMIT | BOCHUM, SEPTEMBER 24, 2015 8 Vulnerbility released Vendor notifies Vulnerbility Vulnerbility published Vulnerbility found Patch released td tv tvd tpd ta Zero day Attack Follow-on Attacks Patchdeployment finished tp Reactive Protectionmechanisms published ts
- 9. TARGETED ATTACK -> EXPLOIT KIT 3 Flash 0Days 0-”day”: October 2013 – 5.Juli 2015 Exploit Kit Integration 7.Juli 2015 Fixed 10. Juli 2015 G DATA | 30Y ANNIVERSARY SECURITY SUMMIT | BOCHUM, SEPTEMBER 24, 2015 Example: Hacking Team 9
- 10. EVOLUTION OF ATTACK VECTORS G DATA | 30Y ANNIVERSARY SECURITY SUMMIT | BOCHUM, SEPTEMBER 24, 2015 10 0 20 40 60 80 100 120 140 160 Q1/2005 Q2/2005 Q3/2005 Q4/2005 Q1/2006 Q2/2006 Q3/2006 Q4/2006 Q1/2007 Q2/2007 Q3/2007 Q4/2007 Q1/2008 Q2/2008 Q3/2008 Q4/2008 Q1/2009 Q2/2009 Q3/2009 Q4/2009 Q1/2010 Q2/2010 Q3/2010 Q4/2010 Q1/2011 Q2/2011 Q3/2011 Q4/2011 Q1/2012 Q2/2012 Q3/2012 Q4/2012 Q1/2013 Q2/2013 Q3/2013 Q4/2013 Q1/2014 Q2/2014 Q3/2014 Q4/2014 Q1/2015 Q2/2015 Q3/2015 jre_ek jre internet_explorer_ek internet_explorer flash_player_ek flash_player acrobat_reader_ek acrobat_reader
- 11. 0 1 2 3 4 5 6 7 8 9 java internet_explorer flash_player acrobat_reader RELEASED EXPLOITS PER QUARTER G DATA | 30Y ANNIVERSARY SECURITY SUMMIT | BOCHUM, SEPTEMBER 24, 2015 11 ASLR/DEP Sandboxing Click to play Vector Check
- 12. DEP (DATA EXECUTION PREVENTION) G DATA | 30Y ANNIVERSARY SECURITY SUMMIT | BOCHUM, SEPTEMBER 24, 2015 12 Load Website Create layout Load images Render graphic and show layout Wait for Input Load Exploit IEXPLORER.EXE MSHTML.DLL HTML JPG JS Malicious Code (Shellcode) JSCRIPT.DLL
- 13. DEP (DATA EXECUTION PREVENTION) G DATA | 30Y ANNIVERSARY SECURITY SUMMIT | BOCHUM, SEPTEMBER 24, 2015 13 Load Website Create layout Load images Render graphic and show layout Wait for Input Load Exploit IEXPLORER.EXE MSHTML.DLL HTML JPG JS Malicious Code (Shellcode) JSCRIPT.DLL
- 14. ROP (RETURN ORIENTED PROGRAMMING) G DATA | 30Y ANNIVERSARY SECURITY SUMMIT | BOCHUM, SEPTEMBER 24, 2015 14 Load Website Create layout Load images Render graphic and show layout Wait for Input Load Exploit IEXPLORER.EXE MSHTML.DLL HTML JPG JS Malicious Code (Shellcode) JSCRIPT.DLL
- 15. ASLR (ADDRESS SPACE LAYOUT RANDOMIZATION) G DATA | 30Y ANNIVERSARY SECURITY SUMMIT | BOCHUM, SEPTEMBER 24, 2015 15 Load Website Create layout Load images Render graphic and show layout Wait for Input Load Exploit IEXPLORER.EXE MSHTML.DLL HTML JPG JS Malicious Code (Shellcode) JSCRIPT.DLL
- 16. ASLR (ADDRESS SPACE LAYOUT RANDOMIZATION) G DATA | 30Y ANNIVERSARY SECURITY SUMMIT | BOCHUM, SEPTEMBER 24, 2015 16 Load Website Create layout Load images Render graphic and show layout Wait for Input Load Exploit MSHTMT.DLL JSCRIPT.DLL JPG JS HTML Malicious Code (Shellcode) IEXPLORER.EXE
- 17. 14 billon $ loss? G DATA | 30Y ANNIVERSARY SECURITY SUMMIT | BOCHUM, SEPTEMBER 24, 2015 17
- 18. EXPLOIT PROTECTION G DATA | 30Y ANNIVERSARY SECURITY SUMMIT | BOCHUM, SEPTEMBER 24, 2015 18
- 19. ADDRESS TABLE FILTER G DATA | 30Y ANNIVERSARY SECURITY SUMMIT | BOCHUM, SEPTEMBER 24, 2015 19 Load Website Create layout Load images Render graphic and show layout Wait for Input Load Exploit IEXPLORER.EXE MSHTML.DLL HTML JPG JS Malicious Code (Shellcode) JSCRIPT.DLL
- 20. CONCLUSION Fixing all security bugs is expensive A look at the past show: Killing offensive techniques forces attackers to develop new techniques Goal: Increasing the cost of a functional attack Mitigation Software Patchmanagement G DATA | 30Y ANNIVERSARY SECURITY SUMMIT | BOCHUM, SEPTEMBER 24, 2015 20
- 21. G DATA | 30Y ANNIVERSARY SECURITY SUMMIT | BOCHUM, SEPTEMBER 24, 2015 21 … THANK YOU!
Notas del editor
- Kurzer Aufriss Überblick, was sind Exploits? Entwicklung auf dem Gebiet: Veränderungen der Angriffsvektoren Zeitlicher Verlauf eines Exploits Entdeckung, Ausnutzung, Patch Gewonnene Erkenntniss Umsetzen zur Bekämpfung
- -Was ist eine Exploit? -Definition -Grobe Hochrechnung, Marktanteil eines EK - Hochrechnung Magnitude EK + CryptoWall - 60k Pro Woche - CryptoWall 23des Traffics - 31% Marktanzeil
- Highlevel Überblick auf Broswer Exploit Als erstes Normaler Ablauf Dann Unterschied zu Exploit Lila: ProgrammCode Gelb: Daten
- - Können wir einfach alle Bugs Patchen? -> Nein Komplexität Windows Quellcode, 1993 -2007 1993 Windows NT 3.1 - 4-5 Mio 1994 Windows NT 3.5 – 7-8 Mio 1996 Windows NT 4.0 – 11-12 Mio 2000 Windows 2000 – 29 Mio 2001 Windows XP – 40 Mio 2007 Windows Vista - 50Mio 10 -50 Fehler pro 1000 Zeilen Code Nicht alle ausnutzbar Statistik über Schwachstellen folgt jetzt
- Zeitliche Analyze der CVE Datenbank CVE( Common Vulnerabilties and Exposures)) Java, Internet Explorer, Flash, Acrobat Reader Generell steigender Trend In the wild Angriffe: Nur wenige Wirklich Ausgenutzt
- Start : Sicherheitslücke wird eingebaut Exploits existieren vor Ihrer Veröffentlichung: 300 Tage Response/Patch Zeit: XXX Tage Patch Deployment Zeit: XXX Tage abhängig von AutoUpdate und anderen Faktoren
- Beispiel aus der nahen Vergangenheit Hacking Team Breach
- Zeitliche Analyze der CVE Datenbank CVE( Common Vulnerabilties and Exposures)) Java, Internet Explorer, Flash, Acrobat Reader Generell steigender Trend In the wild Angriffe: Nur wenige Wirklich Ausgenutzt
- ASLR/DEP: 2 Sicherheitsfeatures, werden gleich ausführlicher (IE,ADOBE,FLASH) Adobe Sandboxing: ein erfolgreicher Angriff ist nicht mehr so interessant Java Click2play: Sicherheitsabfrage im Browser Flash Vector Checking: neuer Sicherheitscheck, es wird sich zeigen welche Veränderung daraus folgt
- - Was kann man umsetzen, um die Situation zu verbessern?