1. Jason Dablow
Sr. Sales Engineer
What is a Breach? … Exploited Weaknesses of Traditional Security
6/20/2015 Confidential | Copyright 2013 Trend Micro Inc. Copyright 2014 Trend Micro Inc.
2. Advanced Malware / Targeted Attacks
Threat landscape shown: Advanced Malware, Targeted Attacks, Employee Data Leaks, Traditional Malware, Vulnerability Exploits.
220K new malware programs daily!
6. Attack Stages
1. Intelligence Gathering: Identify and research target individuals using public sources (LinkedIn, Facebook, etc.) and prepare a customized attack.
2. Point of Entry: The initial compromise is typically malware delivered via social engineering (email/IM or drive-by download). A backdoor is created and the network can now be infiltrated.
3. Command & Control (C&C) Communication: Allows the attacker to instruct and control the compromised machines and malware used for all subsequent phases.
4. Lateral Movement: Once inside the network, the attacker compromises additional machines to harvest credentials, escalate privilege levels and maintain persistent control.
5. Asset/Data Discovery: Several techniques and tools are used to identify the noteworthy servers and the services that house the data of interest.
6. Data Exfiltration: Once sensitive information is gathered, the data is funneled to an internal staging server where it is chunked, compressed and often encrypted for transmission to external locations.
7. Stage 1 - Intelligence Gathering
Acquire strategic information about the target's IT environment and organizational structure.
Diagram callout: “res://” protocol
8. Data at Risk
• Corporate / Financial—board meeting records, legal proceedings, strategic plans, contracts, purchase agreements, pre-earnings announcements, executive salaries, M&A plans and pending patent filings.
• Manufacturing—Intellectual Property and manufacturing methods
• Retail—Financial records & transactions, customer profiles to generate revenue for identity theft
• Internal Organization—employee records and health claims for identity and insurance fraud
9. Stage 2 - Point of Entry
Gain entry into a target network using weaknesses found.
Entry vectors shown: Weaponized Attachment, Malicious URLs.
Attack weakness found in:
• Infrastructure
• Systems
• Applications
• People
• 3rd Party Organizations
10. Infection Options
• Island Hopping (diagram: Attackers, Trusted Partner, Customers)
• Cloning websites of conferences victims will attend: craft an email for registration and host a fake registration page (repeatable)
• Watering Hole Attacks
13. Attackers Try Everything
• Poison Ivy – multiple ports: HTTPS, HTTP, IMAP, POP3, SMTP, DNS, POP3S, HYPER TEXT, HTTP_ALT. Monitoring a few ports is not sufficient.
• Evilgrab – apps & protocols: monitoring a few apps & protocols is not sufficient.
• IXESHE – morphing: changes in C&C, IP addresses, signatures & behavior. It’s extremely difficult to track the attack.
14. Evade detection with customized malware
Diagram: Attacker → malicious C&C websites → Ahnlab's update servers → the victimized business's Windows endpoints and Unix/Linux server farm; the payloads wipe out files and destroy the MBR.
A total of 76 tailor-made malware samples were used, of which 9 were destructive, while the other 67 were used for penetration and monitoring.
16. Today’s Reality – One & Done!
Chart (figures partly lost in extraction): “99 10% of malware infect < victims”; “80 1% of malware infect = victim”.
17. Stage 3 - Command & Control Communications
Ensure continued communication between the compromised target and the attackers.
Common Traits
• Uses typical protocols (HTTP)
• Uses legitimate sites as C&C
• Uses internal systems as C&C
• Uses 3rd party apps as C&C
• May use compromised internal systems
Advantages
• Maintains persistence
• Avoids detection
Diagram: Threat Actor ↔ C&C Server
18. Trend Micro C&C Research
54% of C&C lifespan < 1 day
19. Stage 4 - Lateral Movement
Seek valuable hosts that house sensitive information.
Technique shown: Pass the Hash
23. Stage 5 - Data Discovery
Noteworthy assets are identified within the infrastructure, then isolated for future data exfiltration.
Email servers are identified so attackers can read important email in order to discover valuable information.
File lists from different directories are sent back so attackers can identify what is valuable.
24. Data at Risk
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Chart labels: Credit Cards; Birth & Phone records; Customer PII; User Credentials; PII leads to fraud; Movies, Ransoms, Terrorism.
26. Stage 6 - Exfiltration
Transmit data to a location that the threat actors control.
Common Traits
• Built-in file transfer (RATs)
• FTP, HTTP
• Tor network/Encryption
• Public File Sharing sites
29. Build a Security Ecosystem
Timely Global Threat Intelligence
Essential Technologies – Combat Current Threat Techniques
Integrated Product Strategy – Automated Protection
30. 150 Million+ Worldwide Sensors
Timely Global Threat Intelligence
Sources shown: Web Crawler, Trend Micro Solutions, Test Labs, 3rd Party Feeds, Honeypot, CDN / xSP, Researcher Intelligence.
Block malicious URL within 15 minutes once it goes online!
31. Data Science is Multidisciplinary
http://eduardoarea.blogspot.tw/2012/11/el-camino-de-un-data-scientist.html
32. Essential Technologies
The challenges uncovered during the stages of a targeted attack demonstrate the need for sophisticated technologies and services to secure the enterprise.
33. Essential Technologies: Community File Reputation
• Determines the prevalence and maturity of PE files
• Prevalence is a statistical concept referring to the number of times a file was detected by Trend Micro sensors at a given time
• If a file has not triggered any detections, we will become suspicious of that file if we have only seen it once or a few times
• Today over 80% of the malware is only seen once
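The prevalence/maturity rule on this slide can be reduced to a small piece of telemetry arithmetic. The following is an added example written for this page, not Trend Micro code: it takes constructed sensor sightings (the file ids are placeholders for hashes, the sensor ids and dates are made up), computes how many distinct sensors reported each file and how old the file is, and flags the rare-and-new corner as suspicious. The thresholds (5 sensors, 30 days) are demo values chosen here, not figures from the deck.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# "Now" for the demo, so the age computations are deterministic.
NOW = datetime(2015, 6, 20)

# Constructed sensor telemetry: (file_id, sensor_id, seen_at). The file ids are
# placeholders standing in for file hashes; none of these are real samples.
SIGHTINGS = (
    # file-A: reported by a single sensor, first seen yesterday
    [("file-A", "sensor-9001", datetime(2015, 6, 19, 14, 2))]
    # file-B: reported by 60 different sensors over the last half year
    + [("file-B", f"sensor-{i:04d}", datetime(2015, 1, 1) + timedelta(days=i))
       for i in range(60)]
    # file-C: seen twice, but both times by the same sensor, months ago
    + [("file-C", "sensor-0003", datetime(2015, 2, 1)),
       ("file-C", "sensor-0003", datetime(2015, 2, 2))]
)


def summarize(sightings, now=NOW):
    """Per file: prevalence (distinct sensors that saw it), sighting count and age in days."""
    sensors = defaultdict(set)
    count = defaultdict(int)
    first_seen = {}
    for file_id, sensor_id, seen_at in sightings:
        sensors[file_id].add(sensor_id)
        count[file_id] += 1
        first_seen[file_id] = min(first_seen.get(file_id, seen_at), seen_at)
    return {
        f: {"prevalence": len(sensors[f]),
            "sightings": count[f],
            "age_days": (now - first_seen[f]).days}
        for f in sensors
    }


def classify(prevalence, age_days, low_prevalence=5, young_days=30):
    """Rule of thumb from the slide: a file that has triggered no signature detection
    is suspicious when it is both rare and new. Thresholds are demo values."""
    if prevalence <= low_prevalence and age_days <= young_days:
        return "suspicious"
    if prevalence <= low_prevalence:
        return "rare"
    return "common"


def verdicts(sightings, now=NOW):
    """Apply classify() to every file in the telemetry."""
    return {f: classify(s["prevalence"], s["age_days"])
            for f, s in summarize(sightings, now).items()}


if __name__ == "__main__":
    for file_id, stats in summarize(SIGHTINGS).items():
        print(file_id, stats, "->", classify(stats["prevalence"], stats["age_days"]))
```

Counting distinct sensors rather than raw sightings is deliberate: file-C was seen twice, but by one machine, so its prevalence stays 1 and it is still rare; it is only its age that keeps it out of the suspicious bucket.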
35. Essential Technologies: Advanced Threat Scan Engine (ATSE)
How does ATSE determine a document is bad?
Diagram: obfuscated document content (“….d2hi.df..ga @$#5^%&..so 60788-9-80- =.//// ..)]}[.......”) concealing a malicious payload – Gotcha!!
• Uses heuristic scanning and employs a rule-based system
– Analyses the document to get malicious/uncommon characteristics
• Payloads, malformed, obfuscation, name tricks, …etc.
– Uses both CVE rules & heuristic rules
• Zero-day exploits are malware taking advantage of unpatched vulnerabilities but with similar exploitation techniques
• Therefore looking for “characteristics” of an exploit
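To make the "characteristics of an exploit" idea concrete, here is an added example (written for this page; it is not ATSE and does not reproduce its rules) of a weighted rule-based document scanner. Each rule looks for one of the characteristics the slide names: a name trick (double extension or right-to-left override), a declared type that contradicts the file name, an embedded DOS-stub string that betrays a PE carried inside a document, a high-entropy region typical of an obfuscated payload, a malformed PDF with no trailer, and an auto-exec macro name. The three sample documents, the rule weights and the verdict thresholds are all constructed for the demo.

```python
import math
import random
import re
from collections import Counter

# Magic bytes -> expected file extension for a quick "declared type vs. name" check.
MAGIC = {b"%PDF-": ".pdf", b"\xd0\xcf\x11\xe0": ".doc", b"PK\x03\x04": ".docx"}


def shannon_entropy(data):
    """Bits per byte; 8.0 is perfectly random. Packed/encrypted payloads sit near the top."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def max_window_entropy(data, window=1024):
    """Highest entropy over fixed windows, so one dense blob is not averaged away."""
    steps = range(0, max(1, len(data) - window + 1), window)
    return max(shannon_entropy(data[i:i + window]) for i in steps)


def declared_type(data):
    return next((ext for magic, ext in MAGIC.items() if data.startswith(magic)), None)


# Heuristic rules: (name, weight, predicate(filename, data)). Weights are demo values.
RULES = [
    ("name-trick",       3, lambda name, d: bool(re.search(r"\.(pdf|docx?|xlsx?)\.(exe|scr|js|vbs)$", name, re.I)) or "\u202e" in name),
    ("type-mismatch",    2, lambda name, d: declared_type(d) is not None and not name.lower().endswith(declared_type(d))),
    ("embedded-pe-stub", 4, lambda name, d: b"This program cannot be run in DOS mode" in d),
    ("high-entropy",     2, lambda name, d: max_window_entropy(d) > 7.5),
    ("malformed-pdf",    1, lambda name, d: d.startswith(b"%PDF-") and b"%%EOF" not in d),
    ("auto-exec-macro",  3, lambda name, d: b"AutoOpen" in d or b"Auto_Open" in d),
]


def scan_document(name, data, suspicious_at=3, malicious_at=6):
    """Run every rule, sum the weights of the ones that fire, map the score to a verdict."""
    hits = [rule for rule, weight, pred in RULES if pred(name, data)]
    score = sum(weight for rule, weight, _ in RULES if rule in hits)
    verdict = "malicious" if score >= malicious_at else "suspicious" if score >= suspicious_at else "clean"
    return {"score": score, "hits": hits, "verdict": verdict}


# Constructed samples (not real malware): a minimal clean PDF, a PDF carrying a random
# high-entropy blob plus a DOS-stub string and no trailer, and an OLE-looking document
# containing an auto-exec macro name.
_rng = random.Random(1)
BENIGN = ("quarterly-report.pdf",
          b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")
WEAPONIZED = ("invoice.pdf",
              b"%PDF-1.4\n1 0 obj << /Length 4096 >> stream\n"
              + bytes(_rng.getrandbits(8) for _ in range(4096))
              + b"\nendstream\nMZ\x90\x00This program cannot be run in DOS mode\n")
MACRO_DOC = ("memo.doc",
             b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64 + b"Sub AutoOpen()\nEnd Sub\n")


if __name__ == "__main__":
    for name, data in (BENIGN, WEAPONIZED, MACRO_DOC):
        print(name, scan_document(name, data))
```

Note that the weaponized sample has an innocent-looking name and a valid PDF header; it is the combination of structural oddities (no trailer, a random blob, a DOS stub where a document should have none) that pushes it over the threshold, which is the point the slide makes about looking for characteristics rather than a signature.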
36. Essential Technologies: Memory Inspection Analysis
• Protects against most packers and variant-generation tools, which obfuscate the file on disk but not in memory
Diagram: Execute → Unpack; log prefix with “RAV_”
38. Essential Technologies: URL Time Of Click
• It is important to evaluate URLs not only when they are first received but also when they are accessed, in order to defend against modified URLs.
Diagram: Internet → Mail Gateway (Hosted Email Security / InterScan Messaging Security) → Mail Server → Endpoint, with Mobile Workers outside the customer's network perimeter and a Web Gateway inside it. When a URL has no reputation, the gateway rewrites the URL to point to the Trend cloud (Trend Datacenter); URL reputation is then checked in real time when clicked, both inside and outside the perimeter, with the outcomes “Risk! Block!” or “No Risk”.
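The rewrite-then-check-at-click flow in the diagram, as an added example written for this page (it is not Trend Micro's implementation): at delivery time a URL with no reputation is wrapped into a link pointing at a check service, and at click time the original URL is unwrapped and judged against the reputation known at that moment. The check host `click-check.example.invalid`, the signing key and the reputation entries are all placeholders constructed for the demo. The wrapped token is HMAC-signed so that the redirector itself cannot be turned into an open redirect by editing the parameter.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder host for the click-time check service and a constructed signing key;
# neither is a real Trend Micro endpoint or key.
CHECK_HOST = "click-check.example.invalid"
SIGNING_KEY = b"constructed-demo-key"


def _sign(token):
    return hmac.new(SIGNING_KEY, token.encode(), hashlib.sha256).hexdigest()


def rewrite(url):
    """Wrap an unrated URL so the click goes through the check service first.
    The original URL travels as a signed token, so a tampered link is rejected."""
    token = base64.urlsafe_b64encode(url.encode()).decode()
    query = urlencode({"u": token, "s": _sign(token)})
    return f"https://{CHECK_HOST}/v?{query}"


def unwrap(link):
    """Recover the original URL from a rewritten link, refusing tampered tokens."""
    q = parse_qs(urlparse(link).query)
    token, sig = q["u"][0], q["s"][0]
    if not hmac.compare_digest(sig, _sign(token)):
        raise ValueError("rewritten link failed signature check")
    return base64.urlsafe_b64decode(token).decode()


class Reputation:
    """Stand-in for a cloud reputation service whose verdicts change over time."""

    def __init__(self, known=None):
        self.known = dict(known or {})

    def lookup(self, url):
        return self.known.get(url, "unknown")

    def update(self, url, verdict):
        self.known[url] = verdict


def at_delivery(url, rep):
    """Mail-gateway decision when the message is first received."""
    verdict = rep.lookup(url)
    if verdict == "bad":
        return ("block", url)
    if verdict == "good":
        return ("deliver", url)
    return ("deliver", rewrite(url))   # no reputation yet: rewrite for a time-of-click check


def at_click(link, rep):
    """Decision when the user actually clicks, using the reputation known at that moment."""
    original = unwrap(link) if urlparse(link).netloc == CHECK_HOST else link
    return ("block" if rep.lookup(original) == "bad" else "allow", original)


if __name__ == "__main__":
    rep = Reputation({"https://bad.example.net/x": "bad"})
    action, link = at_delivery("https://fresh.example.org/login", rep)
    print(action, link)
    print(at_click(link, rep))                       # allowed: still unrated at click time
    rep.update("https://fresh.example.org/login", "bad")
    print(at_click(link, rep))                       # blocked: rated bad after delivery
```

The scenario that matters is the last two lines: the same link that was harmless when the mail arrived is stopped once the reputation changes, which a delivery-time-only check can never do.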
39. Essential Technologies: Patching and Intrusion Prevention
• Each stage of an attack uses exploits to reach its goal.
• Typical patching cycle in an enterprise
Risk:
• Window of opportunity for hacker: 1 month, often 2 months
• Potentially “high risk” periods of 1-2 months (public exploit, patch not yet available, or patch not yet installed)
Virtual Patching
40. Essential Technologies: Security Automation (Deep Security)
• In this day and age where new workloads get instantiated at a high rate, security automation is a “must have”
• Operations and Security teams can focus on their core responsibilities
• Without touching the machine, any new VM gets the right protection
• Inventory and ensure protection throughout your environment
41. Essential Technologies: Virtual Analyzer/Sandboxing
• A virtual environment used to analyze potential malware samples
• It allows for the observation of file as well as network behavior in order to identify malware via potentially malicious characteristics
• Trend solutions use custom sandboxes based on our customers' environment
– Targeted malware validates it is on the right environment before infecting the machine, whether it is targeted against one company, one geography or one sector.
• Samples can be submitted by Trend products, via APIs or manually (depending on the implementation)
42. Interconnected Product Strategy – Automated Protection
The Interconnected Threat Response Cycle is the key to providing real-time response based on threat information just discovered in your own environment.
43. The Interconnected Threat Response (ITR) Cycle (Midsize & Enterprise Business)
• PREVENT: Assess potential vulnerabilities and proactively protect endpoints, servers and applications
• DETECT: Detect advanced malware, behavior and communications invisible to standard defenses
• ANALYZE: Analyze risk and nature of attack and attacker, and assess impact of threats retrospectively
• RESPOND: Update protection automatically, prioritize areas for remediation and adapt protection
• MONITOR & CONTROL sits at the center of the cycle
44. ITR Use Cases - Prevent: Application Control
System Lockdown
• Hardens the system by not allowing any new applications to execute
• Can be used in conjunction with other application control features to have a flexible, layered policy for each user
• Example:
– Lock down the system
– Block all Browsers, P2P and Online Storage apps
– Allow OS updates, IE, Office, Adobe and SafeSync
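The three-layer example on this slide (lockdown, category blocks, explicit allows) is easiest to understand as an ordered policy. The following is an added example written for this page, not the product's policy engine: explicit allow rules are evaluated first, then category blocks, then the lockdown baseline (the inventory of executables present when the system was locked down), and anything new is denied. The paths, publisher strings, categories and file ids are constructed; the file ids stand in for hashes. Note how IE stays allowed although browsers are blocked, and SafeSync stays allowed although online storage is blocked, because the allow layer is consulted first.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ExecRequest:
    path: str
    category: str    # browser, p2p, online-storage, office, os-update, other
    publisher: str   # constructed publisher names
    file_id: str     # placeholder standing in for a file hash


# Inventory taken when the system was locked down: these file ids may run; any new one may not.
BASELINE = {"id-ie", "id-otherbrowser", "id-p2p", "id-cloudsync", "id-safesync", "id-winword", "id-calc"}

# Layered policy, evaluated in order: explicit allows first, then category blocks,
# then the lockdown baseline, and finally the lockdown default (deny new executables).
ALLOW_RULES = [
    ("allow OS updates", lambda r: r.category == "os-update" and r.publisher == "Microsoft Windows"),
    ("allow IE",         lambda r: r.path.lower().endswith("\\iexplore.exe") and r.publisher == "Microsoft Windows"),
    ("allow Office",     lambda r: r.category == "office" and r.publisher == "Microsoft Office"),
    ("allow Adobe",      lambda r: r.publisher == "Adobe"),
    ("allow SafeSync",   lambda r: r.path.lower().endswith("\\safesync.exe") and r.publisher == "Trend Micro"),
]
BLOCK_RULES = [
    ("block browsers",       lambda r: r.category == "browser"),
    ("block P2P",            lambda r: r.category == "p2p"),
    ("block online storage", lambda r: r.category == "online-storage"),
]


def evaluate(req, baseline=BASELINE):
    """Return (decision, rule) for one execution attempt."""
    for name, pred in ALLOW_RULES:
        if pred(req):
            return ("allow", name)
    for name, pred in BLOCK_RULES:
        if pred(req):
            return ("block", name)
    if req.file_id in baseline:
        return ("allow", "in lockdown baseline")
    return ("block", "lockdown: new application")


# Constructed execution attempts on a locked-down workstation.
REQUESTS = [
    ExecRequest(r"C:\Program Files\Internet Explorer\iexplore.exe", "browser", "Microsoft Windows", "id-ie"),
    ExecRequest(r"C:\Program Files\OtherBrowser\otherbrowser.exe", "browser", "Other Vendor", "id-otherbrowser"),
    ExecRequest(r"C:\Users\a\AppData\Roaming\P2P\p2pclient.exe", "p2p", "P2P Vendor", "id-p2p"),
    ExecRequest(r"C:\Users\a\AppData\Roaming\CloudSync\cloudsync.exe", "online-storage", "Sync Vendor", "id-cloudsync"),
    ExecRequest(r"C:\Program Files\Trend Micro\SafeSync\safesync.exe", "online-storage", "Trend Micro", "id-safesync"),
    ExecRequest(r"C:\Program Files\Microsoft Office\winword.exe", "office", "Microsoft Office", "id-winword"),
    ExecRequest(r"C:\Windows\System32\calc.exe", "other", "Microsoft Windows", "id-calc"),
    ExecRequest(r"C:\Windows\SoftwareDistribution\Download\kb-placeholder.exe", "os-update", "Microsoft Windows", "id-new-update"),
    ExecRequest(r"C:\Users\a\Downloads\new_tool.exe", "other", "Unknown", "id-new-tool"),
]


def decisions(requests=REQUESTS):
    """Map each executable's file name to the (decision, rule) the policy produces."""
    return {r.path.rsplit("\\", 1)[-1]: evaluate(r) for r in requests}


if __name__ == "__main__":
    for exe, (decision, rule) in decisions().items():
        print(f"{decision:5} {exe:22} ({rule})")
```

The OS-update case is the one worth studying: its file id is not in the baseline, so pure lockdown would block it, and the explicit allow keyed on category and publisher is what keeps patching working.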
45. ITR Use Cases - Prevent: Data Discovery and Encryption
Architecture diagram: Control Manager (TMCM) holds the Data Discovery policy (WCU), widgets, log query, reports and database; the OSCE Server (OSCE proxy, OfcCMAgent) relays scan configuration down and scan reports up; the OSCE Client runs DLP Data Discovery through the DLP SDK interface (scan policy & command, scan engine, match engine, policy engine, scan result cache, SQLite DB, LogProcessor) and returns scan reports.
47. ITR Use Cases – Detect
Detection sources shown: OfficeScan, USB Sensor, Deep Discovery Analyzer, IWSVA, ScanMail for MS Exchange, ScanMail for Domino, IMSVA, Deep Discovery Inspector.
48. ITR Use Cases - Detect: C&C alerting via local intelligence (Custom Defense)
Products shown: OfficeScan, InterScan Messaging Security, Deep Security, InterScan Web Security, Deep Discovery Analyzer.
1. C&C list shared with local SPN
2. SPN enabled products will obtain the latest C&C list
49. ITR Use Cases - Detect: Suspicious Object sharing via local intelligence
Products shown: Control Manager, OfficeScan, InterScan Messaging Security, InterScan Web Security, Deep Discovery Inspector, ScanMail, Endpoint Sensor.
1. Suspicious object list
2. Suspicious objects list shared
Object types: IP, URL, Domain, File hashes, Open IOC information
52. Visualize the Attack Phases (Network)
54. ITR Use Cases - Respond: Outbreak Prevention via Mutex Sharing
Diagram: Deep Discovery Inspector/Analyzer → Control Manager → OfficeScan → Endpoints
55. ITR Use Cases - Respond: File Hash Based Blocking
Diagram: Deep Discovery Inspector/Analyzer → Control Manager → Application Control / OfficeScan → Endpoints
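The three sharing slides above (C&C list sharing, suspicious object sharing, file hash based blocking) all describe the same mechanism: one product publishes a list of IPs, URLs, domains and file hashes, the others pull a snapshot of it and match their own traffic and execution events against it. The following is an added example written for this page, not Trend Micro code, covering those three slides at once: a small suspicious-object list that can also ingest indicators from a minimal OpenIOC-style XML fragment (the fragment, its term names and the absence of a namespace are assumed for the demo), and a matcher run over constructed proxy, firewall and endpoint log lines. Network hits produce C&C alerts; a hash hit produces a block. All domains, addresses (documentation ranges) and hashes are constructed.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from urllib.parse import urlparse


class SuspiciousObjects:
    """Local list of suspicious objects that a detection product publishes and
    other products pull. Values are kept per kind (ip, url, domain, sha1)."""

    KINDS = ("ip", "url", "domain", "sha1")

    def __init__(self):
        self._objects = defaultdict(set)

    def add(self, kind, value):
        if kind not in self.KINDS:
            raise ValueError(f"unknown object kind {kind!r}")
        self._objects[kind].add(value if kind == "ip" else value.lower())

    def import_openioc(self, xml_text):
        """Pull indicators out of a minimal OpenIOC-style document (schema subset assumed)."""
        context_to_kind = {"FileItem/Sha1sum": "sha1", "Network/DNS": "domain",
                           "PortItem/remoteIP": "ip", "UrlHistoryItem/URL": "url"}
        for item in ET.fromstring(xml_text).iter("IndicatorItem"):
            kind = context_to_kind.get(item.find("Context").get("search"))
            if kind:
                self.add(kind, item.find("Content").text.strip())

    def snapshot(self):
        """What a subscribing product obtains when it fetches the latest list."""
        return {k: frozenset(v) for k, v in self._objects.items()}


# Constructed OpenIOC-style fragment, as a third-party feed might deliver it.
OPENIOC_SAMPLE = """<ioc id="demo-0001"><definition><Indicator operator="OR">
  <IndicatorItem condition="is"><Context document="UrlHistoryItem" search="UrlHistoryItem/URL"/>
    <Content type="string">http://cfg.bad-example.net/beacon.php</Content></IndicatorItem>
  <IndicatorItem condition="is"><Context document="PortItem" search="PortItem/remoteIP"/>
    <Content type="IP">203.0.113.77</Content></IndicatorItem>
</Indicator></definition></ioc>"""

# Constructed log lines from three products that consume the list.
PROXY_LOG = [
    "2015-06-20T10:01:02Z src=10.0.0.5 method=GET url=http://cfg.bad-example.net/beacon.php status=200",
    "2015-06-20T10:01:09Z src=10.0.0.7 method=GET url=https://docs.example.com/report.pdf status=200",
]
FIREWALL_LOG = [
    "2015-06-20T10:01:03Z src=10.0.0.5 dst=198.51.100.23 dport=443 action=allow",
    "2015-06-20T10:01:11Z src=10.0.0.7 dst=203.0.113.9 dport=443 action=allow",
]
ENDPOINT_LOG = [
    "2015-06-20T10:01:05Z host=WS-17 event=exec path=C:\\Users\\a\\AppData\\Local\\Temp\\svch0st.exe sha1=0123456789abcdef0123456789abcdef01234567",
    "2015-06-20T10:02:40Z host=WS-22 event=exec path=C:\\Windows\\System32\\calc.exe sha1=89abcdef0123456789abcdef0123456789abcdef",
]

FIELD = re.compile(r"(\w+)=(\S+)")


def fields(line):
    return dict(FIELD.findall(line))


def match_line(line, objects):
    """Return (kind, value, action) hits for one log line against a list snapshot.
    A hash hit is blocked (file hash based blocking); network hits are C&C alerts."""
    f = fields(line)
    hits = []
    if "url" in f:
        url = f["url"].lower()
        host = urlparse(url).hostname or ""
        if url in objects.get("url", ()):
            hits.append(("url", url, "alert"))
        if host in objects.get("domain", ()):
            hits.append(("domain", host, "alert"))
    if "dst" in f and f["dst"] in objects.get("ip", ()):
        hits.append(("ip", f["dst"], "alert"))
    if "sha1" in f and f["sha1"].lower() in objects.get("sha1", ()):
        hits.append(("sha1", f["sha1"].lower(), "block"))
    return hits


def scan_logs(lines, objects):
    """(timestamp, hit) for every match across all supplied log lines."""
    return [(line.split()[0], hit) for line in lines for hit in match_line(line, objects)]


def build_list():
    """The list as the publishing product (e.g. a sandbox verdict) would assemble it."""
    objs = SuspiciousObjects()
    objs.add("domain", "cfg.bad-example.net")                           # constructed C&C domain
    objs.add("ip", "198.51.100.23")                                    # constructed C&C address
    objs.add("sha1", "0123456789ABCDEF0123456789abcdef01234567")       # constructed sample hash
    objs.import_openioc(OPENIOC_SAMPLE)
    return objs


if __name__ == "__main__":
    for ts, hit in scan_logs(PROXY_LOG + FIREWALL_LOG + ENDPOINT_LOG, build_list().snapshot()):
        print(ts, hit)
```

Hashes and domains are normalised to lower case on both insert and lookup, so a feed that publishes upper-case hex still matches endpoint logs that report lower-case; IPs are left as-is.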
56. ITR Use Cases – Respond
Suspicious objects can feed into 3rd party products to extend protection:
• Bluecoat
• HP SMS/Tipping Point
• Palo Alto Networks
• IBM XGS
• And Others…
57. ITR Use Cases – Respond: Outbreak Prevention via NSX Security Tagging
• Mechanism: Automatic VM Quarantining
– If Deep Security detects (uncleanable/unblockable) malware (and in 9.5 SP1 also IPS rules)
– Then Deep Security adds an NSX tag to the VM
– VMware NSX adds the VM to a Security Group based on the tag value (dynamic membership)
– This NSX Security Group has firewall settings that isolate the VM to a management network for remediation and to prevent further infections
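The four-step quarantine chain on this slide (detection → tag → dynamic group membership → isolating firewall policy) is modelled below as an added example written for this page; it is a simulation, not NSX or Deep Security code. The tag string `ANTI_VIRUS.VirusFound.threat=high`, the group names, the network names and the rule set are all assumed for the demo. The walkthrough shows a web VM that can reach the application network, loses that access the moment the tag is applied while keeping the management network open for remediation, and regains it once the tag is cleared.

```python
from dataclasses import dataclass, field

# Tag the detection product would set on the VM. The exact string is assumed for this demo.
QUARANTINE_TAG = "ANTI_VIRUS.VirusFound.threat=high"


@dataclass
class VM:
    name: str
    static_groups: set
    tags: set = field(default_factory=set)


# Dynamic security-group membership criteria: a VM is in the group while the predicate holds.
DYNAMIC_GROUPS = {
    "sg-quarantine": lambda vm: QUARANTINE_TAG in vm.tags,
}

# Distributed firewall rules in precedence order: (source group, destination network, action).
RULES = [
    ("sg-quarantine", "mgmt-net", "allow"),   # remediation path stays open
    ("sg-quarantine", "*", "deny"),           # everything else is cut off
    ("sg-web", "app-net", "allow"),
    ("sg-web", "internet", "allow"),
    ("*", "*", "deny"),                       # default deny
]


def groups_of(vm):
    """Static membership plus whatever dynamic criteria currently match."""
    return set(vm.static_groups) | {g for g, crit in DYNAMIC_GROUPS.items() if crit(vm)}


def decide(vm, dst_network):
    """First matching rule wins, as in an ordered firewall policy."""
    groups = groups_of(vm)
    for src, dst, action in RULES:
        if (src == "*" or src in groups) and (dst == "*" or dst == dst_network):
            return action
    return "deny"


def on_detection(vm, cleaned):
    """Detection hook: an event that could not be cleaned or blocked tags the VM for isolation."""
    if not cleaned:
        vm.tags.add(QUARANTINE_TAG)
    return groups_of(vm)


def on_remediated(vm):
    """Clearing the tag drops the VM out of the quarantine group automatically."""
    vm.tags.discard(QUARANTINE_TAG)
    return groups_of(vm)


def walkthrough():
    """Reachability of (app-net, mgmt-net) before, during and after quarantine."""
    web01 = VM("web01", {"sg-web"})
    before = (decide(web01, "app-net"), decide(web01, "mgmt-net"))
    on_detection(web01, cleaned=False)
    during = (decide(web01, "app-net"), decide(web01, "mgmt-net"))
    on_remediated(web01)
    after = (decide(web01, "app-net"), decide(web01, "mgmt-net"))
    return before, during, after


if __name__ == "__main__":
    print(walkthrough())
```

Nothing in the firewall rules is edited during the incident; the only state that changes is the tag on the VM, which is what makes the response automatic and reversible.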
62. Deep Discovery – Custom Defense
Advanced Threat Protection Across the Attack Sequence: Malicious Content, Suspect Communication, Attack Behavior
• 360 degree view
• 80+ protocols across all ports
• Custom Sandboxing – Windows, Android, Mac
• Custom Defense – Gateway, Messaging, Endpoints
• Threat Intelligence across platforms – Windows, Mobile, Mac, Linux
• Security Ecosystem
• SOC in a Box
63. Complete User Protection
Diagram: the capabilities Anti-Malware, Encryption, Application Control, Device Management, Data Loss Prevention and Content Filtering applied across Email & Messaging, Web Access, Device Hopping, Collaboration, Cloud Sync & Sharing, Social Networking and File/Folder & Removable Media, for Employees, IT Admin and Security.
64. Cloud and Data Center Security
Diagram: Anti-Malware, Integrity Monitoring, Encryption, SSL, Intrusion Prevention and Application Scanning across Physical, Virtual, Private Cloud and Public Cloud data centers, serving Data Center Ops and Security.
67. Threat statistics (source: FireEye Advanced Threat Report 2013)
All activity:
• Identified 65M unique cyber security incidents (more than 180K per day on average). Note: We blocked 80B threats targeting our customers.
• Discovered 65M unique malware infections due to ALL activity (almost 180K per day on average)
• Logged over 160 million command-and-control (CnC) communications (more than five every second on average)
APT activity:
• Analyzed 39,504 unique cyber security incidents (more than 100 per day on average)
• Discovered 17,995 unique malware infections due to APT activity (almost 50 per day on average)
• Logged over 22 million command-and-control (CnC) communications (less than one every second on average)
Source: https://www2.fireeye.com/advanced-threat-report-2013.html
72. 6 Billion URLs Processed Daily
Pipeline: User Traffic / Sourcing (CDN vendor) → Rating Server for Known Threats → Unknown & Prefilter → Page Download → Threat Analysis.
Volumes shown: 6 billion/day → 3 billion/day → 300 million/day → 50,000 malicious URL/day; filter rates shown: 50%, 90%, 99.95%.
Trend Micro products / technology: CDN Cache, High Throughput Web Service, Hadoop Cluster, Web Crawling, Machine Learning, Data Mining (Technology / Process / Operation).
Block malicious URL within 15 minutes once it goes online!
73. Endpoint Security -- Consumer Products
Bar chart: average time to protect against new socially engineered malware (2009, 2010, 2014). Vendors shown: Trend Micro, Kaspersky, Norton, McAfee, Norman, F‐Secure, AVG, Panda, ESET; values shown: 5.2 h, 38.0 h, 15.6 h, 7.5 h, 19.6 h, 39.5 h, 46.1 h, 31.9 h, 30.5 h (axis 0 h to 50 h).