4. Innovation at the other side
[Chart: Organizational Risk plotted against Known Threats, listing:]
• Zero-Day Exploits/Vulnerabilities
• Unknown & Polymorphic Malware
• Evasive Command-and-Control
• Lateral Movement
• Changing Application Environment
• SSL Encryption
• Mobile Threats
THE EVOLUTION OF THE ATTACK
7. Evasive Command and Control
WEKBY Attacks use DNS requests
The following commands, with their descriptions, are supported by the malware:
• sifo – Collect victim system information
• drive – List drives on victim machine
• list – List file information for provided directory
• upload – Upload a file to the victim machine
• open – Spawn a command shell
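A slide listing the commands does not show how a defender would notice this kind of traffic. The following is an added example, not code from the original deck or from any vendor product: a small heuristic that reads DNS query log lines and flags a client that repeatedly sends long, high-entropy subdomain labels to one registered domain, which is the pattern that data or commands carried inside DNS requests tend to produce. The log line layout (`timestamp client qtype qname`), the sample lines, the domain `c2-placeholder.example` and the thresholds are all constructed for the example; real logs will need their own parser and tuning.

```python
import math
import re
from collections import defaultdict
from statistics import mean

# Constructed sample DNS query log (not from the original slides).
# Layout assumed for this example: <timestamp> <client-ip> <qtype> <qname>
SAMPLE_DNS_LOG = """\
2016-03-01T10:00:01Z 10.0.0.5 A www.example.com
2016-03-01T10:00:02Z 10.0.0.5 TXT 7a6c8f1e2b3d4a5f6e7c8d9a0b1c2d3e.c2-placeholder.example
2016-03-01T10:00:03Z 10.0.0.5 TXT 9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c.c2-placeholder.example
2016-03-01T10:00:04Z 10.0.0.7 A mail.example.org
2016-03-01T10:00:05Z 10.0.0.5 TXT 0a1b2c3d4e5f60718293a4b5c6d7e8f9.c2-placeholder.example
2016-03-01T10:00:06Z 10.0.0.5 TXT 5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b.c2-placeholder.example
2016-03-01T10:00:07Z 10.0.0.9 A cdn.example.net
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$"
)


def shannon_entropy(text):
    """Bits of entropy per character; ~4.0 for random hex, 0 for 'www'."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the assumed layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def registered_domain(qname):
    """Crude 'registered domain': last two labels (a real tool would use a public-suffix list)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def detect_dns_c2(lines, min_queries=3, min_label_len=20, min_entropy=3.0):
    """Flag (client, domain) pairs whose leftmost labels look like encoded payloads.

    A pair is reported when the client sent at least `min_queries` queries
    and the leftmost labels are, on average, both long and high-entropy.
    Returns a list of finding dicts (empty when nothing is suspicious).
    """
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        labels = rec["qname"].split(".")
        if len(labels) < 3:
            continue  # no subdomain label available to carry encoded data
        leftmost = labels[0]
        key = (rec["client"], registered_domain(rec["qname"]))
        groups[key].append((len(leftmost), shannon_entropy(leftmost), rec["qtype"]))

    findings = []
    for (client, domain), obs in groups.items():
        if len(obs) < min_queries:
            continue
        avg_len = mean(o[0] for o in obs)
        avg_ent = mean(o[1] for o in obs)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            findings.append({
                "client": client,
                "domain": domain,
                "queries": len(obs),
                "avg_label_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
                "qtypes": sorted({o[2] for o in obs}),
            })
    return findings


if __name__ == "__main__":
    for f in detect_dns_c2(SAMPLE_DNS_LOG.splitlines()):
        print(f)
```

Grouping by client and registered domain rather than by full query name is the important design choice: the encoded labels differ on every request, so per-name counting would never accumulate. The length and entropy thresholds are deliberately conservative starting points; CDN and anti-spam lookups also produce long labels, so a production rule would additionally whitelist known services and look at query volume over time.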
10. Hacking Team POCs
Invisibility test
Invisibility test - MacOS (Yosemite) + AVG (silent installer): during the infection everything
was good; a problem occurred just after we configured the MacOS' mail client in order to let
the agent retrieve the emails: just a few seconds after that configuration, an AVG popup
warned about a trojan detection. I closed the popup in time while the customer was
attending Serge's explanation of the received evidences, so the customer didn't see. The
emails were correctly retrieved by the agent, but we didn't have a chance to check what was
the object of the detection (our trojan or what else);
https://wikileaks.org/hackingteam/emails/emailid/19213
17. Zero Days
You don’t need 0days when there are 1000 days in the network
In an unprecedented talk on Thursday at the USENIX Enigma security conference in
San Francisco, Rob Joyce, chief of NSA's Tailored Access Operations (TAO),
downplayed the importance of zero-days and the degree to which nation-state
hackers like those in his unit depend on them.
“I will tell you that persistence and focus will get you in, will achieve that exploitation
without the zero-days,” he continued. “There's so many more vectors that are easier,
less risky and quite often more productive than going down that route.”
27. SSL Encryption
Easy to hide
Dridex activity included SSL traffic to various IP addresses, mostly with example.com SSL
certificates. I also noted an SSL certificate for example.net as shown below:
36. WildFire: Protecting Against The Unknown
[Diagram] Protections developed with in-line enforcement across the attack lifecycle; intelligence correlated across WildFire, Threat Prevention and URL Filtering.
Detect unknown:
§ Malware
§ Exploits
§ Command-and-control
§ DNS queries
§ Malware URLs
Scope: all traffic, SSL encryption, all ports, all commonly exploited file types, 3rd party data
Channels: Web, Email, FTP, SMTP, SMB
Enforcement points: Perimeter, Data center, Endpoint
Sandboxing The Unknown