
  • Exploring Modern Threat Vectors and Trends

    Brian Contos, Director Global Security Strategy and Risk Management, McAfee

    February 2011

  • Insider Threats

    Industrialized Hacking

    Advanced Persistent Threats

  • The Consumerization of IT and Virtualization

    Cloud and Web 2.0

    Uniting Data Protection and Network Security

  • Connected Security Strategy

    Provides open system for 3rd parties

    Provides ability to automate key workflows

    Connects on a platform

    Provides enterprise security

    Provides reputation based security

    Connects security together

    Connects the business to security

    Provides risk based view of security

    Provides situational awareness

  • Your Actions

    Identify the threats most critical to your organization

    Understand key trends in IT

    Define mechanisms for security to enable business priorities

    Select solutions that embrace a connected security framework

    Drive an implementation project to address the above

  • Connected: One Billion Today, 50 Billion by 2020

    Circa        Event/Technology
    20,000 B.C.  Cave paintings
    3,100 B.C.   Sumerian cuneiform markings, the first language-based writing system
    500 B.C.     Pre-Columbian civilizations use paper
    350 B.C.     Greek Ionic alphabet of 24 letters
    1100         Wax seals used to sign documents
    1455         Gutenberg produces printed bibles using movable type
    1755         First comprehensive/authoritative English dictionary
    1800         Library of Congress opens in Washington
    1804         Joseph-Marie Jacquard of France devises an automatic loom
    1822         Charles Babbage builds a prototype of his difference engine
    1837         Samuel Morse develops the telegraph and Morse code
    1877         Photography
    1877         Telephone
    1897         Radio
    1923         Credit cards
    1928         Television
    1931         Telex (antecedent to fax)
    1946         Mobile phones
    1958         ARPA created by President Eisenhower
    1966         ASCII

    Circa        Event/Technology
    1969         ARPANET
    1969         Telnet
    1970         Banking ATMs
    1971         FTP
    1972         Email, C programming language
    1973         TCP/IP work begins (later replaces NCP)
    1979         Xerox introduces Ethernet
    1980         Personal computer
    1982         Lotus 1-2-3
    1983         Cellular technology
    1988         Internet
    1989         Web browser based on HTTP
    1997         Blogs
    1998         Google
    2000         Wikipedia
    2001         iPod
    2003         Social networks
    2004         Podcasting
    2005         YouTube
    2006         Twitter

    Digitization, Access, Dependence: Information Gone Viral

  • Comparative Threat Windows

    Sea: 3,000 B.C. people in the Mediterranean distribute goods by sea; 1,300 B.C. first recorded pirates. Threat window: 1,700 years

    Air: 1859 John Wise carries mail by balloon from Indiana, bound for New York; 1931 first hijacking (Peru). Threat window: 72 years

    Space: 1962 first commercial satellite, just five years after Sputnik. Access and cost have made it a less attractive target

    Cyber: 1969 ARPANET; 1988 commercial use (NSFNET, MCI Mail). Threat window: zero

    Different cultures, international boundaries, complex jurisdiction

  • Motives

    "Why do you rob banks?" Willie "The Actor" Sutton (1901-1980)

    THEN: Curiosity AND Excitement

    NOW: Money AND Politics

  • Insiders

    Anything done unintentionally can also be done intentionally, with greater impact

    Low-tech trumps hi-tech

    Trust & Access

  • Who Are They

    Why hack when you can recruit or plant?

    "It is very important to concentrate on hitting the U.S. economy through all possible means." Osama Bin Laden

  • [Figure: insider data-theft channels; unstructured and structured data leave by downloading, sending, and posting]

  • The Countermeasures

    Executive leadership

    Beyond IT: users & data

    Beyond prevention: augment human intuition

  • Industrial Revolution

    19th century: mass production; automation, efficiency, scalability

  • Old School

    1997 EarthLink & AOL; 2002 eBay; 2003 Amazon, banks, ISPs (grammar)

  • New School

    "If crime didn't pay there'd be no crime." G. Gordon Liddy

    350,000+ apps | 100,000+ apps

  • Malware Continues to Be the Biggest Threat to Enterprises and Consumers

    New pieces of malware per day:

    2007: 16,000

    2008: 29,000

    2009: 46,000

    2010: 60,000

    [Chart: number of malware samples in the McAfee database, quarterly from Q1 2008 to Q3 2010; y-axis 0 to 50,000,000]

  • Botnets By The Numbers

    160,000 systems: 500 Gbps bandwidth

    500,000 systems: 1,500 Gbps bandwidth

    6,400,000 systems: 28 terabits bandwidth, across over 230 countries

  • Industrialized Hacking Maturity Model

    Hacking is a profitable industry: roles, optimization, automation

    "It's not fair and it's not personal; it's just business"

    Value chain: Researching vulnerabilities > Developing exploits > Growing botnets > Exploiting targets > Consuming direct value (i.e. IP, PII, CCN)

    Services: Command & control, malware distribution, phishing & spam, DDoS, blackhat SEO

    Growing botnets and exploiting vulnerabilities; selecting targets via search engines

    Templates & kits; centralized management; service model

  • Black Hat SEO

    2010's Most Dangerous Internet Searches

    60% of popular Google searches yield malicious sites in the first 100 results

    Cameron Diaz, Julia Roberts, Jessica Biel, Gisele Bündchen

  • Rome Is the Mob

    Neptune, Poseidon, Oceanus ... Mister Splashy Pants: 78% of votes

  • Zeus: An Abbreviated Love Story

    Discovered July 2007; more recent versions with over 150 variants

    Doesn't self-propagate; requires spam, phishing, drive-by downloads

    C&C in 196 countries; 2,400 companies impacted; 3.6M PCs in the U.S. alone

    Targeted: email accounts, social networking sites and banking

    Control, steal credentials, transfer funds; Man in the Browser

    Kit: $700-$4,000 USD, plus add-ons & plug-ins at $500-$10,000 USD

    Binary generator to evade detection; copy protection and license keys

    Money mules in the U.S. recruited and paid on commission; create bank accounts using fake documents and phony names; wire funds to Eastern Europe or smuggle cash

    Stole around $70M USD; 100+ arrested across the U.S., U.K., & Ukraine in 2010 on charges of bank fraud & money laundering

    Zitmo (Zeus-in-the-mobile): SMS interception on BlackBerry & Symbian-based phones

  • The Countermeasures

    "The Internet is the first thing that humanity has built that humanity doesn't understand, the largest experiment in anarchy that we have ever had." Eric E. Schmidt, Chairman of the Board and CEO, Google

    Reputation

    Reduce complexity

    Wolverines, not mosquitoes

    Damn the whales, save the plankton

    Anti-social engineering

  • APT

    APT vs. Industrialized Hacking

    Advanced: custom exploits and other mature tools

    Persistent: not a crime of opportunity; they are on a mission

    Threat: they have money and they are motivated

  • APT Maturity Model

    Goals: stealth intrusion, backdoors; sensitive data, monitoring, sabotage; leave no traces

    Actors: nation-states; insiders & ex-employees; unscrupulous competitors; terrorist/activist/criminal organizations

    Motives: political, economic

    Targets: large corporations, critical infrastructure, governments, academic & media

  • Early weapons

    Technology Shifts Advantage

    Circa 323 BC Greeks

    Bronze, Iron, Phalanx

    Fight as a unit

    Circa 120 BC Romans

    Steel, Gladius Sword

    Fight in multiple directions and terrain

  • New weapons, old tactics

    Technology Shifts Advantage

    Circa 1500 Ottoman Empire

    Matchlock musket; armor ineffective

    1st time used in infantry in force

    Circa 1862 American Civil War

    Rifled muskets

    Accurate, mass produced

  • Like taking a knife to a gun fight, almost

    Technology Shifts Advantage

    Today: AK-47

    Simple, Cheap, Reliable

    100,000,000 Made

    Today: Modern Warrior

    Boron Carbide Body Armor

    Night Vision; Robots

    Drones; Satellites

    Prompt Global Strikes < 60 minutes

    Smart Dust (bio, chemical or mechanical)

  • Technology becomes an equalizer, again

    Technology Shifts Advantage

    Cyber weapons: simple, excellent range, inexpensive, anonymous

    Uses: espionage, propaganda, attack

    State & non-state participants

    "God made man, but Samuel Colt made them equal."

  • Estonia, May 2007: three weeks of cyber attacks following the removal of the Bronze Soldier statue

    Russian mafia and Russian sympathizers in Latvia, Ukraine, and the U.S. (80,000 source IP addresses)

    Convergence of Kinetic and Non-Kinetic Warfare

    Georgia, August 2008: kinetic + non-kinetic attacks, where radio station towers were being shot by tanks as DDoS was taking out online capabilities

    Other attacks: 2007 Lithuania, Ukraine; 2009 Kyrgyzstan

  • April 2008: Patriotic DDoS

    CNN reports on Tibet

    5,000 Chinese forums recruit "patriots"; antiCNN.exe

    CNN blocks traffic from .CN; double win

  • Espionage

    "The essence of espionage is access." Allen Dulles, longest-serving director of the CIA (1953-1961)

    2003: Titan Rain

    April 2009: the $300 billion fighter program (F-35), equivalent to about 4,600 tanks; the U.S. has about 8,000

  • Critical Infrastructure Meltdown: There's An App

    According to a CNN interview with economist Scott Borg: a multi-month attack on a small part of the U.S. is equivalent to being hit by about 50 hurricanes at once, with economic damage greater than any modern economy has ever experienced.

    Four zero days

    Stolen encryption; advanced & expensive

    PLC, not SCADA

    DOE/DHS test beds

    Patching... oops

  • The Countermeasures

    "The best poker players walk a tightrope between their business sense and their passion. As professionals, they seek out the most profitable opportunities and control as many factors as possible to create a positive result. As gamblers, they want the risk and excitement of something important on the line with the outcome in the balance." Michael Craig, Full Tilt Poker Blog

    Discover

    Connect

    Assume

    Risk awareness

    Partnerships

  • Trends in IT

  • Consumerization of IT: What

    "Consumerization will force more IT change over the next 10 years than any other trend." Gartner, 2009

  • Consumerization of IT: Why

    Pick Your Metaphor

  • Consumerization of IT: Approach

    Maximize employee flexibility, capabilities while minimizing organizational risk

    Happier and more effective employees with lower procurement costs

    Manage provisioning, revocation, access and control where sensitive data resides

    Mobility management (lock, track, backup, wipe (partial)) | NAC | Virtualization

  • Virtualization: What

    Servers | Endpoints

    Operating Systems | Applications | Profiles

  • Virtualization: Why

    Bring Your Own Computer

    Use of home computer

    Power to the data center (centralization)

    Management efficiencies

    Unmanaged devices used for business-related work

    Minimize hardware footprint/costs

  • Virtualization: Approach

    Data center hardware

    Type 1 hypervisor (bare metal): Citrix | VMware | Microsoft | etc.

    Virtual machines (VMs): Virtual Desktop Image (VDI) VMs alongside a dedicated anti-virus VM, each with its own cache

    Anti-virus VM: Optimization | On-access AV | Management | Reporting | Intelligence

  • Cloud: What

    IaaS | PaaS | SaaS

  • Cloud: Why

    Accelerate ability to use business applications email, CRM

    Leverage infrastructure with greater resources at lower cost

  • Cloud: Approach

    Security FROM the cloud: Security-as-a-Service (SaaS)

    Security IN the cloud: Global Threat Intelligence (GTI)

    Security FOR the cloud: security for the cloud ecosystem

  • Cloud: Approach (Threat Intelligence)

    Global Threat Intelligence spans the entire Internet, including millions of sensors

    Identifies 1 new malicious web server every 60 seconds; 60k new pieces of malware per day; 5M new zombies per month

    Across all threat vectors: network/IPS signatures, malware, vulnerability management, spam, outbound web protection

    Real-time, in-the-cloud threat collection and distribution model

    Provides reputation-based capabilities: 20B mail queries/month; 75B web queries/month

    450+ dedicated researchers in 30+ countries

    [Figure: GTI feeding Desktop, Content, Network, Cloud, Data/DBs, Apps and Management]

    March 4, 2011

  • Web 2.0: What, really

  • If Facebook Was a Country

    Rank  Country    Population      Date of Estimate
    1     China      1,340,950,000   December 2nd 2010
    2     India      1,190,930,000   December 2nd 2010
    3     Facebook     500,000,000   December 2nd 2010
    4     USA          310,829,000   December 2nd 2010
    5     Indonesia    237,556,000   May 10th 2010
    6     Brazil       190,732,000   August 1st 2010

    #1 site on the Internet

    People spend over 700 billion minutes per month on Facebook

  • Web 2.0: Why

    Just saying no doesn't scale and misses business opportunities

    The next generation sees email and traditional web as archaic

  • Web 2.0: Approach

    Leverage application-aware controls

    Control application access, downloads, and posts

    Don't block; manage interactions based on roles, permissions, and business requirements

    Educate users on social engineering and other Web 2.0 attacks
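    The "don't block, manage" approach above comes down to a policy engine that decides per role, application and action, and writes down why. The following is an added example, not McAfee's code or anything from the original deck: a small application-aware policy evaluator with default deny, most-specific-rule-wins, and deny-on-tie. The roles, applications, users and justifications are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

WILD = "*"  # matches any role, application or action


@dataclass(frozen=True)
class Rule:
    role: str      # role name or "*"
    app: str       # application name or "*"
    action: str    # "access", "download", "post" or "*"
    decision: str  # "allow" or "deny"
    reason: str    # business justification, surfaced in the audit log

    def matches(self, roles: Set[str], app: str, action: str) -> bool:
        return ((self.role == WILD or self.role in roles)
                and self.app in (WILD, app)
                and self.action in (WILD, action))

    def specificity(self) -> int:
        # Number of concrete (non-wildcard) fields; more specific rules win.
        return sum(f != WILD for f in (self.role, self.app, self.action))


# Constructed policy for a hypothetical company (assumption, not a real deployment).
RULES: List[Rule] = [
    Rule(WILD, WILD, "access", "allow", "reading social sites is permitted for all staff"),
    Rule(WILD, WILD, "post", "deny", "posting needs an explicit business role"),
    Rule("marketing", "facebook", "post", "allow", "marketing runs the corporate page"),
    Rule("support", "twitter", "post", "allow", "support answers customers on Twitter"),
    Rule(WILD, WILD, "download", "deny", "downloads from Web 2.0 apps are off by default"),
    Rule("it", WILD, "download", "allow", "IT may fetch tools and updates"),
    Rule(WILD, "p2p-filesharing", "download", "deny", "no business requirement"),
]

# Constructed directory: user -> roles.
USERS: Dict[str, Set[str]] = {
    "alice": {"marketing"},
    "bob": {"it"},
    "carol": {"support"},
    "dave": {"staff"},
}


def evaluate(user: str, app: str, action: str,
             rules: List[Rule] = RULES,
             users: Dict[str, Set[str]] = USERS) -> Tuple[str, str]:
    """Return (decision, reason) for one application interaction.

    Default deny for unknown users and unmatched requests; the most specific
    matching rule wins; on a tie between allow and deny, deny wins.
    """
    roles = users.get(user)
    if not roles:
        return "deny", "unknown user"
    candidates = [r for r in rules if r.matches(roles, app, action)]
    if not candidates:
        return "deny", "no matching rule (default deny)"
    top = max(r.specificity() for r in candidates)
    best = [r for r in candidates if r.specificity() == top]
    denies = [r for r in best if r.decision == "deny"]
    chosen = denies[0] if denies else best[0]
    return chosen.decision, chosen.reason


def audit(user: str, app: str, action: str) -> str:
    """One log line per decision, so managing instead of blocking leaves evidence."""
    decision, reason = evaluate(user, app, action)
    return f'user={user} app={app} action={action} decision={decision} reason="{reason}"'


if __name__ == "__main__":
    for req in [("alice", "facebook", "post"), ("dave", "facebook", "post"),
                ("dave", "facebook", "access"), ("bob", "p2p-filesharing", "download"),
                ("bob", "dropbox", "download"), ("mallory", "facebook", "access")]:
        print(audit(*req))
```

    The tie-break matters: IT's blanket download allowance and the p2p-filesharing download ban are equally specific, and the evaluator resolves that collision to deny rather than to whichever rule happens to come first.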

  • Uniting Data Protection and Network Security: What

    Data has value & people want it; network-centric controls alone won't protect it

    Resources are limited; adding more solutions in a silo isn't desirable

    Network controls in parity with data controls represent symbiotic mutualism

  • Uniting Data Protection and Network Security: Why

    Data at rest, in motion, and in use (transactions) must be considered

    Across applications, databases, laptops, mobile phones

    So patterns & anomalies of users interacting with data can be gleaned

  • Uniting Data Protection and Network Security: Approach

    Monitor user behavior

    Protect data across the network and on endpoints from careless and malicious activity

    Achieve enhanced analytics, expansive reporting, accurate alerting and streamlined management

    Address questions such as:

    Where is the data that needs protection?

    Who has access to it?

    What uses is it being put to; for example, is it being copied to insecure locations/devices?

    Who else is involved, what else might be happening, and how long has this been occurring?
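    The four questions above are answerable from data-aware sensor events once content classification and destination reputation are joined per user. The following is an added example and not McAfee's code or part of the original deck: it classifies file content (card numbers validated with the Luhn checksum, which the deck's "CCN" direct-value item calls for, plus an SSN pattern for PII), flags moves to removable media or unsanctioned upload hosts, and correlates who, with whom, and over how long. The events, file contents, hostnames and the approved upload host are all constructed assumptions.

```python
import re
from datetime import datetime
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample events from endpoint and network sensors: who touched which
# file and where it went. Users, hosts, paths and the upload host are invented.
EVENTS = [
    "2011-02-14T09:02:11 user=alice host=lt-017 action=read path=/share/finance/q4.xlsx dest=local",
    "2011-02-14T09:05:40 user=alice host=lt-017 action=copy path=/share/finance/q4.xlsx dest=usb:E:",
    "2011-02-14T09:06:02 user=bob host=lt-022 action=read path=/share/hr/handbook.pdf dest=local",
    "2011-02-15T18:31:09 user=alice host=lt-017 action=upload path=/share/finance/q4.xlsx dest=https://files.example.net/up",
    "2011-02-15T18:33:15 user=carol host=lt-009 action=upload path=/share/finance/q4.xlsx dest=https://files.example.net/up",
    "2011-02-16T08:10:00 user=bob host=lt-022 action=copy path=/share/hr/handbook.pdf dest=usb:F:",
]

# Constructed file contents standing in for what a content-inspection agent would read.
CONTENT = {
    "/share/finance/q4.xlsx": "refund to card 4111111111111111; chargeback 5500000000000004",
    "/share/hr/handbook.pdf": "Welcome aboard. Badge in by 9am and read the handbook.",
}

# Assumption: the one sanctioned corporate upload service.
APPROVED_UPLOAD_HOSTS = {"files.example.com"}

CCN_RE = re.compile(r"\b\d{13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters random digit runs out of card-number matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Label content CCN and/or PII: answers 'where is the data that needs protection?'."""
    labels = set()
    if any(luhn_ok(m) for m in CCN_RE.findall(text)):
        labels.add("CCN")
    if SSN_RE.search(text):
        labels.add("PII")
    return labels


def is_insecure(dest: str) -> bool:
    """Removable media and unsanctioned upload hosts count as insecure destinations."""
    if dest == "local":
        return False
    if dest.startswith("usb:"):
        return True
    if dest.startswith(("http://", "https://")):
        return urlparse(dest).hostname not in APPROVED_UPLOAD_HOSTS
    return True  # unknown channel: treat as insecure


def parse(line: str) -> Dict[str, str]:
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec


def investigate(events: List[str], content: Dict[str, str]) -> Dict[str, dict]:
    """Per sensitive file: who moved it somewhere insecure, with whom, and for how long."""
    findings: Dict[str, dict] = {}
    for rec in map(parse, events):
        labels = classify(content.get(rec["path"], ""))
        if not labels or not is_insecure(rec["dest"]):
            continue
        f = findings.setdefault(rec["path"], {"labels": sorted(labels), "users": set(),
                                              "first": rec["ts"], "last": rec["ts"], "events": 0})
        f["users"].add(rec["user"])
        f["first"] = min(f["first"], rec["ts"])  # ISO timestamps sort lexically
        f["last"] = max(f["last"], rec["ts"])
        f["events"] += 1
    fmt = "%Y-%m-%dT%H:%M:%S"
    for f in findings.values():
        f["users"] = sorted(f["users"])
        f["span_seconds"] = int((datetime.strptime(f["last"], fmt)
                                 - datetime.strptime(f["first"], fmt)).total_seconds())
    return findings


if __name__ == "__main__":
    for path, finding in investigate(EVENTS, CONTENT).items():
        print(path, finding)
```

    On the constructed input the handbook never surfaces (no sensitive content), while the finance sheet produces one finding that names both alice and carol, counts three insecure moves, and spans roughly a day and a half, which is the "who else is involved and how long" answer the slide asks for.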

  • More Information on McAfee
