ZeroAccess Bot is another good example of a multi-vector attack. It has also shown resilience because of the flexible way it uses its CnC component.
First, it really is a Trojan: it is used to download additional malware onto infected machines, which are then put to work on click fraud and bitcoin mining. To stay hidden it uses rootkit techniques; ZeroAccess also infects the Master Boot Record and overwrites a randomly chosen system driver, which gives the cyber-criminal total control of the machine. In addition, it can disable Windows Security Center, leaving the machine with no firewall protection and thus wide open.
In true form for today's cyber-attacks, several attack vectors are used:
1. Social engineering: disguising the dropper as a legitimate file, or including hidden code as an additional payload in an otherwise legitimate executable.
2. Advertising: using click advertising to lure the user; once the ad is clicked, the user is redirected to an infected URL.
3. Affiliates: third parties are hired (paid per install) to install the rootkit.
Microsoft's first takedown efforts were aimed at killing the CnC connection. But not all CnC traffic went to a fixed outbound destination IP: the bots also used a P2P protocol for outbound CnC, so there was no single set of servers to cut off.
Barrier1 stops the ZeroAccess Bot in several ways:
1. Barrier1 carries 5 versions of rootkits that are used for inspection.
2. Barrier1 inspects the payload of all packets.
3. Barrier1 Analytics are applied to the ENTIRE data stream and analyzed as a whole. So, assuming the first CnC communications went to a standard destination with "odd" outbound handshaking and communications, Barrier1 would block, alert, and learn. When the CnC switches to P2P, Barrier1 would already have learned enough from blocking the previous CnC communications to now STOP/BLOCK the P2P version of the CnC. This ability to learn and then apply what was learned would also hold through rapid changes of source IP address across a multinational bot network.
Now Sony's gaming network has been hit again with a DDoS attack. It proves that DDoS attacks are available for hire: a mid-size DDoS attack can be bought for around $100, paid for with a PayPal account.
Time to rethink DDoS.
Regin malware has just been identified. Like most malware, it is not really new; in many cases "new" just means "just found", while in reality the malware has been operating for months or years.
Regin has several aspects that follow earlier malware. Flamer, Weevil, Duqu, Stuxnet, and others were similar: these earlier families introduced the concepts of delivery in stages, backdoors, and customization for specific targets.
There are 5 stages (numbered 0 to 4): the dropper, two loader stages, the kernel framework, and then the payload. A user is tricked into visiting a spoofed version of a well-known web site, and the dropper is installed via the web browser or an application; Yahoo! Instant Messenger has been reported as one origin. The remote access capabilities use features and processes seen years ago in RATs (remote access Trojans): network monitoring, stealing passwords, and overall cyber theft. Regin uses custom-built and modified EVFS (encrypted virtual file system) containers, RC5 encryption, ICMP/ping, commands embedded in HTTP cookies, and custom TCP and UDP protocols.
Barrier1, with its extensive Intelligent Analytics that deal with the entire data flow rather than individual packets, would identify Regin in several ways:
- RATs were identified several years ago. Barrier1 has remembered how they operate and thus would detect and block.
- Barrier1 has already identified, blocked, and learned about Duqu, Stuxnet, Flamer, and Weevil. The attributes Regin shares with them would be identified by the Barrier1 AARE Engine and Analytics.
- Barrier1's extensive library of rootkits would detect the kernel framework.
- Barrier1 inspects the payload and thus would detect abnormal structures, requests, and behavior.
- The Barrier1 AARE Engine and Analytics would be able to detect spoofed web sites, even those that are NOT on any URL blacklist.
- Barrier1's extensive library of protocols would detect RC5 variants, anomalous ICMP pings, and the custom TCP/UDP protocols, which differ from the accepted RFC specifications.
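Two of the channels listed above, ICMP/ping and HTTP cookies, and the point that custom TCP/UDP protocols differ from the RFCs, can be checked with generic protocol-conformance heuristics. The following is an added illustration written for this page; it is not Barrier1 code and not Regin's actual indicators. The ping payload patterns are those of the standard Windows and Linux ping tools, the cookie baseline is learned from constructed known-good requests, and the HTTP check is the RFC 7230 request-line grammar. The thresholds (64-byte / 5-bit ICMP, 2x cookie baseline) and the sample requests are assumptions chosen for the example.

```python
import math
import re
from collections import Counter

# Reference ping payloads (facts about common ping tools, not Regin indicators):
# Windows ping sends the 32-byte pattern "abcdefghijklmnopqrstuvwabcdefghi";
# Linux iputils ping sends an 8-byte timestamp followed by the bytes 0x10..0x37.
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"
LINUX_PING_TAIL = bytes(range(0x10, 0x38))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is fully random, plain text is roughly 4-5, repeated bytes approach 0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def icmp_echo_is_anomalous(payload: bytes) -> bool:
    """An echo payload that is neither tool's default and is large or high-entropy
    is a candidate for data or commands being tunnelled over ICMP (assumed thresholds)."""
    if payload == WINDOWS_PING or payload[8:] == LINUX_PING_TAIL:
        return False
    return len(payload) > 64 or shannon_entropy(payload) > 5.0


COOKIE_RE = re.compile(r"^Cookie:[ \t]*(.*)$", re.IGNORECASE | re.MULTILINE)


def cookie_values(request_text: str):
    """Cookie values from the first Cookie header of a raw HTTP request."""
    m = COOKIE_RE.search(request_text)
    if not m:
        return []
    return [part.strip().partition("=")[2].strip() for part in m.group(1).split(";")]


def learn_cookie_baseline(benign_requests) -> int:
    """Longest cookie value seen in known-good traffic for a site: the learned baseline."""
    return max((len(v) for req in benign_requests for v in cookie_values(req)), default=0)


def cookie_is_anomalous(request_text: str, baseline: int, factor: int = 2) -> bool:
    """A cookie value far longer than anything seen before suggests embedded commands or data."""
    return any(len(v) > factor * max(baseline, 1) for v in cookie_values(request_text))


# RFC 7230 request-line: method SP request-target SP HTTP-version CRLF
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT|PATCH) \S+ HTTP/1\.[01]\r\n"
)


def looks_like_http(payload: bytes) -> bool:
    """True when a TCP payload on a web port actually starts with a well-formed HTTP request."""
    return HTTP_REQUEST_LINE.match(payload) is not None


# Constructed sample traffic (not captured from any real incident).
BENIGN_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: example.com\r\nCookie: sid=abc123; theme=dark\r\n\r\n",
    "GET /a HTTP/1.1\r\nHost: example.com\r\nCookie: sid=def456\r\n\r\n",
]
SUSPECT_REQUEST = "GET / HTTP/1.1\r\nHost: example.com\r\nCookie: sid=" + "A" * 40 + "\r\n\r\n"


def demo():
    """Run each check on one benign and one suspicious sample; returns the verdicts."""
    baseline = learn_cookie_baseline(BENIGN_REQUESTS)
    return {
        "windows_ping": icmp_echo_is_anomalous(WINDOWS_PING),
        "linux_ping": icmp_echo_is_anomalous(b"\x00" * 8 + LINUX_PING_TAIL),
        "odd_ping": icmp_echo_is_anomalous(bytes(range(40))),
        "benign_cookie": cookie_is_anomalous(BENIGN_REQUESTS[0], baseline),
        "suspect_cookie": cookie_is_anomalous(SUSPECT_REQUEST, baseline),
        "real_http": looks_like_http(b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
        "not_http": looks_like_http(b"\x17\x03\x01\x00\x20" + b"\x00" * 32),
    }
```

The cookie check deliberately compares against a learned per-site baseline rather than a fixed length or an entropy cut-off, because legitimate session tokens are themselves random-looking; in production the baseline would be kept per host and the ICMP thresholds tuned on real traffic, since the Linux pattern above only holds for the default iputils payload size.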
The following are threats to cloud infrastructure:
- Data segregation failures and session hijacking
- The multi-tenancy model is a great challenge to privacy
- Storage security depends directly on the cloud service provider's data centers and their practices
- Traditional breach opportunities do not go away
- Malicious users can sniff network packets and gain extensive insight
- Attackers can bypass the application logic and access the databases directly
- Cyber-criminals have learned to move horizontally (laterally) across tenants, which makes multi-tenancy vulnerable
- Check your SLA: do not assume the service provider will be able to support electronic discovery or internal investigations of illegal activity
- What happens if the cloud provider goes out of business?
- Check your SLA: most of the time NONE of an organization's legal and regulatory compliance responsibilities are transferred to the provider when the organization adopts cloud services
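The "data segregation" and "bypass the application logic to access the databases directly" items are the same failure seen from two sides: if the only thing keeping tenant A away from tenant B's rows is application code, anyone who reaches the database, or simply guesses an id, is already past it. The following added example, written for this page rather than taken from it or from any provider, shows the weak query beside the tenant-scoped one on an in-memory SQLite table with constructed rows; the table layout, the tenant names and the idea that the tenant comes from an authenticated session are assumptions.

```python
import sqlite3

# Constructed sample data for two tenants sharing one database (not from the original page).
SEED_ROWS = [
    # (doc_id, tenant_id, title)
    (1, "tenant-a", "payroll Q3"),
    (2, "tenant-b", "merger memo"),
    (3, "tenant-a", "vendor list"),
]


def make_db() -> sqlite3.Connection:
    """In-memory multi-tenant table; every row carries the owning tenant."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        " doc_id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def get_document_vulnerable(conn, doc_id: int):
    """Segregation lives only in the application's idea of which ids belong to the caller.
    The query filters on the client-supplied id alone, so a caller that guesses another
    tenant's doc_id reads it: the database never learned who was asking."""
    return conn.execute(
        "SELECT doc_id, tenant_id, title FROM documents WHERE doc_id = ?", (doc_id,)
    ).fetchone()


def get_document_scoped(conn, session_tenant: str, doc_id: int):
    """The tenant comes from the authenticated session, never from the request, and is
    part of the predicate, so a foreign doc_id simply does not exist for this caller."""
    return conn.execute(
        "SELECT doc_id, tenant_id, title FROM documents WHERE doc_id = ? AND tenant_id = ?",
        (doc_id, session_tenant),
    ).fetchone()


def list_documents_scoped(conn, session_tenant: str):
    """Same rule for listings: tenant_id is always in the WHERE clause."""
    rows = conn.execute(
        "SELECT doc_id FROM documents WHERE tenant_id = ? ORDER BY doc_id", (session_tenant,)
    )
    return [r[0] for r in rows]


def demo():
    """A caller authenticated as tenant-a asks for tenant-b's document 2 through both paths."""
    conn = make_db()
    attacker = "tenant-a"
    return {
        "vulnerable_leak": get_document_vulnerable(conn, 2),   # tenant-b's row comes back
        "scoped_denied": get_document_scoped(conn, attacker, 2),  # None: not visible to tenant-a
        "scoped_own": get_document_scoped(conn, attacker, 1),
        "own_listing": list_documents_scoped(conn, attacker),
    }
```

Scoping every predicate on the session's tenant covers the guessed-id case. For the "direct database access" case the same tenant predicate has to be enforced inside the database itself (row-level security or one database role per tenant on a server DBMS), which SQLite cannot demonstrate; the point of the example is that the tenant must be a condition the database checks, not a convention the application remembers.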
The cyber kill chain was documented to explain how cyber-criminals were getting in. Several years ago the single-vector cyber-attack gave way to a multi-vector approach. The kill chain also represents the sequence of events through which the cyber-criminal accomplishes the goals they set.
These are individual steps. What was not addressed was the rapidly changing, never-before-seen, polymorphic attack. The principles are the same, but the solutions that were put in place each perform their function at a single stage.
The MISSING link was intelligence in real time. The key attributes of intelligence, as defined in Wikipedia, are knowledge, learning, memory, problem solving, and reaction time. Intelligence delivers the ability to learn and remember what each of the steps in the cyber kill chain did. Therefore, with analysis (problem solving) and knowledge of the TOTAL situation, one can react and block with extreme accuracy in real time.
Barrier1 Intelligent Threat Mgmt. goes beyond UTM, NGFW, cloud solutions, and sandboxing
Intelligent Threat Management in Real Time
goes beyond static-analysis and dynamic-analysis sandboxes
Over $7B – $20B per year is being spent on network security. Yet it is being reported that 8,000 to 30,000 new malware exploits are identified per month. Worse, they are getting through the defenses. UTM, NGFW, sandboxes, and cloud security services were supposed to have fixed or stopped the problem, along with the belief that spending a lot of money on these platforms and on extensive vulnerability scans would leave you protected.
History has a clue
Network security developed from a couple of notable fundamentals. The process went like this:
1. Early attacks were singular in nature: they had one attack vector.
2. Defense designs were first to find and identify the cyber-attacks.
3. The identification process consisted of finding someone who had been the recipient of the attack and then scanning that system.
4. Once found, craft a solution and then distribute the fix. This often took weeks to months.
This process was true for viruses, Trojans, bad web sites, and so on. It was the method behind routers using ACL rules and thresholds, firewalls using rules, AV using signatures, web content/URL filtering, IDS using definitions, and the like. That process could take months. As the profit and disruptive motives increased, new vulnerabilities in operating systems, applications, and processes were discovered faster and exploited faster. This ushered in new terms for exploits such as zero-day, malware, bots, mutation, polymorphic, dynamic, automatic, evasive, rapid evolution, APTs, and so on.
The common themes in this evolution of attacks are:
• Sensors: cyber-criminals took some old and some new tools and used them to learn what defenses were in place. These include key loggers, rootkits, threshold-probing techniques, and so on.
• Time compression: new attack types and categories are developed and launched faster.
• Change: once launched, attacks have the ability to change. That could mean a change in responses, clocking, acknowledgements, required responses, ports, destinations, file structure, and so on.
• Intelligent evasion: packing, encryption, changing the required response time, and changing the fingerprints of the code all alter the outcome.
How did the cyber-criminals change?
Cyber-criminals continued to increase their activities. The increased activity compressed the time it took to produce new versions and methods. Second, they turned the cyber-attack structure from a single-vector to a multi-vector approach. Third, cyber-attacks became a process.
These activities are much like modern-day warfare. Cyber-criminals use these steps to learn about their targets, figure out how to get around the defenses, attack, extract the information called for by the objective, and cover their tracks. Over time this process became automated, at speeds that rendered present security solutions useless. Thus, $7B – $30B is spent and cyber-criminals are still getting through.
What is the security gap in today's approaches?
The fundamental security gaps are:
1. Learning: no real-time learning at the edge of the network.
2. Remembering: no one remembers what they found.
3. Analysis: no one is analyzing the entire data stream together, as a whole.
4. Slow reaction: today's network speeds require inspection, analysis, and reaction within microseconds.
5. Automation: humans can no longer analyze fast enough to be effective.
These fundamental requirements are absent in UTM, NGFW, sandboxing, and cloud-based security solutions.
A new category is on the horizon. Some media outlets are calling it the "Breach Detection Market". So what is this, and how would it work? For it to work you have to (A) identify and block the known cyber-attacks and (B) identify and block the never-before-seen cyber-attacks, all in real time.
Using real-time intelligence at the edge of the network is the only way.
More and more malware is being discovered that involves IP and SCADA. BlackEnergy is one of those, and it is another case proving that malware and APTs are a process.
BlackEnergy's capabilities include a custom plug-in architecture for the Trojan; stealing digital certificates and passwords; attacking, and launching attacks from, Cisco routers and other networking devices; targeting ARM and MIPS platforms; launching DDoS attacks; support for a number of protocols such as SMTP, HTTP, and FTP; deleting all system tracking and files related to the malware; and gathering information from USB devices. For CnC it uses a large number of different servers.
Barrier1, with all of its components and its SCADA protocol support, would be able to identify this attack. One of the main reasons is the ability to learn, inspect ALL traffic, and analyze the traffic as a whole: if a DDoS is launched, Barrier1 would learn about its origins and stop that source if it later tried to steal digital certificates. In addition, Barrier1 has various versions of keyloggers on board acting as sensors. If the keylogger sensors detect activity and block it, the key attributes are logged in the onboard database and are thus available immediately (within 12 microseconds) for use in the analytics on the next packet.
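The "learn and remember" behaviour described here for BlackEnergy (a source seen launching a DDoS is stopped when it later tries to steal certificates) and earlier for ZeroAccess (attributes learned while blocking the first CnC are applied to the P2P CnC and to new source addresses) is one mechanism: a memory that is consulted before any detector runs. The following is an added example written for this page, not Barrier1's engine: a small in-memory threat memory fed by a constructed sequence of flow records. The fan-out detector, the 20-peer threshold and the (protocol, port, size bucket) signature are assumptions chosen to make the mechanism visible, not anything the page states about the product.

```python
from collections import defaultdict


def sample_flows():
    """Constructed flow records, one per line as a sensor might emit them (not a real capture).
    Fields: ts (seconds), src, dst, proto, dport, bytes."""
    flows = []
    # 10.0.0.5 fans out small UDP datagrams to 25 distinct external peers on one port (P2P-style CnC)
    for i in range(25):
        flows.append({"ts": float(i), "src": "10.0.0.5", "dst": f"203.0.113.{i + 1}",
                      "proto": "udp", "dport": 40000, "bytes": 80})
    # later the same host tries something unrelated: SMB to an internal server
    flows.append({"ts": 30.0, "src": "10.0.0.5", "dst": "10.0.0.9", "proto": "tcp", "dport": 445, "bytes": 1200})
    # a different host starts the same kind of traffic (new source IP, same behaviour)
    flows.append({"ts": 31.0, "src": "10.0.0.7", "dst": "198.51.100.4", "proto": "udp", "dport": 40000, "bytes": 90})
    # ordinary HTTPS from a third host
    flows.append({"ts": 32.0, "src": "10.0.0.8", "dst": "198.51.100.9", "proto": "tcp", "dport": 443, "bytes": 900})
    return flows


class ThreatMemory:
    """Per-source memory plus learned behavioural signatures, consulted before the detector."""

    def __init__(self, fanout_threshold: int = 20, window: float = 60.0):
        self.fanout_threshold = fanout_threshold
        self.window = window
        self.peers = defaultdict(dict)      # src -> {dst: last_seen_ts}
        self.hostile_sources = {}           # src -> reason it was first blocked
        self.hostile_signatures = {}        # (proto, dport, size bucket) -> reason

    @staticmethod
    def signature(flow):
        """Coarse behavioural fingerprint that survives a change of source address (assumed shape)."""
        return (flow["proto"], flow["dport"], flow["bytes"] // 64)

    def observe(self, flow):
        """Return (verdict, reason) for one flow and update memory as a side effect."""
        src, now, sig = flow["src"], flow["ts"], self.signature(flow)
        # 1. Memory first: a source blocked earlier stays blocked whatever it does next.
        if src in self.hostile_sources:
            return "block", f"remembered source ({self.hostile_sources[src]})"
        # 2. Learned signature: a new source showing already-seen hostile behaviour is blocked on sight.
        if sig in self.hostile_signatures:
            self.hostile_sources[src] = f"matches learned signature {sig}"
            return "block", self.hostile_sources[src]
        # 3. Detector: distinct peers per source inside the window (P2P-style fan-out).
        peers = self.peers[src]
        peers[flow["dst"]] = now
        for stale in [d for d, t in peers.items() if now - t > self.window]:
            del peers[stale]
        if len(peers) >= self.fanout_threshold:
            reason = f"fan-out to {len(peers)} peers on {sig[0]}/{sig[1]}"
            self.hostile_sources[src] = reason        # remember the source ...
            self.hostile_signatures[sig] = reason     # ... and what its traffic looked like
            return "block", reason
        return "allow", ""


def run(flows):
    """Feed flows through one ThreatMemory in order; returns the verdict for each."""
    mem = ThreatMemory()
    return [mem.observe(f) for f in flows]
```

The three verdict paths are the point: the 20th peer trips the detector and is remembered; the later SMB connection from the same host is blocked on memory alone, with no SMB-specific rule; and a fresh source address showing the learned signature is blocked on its first packet. A signature this coarse would also catch benign UDP on the same port, so a real engine would key on richer attributes and age entries out of memory.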
Voxis presents another challenge for POS systems. This one claims to get around Apple Pay, CurrentC, and other systems.
Present fraud-detection systems are limited in their analysis and only block submissions that come from automated systems. Voxis submits fraudulent card transactions with the characteristics of a human sending a payment from a mobile device or PC.
Next, Voxis needs a fraudulent e-commerce site and one merchant account with a payment processor. Don't worry if you do not have a site: Voxis will build one for you. The next step is a stolen identity, which is used to open the account with the processor. Last, any automated payment system will need the CVV number. It can be supplied along with the fraudulent card information or filled in automatically, and Voxis can submit to over 32 different credit card processors.
Barrier1 can identify and stop this attack.
Even the programming language Go (golang), created by Google and used by Dropbox and Sendspace, has been seeing malware written in it since 2012. The malware checks personal folders and uploads documents with common file extensions, and it uses refresh tokens to bypass the storage service's authentication process. This is especially useful information for an attacker; this activity is generally found during the reconnaissance step.
Barrier1 would catch this process through the file structures, the movement of the files, and the lack of an authentication process. All of these have specific attributes that would be added to the database and thus be remembered when the actual cyber-attack takes place.
The Barrier1 Intelligent Threat Management platform has a key element: it learns and remembers.