Professional Documents
Culture Documents
§ Contact
§ Email: sfrei@nsslabs.com
§ Twitter: @stefan_frei

Speaker – Mr. Francisco Artés
§ Professional
§ Research Director @ NSS Labs
§ CSO/CISO – Trace3, Deluxe Entertainment, Electronic Arts
§ Contact
§ Email: frank@nsslabs.com
§ Twitter: @franklyfranc
ABSTRACT
Cybercriminals persistently challenge the security of organizations through the rapid implementation of diverse attack methodologies, state-of-the-art malware, and innovative evasion techniques. In response, organizations deploy and rely on multiple layers of diverse security technologies. This talk examines the attackers' kill chain and the measured effectiveness of typical defense technologies such as Next Generation Firewalls, Intrusion Prevention Systems (IPS), Antivirus/Malware Detection, and browsers' internal protection. Empirical data on the effectiveness of security products, derived from NSS Labs' harsh real-world testing, is presented together with a live demonstration of successful evasion of malware detection. We find a considerable gap in protection levels within and across different security product groups. Using Maltego, complex correlations between undetected exploits, crimeware kits, and affected software vendors and products are demonstrated.
Agenda
Attackers View – Defenders View
Attack Kill Chain – Understanding the Attacker
⌃ Understand the threat and the attackers' motivation & methods
⌃ Assess the effectiveness of layered defenses
Attack Kill Chain – If prevention failed
⌃ Detect & neutralize
The Changing Threat Environment
[Figure: attacker motivation over time (Curiosity, Vandalism, Fame, Personal Gain, Theft; axis labels: Author, Tools). Fastest growing segment: personal gain / theft. Tools created by experts are now used by less-skilled criminals for personal gain.]
[Figure: attack kill chain – step 1, Development: 1. Create malicious tool]
[Figure: layered defenses – Perimeter: Firewall, IPS; Host based: Antivirus, Browser, URL Block; side-channel attack; targets: server, desktop, laptop; on premise / off premise]
Or any of these:
We are doing this:
Wizard-like knowledge… Engineering Workflow ..
§ The same types of attack as used by modern cyber criminals
§ Utilizing multiple commercial, open source and proprietary tools as appropriate
§ More than 1,400 exploits, tested such that
  § a reverse shell is returned, allowing the attacker to execute arbitrary commands
  § a malicious payload is installed
  § a system is rendered unresponsive
Metric – Anti Evasion – Performance 2
§ Three of the six products tested crashed when subjected to our stability tests. This lack of resilience is alarming and indicates the presence of a vulnerability that could be exploited
§ Exploit block rate varies between 77% and 98% (of 1,486 tested)
§ Tuning of the IPS policy makes a difference, up to 50% less protection with default policy
[Chart: Undetected Exploits per IPS product (y-axis 100–400), mean 74 exploits. Products: Tipping Point, PaloAlto PA 5020, SonicWall, McAfee M80000, FortiGate 3240C, Stonesoft 1302, CheckPoint 12600, Sourcefire Virtual, Sourcefire 3D8260, Sourcefire 8120, Sourcefire 8250, IBM GX 7800, McAfee M8000, Juniper IDP 8200]
§ Correlation of undetected exploits between vendors
§ Only a small set of exploits is required to successfully bypass all IPS products
§ Only one combination of different IPS products blocked all exploits
[Chart: Unique exploits undetected by N vendors' IPS products; annotation: three exploits that are undetected by 7 of 10 vendors' IPSs]
Number of IPS vendors     1    2    3    4    5    6    7    8    9   10
Number of exploits      714  244   89   52   29   11    3    0    0    0
¤ End-Point Antivirus
§ AV products differ up to 58% in block performance (of 144 exploits tested)
§ Many products failed to detect exploits over HTTPS that were detected over HTTP
§ Keeping AV up-to-date does not yield adequate protection, still many old exploits remain undetected
[Chart: Percent undetected exploits per AV product (0%–100%): Kaspersky, Avast, Norton, AVG, ESET, Trend Micro, McAfee, Avira, Microsoft, F-Secure, Norman, Panda, Total Defense]
¤ Browser Block Performance
§ Browsers offer the largest attack surface in most enterprise networks
§ Browsers are the most common vector for malware installations
URL Feeds
¤ Browser Block Performance
Safari             5%
Firefox            5%
Chrome            28%
Internet Explorer 94%
[Figure: Maltego graph of undetected exploits. Undetected Exploits: exploits that bypass our defense layers (IPS, NGFW, Antivirus, ..). # undetected exploits = # exploits x targets x availability. Legend: undetected exploits available in Metasploit, Phoenix, Eleonore; undetected by one IPS; undetected by multiple IPS. Bubble size indicates the number of IPS engines not detecting a given exploit.]
Combined Failure Rate
$P_A = 10\%$, $P_B = 10\%$, $P_{A \cap B} = ?$
$P_{A \cap B} = P_A \cdot P_B = 1\%$ (?)
Correlation Fallacy – Rethink your risk assessment
$P_{A \cap B} \neq P_A \cdot P_B$
§ Failures are correlated, they are not independent events
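Added example, not part of the NSS Labs deck or its test data: it runs the slide's arithmetic on a small constructed detection matrix (three hypothetical IPS products, 20 exploits) and shows how the independence assumption understates the combined failure rate when the same exploits slip past several products. It also rebuilds the "undetected by N vendors" histogram from the earlier chart and picks the product combination with the lowest observed joint miss rate. Product names and every pass/fail value are constructed for illustration.

```python
"""Combined failure rate of layered defenses: independence assumption vs. observed data.

Added example (not from the NSS Labs deck). The detection matrix is constructed;
real numbers would come from a lab's per-exploit pass/fail results.
"""
from collections import Counter
from itertools import combinations

# Constructed sample: one row per exploit, one column per hypothetical IPS product.
# 1 = product blocked the exploit, 0 = product missed it.
PRODUCTS = ["IPS-A", "IPS-B", "IPS-C"]
DETECTIONS = [(1, 1, 1)] * 16 + [
    (0, 0, 0),  # missed by all three: the correlated failure
    (0, 0, 1),  # missed by A and B
    (1, 1, 0),  # missed by C only
    (1, 1, 0),  # missed by C only
]


def _col(product):
    return PRODUCTS.index(product)


def miss_rate(product):
    """Fraction of exploits this product failed to block (the slide's P_A, P_B)."""
    i = _col(product)
    return sum(1 for row in DETECTIONS if row[i] == 0) / len(DETECTIONS)


def independent_joint_miss(products):
    """Joint miss rate IF failures were independent: P(A and B) = P(A) * P(B)."""
    rate = 1.0
    for p in products:
        rate *= miss_rate(p)
    return rate


def observed_joint_miss(products):
    """Joint miss rate actually seen: exploits missed by every product in the set."""
    idx = [_col(p) for p in products]
    missed = sum(1 for row in DETECTIONS if all(row[i] == 0 for i in idx))
    return missed / len(DETECTIONS)


def undetected_by_n_vendors():
    """Histogram like the deck's chart: how many exploits are missed by exactly N products."""
    counts = Counter(sum(1 for v in row if v == 0) for row in DETECTIONS)
    return {n: counts.get(n, 0) for n in range(len(PRODUCTS) + 1)}


def best_stack(k):
    """Combination of k products with the lowest observed joint miss rate."""
    return min(combinations(PRODUCTS, k), key=observed_joint_miss)


if __name__ == "__main__":
    for p in PRODUCTS:
        print(f"{p}: miss rate {miss_rate(p):.0%}")
    pair = ["IPS-A", "IPS-B"]
    print(f"A+B assuming independence: {independent_joint_miss(pair):.1%}")
    print(f"A+B observed:              {observed_joint_miss(pair):.1%}")
    print(f"All three observed:        {observed_joint_miss(PRODUCTS):.1%}")
    print("Exploits undetected by N vendors:", undetected_by_n_vendors())
    print("Best two-product stack:", best_stack(2))
```

With this data A and B each miss 10% of exploits, so the independence shortcut predicts a 1% combined miss rate, but both miss the same two exploits, so the observed combined rate is 10%: the 1% figure is the correlation fallacy from the slide. Risk assessments for a layered stack should therefore be built from measured joint results per exploit, not from multiplied per-product rates.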
Thank you
sfrei@nsslabs.com
frank@nsslabs.com
Resources
§ Network Firewall Group Test 2011
https://www.nsslabs.com/reports/network-firewall-group-test-2011 or http://bit.ly/RzLX3a