
Exploit Intelligence Project: intel-driven case study from 2011 (presentation transcript)

2 Introductions @dguido

3 Exploit Intelligence Project
- Intel-driven case study from 2011
- How do we use intel to mitigate a threat?
- What are optimal defenses for mass malware?
- How do crimepacks acquire exploits?
- Is security research being applied by crimepack authors?
- Separate what could happen from what is happening

4 Clear Market Leaders

5 Limited Target Support

6 Low Quality Exploits
Memory Corruption (19):
- Defeated by DEP: 14
- Defeated by ASLR: 17
- Defeated by EMET: 19
Logic Flaws (8):
- No Java in Internet Zone: 4
- No EXEs in PDFs: 1
- No Firefox or FoxIt Reader: 2

7 Developed Elsewhere
DEP Bypasses (5):
- Developed by APT: 3
- Developed by Whitehats: 2
- Developed by Malware Authors: 0
Logic Flaws (8):
- Discovered by APT: 0
- Discovered by Whitehats: 8
- Discovered by Malware Authors: 0

8 Java is a Path Forward
[Diagram of attack paths from "Malicious HTML" to "Shell"; node labels: Google Chrome, IE8, Java, DEP/ASLR Bypass (twice), Sandbox Escape, Integrity Escalation]

9 Derived Optimal Defenses
- Recommended to defend against crimepacks in 2011:
  1. Enable DEP on browser and plugins
  2. Remove Java from Internet Zone
  3. Secure Adobe Reader configuration
  4. Use EMET when possible / where needed
- Then, continue to monitor threat intel for changes…
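The derivation behind slides 6, 7 and 9 (tally which mitigations defeat which exploits in the catalog, then pick the cheapest set that covers them, then watch what is left) as an added worked example. This is not code from the talk: the catalog, the rollout costs and the cost-weighted greedy heuristic are all constructed for illustration, and the heuristic is this example's own rather than the method the author used.

```python
"""Derive a defense plan from an exploit-intel catalog (greedy set cover).
Added example, not the talk's code: the catalog and rollout costs are
CONSTRUCTED sample data, and the cost-weighted greedy heuristic is this
example's own, not the method the talk used."""
from collections import Counter

# (exploit id, vulnerability class, mitigations that defeat it)
CATALOG = [
    ("mc-1", "memory corruption", {"DEP", "ASLR", "EMET"}),
    ("mc-2", "memory corruption", {"DEP", "ASLR", "EMET"}),
    ("mc-3", "memory corruption", {"ASLR", "EMET"}),   # ships a DEP bypass
    ("mc-4", "memory corruption", {"EMET"}),           # bypasses DEP and ASLR
    ("lf-1", "logic flaw", {"No Java in Internet Zone"}),
    ("lf-2", "logic flaw", {"No Java in Internet Zone"}),
    ("lf-3", "logic flaw", {"No EXEs in PDFs"}),
    ("lf-4", "logic flaw", {"No Firefox or FoxIt Reader"}),
]
# Relative rollout cost (constructed): EMET needs per-app testing, ASLR needs
# Vista+ and opt-in binaries, DEP for the browser is a checkbox.
COST = {"DEP": 1, "ASLR": 2, "EMET": 3, "No Java in Internet Zone": 2,
        "No EXEs in PDFs": 1, "No Firefox or FoxIt Reader": 1}

def coverage_table(catalog):
    """Per vulnerability class, how many exploits each single mitigation
    defeats (the 'Defeated by DEP / ASLR / EMET' tally on the slide)."""
    table = {}
    for _, vclass, mits in catalog:
        table.setdefault(vclass, Counter()).update(mits)
    return table

def greedy_plan(catalog, cost=COST):
    """Pick the mitigation that defeats the most still-live exploits per unit
    of cost, repeat until nothing is exploitable. Ties: raw coverage, name."""
    live = {eid: mits for eid, _, mits in catalog}
    plan = []
    while live:
        cov = Counter(m for mits in live.values() for m in mits)
        if not cov:
            break  # what is left has no known mitigation: accept or monitor it
        best = max(cov, key=lambda m: (cov[m] / cost[m], cov[m], m))
        plan.append(best)
        live = {eid: mits for eid, mits in live.items() if best not in mits}
    return plan

def residual_risk(catalog, deployed):
    """Exploits still viable with `deployed` in place: the list to re-check
    when threat intel changes (e.g. a kit adds a bypass for one of them)."""
    return [eid for eid, _, mits in catalog if not mits & set(deployed)]
```

With the constructed data the plan comes out as DEP first, then removing Java from the Internet Zone, then the Reader-side controls, with EMET last for the residual bypass-capable exploits, which is the same ordering the slide recommends.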

10 Where are they now? Crimepacks in 2013

11 Crimepacks in 2013
- Standard desktop builds use DEP/ASLR/Sandboxes
- 2009: Windows XP, IE7, Flash 9, Office 2007, Java 6
- 2013: Windows 7, IE9, Flash 11, Office 2010, Java 7
- Blackhole / Cool, Sweet Orange, and Gong Da
- Have these kits invested in bypassing our new defenses?
- How have crimeware packs dealt with the pressure?

12 The World is Changing
[Chart: Browser Versions, January 2011 – August 2013. Source: StatCounter]

13 Supported Targets

14 Close Encounters of the EIP Kind
Crimepacks acquire capabilities for Windows 7+ through divine intervention

15 Exploit Origins
All memory corruption exploits came from APT campaigns or the VUPEN blog.
All Java exploits came from security researchers:
- Jeroen Frijters
- TELUS Security Labs
- Adam Gowdiak (Security Explorations)
- Stefan Cornelius
- Sami Koivu via ZDI
- Michael Schierl via ZDI
"Whitehats Shrugged"
[Chart with two groups: IE / Flash, Java]

16 Cool Exploit Kit
- Premium version of Blackhole, by the same author
- Launched a $100k bug bounty for improved exploits
- Only offered as a hosted service to prevent source leaks
- As a result, Cool has several unique exploits:
  - CVE-2011-3402: Windows Kernel TTF font (Duqu)
  - CVE-2012-1876: IE 9 (VUPEN Pwn2Own)
  - CVE-2012-0775: Reader 9/10 (self-developed?)
- No privesc included for these targets, relies on payload

17 How did we stack up?
- DEP, remove Java, secure Reader, EMET as necessary
- Safe from all but TTF font exploit w/o patching!
- Systems being deployed now w/o Java are out of reach
- Win7, IE9, Reader X, EMET as necessary
- Mixed messages coming from this data
- Success! We have pushed crimepacks to the margins
- Warning! It is easy to predict if you will get owned

18 The Advanced Persistent Threat
How effective are exploit mitigations against this threat?

19 Aurora et al.
- Highly regarded technical capabilities
- Prolific developers of zero-day exploits
- Original source for many crimepack exploits
- Pioneered “watering hole” attack campaigns
- Notable for successful compromises of Google, Bit9
- Continues to cross paths with Trail of Bits
- Exploit profiled in Assured Exploitation
- Elderwood Exploit Kit dissection and analysis

20 Elderwood
- Think, a “startup” for Aurora to invest in
- Developed several reusable vuln disc / exploit tools
- Requires less-skilled people to operate the tools
- Launch zero-day watering holes on a regular basis
- Released new attacks every ~3 months in 2011/2012
- 4 Internet Explorer, 5 Adobe Flash zero-days
- Dozens of prominent websites compromised (CFR)

21 Quality Exploits?
[Nested diagram; labels: Elderwood, 50% of the time, Flash, Java, and Office plugins available, Internet Explorer 8, All Computers]
Modest exploit mitigations are surprisingly effective!

22 Meet NYU-Poly…

23 … and Davis

24 It’s Easy to Get Better

                    | Elderwood            | NYU-Poly     | Davis
Plugins Required    | Flash, Office, Java  | .NET         | None
Version Support     | IE8 / Win XP         | IE8 / Win7   | IE9 / Win7
Reliability         | ~50%                 | ~95%         | ~99%
Features            | Hardcoded ROP        | Dynamic ROP  |
Time to Develop     | ? (probably 8 hrs)   | ~5 days      | ~10 days
Experience          | Professional         | Amateur      |

25 Reality
- RSA – phishing email with malicious Excel doc
- Exploited Flash vuln no longer viable in IE
- Google – IE6 in remote office to total control of Gmail
- They found the ONE guy in Google using IE6
- Amateurs push as hard as they can. Professionals push as hard as they have to.
- Rapid discovery and shift to low cost attack vectors

26 APT Discoveries
- Maybe we should try to make protections that cannot be bypassed by CS undergrads with 40 hrs of training?
- We need to push harder since the professional bad guys can own things without caring about mitigations
- APT can get better, we know they will, but is it prudent not to act just because you know they will respond?

27 Taming the Tiger
Use the Kill Chain and Courses of Action the way they were intended

28 Variety of Approaches
or “An APT breached my network despite my $750,000 IPS and $2,000,000 SIEM. What other vendor products should I buy to protect myself?” –Jerkface

29 External Exposure

30 Phishing Resistance
“99% of the security breaches it investigated in 2012 started with a targeted spearphishing attack.” –Mandiant
“If you go from 35 to 12% on fire, you’re still on fire.” –Zane Lackey

31 Exploitability

32 Final Conclusions
- Let’s make defenses that bored undergrads can’t take out in one semester, that would be cool!
- Let’s build things that help understand your adversary’s capability and intent.
- Let’s use the defenses we have. They work, and they work against the people you care about.
- Thanks Andrew Ruef and Hal Brodigan!

33 References
- Contagio: An Overview of Exploit Packs (URL truncated: exploit-packs-update.html)
- Elderwood Kit Analysis (URL truncated: department-of-labor-hack/)
- Detecting Targeted Malicious Email (URL truncated: content/uploads/ 1-dissertation.pdf)
