HOW THEY’RE GETTING THE DATA OUT OF YOUR NETWORK
Eric Koeppen
IBM X-Force Advanced Research
erkoeppe[at]us[dot]ibm[dot]com
@PorkChop
(v1)
IBM Security Systems | © 2014 IBM Corporation
AGENDA
▪ Introduction
▪ Exfiltration Scenarios
– Advanced Persistent Threat (APT)
– Point of Sale (POS) Malware
– Financial Malware
▪ Conclusion
HOW THEY’RE GETTING THE DATA OUT OF YOUR NETWORK: A SURVEY OF METHODS USED FOR EXFILTRATION OF SENSITIVE DATA, RECOMMENDATIONS FOR DETECTION AND PROTECTION
INTRODUCTION
▪ The initial malware infection is often just the first step.
▪ Stolen data is sent to external servers.
▪ A breach can have disastrous effects:
– Initial loss of revenue
– Damage to the company's brand image
– Loss of customer loyalty
– Loss of competitive advantage (trade secrets)
– Subsequent lawsuits
EXFILTRATION SCENARIOS
ADVANCED PERSISTENT THREAT
▪ Operation ShadyRAT
– Began in 2006 and ran for 5 years
– Targeted over 70 organizations
– Government organizations & private companies
– Multiple infection mechanisms
– Moves laterally through the network
– Novel C2 (often used steganography)
– Petabytes of data
ADVANCED PERSISTENT THREAT
▪ Detecting APT exfiltration tactics
– Data differs for each site
• Data types differ
• Data formats differ
– Various forms of C2
– Initial connection uses a predefined handshake
POINT OF SALE MALWARE
▪ BlackPOS – the Target attack
– Customer data compromised
• 40 million accounts
• PII data for 70 million
– Initial infection by a Trojan
– Periodic memory scraping to collect info
POINT OF SALE MALWARE (SCENARIO 1)
POINT OF SALE MALWARE (SCENARIO 2)
POINT OF SALE MALWARE
▪ Detecting POS malware exfiltration
– Leverages different transport protocols/methods
• HTTP POST, HTTP GET, HTTPS, FTP, SMB/NetBIOS, NFS, etc.
– Data is usually in a known format:
• Track 1 & 2 credit card information
– Various data encoding techniques:
• Some samples use ASCII or uuencoding
• Some samples use minor obfuscation
• Some samples use encryption
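A detection check for the slide above, written here as an added example and not code from the deck: it scans an outbound payload for ISO/IEC 7813 Track 1 and Track 2 records, also after uudecoding the body, and drops candidates that fail the Luhn check. The sample payloads, hostnames and the 4111111111111111 test PAN are constructed.

```python
"""Scan an outbound payload for magnetic-stripe Track 1 / Track 2 records, the
known data format POS malware exfiltrates, including payloads the sample has
uuencoded before sending."""
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# ISO/IEC 7813 track layouts as they appear in scraped process memory:
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")

@dataclass
class TrackHit:
    offset: int        # byte offset in the data that was matched
    track: int         # 1 or 2
    encoding: str      # "plain" or "uuencode"
    pan_masked: str    # first 6 and last 4 digits kept, middle masked
    expiry: str        # YYMM as stored on the stripe

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: drops digit runs that only look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def try_uudecode(payload: bytes) -> Optional[bytes]:
    """Decode a uuencoded body (begin/end framing optional); None when the
    payload is not uuencoded, so the caller scans only the plain bytes."""
    out = bytearray()
    for line in payload.splitlines():
        if not line.strip() or line.strip() == b"`" or line.startswith((b"begin ", b"end")):
            continue
        try:
            out += binascii.a2b_uu(line)
        except binascii.Error:
            return None
    return bytes(out) or None

def scan_payload(payload: bytes) -> List[TrackHit]:
    """Luhn-valid track records in the payload as sent and, when the body
    uudecodes, in the decoded bytes as well."""
    candidates = [("plain", payload)]
    decoded = try_uudecode(payload)
    if decoded is not None:
        candidates.append(("uuencode", decoded))
    hits = []
    for encoding, data in candidates:
        for track, pattern in ((1, TRACK1_RE), (2, TRACK2_RE)):
            for m in pattern.finditer(data):
                pan = m.group(1).decode()
                if not luhn_ok(pan):
                    continue
                expiry = (m.group(3) if track == 1 else m.group(2)).decode()
                hits.append(TrackHit(m.start(), track, encoding, mask_pan(pan), expiry))
    hits.sort(key=lambda h: (h.encoding, h.offset))
    return hits

def _uuencode(data: bytes) -> bytes:
    """Builds the constructed uuencoded sample (45-byte lines, as uuencode does)."""
    return b"".join(binascii.b2a_uu(data[i:i + 45]) for i in range(0, len(data), 45))

# Constructed samples around the 4111111111111111 test PAN and a made-up name,
# plus a decoy whose digits fail the Luhn check.
TRACK1 = b"%B4111111111111111^DOE/JOHN^25121010000000000?"
TRACK2 = b";4111111111111111=25121010000000000?"
DECOY = b";1234567890123456=25121010000000000?"
SAMPLE_PLAIN_POST = (b"POST /gateway/upload.php HTTP/1.1\r\nHost: upload.example.invalid\r\n\r\n"
                     b"data=" + TRACK1 + TRACK2 + DECOY)
SAMPLE_UUENCODED = b"begin 644 dump.txt\n" + _uuencode(TRACK2 + DECOY) + b"`\nend\n"
SAMPLE_BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"

if __name__ == "__main__":
    for name, payload in (("plain", SAMPLE_PLAIN_POST), ("uuencoded", SAMPLE_UUENCODED),
                          ("benign", SAMPLE_BENIGN)):
        print(name, scan_payload(payload))
```

Samples that obfuscate or encrypt the records (the slide's other two encoding classes) defeat this check by design, which is why the deck falls back to traffic-pattern monitoring for them.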
FINANCIAL MALWARE
▪ Zeus Banking Trojan
– Many variants
– Has been around for years
– Gameover Zeus variant has accounted for over $100 million in theft since 2011
– Various techniques:
• Mocks up web pages for stealing bank info
• Parses cookie files for local data-containing files
• Steals digital certificates and local private keys
• Steals FTP client info and mail client settings
• Parses registry keys for valuable information
FINANCIAL MALWARE (SCENARIO 1)
FINANCIAL MALWARE (SCENARIO 2)
FINANCIAL MALWARE
▪ Detecting Zeus Banking Trojan exfiltration
– Authors are constantly updating their techniques
– Payload messages are hashed, signed, and encrypted with RC4
– Can detect the presence of a P2P botnet on the network (Gameover Zeus P2P variant)
• Detect P2P keep-alive messages
CONCLUSION
– Changing landscape
– Detection is based on knowing:
• Which data is being targeted
• What the typical formats for that data are
• How that data is being encoded
– When data is encrypted, monitor traffic patterns
– Common practices can go a long way:
• Monitor logs
• Keep patches up to date
• Lock down acceptable communication
• Educate users
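For the point that encrypted exfiltration leaves only traffic patterns to watch, an added example (not from the deck) that scores constructed flow records per source/destination pair for bulk-upload asymmetry and timer-like beaconing. The CSV flow layout, the hosts and the thresholds are assumptions.

```python
"""Traffic-pattern checks for encrypted exfiltration: when the payload cannot be
inspected, flag per source/destination pair (a) heavy outbound volume with
little return traffic and (b) regularly timed check-ins (beaconing)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

# Thresholds are assumptions for the example; tune against your own baseline.
MIN_BYTES_OUT = 5_000_000   # outbound bytes to one destination in the window
MIN_UPLOAD_RATIO = 10.0     # out:in ratio typical of a bulk upload
MIN_BEACON_FLOWS = 6        # enough connections to judge timing regularity
MAX_INTERVAL_CV = 0.15      # stdev/mean of inter-arrival gaps; low = timer-driven

@dataclass
class Flow:
    ts: float
    src: str
    dst: str
    dport: int
    bytes_out: int
    bytes_in: int

@dataclass
class Finding:
    src: str
    dst: str
    kind: str      # "bulk_upload" or "beaconing"
    detail: str

def parse_flows(text: str) -> List[Flow]:
    """Parse constructed CSV flow records: ts,src,dst,dport,bytes_out,bytes_in."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, b_out, b_in = line.split(",")
        flows.append(Flow(float(ts), src, dst, int(dport), int(b_out), int(b_in)))
    return flows

def interval_cv(timestamps: List[float]) -> Optional[float]:
    """Coefficient of variation of the gaps between consecutive flows."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None

def analyze(flows: List[Flow]) -> List[Finding]:
    by_pair: Dict[Tuple[str, str], List[Flow]] = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
    findings = []
    for (src, dst), fs in sorted(by_pair.items()):
        fs.sort(key=lambda f: f.ts)
        out = sum(f.bytes_out for f in fs)
        ratio = out / max(sum(f.bytes_in for f in fs), 1)
        # (a) Bulk upload: encryption hides the content, not the byte asymmetry.
        if out >= MIN_BYTES_OUT and ratio >= MIN_UPLOAD_RATIO:
            findings.append(Finding(src, dst, "bulk_upload",
                                    f"{out} B out, {ratio:.0f}:1 out/in"))
        # (b) Beaconing: timer-driven check-ins keep near-constant gaps;
        # human-driven browsing does not.
        cv = interval_cv([f.ts for f in fs])
        if len(fs) >= MIN_BEACON_FLOWS and cv is not None and cv <= MAX_INTERVAL_CV:
            findings.append(Finding(src, dst, "beaconing",
                                    f"{len(fs)} flows, interval CV {cv:.3f}"))
    return findings

# Constructed flows: one host browsing, one pushing 9 MB to a single TLS
# endpoint with little coming back, one checking in every ~300 s.
SAMPLE_FLOWS = """
# ts,src,dst,dport,bytes_out,bytes_in
12,10.0.0.5,203.0.113.10,443,800,45000
47,10.0.0.5,203.0.113.10,443,1200,98000
48,10.0.0.5,203.0.113.10,443,600,22000
130,10.0.0.5,203.0.113.10,443,900,310000
410,10.0.0.5,203.0.113.10,443,700,15000
980,10.0.0.5,203.0.113.10,443,500,12000
100,10.0.0.7,198.51.100.20,443,3000000,20000
700,10.0.0.7,198.51.100.20,443,3000000,20000
1300,10.0.0.7,198.51.100.20,443,3000000,20000
0,10.0.0.9,198.51.100.30,443,1200,900
300,10.0.0.9,198.51.100.30,443,1200,900
602,10.0.0.9,198.51.100.30,443,1200,900
899,10.0.0.9,198.51.100.30,443,1200,900
1201,10.0.0.9,198.51.100.30,443,1200,900
1500,10.0.0.9,198.51.100.30,443,1200,900
"""

if __name__ == "__main__":
    for finding in analyze(parse_flows(SAMPLE_FLOWS)):
        print(finding)
```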
Thank You!
Eric Koeppen
IBM X-Force Advanced Research
erkoeppe[at]us[dot]ibm[dot]com
@PorkChop
