
Defense Against Web Threats






Presentation Transcript


  1. Defense Against Web Threats January 14, 2010

  2. Web Evolution (1991-2003 Web 1.0 to 2003-present Web 2.0)
  • Static Pages to Dynamic Pages
  • Dynamic Pages to Interactive Pages
  • Publishing Model to Community Model
  • Single Host Pages to Multi-Host Pages
  • Nice to Have to Must Have

  3. Cyber Crime Evolution
  • Wide-spread, Fast to Targeted
  • Visible, DoS to Invisible
  • Damage/Defacement to Data Collection/Identity
  • Ingenuity/Pride Driven to Profit Driven
  • Amateurs to Professionals

  4. Web Today
  • Dynamic links
  • Multiple sources
  • Frequent updates
  • Vulnerable

  5. Malware – Dynamic Links
  • Popular Web Site Pointers
  • Middle Relay Servers & Link Farms
  • Malware Download Hosts

  6. Changing Environment
  Web Malware:
  • 5X increase from 2007
  • 90% from popular trusted sites
  • Information for profit
  Web 2.0:
  • Today’s toys, tomorrow’s tools
  • Vulnerable new technologies
  More Remote Users:
  • Application performance issues
  • Web malware exposure

  7. Malware Defined
  Specific threats downloaded from web pages without a user’s knowledge, often piggybacking on a user’s trust of a known domain to deliver malware payloads
  Malware Classification:
  • Virus – copies/infects without permission
  • Worm – self-propagating on a network
  • Trojan – destructive program inside a benign application
  • Bot – automated coordination with networked computers
  • Rootkit – subverts control of operating system
  • Spyware – intercepts/controls user’s action with computer
  • Backdoor – covert access to enter undetected (bypass-auth)
  • Downloader – downloads/installs malicious software
  • Adware – automatically displays/downloads ads
  • Ransomware – encrypts individual’s data, demanding ransom
  Objective: Committing online fraud via identity collection
  Source: ENISA Position Paper No.3 – Botnets – The Silent Threat

  8. Mobile Malicious Code (MMC)
  MMC is malicious software obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution by the recipient
  • User is completely unaware of install & execution
  • Delivery via website visit, web email, email, plus attachments
  Examples of mobile code include:
  • Scripts (JavaScript, VBScript)
  • Java applets
  • ActiveX controls
  • Flash animations
  • Shockwave movies (and Xtras)
  • Macros embedded within MS Office documents

  9. Injection Attack Example
  Diagram: Client Web Browsing (Corporate Office, Branch Office, Remote Location) via the Internet to the Super Bowl Site; iframe injection (MMC); XHR to retrieve download; hundreds of infected sources for download (Malware)
  • User visits popular and trusted web site
  • Static URL filtering allows, plus Reputation ratings
  • Injection attack calls malware download host
  • New URL request (XHR) to analyze with cloud service
  • If community watch knows this malware host, it is blocked
  • Malware downloads on to user desktop
  • Inline threat detection at web gateway can block malware
  • Desktop is the last defense, anti-malware active & updated

  10. Halloween Search Attack
  • Halloween-related searches
  • Search results link to a hacked blog page, then redirected to a malware download host
  • User presented with a download file named “search term” + to-play.exe + version number
  • If downloaded, the application executes connections to download more malware
  • No AV programs detected the 102k binary as malware at the time of discovery
  • Expect more search attacks like this during the holidays

  11. “koobface” Facebook Attack
  • Message from friend…
  • “You look so amazing funny on our new video”
  • Click to see video
  • Flash player out of date, please update…
  • Click on <Download>
  • File contains malicious code to infect user
  • Leverages trust model to spread

  12. “conficker” Attack
  • Variant C generates 50K domains per day
  • Overwhelms traditional URL filtering solutions
  • Early April, contacts 32 domains via P2P backup channel
  • Only five domains are registered with payloads
  • Passive defenses requiring updates were too late
  • Defense required “web awareness” and immediate payload analysis from real-time inputs

  13. An Example – Drive-by Download
  Takes advantage of MS’s Data Access Components that allow arbitrary code execution on a user’s computer
  Drive-by Download Steps:
  • Exploit delivered to a user’s browser via an iframe on a compromised web page (an iframe embeds another HTML element)
  • The iframe contains JavaScript to instantiate an ActiveX object that is not normally safe for scripting (MMC elements)
  • The JavaScript makes an XMLHttpRequest (XHR) to retrieve an executable (AJAX in action)
  • ADODB.Stream is used to write the executable to disk (malware)
  • A Shell.Application object is used to launch the newly written executable
  A twenty-line JavaScript can reliably accomplish this sequence of steps to launch any binary
  Layers of obfuscation make analysis/detection complex, e.g. VBScript inside multiple layers of JavaScript
  Source: May ’07 Google Report
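The detection side of slide 13, as an added example that is not part of the presentation: a gateway-style heuristic that scores a fetched page on the co-occurrence of the indicators the slide lists (hidden iframe, ADODB.Stream / Shell.Application instantiation, XHR fetch, unescape/eval obfuscation layers). The weights, threshold and both sample pages are constructed for illustration.

```python
"""Heuristic scanner for the slide-13 drive-by pattern (added example).

Scores a page on the co-occurrence of the indicators the slide lists; a lone
.exe link is not enough to block, several indicators together are.
Weights, threshold and sample pages are assumptions made for this example.
"""
import re

# (name, regex, weight); weights are assumed values for illustration.
INDICATORS = [
    ("hidden_iframe",
     re.compile(r'<iframe[^>]*(?:width|height)\s*=\s*["\']?0\b[^>]*>', re.I), 2),
    ("activex_stream",
     re.compile(r'ActiveXObject\s*\(\s*["\']ADODB\.Stream["\']', re.I), 3),
    ("activex_shell",
     re.compile(r'ActiveXObject\s*\(\s*["\']Shell\.Application["\']', re.I), 3),
    ("xhr_fetch", re.compile(r'XMLHttpRequest|Microsoft\.XMLHTTP', re.I), 1),
    ("exe_reference", re.compile(r'\.exe\b', re.I), 1),
]
# Each unescape()/eval()/fromCharCode() call counts as one obfuscation layer.
OBFUSCATION = re.compile(r'\b(?:unescape|eval|String\.fromCharCode)\s*\(', re.I)

def scan_page(html: str) -> dict:
    """Return indicator hits, obfuscation-layer count and a combined score."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(html)]
    weights = {name: w for name, _, w in INDICATORS}
    layers = len(OBFUSCATION.findall(html))
    score = sum(weights[h] for h in hits) + min(layers, 5)
    return {"hits": hits, "obfuscation_layers": layers, "score": score}

def verdict(html: str, threshold: int = 6) -> str:
    """Block only when several indicators co-occur (threshold is assumed)."""
    return "block" if scan_page(html)["score"] >= threshold else "allow"

# Constructed samples; SUSPECT carries only the indicator strings, no payload.
BENIGN = '<html><body><a href="/downloads/setup.exe">Get installer</a></body></html>'
SUSPECT = ('<html><body><iframe src="http://relay.example/x" width=0 height=0>'
           '</iframe><script>eval(unescape("%76%61%72"));'
           'var s=new ActiveXObject("ADODB.Stream");'
           'var sh=new ActiveXObject("Shell.Application");'
           'var x=new XMLHttpRequest();</script></body></html>')

if __name__ == "__main__":
    for label, page in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, verdict(page), scan_page(page))
```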

  14. Malware Delivery (Internet to Users)
  Open Paths:
  • Popular Web Sites
  • No encryption
  • Visible
  • Examples: iframe injections, SQL injections, DNS poisoning, Phishing
  Hidden Paths:
  • Social Networking
  • Web Mail, P2P & IM
  • SSL traffic
  • Examples: Facebook, MySpace, gmail, Yahoo, Skype, File downloads, Fake updates
  Single Defense?

  15. Malware Detection (Internet to Users)
  Reactive:
  • Inline threat analysis
  • Content filter
  • Desktop defense
  Proactive:
  • Community watch
  • Cloud defenses
  • Filter/Block
  Layered Defenses

  16. Layered Defenses

  17. Layered Defenses
  • Subscription service outlining categorization of web sites
  • Diverse enough to handle multiple languages
  • Manageable category support (more is not always better)
  • Frequent updates
  • Reputation
  • Heuristics
  • Behavior
  • Analysis feedback
  • Signature

  18. Layered Defenses
  • Enforce protection inline and avoid passive deployment
  • See and enforce client and server side
  • It’s not just HTTP: look inside SSL and FTP
  • Network-based antivirus to increase the depth

  19. Layered Defenses
  • Control non-approved actions and protocols
  • Stop spyware effects
  • Control downloadable system files
  • Authenticate valid traffic
  • Detect and enforce valid user agents
  • Enforce Safe-search
  • Control web scripting and active controls
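Slides 17 to 19 as an inline gateway policy, written here as an added example that is not the presentation's own material: each request passes through the category list with reputation (slide 17), the approved user-agent and downloadable-system-file checks (slide 19), and safe-search enforcement by URL rewrite (slide 19). The category feed, agent list, file extensions, reputation scale and the search host's parameter are all assumptions.

```python
"""Inline web-gateway policy for slides 17 to 19 (added example, not the
presentation's). Checks, in order: category list and reputation (slide 17),
approved user agents and downloadable system files (slide 19), and safe-search
enforcement by URL rewrite (slide 19). Feeds, lists and thresholds are assumed.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

BLOCKED_CATEGORIES = {"malware", "phishing"}
MIN_REPUTATION = 40                              # assumed 0-100 scale
APPROVED_AGENTS = ("Mozilla/5.0", "Corp-Updater/")
SYSTEM_FILE_EXT = (".exe", ".dll", ".scr", ".msi")
SEARCH_HOSTS = {"www.google.com": ("safe", "active")}  # host -> (param, value)

# Constructed categorization feed: host -> (category, reputation).
CATEGORIES = {
    "news.example": ("news", 90),
    "relay.example": ("uncategorized", 15),
    "dl.example": ("malware", 5),
    "www.google.com": ("search", 95),
}

def enforce_safe_search(url: str) -> str:
    """Rewrite search-engine URLs so the safe-search parameter is always set."""
    parts = urlsplit(url)
    if parts.hostname not in SEARCH_HOSTS:
        return url
    param, value = SEARCH_HOSTS[parts.hostname]
    query = [(k, v) for k, v in parse_qsl(parts.query) if k != param]
    query.append((param, value))
    return urlunsplit(parts._replace(query=urlencode(query)))

def decide(url: str, user_agent: str):
    """Return (action, detail) for one request; the first failing layer wins."""
    parts = urlsplit(url)
    category, reputation = CATEGORIES.get(parts.hostname, ("uncategorized", 50))
    if category in BLOCKED_CATEGORIES:
        return "block", f"category:{category}"
    if reputation < MIN_REPUTATION:
        return "block", f"reputation:{reputation}"
    if not user_agent.startswith(APPROVED_AGENTS):
        return "block", "user-agent not approved"
    if parts.path.lower().endswith(SYSTEM_FILE_EXT):
        return "block", "downloadable system file"
    rewritten = enforce_safe_search(url)
    return ("rewrite", rewritten) if rewritten != url else ("allow", url)

if __name__ == "__main__":           # constructed request log
    for url, ua in [("http://news.example/story", "Mozilla/5.0 (Windows NT 6.1)"),
                    ("http://relay.example/x", "Mozilla/5.0"),
                    ("http://news.example/tool.exe", "Mozilla/5.0"),
                    ("http://www.google.com/search?q=halloween", "Mozilla/5.0")]:
        print(url, "->", decide(url, ua))
```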

  20. Layered Defenses
  • Ensure that traffic leaving your premises is not a breach
  • Prevent corporate espionage
  • A variety of DLP vendors are out there

  21. Layered Defenses
  • Utilize a feedback mechanism to keep the threat list current
  • Prevents zero-day attacks

  22. In addition to Layered Defenses
  Continue to remember to:
  • Enforce security updates to desktop
  • Practice sound security posture for desktop and mobile users
  • Maintain security infrastructure (Firewall/IPS/IDS, PKI, etc.)
