
Emilio Tonelli

Senior Sales Engineer South Europe


WatchGuard Technologies, Inc.

Advanced Persistent Threats

the new security challenge

Are you protected?


Current Threat Landscape

Global Threat Landscape: Threats Rising!
The Cloud's Becoming Suspect…
Snowden Effect Influences Encryption

Information Security Trends

- Attackers more sophisticated
- Attacks more targeted
- Security's a boardroom conversation
- Mobile attacks increase
- Ransomware is hot
- "You will get breached"
- Internet of Things (IoT)
- Encryption use grows
- Threat Intelligence gains prominence
- Governments more involved
You've Heard the APT Spiel, for Sure

An Advanced Persistent Threat (APT) is a very high-tech, cutting-edge attack leveraged to gain prolonged, stealthy control over a high-value political or business target.

Three APT Attributes:

1. Advanced
2. Persistent
3. Targeted

APTs are Only Nation-State… Right?

These don't affect me, right?
Advanced Threats Timeline

[Timeline figure, 2009–2014, with two tracks: Nation-states / Political and Criminals / Private. Events shown, in the order they appear on the slide: GhostNet, Stuxnet, Duqu, Gauss, Adobe (upper row); Operation Aurora, RSA/Lockheed, Flame, NYTimes, Target (lower row). Each event is annotated with its initial vector (spear phishing, 0day flaws, USB LNK flaw, partner access), its tooling (C&C, PLC rootkit, bank trojan, 0day malware) and its outcome (stolen IP, source and SecureID info, broken centrifuges, espionage, 152M records, 40M CCNs).]


Modern Evasive Malware
Advanced Persistent Threats

How WatchGuard Protects


Advanced Threats Require Defense-in-Depth

Advanced threats, by definition, leverage multiple vectors of attack.

No single defense will protect you completely from computer attacks…

The more layers of security you have, the higher the chance that an additional protection might catch an advanced threat that other layers might miss.

Layers shown:

- Firewall
- Intrusion Prevention System
- AntiVirus
- AntiSpam
- Reputation Services
- APT Protection
Cyber Kill Chain® 3.0 (…the WatchGuard Edition)
Reconnaissance

Delivery

Compromise/Exploit

Infection/Installation

Command and Control (C&C)

Lateral Movement / Pivoting

Objectives/Exfiltration

*Cyber Kill Chain® is an intelligence-driven defense process registered by Lockheed Martin


WatchGuard Breaks the Cyber Kill Chain®

Reconnaissance

Delivery

Compromise/Exploit

Infection/Installation

Command and Control (C&C)

Lateral Movement / Pivoting

Objectives/Exfiltration
APT Techniques Trickle Down

Today, normal criminal malware exploits the same advanced tactics as nation-state APTs. Every organization is at risk of advanced threats!

Zeus copies Stuxnet 0day exploit

Criminals use evasive malware (Cryptolocker)

Zeus uses stolen certificates

Criminal spear phishing

Criminal watering hole attacks


Is Anti-Virus Really Dead?

Traditional antivirus software is best used to combat opportunistic (untargeted) attacks, offering effective and efficient protection following the creation of a signature.

[Chart 1: Opportunistic attacks. Hosts compromised vs. time; the curve rises until the signature becomes available and crosses the threshold of detection. Goal for the cyber miscreant is to maximize slope.]

[Chart 2: "Advanced" phishing. Hosts compromised vs. time; the curve stays below the threshold of detection, and it is unclear whether a signature ever becomes available. Goal for the cyber miscreant is to minimize slope.]

Source: Jeffrey J Guy; Director, Product Management; Bit9/Carbon Black
APT Blocker — How Does it Work (1)

The «legacy» infection process

1 – The attacker builds generic malware to attack a large number of victims. Target: damage to as many hosts as possible.

Malware is distributed using:
- phishing, spear phishing, …
- drive-by download on crowded, generic communities and web services

2 – Once the malware has been recognized, a signature is created and stored into the AV DB; bytecode is then compared against the signatures.

[Diagram labels: attacker, mail, drive-by download, GAV Signature DB (updated)]


APT Blocker — How Does it Work (2)

The «APT» approach: targeted for A

1 – The attacker builds SPECIFIC (targeted), packed (i.e. encrypted) malware to attack A's victim base. Target: leaks/spy/damages A's assets. A can be a company, a pool of targeted victims, …

Malware is distributed using:
- phishing, spear phishing, … to A's users & «relatives»
- drive-by download on communities visited by A's users

2 – The only way we have today to identify these threats is to… launch them! A data hash for the malware is calculated and compared on the cloud, just to check if it has already been found. If not, an array of sandboxes (Lastline) is used to launch the malware and inspect the code and the behaviour of the malware on the victim's system; then it is classified at runtime.

[Diagram labels: attacker, mail, drive-by download for A's victims, sandbox cloud array]
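The two pipelines on slides (1) and (2), modelled as an added example that is not WatchGuard's or Lastline's code: a byte-signature scan first, then a hash lookup against verdicts already seen, then a mock sandbox that observes behaviour once the sample unpacks at runtime. The packing (a one-byte XOR), the behaviour names, the signature DB and the samples are all constructed; the point is that repacking defeats the signature and the hash lookup but not the behavioural verdict.

```python
"""Toy model of signature scan -> hash lookup -> sandbox classification.
Everything here is constructed for illustration; no real product API is used."""
import hashlib

MALICIOUS_BEHAVIOURS = {b"persist_autorun", b"contact_c2", b"encrypt_user_files"}
SIGNATURE_DB = {b"contact_c2"}          # legacy GAV: raw byte patterns of known malware
VERDICT_CACHE: dict[str, str] = {}      # sha256 -> verdict; stands in for the cloud lookup
MALWARE_PAYLOAD = b"persist_autorun;contact_c2"   # constructed "behaviour script"


def pack(payload: bytes, key: int) -> bytes:
    """Stand-in for packing/encryption: a key byte followed by the XOR'd payload."""
    return bytes([key]) + bytes(b ^ key for b in payload)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signature_scan(sample: bytes) -> bool:
    """Legacy GAV step: match the file's raw bytes against stored signatures."""
    return any(sig in sample for sig in SIGNATURE_DB)


def sandbox_detonate(sample: bytes) -> set[bytes]:
    """Mock sandbox: the sample unpacks itself at runtime, exposing its behaviours."""
    if not sample:
        return set()
    key, body = sample[0], sample[1:]
    plain = bytes(b ^ key for b in body)
    return {b for b in plain.split(b";") if b}


def triage(sample: bytes) -> tuple[str, str]:
    """Return (verdict, stage): which layer produced the verdict."""
    if signature_scan(sample):
        return "malicious", "signature"
    digest = sha256(sample)
    if digest in VERDICT_CACHE:            # already seen on the cloud
        return VERDICT_CACHE[digest], "hash-cache"
    behaviours = sandbox_detonate(sample)  # unknown hash: launch it and watch
    verdict = "malicious" if behaviours & MALICIOUS_BEHAVIOURS else "clean"
    VERDICT_CACHE[digest] = verdict         # classified at runtime, cached for next time
    return verdict, "sandbox"


if __name__ == "__main__":
    print(triage(pack(MALWARE_PAYLOAD, 0)))      # unpacked: signature hit
    print(triage(pack(MALWARE_PAYLOAD, 0x5A)))   # packed: only the sandbox sees it
    print(triage(pack(MALWARE_PAYLOAD, 0x5A)))   # same bytes again: hash-cache hit
    print(triage(pack(MALWARE_PAYLOAD, 0x7B)))   # repacked: new hash, sandbox again
```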
That's why APT Blocker fills that security gap!

- Identifies and submits suspicious files to a cloud-based, next-generation, full system emulation sandbox
- Provides real-time threat visibility; protection in minutes, not hours
- Analyzes a comprehensive set of files (Executables, Office documents, PDFs & Android APKs)
- Detects Zero Day Malware
- Scalable; inspects millions of objects at any given time
- Not fooled by evasion
Emilio Tonelli
emilio.tonelli@watchguard.com

Info&Sales: italy@watchguard.com
