Post on 02-Jul-2015
transcript
9:25-10:05 – Room 9
Advanced Persistent Threat: how to navigate between marketing and reality?
Antonio Ieranò
antonio.ierano@ierano.it
APT A Practical Transit-Mapping Service
APT Academy for Power & Transportation
APT Accelerated Pavement Test
APT Accelerated Planning Technique
APT Accelerator Production of Tritium
APT Acquisition Pointing and Tracking
APT Active Process Table
APT Active Pulse Train
APT Adaptive Phase Tracking
APT Address Pass Through
APT Administrative, Professional and Technical (staff)
APT Advanced Package Tool (Linux)
APT Advanced Personnel Testing
APT Advanced Photoscale Technology (Brother)
APT Advanced Pirate Technology
APT Advanced Platform Technology
APT Advanced Plume Treatment
APT Advanced Power Technologies Center (multi-university consortium)
APT Advanced Power Technology (Richardson Electronics)
APT Advanced Predictive Technology
APT Advances in Psychiatric Treatment
APT Air Passenger Tariff
APT Air Passenger Terminal
APT Aircrew Procedures Trainer
APT Alabama Public Television
What does APT mean?
APT Alliance for Photonic Technology
APT Alliance for Productive Technology (insurance, SEMCI)
APT Alliance for Public Technology
APT Alliance of Professional Tattooists
APT All-Purpose Tire
APT American Phone Terrorists
APT American Players Theater (Spring Green, WI)
APT American Pneumatic Tool, Inc. (Gardena, California)
APT American Portable Telecommunications
APT American Public Television
APT Amide Proton Transfer
APT Ammonium Paratungstate (tungsten refining)
APT Analytic Perturbation Theory
APT Annual Planning Table
APT Annular Proton Telescope
APT Antarctic Passenger Terminal (New Zealand)
APT Application Productivity Tool
APT Applied Potential Tomography
APT Aquaculture Production Technology, Ltd (Israel)
APT Arbitrage Pricing Theory
APT Arranged Passenger Transport
APT Artist Pension Trust
APT Asia Pacific Transport Pty Ltd (Australian rail-building consortium)
APT Asia-Pacific Telecommunity
APT Aspirin Provocation Test
APT Asset Protection Trust
APT Associated Pharmacists and Toxicologists
APT Association for Preservation Technology
APT Association for Public Transportation, Inc
APT Association for the Prevention of Torture
APT Association of Pensioneer Trustees
APT Association of Polysomnographic Technologists
APT Association of Professional Tattooists
APT AT&T Pre-Paid Technology (pre-paid long distance, wireless, etc)
APT Atomic Polar Tensor
APT Attached Proton Test (chemistry)
APT Augmented Programming Training
APT Automated Pit Trading
APT Automatic Photometric Telescope
APT Automatic Picture Test
APT Automatic Picture Transmission
APT Automatic Program Tool
APT Automatic Programming of Tools
APT Automatic Public Toilet
APT Automatically Programmed Tool
APT Autorisation Provisoire de Travail (French: Temporary Work Permit)
APT Awaiting Pilot Training (US Air Force)
Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target's posture.
Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives.
Threat means the adversary is not a piece of mindless code. This point is crucial. Some people throw around the term "threat" with reference to malware. If malware had no human attached to it (someone to control the victim, read the stolen data, etc.), then most malware would be of little worry (as long as it didn't degrade or deny data). Rather, the adversary here is a threat because it is organized and funded and motivated. Some people speak of multiple "groups" consisting of dedicated "crews" with various missions.
Advanced Persistent Threat
Political objectives that include continuing to suppress its own population in the name of "stability."
Economic objectives that rely on stealing intellectual property from victims. Such IP can be cloned and sold, studied and underbid in competitive dealings, or fused with local research to produce new products and services more cheaply than the victims.
Technical objectives that further their ability to accomplish their mission. These include gaining access to source code for further exploit development, or learning how defenses work in order to better evade or disrupt them. Most worrying is the thought that intruders could make changes to improve their position and weaken the victim.
Military objectives that include identifying weaknesses that allow inferior military forces to defeat superior military forces.
…
APT Target
"The advanced persistent threat is an adversary with sophisticated levels of expertise and significant resources, which allow it, through the use of multiple attack vectors (such as deception, cyber and physical methods), to create opportunities to achieve its objectives: these typically consist of establishing and extending footholds within the organizations' information technology infrastructure, in order to exfiltrate information on a continuing basis and/or to undermine or impede critical aspects of a mission, program or organization, or to position itself to do so in the future. Moreover, the advanced persistent threat pursues its objectives repeatedly over an extended period of time, adapting to a defender's efforts to resist it, and with the aim of maintaining the level of interaction needed to execute its objectives."
National Institute of Standards and Technology (NIST)
Target definition
…
APT STEPS
Clearly define the target, the goals and the strategy.
An APT requires a target to be identified, as well as the goal of the attack and the overall strategy.
The drivers that lead to an APT differ, and so do the strategies implemented and the goals. Goals and target are interconnected: sometimes we start by choosing a specific aim (money, political activism, espionage) and derive a target and the related goals from it; or we start by choosing a target and define the goals of our attack so as to achieve our aim.
Define the target
• Who I want to target
• Why I want to do so
• …
Define Goals
• I want to obtain this result, so:
• I have to gain access to those resources
• I want to stop those services
• I want to expose those data
• I want to steal something
• …
Define a Strategy
• What are my time constraints?
• What are my resource constraints?
• Will I act alone or with others?
• Will this be a public or silent operation?
• …
APT: Define the target
Target definition
Target analysis
…
APT STEPS
Target analysis
Reconnaissance
OS fingerprinting
Port scanning …
Profiling
…
Target analysis
One of the first steps, once the target has been identified, is to start a profiling activity:
1. Structure (single company, privately held, public, size, …)
2. Public interfaces (web, mailing lists, other sources, …)
3. Activities (what they do, how they do it, why they do it…)
4. Employees
5. Competition
6. Neighborhoods
7. Assets
8. Geography
9. …
Profile the target
Social Engineering
Spear Phishing
Analysis of public data: web, social media, forums, blogs, press, miscellaneous information
…
Physical site analysis
…
Target profiling: tools
Social Engineering
Spear Phishing
DNS
External Network Topology
Port scanning
Service Discovery
Directory Harvesting
O.S. fingerprinting
Network Topology
Route Topology
Vulnerability analysis
…
Target analysis: Reconnaissance
Target definition
Target analysis
Initial entry
…
APT STEPS
The purpose of the first entry is generally to start probing the INTERNAL topology of the system and to find the "docking" points where the attack tools can be deployed.
It also serves to test the defensive systems and the communication channels that can be used.
Initial entry
Test of usable vulnerabilities
Test of attack detection and responses
Definition of multiple cover strategies
Weaponization (first infection)
Exploitation
Topology
…
Initial entry
Target definition
Target analysis
Initial entry
Deployment …
APT STEPS
Infection / entry into the first hosts
The activity can be remote, physical or hybrid.
Remote:
Network hack
Physical:
Insertion of infection-carrying devices on site (USB, network devices…)
Hybrid:
Combination of remote activity and physical deployment
Deployment
Target definition
Target analysis
Initial entry
Deployment Expansion …
APT STEPS
Once the system has been penetrated, different targets start to be attacked. Some of the reasons may be related to:
The need to develop a vulnerability
Cover and testing of defense systems
Collection of topology data
Analysis of credentials and processes
OS fingerprinting
…
Expansion
Infection of target hosts
Lateral movement
Cover and interference actions
Creation of the attack network
…
Expansion
Target definition
Target analysis Initial entry Deployment Expansion Consolidation …
APT STEPS
The consolidation phase consists of finishing the analysis and discovery activities and starting the preparation of the actual attack.
Activation of the attack network
Activation of cover measures (stealthing)
…
Consolidation
Target definition
Target analysis Initial entry Deployment Expansion Consolidation Attack development …
APT STEPS
The attack
Target definition
Target analysis Initial entry Deployment Expansion Consolidation Attack development Cover …
APT STEPS
Cover
Target definition
Target analysis Initial entry Deployment Expansion Consolidation Attack development Cover …
APT attack detection
Not detectable
Partially detectable effects
Detectable (Early External Detection)
Detectable (External Detection)
Detectable (Early Internal Detection)
Detectable (Post Mortem)
Detectable (Internal Detection)
Detectable (Late Internal Detection)
External communication
1. Complicate initial access (firewall, sandbox, anti-malware, DNS and DHCP management, IPS …)
Constantly monitor resources (SIEM deployment, vulnerability assessment, …)
2. Reduce the risk of privilege escalation if an account is compromised (NAC, IAC, DLP, …)
3. Detect compromised accounts and suspicious activity early (SOC, NOC…)
5. Collect information useful for a forensic investigation, so as to determine what damage occurred, when, and by whom
What to do?
APTs are hard to detect. According to the Verizon 2012 Data Breach Investigations Report, 92% of all organizations and 49% of large organizations learned of a security breach because they were informed by an external party.
REMEMBER
Advanced volatile threat
Thank you!
Advanced Persistent Threat: how to navigate between marketing and reality?