Post on 19-Oct-2014
Company Confidential
Advanced Threat Lifecycles
Greg Foss
OSCP, GPEN, GWAPT, GCIH, CEH
Senior Security Research Engineer
LogRhythm Labs - Threat Intelligence Team
What are ‘Advanced Threats’?
• Advanced Persistent Threats
  • Able to develop and/or leverage sophisticated techniques in pursuit of their target objective, from reconnaissance to data exfiltration.
  • Will leverage the full spectrum of attack vectors – social, technical, physical, etc.
  • Highly organized, highly motivated, highly resourced.
  • Willing to invest significant time and resources to compromise.
• Organized Cyber Crime
  • Operate through anonymity, utilize the ‘darknet’ and TOR to share information and communicate.
  • Purchase malware and/or access to systems to influence the theft of funds in the form of Credit Cards, Social Security Numbers, Bitcoins, and anything else of monetary value.
  • Extremely resourceful and able to leverage unique attack vectors to compromise merchant networks and exfiltrate valuable data.
It’s when, not if…
• Mission Oriented
• Persistent and Driven
• Patient and Methodical
• Focus on exponential ROI
• Emphasis on high Intellectual Property Value Targets
• They will get in…
Image: http://postfiles10.naver.net/20120823_137/ahranta1_1345681933371Je4vd_JPEG/Target.jpg
How are they getting in?
• Phishing
  • 91% of ‘advanced’ attacks begin with a phishing email
    • http://www.infosecurity-magazine.com/view/29562/91-of-apt-attacks-start-with-a-spearphishing-email/
  • “Breaches, malware to cost $491 billion in 2014”
    • http://www.scmagazine.com/breaches-malware-to-cost-491-billion-in-2014-study-says/article/339167/
Client-Side Exploits – Discovered Daily
Heartbleed…
• “[…] there have been real-world reports of sophisticated attackers bypassing two-factor authentication in OpenSSL-based VPNs in order to gain access to corporate networks by stealing Session IDs using the Heartbleed vulnerability.”
  • Tom Cross -- Director of Security Research, Lancope
  • http://www.itbusinessedge.com/slideshows/how-heartbleed-is-changing-security-06.html
Defense in Depth
Spear Phishing
Spear Phishing Attack -- Log Traces
What happens once they get in?
• Maintain Access…
Image: http://www.netresec.com/images/back_door_open_300x200.png
Then?
• *Nothing…
• For a long time…
Attackers Go Unnoticed…
Image created at: https://imgflip.com/
Beaconing
• Once infected, the beachhead will beacon periodically
Behavioral Analytics
• Beaconing activity – usually initiated over port 443, or as an encrypted tunnel over port 80.
• Can be detected with a Web Proxy capable of decrypting SSL traffic.
• Behavioral analytics can be utilized to differentiate normal browsing activity from possible evidence of an infected host.
  • Using a SIEM, track the unique websites usually visited, and the overall volume of normal web activity, on a per-user and a per-host basis.
  • Watch for changes within a short period of time.
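An added example, not from the deck, of the per-host analytics the slide describes, run over constructed proxy log lines: it flags a source/destination pair contacted at near-constant intervals (the beacon), and counts distinct destinations per host so a sudden jump against that host's usual figure can be alerted on. The log format, host names and destinations are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines: "<ISO timestamp> <source host> <destination> <bytes>"
PROXY_LOG = """\
2014-10-19T09:00:00 ws-17 cdn.example-news.test 48211
2014-10-19T09:00:05 ws-17 cdn.example-news.test 9930
2014-10-19T09:00:12 ws-17 updates.c2-example.test 512
2014-10-19T09:05:11 ws-17 updates.c2-example.test 515
2014-10-19T09:10:13 ws-17 updates.c2-example.test 509
2014-10-19T09:15:12 ws-17 updates.c2-example.test 514
2014-10-19T09:20:10 ws-17 updates.c2-example.test 511
2014-10-19T09:03:40 ws-22 mail.example.test 120000
2014-10-19T09:47:02 ws-22 docs.example.test 3400
2014-10-19T10:30:00 ws-22 mail.example.test 80000
"""

def parse(log):
    """Turn raw lines into (timestamp, src, dst, bytes) tuples."""
    rows = []
    for line in log.splitlines():
        ts, src, dst, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return rows

def find_beacons(rows, min_hits=5, max_cv=0.1):
    """Flag (src, dst) pairs contacted at near-constant intervals: cv = stdev/mean
    of the request gaps is high for bursty human browsing and near zero for a
    low-jitter beacon. Returns flagged pairs -> rounded mean interval (seconds)."""
    times = defaultdict(list)
    for ts, src, dst, _ in rows:
        times[(src, dst)].append(ts)
    beacons = {}
    for pair, seen in times.items():
        if len(seen) < min_hits:
            continue
        seen.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(seen, seen[1:])]
        if pstdev(gaps) / mean(gaps) <= max_cv:
            beacons[pair] = round(mean(gaps))
    return beacons

def unique_destinations(rows):
    """Distinct destinations per host: the per-host figure to baseline in the SIEM."""
    seen = defaultdict(set)
    for _, src, dst, _ in rows:
        seen[src].add(dst)
    return {src: len(dsts) for src, dsts in seen.items()}
```

Real beacons add jitter and sleep, so in practice the cv threshold is loosened and the window extended to hours or days; the two counters above are the inputs, not the whole model.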
Reconnaissance & Service Enumeration
• Host Discovery
  • Ping sweeps
  • Sweep for specific services / scan single hosts
  • Slowly, attempting to avoid unnecessary attention…
• Accessing network shares, web apps, and services
Image: http://macheads101.com/pages/pics/download_pics/mac/portscan.png
Reconnaissance Log Traces
• Internal reconnaissance looks very similar to activities seen on the perimeter…
  • Port Scans / Sweeps
  • ‘Odd Traffic’ and honeypot file access
  • Modification of user and/or file and/or group permissions
  • VPN logins / attempts from disparate geographical locations
Lateral Movement
• Dump System Hashes
  • Maybe crack them, maybe they don’t need to…
• Use Pass the Hash (PtH)
  • Now featuring Remote Desktop!
  • http://www.kali.org/penetration-testing/passing-hash-remote-desktop/
• Dump plain text password Hashes
  • Mimikatz -- FTW!
• Act as an internal employee -- use legitimate means to access resources.
Lateral Movement Log Traces
• Microsoft’s granular Event Identification schema (EVID), in conjunction with environment information, provides analysts with plenty of information to track attackers once they have breached the perimeter.
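An added example, not from the deck, of one correlation an analyst can run on the EVID data the slide refers to: constructed Windows Security records for successful logons (EVID 4624) are grouped by account and source address, and an account whose network logons (logon type 3) reach many distinct hosts inside a short window is flagged, with NTLM network logons listed separately. The records, account names, hosts and addresses are constructed; the event ID and logon type values are the standard Windows ones.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: (time, EVID, account, logon type, source IP, target host, auth package).
# EVID 4624 = successful logon; logon type 3 = network logon (admin shares, SMB, WMI).
EVENTS = [
    ("2014-10-19T08:58:00", 4624, "CORP\\jsmith", 2, "10.0.8.3", "WS-22", "Kerberos"),
    ("2014-10-19T09:00:10", 4624, "CORP\\jsmith", 3, "10.0.8.3", "FS01", "Kerberos"),
    ("2014-10-19T13:02:10", 4624, "CORP\\svc-backup", 3, "10.0.5.17", "FS01", "NTLM"),
    ("2014-10-19T13:02:41", 4624, "CORP\\svc-backup", 3, "10.0.5.17", "FS02", "NTLM"),
    ("2014-10-19T13:03:15", 4624, "CORP\\svc-backup", 3, "10.0.5.17", "DC01", "NTLM"),
    ("2014-10-19T13:04:02", 4624, "CORP\\svc-backup", 3, "10.0.5.17", "WEB01", "NTLM"),
    ("2014-10-19T13:30:00", 4624, "CORP\\admin-ops", 3, "10.0.5.17", "DC01", "Kerberos"),
    ("2014-10-19T15:00:00", 4624, "CORP\\svc-backup", 3, "10.0.5.17", "FS01", "NTLM"),
    ("2014-10-19T16:12:33", 4624, "CORP\\jsmith", 3, "10.0.8.3", "FS01", "Kerberos"),
]

def parse_events(records):
    """Convert the timestamp field so the records can be compared in time."""
    return [(datetime.fromisoformat(t), evid, acct, ltype, src, host, pkg)
            for t, evid, acct, ltype, src, host, pkg in records]

def network_logon_fanout(events, window=timedelta(minutes=10), min_hosts=4):
    """Flag (account, source IP) pairs whose type-3 logons reach at least
    min_hosts distinct hosts inside any window-sized span. One workstation
    touching many servers within minutes is how pass-the-hash movement shows
    up in the logs; users and most service accounts do not behave this way."""
    by_actor = defaultdict(list)
    for ts, evid, acct, ltype, src, host, _ in events:
        if evid == 4624 and ltype == 3:
            by_actor[(acct, src)].append((ts, host))
    flagged = {}
    for actor, logons in by_actor.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for ts, h in logons[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                flagged[actor] = sorted(hosts)
                break
    return flagged

def ntlm_network_logons(events):
    """Accounts performing NTLM network logons; in a Kerberos domain these are
    the sessions to review first, since PtH rides on NTLM."""
    return sorted({acct for _, evid, acct, ltype, _, _, pkg in events
                   if evid == 4624 and ltype == 3 and pkg == "NTLM"})
```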
Source: https://twitter.com/markrussinovich/status/439788234587922432
Passive Traffic Analysis
• Analyze / capture anything that comes across the wire
Image: http://media2.intoday.in/indiatoday/images/stories//2013december/cyber_security-650_122913095343.gif
Identify Key Resources
• Domain Controllers
• Vulnerable Services
• File Shares
• Intellectual Property
• Business Leaders – CEO, CIO, CFO, CMO, etc.
• Administrative Assistants
Image: http://www.mobilemarketingwatch.com/wordpress/wp-content/uploads/2011/07/Top-Secret-Tip-To-Pick-SMS-Keyword.jpeg
Data Exfiltration
• Target data identified, gathered, and moved out of the environment.
• Data is normally leaked in a ‘hidden’ or modified format; rarely is the actual document extracted.
• Emails and Employee PII
• Intellectual Property
• Trade Secrets
Image: http://www.csee.umbc.edu/wp-content/uploads/2013/04/ex.jpg
Catch Data Exfiltration and File Access
• Set granular restrictions on sensitive files and directories to specific groups or individuals; alert on any abnormal file access / read / write / etc.
• ICMP Tunneling
• Non-SSL over ports 443 / 8443, encrypted TCP over ports 80 / 8080
• SCP / FTP(S) transfers to external hosts
• Abnormal web server activity, newly created files, etc.
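An added example, not from the deck, of a first-bytes check for three of the channels listed above: non-SSL data on 443/8443, high-entropy non-HTTP data on 80/8080, and oversized or high-entropy ICMP payloads. The sample payloads are constructed, and the entropy and size thresholds are illustrative starting points rather than tuned values.

```python
import math
from collections import Counter

HTTP_TOKENS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"HTTP/1.")

# Constructed payloads. TLS_HELLO is the start of a real-shaped TLS record:
# content type 0x16 (handshake), version 3.1, length, then handshake type 0x01.
TLS_HELLO = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + b"\x11" * 32
SSH_BANNER = b"SSH-2.0-OpenSSH_6.6p1\r\n"
HTTP_GET = b"GET / HTTP/1.1\r\nHost: intranet.example.test\r\n\r\n"
PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"   # classic 32-byte echo payload
OPAQUE = bytes(range(256))                          # stands in for encrypted data

def entropy(data):
    """Shannon entropy in bits per byte; encrypted or compressed data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_tls(payload):
    """A client's first bytes on a TLS port should be a handshake record
    (0x16, version 0x03 0x00..0x03) carrying a ClientHello (type 0x01)."""
    return (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x03 and payload[5] == 0x01)

def classify(proto, dst_port, payload):
    """Return the reasons (possibly none) a flow's first bytes match one of
    the covert channels on the slide."""
    reasons = []
    if proto == "tcp" and dst_port in (443, 8443) and not looks_like_tls(payload):
        reasons.append("non-TLS data on a TLS port")
    if proto == "tcp" and dst_port in (80, 8080) and not payload.startswith(HTTP_TOKENS):
        if entropy(payload) > 7.0:
            reasons.append("high-entropy non-HTTP data on an HTTP port")
    if proto == "icmp" and (len(payload) > 64 or entropy(payload) > 6.0):
        reasons.append("oversized or high-entropy ICMP payload")
    return reasons
```

The same header check is what a proxy doing SSL interception relies on before it can decrypt anything; a flow that fails it on 443 is either a protocol violation worth a look or a tunnel.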
Lateral Movement – Attack Detection
[ demo ]
Closing Thoughts
• Don’t be hard on the outside, soft and chewy on the inside… Monitor internal activity closely.
• Implement Layer 3 (network) Segmentation and Least User Privilege.
• Understand your environment and log data.
• Actively alert on and respond to lateral movement and reconnaissance observed within your environment.
• The earlier you can detect attackers the better…
• They will get in… How will you react?
SIEM 2.0 | See what you’re missing