9:25-10:05 – Sala 9

Advanced Persistent Threat: come muoversi tra il marketing e la realtà?

Advanced Persistent Threat: come muoversi tra il marketing e la realtà?

Antonio Ieranòantonio.ierano@ierano.it

APT A Practical Transit-Mapping Service

APT Academy for Power & Transportation

APT Accelerated Pavement Test

APT Accelerated Planning Technique

APT Accelerator Production of Tritium

APT Acquisition Pointing and Tracking

APT Active Process Table

APT Active Pulse Train

APT Adaptive Phase Tracking

APT Address Pass Through

APT Administrative, Professional and Technical (staff)

APT Advanced Package Tool (Linux)

APT Advanced Personnel Testing

APT Advanced Photoscale Technology (Brother)

APT Advanced Pirate Technology

APT Advanced Platform Technology

APT Advanced Plume Treatment

APT Advanced Power Technologies Center (multi-university consortium)

APT Advanced Power Technology (Richardson Electronics)

APT Advanced Predictive Technology

APT Advances in Psychiatric Treatment

APT Air Passenger Tariff

APT Air Passenger Terminal

APT Aircrew Procedures Trainer

APT Alabama Public Television

APT significa?APT Alliance for Photonic Technology

APT Alliance for Productive Technology (insurance, SEMCI)

APT Alliance for Public Technology

APT Alliance of Professional Tattooists

APT All-Purpose Tire

APT American Phone Terrorists

APT American Players Theater (Spring Green, WI)

APT American Pneumatic Tool, Inc. (Gardena, California)

APT American Portable Telecommunications

APT American Public Television

APT Amide Proton Transfer

APT Ammonium Paratungstate (tungsten refining)

APT Analytic Perturbation Theory

APT Annual Planning Table

APT Annular Proton Telescope

APT Antarctic Passenger Terminal (New Zealand)

APT Application Productivity Tool

APT Applied Potential Tomography

APT Aquaculture Production Technology, Ltd (Israel)

APT Arbitrage Pricing Theory

APT Arranged Passenger Transport

APT Artist Pension Trust

APT Asia Pacific Transport Pty Ltd (Australian rail-building consortium)

APT Asia-Pacific Telecommunity

APT Aspirin Provocation Test

APT Asset Protection Trust

APT Associated Pharmacists and Toxicologists

APT Association for Preservation Technology

APT Association for Public Transportation, Inc

APT Association for the Prevention of Torture

APT Association of Pensioneer Trustees

APT Association of Polysomnographic Technologists

APT Association of Professional Tattooists

APT AT&T Pre-Paid Technology (pre-paid long distance, wireless, etc)

APT Atomic Polar Tensor

APT Attached Proton Test (chemistry)

APT Augmented Programming Training

APT Automated Pit Trading

APT Automatic Photometric Telescope

APT Automatic Picture Test

APT Automatic Picture Transmission

APT Automatic Program Tool

APT Automatic Programming of Tools

APT Automatic Public Toilet

APT Automatically Programmed Tool

APT Autorisation Provisoire de Travail (French: Temporary Work Permit)

APT Awaiting Pilot Training (US Air Force)

Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target's posture.

Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives.

Threat means the adversary is not a piece of mindless code. This point is crucial. Some people throw around the term "threat" with reference to malware. If malware had no human attached to it (someone to control the victim, read the stolen data, etc.), then most malware would be of little worry (as long as it didn't degrade or deny data). Rather, the adversary here is a threat because it is organized and funded and motivated. Some people speak of multiple "groups" consisting of dedicated "crews" with various missions.

Advanced Persistent Threat

Political objectives that include continuing to suppress its own population in the name of "stability."

Economic objectives that rely on stealing intellectual property from victims. Such IP can be cloned and sold, studied and underbid in competitive dealings, or fused with local research to produce new products and services more cheaply than the victims.

Technical objectives that further their ability to accomplish their mission. These include gaining access to source code for further exploit development, or learning how defenses work in order to better evade or disrupt them. Most worringly is the thought that intruders could make changes to improve their position and weaken the victim.

Military objectives that include identifying weaknesses that allow inferior military forces to defeat superior military forces.

…

APT Target

"La minaccia avanzata persistente è un avversario con livelli sofisticati di competenza e risorse significative, che gli consentono, attraverso l'utilizzo di vettori di attacco multipli (come frode e metodi informatici e fisici), di generare opportunità per raggiungere i propri obiettivi: questi consistono

tipicamente nello stabilire e ampliare punti di appoggio all'interno dell'infrastruttura informatica delle organizzazioni, allo scopo di derivarne informazioni in modo continuativo e/o di compromettere o ostacolare aspetti critici di una missione, programma o organizzazione, o di mettersi in condizione di farlo in futuro. Inoltre, la minaccia avanzata persistente persegue i propri obiettivi ripetutamente per un periodo di tempo prolungato, adattandosi agli sforzi di un difensore per resisterle, e con lo scopo di mantenere il livello di interazione necessario per eseguire i propri obiettivi".

National Institute of Standards and Technology (NIST)

Definizione bersaglio

…

APT STEPS

Definire chiaramente target, goals e strategy.

An APT require a target to be identified, as well the goal of the attack and the overall strategy.

The drivers that lead to an APT are different so the strategies implemented and goals. Goals and target are interconencted, sometimes we can start choosing a specific aim (money, political acktivism, espionage) and as a consequence a target and relative goals or we can start choosing a target and define the goalsof our attack to achieve our aim.

Definire il bersaglio

Define a target

• Who I want to target

• Why I want to do so

• …

Define Goals

• I want to obtainthis result so:

• I have to gain access to thoseresources

• I want to stop those services

• I want to explosethose data

• I want to stole something

• …

Define a Strategy

• What are my time constrains?

• What are myresourceconstrains?

• Will I act alone or with others?

• Will this be a public or silentoperation?

• …

APT: Definire il bersaglio

Definizione bersaglio

Analisi Bersaglio

…

APT STEPS

Analisi Bersaglio

Ricognizione

OS fingerprinting

Port Scanning …

Profilazione

…

Analisi Bersaglio

Uno dei primi passi una volta identificato l’obiettivo è iniziare una attività di profilazione:

1. Structure (single company, private helded, public, size, …)

2. Public interfaces (web, mailing lists, other sources, …)

3. Activities (what they do, how they do it, why they do it…)

4. Employees

5. Competition

6. Neiborhoods

7. Assets

8. Geography

9. …

Profilare il bersaglio

Social Engineering

Spear Phishing

Analisi dati pubblici:web,

social,

forum,

blog

stampa,

info varie

…

Analisi sito fisico

…

Profilazione bersaglio: tools

Social EngineeringSpear PhishingDNSExternal Network TopologyPort scanningService DiscoveryDirectory HarvestingO.S. fingerprintingDNSNetwork TopologyRoute TopologyVulnerability analisys…

Analisi Bersaglio: Ricognizione

Definizione bersaglio

Analisi Bersaglio

Ingresso Iniziale

…

APT STEPS

Lo scopo del primo ingresso è generalmente quello di iniziare a testare la topologia INTERNA del sistema, trovare i punti di «attracco» ove fare deployment degli strumenti di attacco.

Serve anche a testare i sistemi difensivi e le vie di comunicazione utilizzabili.

L’ingresso iniziale

Test vulnerabilità utilizzabili

Test riconoscimento attacchi e risposte

Definizione strategie multiple di copertura

Weaponization (prima infezione)

Exploitation

Topology

…

L’ingresso iniziale

Definizione bersaglio

Analisi Bersaglio

Ingresso Iniziale

Deployment …

APT STEPS

Infezione\ingresso primi hosts

L’attività può essere remota, fisica o ibrida.

Remota:

Network Hack

Fisica:

Inserzione di device vettori di infezione in situ (USB, Network device…)

Ibrida:

Combinazione di attività remote e deployment fisico

Deployment

Definizione bersaglio

Analisi Bersaglio

Ingresso Iniziale

Deployment Espansione …

APT STEPS

Una volta penetrato il sistema si iniziano ad attaccare diversi bersagli. Alcuni motivi possono essere legati a

Esigenze di sviluppo di una vulnerabilità

Copertura e test sistemi di difesa

Raccoglimento dati topologia

Analisi credenziali e processi

OS Fingerprinting

…

L’espansione

Infezione hosts target

Movimenti laterali

Azioni di copertura ed interferenza

Creazione network di attacco

…

L’espansione

Definizione bersaglio

Analisi Bersaglio Ingresso Iniziale Deployment Espansione Consolidamento …

APT STEPS

La fase di consolidamento consiste nel finire le attività di analisi e discoveryed iniziare le attività di preparazione dell’attacco vero e proprio.

Attivazione network di attacco

Attivazione misure di copertura (stealthing)

…

Consolidamento

Definizione bersaglio

Analisi Bersaglio Ingresso Iniziale Deployment Espansione Consolidamento Sviluppo Attacco …

APT STEPS

L’attacco

Definizione bersaglio

Analisi Bersaglio Ingresso Iniziale Deployment Espansione Consolidamento Sviluppo Attacco Copertura …

APT STEPS

Copertura

Definizione bersaglio

Analisi Bersaglio Ingresso Iniziale Deployment Espansione Consolidamento Sviluppo Attacco Copertura …

APT Riconoscimento attacchi

Non rilevabile

Effetti parzialmente rilevabili

Rilevabile (EarlyExternal Detection)

Rilevabile (ExternalDetection)

Rilevabile (EarlyInternal Detection)

Rilevabile (Post Mortem)

Rilevabile (InternalDetection)

Rilevabile (Late Internal Detection)

Comunicazione esterna

1. Complicare l'accesso iniziale (Firewall, Sandbox, Antimalware, gestione DNS e DHCP, IPS …)

Monitorare constantemente le risorse (SIEM deployment, Vulnerabilityassessment, …)

2. Ridurre il rischio di escalation dei privilegi in caso di compromissione di un account (NAC, IAC, DLP, …)

3. Rilevare precocemente account compromessi e attività sospette (SOC, NOC…)

5. Raccogliere informazioni utili a un'indagine forense, per poter determinare quali danni si sono verificati, quando e a opera di chi

Cosa fare?

Gli APT sono difficili da individuare. Secondo il Verizon 2012 Data BreachInvestigations Report, il 92% di tutte le organizzazioni e il 49% delle grandi organizzazioni è venuta a conoscenza di una violazione della sicurezza perché informata da un soggetto esterno.

RICORDATE

Advanced volatile threat

https://www.academia.edu/6309905/Advanced_Persistent_Threat_-_APT

Anatomy of an Advanced Persistent Threat (APT)". Dell SecureWorks. Retrieved 2012-05-21.

Are you being targeted by an Advanced Persistent Threat?". Command Five Pty Ltd. Retrieved 2011-03-31.

Search for malicious files". Malicious File Hunter. Retrieved 2014-10-10.

"The changing threat environment ...". Command Five Pty Ltd. Retrieved 2011-03-31.

Eric M. Hutchins, Michael J. Clopperty, Rohan M. Amin, Ph.D. "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains". Lockheed Martin Corporation Abstract. Retrieved March 13, 2013.

Assessing Outbound Traffic to Uncover Advanced Persistent Threat". SANS Technology Institute. Retrieved 2013-04-14.

Introducing Forrester's Cyber Threat Intelligence Research". Forrester Research. Retrieved 2014-04-14.

Olavsrud, Thor. "Targeted Attacks Increased, Became More Diverse in 2011". PCWorld.

An Evolving Crisis". BusinessWeek. April 10, 2008. Archived from the original on 10 January 2010. Retrieved 2010-01-20.

The New E-spionage Threat". BusinessWeek. April 10, 2008. Archived from the original on 18 April 2011. Retrieved 2011-03-19.

Google Under Attack: The High Cost of Doing Business in China". Der Spiegel. 2010-01-19. Archived from the original on 21 January 2010. Retrieved 2010-01-20.

Under Cyberthreat: Defense Contractors". BusinessWeek. July 6, 2009. Archivedfrom the original on 11 January 2010. Retrieved 2010-01-20.

Understanding the Advanced Persistent Threat". Tom Parker. February 4, 2010. Retrieved 2010-02-04.

Advanced Persistent Threat (or Informationized Force Operations)". Usenix, Michael K. Daly. November 4, 2009. Retrieved 2009-11-04.

Ingerman, Bret. "Top-Ten IT Issues, 2011". Educause Review.

Bodmer, Kilger, Carpenter, & Jones (2012). Reverse Deception: Organized Cyber Threat Counter-Exploitation. New York: McGraw-Hill Osborne Media. ISBN 0-07-177249-9, ISBN 978-0-07-177249-5

Advanced Persistent Threats: Higher Education Security Risks". Dell SecureWorks. Retrieved 2012-09-15.

APT1: Exposing One of China's Cyber Espionage Units". Mandiant. 2013.

China says U.S. hacking accusations lack technical proof". Reuters. 2013.

What's an APT? A Brief Definition". Damballa. January 20, 2010. Archived from the original on 11 February 2010. Retrieved 2010-01-20.

See also:

Grazie!Advanced Persistent Threat: come muoversi tra ilmarketing e la realtà?

34