
Advanced Persistent Threat

CIO Forum & Executive IT Summit October 27 2011

Society of Information Managers Portland, OR Chapter

Crowne Plaza Hotel Portland Downtown

Advantage: Adversaries

Intelligent, adaptive adversaries exist. They don’t follow the rules or compliance checklists.

They have people, money and time.

10/27/11 The National Electric Sector Cybersecurity Organization is partially funded by the US Department of Energy

Much Ado About APT/Cyber

§  FIRST - I’m not a fan of the term APT…

§  Google: “Advanced Persistent Threat” – 10.1M hits*

§  Google: “Stuxnet” – 4M hits*

§  Google: “Cyber War” – 6M hits*

* October 27, 2011


Today’s News

Chinese Military Suspected in Hacker Attacks on U.S. Satellites – http://www.bloomberg.com/news/2011-10-27/chinese-military-suspected-in-hacker-attacks-on-u-s-satellites.html – Tony Capaccio and Jeff Bliss, Bloomberg, Oct 26, 2011

§  Computer hackers, possibly from the Chinese military, interfered with two U.S. government satellites four times in 2007 and 2008 through a ground station in Norway…

§  “Such interference poses numerous potential threats, particularly if achieved against satellites with more sensitive functions,” according to the draft. “Access to a satellite’s controls could allow an attacker to damage or destroy the satellite. An attacker could also deny or degrade as well as forge or otherwise manipulate the satellite’s transmission.”


…To Name Just a Few


By The Numbers

§  2 billion Internet-enabled devices exist today

§  Trends suggest 7 billion+ in four years

§  68,000 hacker tools available today

§  5.6M counterfeit computer chips seized

§  8 character passwords cracked in an hour

§  14 char alphanumeric cracked in <3 min


TwitBookBlogosphere


APT: Breakdown

§  The Security for Business Innovation Council defines the Advanced Persistent Threat as, “a cyber attack that is highly targeted, thoroughly researched, amply funded, and tailored to a particular organization— employing multiple vectors and using ‘low and slow’ techniques to evade detection.”

§  According to Richard Bejtlich, the phrase “Advanced Persistent Threat” appears to have been coined by DoD users around 2006 to permit them to talk about these attacks with non-DoD experts without using their classified code names.

§  Attacks as early as 1998 would qualify under today’s general definition of APT


APT: “Advanced”

§  APT is not malware, it is an attack paradigm

§  APT events are usually named for the campaign (e.g. Aurora, Titan Rain, RSA), not for the malware family they belong to

§  An attack can be described as advanced even when no zero day exploits are used

§  If the attack scenario resembles a black ops scenario, it’s advanced even if all components used are mature and reliable


When Advanced Isn’t

§  “RSA confirmed on Friday that the attack that compromised the company's high-value SecurID product was essentially a small, targeted phishing campaign that included a payload of a malicious Flash object embedded in an Excel file.” – http://goo.gl/zvwAD


APT: “Persistent”

§  Attackers will try anything and everything necessary to reach their goal

§  May use multiple companies or operating environments

§  Prolonged undetected access

§  Time and resources can be vast


Who Are They…?

§  Nation States

§  Non-Government Organizations (NGOs)

§  Organized Crime

§  Individual Actors

The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec with funding assistance from the U.S. Department of Energy.

What Are They After?

§  Fun (lulz)?

§  Damage?

§  Control?

§  Intellectual Property?

§  Denial of Service?

§  Extortion?


Not If, But When

§  Today’s bleeding edge hardware and software is tomorrow’s legacy liability

§  Attack surface is increasing for both technology and human targets

§  Son of the ghost of the return of the revenge of when Stuxnet attacks part XIII in 3D

§  How do you operate through the attack with limited integrity assurance?


Constant Compromise

§  The number-one advanced persistent threat (APT) attack vector is now not technology, but social engineering. Furthermore, security is no longer about trying to keep all intruders outside of the network perimeter, but rather acknowledging that security today involves living in a state of constant compromise. – http://goo.gl/jhH51


Questions?

Patrick C Miller President & CEO, EnergySec

Principal Investigator, National Electric Sector Cybersecurity Organization [email protected]

503.446.1212 (desk) @patrickcmiller (twitter)

www.energysec.org


Elephants in the Room

APT has become a buzzword that has become associated with nearly all successful attacks.

Malware is not an APT. It’s a tool.

Espionage – corporate or otherwise – is the name of the game, as is sabotage.


So What Is An APT?


Image Copyright Ian Petticrew. This work is licensed under the Creative Commons Attribution-Share Alike 2.0 Generic License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/2.0/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.

Stuxnet: The APT Poster Child

§  Considered by many to be the most advanced malware deployment in history

§  Targeted a very specific set of assets

§  Had multiple (redundant?) methods for each stage

§  Appears to have been researched, developed, and tested in a vacuum

§  Went undetected during its mission


Stuxnet: Infection & Propagation

§  Could infect via USB thumbdrives

§  Could infect via network shares

§  Could exploit four previously unknown (and unpatched) OS vulnerabilities (0-Days)

§  Could exploit other known OS vulnerabilities

§  Could infect by hiding in data files for the system’s main application

§  Etc.


Stuxnet: Command & Control

§  Infected hosts told the C&C server their hostname, OS version, whether the target software was present, etc.

§  C&C communications occurred via HTTP

§  C&C channel allowed for updating the payload

§  Data transmitted via the C&C channel was a mix of plain text and encrypted binary data

§  C&C server domains (there were two) both referenced soccer


Stuxnet: Payload

§  Only triggered if Stuxnet finds itself on a machine with Simatic Manager

§  Injects itself into the command & control function which manages PLCs

§  Overwrites key routines on the PLC and disguises the change (MitM)

§  Perturbs Variable Frequency Drives managed by the PLCs


Stuxnet: References/Resources

§  Symantec Stuxnet Dossier: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

§  Ralph Langner’s Blog: http://www.langner.com/en/blog/

§  Joel Langill’s Stuxnet Resource Library: http://scadahacker.com/resources/stuxnet.html


What Can You Do?

§  Educate your users

§  Monitor for system anomalies that aren’t proven consistent with approved changes

§  Monitor your networks for exfiltration

§  Audit and enforce vendor commitments

§  Develop staff with well-honed “Spidey Senses”

§  Don’t ignore seemingly minor security issues
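The slide says to monitor your networks for exfiltration but not how. The following is an added example, not code from the deck or from EnergySec, showing two checks an analyst can run over a web proxy export: client/destination pairs whose outbound volume is large and dwarfs what came back (the shape of a compressed archive leaving over 80/443), and pairs contacted at near-constant intervals (the shape of a C2 check-in). The log format, the client addresses and the destination host `cdn.update-check.example` are constructed for the example; the thresholds are assumptions to tune per environment.

```python
"""Exfiltration and beacon detection over proxy logs (added example, not from the deck)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed proxy log, one request per line:
#   <iso timestamp> <client ip> <destination host> <port> <bytes out> <bytes in>
_t0 = datetime(2011, 10, 27, 9, 0, 0)
SAMPLE_LOG = "\n".join(
    # one client checks in with the same host every 10 minutes ...
    [f"{(_t0 + timedelta(minutes=10 * i)).isoformat()} 10.1.4.23 cdn.update-check.example 443 312 1048"
     for i in range(10)]
    # ... and pushes a 50 MB upload to it between two check-ins
    + [f"{(_t0 + timedelta(minutes=35, seconds=17)).isoformat()} 10.1.4.23 cdn.update-check.example 443 52428800 2048"]
    # ordinary browsing: irregular timing, more bytes in than out
    + ["2011-10-27T09:01:12 10.1.4.23 www.energysec.org 80 540 18233",
       "2011-10-27T09:01:57 10.1.4.23 www.energysec.org 80 512 7741",
       "2011-10-27T09:16:57 10.1.4.23 www.energysec.org 80 498 22110",
       "2011-10-27T09:17:09 10.1.4.23 www.energysec.org 80 501 3012",
       "2011-10-27T10:07:09 10.1.4.23 www.energysec.org 80 530 9450",
       "2011-10-27T10:07:16 10.1.4.23 www.energysec.org 80 503 1220",
       "2011-10-27T09:03:40 10.1.4.50 www.bloomberg.com 80 611 45120",
       "2011-10-27T09:42:05 10.1.4.50 www.bloomberg.com 443 2048 91033"])


def parse_log(text):
    """Parse the six-field format above into a list of dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, port, out, inn = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                        "port": int(port), "out": int(out), "in": int(inn)})
    return records


def find_exfil(records, min_out=20 * 1024 * 1024, min_ratio=5.0):
    """(client, destination) pairs that sent >= min_out bytes and at least
    min_ratio times more than they received. Browsing is download-heavy, so an
    upload-dominated pair stands out whatever port it used."""
    totals = defaultdict(lambda: [0, 0])
    for r in records:
        t = totals[(r["src"], r["dst"])]
        t[0] += r["out"]
        t[1] += r["in"]
    return sorted(pair for pair, (out, inn) in totals.items()
                  if out >= min_out and out >= min_ratio * max(inn, 1))


def find_beacons(records, min_hits=5, tolerance=0.10, min_fraction=0.75):
    """(client, destination) pairs whose inter-request gaps cluster tightly
    around the median gap. Returns [(pair, median_gap_seconds)]. The median
    rather than the mean keeps one large upload (or one missed check-in)
    from hiding an otherwise regular beacon."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    hits = []
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med <= 0:
            continue
        regular = sum(1 for g in gaps if abs(g - med) <= tolerance * med)
        if regular / len(gaps) >= min_fraction:
            hits.append((pair, int(med)))
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("exfil candidates:", find_exfil(recs))
    print("beacons:", find_beacons(recs))
```

Run against the constructed log, the beaconing client is reported once for its 600-second check-in and once for the 50 MB upload; the six irregular requests to www.energysec.org are not, because their gaps do not cluster. Real beacons add jitter, so raise `tolerance` before lowering `min_fraction`.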


Executive Action

§  Don’t rely solely on security tools and consultants

§  Do identify and groom security-minded staff

§  Ensure relationships with response organizations are well-managed

§  Don’t think that you have nothing of value

§  Don’t require 100% security – What is that anyway?


Questions?

Chris Jager Vice President – Threat and Vulnerability Analysis and Management, EnergySec

Co-Principal Investigator, National Electric Sector Cybersecurity Organization [email protected]

206.214.8879 (desk) @chrisjager (twitter) www.energysec.org


Law Enforcement Perspective

State Sponsored Organizations

§  Employ professional personnel

§  Virtually unlimited budget

§  Specialize in intrusion activity targeting government, manufacturing, research, and other high value targets

§  Very different motivation

§  Goal is to maintain persistence on victim systems


Law Enforcement Perspective

Motivation: Usual Attackers vs. APT Actors

Usual Attackers

§  MONEY: create botnets

§  MONEY: extortion

§  MONEY: hacker status

APT Actors

§  Political

§  Competitive advantage

§  Economic

§  Military advantage

§  Espionage

Law Enforcement Perspective

Countries with Computer Network Operations


Law Enforcement Perspective

APT Progression

1. Recon

2. Initial Intrusion

3. Establish Persistence

4. Obtain Creds

5. Install Tools

6. Lateral Movement

7. Maintain Persistence

Law Enforcement Perspective

Step 1: Recon

§  Port Scanning

§  Social Engineering

§  Email Harvesting



Law Enforcement Perspective

Step 2: Intrusion

§  Hack through the firewall?

§  Exploit a web application sitting in the DMZ?

§  Exploit some other piece of network equipment?


Law Enforcement Perspective

Step 2: Intrusion

Exploit the human


Law Enforcement Perspective

Step 2: Intrusion

Spear Phishing


Law Enforcement Perspective

Step 2: Spear Phishing

§  Socially engineered attacks

§  Built on information gathered during the recon phase

§  Often target high-level executives or others who are perceived as high access / low tech

§  Usually attach a .pdf or other document with an exploit
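The slide describes the lure (a document attachment carrying an exploit) but not how a mail gateway would catch it. The following is an added example, not code from the deck or from EnergySec, that parses a message with the Python standard library and scores each attachment: executables and double extensions, content that does not match the extension, PDF name objects that run content on open (`/OpenAction`, `/JavaScript`, `/Launch`), and VBA projects in legacy and OOXML Office files. The sample message, sender, recipient and the hand-written PDF and docx bodies are constructed for the example; they trip the heuristics but contain no exploit.

```python
"""Attachment filter for spear-phishing mail (added example, not from the deck)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta"}
DOC_MAGIC = {                                      # extension -> expected leading bytes
    ".pdf": b"%PDF-",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",   # OLE2 (legacy Office)
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",             # OOXML is a zip
}
# PDF name objects that run or hide content when the file is opened.
PDF_ACTIVE = [b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/AA", b"/EmbeddedFile"]


def inspect_attachment(filename, data):
    """Return (verdict, reasons) for one attachment; verdict is 'block' or 'allow'."""
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    reasons = []
    if ext in EXEC_EXT:
        reasons.append("executable attachment")
        if name.count(".") > 1:                       # invoice.pdf.exe
            reasons.append("double extension")
    if ext in DOC_MAGIC and not data.startswith(DOC_MAGIC[ext]):
        reasons.append("content does not match extension")
    if data.startswith(b"%PDF-"):
        hits = [t.decode() for t in PDF_ACTIVE if t in data]
        if hits:
            reasons.append("PDF active content: " + ", ".join(hits))
    # Macro streams: OLE2 stores stream names as UTF-16LE; OOXML stores the
    # macro project as a zip member named vbaProject.bin.
    if data.startswith(b"\xd0\xcf\x11\xe0") and "_VBA_PROJECT".encode("utf-16-le") in data:
        reasons.append("legacy Office file with VBA project")
    if data.startswith(b"PK\x03\x04") and b"vbaProject.bin" in data:
        reasons.append("OOXML file with VBA project")
    return ("block" if reasons else "allow", reasons)


def scan_message(raw):
    """Parse a raw RFC 822 message and inspect every attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        verdict, reasons = inspect_attachment(fname, part.get_payload(decode=True) or b"")
        results.append({"filename": fname, "verdict": verdict, "reasons": reasons})
    return results


# --- constructed samples (no exploit, just the markers the filter looks for) ---
MALICIOUS_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R/OpenAction 3 0 R>>endobj\n"
                 b"3 0 obj<</S/JavaScript/JS(app.alert(1))>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF\n")
BENIGN_PDF = b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF\n"


def fake_docx(with_macro):
    """Minimal OOXML-shaped zip; real files carry many more members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", "\x00")
    return buf.getvalue()


def build_sample_message():
    """A spear-phish shaped like the slide: executive-facing lure, document payload."""
    msg = EmailMessage()
    msg["From"] = "conference-office@example.org"
    msg["To"] = "cio@example.com"
    msg["Subject"] = "Updated agenda - CIO Forum, Oct 27"
    msg.set_content("Please review the attached agenda before tomorrow's session.")
    msg.add_attachment(MALICIOUS_PDF, maintype="application", subtype="pdf",
                       filename="Agenda_Oct27.pdf")
    msg.add_attachment(fake_docx(False), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="Speaker_Bios.docx")
    return msg.as_bytes()


if __name__ == "__main__":
    for r in scan_message(build_sample_message()):
        print(r["verdict"].upper(), r["filename"], "; ".join(r["reasons"]))
```

String matching on `/JavaScript` is a triage heuristic, not a parser: PDF names can be hex-escaped and objects can sit in compressed object streams, so a production gateway should decompress and normalise the file (or detonate it) before trusting an "allow".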


Law Enforcement Perspective

Step 3: Establish Persistence

§  Create a backdoor in one or multiple systems

§  Use legitimate credentials (SAM database exfil?)

§  Malware uses encryption and obfuscation of network traffic (port 443?)

§  Regular updates to the malware

§  Utilize Microsoft libraries to reduce the size of the malware


Law Enforcement Perspective

Steps 4, 5 and 6

Obtain Creds

§  Target Domain Controller

§  Obtain user accounts / passwords

§  NetBIOS logins

Install Tools

§  Establish backdoors

§  Obtain passwords

§  Query running processes

Lateral Movement

§  Move through systems to locate data

§  Data exfil

§  Encrypt and compress files

§  RAR files?

Law Enforcement Perspective

Step 7: Maintain Persistence

§  Resist attempts at remediation

– Multiple backdoors?

– Multiple accounts / passwords

– Harvest of email accounts

§  Malware evolution

– Off-the-shelf products

– Highly customized?


Law Enforcement Perspective

Common Characteristics

§  Average APT malware file is under 130 KB

§  svchost.exe is the most common APT file name

§  Exfiltrated data is compressed in .rar format

§  Windows XP / 2003 servers

§  Antivirus detection rate is under 25%

§  Ports 80 and 443 used for C2 communications


Law Enforcement Perspective

FBI Response to Computer Intrusions

§  Provide real time information

§  Work together with company response team

§  Maintain communication as necessary

§  Provide analysis and intelligence

§  KEEP INFORMATION CONFIDENTIAL and ANONYMOUS


Law Enforcement Perspective

FBI Response to Computer Intrusions

§  Forensic examination services

§  Monitoring actor activity is a key source of intelligence

§  Provide possible motivation

§  Group characteristics, tools, and techniques

§  Remediation suggestions and guidance


Law Enforcement Perspective

Combating The Threat

§  Apprehension is often not realistic

§  Active monitoring of intruder activity

§  Intelligence gathering and dissemination

§  Hardening of targets


Law Enforcement Perspective

Ways To Harden The Network

§  Anti-virus software

§  Firewalls

§  Migrate to Windows 7 and Server 2008

§  Application whitelisting

§  Reduce admin privileges

§  Two-factor authentication

§  Enhanced network / data segmentation

§  Longer passwords / passphrases (at least 15 characters)

§  Enhanced email controls

§  Attachment filtering

§  Know where the keys to the kingdom are


Questions?


Phil Slinkard Special Agent

Portland Division - Cyber Crime Federal Bureau of Investigation

o: 503.528.3344 www.fbi.gov

