Date posted: 13-Mar-2018
Advanced Persistent Threat
CIO Forum & Executive IT Summit October 27 2011
Society of Information Managers Portland, OR Chapter
Crowne Plaza Hotel Portland Downtown
Advantage: Adversaries
Intelligent, adaptive adversaries exist. They don’t follow the rules or compliance checklists.
They have people, money and time.
The National Electric Sector Cybersecurity Organization is partially funded by the US Department of Energy
Much Ado About APT/Cyber
§ FIRST - I’m not a fan of the term APT…
§ Google: “Advanced Persistent Threat” – 10.1M hits*
§ Google: “Stuxnet” – 4M hits*
§ Google: “Cyber War” – 6M hits*
* October 27, 2011
Today’s News
Chinese Military Suspected in Hacker Attacks on U.S. Satellites – http://www.bloomberg.com/news/2011-10-27/chinese-military-suspected-in-hacker-attacks-on-u-s-satellites.html – Tony Capaccio and Jeff Bliss, Bloomberg, Oct 26, 2011
§ Computer hackers, possibly from the Chinese military, interfered with two U.S. government satellites four times in 2007 and 2008 through a ground station in Norway…
§ “Such interference poses numerous potential threats, particularly if achieved against satellites with more sensitive functions,” according to the draft. “Access to a satellite‘s controls could allow an attacker to damage or destroy the satellite. An attacker could also deny or degrade as well as forge or otherwise manipulate the satellite’s transmission.”
…To Name Just a Few
By The Numbers
§ 2 billion Internet-enabled devices exist today
§ Trends suggest 7 billion+ in four years
§ 68,000 hacker tools available today
§ 5.6M counterfeit computer chips seized
§ 8 character passwords cracked in an hour
§ 14 char alphanumeric cracked in <3 min
TwitBookBlogosphere
APT: Breakdown
§ The Security for Business Innovation Council defines the Advanced Persistent Threat as, “a cyber attack that is highly targeted, thoroughly researched, amply funded, and tailored to a particular organization— employing multiple vectors and using ‘low and slow’ techniques to evade detection.”
§ According to Richard Bejtlich, the phrase “Advanced Persistent Threat” appears to have been coined by DoD users around 2006 to permit them to talk about these attacks with non-DoD experts without using their classified code names.
§ Attacks as early as 1998 would already qualify under today’s general definition of APT
APT: “Advanced”
§ APT is not malware, it is an attack paradigm
§ APT events are usually named for the campaign (e.g. Aurora, Titan Rain, RSA), not for the malware family they belong to
§ An attack can be described as advanced even when no zero day exploits are used
§ If the attack scenario resembles a black ops scenario, it’s advanced even if all components used are mature and reliable
When Advanced Isn’t
§ “RSA confirmed on Friday that the attack that compromised the company's high-value SecurID product was essentially a small, targeted phishing campaign that included a payload of a malicious Flash object embedded in an Excel file.” – http://goo.gl/zvwAD
APT: “Persistent”
§ Attacker will try anything and everything necessary to obtain goal
§ May use multiple companies or operating environments
§ Prolonged undetected access
§ Time and resources can be vast
Who Are They…?
§ Nation States
§ Non-Government Organizations (NGOs)
§ Organized Crime
§ Individual Actors
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec with funding assistance from the U.S. Department of Energy.
What Are They After?
§ Fun (lulz)?
§ Damage?
§ Control?
§ Intellectual Property?
§ Denial of Service?
§ Extortion?
Not If, But When
§ Today’s bleeding edge hardware and software is tomorrow’s legacy liability
§ Attack surface is increasing for both technology and human targets
§ Son of the ghost of the return of the revenge of when Stuxnet attacks part XIII in 3D
§ How do you operate through the attack with limited integrity assurance?
Constant Compromise
§ The number-one advanced persistent threat (APT) attack vector is now not technology, but social engineering. Furthermore, security is no longer about trying to keep all intruders outside of the network perimeter, but rather acknowledging that security today involves living in a state of constant compromise. – http://goo.gl/jhH51
Questions?
Patrick C Miller President & CEO, EnergySec
Principal Investigator, National Electric Sector Cybersecurity Organization [email protected]
503.446.1212 (desk) @patrickcmiller (twitter)
www.energysec.org
Elephants in the Room
APT has become a buzzword that has become associated with nearly all successful attacks.
Malware is not an APT. It’s a tool.
Espionage – corporate or otherwise – is the name of the game, as is sabotage.
So What Is An APT?
Image Copyright Ian Petticrew. This work is licensed under the Creative Commons Attribution-Share Alike 2.0 Generic License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/2.0/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.
Stuxnet: The APT Poster Child
§ Considered by many to be the most advanced malware deployment in history
§ Targeted a very specific set of assets
§ Had multiple (redundant?) methods for each stage
§ Appears to have been researched, developed, and tested in a vacuum
§ Went undetected during its mission
Stuxnet: Infection & Propagation
§ Could infect via USB thumbdrives
§ Could infect via network shares
§ Could exploit four previously unknown (and unpatched) OS vulnerabilities (0-Days)
§ Could exploit other known OS vulnerabilities
§ Could infect by hiding in data files for the system’s main application
§ Etc.
Stuxnet: Command & Control
§ Infected hosts told the C&C server their name, OS version, whether the target software was present, etc.
§ C&C communications occurred via HTTP
§ C&C channel allowed for updating the payload
§ Data transmitted via the C&C channel was a mix of plain text and encrypted binary data
§ C&C server domains (there were two) both referenced soccer
Stuxnet: Payload
§ Only triggered if Stuxnet finds itself on a machine with Simatic Manager
§ Injects itself into the command & control function which manages PLCs
§ Overwrites key routines on the PLC and disguises the change (MitM)
§ Perturbs Variable Frequency Drives managed by the PLCs
Stuxnet: References/Resources
§ Symantec Stuxnet Dossier: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
§ Ralph Langner’s Blog: http://www.langner.com/en/blog/
§ Joel Langill’s Stuxnet Resource Library: http://scadahacker.com/resources/stuxnet.html
What Can You Do?
§ Educate your users
§ Monitor for system anomalies that aren’t proven consistent with approved changes
§ Monitor your networks for exfiltration
§ Audit and enforce vendor commitments
§ Develop staff with well-honed “Spidey Senses”
§ Don’t ignore seemingly minor security issues
Executive Action
§ Don’t rely solely on security tools and consultants
§ Do identify and groom security-minded staff
§ Ensure relationships with response organizations are well-managed
§ Don’t think that you have nothing of value
§ Don’t require 100% security – What is that anyway?
Questions?
Chris Jager Vice President – Threat and Vulnerability Analysis and Management, EnergySec
Co-Principal Investigator, National Electric Sector Cybersecurity Organization [email protected]
206.214.8879 (desk) @chrisjager (twitter) www.energysec.org
Law Enforcement Perspective
State Sponsored Organizations
§ Employ professional personnel
§ Virtually unlimited budget
§ Specialize in intrusion activity targeting government, manufacturing, research, and other high value targets
§ Very different motivation
§ Goal is to maintain persistence on victim systems
Law Enforcement Perspective
Motivation
Usual Attackers: Money (create botnets, extortions, hacker status)
APT Actors: Political, competitive advantage, economical, military advantage, espionage
Law Enforcement Perspective
Countries with Computer Network Operations
Law Enforcement Perspective
APT Progression
Recon → Initial Intrusion → Establish Persistence → Obtain Creds → Install Tools → Lateral Movement → Maintain Persistence
Law Enforcement Perspective
Step 1: Recon
§ Port Scanning
§ Social Engineering
§ Email Harvesting
Law Enforcement Perspective
Step 2: Intrusion
§ Hack through the firewall?
§ Exploit a web application sitting in the DMZ?
§ Exploit some other piece of network equipment?
Law Enforcement Perspective
Step 2: Intrusion
Exploit the human
Law Enforcement Perspective
Step 2: Intrusion
Spear Phishing
Law Enforcement Perspective
Step 2: Spear Phishing
§ Socially engineered attacks
§ Information gathered during the recon phase
§ Often target high level executives or others who are perceived as high access / low tech
§ Usually attach a .pdf or other document with an exploit
Law Enforcement Perspective
Step 3: Establish Persistence
§ Create backdoor in one or multiple systems
§ Use legitimate credentials (SAM database exfil?)
§ Malware uses encryption and obfuscation of network traffic (port 443?)
§ Regular updates to the malware
§ Utilize Microsoft libraries to reduce the size of the malware
Law Enforcement Perspective
Steps 4, 5 and 6
Obtain Creds: Target Domain Controller; Obtain user accounts / passwords; NetBIOS logins
Install Tools: Establish backdoors; Obtain passwords; Query running processes
Lateral Movement: Move through systems to locate data; Data exfil; Encrypt and compress files (RAR files?)
Law Enforcement Perspective
Step 7: Maintain Persistence
§ Resist attempts at remediation
– Multiple backdoors?
– Multiple accounts / passwords
– Harvest of email accounts
§ Malware evolution
– Off the shelf products
– Highly customized?
Law Enforcement Perspective
Common Characteristics
§ Average APT malware files under 130 KB
§ Svchost.exe is the most common APT file name
§ Data exfiltrated compressed in .rar format
§ Windows XP/2003 Servers
§ Antivirus detection rate is under 25%
§ Port 80 and 443 used for C2 communications
Law Enforcement Perspective
FBI Response to Computer Intrusions
§ Provide real time information
§ Work together with company response team
§ Maintain communication as necessary
§ Provide analysis and intelligence
§ KEEP INFORMATION CONFIDENTIAL and ANONYMOUS
Law Enforcement Perspective
FBI Response to Computer Intrusions
§ Forensic examination services
§ Monitoring actor activity is a key source of intelligence
§ Provide possible motivation
§ Group characteristics, tools, and techniques
§ Remediation suggestions and guidance
Law Enforcement Perspective
Combating The Threat
§ Apprehension is often not realistic
§ Active monitoring of intruder activity
§ Intelligence gathering and dissemination
§ Hardening of targets
Law Enforcement Perspective
Ways To Harden The Network
§ Anti-virus software
§ Firewalls
§ Migrations to Windows 7 and Server 2008
§ Application whitelisting
§ Reduce admin privileges
§ Two factor authentication
§ Enhanced network / data segmentation
§ Longer passwords / phrases (at least 15 characters)
§ Enhanced email controls
§ Attachment filtering
§ Know where the keys to the kingdom are