APT REPORTS AND OPSEC EVOLUTION OR - Pwn2Own · 2016-04-02 · 6. FOLD / RETREAT 38 Evolution...

APT REPORTS AND OPSEC EVOLUTION

OR



CanSecWest 2016 ©

WHY ARE WE HERE?


We will simplify the attack process, demonstrate the evolution of various actors over the years, and suggest ways to close the evolutionary gap.

@deanSysman (credit: @gadievron / @inbarraz)


WE’VE ALWAYS HAD MALWARE


IT ALL CHANGED WHEN…


APT1 was disclosed by Mandiant in February 2013. The extent of exposure was huge. Result: operations were significantly disrupted.


BUT THEY WERE NOT ALONE


Other campaigns had already been disclosed, such as Stuxnet and Flame.

Stuxnet was tight (~500K) and target-specific. Flame was a monster (20M), clearly meant for scale.


ACTORS STARTED ADAPTING


Let’s look at other APTs and see the various choices threat actors made:

Gauss - In addition to a scaled operation (>2K victims), there was an instance where the malware activates only on a specific target. Constraints must have been tight.

Rocket Kitten - Using an off-the-shelf tool (Core Impact).

We’d like to think they had OPSEC meetings…


OPSEC IN 60 SECONDS


Why do you need OPSEC?

1.  Assure success

2.  Prevent detection

3.  Prevent attribution

Analogous processes: regular software development, risk management


OPSEC IN 60 SECONDS


When is OPSEC compromised?

1.  Time-to-market

2.  Scalability

3.  Ease of deployment

GENERALLY SPEAKING, EVERY REPORT REPRESENTS AN OPSEC FAILURE IN A WAY


THE HACKING TEAM


But we don’t have the other actors’ email…


MANY APT REPORTS SUCK


AS A RESULT


APT REPORTS ARE FREE QA


Lessons learned: APT1 C2 -> Turla satellite traffic hijacking

Learning in progress: Stuxnet/Duqu/Flame -> Duqu2 still similar code

You never know…

-  Iron Tiger: Clearly Chinese

-  Careto: All fits so well - could actually be a false flag

-  Duqu 2: Multiple false flags


SO YOU’VE READ AN APT REPORT…


Malware Analysis | C2 Setup | Attack Vectors | IOCs | Attacker Objective


WHAT IT FEELS LIKE


ENGAGEMENT PROCESS


We’re “reverse engineering” the attacks by means of forensic investigation - what is it we should be seeing?

Let’s “re-engineer” how attackers work by examining their operational planning, with a simplified model we’ll call the Engagement Process.


ATTACKER SIDE


1. COMPOSE INTELLIGENCE REQUIREMENTS

It’s like going shopping.

What would I like to know?


Examples:

-  Does Saddam Hussein have WMDs?

-  Where are the WMDs?

-  Does he intend to use the WMDs?

-  Who is working on the WMDs?

-  How can we get Matt Damon back?


2. COMPILE TARGET LIST

“Where can I find answers?”

or:

“Who holds the information I need?”


Examples:

-> Verticals: Banking, Energy, Pharmaceutical

-> Specific targets

Exceptions:

-> Sofacy


3. INTELLIGENCE GATHERING


4. TARGET REPORT


5. ATTACK PLAN AND EXECUTION


Examples:


AND THE BEAT GOES ON


Intelligence Gathering -> Target Report -> Attack Plan and Execution -> Intelligence Gathering -> …


3. INTELLIGENCE GATHERING: REVISITED


OPSEC REVISITED


1.  Map the target’s defenses

2.  Examine security vendor backend capabilities

3.  Look for other players

    a.  Regin - APT magnet

4.  Really try to hide your identity


CYBER ENGAGEMENT CYCLE EVOLUTION


1.  Threat Group 3390/Emissary Panda: Whenever possible, revert to OS-included tools (WMI, PowerShell, at, ipconfig, etc.)

2.  Duqu2: A rare example of lateral movement/persistence evolution.


6. FOLD / RETREAT


Evolution examples:

1.  Red October: Dismantle after publication

2.  The Mask: Following vendor blog - 4 hrs folding

3.  Duqu2: Don’t wait for publication - hunt the vendor

Counter-examples: APT12, Gaza Hacker Team


DEFENDER SIDE


Problem / Takeaways / Action


1. COMPOSE INTELLIGENCE REQUIREMENTS


Problem: Not enough information on attacker objectives

Takeaways: 1. It’s like having a stalker - they really like you. 2. Stealing data is just one of the options.

Action: Perform a meaningful, periodical Risk Assessment


2. COMPILE TARGET LIST


Problem: No time-sensitive information -> no pattern

Takeaways: If you have similar data or platforms as another compromised organization -> you’re on the list

Action: Perform a relevant Threat Assessment (Threat = Intent + Capability)


3-5. CYBER ENGAGEMENT CYCLE


Intelligence Gathering -> Target Report -> Attack Plan and Execution -> Intelligence Gathering -> …


PRE-ENGAGEMENT STAGE


Problem: Publicly available sensitive data. Lax security awareness allows probing (automatic/human).

Takeaways: The attacker can gain a lot before reaching your network.

Action: Limit public information. Act outside your own perimeter. Periodical awareness refreshers.


ENGAGEMENT STAGE


Problem: Not many share lateral movement reports.

Takeaways: The engagement is an ongoing process; there are many opportunities for the defender to intervene.

Action: Put as many obstacles as possible in the way (layered security). Don’t be shy, share your breach data.


6. FOLD/RETREAT

Problem: The attacker can destroy forensic evidence.

Takeaways: Snapshots and logs can potentially save the day.

Action: Backup response plan.


TRY THIS AT HOME


DEMAND BETTER APT REPORTS FROM YOUR VENDOR

Engagement Process:

1.  Compose Intelligence Requirements

2.  Compile Target List

3.  Intelligence Gathering

4.  Target Report

5.  Attack Plan and Execution

6.  Fold

APT report: Malware Analysis | C2 Setup | Attack Vectors | IOCs | Attacker Objective


THE DECLINE OF SHAME


WHAT WE WOULD LIKE TO SEE


1. Better, more actionable APT reports

2. Earlier breach reports (a heads-up will do)

3. Actionable, public information sharing

4. Enough with the attribution addiction


FINAL WORDS


APT Reports can be a huge help

Stay on the attacker’s 6

Increase their costs


Inbar Raz VP of Research @inbarraz [email protected]

Gadi Evron Founder, CEO @gadievron [email protected]

Dean Sysman Co-Founder, CTO @DeanSysman [email protected]

