APT REPORTS AND OPSEC EVOLUTION
OR
CanSecWest 2016 ©
WHY ARE WE HERE?
We will simplify the attack process, demonstrate the evolution of various actors over the years, and suggest ways to close the evolutionary gap.
@deanSysman (credit: @gadievron / @inbarraz)
WE’VE ALWAYS HAD MALWARE
IT ALL CHANGED WHEN…
APT1 was disclosed by Mandiant in February 2013. The extent of exposure was huge. Result: operations were significantly disrupted.
BUT THEY WERE NOT ALONE
Other campaigns had already been disclosed, such as Stuxnet and Flame.
Stuxnet was tight (~500K) and target-specific. Flame was a monster (20M), clearly meant for scale.
ACTORS STARTED ADAPTING
Let's look at other APTs and see the various choices threat actors made:
Gauss - In addition to a scaled operation (>2K victims), there was an instance where the malware opens only on specific targets. Constraints must have been tight.
Rocket Kitten - Using an off-the-shelf tool (Core Impact).
We'd like to think they had OPSEC meetings…
OPSEC IN 60 SECONDS
Why do you need OPSEC?
1. Assure success
2. Prevent detection
3. Prevent attribution
Analogous processes: regular software development, risk management
OPSEC IN 60 SECONDS
When is OPSEC compromised?
1. Time-to-market
2. Scalability
3. Ease of deployment
GENERALLY SPEAKING, EVERY REPORT REPRESENTS AN OPSEC FAILURE IN A WAY
THE HACKING TEAM
But we don't have the other actors' email…
MANY APT REPORTS SUCK
AS A RESULT
APT REPORTS ARE FREE QA
Lessons learned: APT1 C2 -> Turla satellite traffic hijacking
Learning in progress: Stuxnet/Duqu/Flame -> Duqu2 still similar code
You never know…
- Iron Tiger: clearly Chinese
- Careto: all fits so well - could actually be a false flag
- Duqu 2: multiple false flags
SO YOU’VE READ AN APT REPORT…
Malware Analysis | C2 Setup | Attack Vectors | IOCs | Attacker Objective
WHAT IT FEELS LIKE
ENGAGEMENT PROCESS
We're "reverse engineering" the attacks by means of forensic investigation - what is it we should be seeing?
Let's "re-engineer" how attackers work by examining their operational planning, with a simplified model we'll call the Engagement Process.
ATTACKER SIDE
1. COMPOSE INTELLIGENCE REQUIREMENTS
It's like going shopping. What would I like to know?
Examples:
- Does Saddam Hussein have WMDs?
- Where are the WMDs?
- Does he intend to use the WMDs?
- Who is working on the WMDs?
- How can we get Matt Damon back?
2. COMPILE TARGET LIST
"Where can I find answers?" or: "Who holds the information I need?"
Examples:
-> Verticals: Banking, Energy, Pharmaceutical
-> Specific targets
Exceptions:
-> Sofacy
3. INTELLIGENCE GATHERING
4. TARGET REPORT
5. ATTACK PLAN AND EXECUTION
AND THE BEAT GOES ON
Target Report -> Intelligence Gathering -> Attack Plan and Execution -> Target Report …
3. INTELLIGENCE GATHERING: REVISITED
OPSEC REVISITED
1. Map target's defenses
2. Examine security vendor backend capabilities
3. Look for other players
   a. Regin - APT magnet
4. Really try to hide your identity
CYBER ENGAGEMENT CYCLE EVOLUTION
1. Threat Group 3390/Emissary Panda: whenever possible, revert to OS-included tools (WMI, PowerShell, at, ipconfig, etc.)
2. Duqu2: a rare example of lateral movement/persistence evolution.
6. FOLD / RETREAT
Evolution examples:
1. Red October: dismantle after publication
2. The Mask: following vendor blog - 4 hrs to fold
3. Duqu2: don't wait for publication - hunt the vendor
Counter examples: APT12, Gaza Hacker Team
DEFENDER SIDE
Each defender-side step is presented as Problem / Takeaways / Action.
1. COMPOSE INTELLIGENCE REQUIREMENTS
Problem: Not enough information on attacker objectives
Takeaways:
1. It's like having a stalker - they really like you
2. Stealing data is just one of the options
Action: Perform a meaningful, periodical risk assessment
2. COMPILE TARGET LIST
Problem: No time-sensitive information -> No pattern
Takeaways: If you have similar data or platforms as another compromised organization -> You're on the list
Action: Perform a relevant Threat Assessment (Threat = Intent + Capability)
3-5. CYBER ENGAGEMENT CYCLE
Target Report -> Intelligence Gathering -> Attack Plan and Execution -> Target Report …
PRE-ENGAGEMENT STAGE
Problem: Publicly available sensitive data. Lax security awareness allows probing (automatic/human)
Takeaways: Attacker can gain a lot before reaching your network
Action: Limit public information. Act outside your own perimeter. Periodical awareness refreshers
ENGAGEMENT STAGE
Problem: Not many share lateral movement reports
Takeaways: The engagement is an ongoing process; there are many opportunities for the defender to intervene
Action: Put as many obstacles as possible (layered security). Don't be shy, share your breach data
6. FOLD/RETREAT
Problem: Attacker can destroy forensic evidence
Takeaways: Snapshots and logs can potentially save the day
Action: Backup response plan
TRY THIS AT HOME
DEMAND BETTER APT REPORTS FROM YOUR VENDOR
Engagement Process:
1. Compose Intelligence Requirements
2. Compile Target List
3. Intelligence Gathering
4. Target Report
5. Attack Plan and Execution
6. Fold
APT report contents: Malware Analysis | C2 Setup | Attack Vectors | IOCs | Attacker Objective
THE DECLINE OF SHAME
WHAT WE WOULD LIKE TO SEE
1. Better, more actionable APT reports
2. Earlier breach reports (a heads up will do)
3. Actionable, public information sharing
4. Enough with the attribution addiction
FINAL WORDS
APT Reports can be a huge help
Stay on the attacker’s 6
Increase their costs
Inbar Raz VP of Research @inbarraz [email protected]
Gadi Evron Founder, CEO @gadievron [email protected]
Dean Sysman Co-Founder, CTO @DeanSysman [email protected]