Advanced Persistent Threats: Evaluating Effective Responses
Strategies for organizations and their impact
Garve Hays, Solutions Architect
© 2012 NetIQ Corporation. All rights reserved.
Persistence
“Nothing in the world can take the place of
Persistence. Talent will not; nothing is more common
than unsuccessful men with talent. Genius will not;
unrewarded genius is almost a proverb.
Education will not; the world is full of educated
derelicts. Persistence and determination alone are
omnipotent.”
Calvin Coolidge
Introduction
• Today we will:
– Examine why Advanced Persistent Threats (APTs)
are a problem (really)
– Look at what has NOT worked
– Examine what can work
– Provide some practical next steps
What is an APT?
Advanced Means…
…they have a plan
P is for Persistent
Long haul…
What do you have to lose?
All your base are belong to us…
What Are APTs?
• They are highly targeted attacks
• A long-term pattern of unauthorized computer system intrusions
• Advanced – not necessarily leading edge
– Sophisticated
– With structure
– They have a plan
• Persistent – the perpetrators are in no rush
– Patient
• Threat – the goal is to establish a beachhead or exfiltrate information
Not Every Attack is an APT
• Don’t confuse them with random thieves
– Smash and grab
– Dude check out the new Metasploit
• Important to understand the difference between opportunistic attackers and APTs
Not Always State-Sponsored
The Mandiant Study
http://intelreport.mandiant.com/
“Our evidence indicates that
APT1 has been stealing
hundreds of terabytes of data
from at least 141
organizations across a
diverse set of industries
beginning as early as 2006.”
“Once the group establishes
access to a victim’s network,
they continue to access it
periodically over several
months or years to steal large
volumes of valuable
intellectual ...”
Loss of Intellectual Property
The loss of industrial information and intellectual property through cyber espionage constitutes the "greatest transfer of wealth in history"
Gen. Keith Alexander, NSA Director
What Do They Look Like?
What Do They Look Like
• Typical Attacks Utilize:
– Email (phishing)
– Community portals (“watering hole”)
– Dropbox
– Portable media (USB thumb drive)
Plausible Email Messages
Top Words Used in Spear Phishing Attacks
http://www.fireeye.com/resources/pdfs/fireeye-top-spear-phishing-words.pdf
• Why is Jo on the system at 3 AM? I know she’s a hard worker and all…
• Why is the CPU usage spiking on the order-entry server?
• Is the sales team really using an open Dropbox account? Don’t we have a policy against that?
Low-Hanging Fruit First…
• Attackers are not going to use a 0-day if they don’t have to
• Vulnerabilities against Java 7 Update 21 and Java 6 Update 45
• Already in exploit kits
Examples
Operation Aurora
• 6 months in duration, ending in December, 2009
• First publicly disclosed in January, 2012
• Targets: Adobe Systems, Juniper Networks, Rackspace
• Also targets, according to media reports: Yahoo, Symantec, Northrop Grumman, Morgan Stanley, Dow Chemical
Operation Shady RAT
• Cyber attacks started in mid 2006
• At least 72 organizations, including: United States, Canada, South Korea, The UN, International Olympic Committee, 12 US defense contractors
Drone Contractor Breached
“Earlier this week, Bloomberg reported that QinetiQ, a high tech defense contractor specializing in secret satellites drones and software used by U.S. special forces, was the victim of a sustained cybersecurity breach for several years starting in 2007.”
http://thinkprogress.org/security/2013/05/03/1958871/contractors-outsource-cybersecurity-hacked/
Why Are They A Problem?
• Difficult (if not impossible) to keep out
• Target saleable information
• Very good at long term penetration
• Traditional techniques do not keep them out
This isn’t working…
What Hasn’t Worked?
• Perimeter based defenses
• Malware scanning
• Anti-virus
• Employee Training
• IDS
• In reality: YOU WILL NOT KEEP THEM OUT
Better Approach
• Plan on being compromised
• Get the basics right
• Have a policy and a response plan
• Look for activity and changes, not tools
– Build a baseline
– Harden systems (patch and best practice configurations)
– Manage your privileged users
– Monitor for activity that looks suspicious*
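One way to make “build a baseline” and “monitor for activity that looks suspicious” concrete is the kind of check that would answer the earlier “why is Jo on the system at 3 AM?” question. The script below is an added example, not code from the NetIQ deck or any NetIQ product: it learns each user’s normal login hours, source addresses and target hosts from a batch of constructed authentication log lines, then reports every event in a later batch that falls outside that baseline. The log format, user names, addresses, hostnames and timestamps are all constructed for the example; the one-hour slack and the baseline fields are assumptions a real deployment would tune.

```python
"""Baseline-and-deviation check over constructed authentication log lines.

Added example; not NetIQ's code. Log format, users, hosts and times are constructed.
"""
import re
from datetime import datetime

# Constructed "known good" period used to learn what normal looks like.
BASELINE_LOGS = """\
2013-05-06T08:02:11 auth: user=jo src=10.1.4.22 host=order-entry result=success
2013-05-06T17:45:09 auth: user=jo src=10.1.4.22 host=order-entry result=success
2013-05-07T07:58:40 auth: user=jo src=10.1.4.22 host=order-entry result=success
2013-05-07T18:10:02 auth: user=jo src=10.1.4.22 host=order-entry result=success
2013-05-06T09:15:00 auth: user=sam src=10.1.7.9 host=fileserver result=success
2013-05-07T09:20:31 auth: user=sam src=10.1.7.9 host=fileserver result=success
"""

# Constructed later batch: one off-hours login, one new source address,
# one first-time access to a host, and one perfectly ordinary login.
NEW_LOGS = """\
2013-05-08T03:04:17 auth: user=jo src=10.1.4.22 host=order-entry result=success
2013-05-08T08:05:55 auth: user=jo src=10.1.4.22 host=order-entry result=success
2013-05-08T09:12:44 auth: user=sam src=198.51.100.7 host=fileserver result=success
2013-05-08T09:30:00 auth: user=sam src=10.1.7.9 host=order-entry result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"host=(?P<host>\S+) result=(?P<result>\S+)$"
)


def parse(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def build_baseline(events):
    """Per-user login hours, source addresses and hosts from successful logins.

    This is the "know what normal looks like" step; a real baseline would span
    weeks of data and tolerate more variance than this toy version."""
    baseline = {}
    for e in events:
        if e["result"] != "success":
            continue
        b = baseline.setdefault(e["user"], {"hours": [], "srcs": set(), "hosts": set()})
        b["hours"].append(e["ts"].hour)
        b["srcs"].add(e["src"])
        b["hosts"].add(e["host"])
    return baseline


def find_deviations(baseline, events, slack_hours=1):
    """Return (event, reason) pairs for activity outside the per-user baseline."""
    findings = []
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            findings.append((e, "user not in baseline"))
            continue
        lo = min(b["hours"]) - slack_hours
        hi = max(b["hours"]) + slack_hours
        if not lo <= e["ts"].hour <= hi:
            findings.append((e, f"login at {e['ts'].hour:02d}:00 outside baseline window {lo:02d}-{hi:02d}"))
        if e["src"] not in b["srcs"]:
            findings.append((e, f"new source address {e['src']}"))
        if e["host"] not in b["hosts"]:
            findings.append((e, f"first access to host {e['host']}"))
    return findings


def run():
    """Learn from the baseline batch, then check the new batch against it."""
    baseline = build_baseline(parse(BASELINE_LOGS))
    return find_deviations(baseline, parse(NEW_LOGS))


if __name__ == "__main__":
    for event, reason in run():
        print(f"{event['ts'].isoformat()} user={event['user']}: {reason}")
```

Running it reports three deviations: Jo’s 03:04 login (outside her learned 06–19 window), Sam’s login from an address never seen before, and Sam’s first access to the order-entry host. None of these is proof of compromise, which is exactly the point of the slide: the baseline turns a flood of ordinary log lines into a short list of things worth a question.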
A Recipe…
• Know what you’ve got
• Understand how it’s at risk
• Implement reasonable policies & processes
• Enforce with technology
• Refine and repeat over time
Identify and Protect Critical Data
• Finding the data
– Data may be in files, on physical media, in databases, or in the cloud.
– Most breaches involve data that the victim did not know was there.
• Categorizing data
– What data is sensitive and at risk?
• Monitoring access
– Can I identify abnormal access?
– Who is really accessing the information?
Control and Monitor Privileged Access
• Monitor system and file integrity
– Changes to key system files.
– Modification of rarely accessed data.
• Investigate unusual changes
– Changes to key system files.
– Modification of rarely accessed data.
• Audit individual actions
– Focus on privileged and “high risk” users/accounts.
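“Monitor system and file integrity” comes down to recording what key files looked like at a known-good point and comparing against that record later. The script below is an added example, not NetIQ’s code or a description of any NetIQ product: it snapshots every regular file under a directory (SHA-256, size and permission bits), then classifies differences between two snapshots as added, removed, modified or permission-changed. The “system” tree, its file contents and the tampering are all constructed inside a temporary directory so the script runs offline.

```python
"""File-integrity baseline and change detection.

Added example; not NetIQ's code. The directory tree, file contents and the
changes made to them are constructed in a temporary directory.
"""
import hashlib
import os
import stat
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> (sha256, size, permission bits) for every regular
    file under root. Symbolic links are skipped rather than followed."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (hash_file(full), st.st_size, stat.S_IMODE(st.st_mode))
    return snap


def diff_snapshots(baseline, current):
    """Classify differences between a baseline snapshot and a later one."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified, mode_changed = [], []
    for path in sorted(set(baseline) & set(current)):
        b_hash, _b_size, b_mode = baseline[path]
        c_hash, _c_size, c_mode = current[path]
        if b_hash != c_hash:
            modified.append(path)
        if b_mode != c_mode:
            mode_changed.append(path)
    return {"added": added, "removed": removed,
            "modified": modified, "mode_changed": mode_changed}


def _write(root, rel, data, mode=None):
    """Helper for building the constructed tree; mode is left alone if None."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    if mode is not None:
        os.chmod(full, mode)


def demo():
    """Baseline a constructed 'system' tree, change it, and report the delta."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n", 0o644)
        _write(root, "etc/ssh_config", b"PermitRootLogin no\n", 0o644)
        _write(root, "bin/ls", b"\x7fELF constructed placeholder\n", 0o755)
        baseline = snapshot(root)

        # Constructed changes of the kinds the slide says to investigate:
        # a key file edited, a config file removed, a binary's permissions
        # widened, and a new file appearing in a system directory.
        _write(root, "etc/passwd",
               b"root:x:0:0:root:/root:/bin/sh\nsvc:x:1001:1001::/srv:/bin/sh\n")
        os.remove(os.path.join(root, "etc", "ssh_config"))
        os.chmod(os.path.join(root, "bin", "ls"), 0o777)
        _write(root, "bin/.cache", b"unexpected\n", 0o644)

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

The baseline is only as trustworthy as the moment it was taken, so it belongs off the monitored host (and ideally signed); a snapshot stored next to the files it describes can be rewritten along with them. Permission bits are tracked separately from content because a binary whose bytes are untouched but whose mode was widened is still a change worth a look.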
Capture and Monitor Log Data
• Security and network devices generate lots of data
– OS, Network, Virtual, P&A, User Activity, DAM, IAM.
• Compliance mandates capture and review of logs
• Logs can often provide early warning signs
– 82% of the time, evidence was visible in logs beforehand.
• Failure to monitor is costly
– Breaches often go undiscovered and uncontained for weeks or months.
What We See
Organizations are most successful when they:
– Adopt a pragmatic approach
– Prioritize monitoring around data – data centricity is key
– Include identity and access monitoring
– Tie as much together as possible to integrate information
– Filter and enrich monitoring of activity
Next Steps
• Develop policy
• Understand what critical data you need to protect and where it is stored
• Focus resources around protecting inside the perimeter
• Layer defenses inside to slow down attackers
• Monitor for unusual activity
• Reduce your privileged user attack surface
• Create, agree, and OWN a response plan
NetIQ Can Help
• Provide expertise and experience in Identity, Access Management and Security Management
• Help reduce number of privileged users
• Reduce and manage privileges
• Monitor users and look for unusual activity
• Provide visibility into access rights to critical resources
• Harden systems against attackers
Our Areas of Focus and Expertise
Security & Compliance
• Manage and audit user entitlements
• Track privileged user activity
• Protect the integrity of key systems and files
• Monitor access to sensitive information
• Simplify compliance reporting
Performance & Availability
• Monitor and manage heterogeneous environments including custom applications
• IT Service validation and end-user performance monitoring
• Dynamic provisioning of large-scale monitoring with exceptions
• Functional and hierarchical incident escalation
• Deliver and manage differentiated service levels
Identity & Access
• User Provisioning Lifecycle Management
• Centralize Unix account management through Active Directory
• Reduce number of privileged users
• Secure delegated administration
• Windows and Exchange migration
Image Credits
http://commons.wikimedia.org/wiki/File:Calvin_Coolidge,_bw_head_and_shoulders_photo_portrait_seated,_1919.jpg
http://www.flickr.com/photos/seattlemunicipalarchives/4459827777
http://www.flickriver.com/photos/12567713@N00/44514786/
http://garyckarntzen.deviantart.com/art/Chinese-Flag-Wallpaper-196092557
http://commons.wikimedia.org/wiki/File:Keith_B._Alexander_official_portrait.jpg
http://www.worth1000.com
http://commons.wikimedia.org/wiki/File:Oppstilling-2.jpg
http://en.wikipedia.org/wiki/File:Barney_Oldfield%27s_Race_for_a_Life.jpg
http://www.flickr.com/photos/crazyeddie/2916193420/
http://www.flickr.com/photos/mookitty/2375679549/
http://commons.wikimedia.org/wiki/File:IllegalFlowerTribute1.jpg