24.02.2015 © IKARUS Security Software GmbH
APT
Agenda
What is APT
Staying inside a network as long as possible without
detection, to grab as much information as possible
Something special for everyone, and yet another
"special" product to sell
From back then until today
– As old as malware itself
– Spear phishing / social engineering
Marketing & scaring of businesses
– Stoned Bootkit, Conficker, Stuxnet, Operation Shady RAT…
1st APT?
1st AV solution (1986)
Stuxnet: present for a year in every AV vendor's virus database
without anyone recognizing its potential.
Comparison Industry Computer - PC

Industry Computer                                  | PC
---------------------------------------------------|-------------------------------------------
Priority on stability                              |
Usage > 20 years                                   | 5-6 years lifetime
24/7 uptime                                        | 24/7 uptime not necessary
Updates dangerous/impossible                       | Updates possible
System designed for stability, not security        | System designed for stability AND security
Proprietary systems and protocols                  | Standard protocols
Standalone concept, no network connection planned  | Networking integral part of the system
Little knowledge about the complete system         | Good knowledge about the complete system
Why is APT detection relevant?
Industrial espionage through targeted attacks
Little awareness of threats and security practices (hence APT
detection offered as "software as a service")
No basis for deciding on further actions
– Which hosts have been infected?
– What has happened? Has customer data been affected?
Open problems with run-of-the-mill ("08/15") AV
Is my network currently compromised?
Has my network been compromised in the past?
Tracking an attack over time
Providing a good basis for further decisions
External contractors (forensic analysis) cost a lot of
money
Our motivation for APT detection
Traditional solutions have limitations
– Targeted attacks are hard to detect
– Detection, containment and cleanup are costly
– Total number of malware samples rising fast
– AV vendors have to generate detections fast enough to keep up
Enhance visibility and transparency
Extensive and universal endpoint monitoring, in contrast
to special-case protection mechanisms
Cyber Kill Chain
1. Reconnaissance
2. Craft an attack
3. Deliver the malware
4. Exploit security holes
5. Install malware
6. Command & Control
7. Perform malicious acts
Cyber Kill Chain coverage of a run-of-the-mill ("08/15") AV solution
1. Reconnaissance: not covered
2. Craft an attack: not covered
3. Deliver the malware: scan engine (plus spam/URL filter, firewall)
4. Exploit security holes: not covered
5. Install malware: scan engine
6. Command & Control: not covered
7. Perform malicious acts: not covered
Behavior-based Solutions
Collect a lot of data
– Network data (Appliance, endpoint)
– Host data
Detection info database
– Cloud service containing detection information (not real-time)
– Local detection information
Detection/prevention:
– Use IOCs to block delivery or execution of malware
– Use data to notify about suspicious behavior
(Live) inspection
Forensic and timeline information
Predictive solutions
Collection
– Collect malware
– Algorithms forecast future malware variants by generating derivatives of the collected samples
– Collect behavior information
Analysis
– Derivatives and behavior information are used to train detectors
Protect
– Protect endpoints from future versions of malware
IKARUS APT
Host-based solution, not based on network traffic
Collect data
Provide visibility
Machine learning
Detect deviations
Data collection
Process activities
Thread activities
Network connections
Registry access
File access
…
Anomaly detection
Use the collected data to learn the benign behavior of a user
Once normal and abnormal behavior are known, any
deviation is considered suspicious
Send a notification once suspicious behavior is detected
Future steps
– Block execution of unwanted programs
– Generate IOCs to actively detect malicious behavior
Example:
– A user runs the same set of programs each day
– An executable that has never been executed before is started
– Create a notification about that event
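The example above (learn which executables a user normally runs, then notify on a never-before-seen executable) and the IOC-based blocking from the behavior-based solutions slide, worked through in code. This is an added illustration, not IKARUS code: the event format, the users, paths and shortened hashes, the IOC list and the training cut-off are all constructed assumptions. It also goes one step beyond the slide: a known path started with a new hash is reported separately, because that is what a replaced (trojanized) binary looks like, but it is also what a legitimate update looks like, so it stays a notification rather than a block.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample process-start telemetry (fictitious users, paths and
# hashes; not data from the slides). One event per line:
#   <ISO timestamp> | <user> | <executable path> | <SHA-256, shortened>
SAMPLE_EVENTS = """\
2015-02-02T08:01:10 | alice | C:\\Windows\\explorer.exe | 1a1a
2015-02-02T08:03:44 | alice | C:\\Program Files\\Outlook\\outlook.exe | 2b2b
2015-02-02T09:15:02 | alice | C:\\Program Files\\Chrome\\chrome.exe | 3c3c
2015-02-03T08:00:51 | alice | C:\\Windows\\explorer.exe | 1a1a
2015-02-03T08:02:12 | alice | C:\\Program Files\\Word\\winword.exe | 4d4d
2015-02-03T08:10:00 | bob | C:\\Windows\\explorer.exe | 1a1a
2015-02-03T08:12:30 | bob | C:\\Program Files\\Excel\\excel.exe | 5e5e
2015-02-04T08:01:09 | alice | C:\\Program Files\\Chrome\\chrome.exe | 3c3c
2015-02-05T08:04:40 | bob | C:\\Program Files\\Excel\\excel.exe | 5e5e
2015-02-09T08:02:00 | alice | C:\\Program Files\\Outlook\\outlook.exe | 2b2b
2015-02-09T08:05:17 | alice | C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.pdf.exe | 6f6f
2015-02-09T08:05:19 | alice | C:\\Windows\\System32\\cmd.exe | deadbeef
2015-02-09T08:20:00 | alice | C:\\Program Files\\Chrome\\chrome.exe | 7a7a
2015-02-09T09:00:00 | bob | C:\\Program Files\\Excel\\excel.exe | 5e5e
2015-02-09T09:30:00 | carol | C:\\Windows\\notepad.exe | 8b8b
"""

# Constructed IOC list (hypothetical known-bad hash), standing in for the
# local detection-information database.
IOC_HASHES = {"deadbeef"}

# Events before this point train the baseline; events from here on are inspected.
TRAINING_END = datetime(2015, 2, 9)


def parse_events(text):
    """Parse the pipe-delimited telemetry into dicts; paths are lowercased
    because Windows paths are case-insensitive."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, path, sha256 = (f.strip() for f in line.split("|"))
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "path": path.lower(), "sha256": sha256.lower()})
    return events


def learn_baseline(events, training_end):
    """Benign behaviour per user: path -> set of hashes seen before training_end."""
    baseline = defaultdict(lambda: defaultdict(set))
    for ev in events:
        if ev["ts"] < training_end:
            baseline[ev["user"]][ev["path"]].add(ev["sha256"])
    return baseline


def classify(ev, baseline, ioc_hashes):
    """Return an alert kind for one event, or None if it matches learned behaviour."""
    if ev["sha256"] in ioc_hashes:
        return "ioc-match"             # known-bad hash: block/alert regardless of baseline
    known = baseline.get(ev["user"])   # .get() so an unknown user is not added
    if not known:
        return "no-baseline"           # user never seen in training: no deviation to measure
    hashes = known.get(ev["path"])
    if hashes is None:
        return "never-seen-executable"  # the slide's example case
    if ev["sha256"] not in hashes:
        return "known-path-new-hash"   # replaced binary or a legitimate update: verify first
    return None


def detect(events, baseline, ioc_hashes, training_end):
    """Inspect events from training_end on; one (timestamp, user, kind, path) per alert."""
    alerts = []
    unbaselined_users = set()
    for ev in events:
        if ev["ts"] < training_end:
            continue
        kind = classify(ev, baseline, ioc_hashes)
        if kind == "no-baseline":
            if ev["user"] in unbaselined_users:
                continue               # one alert per unknown user, not one per process start
            unbaselined_users.add(ev["user"])
        if kind:
            alerts.append((ev["ts"].isoformat(), ev["user"], kind, ev["path"]))
    return alerts


def run_example():
    events = parse_events(SAMPLE_EVENTS)
    baseline = learn_baseline(events, TRAINING_END)
    return detect(events, baseline, IOC_HASHES, TRAINING_END)


if __name__ == "__main__":
    for alert in run_example():
        print(*alert)
```

On the constructed data this raises four notifications: alice's never-before-seen invoice.pdf.exe from a Temp directory, the cmd.exe start whose hash matches the IOC list, chrome.exe starting with a hash the baseline has never seen, and a single "no baseline" notice for carol. The per-user set of seen executables is the whole model here; a real deployment would also age the baseline and learn from time-of-day and parent-process context, which the slides list under data collection.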
The End!
"I think it's important to recognize that you can't have 100
per cent security and also then have 100 per cent privacy
and zero inconvenience"
Barack Obama about the NSA, San Jose, California, on June 7, 2013