Advanced Persistent Threat and Effective Counter Actions - Dave Whipple - 03-04-2011
Advanced Persistent Threat
Effective Counter Actions

Briefing to Secretary of Defense
Meeting Agenda

• Who am I?

• Advanced Persistent Threat
  How did they do that?

• Case Study
  My experience in the wild...

• Effective Counter Measures
  What has 30 years taught me…

Now let's look at a few problems…
How's your Calculus?

My Background

Know the Enemy…

He who knows the enemy and himself will never in
a hundred battles be at risk; He who does not know
the enemy but knows himself will sometimes win
and sometimes lose; He who knows neither the
enemy nor himself will be at risk in every battle.
(Sun Tzu, The Art of War)
Advanced Persistent Threat (APT)

MI5 says the Chinese government “represents
one of the most significant espionage threats”

What is it?

Mandiant defines the APT as a group of
sophisticated, determined and coordinated
attackers that have been systematically
compromising U.S. Government and
Commercial networks for years. The vast
majority of APT activity observed by Mandiant
has been linked to China.

APT is a term coined by the U.S. Air Force in
Advanced Persistent Threat

• Advanced means the adversary can operate in the full spectrum of
  computer intrusion. They can use the most pedestrian publicly available
  exploit against a well-known vulnerability, or they can elevate their
  game to research new vulnerabilities and develop custom exploits,
  depending on the target’s posture.
• Persistent means the adversary is formally tasked to accomplish a
  mission. They are not opportunistic intruders. Like an intelligence unit
  they receive directives and work to satisfy their masters. Persistent
  does not necessarily mean they need to constantly execute malicious
  code on victim computers. Rather, they maintain the level of interaction
  needed to execute their objectives.
• Threat means the adversary is not a piece of mindless code. This point
  is crucial. Some people throw around the term “threat” with reference to
  malware. If malware had no human attached to it (someone to control
  the victim, read the stolen data, etc.), then most malware would be of
  little worry (as long as it didn’t degrade or deny data). Rather, the
  adversary here is a threat because it is organized and funded and
  motivated. Some people speak of multiple “groups” consisting of
  dedicated “crews” with various missions.

Source: Richard Bejtlich’s Blog
Threat Landscape
Targeting and Exploitation Cycle
APT’s Objectives

• Political
  Includes suppression of their own population for stability

• Economic
  Theft of IP, to gain competitive advantage

• Technical
  Obtain source code for further exploit development

• Military
  Identifying weaknesses that allow inferior military forces
  to defeat superior military forces
Recon / Intelligence

• Systems, resources, connections
  (Easier to attack a trusted partner?)
    • (E.g., target’s ISP, legal firm, contractor?)

• Individuals of interest
  (Good targets for spear phishing?)

• Possible access methods
  (Attacks on systems, partners, people)
Initial Intrusion

• Spear phishing is pretty common
  (Because it works well enough; our defenses are weak.)
  Email to one or more targeted individuals
    • Spoofed follow-up to conference, meeting, etc.
    • Or email “follow-up” to customer complaint …
  Malware payload
    • Zip file typical (harder to scan for malware)
    • Different people may get different attacks
  If even one attack works, they’re in
Looks Real, Doesn't it?
What about this one?
What about my dream Job?
There is no safe Porn site!!!

• Install additional malware
  Multiple copies (various locations)
  Different kinds & configurations

• Crack & exfiltrate credentials
  For re-login from outside (unusual)

• Provide for malware updates

(To look like a local user/admin)
• Identify local usernames
  Active Directory
  Local machine user database

• Attack local authentication data
  Password guessing (Nvidia CUDA GPU)
  Brute-force decryption

• Backdoor install
• Password dump
• Get email
• List processes
  (Normal, useful stuff)
  (Doesn’t trip AV alarms)

• Disguise via RAR, CAB, encryption
  (Make it difficult to see what’s leaving)

• Multiple hops to final destination
  (Harder to ID where data is going)
  Outgoing connections only, IP tunnel, etc.

• Expect discovery of more tricks
  Piggyback on other traffic? Slow torrent?
Command / Control

• Outgoing connections preferred
  Firewall less of an issue (counting on it to stop this is the mistake)

• Imitates “normal” traffic
  Looks like (but isn’t) Windows Update
  Looks like chat, actually a C/C rendezvous
  C/C in web comments & image headers

• Scanner signatures more difficult to find
  Random content, multiple layers of encryption
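Content signatures fail against randomised, multiply-encrypted C/C traffic, but an implant that phones home on a schedule still leaves its cadence in the connection log. The following is an added example, not code from the deck: it parses a constructed outbound-connection log (hosts, addresses and the line format are assumed for illustration) and flags source/destination pairs whose inter-connection gaps are too regular to be a person browsing, which is the "know what normal looks like" check applied to data going out.

```python
"""Beacon detection over outbound-connection records (added example).

Looks for the C/C pattern the slides describe: an internal host calling the
same destination on a fixed cadence so that it blends in with HTTPS or
update traffic. Signature scanning cannot see into encrypted or randomised
content, but timing regularity is hard for an implant to hide.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not a real capture). One line per outbound
# connection: "<ISO timestamp> <src> <dst:port> <bytes_out> <bytes_in>".
# 10.1.1.20 beacons every ~300 s; 10.1.1.21 is a user browsing;
# 10.1.1.22 has two evenly spaced hits, too few to judge.
SAMPLE_LOG = """\
2011-03-04T08:00:00 10.1.1.20 203.0.113.7:443 412 1290
2011-03-04T08:00:13 10.1.1.21 198.51.100.5:443 9030 220410
2011-03-04T08:00:20 10.1.1.21 198.51.100.5:443 1144 48211
2011-03-04T08:03:45 10.1.1.21 198.51.100.5:443 2210 91002
2011-03-04T08:05:01 10.1.1.20 203.0.113.7:443 418 1301
2011-03-04T08:10:00 10.1.1.20 203.0.113.7:443 409 1288
2011-03-04T08:12:02 10.1.1.21 198.51.100.5:443 775 30320
2011-03-04T08:12:07 10.1.1.21 198.51.100.5:443 6120 150900
2011-03-04T08:15:02 10.1.1.20 203.0.113.7:443 415 1295
2011-03-04T08:19:59 10.1.1.20 203.0.113.7:443 411 1290
2011-03-04T08:25:00 10.1.1.20 203.0.113.7:443 420 1299
2011-03-04T08:30:01 10.1.1.20 203.0.113.7:443 414 1288
2011-03-04T08:30:51 10.1.1.21 198.51.100.5:443 3310 88000
2011-03-04T08:31:10 10.1.1.21 198.51.100.5:443 880 12040
2011-03-04T08:35:00 10.1.1.20 203.0.113.7:443 416 1301
2011-03-04T08:40:00 10.1.1.20 203.0.113.7:443 413 1290
2011-03-04T08:44:58 10.1.1.20 203.0.113.7:443 417 1297
2011-03-04T08:50:00 10.1.1.21 198.51.100.5:443 512 20010
2011-03-04T08:50:01 10.1.1.20 203.0.113.7:443 410 1292
2011-03-04T08:52:30 10.1.1.22 192.0.2.9:443 300 5000
2011-03-04T08:55:00 10.1.1.20 203.0.113.7:443 419 1300
2011-03-04T08:57:30 10.1.1.22 192.0.2.9:443 300 5000
"""


def parse_log(text):
    """Parse the format above into (timestamp, src, dst, bytes_out, bytes_in)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, out_b, in_b = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(out_b), int(in_b)))
    return records


def find_beacons(records, min_count=6, max_cv=0.1):
    """Return {(src, dst): summary} for pairs whose connection timing is regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between successive connections: a small value means a fixed sleep
    interval, which a beaconing implant produces even with a little jitter.
    Pairs seen fewer than min_count times are skipped because a handful of
    gaps gives no statistical footing.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, out_b, in_b in records:
        by_pair[(src, dst)].append((ts, out_b, in_b))

    beacons = {}
    for pair, conns in by_pair.items():
        if len(conns) < min_count:
            continue
        conns.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(conns, conns[1:])]
        period = mean(gaps)
        if period == 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            beacons[pair] = {
                "count": len(conns),
                "period_s": round(period, 1),
                "cv": round(cv, 4),
                "bytes_out": sum(c[1] for c in conns),
                "bytes_in": sum(c[2] for c in conns),
            }
    return beacons


if __name__ == "__main__":
    for (src, dst), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: every {info['period_s']}s over "
              f"{info['count']} connections (cv={info['cv']})")
```

Two caveats a practitioner will hit: an implant that jitters its sleep by more than about 10% slips under the CV threshold, so in practice the threshold is tuned per environment and combined with the byte-volume fields (a beacon sends a near-constant small request each time); and legitimate software (NTP, license checks, monitoring agents) beacons too, so the output is a candidate list to allow-list against, not an alert by itself.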
APT Maintenance

• Tries to keep your system infected
  Multiple copies
  “Seeds” to re-infect
  Multiple small custom programs
  Leverage existing system components
  Updates, to change AV signatures
    • (Only 20% trip AV alarms – so change ‘em)
APT Case Study
Night Dragon – Oil Companies
APT Case Study

• Major Defense Contractor – Electronic Systems
• Attacks consistent with US-CERT CIIN-07-332-01
• Attackers had been in almost a year before being noticed
• Attacks came from Shandong Province
• Exfiltrated 20 GB; 360 GB staged and encrypted
• 8 known variants of malware
• Corporate PII from HR taken as well
APT Case Study - Methodology

• Poison Ivy
  Remote Admin
  Keystroke logger
• Mine Trojan
  Full Remote Admin
  Capture user credentials
  Exfiltrates Data
• MS Gina
  Password sniffer
  Remote RDP
Case Study – Process of Attack

• This information is on a Master Target List
• Search unclassified information using Google search operators
• Use Maltego to target an individual – Facebook / LinkedIn
• Get HR records – target the HR boss
• Send SE email to a VP (he had access to everything)
• Harvest user credentials – move laterally… harvest again
• Access servers – establish a test connection on port 53/443
• Access data – compress/encrypt
• Pass out port 53 or 443
• Done
SE - Email

• Use Maltego/Facebook/LinkedIn to find the weak
  link: someone who is possibly underappreciated
  /underpaid. Find the person who has a porn issue
  (the Eastern Bloc owns this), gambling (mostly US
  organized crime), or is searching for a new job
  (someone who is frustrated).
• Email the target and appeal to their pride! “We have
  conducted an exhaustive nationwide search for
  someone with these skills and you are in the top 3
  of your peers” “We are willing to fly you and your
  spouse to our Corporate Headquarters for an
What should we do?

• End the “Default Permit” mentality – sandbox everything coming in
• Enable “White Lists” for corporate user groups – kill all default
• Don’t allow “corporate users (n00bs)”
  to install their favorite software – take them
  out of the local Admin group on the local box
• Learn how to operate BackTrack 4
  – become proficient in Linux
Dave and Muts (Mati Aharoni)

• Don’t trust anyone…everyone on the inside of the network is a
• Know what “normal” looks like – data coming in, data going
What has 30 years taught me?

• You want a good job – then look like you want a good
• Polish your social skills for interviews
• Customers and Employers like
  certifications – get over it.
• Don’t be afraid to ask in an interview “What
  educational opportunities do you give your
• Always keep in mind your continuing
  education – you don’t want to be working
  for a young snot-nosed boss when you’re 55
