APT-RISK-Dave-Shackleford by huanghengdong


Fighting Off an Advanced Persistent Threat & Defending Infrastructure and Data
Dave Shackleford
February, 2012
                Agenda
Attacks We’ve Seen

Advanced Threats…what’s that mean?

A Simple Example

What can we do? A cycle:
    Prevent
    Detect
    React
What are we seeing? (2009-2010)
 The attacks are getting worse
      More stealthy, more damaging, and aimed at longer-term
      compromises

 April 2009:
      Press reports (Wall Street Journal) that the US electrical grid
      had been penetrated by Chinese and Russian intruders
      US Joint Strike Fighter program compromised through
      contractor networks; the attackers encrypted the data as they
      took it, so investigators could not tell what was stolen

 June 2010:
      Stuxnet discovered, targeting the Siemens WinCC/Step7 SCADA
      software and the S7 PLCs it programs
What are we seeing in 2011-2012?
 RSA breach in March 2011
       SecurID token seed data compromised; the initial vector was
       social engineering (a spear-phishing email with an Excel
       attachment) carrying a 0-day Flash exploit

 Lockheed Martin attacked two months later using
 fake (cloned) SecurID tokens built from the stolen seeds
       Possibly other victims too, including Northrop
       Grumman

 Citigroup hacked in June 2011
       210,000 customer records initially reported exposed; Citi
       later revised the figure to roughly 360,000

 And there is plenty of “hacktivist” targeting
 happening, from LulzSec and Anonymous
         What’s an “APT”?
The APT is…
     A more methodical, professional attack conducted by
     well-organized and possibly well-funded attackers

The APT is NOT…
     Just malware. Or any one attack.

We’ve settled on this term for anything even
remotely sophisticated or targeted

Is this a cop out?
     Are all of these breaches that sophisticated at all?
 The APT: An Attack Cycle
The APT is really an
attack cycle:
    Reconnaissance
    Intrusion
    Backdoors and
    persistence
    Advancement
       Privilege
       escalation
       Data theft
       Additional attacks
    Maintenance
Advanced Attack Methods?
 The methods, techniques, and technology we see
 now, more than ever:
      Social engineering, especially phishing
      Use of 0-day exploits
      HTTP and HTTPS C&C channels (they blend in with
      ordinary outbound web traffic)
      Memory-resident payloads that leave little on disk
      Use of common document formats for delivery, such as
      PDF, DOC, XLS, etc.
      Focus on client-side software exploits (readers,
      browsers, plugins) rather than server-side ones
      Data-stealing components
A “Targeted Attack” Example
Competitor wants to gain access to R&D
documents
    They decide to target the firm’s engineers

Step 1: Recon

Step 2: Targeted Attack

Step 3: Gaining Access

Step 4: Command and Control

Step 5: Data Access/Exfiltration
        Step 1: Recon
[Diagram: Twitter -> Starbucks -> sniffing at the Starbucks]

          Captured:
          Email address (engineer@gmail.com)
          Friend’s email (engineer2@gmail.com)
          Interests (www.techstuff.com)
Step 2: Targeted Attack
Hey look! An email from Engineer2. With a catalog
attached!

[Screenshot of the phishing email, with two callouts: the sender is
spoofed, of course, and the attachment is what the target is most
certainly clicking]
Step 3: Gaining Access
The PDF gets clicked.
Code gets dropped.
The backdoor is opened.
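“The PDF gets clicked, code gets dropped.” A defender can catch many such attachments before they are opened by looking for the PDF features that carry or auto-run code. The script below is an added example written for this page, not the presenter’s code or any product’s: it looks in raw PDF bytes for the name objects that mark auto-execution (/OpenAction, /AA) and active content (/JavaScript, /JS, /Launch, /EmbeddedFile, /RichMedia, /XFA), after decoding the #xx hex escapes that evasive samples use to disguise those names (a /J#61vaScript is still JavaScript to the reader). The two sample PDFs are constructed inline for illustration. Its limits are real: it does not inflate compressed object streams, so a name hidden inside a FlateDecode’d /ObjStm will be missed, and a hit is a triage signal, not proof of malice.

```python
import re

# PDF name objects worth a second look. The first two make the reader
# run something automatically; the rest mark active or embedded content.
AUTO_RUN_NAMES = ("/OpenAction", "/AA")
ACTIVE_NAMES = ("/JavaScript", "/JS", "/Launch", "/EmbeddedFile",
                "/RichMedia", "/XFA")

# PDF names may spell any byte as #xx (e.g. /J#61vaScript == /JavaScript).
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so disguised names match the plain spelling.
    For triage it is applied to the whole file; the odd '#' inside a
    content stream decodes harmlessly."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Count suspicious names plus the object/stream totals an analyst
    compares against (few objects, no streams, but JavaScript is a
    classic dropper profile). Does not decompress /ObjStm containers."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("missing %PDF- header")
    text = normalize_names(data)
    counts = {}
    for name in AUTO_RUN_NAMES + ACTIVE_NAMES:
        # A name ends at a delimiter, so /JS must not match /JSX etc.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        hits = len(re.findall(pattern, text))
        if hits:
            counts[name] = hits
    counts["objects"] = len(re.findall(rb"\d+\s+\d+\s+obj\b", text))
    counts["streams"] = len(re.findall(rb"\bstream\b", text))
    return counts


def triage(data: bytes) -> tuple[str, dict]:
    """Return (verdict, counts). A file that both auto-runs and carries
    active content matches the catalog-that-drops-a-backdoor attachment
    from the scenario."""
    counts = scan_pdf(data)
    auto = any(n in counts for n in AUTO_RUN_NAMES)
    active = any(n in counts for n in ACTIVE_NAMES)
    if auto and active:
        return "suspicious: auto-executing active content", counts
    if active:
        return "review: active content present", counts
    return "likely benign", counts


# Constructed sample 1: a harmless one-page "catalog" PDF.
SAMPLE_BENIGN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 44 >>
stream
BT /F1 12 Tf 72 720 Td (Product catalog) Tj ET
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample 2: the catalog auto-runs JavaScript on open, and the
# action name is hex-escaped (/J#61vaScript) the way evasive files do it.
SAMPLE_EVASIVE = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /J#61vaScript /JS (app.alert\\(1\\);) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, pdf in (("benign", SAMPLE_BENIGN), ("evasive", SAMPLE_EVASIVE)):
        verdict, counts = triage(pdf)
        print(f"{label:8s} {verdict} {counts}")
```

Run it on a real attachment with `triage(open(path, "rb").read())`; a file that reports /OpenAction plus /JavaScript and only a handful of objects deserves sandbox detonation before anyone double-clicks it.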
Step 4: Command & Control
The attacker connects back to the listening port
    A more likely scenario would be the other way around:
    an outbound connection from the victim, either a reverse
    shell (“shoveling shell”) or a more robust bot/rootkit that
    checks in over HTTP/HTTPS, since that direction is rarely
    blocked
 Step 5: Adios to the Data
At this point, the attacker
could do any number of things
to move sensitive data out
    FTP/SFTP
    SSH/SCP
    Custom channels, e.g. Base64-encoded
    data over UDP (note that Base64 is an
    encoding, not encryption: it only hides
    the data from casual inspection)
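Steps 4 and 5 both leave a trace in outbound traffic: a bot that checks in on a timer over HTTP/HTTPS (the C&C channels listed under attack methods) produces near-constant intervals between requests, and a bulk exfiltration produces one upload far larger than the implant’s usual check-ins. The script below is an added example for this page, not the presenter’s code: it runs those two detections over constructed proxy-log lines. The log format, client addresses and hosts are made up for the example, and update.techstuff-cdn.example is a hypothetical C&C domain chosen to resemble the engineer’s interest site from the recon step.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed proxy log for the example (not real traffic):
# timestamp  client  destination-host  method  bytes-sent-by-client
LOG = """\
2012-02-01T09:00:00 10.0.0.15 update.techstuff-cdn.example POST 412
2012-02-01T09:00:13 10.0.0.15 www.techstuff.com GET 310
2012-02-01T09:01:00 10.0.0.15 update.techstuff-cdn.example POST 418
2012-02-01T09:02:01 10.0.0.15 update.techstuff-cdn.example POST 409
2012-02-01T09:02:40 10.0.0.15 mail.google.com GET 290
2012-02-01T09:03:00 10.0.0.15 update.techstuff-cdn.example POST 415
2012-02-01T09:04:00 10.0.0.15 update.techstuff-cdn.example POST 6291456
2012-02-01T09:05:01 10.0.0.15 update.techstuff-cdn.example POST 411
2012-02-01T09:00:05 10.0.0.22 www.techstuff.com GET 305
2012-02-01T09:07:30 10.0.0.22 mail.google.com GET 280
2012-02-01T09:31:10 10.0.0.22 www.techstuff.com GET 300
"""


def parse(log: str) -> list:
    """Split the constructed log into (timestamp, client, host, method, bytes)."""
    rows = []
    for line in log.splitlines():
        ts, src, dst, method, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, method, int(nbytes)))
    return rows


def find_beacons(rows, min_hits: int = 5, max_cv: float = 0.15) -> dict:
    """Flag (client, host) pairs whose inter-request gaps are nearly
    constant. A timer-driven implant has a low coefficient of variation
    (stdev/mean); a person browsing does not. Real implants add jitter,
    so max_cv is a tuning knob, not a constant of nature."""
    stamps = defaultdict(list)
    for ts, src, dst, _method, _nbytes in rows:
        stamps[(src, dst)].append(ts)
    beacons = {}
    for pair, times in stamps.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mu = mean(gaps)
        cv = pstdev(gaps) / mu if mu > 0 else float("inf")
        if cv <= max_cv:
            beacons[pair] = {"hits": len(times), "period_s": round(mu), "cv": round(cv, 3)}
    return beacons


def find_outbound_spikes(rows, factor: int = 50, floor: int = 1_000_000) -> list:
    """Flag a single upload that dwarfs the client's usual traffic to that
    host: a multi-megabyte POST from a client that otherwise sends a few
    hundred bytes per check-in is data leaving, not a check-in."""
    sizes = defaultdict(list)
    for ts, src, dst, _method, nbytes in rows:
        sizes[(src, dst)].append((ts, nbytes))
    spikes = []
    for pair, items in sizes.items():
        typical = median(n for _, n in items)
        for ts, n in items:
            if n >= floor and n > factor * typical:
                spikes.append((pair, ts.isoformat(), n))
    return spikes


if __name__ == "__main__":
    rows = parse(LOG)
    for pair, info in find_beacons(rows).items():
        print("beacon:", pair, info)
    for pair, when, n in find_outbound_spikes(rows):
        print("spike: ", pair, when, n)
```

On the sample the beacon check flags 10.0.0.15 talking to the C&C host every 60 seconds with almost no jitter, and the spike check flags the single 6 MB POST in the middle of those check-ins; the engineer’s real browsing to www.techstuff.com and webmail is left alone. Against real proxy logs, raise min_hits and widen max_cv a little, and consider the destination’s age and popularity as additional features, because legitimate software updaters also beacon on a timer.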
Today’s Security Programs
[Figure: how most security shops spend their time, split among three
goals: Decrease Risk, Increase Security, Maintain Compliance]
Changing our Risk Profile

Today’s attacks require a different focus:
1.   Prevention techniques should protect you from 80% or
     more of the issues
2.   Detection techniques should be focused on continuous
     monitoring
3.   Reaction will inevitably be needed, and that capability
     should be focused on speed and thoroughness

If 90% of our effort goes into detection and reaction, we are
just doing “knee jerk” security
     This is bad.
   Prevention: Education
Educating users about the dangers of the Internet
(!) is important
    Browsing safely
    Not giving out personal or sensitive information over
    the phone
    Separating work and personal life on social media
    networks
    Being wary of links and emails with attachments

However, many security awareness programs
don’t seem to work well - why?
Prevention: Communication
 Risk needs to be articulated in audience-specific
 formats
 What are the best ways to communicate and
 work with groups internally & externally?
 Internally:
      Proactive communications: Share news stories and
      new threat information with executive management, IT
      management, and employees (via newsletter or
      Intranet)

 Externally:
       Develop and nurture contacts and relationships with
       law enforcement, ISPs, and key partners and customers
       Set a “threshold” or “trigger” for when to communicate
       potential issues to them
Prevention: Testing Yourself

 Find holes before attackers do!
 Prove that security issues exist to skeptical
 management
 Raise overall security awareness
 Verify secure system configurations
 Test new technology
 Discover gaps in compliance posture and satisfy
 legal, industry and/or governmental
 requirements such as HIPAA, SOX or PCI DSS.
Prioritized and risk-focused remediation guidance
 Define what is important to you in terms of
 risk
      Confidentiality for PII and other data?
      Availability concerns with systems and apps?
      Integrity, against MitM and other tampering attacks?

 Build on this for the report
      Ensure both attacks and successful exploits
      are framed in the context of priorities to your
      business

 Any VA/PT should be focused on your
 actual risks – not just a scan or exploit
 to prove you’re vulnerable
    Pen Testing Metrics
What kinds of metrics make
sense for penetration testing
and vulnerability assessments?

For more continual vulnerability
assessments:
      Number of vulnerabilities found
      Criticality and types of
      vulnerabilities
      Percentage of systems/apps
      scanned
      Number of “unowned” or
      questionable assets detected

For penetration tests, the key is a
baseline:
      How many critical vulnerabilities
      were found vs. the last test?
      User accounts / passwords
      compromised
      Data records accessed (or similar)
 The Rub: Wrapping Up
The “APT” is not malware, or one specific type of
attack

Any targeted attacks with forethought, custom
exploits or malware, and social engineering will
likely fall into the “APT” realm

Embedded document code is a very common
attack vector

We have a huge gap in our risk profile right now:
PROACTIVE ASSESSMENT

Better knowledge of attack vectors = better
security overall.
Final Discussion & Questions


     Thanks for attending!

								