Advanced Persistent Threat _APT_ - CSI Services Inc

What is it?

• Mandiant defines the APT as a group of sophisticated, determined and coordinated attackers that have been systematically compromising U.S. Government and Commercial networks for years. The vast majority of APT activity observed by Mandiant has been linked to China.

• APT is a term coined by the U.S. Air Force in 2006.
APT

• Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target’s posture.

• Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives.

• Threat means the adversary is not a piece of mindless code. This point is crucial. Some people throw around the term “threat” with reference to malware. If malware had no human attached to it (someone to control the victim, read the stolen data, etc.), then most malware would be of little worry (as long as it didn’t degrade or deny data). Rather, the adversary here is a threat because it is organized and funded and motivated. Some people speak of multiple “groups” consisting of dedicated “crews” with various missions.

Source: Richard Bejtlich’s Blog
Cyberattacks Push CSIS to Reach Out to Business

“Although Canada is relatively small compared with the U.S., Intelligence officials have said that leading companies in several sectors – aerospace, biotech, oil, military and communications – make it attractive to foreign spies.”

Globe and Mail – 2010.03.09
M-Trends Quotes

• “The scale, operation and logistics of conducting these attacks – against the government, commercial and private sectors – indicates that they’re state-sponsored.”

• “Superbly capable teams of attackers successfully expanded their intrusions at government and defence-related targets . . . to researchers, manufacturers, law firms, and even non-profits.”

• “The APT successfully compromises any target it desires. Conventional information security defences don’t work. The attackers successfully evade anti-virus, network intrusion detection and other best practices. They can even defeat incident responders, remaining undetected inside the target’s network, all while their target believes they’ve been eradicated.”
Offence vs. Defence

“Given that the offence has the advantage of no legacy drag, the offence’s ability to insert innovation into its product mix is unconstrained. By contrast, the CIO who does the least that can be gotten away with only increases the frequency of having to do something, not the net total work deficit pending.” – Dan Geer on APT

In other words:
• Offence – No legacy drag
• Defence – Expends work each day and never catches up
APT’s Objectives

• Political
  - Includes suppression of their own population for stability
• Economic
  - Theft of IP, to gain competitive advantage
• Technical
  - Obtain source code for further exploit development
• Military
  - Identifying weaknesses that allow inferior military forces to defeat superior military forces
Targeting and Exploitation Cycle

Reconnaissance

• In multiple cases, Mandiant identified a number of public website pages from which a victim’s contact information was extracted and subsequently used in targeted social engineering messages.
Initial Intrusion into the Network

• The most common and successful method has been the use of social engineering combined with email.
• The spoofed email will contain an attachment or a link to a zip file. The zip file will contain one of several different intrusion techniques:
  - A CHM file containing malware
  - A Microsoft Office document exploit
  - Some other client software exploit, like an Adobe Reader exploit
• The attackers typically operate late in the night (U.S. time) between the hours of 10 p.m. and 4 a.m. These times correlate to daytime in China.
Establish a Backdoor into the Network

• Attempt to obtain domain administrative credentials . . . Transfer the credentials out of the network.
• The attackers then established a stronger foothold in the environment by moving laterally through the network and installing multiple backdoors with different configurations.
• The malware is installed with system level privileges through the use of process injection, registry modification or scheduled services.
• Malware characteristics:
  - Malware is continually updated
  - Malware uses encryption and obfuscation techniques on its network traffic
  - The attackers’ malware uses built-in Microsoft libraries
  - The attackers’ malware uses legitimate user credentials so they can better blend in with typical user activity
  - Does not listen for inbound connections
Obtain User Credentials

• The attackers often target domain controllers to obtain user accounts and corresponding password hashes en masse.
• The attackers also obtain local credentials from compromised systems.
• The APT intruders access approximately 40 systems on a victim network using compromised credentials.
• Mandiant has seen as few as 10 compromised systems to in excess of 150 compromised systems.
Install Various Utilities

• Program functionality includes:
  - Installing backdoors
  - Dumping passwords
  - Obtaining email from servers
  - Listing running processes
  - Many other tasks
• More malware characteristics:
  - Only 24% detected by security software
  - Utilize spoofed SSL certificates (e.g. Microsoft, Yahoo)
  - Most NOT packed
  - Common file names (e.g. Svchost.exe, iexplore.exe)
  - Malware in sleep mode from a few weeks to a few months to up to a year
  - Target executives’ systems
  - Use of a stub file to download malware into memory (minimal forensic footprint)
Privilege Escalation / Lateral Movement / Data Exfiltration

• Once a secure foothold has been established:
  - Exfiltrate data such as emails and attachments, or files residing on user workstations or project file servers
  - The data is usually compressed and put into a password-protected RAR or Microsoft Cabinet file
  - They often use “Staging Servers” to aggregate the data they intend to steal
  - They then delete the compressed files they exfiltrated from the “Staging Servers”
Maintain Persistence

• As the attackers detect remediation, they will attempt to establish additional footholds and improve the sophistication of their malware.
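Two traits of the cycle above are observable in centralised logon data: the 10 p.m. to 4 a.m. operating window and the use of compromised credentials against many systems. The following is an added example, not code from the deck or from Mandiant, that flags accounts reaching an unusual number of distinct hosts overnight; the logon record format, the SAMPLE_AUTH_LOG data and the min_hosts threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed, centralised logon records (assumed format): time the logon
# occurred, account, system it authenticated to. One account reaches five
# hosts overnight; the others behave normally.
SAMPLE_AUTH_LOG = """\
2010-03-01 23:05:12,CORP\\jdoe,FS01
2010-03-01 23:06:40,CORP\\jdoe,FS02
2010-03-01 23:08:01,CORP\\jdoe,WS-0113
2010-03-01 23:10:55,CORP\\jdoe,WS-0117
2010-03-02 00:02:19,CORP\\jdoe,DC01
2010-03-02 02:30:00,CORP\\backup,FS01
2010-03-02 09:15:00,CORP\\asmith,FS01
2010-03-02 09:16:00,CORP\\asmith,MAIL01
"""

# The overnight window the deck cites (10 p.m. to 4 a.m. local time).
OFF_HOURS_START, OFF_HOURS_END = 22, 4

def is_off_hours(ts):
    """True when ts falls in the overnight window that wraps past midnight."""
    return ts.hour >= OFF_HOURS_START or ts.hour < OFF_HOURS_END

def parse_auth_log(text):
    """Parse 'time,account,target' lines into (datetime, account, target)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, account, target = line.split(",")
            events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                           account, target))
    return events

def find_off_hours_fanout(events, min_hosts=4):
    """Accounts that authenticated to at least min_hosts distinct systems
    during off-hours, mapped to the sorted list of those systems. The
    threshold is an assumed tuning value; the deck reports roughly 40
    systems reached with compromised credentials in real cases."""
    targets = defaultdict(set)
    for ts, account, target in events:
        if is_off_hours(ts):
            targets[account].add(target)
    return {acct: sorted(hosts) for acct, hosts in targets.items()
            if len(hosts) >= min_hosts}
```

Service accounts that legitimately run overnight jobs (the CORP\backup account here) will need an allow-list or a higher threshold before this is useful as an alert.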
Preparation and Detection

• Preparation
  - Follow industry compliance guidelines:
    - Robust logging
    - Servers and workstations will be more secure
    - User credentials will be harder to crack
    - Security appliances will be strategically distributed
• Detection
  - “You have to be able to look for complex signs of compromise; integrate host-based and network-based information; and go far beyond simple anti-virus and network intrusion detection. You need to look inside packets, files, e-mail – and even live memory of systems that are still running.”
What Can We Do?

• Your network MUST be:
  - Defensible
  - Hostile
  - Fertile
Defensible

• You need near-realtime access to:
  - Active Directory
  - DHCP
  - VPN
  - Web Proxy
  - IDS/IPS
  - Firewall/Router ACL
  - HIDS/HIPS
  - Antivirus
  - Server Event Logs
  - Workstation Event Logs
  - Software Management
  - Vulnerability Scans
Defensible

• Know the boundaries of your network
  - Where it begins and where it ends
• Know what should be in your network
• Segment your network and use DMZs
• Where there is a firewall, there should also be an IDS and network monitoring
• Standardize your hardware and software
• Know where accounts authenticate

Hostile

• Baseline network traffic
• Do not allow public facing devices to connect directly to internal domain controllers
• Limit administrative privileges to users
• Develop data collection and analysis guidelines that help in decreasing the amount of time an attacker goes undetected

GOAL: Make it as difficult as possible for an attacker to compromise and reside in your network
Fertile

• Your network should be a breeding ground of forensic and investigative data:
  1.   Proxy Logs
  2.   Authentication Logs
  3.   IDS Alerts
  4.   Host-based Logs
  5.   Firewall Logs
  6.   Full Content Traffic Captures
  7.   Netflow
Investigation – Required Info

• Develop Overview of Enterprise Infrastructure
  - List of all DNS & DHCP servers
  - List of all Internet points of presence
  - List of all VPN concentrators
  - Network diagram of core network infrastructure
  - Compile the rule set of core firewalls
  - Ensure GPO(s) log failed and successful log-on attempts
  - Ensure all items logged centrally

• Centralize the Storage of Key Logs
  - Integrate key logs (firewall, VPN, DHCP, DNS, etc.) into a SIEM
  - At a minimum store key logs in a central location

• Implement Robust Logging
  - Ensure both Success and Failure audits are being logged on all systems
  - Increase the amount of storage for logs so they are not overwritten
  - AV and IDS to centralized logging utility
  - Firewall traffic logs to centralized utility (packet contents not required)
  - Web Proxy (date/time, hostname, IP address pairing, URL browsed info)
  - VPN Concentrators (hostname and IP address pairing, date/time)
  - DHCP (hostname and IP address pairing, date/time)
  - DNS (queried domain name and system performing the query)
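The “hostname and IP address pairing, date/time” that the slide asks DHCP, VPN and proxy logs to carry matters because an address changes hands as leases turn over, so a plain IP-to-hostname join blames the wrong machine. The following added example (not from the deck) resolves each proxy-log entry to the host holding that IP at that moment; the CSV layouts and the SAMPLE_DHCP / SAMPLE_PROXY records are constructed assumptions.

```python
import bisect
from collections import defaultdict
from datetime import datetime

# Constructed DHCP lease records (assumed format): lease start, IP, hostname.
# The same IP is leased to two different hosts during the day.
SAMPLE_DHCP = """\
2010-03-01 08:00:00,10.1.5.20,WS-0113
2010-03-01 12:30:00,10.1.5.20,WS-0042
2010-03-01 08:05:00,10.1.5.21,WS-0117
"""
# Constructed web proxy records (assumed format): time, client IP, URL.
SAMPLE_PROXY = """\
2010-03-01 09:10:00,10.1.5.20,http://update.example.net/pkg.cab
2010-03-01 13:45:00,10.1.5.20,http://update.example.net/pkg.cab
2010-03-01 23:15:00,10.1.5.21,http://stage.example.org/up.rar
"""

def parse_rows(text):
    """Parse 'time,field1,field2' lines into (datetime, field1, field2)."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, a, b = line.split(",", 2)
            rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), a, b))
    return rows

def build_lease_index(dhcp_rows):
    """Per IP, a time-ordered list of (lease_start, hostname)."""
    index = defaultdict(list)
    for ts, ip, host in sorted(dhcp_rows):
        index[ip].append((ts, host))
    return index

def host_at(index, ip, ts):
    """Hostname that held ip at time ts (latest lease started at or before
    ts), or None when no lease for that IP had started yet."""
    leases = index.get(ip, [])
    starts = [start for start, _ in leases]
    pos = bisect.bisect_right(starts, ts) - 1
    return leases[pos][1] if pos >= 0 else None

def attribute_proxy(dhcp_text, proxy_text):
    """Join proxy entries to hostnames via the lease active at that time;
    an IP-only join would blame WS-0113 for WS-0042's 13:45 request."""
    index = build_lease_index(parse_rows(dhcp_text))
    return [(ts.strftime("%Y-%m-%d %H:%M:%S"), host_at(index, ip, ts), url)
            for ts, ip, url in parse_rows(proxy_text)]
```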
Initial DATA Collection Timeframe

Activity                          Activity Begins   Completion
Live Data Collection              Under 4 Hours     4 Hours
Disk Duplication                  Under 4 Hours     2 Days
IDS Log Collection                Under 2 Hours     4 Hours
Active Directory Log Collection   Under 2 Hours     4 Hours
Anti-Virus Log Collection         Under 2 Hours     4 Hours
Firewall Log Collection           Under 2 Hours     4 Hours
Desired Data Analysis Timeframe

Activity                       Confirm Compromise                                   In-Depth Inspection
Review Live Data               Under 1 Hour                                         4 Hours
Review Forensic Images         Under 4 Hours                                        2 – 3 Days
Review IDS Logs                Requires Known Indicators / Custom Signatures        Real-Time Alerting
Review Active Directory Logs   Requires Known Indicators (Normal Logon Behaviour)   Unknown
Review Firewall Logs           Requires Known Indicators                            Unknown
Mandiant Intelligent Response

• Combating the APT is a protracted event, requiring a sustained effort to rid your networks of the threat. Therefore, the APT requires the victim organization to perform the following tasks more rapidly, efficiently, and effectively:
  - Detect compromised systems
  - Collect evidence
  - Analyze data
  - Remediate threats
Another Approach - Awareness

• Not really an either/or scenario.
• The APT history shows an initial entry vector to the network through spear phishing.
• It’s MUCH easier to gain entry through tricking an employee to click on a link than finesse your way through a firewall.
• The following is one example of a good awareness program for enlightening your staff to the dangers of spear phishing.
What is PhishMe.com?

• Web-based platform that facilitates the execution of mock phishing exercises and user awareness training
• Easy setup
• Real metrics*
• Targeted awareness training

* We do NOT collect or store passwords. Only detect if they were entered.
Easy Setup

Real Metrics

• Measuring improvement
• 24,000 employees
• 3 times in a 12 month period
• Significant Improvement
Targeted Awareness Training

Employees found to be susceptible can immediately be redirected to:

•   Internal corporate training websites
•   PhishMe’s built-in educational message
•   PhishMe’s educational comic strip
•   Generic message non-indicative of the underlying
    activity
What It Boils Down To…

• Mining publicly available information
• Executing a spear phish
• Pushing malware to the victim machines
  - Advanced
    - Bypasses Anti-Spam/Anti-Phishing/Anti-Virus
    - Difficult to detect (little to no footprint in the file system)
  - Persistent
    - Dynamically evolves (polymorphic)
Proven Results

• 10,000 employees “phished”
  - First run: 75% opened email, 17% clicked the link
  - Second run: ONLY 8% opened the email

• 500 cadets “phished”
  - 80% found vulnerable

Source: Wall Street Journal
We Were Forewarned

Conclusion

• The APT is everyone’s problem. No target is too small, or too obscure, or too well-known, or too vulnerable. It’s not spy-vs.-spy, but spy-vs.-everyone.
• This is a war of attrition against an enemy with extensive resources. It is a long fight, one that never ends.
• They steal information to achieve economic, political and strategic advantage.
• They establish and maintain an occupying force in their target’s environment.
• They steal between $40 billion and $50 billion in intellectual property from U.S. organizations each year.
The Last Word to Kevin Mandia

“As attacks have migrated from targeting systems via exploits to targeting people, security breaches are growing in number and sophistication. Therefore, it is no longer acceptable to rely exclusively on preventative measures . . .”
Sources of Information

• Richard Bejtlich’s Blog, 2009.10.22: Report on Chinese Government Sponsored Cyber Activities
• Richard Bejtlich’s Blog, 2010.01.16: What is APT and What Does it Want
• Mandiant, M-Trends, 2010.01.25: The advanced persistent threat
• The Globe and Mail, 2010.03.09: Cyberattacks push CSIS to reach out to business
• SANS Forensic Summit 2008, 2008.10.14, presentation: Slaying the Red Dragon: Remediating the China Cyber Threat by Mandiant
Contact Info

Rick Lee – CISSP, EnCE, CHFI, CEH, CEI

C.S.I. Services Inc.
(306) 949-6125 - Office
(306) 591-4514 - Cell
rick.lee@sasktel.net
www.csiservices.ca