Advanced Persistent Threats (Shining the Light on the Industries' Best Kept Secret) - Will Gragido and John Pirc

BSidesSanFrancisco Advanced Persistent Threats (Shining the Light on the Industries' Best Kept Secret) Will Gragido | CISSP, CISA, IAM, IEM John Pirc | CEH, IAM, SANS Thought Leader Cassandra Security Analysis of the Security Industry and that it influences

2 Cassandra Security Analysis of the Security Industry and that it influences Agenda •  Introductions •  Advanced Persistent Threats – An Introduction •  Dynamic Shifts In the Threat Landscape •  Foreign Country Activity – Session Analysis Validation •  Subversive Multi-Vector Threats •  Gods of War: Blended Attacks •  Cryptovirology •  CrimeWare as a Service (CaaS) •  Question and Answer

Cassandra Security Analysis of the Security Industry and that it influences Advanced Persistent Threats: An Introduction •  Well Documented and •  Advanced Persistent Quite Old Threats” ▫  Earliest known instances ▫  Named by the United date to the early 1990s States Air Force   Department of Defense ▫  What’s old is new again: Parlance   “Events of Interest” Origination points ▫  State Sponsored   State sponsored infowar labs ▫  Industrial Espionage   Intelligence agencies ▫  Colloquially referred to as   The underground ‘events of interest’   Though not not necessarily in the same fashion which threats such as ‘MyDoom’, ‘CodeRed’, or ‘Sql Slammer’ did; this is simply not the case

Cassandra Security Analysis of the Security Industry and that it influences Advanced Persistent Threats: An Introduction •  Easy Definition for a Non- •  Sophistication Level: Trivial Challenge: ▫  Only as sophisticated as they ▫  Opportunistic form of cyber need to be attack developed and designed to ▫  Sophistication is determined and meet the needs of its architects in dictated by aggressors after compromising a specific system intelligence gathering has or group of systems in order occurred acquire and exfiltrate data to those behind the original attack •  Historical Targets of Opportunity & Interest: ▫  Military ▫  Intelligence ▫  Defense Intelligence Base ▫  High Tech (Intellectual Property  Lucent Technologies, Motorola etc.)

Cassandra Security Analysis of the Security Industry and that it influences Advanced Persistent Threats The Classics The Subversives SMT’s Eligible Moonlight Byzantine Operation Receiver Exxon Maze Foothold Shockwave 1997 1998 1999 2004 2007 2009 2010 Solar Titan US Power Aurora Sunrise Rain Grid

Cassandra Security Analysis of the Security Industry and that it influences Dynamic Shifts in Threat Landscape •  Your Father’s Internet ▫  Perimeters use to be will defined and so was the protection   Static & Informational   Firewall and AV saved the day   Web defacements and breaking into a network through open ports or OS vulnerabilities were par for the course •  Today’s Internet (Better have a virtual hazmat suit) ▫  Floating perimeters ▫  Dynamic, Interactive & Mobile ▫  App Driven ▫  Web browsers and plugins

Cassandra Security Analysis of the Security Industry and that it influences U.S. military OKs use of online social Seriously…Seriously? Washington (CNN) -- U.S. military personnel are officially allowed to tweet. That's the upshot of the Pentagon's long-awaited policy on rank and file personnel using online social media, unveiled Friday. The new rules authorize access to Facebook, Twitter, YouTube, and other social media Web sites from nonclassified government computers -- as long as such activity doesn't compromise operational security or involve prohibited activities or Web sites. •  Security Risk & Social Media Trade-off

Cassandra Security Analysis of the Security Industry and that it influences Hacking not Required Imagine the Possibilities

Cassandra Security Non-Intentional Act Intentional Act Analysis of the Security Industry and that it influences Routes to the Cyber Market Expertise + Motivation + Attack Vector = Result Email None Notoriety and Compromise of an Asset/Policy (Normal End-User) Attachments and/or Intellectual Property Destruction Novice IM,IRC,P2P (Script Kiddie) Espionage Money Corporate/Government Web Browsers Apps Intermediate Moral (Hacker for Hire) Agenda Open Ports Theft Expert Unwitting (Foreign Intel Service, Terrorist Organization and/or Organized Crime) Vulnerable Operating System Fame Fun

Foreign Country Activity – Drive-By Why Session Based Analysis in Needed! Compliments of Netwitness ;-) 1. Examine traffic to foreign countries 2. Follow the clues Cassandra Security Analysis of the Security Industry and that it influences

Cassandra Security Analysis of the Security Industry and that it influences Suspicious outbound traffic to various countries…. Destination China

Cassandra Security Analysis of the Security Industry and that it influences Instant Correlation Breadcrumb Mostly unknown service Executables exist

Cassandra Security Analysis of the Security Industry and that it influences Anti-Virus triggered on content rendering Breadcrumb JavaScript www.333292.com?? Must be bad… Get: 1.exe,2.exe,…

Cassandra Security Analysis of the Security Industry and that it influences Malicious Content in the same session Bogus 404 error Obfuscated JavaScript Executables downloaded

Cassandra Security Analysis of the Security Industry and that it influences Foreign Country Traffic Summary •  Scrutinize outbound traffic to China •  Unknown services with .exe transfers •  Content review triggered Anti-Virus - “Infostealer” •  Content review shows malicious obfuscated JavaScript and .exe downloads •  Classic drive-by exploit •  Rule Example: ▫  Dst.country = “China” && extension =“exe” •  FlexParse Example: ▫  Obfuscated Javascript patterns ▫  Executable file signatures – for those that don’t have correct extension

Subversive Multi-Vector Threats (SMTs) Cassandra Security Analysis of the Security Industry and that it influences

Cassandra Security Analysis of the Security Industry and that it influences Subversive Multi-Vector Threats •  Definition: •  Subversive Multi-Vector ▫  Highly sophisticated, well Threats (SMTs) are complex crafted, executed attacks unions of human intelligence, designed to use and exploit as information security, many possible threat vectors as communications intelligence / necessary to accomplish the signals intelligence missions milestones. What (COMINT)/ (SIGINT), and makes them different than other threats is the willingness to open source intelligence utilize people, process and (OPSINT) and differ greatly in technology weaknesses in order this sense from other threat to meet their ends classes such as the Advanced ▫  These threats are designed to, in Persistent Threat (APT), as a a dynamic fashion, place a result. (Gragido 12122009 greater or lesser amount of effort and emphasis in one area versus http:// another over time as dictated by cassandrasecurity.com/? the mission’s goals and the p=960) leadership behind them

Cassandra Security Analysis of the Security Industry and that it influences Subversive Multi-Factor Threats (SMT) and Advanced Persistent Threats (APT) •  Differ dramatically from other well- •  The greatest differences noted between known threat types in a number of ways, the types of threats some more obvious than others ▫  Lies in the targets of interest ▫  Approaches employed in selecting and exploiting the target ▫  Whether they be targets of opportunity or selected targets, exploitation mechanisms will vary in the world of the Subversive Multi-Vector Threats whereas in the world of the Advanced Persistent Threats (APT)   The avenues for exploitation may change though their overall relevance is entrenched in the realm of the technical ▫  As such, APTs, contrary to popular belief are focused and rely upon technological vulnerabilities present within a system or enterprise in order meet its goals ▫  Not so with the Subversive Multi-Vector Threat   These threats are not bound to technology alone as an avenue of exploitation but rather often assess both people and process weakness equally in order to identify the path of least resistance while capitalizing upon the weakness of others.

Cassandra Security Analysis of the Security Industry and that it influences Identifying and Addressing Subversive Multi-Vector Threats (SMT) •  Uncompromising Diligence Is Required •  Subversive Multi-Vector Threats (SMTs) ▫  Employment of intellectual honesty •  Progressive approaches required   Reality dictates we will be targeted ▫  Creativity   “When” not “If” ▫  Collaboration ▫  Requires risk management ▫  Iron sharpens Iron ▫  Repeatable processes and procedures are non-negotiable; they are imperative •  Innovative technological solutions coupled with innovative comprehensive approaches ▫  Metrics employed to practical, risk based information security   What gets measured gets results management imperative   Aids in establishing the known from the unknown while demonstrating ▫  Are there technologies which can aid us progression or regression in achieving these goals?   Our assertion is that in doing so an   Yes organization can quickly identify areas where vulnerabilities and ▫  Are they already in our environments? deficiencies exist which leave them   Perhaps, but odds are they are not exposed to potential exploitation of people, process and technology but will be or should be considered in the near future

Gods of War: Blended Attacks Cassandra Security Analysis of the Security Industry and that it influences

Cassandra Security Analysis of the Security Industry and that it influences Gods of War: Blended Attacks •  ZeuS (also known as Zbot / •  Crimeware kit which is best WSNPoem known for its tenacity, intelligent design and ability to steal credentials (in a voluminous manner), from a truly impressive, disparate base of sources including but not limited to the following: ▫  Social Networks (Facebook, Twitter, MySpace, Linkedin, Foursquare, Yelp etc.) ▫  Online financial accounts (Banking, Brokerage, Retirement etc.) ▫  FTP accounts (yes people still use unsecured ftp accounts…) ▫  E-Mail accounts (Phishing / Spear Phishing) ▫  Cloud Computing Based Environments (Amazon EC2)

Cassandra Security Analysis of the Security Industry and that it influences Gods of War: Blended Attacks •  ZeuS’ DNA ▫  Crimeware Kit which contains the following •  ZeuS Botnet Features: modules ▫  Framework design   A web interface for administering and   Unintelligent program which hooks itsef into managing the botnet (ZeuS Admin Panel) the Operating System (need to verify if it is hooking at ring 3 or 0) and hides itself   A customized tool used in the creation of the Trojan binaries and in encrypting the   All logic for the botnet itself is contained within configuration file (commonly referred to as an the configuration file executable generator)   The configuration file for ZeuS / Zbot acts like a definitions database for AV products; without ▫  ZeuS Hosts this the bot is fairly benign   Typically Consist of Three Components   Often times lists of targets (financial   A configuration file (most commonly associated institutions for example) are contained within file name extension is *.bin) it in addition to other data such as urls for   A binary file which contains the newest version other components the bot relies upon for of the ZeuS Trojan code (updated periodically command & control purposes, the lists of by the Bot Master to ensure highest degree of information gathered from targets to populate functionality and feature use / availability) fields which the bot completes in order to steal   A dropzone (most commonly seen as a php file details / credentials and other information used for storage)   The configuration file is always ciphered; it’s never found in clear ▫  The older versions of ZeuS used a hard- coded cipher which could be reverse engineered however the current versions use a more sophisticated level of cryptovirology (using unique keys for encrypting the config file, the key is then stored in the executable – which is also ‘packed’); this eliminates the potential for deciphering all botted hosts universally ▫  The key is 256 bytes long making it a non- trivial task for brute forcing Courtesy of abuse.ch ZeuS Tracker

Cassandra Security Analysis of the Security Industry and that it influences Gods of War: Blended Attacks   Credentials Capturing   Integrated SOCKS-Proxy   HTTP   Web based form for   HTTPS searching captured   FTP credentials   POP3   Ciphered configuration   Botnets Protected Storage files Area (PSTORE)   Kill Operating System   Organize / Assemble / Functions (becoming Group infected hosts into more common in botnets different botnets for: the world over)   Ease of use   Well QA’d   Flexibility   Exhaustively tested before   Meeting customer needs release

Cassandra Security Analysis of the Security Industry and that it influences CryptoVirology •  What is cryptovirology? ▫  A wonderful question with a myriad of plausible responses ▫  What cryptovirology is not is obvious, common, trivial or new ▫  Cryptovirology as a discipline has a lineage dating back to the mid to late 1990s something that seems to be (along with other things in our industry as of late), often over looked

Cassandra Security Analysis of the Security Industry and that it influences CryptoVirology: •  The earliest observed instances •  An attack by any other name where crypto viral attacks were would smell as sweet… utilized have become known as ▫  The intent and logical outcomes ‘cryptoviral extortion’. are the same: via a virus, worm, •  AKA ‘cryptoviral ransom’ Trojan etc a victim’s files (whether discriminately chosen attacks however or not so), are identified and encrypted with the file owner being notified that should she wish to receive them back intact, she must first make payment to the author of the malicious code in question in order to receive the proper session key. ▫  If payment is not brought forward the author / attacker may make a variety of threats / claims as to what he / she will do with the files to and including destruction.

Cassandra Security Analysis of the Security Industry and that it influences CryptoVirology •  There are many examples of •  Historical Examples Include Are malicious code and contact which Not Limited To the Following: use questionable encryption ▫  ZeuS schemes however the distinction ▫  Blazebot which must be made and taken ▫  Storm / Waldec note of is the purpose for which it is used today versus the past •  In the past, cryptography was used by malicious code and content authors to solely avoid detection by mitigation solutions such as Anti-Virus. In these scenarios the payload was not ciphered and thusly not considered ‘ransomware’. Today, the world has changed and as such payloads are ciphered and subsequently the game has changed.

Cassandra Security Analysis of the Security Industry and that it influences CrimeWare as a Service (CaaS): Service with a Smile •  Globalization  The World •  As a result a myriad of Is Flat! (Friedman) service offerings and ▫  Leveled the playing for some providers have emerged the ▫  Introduced the game and world over ready, willing, built the field for others and able to meet your needs ▫  Torn the game asunder better than their rendering it forever changed competitors while offering for still others you maximum RO ▫  Ensured that the free hand of ▫  Hacking as a Service (HaaS) the open market is allowed to ▫  Fraud as a Service (FaaS) move freely for all including criminals ▫  DDoSing as a Service ▫  Spamming as a Service ▫  Spear phishing as a Service ▫  Designer / Custom Malware Creation as a Service

28 Cassandra Security Analysis of the Security Industry and that it influences Key Point’s ▫  Known Current Solutions Not Good Enough ▫  Advanced Persistent Threats Will Become Pervasive ▫  Subversive Multi-Vector Threats Will Eclipse APTs ▫  Cryptovirology Is Alive and Well ▫  Inaction Equals To Acceptance

Advanced Persistent Threats (Shining the Light on the Industries' Best Kept Secret) - Will Gragido and John Pirc

by Security B-Sides

Accessibility

Categories

Upload Details

Usage Rights

1 Embed 9

Statistics

Advanced Persistent Threats (Shining the Light on the Industries’ Best Kept Secret) - Will Gragido and John Pirc Presentation Transcript