1. Demystifying Advanced Persistent Threats:
Reversing the Course of a Perceived Asymmetric Cyber Battle
Rick Doten, CISSP, RKC
Chief Scientist
Lockheed Martin
Center for Cyber Security Innovation
INFORMATION SYSTEMS & GLOBAL SOLUTIONS
2. Cyber Security Is like…
Images courtesy PopCap; used with permission
3. Threat Characteristics:
Advanced Persistent Threat (continued)
Advanced Characteristics:
• Targeted at specific individuals and groups within an organization
• Using unreported exploits (zero day)
• Advanced, custom malware that isn’t detected by antivirus products
• Coordinated intrusions using a variety of vectors
• Intruder will adjust actions based on countermeasures
• Intruder will use least sophisticated exploits and techniques first and escalate only as required
Persistent Characteristics:
• Social Engineering is typically the first step to an intrusion: manipulating people to ensure access to the targets
• Intrusions lasting months or years
• Adversaries install multiple backdoors
• Adversaries know which information they are targeting
• Adversaries are patient and dedicated (or assigned) to their target
• Because there is a real person behind the actions, they will respond quickly to countermeasures
We Never Forget Who We’re Working For®
… and neither do the bad guys!
4. What APT is Not...
• Botnets, rogue antispyware, DoS and DDoS attacks
• Categorized by the techniques of intrusion, and not considering the people or motive
• Typically defined as:
  • Any intrusion not discovered by current security technology
  • Any intrusion that uses advanced techniques, such as zero day exploits
One reason for confusion:
Many Cyber Criminal teams are adopting (buying or bartering) APT-built
techniques because of their effectiveness.
5. APT campaigns are not about being the anomaly, but part of the normal:
• An APT campaign will take advantage of trust relationships
• An APT campaign is low and slow, as opposed to broad, aggressive, or obvious attempts
• An APT campaign is patient and will take the time needed to achieve its objectives
• An APT campaign will conceal actions by using legitimate accounts and protocols
• An APT campaign will utilize a current account and enumerate information with those privileges
• An APT campaign will attempt to create new accounts with administrative privilege
6. So, how is PvZ like APT campaigns?
Images courtesy PopCap; used with permission
7. The usual view: “To protect our infrastructure, we have to be right every step; the bad guys only have to be right once.”
Reversed: “To compromise our infrastructure, the bad guys have to be right every step; we only have to be right once.”
8. Cyber Threat Kill Chain
Reconnaissance
Weaponization
Delivery
Intrusion Exploit
Installation
Command and Control
Act on Objectives
9. Cyber Kill Chain Animation
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command & Control
7. Act on Objectives
• No matter where you block the sequence in the
chain, you stop the attack.
10. Threat-focused Risk Reduction
Risk = Target Value x Vulnerability x Threat
Breaking Threat down into Opportunity, Capability and Intent:
Risk = Target Value x Vulnerability x Opportunity x Capability x Intent
Our Objectives:
• Erode capability
• Increase Cost of Intrusion
• Understand intent
11. Same Technique works on these Guys!
Images courtesy PopCap; used with permission
12. Attack Vector Escalation
Then: Email spoofing | Parking lot entry vector | Fake sites that look real
Now: Man-in-the-Mailbox | Supply Chain | Compromised sites with embedded malware
13. Benefits of Framework
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command & Control
7. Act on Objectives
• Articulates Prioritization
• Articulates data collection requirements
14. Putting them Together
Courses of action (columns): Detect | Degrade | Deny | Disrupt | Deceive
Kill chain phases (rows): Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Act on Objectives
The phase-by-action matrix drives detection and mitigation measures
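The two ideas on the kill chain slides, that blocking any one phase stops the attack and that a phase-by-action matrix drives detection and mitigation, can be turned into a small coverage model. The following is an added example, not code from the original deck or from Lockheed Martin: the phase and action names follow the slides, the rule that only Deny and Disrupt stop a phase is an assumption of this model, and the sample controls are constructed for a hypothetical environment.

```python
"""Kill-chain course-of-action coverage model (added example, not from the deck).

Phase and action names follow the slides. The controls below are constructed
sample data for a hypothetical environment, and the choice of which actions
count as "blocking" is an assumption of this model, not a claim from the deck.
"""
from dataclasses import dataclass

PHASES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Act on Objectives",
]
ACTIONS = ["Detect", "Deny", "Disrupt", "Degrade", "Deceive"]
# Assumption: Deny and Disrupt prevent the adversary from completing a phase.
# Detect only tells you it happened; Degrade and Deceive slow or mislead.
BLOCKING = {"Deny", "Disrupt"}


@dataclass(frozen=True)
class Control:
    name: str    # defender's measure (constructed sample names below)
    phase: str   # one of PHASES
    action: str  # one of ACTIONS


def build_matrix(controls):
    """Map (phase, action) -> names of the controls occupying that cell."""
    matrix = {(p, a): [] for p in PHASES for a in ACTIONS}
    for c in controls:
        if c.phase not in PHASES or c.action not in ACTIONS:
            raise ValueError(f"control {c.name!r}: unknown phase or action")
        matrix[(c.phase, c.action)].append(c.name)
    return matrix


def run_intrusion(controls):
    """Walk the chain in order; return the phases the adversary completes.

    The walk stops at the first phase that holds a blocking control, so the
    list is shorter than PHASES unless nothing in the chain blocks.
    """
    completed = []
    for phase in PHASES:
        if any(c.phase == phase and c.action in BLOCKING for c in controls):
            break
        completed.append(phase)
    return completed


def reached_objectives(controls):
    """True when no phase blocked and the adversary acted on objectives."""
    return len(run_intrusion(controls)) == len(PHASES)


def earliest_detection(controls):
    """First phase with a Detect control, or None: how early you would know."""
    for phase in PHASES:
        if any(c.phase == phase and c.action == "Detect" for c in controls):
            return phase
    return None


def coverage_gaps(controls):
    """Phases that no control of any kind touches."""
    covered = {c.phase for c in controls}
    return [p for p in PHASES if p not in covered]


def render(matrix):
    """Plain-text view of the matrix: 'x' where a cell has a control."""
    rows = ["Phase".ljust(22) + "".join(a.ljust(10) for a in ACTIONS)]
    for p in PHASES:
        cells = ["x" if matrix[(p, a)] else "." for a in ACTIONS]
        rows.append(p.ljust(22) + "".join(c.ljust(10) for c in cells))
    return "\n".join(rows)


# Constructed sample controls for a hypothetical environment.
SAMPLE_CONTROLS = [
    Control("web analytics review", "Reconnaissance", "Detect"),
    Control("mail gateway attachment block", "Delivery", "Deny"),
    Control("host IDS alert", "Installation", "Detect"),
    Control("proxy egress deny-list", "Command and Control", "Deny"),
    Control("DLP on outbound traffic", "Act on Objectives", "Degrade"),
]

if __name__ == "__main__":
    print(render(build_matrix(SAMPLE_CONTROLS)))
    print("adversary completes:", run_intrusion(SAMPLE_CONTROLS))
    print("earliest detection:", earliest_detection(SAMPLE_CONTROLS))
    print("untouched phases:", coverage_gaps(SAMPLE_CONTROLS))
```

With the sample controls the chain is cut at Delivery, so the later Deny on Command and Control never has to act; removing the mail gateway control shows the chain running five phases deep before the proxy stops it. Empty rows in the rendered matrix are the data-collection and prioritization gaps the framework slide talks about.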
15. Which is not unlike…
Images courtesy PopCap; used with permission
16. Because in the end, you don’t want…
Images courtesy PopCap; used with permission
17. Questions?
18. Thank You!
Rick Doten, CISSP, RKC
Chief Scientist
Lockheed Martin
Center for Cyber Security Innovation
eric.a.doten@lmco.com