The Advanced Threat Life Cycle

Advanced threats are a growing concern in the security industry because they differ from other hacking activity by targeting a specific organization for a specific objective, often extremely high pay-off data. While no two advanced threats are the same, most follow a common lifecycle. This presentation walks through each stage of an advanced threat lifecycle as evidenced by the log data trail left behind. It then outlines a defense-in-depth strategy designed to detect, alert on and respond to the earliest indicators of an advanced threat against your network.

Speaker: Greg Foss, Senior Security Research Engineer, LogRhythm


The Advanced Threat Life Cycle

  1. Advanced Threat Lifecycles
     Greg Foss -- OSCP, GPEN, GWAPT, GCIH, CEH
     Senior Security Research Engineer, LogRhythm Labs - Threat Intelligence Team
     (Company Confidential)
  2. What are ‘Advanced Threats’?
     • Advanced Persistent Threats
       • Able to develop and/or leverage sophisticated techniques in pursuit of their target objective, from reconnaissance to data exfiltration.
       • Will leverage the full spectrum of attack vectors – social, technical, physical, etc.
       • Highly organized, highly motivated, highly resourced.
       • Willing to invest significant time and resources to compromise.
     • Organized Cyber Crime
       • Operate through anonymity; utilize the ‘darknet’ and Tor to share information and communicate.
       • Purchase malware and/or access to systems to facilitate the theft of funds in the form of credit cards, Social Security numbers, Bitcoins, and anything else of monetary value.
       • Extremely resourceful and able to leverage unique attack vectors to compromise merchant networks and exfiltrate valuable data.
  3. • Mission Oriented
     • Persistent and Driven
     • Patient and Methodical
     • Focus on exponential ROI
     • Emphasis on high Intellectual Property Value Targets
     • They will get in… It’s when, not if…
  4. How are they getting in?
     • Phishing
       • 91% of ‘advanced’ attacks begin with a phishing email
         • attacks-start-with-a-spearphishing-email/
       • “Breaches, malware to cost $491 billion in 2014”
         • billion-in-2014-study-says/article/339167/
  6. Client-Side Exploits – Discovered Daily
  7. Heartbleed…
     • “[…] there have been real-world reports of sophisticated attackers bypassing two-factor authentication in OpenSSL-based VPNs in order to gain access to corporate networks by stealing Session IDs using the Heartbleed vulnerability.”
       – Tom Cross, Director of Security Research, Lancope
       • is-changing-security-06.html
  8. Defense in Depth
  9. Spear Phishing
  10. Spear Phishing Attack -- Log Traces
  11. What happens once they get in?
      • Maintain Access…
  12. Then?
      • *Nothing…
      • For a long time…
  13. Attackers Go Unnoticed…
  14. Beaconing
      • Once infected, the beachhead will beacon periodically
  15. Behavioral Analytics
      • Beaconing activity – usually initiated over port 443, or as an encrypted tunnel over port 80.
      • Can be detected with a web proxy capable of decrypting SSL traffic.
      • Behavioral analytics can be utilized to differentiate normal browsing activity from possible evidence of an infected host.
      • Using a SIEM, track the unique websites usually visited, and the overall volume of normal web activity, on a per-user and per-host basis.
      • Watch for changes within a short period of time.
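An added example of the per-host behavioral check described on this slide, not code from the deck or from LogRhythm: it parses constructed web-proxy log lines, keeps only domains outside each host's learned baseline, and flags host/domain pairs whose requests recur at a near-constant interval (low jitter), which is how a beacon differs from bursty human browsing. Host names, domains, timestamps and thresholds are constructed for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed web-proxy log lines (not from the deck): "<time> <host> <domain> <bytes>"
SAMPLE_PROXY_LOG = """\
2014-06-01T09:00:00 ws-017 cdn.example-news.test 5120
2014-06-01T09:00:07 ws-017 mail.example-corp.test 2048
2014-06-01T09:05:00 ws-017 update-check.example-c2.test 310
2014-06-01T09:10:02 ws-017 update-check.example-c2.test 305
2014-06-01T09:14:58 ws-017 update-check.example-c2.test 312
2014-06-01T09:20:01 ws-017 update-check.example-c2.test 308
2014-06-01T09:21:13 ws-017 cdn.example-news.test 9800
2014-06-01T09:25:00 ws-017 update-check.example-c2.test 311
2014-06-01T09:03:44 ws-042 mail.example-corp.test 1800
2014-06-01T09:31:20 ws-042 mail.example-corp.test 2200
2014-06-01T09:52:05 ws-042 mail.example-corp.test 1900
"""

# Per-host set of domains normally visited, as a SIEM would learn it over time
# (the slide's "unique websites usually visited"); constructed for this example.
BASELINE = {"ws-017": {"cdn.example-news.test", "mail.example-corp.test"},
            "ws-042": {"mail.example-corp.test"}}

def parse_proxy_log(text):
    events = []
    for line in text.splitlines():
        ts, host, domain, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), host, domain, int(nbytes)))
    return events

def beacon_candidates(events, baseline, min_hits=4, max_cv=0.05):
    """Return {(host, domain): period_seconds} for host/domain pairs outside the
    host's baseline whose requests recur at a near-constant interval. Human
    browsing is bursty (high jitter); a beacon's inter-request jitter is small."""
    by_pair = defaultdict(list)
    for ts, host, domain, _ in events:
        by_pair[(host, domain)].append(ts)
    found = {}
    for (host, domain), stamps in by_pair.items():
        if len(stamps) < min_hits or domain in baseline.get(host, set()):
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / period if period else 1.0  # coefficient of variation
        if jitter <= max_cv:
            found[(host, domain)] = round(period)
    return found
```

Real beacons add random sleep jitter, so tune `max_cv` against your own proxy data rather than trusting the constructed 5% here.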
  16. Reconnaissance & Service Enumeration
      • Host Discovery
      • Ping sweeps
      • Sweep for specific services / scan single hosts
      • Slowly, attempting to avoid unnecessary attention…
      • Accessing network shares, web apps, and services
  17. Reconnaissance Log Traces
      • Internal reconnaissance looks very similar to activities seen on the perimeter…
      • Port scans / sweeps
      • ‘Odd traffic’ and honeypot file access
      • Modification of user and/or file and/or group permissions
      • VPN logins / attempts from disparate geographical locations
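An added example (not from the deck) for slides 16 and 17: it reads constructed internal firewall/flow log lines and reports sources that reached many distinct hosts (a sweep) or many distinct ports (a scan) within a long window. The long window with a low count threshold is what surfaces the slow, patient probing slide 16 describes; addresses, timestamps and thresholds are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed firewall/flow log lines (not real data): "<time> <src> <dst> <dport>"
SAMPLE_FLOW_LOG = """\
2014-06-01T22:00:00 10.0.5.23 10.0.1.1 445
2014-06-01T22:06:10 10.0.5.23 10.0.1.2 445
2014-06-01T22:12:30 10.0.5.23 10.0.1.3 445
2014-06-01T22:18:05 10.0.5.23 10.0.1.4 445
2014-06-01T22:24:40 10.0.5.23 10.0.1.5 445
2014-06-01T22:31:00 10.0.5.23 10.0.1.6 445
2014-06-01T22:37:15 10.0.5.23 10.0.1.6 3389
2014-06-01T22:43:50 10.0.5.23 10.0.1.6 22
2014-06-01T09:02:00 10.0.5.40 10.0.1.2 445
2014-06-01T09:45:00 10.0.5.40 10.0.1.9 80
2014-06-01T10:10:00 10.0.5.40 10.0.1.2 445
"""

def parse_flow_log(text):
    rows = []
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return rows

def sweep_sources(rows, window_s=3600, min_hosts=5, min_ports=5):
    """Return {src: {"hosts": n, "ports": n}} for sources that reached at least
    min_hosts distinct destinations (horizontal sweep) or min_ports distinct
    ports (vertical scan) inside any window_s-second window. A one-hour window
    with a low threshold fires on probing spread out over minutes, which a
    per-second rate rule on a perimeter IDS would never see."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in rows:
        by_src[src].append((ts, dst, dport))
    flagged = {}
    for src, conns in by_src.items():
        conns.sort()
        max_hosts = max_ports = 0
        for i, (start, _, _) in enumerate(conns):
            window = [(d, p) for t, d, p in conns[i:] if (t - start).total_seconds() <= window_s]
            max_hosts = max(max_hosts, len({d for d, _ in window}))
            max_ports = max(max_ports, len({p for _, p in window}))
        if max_hosts >= min_hosts or max_ports >= min_ports:
            flagged[src] = {"hosts": max_hosts, "ports": max_ports}
    return flagged
```

Shrinking the window to five minutes makes the same slow sweep vanish, which is the point of the slide's "slowly" bullet.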
  18. Lateral Movement
      • Dump system hashes
        • Maybe crack them, maybe they don’t need to…
      • Use Pass the Hash (PtH)
        • Now featuring Remote Desktop!
        • desktop/
      • Dump plain text password hashes
        • Mimikatz -- FTW!
      • Act as an internal employee -- use legitimate means to access resources.
  19. Lateral Movement Log Traces
      • Microsoft’s granular Event Identification schema (EVID), in conjunction with environment information, provides analysts with plenty of information to track attackers once they have breached the perimeter.
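An added example (not from the deck) of the kind of EVID-based rule this slide alludes to, tied to the pass-the-hash bullet on slide 18: it walks constructed Event ID 4624 (successful logon) records, keeps the NTLM network logons (LogonType 3) and flags an account plus source IP that lands on several distinct computers inside a short window. The field names are the ones the real 4624 event carries; the records, host names, account names and thresholds are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed Event ID 4624 (successful logon) records, not real logs. Fields in order:
# time, Computer (host where the logon landed), TargetUserName, LogonType,
# AuthenticationPackageName, IpAddress (source of the logon request).
EVENTS = [
    ("2014-06-02T14:00:05", "FS01",  "svc_backup", 3, "NTLM",     "10.0.5.23"),
    ("2014-06-02T14:01:40", "APP02", "svc_backup", 3, "NTLM",     "10.0.5.23"),
    ("2014-06-02T14:03:12", "DB01",  "svc_backup", 3, "NTLM",     "10.0.5.23"),
    ("2014-06-02T14:04:50", "DC01",  "svc_backup", 3, "NTLM",     "10.0.5.23"),
    ("2014-06-02T14:20:00", "FS01",  "jsmith",     3, "Kerberos", "10.0.5.40"),
    ("2014-06-02T14:22:30", "APP02", "jsmith",     3, "Kerberos", "10.0.5.40"),
    ("2014-06-02T15:10:00", "FS01",  "svc_backup", 3, "NTLM",     "10.0.5.23"),
    ("2014-06-02T16:00:00", "DB01",  "svc_backup", 3, "NTLM",     "10.0.5.23"),
]

def ntlm_fanout(events, window_s=600, min_hosts=3):
    """Flag (user, source IP) pairs that complete NTLM network logons (LogonType 3)
    to at least min_hosts distinct computers inside any window_s-second window.
    In a Kerberos domain this fan-out is a common trace of pass-the-hash; baseline
    the accounts that legitimately use NTLM (scanners, backup agents) before alerting."""
    by_actor = defaultdict(list)
    for ts, computer, user, ltype, pkg, ip in events:
        if ltype == 3 and pkg == "NTLM":
            by_actor[(user, ip)].append((datetime.fromisoformat(ts), computer))
    flagged = {}
    for actor, logons in by_actor.items():
        logons.sort()
        best = set()
        for i, (start, _) in enumerate(logons):
            reached = {c for t, c in logons[i:] if (t - start).total_seconds() <= window_s}
            if len(reached) > len(best):
                best = reached
        if len(best) >= min_hosts:
            flagged[actor] = sorted(best)
    return flagged
```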
  21. Passive Traffic Analysis
      • Analyze / capture anything that comes across the wire
  22. Identify Key Resources
      • Domain Controllers
      • Vulnerable Services
      • File Shares
      • Intellectual Property
      • Business Leaders – CEO, CIO, CFO, CMO, etc.
      • Administrative Assistants
  23. Data Exfiltration
      • Target data identified, gathered, and moved out of the environment.
      • Data is normally leaked in a ‘hidden’ or modified format; rarely is the actual document extracted.
      • Emails and employee PII
      • Intellectual Property
      • Trade Secrets
  24. Catch Data Exfiltration and File Access
      • Set granular restrictions on sensitive files and directories for specific groups or individuals; alert on any abnormal file access / read / write / etc.
      • ICMP tunneling
      • Non-SSL traffic over ports 443 / 8443; encrypted TCP over ports 80 / 8080
      • SCP / FTP(S) transfers to external hosts
      • Abnormal web server activity, newly created files, etc.
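An added example (not from the deck) implementing the network-side checks on this slide against constructed flow records: traffic on a TLS port that does not start with a TLS handshake record, high-entropy payloads on HTTP ports, oversized ICMP payloads, and SCP/FTP(S) ports to hosts outside an assumed RFC 1918 internal range. The payload bytes, addresses, port sets and thresholds are constructed assumptions; `BLOB` is a deterministic stand-in for encrypted data.

```python
import ipaddress
import math

# Assumed internal address space for the example (RFC 1918 only); adjust to your network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TLS_PORTS, HTTP_PORTS, XFER_PORTS = {443, 8443}, {80, 8080}, {21, 22, 990}

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def entropy(data):
    """Shannon entropy in bits per byte: ~8.0 for encrypted or compressed data, well under 6 for HTTP text."""
    if not data:
        return 0.0
    counts = [data.count(b) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)

def looks_like_tls(payload):
    # A TLS record starts with content type 0x16 (handshake) and version major byte 0x03.
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03

def exfil_findings(flow):
    """Return the slide's indicators matched by one flow record (first payload bytes included)."""
    hits, p, ext = [], flow["payload"], is_external(flow["dst"])
    if flow["proto"] == "icmp" and len(p) > 64:
        hits.append("icmp-oversized-payload")  # stock pings carry 32-56 bytes; tunnels carry far more
    if flow["proto"] == "tcp":
        if flow["dport"] in TLS_PORTS and not looks_like_tls(p):
            hits.append("non-tls-on-tls-port")
        if flow["dport"] in HTTP_PORTS and entropy(p) > 6.0:
            hits.append("encrypted-on-http-port")
        if flow["dport"] in XFER_PORTS and ext:
            hits.append("scp-ftp-to-external-host")
    return hits

# Constructed flow records, not captured traffic; BLOB cycles through all 256 byte values (entropy 8.0).
BLOB = bytes((i * 167 + 13) % 256 for i in range(1024))
FLOWS = [
    {"proto": "tcp", "dst": "203.0.113.5", "dport": 443, "payload": b"\x16\x03\x01\x00\xa5\x01\x00"},
    {"proto": "tcp", "dst": "203.0.113.5", "dport": 443, "payload": BLOB},
    {"proto": "tcp", "dst": "203.0.113.9", "dport": 80, "payload": b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"},
    {"proto": "tcp", "dst": "203.0.113.9", "dport": 80, "payload": BLOB},
    {"proto": "icmp", "dst": "203.0.113.7", "dport": None, "payload": BLOB[:900]},
    {"proto": "tcp", "dst": "10.0.3.8", "dport": 22, "payload": b"SSH-2.0-OpenSSH_6.6\r\n"},
    {"proto": "tcp", "dst": "203.0.113.12", "dport": 22, "payload": b"SSH-2.0-OpenSSH_6.6\r\n"},
]

def flagged_flows(flows=FLOWS):
    return [(i, exfil_findings(f)) for i, f in enumerate(flows) if exfil_findings(f)]
```

The entropy test needs the first kilobyte or so of payload, so it belongs on a sensor that sees packets, not on NetFlow alone.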
  25. Lateral Movement – Attack Detection [ demo ]
  26. Closing Thoughts
      • Don’t be hard on the outside, soft and chewy on the inside… Monitor internal activity, closely.
      • Implement Layer 3 (network) segmentation and least user privilege.
      • Understand your environment and log data.
      • Actively alert on and respond to lateral movement and reconnaissance observed within your environment.
      • The earlier you can detect attackers, the better…
      • They will get in… How will you react?
  27. SIEM 2.0 | See what you’re missing