The Advanced Threat Life Cycle
Advanced Threats are a growing concern in the security industry because they differentiate themselves from other types of hacking activities by targeting a specific organization for a specific target, often extremely high pay-off data. While no two advanced threats are the same, most follow a common lifecycle. This presentation will present each stage of an advanced threat lifecycle as evidenced by the log data trail left behind. The presentation will then outline a defense in depth strategy designed to detect, alert and respond to the earliest indicators of an advanced threat against your network.

Speaker: Greg Foss, Senior Security Research Engineer, LogRhythm

The Advanced Threat Life Cycle Presentation Transcript

  • 1. Company Confidential. Advanced Threat Lifecycles. Greg Foss (OSCP, GPEN, GWAPT, GCIH, CEH), Senior Security Research Engineer, LogRhythm Labs - Threat Intelligence Team
  • 2. What are ‘Advanced Threats’?
    • Advanced Persistent Threats
      • Able to develop and/or leverage sophisticated techniques in pursuit of their target objective, from reconnaissance to data exfiltration.
      • Will leverage the full spectrum of attack vectors – social, technical, physical, etc.
      • Highly organized, highly motivated, highly resourced.
      • Willing to invest significant time and resources to compromise.
    • Organized Cyber Crime
      • Operate through anonymity; utilize the ‘darknet’ and TOR to share information and communicate.
      • Purchase malware and/or access to systems to influence the theft of funds in the form of credit cards, Social Security Numbers, Bitcoins, and anything else of monetary value.
      • Extremely resourceful and able to leverage unique attack vectors to compromise merchant networks and exfiltrate valuable data.
  • 3.
    • Mission Oriented
    • Persistent and Driven
    • Patient and Methodical
    • Focus on exponential ROI
    • Emphasis on high Intellectual Property Value Targets
    • They will get in… It’s when, not if…
    Image: http://postfiles10.naver.net/20120823_137/ahranta1_1345681933371Je4vd_JPEG/Target.jpg
  • 4. How are they getting in?
    • Phishing
      • 91% of ‘advanced’ attacks begin with a phishing email
        http://www.infosecurity-magazine.com/view/29562/91-of-apt-attacks-start-with-a-spearphishing-email/
      • “Breaches, malware to cost $491 billion in 2014”
        http://www.scmagazine.com/breaches-malware-to-cost-491-billion-in-2014-study-says/article/339167/
  • 6. Client-Side Exploits – Discovered Daily
  • 7. Heartbleed…
    • “[…] there have been real-world reports of sophisticated attackers bypassing two-factor authentication in OpenSSL-based VPNs in order to gain access to corporate networks by stealing Session IDs using the Heartbleed vulnerability.”
      Tom Cross -- Director of Security Research, Lancope
      http://www.itbusinessedge.com/slideshows/how-heartbleed-is-changing-security-06.html
  • 8. Defense in Depth
  • 9. Spear Phishing
  • 10. Spear Phishing Attack -- Log Traces
  • 11. What happens once they get in?
    • Maintain Access…
    Image: http://www.netresec.com/images/back_door_open_300x200.png
  • 12. Then?
    • *Nothing…
    • For a long time…
  • 13. Attackers Go Unnoticed…
    Image created at: https://imgflip.com/
  • 14. Beaconing
    • Once infected, the beachhead will beacon periodically
  • 15. Behavioral Analytics
    • Beaconing activity is usually initiated over port 443 or an encrypted tunnel over port 80.
    • Can be detected with a Web Proxy capable of decrypting SSL traffic.
    • Behavioral analytics can be utilized to differentiate normal browsing activity from possible evidence of an infected host.
    • Using a SIEM, track the unique websites usually visited, and the overall volume of normal web activity, on a per-user and a per-host basis.
    • Watch for changes in a close period of time.
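The per-host baseline and timer-regularity checks this slide describes, as an added example in Python that is not from the presentation or from LogRhythm. The proxy log lines, host names, destinations and the baseline set are constructed; the 5-hit minimum and 0.15 jitter ratio are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
# Constructed proxy log lines: "<ISO timestamp> <host> <destination>".
# ws-017 calls 203.0.113.50 about once a minute; ws-042 browses normally.
SAMPLE_LOG = """\
2014-06-01T09:00:00 ws-017 intranet.example.local
2014-06-01T09:00:10 ws-017 203.0.113.50
2014-06-01T09:01:10 ws-017 203.0.113.50
2014-06-01T09:02:11 ws-017 203.0.113.50
2014-06-01T09:03:10 ws-017 203.0.113.50
2014-06-01T09:04:10 ws-017 203.0.113.50
2014-06-01T09:00:05 ws-042 intranet.example.local
2014-06-01T09:25:44 ws-042 mail.example.local
"""
# Constructed baseline: destinations each host was seen visiting last month.
USUAL = {"intranet.example.local", "cdn.example-news.com", "mail.example.local"}
BASELINE = {"ws-017": USUAL, "ws-042": USUAL}


def parse_log(text):
    """Yield (timestamp, host, destination) tuples from the proxy log."""
    for line in text.splitlines():
        ts, host, dest = line.split()
        yield datetime.fromisoformat(ts), host, dest


def find_beacons(text, min_hits=5, max_cv=0.15):
    """Return {(host, dest): mean gap in seconds} for timer-like call-outs."""
    # cv = stdev / mean of the gaps between consecutive connections: a timer
    # with small jitter gives cv near 0, human browsing gives cv well above 1.
    times = defaultdict(list)
    for ts, host, dest in parse_log(text):
        times[(host, dest)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[key] = round(avg)
    return beacons


def new_destinations(text, baseline):
    """Return {host: destinations} that are absent from that host's baseline."""
    unseen = defaultdict(set)
    for _, host, dest in parse_log(text):
        if dest not in baseline.get(host, set()):
            unseen[host].add(dest)
    return dict(unseen)
```

Both checks fire on ws-017 here: its call-outs to 203.0.113.50 arrive every 60 seconds with about a second of jitter, and that destination is absent from the host's baseline.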
  • 16. Reconnaissance & Service Enumeration
    • Host Discovery
    • Ping sweeps
    • Sweep for specific services / scan single hosts
    • Slowly, attempting to avoid unnecessary attention…
    • Accessing network shares, web apps, and services
    Image: http://macheads101.com/pages/pics/download_pics/mac/portscan.png
  • 17. Reconnaissance Log Traces
    • Internal reconnaissance looks very similar to activities seen on the perimeter…
    • Port Scans / Sweeps
    • ‘Odd Traffic’ and honeypot file access
    • Modification of user and/or file and/or group permissions
    • VPN logins / attempts from disparate geographical locations
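An added example (not from the presentation) for the sweep and "slowly, to avoid attention" points on slides 16 and 17: a per-source fan-out count over constructed internal firewall log lines, with the window made wide enough that a sweep paced at one host every 40 minutes still crosses the threshold. The log format, addresses, window and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed internal firewall log: "<ISO timestamp> <src> <dst> <dport> <action>".
# 10.1.1.50 touches port 445 on a new host every ~40 minutes (a slow sweep);
# 10.1.1.51 is a workstation talking to its usual file and web servers.
SAMPLE_LOG = """\
2014-06-01T08:00:00 10.1.1.50 10.1.2.10 445 deny
2014-06-01T08:40:00 10.1.1.50 10.1.2.11 445 deny
2014-06-01T09:20:00 10.1.1.50 10.1.2.12 445 deny
2014-06-01T10:00:00 10.1.1.50 10.1.2.13 445 allow
2014-06-01T10:40:00 10.1.1.50 10.1.2.14 445 deny
2014-06-01T11:20:00 10.1.1.50 10.1.2.15 445 deny
2014-06-01T08:05:00 10.1.1.51 10.1.2.10 445 allow
2014-06-01T09:15:00 10.1.1.51 10.1.2.20 80 allow
2014-06-01T10:30:00 10.1.1.51 10.1.2.10 445 allow
"""


def parse_log(text):
    """Yield (timestamp, src, dst, dport); allow and deny both count as a probe."""
    for line in text.splitlines():
        ts, src, dst, dport, _action = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport)


def fan_out(text, field="dst", window_seconds=4 * 3600, threshold=5):
    """Return {src: n} for sources touching >= threshold distinct values of
    `field` ("dst" = host sweep, "dport" = port scan of one box) inside any
    window of window_seconds. A minute-scale window misses a probe every 40
    minutes; a multi-hour window still catches it, at the cost of more state."""
    idx = {"dst": 1, "dport": 2}[field]
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        by_src[src].append((ts, dst, dport))
    found = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, start in enumerate(events):
            in_window = [e for e in events[i:]
                         if (e[0] - start[0]).total_seconds() <= window_seconds]
            best = max(best, len({e[idx] for e in in_window}))
        if best >= threshold:
            found[src] = best
    return found
```

The same data evaluated with a one-hour window produces no alert, which is exactly the gap a patient attacker is counting on.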
  • 18. Lateral Movement
    • Dump System Hashes
      • Maybe crack them, maybe they don’t need to…
    • Use Pass the Hash (PtH)
      • Now featuring Remote Desktop!
        http://www.kali.org/penetration-testing/passing-hash-remote-desktop/
    • Dump plain text password Hashes
      • Mimikatz -- FTW!
    • Act as an internal employee -- use legitimate means to access resources.
  • 19. Lateral Movement Log Traces
    • Microsoft’s granular Event Identification schema (EVID), in conjunction with environment information, provides analysts with plenty of information to track attackers once they have breached the perimeter.
  • 20. Source: https://twitter.com/markrussinovich/status/439788234587922432
  • 21. Passive Traffic Analysis
    • Analyze / capture anything that comes across the wire
    Image: http://media2.intoday.in/indiatoday/images/stories//2013december/cyber_security-650_122913095343.gif
  • 22. Identify Key Resources
    • Domain Controllers
    • Vulnerable Services
    • File Shares
    • Intellectual Property
    • Business Leaders – CEO, CIO, CFO, CMO, etc.
    • Administrative Assistants
    Image: http://www.mobilemarketingwatch.com/wordpress/wp-content/uploads/2011/07/Top-Secret-Tip-To-Pick-SMS-Keyword.jpeg
  • 23. Data Exfiltration
    • Target data identified, gathered, and moved out of the environment.
    • Data is normally leaked in a ‘hidden’ or modified format; rarely is the actual document extracted.
    • Emails and Employee PII
    • Intellectual Property
    • Trade Secrets
    Image: http://www.csee.umbc.edu/wp-content/uploads/2013/04/ex.jpg
  • 24. Catch Data Exfiltration and File Access
    • Set granular restrictions on sensitive files and directories to specific groups or individuals; alert on any abnormal file access / read / write / etc.
    • ICMP Tunneling
    • Non-SSL over ports 443 / 8443, encrypted TCP over ports 80 / 8080
    • SCP / FTP(S) transfers to external hosts
    • Abnormal web server activity, newly created files, etc.
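An added example, not from the presentation, of the protocol-versus-port mismatch checks on this slide: the first client bytes of each flow are classified as TLS (record type 0x16, version 0x03xx), HTTP (a method token) or high-entropy "looks encrypted", then compared with the destination port. The flows, addresses, the byte-value ramp standing in for ciphertext and the 7.0-bit entropy threshold are constructed assumptions.

```python
import math
from collections import Counter

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"OPTIONS ", b"DELETE ",
                b"PATCH ", b"CONNECT ", b"TRACE ")
TLS_PORTS = {443, 8443}   # ports where we expect to see a TLS handshake
WEB_PORTS = {80, 8080}    # ports where we expect cleartext HTTP


def is_tls_record(data):
    """TLS record header: type 0x16 (handshake), version 0x0300..0x0304."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04


def shannon_entropy(data):
    """Bits per byte; uniform random or encrypted data approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def classify_payload(data):
    """Label the first bytes of a flow as tls, http, encrypted or other."""
    if is_tls_record(data):
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "http"
    if len(data) >= 64 and shannon_entropy(data) > 7.0:
        return "encrypted"
    return "other"


def check_flow(src, dst, dport, first_bytes):
    """Return an alert string when the payload type does not fit the port, else None."""
    kind = classify_payload(first_bytes)
    if dport in TLS_PORTS and kind != "tls":
        return f"{src}->{dst}:{dport} non-TLS ({kind}) on a TLS port"
    if dport in WEB_PORTS and kind != "http":
        return f"{src}->{dst}:{dport} non-HTTP ({kind}) on a web port"
    return None


# Constructed flows: (src, dst, dport, first bytes seen from the client).
CIPHERTEXT_STANDIN = bytes(range(256))   # every byte value once: 8.0 bits of entropy
SAMPLE_FLOWS = [
    ("10.0.0.5", "198.51.100.7", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    ("10.0.0.5", "203.0.113.9", 443, b"PUT /upload HTTP/1.1\r\nHost: 203.0.113.9\r\n"),
    ("10.0.0.7", "203.0.113.20", 80, CIPHERTEXT_STANDIN),
    ("10.0.0.7", "198.51.100.8", 80, b"GET / HTTP/1.1\r\nHost: 198.51.100.8\r\n"),
]


def scan(flows):
    """Alerts for every flow whose payload type does not match its port."""
    return [a for a in (check_flow(*f) for f in flows) if a]
```

The second and third constructed flows raise alerts: cleartext HTTP on 443 and an opaque high-entropy stream on 80, the two patterns the slide lists.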
  • 25. Lateral Movement – Attack Detection [ demo ]
  • 26. Closing Thoughts
    • Don’t be hard on the outside, soft and chewy on the inside… Monitor internal activity, closely.
    • Implement Layer 3 (network) Segmentation and Least User Privilege.
    • Understand your environment and log data.
    • Actively alert on and respond to lateral movement and reconnaissance observed within your environment.
    • The earlier you can detect attackers the better…
    • They will get in… How will you react?
  • 27. SIEM 2.0 | See what you’re missing