Advanced Persistent Threats– Coming to a Network Near You - Barry Hensley Director, Counter Threat Unit and Jeff Schilling Director, Security & Risk Consulting

Published in: Technology

  • Notes
  • There has been a lot of press coverage over the last couple of years on an apparent uptick in activity by the Advanced Persistent Threat, or APT, in cyberspace. Shown on the right side of this slide are companies that received a great deal of that press coverage. When you really unpack what happened in these incidents, one thing you see is a trend: the persistent threat did not necessarily use any advanced techniques or zero-day vulnerabilities to gain access to these companies. It is not that these actors didn't have the capability to leverage advanced techniques or zero-day exploits; they didn't have to. As I like to say, you don't break a window when the front door is open. Those of us in the network security business have for the most part dropped the "advanced" in APT and use the more appropriate, descriptive term Targeted Persistent Threat. The point is, an APT is not a what but a who: a human behind the keyboard who has an operational mission, intent and purpose to successfully compromise your network to steal intellectual property, use your network as a bridge to one of your partner networks, or in some limited cases destroy or alter data and network infrastructure to achieve an operational impact on your company's business objectives and bottom line. In order to achieve this effect, they conduct reconnaissance and social engineering to develop custom tools that are delivered to the right person in the right place in your organization, who will open that exploit in an email or go to a poisoned website and give them that initial foothold on your network.
    Next slide. Talking points:
    - Lots of hype around APT. It's not just hype; it's a real problem that many organizations face.
    - The most common perception people have is that cyber threats are Trojans, viruses, worms, exploits, etc.
    - APT isn't a malware problem, and it's not a vulnerability problem. APT isn't a "what" problem; APT is a "who" problem.
    - We are dealing with threat actors that are organized (give example), efficient (give example) and tenacious (give example).
  • This slide illustrates the complexity and wide-ranging nature of the infrastructure of the Targeted Persistent Threat actors. Not included in the data on the left are the cyber-criminal gangs and hacktivists who use commercially purchased tool suites and botnets. These numbers only include those threats that Dell SecureWorks assesses use targeted campaigns to gain access to their victims' networks. Most are nation-state sponsored, with a significant bench of operators, good technology and deep pockets. When you look at this data in its native format, such as event logs from intrusion detection systems, firewalls, Snort appliances and network flow data, it really does not give you the context or a picture of the complexity of the problem. You have to use a tool like the Dell SecureWorks Threat Intelligence Management System to draw the actual three-dimensional network that these actors use to conduct business. The observation is that these actors are sharing tools and command-and-control hop points even though they are geographically located in different areas around the globe. The picture on the right side of the slide is a significant magnification of a small portion of a threat network 3D model. Having been a chemistry major in my college days, the full picture of this diagram resembles something a chemist would build to understand a complex organic compound with irregular bonds, shapes and connectivity. But as you observe this picture from a high level, you also discover there are key nodes and hubs that are critical points in the threat network and in some cases help you get close to attribution.
  • This slide illustrates a common use case of an APT compromise and some of the innovative techniques they use to evade network defenses. In this generic scenario, the threat actor compromises the home system of an employee who sometimes works remotely from home using a thin client. The attacker then waits for the user to log into their thin client from home, captures the credentials and becomes an authorized user from his own exploited system. That is the persistent threat's ultimate goal: to become an insider threat. The actor can enumerate the network, find a SharePoint site or other file shares with intellectual property, and exploit them to steal data. Then, using the company's web mail, he stages the documents he wants to steal as attachments to emails in the "Drafts" folder of the Outlook web client inside the victim's network. Next, the actor uses another compromised system outside of the victim's network to open the web mail client and save the attachments from those drafts, thus evading the company's boundary defenses, mail guards and Data Loss Prevention systems. Next slide.
  • So, with a determined, persistent threat, how do you get ahead of them? If BOOM is the moment I discover I am compromised, what do I do left of Boom to reduce the risk of compromise and increase the likelihood of detection, and what do I do right of Boom, after I know I am compromised, to ensure I have detected all of the threat presence, limited their ability to move laterally across my network, eradicated it, and emplaced controls that will ensure I am not compromised using the same methods in the future? Most organizations suffer from insufficient visibility and insufficient countermeasures, which results in a target-rich environment for the advanced threat. Next slide.
    Four fundamental challenges that security leaders struggle with:
    - I don't know how I'm going to be attacked and what they're after (example of why that's important). Lack of visibility into what's happening outside my sphere of control.
    - I don't know if I've been compromised or not (example of that situation). Lack of visibility within my sphere of control.
    - I am unable to contain the threat before it gets to something important (example: once you engage the adversary, they know they've been found and adapt/execute procedures). Insufficient countermeasures to disrupt.
    - I can't get them out and keep them out (example: multiple persistence tools, can't find them all and close all doors at once). Insufficient countermeasures to remove and eradicate.
  • There are three major activities you must synchronize to combat the targeted threat. Remember, Risk = Threat + Vulnerabilities. You can't really solve for "x" in that equation, Risk, unless you define the threat. First, you must have an understanding of the threat against your organization. Remember, the APT is not a what but a who. The key things to know about your adversaries are their tactics and tradecraft, and how these define the indicators to look for in your network. Security operations is defined by your actions to protect against and detect persistent threat activity and disrupt the kill chain. Then incident response is your ability to respond to and recover from a breach or attack and return to normal operations.
    Other talking points:
    - Know: understand the tactics and tradecraft used by threat actors; define the indicators to look for that signify attack or presence.
    - Detect: collect and analyze telemetry from across your environment; proactively hunt for indicators on networks and hosts.
    - Disrupt: implement countermeasures to prevent tradecraft deployment; detect and limit lateral movement and exfiltration.
    - Eradicate: inspect hosts and networks for actor presence; remove all presence in a single sweep.
    Talking points:
    - Threat intelligence is vital to this entire process. The more you know about your adversary and their TTPs, the more focused and effective your defense can be.
    - The ongoing vigilance of a mature security operations function is essential. Gather and collect telemetry for indicators, and minimize the time it takes to realize you are being attacked.
    - Once the threat has been identified and an incident declared, engaging, disrupting and eradicating the threat requires professional IR experienced with APT. Once you've engaged the threat, there is no margin for error. It has to be done cleanly and efficiently.
  • In Dell SecureWorks, these three critical functions are executed across three groups in the company. First, the Counter Threat Unit, or CTU, is our intelligence group that is helping us answer those threat questions for our customers. Our 24x7 Managed Security Services are run out of our operations directorate and provide our customers the ability to protect against and detect threat activity. And lastly, my Incident Response practice is run out of our Security & Risk Consulting group. We are called in when a customer needs assistance in responding to and recovering from an APT incident. Together we provide an integrated approach to left- and right-of-Boom activities to help you combat threat activity on your network.
    Other talking points:
    - APT is an issue because there aren't many organizations that have the resources to successfully execute this strategy.
    - Security researchers are very scarce resources; setting up an advanced SOC capable of detecting APT isn't easy, and neither is staffing a SWAT team of IR pros.
    - But you don't have to do this on your own. Many organizations choose to partner with Dell for some or all of this. Why? Because we are experts at bringing to bear the intelligence, operations and response capabilities they need, when they need them.
  • The CTU is our elite cyber threat research team, focused on threat actors, their motives, tradecraft and countermeasures. The Dell SecureWorks CTU is comprised of top talent with experience from CERT, national labs, US CYBERCOM, DoD, the intelligence community and others. They are widely respected in the security community and sought after for their insight into the threat landscape. This elite team has accumulated a rich database of attack data spanning thousands of organizations and more than a decade, with visibility across 35B+ events every day and tens of thousands of malware samples every day. As described on an earlier slide, the CTU has a world-class intelligence platform and tools that they use to systematically anticipate threats and develop countermeasures to disrupt the kill chain. We also have relationships across industries and with key law enforcement, including the National Cyber Forensic Training Alliance in Pittsburgh. Our approach to research is very different from how AV companies and others do security research. AV vendors are very focused on keeping pace with malware variants and writing AV signatures. IDS/IPS vendors are very focused on vulnerability research. These are necessary; they do a lot of good to help organizations protect against the deluge of broader and less sophisticated threats. We don't need to duplicate that effort. Instead, the CTU goes beyond that to understand who and how, and how to protect effectively against the methods being used by sophisticated actors to get by common security measures like AV and IPS.
    Talking points:
    - The CTU is our elite cyber threat research team, focused on threat actors, their motives, tradecraft and countermeasures.
    - Comprised of top talent from CERT, national labs, US CYBERCOM, DoD, etc.
    - Widely respected in the security community, sought after for their insight into the threat landscape.
    - Rich database of attack data spanning thousands of organizations, more than a decade.
    - Visibility across 35B+ events every day, tens of thousands of malware samples every day.
    - World-class intelligence platform and tools that they use to systematically anticipate threats and develop countermeasures to disrupt the kill chain.
    - Relationships across industries and with key law enforcement (mention guys embedded in the Pittsburgh FBI group?).
    - This is very different from how AV companies and others do security research. AV vendors are very focused on keeping pace with malware variants and writing AV signatures. IDS/IPS vendors are very focused on vulnerability research.
    - These are necessary; they do a lot of good to help organizations protect against the deluge of broader and less sophisticated threats. We don't need to duplicate that effort.
    - Instead, the CTU goes beyond that to understand who and how, and how to protect effectively against the methods being used by sophisticated actors to get by common security measures like AV and IPS.
  • Much of that CTU research is then applied to protect customers through our Managed Security Services. As you can see on the right side, we have cyber-criminals and advanced threats in a constant attack mode worldwide. They are trying to inflict harm on our customers. Using our proprietary Counter Threat Platform, we collect and monitor security event data from the networks of thousands of customers, ranging from Fortune 10 corporations to community banks. We see more than 35 billion events every day coming into our platform. These 35 billion events are processed, correlated and analyzed, with potential security threats investigated by certified security analysts in our 7 Security Operations Centers located across the globe. When a real threat is identified that puts a customer at risk, we engage the customer and work with them to stop the threat. When a new threat we haven't seen before is found, the CTU rips it apart and develops proactive countermeasures. Those countermeasures are then pushed out to all of our customers to insulate them from the new threat. This has created a very powerful "ecosystem" that continuously learns and improves security for all of our customers to keep them protected 24x7 against emerging threats.
    Talking points:
    - Much of that research is then applied to protect customers through our Managed Security Services.
    - As you can see on the right side, we have cyber-criminals in a constant attack mode worldwide. They are trying to inflict harm on our clients.
    - Using our proprietary CTP platform, we collect and monitor security data from the networks of thousands of customers, ranging from Fortune 10 corporations to community banks. Again, we see more than 35B+ events every day coming into our platform.
    - That data is processed, correlated and analyzed, with potential security threats investigated by certified security analysts in our multiple Security Operations Centers.
    - When a real threat is identified that puts a customer at risk, we engage the customer and work with them to stop the threat. When a new threat we haven't seen before is found, the CTU rips it apart and develops proactive countermeasures. Those countermeasures are then pushed out to all of our customers to insulate them from the new threat.
    - This has created a very powerful "ecosystem" that continuously learns and improves security for all of our customers to keep them protected 24x7 against emerging threats.
  • As much as we would hope that we will knock down 100% of the threat with our 24x7 managed security services, no security solution is a silver bullet and you can't eliminate 100% of the risk. Remember, the "P" in APT is for Persistent. So after you have a BOOM, or discover you are compromised, how do you react? In our experience, a great many companies either have no incident response plan or have one on paper that has never been exercised or used and may not be appropriately scaled for the scope of the problem they may encounter with an APT. You should ask yourself a couple of questions. One, do I have a plan? Hopefully that is a yes. Two, do I have the right skillsets on my staff to quickly respond to an incident and quickly contain and eradicate the threat presence? I think the answer you will find to the second question is almost always no, unless you are really, really lucky. The forensic and malware analysis functions critical to an effective incident response are high-level and high-priced skills that require frequent use and exercise. Most organizations will not have enough incidents to achieve the experience level required to keep their responders proficient at their skills. As you can see from the slide, the typical life cycle of an incident response almost doubles when an organization does not have a plan in place to bring in the right talent to conduct a complex, advanced incident response. This problem is easily solved by having a retainer in place with a Managed Security Service provider, such as Dell SecureWorks, who not only conducts incident response but has the managed security services and threat intelligence context from our CTU to inform our incident response actions.
  • Now, let's talk about a real-world incident. The names have been changed to protect the innocent, but this is a great use case to study how to leverage the three critical activities when defending against an APT.
  • On this slide, we see what is a fairly common avenue of approach the threat uses. He gained initial access through a targeted spear-phishing email, enticing enough for the right person in the right position in this organization to click on and allow the threat to gain the initial breach. Once inside the network, the threat actor quickly escalated privileges to Domain Administrator access. The goal of an APT is to become an insider threat with domain-level credentials. The threat basically owned the network and moved laterally, almost effortlessly. The actors were only discovered when a domain administrator stumbled onto unusual administrator activity.
  • At this point, the company really had no real incident response plan and reached out for help to Dell SecureWorks. As you can see from the timeline, because this was a cold start, with no retainer in place, it took 3 days to get an Incident Response Consultant on the ground to start the response. About 6 days after the consultant arrived, the extent of the incident was enumerated, the environment was swept, and more systems were found with compromises.
  • The bad news for the customer: they had indicators of 4 different APT infections on their networks.
  • As part of the final report provided to the customer, on the left side are the root causes that allowed this company to become a victim. There were more problems, but these were the most troubling we found. The thing that bothers me most is how flat the networks are on which we end up doing our most complex incident responses. And I am talking about companies with billions of dollars in revenue, who lose billions of dollars in stolen intellectual property because they don't do the simplest of actions to protect themselves. In the end, there is a happy ending. The company let their security staff go find other opportunities, and they are now a happy customer in the Dell SecureWorks family. We would love to have the opportunity to assist security staffs before it gets to this point. In most cases, it is not that the security staff is incompetent or negligent; it is that no one is listening or there is a perception that security controls are too cumbersome and expensive.
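The web-mail "Drafts" staging technique described in the thin-client scenario above leaves a correlatable trace on the mail server even though nothing crosses the mail guard or DLP: attachments are added to a draft from an inside address, the same account later opens or downloads that draft from an outside address, and the message is never sent. The following hunt over web-mail audit records is an added example, not code from the presentation or from Dell SecureWorks; the log format, the internal address ranges and the action names are constructed assumptions, not a real Exchange/OWA schema.

```python
"""Hunt for web-mail "Drafts" staging: attachments added to a draft from inside
the network, then retrieved by the same account from an outside address and
never sent. Constructed OWA-style audit lines; not a real Exchange log schema."""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumption: the organization's internal address space; anything else is external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample: timestamp user client_ip action draft_id attachment_bytes
SAMPLE_LOG = """\
2011-06-29T09:02:11 jdoe 10.1.4.22 Logon - 0
2011-06-29T09:05:40 jdoe 10.1.4.22 SaveDraft D-1001 0
2011-06-29T09:06:02 jdoe 10.1.4.22 AttachFile D-1001 5242880
2011-06-29T09:06:30 jdoe 10.1.4.22 AttachFile D-1001 7340032
2011-06-29T09:30:15 jdoe 10.1.4.22 Logoff - 0
2011-06-29T10:15:00 asmith 10.2.7.9 SaveDraft D-2002 0
2011-06-29T10:15:30 asmith 10.2.7.9 AttachFile D-2002 102400
2011-06-29T10:16:00 asmith 10.2.7.9 SendMessage D-2002 0
2011-06-29T22:41:03 jdoe 203.0.113.45 Logon - 0
2011-06-29T22:41:50 jdoe 203.0.113.45 OpenDraft D-1001 0
2011-06-29T22:42:10 jdoe 203.0.113.45 DownloadAttachment D-1001 5242880
2011-06-29T22:42:33 jdoe 203.0.113.45 DownloadAttachment D-1001 7340032
2011-06-29T22:43:00 jdoe 203.0.113.45 DeleteDraft D-1001 0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")
RETRIEVAL_ACTIONS = {"OpenDraft", "DownloadAttachment"}


def parse_log(text):
    """Parse audit lines into dicts, oldest first; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, ip, action, draft, size = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip_address(ip), "action": action,
                       "draft": draft, "bytes": int(size)})
    return sorted(events, key=lambda e: e["ts"])


def is_internal(ip, nets=INTERNAL_NETS):
    return any(ip in net for net in nets)


def find_draft_staging(text, nets=INTERNAL_NETS, min_bytes=1_000_000):
    """One finding per draft that (1) had at least min_bytes attached from an
    internal address, (2) was then opened or downloaded from an external
    address, and (3) was never sent. A sent draft is ordinary outbound mail
    and is left to the mail guard and DLP."""
    by_draft = {}
    for e in parse_log(text):
        if e["draft"] != "-":
            by_draft.setdefault(e["draft"], []).append(e)

    findings = []
    for draft, evs in by_draft.items():
        staged = sum(e["bytes"] for e in evs
                     if e["action"] == "AttachFile" and is_internal(e["ip"], nets))
        if staged < min_bytes:
            continue
        if any(e["action"] == "SendMessage" for e in evs):
            continue
        external = [e for e in evs
                    if e["action"] in RETRIEVAL_ACTIONS and not is_internal(e["ip"], nets)]
        if not external:
            continue
        findings.append({
            "draft": draft,
            "user": evs[0]["user"],
            "staged_bytes": staged,
            "external_ips": sorted({str(e["ip"]) for e in external}),
            "first_external_access": external[0]["ts"].isoformat(),
            # The actor tidying up after himself is itself worth recording.
            "deleted_after": any(e["action"] == "DeleteDraft" for e in evs),
        })
    return findings


if __name__ == "__main__":
    for finding in find_draft_staging(SAMPLE_LOG):
        print(finding)
```

A remote worker who opens their own draft from home will also match, so in practice the external set should exclude the VPN and VDI egress ranges, and the finding is strongest when the outside address has never been seen for that account before. The same-day logon for the account from a new external address, visible in the sample, is the credential-capture half of the scenario and deserves its own alert.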
  • Transcript

    • 1. Advanced persistent threats – Coming to a network near you. Barry Hensley, Director, Counter Threat Unit
    • 2. Advanced persistent threats – Coming to a network near you. Jeff Schilling, Director, Security & Risk Consulting
    • 3. Advanced persistent threats. Your cash, intellectual property, access credentials, intelligence and access to your infrastructure are all on someone's wish list. Public breaches are the tip of the iceberg… A "who," not a "what":
      - Organized: specifically targeted because you have something they want
      - Efficient: will invest time and resources until they achieve the objective
      - Tenacious: can and will adapt until they win
    • 4. Scope of APT is bigger than you think… APT tracking:
      - ~14,500 command-and-control hostnames
      - ~800 hard-coded command-and-control IPs
      - ~900 actor-registered APT domain names
      - ~200 unique malware families (thousands of samples)
    • 5. APT methods are not limited. The victim's network access points were distributed across multiple sites and access mechanisms, including different VPN endpoints, Virtual Desktop Infrastructure (VDI) systems, the Outlook Web Access (OWA) interface, and several Microsoft SharePoint portals.
      - Compromised numerous domain admin accounts
      - Dozens of external IPs from different network address blocks and geographic locations associated with the attacker
      - Attackers deleted their tools and recovered credentials after use
      - Forensic review identified attacker presence over 180 days
    • 6. The struggle to defend. Most organizations fail to notice APT until long after compromise.
      - "I don't know if I am being targeted and how." (insufficient visibility)
      - "I can't stop the threat before it reaches my assets." (insufficient counter-measures)
      - "I don't know if I have been compromised." (insufficient visibility)
      - "I can't completely remove the threat's presence and access." (insufficient counter-measures)
      Insufficient visibility + insufficient counter-measures = ripe for breach. 37%
    • 7. Your best defense. Successful defense against advanced threats requires integrated threat intelligence, security operations and incident response. Each element fuels the others, maximizing your chance of thwarting the adversary.
      - Threat intelligence: know your adversaries and their methods
      - Security operations: detect threat activity earlier in the kill chain; disrupt the kill chain and stop the attack
      - Incident response: eradicate actor presence and remove the threat
    • 8. Dell provides your best defense. Know your adversaries, detect their activity, disrupt the kill chain and eradicate their presence with Dell's Advanced Threat Management solutions. Integrated solutions that deliver exceptional protection against advanced threats:
      1. Counter Threat Unit Intelligence Group
      2. 24x7 Managed Security Services
      3. Incident Response Services
    • 9. (1) Counter Threat Unit Intelligence Group: the relentless pursuit of attackers and tradecraft. [Chart: AV vendors and IPS vendors cover commodity, broad threats; the CTU covers targeted, advanced threats.] Elite cyber-intelligence experts provide:
      - Insight into who and how
      - "Over the horizon" threat anticipation
      - Countermeasures against emerging threats
    • 10. (2) 24x7 Managed Security Services. Global visibility: thousands of customers, 7 SOCs, 24x7x365. Counter Threat Platform: intelligence, data, flexibility, scalability. Detect and respond to threats; protect against emerging threats. Counter Threat Unit.
    • 11. (3) Incident response services. Timeline with no contract in place, under active attack throughout:
      - Day 0: breach detected
      - Day 2: IT staff tries to remediate
      - Day 4: seeks 3rd-party help
      - Day 6: engages Dell SecureWorks
      - Day 7: Incident Response contract in place
      - Day 7 + 2: boots on the ground
      - Day 7 + 3: entry point and scope confirmed
      - Day 7 + 5: malware analyzed, actor profiled
      - Day 7 + 6: malware and actor presence removed
      - Day 7 + 8: engagement reported and lessons learned; END
      Phases: assessment / forensic analysis (what was breached and how); root cause identification; containment (disrupt and contain the threat); data loss assessment; thoroughly eradicate and prevent re-entry; reporting.
    • 12. Codename "Wisconsin": real-world APT breach at a research institute.
    • 13. Wisconsin targeted and compromised.
      February: the attack begins
      - APT attacker launched two "spear-phishing" campaigns targeting "Wisconsin"
      February–September: Wisconsin is breached
      - Attacker gained access to Wisconsin's network
      - Established outbound communications
      - Expanded access, obtained privileged credentials
      - Installed persistence measures to strengthen foothold
      - Exfiltrated data
      September: Wisconsin sees the threat
      - Administrators first noticed odd activity
      - Domain Administrator account exhibited unusual behavior
    • 14. Wisconsin turns to Dell for help.
      October 14-17: Wisconsin reached out for help
      - Contacted Dell SecureWorks
      - Dell SecureWorks IR specialists arrive onsite and initiate response process
      - Initial assessment reveals A/V trigger for password dump tool on a host
      October 18-24: breach confirmed and assessed
      - Host forensics confirm infiltration and timeframes
      - Detected compromised accounts via event correlation
      - Swept environment for additional compromised systems
      - Conducted data loss assessment
      October 25: threat contained and removed
      - Isolated all compromised systems
      - Blocked related traffic at all network boundaries
      - Implemented intermediate countermeasures to detect and prevent re-entry
      - Infected machines cleaned and rebuilt
    • 15. Wisconsin gets the bad news. Four APT campaigns discovered in Wisconsin's network:
      Malicious Domain          | Date of Activity | Country of Origin
      ***.edu.Freshdns.org      | 16 June, 2011    | Vietnam
      211.***.***.76            | 29 June, 2011    | Korea
      ***.edu.Blankchair.com    | 29 June, 2011    | Hong Kong
      ***.edu.Bcvziy.com        | 29 June, 2011    | China
      Clear evidence of communication with malicious APT domains at least since June. ("Wisconsin" had no log data prior to June.)
    • 16. Wisconsin's lessons learned. Wisconsin's security management did not take the threat of APT seriously.
      Lacked even basic security controls:
      - No dual administrator accounts
      - No network-based intrusion detection or prevention systems
      - No log retention system
      - No security event monitoring and analysis
      - Poor segregation for sensitive systems
      Now on path to:
      - Customer brought in new security management
      - Working with Dell to implement proper controls and develop a good IR plan
    • 17. Please help Dell meet your needs by filling out the Session Evaluation Surveys. On paper: forms in room, turn in on the way out. On the Dell World app: select My Schedule, select the session to evaluate, select Surveys, select the survey title, then simply complete the survey.
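Slides 5, 13 and 14 describe the thread that ran through the "Wisconsin" case: domain administrator accounts were compromised, lateral movement was "almost effortless", the first sign was a Domain Administrator account "exhibiting unusual behavior", and the responders then "detected compromised accounts via event correlation". Slide 16's lesson, no dual administrator accounts, is what makes that correlation cheap: when privileged accounts are only ever used from a small admin tier, any interactive logon elsewhere is suspect. The hunt below is an added example, not code from the presentation or from Dell SecureWorks; the 4624-style record layout, the admin account names, the admin-host list, the thresholds and the sample records are all constructed assumptions.

```python
"""Event-correlation hunt for misused domain-administrator credentials.
Constructed Windows-4624-style logon records (time, account, logon type,
target host, source IP); not real event-log text."""
import re
from datetime import datetime, timedelta

# Assumptions: the privileged accounts to watch, and the only hosts on which
# they may log on interactively (jump hosts and domain controllers).
DOMAIN_ADMINS = {r"CORP\admin-jlee", r"CORP\admin-mpatel"}
ADMIN_HOSTS = {"JUMP01", "DC01", "DC02"}
INTERACTIVE_TYPES = {"2", "10"}   # console and RDP; type 3 is a network logon

# Constructed sample: timestamp account logon_type target_host source_ip
SAMPLE_LOGONS = r"""
2011-09-12T08:01:05 CORP\admin-jlee 10 JUMP01 10.0.0.5
2011-09-12T08:03:10 CORP\admin-jlee 3 FS01 10.0.0.5
2011-09-12T09:15:00 CORP\asmith 2 WS-ASMITH 10.2.7.9
2011-09-12T23:12:44 CORP\admin-jlee 10 WS-RECEPTION 10.4.9.77
2011-09-12T23:13:01 CORP\admin-jlee 3 FS01 10.4.9.77
2011-09-12T23:13:09 CORP\admin-jlee 3 FS02 10.4.9.77
2011-09-12T23:13:20 CORP\admin-jlee 3 SP01 10.4.9.77
2011-09-12T23:13:31 CORP\admin-jlee 3 DC01 10.4.9.77
2011-09-12T23:13:45 CORP\admin-jlee 3 HR-DB01 10.4.9.77
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+) (\S+)$")


def parse_logons(text):
    """Parse logon records oldest first; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, account, ltype, host, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "logon_type": ltype, "host": host, "src": src})
    return sorted(events, key=lambda e: e["ts"])


def hunt_admin_activity(text, admins=DOMAIN_ADMINS, admin_hosts=ADMIN_HOSTS,
                        window=timedelta(minutes=10), fanout=4):
    """Two correlations over privileged-account logons:
    1. an interactive logon by a domain admin to a host outside the admin tier;
    2. network logons from one admin account to `fanout` or more distinct hosts
       inside `window` (lateral movement fan-out)."""
    findings = []
    events = [e for e in parse_logons(text) if e["account"] in admins]

    for e in events:
        if e["logon_type"] in INTERACTIVE_TYPES and e["host"] not in admin_hosts:
            findings.append({"rule": "da_logon_non_admin_host", "account": e["account"],
                             "host": e["host"], "src": e["src"], "ts": e["ts"].isoformat()})

    by_account = {}
    for e in events:
        if e["logon_type"] == "3":
            by_account.setdefault(e["account"], []).append(e)
    for account, net in by_account.items():
        best = None   # report the densest burst once per account, not per event
        for i, start in enumerate(net):
            burst = [x for x in net[i:] if x["ts"] - start["ts"] <= window]
            hosts = {x["host"] for x in burst}
            if len(hosts) >= fanout and (best is None or len(hosts) > len(best["hosts"])):
                best = {"hosts": hosts, "start": start["ts"],
                        "srcs": {x["src"] for x in burst}}
        if best:
            findings.append({"rule": "da_fanout", "account": account,
                             "host_count": len(best["hosts"]), "hosts": sorted(best["hosts"]),
                             "srcs": sorted(best["srcs"]), "ts": best["start"].isoformat()})
    return findings


if __name__ == "__main__":
    for finding in hunt_admin_activity(SAMPLE_LOGONS):
        print(finding)
```

Both rules are only as good as the inputs slide 16 says were missing: domain-controller and member-server logon events have to be collected and retained long enough to cover the 180-day dwell time slide 5 reports, and the admin-host allowlist has to be real, which is exactly what separate day-to-day and administrative accounts buy you. Rule 1 on its own is close to noise-free in a tiered environment; rule 2 needs its threshold tuned against the organization's own patch and backup jobs, which also fan out from one account.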