Apt confidential-top-lessons-learned-from-real-attacks

  • 498 views
Uploaded on

Advanced Persistent Threats, APT, Network Security,

Advanced Persistent Threats, APT, Network Security,

More in: News & Politics
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
498
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
19
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. IN THIS UNPRECEDENTED TIME OF CYBER ATTACKS, INFORMATION ABOUT ATTACKER METHODS IS DIFFICULT TO OBTAIN UNLESS YOU ARE THE VICTIM, AND THAT IS TOO LATE. ANALYSTS AT BIT9 HAVE FREQUENT OPPORTUNITIES TO INVESTIGATE INTRUSIONS AND WORK WITH CUSTOMERS TO EXAMINE THE MALWARE USED BY ATTACKERS. THIS PAPER DETAILS LESSONS LEARNED FROM EXTENSIVE INTERVIEWS WITH SECURITY ANALYSTS AT BIT9, BIT9 CUSTOMERS, AND OTHERS. A COMMON THREAD THAT EMERGED WAS THE DIFFICULTY OF PREVENTING THE DELIVERY OF APT MALWARE TO SYSTEMS OR OF QUICKLY DETECTING THE ATTACK ONCE THE MALWARE WAS ACTIVE. IN BETWEEN THOSE TWO EVENTS, HOWEVER, THERE IS A GOLDEN OPPORTUNITY TO STOP THE ATTACK IN ITS TRACKS BY LEVERAGING TRUST-BASED SECURITY TECHNOLOGY. Sponsored by APT Confidential: 14 Lessons Learned from Real Attacks
  • 2. © 2013 Bit9 Inc. and Monterey Technology Group, Inc. All rights reserved 1. YOU ARE UP AGAINST 3 TYPES OF ATTACKERS To appreciate the level of risk that all organizations face from cyber-attacks, you need to understand the three types of attackers, their motivations, and their methods. CRIMINAL ORGANIZATIONS Criminal organizations, often associated with Eastern Europe, can benefit from breaking into nearly any organization’s or individual’s network or system. Criminal organizations are primarily looking for information that can be used to steal money, the most obvious being credit card numbers, credentials to bank accounts, and personal identity information that can be used to open fraudulent credit accounts. But there are many other ways to profit via cyber- attacks. In today’s efficient cyber-crime marketplace, some criminals simply focus on penetrating networks and selling access to those networks to other criminals, who then use that access for their own purposes. Others specialize in building malware components. Nearly any person or organization can be victimized, and criminal organizations cast a wide net using spam and other broad methods. Generally, their efforts are less targeted than those of the other two types of attackers. But when presented with opportunities such as inside knowledge, criminals happily change tactics and launch focused attacks on a single organization or industry. Some industries, such as the financial sector, are responding by organizing security information-sharing initiatives. We are late to the race in this regard. Criminals have already built an efficient black market for malware, stolen credentials, bot networks, vulnerable systems, and information on possible targets. Information-sharing efforts are crucial to keeping up with advances by attackers. NATION STATES Nation states actively target organizations around the world for a host of economic, trade, defense, and political reasons. Nation states that are trying to control information about their regimes or treatment of their citizens target any organization that might have contacts to dissidents and opposition groups. This includes human rights groups as well as any non-governmental organizations (NGOs) or religious or aids organizations that such states perceive as threats. As shown by recent incidents at The New York Times, countries are willing to make relatively overt and aggressive attacks on news organizations in response to bad publicity and to discover reporter information sources. Attackers Criminal Hacktivist Nation State
  • 3. © 2013 Bit9 Inc. and Monterey Technology Group, Inc. All rights reserved Defense contractors are obvious targets and are well aware of this fact. But executives of other organizations are often surprised to learn that they have been targeted and why. Any organization that does business with certain nation states can expect to be targeted. The prevailing philosophy apparently holds that the more information one has about one’s business partners, the more effective one can be at the negotiating table. Any organization in an industry in which a nation state has economic interest is also a target. Many industries are included because countries such as China are trying to enter new markets or have a shortage in the many natural resources and materials necessary to sustain their growth. Nation states might try to steal technology even in mundane areas, such as rubber formulas for tires. Or they might look for business data to anticipate or influence market dynamics. In the final analysis, nearly any organization can come to the attention of a nation state that simply lacks an expectation of fair play and competition. HACKTIVISTS In this paper, the term hacktivists is used to identity groups that launch cyber-attacks against any organization of which they disapprove in relation to a cause, value, or conflict between groups. Again, organizations are frequently surprised when they provoke the ire of hacktivists. A corporation might terminate dealings with a controversial customer, seeking merely to avoid possible criminal charges or public relations fallout. The corporation might have no agenda other than abiding by its terms of service and making business decisions that management believes to be in the best interests of shareholders. Nevertheless, hacktivists might punish the company for not taking up their cause. In such an environment, there is no way to be perceived as neutral by all sides nor to avoid making at least one interest angry. At that point, you might become the target of denial of service (DoS) attacks, data-destruction efforts, or even attempts to steal your private information so as to post it on public websites, for no other reason than to punish you. Such nihilistic motivations create risks to information that would not otherwise be targeted by classic attacker types that are out for some type of traditional gain. 2. PARTNER ORGANIZATIONS CAN BE COLLATERAL DAMAGE Other organizations are being targeted—organizations that  Do not have the desired information  Are not involved in the targeted industry or activities Nation states, in particular, are patient and have long-term, strategic goals. Knowing that their ultimate target is already on its guard and has shored up its own defenses, many attackers target second- or third-level organizations that interact with the primary target, whether that is a government agency, defense contractor, human rights or aid organization, or corporation with economic value. An example of such a second-level organization is an ordinary company that provides maintenance supplies to the organization of interest.
  • 4. © 2013 Bit9 Inc. and Monterey Technology Group, Inc. All rights reserved Note the phrase “interact with” in the previous paragraph, an action that is more generic than “doing business with” in the commercial sense. Firms in the financial sector, for example, have been targeted through emails that were apparently sent from compromised PCs in state or municipal regulatory agencies. Attackers target second-level organizations with many possible goals—both technical and otherwise: 1. Exploit the list of contacts that the second-level organization has at the primary target. 2. Send spear-phishing emails that appear to be from a business partner or other trusted entity. 3. Gain access to the primary target’s network through trusted network links or remote access credentials. 4. Gain any possible information about the primary target. 5. Plant malware that will be picked up when individuals at the primary target access the website or extranet of the second-level organization. 3. YOU DON’T NEED NUCLEAR WARHEADS TO BE TARGETED Vendors of traditional security technologies point out that most of us aren’t running centrifuges for refining uranium or building strong authentication tokens that protect defense secrets. We are thus unlikely, they say, to be targeted by the types of malware that have grabbed headlines in the past couple years. But after this project, the author of this paper is convinced that those attacks are merely the tip of the iceberg made public. The quantity and variety of attackers and their widely differing goals and motivations is staggering. Combine that with the fact that you might be targeted even though you have no direct stake in their game (whatever it might be), other than a trusted relationship with someone who does. It is not an overstatement to say that any organization is a target and might already be compromised. 4. ALL IT TAKES IS ONE To establish a beachhead inside an organization, attackers need to compromise only one system. Ironically, this means that organizations must protect every system. Confidential discussions with victim organizations show that in the aftermath of an attack, victim organizations often identify a single unprotected system that enabled the attack to proceed to fruition. The same thing is borne out in public incidents such as the code-signing debacle at Adobe. That attack was blamed on a single server used to digitally sign certain applications; this code signing server was overlooked in terms of applying the corporate standard security configuration. Organizations must implement controls and processes to verify and re-verify that every system—even those that seem unimportant—are fully protected. Doing so requires a defense-in-depth mentality and brings into question the wisdom of overreliance on “compensating controls” to justify leaving some systems less protected. For instance, supposedly air-gapped networks have been compromised by flash memory and removable media. Other systems have been left unhardened because they are on a “trusted” network.
  • 5. © 2013 Bit9 Inc. and Monterey Technology Group, Inc. All rights reserved 5. APTS USE MANY METHODS TO ADVANCE ALONG THE KILL CHAIN Once an advanced persistent threat (APT) embeds on the initial system and activates, it becomes much more difficult to stop the attack because of the confounding array of methods it can use to spread. Here are just a few examples, ranging from the highly advanced to the painfully simple: 1. The malware named Flame posed as a proxy server and Windows Update site to intercept attempts by other network computers to obtain security patches. Flame subsequently tricked those computers into installing malware that was digitally signed to look like legitimate updates. 2. One victim organization reported that an APT spread by dropping an autorun file into a shared folder that was the root of a mapped drive. The file was automatically executed by users who accessed the file server. Thorough security configuration and attack-surface reduction can slow down embedded APTs, but there is no way to plug every hole through which they can spread. The key is to prevent untrusted software from executing in the first place. 6. YOUR EMPLOYEE HOME PCs ARE A THREAT Plenty of attention is paid to the mobile-security risks of bring your own device (BYOD) computing. However, the threat of employees' home PCs predates mobile devices and continues to be exploited by attackers. I discussed cases in which employees were specifically targeted via their social networking profile or simply fell victim to a broadcast attack and then compromised their employers through their remote access. This is a difficult vector to protect against, but organizations can take certain measures: 1. Limit remote access to trusted devices that are owned and controlled by the employer or through mobile- security technologies to which employees opt-in. 2. Provide remote access to information via web or remote desktop instead of VPN, and require one-time passwords. This limits, to some extent, the options and access that are available to an attacker with control of an employee’s home PC. 3. Use network access-protection technologies that quarantine and verify the health of systems before they are allowed to connect to the internal network. 7. YOU DON’T REALIZE HOW DIRTY YOUR PCS ARE Every organization that I spoke with at some point expressed surprise at how much software they found, after deploying application control technology, to be resident on their systems. This was even true for a firm with a mature governance program, centralized software distribution, and managed endpoints. After activating application-control technology, this organization “found all kinds of crazy stuff.” The lesson is that without hard technology controls, users will install software regardless of written policy. Uncontrolled software installation not only allows APTs to directly embed but also expands the attack surface through which they can initially infect an organization.
  • 6. © 2013 Bit9 Inc. and Monterey Technology Group, Inc. All rights reserved 8. SERVERS NEED ADVANCED THREAT PROTECTION TOO Initially, application control seems to be a user endpoint issue, based on the assumption that servers are less vulnerable because of two reasons:  The assumption that IT staff can be trusted not to install unneeded software and to refrain from dangerous activities such as browsing the web from servers.  Servers are on the protected internal network. And it’s true that sometimes attackers can realize their ultimate goal exclusively through using compromised end- user systems and normal network protocols to obtain desired information from relevant servers. But several successful attacks that I had the opportunity to discuss depended on the execution of malicious code on the server itself—not just pulling information from that server. Moreover, public-facing websites are being targeted by attackers but for different reasons than the rampant defacement in the 1990s. Preventing untrusted software from executing is the crucial second-level defense that can stop attacks from progressing past the initial exploitation of misconfigured systems and zero-day vulnerabilities. Also, in security audits I have repeatedly seen servers on which inappropriate or vulnerable and unnecessary software was installed. The lesson here is the same as in the previous point: Without hard technology controls, users will install software regardless of written policy – including IT staff. 9. NEW TARGETING METHOD: “WATERING HOLES” Spear phishing has been around for years and is still working well for attackers. But that hasn’t stopped them from developing new techniques for targeting users of targeted organizations. In Africa, predators lie in wait around watering holes, knowing that sooner or later prey will need to come and drink. Similarly, attackers have realized that employees at a given organization will come sooner or later visit certain predictable websites—the most obvious being the organization’s own website. Therefore, it becomes desirable to compromise a company’s website. This is true even when the server is owned by some hosting provider, has no connection to the company’s network, or has no confidential information on it. The goal is simply to plant an APT loader and wait for members of the website’s organization to browse by. The organization’s website is just one example of how watering holes can be used. Although that website might be under the control of the targeted organization, other potential watering holes (e.g., industry association websites) are not.
  • 7. © 2013 Bit9 Inc. and Monterey Technology Group, Inc. All rights reserved 10. TRUSTING PERSONAL EMAIL ACCOUNTS FOR BUSINESS IS DANGEROUS As users become aware of spear-phishing attacks, they are more careful about opening attachments or clicking on links in email messages. Attackers must trick users into thinking that an email message is safe. One way to do this is by taking advantage of the fact that many people use personal email accounts for business communication; for example, when their business email account is unavailable or inconvenient. How can this practice be exploited? Users might not be surprised to receive an email from a colleague’s personal email account. They might willingly open attachments or follow links, which is the first crucial step in getting an APT started. Through social networking sites, it’s easy to learn the names of workers and their colleagues. Even though personal email account passwords are often easy to guess, it isn't even necessary for attackers to compromise a user’s real account. Attackers simply open a new account at Yahoo, Gmail, or Hotmail, using an email address that is similar to the name of the person they want to spoof. Attackers have gone so far as to note that the employee is on vacation from her posts on FaceBook or Twitter and used that as an opportune time and plausible reason to email a business associate from the fake "personal" email account. 11. WANT TO GET HACKED? FOCUS TOO MUCH ON HIGH-VALUE TARGETS I’ve often heard chief information security officers (CISOs) talk about optimizing their defenses by concentrating on protecting “high-value targets”: servers with crucial information or executives with access to it. As logical as this might seem, it’s dangerous. Most of the intrusions that I examined both privately and in the news were largely successful because the attackers began with low-value targets and worked along a kill chain of progressively higher value assets. You obviously want to identity and protect your most valuable assets, but no employee or system is an island. Every element is vulnerable to neighboring elements. This lesson is similar to lesson #4. Today, you must do everything right. 12. APPLICATION CONTROL STOPS APTS; ANTIVIRUS DOESN’T Signature-based antivirus might protect you against undirected attacks that use a wide net of known methods. But signature-based antivirus is reactive and increasingly outpaced by today’s attackers. This is especially true with zero-day exploits. Software vendors sometimes seek to minimize the perceived risk of a new exploit by pointing out that it is not being widely exploited; rather, it is being used only in certain limited, targeted attacks. That is no comfort if your industry or organization is the one being targeted. Optimize Protect Everything bob@acme.com bob@gmail.combob@yahoo.com
  • 8. © 2013 Bit9 Inc. and Monterey Technology Group, Inc. All rights reserved Application control is more effective because it stops APTs because it employees a completely different method to prevent malware from executing. This method is proactive and affective against unknown malware, not just those attacks that have been identified. One interview in particular drove home the effectiveness of application control. A Bit9 customer commented that they see malware (caught by whitelisting) that isn’t detected by their antivirus solution for days or even weeks afterwards. 13. APPLICATION CONTROL IS INCOMPLETE WITHOUT RMI DEFENSE Originally, application control simply needed to prevent .exe files, DLLs, and other executable files from being executed by the operating system through normal application programming interfaces (APIs). Application control solutions could simply hook into those APIs, verify the executable’s provenance and integrity, and block it if necessary. In response, attackers developed new techniques to avoid dropping an executable file on the file system and loading it through normal means. One of the most effective is currently reflective memory attacks, which allow the attacker to inject malicious code into the memory of a trusted process and trigger its execution without any operations that give traditional application control or antivirus a chance to check the code. To counter this approach, application-control vendors, including Bit9, have developed techniques for detecting and terminating processes that are compromised by reflective memory injection. 14. APPLICATION CONTROL CAN BE SUCCESSFUL IN ANY ENVIRONMENT Early attempts at whitelisting technology gave application control a bad name because of these problems:  The arduous task of cataloging all legitimate software and building rules to allow each file to run  The unsustainable burden of keeping rules up to date as programs are patched and new software added  The backlash from users who are unable to get their work done due to applications that are blocked by incomplete rules  The ever-present problem of how to handle the innumerable exceptions that inevitably arise Those problems are solved by modern application-control solutions such as Bit9. Solutions come in the form of policy-based whitelisting, which includes grandfathered applications, phased implementation, extensive catalogs of known good software, support for digital signatures, and the concept of trusted updaters. One conversation that I had with a Bit9 customer proves that whitelisting can be successful in any environment with modern application control such as Bit9. This organization has a large software-development staff that generates tens of thousands of new files every week. The challenge of implementing whitelisting on developer PCs and other computers that run production copies of frequently updated, internally developed software would frighten many infosec professionals, leading to exceptions and a population of unprotected systems. This organization, however, carefully identified the compilers and developer tools that were used to generate executables. It created trusted updater rules that cause Bit9 to automatically trust new programs created and executed on developer systems. To allow the same programs to run on other systems, the organization worked with developers to ensure that their compilers were configured to digitally sign executables when built for release
  • 9. © 2013 Bit9 Inc. and Monterey Technology Group, Inc. All rights reserved to production. In this way, the company enjoys 100-percent coverage with application control and thus prevents untrusted software from executing on any system. Another Bit9 customer was sensitive to the fact it has a large population of knowledge workers and power users who need the ability to run many more tools than average users. To successfully implement whitelisting without alienating users or hurting productivity, this organization has implemented an internal “app store” in which it endeavors to provide approved, trusted tools for any job. Whenever a user comes to IT with a legitimate need for an application that isn’t yet available, IT doesn’t just vet the tool and grant that user an exception. Rather, IT publishes the tool through the app store to pre-empt the same process from occurring when the next user encounters the same need. Modern application control is effective and practical and stays out of the way of business. THE BIT9 TRUST-BASED SECURITY PLATFORM The Bit9 Security Platform is the only next-generation endpoint and server security solution that continuously monitors and records all activity on endpoints and servers and stops cyber threats that evade traditional security defenses. Bit9’s real-time sensor and recorder and cloud-based services provide actionable intelligence within days of implementation, and Bit9’s real- time enforcement engine delivers the most proactive and reliable form of endpoint and server security. This combination gives organizations immediate visibility to everything running on their endpoints and servers; real-time signature-less detection of and protection against advanced threats; and a recorded history of all endpoint and server activity for deep forensics. Security teams use Bit9’s integration with network security devices such as FireEye and Palo Alto Networks to accelerate incident response and ensure all files arriving on endpoints and servers are safe. Bit9 has stopped the most advanced attacks, including Flame, Gauss and the malware responsible for the RSA breach. 1,000 organizations worldwide – from 25 Fortune 100 companies to small businesses – use Bit9 to increase security, reduce operational costs and improve compliance. CORE TECHNOLOGIES TRUST At the core of the Bit9 solution is a policy-driven trust engine, in which you specify the software that you trust to run in your enterprise; everything else is suspect or denied by default. You define the software that you trust,
  • 10. © 2013 Bit9 Inc. and Monterey Technology Group, Inc. All rights reserved using a policy-based approach that includes trusted publishers, software-distribution systems, users, updaters, and more. You also can use the file trust ratings in the Bit9 Software Reputation Service to set thresholds if you allow users to download and install their own software. These trust policies drive the application-control and whitelisting engine in Bit9. This engine detects any untrusted software that enters your environment and protects you by stopping its execution. REAL-TIME SENSOR AND RECORDER After you place Bit9’s lightweight real-time sensor and recorder on every endpoint, server, and fixed-function device, you’ll have immediate visibility from a single console into the files, executions, devices, and crucial system resources on every machine. Bit9’s always-on sensor watches the arrival and (attempted) execution of files, memory violations, process behavior, registry settings, attached devices, file changes, and more. This sensor is the key to Bit9’s real-time detection, protection, and forensics. BIT9 CLOUD SERVICES Bit9′s cloud-based Software Reputation Service constantly crawls the Internet looking for software and calculates a trust rating for it, based on attributes such as its age, prevalence, publisher, source, results of antivirus scans, and more. Bit9 also uses threat-intelligence feeds, including one from a leading Internet research company’s malware hash registry, to identify malicious and suspicious files. You’ll have access to all this information through the cloud- based Bit9 Software Reputation Service, which contains billions of records and is the world’s most reliable source of software trust. Bit9’s Threat Indicator Service provides updates and additions to the Advanced Threat Indicators (ATI) that the Bit9 Security Platform uses to detect advanced threats and zero-day attacks. These ATIs detect advanced threats by using a completely different approach than signature-based blacklisting technology, which is inadequate in today’s environment. FOUR MAJOR CAPABILITIES VISIBILITY Know what’s running on every computer—right now. From a single console, Bit9 gives you immediate visibility—without any scanning or polling—into the files, executions, and crucial system resources on every machine that is protected by Bit9. This visibility increases your security posture by giving you the confidence that comes from knowing what has arrived and executed on every system in your company. DETECTION Use real-time detection of advanced threats and zero-day attacks. Bit9 detects advanced threats, zero-day attacks, and other malware that evades blacklisting and signature-based detection tools. Bit9’s trust-based approach combines real-time sensors, ATI, and the Bit9 Software Reputation
  • 11. © 2013 Bit9 Inc. and Monterey Technology Group, Inc. All rights reserved Service to immediately detect advanced threats and malware. No waiting for signature file updates. No testing and updating .dat files. Just immediate, proactive detection. PROTECTION Stop all untrusted software from executing. Bit9’s proactive, trust-based security solution enables you to define the software that you trust to run in your organization. Everything else is denied by default. This stops advanced threats and other forms of malware— including targeted, customized attacks that are unique to your organization. FORENSICS A full audit trail accelerates analysis and response. When you suspect a threat incident, Bit9 provides the information that you need to analyze, scope, contain, and remediate the problem. You can “go back in time” to see what happened, understand what is happening right now, isolate untrusted software, and determine the trust rating for any file. Methods for preventing malware from being delivered to endpoints are limited and will only be partially successful. Detecting APTs once they are operational on the network is equally problematic. But between those 2 events is a golden opportunity to leverage application whitelisting. Bit9 enables you to seize this opportunity and stop APTs in their tracks before they execute – without getting in the way of business.
  • 12. © 2013 Bit9 Inc. and Monterey Technology Group, Inc. All rights reserved ABOUT RANDY FRANKLIN SMITH Randy Franklin Smith is an internationally recognized expert on the security and control of Windows and Active Directory security who specializes in Windows and Active Directory security. Randy publishes www.UltimateWindowsSecurity.com and wrote The Windows Server 2008 Security Log Revealed – the only book devoted to the Windows security log. Randy is the creator of LOGbinder software, which makes cryptic application logs understandable and available to log-management and SIEM solutions. As a Certified Information Systems Auditor, Randy performs security reviews for clients ranging from small, privately held firms to Fortune 500 companies, national, and international organizations. Randy is also a Microsoft Security Most Valuable Professional. DISCLAIMER UltimateWindowsSecurity.com is operated by Monterey Technology Group, Inc. Monterey Technology Group, Inc. and Bit9 make no claim that use of this whitepaper will assure a successful outcome. Readers use all information within this document at their own risk.