Craig Searle BAE Systems Detica: APT – Myths & malware

Craig Searle, Operations Director (Australasia), BAE Systems Detica delivered this presentation at the 2013 Corporate Cyber Security Summit. The event examined cyber threats to Australia’s private sector and focussed on solutions and counter cyber-attacks. For more information about the event, please visit the conference website http://www.informa.com.au/cybersecurityconference

  1. APT – Myths & Malware
  2. WHY WE’RE HERE
     • LOTS OF HYSTERIA AROUND THE “APT THREAT”
     • HAS BECOME AN INTERNET BOOGEYMAN OF SORTS
     • SOMETIMES AN APT IS SIMPLY A HACKER TAKING ADVANTAGE OF YOUR POOR SECURITY PRACTICES
     • SOMETIMES AN APT IS SOMETHING MORE…
     STRICTLY CONFIDENTIAL
  3. AN APT BY ANY OTHER NAME?
  4. CYBERCRIME != CYBERWARFARE
     • Plenty of media coverage of the threat of Cyberwarfare
     • Very little actual Cyberwarfare actually going on though
       – Stuxnet in Iran
       – Estonia…but not really
       – Vitek Boden….Maroochydore
     • Despite that Cyberwarfare is seen as a credible and present threat
       – Akin to the ‘nuclear option’, a serious escalation in times of conflict
     • Where does that leave us?
       – Cyber Activism (Hacktivism)
       – Cybercrime
       – Good old fashioned espionage, either corporate or state sponsored
       – (Un)fortunately for us the line between these three has become increasingly blurred
  5. Cyber-criminals – Serving themselves; Cyber-activists – Serving the cause; Cyber-espionage – Serving the nation
  6. Recent examples: Cyber-activists
     © BAE SYSTEMS DETICA 2013
  7. Recent examples: Cyber-activists
     • 2011 June – News reports of ‘Syrian Electronic Army’ harassing dissidents on Facebook, spamming anti-government pages
     • 2011 September – Harvard.edu site hacked, defaced
     • 2012 January – Al-Jazeera blog hacked, defaced
     • 2012 April – LinkedIn Blog hacked, defaced
     • 2012 July – Twitter account of Al-Jazeera’s Stream programme hacked, messages posted criticising Al-Jazeera and The Guardian
     • 2013 March – Human Rights Watch site & Twitter account hacked. Multiple other Twitter accounts hacked, including BBC News and Deutsche Welle
     • 2013 April – Associated Press Twitter account hacked, false reports of attack on White House cause DOW Jones to temporarily crash. 11 Guardian Twitter accounts hacked
     • 2013 May – The Onion hacked
  8. State-of-the-nation: Cyber-espionage
     • NYT hacked after publishing article entitled: “Billions in Hidden Riches for Family of Chinese Leader”
     • WSJ: “It's a plain-old crime, undertaken by a government that fancies itself the world's next superpower but acts like a giant thievery corporation.”
  9. State-of-the-nation: Cyber-espionage
     • The US goes on the offensive:
     • Chinese hacking crew go quiet:
  10. State-of-the-nation: Cyber-espionage
     • Consistent communication and cipher routine:
     • “Detica researchers have obtained a copy of malware that has all the hallmarks of being crafted by this espionage group.”
     • Targeting US defence related conference:
     • Recently compiled sample:
  11. A DAY IN THE LIFE OF AN APT
     • APT is a business
     • Like any business they have working hours, customers, suppliers, partners and a fully functioning supply chain
     • Business is good, really good!
  12. A PROFESSIONAL APPROACH
  13. PORTALS
  14. PORTAL STRUCTURE
  15. PORTAL MANAGEMENT
  16. ENABLING SERVICES
  17. MALWARE AND MAYHEM
     :: Campaign dating back over 5 years
     :: Targeted government ministries, embassies, and technology companies
     :: Advanced code-base of over 100 distinct modules for stealing specific data
     :: Cyrillic language settings, and Russian words in the code
  18. “EVERYBODY’S WORKING FOR THE WEEKEND”
  19. Another Persistent Threat – Cyber-war on Korean Peninsula?
     “The computer networks of three broadcasters - KBS, MBC and YTN - and two banks, Shinhan and Nonghyup, froze at around 2pm local time. Shinhan said its ATMs, payment terminals and mobile banking in the South were affected. TV broadcasts were not affected.”
     Friday 15 March 2013 / Wednesday 20 March 2013
  20. THE 4CORNERS EFFECT – Characteristics and Prevalence
     “There are two types of CEO, those that know their systems are being hacked - and those that don’t”, Ian Livingstone, CEO of BT
     “There are now three certainties in life - there's death, there's taxes and there's a foreign intelligence service on your system”, MI5 Head of Cyber
     • Asymmetric – much easier to attack than defend
     • Anonymous – easy to hide or deny
     • Global – can attack anyone from anywhere
     • Trans-jurisdictional – location of incidents is not obvious
     • Large and complex – billions of people and webpages interacting
     • Dynamic – millions of bright people inventing new services or attacks
  21. THE 4CORNERS EFFECT
     • Increasing public accounts of industrial espionage using ‘cyber’ as an attack vector
     • APTs are exceedingly skillful at keeping a low profile
       – Not apparent you have a problem until it is too late
     • Increasing attacks on the supply chain due to:
       – Weaker links / softer targets than the end entity
       – Ability to achieve deeper and wider penetration
     Do any of your customers think that this is you? Which of your vendors/suppliers is this?
  22. ANOTHER WAY TO THINK OF APT
     • Consider APT to be a business, which they are
     • They have now evolved to become a hyper-aggressive competitor, always on the lookout to impinge upon your IP, your products/services and your brand
     • Now how would you counter that threat?
       – Changes board focus, has now become a business risk not an IT risk
     • You might consider additional control of your crown jewels
     • You would likely also want better notification of what your competitor is doing and where your IP is appearing
     • Also need the ability to respond effectively and efficiently in the event of a breach
  23. ORGANISATIONAL IMPERATIVES
     • Whatever the business, there is always a need to adapt in order to grow and build value
       – New customers
       – More online services
       – More personal data being collected and stored
       – New partners
       – New IP and markets
       – Mobilising and globalising delivery
       – More connectivity between systems
       – More sensitive commercial information
       – More partners, customers and clients
       – More mobile and flexible working
     …but the threats and possible impacts on business are continuously evolving…
  24. …but threats and impacts on business are constantly evolving…
     • Financial loss
     • Physical damage
     • Malicious insiders
     • Business disruption
     • Loss of competitive advantage
     • Vulnerable partners
     • Reputational damage
     • Economic damage
     • External threats
     • Endangering national security
     …and the attacks reported in the press are just the tip of the iceberg
  25. PLAN FOR RESILIENCE
     • Prepare – Understanding and managing risk and preparing for the risks we wish to mitigate
     • Protect – Protecting key information and systems from attack and reducing the impact of attacks
     • Monitor – Monitoring systems to detect and frustrate attackers
     • Respond – Managing the consequences of an attack to minimise its impact
  26. IN CLOSING
     • Hype
     • Know your enemy
     • A business problem
     • Plan for resilience
  27. QUESTIONS?
