CIS 166 Highline Community College February 2013
Advanced persistent threat (APT) usually refers to a group, such as a foreign government, with both the capability and the intent to persistently and effectively target a specific entity. The term is commonly used to refer to cyber threats, in particular that of Internet-enabled espionage using a variety of intelligence gathering techniques to access sensitive information, but applies equally to other threats such as that of traditional espionage or attack. Other recognized attack vectors include infected media, supply chain compromise, and social engineering. Individuals, such as an individual hacker, are not usually referred to as an APT as they rarely have the resources to be both advanced and persistent even if they are intent on gaining access to, or attacking, a specific targetSource: http://en.wikipedia.org/wiki/Advanced_persistent_threat
Bodmer, Kilger, Carpenter and Jones defined the following APT criteria: Objectives - The end goal of the threat, your adversary Timeliness - The time spent probing and accessing your system Resources - The level of knowledge and tools used in the event (skills and methods will weigh on this point) Risk tolerance - The extent the threat will go to remain undetected Skills and methods - The tools and techniques used throughout the event Actions - The precise actions of a threat or numerous threats Attack origination points - The number of points where the event originated Numbers involved in the attack - How many internal and external systems were involved in the event, and how many peoples systems have different influence/importance weights Knowledge source - The ability to discern any information regarding any of the specific threats through online information gathering (you might be surprised by what you can find by a little proactive)
Actors behind advanced persistent threats create a growing and changing risk to organizations financial assets, intellectual property, and reputation by following a continuous process: Target specific organizations for a singular objective Attempt to gain a foothold in the environment, common tactics include spear phishing emails. Use the compromised systems as access into the target network Deploy additional tools that help fulfill the attack objective Cover tracks to maintain access for future initiatives
Maltego Develop a method and standard to identify targets within an organization that we can social engineer Metasploit So we can write URL’s, PDF’s and other items to send to our target within an organization So we can “hack into a system” leaving behind a username and password for access later on ZenMap/NMAP So we can identify weak targets on a network
Initial compromise — performed by use of Social engineering (security) and spear phishing, over email, using zero-day viruses. Another popular infection method was planting malware on a website that the victim employees will be likely to visit. Establish Foothold — plant remote administration software in victims network, create network backdoors and tunnels allowing stealth access to its infrastructure. Escalate Privileges — use exploits and password cracking to acquire administrator privileges over victims computer and possibly expand it to Windows domain administrator accounts. Internal Reconnaissance — collect information on surrounding infrastructure, trust relationships, Windows domain structure. Move Laterally — expand control to other workstations, servers and infrastructure elements and perform data harvesting on them. Maintain Presence — ensure continued control over access channels and credentials acquired in previous steps. Complete Mission — exfiltrate stolen data from victims network.
Abuse and compromise of “trusted connections” is a key ingredient for many APTs. While the targeted organization may employ sophisticated technologies in order to prevent infection and compromise of their digital systems, criminal operators often tunnel in to an organization using the hijacked credentials of employees or business partners, or via less- secured remote offices. As such, almost any organization or remote site may fall victim to an APT and be utilized as a soft entry or information harvesting point. https://www.damballa.com/knowledge/advanced-persistent-threats.php
So when you find “awesome” Passwords Configurations Databases E-Mail The whole company can be yours, and often is
To take short cuts Not think that they could be a victim of social profiling or grooming To “Friday” their job (not pay attention) To forget “details” To get around “roadblocks”
APT sign No. 1: Increase in elevated log-ons late at night APTs rapidly escalate from compromising a single computer to taking over the whole environment. They do this by reading an authentication database, stealing credentials, and reusing them. They learn which user (or service) accounts have elevated privileges and permissions, then go through those accounts to compromise assets within the environment. Often, a high volume of elevated log-ons occur at night because the attackers live on the other side of the world. If you suddenly notice a high volume of elevated log-ons while the legitimate work crew is at home, start to worry. Source: http://www.infoworld.com/d/security/5-signs- youve-been-hit-advanced-persistent-threat- 204941?page=0,0#sthash.SouQCZzM.dpuf
APT sign No. 2: Finding widespread backdoor Trojans APT hackers often install backdoor Trojan programs on compromised computers within the exploited environment. They do this to ensure they can always get back in, even if the captured log-on credentials get changed when the victim gets a clue. Another related trait: Once discovered, APT hackers dont go away like normal attackers. Why should they? They own computers in your environment, and you arent likely to see them in a court of law. These days, Trojans deployed through social engineering provide the avenue through which most companies are exploited. They are fairly common in every environment -- and they proliferate in APT attacks. Source: http://www.infoworld.com/d/security/5-signs- youve-been-hit-advanced-persistent-threat- 204941?page=0,0#sthash.SouQCZzM.dpuf
APT sign No. 3: Unexpected information flows If I could pick the single best way to detect APT activities, this would be it: Look for large, unexpected flows of data from internal origination points to other internal computers or to external computers. It could be server to server, server to client, or network to network. Those data flows may also be limited, but targeted -- such as someone picking up email from a foreign country. I wish every email client had the ability to show where the latest user logged in to pick up email and where the last message was accessed. Gmail and some other cloud email systems already offer this. Of course, in order to detect a possible APT, you have to understand what your data flows look like before your environment is compromised. Start now and learn your baselines. Source: http://www.infoworld.com/d/security/5-signs-youve- been-hit-advanced-persistent-threat- 204941?page=0,0#sthash.SouQCZzM.dpuf
APT sign No. 4: Discovering unexpected data bundles APTs often aggregate stolen data to internal collection points before moving it outside. Look for large (were talking gigabytes, not megabytes) chunks of data appearing in places where that data should not be, especially if compressed in archive formats not normally used by your company. Source: http://www.infoworld.com/d/security/5-signs- youve-been-hit-advanced-persistent-threat- 204941?page=0,1#sthash.Jw5b5REJ.dpuf
APT sign No. 5: Detecting pass-the-hash hacking tools Although APTs dont always use pass-the-hash attack tools, they frequently pop up. Strangely, after using them, hackers often forget to delete them. If you find pass-the-hash attack tools hanging around, its OK to panic a little or at least consider them as evidence that should be investigated further. Source: http://www.infoworld.com/d/security/5-signs- youve-been-hit-advanced-persistent-threat- 204941?page=0,1#sthash.Jw5b5REJ.dpuf
All the tools you used in this class help you understand more about APT If you know how to do it, you know what to look for If you know what to look for you know how to protect your company If you know how to protect your company, you are going to be one awesome Information Security Engineer
A particular slide catching your eye?
Clipping is a handy way to collect important slides you want to go back to later.