Cyber attacks, Cybercrime, Cyber warfare and Cyber threats exposed!

More info on http://techdays.be.

Transcript
  • 1. APTs, Cyber-attacks, Cybercrime, Cyberwarfare and Cyber threats exposed. Marcus Murray & Hasain Alshakarti, Truesec Security Team, MVP Enterprise Security x2
  • 2. Marcus Murray Hasain Alshakarti
  • 3. The threat landscape is changing. It used to be kids hacking for fun…
  • 4. Not anymore.
  • 5. Most countries have "cyber capabilities" today.
  • 6. The "Mandiant report"
  • 7. "Unit 61398 is partially situated on Datong Road (大同路) in Gaoqiaozhen (高桥镇), which is located in the Pudong New Area (浦东新区) of Shanghai (上海). The central building in this compound is a 130,663 square foot facility that is 12 stories high and was built in early 2007." * Mandiant APT1 report 2013
  • 8. "We estimate that Unit 61398 is staffed by hundreds, and perhaps thousands of people based on the size of Unit 61398's physical infrastructure."
  • 9. "Unit 61398 requires its personnel to be trained in computer security and computer network operations and also requires its personnel to be proficient in the English language." * Mandiant APT1 report 2013
  • 10. "They have systematically stolen hundreds of terabytes of data from at least 141 organizations, and have demonstrated the capability and intent to steal from dozens of organizations simultaneously." * Mandiant APT1 report 2013
  • 11. "Among other large-scale thefts of intellectual property, we have observed them stealing 6.5 terabytes of compressed data from a single organization over a ten-month time period." * Mandiant APT1 report 2013
  • 12. Attack process (diagram): Initial recon → Initial compromise → Establish foothold → Escalate privileges → Internal recon → Lateral movement → Maintain presence → Complete mission
  • 13. Attack process
  • 14. Initial recon
  • 15. Initial recon
  • 16. Initial compromise (network diagram: web server, mail servers, domain controller, file server, clients, admin user)
  • 17. Establish foothold (network diagram as above, plus a C&C server)
  • 18. What about antivirus? (diagram: AV test of Trojan.exe; Avhide; Newtrojan.exe)
  • 19. Lateral movement (network diagram as above)
  • 20. Complete mission (network diagram as above)
  • 21. What about network detection?
  • 22. Complete mission. Harvest data: intellectual property, business contracts, negotiations, policy papers, internal memoranda, etc. Compress and collect: RAR with password, etc.
  • 23. Channel over MSN
  • 24. Channel over Google calendar
  • 25. FQDNs used. About half of APT1's known zones were named according to three themes: news, technology and business. Examples: aoldaily.com, mediaxsds.net, reutersnewsonline.com, aunewsonline.com, myyahoonews.com, rssadvanced.org, canadatvsite.com, newsesport.com, saltlakenews.org, canoedaily.com, newsonet.net, sportreadok.net, cnndaily.com, newsonlinesite.com, todayusa.org, cnndaily.net, newspappers.org, usapappers.com, cnnnewsdaily.com, nytimesnews.net, usnewssite.com, defenceonline.net, oplaymagzine.com, yahoodaily.com, freshreaders.net, phoenixtvus.com, giftnews.org, purpledaily.com, issnbgkit.net
  • 26. Origins of attacks…
  • 27. Marcus Murray Hasain Alshakarti
  • 28. Thank you for listening!
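The following Python example is added here and is not code from the Truesec talk or from the Mandiant APT1 report. It takes the two "complete mission" indicators the slides mention (slide 22: stolen data compressed into password-protected RAR archives; slide 25: C2 zones named after news, technology and business brands) and turns them into detection logic run over sample telemetry. The process-creation events, host and user names, command lines and DNS query lines are all constructed for the example; the `rar` switch semantics (`a` adds to an archive, `-p` encrypts data, `-hp` also encrypts headers, `-p-` suppresses the password prompt) are as documented by RAR, and the brand and theme word lists are taken from the domains on slide 25.

```python
"""Added example (not from the Truesec slides or the Mandiant report): two
detections for the 'complete mission' stage. (1) rar creating an archive with a
password switch (-p / -hp), used to stage stolen data; (2) DNS queries for
lookalike news / technology / business domains such as cnndaily.com.
All hosts, users, command lines and DNS lines are constructed for the example."""
import re

# ---- 1. RAR staging with a password --------------------------------------
# Constructed process-creation events (Sysmon-style fields), not real telemetry.
PROCESS_EVENTS = [
    {"host": "FILESRV01", "user": "CORP\\svc_backup", "cmd":
     r'"C:\Program Files\WinRAR\rar.exe" a -r -m5 -hpTh3P@ss C:\Windows\Temp\1.rar D:\Shares\Legal\Contracts'},
    {"host": "CLIENT07", "user": "CORP\\jdoe", "cmd":
     r'rar.exe a -r vacation_photos.rar C:\Users\jdoe\Pictures'},
    {"host": "CLIENT07", "user": "CORP\\jdoe", "cmd":
     r'rar.exe a -p- backup.rar C:\Users\jdoe\Documents'},
    {"host": "CLIENT12", "user": "CORP\\admin", "cmd":
     r'cmd.exe /c rar a -ep1 -v100m -pSecret123 c:\recycler\out.rar \\dc01\c$\docs'},
]
RAR_BINARIES = {"rar.exe", "rar", "winrar.exe", "winrar"}

def tokenize(cmd):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]

def basename(path):
    return path.replace("/", "\\").split("\\")[-1].lower()

def detect_rar_staging(events):
    """Flag events where rar adds ('a') to an archive with -p<pwd> or -hp<pwd>.
    rar syntax: rar <command> [-switches] <archive> [files...]. -p encrypts the
    file data, -hp also encrypts headers (file names); '-p-' only suppresses the
    password prompt and is not flagged."""
    findings = []
    for ev in events:
        argv = tokenize(ev["cmd"])
        # rar may be launched directly or through 'cmd.exe /c rar ...'
        idx = next((i for i, t in enumerate(argv) if basename(t) in RAR_BINARIES), None)
        if idx is None or len(argv) < idx + 2 or argv[idx + 1].lower() != "a":
            continue
        args = argv[idx + 2:]
        pwd = [a for a in args
               if a.lower().startswith(("-hp", "-p")) and a.lower() != "-p-"]
        if not pwd:
            continue
        positional = [a for a in args if not a.startswith("-")]
        findings.append({"host": ev["host"], "user": ev["user"],
                         "archive": positional[0] if positional else None,
                         "sources": positional[1:],
                         "headers_encrypted": any(a.lower().startswith("-hp") for a in pwd)})
    return findings

# ---- 2. Lookalike news / technology / business domains -------------------
BRANDS = ("cnn", "yahoo", "reuters", "nytimes", "aol", "phoenixtv", "canoe")
THEME_WORDS = ("news", "daily", "online", "site", "today", "usa", "tv", "magzine", "pappers", "sport")
LEGITIMATE = {"cnn.com", "yahoo.com", "reuters.com", "nytimes.com", "aol.com"}

def score_domain(fqdn):
    """Return (score, reasons): 2 points if the registrable label embeds a brand,
    1 point if it uses a theme word seen in APT1's zones. Substring matching and
    the last-two-labels rule are naive (no public-suffix list): treat hits as leads."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2 or ".".join(labels[-2:]) in LEGITIMATE:
        return 0, []
    sld = labels[-2]
    score, reasons = 0, []
    brands = [b for b in BRANDS if b in sld]
    themes = [t for t in THEME_WORDS if t in sld]
    if brands:
        score, reasons = score + 2, reasons + ["brand:" + ",".join(brands)]
    if themes:
        score, reasons = score + 1, reasons + ["theme:" + ",".join(themes)]
    return score, reasons

# Constructed DNS query log, one "<timestamp> <client> <qtype> <qname>" per line.
DNS_LOG = [
    "2013-02-19T08:01:12Z CLIENT07 A www.cnn.com",
    "2013-02-19T08:03:44Z CLIENT07 A cnndaily.com",
    "2013-02-19T08:05:09Z CLIENT12 A mail.corp.example.com",
    "2013-02-19T08:07:31Z CLIENT12 A news.yahoo.com",
    "2013-02-19T08:09:58Z FILESRV01 A reutersnewsonline.com",
    "2013-02-19T08:11:02Z CLIENT07 A newsonet.net",
    "garbage line that does not parse",
]
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def detect_lookalike_queries(lines, threshold=2):
    """Return (client, qname, score, reasons) for queries scoring >= threshold."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        _, client, _, qname = m.groups()
        score, reasons = score_domain(qname)
        if score >= threshold:
            hits.append((client, qname, score, reasons))
    return hits

if __name__ == "__main__":
    for f in detect_rar_staging(PROCESS_EVENTS):
        print("RAR staging:", f)
    for h in detect_lookalike_queries(DNS_LOG):
        print("Lookalike domain:", h)
```

Both detectors are deliberately cheap so they can run against raw command-line and DNS telemetry; the RAR rule keys on archive creation with a password rather than on rar.exe alone, because legitimate backups use the same tool, and the domain scorer ranks brand-plus-theme names (cnndaily.com) above theme-only names (newsonet.net) so that the noisier class can be reviewed separately or raised to a higher threshold.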