
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2015’



For several years now, Kaspersky Lab’s Global Research and Analysis Team (GReAT) has been monitoring more than 60 threat actors responsible for cyber-attacks worldwide. By closely observing these organizations, which appear to be fluent in many languages, including Russian, Chinese, German, Spanish, Arabic and Persian, we have put together a list of what seem to be the emerging threats in the APT world. We think these will play an important role in 2015 and deserve special attention. As a participant of the webinar, you will be the first to hear our detailed analysis of the trends.

The webinar was hosted by Costin Raiu, Director of GReAT at Kaspersky Lab, on December 11.
“If we can call 2014 ‘sophisticated’, then the word for 2015 will be ‘elusive’. We believe that APT groups will evolve to become stealthier and sneakier, in order to better avoid exposure. This year we’ve already discovered APT players using several zero-days, and we’ve observed new persistence and stealth techniques. We have used this to develop and deploy several new defense mechanisms for our users,” comments Costin Raiu.
Listen to the presentation https://kas.pr/aptwebinar
Read the full report https://kas.pr/ksb



Slide 1: Kaspersky Lab webinar “APT Predictions for 2015”
Date: Thursday, December 11, 11 AM CET
Highlights:
- APT trends in 2014
- The merger of cybercrime and APT
- Fragmentation of bigger APT groups
- Evolving malware techniques
- New methods of data exfiltration
- APT arms race
- Advanced Persistent Threats mitigation
Presenter: Costin Raiu, Director of Global Research and Analysis Team at Kaspersky Lab

Slide 2: 2015 APT Predictions: a look into the APT crystal ball

Slide 3: GReAT: Elite Threats Research
- Global Research and Analysis Team, since 2008
- Threat intelligence, research and innovation leadership
- Focus: APTs, critical infrastructure threats, banking threats, sophisticated targeted attacks

Slide 4: Sophisticated threat discovery (threat; classification; date of detection; active since; facts)
Duqu: cyber-espionage malware; detected September 2011; active since 2010
- Sophisticated Trojan
- Acts as a backdoor into a system
- Facilitates the theft of private information
Flame: cyber-espionage malware; detected May 2012; active since 2007
- More than 600 specific targets
- Can spread over a local network or via a USB stick
- Records screenshots, audio, keyboard activity and network traffic
Gauss: cyber-espionage malware; detected July 2012; active since 2011
- Sophisticated toolkit with modules that perform a variety of functions
- The vast majority of victims were located in Lebanon
miniFlame: cyber-espionage malware; detected October 2012; active since 2012
- Miniature yet fully-fledged spyware module
- Used for highly targeted attacks
- Works as stand-alone malware or as a plug-in for Flame
Red October: cyber-espionage campaign; detected January 2013; active since 2007
- One of the first massive espionage campaigns conducted on a global scale
- Targeted diplomatic and governmental agencies
- Russian-language text in the code notes
NetTraveler: series of cyber-espionage campaigns; detected May 2013; active since 2004
- 350 high-profile victims in 40 countries
- Exploits known vulnerabilities
- Directed at private companies, industry and research facilities, governmental agencies
Careto / The Mask: extremely sophisticated cyber-espionage campaign; detected February 2014; active since 2007
- 1000+ victims in 31 countries
- Complex toolset with malware, rootkit, bootkit
- Versions for Windows, Mac OS X, Linux
- Considered one of the most advanced APTs ever

Slide 5: apt.securelist.com: the ‘Targeted Cyber-attack Logbook’ chronicles all the complex cyber-campaigns, or APTs (advanced persistent threats), that have been investigated by the company’s Global Research and Analysis Team.

Slide 6: APT trends in 2014 were:
- Cost of entry decreasing
- More APT groups
- Emergence of cyber-mercenaries
- Supply chain attacks
- Larger operations and surgical strikes
- Critical infrastructure attacks
- “Wipers”, cyber-sabotage
What’s next?

Slide 7: APT Predictions 2015

Slide 8: 1. The merger of cybercrime and APT
- In a number of incidents, several banks were breached using methods straight out of the APT playbook.
Prediction: targeted attacks directly against banks, not their users.

Slide 9: 2. Fragmentation of bigger APT groups
- Recent exposure of APT groups (MSUpdater/PutterPanda, APT1/Comment Crew, Energetic Bear, Turla, Regin and NetTraveler) leads to fragmentation and the creation of new groups.
Prediction: a more widespread attack base (more companies will be hit). Bigger companies will see attacks from a wider range of sources.

Slide 10: 3. Evolving malware techniques
- More malware is being updated for 64 bits, including rootkits
[Chart: x64 users growth, 2010 to 2014, scale 0% to 60%]
- More advanced persistence techniques
- Cross-platform persistence
- Network equipment, embedded, ICS
Prediction: more sophisticated malware implants, enhanced evasion techniques and more use of virtual file systems.

Slide 11: 4. New methods of data exfiltration

Slide 12: New methods of data exfiltration
- Use of compromised trusted websites
- WebDAV
- DNS requests
- UDP
- ICMP
- …
- Cloud
Prediction: more groups will adopt cloud services in order to make exfiltration stealthier and harder to notice.
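The DNS channel on the list above is one a defender can watch for on ordinary resolver logs. The following Python, an added example and not part of the Kaspersky deck, flags domains that receive a stream of distinct, long, high-entropy subdomain labels from a client, which is the shape encoded data takes when it is carried out through DNS queries; the "client qname" log format, the sample lines and the thresholds are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log, "client qname" per line (assumption: not a real log format).
# 10.0.0.7 sends many distinct, random-looking labels under one domain; the others are ordinary.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 kq7zx3mvn9tdh2plc4ybw8rfsgj5ua0ei6o1.t.example.net
10.0.0.7 b5w9xr2lqhc7tkj3mfd0ya8nszvugp4ei6o1.t.example.net
10.0.0.7 z2p8dmv5kq0hx7cfrgj3tbn1ywu9sla4ei6o.t.example.net
10.0.0.9 static-assets-download-server-01.cdn.example.org
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking encoded data scores high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Last two labels (assumption: no public-suffix list, enough for the sample)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_dns_exfil_candidates(log_text: str, min_label_len: int = 30,
                              min_entropy: float = 3.0, min_unique: int = 3) -> dict:
    """Return {domain: [(client, qname), ...]} for domains whose leftmost labels
    look like encoded data (long and high-entropy) and that were queried with
    at least min_unique distinct such names: one odd-looking name is noise,
    a stream of them from the same client is the exfiltration pattern."""
    suspicious = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname = line.split()
        first = qname.split(".")[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            suspicious[registered_domain(qname)].append((client, qname))
    return {d: q for d, q in suspicious.items() if len({n for _, n in q}) >= min_unique}

if __name__ == "__main__":
    for domain, queries in find_dns_exfil_candidates(SAMPLE_LOG).items():
        print(f"{domain}: {len(queries)} encoded-looking queries from {sorted({c for c, _ in queries})}")
```

The lone long CDN label under example.org passes the length and entropy tests but is dropped by the distinct-name threshold, which is what keeps this heuristic from paging on every odd-looking hostname.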
Slide 13: 5. More countries join the cyberarms race
- Unusual languages seen in APTs: German, Old Italian, Spanish, Korean, French, Arabic
Prediction: although we haven't yet seen APT attacks in Swedish, we do predict that more nations will join the “cyberarms” race and develop cyber-espionage capabilities.

Slide 14: 6. Use of false flags
- In 2014 we observed several “false flag” operations where attackers delivered “inactive” malware commonly used by other APT groups.
Prediction: with governments increasingly keen to “name and shame” attackers, we believe that APT groups will also carefully adjust their operations and throw false flags into the game.

Slide 15: 7. Addition of mobile attacks
[Figure: table of iPhone and iPad hardware identifiers (iPhone1,1 through iPad3,6) and the model names they correspond to]
Prediction: in 2015, we anticipate more mobile-specific malware in APT attacks, with a focus on Android and jailbroken iOS.

Slide 16: 8. Targeting of hotel networks
- Hotels provide an excellent way of targeting particular categories of people, such as company executives.
Prediction: in 2015, a few other groups might also embrace these techniques, but they will remain beyond the reach of the vast majority of APT players.

Slide 17: 9. APT+Botnet: targeted mass surveillance
- In general, APT groups are careful to avoid making too much noise with their operations
- In 2014 we observed two APT groups (Animal Farm and Darkhotel) using botnets in addition to their regular targeted operations
- In addition to DDoS operations, botnets can also offer another advantage: a mass surveillance apparatus for a “poor country”
- Flame and Gauss, which we discovered in 2012, were designed to work as a mass surveillance tool
Prediction: in 2015 more APT groups will embrace this trend of using precise attacks along with noisy operations, and deploy their own botnets.

Slide 18: Massive vs targeted: Darkhotel example e-mail

Slide 19: 10. Commercialization of APT attacks
- Spyware sales cannot be controlled
- Eventually, these dangerous software products end up in the hands of less trustworthy individuals or nations
Prediction: a high-reward, low-risk business that will lead to the creation of more software companies focused on the “legal surveillance tools” market. In turn, these tools will be used for nation-on-nation cyber-espionage operations, domestic surveillance and maybe even sabotage.

Slide 20: What about solutions? How to defend your company against APTs in 2015

Slide 21: APT mitigation strategy: intelligence + technology
Advanced Persistent Knowledge:
- Kaspersky Lab GReAT intelligence reports on active campaigns: intelreports@kaspersky.com
- Cybersecurity Training Services
- Malware Analysis Service
- Threat Data Feeds / Botnet Tracking
Advanced Technologies:
- Kaspersky Security Network: instant reaction to the most recent threats
- Automatic Exploit Prevention (AEP) technology in Kaspersky Lab protection solutions: proactively blocks exploits used in targeted attacks. Example 1: AEP proactively detected components of the Red October espionage campaign. Example 2: AEP proactively blocked CVE-2013-3906 used in targeted attacks.
- Whitelisting / Default Deny mode

Slide 22: Conclusions
- 2014 was a rather sophisticated and diverse year for APT incidents
- Kaspersky Lab discovered three zero-day vulnerabilities in 2014
- Exposed several APTs: Mask/Careto, Darkhotel, Machete, Epic Turla, Regin, Cloud Atlas
- The word for 2015 will be “elusive”
- APT groups will become concerned with exposure and will take more advanced measures to hide from discovery
- False flag operations

Slide 23: Questions?
