
Security Intelligence: Advanced Persistent Threats

Peter Wood has worked as an ethical hacker for the past 20 years, with clients in sectors as diverse as banking, insurance, retail and manufacturing. He will describe how advanced persistent threats operate from a security intelligence perspective, based on published case studies and analysis. He will highlight APT entry points and exploitation techniques and suggest practical prevention and detection strategies.

Published in: Technology, Business


  1. Security Intelligence: Advanced Persistent Threats. An Ethical Hacker’s View. Peter Wood, Chief Executive Officer, First•Base Technologies LLP
  2. Who is Peter Wood?
     • Worked in computers & electronics since 1969
     • Founded First Base in 1989 (one of the first ethical hacking firms)
     • CEO, First Base Technologies LLP
     • Social engineer & penetration tester
     • Conference speaker and security ‘expert’
     • Member of ISACA Security Advisory Group
     • Vice Chair of BCS Information Risk Management and Audit Group
     • UK Chair, Corporate Executive Programme
     • FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
     • Registered BCS Security Consultant
     • Member of ACM, ISACA, ISSA, Mensa
     © First Base Technologies 2012
  3. Security Intelligence and This Presentation
     “SI is a recognition of the evolution of sophisticated adversaries, the study of that evolution, and the application of this information in an actionable way to the defence of systems, networks, and data. In short, it is threat-focused defence, or as I occasionally refer to it, intelligence-driven response. The “intelligence” in intelligence-driven response is the information acquired about one’s adversaries, or collectively the threat landscape. Each industry has a different threat landscape, and each organisation in each industry has a different risk profile, even to the same adversary. Understanding one’s threat environment is collecting actionable information on known threat actors for computer network defence, whether that action is purely detection or detection with prevention.”
     Source: Mike Cloppert, http://computer-forensics.sans.org/blog/
  4. Agenda
     • APT Primer
     • Case Studies
     • Entry Points
     • Prevention and Detection
  5. Agenda
     • APT Primer
     • Case Studies
     • Entry Points
     • Prevention and Detection
  6. Advanced Persistent Threat (APT)
     • “An advanced and normally clandestine means to gain continual, persistent intelligence on an individual, or group of individuals” [Wikipedia]
     • “… a sophisticated, mercurial way that advanced attackers can break into systems, not get caught, keeping long-term access to exfiltrate data at will.” [McAfee]
     • “… a sophisticated and organized cyber attack to access and steal information from compromised computers.” [MANDIANT]
  7. Advanced, Persistent, Threat
     • They combine multiple attack methodologies and tools in order to reach and compromise their target
     • The attack is conducted through continuous monitoring and interaction in order to achieve the defined objectives
     • It does not mean a barrage of constant attacks and malware updates; in fact, a “low-and-slow” approach is usually more successful
     • There is a level of coordinated human involvement in the attack, rather than a mindless and automated piece of code
     • The operators have a specific objective and are skilled, motivated, organized and well funded
  8. The Aurora attack (http://threatpost.com/)
  9. The Aurora attack (http://threatpost.com/)
  10. The Aurora attack (http://trailofbits.com/2010/01/24/one-exploit-should-not-ruin-your-day/)
     “If you have done or been around any high-level incident response, you would know that these advanced persistent threats have been going on in various sectors for years. Nor is it a new development that the attackers used an 0day client-side exploit along with targeted social engineering as their initial access vector. What is brand new is the fact that a number of large companies have voluntarily gone public with the fact that they were victims to a targeted attack. And this is the most important lesson: targeted attacks do exist and happen to a number of industries besides the usual ones like credit card processors and e-commerce shops.” Dino Dai Zovi
  11. Agenda
     • APT Primer
     • Case Studies
     • Entry Points
     • Prevention and Detection
  12. http://blogs.rsa.com/rivner/anatomy-of-an-attack/
  13. The RSA attack
     Initial compromise:
     1. Research public information about employees
     2. Select low-value targets
     3. Spear phishing email “2011 Recruitment Plan” with .xls attachment
     4. Spreadsheet contains 0day exploit that installs backdoor through Flash vulnerability (backdoor is a Poison Ivy variant RAT, reverse-connected)
     Post-compromise:
     1. Digital shoulder surf & harvest credentials
     2. Performed privilege escalation
     3. Target and compromise high-value accounts
     4. Copy data from target servers
     5. Move data to staging servers and aggregate, compress and encrypt it
     6. FTP to external staging server at compromised hosting site
     7. Finally pull data from hosted server and remove traces
  14. RSA Security Brief, February 2012
  15. Agenda
     • APT Primer
     • Case Studies
     • Entry Points
     • Prevention and Detection
  16. Entry Points
  17. Identifying ‘The Mark’
  18. Social Networking
  19. (screenshot)
  20. Facebook Scams
  21. Document MetaData Harvesting
  22. Infosecurity Europe 2012 Experiment
     • Open WiFi on a laptop on our stand
     • Network name: ‘Infosec free wifi’
     • Fake AP using airbase-ng on BackTrack
     • In one day we collected 86 unique devices
  23. Wireless Eavesdropping
     Packet sniffing unprotected WiFi can reveal:
     • logons and passwords for unencrypted sites
     • all plain-text traffic (e-mails, web browsing, file transfers)
  24. Firesheep Capturing
  25. Firesheep: Game Over
  26. Telephone Social Engineering
     Sometimes all they have to do is call up and ask!
  27. Information Leakage
     Exposure of:
     • Corporate hierarchy
     • E-mail addresses
     • Phone numbers
     • Technical infrastructure
     • Business plans
     • Sensitive information
     • Passwords!
  28. Spear Phishing
  29. Phishing Emails
  30. Phishing Emails
  31. Spear phishing
  32. Privilege Escalation
  33. Password ‘Quality’ (http://iqsecur.blogspot.ca/2012/04/analysis-of-leaked-militarysinglesorg.html)
  34. Case study: Windows Administrator Passwords
     Global organisation:
     • 67 Administrator accounts
     • 43 simple passwords (64%)
     • 15 were “password” (22%)
     • Some examples we found: admin5, crystal, finance, friday, macadmin, monkey, orange, password, password1, prague, pudding, rocky4, security, security1, sparkle, webadmin, yellow
  35. Case study: Password Crack
     • 26,310 passwords from a Windows domain
     • 11,279 (42.9%) cracked in 2½ minutes
     • It’s not a challenge!
  36. Password Issues
     • Passwords based on dictionary words and names
     • Service accounts with simple/stupid passwords
     • Other easy-to-guess passwords
     • Little or no use of passphrases
     • Password policies not tailored to specific environments (e.g. Windows LM hash problem)
     • Old fashioned rules no longer apply (rainbow tables, parallel cracking, video processors)
     • Just general ignorance and apathy?
     • One password to rule them all …
  37. Agenda
     • APT Primer
     • Case Studies
     • Entry Points
     • Prevention and Detection
  38. Identifying “The Mark”: Social Networking
     • Don’t reveal personal or sensitive information in social networking sites or blogs
     • Set the privacy options in social networking sites
     • Don’t discuss confidential information online
     • Don’t ‘friend’ people you don’t know
     Remember: what goes on the Internet, stays on the Internet!
  39. Identifying “The Mark”: Telephone Social Engineering
     • If you receive a suspicious phone call, hang up and call back on a number you know is legitimate
     • Never reveal personal or sensitive information in response to a phone call unless you have verified the caller
     • Don’t answer questions about your organisation or colleagues unless it’s your job to do so
     • Report any phone calls that you suspect might be social engineering attacks
  40. Identifying “The Mark”: Public and Open WiFi
     • Remember: open and WEP-encrypted WiFi networks are visible to almost anyone
     • Never use public WiFi for sensitive information
     • Don’t use the same password for web sites and for corporate systems
     • Make sure your email connections are encrypted
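Slides 23 to 25 and slide 40 describe the same failure from two sides: Firesheep captured session cookies that sites sent in the clear over open WiFi, and the fix on the server side is to mark session cookies Secure (and HttpOnly) and to send Strict-Transport-Security so browsers never fall back to plain HTTP. The header audit below is an added example, not code from the presentation or from First Base; the cookie-name heuristic, the two constructed responses and the `audit_headers` function are assumptions of this example.

```python
import re

# Names that suggest a cookie carries a session or authentication token.
# Heuristic assumption for this example; a real audit knows its own cookie names.
SESSION_HINT = re.compile(r"sess|auth|token|sid|login", re.IGNORECASE)


def parse_set_cookie(value):
    """Split one Set-Cookie header into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_headers(headers):
    """headers: list of (name, value) pairs from one HTTPS response.
    Returns a list of findings; an empty list means these headers do not
    expose the session to cleartext capture on an open network."""
    findings = []
    names = {key.lower() for key, _ in headers}
    if "strict-transport-security" not in names:
        findings.append("no Strict-Transport-Security: a browser may still follow plain http:// links")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if not SESSION_HINT.search(name):
            continue  # e.g. a UI preference cookie, not a session token
        if "secure" not in attrs:
            findings.append(f"cookie {name}: no Secure flag, so it is sent on any http:// request")
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: no HttpOnly flag, readable by page scripts")
    return findings


# Constructed example responses: the first is the kind of site Firesheep
# could capture, the second is the hardened form of the same response.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=7f3a9c; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=7f3a9c; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(response) or "OK")
```

Run against a real site, the pairs would come from the response headers of the login page; the point of the check is that a Secure flag on the session cookie is what stops the "logons and passwords" in slide 23 from appearing on the wire, while HSTS closes the plain-HTTP redirect that Firesheep-style tools waited for.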
  41. Spear Phishing
     • Never reveal personal or sensitive information in response to an email, no matter who appears to have sent it
     • If you receive an email that appears suspicious, call the person or organisation in the ‘From’ field before you respond or open any attached files
     • Never click links in an email message that requests personal or sensitive information. Enter the web address into your browser instead
     • Report any email that you suspect might be a spear phishing campaign within your company
  42. Privilege Escalation
     • Don’t use passwords based on dictionary words and names
     • Use complex passphrases for service accounts
     • Tailor password policies to specific environments (e.g. Windows vs. web sites)
     • Remember: old fashioned rules no longer apply (rainbow tables, parallel cracking, video processors)
     • Never re-use passwords: “one password to rule them all …”
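Slides 34 to 36 list what the password audits found (dictionary words with a digit appended, "password" itself on administrator accounts, no passphrases, policies that ignore the LM hash limit, reuse across systems) and slide 42 lists the corresponding rules. The checker below is an added example, not First Base's tool or code from the presentation: it applies those rules to a candidate password and reports each rule it breaks, and `summarise` reproduces the "simple passwords (64%)" style figure from slide 34 over a constructed sample. The word list, the per-environment thresholds, the leet-speak map and the "seen elsewhere" hash set are assumptions of this example.

```python
import hashlib
import re

# Constructed stand-in for a real dictionary and name list; a production audit
# would load a full wordlist. Entries include the weak examples from the slides.
WORDLIST = {
    "password", "monkey", "orange", "security", "crystal", "finance", "friday",
    "prague", "pudding", "rocky", "sparkle", "yellow", "admin", "webadmin",
    "macadmin", "welcome", "summer", "london",
}

# Constructed: hashes of passwords already in use on other systems, to catch
# "one password to rule them all". A real deployment would compare against the
# other systems' own stores rather than sharing plaintext between them.
SEEN_ELSEWHERE = {hashlib.sha256(p.encode()).hexdigest() for p in ("Welcome2012", "Sparkle99")}

# Policies tailored per environment (slide 42); the thresholds are assumptions.
POLICIES = {
    "windows": {"min_length": 15, "min_words": 3},
    "web":     {"min_length": 12, "min_words": 3},
    "service": {"min_length": 25, "min_words": 4},
}

LEET = str.maketrans("0134@$!", "oleaasi")


def core_word(password):
    """Strip leading/trailing digits and symbols and undo simple leet-speak, so
    'Password1', 'admin5' and 'p4ssw0rd' all reduce to their base word."""
    core = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    return core.translate(LEET)


def audit_password(password, environment="windows"):
    """Return a list of findings; an empty list means the password passes."""
    policy = POLICIES[environment]
    findings = []
    if len(password) < policy["min_length"]:
        findings.append(f"shorter than {policy['min_length']} characters")
    # Windows LM hashes exist only for passwords of 14 characters or fewer,
    # so a longer password sidesteps that legacy weakness entirely.
    if environment == "windows" and len(password) <= 14:
        findings.append("14 characters or fewer: an LM hash can be stored for it")
    core = core_word(password)
    if core in WORDLIST:
        findings.append(f"dictionary word or name with trivial decoration ({core!r})")
    if len(re.findall(r"[A-Za-z]+", password)) < policy["min_words"]:
        findings.append(f"not a passphrase of at least {policy['min_words']} words")
    if hashlib.sha256(password.encode()).hexdigest() in SEEN_ELSEWHERE:
        findings.append("re-used: the same password is in use on another system")
    return findings


def summarise(passwords, environment="windows"):
    """Return (total, weak_count), the figure quoted on slide 34."""
    weak = sum(1 for p in passwords if audit_password(p, environment))
    return len(passwords), weak


if __name__ == "__main__":
    # Constructed sample modelled on the administrator passwords in the slides.
    sample = ["admin5", "password1", "rocky4", "security1", "webadmin",
              "correct horse battery staple", "Welcome2012"]
    for pw in sample:
        print(f"{pw!r}: {audit_password(pw) or 'OK'}")
    total, weak = summarise(sample)
    print(f"{weak}/{total} weak ({100 * weak // total}%)")
```

The per-environment table is the "tailor password policies" rule made concrete: the Windows policy forces passwords past the 14-character LM limit, and the service-account policy demands the long passphrases slide 42 asks for. Checking the hash of the candidate against hashes from other systems is one way to enforce "never re-use passwords" without the audit ever holding those systems' plaintext.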
  43. Think Like an Attacker!
     Hacking is a way of thinking:
     - A hacker is someone who thinks outside the box
     - It’s someone who discards conventional wisdom, and does something else instead
     - It’s someone who looks at the edge and wonders what’s beyond
     - It’s someone who sees a set of rules and wonders what happens if you don’t follow them
     [Bruce Schneier]
     Hacking applies to all aspects of life, not just computers
  44. The Human Firewall
     The money you spent on security products, patching systems and conducting audits could be wasted if you don’t prevent social engineering attacks …
     Invest in marketing security awareness and intelligent, practical policies
  45. Need more information?
     Peter Wood, Chief Executive Officer, First•Base Technologies LLP
     peterw@firstbase.co.uk
     http://firstbase.co.uk
     http://white-hats.co.uk
     http://peterwood.com
     Blog: fpws.blogspot.com
     Twitter: peterwoodx