Security Intelligence: Advanced Persistent Threats


Peter Wood has worked as an ethical hacker for the past 20 years, with clients in sectors as diverse as banking, insurance, retail and manufacturing. He will describe how advanced persistent threats operate from a security intelligence perspective, based on published case studies and analysis. He will highlight APT entry points and exploitation techniques and suggest practical prevention and detection strategies.

Published in: Technology, Business
  • Mike Cloppert is a senior member of Lockheed Martin's Computer Incident Response Team. He has lectured for various audiences including SANS, IEEE, the annual DC3 CyberCrime Convention, and teaches an introductory class on cryptography. His current work consists of security intelligence analysis and development of new tools and techniques for incident response. Michael holds a BS in computer engineering, an MS in computer science, has earned GCIA (#592) and GCFA (#711) gold certifications alongside various others, and is a professional member of ACM and IEEE.
  • Many people don’t understand that wireless networking is like a wired hub – there is no packet switching, so anyone connected to an open wireless access point can see everyone else’s traffic. Again, discovering how to do this isn’t hard and the tools are free. A criminal attacker could be sitting some distance away with a directional antenna, watching everything on the unprotected network.
  • When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and, if so, replies to you with a "cookie" which is used by your browser for all subsequent requests. It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy. This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new "privacy" features in an endless attempt to quell the screams of unhappy users, but what's the point when someone can just take over an account entirely? Twitter forced all third-party developers to use OAuth, then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room. After installing the extension you'll see a new sidebar. Connect to any busy open wifi network and click the big "Start Capturing" button. Then wait. As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed.
  • Double-click on someone, and you're instantly logged in as them. That's it. Firesheep is free, open source, and is available now for Mac OS X and Windows. Linux support is on the way. Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.
  • PETE: And also, just like the Smartphone, before you do anything else on a social network I want you to protect your ID and your personal information. Because of the “delusion of free”. Because you think the Internet is this wonderful, benign, philanthropic supermarket, run by Willy Wonka, where the price tag of everything is zero-point-zero, please-help-yourself. So you may not wonder why this social media outfit wants you to stuff its archives with all your personal information, all your preferences, all your loves and likes and loathings. But what’s going to happen, with your help, is they publish all your info throughout the known universe. And thus, shrewd cold callers on the planet Zog will have access to all of that sweet intelligence plus your email and phone number. A reminder. What are you? FRANK: I am the product.
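The notes above explain why a site that encrypts only the login exchange still hands a passive eavesdropper the session cookie on the very next plain-HTTP request. The following Python is an added defender-side example, not code from the presentation or from Firesheep: it audits the headers of a constructed login response, flags a session cookie that lacks the Secure or HttpOnly flag or a SameSite attribute, notes the absence of Strict-Transport-Security, and shows the hardened version of the same response passing. The cookie names, header values and the `SESSION_COOKIE_HINTS` list are assumptions made for the illustration.

```python
"""Audit a login response for the sidejacking weakness described above: a
session cookie the browser will also send over plain HTTP.

Added example, not code from the presentation or from Firesheep.  Both
responses below are constructed; the cookie names and the
SESSION_COOKIE_HINTS list are assumptions for the sake of illustration.
"""
from http.cookies import SimpleCookie

# Substrings that suggest a cookie carries a session identifier (assumption;
# extend for the names your own application uses).
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie_headers(headers):
    """Return [(cookie_name, {secure, httponly, samesite}), ...] for every
    Set-Cookie header in a list of (header_name, value) pairs."""
    cookies = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for key, morsel in jar.items():
            cookies.append((key, {
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
                "samesite": (morsel["samesite"] or "").lower(),
            }))
    return cookies


def audit_login_response(headers):
    """Return a list of findings for one response.  An empty list means the
    session cookie is confined to HTTPS and the site enforces HTTPS via HSTS.

    Without the Secure flag the browser sends the cookie in clear text on the
    first http:// request to the site, which is all a passive sniffer on an
    open WiFi network needs in order to replay the session."""
    findings = []
    header_names = {name.lower() for name, _ in headers}
    for cookie, attrs in parse_set_cookie_headers(headers):
        if not any(hint in cookie.lower() for hint in SESSION_COOKIE_HINTS):
            continue  # not a session cookie by our heuristic
        if not attrs["secure"]:
            findings.append(f"{cookie}: no Secure flag, cookie is sent over plain HTTP")
        if not attrs["httponly"]:
            findings.append(f"{cookie}: no HttpOnly flag, cookie is readable by page scripts")
        if attrs["samesite"] not in ("lax", "strict"):
            findings.append(f"{cookie}: SameSite not set to Lax or Strict")
    if "strict-transport-security" not in header_names:
        findings.append("no Strict-Transport-Security header, HTTPS is not enforced")
    return findings


# Constructed login responses as (header name, value) pairs, modelled on the two
# cases in the text: login over HTTPS but everything else exposed, versus
# end-to-end HTTPS with the cookie confined to it.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=3f9a1c77d2; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=3f9a1c77d2; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_login_response(response) or ["no findings"])
```

The Secure flag is the check that maps directly onto the sidejacking scenario; HttpOnly and SameSite are listed because the same cookie is the target of script-based and cross-site theft, and HSTS is what stops the browser ever making that first http:// request.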

    1. Security Intelligence: Advanced Persistent Threats. An Ethical Hacker’s View. Peter Wood, Chief Executive Officer, First•Base Technologies LLP
    2. Who is Peter Wood?
       • Worked in computers & electronics since 1969
       • Founded First Base in 1989 (one of the first ethical hacking firms)
       • CEO, First Base Technologies LLP
       • Social engineer & penetration tester
       • Conference speaker and security ‘expert’
       • Member of ISACA Security Advisory Group
       • Vice Chair of BCS Information Risk Management and Audit Group
       • UK Chair, Corporate Executive Programme
       • FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
       • Registered BCS Security Consultant
       • Member of ACM, ISACA, ISSA, Mensa
       © First Base Technologies 2012
    3. Security Intelligence and This Presentation
       “SI is a recognition of the evolution of sophisticated adversaries, the study of that evolution, and the application of this information in an actionable way to the defence of systems, networks, and data. In short, it is threat-focused defence, or as I occasionally refer to it, intelligence-driven response. The ‘intelligence’ in intelligence-driven response is the information acquired about one’s adversaries, or collectively the threat landscape. Each industry has a different threat landscape, and each organisation in each industry has a different risk profile, even to the same adversary. Understanding one’s threat environment is collecting actionable information on known threat actors for computer network defence, whether that action is purely detection or detection with prevention.” Source: Mike Cloppert
    4. Agenda
       • APT Primer
       • Case Studies
       • Entry Points
       • Prevention and Detection
    5. Agenda (repeated): APT Primer • Case Studies • Entry Points • Prevention and Detection
    6. Advanced Persistent Threat (APT)
       • “An advanced and normally clandestine means to gain continual, persistent intelligence on an individual, or group of individuals” [Wikipedia]
       • “… a sophisticated, mercurial way that advanced attackers can break into systems, not get caught, keeping long-term access to exfiltrate data at will.” [McAfee]
       • “… a sophisticated and organized cyber attack to access and steal information from compromised computers.” [MANDIANT]
    7. Advanced, Persistent, Threat
       • They combine multiple attack methodologies and tools in order to reach and compromise their target
       • The attack is conducted through continuous monitoring and interaction in order to achieve the defined objectives
       • It does not mean a barrage of constant attacks and malware updates; in fact, a “low-and-slow” approach is usually more successful
       • There is a level of coordinated human involvement in the attack, rather than a mindless and automated piece of code
       • The operators have a specific objective and are skilled, motivated, organized and well funded
    8. The Aurora attack
    9. The Aurora attack
    10. The Aurora attack
       “If you have done or been around any high-level incident response, you would know that these advanced persistent threats have been going on in various sectors for years. Nor is it a new development that the attackers used an 0day client-side exploit along with targeted social engineering as their initial access vector. What is brand new is the fact that a number of large companies have voluntarily gone public with the fact that they were victims of a targeted attack. And this is the most important lesson: targeted attacks do exist and happen to a number of industries besides the usual ones like credit card processors and e-commerce shops.” Dino Dai Zovi
    11. Agenda (repeated): APT Primer • Case Studies • Entry Points • Prevention and Detection
    12. (image only)
    13. The RSA attack
       1. Research public information about employees
       2. Select low-value targets
       3. Spear phishing email “2011 Recruitment Plan” with .xls attachment
       4. Spreadsheet contains 0day exploit that installs backdoor through Flash vulnerability (backdoor is a Poison Ivy variant RAT, reverse-connected)
       Then:
       1. Digital shoulder surf & harvest credentials
       2. Performed privilege escalation
       3. Target and compromise high-value accounts
       4. Copy data from target servers
       5. Move data to staging servers and aggregate, compress and encrypt it
       6. FTP to external staging server at compromised hosting site
       7. Finally pull data from hosted server and remove traces
    14. RSA Security Brief, February 2012
    15. Agenda (repeated): APT Primer • Case Studies • Entry Points • Prevention and Detection
    16. Entry Points
    17. Identifying ‘The Mark’
    18. Social Networking
    19. (image only)
    20. Facebook Scams
    21. Document MetaData Harvesting
    22. Infosecurity Europe 2012 Experiment
       • Open WiFi on a laptop on our stand
       • Network name: ‘Infosec free wifi’
       • Fake AP using airbase-ng on BackTrack
       • In one day we collected 86 unique devices
    23. Wireless Eavesdropping
       Packet sniffing unprotected WiFi can reveal:
       • logons and passwords for unencrypted sites
       • all plain-text traffic (e-mails, web browsing, file transfers)
    24. Firesheep Capturing
    25. Firesheep: Game Over
    26. Telephone Social Engineering
       Sometimes all they have to do is call up and ask!
    27. Information Leakage
       Exposure of:
       • Corporate hierarchy
       • E-mail addresses
       • Phone numbers
       • Technical infrastructure
       • Business plans
       • Sensitive information
       • Passwords!
    28. Spear Phishing
    29. Phishing Emails
    30. Phishing Emails
    31. Spear phishing
    32. Privilege Escalation
    33. Password ‘Quality’
    34. Case study: Windows Administrator Passwords
       Global organisation:
       • 67 Administrator accounts
       • 43 simple passwords (64%)
       • 15 were “password” (22%)
       • Some examples we found: admin5, crystal, finance, friday, macadmin, monkey, orange, password, password1, prague, pudding, rocky4, security, security1, sparkle, webadmin, yellow
    35. Case study: Password Crack
       • 26,310 passwords from a Windows domain
       • 11,279 (42.9%) cracked in 2½ minutes
       • It’s not a challenge!
    36. Password Issues
       • Passwords based on dictionary words and names
       • Service accounts with simple/stupid passwords
       • Other easy-to-guess passwords
       • Little or no use of passphrases
       • Password policies not tailored to specific environments (e.g. Windows LM hash problem)
       • Old fashioned rules no longer apply (rainbow tables, parallel cracking, video processors)
       • Just general ignorance and apathy?
       • One password to rule them all …
    37. Agenda (repeated): APT Primer • Case Studies • Entry Points • Prevention and Detection
    38. Identifying “The Mark”: Social Networking
       • Don’t reveal personal or sensitive information in social networking sites or blogs
       • Set the privacy options in social networking sites
       • Don’t discuss confidential information online
       • Don’t ‘friend’ people you don’t know
       Remember – what goes on the Internet, stays on the Internet!
    39. Identifying “The Mark”: Telephone Social Engineering
       • If you receive a suspicious phone call, hang up and call back on a number you know is legitimate
       • Never reveal personal or sensitive information in response to a phone call unless you have verified the caller
       • Don’t answer questions about your organisation or colleagues unless it’s your job to do so
       • Report any phone calls that you suspect might be social engineering attacks
    40. Identifying “The Mark”: Public and Open WiFi
       • Remember: open and WEP-encrypted WiFi networks are visible to almost anyone
       • Never use public WiFi for sensitive information
       • Don’t use the same password for web sites and for corporate systems
       • Make sure your email connections are encrypted
    41. Spear Phishing
       • Never reveal personal or sensitive information in response to an email, no matter who appears to have sent it
       • If you receive an email that appears suspicious, call the person or organisation in the ‘From’ field before you respond or open any attached files
       • Never click links in an email message that requests personal or sensitive information. Enter the web address into your browser instead
       • Report any email that you suspect might be a spear phishing campaign within your company
    42. Privilege Escalation
       • Don’t use passwords based on dictionary words and names
       • Use complex passphrases for service accounts
       • Tailor password policies to specific environments (e.g. Windows vs. web sites)
       • Remember: old fashioned rules no longer apply (rainbow tables, parallel cracking, video processors)
       • Never re-use passwords: “one password to rule them all …”
    43. Think Like an Attacker!
       Hacking is a way of thinking:
       - A hacker is someone who thinks outside the box
       - It’s someone who discards conventional wisdom, and does something else instead
       - It’s someone who looks at the edge and wonders what’s beyond
       - It’s someone who sees a set of rules and wonders what happens if you don’t follow them
       [Bruce Schneier]
       Hacking applies to all aspects of life, not just computers
    44. The Human Firewall
       The money you spent on security products, patching systems and conducting audits could be wasted if you don’t prevent social engineering attacks …
       Invest in:
       • Marketing security awareness
       • Intelligent, practical policies
    45. Need more information?
       Peter Wood, Chief Executive Officer, First•Base Technologies LLP
       Blog:
       Twitter: peterwoodx
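Slide 13 lists the steps of the RSA intrusion, and slide 41 asks staff to report suspicious email rather than open its attachments. The following Python is an added example, not code from the presentation, showing two detections a security team could run over its own gateway and flow logs for two of those steps: the spear-phishing lure (an external sender delivering a spreadsheet; the “2011 Recruitment Plan” subject is the one named on slide 13) and the later bulk FTP transfer from an internal staging host to an external server. The mail and flow records are constructed; the field names, the `example.com` domain, the `10.0.0.0/8` network, the risky-extension list and the 50 MiB threshold are all assumptions rather than any product’s schema, and the external addresses come from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.

```python
"""Two detections for steps of the intrusion chain on slide 13: the
spear-phishing lure (an external sender delivering a spreadsheet) and the
later bulk FTP transfer from an internal staging host to an external server.

Added example, not from the presentation.  The mail-gateway and flow records
are constructed; the field names, domain, network and threshold are
assumptions, not any product's schema.  External addresses come from the
documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
"""
import ipaddress
from collections import defaultdict

INTERNAL_DOMAIN = "example.com"                        # assumption: defended organisation
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")      # assumption: its address space
RISKY_EXTENSIONS = (".xls", ".xlsm", ".doc", ".docm", ".rtf")  # active-content documents
BULK_BYTES = 50 * 1024 * 1024                          # assumption: 50 MiB per host pair

# Constructed mail-gateway records.  Record 2 follows the slide 13 lure: a
# recruitment-themed spreadsheet from a lookalike domain.
MAIL_LOG = [
    {"display": "HR Team", "from": "hr@example.com",
     "subject": "Q3 timesheets", "attachments": ["timesheets.pdf"]},
    {"display": "Recruiting", "from": "recruiting@mail-example.net",
     "subject": "2011 Recruitment Plan", "attachments": ["2011 Recruitment plan.xls"]},
    {"display": "Bob Smith", "from": "bob.smith@example.com",
     "subject": "Board minutes", "attachments": ["minutes.doc"]},
    {"display": "Vendor Billing", "from": "billing@vendor.example.org",
     "subject": "Invoice 4471", "attachments": ["invoice.pdf"]},
]

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_out).
FLOW_LOG = [
    ("10.1.4.22", "10.1.9.5", 445, 900_000_000),      # data moved to internal staging host
    ("10.1.9.5", "203.0.113.77", 21, 600_000_000),    # staging host -> external FTP
    ("10.1.9.5", "203.0.113.77", 21, 120_000_000),
    ("10.1.4.30", "198.51.100.9", 443, 40_000),       # ordinary web traffic
    ("10.1.4.31", "203.0.113.10", 21, 2_000_000),     # small FTP, below threshold
]


def is_external_sender(address):
    """True unless the address is in INTERNAL_DOMAIN or one of its subdomains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return not (domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN))


def flag_lure(message):
    """Return a triage note if the message matches the lure pattern, else None.

    The rule is deliberately broad (external sender plus an active-content
    attachment): it feeds an analyst queue, not an automatic block."""
    risky = [a for a in message["attachments"] if a.lower().endswith(RISKY_EXTENSIONS)]
    if not risky or not is_external_sender(message["from"]):
        return None
    return (f"external sender {message['from']} sent active-content attachment "
            f"{risky[0]!r} (subject: {message['subject']!r})")


def flag_bulk_ftp_exfil(flows, threshold=BULK_BYTES):
    """Sum outbound FTP bytes per (src, dst) pair where dst is outside INTERNAL_NET
    and return the pairs whose total reaches the threshold."""
    totals = defaultdict(int)
    for src, dst, port, nbytes in flows:
        if port not in (20, 21):
            continue
        if ipaddress.ip_address(dst) in INTERNAL_NET:
            continue
        totals[(src, dst)] += nbytes
    return {pair: total for pair, total in totals.items() if total >= threshold}


if __name__ == "__main__":
    for msg in MAIL_LOG:
        note = flag_lure(msg)
        if note:
            print("LURE:", note)
    for (src, dst), total in flag_bulk_ftp_exfil(FLOW_LOG).items():
        print(f"EXFIL: {src} -> {dst} {total / 2**20:.0f} MiB over FTP")
```

Summing per host pair rather than per flow is what catches the slide’s “aggregate, compress and encrypt” step: the transfer may be split into several sessions, none of which looks large on its own.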
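Slides 34 to 36 and 42 classify administrator passwords as simple dictionary words and names, the literal word “password”, or something better, and slide 36 mentions the Windows LM hash problem. The following Python is an added example, not code from the presentation: it applies that classification to a constructed password set made from the slide 34 examples plus two constructed strong values, reports counts and the weak percentage, and also counts passwords of 14 characters or fewer, the most an LM hash covers, so that even a random 14-character password still leaves an LM hash on a domain where that legacy storage has not been disabled. The word list is a tiny constructed stand-in for the full dictionaries an audit would use.

```python
"""Audit a set of account passwords the way the case study on slides 34-36
does: how many are a dictionary word or name (optionally with a digit or two
tacked on), how many are literally "password", and how many would still be
stored as an LM hash (14 characters or fewer) on a domain that has not
disabled LM storage.

Added example, not from the presentation.  WORDLIST is a constructed
mini-dictionary; the sample set reuses the slide 34 examples plus two
constructed strong values.
"""
import re

# Constructed mini-dictionary.  A real audit uses a full word list plus the
# organisation's own vocabulary (company, products, local places, first names).
WORDLIST = {
    "admin", "crystal", "finance", "friday", "mac", "monkey", "orange",
    "password", "prague", "pudding", "rocky", "security", "sparkle", "web", "yellow",
}

LM_MAX_LEN = 14  # an LM hash covers at most 14 characters; longer passwords get none

# Slide 34's examples plus two constructed strong values (14-char random, long passphrase).
SAMPLE_PASSWORDS = [
    "admin5", "crystal", "finance", "friday", "macadmin", "monkey", "orange",
    "password", "password1", "prague", "pudding", "rocky4", "security",
    "security1", "sparkle", "webadmin", "yellow",
    "q7!Lm2#vXp9@Rd", "my cat chases three red kites",
]


def stem(password):
    """Lower-case the password and drop up to two trailing digits ('rocky4' -> 'rocky')."""
    return re.sub(r"\d{1,2}$", "", password.lower())


def is_dictionary_based(password):
    """True if the stem is one word, or two words run together ('webadmin')."""
    base = stem(password)
    if base in WORDLIST:
        return True
    return any(base[:i] in WORDLIST and base[i:] in WORDLIST for i in range(1, len(base)))


def classify(password):
    """Return one of the three classes used on slide 34."""
    if password.lower() == "password":
        return "literal password"
    if is_dictionary_based(password):
        return "simple"
    return "other"


def audit(passwords, lm_enabled=True):
    """Summarise a password set: counts per class, weak percentage, LM exposure."""
    counts = {"literal password": 0, "simple": 0, "other": 0}
    lm_exposed = 0
    for pw in passwords:
        counts[classify(pw)] += 1
        if lm_enabled and len(pw) <= LM_MAX_LEN:
            lm_exposed += 1
    total = len(passwords)
    weak = counts["literal password"] + counts["simple"]
    return {
        "total": total,
        "weak": weak,
        "weak_pct": round(100 * weak / total, 1),
        "lm_exposed": lm_exposed,
        **counts,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_PASSWORDS).items():
        print(f"{key:>16}: {value}")
```

The `lm_exposed` count is the point slide 36 makes about policies not tailored to the environment: a complexity rule alone does not help if the domain still stores LM hashes, since the 14-character random password in the sample is counted as exposed and only the longer passphrase escapes.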