3. What’s shaped me most
► The threats I’ve faced
  ► Battling advanced threats at LM since 2003
► The friends I’ve made
  ► DoD, law enforcement, industry, telecom, energy, finance, etc.
5. Intrusion
► Passing a malicious payload (device or human) through a trusted security boundary
6. Persistence
► Success or failure, they will try again and again
► Persistence requires:
  ► Playbooks
  ► Infrastructure, including automation
  ► Organizational structure
  ► Supply chain
Persistence is the most significant factor in cyber security today
8. Left of Boom
► Washington Post series in Sept 2007 on counter IED
► Left of Boom: “the concept of disrupting the bomb chain long before detonation”
► Original article series: http://wapo.st/UycLiI
14. Seven gates to success
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command & Control
7. Actions on Objectives
► Exploitation: gives execution to malware via a software, hardware (or human) vulnerability
15. Seven gates to success
► Installation: create a point of persistence on the victim system
  ► Service, AutoRun, etc.
16. Seven gates to success
► Command & Control: two-way communications to controllers, typically HTTP
17. Seven gates to success
► Actions on Objectives: “hands on keyboard” access
► What happens next depends on who’s on the keyboard
18. Just one breaks the chain
19. It isn’t perfect
► First and foremost, it is an analytic framework
► A tool to help you understand intrusions and express risk
21. Al Qaeda laser printer bomb
► 29 October 2010: Authorities discover explosives inside laser printer cartridges on UPS & FedEx cargo planes bound from Yemen to Chicago
► See article: http://en.wikipedia.org/wiki/Cargo_planes_bomb_plot
22. Printer bomb step by step
► 29 Oct: Explosive device embedded in toner cartridge discovered on cargo plane
Citation: http://bit.ly/YHHitq
23. Printer bomb step by step
► How did this bomb go undetected? What enabled it to bypass security controls?
24. Printer bomb step by step
► Explosive chemical PETN is difficult to discover due to low vapor pressure
► Even upon direct examination, dogs did not initially discover the explosives
Citation: http://bit.ly/YHHitq
25. Printer bomb step by step
► Where was it sent from? To?
► When?
► Who paid for it?
26. Printer bomb step by step
► 27 Oct delivery via FedEx & UPS from Sana’a, Yemen
  ► In contrast to the suicide “underwear bomber” and “shoe bomber”
► 1 Nov arrival in Chicago, USA
► Identity of a 22-year-old woman used to send the package
► Addressed to notorious historical names
Citations: http://wapo.st/bp4LYl, http://nyti.ms/12Up39f
27. Printer bomb step by step
► How was it built?
► Identifying characteristics?
► Common components or unique/exclusive?
28. Printer bomb step by step
► Switch: Cell phone timer with light bulb filament
► Main charge: 400 grams of military grade PETN
► Container: Toner cartridges
► Power supply: Cell phone battery, 3 to 4 days
► Initiator: Syringe w/ lead azide
  ► Same component used in underwear bomber
► Suspected builder: Saudi member of Al Qaeda in Yemen
Citations: http://lat.ms/UF7y9Q, http://bit.ly/YHHitq
29. Printer bomb step by step
► How was it set to go off? Altitude? Timer? Remote trigger?
30. Printer bomb step by step
► Timer trigger on cell phone
► Lack of SIM chip precludes remote-dial trigger
Citation: http://lat.ms/UF7y9Q
31. Printer bomb step by step
► What was the objective?
32. Printer bomb step by step
► Timer trigger suggests the objective was to explode the cargo plane mid-air
Citation: http://lat.ms/UF7y9Q
33. Printer bomb step by step
► Was there a dry run? How many other packages were sent from Yemen to Chicago?
34. Printer bomb step by step
► September test packages sent from Yemen to Chicago
► Jewish congregation website visited 83 times on one day by Egyptian IP addresses
Citations: http://nyti.ms/UA9uzv, http://on.wsj.com/cTLSL2
37. Weaponized PDF, XLS, Doc...
[Diagram: components of a weaponized document: exploit, dropper, backdoor, decoy doc]
► The exploit is the “zero day”. This is hard to block.
► All of the other components (dropper, backdoor, decoy doc) may be repeats: block here.
► How to block a “zero day”
► The two-edged sword of adversary supply chain
39. Use every part of the buffalo
[Diagram: two kill chains (Recon, Weapon, Delivery, Exploit, Install, C2, Actions), each marked with the phase where detection occurred]
► Detect late: work all the way backwards (detect, then analyze every earlier phase)
► Detect early: work backwards and forwards (detect, analyze the earlier phases, synthesize the expected later phases)
► Find, Fix, Finish, Exploit, Analyze
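The slide above describes an analytic habit rather than a tool, so the following is an added example (not from the original slides or from Lockheed Martin) of what it looks like as data: a detection at one phase splits the chain into phases to reconstruct backwards and phases to synthesize forwards, and indicators recovered from one intrusion link it to others that share them, which is the campaign tracking the later slides call for. The phase names are the deck's; the intrusion records, indicator strings and the `analysis_plan`, `link_campaigns` and `campaign_indicators` function names are constructed for this example.

```python
# Added example, not from the original slides: kill-chain-aware intrusion
# records, the backwards/forwards analysis plan for a detection, and campaign
# linkage through shared indicators. All intrusion data below is constructed.
from collections import defaultdict

PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command & Control", "Actions on Objectives"]


def analysis_plan(detected_at):
    """Return (backwards, forwards) phase lists for a detection at `detected_at`.

    Detected late: nearly everything is backwards (reconstruct what already happened).
    Detected early: little to reconstruct, much to synthesize about what would come next.
    """
    i = PHASES.index(detected_at)
    return PHASES[:i], PHASES[i + 1:]


# Constructed sample intrusions: phase -> set of indicators observed or reconstructed.
INTRUSIONS = {
    "intrusion-1": {
        "Delivery": {"sender:billing@example.invalid"},
        "Weaponization": {"pdf-exploit-hash:aaaa1111"},
        "Installation": {"svc:UpdaterSvc"},
        "Command & Control": {"c2:cdn-update.example.invalid"},
    },
    "intrusion-2": {
        "Delivery": {"sender:hr@example.invalid"},
        "Weaponization": {"pdf-exploit-hash:bbbb2222"},
        "Installation": {"svc:UpdaterSvc"},           # same persistence name as intrusion-1
        "Command & Control": {"c2:static.example.invalid"},
    },
    "intrusion-3": {
        "Delivery": {"sender:news@example.invalid"},
        "Weaponization": {"pdf-exploit-hash:cccc3333"},
        "Installation": {"run:Winupd"},
        "Command & Control": {"c2:static.example.invalid"},  # same C2 host as intrusion-2
    },
    "intrusion-4": {
        "Delivery": {"sender:invoice@example.invalid"},
        "Installation": {"run:Other"},
    },
}


def link_campaigns(intrusions):
    """Group intrusions that share at least one indicator, transitively, into campaigns.

    Union-find over intrusion names; returns a sorted list of sorted member lists.
    A single repeated component (here a service name, then a C2 host) is enough
    to tie three separate deliveries into one campaign.
    """
    parent = {name: name for name in intrusions}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    first_seen = {}  # indicator -> first intrusion that carried it
    for name, phases in intrusions.items():
        for indicators in phases.values():
            for indicator in indicators:
                if indicator in first_seen:
                    parent[find(name)] = find(first_seen[indicator])
                else:
                    first_seen[indicator] = name

    groups = defaultdict(list)
    for name in intrusions:
        groups[find(name)].append(name)
    return sorted(sorted(members) for members in groups.values())


def campaign_indicators(intrusions, members):
    """Union of indicators per phase across a campaign: the watchlist for the next attempt.

    Phases with no indicator yet are omitted; those are the gaps to work backwards into.
    """
    merged = defaultdict(set)
    for name in members:
        for phase, indicators in intrusions[name].items():
            merged[phase] |= indicators
    return {phase: sorted(merged[phase]) for phase in PHASES if merged[phase]}


if __name__ == "__main__":
    print(analysis_plan("Command & Control"))
    for campaign in link_campaigns(INTRUSIONS):
        print(campaign, campaign_indicators(INTRUSIONS, campaign))
```

The point of the union-find over indicators is that the linkage is transitive: intrusion-1 and intrusion-3 share nothing directly, but both share something with intrusion-2, so all three land in one campaign and every indicator from any of them becomes a detection for the next attempt at whatever phase it sits in.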
40. Achieve resilience
Course of action matrix: one row per kill chain phase, one column per course of action

Phase                 | Detect        | Deny         | Disrupt   | Degrade            | Deceive
Reconnaissance        | Web analytics | Firewall ACL |           |                    |
Weaponization         | NIDS          | NIPS         |           |                    |
Delivery              | Vigilant user | Proxy filter | Inline AV | Email queuing      |
Exploitation          | HIDS          | Vendor patch | EMET, DEP |                    |
Installation          | HIDS          |              | AV        |                    |
Command & Control     | NIDS          | Firewall ACL | NIPS      | Tarpit             | DNS redirect
Actions on Objectives | Audit log     |              |           | Quality of Service | Honeypot
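As an added example (not from the original slides or from Lockheed Martin), the matrix on this slide held as data with the two checks a defender actually wants from it: which (phase, course of action) cells are empty, and at which phase a given intrusion attempt first meets a control, which is the "just one breaks the chain" slide made concrete. The control names are the slide's; the attempts, the indicator strings, the `SIGNATURES` mapping that says which control currently matches which indicator, and the function names `coverage_gaps`, `depth` and `first_hit` are constructed for this example and are not real signatures.

```python
# Added example, not from the original slides: the course-of-action matrix as
# data, coverage gaps, and a walk of the chain to find the first control that
# fires on an attempt. Attempts and signatures below are constructed.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command & Control", "Actions on Objectives"]
ACTIONS = ["Detect", "Deny", "Disrupt", "Degrade", "Deceive"]

# phase -> action -> control, transcribed from the "Achieve resilience" slide
MATRIX = {
    "Reconnaissance":        {"Detect": "Web analytics", "Deny": "Firewall ACL"},
    "Weaponization":         {"Detect": "NIDS", "Deny": "NIPS"},
    "Delivery":              {"Detect": "Vigilant user", "Deny": "Proxy filter",
                              "Disrupt": "Inline AV", "Degrade": "Email queuing"},
    "Exploitation":          {"Detect": "HIDS", "Deny": "Vendor patch", "Disrupt": "EMET, DEP"},
    "Installation":          {"Detect": "HIDS", "Disrupt": "AV"},
    "Command & Control":     {"Detect": "NIDS", "Deny": "Firewall ACL", "Disrupt": "NIPS",
                              "Degrade": "Tarpit", "Deceive": "DNS redirect"},
    "Actions on Objectives": {"Detect": "Audit log", "Degrade": "Quality of Service",
                              "Deceive": "Honeypot"},
}


def coverage_gaps(matrix):
    """Empty (phase, action) cells: candidates for the next layer of resilience."""
    return [(phase, action) for phase in PHASES for action in ACTIONS
            if action not in matrix.get(phase, {})]


def depth(matrix, phase):
    """Number of independent courses of action an adversary must get past at a phase."""
    return len(matrix.get(phase, {}))


# Constructed: which control currently carries a signature for which indicator.
# The vendor patch entry models a vulnerability that is already patched, so an
# attempt that relies on it fails at Exploitation.
SIGNATURES = {
    ("Delivery", "Proxy filter"): {"url:cdn-update.example.invalid/brochure.pdf"},
    ("Exploitation", "Vendor patch"): {"vuln:reader-bug-A"},
    ("Command & Control", "Firewall ACL"): {"c2:cdn-update.example.invalid"},
}


def first_hit(attempt, matrix, signatures):
    """Walk the chain in phase order for an attempt given as phase -> indicator it presents.

    Returns (phase, action, control) for the first control whose signature matches,
    or None if the attempt reaches Actions on Objectives without touching anything.
    """
    for phase in PHASES:
        indicator = attempt.get(phase)
        if indicator is None:
            continue
        for action, control in matrix[phase].items():
            if indicator in signatures.get((phase, control), set()):
                return phase, action, control
    return None


if __name__ == "__main__":
    print("gaps:", coverage_gaps(MATRIX))
    print("depth at C2:", depth(MATRIX, "Command & Control"))
    attempt = {"Delivery": "url:cdn-update.example.invalid/brochure.pdf",
               "Exploitation": "vuln:reader-bug-B",
               "Command & Control": "c2:cdn-update.example.invalid"}
    print("first hit:", first_hit(attempt, MATRIX, SIGNATURES))
```

Running the same attempt with a fresh delivery URL but the same C2 host shows why the matrix is read per phase: the proxy filter no longer fires, yet the firewall ACL built from the earlier intrusion's C2 indicator still breaks the chain three phases later. The gap list shows where that fallback does not exist, for instance Installation has no Deny control at all on this slide.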
41. How to really be proactive
► Tsunami Warning
  • Trusted info sharing
  • Regimented intel consumption
► Farmers Almanac
  • Campaign tracking
  • Trending, forecasting
► Actual Early Warning
  • Mission partners, especially law enforcement & intel community
42. Conclusion
► Intelligence is key to defeating persistent threats
► Approach:
  ► Understand the adversary’s techniques, processes, supply chain
  ► Layer resilience against every component
  ► Trend and forecast to anticipate the next move