1. Session ID:
Session Classification:
Gunter Ollmann
CTO, IOActive Inc.
STU-W23B
Intermediate
Building a BetterAPT Package

2. ► Gunter Ollmann
► CTO - IOActive
► University of Georgia Advisory board
► Formerly:
► Damballa CTO & VP Research
► IBM Chief Security Strategist
► ISS Director of X-Force & EMEA SAS
► NGS Professional Services Director
► Can be found/followed/located at:
► Email gunter.ollmann@ioactive.com
► Twitter - @gollmann
About Me

3. Advanced “Classic”
►Advanced
►Persistent
►Threat
APT
Targeted Threat
► Scary Stuff

4. WeaponizationTeeter-totter
Cost($$$)
Stealthiness(Prob.Detection)

5. ►
►
► Outsourcing of all complex bits
► Commercial tools for evasion
►
► Quality Assurance services
► Subscription services to check every malware against all current
enterprise network and host-based detection technologies
Cybercrime Evasion

6. ►
► Multiple campaigns, multiple vectors, multiple tools
► Constant information gathering
►
► Mapping networks, host configurations, incident response metrics
► Tie in to organized crime and cybercrime units
► Buy the info or access
► Mingle cyber with physical world

7. ► Bypassing automated defenses Sandboxing/Virtual
►
►
►
► Live Exchange connector & address book
► Age of browser cache
► Webex connectors, etc.
►
►
Stealth within an Onslaught

8. ► Who needs the front door?
► Other devices being carried in past perimeter (BYOD)
► Substitution of physical components
► Spotting chip & board changes?
► Incorporation of custom FPGA logic, etc.
►
►
Breaking the Supply Chain

9. ►
► Most commercial crimeware techniques are already sufficient
►
► Buffer overflow conditions
►
► 0-day, shmo-
► Not normally needed.
► Often increases probability of being detec

10. WeaponizationTeeter-totter
Cost($$$)
Stealthiness(Prob.Detection)

11. APT DeliveryFramework
Cost($)
Attack (Volume/Frequency)

12. Thank you!
gunter.ollmann@IOActive.com
Twitter:@gollmann