Apt sharing tisa protalk 2-2554

2. Name: Chaiyakorn Apiwathanokul ไชยกร อภิวัฒโนกุล Title: Chief Executive Officer Company: S-GENERATION Company Limited Asia Forensic Hub Company Limited Certificates: CISSP, CSSLP, IRCA:ISMS (ISO27001), SANS:GCFA • CSO ASEAN Award 2010 by Ministry of Information and Communications and Ministry of Public Security, Vietnam • Honoree in the Senior Information Security Professional category for the 2010 Asia-Pacific Information Security Leadership Achievements (ISLA) by (ISC)2 • Security Sub-commission under Thailand Electronic Transaction Commission (ET Act B.E. 2544) • Contribute to Thailand Cyber Crime Act B.E.2550 • Workgroup for CA service standard development • Committee of national standard adoption of ISO27001/ISO27002 • Committee of Thailand Information Security Association (TISA) • Committee of Cybersecurity workforce development, Division of Skill Development, Ministry of Labour chaiyakorna@hotmail.com • Advisor to Department of Special Investigation (DSI) 1997 1999 2000 2004 2006 2011

7. About APT APT = Advanced Persistent Threat ่ ่ จากกรณี ศึกษามากมายที่ปรากฏ อยูในหน้าข่าวไม่วาจะเป็ น Google , Night Dragon Attack , RSA และ SONY Play Station Network ที่ถูกบุกรุ กเข้าไปขโมยข้อมูลสาคัญออกมานั้น นักวิชาการทัว ่ โลกได้ลงความเห็นว่าเกิดจาก ปฏิบติการในลักษณะเดียวกันที่เรี ยกว่า Advanced Persistent Threat ั หรื อ APT ซึ่งมีความซับซ้อนและใช้วธีการที่ล้ าสมัยในการบุกรุ ก ยากที่จะตรวจจับได้โดยง่าย ิ จึงจาเป็ นที่ตองเรี ยนรู้ทาความเข้าใจลักษณะการเกิดขึ้นของปั ญหา เพื่อนาไปสู่ การพิจารณาสรรหา ้ เทคโนโลยีและกระบวนการ ที่เหมาะสม เข้ามาช่วยกันการบริ หารจัดการ © 2011 S-Generation Co., Ltd.

8. What is APT? • Advanced – All possible available techniques (or new) – Coordinated – Both well-know and UKNOWN (0-day) vulnerabilities – Multiple phases • Persistent – Here to stay – Not by accident (targeted) – Specific mission – Polymorphic (for signature-base evasion) – Dormant(able) • Threat – Organized and funded and motivated • Highly sophisticated – dedicated "crews" with various missions • Targeted – State-sponsored – Cyberwarfare • Steal Information © 2011 S-Generation Co., Ltd.

9. APT is used for … • Political objectives that include continuing to suppress its own population in the name of "stability.“ • Economic objectives that rely on stealing intellectual property from victims. Such IP can be cloned and sold, studied and underbid in competitive dealings, or fused with local research to produce new products and services more cheaply than the victims. • Technical objectives that further their ability to accomplish their mission. These include gaining access to source code for further exploit development, or learning how defenses work in order to better evade or disrupt them. Most worringly is the thought that intruders could make changes to improve their position and weaken the victim. • Military objectives that include identifying weaknesses that allow inferior military forces to defeat superior military forces. The Report on Chinese Government Sponsored Cyber Activities addresses issues like these. © 2011 S-Generation Co., Ltd.

10. Some Characteristic of APT • Named in 2008 by US Air Force • As security jargon when Google describe the attack on 2009 • Advanced – Coordinated – Multi-phases • High expertise/knowledge/skill in each phase unlikely to be in one single individual • Highly crafted for specific target organization or individual • Period of operation in weeks, months or years • Not easy to detect © 2011 S-Generation Co., Ltd.

11. Some Characteristic of APT • Phases of the operation • Target selection • Vulnerability identification • Domain contamination • Information ex-filtration • Intelligence analysis • Exploitation © 2011 S-Generation Co., Ltd.

13. Some facts about APT Because APT malware is so difficult to detect, simple malware signatures such as MD5 hashes, filenames, and traditional anti-virus methods usually yield a low rate of true positives. © 2011 S-Generation Co., Ltd.

15. Thing to Consider for Resolution • Educate users who has access to the infrastructure and critical information • Evaluate network security posture • Work with expert in case of incident or under suspicious • Automated situational awareness tool • Rapid deployment of countermeasures • Focus more on the detective measure • Focus more on what leaving out (ex-filtration) from your network • White-listing your environment © 2011 S-Generation Co., Ltd.

16. Case Studies • Night Dragon • Ghost Net (Electronic Spy Network Focused on Dalai Lama and Embassy Computers) • Aurora (China vs. Google) • NASDAQ • RSA • Stuxnet • Sony Play Station Network (PSN) © 2011 S-Generation Co., Ltd.

17. Night Dragon Attack “Night Dragon” attacks from China strike energy companies • Exxon Mobil, Royal Dutch Shell and BP were among the oil companies targeted • The intrusions targeted intellectual property and have been going on for as long as 2-4 years • The oil, gas and petrochemical companies targeted were hit with technical attacks on their public-facing Web sites. • It happens during 9am-5pm local Beijing time. © 2011 S-Generation Co., Ltd.

19. Operation Aurora • China vs. Google • politically motivated attacks against Gmail from China • Censorship • Government Eavesdropping/Privacy • Backdoor • zero-day flaw in Internet Explorer © 2011 S-Generation Co., Ltd.

21. STUXNET • Discovered late June 2010 • A computer worm that infects Windows computers • It primarily spreads via USB sticks, which allows it to get into computers and networks not normally connected to the Internet • Use both known and patched vulnerabilities, and four "zero-day exploits” • Target Siemens PLC • Reads and changes particular bits of data in the PLCs • It’s claimed to target Iranian powerplant © 2011 S-Generation Co., Ltd.

22. What happen with Sony PlayStation … @2011 S-GENERATION CO., LTD

23. RSA’s SecureID Security Breach! RSA has not yet divulged specifics about the APT attack of which it has found evidence and says it's now interacting with customers of its SecurID product on the situation. But security analysts are also quickly trying to size up the situation, advising their clientele who are RSA customers about a stance they might take. http://www.pcworld.com/businesscenter/article/222554/rsas_securid_security_breach_what_s hould_you_do.html#tk.mod_rel @2011 S-GENERATION CO., LTD

24. RSA’s SecureID Security Breach! Microsoft Excel is used to distribute malicious SWF file (“2011 Recruitment plan.xls”) via email to specific users at RSA. (Perhaps other specific targets as well, an approach known as “spear phishing.”) A malicious SWF file installs a customized variant of the Poison Ivy remote administration tool (RAT) on the compromised machine. (Using a customized variant makes signature-based malware detection of the RAT ineffective; see FireEye Malware analysis of a.exe.) Using the RAT, users’ credentials are harvested and used to access other machines within the RSA network. These other machines are searched, sensitive information was copied and transferred to external servers. @2011 S-GENERATION CO., LTD

25. RSA Breached • 2011 Recruitment plan.xls with malicious .swf file embeded • spear phishing • Customized variant Poison Ivy remote administration tool (RAT) • March 14, 2011 - Adobe issues security advisory and patch schedule, warning of a vulnerability (APSA11-01, CVE-2011- 0609, SecurityFocus BID 46860) • March 16, 2011 - Microsoft adds Exploit:SWF/CVE-2011-0609 detection for malicious SWF file. • March 17, 2011 - RSA warns SecurID customers after company is hacked, offers guidance. © 2011 S-Generation Co., Ltd.

26. Many Other Cases • Night Dragon • Ghost Net (Electronic Spy Network Focused on Dalai Lama and Embassy Computers) • Aurora (China vs. Google) • NASDAQ • RSA • Stuxnet • Sony Play Station Network (PSN) © 2011 S-Generation Co., Ltd.

27. About S-Generation “The Trusted Partner … to Conquer Advanced Digital Threats” • Cybersecurity Solutions Distribution in Thailand and ASEAN • Advanced Persistent Threats Solution • Mobile Security Solution • Application Security Solution • Information Security Consultancy • Incident Response, Recovery & Investigation • Industrial Control System Security (SCADA/DCS/BAS/Embedded) © 2011 S-Generation Co., Ltd.

30. About AFH Product • Planning session ( Plan of Action) • On-Site Support Professional • Document & File Discovery Service • Preservation of Evidence • Data Recovery & Analysis • Expert Reporting • Post – investigation Reports with Recommendations • Digital Media Sanitization © 2011 S-Generation Co., Ltd. CONFIDENTIAL TO AFH & PTTICT

Apt sharing tisa protalk 2-2554

You are reading a preview.

Check these out next

Apt sharing tisa protalk 2-2554

More Related Content

Slideshows for you (20)

Viewers also liked (20)

Similar to Apt sharing tisa protalk 2-2554 (20)

More from TISA (11)

Recently uploaded (20)