
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - CODE BLUE 2015

Cyber espionage attacks have been known about for around 10 years. Security vendors keep inventing new technology to defend against them. Many solutions look fancy; however, breaches keep happening. Organizations have spent a lot of budget improving their fences, but the effectiveness of these security products remains doubtful. In Taiwan, we have more than 10 years of history with cyber espionage attacks. Government, enterprises, and security vendors have been fighting hard against threat actors, but new victims still get compromised day by day.
In recent years, many Japanese government agencies, defense industry companies, and enterprises have been suffering cyber attacks from cyber espionage groups. We keep seeing breaches and incidents in the news. We believe many victims still have no good strategy to defend themselves and control the situation.
In this talk, cyber espionage attacks of the last decade are discussed from the Asia Pacific region's point of view. We discuss why security solutions didn't work, and how actors easily bypassed those fancy solutions and adopted countermeasures quickly at very low cost. Based on our experience of hundreds of incident response engagements and several years of consulting for victims, we propose a security model to prevent, detect, react to, and remediate cyber espionage threats.


1. Failures Of Security Industry In The Last Decade: Lessons Learned From Hundreds of Cyber Espionage Breaches. Sung-ting Tsai (TT), Chi-en Shen (Ashley). Oct 29, 2015
2. Agenda
   • Cyber Espionage Attacks In The Last Decade
     – APT Review
     – Operation Eclipse
     – Attacks Against The Whole World
   • Failures of Security Industry
     – Existing Solutions And How They Failed On APT Attacks
   • Dealing with Cyber Espionage Threats
     – You Will Be Pwned, Sooner Or Later
     – The Endless War
     – Defense In Depth
     – Case Study
   • Conclusion
     – Suggestions to Targeted Organizations
     – Suggestions to Security Vendors
3. Sung-ting Tsai (TT), CEO at Team T5 Inc.
   • Frequent Black Hat conference speaker
   • Vulnerability researcher and holder of several CVE IDs
   • 10+ years of security product development
   • 8+ years of cyber threat research
   • Organizer of HITCON (Hacks in Taiwan Security Conference)
   tt@teamt5.org
4. Chi-en Shen (Ashley), Senior Threat Analyst at Team T5 Inc.
   • Malicious document analysis, malware analysis, APT research
   • Tracking several cyber espionage groups for years
   • Core member and speaker of HITCON GIRLS
   • HITCON speaker
   ashley@teamt5.org
5. Team T5 Inc. Founded in January 2013, based in Taipei. Website: https://www.teamt5.org
   • Who We Are:
     – Cyber threat intelligence, research, and service provider.
     – World-leading research on Asia Pacific cyber espionage threats.
   • What We Do:
     – We monitor, analyze, and track cyber threats.
     – We help organizations gain an advantaged position against cyber threats.
   • What We Provide:
     – Threat research
     – Malware analysis service
     – Incident response / investigation
     – Consulting service
6. Malware Research • Team T5 tracks 150+ malware families.
7. Campaign Tracking • Team T5 tracks 60+ cyber espionage groups.
8. Cyber Espionage Attacks In The Last Decade
9. APT Review
   • "APT" has been a popular term in the security industry since around 2009.
   • Many solutions look fancy; however, breaches keep happening.
   • Organizations spent a lot of budget improving their fences, but the effectiveness of these security products remains doubtful.
10. Operation Eclipse
11. Operation Eclipse (also tracked as CloudyOmega; Emdivi malware)
12. Japan Pension Service Breach
   • At least 27 PCs were infected.
     – Anti-virus software was installed, but it didn't work.
   • Personal information of about 1.25 million pension service participants leaked in this attack.
   • Spear-phishing emails with a malware attachment were sent to staff.
     – The email body claims the attachment contains a medical receipt.
     – Lure subject: "Regarding the Review of the Employee's Pension Fund (Draft)"
13. Petroleum Association of Japan
   • More than 3 PCs were infected.
   • Data related to requests to the government regarding petroleum policy.
   • About 250 files were leaked.
   • Spear-phishing emails with a malware attachment were sent to staff.
     – The email body claims the attachment contains a medical receipt.
14. National Health Insurance Association
   • More than 4 PCs were infected.
   • About 1,500 files were leaked.
   • Spear-phishing emails with a malware attachment were sent to staff.
     – The email body claims the attachment contains a medical receipt.
15. Targeting Sectors
16. Operation Eclipse Incident Number: at least 47 victims confirmed by Team T5.
17. It doesn't take a long time
   • It can be just a few hours from infection to intrusion and data leakage.
   • Our observation shows that 80% of victims leak data within 5 hrs of being compromised.
   Reconnaissance -> Initial Intrusion -> Control -> Strengthen -> Data Exfiltration (5 hrs)
18. 10+ Years of APT Attack History in Taiwan
   • Most government agencies have either been compromised before or are still under the adversary's control.
     – e.g. the Active Directory server was compromised.
   • Related to ALL industries.
     – ISPs, military contractors, defense industry, political parties, think tanks, trade organizations, university professors, social networks, e-commerce, employment websites, online games.
   • Get along with them peacefully?
     – Clean all infections?
     – Reinstall all endpoints?
19. APT Incidents Timeline
20. Attacks Against The Whole World
   • Not only Taiwan and Japan: we have observed these actors attacking the whole world.
   • Especially Asia Pacific countries.
21. Taiwan Government
22. Taiwan Government
23. Korea Corporation
24. India Energy Sector
25. Philippine Government
26. Vietnam Government
27. Mongolia Victim
28. Myanmar Victim
29. Thailand Government
30. Russia Government
31. Cyber espionage attacks have been known about for 10 years... Do you have a good strategy to defend? Can you control the situation?
32. Failures of Security Industry
33. APT Solutions?
   • When people talk about APT solutions, they might be thinking of one of the following technologies:
     – Anti-virus
     – Sandbox
     – Next Generation Firewall / Intrusion Prevention System
     – SIEM (Security Information and Event Management)
     – Application Control
     – Exploit Mitigation
     – Incident Response Service
34. Anti-Virus? • Gdrive RAT with a 0/55 detection rate.
35. Anti-Virus? • APT actor testing malware with VirusTotal
36. Anti-Virus? • APT actor testing malware with VirusTotal (cont.)
37. Anti-Virus? • It is easy to evade AV detection at very low cost.
38. Sandbox?
   • Approaches to bypass a sandbox
   • Hardware and configuration
     – CPU ID, CPU quantity
     – Device information
     – VMware backdoor I/O port
     – Memory size
     – Screen resolution
     – VGA / network product
   • System environment
     – Services
     – System processes
     – Windows product serial number
     – Installed software list
     – Registry keys
   • Others
     – Hotfix count
     – System up time
     – Mouse movement
     – File count in the temp folder
     – Desktop file count
     – Antivirus
39. Anti-anti-sandbox?
   • Patch the VMware string
   • Patch the start-up time
   • Patch the processor count
   • Install more hotfixes
   • Change the memory size
   • ...
   systeminfo output of a sandbox VM (note the VMware, QEMU and Bochs strings, the single CPU, 1 GB of RAM, 3 hotfixes and under 2 minutes of uptime):
   Host Name: ABC
   OS Name: Microsoft Windows XP Professional
   OS Version: 5.1.2600 Service Pack 3 Build 2600
   System Manufacturer: VMware, Inc.
   OS Build Type: Uniprocessor Free
   Registered Owner: ABC
   Original Install Date: 2/19/2014, 11:29:39 PM
   System Boot Time: 8/18/2015, 3:13:02 PM
   System Up Time: 0 Days, 0 Hours, 1 Minutes, 55 Seconds
   System Type: x64-based PC
   Processor(s): 1 Processor(s) Installed.
   [01]: Intel64 Family 6 Model 2 Stepping 3 GenuineIntel ~2400 Mhz
   System Manufacturer: QEMU
   BIOS Version: Bochs Bochs, 1/1/2007
   Total Physical Memory: 1,024 MB
   Hotfix(s): 3 Hotfix(s) Installed.
   [01]: KB2534111
   [02]: KB958488
   [03]: KB976902
   Network Card(s): 1 NIC(s) Installed.
   [01]: Realtek RTL8139C+ Fast Ethernet NIC
   Connection Name: Local Area Connection
   DHCP Enabled: No
   IP address(es)
   [01]: 192.168.180.51
40. Sandbox? • Specially crafted fake website: malware is delivered only after entering a password.
41. Sandbox? • Encrypted attachment
42. Sandbox? • Tons of ways to detect whether it is running in a virtual environment.
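The checks on slide 38 are what the malware runs; a sandbox operator needs the same checks run from the other side to see what the VM still leaks before a sample does. The following is an added example, not code from the talk or from Team T5: it re-implements the static part of those checks as an audit and runs it against the systeminfo dump from slide 39. The thresholds (2 CPUs, 2 GB RAM, 10 minutes of uptime, 10 hotfixes), the NIC string list and the bare-metal control sample are assumptions chosen for illustration.

```python
"""Audit `systeminfo` output for the VM/sandbox artifacts malware checks for.
Added example, not Team T5's code: slide 38's environment checks implemented
defender-side and run against the systeminfo dump on slide 39. Thresholds
(2 CPUs, 2 GB RAM, 10 min uptime, 10 hotfixes) are assumed for illustration."""
import re

# Excerpt of the slide-39 dump (VMware/QEMU/Bochs strings, 1 CPU, 1 GB,
# 3 hotfixes, under 2 minutes of uptime).
SLIDE39_SYSTEMINFO = """\
System Manufacturer: VMware, Inc.
OS Build Type: Uniprocessor Free
System Up Time: 0 Days, 0 Hours, 1 Minutes, 55 Seconds
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 2 Stepping 3 GenuineIntel ~2400 Mhz
System Manufacturer: QEMU
BIOS Version: Bochs Bochs, 1/1/2007
Total Physical Memory: 1,024 MB
Hotfix(s): 3 Hotfix(s) Installed.
[01]: KB2534111
[02]: KB958488
[03]: KB976902
Network Card(s): 1 NIC(s) Installed.
[01]: Realtek RTL8139C+ Fast Ethernet NIC
"""
# Constructed control sample (not from the talk): a plausible physical workstation.
BARE_METAL_SYSTEMINFO = """\
System Manufacturer: Dell Inc.
BIOS Version: Dell Inc. A12, 3/4/2015
System Up Time: 12 Days, 4 Hours, 7 Minutes, 1 Seconds
Processor(s): 4 Processor(s) Installed.
Total Physical Memory: 16,384 MB
Hotfix(s): 143 Hotfix(s) Installed.
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) Ethernet Connection I217-LM
"""
# Assumed lists; extend for the hypervisors actually in use.
VM_VENDOR_STRINGS = ("vmware", "qemu", "bochs", "virtualbox", "innotek",
                     "xen", "kvm", "hyper-v", "parallels")
VM_NIC_STRINGS = ("rtl8139", "vmxnet", "virtio", "pcnet")


def parse_systeminfo(text):
    """'Key: value' -> {key: [values]}; '[NN]: x' lines extend the previous key."""
    fields, last_key = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        cont = re.match(r"^\[\d+\]:\s*(.*)$", line)
        if cont and last_key is not None:
            fields[last_key].append(cont.group(1))
            continue
        key, sep, value = line.partition(":")
        key = key.strip()
        fields.setdefault(key, [])
        if sep and value.strip():
            fields[key].append(value.strip())
        last_key = key
    return fields


def _leading_int(values):
    """First integer at the start of any value ('1,024 MB' -> 1024)."""
    for v in values:
        m = re.match(r"\s*([\d,]+)", v)
        if m:
            return int(m.group(1).replace(",", ""))
    return None


def uptime_seconds(value):
    m = re.match(r"(\d+) Days, (\d+) Hours, (\d+) Minutes, (\d+) Seconds", value)
    if not m:
        return None
    d, h, mi, s = map(int, m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s


def score_sandbox_indicators(text, min_cpus=2, min_memory_mb=2048,
                             min_uptime_s=600, min_hotfixes=10):
    """Return (check, detail) for every slide-38 style indicator that fires."""
    f = parse_systeminfo(text)
    hits = []
    # Hypervisor vendor strings in manufacturer / model / BIOS fields.
    for key in ("System Manufacturer", "System Model", "BIOS Version"):
        for value in f.get(key, []):
            if any(s in value.lower() for s in VM_VENDOR_STRINGS):
                hits.append(("vm-vendor-string", f"{key}: {value}"))
    # Emulated NIC models that real hardware rarely ships with.
    for value in f.get("Network Card(s)", []):
        if any(s in value.lower() for s in VM_NIC_STRINGS):
            hits.append(("vm-nic", value))
    # Hardware too small for a workstation, a snapshot booted moments ago,
    # and too few patches for a machine that has been in service.
    cpus = _leading_int(f.get("Processor(s)", []))
    if cpus is not None and cpus < min_cpus:
        hits.append(("cpu-count", f"{cpus} < {min_cpus}"))
    mem = _leading_int(f.get("Total Physical Memory", []))
    if mem is not None and mem < min_memory_mb:
        hits.append(("memory-mb", f"{mem} < {min_memory_mb}"))
    up = uptime_seconds(" ".join(f.get("System Up Time", [])))
    if up is not None and up < min_uptime_s:
        hits.append(("uptime-s", f"{up} < {min_uptime_s}"))
    hf = _leading_int(f.get("Hotfix(s)", []))
    if hf is not None and hf < min_hotfixes:
        hits.append(("hotfix-count", f"{hf} < {min_hotfixes}"))
    return hits


if __name__ == "__main__":
    for name, dump in (("slide 39", SLIDE39_SYSTEMINFO), ("bare metal", BARE_METAL_SYSTEMINFO)):
        print(name, score_sandbox_indicators(dump))
```

Run against the slide 39 dump it reports eight indicators (three vendor strings, the RTL8139 NIC, CPU count, memory, uptime and hotfix count) and none for the control sample; each one maps to an item on the anti-anti-sandbox list: rewrite the SMBIOS vendor strings at the hypervisor layer, add CPUs and memory, let the snapshot age before detonation, and install hotfixes. Mouse movement, temp-folder file counts and the VMware backdoor I/O port from slide 38 are runtime checks that a static dump cannot audit.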
43. NGFW / IPS? • Normal-looking, but encrypted, traffic?
44. NGFW / IPS? • Public cloud service as C2?
45. NGFW / IPS? • Frequently changing C&C servers
46. NGFW / IPS? • Compromised website as C2: safe or dangerous? Allow or deny?
47. NGFW / IPS? • Most APT malware traffic is either encoded or encrypted, and C2 IPs change rapidly. (source: www.passivetotal.org)
48. SIEM? • Even with the most powerful SIEM, no detection means no visibility. • Logs are useless without effective rules.
49. Application Control?
   • Low adoption rate, refused by IT teams.
   • Trade-off between convenience and security?
   • Can still be bypassed (e.g. DLL sideloading).
   • Non-PE backdoors, e.g. script trojans.
50. Exploit Mitigation?
   • Great solution for defense.
   • However, the adoption rate is quite low, even for the free EMET.
   • Stability and compatibility concerns.
   • Decreasing number of exploit attacks.
51. Incident Response Service?
   • A one-time service can hardly solve a "persistent" problem.
   • It is not easy to clean up all infections completely.
   • The attack comes right back after the IR service ends.
   • The service cost is usually not affordable for victims.
   • Root causes are not easy to find.
   • You can probably find all the malware, but where is the vulnerability?
   • How do you prevent the next attack?
52. No Solutions to Social Engineering... • Spear-phishing emails with an insurance fee theme in Operation Eclipse.
53. No Solutions to Social Engineering... • The email might be sent from your co-workers' accounts.
54. Failures of Security Industry
   • Security vendors don't understand cyber espionage threats.
   • Cyber espionage is not easy to observe without experience.
   • It is hard to understand without standing on the front line (IR).
   • How do you defend without knowing what is coming?
55. Failures of Security Industry
   • Actors are quicker than security vendors.
   • Actors change rapidly in response to vendors' latest techniques and solutions.
   • Actors rebuild malware and register C2 domains specifically for their target.
56. Failures of Security Industry
   • Actors are quicker than security vendors.
   • Vendors keep collecting OLD samples / C2s after the attack, and make signatures to detect OLD samples / C2s.
   • Malware updates are always faster than security products.
57. Failures of Security Industry
   • Ignorance of vulnerabilities.
   • Vulnerabilities play a very important role.
   • Solutions to 0-days?
   • Too much vulnerability information.
   • e.g. CloudyOmega deployed the Flash 0-day (CVE-2015-5119) right after the Hacking Team leak; 10+ organizations were compromised within a week.
58. Is a CE attack complicated? • A CE attack is this simple: Actor -> spear-phishing emails -> attachment file, or a malicious link (http://im.malicious.link)
59. CE is not just a technical thing
   • You are not facing a piece of malware or an attack technique.
   • However, most security vendors only care about blocking an attack from a technical perspective.
   • CE is your adversary, and they are human.
   • They adapt and change rapidly.
   • Security vendors only react to attack techniques.
   • Security vendors only provide software and machines.
   • You need to learn their Tactics, Techniques, and Procedures (TTPs).
60. Dealing with Cyber Espionage Threats
61. You Need to Know...
   • You will be pwned, sooner or later.
   • If one single attack out of a million succeeds, you are compromised.
   • So, just get ready for it. Be prepared.
   • It is not all about defense; it also matters how fast you can mitigate the incident.
62. You Need to Know...
   • Cyber espionage is an endless war.
   • Your adversary won't stop.
   • Be prepared for the war.
   • "Know yourself and know your enemy, and you will never be defeated." - Sunzi's Art of War
63. You Need to Know...
   • Invest in people, not only software or hardware.
   • Your enemies are human: well-trained hackers. You cannot rely on computer programs only.
   • You need a good security strategy to defend, and only people can make strategy.
   • Build your CSIRT: have a dedicated security team.
   • Don't forget human weakness and social engineering.
64. Defense In Depth
   • Security Guard (SOC/MSS team): 24x7 monitoring, stop the bad guys
   • SWAT / Emergency Response (CSIRT team): dispatch to the war zone, clean up and repair
   • Fitness Doctor (CISO/manager): plan and exercise the defense strategy
   • Private Detective (threat analyst): investigate and track known adversary TTPs
   Stages: Research, Prevent, Detect, Respond
65. Case Study: A Taiwan Think Tank
   • 500 researchers and assistants
   • Doing policy research for 10+ government departments
   • Targeted by 5+ different cyber espionage groups
   • Active Directory server under 2 groups' control
   • Antivirus update server: a 0-day was used to install malware
   Timeline: 2014-10 Team T5 incident response; 2014-11 T5 suggested a defense solution; 2014-12 T5 daily monitoring began; 2015-02 onward, no more CE incidents.
66. Detect Stage (same role diagram as slide 64)
67. Detect Stage
   • Gateway
     – Web browsing => proxy with reputation blacklisting
     – Email (attachments and links) => spam filter + AV + sandbox
   • Endpoint
     – Staff workstations: memory forensics, APT scanner
   • Server area
     – White-list-only firewall rules
     – Active Directory firewall
68. Respond Stage (same role diagram as slide 64)
69. Mitigation cycle
   • When bad things happen, we act as fast as possible to:
     – Collect samples
     – Analyze samples
     – Generate indicators (e.g. YARA rules)
     – Detect with the indicators
     – Feed the results back into analysis (important)
   • CE mitigation is a long-term task.
70. Respond Stage
   • Remote forensics agent or on-site forensics
   • Mitigation cycle: collect samples -> analyze samples -> generate indicators / YARA -> detect with indicators
71. Research Stage (same role diagram as slide 64)
72. Research Stage
   • More surveillance cameras, more screen playbacks.
   • Collect data for retro-hunting research:
     – Syslog server
     – Web log server
     – Passive DNS replication
     – NetFlow recording
     – Full packet recording
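The mitigation cycle on slide 69 and the retro-hunting data of slide 72 are two halves of one loop: the indicators from the first sample are run over stored telemetry, and what the stored telemetry reveals becomes the next round of indicators. As an added example (not Team T5's tooling), the following runs that loop over passive DNS, proxy logs and NetFlow. Every domain, address and log line is constructed for the demo, using reserved .example names and RFC 5737 TEST-NET addresses; the record formats are simplified assumptions.

```python
"""Indicator-driven mitigation cycle with retro-hunting over stored telemetry.
Added example, not Team T5's tooling: the collect -> analyze -> generate
indicators -> detect -> feedback loop of slide 69, run over the data sources
slide 72 says to keep (web/proxy logs, passive DNS, NetFlow). Every sample,
domain, IP and log line below is constructed; the addresses are RFC 5737
TEST-NET ranges and the names use the reserved .example TLD."""
from collections import defaultdict, namedtuple
from urllib.parse import urlsplit

PassiveDns = namedtuple("PassiveDns", "domain ip first_seen last_seen")
Flow = namedtuple("Flow", "ts src dst dport bytes_out")

# Steps 1-2 (collect, analyze): the only thing the first recovered sample gave us.
SAMPLE_ANALYSIS = {"c2_domains": {"update.cloud-sync.example"}, "c2_ips": set()}

# Slide 72's "surveillance cameras": historical records kept for retro-hunting.
PASSIVE_DNS = [
    PassiveDns("update.cloud-sync.example", "203.0.113.10", "2015-08-01", "2015-08-20"),
    PassiveDns("update.cloud-sync.example", "198.51.100.7", "2015-08-21", "2015-09-05"),
    PassiveDns("news.daily-press.example", "198.51.100.7", "2015-07-10", "2015-09-05"),
    PassiveDns("www.legit-cdn.example", "192.0.2.44", "2014-01-01", "2015-09-05"),
]
PROXY_LOG = [  # ts src method url status
    "2015-08-19T10:02:11 10.0.5.21 GET http://update.cloud-sync.example/sync.php 200",
    "2015-08-19T10:03:40 10.0.5.21 GET http://www.legit-cdn.example/jquery.js 200",
    "2015-09-01T08:15:02 10.0.7.8 POST http://news.daily-press.example/api/upload 200",
    "2015-09-01T08:20:55 10.0.9.3 GET http://www.legit-cdn.example/logo.png 304",
]
NETFLOW = [
    Flow("2015-08-22T02:10:00", "10.0.7.8", "198.51.100.7", 443, 8_400_000),
    Flow("2015-08-22T02:12:00", "10.0.9.3", "192.0.2.44", 443, 12_000),
]


def generate_indicators(analysis):
    """Step 3: indicators start as exactly what analysis of the sample yielded."""
    return {"domains": set(analysis["c2_domains"]), "ips": set(analysis["c2_ips"])}


def pivot_passive_dns(indicators, pdns, max_shared_hosting=5):
    """Step 5 (feedback): a known C2 domain yields every IP it ever resolved to,
    and a known C2 IP yields every other domain parked on it. IPs hosting more
    than max_shared_hosting domains are skipped: pivoting through shared hosting
    or a CDN would flag legitimate sites (the slide-46 'allow or deny?' trap)."""
    hosted = defaultdict(set)
    for r in pdns:
        hosted[r.ip].add(r.domain)
    ips = {r.ip for r in pdns if r.domain in indicators["domains"]}
    domains = set()
    for ip in indicators["ips"] | ips:
        if len(hosted[ip]) <= max_shared_hosting:
            domains |= hosted[ip]
    return {"domains": domains - indicators["domains"], "ips": ips - indicators["ips"]}


def detect_proxy(indicators, log_lines):
    """Step 4 over web-proxy logs: (ts, client, host) for every hit on a C2 domain."""
    hits = []
    for line in log_lines:
        ts, src, _method, url, _status = line.split()
        host = urlsplit(url).hostname
        if host in indicators["domains"]:
            hits.append((ts, src, host))
    return hits


def detect_netflow(indicators, flows):
    """Step 4 over NetFlow: catches C2 over TLS that no URL-based rule sees."""
    return [(f.ts, f.src, f.dst, f.bytes_out) for f in flows if f.dst in indicators["ips"]]


def mitigation_cycle(analysis, pdns, proxy_log, flows, max_shared_hosting=5):
    """Run the loop until feedback adds nothing new, then detect with the full set."""
    indicators, rounds = generate_indicators(analysis), 0
    while True:
        rounds += 1
        new = pivot_passive_dns(indicators, pdns, max_shared_hosting)
        if not (new["domains"] or new["ips"]):
            break
        indicators["domains"] |= new["domains"]
        indicators["ips"] |= new["ips"]
    return {"indicators": indicators, "rounds": rounds,
            "proxy_hits": detect_proxy(indicators, proxy_log),
            "flow_hits": detect_netflow(indicators, flows)}


if __name__ == "__main__":
    result = mitigation_cycle(SAMPLE_ANALYSIS, PASSIVE_DNS, PROXY_LOG, NETFLOW)
    print(f"{result['rounds']} feedback round(s); indicators: {result['indicators']}")
    print("proxy hits:", result["proxy_hits"])
    print("flow hits: ", result["flow_hits"])
```

The feedback step is what makes the difference. The first sample only named update.cloud-sync.example, which matches one client in the proxy log; the passive DNS pivot ties that domain to 198.51.100.7 and from there to news.daily-press.example, which exposes a second victim (10.0.7.8) that never contacted the original domain, and the NetFlow record shows its 8.4 MB upload ten days before any proxy-log rule would have matched. The max_shared_hosting guard is the slide 46 caveat in code: an address shared by hundreds of sites is not an indicator on its own.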
73. Prevent Stage (same role diagram as slide 64)
74. Prevent Stage
   • Consulting on the IT security budget
   • Consulting on defense deployment strategy
   • Consulting on choosing proper APT solutions, by running PoC tests
   • Building a CSIRT team
   • Building risk assessment criteria
   • Building a threat intelligence program
75. Conclusion
76. Conclusion
   • Security vendors' technologies are advanced and elegant.
   • However, actors usually bypass them quickly at very low cost.
   • Because vendors don't understand the actors well.
   • Malware updates are always faster than security products.
   • New protection features always get bypassed within a few weeks.
77. Conclusion
   • To cyber espionage targets:
     – Face the threat. Prepare for a long-term battle once it has happened.
     – Do as much as you can to secure your e-mail.
     – Cyber espionage incidents are hard to deal with. Make a long-term recovery plan.
     – Build a CSIRT to fight the cyber war.
   • To security vendors:
     – You need to follow cyber espionage actors.
     – Not only their TTPs, but also campaign tracking.
     – Please provide long-term service to cyber espionage victims.
78. Q&A tt@teamt5.org ashley@teamt5.org