2. Agenda
• A few interesting real APT attacks
• What’s an APT, what are the goals?
• Attack Phases
• Actors and attribution
• Why there’s no end to it (yet!)
• Further resources
• Demo using Metasploit + Armitage
3. The cuckoo’s egg
• 1st known incident of cyber espionage
• First observed intrusion in 1986 at Berkeley Lab
• Espionage of confidential military documents
• Culminated with arrests in Germany in 1990
• Alleged involvement of KGB
4. Stuxnet
• 1st known cyber weapon
• Uncovered in 2010
• Destroyed nuclear centrifuges in Natanz, Iran
• Alleged involvement of APT group(s) in Israel and the US
• Abused 4 zero-days in a single attack!
5. Gh0stNet
• Widespread political espionage
• Discovered in 2009
• Compromised systems in 100+ countries
• Close to 30% of compromised systems belonged to diplomatic, political, economic, and military targets
• Alleged involvement of APT group(s) in China
6. Operation Aurora
• Aimed at multiple big corporations including Google, Adobe, etc.
• Primary goal was to gain access to and modify source code repositories at these companies
• Widespread industrial espionage
• Alleged involvement of APT group(s) in China
• Abused an IE zero-day
7. A few recent APTs
• DNC email leak (2016)
• Bangladesh Bank cyber heist (2016)
• Olympic Destroyer (2018)
• Ukraine power outage (2015)
• Saudi Oil and Gas plant disruption (2017)
8. What’s an APT
• Targeted attack (not every targeted attack is an APT)
• Advanced
  • Tools customized for the target/campaign
  • Deception and trickery
• Persistent
  • Low and slow
  • Hard to eradicate
• Well funded and staffed
• Zero-days, spearphishing, rootkits, etc.
• Mostly involve nation-state level groups
9. Goals
• Industrial and military Espionage
• Destruction
• Demonstration of power
• Financial motives
• Hacktivism
11. APT actors and attribution
• There are real humans behind APTs
• Multiple groups can be attributed to a single country
• Attribution is a hard problem
• Pyramid of pain
12. Why there’s no end to it (yet!)
• Democracy of the internet
• Lack of deterrence
• It’s an Arms Race!
13. Further resources
• Past APT reports: https://github.com/kbandla/APTnotes (new location: https://github.com/aptnotes/data)
• ATT&CK framework (threats, actors, etc.): https://attack.mitre.org/
• Lockheed Martin Cyber Kill Chain
• The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage
• Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon
• Pyramid of pain (in Attribution)