Introduction to the advanced persistent threat and hacktivism


Safe Never Sleeps: a peek into the IT underworld. Security briefing from McAfee and Global Micro, Microsoft Hosting Partner of the Year 2010 and 2011. Presentation by Christo van Staden, www.globalmicro.co.za. Follow me on Twitter: @jjrmilner

  • Six-step APT attack chain and the control mapped to each step:
    Step 1, Reconnaissance: Network DLP (prevent sensitive data from leaving)
    Step 2, Network Intrusion: Firewall (blocks APT connection via IP reputation); Web Gateway (detects/blocks obfuscated malware); Email Gateway (blocks spear-phishing emails and links to malicious sites); Network Threat Response (detects obfuscated malware); Network Security Platform (stops malicious exploit delivery)
    Step 3, Establish Backdoor: Firewall (detects/blocks APT back-channel communication); Network Threat Response (detects APT destination IPs); Application Whitelisting (prevents backdoor installation)
    Step 4, Install Command and Control Utilities: Web Gateway (detects/blocks access to malicious applications); Application Whitelisting (prevents unauthorized changes to systems)
    Step 5, Data Exfiltration: Unified DLP (prevents data from leaving the network)
    Step 6, Maintaining Persistence: Network User Behavioral Analysis (identifies unexpected user behavior during APT reconnaissance and data collection phases)
  • McAfee® Labs™ researchers recently gained access to the history log files of an attacking command and control (C&C) server and uncovered details of five years of attacks propagated by the Shady RAT advanced persistent threat (APT). Spear phishing works.
  • Coveted data: closely guarded national secrets; source code; bug databases; email archives; negotiation plans; exploration details for new oil/gas field auctions; document stores; legal contracts; supervisory control and data acquisition (SCADA) configurations; design schematics
  • Attackers have a variety of motivations. Stolen data now reaches into petabytes (a petabyte is 1 quadrillion bytes, or 1,000 terabytes) of content, as far as we know. We don’t know where all of that information has gone, who has accessed it, or what they have done with it. Every geography is affected. Every type of business (public, private, government) is affected. Every size of business (government agencies to nonprofits) is affected. Attacks are long-lived and persistent: the longest attack duration was 28 months (the average across the 70+ companies identified was 8.75 months).
  • Starting in 2009, coordinated attacks against global oil, energy, and petrochemical companies began. The Night Dragon attacks work by methodical and progressive intrusions into the targeted infrastructure.
  • The Stuxnet Trojan was discovered in mid-June 2010 by an antimalware company in Belarus called VirusBlokAda. It was signed with a real-looking but faked signature attributed to Realtek Semiconductor, one of the biggest producers of computer equipment. The certificate was valid through June 10 and Stuxnet's drivers were signed in late January; it was about a week after the certificate expired that the anti-malware community first saw Stuxnet in the wild. The malware searched the compromised system in an attempt to access the Siemens Windows SIMATIC WinCC SCADA system's database. It used a hard-coded password in the Siemens WinCC system to access operational data of the control systems stored in the WinCC software's SQL database.
  • Block unwanted infiltration: Email Security, Web Security and comprehensive Endpoint Protection help detect and stop inadvertent downloads of malicious programs; Firewall and Intrusion Prevention Systems (IPS) block the downloads of malware and deny unauthorized access by command and control servers
    Block unauthorized changes: Application Whitelisting and Database Activity Monitoring stop unauthorized access and changes
    Avoid sensitive data being harvested and exfiltrated: Data Encryption and Data Loss Prevention protects sensitive
    Know what’s going on inside your network: network behavior analysis can identify compromised systems based on traffic behavior anomalies
    Achieve a global perspective: knowing just your own network isn’t sufficient; you need a global understanding of all threats worldwide to protect yourself

    1. SAFE NEVER SLEEPS: a peek into the underworld… Hosted by: Jathniel Meyer & Christo van Staden, McAfee South Africa. Date: 17-19 October 2011
    2. Introduction to the Advanced Persistent Threat & Hacktivism
    3. Agenda: 1 Advanced Persistent Threats (APTs); 2 Countermeasures; 3 Questions and Answers
    4. Advanced Persistent Threat: how was it done? APT in action
    5. Advanced Persistent Threats
    6. Advanced Persistent Threats. What is an Advanced Persistent Threat? 1. An attack by a sophisticated adversary with deep resources and advanced penetration skills engaged in electronic espionage to support long-term strategic goals. 2. An over-abused marketing term used by point-product security vendors to refer to “bad things from the Internet”. APTs have specific targets.
    7. Advanced Persistent Threats
    8. Malware Used in APTs. Simple blacklisting, signature-based solutions with MD5 hashes yield a low rate of true positives. Average file size: 121.85 KB. Most common APT file names: Svchost.exe, explore.exe, lprinp.dll, wiinzf21.dll. Anomaly detection avoidance: outbound HTTP connections; process injection and service persistence. Communication: 100 percent of backdoors connect outbound-only; 83 percent use TCP port 80 or 443; 17 percent are mixed.
    9. Operation Shady RAT
    10. Operation Shady RAT: Shady RAT advanced persistent threat (APT). Active command and control (C&C) server accessed by McAfee® Labs™. Evidence of five years of attacks. Most common attack vector: spear phishing.
    11. Operation Shady RAT: Coveted Data
    12. Operation Shady RAT: Motivation: money, politics
    13. Operation Night Dragon
    14. Night Dragon: targeted attacks & advanced persistent threats
    15. Night Dragon: Methodical and Progressive (diagram with Web, Email, Internet and C&C nodes). 1. Attacker sends a spear-phishing email containing a link to a compromised web server. 2. User opens infected email and the compromised website is accessed; a RAT is downloaded. 3. User account information and host configuration information is sent to a C&C server. 4. Attacker uses RAT malware to conduct additional reconnaissance and systems compromises and to harvest confidential data.
    16. Operation Stuxnet
    17. Stuxnet used 20 zero-day vulnerabilities: CVE-2010-2772, SCADA WinCC/PCS 7 vulnerability; CVE-2010-2568, MS10-046, LNK; CVE-2010-2729, MS10-061, Print Spooler; CVE-2010-2743, MS10-073, privilege escalation via keyboard layout file; CVE-2010-3338, MS10-092, privilege escalation via Task Scheduler; Win32k.sys (awaiting CVE)
    18. Stuxnet. The Stuxnet Trojan was discovered in mid-June 2010 by an antimalware company in Belarus called VirusBlokAda. It was signed with a real-looking but faked signature attributed to Realtek Semiconductor, one of the biggest producers of computer equipment. The certificate was valid through June 10 and Stuxnet's drivers were signed in late January; it was about a week after the certificate expired that the anti-malware community first saw Stuxnet in the wild. The malware searched the compromised system in an attempt to access the Siemens Windows SIMATIC WinCC SCADA system's database. It used a hard-coded password in the Siemens WinCC system to access operational data of the control systems stored in the WinCC software's SQL database.
    19. Hacktivism
    20. Hacktivism: Anonymous Group stands up for WikiLeaks
    21. Stuxnet: Anonymous publishes BofA emails
    22. Countermeasures
    23. McAfee: Complete End-to-End Protection Against All Phases of APT Attacks. Steps to protection: Step 1, Reconnaissance: Network DLP (prevent sensitive data from leaving). Step 2, Network Intrusion: Firewall (blocks APT connection via IP reputation); Web Gateway (detects/blocks obfuscated malware); Email Gateway (blocks spear-phishing emails, links to malicious sites); Network Threat Response (detects obfuscated malware); Network Security Platform (stops malicious exploit delivery). Step 3, Establish Backdoor: Firewall (detects/blocks APT back-channel communication); Network Threat Response (detects APT destination IPs); Application Whitelisting (prevent backdoor installation).
    24. McAfee: Complete End-to-End Protection Against All Phases of APT Attacks (continued). Step 4, Install Command and Control Utilities: Web Gateway (detects/blocks access to malicious applications); Application Whitelisting (prevent unauthorized changes to systems). Step 5, Data Exfiltration: Unified DLP (prevent data from leaving the network). Step 6, Maintaining Persistence: Network User Behavioral Analysis (identifies unexpected user behavior during APT reconnaissance and data collection phases).
    25. McAfee SaaS Architecture Vision: Collaboration Proxies; Agent-based Collectors; Threat Feeds; Vulnerability Probes; Real-time Threat Analyzers; Data Protection Vaults; Authentication and Trust Brokers; Intelligent Dashboards
    26. McAfee SaaS Architecture Vision: an intelligent security fabric that wraps around the enterprise
    27. Find out more: visit Global Micro Solutions at http://www.globalmicro.co.za
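Slide 8 above lists two traits of APT malware that a defender can hunt for: file names that imitate Windows binaries, and backdoors that only ever connect outbound, mostly on TCP 80 or 443. The following added example (not part of the presentation and not McAfee product code) scans constructed endpoint connection log lines for both traits; the log format, the System32 location assumed for the real svchost.exe, and the pairing of explore.exe with explorer.exe are assumptions.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample log, one connection per line: "<time> <process> <image path> <ip:port>"
SAMPLE_LOG = """\
2011-10-17T09:00:00 svchost.exe C:\\Windows\\System32\\svchost.exe 10.0.0.5:445
2011-10-17T09:00:05 explore.exe C:\\Users\\jdoe\\AppData\\Roaming\\explore.exe 203.0.113.7:443
2011-10-17T09:05:05 explore.exe C:\\Users\\jdoe\\AppData\\Roaming\\explore.exe 203.0.113.7:443
2011-10-17T09:10:05 explore.exe C:\\Users\\jdoe\\AppData\\Roaming\\explore.exe 203.0.113.7:443
2011-10-17T09:02:00 svchost.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost.exe 198.51.100.9:80
"""
EXPECTED_DIR = {"svchost.exe": "c:\\windows\\system32\\"}  # where the real binary lives (assumption)
LOOKALIKE = {"explore.exe": "explorer.exe"}  # name from slide 8; the imitated name is an assumption

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, proc, rest = line.split(" ", 2)
        path, dst = rest.rsplit(" ", 1)  # the image path may itself contain spaces
        ip, port = dst.rsplit(":", 1)
        events.append({"ts": datetime.fromisoformat(ts), "proc": proc,
                       "path": path, "ip": ip, "port": int(port)})
    return events

def masquerade_findings(events):
    """Sorted (path, reason) pairs: a Windows binary name outside its home directory, or a lookalike name."""
    found = set()
    for e in events:
        name, folder = e["proc"].lower(), e["path"].lower().rpartition("\\")[0] + "\\"
        if name in EXPECTED_DIR and not folder.startswith(EXPECTED_DIR[name]):
            found.add((e["path"], "not under " + EXPECTED_DIR[name]))
        if name in LOOKALIKE:
            found.add((e["path"], "name imitates " + LOOKALIKE[name]))
    return sorted(found)

def beacon_findings(events, min_hits=3, jitter=0.1):
    """Outbound 80/443 connections per (process, path, destination) recurring at a near-constant interval."""
    groups = defaultdict(list)
    for e in events:
        if e["port"] in (80, 443):
            groups[(e["proc"], e["path"], e["ip"])].append(e["ts"])
    found = []
    for key, times in groups.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(gaps) - min(gaps) <= jitter * mean:  # evenly spaced: likely a beacon
            found.append((key, mean))
    return found
```

On the sample, the svchost.exe under Temp and the explore.exe lookalike are flagged as masquerading, and explore.exe is also reported as a 300-second beacon to 203.0.113.7:443, while the System32 svchost.exe on port 445 is left alone.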
