ADVANCED
PERSISTENT THREAT
Group B
Sagar Patil
Raghav Tripathi
Mayur Nanotkar
AGENDA
• Introduction
• What is APT?
• How does it work?
• Illustration
• Exploitation Cycle
• Case Studies
• Security Solutions For APT
2
WHAT IS APT?
• “An advanced and normally clandestine means to gain continual,
persistent intelligence on an individual, or group of individuals”
[Wikipedia]
• “… a sophisticated, mercurial way that advanced attackers can
break into systems, not get caught, keeping long-term access to
exfiltrate data at will.” [McAfee]
• “… a sophisticated and organized cyber attack to access and steal
information from compromised computers.” [MANDIANT]
5
WHY THE TERM APTs?
• Advanced
– Attacker adapts to defenders’ efforts
– Can develop or buy Zero-Day exploits
– Higher level of sophistication
• Persistent
– Attacks are objective specific
– Will continue until goal is reached
– Intent to maintain long term connectivity
• Threats
– Entity/s behind the attack
– Not the malware/exploit/attack alone
6
HOW DO THEY WORK? - APTS
7
KEY DIFFERENCES: INCURSION
8
Establish beachhead for campaign
KEY DIFFERENCES: DISCOVERY
9
KEY DIFFERENCES: CAPTURE
10
KEY DIFFERENCES: EXFILTRATION
11
TARGETING AND EXPLOITATION CYCLE
Step 1: Reconnaissance
Step 2: Initial Intrusion into the Network
Step 3: Establish a Backdoor into the Network
Step 4: Obtain User Credentials
Step 5: Install Various Utilities
Step 6: Privilege Escalation / Lateral Movement / Data Exfiltration
Step 7: Maintain Persistence
14
RECONNAISSANCE
• A reconnaissance attack occurs when an adversary tries to learn information
about your network.
• Unauthorized discovery and mapping of systems, services, or vulnerabilities.
• Also known as information gathering and, in most cases, precedes an actual
access or DoS attack.
o First, the malicious intruder typically conducts a ping sweep of the target
network to determine which IP addresses are alive.
o Then the intruder determines which services or ports are active on the
live IP addresses.
o From this information, the intruder queries the ports to determine the
type and version of the application and operating system running on the
target host.
16
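The three-stage pattern above (ping sweep, then port probing of the hosts that answered) is what a defender would look for in flow or firewall logs. The following detection logic is an added example, not part of the original slides; it uses a constructed, simplified flow-record format (`<epoch> <src_ip> <dst_ip> <proto> <dst_port>`) and assumed thresholds, and flags sources that swept, sources that scanned, and sources that did both in sequence.

```python
"""Detection logic for the reconnaissance pattern described on the slide:
a ping sweep of a network, followed by port probing of the hosts that answered.

Added example, not part of the original slides. The log format is a
constructed, simplified flow record, one per line:
    <epoch_seconds> <src_ip> <dst_ip> <proto> <dst_port>
ICMP echo requests are logged with proto "icmp" and dst_port "-".
"""
from collections import defaultdict

SWEEP_THRESHOLD = 8   # distinct ICMP targets from one source (assumed tuning value)
SCAN_THRESHOLD = 5    # distinct ports probed on one destination (assumed tuning value)


def build_sample_log():
    """Constructed sample traffic: one scanning source and one ordinary client."""
    lines, ts = [], 1700000000
    # 10.9.9.9 pings every address in 10.0.0.1-10.0.0.14 (the ping sweep)
    for host in range(1, 15):
        ts += 1
        lines.append(f"{ts} 10.9.9.9 10.0.0.{host} icmp -")
    # .5 and .7 answered, so the same source probes common service ports on them
    for host in (5, 7):
        for port in (21, 22, 25, 80, 135, 139, 443, 445):
            ts += 1
            lines.append(f"{ts} 10.9.9.9 10.0.0.{host} tcp {port}")
    # A normal client making a few HTTPS connections to one server
    for _ in range(3):
        ts += 1
        lines.append(f"{ts} 10.0.0.50 10.0.0.7 tcp 443")
    return "\n".join(lines)


def parse_record(line):
    """Split one constructed flow record into its fields."""
    ts, src, dst, proto, port = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "proto": proto,
            "port": None if port == "-" else int(port)}


def detect_recon(log_text, sweep_threshold=SWEEP_THRESHOLD,
                 scan_threshold=SCAN_THRESHOLD):
    """Return sweepers, scanners and the sources that did both.

    ping_sweep:  src -> number of distinct hosts pinged
    port_scan:   (src, dst) -> number of distinct ports probed
    recon_chain: sources that both swept and scanned, i.e. the full sequence
    """
    icmp_targets = defaultdict(set)   # src -> {dst}
    ports_seen = defaultdict(set)     # (src, dst) -> {port}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["proto"] == "icmp":
            icmp_targets[rec["src"]].add(rec["dst"])
        else:
            ports_seen[(rec["src"], rec["dst"])].add(rec["port"])

    sweeps = {src: len(d) for src, d in icmp_targets.items()
              if len(d) >= sweep_threshold}
    scans = {key: len(p) for key, p in ports_seen.items()
             if len(p) >= scan_threshold}
    chain = sorted(src for src in sweeps if any(s == src for s, _ in scans))
    return {"ping_sweep": sweeps, "port_scan": scans, "recon_chain": chain}


if __name__ == "__main__":
    for kind, hits in detect_recon(build_sample_log()).items():
        print(kind, hits)
```

The quiet client (one destination, one port) never crosses either threshold, while the scanning source appears in all three result sets.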
RECONNAISSANCE (Cont.)
• In multiple cases, Mandiant identified a number of public
website pages from which a victim’s contact information
was extracted and subsequently used in targeted social
engineering messages.
• Preventive Measures: Network DLP (Prevent
sensitive data from leaving)
17
INITIAL INTRUSION INTO THE NETWORK
• Social Engineering combined with Email - The most
common and successful
• The spoofed email will contain an attachment or a
link to a zip file.
o A CHM file containing malware
o A Microsoft Office document exploit
o Some other client software exploit, like an
Adobe Reader exploit.
• The attackers typically operate late at night (U.S.
time), between the hours of 10 p.m. and 4 a.m.
These times correlate to daytime in China.
• Preventive Measures:
o Firewall (blocks APT connection via IP reputation)
o Web Gateway (detects/blocks obfuscated malware)
o Email Gateway (blocks spear-phishing emails, links to
malicious sites)
o Network Threat Response (detects obfuscated malware)
o Network Security Platform (stops malicious exploit
delivery)
18
ESTABLISH A BACKDOOR INTO THE NETWORK
• Attempt to obtain domain administrative credentials . . . Transfer the credentials out of the
network
• The attackers then established a stronger foothold in the environment by moving laterally
through the network and installing multiple backdoors with different configurations.
• The malware is installed with system level privileges through the use of process injection,
registry modification or scheduled services.
• Malware characteristics:
o Continually updated
o Encryption and obfuscation of its network traffic
o Uses built-in Microsoft libraries
o Uses legitimate user credentials
o Does not listen for inbound connections
• Preventive Measures:
o Firewall (detects/blocks APT back-channel communication)
o Network Threat Response (detects APT destination IPs)
o Application Whitelisting (prevents backdoor installation)
19
OBTAIN USER CREDENTIALS
• The attackers often target domain controllers to obtain user
accounts and corresponding password hashes en masse.
• The attackers also obtain local credentials from compromised
systems
• The APT intruders access approximately 40 systems on a victim
network using compromised credentials
• Mandiant has seen as few as 10 compromised systems to in excess
of 150 compromised systems
• Preventive Measure:
o Web Gateway (detects/blocks access to malicious applications)
o Application Whitelisting (prevent unauthorized changes to systems)
20
INSTALL VARIOUS UTILITIES
• Program functionality includes:
o Installing backdoors
o Dumping passwords
o Obtaining email from servers
o Listing running processes
o Many other tasks
• More malware characteristics:
o Only 24% detected by security software
o Utilize spoofed SSL certificates
• e.g. Microsoft, Yahoo
o Most NOT packed
o Common file names
• e.g. svchost.exe, iexplore.exe
o Malware in sleep mode from a few weeks to a few months, up to a year
o Target executives’ systems
o Use of a stub file to download malware into memory (minimal forensic footprint)
• Preventive Measures:
o Firewall (blocks APT connection via IP reputation)
o Web Gateway (detects/blocks obfuscated malware)
o Email Gateway (blocks spear-phishing emails, links to malicious sites)
o Network Threat Response (detects obfuscated malware)
o Network Security Platform (stops malicious exploit delivery)
21
PRIVILEGE ESCALATION / DATA EXFILTRATION
• Once a secure foothold has been established:
o Exfiltrate data such as emails and attachments, or files residing on user
workstations or project file servers
o The data is usually compressed and put into a password protected RAR or
Microsoft Cabinet File.
o They often use “Staging Servers” to aggregate the data they intend to
steal
o They then delete the compressed files they exfiltrated from the “Staging
Servers.”
• Preventive Measures: Unified DLP (prevent data from leaving the
network)
22
MAINTAIN PERSISTENCE
• As the attackers detect remediation, they will attempt to
establish additional footholds and improve the
sophistication of their malware
• Preventive Measures:
o Network User Behavioural Analysis (identifies unexpected user
behaviour during APT reconnaissance and data collection phases)
23
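The "Obtain User Credentials" slide notes that intruders reach tens of systems with stolen credentials, and this slide's preventive measure is user behaviour analysis. The following is an added example, not part of the original slides, of the baseline-versus-observed check such analysis performs: it parses constructed logon records (`<epoch> <account> <host>`), learns each account's normal peak of distinct hosts per window, and alerts when an account suddenly fans out far beyond that. Window, factor and floor are assumed tuning values.

```python
"""User-behaviour check for credential abuse: an account authenticating to far
more distinct hosts than its own history shows.

Added example, not part of the original slides. Record format is constructed:
    <epoch_seconds> <account> <host>
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Logon:
    ts: int         # epoch seconds
    account: str
    host: str       # system the account authenticated to


def _records(account, hosts, start, step):
    """Build constructed records: `account` logs on to `hosts` every `step` seconds."""
    return "\n".join(f"{start + i * step} {account} {h}" for i, h in enumerate(hosts))


# Constructed baseline: each account's ordinary day.
BASELINE_LOG = "\n".join([
    _records("jdoe", ["WS-JDOE", "WS-JDOE"], 1700000000, 3600),
    _records("svc_backup", ["FS-01", "FS-02"], 1700000000, 600),
    _records("admin_ops", ["DC-01", "DC-02", "FS-01"], 1700000000, 1000),
])

# Constructed current day: jdoe's credentials are reused against 11 other
# workstations within about 20 minutes; the other accounts behave as before.
CURRENT_LOG = "\n".join([
    _records("jdoe", ["WS-JDOE"] + [f"WS-{i:02d}" for i in range(1, 12)], 1700100000, 100),
    _records("svc_backup", ["FS-01", "FS-02"], 1700100000, 600),
    _records("admin_ops", ["DC-01", "DC-02", "FS-01"], 1700100000, 1000),
])


def parse_logons(text):
    """Parse the constructed records, skipping blank lines."""
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, account, host = line.split()
            out.append(Logon(int(ts), account, host))
    return out


def peak_distinct_hosts(logons, window):
    """For each account, the most distinct hosts reached within any `window`-second span."""
    by_account = defaultdict(list)
    for logon in logons:
        by_account[logon.account].append(logon)
    peak = {}
    for account, events in by_account.items():
        events.sort(key=lambda e: e.ts)
        best = 0
        for i, start in enumerate(events):
            hosts = {e.host for e in events[i:] if e.ts - start.ts <= window}
            best = max(best, len(hosts))
        peak[account] = best
    return peak


def detect_credential_fanout(baseline_text, current_text, window=3600, factor=3, floor=5):
    """Alert on accounts whose current peak exceeds both an absolute floor and
    `factor` times their baseline peak (unseen accounts get a baseline of 0)."""
    base = peak_distinct_hosts(parse_logons(baseline_text), window)
    cur = peak_distinct_hosts(parse_logons(current_text), window)
    alerts = {}
    for account, n in cur.items():
        b = base.get(account, 0)
        if n >= floor and n > factor * max(b, 1):
            alerts[account] = {"hosts_in_window": n, "baseline": b}
    return alerts


if __name__ == "__main__":
    print(detect_credential_fanout(BASELINE_LOG, CURRENT_LOG))
```

The service and admin accounts touch several hosts every day and stay below the floor, so only the account whose behaviour changed is reported, together with the baseline that makes the change visible.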
Case Study Analysis: RSA SecurID Hack
1. Research public information about employees
2. Select low-value targets
3. Spear-phishing email “2011 Recruitment Plan”
with .xls attachment
4. Spreadsheet contains 0-day exploit that installs a
backdoor through a Flash vulnerability (backdoor is a
Poison Ivy variant RAT, reverse-connected)
5. Digital shoulder surf & harvest credentials
6. Performed privilege escalation
7. Target and compromise high-value accounts
8. Copy data from target servers
9. Move data to staging servers and aggregate,
compress and encrypt it
10. FTP to external staging server at compromised
hosting site
11. Finally pull data from hosted server and remove
traces
24
Case Study Analysis: Operation Aurora
• Operation Aurora was a cyber attack which was first publicly disclosed by Google on
January 12, 2010, in a blog post.
• Highlights:
o Google said the attack originated in China.
o Demonstrated
• high degree of sophistication,
• strong indications of well resourced and consistent APT attack.
o Aimed at well-placed MNCs such as Adobe Systems, Juniper Networks, Yahoo,
Symantec, Northrop Grumman, Morgan Stanley, etc.
o Google stated in its blog that it plans to operate a completely uncensored version of its
search engine in China "within the law, if at all". If not possible, it may leave China and close
its Chinese offices.
• Primary goal: to gain access to and potentially modify source code
repositories at these high-tech, security and defence contractor companies.
26
Case Study: CHINESE SPY TEAM HACKS FORBES.COM
27
SECURITY SOLUTIONS
FOR APT
28
EMET (Enhanced Mitigation Experience Toolkit)
• EMET is a free utility that helps prevent vulnerabilities in software from being successfully
exploited for code execution.
o It does so by opting software in to the latest security mitigation technologies.
o The result is that a wide variety of software is made significantly more resistant to
exploitation – even against zero-day vulnerabilities and vulnerabilities for which an update
has not yet been applied.
• Highlights
o Making configuration easy
o Enterprise deployment via Group Policy and SCCM
o Reporting capability via the new EMET Notifier feature
• Configuration
o EMET 3.0 comes with three default "Protection Profiles".
o Protection Profiles are XML files that contain pre-configured EMET settings for common
Microsoft and third-party applications.
29
Bit9 Parity Suite
• Bit9 Parity Suite
o Endpoint Threat Protection Solution.
o This solution provides an extensive list of features for protection against
APTs.
• Features of Bit9:
o Application Control/Whitelisting
o Software Reputation Service
o File Integrity Monitoring
o Threat Identification
o Device Control
o Registry Protection
o Memory Protection
30
REFERENCES
31
• https://www.bluecoat.com/
• www.symantec.com/en/in/
• www.mcafee.com/
• www.kaspersky.co.in/
• https://www.mandiant.com/
• www.informationweek.com/ - Case Studies
THANK YOU!
32

 

Recently uploaded (20)

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

Advanced Persistent Threats (APTs) - Information Security Management

1. ADVANCED PERSISTENT THREAT
Group B: Sagar Patil, Raghav Tripathi, Mayur Nanotkar

2. AGENDA
• Introduction
• What is APT?
• How does it work?
• Illustration
• Exploitation Cycle
• Case Studies
• Security Solutions For APT
5. WHAT IS APT?
• “An advanced and normally clandestine means to gain continual, persistent intelligence on an individual, or group of individuals” [Wikipedia]
• “… a sophisticated, mercurial way that advanced attackers can break into systems, not get caught, keeping long-term access to exfiltrate data at will.” [McAfee]
• “… a sophisticated and organized cyber attack to access and steal information from compromised computers.” [MANDIANT]

6. WHY THE TERM APTs?
• Advanced
  – Attacker adapts to defenders’ efforts
  – Can develop or buy zero-day exploits
  – Higher level of sophistication
• Persistent
  – Attacks are objective specific
  – Will continue until the goal is reached
  – Intent to maintain long-term connectivity
• Threats
  – The entity or entities behind the attack
  – Not the malware/exploit/attack alone

7. HOW DO THEY WORK? - APTs

8. KEY DIFFERENCES: INCURSION
• Establish a beachhead for the campaign
14. TARGETING AND EXPLOITATION CYCLE
Step 1 • Reconnaissance
Step 2 • Initial Intrusion into the Network
Step 3 • Establish a Backdoor into the Network
Step 4 • Obtain User Credentials
Step 5 • Install Various Utilities
Step 6 • Privilege Escalation / Lateral Movement / Data Exfiltration
Step 7 • Maintain Persistence
16. RECONNAISSANCE
• A reconnaissance attack occurs when an adversary tries to learn information about your network.
• Unauthorized discovery and mapping of systems, services, or vulnerabilities.
• Also known as information gathering; in most cases it precedes an actual access or DoS attack.
  o First, the intruder typically conducts a ping sweep of the target network to determine which IP addresses are alive.
  o Then the intruder determines which services or ports are active on the live IP addresses.
  o From this information, the intruder queries the ports to determine the type and version of the application and operating system running on the target host.
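The ping sweep and port probe described on this slide are noisy from the defender's side: one source touches many hosts, or many ports on one host, in a short time. The following detector is an added example (not code from the slide deck or any vendor) that runs over constructed firewall log lines in a simple key=value layout assumed here; the window and thresholds are assumed tuning values, not figures from the page.

```python
"""Detect ping sweeps and port scans in firewall log lines (constructed sample)."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed log layout: "<ts> src=<ip> dst=<ip> proto=<proto> [dport=<n>] [type=<n>]".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+)"
    r"(?: dport=(?P<dport>\d+))?(?: type=(?P<type>\d+))?$"
)

# Constructed sample: one external host echo-pings 12 internal addresses, then probes
# 12 ports on 10.0.0.5; a benign internal host makes three HTTPS connections.
SAMPLE_LINES = (
    [f"2024-04-01T02:10:{i:02d}Z src=203.0.113.9 dst=10.0.0.{i + 1} proto=icmp type=8"
     for i in range(12)]
    + [f"2024-04-01T02:11:{i:02d}Z src=203.0.113.9 dst=10.0.0.5 proto=tcp dport={p}"
       for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080])]
    + [f"2024-04-01T02:12:{i * 10:02d}Z src=10.0.0.7 dst=10.0.0.1 proto=tcp dport=443"
       for i in range(3)]
)


def parse_line(line):
    """Return a dict of fields with a UTC datetime, or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def _max_distinct_in_window(events, window_s):
    """Largest number of distinct values seen within any window_s-second span."""
    events = sorted(events)
    best = 0
    for i, (t0, _) in enumerate(events):
        seen = set()
        for t, value in events[i:]:
            if (t - t0).total_seconds() > window_s:
                break
            seen.add(value)
        best = max(best, len(seen))
    return best


def detect_recon(lines, window_s=60, sweep_hosts=8, scan_ports=10):
    """Return findings as (kind, src, dst_or_None, distinct_count) tuples."""
    icmp = defaultdict(list)   # src -> [(ts, dst)]      for ICMP echo requests
    tcp = defaultdict(list)    # (src, dst) -> [(ts, dport)] for TCP connection attempts
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["proto"] == "icmp" and ev["type"] == "8":
            icmp[ev["src"]].append((ev["ts"], ev["dst"]))
        elif ev["proto"] == "tcp" and ev["dport"]:
            tcp[(ev["src"], ev["dst"])].append((ev["ts"], int(ev["dport"])))
    findings = []
    for src, evs in icmp.items():
        n = _max_distinct_in_window(evs, window_s)
        if n >= sweep_hosts:
            findings.append(("ping_sweep", src, None, n))
    for (src, dst), evs in tcp.items():
        n = _max_distinct_in_window(evs, window_s)
        if n >= scan_ports:
            findings.append(("port_scan", src, dst, n))
    return findings


if __name__ == "__main__":
    for finding in detect_recon(SAMPLE_LINES):
        print(finding)
```

The sliding window matters more than the raw count: a monitoring host that touches every address once an hour is not a sweep, while the same number of probes inside a minute is. Thresholds should be set from the site's own baseline, and the source address of a finding is a pivot for the later phases the deck describes, since the same address often reappears as a phishing-link or command-and-control endpoint.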
17. RECONNAISSANCE (Cont.)
• In multiple cases, Mandiant identified a number of public website pages from which a victim’s contact information was extracted and subsequently used in targeted social engineering messages.
• Preventive Measures: Network DLP (prevents sensitive data from leaving)

18. INITIAL INTRUSION INTO THE NETWORK
• Social engineering combined with email is the most common and successful method.
• The spoofed email will contain an attachment or a link to a zip file:
  o A CHM file containing malware
  o A Microsoft Office document exploit
  o Some other client software exploit, such as an Adobe Reader exploit
• The attackers typically operate late at night (U.S. time), between 10 p.m. and 4 a.m. These times correlate to daytime in China.
• Preventive Measures:
  o Firewall (blocks APT connection via IP reputation)
  o Web Gateway (detects/blocks obfuscated malware)
  o Email Gateway (blocks spear-phishing emails and links to malicious sites)
  o Network Threat Response (detects obfuscated malware)
  o Network Security Platform (stops malicious exploit delivery)

19. ESTABLISH A BACKDOOR INTO THE NETWORK
• Attempt to obtain domain administrative credentials . . . transfer the credentials out of the network
• The attackers then establish a stronger foothold in the environment by moving laterally through the network and installing multiple backdoors with different configurations.
• The malware is installed with system-level privileges through the use of process injection, registry modification or scheduled services.
• Malware characteristics:
  o Continually updated
  o Encryption and obfuscation of its network traffic
  o Uses built-in Microsoft libraries
  o Uses legitimate user credentials
  o Does not listen for inbound connections
• Preventive Measures:
  o Firewall (detects/blocks APT back-channel communication)
  o Network Threat Response (detects APT destination IPs)
  o Application Whitelisting (prevents backdoor installation)
20. OBTAIN USER CREDENTIALS
• The attackers often target domain controllers to obtain user accounts and corresponding password hashes en masse.
• The attackers also obtain local credentials from compromised systems.
• The APT intruders access approximately 40 systems on a victim network using compromised credentials.
• Mandiant has seen as few as 10 compromised systems and in excess of 150 compromised systems.
• Preventive Measures:
  o Web Gateway (detects/blocks access to malicious applications)
  o Application Whitelisting (prevents unauthorized changes to systems)
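Stolen credentials are valid credentials, so the signal is not a failed logon but a legitimate account suddenly reaching far more hosts than it ever has. This is an added example, not from the deck or from Mandiant, showing the kind of fan-out check that the later "Network User Behavioural Analysis" measure performs; the baseline host sets, the logon events and the thresholds are all constructed for illustration.

```python
"""Flag accounts that authenticate to unusually many hosts (credential fan-out)."""
from collections import defaultdict
from datetime import datetime

# Constructed baseline: hosts each account has historically logged on to (example data).
BASELINE_HOSTS = {
    "jdoe": {"ws-17", "fs-01", "mail-01"},
    "asmith": {"ws-22", "fs-01"},
    "svc_backup": {"bk-01", "bk-02", "bk-03", "bk-04"},
}


def _ev(ts, account, src, dst):
    """Build one logon event: (timestamp, account, source host, target host)."""
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, src, dst)


# Constructed logon events for one day. svc_backup's credentials are reused from a
# workstation against 40 servers in the early hours, mirroring the ~40-system figure above.
SAMPLE_AUTH = (
    [_ev("2024-04-01T09:05:00Z", "jdoe", "ws-17", "fs-01"),
     _ev("2024-04-01T09:06:00Z", "jdoe", "ws-17", "mail-01"),
     _ev("2024-04-01T13:40:00Z", "jdoe", "ws-17", "fs-02"),     # one new host: normal drift
     _ev("2024-04-01T10:00:00Z", "asmith", "ws-22", "fs-01")]
    + [_ev(f"2024-04-01T03:{i:02d}:00Z", "svc_backup", "ws-17", f"srv-{i + 1:02d}")
       for i in range(40)]
)


def summarize_fanout(events, baseline=BASELINE_HOSTS):
    """Per account: distinct targets, targets outside the baseline, and activity span in minutes."""
    targets = defaultdict(set)
    first, last = {}, {}
    for ts, account, _src, dst in events:
        targets[account].add(dst)
        first[account] = min(first.get(account, ts), ts)
        last[account] = max(last.get(account, ts), ts)
    summary = {}
    for account, hosts in targets.items():
        new = hosts - baseline.get(account, set())
        summary[account] = {
            "total": len(hosts),
            "new": len(new),
            "new_hosts": sorted(new),
            "span_min": (last[account] - first[account]).total_seconds() / 60,
        }
    return summary


def flag_credential_fanout(events, baseline=BASELINE_HOSTS, abs_min=10, ratio=3.0):
    """Flag accounts whose new-target count is large both absolutely and relative to baseline.

    abs_min avoids alerting on accounts with a tiny baseline; ratio catches service
    accounts whose normal footprint is a handful of hosts. Both are assumed tuning values.
    """
    flagged = {}
    for account, s in summarize_fanout(events, baseline).items():
        base = max(len(baseline.get(account, set())), 1)
        if s["new"] >= abs_min and s["new"] >= ratio * base:
            flagged[account] = s
    return flagged


if __name__ == "__main__":
    for account, s in flag_credential_fanout(SAMPLE_AUTH).items():
        print(account, s["new"], "new hosts in", s["span_min"], "minutes")
```

The span is worth keeping in the alert: forty hosts over a month may be a new administrator learning the estate, while forty hosts in forty minutes from a single workstation is the pattern the slide describes. The source host is the second pivot, since a service account that normally originates from backup servers has no business logging on from a user workstation.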
21. INSTALL VARIOUS UTILITIES
• Program functionality includes:
  o Installing backdoors
  o Dumping passwords
  o Obtaining email from servers
  o Listing running processes
  o Many other tasks
• More malware characteristics:
  o Only 24% detected by security software
  o Utilize spoofed SSL certificates (e.g. Microsoft, Yahoo)
  o Most NOT packed
  o Common file names (e.g. svchost.exe, iexplore.exe)
  o Malware in sleep mode from a few weeks to a few months, up to a year
  o Target executives’ systems
  o Use of a stub file to download malware into memory (minimal forensic footprint)
• Preventive Measures:
  o Firewall (blocks APT connection via IP reputation)
  o Web Gateway (detects/blocks obfuscated malware)
  o Email Gateway (blocks spear-phishing emails and links to malicious sites)
  o Network Threat Response (detects obfuscated malware)
  o Network Security Platform (stops malicious exploit delivery)
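Borrowing a well-known file name such as svchost.exe or iexplore.exe defeats a glance at the process list, but not a check of where the binary runs from and who started it. The following is an added example, not from the deck or any product, that applies two such rules to a constructed process snapshot. The expected paths are the real install locations of those binaries; the rule that a genuine svchost.exe is started by services.exe is a deliberate simplification of normal Windows behaviour, and the snapshot data is invented.

```python
"""Spot processes that reuse a well-known Windows binary name from the wrong location."""

# Expected locations and parents for names the slide lists as commonly abused.
# Paths are compared case-insensitively; the parent check applies only where listed.
EXPECTED = {
    "svchost.exe": {
        "paths": {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"},
        "parents": {"services.exe"},   # simplified rule: service hosts are started by services.exe
    },
    "iexplore.exe": {
        "paths": {r"c:\program files\internet explorer\iexplore.exe",
                  r"c:\program files (x86)\internet explorer\iexplore.exe"},
        "parents": None,   # iexplore spawns child iexplore.exe processes, so parent is not checked
    },
}

# Constructed process snapshot: (pid, image name, full path, parent image name).
SAMPLE_PROCESSES = [
    (1234, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe"),
    (2345, "svchost.exe", r"C:\Users\Public\svchost.exe", "explorer.exe"),
    (3456, "iexplore.exe", r"C:\ProgramData\iexplore.exe", "explorer.exe"),
    (4567, "iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe", "explorer.exe"),
    (5678, "notepad.exe", r"C:\Windows\System32\notepad.exe", "explorer.exe"),
]


def check_process(name, path, parent):
    """Return the list of rule violations for one process (empty when it looks legitimate)."""
    rules = EXPECTED.get(name.lower())
    if rules is None:
        return []                      # not a watched name
    reasons = []
    if path.lower() not in rules["paths"]:
        reasons.append("unexpected_path")
    if rules["parents"] is not None and parent.lower() not in rules["parents"]:
        reasons.append("unexpected_parent")
    return reasons


def find_masquerading(processes):
    """Return (pid, name, path, reasons) for every process that violates at least one rule."""
    findings = []
    for pid, name, path, parent in processes:
        reasons = check_process(name, path, parent)
        if reasons:
            findings.append((pid, name, path, reasons))
    return findings


if __name__ == "__main__":
    for finding in find_masquerading(SAMPLE_PROCESSES):
        print(finding)
```

Path and parent are only two of the cheap signals; the slide's other characteristics suggest more of the same kind, such as a long-dormant process that suddenly opens network connections, or a TLS certificate claiming to be Microsoft's that does not chain to a trusted root. The point of the rules is that an unpacked, oddly named binary is easy to spot once the check looks past the file name.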
22. PRIVILEGE ESCALATION / DATA EXFILTRATION
• Once a secure foothold has been established:
  o Exfiltrate data such as emails and attachments, or files residing on user workstations or project file servers
  o The data is usually compressed and put into a password-protected RAR or Microsoft Cabinet file.
  o They often use “staging servers” to aggregate the data they intend to steal.
  o They then delete the compressed files they exfiltrated from the “staging servers.”
• Preventive Measures: Unified DLP (prevents data from leaving the network)

23. MAINTAIN PERSISTENCE
• As the attackers detect remediation, they will attempt to establish additional footholds and improve the sophistication of their malware.
• Preventive Measures:
  o Network User Behavioural Analysis (identifies unexpected user behaviour during APT reconnaissance and data collection phases)

24. Case Study Analysis: RSA SecurID Hack
  1. Research public information about employees
  2. Select low-value targets
  3. Spear-phishing email “2011 Recruitment Plan” with .xls attachment
  4. Spreadsheet contains a 0-day exploit that installs a backdoor through a Flash vulnerability (the backdoor is a Poison Ivy variant RAT, reverse-connected)
  5. Digital shoulder surfing and credential harvesting
  6. Performed privilege escalation
  7. Target and compromise high-value accounts
  8. Copy data from target servers
  9. Move data to staging servers and aggregate, compress and encrypt it
  10. FTP to external staging server at a compromised hosting site
  11. Finally pull data from the hosted server and remove traces
26. Case Study Analysis: Operation Aurora
• Operation Aurora was a cyber attack first publicly disclosed by Google on January 12, 2010, in a blog post.
• Highlights:
  o Google said the attack originated in China.
  o Demonstrated a high degree of sophistication and strong indications of a well-resourced and consistent APT attack.
  o Aimed at well-placed MNCs such as Adobe Systems, Juniper Networks, Yahoo, Symantec, Northrop Grumman, Morgan Stanley, etc.
  o Google stated in its blog that it plans to operate a completely uncensored version of its search engine in China "within the law, if at all". If not possible, it may leave China and close its Chinese offices.
• Primary goal: to gain access to and potentially modify source code repositories at these high-tech, security and defence contractor companies.

27. Case Study: CHINESE SPY TEAM HACKS FORBES.COM

29. EMET (Enhanced Mitigation Experience Toolkit)
• EMET is a free utility that helps prevent vulnerabilities in software from being successfully exploited for code execution.
  o It does so by opting software in to the latest security mitigation technologies.
  o The result is that a wide variety of software is made significantly more resistant to exploitation, even against zero-day vulnerabilities and vulnerabilities for which an update has not yet been applied.
• Highlights:
  o Making configuration easy
  o Enterprise deployment via Group Policy and SCCM
  o Reporting capability via the new EMET Notifier feature
• Configuration:
  o EMET 3.0 comes with three default "Protection Profiles".
  o Protection Profiles are XML files that contain pre-configured EMET settings for common Microsoft and third-party applications.

30. Bit9 Parity Suite
• Endpoint Threat Protection Solution.
• This solution provides an extensive list of features for protection against APTs:
  o Application Control/Whitelisting
  o Software Reputation Service
  o File Integrity Monitoring
  o Threat Identification
  o Device Control
  o Registry Protection
  o Memory Protection

31. REFERENCES
• https://www.bluecoat.com/
• www.symantec.com/en/in/
• www.mcafee.com/
• www.kaspersky.co.in/
• https://www.mandiant.com/
• www.informationweek.com/ - Case Studies