5. WHAT IS APT?
• “An advanced and normally clandestine means to gain continual,
persistent intelligence on an individual, or group of individuals”
[Wikipedia]
• “… a sophisticated, mercurial way that advanced attackers can
break into systems, not get caught, keeping long-term access to
exfiltrate data at will.” [McAfee]
• “… a sophisticated and organized cyber attack to access and steal
information from compromised computers.” [MANDIANT]
6. WHY THE TERM APTs?
• Advanced
– Attacker adapts to defenders’ efforts
– Can develop or buy Zero-Day exploits
– Higher level of sophistication
• Persistent
– Attacks are objective specific
– Will continue until goal is reached
– Intent to maintain long term connectivity
• Threats
– The entity or entities behind the attack
– Not the malware/exploit/attack alone
14. TARGETING AND EXPLOITATION CYCLE
Step 1: Reconnaissance
Step 2: Initial Intrusion into the Network
Step 3: Establish a Backdoor into the Network
Step 4: Obtain User Credentials
Step 5: Install Various Utilities
Step 6: Privilege Escalation / Lateral Movement / Data Exfiltration
Step 7: Maintain Persistence
16. RECONNAISSANCE
• A reconnaissance attack occurs when an adversary tries to learn information
about your network.
• Unauthorized discovery and mapping of systems, services, or vulnerabilities.
• Also known as information gathering and, in most cases, precedes an actual
access or DoS attack.
o First, the malicious intruder typically conducts a ping sweep of the target
network to determine which IP addresses are alive.
o Then the intruder determines which services or ports are active on the
live IP addresses.
o From this information, the intruder queries the ports to determine the
type and version of the application and operating system running on the
target host.
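As an added illustration (not part of the slides), the detection side of the three steps above: a small Python check run over constructed firewall log lines that flags a source pinging many distinct hosts (a sweep) and a source probing many ports on one host (a scan). The log format, addresses and thresholds are assumptions made for the example.

```python
from collections import defaultdict

def parse_kv(line: str) -> dict:
    """Parse a 'key=value key=value' firewall log line (constructed format)."""
    return dict(tok.split("=", 1) for tok in line.split())

# Constructed log: 10.0.0.5 pings 40 hosts, then probes 11 ports on 10.0.1.7;
# 10.0.0.9 is ordinary traffic and must not be flagged.
RECON_LOG = ["ts=%d src=10.0.0.5 dst=10.0.1.%d proto=icmp" % (1000 + i, i) for i in range(1, 41)]
RECON_LOG += ["ts=%d src=10.0.0.5 dst=10.0.1.7 proto=tcp dport=%d" % (1100 + p, p)
              for p in (21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389)]
RECON_LOG += ["ts=1200 src=10.0.0.9 dst=10.0.1.7 proto=tcp dport=443",
              "ts=1300 src=10.0.0.9 dst=10.0.1.8 proto=tcp dport=443"]

def detect_recon(lines, sweep_hosts=16, scan_ports=8):
    """Flag a source that pings many hosts (sweep) or probes many ports on one host (scan)."""
    icmp_targets = defaultdict(set)   # src -> set of pinged destinations
    tcp_ports = defaultdict(set)      # (src, dst) -> set of destination ports tried
    for line in lines:
        rec = parse_kv(line)
        if rec["proto"] == "icmp":
            icmp_targets[rec["src"]].add(rec["dst"])
        elif rec["proto"] == "tcp":
            tcp_ports[(rec["src"], rec["dst"])].add(int(rec["dport"]))
    alerts = []
    for src, hosts in icmp_targets.items():
        if len(hosts) >= sweep_hosts:
            alerts.append({"type": "ping_sweep", "src": src, "count": len(hosts)})
    for (src, dst), ports in tcp_ports.items():
        if len(ports) >= scan_ports:
            alerts.append({"type": "port_scan", "src": src, "dst": dst, "count": len(ports)})
    return alerts
```

The thresholds are deliberately low for the sample; on a real network they should be tuned against the fan-out of legitimate monitoring hosts.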
17. RECONNAISSANCE (Cont.)
• In multiple cases, Mandiant identified a number of public
website pages from which a victim’s contact information
was extracted and subsequently used in targeted social
engineering messages.
• Preventive Measures: Network DLP (Prevent
sensitive data from leaving)
18. INITIAL INTRUSION INTO THE NETWORK
• Social engineering combined with email: the most common and most
successful approach
• The spoofed email will contain an attachment or a
link to a zip file.
o A CHM file containing malware
o A Microsoft Office document exploit
o Some other client software exploit, like an
Adobe Reader exploit.
• The attackers typically operate late at night (U.S. time), between the
hours of 10 p.m. and 4 a.m. These times correlate to daytime in China.
• Preventive Measures:
o Firewall (blocks APT connection via IP reputation)
o Web Gateway (detects/blocks obfuscated malware)
o Email Gateway (block spear-phishing emails, links to
malicious sites)
o Network Threat Response (detects obfuscated malware)
o Network Security Platform (stops malicious exploit delivery)
19. ESTABLISH A BACKDOOR INTO THE NETWORK
• Attempt to obtain domain administrative credentials … transfer the credentials out of the
network
• The attackers then established a stronger foothold in the environment by moving laterally
through the network and installing multiple backdoors with different configurations.
• The malware is installed with system-level privileges through the use of process injection,
registry modification or scheduled services.
• Malware characteristics:
o Continually updated
o Encrypts and obfuscates its network traffic
o Uses built-in Microsoft libraries
o Uses legitimate user credentials
o Does not listen for inbound connections
• Preventive Measures:
o Firewall (detects/blocks APT back-channel communication)
o Network Threat Response (detects APT destination IPs)
o Application Whitelisting (prevents backdoor installation)
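The backdoor traits listed above (outbound-only, encrypted traffic, legitimate credentials) leave connection timing as one of the few usable signals. Added example, not from the slides: a Python check over constructed connection log lines that flags source/destination pairs whose connection spacing is nearly constant, the signature of a backdoor beaconing to its controller. The log format, addresses and thresholds are assumptions made for the example.

```python
import statistics
from collections import defaultdict

def parse_kv(line: str) -> dict:
    """Parse a 'key=value key=value' connection log line (constructed format)."""
    return dict(tok.split("=", 1) for tok in line.split())

# Constructed log (ts = epoch seconds). 10.0.0.5 -> 203.0.113.10 connects every ~300 s
# with a few seconds of jitter; 10.0.0.5 -> 198.51.100.4 is irregular user browsing.
JITTER = [0, 2, -1, 3, -2, 1, 0, -3, 2, -1, 1, 0]
CONN_LOG = ["ts=%d src=10.0.0.5 dst=203.0.113.10 dport=443" % (1000 + 300 * i + j)
            for i, j in enumerate(JITTER)]
CONN_LOG += ["ts=%d src=10.0.0.5 dst=198.51.100.4 dport=443" % t
             for t in (1000, 1010, 1500, 4000, 4020, 9000)]

def detect_beacons(lines, min_connections=10, max_cv=0.10):
    """Return {(src, dst): mean_interval_seconds} for pairs with near-constant spacing.

    A pair is a beacon candidate when it has at least min_connections entries and the
    coefficient of variation (stdev / mean) of the gaps between them is at most max_cv.
    """
    times = defaultdict(list)
    for line in lines:
        rec = parse_kv(line)
        times[(rec["src"], rec["dst"])].append(int(rec["ts"]))
    beacons = {}
    for pair, ts in times.items():
        if len(ts) < min_connections:
            continue
        ts.sort()
        gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            beacons[pair] = mean
    return beacons
```

Real implants add deliberate jitter and sleep for long periods (the slides mention weeks to months), so the window analysed has to be long and max_cv tuned per environment.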
20. OBTAIN USER CREDENTIALS
• The attackers often target domain controllers to obtain user
accounts and corresponding password hashes en masse.
• The attackers also obtain local credentials from compromised
systems.
• The APT intruders access approximately 40 systems on a victim
network using compromised credentials.
• Mandiant has seen as few as 10 compromised systems to in excess
of 150 compromised systems.
• Preventive Measures:
o Web Gateway (detects/blocks access to malicious applications)
o Application Whitelisting (prevent unauthorized changes to systems)
21. INSTALL VARIOUS UTILITIES
• Program functionality includes:
o Installing backdoors
o Dumping passwords
o Obtaining email from servers
o Listing running processes
o Many other tasks
• More Malware Characteristics:
o Only 24% detected by security software
o Utilize spoofed SSL certificates
• e.g. Microsoft, Yahoo
o Most NOT packed
o Common file names
• e.g. svchost.exe, iexplore.exe
o Malware in sleep mode from a few weeks to a few months to up to a year
o Target executives’ systems
o Use of a stub file to download malware into memory (Minimal Forensic Footprint)
• Preventive Measures:
o Firewall (blocks APT connection via IP reputation)
o Web Gateway (detects/blocks obfuscated malware)
o Email Gateway (blocks spear-phishing emails, links to malicious sites)
o Network Threat Response (detects obfuscated malware)
o Network Security Platform (stops malicious exploit delivery)
22. PRIVILEGE ESCALATION / DATA EXFILTRATION
• Once a secure foothold has been established:
o Exfiltrate data such as emails and attachments, or files residing on user
workstations or project file servers
o The data is usually compressed and put into a password-protected RAR or
Microsoft Cabinet file.
o They often use “Staging Servers” to aggregate the data they intend to
steal
o They then delete the compressed files they exfiltrated from the “Staging
Servers.”
• Preventive Measures: Unified DLP (prevent data from leaving the
network)
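Added example, not from the slides: a Python content check that a DLP inspection point could apply to an outbound file, recognising RAR 4.x, RAR 5 and CAB archives by their magic bytes and, for RAR 4.x, reading the header flag bits that mark an archive as password protected (MHD_PASSWORD on the main header, LHD_PASSWORD on a file header, as documented in the RAR 4.x technote). The sample archives are constructed in the block with zeroed CRCs and are not real files.

```python
import struct

# Magic values and flag bits from the RAR 4.x technote and the CAB format (well-known constants).
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
CAB_MAGIC = b"MSCF"
MAIN_HEAD, FILE_HEAD = 0x73, 0x74
MHD_PASSWORD = 0x0080  # main header flag: block headers are encrypted (rar -hp)
LHD_PASSWORD = 0x0004  # file header flag: this file's data is encrypted (rar -p)

def inspect_archive(data: bytes) -> dict:
    """Classify a blob seen at the egress point; 'encrypted' is None when not determinable."""
    if data.startswith(RAR5_MAGIC):
        return {"format": "rar5", "encrypted": None}  # RAR5 headers use vints; not parsed here
    if data.startswith(CAB_MAGIC):
        return {"format": "cab", "encrypted": False}  # CAB has no built-in encryption
    if not data.startswith(RAR4_MAGIC):
        return {"format": "other", "encrypted": None}
    pos, encrypted = len(RAR4_MAGIC), False
    while pos + 7 <= len(data):
        # every RAR4 block starts with HEAD_CRC(2) HEAD_TYPE(1) HEAD_FLAGS(2) HEAD_SIZE(2)
        head_type, head_flags, head_size = struct.unpack_from("<xxBHH", data, pos)
        if (head_type == MAIN_HEAD and head_flags & MHD_PASSWORD) or \
           (head_type == FILE_HEAD and head_flags & LHD_PASSWORD):
            encrypted = True
            break
        if head_size < 7:
            break  # malformed block; stop rather than loop forever
        if head_type == FILE_HEAD and pos + 11 <= len(data):
            head_size += struct.unpack_from("<I", data, pos + 7)[0]  # skip PACK_SIZE bytes of data
        pos += head_size
    return {"format": "rar4", "encrypted": encrypted}

def _rar4_block(head_type: int, flags: int, body: bytes) -> bytes:
    # HEAD_CRC left as 0: these are constructed samples, not archives a real tool would accept
    return struct.pack("<HBHH", 0, head_type, flags, 7 + len(body)) + body

def _rar4_sample(main_flags: int, file_flags: int, name=b"secrets.docx", payload=b"\x00" * 16):
    main = _rar4_block(MAIN_HEAD, main_flags, b"\x00" * 6)  # HighPosAV(2) + PosAV(4)
    # PACK_SIZE UNP_SIZE HOST_OS FILE_CRC FTIME UNP_VER METHOD NAME_SIZE ATTR, then FILE_NAME
    body = struct.pack("<IIBIIBBHI", len(payload), len(payload), 2, 0, 0, 29, 0x30, len(name), 0x20) + name
    return RAR4_MAGIC + main + _rar4_block(FILE_HEAD, file_flags, body) + payload

PLAIN_RAR = _rar4_sample(0, 0)
ENCRYPTED_FILE_RAR = _rar4_sample(0, LHD_PASSWORD)
ENCRYPTED_HEADERS_RAR = RAR4_MAGIC + _rar4_block(MAIN_HEAD, MHD_PASSWORD, b"\x00" * 6) + b"\x9c" * 32
```

A verdict of format rar4 with encrypted True on an outbound transfer is the condition the DLP policy on this slide would act on; the check is by content, so renaming the file does not evade it.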
23. MAINTAIN PERSISTENCE
• As the attackers detect remediation, they will attempt to
establish additional footholds and improve the
sophistication of their malware
• Preventive Measures:
o Network User Behavioural Analysis (identifies unexpected user
behaviour during APT reconnaissance and data collection phases)
24. Case Study Analysis: RSA SecurID Hack
1. Research public information about employees
2. Select low-value targets
3. Spear-phishing email “2011 Recruitment Plan”
with .xls attachment
4. Spreadsheet contains a 0-day exploit that installs a
backdoor through a Flash vulnerability (the backdoor is
a Poison Ivy variant RAT, reverse-connected)
5. Digital shoulder surf & harvest credentials
6. Performed privilege escalation
7. Target and compromise high-value accounts
8. Copy data from target servers
9. Move data to staging servers and aggregate,
compress and encrypt it
10. FTP to external staging server at compromised
hosting site
11. Finally pull data from hosted server and remove
traces
26. Case Study Analysis: Operation Aurora
• Operation Aurora was a cyber attack which was first publicly disclosed by Google on
January 12, 2010, in a blog post.
• Highlights:
o Google said the attack originated in China.
o Demonstrated
• high degree of sophistication,
• strong indications of well resourced and consistent APT attack.
o Aimed at well-placed MNCs such as Adobe Systems, Juniper Networks, Yahoo,
Symantec, Northrop Grumman, Morgan Stanley, etc.
o Google stated in its blog that it plans to operate a completely uncensored version of its
search engine in China "within the law, if at all". If not possible, it may leave China and close
its Chinese offices.
• Primary goal: to gain access to, and potentially modify, source code
repositories at these high-tech, security and defence contractor companies.
29. EMET (Enhanced Mitigation Experience Toolkit)
• EMET (Enhanced Mitigation Experience Toolkit)
o A free utility that helps prevent vulnerabilities in software from being successfully exploited for
code execution.
o It does so by opting software in to the latest security mitigation technologies.
o The result is that a wide variety of software is made significantly more resistant to
exploitation – even against zero day vulnerabilities and vulnerabilities for which an update
has not yet been applied.
• Highlights
o Making configuration easy
o Enterprise deployment via Group Policy and SCCM
o Reporting capability via the new EMET Notifier feature
Configuration
• EMET 3.0 comes with three default "Protection Profiles".
o Protection Profiles are XML files that contain pre-configured EMET settings for common
Microsoft and third-party applications.
30. Bit9 Parity Suite
• Endpoint Threat Protection Solution.
• This solution provides an extensive list of features for protection against
APTs:
• Features of Bit9:
o Application Control/Whitelisting
o Software Reputation Service
o File Integrity Monitoring
o Threat Identification
o Device Control
o Registry Protection
o Memory Protection