Advanced persistent threat (apt)
Published in: Education
  1. Presented by: QuratulAin Najeeb
  2. Agenda: • Advanced persistent threat • Stages of APT • Problem in Detection • Events • Detection Framework
  3. Elements of APT. Advanced: use of advanced techniques. Persistent: remain in the system for a long period, “low” and “slow”. Threat: the agenda is stealing data.
  4. Don't destroy systems. Don't interrupt normal operation. Try to stay hidden and keep the stolen data flowing. Trick a user into installing malware: spear-phishing.
  5. Stages of APT. 1. Reconnaissance: collecting information about the organization’s resources. 2. Delivery: spear-phishing emails are prepared and sent. 3. Exploitation: a command and control connection is built from the targeted employee’s machine via remote access. 4. Operation: persistent presence in the network and access to data. 5. Data Collection: information is packed, compressed and encrypted. 6. Exfiltration: data is moved over channels to various external servers.
  6. Reconnaissance example: sniffing Twitter, Starbucks, LinkedIn. Captured: email address (engineer@gmail.com), friend’s email (engineer2@gmail.com), interests (www.ITECH-2013.com).
  7. Delivery example: “Hey look! An email from Engineer2, with a catalog attached!” Spoofed, of course. Most certainly clicking here: CLICK HERE TO VIEW “ITECH” EVENT 2013.
  8. The PDF gets clicked. Code gets dropped. The backdoor is opened.
  9. The attacker connects to the listening port, i.e. remote access.
  10. At this point, the attacker could do any number of things to get more sensitive data.
  11. Attack tree of an APT aimed at source data: a means to detect potentially vulnerable elements on the way to the targeted data (AND nodes).
  12. Problem: an attack path may go across multiple planes. Planes and their events: Physical: physical devices, working location. User: recording sensitive data access. Network: firewall / logs / IDS/IPS. Application: information delivered through the gateway.
  13. Event classes: Candidate Events, Suspicious Events, Attack Events.
  14. Attack Pyramid; Unfolded Attack Pyramid.
  15. Alert System using algorithms. G = {G1, …, Gn}; Gi = {P1, …, Pn}; Pi = {e1, …, eK}. Put together the events relevant to an attack context. Detection rules: signature based rules (connecting to a blacklisted domain); anomaly detection rules (sending more data than usual); policy based rules (overloaded VPN connection).
  16. Research papers define APT and propose an attack model for detecting the problem, i.e. the Attack Pyramid.
  17. References: http://www.research.att.com/techdocs/TD_101075.pdf ; http://www.infosecurityproject.com/2012/Download/K7_Advanced%20Persistent%20Threat%20and%20Modern%20Malware_Jones%20Leung.pdf
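As an added example (not from the slides), the three rule families of slide 15 run over constructed events from the planes of slide 12, grouped per attack context as the sets G and P describe; the blacklist, upload baseline, VPN limit and owner set are assumed values, and a context is promoted from suspicious to attack when its rule hits span more than one plane.

```python
from collections import defaultdict
# Constructed sample events (not from the slides): plane observed on, and the user
# whose activity forms the attack context G_i.
EVENTS = [
    {"user": "engineer", "plane": "network", "kind": "dns", "domain": "cdn.example.net"},
    {"user": "engineer", "plane": "network", "kind": "dns", "domain": "c2.invalid"},
    {"user": "engineer", "plane": "network", "kind": "upload", "domain": "c2.invalid", "bytes": 850_000},
    {"user": "engineer", "plane": "user", "kind": "file_access", "path": "/srv/source", "sensitive": True},
    {"user": "alice", "plane": "user", "kind": "file_access", "path": "/srv/source", "sensitive": True},
    {"user": "alice", "plane": "network", "kind": "upload", "domain": "files.example.org", "bytes": 30_000},
    {"user": "bob", "plane": "network", "kind": "vpn_login"},
    {"user": "bob", "plane": "network", "kind": "vpn_login"},
    {"user": "bob", "plane": "network", "kind": "vpn_login"},
]

BLACKLIST = {"c2.invalid"}            # assumed signature feed
UPLOAD_BASELINE = 100_000             # assumed: bytes a user normally sends out per day
VPN_SESSION_LIMIT = 2                 # assumed policy: at most two VPN sessions per user
SOURCE_OWNERS = {"alice"}             # assumed policy: who may read the source tree

def signature_rule(ev, ctx):
    """Signature based rule: the event touches a blacklisted domain."""
    return "blacklisted_domain" if ev.get("domain") in BLACKLIST else None

def anomaly_rule(ev, ctx):
    """Anomaly rule: the context's total upload volume exceeds its baseline."""
    total = sum(e.get("bytes", 0) for e in ctx if e["kind"] == "upload")
    return "excess_upload" if ev["kind"] == "upload" and total > UPLOAD_BASELINE else None

def policy_rule(ev, ctx):
    """Policy rule: too many VPN sessions, or sensitive data read by a non-owner."""
    if ev["kind"] == "vpn_login" and sum(e["kind"] == "vpn_login" for e in ctx) > VPN_SESSION_LIMIT:
        return "vpn_overload"
    if ev.get("sensitive") and ev["user"] not in SOURCE_OWNERS:
        return "unauthorized_sensitive_access"
    return None

RULES = (signature_rule, anomaly_rule, policy_rule)

def detect(events):
    """Candidate events -> suspicious (rule hits) -> attack when hits span >1 plane."""
    contexts = defaultdict(list)      # G_i: all candidate events of one context
    for ev in events:
        contexts[ev["user"]].append(ev)
    report = {}
    for user, ctx in contexts.items():
        hits = [(tag, ev["plane"]) for ev in ctx for rule in RULES if (tag := rule(ev, ctx))]
        planes = {plane for _, plane in hits}
        report[user] = {"suspicious": hits, "attack": len(planes) > 1}
    return report
```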