1. APTs – Playing Defense
The New Era of Cyber Security
University of Piraeus, 8/12/2014
Christos Ventouris
cventouris@isc2-chapter.gr
@clechuck
2. What "APT" means
• Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target's posture.
• Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives.
• Threat means the adversary is not a piece of mindless code. This point is crucial. Some people throw around the term "threat" with reference to malware. If malware had no human attached to it (someone to control the victim, read the stolen data, etc.), then most malware would be of little worry (as long as it didn't degrade or deny data). Rather, the adversary here is a threat because it is organized and funded and motivated. Some people speak of multiple "groups" consisting of dedicated "crews" with various missions.
5. Targeted Attack Campaigns

                          2011      2012      2013
Email per Campaign         122        78        29
Recipients/Campaign         61       111        23
Campaigns                  165       408       779
Duration of Campaign    4 days    3 days  8.3 days

6. (image-only slide)
7. Establish a Backdoor into the Network
• Attempt to obtain domain administrative credentials … transfer the credentials out of the network
• The attackers then established a stronger foothold in the environment by moving laterally through the network and installing multiple backdoors with different configurations.
• The malware is installed with system-level privileges through the use of process injection, registry modification or scheduled services.
• Malware characteristics:
  – Malware is continually updated
  – Malware uses encryption and obfuscation techniques on its network traffic
  – The attackers' malware uses built-in Microsoft libraries
  – The attackers' malware uses legitimate user credentials so they can better blend in with typical user activity
  – Does not listen for inbound connections
8. "Utilities"
• Program functionality includes:
  – Installing backdoors
  – Dumping passwords
  – Obtaining email from servers
  – Listing running processes
  – Tunnelling connections via trusted systems and staying low (see Beacon)
• More malware characteristics:
  – Only a small % detected by security software
  – Utilize spoofed or stolen SSL certificates
    • e.g. Microsoft, Yahoo
  – Most NOT packed
  – Common file names
    • e.g. svchost.exe, iexplore.exe

9. (image-only slide)
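Slides 7 and 8 make the defender's point that this malware does not listen for inbound connections but beacons out through trusted systems and tries to stay low. The following is an added example (not from the deck, and not any vendor's code) of the kind of proxy-log analytic that exposes that behaviour: human browsing produces irregular gaps between requests, while an implant polling on a timer produces gaps that are almost identical. The log format, host names and addresses are constructed for the example.

```python
"""Beacon detection over web-proxy log lines.

Added example for this deck, not from the slides: flags client/destination
pairs whose inter-request intervals are too regular to be human browsing.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log, one record per line:
# "<ISO timestamp> <client ip> <destination host>"
SAMPLE_PROXY_LOG = """\
2014-12-08T09:00:00 10.1.1.20 updates.example-cdn.test
2014-12-08T09:00:03 10.1.1.20 intranet.corp.test
2014-12-08T09:05:01 10.1.1.20 updates.example-cdn.test
2014-12-08T09:07:44 10.1.1.20 intranet.corp.test
2014-12-08T09:10:00 10.1.1.20 updates.example-cdn.test
2014-12-08T09:14:59 10.1.1.20 updates.example-cdn.test
2014-12-08T09:15:30 10.1.1.20 intranet.corp.test
2014-12-08T09:20:01 10.1.1.20 updates.example-cdn.test
2014-12-08T09:25:00 10.1.1.20 updates.example-cdn.test
2014-12-08T09:31:12 10.1.1.20 intranet.corp.test
2014-12-08T09:48:02 10.1.1.20 intranet.corp.test
"""


def parse_proxy_log(text):
    """Group request timestamps by (client, destination)."""
    by_pair = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest = line.split()
        by_pair[(client, dest)].append(datetime.fromisoformat(ts))
    return by_pair


def find_beacons(text, min_hits=5, max_cv=0.10):
    """Return pairs with at least min_hits requests whose inter-request
    intervals have a coefficient of variation (stdev / mean) below max_cv.
    A low CV means the gaps are nearly identical, i.e. timer-driven."""
    beacons = []
    for (client, dest), times in parse_proxy_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
        if cv <= max_cv:
            beacons.append({
                "client": client,
                "dest": dest,
                "hits": len(times),
                "mean_interval_s": round(mean, 1),
                "cv": round(cv, 4),
            })
    return sorted(beacons, key=lambda b: b["cv"])


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_PROXY_LOG):
        print(f"{b['client']} -> {b['dest']}: {b['hits']} hits every "
              f"~{b['mean_interval_s']}s (cv={b['cv']})")
```

In the constructed log the five-minute poll to the CDN-looking host is flagged while the intranet traffic is not. Real implants add jitter, so in practice the CV threshold is tuned per environment and combined with other signals (new destination, odd user agent, traffic outside working hours) rather than used alone.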
10. Capture
• Long-term occupancy
  – Longest known span was 660 days
  – Average detection span is 150 days
• Control
  – Maintain control of industrial systems or business related hardware.

11. (image-only slide)
12. Methods of exfiltration
• Encrypting prior to exfiltration
  – Defeat DLP network monitoring
• Webmail
• SSL via victim's proxy
• Abuse of other protocols
  – DNS
  – ICMP
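The slide lists DNS among the protocols abused for exfiltration. As an added example (not part of the deck), the following resolver-log analytic shows what that abuse looks like from the defender's side: data carried in query names appears as many unique, long, high-entropy subdomains under one registered domain. The log format and the names are constructed; treating the last two labels as the registered domain is a simplification for the example (a real deployment would use the public suffix list).

```python
"""DNS tunnelling / exfiltration indicators over resolver query logs.

Added example, not from the slides: data smuggled out in DNS query names
shows up as many unique, long, high-entropy subdomains under one domain.
"""
import math
from collections import Counter, defaultdict

# Constructed sample resolver log: "<epoch seconds> <client ip> <queried name>"
SAMPLE_DNS_LOG = """\
1418029200 10.1.1.20 www.corp.test
1418029201 10.1.1.20 mail.corp.test
1418029203 10.1.1.20 0123456789abcdeffedcba9876543210.tunnel-example.test
1418029204 10.1.1.20 a1b2c3d4e5f60718293a4b5c6d7e8f90.tunnel-example.test
1418029205 10.1.1.20 f0e1d2c3b4a5968778695a4b3c2d1e0f.tunnel-example.test
1418029206 10.1.1.20 89abcdef0123456701234567fedcba98.tunnel-example.test
1418029210 10.1.1.20 www.corp.test
1418029215 10.1.1.20 intranet.corp.test
"""


def shannon_entropy(s):
    """Bits of entropy per character; hex or base32 payloads score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Assumption for this example: the registered domain is the last two
    labels. Returns (domain, subdomain-part)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def dns_exfil_candidates(text, min_unique=4, min_len=24, min_entropy=3.5):
    """Per registered domain, collect the unique subdomain strings queried
    and flag domains whose subdomains look like encoded data: many distinct
    names that are long and/or high-entropy."""
    subs = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, _client, qname = line.split()
        domain, sub = registered_domain(qname)
        if sub:
            subs[domain].add(sub)

    report = {}
    for domain, names in subs.items():
        names = sorted(names)
        mean_len = sum(len(s) for s in names) / len(names)
        mean_ent = sum(shannon_entropy(s.replace(".", "")) for s in names) / len(names)
        suspicious = len(names) >= min_unique and (mean_len >= min_len or mean_ent >= min_entropy)
        report[domain] = {
            "unique_subdomains": len(names),
            "mean_subdomain_len": round(mean_len, 1),
            "mean_entropy": round(mean_ent, 2),
            "suspicious": suspicious,
        }
    return report


if __name__ == "__main__":
    for domain, stats in dns_exfil_candidates(SAMPLE_DNS_LOG).items():
        print(domain, stats)
```

The same three features (unique-name count, name length, entropy) also catch most DNS tunnelling tools; what they do not catch is low-and-slow exfiltration spread over days, which needs the counts kept per domain across a much longer window than a single log extract. ICMP abuse needs a different vantage point (packet sizes and payload entropy at the perimeter) and is not covered here.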
14. Tools Used
Some of these tools are custom built by the APT group, while others are publicly available.
Shell Creator 2 – A custom built tool used to check connections to their staging server, ensuring that the members are utilizing proxy connections by rejecting any connection attempts made in Iran.
Net Crawler – A worm-like malware used to gather cached credentials in a Windows network.
TinyZBot – A custom built bot with varying functionalities. This tool is the primary weapon of choice for this group.
PrivEsc – A copy of another tool named "KiTrap0D", an exploit which was released publicly. This tool utilizes the vulnerability MS10-015 to achieve privilege escalation.
Logger Module – A key logger component of the custom built PVZ bot tool set.
CCProxy – A publicly available proxy server for Windows.
NMap – A publicly available tool used to map networks and for reconnaissance.
Squid proxy – A publicly available tool that caches Internet content closer to a requestor than its original point of origin.
15. Attack & Incursion/Expansion
This group was observed using the publicly known compiled exploit "PrivEsc", also known as "KiTrap0D". This exploit leverages an already patched vulnerability in the Microsoft Windows kernel (CVE-2010-0232).
Cached Credential Dumping – Uses 'Mimikatz' and 'Windows Credential Editor' tools to extract users' credentials from cache.
"ZhMimikatz" and "MimikatzWrapper" – Custom built applications to automate execution of 'Mimikatz' & 'Windows Credential Editor' and parse the result to get usable credential details.
PsExec – Uses this tool to log on to other computers with credentials obtained from zhMimikatz and MimikatzWrapper.
NetCrawler – Combination of PsExec and cached credential-dumping tools: first it gets credentials from the infected machine's cache and then scans the local subnet for SMB port communication. Once another computer is identified, it copies itself to it, gathers credentials using the same method and reports results back to the source of infection. It then propagates over the network.
MS08-067 Exploit – This is the same vulnerability used by the Conficker worm. This attack group customized the publicly available exploit for this vulnerability and incorporated it in NetCrawler.
Jasus – Custom built application to perform ARP cache poisoning.
Cain & Abel – Publicly available password cracking tool. This tool is used to crack the passwords obtained by the cached credential dumping method.
16. Persistence
TinyZBot – Customized malware developed in C#, which collects sensitive information such as keystrokes from infected machines and sends them to the attackers. It also maintains access into the compromised network.
• Log keystrokes, monitor clipboard activity
• SMTP exfiltration, enable a SOAP-based command and control channel
• Self-updating, download and execute arbitrary code
• Capture screenshots, extract saved passwords for Internet Explorer
• Install as a service, establish persistence by shortcut in startup folder
• Provide unique malware campaign identifiers for tracking and control purposes
• FTP exfiltration
• Security software detection
• Ability to disable Avira antivirus
• Ability to modify PE resources
• Dynamic plugin structure
• Command and Control communication: TinyZbot also exfiltrates sensitive information over the SOAP protocol, which is a sub-protocol communicated via HTTP.
17. Exfiltration
Anonymous FTP – Exfiltrating data through some anonymous FTP server on the internet.
NetCat – Publicly available tool to transport information over the network between a configured server and client.
zhCat – Customized tool to replace NetCat. This tool lets them transport information over the network in obfuscated or encrypted form.
Plink – A utility provided in PuTTY (SSH) which is used by the attack group to forward local RDP ports over SSH.
SMTP – Customized malware such as TinyZbot & Csext, which collects sensitive information such as keystrokes of the infected machine and sends them to attackers over email as attachments.
SOAP – TinyZbot also exfiltrates sensitive information over the SOAP protocol, which is a sub-protocol communicated via HTTP.
19. One ring to rule them all. Not.
Install AV
I need DLP
Someone get me an anti-APT gateway
But… we have a firewall
I'm getting a SIEM now!
I will have more regular pentests…
I will be patching like there's no tomorrow

Not enough anymore
Ever heard of the "gender changer" using socat?
You need a team to work with it. It's not a fishtank.
… same way I promise my wife to put the toilet seat up the next time.
Piece of the puzzle, not the puzzle solution.
No problem. I guess you know what to protect, right?
Ever heard of red-teaming?
20. The Anti-AntiAPT
• Detection of virtual environment
  – NIC identifiers
  – Storage identifiers
• Delay to execute
• Run on targeted system only.
• Detect other environment characteristics.
  – IP subnet
  – Joined in a domain.
  – Does "My Documents" have files?
  – Is there a mail client with an active profile and full mailbox?
  – Previously logged in users?
21. A successful monitoring program requires both numerous sources of security data and the automation, personnel and services to appropriately correlate and respond to intelligence.
Signature-Based NIDS Monitoring
NIDS Monitoring with Global Intelligence
Firewall Log Association
Firewall Analysis: Scan Detection
Firewall Analysis: Anomaly Detection
Firewall Analysis: Backdoor Detection
Firewall Analysis: Botnet C&C Detection
Firewall Analysis: IP Watchlist Detection
Web Proxy Analysis
Web Application Firewall Alerts
Host IDS/IPS Alerts
OS and Application Logs Analysis
Endpoint Protection Alerts
So, you have a SIEM

22. (image-only slide)
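Two of the firewall analytics named on slide 21, scan detection and IP watchlist detection, are worked through below as an added example (not from the deck, and not any SIEM product's logic). The scan analytic is also the natural detection for the NetCrawler behaviour described on slide 15, where one infected host sweeps its local subnet on the SMB port before copying itself onward. The log format, the internal addresses and the watchlist entry (a documentation-range address) are all constructed for the example.

```python
"""Two firewall-log analytics a SIEM would correlate: scan detection (one
source reaching many distinct hosts on one port inside a short window) and
IP watchlist hits. Added example, not from the slides."""
from collections import Counter, defaultdict

# Constructed watchlist: documentation address space, not a real indicator.
WATCHLIST = {"198.51.100.7"}


def build_sample_firewall_log():
    """Constructed sample: 10.1.1.20 sweeps 16 neighbours on TCP 445 within
    16 seconds, then talks to a watchlisted address. Line format:
    "<epoch seconds> <action> <src ip> <dst ip> <dst port>"."""
    lines = ["1418029200 ACCEPT 10.1.1.20 10.1.1.53 53",
             "1418029201 ACCEPT 10.1.1.31 10.1.1.10 445"]
    for i in range(16):
        lines.append(f"{1418029230 + i} ACCEPT 10.1.1.20 10.1.1.{21 + i} 445")
    lines.append("1418029300 ACCEPT 10.1.1.20 198.51.100.7 443")
    return "\n".join(lines) + "\n"


def parse_firewall_log(text):
    """Yield (ts, src, dst, dport) tuples from the constructed line format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _action, src, dst, dport = line.split()
        events.append((int(ts), src, dst, int(dport)))
    return events


def detect_scans(events, window_s=60, min_hosts=10):
    """Sliding window per (src, dport): alert when the number of distinct
    destination hosts seen inside any window_s span reaches min_hosts."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in events:
        by_key[(src, dport)].append((ts, dst))

    alerts = []
    for (src, dport), hits in by_key.items():
        hits.sort()
        start, seen, peak, peak_ts = 0, Counter(), 0, None
        for ts, dst in hits:
            seen[dst] += 1
            # Drop hits that fell out of the trailing window.
            while ts - hits[start][0] > window_s:
                old = hits[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) > peak:
                peak, peak_ts = len(seen), hits[start][0]
        if peak >= min_hosts:
            alerts.append({"type": "scan", "src": src, "dport": dport,
                           "hosts": peak, "ts": peak_ts})
    return alerts


def detect_watchlist(events, watchlist=WATCHLIST):
    """Flag any flow whose source or destination is on the watchlist."""
    return [{"type": "watchlist", "src": src, "dst": dst, "dport": dport, "ts": ts}
            for ts, src, dst, dport in events
            if dst in watchlist or src in watchlist]


def correlate(text):
    """Run both analytics over one log extract, ordered by time."""
    events = parse_firewall_log(text)
    return sorted(detect_scans(events) + detect_watchlist(events),
                  key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in correlate(build_sample_firewall_log()):
        print(alert)
```

Seen on their own, each alert is weak: a vulnerability scanner also fans out on port 445, and a watchlist hit may be a stale indicator. The value the slide points at comes from putting both in one place with the host and endpoint sources, so that the 445 sweep from a workstation can be joined to the credential-dumping or service-install events on that same host.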
23. One step back, see the big picture
• What do I need to protect?
  – Do I know what I need to protect?
    • Where is it?
    • How's it been used?
  – Do I need to apply the same controls everywhere?
• Information value vs. security control cost
  – Is my management aware and supportive?
• Preventive measures
  – What do I have in place?
  – Can I improve my security with what I have?
  – Where shall I invest first?
    • People
    • Processes
    • Technologies
    • USE THIS ORDER
24. One step back, see the big picture
– Assume breach
  • How fast can I detect?
  • How fast can I respond?
– Play to learn (kids do it all the time)
  • Look out for CTFs
  • Play – organize challenges with your peers
  • Take attacker or (better) defender sides
  • You gain more with experience than with education.
25. Ok, I'm pulling the plug of my datacenter
• Not yet. Start with what you have.
• People
  – Educate the employees
    • Many sources of information on the internet
    • Small group classes.
    • Different content per group
    • Throw a few baits here and there. Give them a safe environment to fail.
26. Ok, I'm pulling the plug of my datacenter
• Not yet. Start with what you have.
• Are you utilizing 100% of your security solutions?
  – Endpoint security is NOT AV. Enable all the capabilities.
  – Is your FW/UTM using all of its security features?
  – Can you monitor for changes in files and configurations?
    • Why should a Windows 8.1 system have Windows XP files?
    • Why have the DNS settings here?
    • Who just created a new mail rule to delete emails?
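The slide's "can you monitor for changes in files and configurations?" is the cheapest control on the list, and it is easy to build from what you already have. The following is an added example (not part of the deck) of a baseline-and-diff integrity check: hash every file under a tree, store the map, re-hash later and report what was added, removed or modified. The directory tree, file names and the "DNS setting" are constructed inside a temporary directory so the example runs offline; in production the baseline is stored off the monitored host and compared on a schedule.

```python
"""File and configuration change monitoring by hashing a baseline.
Added example, not from the slides."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file under root (relative, '/'-separated path) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            result[rel] = h.hexdigest()
    return result


def diff_snapshots(baseline, current):
    """Report paths that appeared, disappeared, or changed content."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def _write(root, rel, content):
    """Helper for the constructed tree: create parents and write text."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)


def demo():
    """Build a constructed tree, baseline it, then simulate the changes the
    slide asks about: a DNS setting rewritten, a file from another OS
    version dropped in, and a service binary replaced by removal."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "config/network.ini", "dns=10.1.1.53\n")
        _write(root, "bin/svc.exe", "original service binary\n")
        _write(root, "bin/helper.dll", "unchanged helper\n")
        baseline = snapshot(root)

        _write(root, "config/network.ini", "dns=203.0.113.9\n")   # DNS setting changed
        _write(root, "bin/old_xp_component.dll", "file from another OS version\n")
        os.remove(os.path.join(root, "bin", "svc.exe"))
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

A hash-only baseline answers "what changed", not "who changed it"; pairing the diff with the OS audit log for the same path (and, on Windows, the file's version resource, which is how a Windows XP-era binary on a Windows 8.1 host stands out) turns the alert into something an analyst can act on.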
27. NIST Cybersecurity Framework

Function   Question                                            Categories
Identify   What are my assets, risks and business goals?       Asset Mgmt; Business Environment; Governance; Risk Assessment; Risk Mgmt Strategy
Protect    What are my safeguards to block attackers?          Access Control; Training; Data Security; Processes; Maintenance; Protective Technology
Detect     How do I know when a security event has happened?   Anomalies and Events; Continuous Monitoring; Detection Processes
Respond    How do I respond to a cyber security event?         Response Planning; Communications; Analysis; Mitigation; Improvement
Recover    How do I restore services after an event?           Recovery Planning; Improvements; Communications

Summary: The framework provides a consensus description of what's needed for a comprehensive cybersecurity program, and allows organizations, regardless of size, degree of cyber risk or cybersecurity sophistication, to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure.