APTs – Playing Defense
The New Era of Cyber Security

University of Piraeus
8/12/2014

Christos Ventouris
cventouris@isc2-chapter.gr
@clechuck

•  Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target’s posture.

•  Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives.

•  Threat means the adversary is not a piece of mindless code. This point is crucial. Some people throw around the term “threat” with reference to malware. If malware had no human attached to it (someone to control the victim, read the stolen data, etc.), then most malware would be of little worry (as long as it didn’t degrade or deny data). Rather, the adversary here is a threat because it is organized and funded and motivated. Some people speak of multiple “groups” consisting of dedicated “crews” with various missions.

The lifecycle…

Generic anatomy

Targeted Attack Campaigns

                          2011      2012      2013
Email per Campaign        122       78        29
Recipients/Campaign       61        111       23
Campaigns                 165       408       779
Duration of Campaign      4 days    3 days    8.3 days

Establish a Backdoor into the Network

•  Attempt to obtain domain administrative credentials . . . Transfer the credentials out of the network

•  The attackers then established a stronger foothold in the environment by moving laterally through the network and installing multiple backdoors with different configurations.

•  The malware is installed with system level privileges through the use of process injection, registry modification or scheduled services.

•  Malware characteristics:
–  Malware is continually updated
–  Malware uses encryption and obfuscation techniques of its network traffic
–  The attackers’ malware uses built-in Microsoft libraries
–  The attackers’ malware uses legitimate user credentials so they can better blend in with typical user activity
–  Do not listen for inbound connections

“Utilities”

•  Programs’ functionality includes:
–  Installing backdoors
–  Dumping passwords
–  Obtaining email from servers
–  List running processes
–  Tunnel connections via trusted systems and stay low (see Beacon)

•  More Malware Characteristics:
–  Only a small % detected by security software
–  Utilize spoofed or stolen SSL Certificates
   •  i.e. Microsoft, Yahoo
–  Most NOT packed
–  Common File names
   •  i.e. svchost.exe, iexplore.exe
Capture

•  Long-term occupancy
–  Longest known span was 660 days
–  Average detection span is 150 days

•  Control
–  Maintain control of industrial systems or business related hardware.

Methods of exfiltration

•  Encrypting prior to exfiltration
–  Defeat DLP network monitoring
•  Webmail
•  SSL via victim’s proxy
•  Abuse of other protocols
–  DNS
–  ICMP
Operation Cleaver

Tools Used

Some of these tools are custom built by the APT group, while others are publicly available.

Shell Creator 2 – A custom built tool used to check connections to their staging server. It ensures that the members are utilizing proxy connections by rejecting any connection attempts made in Iran.

Net Crawler – A worm-like malware used to gather cached credentials in a Windows network.

TinyZBot – A custom built bot with varying functionalities. This tool is the primary weapon of choice for this group.

PrivEsc – A copy of another tool named “KiTrap0D” exploit which was released publicly. This tool utilizes the vulnerability MS10-015 to achieve privilege escalations.

Logger Module – A key logger component of the custom built PVZ bot tool set.

CCProxy – A publicly available proxy server for Windows.

NMap – A publicly available tool used to map networks and for reconnaissance.

Squid proxy – A publicly available tool that caches Internet content closer to a requestor than its original point of origin.

Attack & Incursion/Expansion

This group was observed using the publicly known compiled exploit “PrivEsc”, also known as “KiTrap0D”. This exploit leverages an already patched vulnerability in the Microsoft Windows kernel (CVE-2010-0232).

Cached Credential Dumping – Uses ‘Mimikatz’ and ‘Windows Credential Editor’ tools to extract users’ credentials from cache.

“ZhMimikatz” and “MimikatzWrapper” – Custom built applications to automate execution of ‘Mimikatz’ & ‘Windows Credential Editor’ and parse the result to get usable credential details.

PsExec – Uses this tool to log on to other computers with credentials obtained from zhMimikatz and MimikatzWrapper.

NetCrawler – Combination of PsExec and cached credential-dumping tools: first it gets credentials from the infected machine’s cache and then scans the local subnet for SMB port communication. Once another computer is identified, it copies itself to it, gathers credentials using the same method and reports results back to the source of infection. It then propagates over the network.

MS08-067 Exploit – This is the same vulnerability used by the Conficker worm. This attack group customized the publicly available exploit for this vulnerability and incorporated it in NetCrawler.

Jasus – Custom built application to perform ARP cache poisoning.

Cain & Abel – Publicly available password cracking tool. This tool is used to crack the passwords that are obtained from the cached credential dumping method.
	
  	
  
Persistence

TinyZBot – It is customized malware developed in C#, which collects sensitive information such as keystrokes of infected machines and sends them to attackers. It also maintains access into the compromised network.

•  Log keystrokes, Monitor clipboard activity
•  SMTP exfiltration, Enable a SOAP-based command and control channel
•  Self-updating, Download and execute arbitrary code
•  Capture screenshots, Extract saved passwords for Internet Explorer
•  Install as a service, Establish persistence by shortcut in startup folder
•  Provide unique malware campaign identifiers for tracking and control purposes
•  FTP exfiltration
•  Security software detection
•  Ability to disable Avira antivirus
•  Ability to modify PE resources
•  Dynamic plugin structure
•  Command and Control communication: TinyZbot also exfiltrates sensitive information over the SOAP protocol, which is a sub-protocol communicated via HTTP.

Exfiltration

Anonymous FTP – Exfiltrating data through some Anonymous FTP on the internet.

NetCat – Publicly available tool to transport information over the network between a configured server and client.

zhCat – Customized tool to replace NetCat. This tool lets them transport information over the network in obfuscated or encrypted form.

Plink – A utility provided in PuTTY (SSH) which is used by the attack group to forward local RDP ports over SSH.

SMTP – Customized malware such as TinyZbot & Csext, which collects sensitive information such as keystrokes of the infected machine and sends them to attackers over email as an attachment.

SOAP – TinyZbot also exfiltrates sensitive information over the SOAP protocol, which is a sub-protocol communicated via HTTP.

What Can We Do?

One ring to rule them all. Not.

Install AV
I need DLP
Someone get me an anti-APT gateway
But… we have a firewall
I’m getting a SIEM now!
I will have more regular pentests …
I will be patching like there’s no tomorrow

Not enough anymore
Ever heard of the “gender changer” using socat?
You need a team to work with it. It’s not a fishtank.
… same way I promise my wife to put the toilet seat up the next time.
Piece of the puzzle, not the puzzle solution.
No problem. I guess you know what to protect, right?
Ever heard of red-teaming?

The Anti-AntiAPT

•  Detection of virtual environment
–  NIC identifiers
–  Storage identifiers
•  Delay to execute
•  Run on targeted system only.
•  Detect other environment characteristics.
–  IP subnet
–  Joined in a domain.
–  Does “My Documents” have files?
–  Is there a mail client with an active profile and full mailbox?
–  Previously logged in users?

A successful monitoring program requires both numerous sources of security data and the automation, personnel and services to appropriately correlate and respond to intelligence.

Signature-Based NIDS Monitoring
NIDS Monitoring with Global Intelligence
Firewall Log Association
Firewall Analysis: Scan Detection
Firewall Analysis: Anomaly Detection
Firewall Analysis: Backdoor Detection
Firewall Analysis: Botnet C&C Detection
Firewall Analysis: IP Watchlist Detection
Web Proxy Analysis
Web Application Firewall Alerts
Host IDS/IPS Alerts
OS and Application Logs Analysis
Endpoint Protection Alerts
So, you have a SIEM

One step back, see the big picture

•  What do I need to protect?
–  Do I know what I need to protect?
   •  Where is it?
   •  How’s it been used?
–  Do I need to apply same controls everywhere?
   •  Information value vs. Security Control cost
–  Is my management aware and supportive?

•  Preventive measures
–  What do I have in place?
–  Can I improve my security with what I have?
–  Where shall I invest first?
   •  People
   •  Processes
   •  Technologies
   •  USE THIS ORDER

One step back, see the big picture

–  Assume Breach
   •  How fast can I detect?
   •  How fast can I respond?
–  Play to learn (kids do it all the time)
   •  Look out for CTFs
   •  Play – organize challenges with your peers
   •  Take attacker or –better– defender sides
   •  You gain more with experience than with education.

Ok, I’m pulling the plug of my Datacenter

•  Not yet. Start with what you have.
•  People
–  Educate the employees
   •  Many sources of information on the internet
   •  Small group classes.
   •  Different content per group
   •  Throw a few baits here and there. Give them a safe environment to fail.

Ok, I’m pulling the plug of my Datacenter

•  Not yet. Start with what you have.
•  Are you utilizing 100% of your security solutions?
–  Endpoint Security is NOT AV. Enable all the capabilities.
–  Is your FW/UTM using all of its security features?
–  Can you monitor for changes in files and configurations?
   •  Why should a Windows 8.1 system have Windows XP files?
   •  Why have the DNS settings here?
   •  Who just created a new mail rule to delete emails?

NIST Cybersecurity Framework – Function / Categories

Function   Question                                         Categories
Identify   What are my assets, risks and business goals?    Asset Mgmt; Business Environment; Governance; Risk Assessment; Risk Mgmt Strategy
Protect    What are my safeguards to block attackers?       Access Control; Training; Data Security; Processes; Maintenance; Protective Technology
Detect     How do I know when a security event has          Anomalies and Events; Continuous Monitoring; Detection Processes
           happened?
Respond    How do I respond to a cyber security event?      Response Planning; Communications; Analysis; Mitigation; Improvement
Recover    How do I restore services after an event?        Recovery Planning; Improvements; Communications

NIST Cybersecurity Framework Summary

The framework provides a consensus description of what's needed for a comprehensive cybersecurity program, and allows organizations—regardless of size, degree of cyber risk or cybersecurity sophistication—to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure.

If all else fails …

Core Security TC Programme

References

•  http://www.symantec.com/content/en/us/enterprise/white_papers/b-advanced_persistent_threats_WP_21215957.en-us.pdf
•  http://www.cylance.com/operation-cleaver/
•  http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=istr-19
•  http://azure.microsoft.com/blog/2014/11/11/red-teaming-using-cutting-edge-threat-simulation-to-harden-the-microsoft-enterprise-cloud/


 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT  (Raiding Internet of Things)  by Jacob HolcombRIoT  (Raiding Internet of Things)  by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
Web Security
Web SecurityWeb Security
Web Security
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
 
Security Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxSecurity Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptx
 
Presentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad AlmajaliPresentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad Almajali
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jain
 

More from isc2-hellenic

Cyber Security Expect the Unexpected
Cyber Security Expect the UnexpectedCyber Security Expect the Unexpected
Cyber Security Expect the Unexpectedisc2-hellenic
 
European Cyber Security Challenge - Greel National Cyber Security Team
European Cyber Security Challenge - Greel National Cyber Security TeamEuropean Cyber Security Challenge - Greel National Cyber Security Team
European Cyber Security Challenge - Greel National Cyber Security Teamisc2-hellenic
 
The evolving threats and the challenges of the modern CISO
The evolving threats and the challenges of the modern CISOThe evolving threats and the challenges of the modern CISO
The evolving threats and the challenges of the modern CISOisc2-hellenic
 
Operation Grand Mars
Operation Grand MarsOperation Grand Mars
Operation Grand Marsisc2-hellenic
 
Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewisc2-hellenic
 
Flowchart - Building next gen malware behavioural analysis environment
Flowchart - Building next gen malware behavioural analysis environment Flowchart - Building next gen malware behavioural analysis environment
Flowchart - Building next gen malware behavioural analysis environment isc2-hellenic
 
Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment isc2-hellenic
 
GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017isc2-hellenic
 
General assembly 2016 02 24 1.0
General assembly 2016 02 24 1.0General assembly 2016 02 24 1.0
General assembly 2016 02 24 1.0isc2-hellenic
 
2016 02-14 - tlp-white ce2016 presentation
2016 02-14 - tlp-white ce2016 presentation2016 02-14 - tlp-white ce2016 presentation
2016 02-14 - tlp-white ce2016 presentationisc2-hellenic
 
2016 02-14-nis directive-overview isc2 chapter
2016 02-14-nis directive-overview isc2 chapter2016 02-14-nis directive-overview isc2 chapter
2016 02-14-nis directive-overview isc2 chapterisc2-hellenic
 
Event 16 12-15 kostas papadatos
Event 16 12-15 kostas papadatosEvent 16 12-15 kostas papadatos
Event 16 12-15 kostas papadatosisc2-hellenic
 
Event 16 12-15 panel1
Event 16 12-15 panel1Event 16 12-15 panel1
Event 16 12-15 panel1isc2-hellenic
 
Event 16 12-15 panel2
Event 16 12-15 panel2Event 16 12-15 panel2
Event 16 12-15 panel2isc2-hellenic
 
Event 16 12-15 global information security workforce study 1.0
Event 16 12-15 global information security workforce study 1.0Event 16 12-15 global information security workforce study 1.0
Event 16 12-15 global information security workforce study 1.0isc2-hellenic
 
5. Experience from recent national & international cyber exercises
5. Experience from recent national & international cyber exercises5. Experience from recent national & international cyber exercises
5. Experience from recent national & international cyber exercisesisc2-hellenic
 
4. Mitigating a Cyber Attack
4. Mitigating a Cyber Attack4. Mitigating a Cyber Attack
4. Mitigating a Cyber Attackisc2-hellenic
 
2. Chapter introduction & update
2. Chapter introduction & update2. Chapter introduction & update
2. Chapter introduction & updateisc2-hellenic
 

More from isc2-hellenic (20)

Cyber Security Expect the Unexpected
Cyber Security Expect the UnexpectedCyber Security Expect the Unexpected
Cyber Security Expect the Unexpected
 
European Cyber Security Challenge - Greel National Cyber Security Team
European Cyber Security Challenge - Greel National Cyber Security TeamEuropean Cyber Security Challenge - Greel National Cyber Security Team
European Cyber Security Challenge - Greel National Cyber Security Team
 
The evolving threats and the challenges of the modern CISO
The evolving threats and the challenges of the modern CISOThe evolving threats and the challenges of the modern CISO
The evolving threats and the challenges of the modern CISO
 
Operation Grand Mars
Operation Grand MarsOperation Grand Mars
Operation Grand Mars
 
Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and review
 
Flowchart - Building next gen malware behavioural analysis environment
Flowchart - Building next gen malware behavioural analysis environment Flowchart - Building next gen malware behavioural analysis environment
Flowchart - Building next gen malware behavioural analysis environment
 
Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment
 
GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017
 
GDPR 11/1/2017
GDPR 11/1/2017GDPR 11/1/2017
GDPR 11/1/2017
 
General assembly 2016 02 24 1.0
General assembly 2016 02 24 1.0General assembly 2016 02 24 1.0
General assembly 2016 02 24 1.0
 
2016 02-14 - tlp-white ce2016 presentation
2016 02-14 - tlp-white ce2016 presentation2016 02-14 - tlp-white ce2016 presentation
2016 02-14 - tlp-white ce2016 presentation
 
Panoptis 2016
Panoptis 2016Panoptis 2016
Panoptis 2016
 
2016 02-14-nis directive-overview isc2 chapter
2016 02-14-nis directive-overview isc2 chapter2016 02-14-nis directive-overview isc2 chapter
2016 02-14-nis directive-overview isc2 chapter
 
Event 16 12-15 kostas papadatos
Event 16 12-15 kostas papadatosEvent 16 12-15 kostas papadatos
Event 16 12-15 kostas papadatos
 
Event 16 12-15 panel1
Event 16 12-15 panel1Event 16 12-15 panel1
Event 16 12-15 panel1
 
Event 16 12-15 panel2
Event 16 12-15 panel2Event 16 12-15 panel2
Event 16 12-15 panel2
 
Event 16 12-15 global information security workforce study 1.0
Event 16 12-15 global information security workforce study 1.0Event 16 12-15 global information security workforce study 1.0
Event 16 12-15 global information security workforce study 1.0
 
5. Experience from recent national & international cyber exercises
5. Experience from recent national & international cyber exercises5. Experience from recent national & international cyber exercises
5. Experience from recent national & international cyber exercises
 
4. Mitigating a Cyber Attack
4. Mitigating a Cyber Attack4. Mitigating a Cyber Attack
4. Mitigating a Cyber Attack
 
2. Chapter introduction & update
2. Chapter introduction & update2. Chapter introduction & update
2. Chapter introduction & update
 

Recently uploaded

Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 

Recently uploaded (20)

Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 

3. APTs Presentation

  • 1. APTs – Playing Defense. The New Era of Cyber Security. University of Piraeus, 8/12/2014. Christos Ventouris, cventouris@isc2-chapter.gr, @clechuck
  • 2. What "APT" means
    – Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target's posture.
    – Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives.
    – Threat means the adversary is not a piece of mindless code. This point is crucial. Some people throw around the term "threat" with reference to malware. If malware had no human attached to it (someone to control the victim, read the stolen data, etc.), then most malware would be of little worry (as long as it didn't degrade or deny data). Rather, the adversary here is a threat because it is organized and funded and motivated. Some people speak of multiple "groups" consisting of dedicated "crews" with various missions.
  • 5. Targeted Attack Campaigns (per year)

                                   2011      2012      2013
    Campaigns                       165       408       779
    Emails per campaign             122        78        29
    Recipients per campaign          61       111        23
    Duration of campaign         4 days    3 days  8.3 days
  • 7. Establish a Backdoor into the Network
    – Attempt to obtain domain administrative credentials . . . Transfer the credentials out of the network.
    – The attackers then established a stronger foothold in the environment by moving laterally through the network and installing multiple backdoors with different configurations.
    – The malware is installed with system-level privileges through the use of process injection, registry modification or scheduled services.
    – Malware characteristics:
      – Malware is continually updated.
      – Malware uses encryption and obfuscation techniques for its network traffic.
      – The attackers' malware uses built-in Microsoft libraries.
      – The attackers' malware uses legitimate user credentials so they can better blend in with typical user activity.
      – It does not listen for inbound connections.
  • 8. "Utilities"
    – Program functionality includes:
      – Installing backdoors
      – Dumping passwords
      – Obtaining email from servers
      – Listing running processes
      – Tunnelling connections via trusted systems and staying low (see Beacon)
    – More malware characteristics:
      – Only a small percentage is detected by security software.
      – Utilises spoofed or stolen SSL certificates (e.g. Microsoft, Yahoo).
      – Most are NOT packed.
      – Common file names (e.g. svchost.exe, iexplore.exe).
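The "common file names" point on slide 8 is cheap to hunt for on the host: a process called svchost.exe is only legitimate if it runs from the Windows system directory, was started by services.exe and runs as a service account. The following is an added example written for this page, not code from the presentation or from any vendor; it assumes Windows 7/8-era default paths and parents (an assumption, adjust per build), and checks a constructed process list. On a real host the list would come from Sysmon event ID 1, an EDR process tree or a `Get-CimInstance Win32_Process` export.

```python
"""Hunting for masquerading processes by name, path, parent and user.
Added example for this deck; the expected paths/parents are assumed
defaults and the process list is constructed."""
import difflib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Where the genuine binary lives, who may spawn it and which accounts it
# runs as (assumed Windows 7/8 defaults; compared case-insensitively).
EXPECTED: Dict[str, dict] = {
    "svchost.exe": {
        "paths": {r"c:\windows\system32\svchost.exe",
                  r"c:\windows\syswow64\svchost.exe"},
        "parents": {"services.exe"},
        "users": {"nt authority\\system", "nt authority\\local service",
                  "nt authority\\network service"},
    },
    "lsass.exe": {
        "paths": {r"c:\windows\system32\lsass.exe"},
        "parents": {"wininit.exe"},
        "users": {"nt authority\\system"},
    },
    "iexplore.exe": {
        "paths": {r"c:\program files\internet explorer\iexplore.exe",
                  r"c:\program files (x86)\internet explorer\iexplore.exe"},
        "parents": {"explorer.exe", "iexplore.exe"},
        "users": None,  # any interactive user is fine
    },
}
# Legitimate names that merely resemble a decoy, so the lookalike check
# does not report explorer.exe as a misspelt iexplore.exe.
KNOWN_GOOD = set(EXPECTED) | {"explorer.exe", "services.exe", "wininit.exe"}


@dataclass
class Proc:
    pid: int
    name: str
    path: str
    parent_name: str
    user: str


def lookalike(name: str) -> Optional[str]:
    """Decoy name this one imitates (svch0st.exe -> svchost.exe), else None."""
    n = name.lower()
    if n in KNOWN_GOOD:
        return None
    for known in EXPECTED:
        if difflib.SequenceMatcher(None, n, known).ratio() >= 0.85:
            return known
    return None


def check_process(p: Proc) -> List[str]:
    """Reasons this process looks like a masquerade (empty list = clean)."""
    findings: List[str] = []
    imitated = lookalike(p.name)
    if imitated:
        findings.append(f"name resembles {imitated}")
        return findings
    rules = EXPECTED.get(p.name.lower())
    if rules is None:
        return findings
    if p.path.lower() not in rules["paths"]:
        findings.append(f"unexpected path {p.path}")
    if p.parent_name.lower() not in rules["parents"]:
        findings.append(f"unexpected parent {p.parent_name}")
    if rules["users"] is not None and p.user.lower() not in rules["users"]:
        findings.append(f"unexpected user {p.user}")
    return findings


def scan(procs: List[Proc]) -> Dict[int, List[str]]:
    """pid -> findings for every process that trips at least one rule."""
    return {p.pid: f for p in procs if (f := check_process(p))}


# Constructed process list: a genuine svchost, a decoy dropped in a user's
# temp directory, a misspelt decoy, and explorer.exe as a control.
SAMPLE = [
    Proc(812, "svchost.exe", r"C:\Windows\System32\svchost.exe",
         "services.exe", "NT AUTHORITY\\SYSTEM"),
    Proc(4120, "svchost.exe", r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
         "explorer.exe", "CORP\\bob"),
    Proc(4188, "scvhost.exe", r"C:\ProgramData\scvhost.exe",
         "cmd.exe", "CORP\\bob"),
    Proc(1604, "explorer.exe", r"C:\Windows\explorer.exe",
         "userinit.exe", "CORP\\bob"),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE).items():
        print(pid, "; ".join(reasons))
```

The path and parent checks catch the decoy even when it is unpacked and signed-looking, which is exactly the case slide 8 describes; the lookalike check is a small extension covering the "svch0st.exe" variant of the same trick.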
  • 10. Capture
    – Long-term occupancy
      – Longest known span was 660 days.
      – Average detection span is 150 days.
    – Control
      – Maintain control of industrial systems or business-related hardware.
  • 12. Methods of Exfiltration
    – Encrypting prior to exfiltration
      – Defeats DLP network monitoring.
    – Webmail
    – SSL via the victim's proxy
    – Abuse of other protocols
      – DNS
      – ICMP
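Slide 12 makes two points that belong together: once the data is encrypted before it leaves, a DLP engine that looks for card numbers or document markers sees nothing, so the remaining signal is the shape of the traffic; and DNS is a favourite carrier because it is almost never blocked outbound. The following is an added example written for this page, not code from the presentation or from any vendor. It profiles a DNS query log per registered domain (distinct subdomains, first-label length and entropy, share of TXT queries) and flags domains that look like a tunnel. The log format (timestamp, client, qname, qtype) and the log itself are constructed; the two-label "registered domain" split is a simplification (real code should use the Public Suffix List).

```python
"""Profiling a DNS query log for exfiltration-shaped traffic. Added example
for this deck; log format and contents are constructed."""
import base64
import hashlib
import math
from collections import defaultdict
from typing import Dict, List


def shannon_entropy(s: str) -> float:
    """Bits per character: around 2 for 'mail', 4.3+ for base32 ciphertext."""
    if not s:
        return 0.0
    n = len(s)
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    # Simplification for the example: last two labels (PSL in real code).
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def profile(lines: List[str]) -> Dict[str, dict]:
    """Per registered domain: distinct subdomains, mean first-label length,
    mean first-label entropy and the share of TXT queries."""
    subs: Dict[str, set] = defaultdict(set)
    lengths: Dict[str, List[int]] = defaultdict(list)
    entropies: Dict[str, List[float]] = defaultdict(list)
    txt: Dict[str, int] = defaultdict(int)
    total: Dict[str, int] = defaultdict(int)
    for line in lines:
        _ts, _client, qname, qtype = line.split()
        labels = qname.rstrip(".").lower().split(".")
        dom = registered_domain(qname)
        sub = ".".join(labels[:-2])              # everything left of the domain
        first = labels[0] if len(labels) > 2 else ""   # the label carrying data
        subs[dom].add(sub)
        lengths[dom].append(len(first))
        entropies[dom].append(shannon_entropy(first))
        total[dom] += 1
        txt[dom] += int(qtype.upper() == "TXT")
    return {
        dom: {
            "unique_subdomains": len(subs[dom]),
            "mean_label_len": sum(lengths[dom]) / total[dom],
            "mean_entropy": sum(entropies[dom]) / total[dom],
            "txt_ratio": txt[dom] / total[dom],
        }
        for dom in total
    }


def flag_exfil(lines: List[str], min_unique: int = 20,
               min_entropy: float = 3.5, min_label_len: int = 30) -> List[str]:
    """Domains with tunnel-shaped traffic: volume (many distinct subdomains)
    AND shape (long or high-entropy labels). Thresholds are starting points
    for the example; tune them against your own baseline."""
    hits = []
    for dom, p in sorted(profile(lines).items()):
        volume = p["unique_subdomains"] >= min_unique
        shape = (p["mean_entropy"] >= min_entropy
                 or p["mean_label_len"] >= min_label_len)
        if volume and shape:
            hits.append(dom)
    return hits


def constructed_log() -> List[str]:
    """Constructed log: a little normal browsing, then 40 chunks of 'stolen'
    data sent out as base32 labels under badc0rp.net via TXT queries."""
    benign = ["www.example.com A", "mail.example.com A", "cdn.example.com A",
              "www.example.com A", "time.windows.com A",
              "update.microsoft.com A"]
    lines = [f"2014-12-08T10:00:{i:02d} 10.1.2.34 {q}"
             for i, q in enumerate(benign)]
    for i in range(40):
        # A hash stands in for ciphertext: uniformly random-looking bytes.
        chunk = hashlib.sha256(f"stolen-chunk-{i}".encode()).digest()
        label = base64.b32encode(chunk).decode().rstrip("=").lower()
        lines.append(f"2014-12-08T10:01:{i:02d} 10.1.2.34 {label}.t.badc0rp.net TXT")
    return lines


if __name__ == "__main__":
    for dom, p in profile(constructed_log()).items():
        print(f"{dom:16} {p}")
    print("suspicious:", flag_exfil(constructed_log()))
```

The same volume-plus-shape reasoning applies to the ICMP case on the slide (payload size and entropy per source), but the DNS version is the one most shops can run today from resolver logs they already keep.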
  • 14. Tools Used
    Some of these tools are custom built by the APT group, while others are publicly available.
    – Shell Creator 2 – A custom-built tool used to check connections to their staging server, ensuring that the members are utilising proxy connections by rejecting any connection attempts made from Iran.
    – Net Crawler – A worm-like malware used to gather cached credentials in a Windows network.
    – TinyZBot – A custom-built bot with varying functionality. This tool is the primary weapon of choice for this group.
    – PrivEsc – A copy of another tool, the publicly released "KiTrap0D" exploit. It utilises the vulnerability MS10-015 to achieve privilege escalation.
    – Logger Module – A keylogger component of the custom-built PVZ bot tool set.
    – CCProxy – A publicly available proxy server for Windows.
    – NMap – A publicly available tool used to map networks and for reconnaissance.
    – Squid proxy – A publicly available tool that caches Internet content closer to a requester than its original point of origin.
  • 15. Attack & Incursion/Expansion
    This group was observed using the publicly known compiled exploit "PrivEsc", also known as "KiTrap0D". This exploit leverages an already-patched vulnerability in the Microsoft Windows kernel (CVE-2010-0232).
    – Cached Credential Dumping – Uses the 'Mimikatz' and 'Windows Credential Editor' tools to extract users' credentials from cache.
    – "ZhMimikatz" and "MimikatzWrapper" – Custom-built applications to automate execution of 'Mimikatz' and 'Windows Credential Editor' and parse the result into usable credential details.
    – PsExec – Used to log on to other computers with credentials obtained from zhMimikatz and MimikatzWrapper.
    – NetCrawler – A combination of PsExec and the cached-credential-dumping tools: first it gets credentials from the infected machine's cache, then it scans the local subnet for SMB port communication. Once another computer is identified, it copies itself to it, gathers credentials using the same method and reports results back to the source of infection. It then propagates over the network.
    – MS08-067 Exploit – The same vulnerability used by the Conficker worm. This attack group customised the publicly available exploit for this vulnerability and incorporated it in NetCrawler.
    – Jasus – Custom-built application to perform ARP cache poisoning.
    – Cain & Abel – Publicly available password-cracking tool, used to crack the password hashes obtained through cached-credential dumping.
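The NetCrawler behaviour on slide 15 (dump cached credentials, sweep the local subnet for SMB, copy itself, repeat) has a network signature that needs no endpoint agent: one internal host opening TCP/445 to many distinct peers in a short window, which ordinary workstations never do. The following is an added example written for this page, not code from the presentation or from any vendor. It runs a per-source sliding window over connection records and reports sources whose peak number of distinct SMB peers crosses a threshold. The record format (timestamp, src, dst, dport), the records themselves and the allow-list of known scanners are constructed assumptions.

```python
"""Detecting SMB fan-out (NetCrawler / PsExec-style lateral movement) from
connection logs. Added example for this deck; the log format, records and
scanner allow-list are constructed."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Tuple

SMB_PORT = 445


def parse_flow(line: str) -> Tuple[datetime, str, str, int]:
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def smb_fanout(lines: List[str], window: timedelta = timedelta(seconds=60),
               threshold: int = 10,
               allow: FrozenSet[str] = frozenset()) -> Dict[str, int]:
    """{src: peak distinct SMB peers within `window`} for every source whose
    peak reaches `threshold`. Sources in `allow` (patching and vulnerability
    scanners) are skipped. A slow sweep spread over hours will not trip a
    60-second window: widen it or lower the threshold to catch those."""
    per_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        if dport == SMB_PORT and src not in allow:
            per_src[src].append((ts, dst))

    hits: Dict[str, int] = {}
    for src, events in per_src.items():
        events.sort()
        in_window: deque = deque()
        peers: Counter = Counter()
        peak = 0
        for ts, dst in events:
            in_window.append((ts, dst))
            peers[dst] += 1
            while ts - in_window[0][0] > window:       # expire old connections
                _old_ts, old_dst = in_window.popleft()
                peers[old_dst] -= 1
                if peers[old_dst] == 0:
                    del peers[old_dst]
            peak = max(peak, len(peers))
        if peak >= threshold:
            hits[src] = peak
    return hits


def _rec(t: datetime, src: str, dst: str, port: int) -> str:
    return f"{t.isoformat()} {src} {dst} {port}"


def constructed_flows() -> List[str]:
    """Constructed records: workstation 10.1.2.34 talking to its file server,
    workstation 10.1.2.35 touching three peers, an allow-listed scanner
    sweeping the subnet, then 10.1.2.34 hitting 30 hosts on 445 in 30 s."""
    base = datetime(2014, 12, 8, 10, 0, 0)
    flows = [
        _rec(base, "10.1.2.34", "10.1.0.5", 445),
        _rec(base + timedelta(seconds=30), "10.1.2.34", "10.1.0.5", 445),
        _rec(base + timedelta(seconds=40), "10.1.2.34", "10.1.0.20", 443),
    ]
    for i in range(1, 4):
        flows.append(_rec(base + timedelta(minutes=1, seconds=i),
                          "10.1.2.35", f"10.1.2.{100 + i}", 445))
    for i in range(1, 51):
        flows.append(_rec(base + timedelta(minutes=2, seconds=i),
                          "10.1.0.9", f"10.1.2.{i}", 445))
    for i in range(1, 31):
        flows.append(_rec(base + timedelta(minutes=5, seconds=i),
                          "10.1.2.34", f"10.1.2.{i}", 445))
    return flows


if __name__ == "__main__":
    print(smb_fanout(constructed_flows(), allow=frozenset({"10.1.0.9"})))
```

Feed it real firewall or NetFlow records and the same function also surfaces the PsExec hop-by-hop pattern, just at a lower threshold; the allow-list is what keeps SCCM and vulnerability scanners from drowning the result.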
  • 16. Persistence
    TinyZBot – Customised malware developed in C#, which collects sensitive information such as keystrokes from infected machines and sends it to the attackers. It also maintains access into the compromised network.
    – Log keystrokes, monitor clipboard activity
    – SMTP exfiltration, enable a SOAP-based command and control channel
    – Self-updating, download and execute arbitrary code
    – Capture screenshots, extract saved passwords for Internet Explorer
    – Install as a service, establish persistence via a shortcut in the Startup folder
    – Provide unique malware campaign identifiers for tracking and control purposes
    – FTP exfiltration
    – Security software detection
    – Ability to disable Avira antivirus
    – Ability to modify PE resources
    – Dynamic plugin structure
    – Command and control communication: TinyZbot also exfiltrates sensitive information over SOAP, a sub-protocol carried over HTTP.
  • 17. Exfiltration
    – Anonymous FTP – Exfiltrating data through anonymous FTP servers on the Internet.
    – NetCat – Publicly available tool to transport information over the network between a configured server and client.
    – zhCat – Customised tool to replace NetCat. It lets them transport information over the network in obfuscated or encrypted form.
    – Plink – A utility provided with PuTTY (SSH), used by the attack group to forward local RDP ports over SSH.
    – SMTP – Customised malware such as TinyZbot and Csext collects sensitive information such as keystrokes from the infected machine and sends it to the attackers over email as an attachment.
    – SOAP – TinyZbot also exfiltrates sensitive information over SOAP, a sub-protocol carried over HTTP.
  • 18. What Can We Do?
  • 19. One ring to rule them all. Not.
    Claims:
    – Install AV
    – I need DLP
    – Someone get me an anti-APT gateway
    – But... we have a firewall
    – I'm getting a SIEM now!
    – I will have more regular pentests...
    – I will be patching like there's no tomorrow
    Rebuttals:
    – Not enough anymore.
    – Ever heard of the "gender changer" using socat?
    – You need a team to work with it. It's not a fishtank.
    – ...same way I promise my wife to put the toilet seat up the next time.
    – Piece of the puzzle, not the puzzle solution.
    – No problem. I guess you know what to protect, right?
    – Ever heard of red-teaming?
  • 20. The Anti-AntiAPT (how malware evades the sandbox)
    – Detection of a virtual environment
      – NIC identifiers
      – Storage identifiers
    – Delay before executing
    – Run on the targeted system only
    – Detect other environment characteristics
      – IP subnet
      – Joined to a domain?
      – Does "My Documents" have files?
      – Is there a mail client with an active profile and a full mailbox?
      – Previously logged-in users?
  • 21. So, you have a SIEM
    A successful monitoring program requires both numerous sources of security data and the automation, personnel and services to appropriately correlate and respond to intelligence.
    – Signature-based NIDS monitoring
    – NIDS monitoring with global intelligence
    – Firewall log association
    – Firewall analysis: scan detection
    – Firewall analysis: anomaly detection
    – Firewall analysis: backdoor detection
    – Firewall analysis: botnet C&C detection
    – Firewall analysis: IP watchlist detection
    – Web proxy analysis
    – Web application firewall alerts
    – Host IDS/IPS alerts
    – OS and application log analysis
    – Endpoint protection alerts
  • 23. One step back, see the big picture
    – What do I need to protect?
      – Do I know what I need to protect?
      – Where is it?
      – How is it being used?
      – Do I need to apply the same controls everywhere? Information value vs. security control cost.
      – Is my management aware and supportive?
    – Preventive measures
      – What do I have in place?
      – Can I improve my security with what I have?
      – Where shall I invest first? People, Processes, Technologies. USE THIS ORDER.
  • 24. One step back, see the big picture
    – Assume breach
      – How fast can I detect?
      – How fast can I respond?
    – Play to learn (kids do it all the time)
      – Look out for CTFs
      – Play: organise challenges with your peers
      – Take the attacker or, better, the defender side
      – You gain more with experience than with education.
  • 25. Ok, I'm pulling the plug on my datacenter
    – Not yet. Start with what you have.
    – People
      – Educate the employees
      – Many sources of information on the Internet
      – Small group classes
      – Different content per group
      – Throw a few baits here and there. Give them a safe environment to fail.
  • 26. Ok, I'm pulling the plug on my datacenter
    – Not yet. Start with what you have.
    – Are you utilising 100% of your security solutions?
      – Endpoint security is NOT AV. Enable all the capabilities.
      – Is your FW/UTM using all of its security features?
      – Can you monitor for changes in files and configurations?
        – Why should a Windows 8.1 system have Windows XP files?
        – Why have the DNS settings changed here?
        – Who just created a new mail rule to delete emails?
  • 27. NIST Cybersecurity Framework Summary

    Function   Question                                          Categories
    Identify   What are my assets, risks and business goals?    Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
    Protect    What are my safeguards to block attackers?        Access Control; Training; Data Security; Processes; Maintenance; Protective Technology
    Detect     How do I know when a security event has happened? Anomalies and Events; Continuous Monitoring; Detection Processes
    Respond    How do I respond to a cyber security event?      Response Planning; Communications; Analysis; Mitigation; Improvement
    Recover    How do I restore services after an event?        Recovery Planning; Improvements; Communications

    The framework provides a consensus description of what's needed for a comprehensive cybersecurity program, and allows organizations, regardless of size, degree of cyber risk or cybersecurity sophistication, to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure.
  • 28. If all else fails ...
  • 29. Core Security TC Programme
  • 30. References
    – http://www.symantec.com/content/en/us/enterprise/white_papers/b-advanced_persistent_threats_WP_21215957.en-us.pdf
    – http://www.cylance.com/operation-cleaver/
    – http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=istr-19
    – http://azure.microsoft.com/blog/2014/11/11/red-teaming-using-cutting-edge-threat-simulation-to-harden-the-microsoft-enterprise-cloud/