Download as PDF, PPTX
![IdenQty
Protect
Detect
Respond
Recover
NIST
Categories
FuncQon
What
are
my
assets,
risks
and
business
goals?
Asset
Mgmt
Business
Environment
Governance
Risk
Assessment
Risk
Mgmt
Strategy
What
are
my
safeguards
to
block
aackers?
Access
Control
Training
Data
Security
Processes
Maintenance
ProtecQve
Technology
How
do
I
know
when
a
security
event
has
happened?
Anomalies
and
Events
ConQnuous
Monitoring
DetecQon
Processes
How
do
I
respond
to
a
cyber
security
event?
Response
Planning
CommunicaQons
Analysis
MiQgaQon
Improvement
How
do
I
restore
services
a]er
an
event?
Recovery
Planning
Improvements
CommunicaQons
NIST
Cybersecurity
Framework
Summary
The
framework
provides
a
consensus
descripQon
of
what's
needed
for
a
comprehensive
cybersecurity
program,
and
allows
organizaQons—regardless
of
size,
degree
of
cyber
risk
or
cybersecurity
sophisQcaQon—to
apply
the
principles
and
best
pracQces
of
risk
management
to
improve
the
security
and
resilience
of
criQcal
infrastructure](https://image.slidesharecdn.com/3-141221191249-conversion-gate01/75/3-APTs-Presentation-27-2048.jpg)
More Related Content
Similar to 3. APTs Presentation
3. APTs Presentation
- 1. APTs – Playing Defense The New Era of Cyber Security University of Piraeus 8/12/2014 Christos Ventouris cventouris@isc2-‐chapter.gr @clechuck
- 2. • Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-‐known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target’s posture. • Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives. • Threat means the adversary is not a piece of mindless code. This point is crucial. Some people throw around the term “threat” with reference to malware. If malware had no human attached to it (someone to control the victim, read the stolen data, etc.), then most malware would be of little worry (as long as it didn’t degrade or deny data). Rather, the adversary here is a threat because it is organized and funded and motivated. Some people speak of multiple “groups” consisting of dedicated “crews” with various missions.
- 3.
- 4.
- 5. Targeted AHack Campaigns Email per Campaign 122 78 29 Recipients/Campaign 61 111 23 Campaigns 165 408 779 2011 2012 2013 DuraQon of Campaign 4 days 3 days 8.3 days
- 7. Establish a Backdoor into the Network • Attempt to obtain domain administrative credentials . . . Transfer the credentials out of the network • The attackers then established a stronger foothold in the environment by moving laterally through the network and installing multiple backdoors with different configurations. • The malware is installed with system level privileges through the use of process injection, registry modification or scheduled services. • Malware characteristics: – Malware is continually updated – Malware uses encryption and obfuscation techniques of its network traffic – The attackers’ malware uses built-‐in Microsoft libraries – The attackers’ malware uses legitimate user credentials so they can better blend in with typical user activity – Do not listen for inbound connections
- 8. “UQliQes” • Programs functionality includes: – Installing backdoors – Dumping passwords – Obtaining email from servers – List running processes – Tunnel connections via trusted systems and stay low (see Beacon) • More Malware Characteristics: – Only a small % detected by security software – Utilize spoofed or stolen SSL Certificates • ie. Microsoft, Yahoo – Most NOT packed – Common File names • ie. Svchost.exe, iexplore.exe
- 10. Capture • Long-‐term occupancy – Longest known span was 660 days – Average detecQon span is 150 days • Control – Maintain control of industrial systems or business related hardware.
- 12. Methods of exfiltraQon • EncrypQng prior to exfiltraQon – Defeat DLP network monitoring • Webmail • SSL via vicQm’s proxy • Abuse of other protocols – DNS – ICMP
- 13.
- 14. Tools Used Some of these tools are custom built by the APT group, while others are publicly available. Shell Creator 2 – A custom built tool used to check connecQons to their staging server. Ensuring that the members are uQlizing proxy connecQons by rejecQng any connecQon aHempts made in Iran. Net Crawler – A worm-‐like malware used to gather cached credenQals in a Windows network. TinyZBot – A custom built bot with varying funcQonaliQes. This tool is the primary weapon of choice for this group. PrivEsc – A copy of another tool named “KiTrap0D” exploit which was released publicly. This tool uQlizes the vulnerability MS10-‐015 to achieve privilege escalaQons. Logger Module – A key logger component of custom built PVZ bot tool set. CCProxy – A publicly available proxy server for Windows. NMap – A publicly available tool used to map networks and for reconnaissance. Squid proxy – A publicly available tool that caches Internet content closer to a requestor than its original point of origin.
- 15. AHack & Incusion/Expansion This group was observed using the publicly known compiled exploit “PrivEsc” also known as “KiTrap0D”. This exploit leverages an already patched vulnerability in Microsog Windows Kernel (CVE-‐2010-‐0232). Cached CredenDal Dumping – Uses ‘Mimikatz’ and ‘Windows CredenQal’ Editor Tools to extract users’ credenQals from cache. “ZhMimikatz” and “MimikatzWrapper” – Custom built applicaQon to automate execuQon of ‘Mimikatz’ & ‘Windows CredenQal’ and parsing the result to get usable credenQal details. PsExec – Uses this tool to logon to other computers with credenQals obtained from zhMimikatz and MimikatzWrapper. NetCrawler – CombinaQon of PsExec and cached credenQal-‐dumping tools where first it gets credenQals from the infected machine’s cache and then scans the local subnet for SMB port communicaQon. Once another computer is idenQfied, it copies itself to it and gathers credenQals using the same method and reports results back to source of infecQon. It then propagates over the network. MS08-‐067 Exploit – This is the same vulnerability used by the conficker worm. This aHack group customizes the publicly available exploit for this vulnerability and incorporated in NetCrawler. Jasus – Custom built applicaQon to perform ARP cache poisoning. Cain & Abel – Publicly available password cracking tool. This tool is used to crack the passwords that are obtained from the cache credenQal dumping method.
- 16. Persistence TinyZBot – It is customized malware developed on C#, which collects sensiQve informaQon such as keystrokes of infected machines and sends them to aHackers. It also maintains access into compromised network. • Log keystrokes, Monitor clipboard acQvity • SMTP exfiltraQon, Enable a SOAP-‐based command and control channel • Self-‐updaQng, Download and execute arbitrary code • Capture screenshots, Extract saved passwords for Internet Explorer • Install as a service, Establish persistence by shortcut in startup folder • Provide unique malware campaign idenQfiers for tracking and control purposes • FTP exfiltraQon • Security sogware detecQon • Ability to disable Avira anQvirus • Ability to modify PE resources • Dynamic plugin structure • Command and Control communicaQon: TinyZbot also exfiltrates sensiQve informaQon over SOAP protocol which is sub-‐protocol communicated via HTTP.
- 17. ExfiltraQon Anonymous FTP – ExfiltraQng data through some Anonymous FTP on the internet. NetCat – Publicly available tool to transport informaQon over the network between configured server and client. zhCat – Customized tool to replace NetCat. This tool lets them transport informaQon over the network in obfuscated or encrypted form. Plink – A uQlity provided in PuTTY(SSH) which is used by the aHack group to forward local RDP ports over SSH. SMTP – Customized malware such as TinyZbot & Csext, which collects sensiQve informaQon such as keystrokes of the infected machine and sends them to aHackers over email as aHachment. SOAP – TinyZbot also exfiltrates sensiQve informaQon over SOAP protocol which is sub-‐ protocol communicated via HTTP.
- 18. What Can We Do?
- 19. One ring to rule them all. not. Install AV I need DLP Someone get me an anQ-‐ APT gateway But… we have a firewall I’m gerng a SIEM now ! I will have more regular pentests … I will be patching like there’s no tomorrow Not enough anymore Ever heard of the “gender changer” using socat ? You need a team to work with it. Its not a fishtank. … same way I promise my wife to put the toilet seat up the next Qme. Piece of the puzzle, not the puzzle soluQon. No problem. I guess you know what to protect, right ? Ever heard of red-‐ teaming ?
- 20. The AnQ-‐AnQAPT • DetecQon of virtual environment – NIC idenQfiers – Storage IdenQfiers • Delay to execute • Run on targeted system only. • Detect other environment characterisQcs. – IP subnet – Joined in a domain. – Does “My Documents” have files ? – Is there an mail client with an acQve profile and full mailbox ? – Previous logged in users ?
- 21. A successful monitoring program requires both numerous sources of security data and the automaQon, personnel and services to appropriately correlate and respond to intelligence. Signature-‐Based NIDS Monitoring NIDS Monitoring with Global Intelligence Firewall Log AssociaQon Firewall Analysis: Scan DetecQon Firewall Analysis: Anomaly DetecQon Firewall Analysis: Backdoor DetecQon Firewall Analysis: Botnet C&C DetecQon Firewall Analysis: IP Watchlist DetecQon Web Proxy Analysis Web ApplicaQon Firewall Alerts Host IDS/IPS Alerts OS and ApplicaQon Logs Analysis Endpoint ProtecQon Alerts So, you have a SIEM
- 23. One step back, see the big picture • What do I need to protect ? – Do I know what I need to protect? • Where is it ? • How’s it been used ? – Do I need to apply same controls everywhere ? • InformaQon value vs. Security Control cost – Is my management aware and supporQve ? • PrevenQve measures – What do I have in place ? – Can I improve my security with what I have ? – Where shall I invest first ? • People • Processes • Technologies • USE THIS ORDER
- 24. One step back, see the big picture – Assume Breach • How fast can I detect? • How fast can I respond? – Play to learn (kids do it all the Qme) • Look out for CTFs • Play – organize challenges with your peers • Take aHacker or –beHer-‐ defender sides • You gain more with experience than with educaQon.
- 25. Ok, I’m pulling the plug of my Datacenter • Not yet. Start with what you have. • People – Educate the employees • Many sources of informaQon on the internet • Small group classes. • Different content per group • Throw a few baits here and there. Give them a safe environment to fail.
- 26. Ok, I’m pulling the plug of my Datacenter • Not yet. Start with what you have. • Are you uQlizing 100% of your security soluQons? – Endpoint Security is NOT AV. Enable all the capabiliQes. – Is your FW/UTM using all of its security features? – Can you monitor for changes in files and configuraQons ? • Why should a Windows 8.1 system have Windows XP files ? • Why have the DNS serngs here? • Who just created a new mail rule to delete emails.
- 27. IdenQty Protect Detect Respond Recover NIST Categories FuncQon What are my assets, risks and business goals? Asset Mgmt Business Environment Governance Risk Assessment Risk Mgmt Strategy What are my safeguards to block aackers? Access Control Training Data Security Processes Maintenance ProtecQve Technology How do I know when a security event has happened? Anomalies and Events ConQnuous Monitoring DetecQon Processes How do I respond to a cyber security event? Response Planning CommunicaQons Analysis MiQgaQon Improvement How do I restore services a]er an event? Recovery Planning Improvements CommunicaQons NIST Cybersecurity Framework Summary The framework provides a consensus descripQon of what's needed for a comprehensive cybersecurity program, and allows organizaQons—regardless of size, degree of cyber risk or cybersecurity sophisQcaQon—to apply the principles and best pracQces of risk management to improve the security and resilience of criQcal infrastructure
- 28. If all else fails …
- 29. Core Security TC Programme 29
- 30. References • hHp://www.symantec.com/content/en/us/enterprise/white_papers/b-‐ advanced_persistent_threats_WP_21215957.en-‐us.pdf • hHp://www.cylance.com/operaQon-‐cleaver/ • hHp://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=istr-‐19 • hHp://azure.microsog.com/blog/2014/11/11/red-‐teaming-‐using-‐curng-‐edge-‐threat-‐ simulaQon-‐to-‐harden-‐the-‐microsog-‐enterprise-‐cloud/