This document discusses advanced persistent threats (APTs) and malware, highlighting challenges facing traditional defenses. It notes that malware events occur every 3 minutes on average at organizations. The document outlines APT attack lifecycles involving exploitation, malware deployment, communication with command and control servers, and lateral movement. It also discusses case studies, forensic challenges posed by obfuscated code, and a signatureless next-generation threat protection approach.

1. APT: Hunting ÖDay Malware
Mustafa Qasim

2. Since this presentation started
of organizations will have some
malware event successfully evade
their IT defenses.

3. On average, malware events occur at a single
organization once every
3MINUTES

4. Introduction

5. Once upon a time...

8. According to IDC, between 2003 and 2011, total IT security spend grew
from $12 billion to $28 billion.
$12 Billion
2003
$28 Billion
2011

9. reActive
Vs
proActive

11. Fear of False Positive!

12. So called Defenders!

13. Firewalls
- Yes/No
- NexGen Firewall Buzz
- Latency Impact

14. IPS
- Traffic Signatures
- 0Day Prevention Buzz (Exploit > Vulnerability)
- Network Services vs. Client Side Attacks

15. Web Gateways
Called: Defense In-depth
In Actual: Iteration

16. Anti-Virus (L0L)
- Signatures
- Heuristics
- Sandbox

17. Anti-Virus (L0L)
- VIP entry via signed binary
– Flame by Microsoft ;-)

18. Signatures
- Binary / Traffic
- Morphing, Obfuscation, Encryption

19. Heuristics Dilemma

20. Heuristics Dilemma

21. Isn't Sandbox made up of sand?

24. Disheartened by Backward Looking Defenders?

25. The highest technique is to
have no technique.
My technique is a result of your technique;
my movement is a result of your movement.

26. APT Malware vs. Traditional

27. APT Attack Life Cycle

29. Stage 1
Intrusion through exploitation
- Remote Exploit / Local Exploit
- Social Engineering

30. Stage 2
Malware is dropped
- Single Click
- 64base Encrypted Hidden Link
- Java revoke list check disabled
- Legacy vs Advanced
* pdf not exe
* DLL search order hijacking

31. Stage 3
Phones Home
- RAT
- Outbound Encrypted Connection
- Proxy CnC for a network

32. Stage 4
Spreads laterally
- Not always hits target
- Clear entry point

33. Stage 5
Data extraction
- Small Chunks
- Staged Host
- Encrypted RAR

34. Case Studies
- RSA breach
- Operation Aurora

35. Forensics & Challenges
- Behavior
- Code
* Packed
* Obfuscated
* Anti Debugger
* Anti VM
* Time

36. NGTP
- Signature less
- Protection not Detection
- Virtual Execution Engine

37. Pakistan Cyber Space

38. First things FIRST!

39. “ If you know the enemy and know yourself, you
need not fear the result of a hundred battles.
If you know yourself but not the enemy, for
every victory gained you will also suffer a
defeat.”
— Sun Tzu, The Art of War

40. Honeynet Pakistan
- 6 Deployments
- Avg. 400 malware per day
- Around 100 Unique

42. ISPs
Financial
Institutions
NADRA
Government
Organizations

43. Honeytoken Snort Rule
alert ip any any -> any any (msg:"Alert! Token c86";
content:"r71p@g3r";)

44. Catch Me
Twitter: mustafaqasim
Freenode: mustu @ #offsec