International Cooperative APT Hunting
Andre Ludwig
Current:
CTO - Global Cyber Alliance
Past:
CEO - Honeynet Project
Sr Technical Director - Novetta
Principal Security Engineer - DARPA
Zachary Hanif
Current:
Head of Security Data Machine Learning -
Capital One
Past:
Director of Applied Data Science - Novetta
Holmes-Totem
Principal Data Scientist - Endgame
BinaryPig
So you want to hunt APTs?
01 What is an “APT”?
What does APT stand for?
A basic history of the term
How has this term evolved over time?
Where did the term come from?
Advanced Persistent Threats:
Originated from a term created by Colonel Greg
Rattray (USAF) in 2006 to describe a certain
“class” of threat actor that the USAF was dealing
with.
“An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltration of information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.” – National Institute of Standards and Technology (NIST SP 800-39)
What is the official definition?
Catch-all phrase for any attacker or group of attackers who demonstrate persistence and/or sophistication in their attempts to gain unauthorized access to computers/networks/data.
AKA
China/Russia/US/UK/Hacking Team/FinFisher/anyone who ever used Metasploit
How people (mis)use the term
● APT tends to get thrown around a great deal (THANKS
MARKETING DEPT!)
● Too often, it becomes a byword for “state sponsored” or
“technically sophisticated” malware
○ This is not nuanced, and can misrepresent reality
○ Many professionals dislike the term as a result
● In general, the actor is the differentiating factor, not the malware
itself
○ Technical sophistication is not the sole meaning of
“Advanced” in APT
Resultant Confusion
02 The reality of APTs
Introduction to the Intelligence Process
Realities of APTs
● Nation states are typically APTs, but not all APTs are nation states.
● Multistage, long term attacks, focused on their strategic objectives
● Not necessarily deep technical sophistication through the tool
chain
● Attack vectors and persistence strategies range widely, even into
the physical realm
● Attacker probability of success approaches 1 over time (sooner or
later, they’ll achieve their goals)
○ These are players on the world stage at the end of the day
○ This is their full-time job, and there is a large support
structure around most operations
Realities of APTs
03 Interacting with APTs
Good guy motivations
Cautionary tales
Knowing when to stop (or continue)
Appropriate responses
● Defense of an organization, network, customer base, etc
● Public Participation in an effort/PR and marketing
○ Potential sales by being seen as “experts”
○ Personal/organizational fame
● General “internet cleanliness”
● Political motivations
○ The support of or opposition to an actor or victim
○ This can be seen in the candidate selection process and
reporting style
● Desire to have an impact against “the bad guys”
Good guys’ motivations
● Ok, so you’ve muscled onto the stage of geopolitics...now what?
○ It’s highly unlikely that you are prepared to tango here
● Interacting with an APT is a very delicate thing, with many concerns
○ Public Attribution?
■ What are the goals?
○ What kind of escalation may occur?
■ Against individuals, organizations, our home countries,
etc?
■ Destructive wiping, rm -rf / style (the Sony Pictures attack)
■ DDoS attacks?!?
■ Non cyber related escalations?
■ Or do they just re-tool and do the same old stuff?
● Think how an organized group would react to their prized tool
being removed from their toolset, what's the next best tool?
World Stage
● Ok, let’s say it IS a nation-state behind things
● Maybe they retaliate?
○ PII leaks against people or organizations?
○ Blackmail?
○ Kinetic retaliation?
● Potential Diplomatic issues?
○ Official statements made by national representatives
○ Complicate ongoing official investigations
■ Intel gain/loss concerns
● Potential Personal Security Issues?
○ Increased interest by international LE/Intel agencies?
● Economic impacts on participating organizations
○ Sanctions, “lost paperwork”, other economic punishment
World Stage pt2
04 The Generic Process of Interdiction
Target Selection
Setting of strategic goals
Discovery process
Knowledge creation
Planning of actions
Impact Assessment
Dealing with follow up responses
● Infection populations
○ Analysis of overall infections from telemetry of partners
● Overall threat and harm
○ What does the threat do, how, why, etc
● Random selection
○ No really, just randomly select from a list
○ Darts are also good
● Based on industry the threat targets
○ Sector based threats (retail banking, energy sector, etc)
● Some “basic” analysis is being done at this step already
○ Type of threat
○ Type of victims
○ Potential impact of mitigating the threat
Target Selection
● What does the end result look like
○ Slowing the actor’s progress?
○ Bringing the actor’s actions to the general public
knowledge?
○ Stopping the actor entirely (rarely, if ever)
● Participants
○ Multi organizational effort?
○ Inclusion of law enforcement?
○ Inclusion of national security apparatus?
● What level of reporting should be done
○ Full exhaustive reporting or something lighter?
○ Should you only publish signatures (av/IDS)?
● Analysis and understanding of the threat should be pushed
forward by this step as well
Setting of Strategic Goals
● Sample discovery through open sources
○ Trawling of private industry sources
○ VirusTotal
● Sample Collection from private sources
○ Sample trading
○ Group/Partner contributions
● Infrastructure mapping
○ Domain name analysis (passive DNS)
○ Port scanning
○ Whois analysis
● Identifying what other parties you’re likely conflicting with
○ Or, as in Blockbuster, who might conflict with you
Discovery Process
● Capturing background data
○ Previous reporting
○ Daily news (geopolitical issues/conflicts/tensions)
● Dynamic malware analysis
○ Generates limited data quickly!
○ Can aid in “basic” clustering of malware families
● Reverse engineering output
○ Capture and instrumentation of reverse engineering process
○ Only real way to cluster families with strong confidence
● Potentially related attacks by the actor
○ Previous reporting
○ Previous misreporting
● TTP mapping and signature generation
○ You can find a large repository of good resources on past
APTs here
Knowledge Creation
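The slide distinguishes quick dynamic analysis (enough for “basic” clustering) from reverse engineering (needed for confident family attribution), and then moves on to signature generation. The Python below is an added example of the cheap end of that spectrum, not the authors' or Novetta's tooling (Skald/Holmes-Totem are not shown here). The sample ids, mutex names, registry paths, hosts, API names and the benign baseline are constructed and hypothetical. It clusters sandbox reports by Jaccard similarity of their behavioural features with single linkage, then derives per-family candidate indicators as the features every member shares, after removing anything that also shows up in clean software.

```python
"""Behavioural clustering of sandbox reports and candidate-signature extraction.

Added example. Sample ids, mutex names, registry paths, hosts and API names
are constructed and hypothetical.
"""
from itertools import combinations
from typing import Dict, FrozenSet, List, Set

REG_A = "reg:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updsvc"
REG_B = "reg:HKLM\\SYSTEM\\CurrentControlSet\\Services\\netmon"

# Sandbox output reduced to one feature set per sample. Constructed sample.
REPORTS: Dict[str, Set[str]] = {
    "s1": {"mutex:updsvc_lock_a", REG_A, "dns:login-mail.example",
           "api:CreateRemoteThread", "api:WriteProcessMemory"},
    "s2": {"mutex:updsvc_lock_a", REG_A, "dns:update-cdn.example",
           "api:CreateRemoteThread", "api:WriteProcessMemory"},
    "s3": {"mutex:updsvc_lock_a", REG_A, "dns:login-mail.example",
           "api:CreateRemoteThread", "file:%TEMP%\\drop.tmp"},
    "s4": {"mutex:netmon_sync_b", REG_B, "dns:news-portal.example",
           "api:CreateRemoteThread"},
    "s5": {"mutex:netmon_sync_b", REG_B, "dns:news-portal.example",
           "api:CreateRemoteThread", "api:WriteProcessMemory"},
    "s6": {"api:CreateRemoteThread", "file:%TEMP%\\readme.txt"},
}

# Features also common in legitimate software: never signature material.
BENIGN_BASELINE: Set[str] = {"api:CreateRemoteThread", "api:WriteProcessMemory"}


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Set similarity in [0, 1]; 1.0 means identical observed behaviour."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_samples(reports: Dict[str, Set[str]], threshold: float = 0.5) -> List[FrozenSet[str]]:
    """Single-linkage clustering with union-find: two samples end up together
    if some chain of pairs between them is at least `threshold` similar."""
    parent = {s: s for s in reports}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(reports, 2):
        if jaccard(reports[a], reports[b]) >= threshold:
            parent[find(a)] = find(b)
    groups: Dict[str, Set[str]] = {}
    for s in reports:
        groups.setdefault(find(s), set()).add(s)
    return [frozenset(g) for g in groups.values()]


def candidate_signatures(reports, clusters, baseline, min_members: int = 2) -> Dict[FrozenSet[str], Set[str]]:
    """Per cluster, the features every member shares minus benign noise.
    Singletons yield nothing: one sample is not evidence of a family."""
    sigs: Dict[FrozenSet[str], Set[str]] = {}
    for members in clusters:
        if len(members) < min_members:
            continue
        common = set.intersection(*(reports[m] for m in members))
        sigs[members] = common - baseline
    return sigs


if __name__ == "__main__":
    found = cluster_samples(REPORTS)
    for members, features in candidate_signatures(REPORTS, found, BENIGN_BASELINE).items():
        print(sorted(members), "->", sorted(features))
```

Single linkage is deliberate: s2 and s3 are below the threshold against each other but both sit above it against s1, so they land in one family, which is how a sandbox-only view usually looks. The resulting indicator sets (a mutex plus a persistence key, or a mutex, a service key and a host) are candidates only; the slide's point stands that reverse engineering is what turns them into a family with confidence, and the benign-baseline subtraction is the minimum guard against shipping a signature that fires on every process injector.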
● Level of involvement with ecosystem maintainers and owners
● Strategy for marketing and publication
● Strategy for group management and coordinated release
● Deconfliction with other organizations which may be
independently pursuing the actor
● Timelines for public reporting, and which components of research
to be released
○ Written agreements and NDAs
○ Continual group communication
● Definitions of operational security measures
○ Encrypted email and other digital communications
○ Discussion only with small, known groups
Planning of Actions
● Important to know if your efforts had any meaningful effect, or
were just hot air
○ Measurement is hard, and is always a cooperative process
● Telemetry gathering and analysis
○ Partners are likely the best mechanism for gathering this
data
○ Victims are often incentivized to not report additional
problems
● Long-term information gathering
○ Monitoring for TTPs or other indicators of infrastructure
reuse
○ This can include wide-spectrum scanning for some threat
infrastructure
Impact Assessment
● Most actors will not go away after a single operation
○ Or for that matter, any number of operations
○ A renewed compromise attempt can actually be an indicator of success
○ This reinfection can be across a vertical (other, similar orgs)
● Anti-APT efforts are a continual struggle - just like us, these actors
make their living through this activity
● Likely, even if the actors abandon their efforts, the infection will not
be cleaned worldwide, and multiple stages of signatures, etc will
need to be pushed
● In some situations, you might never know exactly how effective
your efforts were - for good and bad
Follow Up
05 Prior Takedowns
Storm
Conficker
Waledac
Operation SMN
Operation Blockbuster
● First real P2P botnet
○ Focused on spam
○ Heavily monetized
● Several parallel researchers were “messing with the botnet”
○ P2P poisoning, C2 take overs, etc.
● Microsoft and other large vendors pushed “detections”
○ MS pushed an MSRT update
○ Honeynet pushed out the Stormfucker tool
● Actors behind the botnet start to slice it up and sell it off
● New version appears: Stormbot 2
● Authors may have moved on to other things?!?
Storm Botnet
● Started as a worm exploiting MS08-067
○ Spread at an alarming rate
○ Multiple infection vectors
● Multiple Generations of malware (three major versions)
● Very suspicious functionality (Ukrainian keyboard detection)
Conficker
● Operation b49 by Microsoft, 2010
○ Via legal action MS took control of 276 C2 domains used by
the bot
● Attempt by Dell SecureWorks/Kaspersky/CrowdStrike/Honeynet to take down
Kelihos.B in 2012
○ Worked for a few weeks, but the actors soon introduced a new
version, Kelihos.C, with new protocols in use.
● 2013: Kelihos.C live takedown on stage at RSA Conference by Tillmann
Werner
● Different malware families have been installed by the various
versions over the years
● Effects:
○ Multiple generations of botnet (the authors really liked to make
$$)
Waledac/Kelihos
● Discovery
○ Brought to our attention by our customers
○ Discovered malware on their networks, and wanted to
investigate
● Actor
○ Highly coordinated group of actors
○ Appeared to have a multi-stage victim funnel
○ Primarily engaged in information theft
● Techniques/TTPs (report)
○ Initial method of infection varied (phishing, watering hole
attacks)
○ Heavy use of compromised/misappropriated infrastructure
○ Later stages were very “smash and grab” oriented
Operation SMN
● Resultant Tooling and Lessons
○ Interdiction group coordination (rosetta stone,
announcements)
○ Coordinated press releases are hard
○ Large scale infrastructure scanning and collection
○ Static analysis and machine learning (Skald/Holmes-Totem)
■ Large sample sets are hard for everyone to work with
■ Became large open source project, partnership with
TUM and GSoC (hi George, Christian, Marcel, Max)
● Nine public industry partners involved
○ First coordinated industry effort against an APT group
● Purpose was to expose and clean the entire toolset used by the
threat actor
○ Coordinated high quality signature release across partners
○ Shared those signatures on “publication” date with 155 other
security vendors across the globe
Operation SMN
● Led to follow up reporting
○ Bad guys shifted, found new tools at last minute
○ This is a good thing: forced the retooling goal we were
looking for
● Effects:
○ Public FBI assertion that the attacks originated from China
○ Decrease in attacks attributed to this group
○ Reduction/Disappearance of some of the specialized tools
from use
Operation SMN
● Discovery
○ Very public announcement of hack by the attackers
○ We got involved after becoming frustrated with follow-on
reporting
● Actor
○ Strong operational capabilities, issues with technical
implementation
● Techniques/TTPs
○ Extremely detailed internal knowledge of the target
● Resultant Tooling and Lessons
○ Machine learning based triage system
○ Function/malware clustering algorithm
○ Big take away - a small team can have a huge effect on
keeping the Internet safe
Operation Blockbuster
● Coordinated AV push
○ Kaspersky, AlienVault, Symantec, TrendMicro, netrisk.io, other
private and public participants
● Large scale distribution of in depth RE/Technical info to industry
○ Main resources page
● Public reporting of TTP's
○ Securelist Blog Announcement
● Effects
○ Thousands of infections detected and cleaned (that we know
of)
○ SWIFT banking attacks (the Bangladesh Bank heist) attributed to Lazarus Group
($951 million attempted, $81 million stolen)
○ Continued interest and larger working base of knowledge in
industry
Operation Blockbuster
06 Future of Interdictions
GCA Takedown Task Force
Following the Changing threat landscape
● Global Cyber Alliance is a US/UK based not-for-profit organization
○ Funded by District Attorney of New York and City of London
Police
● GCA would act like a middleman to coordinate, help plan, and
manage operations for industry partners
○ Partners would sponsor/suggest threats to pursue
○ GCA would help build reasonable coalitions
○ GCA would aid in the management and planning
● A goal is to drive continued and sustained efforts to coordinate
across industries and build lasting coalitions to address malware
based risks
GCA Takedown Task Force
● As technology evolves and new attack surfaces appear, the good
guys will have to follow into those realms and defend them
○ Internet of Things
○ Mobile/Wireless networks
● This really ends up being a bunch of education work aimed at new
industries where security may not be “built in”
● We have to try and project beyond what a “bad guy” can do so we
can strategically build technology, relationships, and processes to
address future issues
Following the Changing Landscape
Key Points
Four key points to think about for the future
This is not just a technical problem
In order to coordinate and build long lasting partnerships
you must master the art of relationship building and
understand each stakeholder's needs and motivations.
APT is differentiated by humans, not code
While APT actors will display sophisticated technical skills,
the ultimate differentiator is their operational capabilities
and coordination
Anyone can start an interdiction effort
All it takes is some technical skills, a lot of motivation, and
the ability to communicate and build relationships to
execute an interdiction.
The landscape is changing rapidly
The last 10 years have seen massive changes in threat actor
sophistication and motivation. This evolutionary process
shows no signs of slowing down.
THANK YOU!
Andre Ludwig -
Aludwig@globalcyberalliance.org
Key id: 2238C189
Zachary Hanif -
zachary.hanif@capitalone.com

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsAndrey Dotsenko
 

Recently uploaded (20)

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 

International Cooperative: APT Hunting

  • 2. Andre Ludwig
    Current: CTO - Global Cyber Alliance
    Past: CEO - Honeynet Project; Sr Technical Director - Novetta; Principal Security Engineer - DARPA
  • 3. Zachary Hanif
    Current: Head of Security Data Machine Learning - Capital One
    Past: Director of Applied Data Science - Novetta (Holmes-Totem); Principal Data Scientist - Endgame (BinaryPig)
  • 4. So you want to hunt APTs?
  • 5. 01 What is an “APT”?
    What does APT stand for?
    A basic history of the term
    How has this term evolved over time?
  • 6. Where did the term come from?
    Advanced Persistent Threats: originated from a term created by Colonel Greg Rattray (USAF) in 2006 to describe a certain “class” of threat actor that the USAF was dealing with.
  • 7. What is the official definition?
    “An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltration of information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.” – National Institute of Standards and Technology
  • 8. How people (mis)use the term
    Catch-all phrase for any attacker or group of attackers who demonstrate persistence and/or sophistication in their attempts to gain unauthorized access to computers/networks/data.
    AKA CHINA/RUSSIA/US/UK/HackTeam/FinFisher/Anyone who ever used Metasploit
  • 9. Resultant Confusion
    ● APT tends to get thrown around a great deal (THANKS MARKETING DEPT!)
    ● Too often, it becomes a byword for “state sponsored” or “technically sophisticated” malware
      ○ This is not nuanced, and can misrepresent reality
      ○ Many professionals dislike the term as a result
    ● In general, the actor is the differentiating factor, not the malware itself
      ○ Technical sophistication is not the sole meaning of “Advanced” in APT
  • 10. 02 The reality of APTs
    Introduction to the Intelligence Process
    Realities of APTs
  • 11.
  • 12.
  • 13. Realities of APTs
    ● Nation states are typically APTs, but not all APTs are nation states.
    ● Multistage, long-term attacks, focused on their strategic objectives
    ● Not necessarily deep technical sophistication throughout the tool chain
    ● Attack vectors and persistence strategies range widely, even into the physical realm
    ● Attacker probability of success approaches 1 over time (sooner or later, they’ll achieve their goals)
      ○ These are players on the world stage at the end of the day
      ○ This is their full-time job, and there is a large support structure around most operations
  • 14. 03 Interacting with APTs
    Good guy motivations
    Cautionary tales
    Knowing when to stop (or continue)
    Appropriate responses
  • 15. Good Guys’ motivations
    ● Defense of an organization, network, customer base, etc.
    ● Public participation in an effort / PR and marketing
      ○ Potential sales by being seen as “experts”
      ○ Personal/organizational fame
    ● General “internet cleanliness”
    ● Political motivations
      ○ The support of or opposition to an actor or victim
      ○ This can be seen in the candidate selection process and reporting style
    ● Desire to have an impact against “the bad guys”
  • 16. World Stage
    ● Ok, so you’ve muscled onto the stage of geopolitics... now what?
      ○ It’s highly unlikely that you are prepared to tango here
    ● Interacting with an APT is a very delicate thing, with many concerns
      ○ Public attribution?
        ■ What are the goals?
      ○ What kind of escalation may occur?
        ■ Against individuals, organizations, our home countries, etc.?
        ■ rm -rf / (aka Sony attacks)
        ■ DDoS attacks?!?
        ■ Non-cyber escalations?
        ■ Or do they just re-tool and do the same old stuff?
    ● Think how an organized group would react to their prized tool being removed from their toolset: what's the next best tool?
  • 17. World Stage pt 2
    ● Ok, let’s say it IS a nation-state behind things
    ● Maybe they retaliate?
      ○ PII leaks against people or organizations?
      ○ Blackmail?
      ○ Kinetic retaliation?
    ● Potential diplomatic issues?
      ○ Official statements made by national representatives
      ○ Complicating ongoing official investigations
        ■ Intel gain/loss concerns
    ● Potential personal security issues?
      ○ Increased interest by international LE/Intel agencies?
    ● Economic impacts on participating organizations
      ○ Sanctions, “lost paperwork”, other economic punishment
  • 18. 04 The Generic Process of Interdiction
    Target selection
    Setting of strategic goals
    Discovery process
    Knowledge creation
    Planning of actions
    Impact assessment
    Dealing with follow-up responses
  • 19. Target Selection
    ● Infection populations
      ○ Analysis of overall infections from telemetry of partners
    ● Overall threat and harm
      ○ What does the threat do, how, why, etc.
    ● Random selection
      ○ No really, just randomly select from a list
      ○ Darts are also good
    ● Based on the industry the threat targets
      ○ Sector-based threats (retail banking, energy sector, etc.)
    ● Some “basic” analysis is being done at this step already
      ○ Type of threat
      ○ Type of victims
      ○ Potential impact of mitigating the threat
  • 20. Setting of Strategic Goals
    ● What does the end result look like?
      ○ Slowing the actor’s progress?
      ○ Bringing the actor’s actions to the general public’s knowledge?
      ○ Stopping the actor entirely (rarely, if ever)
    ● Participants
      ○ Multi-organizational effort?
      ○ Inclusion of law enforcement?
      ○ Inclusion of national security apparatus?
    ● What level of reporting should be done?
      ○ Full exhaustive reporting or something lighter?
      ○ Should you only publish signatures (AV/IDS)?
    ● Analysis and understanding of the threat should be pushed forward by this step as well
  • 21. Discovery Process
    ● Sample discovery through open means
      ○ Trolling of private industry sources
      ○ VirusTotal
    ● Sample collection from private sources
      ○ Sample trading
      ○ Group/partner contributions
    ● Infrastructure mapping
      ○ Domain name analysis (passive DNS)
      ○ Port scanning
      ○ Whois analysis
    ● Identifying what other parties you’re likely conflicting with
      ○ Or, in Blockbuster, might conflict with you
  • 22. Knowledge Creation
    ● Capturing background data
      ○ Previous reporting
      ○ Daily news (geopolitical issues/conflicts/tensions)
    ● Dynamic malware analysis
      ○ Generates limited data quickly!
      ○ Can aid in “basic” clustering of malware families
    ● Reverse engineering output
      ○ Capture and instrumentation of the reverse engineering process
      ○ Only real way to cluster families with strong confidence
    ● Potentially related attacks by the actor
      ○ Previous reporting
      ○ Previous misreporting
    ● TTP mapping and signature generation
      ○ You can find a large repository of good resources on past APTs here
  • 23. Planning of Actions
    ● Level of involvement with ecosystem maintainers and owners
    ● Strategy for marketing and publication
    ● Strategy for group management and coordinated release
    ● Deconfliction with other organizations which may be independently pursuing the actor
    ● Timelines for public reporting, and which components of research are to be released
      ○ Written agreements and NDAs
      ○ Continual group communication
    ● Definitions of operational security measures
      ○ Encrypted email and other digital communications
      ○ Discussion only with small, known groups
  • 24. Impact Assessment
    ● Important to know if your efforts had any meaningful effect, or were just hot air
      ○ Measurement is hard, and is always a cooperative process
    ● Telemetry gathering and analysis
      ○ Partners are likely the best mechanism for gathering this data
      ○ Victims are often incentivized not to report additional problems
    ● Long-term information gathering
      ○ Monitoring for TTPs or other indicators of infrastructure reuse
      ○ This can include wide-spectrum scanning for some threat infrastructure
  • 25. Follow Up
    ● Most actors will not go away after a single operation
      ○ Or for that matter, any number of operations
      ○ An attempted re-compromise can actually be an indicator of success
      ○ This reinfection can be across a vertical (other, similar orgs)
    ● Anti-APT efforts are a continual struggle - just like us, these actors make their living through this activity
    ● Likely, even if the actors abandon their efforts, the infection will not be cleaned worldwide, and multiple stages of signatures, etc. will need to be pushed
    ● In some situations, you might never know exactly how effective your efforts were - for good and bad
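The discovery, knowledge-creation and impact-assessment steps above lean on the same data: passive DNS and WHOIS to map an actor's infrastructure into clusters, then partner telemetry to see whether an action changed anything and whether the actor came back on old infrastructure. The following Python is an added example written for this page, not code from the slides or from Novetta/GCA; every domain (.example), address (RFC 5737 documentation ranges), registrant mailbox, date and sensor sighting in it is constructed.

```python
"""Infrastructure pivoting and post-action impact check (added example).

All records are constructed: .example domains, RFC 5737 addresses,
made-up registrant mailboxes and partner sensor sightings.
"""
from collections import defaultdict
from datetime import date

# Constructed date the coordinated action (signature push, takedown) went live.
ACTION_DATE = date(2016, 6, 1)

# Constructed passive-DNS rows: (domain, ip, first_seen, last_seen).
PDNS = [
    ("update-cdn.example", "198.51.100.10", "2016-01-03", "2016-04-20"),
    ("update-cdn.example", "198.51.100.11", "2016-04-21", "2016-05-30"),
    ("mail-sync.example",  "198.51.100.11", "2016-02-14", "2016-05-30"),
    ("stat-push.example",  "203.0.113.7",   "2016-03-01", "2016-05-30"),
    ("news-feed.example",  "203.0.113.8",   "2016-03-05", "2016-05-30"),  # unrelated site
    ("relay-9.example",    "198.51.100.11", "2016-06-12", "2016-06-30"),  # appears post-action
]

# Constructed WHOIS registrant e-mail per domain (a classic pivot key).
WHOIS = {
    "update-cdn.example": "ops.registrar@mailbox.example",
    "mail-sync.example":  "ops.registrar@mailbox.example",
    "stat-push.example":  "ops.registrar@mailbox.example",
    "news-feed.example":  "someone.else@mailbox.example",
    "relay-9.example":    "throwaway@mailbox.example",
}

# Constructed partner sensor sightings: (day, indicator observed).
TELEMETRY = [
    ("2016-05-25", "update-cdn.example"), ("2016-05-26", "update-cdn.example"),
    ("2016-05-27", "mail-sync.example"),  ("2016-05-28", "stat-push.example"),
    ("2016-05-29", "news-feed.example"),  ("2016-06-02", "update-cdn.example"),
    ("2016-06-05", "mail-sync.example"),  ("2016-06-14", "relay-9.example"),
    ("2016-06-20", "relay-9.example"),
]


def build_clusters(pdns, whois, as_of):
    """Union-find over domain, 'ip:' and 'email:' nodes from records first seen before as_of.

    Domains sharing a resolution IP or a registrant mailbox, directly or via a
    chain of such links, end up in one cluster (one piece of actor infrastructure).
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for domain, ip, first_seen, _last_seen in pdns:
        if date.fromisoformat(first_seen) >= as_of:
            continue  # not knowable at planning time
        union(domain, "ip:" + ip)
        if domain in whois:
            union(domain, "email:" + whois[domain])

    groups = defaultdict(set)
    for node in list(parent):
        groups[find(node)].add(node)
    return [frozenset(g) for g in groups.values()]


def cluster_containing(clusters, seed):
    """The cluster holding a known-bad seed indicator, or an empty set."""
    return next((c for c in clusters if seed in c), frozenset())


def domains_in(nodes):
    """Domain nodes only; IP and e-mail nodes carry an 'ip:' / 'email:' prefix."""
    return {n for n in nodes if ":" not in n}


def infrastructure_reuse(pdns, whois, known, as_of):
    """New domains (first seen on/after as_of) sharing an IP or registrant with the known cluster.

    A hit is the 'infrastructure reuse' signal from the impact-assessment step:
    the actor likely re-tooled on infrastructure we already knew about.
    """
    hits = []
    for domain, ip, first_seen, _last_seen in pdns:
        if date.fromisoformat(first_seen) < as_of or domain in known:
            continue
        shared = [k for k in ("ip:" + ip, "email:" + whois.get(domain, "")) if k in known]
        if shared:
            hits.append((domain, shared))
    return hits


def sightings_before_after(telemetry, indicators, as_of):
    """Count sensor sightings of the indicators before and on/after the action date."""
    before = after = 0
    for day, indicator in telemetry:
        if indicator not in indicators:
            continue
        if date.fromisoformat(day) < as_of:
            before += 1
        else:
            after += 1
    return before, after


if __name__ == "__main__":
    clusters = build_clusters(PDNS, WHOIS, ACTION_DATE)
    known = cluster_containing(clusters, "update-cdn.example")
    print("actor infrastructure:", sorted(known))
    print("sightings (before, after):", sightings_before_after(TELEMETRY, domains_in(known), ACTION_DATE))
    print("possible reuse:", infrastructure_reuse(PDNS, WHOIS, known, ACTION_DATE))
```

Two design points matter in practice. The cluster is built only from records first seen before the action date, so the "what we knew when we planned" view stays separate from what shows up afterwards; mixing the two makes every later pivot look like something you already had. And a raw before/after count is only a hint, not a measurement: partner coverage changes, victims stop reporting, and a new domain on an old IP (the constructed `relay-9.example` here) can mean re-tooling rather than cleanup, which is exactly the follow-up case the slides describe.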
  • 27. Storm Botnet
    ● First real P2P botnet
      ○ Focused on spam
      ○ Heavily monetized
    ● Several parallel researchers were “messing with the botnet”
      ○ P2P poisoning, C2 takeovers, etc.
    ● Microsoft and other large vendors pushed “detections”
      ○ MS pushed an MSRT update
      ○ Honeynet pushed out the Stormfucker tool
    ● Actors behind the botnet started to slice it up and sell it off
    ● New version appeared: Stormbot 2
    ● Authors may have moved on to other things?!?
  • 28. Conficker
    ● Started as a worm exploiting MS08-067
      ○ Spread at an alarming rate
      ○ Multiple infection vectors
    ● Multiple generations of malware (three major versions)
    ● Very suspicious functionality (Ukrainian keyboard detection)
  • 29. Waledac/Kelihos
    ● Operation B49 by Microsoft, 2010
      ○ Via legal action, MS took control of 276 C2 domains used by the bot
    ● Attempt by Dell SecureWorks/Kaspersky/Honeynet to take down Kelihos.b in 2012
      ○ Worked for a few weeks, but two weeks later the actors introduced a new version, .c, with new protocols being used.
    ● 2013: Kelihos.c live takedown on stage at Black Hat by Tillmann Werner
    ● Different malware families have been installed by the various versions over the years
    ● Effects:
      ○ Multiple generations of botnet (authors really liked to make $$)
  • 30. Operation SMN
    ● Discovery
      ○ Brought to our attention by our customers
      ○ Discovered malware on their networks, and wanted to investigate
    ● Actor
      ○ Highly coordinated group of actors
      ○ Appeared to have a multi-stage victim funnel
      ○ Primarily engaged in information theft
    ● Techniques/TTPs (report)
      ○ Initial method of infection varied (phishing, watering hole attacks)
      ○ Heavy use of compromised/misappropriated infrastructure
      ○ Later stages were very “smash and grab” oriented
  • 31. Operation SMN
    ● Resultant tooling and lessons
      ○ Interdiction group coordination (rosetta stone, announcements)
      ○ Coordinated press releases are hard
      ○ Large-scale infrastructure scanning and collection
      ○ Static analysis and machine learning (Skald/Holmes-Totem)
        ■ Large sample sets are hard for everyone to work with
        ■ Became a large open source project, partnership with TUM and GSoC (hi George, Christian, Marcel, Max)
    ● Nine public industry partners involved
      ○ First coordinated industry effort against an APT group
    ● Purpose was to expose and clean the entire toolset used by the threat actor
      ○ Coordinated high-quality signature release across partners
      ○ Shared those signatures on “publication” date with 155 other security vendors across the globe
  • 32. Operation SMN
    ● Led to follow-up reporting
      ○ Bad guys shifted, found new tools at the last minute
      ○ This is a good thing: it forced the retooling goal we were looking for
    ● Effects:
      ○ Public FBI assertion that the attacks originated from China
      ○ Decrease in attacks attributed to this group
      ○ Reduction/disappearance of some of the specialized tools from use
  • 33. Operation Blockbuster
    ● Discovery
      ○ Very public announcement of the hack by the attackers
      ○ We got involved after becoming frustrated with follow-on reporting
    ● Actor
      ○ Strong operational capabilities, issues with technical implementation
    ● Techniques/TTPs
      ○ Extremely detailed internal knowledge of the target
    ● Resultant tooling and lessons
      ○ Machine-learning-based triage system
      ○ Function/malware clustering algorithm
      ○ Big takeaway: a small team can have a huge effect on keeping the Internet safe
  • 34. Operation Blockbuster
    ● Coordinated AV push
      ○ Kaspersky, AlienVault, Symantec, TrendMicro, netrisk.io, other private and public participants
    ● Large-scale distribution of in-depth RE/technical info to industry
      ○ Main resources page
    ● Public reporting of TTPs
      ○ Securelist blog announcement
    ● Effects
      ○ Thousands of infections detected and cleaned (that we know of)
      ○ SWIFT banking attacks attributed to Lazarus Group (951 million attempted, 81 million laundered)
      ○ Continued interest and a larger working base of knowledge in industry
  • 35. 06 Future of Interdictions
    GCA Takedown Task Force
    Following the changing threat landscape
  • 36. GCA Takedown Task Force
    ● Global Cyber Alliance is a US/UK-based not-for-profit organization
      ○ Funded by the District Attorney of New York and the City of London Police
    ● GCA would act as a middleman to coordinate, help plan, and manage operations for industry partners
      ○ Partners would sponsor/suggest threats to pursue
      ○ GCA would help build reasonable coalitions
      ○ GCA would aid in the management and planning
    ● A goal is to drive continued and sustained efforts to coordinate across industries and build lasting coalitions to address malware-based risks
  • 37. Following the Changing Landscape
    ● As technology evolves and new attack surfaces appear, the good guys will have to follow into those realms and defend them
      ○ Internet of Things
      ○ Mobile/wireless networks
    ● This really ends up being a lot of education work aimed at new industries where security may not be “built in”
    ● We have to try to project beyond what a “bad guy” can do so we can strategically build technology, relationships, and processes to address future issues
  • 38. Key Points
    Four key points to think about for the future
    This is not just a technical problem: in order to coordinate and build long-lasting partnerships you must master the art of relationship building and understand each stakeholder's needs and motivations.
    APT is differentiated by humans, not code: while APT actors will display sophisticated technical skills, the ultimate differentiator is their operational capabilities and coordination.
    Anyone can start an interdiction effort: all it takes is some technical skills, a lot of motivation, and the ability to communicate and build relationships to execute an interdiction.
    The landscape is changing rapidly: the last 10 years have seen massive changes in threat actor sophistication and motivation. This evolutionary process shows no signs of slowing down.
  • 39. THANK YOU!
    Andre Ludwig - Aludwig@globalcyberalliance.org (Key id: 2238C189)
    Zachary Hanif - zachary.hanif@capitalone.com

Editor's Notes

  1. Link to NIST publication: http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf
  2. Image sourced from: https://www.solutionary.com/_assets/imgs/threat-intel-lifecycle-web.png
  3. Image sourced from: https://upload.wikimedia.org/wikipedia/commons/e/ee/Relationship_of_data,_information_and_intelligence.png Originally: https://digital-forensics.sans.org/blog/2015/07/09/your-threat-feed-is-not-threat-intelligence
  4. https://en.wikipedia.org/wiki/Storm_botnet
     http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_arrott-etal-vb2008.pdf
     https://www.usenix.org/legacy/event/leet08/tech/full_papers/holz/holz_html/
     http://seclists.org/fulldisclosure/2008/Dec/588
     https://media.ccc.de/v/25c3-3000-en-stormfucker_owning_the_storm_botnet
  5. https://en.wikipedia.org/wiki/Conficker
     http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_downadup_codex_ed1.pdf
     https://www.sophos.com/en-us/medialibrary/PDFs/marketing%20material/confickeranalysis.pdf
     https://www.exploit-db.com/docs/320.pdf
  6. Tillmann Werner and Brett Stone-Gross were the two main industry folks who drove the majority of activity against Waledac/Kelihos, especially in the later generations. Gregory Sinclair also gets credit for work on earlier versions of Waledac. https://blogs.technet.microsoft.com/mmpc/2010/09/08/an-update-on-operation-b49-and-waledac/
  7. The coordination and processing pipeline of Skald/Holmes-Totem was prominently used for this effort, and was the start of the merger between Totem and Skald. Accepted paper: https://www.sec.in.tum.de/assets/Uploads/skald.pdf Black Hat presentation: https://www.blackhat.com/docs/us-15/materials/us-15-Hanif-Internet-Scale-File-Analysis-wp.pdf
  8. SWIFT banking numbers: http://www.newsweek.com/how-north-korea-hacks-our-banks-478421
  9. SWIFT banking numbers: http://www.newsweek.com/how-north-korea-hacks-our-banks-478421 Please contact us for samples/data.