This document discusses advanced persistent threats (APTs). APTs are sophisticated cyber attacks that are carried out over an extended period to steal information. They use various techniques to evade detection, like polymorphic shellcode and packet splitting. APTs typically start with reconnaissance, then spear phishing to gain initial access. Attackers establish backdoors, install utilities like keyloggers, and move laterally within the network to exfiltrate data. Nation-states are often behind APTs to gain intelligence or competitive advantages. Organizations should monitor for unusual logins or anomalies to detect signs of an APT attack.

1. Persistence is Key:
Advanced Persistent
Threats
By: Sameer Thadani

2. Objectives
What is an APT
What is an AET
Past targets
What to look for in the future

3. Advanced Persistent Threats
 Advanced
 Higher levels of sophistication
 Has access to Zero-Day exploits
 Adapts to the victims defenses
 Persistent
 Attacks are specific
 Continue until the specific goals are met
 Intend to maintain communication with victim
compromised systems
 Threats
 Real power players behind attacks such as nation-states
 Not your mom and pop hacking job

4. APT Malware Anatomy

5. APT Attack Flow
Step 1 • Reconnaissance
Step 2 • Initial Intrusion into the Network
Sep 3 • Establish a Backdoor into the Network
Step 5 • Install Various Utilities
Step 6 • Lateral Movement and Data Exfiltration

6. Reconnaissance
First stage of an APT
Learning about the victims business
processes and technology
Tools
Whois
Nmap
Netcraft.com
Social Media Searching
Acting SKILLZ

7. Network Access
Spear-Phishing = #1 Way
Targeting specific high value people
Sending highly realistic email addresses
with attachments
Attachments include remote trojans or
malware
BUT WAIT, how does my malware get
passed IDS/IPS, Firewalls, and Email
Filters?
ADVANCED EVASION TECHNIQUES

8. Advance Evasion Techniques
Key techniques used to disguise threats to
evade and bypass security systems
Why are they advanced?
They combine multiple evasion
techniques that focus on multiple protocol
layers.
Evasions change during the attack
They allow malicious payloads or
exploits, such as malware to look normal
A wide variety of techniques
Combinations are endless

9. Polymorphic Shellcode
Constantly changing packet injected
code… using ADMmutate

10. Polymorphic Shellcode

11. Packet Splitting

12. Establish Backdoors
Establish backdoors
Backdoors allow attackers to stay in
constant contact with the compromised
machine. Ex. Poison Ivy

13. Install Utilities
Install key-logger
Ex: iSam

14. Lateral Movement
 Compromise more machines on the network and setup more
back doors, this allows for lateral movement and persistence
 Ex. TRiAD Botnet Control System
 EXFILTRATE DATA!

15. Why is this happening?
Nation-State intelligence to aid in wartime
strategy and exploitation
Diminish competition and improve strategic
advantage by stealing intellectual property
To extort or ruin VIP
To gain $$$$ and gain economic power

16. Learning from the past…
Google - Hydraq
RSA SecureID
Iran’s Nuclear Plant - Stuxnet
All targeted attacks on huge companies
Anyone can be targeted.

17. Preparing for the Future..

18. Keep your eyes open
Elevated log-ons at unexpected times
Finding any backdoor Trojans
Look for any anomalies for information flow
Look for HUGE data bundles

19. Questions?

20. Sources
 http://www.infoworld.com/article/2615666/security/5-signs-
you-ve-been-hit-with-an-advanced-persistent-threat.html
 https://www.youtube.com/watch?v=ugXyzkkYN9E
 https://www.youtube.com/watch?v=J9MmrqatA1w
 http://searchsecurity.techtarget.com/definition/advanced-
persistent-threat-APT
 http://www.symantec.com/theme.jsp?themeid=apt-
infographic-1
 http://searchsecurity.techtarget.com/definition/advanced-
evasion-technique-AET
 http://www.csoonline.com/article/2138125/what-are-
advanced-evasion-techniques-dont-expect-cios-to-know-
says-mcafee.html
 Issa.org