Security Intelligence:
Advanced Persistent Threats

     An Ethical Hacker’s View



                           Peter Wood
                        Chief Executive Officer
                    First•Base Technologies LLP
Who is Peter Wood?



      Worked in computers & electronics since 1969
      Founded First Base in 1989 (one of the first ethical hacking firms)
      CEO First Base Technologies LLP
      Social engineer & penetration tester
      Conference speaker and security ‘expert’

      Member of ISACA Security Advisory Group
      Vice Chair of BCS Information Risk Management and Audit Group
      UK Chair, Corporate Executive Programme

      FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
      Registered BCS Security Consultant
      Member of ACM, ISACA, ISSA, Mensa



Slide 2                                                              © First Base Technologies 2012
Security Intelligence and This Presentation


          “SI is a recognition of the evolution of sophisticated adversaries, the
          study of that evolution, and the application of this information in an
          actionable way to the defence of systems, networks, and data. In
          short, it is threat-focused defence, or as I occasionally refer to it,
          intelligence-driven response.

          The “intelligence” in intelligence-driven response is the information
          acquired about one's adversaries, or collectively the threat landscape.
          Each industry has a different threat landscape, and each organisation
          in each industry has a different risk profile, even to the same
          adversary.

          Understanding one's threat environment is collecting actionable
          information on known threat actors for computer network defence,
          whether that action is purely detection or detection with prevention.”
                            Source: Mike Cloppert http://computer-forensics.sans.org/blog/
Slide 3
Agenda




          • APT Primer

          • Case Studies

          • Entry Points

          • Prevention and Detection




Slide 4
Agenda




          • APT Primer

          • Case Studies

          • Entry Points

          • Prevention and Detection




Slide 5
Advanced Persistent Threat (APT)



          • “An advanced and normally clandestine means to gain
            continual, persistent intelligence on an individual, or group of
            individuals” [Wikipedia]

          • “… a sophisticated, mercurial way that advanced attackers can
            break into systems, not get caught, keeping long-term access
            to exfiltrate data at will.” [McAfee]

          • “… a sophisticated and organized cyber attack to access and
            steal information from compromised computers.” [MANDIANT]




Slide 6
Advanced, Persistent, Threat


          • They combine multiple attack methodologies and tools in
            order to reach and compromise their target

          • The attack is conducted through continuous monitoring and
            interaction in order to achieve the defined objectives

          • It does not mean a barrage of constant attacks and malware
            updates - in fact, a “low-and-slow” approach is usually more
            successful

          • There is a level of coordinated human involvement in the
            attack, rather than a mindless and automated piece of code

          • The operators have a specific objective and are skilled,
            motivated, organized and well funded


Slide 7
The Aurora attack         http://threatpost.com/




Slide 8
The Aurora attack         http://threatpost.com/




Slide 9
The Aurora attack
                  http://trailofbits.com/2010/01/24/one-exploit-should-not-ruin-your-day/



           If you have done or been around any high-level incident response,
           you would know that these advanced persistent threats have been
           going on in various sectors for years.
           Nor is it a new development that the attackers used an 0day client-
           side exploit along with targeted social engineering as their initial
           access vector.
           What is brand new is the fact that a number of large companies
           have voluntarily gone public with the fact that they were victims to
           a targeted attack.
           And this is the most important lesson: targeted attacks do exist and
           happen to a number of industries besides the usual ones like credit
           card processors and e-commerce shops.
                                                                   Dino Dai Zovi

Slide 10
Agenda




           • APT Primer

           • Case Studies

           • Entry Points

           • Prevention and Detection




Slide 11
           http://blogs.rsa.com/rivner/anatomy-of-an-attack/
Slide 12
The RSA attack

           1.   Research public information about employees
           2.   Select low-value targets
           3.   Spear phishing email “2011 Recruitment Plan” with .xls
                attachment
           4.   Spreadsheet contains 0day exploit that installs backdoor
                through Flash vulnerability
                (Backdoor is Poison Ivy variant RAT reverse-connected)
           1.   Digital shoulder surf & harvest credentials
           2.   Performed privilege escalation
           3.   Target and compromise high-value accounts
           4.   Copy data from target servers
           5.   Move data to staging servers and aggregate, compress and
                encrypt it
           6.   FTP to external staging server at compromised hosting site
           7.   Finally pull data from hosted server and remove traces
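Detection logic for the lure used in the RSA case above (a spreadsheet attachment carrying an embedded Flash object, sent under a borrowed "From" name). This is an added example, not code from the presentation; the message and the attachment bytes are constructed, and `example.com` / `example.net` are placeholders.

```python
"""Flag a spear-phishing mail whose spreadsheet attachment carries an embedded
Flash (SWF) object, as in the RSA case. Added example; mail is constructed."""
import email
import email.utils
from email import policy
from email.message import EmailMessage

SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")          # uncompressed / zlib / LZMA SWF
SPREADSHEET_EXT = (".xls", ".xlsx", ".xlsm", ".xlsb")


def contains_swf(data: bytes) -> bool:
    """True if an SWF file header occurs anywhere in the attachment bytes.
    OLE containers such as .xls store embedded objects as raw streams, so the
    3-byte magic followed by a plausible version byte is visible without
    parsing the container."""
    for magic in SWF_MAGIC:
        idx = data.find(magic)
        while idx != -1:
            # header = magic(3) + version(1) + uint32 little-endian length(4)
            if len(data) >= idx + 8 and 1 <= data[idx + 3] <= 40:
                return True
            idx = data.find(magic, idx + 1)
    return False


def audit_message(raw: bytes) -> dict:
    """Indicators a mail gateway would log for one message: a Reply-To that
    differs from From, and spreadsheet attachments containing an SWF."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    reply_to = email.utils.parseaddr(msg.get("Reply-To", ""))[1].lower()
    findings = {
        "reply_to_mismatch": bool(reply_to) and reply_to != sender,
        "risky_attachments": [],
    }
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(SPREADSHEET_EXT) and contains_swf(payload):
            findings["risky_attachments"].append(name)
    return findings


def build_sample(with_swf: bool = True) -> bytes:
    """Constructed lure modelled on the case study. The attachment is a stub
    OLE header plus (optionally) an SWF header, not a real spreadsheet."""
    msg = EmailMessage()
    msg["From"] = "HR <hr@example.com>"                 # placeholder domain
    msg["Reply-To"] = "recruitment@example.net"         # placeholder domain
    msg["To"] = "staff@example.com"
    msg["Subject"] = "2011 Recruitment Plan"
    msg.set_content("Please review the attached plan.")
    ole_header = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56
    swf_header = b"CWS\x0a" + (64).to_bytes(4, "little") if with_swf else b""
    msg.add_attachment(ole_header + swf_header + b"\x00" * 32,
                       maintype="application", subtype="vnd.ms-excel",
                       filename="2011 Recruitment plan.xls")
    return bytes(msg)
```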

Slide 13
RSA Security Brief, February 2012




Slide 14
Agenda




           • APT Primer

           • Case Studies

           • Entry Points

           • Prevention and Detection




Slide 15
Entry Points




Slide 16
Identifying ‘The Mark’




Slide 17
Social Networking




Slide 18
Slide 19
Facebook Scams




Slide 20
Document MetaData Harvesting




Slide 21
Infosecurity Europe 2012 Experiment



           • Open WiFi on a laptop on
             our stand

           • Network name:
             ‘Infosec free wifi’

           • Fake AP using airbase-ng on
             BackTrack



           • In one day we collected 86
             unique devices


Slide 22
Wireless Eavesdropping



           Packet sniffing unprotected WiFi can reveal:

           • logons and passwords for unencrypted sites

           • all plain-text traffic (e-mails, web browsing, file transfers)




Slide 23
Firesheep Capturing




Slide 24
Firesheep: Game Over




Slide 25
Telephone Social Engineering




           Sometimes all they have to do is call up and ask!


Slide 26
Information Leakage


           Exposure of:

           • Corporate hierarchy

           • E-mail addresses

           • Phone numbers

           • Technical infrastructure

           • Business plans

           • Sensitive information

           • Passwords!


Slide 27
Spear Phishing




Slide 28
Phishing Emails




Slide 29
Phishing Emails




Slide 30
Spear phishing




Slide 31
Privilege Escalation




Slide 32
Password ‘Quality’




           http://iqsecur.blogspot.ca/2012/04/analysis-of-leaked-militarysinglesorg.html
Slide 33
Case study: Windows Administrator Passwords

           Global organisation:

           • 67 Administrator accounts

           • 43 simple passwords (64%)

           • 15 were “password” (22%)

           • Some examples we found: admin5, crystal, finance, friday, macadmin,
             monkey, orange, password, password1, prague, pudding, rocky4,
             security, security1, sparkle, webadmin, yellow

Slide 34
Case study: Password Crack


           • 26,310 passwords from a Windows domain

           • 11,279 (42.9%) cracked in 2½ minutes

           • It’s not a challenge!




Slide 35
Password Issues


           • Passwords based on dictionary words and names
           • Service accounts with simple/stupid passwords
           • Other easy-to-guess passwords
           • Little or no use of passphrases
           • Password policies not tailored to specific
             environments (e.g. Windows LM hash problem)
           • Old fashioned rules no longer apply
             (rainbow tables, parallel cracking,
             video processors)
           • Just general ignorance and apathy?
           • One password to rule them all …
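A small audit that applies the weaknesses listed on this slide (dictionary words and names, trivial digit suffixes, the literal word "password", no passphrases, and the Windows LM hash limit) to a recovered password set. This is an added example, not the presentation's own tooling: the sample set is the seventeen administrator passwords from the case-study slide, and `WORDLIST` is a small constructed stand-in for a real cracking dictionary.

```python
"""Audit recovered passwords for the weaknesses on the 'Password Issues' slide.
Added example; WORDLIST is a constructed stand-in for a cracking dictionary."""
import re
from collections import Counter

WORDLIST = {"admin", "crystal", "finance", "friday", "mac", "monkey", "orange",
            "password", "prague", "pudding", "rocky", "security", "sparkle",
            "web", "yellow"}

# The examples shown on the case-study slide.
CASE_STUDY = ["admin5", "crystal", "finance", "friday", "macadmin", "monkey",
              "orange", "password", "password1", "prague", "pudding", "rocky4",
              "security", "security1", "sparkle", "webadmin", "yellow"]


def dictionary_base(pw: str):
    """Word(s) a password is built from, or None. Covers a bare word, a word
    with a short digit suffix (rocky4) and two glued words (webadmin)."""
    m = re.fullmatch(r"([a-z]+)\d{0,4}", pw.lower())
    if not m:
        return None
    base = m.group(1)
    if base in WORDLIST:
        return base
    for w in WORDLIST:
        rest = base[len(w):]
        if base.startswith(w) and rest in WORDLIST:
            return f"{w}+{rest}"
    return None


def weaknesses(pw: str) -> list:
    """Every weakness from the slide that applies to one password."""
    found = []
    if pw.lower().startswith("password"):
        found.append("literal-password")
    if dictionary_base(pw):
        found.append("dictionary-based")
    if len(pw) <= 14:
        # Windows-specific: an LM hash can only exist for <=14 characters, is
        # case-insensitive and is cracked as two independent 7-char halves, so
        # a policy allowing <=14 chars must also disable LM hash storage.
        found.append("lm-storable")
    if len(pw) < 16 or " " not in pw:
        found.append("not-a-passphrase")
    return found


def audit(passwords):
    """Return (number of 'simple' passwords, Counter of weaknesses). A password
    is simple when it is dictionary-based or a variant of 'password'."""
    counts = Counter()
    simple = 0
    for pw in passwords:
        w = weaknesses(pw)
        counts.update(w)
        if "dictionary-based" in w or "literal-password" in w:
            simple += 1
    return simple, counts


def percentage(part: int, whole: int) -> float:
    """Share of the set, as the slide reports it (one decimal place)."""
    return round(100.0 * part / whole, 1)
```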

Slide 36
Agenda




           • APT Primer

           • Case Studies

           • Entry Points

           • Prevention and Detection




Slide 37
Identifying “The Mark”: Social Networking



           • Don’t reveal personal or sensitive information in social
              networking sites or blogs

           • Set the privacy options in social networking sites

           • Don’t discuss confidential information online

           • Don’t ‘friend’ people you don’t know



           Remember – what goes on the Internet, stays on the Internet!



Slide 38
Identifying “The Mark”: Telephone Social Engineering


           • If you receive a suspicious phone call, hang up and call back
             on a number you know is legitimate

           • Never reveal personal or sensitive information in response to
             a phone call unless you have verified the caller

           • Don’t answer questions about your organisation or
             colleagues unless it’s your job to do so

           • Report any phone calls that you suspect might be social
             engineering attacks



Slide 39
Identifying “The Mark”: Public and Open WiFi



           • Remember: open and WEP-encrypted WiFi networks are
             visible to almost anyone

           • Never use public WiFi for sensitive information

           • Don’t use the same password for web sites and for corporate
             systems

           • Make sure your email connections are encrypted




Slide 40
Spear Phishing


           • Never reveal personal or sensitive information in response to
             an email, no matter who appears to have sent it

           • If you receive an email that appears suspicious, call the
             person or organisation in the ‘From’ field before you respond
             or open any attached files

           • Never click links in an email message that requests personal
             or sensitive information. Enter the web address into your
             browser instead

           • Report any email that you suspect might be a spear phishing
             campaign within your company

Slide 41
Privilege Escalation



           • Don’t use passwords based on dictionary words and names

           • Use complex passphrases for service accounts

           • Tailor password policies to specific environments
             (e.g. Windows vs. web sites)

           • Remember: old fashioned rules no longer apply
             (rainbow tables, parallel cracking, video processors)

           • Never re-use passwords: “one password to rule them all …”




Slide 42
Think Like an Attacker!



           Hacking is a way of thinking:
              - A hacker is someone who thinks outside the box
              - It's someone who discards conventional wisdom, and does
                something else instead
              - It's someone who looks at the edge and wonders what's
                beyond
              - It's someone who sees a set of rules and wonders what
                happens if you don't follow them
                                                              [Bruce Schneier]


           Hacking applies to all aspects of life - not just computers


Slide 43
The Human Firewall


           The money you spent on security products, patching systems
           and conducting audits could be wasted if you don’t prevent
           social engineering attacks …


           Invest in marketing security awareness and intelligent, practical policies
Slide 44
Need more information?



       Peter Wood
    Chief Executive Officer
First•Base Technologies LLP

  peterw@firstbase.co.uk

     http://firstbase.co.uk
    http://white-hats.co.uk
    http://peterwood.com

    Blog: fpws.blogspot.com
      Twitter: peterwoodx


Editor's Notes

  • #4 Mike Cloppert is a senior member of Lockheed Martin's Computer Incident Response Team. He has lectured for various audiences including SANS, IEEE, the annual DC3 CyberCrime Convention, and teaches an introductory class on cryptography. His current work consists of security intelligence analysis and development of new tools and techniques for incident response. Michael holds a BS in computer engineering, an MS in computer science, has earned GCIA (#592) and GCFA (#711) gold certifications alongside various others, and is a professional member of ACM and IEEE.
  • #24 Many people don’t understand that wireless networking is like a wired hub – there is no packet switching, so anyone connected to an open wireless access point can see everyone else’s traffic. Again discovering how to do this isn’t hard and the tools are free. A criminal attacker could be sitting some distance away with a directional antenna and watching everything on the unprotected network.
  • #25 When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a "cookie" which is used by your browser for all subsequent requests. It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets a hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy. This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new "privacy" features in an endless attempt to quell the screams of unhappy users, but what's the point when someone can just take over an account entirely? Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room. After installing the extension you'll see a new sidebar. Connect to any busy open wifi network and click the big "Start Capturing" button. Then wait. As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed.
  • #26 Double-click on someone, and you're instantly logged in as them. That's it. Firesheep is free, open source, and is available now for Mac OS X and Windows. Linux support is on the way. Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.
  • #28 PETE: And also, just like the Smartphone, before you do anything else on a social network I want you to protect your ID and your personal information. Because of the “delusion of free”. Because you think the Internet is this wonderful, benign, philanthropic supermarket, run by Willy Wonka, where the price tag of everything is zero-point-zero, please-help-yourself. So you may not wonder why this social media outfit wants you to stuff its archives with all your personal information, all your preferences, all your loves and likes and loathings. But what’s going to happen, with your help, is they publish all your info, then, throughout the known universe. And thus, shrewd cold callers on the planet Zog will have access to all of that sweet intelligence plus your email and phone number. A reminder. What are you? FRANK: I am the product.
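A check for the sidejacking weakness described in notes #25 and #26: a session cookie that the browser will also send over plain HTTP, on a site that encrypts only the login page and does not force HTTPS everywhere. This is an added example, not code from the presentation or from the Firesheep project; both response header sets below are constructed.

```python
"""Audit HTTP response headers for cookies a sniffer on open WiFi could replay.
Added example; WEAK and HARDENED are constructed header sets."""
from dataclasses import dataclass, field

SESSION_HINTS = ("sess", "sid", "auth", "token", "login", "user")


@dataclass
class Finding:
    cookie: str
    problems: list = field(default_factory=list)


def parse_set_cookie(header: str):
    """Split 'name=value; Attr; Attr=val' into (name, {attr_lower: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            attrs[k.strip().lower()] = v.strip()
    return name, attrs


def looks_like_session(name: str) -> bool:
    """Heuristic: cookie names that usually carry an authenticated session."""
    return any(h in name.lower() for h in SESSION_HINTS)


def audit_cookie(header: str) -> Finding:
    """Attributes whose absence lets a passive sniffer capture or replay."""
    name, attrs = parse_set_cookie(header)
    f = Finding(name)
    if not looks_like_session(name):
        return f                       # non-session cookies are out of scope
    if "secure" not in attrs:
        f.problems.append("no Secure flag: also sent on http:// requests")
    if "httponly" not in attrs:
        f.problems.append("no HttpOnly flag: readable by page scripts")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        f.problems.append("SameSite not Lax/Strict")
    return f


def audit_response(headers: list) -> dict:
    """headers: list of (name, value) as sent. Encrypting the login alone is
    not enough; the site must refuse plain HTTP for every page (HSTS) so the
    cookie is never shouted over the air."""
    site = []
    if not any(k.lower() == "strict-transport-security" for k, _ in headers):
        site.append("no Strict-Transport-Security: later pages may fall back to HTTP")
    cookies = [audit_cookie(v) for k, v in headers if k.lower() == "set-cookie"]
    return {"site": site, "cookies": [c for c in cookies if c.problems]}


# Constructed: HTTPS login that drops an unprotected session cookie.
WEAK = [("Content-Type", "text/html"),
        ("Set-Cookie", "sessionid=abc123; Path=/"),
        ("Set-Cookie", "lang=en; Path=/")]

# Constructed: the hardened equivalent.
HARDENED = [("Content-Type", "text/html"),
            ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
            ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
            ("Set-Cookie", "lang=en; Path=/")]
```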