The document discusses strategies for defending against advanced persistent threats (APTs). It notes that many organizations are still relying on network configurations and security tools conceived decades ago. Modern APTs have evolved tactics to avoid detection, like using internal peer-to-peer communications and fast-flux domain naming that evade perimeter-based security tools. The document advocates deploying detection capabilities throughout the network rather than just at the boundary, and maintaining coordinated incident response plans and skills to understand adversaries' techniques.

1. You're fighting an APT
with what exactly?
STEVE ARMSTRONG
TECHNICAL DIRECTOR LOGICALLY SECURE

2. Who is this guy?
• Ex RAF Information Security specialist (17 years)
• I was in Cyber before they actually called it Cyber
• Technical Director at Logically Secure (8+ years)
• Doing Forensics & IR for over 8 years
• We support data centres, engineering companies, online (FPS)
gaming studios, recording labels and HMG
• SANS Instructor (DFIR/Pentesting)
• One of the brains behind CyberCPR

3. What I should cover (E&OE)
• What are you looking for?
• Common network configurations
• Why these common configurations don’t work
• What/who are you using to look for evil stuff?
• How do your attackers work? Where is the overlap?
• How do you react?
• How do you coordinate and plan your reaction

4. Key questions
• Who
• Where
• What
• Why
• When
• How

5. Lets do 'how often' first…..
Source: UK BIS and PWC 2014 Information Security Breaches Survey
(http://www.pwc.co.uk/assets/pdf/cyber-security-2014-technical-report.pdf)

6. Lets do 'how often' first…..
Source: UK BIS and PWC 2014 Information Security Breaches Survey
(http://www.pwc.co.uk/assets/pdf/cyber-security-2014-technical-report.pdf)

7. Lets do 'how often' first…..
Source: UK BIS and PWC 2014 Information Security Breaches Survey
(http://www.pwc.co.uk/assets/pdf/cyber-security-2014-technical-report.pdf)

8. Now the 'who'
• The "shits and giggles" crews or pissed off users
• e.g. 4chan/Lulzsec
• Hacktivism
• Anonymous, Pakistani or Indian hacker groups
• Cybercrime
• Roman Valerevich Seleznev (Track2) - stole est. $2M
• Hector Xavier Monsegur (Sabu) - started hacking to get cash to pay his
rent
• Cyber-espionage
• For Government level Secrets
• For industrial or technological advantage

9. What toys do 'they' have

10. Automation of the Attacks
Gong Da
Merry Christmas
Zhi Zhu
Nuclear
Incognito
Phoenix
Blackhole Exploit Kit
Sakura Exploit Pack
Eleonore
Techno
Yang Pack
XPack
Siberia
mushroom
Zero Siberia Private
LinuQ
Sava / PayOC
Bomba Best Pack
Open Source / MetaPack Papka
Robopak
Katrin
Bleeding Life
CRIMEPACK
T-iframer
Tornado
SEO Sploit Pack
Zombie Infection kit
Lupit
Salo
Unique Pack Sploit 2.1
Yes Exploit
iPack
El Fiiesta
Icepack
Mpack
Webattack

11. Matrix of capabilities

12. Table from:
http://contagiodump.blogspot.co.uk/
Wanted Image from:
http://www.kahusecurity.com/
With many thanks!

13. Table from:
http://contagiodump.blogspot.co.uk/
Wanted Image from:
http://www.kahusecurity.com/
With many thanks!

14. What do ATPs have to play with?

15. Now the where 'where'

16. Lets talk about your network
T H I S O N E I S F O R MA N A G E R S……

17. Did you ever ask for a secure LAN?
• Included security in the list of system requirements
• Priced the line items and checked they were appropriate
• Required evidence of delivery
• Tested robustness and correctness post-installation

18. Did you ever ask for a secure LAN?
If you haven't asked for it, why would you
expect your provider to:
take risks, decrease his margin and
deviate from the specification?
Thus if you didn’t ask for it,
you wont get it.

19. So what did you ask for?
A BARRIER (FIREWALL) AND A DMZ?

20. Building Internet Firewalls (page 105)
• http://www.amazon.co.uk/Building-Internet-
Firewalls-Elizabeth-Zwicky/dp/1565928717

21. What else did we have in 2000?

22. It's often just poor configuration
=

23. So you're fighting an APT with…….
• Architecture concepts conceived when your
Domain Controller had less memory and CPU
power than your phone has now
Vs

24. Then came……….

25. THE UTM*
<QUEUE DRAMATIC MUSIC>
*Unified Threat Manager/Management

26. The UTM is sold as a simple
solution
• However, to quote Wikipedia:

27. So you're fighting an APT with…….
• A single simple solution aimed at…..
• Compliance
• No great #winning story ever started:
"We were doing some compliance
activities and ….".

28. Lets come back
to the future…

29. People now have….
• Web monitoring
• NetFlow
• Attachment analysis (sandbox)
• Full packet captures
• Internet end-point reputational checking

30. But where is it placed?
THE ANSWER IS USUALLY ON THE BOUNDARY

31. Why this is bad
• Previously each install of malware phoned home
• Malware and APTs are changing
• Attackers are becoming more stealthy
• Still using standard deployment techniques
• Moving C&C servers
• More 'covert' channels

32. Previously
UTM
Malware C&C in clear
http traffic signature
Domain known bad

33. Previously
UTM
Malware C&C in clear
http traffic signature
Domain known bad
Boss we
got a
problem!

34. But things have moved
on past 2000

35. Now…
UTM
DNS
Public
DNS
???

36. Now…
UTM
DNS
Public
DNS
!!!

37. Now…
UTM
UDP port 53

38. In recent months we have seen
• The likes of PlugX/Kaba using:
• Internal peer-to-peer comms using UDP port 53
• DNS ports for in clear UDP C&C updates
• UDP of https (443) ports
• Domains switching from safe to unsafe for minutes
• Heavy use of *update* and honest sounding domains
• zipupdate.com, win7update.com, ibmupdate.com

39. Let's look at your team

40. Tools != Capability
ALWAYS REMEMBER THIS WHEN THE
SALESMAN IS ENCOURAGING YOU TO SIGN
THE CONTRACT

41. Good tools are a bonus only if you
have skills to really use them
Beautiful walnut
handled chisel set

42. Perceived skills vs Actual capability
http://www.youtube.com/watch?v=K4elZ_T9Ulo

43. TV does not represent real life!

44. Not so much CSI…… more like….

45. Not so much CSI…… more like….
Team composition:
• Velma (the guru)
• Fred and Daphne
(Managers?)
• Shaggy & Scooby (the
funny ones)
Which are you?

46. But we ask those that build
the corporate network
OOOOOO T H E T R I B A L L E A D E R S…….

47. Tribal leaders…..

48. To quote Sun Tzu…..
• “If you know the enemy and know yourself, you
need not fear the result of a hundred battles.
• If you know yourself but not the enemy, for every
victory gained you will also suffer a defeat.
• If you know neither the enemy nor yourself, you
will succumb in every battle."
Mature IR
Team
Developing
IR Team
New or bad
IR Team

49. Why do we care who is
attacking us….. Just
make them stop!
But, if you don’t understand
the attacker how can you
orientate yourself to their
plans and thus pre-empt their
actions

50. UTM

51. So what do you
• Architect your network for today not circa 2000
• Deploy detection in network not on the boundary
• Don’t rely upon Tribal Leaders to be your only
source of intelligence on attackers
• Centralise your intelligence, coordinate your
response
• Monitor your Operational Security for signs you are
leaking information of your plans to your enemy.

52. If you want more help:
• Logically Secure: Testing/IR Support and Advice
• CyberCPR Development Team:
• Drew John
• Ed Tredgett @edtredgett
• Mike Antcliffe @mantcliffe
• Steve Armstrong @nebulator
• Email: cybercpr@logicallysecure.com
• Twitter: @cybercpr

53. • Want some more????
• 28 April (it's a Tuesday  )
• http://44con.com