Common Techniques To Identify Advanced Persistent Threat (APT)
Slide 1
Yuval Sinay - CISSP, MVP Enterprise Security
DC9723, 20.05.2014 Meeting
Blog: http://blogs.microsoft.co.il/yuval14/
LinkedIn: http://il.linkedin.com/in/yuval14/
e-mail: yuval14@Hotmail.com
Slide 2
COPYRIGHT 2014 YUVAL SINAY. (“YS”). ALL RIGHTS RESERVED. PLEASE REFER TO THE LEGAL NOTICE BELOW FOR TERMS OF USE. INFORMATION PROVIDED IN THIS POWER POINT PRESENTATION IS PROVIDED “AS IS” WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT. NEITHER TNCI NOR ANY PARTY INVOLVED IN CREATING, PRODUCING OR DELIVERING THIS SITE SHALL BE LIABLE FOR ANY DIRECT, INCIDENTAL, CONSEQUENTIAL, INDIRECT OR PUNITIVE DAMAGES NOR ANY DAMAGES WHATSOEVER ARISING OUT OF YOUR ACCESS, USE OR INABILITY TO USE THIS SITE OR ANY OTHER HYPERLINKED WEB SITE, OR ANY ERRORS OR OMISSIONS IN THE CONTENT THEREOF. IN ADDITION, THE INFORMATION IN THIS POWER POINT PRESENTATION IS INTENDED FOR NON-BUSINESS USE ONLY. MOREOVER, USING THE INFORMATION IN THIS POWER POINT PRESENTATION FOR NON-BUSINESS USE IS ALLOWED ONLY BY REFERRING TO THE AUTHOR'S NAME AND BY UPDATING THE AUTHOR BEFORE PUBLISHING THE INFORMATION TO THE GENERAL AUDIENCE. PLEASE NOTE THAT SOME OF THE INFORMATION IN THIS POWER POINT PRESENTATION IS UNDER THE RIGHTS OF THIRD PARTY ORGANIZATIONS.
Slide 3: Agenda
1. What is Advanced Persistent Threat (APT)?
2. Common Goals of APTs
3. What is a Botnet?
4. What is Advanced Evasion Techniques (AET)?
5. The Relationship Between APT, AET and Botnet
6. APT Basic Architecture
7. Real Life Example - STUXNET Architecture (SCADA APT)
8. APT Intrusion Paths
9. Common Techniques To Identify APT
10. Real Life Example 1 - Traditional Techniques
11. Real Life Example 2 - eMail Sandbox
12. Real Life Example 3 - Real-time Polymorphism
13. Real Life Example 4 - Anomaly and User Behavior Detection
14. Summary
15. Questions?
16. Bibliography
Slide 4: Acknowledgements
I would like to thank Dr. Gabi Siboni (Retired colonel), the head of the Cyber research department at the Institute for National Security Studies (INSS), for his assistance in obtaining information on the impact of cyber on Israel's homeland security. In addition, I would like to thank Mr. Nigel Willson, Chief Architect, Researcher, Author of the Nige the Security Guy Blog, for his assistance in obtaining background information on Advanced Persistent Threat (APT). Moreover, I would like to thank Guy Mizrahi, CEO at Cyberia, and Mr. Doron Ofek for providing useful feedback on the presentation content.
Slide 5: Notes
1. Please note that the information included in this Power Point Presentation doesn't cover all the known techniques that can be used to identify Advanced Persistent Threat (APT).
2. For simplicity, the information in this Power Point Presentation doesn't provide a deep dive on Advanced Persistent Threat (APT) and the common techniques to identify Advanced Persistent Threat (APT).
3. Please note that terms like Cyberwar don't have a single, complete definition. Because of this, you may find that the terminology in this Power Point Presentation varies from other resources.
4. The products included in this presentation are for illustration only and should not be taken as an opinion one way or another about their suitability to the needs of any organization, nor as an opinion about their quality.
5. The information and views presented during this presentation concerning software or hardware do not in any way constitute a recommendation or an official opinion. All information presented here is meant to be strictly informative. Do not use the tools or techniques described here unless you are legally authorized to do so.
6. All product logos and names used in this presentation are the property of their respective owners. I have no claim of ownership over them. I am merely using them as examples of such products.
Slide 6: What is Advanced Persistent Threat (APT)?
“In 2006, the United States Air Force (USAF) analysts coined the term advanced persistent threat (APT) to facilitate discussion of intrusion activities with their uncleared civilian counterparts. Thus, the military teams could discuss the attack characteristics yet without revealing classified identities. [Bejtlich, 2007] Bejtlich explains the components of the terminology.
- Advanced means the adversary is conversant with computer intrusion tools and techniques and is capable of developing custom exploits.
- Persistent means the adversary intends to accomplish a mission. They receive directives and work towards specific goals.
- Threat means the adversary is organized, funded and motivated.”
Source: A Detailed Analysis of an Advanced Persistent Threat Malware, SANS Institute InfoSec Reading Room, 2011
Slide 7: (diagram not included in the extracted text)
Source: Advanced Persistent Threat (APT), Mike Shinn, U.S. NRC, 2013
Slide 8
- A common mistake is the assumption that an APT is based on software only. In practice, an APT can be based on software, hardware, social engineering, or some combination of the three.
- “APT can change itself while moving, in a way similar to the mutation that changes itself according to the theory of Darwin. In other words, APT is like a bacteria that can adapt itself to modern antibiotics in a short time.” Yuval Sinay, 2014
Slide 9: Common Goals of APTs
1. Theft – Intellectual Property and Industrial Espionage.
2. Fraud.
3. DDoS and Sabotage.
4. Criminal Actions (e.g. Money Theft, Fraud, Cyber-Extortion, Spam, etc.)
5. Impact on the decision-making process (e.g. Integrity Violation, Data Manipulation, etc.)
6. Deterrence and Intimidation.
7. Economic Apocalypse.
8. Political Act (e.g. Hacktivism, Creating social awareness, etc.)
9. Cyberwar (e.g. Terror, Camouflaging an attack, SIGINT, Creating a conflict and/or increasing an existing conflict between countries/organizations, etc.)
10. Display of capabilities.
11. Just For Fun.
12. Waiting for new tasks (e.g. backdoor).
"War is merely the continuation of policy by other means", Carl von Clausewitz
Slide 10
1. How much time does it take to create an APT?
2. How many APTs may exist in an average organization today?
3. How many organizations would publicly report a security breach?
4. On average, how much time does it take an organization to discover a data breach?
Slide 11: What is a Botnet?
“The term bot is short for robot. Criminals distribute malicious software (also known as malware) that can turn your computer into a bot (also known as a zombie). When this occurs, your computer can perform automated tasks over the Internet, without you knowing it. Criminals typically use bots to infect large numbers of computers. These computers form a network, or a botnet. Criminals use botnets to send out spam email messages, spread viruses, attack computers and servers, and commit other kinds of crime and fraud. If your computer becomes part of a botnet, your computer might slow down and you might inadvertently be helping criminals.”
Source: Microsoft
Slides 12-13: What is Advanced Evasion Techniques (AET)?
"An advanced evasion technique (AET) is a type of network attack that combines several different known evasion methods to create a new technique that's delivered over several layers of the network simultaneously. The code in the AET itself is not necessarily malicious; the danger is that it provides the attacker with undetectable access to the network. There are currently about 200 known evasion techniques that are recognized by vendor products. An AET can create literally millions of "new" evasion techniques from just a couple of combinations - none of which would be recognized by current intrusion detection system (IDS) vendor products. If all 200 were used, the permutations would be unlimited. Here is a very simplified explanation for how an AET works: Let's say that the words "attack" and "intrude" represent two strings of known malicious code. When an IDS identifies those strings in a request, the system intervenes and denies entry. If, however, "kaarindtuettcr" and "tittnrrakdeuac" were part of a request, the system wouldn't recognize the code as simply being the well-known malicious strings "attack" and "intrude" combined and rearranged in a new way. The IDS would not intervene and entry would be allowed."
Source: Whatis
Please note that according to current McAfee research, there are more than 800 million AETs and the list is growing…
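The slide's point, that a signature which is obvious in the whole request is invisible when the request arrives rearranged across the transport layer, is the reason IDS engines normalize (reassemble) traffic before matching. The following is an added illustration, not code from the presentation or from any vendor named on it: a per-segment matcher that misses the two sample strings when a constructed request is cut into small, reordered segments, beside a matcher that reassembles the stream first. The signatures, segment size and sample request are assumptions.

```python
from dataclasses import dataclass

# The two "known malicious strings" from the slide's analogy stand in for real IDS signatures.
SIGNATURES = (b"attack", b"intrude")


@dataclass(frozen=True)
class Segment:
    """One transport-layer segment: byte offset in the stream plus its payload."""
    seq: int
    payload: bytes


def per_segment_match(segments, signatures=SIGNATURES):
    """Naive inspection: each segment is searched on its own, so a signature that
    straddles a segment boundary, or arrives out of order, is never seen."""
    return {sig for seg in segments for sig in signatures if sig in seg.payload}


def reassemble(segments):
    """Normalize the stream the way the receiving host will: order by sequence
    number, discard bytes already seen, and concatenate. A gap raises, because a
    stream with missing bytes cannot be inspected reliably."""
    stream = bytearray()
    expected = 0
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if end <= expected:
            continue                      # pure retransmission / overlap, nothing new
        if seg.seq > expected:
            raise ValueError(f"gap in stream before offset {seg.seq}")
        stream += seg.payload[expected - seg.seq:]
        expected = end
    return bytes(stream)


def normalized_match(segments, signatures=SIGNATURES):
    """Inspection after normalization: the same signatures are run over the
    reassembled byte stream, which is what the endpoint actually processes."""
    data = reassemble(segments)
    return {sig for sig in signatures if sig in data}


def segmented(data, size):
    """Constructed test traffic: the stream cut into fixed-size segments and
    delivered in reverse order, the kind of reshuffling the slide describes."""
    return [Segment(off, data[off:off + size]) for off in range(0, len(data), size)][::-1]


# Constructed HTTP request carrying both signature strings in its body.
SAMPLE_STREAM = b"POST /x HTTP/1.1\r\n\r\nattack=1&intrude=1"

if __name__ == "__main__":
    segs = segmented(SAMPLE_STREAM, 4)
    print("per-segment:", per_segment_match(segs))   # misses both
    print("normalized: ", normalized_match(segs))    # finds both
```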
Slide 14
Stonesoft demonstrates how AETs work in this short video: Anti-evasion Demo
Slide 15: The Relationship Between APT, AET and Botnet
AET – An intrusion technique that provides a higher rate of success. In other words, a technique that can be used to “bypass” most of the security protection layers that exist today in most organizations.
Botnet – A common attack tool that is used by the attacker to carry out the attack in practice. As noted above, an AET may be used to inject the botnet in “stealth mode” into the target organization.
APTs use sophisticated techniques, like AET, to inject hacking tools, like botnets, into the target organization. However, please note that APTs can also be injected into the target organization by other methods, like scanned documents, telephony commands, and more.
Source: 2014 THREAT REPORT, Mandiant, A FireEye Company
Slide 16: APT Basic Architecture (diagram not included in the extracted text)
Source: A Detailed Analysis of an Advanced Persistent Threat Malware, SANS Institute InfoSec Reading Room, 2011
Slide 17: Real Life Example - STUXNET Architecture (SCADA APT)
- SCADA (Supervisory Control and Data Acquisition)
- PLC (Programmable Logic Controller) - connects to sensors and converts sensor signals to digital data.
Slide 18: (diagram not included in the extracted text)
Source: The Real Story of Stuxnet
Slides 19-20: APT Intrusion Paths
1. Pre-built into the system – BIOS, Firmware, OEM OS, etc.
2. SMTP – Executable file; URL that points the end user to download an executable file (e.g. Direct Download, XSS, etc.); file / embedded content (e.g. HTML Code, SMTP Headers, etc.); Zero-Day Exploit; multipart file that builds itself on the endpoint; Worm, etc. It is common for attackers to use “Social Engineering” techniques to convince the end user that the received email is a legitimate email.
3. Web – URL that points the end user to download an executable file (e.g. Direct Download, XSS, etc.), Zero-Day Exploit, executable file injected into a web site, etc. It is common for attackers to use “Social Engineering” techniques to convince the end user that the received email is a legitimate email.
4. Mobile Devices – Communication channels (e.g. Bluetooth, QR, etc.).
5. Source code obtained from an untrusted source (even “legitimate” trusted source code that becomes contaminated can lead to exposure).
6. Applications installed by end users.
7. Automatic update systems like OS patch management systems, Antivirus, etc.
8. Application and/or Network Protocol vulnerability / weakness.
9. Computer Equipment (e.g. Mouse, Keyboard, Printer, Disk On Key, etc.)
10. Sound.
Slide 21: Common Techniques To Identify APT (diagram not included in the extracted text)
Source: How To Deploy the Most Effective Advanced Persistent Threat Solutions, Gartner, 2013
Slides 22-24: Gartner's Five Styles of Advanced Threat Defense
“Style 1 — Network Traffic Analysis
This style includes a broad range of techniques for Network Traffic Analysis. For example, anomalous DNS traffic patterns are a strong indication of botnet activity. NetFlow records (and other flow record types) provide the ability to establish baselines of normal traffic patterns and to highlight anomalous patterns that represent a compromised environment. Some tools combine protocol analysis and content analysis.
Style 2 — Network Forensics
Network Forensics tools provide full-packet capture and storage of network traffic, and provide analytics and reporting tools for supporting incident response, investigative and advanced threat analysis needs. The ability of these tools to extract and retain metadata differentiates these security-focused solutions from the packet capture tools aimed at the network operations buyer.
Style 3 — Payload Analysis
Using a sandbox environment, the Payload Analysis technique is used to detect malware and targeted attacks on a near-real-time basis. Payload Analysis solutions provide detailed reports about malware behavior, but they do not enable a postcompromise ability to track endpoint behavior over a period of days, weeks or months. Enterprises that seek that capability will need to use the incident response features of the solutions in Style 5 (Endpoint Forensics). The sandbox environment can reside on-premises or in the cloud.
Style 4 — Endpoint Behavior Analysis
There is more than one approach to Endpoint Behavior Analysis to defend against targeted attacks. Several vendors focus on the concept of application containment to protect endpoints by isolating applications and files in virtual containers. Other innovations in this style include system configuration, memory and process monitoring to block attacks, and techniques to assist with real time incident response. An entirely different strategy for ATA defense is to restrict application execution to only known good applications, also known as "whitelisting".
Style 5 — Endpoint Forensics
Endpoint Forensics serves as a tool for incident response teams. Endpoint agents collect data from the hosts they monitor. These solutions are helpful for pinpointing which computers have been compromised by malware, and highlighting specific behavior of the malware.
Because of the challenges in combating targeted attacks and malware, security-conscious organizations should plan on implementing at least two styles from this framework. The framework is useful for highlighting which combinations of styles are the most complementary. Effective protection comes from combining technologies from different rows (for example: network/payload, payload/endpoint or network/endpoint). The same logic applies to mixing styles from different columns (different time horizons). The most effective approach is to combine styles diagonally through the framework.”
Source: How To Deploy the Most Effective Advanced Persistent Threat Solutions, Gartner, 2013
Slide 25: Real Life Example 1 - Traditional Techniques
1. Signature Based Detection (e.g. File Name, File Size, File Type / MIME Type, File Extensions, Message Digest, Header Information, Archiving Type, etc.). It's common to see the use of Yara rules in this field.
2. Content Decoding (Data Pattern).
3. Firewall ACL (Access List).
4. IP / Domain / DNS Records - Reputation Black Lists (SIGINT).
5. Geo.
6. Threshold Limits.
7. Application Whitelist.
8. Embedded Objects (e.g. Java Script, etc.).
Disclaimer: The information expressed here is meant only to be informative and does not imply a recommendation
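To make item 1 concrete, here is an added example (not from the presentation or any product it shows) of the classic signature checks applied to one email attachment: file-type header versus declared extension, double extensions, a size threshold, and a message-digest blocklist. The header table, the size limit and the "known bad" sample that seeds the blocklist are constructed for the example.

```python
import hashlib
import os

# Constructed header table. A production check uses a full libmagic database;
# this subset only illustrates the File Type / MIME Type logic from the slide.
MAGIC = [
    (b"%PDF-", "application/pdf", {".pdf"}),
    (b"PK\x03\x04", "application/zip", {".zip", ".docx", ".xlsx", ".pptx", ".jar"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "application/x-ole-storage", {".doc", ".xls", ".ppt", ".msg"}),
    (b"MZ", "application/x-dosexec", {".exe", ".dll", ".scr"}),
]
EXECUTABLE_TYPES = {"application/x-dosexec"}
RISKY_EXTENSIONS = {".exe", ".scr", ".dll", ".js", ".vbs"}
MAX_SIZE = 10 * 1024 * 1024          # constructed policy limit (10 MiB)

# Constructed "known bad" sample and the digest blocklist built from it.
SAMPLE_BAD = b"constructed sample standing in for a known-bad attachment"
SAMPLE_BLOCKLIST = frozenset({hashlib.sha256(SAMPLE_BAD).hexdigest()})


def sniff_type(data):
    """Return (mime, allowed_extensions) for the first header that matches,
    or (None, set()) when the content is not in the table."""
    for magic, mime, exts in MAGIC:
        if data.startswith(magic):
            return mime, exts
    return None, set()


def signature_findings(filename, data, digest_blocklist=SAMPLE_BLOCKLIST):
    """Run the slide's signature-based checks (name, extension, size, type,
    digest) over one attachment and return the finding codes, in check order.
    An empty list means no check matched."""
    findings = []
    ext = os.path.splitext(filename)[1].lower()
    mime, allowed = sniff_type(data)
    if mime in EXECUTABLE_TYPES:
        findings.append("executable_header")
    # Declared extension disagrees with what the bytes say (e.g. an MZ file named .pdf).
    if mime is not None and ext and ext not in allowed:
        findings.append("extension_mismatch")
    # "invoice.pdf.exe": a risky second extension hidden behind a benign one.
    if filename.count(".") >= 2 and ext in RISKY_EXTENSIONS:
        findings.append("double_extension")
    if len(data) > MAX_SIZE:
        findings.append("oversize")
    if hashlib.sha256(data).hexdigest() in digest_blocklist:
        findings.append("known_bad_digest")
    return findings


if __name__ == "__main__":
    print(signature_findings("invoice.pdf", b"MZ\x90\x00" + bytes(64)))
    print(signature_findings("report.pdf", b"%PDF-1.7\n%constructed"))
```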
Slides 26-27: (product screenshots not included in the extracted text)
Slide 28: Real Life Example 2 - eMail Sandbox. From FortiSandbox-3000D-Gen2 Datasheet: (screenshot not included in the extracted text)
Slide 29: (product screenshot not included in the extracted text)
Slides 30-31: Invincea Solution: A DFIR Analysis of a Word Document Spear-Phish Attack: (screenshots not included in the extracted text)
Slide 32: Real Life Example 3 - Real-time Polymorphism. Shapesecurity.com solution - rewrite a site's code: (screenshot not included in the extracted text)
Slides 33-34: Real Life Example 4 - Anomaly and User Behavior Detection
“1. Statistical Methods. Statistical methods monitor the user or system behavior by measuring certain variables over time (e.g. login and logout time of each session in intrusion detection domain). The basic models keep averages of these variables and detect whether thresholds are exceeded based on the standard deviation of the variable. More advanced statistical models also compare profiles of long-term and short-term user activities.
2. Distance based Methods. Distance based approaches attempt to overcome limitations of statistical outlier detection approaches and they detect outliers by computing distances among points. Several distance based outlier detection algorithms have been recently proposed for detecting anomalies in network traffic. These techniques are based on computing the full dimensional distances of points from one another using all the available features, and on computing the densities of local neighborhoods.
3. Rule based systems. Rule based systems used in anomaly detection characterize normal behavior of users, networks and/or computer systems by a set of rules.
4. Profiling Methods. In profiling methods, profiles of normal behavior are built for different types of network traffic, users, programs etc., and deviations from them are considered as intrusions. Profiling methods vary greatly ranging from different data mining techniques to various heuristic-based approaches. In this section, we provide an overview of several distinguished profiling methods for anomaly detection.
5. Model based approaches. Many researchers have used different types of models to characterize the normal behavior of the monitored system. In the model-based approaches, anomalies are detected as deviations for the model that represents the normal behavior. Very often, researchers have used data mining based predictive models such as replicator neural networks or unsupervised support vector machines.”
Source: Anomaly Detection / Outlier Detection in Security Applications, Aleksandar Lazarevic
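The first two families quoted above (statistical thresholds on a per-host baseline, and distance-based outlier scoring) are the ones a SOC can apply directly to the kind of DNS counters that Style 1 network traffic analysis derives from NetFlow. The following is an added example, not code from the presentation or the cited paper: the host names, hourly counters, the k * sigma threshold and the k-nearest-neighbour cutoff are all constructed assumptions. The current hour for ws-03 carries the query-volume and NXDOMAIN spike that the Gartner quote treats as a botnet indicator.

```python
import math
from statistics import mean, median, pstdev

# Constructed history: per host, six hourly samples of (dns_queries, nxdomain_answers).
BASELINE = {
    "ws-01": [(40, 1), (45, 0), (38, 2), (42, 1), (41, 1), (44, 0)],
    "ws-02": [(55, 2), (50, 1), (60, 3), (52, 2), (58, 1), (54, 2)],
    "ws-03": [(30, 0), (33, 1), (29, 0), (31, 1), (32, 0), (30, 1)],
}
# Constructed current hour; ws-03 shows the volume / NXDOMAIN spike typical of a bot
# probing for its command-and-control domains.
CURRENT = {"ws-01": (43, 1), "ws-02": (57, 2), "ws-03": (420, 180)}
FEATURES = ("dns_queries", "nxdomain")


def statistical_alerts(baseline, current, k=3.0, min_sigma=1.0):
    """Statistical method: keep per-host averages and flag a variable whose
    current value exceeds mean + k * standard deviation. min_sigma keeps a
    perfectly flat history (stdev 0) from alerting on any change at all."""
    alerts = {}
    for host, history in baseline.items():
        if host not in current:
            continue
        exceeded = []
        for i, name in enumerate(FEATURES):
            values = [row[i] for row in history]
            mu, sigma = mean(values), max(pstdev(values), min_sigma)
            if current[host][i] > mu + k * sigma:
                exceeded.append(name)
        if exceeded:
            alerts[host] = exceeded
    return alerts


def _dist(a, b):
    """Full-dimensional Euclidean distance over all available features."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def knn_outliers(points, k=2, factor=10.0):
    """Distance-based method: score each point by the mean distance to its k
    nearest neighbours; points scoring far above the population median are
    outliers. points is a list of (label, feature_tuple); returns flagged labels."""
    scores = {}
    for label, vec in points:
        dists = sorted(_dist(vec, other) for lbl, other in points if lbl != label)
        scores[label] = mean(dists[:k])
    cutoff = factor * median(scores.values())
    return [label for label, score in scores.items() if score > cutoff]


def all_points(baseline, current):
    """Flatten history and the current hour into labelled points for knn_outliers."""
    pts = [(f"{host}@t-{len(rows) - i}", vec)
           for host, rows in baseline.items() for i, vec in enumerate(rows)]
    pts += [(f"{host}@now", vec) for host, vec in current.items()]
    return pts


if __name__ == "__main__":
    print(statistical_alerts(BASELINE, CURRENT))
    print(knn_outliers(all_points(BASELINE, CURRENT)))
```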
Slide 35: (product screenshot not included in the extracted text)
Slide 36: Tenable SecurityCenter CV: (screenshot not included in the extracted text)
Slide 37: (product screenshot not included in the extracted text)
Slide 38: Summary
• We covered the basic APT architecture and its operation.
• Currently, APTs have become a real threat for most organizations.
• The use of an APT allows a single attacker or a small group of attackers to achieve high offensive capability.
• We covered a few techniques that can be used to identify APTs. However, there is no silver bullet solution when it comes to cyber security.
Slide 39: (diagram not included in the extracted text)
Source: APT Detection Indicators – Part 3, Nige the Security Guy Blog
Slide 40: Questions?
Slide 41: Articles (Hebrew)
1. Introduction to Web 3.0 Security, Yuval Sinay, Digital Whisper, 2013
2. Cyberspace and National Security: Selected Articles, Gabi Siboni, Institute for National Security Studies (INSS), 2013
3. Cyberspace and National Security: Selected Articles, Second Collection, Gabi Siboni, Institute for National Security Studies (INSS), 2013
4. Cyber Warfare: Concepts, Trends and Implications for Israel, Shmuel Even and David Siman-Tov, Institute for National Security Studies (INSS), 2011
5. Domain Name System: Anomalies, Detection and Prevention, Kiril Leshchiver, Digital Whisper, 2011
6. Evolutionary Algorithms, Introduction to Computer Science, 5769 (2008/9), Ben-Gurion University
7. APT - Advanced Persistent Threat Attack, See Security
Slide 42: Books
1. The Practice of Network Security Monitoring: Understanding Incident Detection and Response, Richard Bejtlich, No Starch Press, 2013
2. Advanced Persistent Threat: Understanding the Danger and How to Protect Your Organization, Eric Cole, Syngress, 2012
3. Reverse Deception: Organized Cyber Threat Counter-Exploitation, Sean Bodmer, Dr. Max Kilger, Gregory Carpenter, Jade Jones, McGraw-Hill Osborne Media, 2012
4. SuperCooperators: Altruism, Evolution, and Why We Need Each Other to Succeed, Martin Nowak, Roger Highfield, Free Press, 2012
5. Cybercrime and Espionage: An Analysis of Subversive Multi-Vector Threats, Will Gragido, John Pirc, Syngress, 2011
6. High-Throughput Next Generation Sequencing, Young Min, Ricke, Steven C., Humana Press, 2011
Slides 43-46: Articles
1. Real-time Polymorphism, A new category of advanced security defenses, Shapesecurity, 2014
2. 2014 THREAT REPORT, Mandiant, A FireEye Company
3. Risk and responsibility in a hyperconnected world: Implications for enterprises, David Chinn, James Kaplan, and Allen Weinberg, McKinsey, 2014
4. 2013-2014 DDoS Threat Landscape Report, Incapsula, 2014
5. Protect Against Advanced Evasion Techniques: Essential design principles, Olli-Pekka Niemi, McAfee, 2014
6. Framework for Improving Critical Infrastructure Cybersecurity Version 1.0, NIST, 2014
7. What are Advanced Evasion Techniques? Don't expect CIOs to know, says McAfee, John E Dunn, Techworld, 2014
8. Network Security Redefined: Vectra's cybersecurity thinking machine detects and anticipates attacks in real time, Vectra Networks, Inc., 2014
9. An Agent-Based Framework for Dynamical Understanding of DNS Events (DUDE), H. Van Dyke Parunak, Alex Nickels, Richard Frederiksen, Soar Technology, Inc., 2014
10. AlienVault Finds Only Two Percent of Companies Would Publicly Report a Security Breach, 2014
11. ThreatConnect: Indicator for Suspicious Behavior and Malware, Paul Asadoorian, 2014
12. A DFIR Analysis of a Word Document Spear-Phish Attack, Armon Bakhshi, Invincea, 2014
13. A “Kill Chain” Analysis of the 2013 Target Data Breach, Committee on Commerce, Science, and Transportation, Majority Staff Report for Chairman Rockefeller, March 26, 2014
14. 2014 Data Breach Investigations Report, Verizon
15. Best Practices for Mitigating Advanced Persistent Threats (G00256438), Lawrence Pingree, Neil MacDonald, Peter Firstbrook, Gartner, 2013
16. Evading Deep Inspection for Fun and Shell, Olli-Pekka Niemi, Antti Levomäki, Stonesoft Corporation, Helsinki, Finland, 2013
17. Gartner: 'Five Styles of Advanced Threat Defense' can protect enterprise from targeted attacks, Ellen Messmer, Network World, 2013
18. Prevention Is Futile in 2020: Protect Information Via Pervasive Monitoring and Collective Intelligence (G00252476), Neil MacDonald, Gartner, 2013
19. Threats on the Horizon: The Rise of the Advanced Persistent Threat, Fortinet, 2013
20. How To Deploy the Most Effective Advanced Persistent Threat Solutions, Gartner, 2013
21. Advanced Persistent Threat (APT), Mike Shinn, U.S. NRC, 2013
22. The Real Story of Stuxnet, David Kushner, IEEE Spectrum, 2013
23. Challenges in Securing Critical Maritime Infrastructure, Oded Blatman, 2013
24. Using Large Scale Distributed Computing to Unveil Advanced Persistent Threats, Paul Giura, Wei Wang, AT&T Security Research Center, New York, 2012
25. Protection against Advanced Evasion Techniques in Stonesoft IPS, Stonesoft, 2012
26. A Detailed Analysis of an Advanced Persistent Threat Malware, SANS Institute InfoSec Reading Room, 2011
27. Advanced Evasion Techniques: Cybercriminals Up The Ante, Amit Klein, General Information, 2011
28. Deep Visibility over Applications, Content and Threats: How Deep Session Inspection® Can Help You See, Study, and Stop Advanced Threats, May 2011
29. Fidelis XPS™ Tech Talk: Preventing Cyber Attacks With Real-Time Threat Intelligence, 2010
30. What Is the Difference: Viruses, Worms, Trojans, and Bots?, Cisco
31. Anomaly Detection / Outlier Detection in Security Applications, Aleksandar Lazarevic
32. Correlating Intrusion Events and Building Attack Scenarios Through Attack Graph Distances, Steven Noel, Eric Robertson, Sushil Jajodia, Center for Secure Information Systems, George Mason University
33. Constructing Attack Scenarios through Correlation of Intrusion Alerts, Peng Ning, Yun Cui, Douglas S. Reeves, Department of Computer Science, NC State University
34. Using Security Attack Scenarios to Analyse Security During Information Systems Design, Haralambos Mouratidis, Paolo Giorgini, Gordon Manson, Department of Computer Science, University of Sheffield, England
Slides 47-48: Video and Websites
Video
1. Anti-evasion Demo by Mark Boltz, Stonesoft (in Portuguese)
Websites
1. APT Strategy Series
2. Advanced evasion technique (AET)
3. What is a botnet? Microsoft
4. http://www.spylogic.net/
5. http://www.vectranetworks.com/blog.html
6. YARA in a nutshell
7. FortiSandbox-1000D/3000D DataSheet
8. http://www.tenable.com
9. http://threatstream.com/
10. Security-onion
11. Cyvera TRAPS™
12. http://www.npulsetech.com/
13. http://www.cyber-ta.org/
Slide 49: Thank you!