Advanced Persistent Threat: Evolution of the Attacker
Joe Cummins, PCIP, Founder, Principal Consultant, Red Tiger Security – Canada
Jonathan Pollet, CAP, CISSP, PCIP, Founder, Principal Consultant, Red Tiger Security – USA

Mar 21, 2020

Page 1: Advanced Persistent Threat: Evolution of the Attacker

Joe Cummins, PCIP, Founder, Principal Consultant, Red Tiger Security – Canada
Jonathan Pollet, CAP, CISSP, PCIP, Founder, Principal Consultant, Red Tiger Security – USA

Page 2: [image only; no text extracted]

Page 3: Presenter: Joe Cummins, PCIP

- Canadian Information Security practitioner
- President and Principal Consultant of Red Tiger Security - Canada
- Provision of Threat and Vulnerability Assessments
- SME in the areas of:
  - Critical Infrastructure
  - Federal Readiness
- Speaker:
  - IEEE Boston, Mass
  - Canadian CIP Symposium
  - ISA Expo, Houston
  - SANS USA, SANS EURO

Page 4: Presenter: Jonathan Pollet – CISSP, PCIP, CAE

- 12 Years of Electrical Engineering, SCADA, Industrial Controls, and IT Experience
  - PLC Programming and SCADA System Design and Commissioning
  - Wireless RF and Telecommunications Design and Startup
  - Front-end Web Development for SCADA data
  - Backend Database design for SCADA data
  - Acting CIO for Seneca Oil Company for 2 years – Enterprise IT Management
- Last 8 Years Focused on SCADA and IT Security
  - Published White Papers on SCADA Security early in 2001
  - Focused research and standards development for SCADA Security since 2002
  - Conducted over 100 security assessments on Critical Infrastructure systems
  - Co-founded Critical Infrastructure Institute in 2004 and the PCIP certification
  - Developed security assessment methodology for SCADA Systems

Page 5: APT - Overview

- Summary / Synopsis – Advanced Persistent Threat
- Anatomy
- Timeline – Threat Vector Evolution
- Tools – Malware, Bots
- Techniques – OSINT, Phishing
- Targets – Enterprise
- Case Studies
  - Project Aurora
  - GhostNet
  - Georgia v. Russia
- Solutions / Safeguards
- Relevance to Pipeline Attack
- Horizon

Page 6: Anatomy of APT

Signature and style of the evolved attack

Page 7: APT - Anatomy

- Advanced:
  - Taking advantage of latest techniques
  - Application Stack
  - Protocols
  - Embedded Device Fuzzing
- Persistent:
  - Intent dedication
  - Focused pattern
  - Patient / Latent ability
- Threat:
  - Signatures
  - Vectors

Page 8: APT - Signature

- Shift from enterprise (broad) scale attacks
- Focus on the dissection / comprehension of the Infrastructure
- Examination of the Corporate Infrastructure
- Pre-determined target / group
- Relentless approach
- Layered Focus
- Exfiltration of Data

Page 9: Attack Timeline

Evolution of the Attacker

Page 10: APT - Timeline of Attack

[timeline diagram; no text extracted]

Page 11: Evolution of the Attack

- Hackerz (1970 – 1995)
  - Objective:
    - Gain "unauthorized" Access
    - Usurp Control
    - Bypass common methods of control
  - Leveraging:
    - Password Guessing
    - Early Trojans/viruses
    - Misconfigured networks
    - "Phreaking"

Page 12: Evolution of the Attack

- Hobbyist Hacking (1995 – 2000)
  - Objective:
    - Learning, exploration, Discovery
    - Exposure of flaws, weaknesses, poor workmanship
    - Defacement
    - Disruption
  - Leveraging:
    - Email viruses
    - BO2K
    - Early web attacks

Page 13: Evolution of the Attack

- Hacktivism (2001 – 2005)
  - Objective:
    - Capture Media attention
    - Publicity
    - Denial of Service
  - Leveraging:
    - Attracting attention through large-scale activities
    - Motivation: publicity and money
    - Methods: DoS, worms, rootkits, etc.

Page 14: Evolution of the Attack

- "Hacker for hire" (2005 – 2009)
  - Objectives:
    - Identity theft
    - Information egress
    - DDoS
    - Financially motivated
  - Leveraging:
    - Phishing / pharming
    - Targeted Spear-phishing
    - Redirected patching / AV
    - Bots / Botnets

Page 15: Attack Landscape

Posture and Motivation of APT

Page 16: APT - Defense / Threat Postures

Blue (Defender):
- Exposed
  - Information
  - Marketing
- Sluggish
  - Slow to adopt change
- Constrained
  - Underfunded
  - Personnel
  - Education

Red (Attacker):
- Agile
  - More than one target
  - More than one vector
- Mobile
  - Change in Strategy
  - Change in Tactics
- Hostile
  - Ruthless
  - Creative
  - Relentless

Page 17: APT - Intentions

- DATA >> Competitiveness
  - Formulas
  - Designs
  - Schematics
- Information >> Knowledge
  - Agendas
  - Itinerary
  - Corporate Direction
  - Mergers
  - Acquisitions
- Advantage is the motivation

Page 18: APT - Threat Vectors

External:
- Internet
  - Email attachments
  - File sharing
  - Pirated Software
  - Spearphishing
  - DNS / Routing Modifications
- Physical
  - Infections of Media (USB, CD)
  - Infected Appliances
  - Malicious IT equipment
- External
  - Mass Vulnerability Exploits
  - Co-location Exploitation
  - Rogue WiFi AP

Internal:
- Trusted Insider
  - Rogue Employee
  - Subcontractors
  - SOC-ENG (social engineering)
  - Break-In
  - Dual Use software
- Trusted Channel
  - Stolen VPN Credentials
  - Hijacked Cell Communications
  - P2P tapping
  - 3rd party breach
  - Un-trusted Devices

Page 19: APT - Threat Vectors

- Malware / Worms
  - 2009 May – July: 1335 Unique variants and infections
  - Incl. Conficker Worm / Conficker A, B, C, D and E
- Malicious AV Advertisements / Products
- Segmentation of the Network (ITSG-ITSB)
- Mobile Devices
  - USB drives
  - U3 Devices
  - Stolen or lost Laptops
- Insecure Builds
  - Devices that are mis-configured / unpatched before activation

Page 20: APT - Threat Vectors (Cont'd)

- Information leakage
  - Exposure of sensitive media / material online
  - Small / Irrelevant
- Application Security
  - Fuzzing / Reverse Engineering
  - Overflows, Cross Site Scripting
- Social Engineering
  - Spear phishing
  - Social Engineering Toolkit (SET) Framework

Page 21: APT - Tools

- Open Sourced Information
- Search Aggregators
- Malware:
  - Botnets
  - Crimeware
  - Rootkits
  - Malicious Attachments
- Live DVD – Distributions
  - Backtrack
  - A.P.E.

Page 22: APT - Overcoming Traditional Safeguards

- Anti-Virus
  - Signatures being obfuscated
  - Covert De-activation
- Patching
  - Servers being redirected
  - Popups
- Firewalls
  - Malicious attachments creating holes
  - USB devices circumvention

Page 23: Symbiotic Progression

[diagram with three linked elements]
- Internet Web ?.0
- Cyber Crime
- Cyber Espionage

Page 24: Don't take my word for it…

- General Keith Alexander, Head, US Cyber Command, on Operation Buckshot Yankee: "probed by unauthorized users approximately 250,000 times an hour, over six million times a day."
- Richard A. Clarke: "It is the public, the civilian population of the United States and the publicly owned corporations that run our key national systems, that are likely to suffer in a cyber war."

Page 25: Don't take my word for it… (Cont'd)

- William J. Lynn III, Deputy Secretary of Defense: "Computer-induced failures of U.S. power grids, transportation networks, or financial systems could cause massive physical damage and economic disruption"
- Jonathan Evans, Head MI-5: Both traditional and cyber espionage continue to pose a threat to British interests, with the commercial sector very much in the front line along with more traditional diplomatic and defence interests

Page 26: Tools and Tradecraft

Skills and Methodology used in Construction of the APT

Page 27: APT – Techniques / Tradecraft

- OSINT
- Social Engineering
- Targeted "Spear Phishing"
- Malicious Attachments
- USB devices
- Websites

Page 28: Social Engineering

- Attack the 8th (Human) Level
- Contextual
- Implied / Explicit
- Leverages social interaction
- Forms emotional exchange
  - Anger
  - Surprise
  - Anticipation
- "Robin Sage" Experiment

Page 29: Targeted Spear Phishing

- Requires in-depth knowledge of target
- Sophistication based on posted / known information
- Used to leverage people / groups

Page 30: Malicious Attachments (Malware)

- PDF
- MS Products
  - Word, Excel, etc.
- The usual suffixes…
  - mp3, exe, lnk, dll, mov, com, mp4, bat, cmd, reg, rar, emf, shs, js, vb, yourcompany.com.zip, cab, mda, zip, mdb, scr, aiff, mde, cpl, msi, vbs, aif, m4p, msp, fdf, mdt, sys, wmf, hlp, hta, pif, jse, qef, scf, chm, <#>.txt, wsf, fli, vbe
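The suffix list above is only useful to a defender once it is turned into a gateway check, and the interesting entries are the disguised ones: a document or media name in front of the real suffix (invoice.pdf.exe), and the slide's own yourcompany.com.zip, where a company-domain lookalike is wrapped in an archive. The following triage routine is an added example for this page, not code from the presentation or from Red Tiger Security; its suffix sets are the slide's list plus the PDF / Word / Excel carriers the deck names, the right-to-left override check is an addition of mine, and the filenames at the bottom are constructed for the demonstration.

```python
"""Attachment-name triage for the file types the slide lists.

Added example, not the presenters' code. Suffix sets come from the slide's
"usual suffixes" list plus the PDF / Word / Excel carriers it names; the
sample filenames at the bottom are constructed.
"""
from dataclasses import dataclass, field

# Suffixes from the slide that Windows executes or interprets directly.
EXECUTABLE_SUFFIXES = {
    "exe", "com", "bat", "cmd", "scr", "pif", "cpl", "msi", "msp",
    "lnk", "dll", "sys", "reg", "shs", "scf", "hta", "hlp", "chm",
    "js", "jse", "vb", "vbs", "vbe", "wsf", "mda", "mdb", "mde", "mdt",
    "fdf", "qef", "fli", "emf", "wmf",
}
# Archives from the slide: they can wrap anything above, so unpack and inspect.
ARCHIVE_SUFFIXES = {"zip", "rar", "cab"}
# Document carriers the deck names (PDF, Word, Excel) plus related Office types.
DOCUMENT_SUFFIXES = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf"}
# Media suffixes from the slide: harmless alone, but the usual visible half
# of a double extension such as song.mp3.exe.
MEDIA_SUFFIXES = {"mp3", "mp4", "mov", "aiff", "aif", "m4p"}

RLO = "\u202e"  # Unicode right-to-left override; reverses the displayed suffix


@dataclass
class Verdict:
    filename: str
    risk: str                      # "block" | "inspect" | "review" | "allow"
    reasons: list = field(default_factory=list)


def extensions(filename: str) -> list:
    """All dotted suffixes of the base name, lowercased, left to right.

    'invoice.pdf.exe' -> ['pdf', 'exe']; 'README' -> [].
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return [p for p in parts[1:] if p]


def classify(filename: str) -> Verdict:
    """Assign a triage decision to one attachment name."""
    v = Verdict(filename, "allow")
    exts = extensions(filename)
    last = exts[-1] if exts else ""
    inner = exts[:-1]
    disguised = any(e in DOCUMENT_SUFFIXES | MEDIA_SUFFIXES for e in inner)

    if RLO in filename:
        v.reasons.append("right-to-left override character hides the true suffix")
    if last in EXECUTABLE_SUFFIXES:
        v.reasons.append(f"executable or script suffix .{last}")
    if disguised:
        v.reasons.append("document/media name in front of the real suffix: ." + ".".join(exts))
    if "com" in inner and last in ARCHIVE_SUFFIXES:
        v.reasons.append("domain-like name (.com) wrapped in an archive, as in yourcompany.com.zip")

    if RLO in filename or last in EXECUTABLE_SUFFIXES or disguised:
        v.risk = "block"
    elif last in ARCHIVE_SUFFIXES:
        v.risk = "inspect"          # unpack and classify every member
        v.reasons.append(f"archive .{last}: contents must be inspected")
    elif last in DOCUMENT_SUFFIXES:
        v.risk = "review"           # PDF / Office carriers need content scanning
        v.reasons.append(f"document carrier .{last}")
    elif not exts:
        v.risk = "review"
        v.reasons.append("no extension")
    return v


def triage(filenames) -> dict:
    """Map each name to its risk level, as a mail-gateway pass would."""
    return {name: classify(name).risk for name in filenames}


# Constructed sample attachment names (not from the presentation).
SAMPLE_NAMES = [
    "invoice.pdf.exe",
    "yourcompany.com.zip",
    "quarterly_results.xlsx",
    "holiday_photo.jpg",
    "setup.msi",
    "report" + RLO + "fdp.scr",
    "README",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        verdict = classify(name)
        print(f"{verdict.risk:8} {name!r}  {'; '.join(verdict.reasons)}")
```

The name check is a first filter only: an "inspect" verdict on an archive means opening it and running `classify` over every member, and a "review" verdict on a PDF or Office file means handing it to content scanning, since those formats carried the bulk of the targeted attacks the next slide charts.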

Page 31: APT – Targeted Attacks (2009)

[Pie chart: "Targeted Attacks" by file type, 2009. Values as extracted: 4.52, 7.39, 39.22, 48.87; the only legend label that survived extraction is "MS Powe…" (MS PowerPoint). Source: http://www.f-secure.com/weblog/archives/00001676.html]

Page 32: Malware (Cont'd)

[Pie chart: "General Attacks". Values as extracted: 66.8%, 7.7%, 8.6%, 3.1%, 0.2%, 11.8%, 1.8%. Legend labels: Malware, Other, Phishing, Physical Loss, Denial of Service, Unauthorized Access Attempt, Inappropriate Use (the value-to-label mapping did not survive extraction). Source: http://www.f-secure.com/weblog/archives/00001676.html]

Page 33: Malware Kits

- Proliferation of cheap and easy to use kits
  - Free (Webattacker)
  - Torrents, P2P
- Complex $7,000 kits
  - 12+ kits available every 3-4 months
  - Zeus (ZBOT)
  - GHOSTNET (GHOSTRAT)
  - MUMBA (Zeus v3)
  - Mariposa

Page 34: ZEUS (ZBOT)

- Professional Crime-ware toolkit
- Versions: v1 – v3+
- Targets banks, banking systems
  - Harvests client data
  - Accounts

Page 35: Zeus (ZBOT) Server location

[map image; no text extracted]

Page 36: Command and Control (C&C)

- Leverages communication systems to relay messages
- Command Vectors
  - Twitter
  - IRC
  - Facebook
  - Google Groups

Page 37: Staged attack

- Series of weeks/months to fully compromise a system
- Incremental uploads / downloads / exchanges
- Results are fully "rooted" devices
- Random "radio" silence
  - Remain hidden

Page 38: Hardware backdoor

- Provision of devices / equipment that have "malware" already
  - Projectors
  - Printers
  - Photocopiers
  - Flash memory
- W32 Spybot worm
  - http://en.community.dell.com/dell-blogs/Direct2Dell/b/direct2dell/archive/2010/07/21/dell-on-the-server-malware-issue.aspx

Page 39: APT - Targets

- Intellectual Property
  - Code
    - Applications
    - Protocols
  - Designs
    - Schematics
    - Drawings
    - Illustrations
  - Chemical / Biological
    - Formulas
    - Equations
    - Chemical Compounds

Page 40: APT - Case Studies

- Stuxnet: 2010 – Present
- GhostNet: 2009 – 2010
- Operation Aurora: June 2009 – January 2010
- Estonia vs Russia: 2007

Page 41: Russia – Georgia Conflict (July – August 2007)

- Objective:
  - Precursor to the South Ossetia War
  - Destabilization / PsyOps support / Mis-Information
- Targeted:
  - 7 August: Georgian servers and the Internet traffic were seized and placed under external control
  - 8 August: country-wide cyber attack. Alleged connections to "Russian Business Network"
  - 9 August: Defacement of Georgian MFA, MIA, MOD. DDoS against the National Bank of Georgia as well as news portals
  - 12 August: President Saakashvili's website and Georgian TV websites were attacked
  - 12-13 August: the Georgian MOD website suffered direct attack as well as compromise

Page 42: Operation Aurora

- Objective
  - Dubbed "Operation Aurora" based on a filename in the malicious payload traced to one of the hackers
  - Leveraged a Windows Internet Explorer browser vulnerability (CVE-2010-0249)
- Targeted:
  - Intellectual property
  - Software configuration management (SCM) systems
  - Gmail e-mail accounts of Chinese human rights activists and three dozen large enterprises
  - Google, IBM, Juniper, +28 others
  - STILL IN THE WILD

Page 43: Operation Aurora (Cont'd)

- Stages of infection
  - A targeted user received a link in email or instant message from a "trusted" source.
  - The user clicked on the link, which caused them to visit a website hosted in Taiwan that also contained a malicious JavaScript payload.
  - The user's browser downloaded and executed the malicious JavaScript, which included a zero-day Internet Explorer exploit.
  - The exploit downloaded a binary disguised as an image from Taiwan servers and executed the malicious payload.
  - The payload set up a backdoor and connected to command and control servers in Taiwan.
  - As a result, attackers had complete access to internal systems.

Page 44: GhostNet (Ghostrat)

- Objective
  - Infection and Exfiltration
- Targeted
  - Over 1,200 hosts infected in over 100 countries
- Stages of Infection
  - The infected host downloads trojans that give the attacker control of actions made on the host computer.
  - The trojan attacks the computer by downloading files and activating the host's webcams and microphones.

Page 45: APT – GhostNet by distinct IP

[Bar chart: "Infected IP / Country". Only the labels India and Vietnam survived extraction; the bar values came out run together (53130, 148, 92, 1517, 13, 12192413, 65, 1136, 113, 225) and cannot be reliably separated.]

Page 46: Signed Code abuse

- STUXNET
  - Took advantage of JMicron / Realtek private keys to hack drivers that were signed by these companies
  - Legitimate signatures
  - Cyber-sabotage

Page 47: Valid Certificates ?!?!

[certificate screenshot; no text extracted]

Page 48: Certificates – Cont'd

[certificate screenshot; no text extracted]

Page 49: Stuxnet - Dissected

[Four-stage diagram]
- Certificate
  - JMicron
  - Realtek
- USB
  - Initial infection vector
  - USB replication (x3)
- Windows 0day
  - 4 unique vulns
  - Each found on most MS 2003
- Rogue PLC logic
  - Discovers PLC device
  - Pushes new logic

Page 50: Stuxnet - Process

[Diagram of two Step7-to-PLC chains]
- Step7 → s7otbxdx.dll → PLC: s7/315-2
- Step7 → s7otbxsx.dll → PLC: s7/315-2
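The diagram's point is that the engineering workstation kept talking to the PLC through a library with the expected name while a second library appeared beside it, so the defender-side check is a hash baseline of the application's library directory that reports any added, removed or modified file. The following is an added example for this page, not Siemens', Stuxnet's or the presenters' code; the demo stages a constructed directory in a temporary folder using the two DLL names from the slide, and the scenario it assumes (the original renamed to s7otbxsx.dll and a replacement dropped in as s7otbxdx.dll) is how the two names on the slide are taken to relate, not a claim taken from the page.

```python
"""Hash-baseline integrity check for an application's library directory.

Added example, not Siemens', Stuxnet's or the presenters' code. The demo
stages a constructed folder using the two DLL names from the slide.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Diff two manifests into sorted added / removed / modified path lists."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Baseline a constructed Step7-like folder, swap the comms DLL, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp)
        (lib / "s7otbxdx.dll").write_bytes(b"constructed: original comms library")
        (lib / "other_constructed.dll").write_bytes(b"constructed: unrelated library")
        baseline = build_baseline(lib)

        # Constructed tampering, assumed for the demo: the genuine library is
        # kept under the second name from the slide and a replacement takes
        # the expected name, so callers keep loading "s7otbxdx.dll".
        os.rename(lib / "s7otbxdx.dll", lib / "s7otbxsx.dll")
        (lib / "s7otbxdx.dll").write_bytes(b"constructed: replacement wrapping the original")

        return compare(baseline, build_baseline(lib))


if __name__ == "__main__":
    print(demo())
```

The baseline must be taken from a known-good build and stored off the monitored host, since a manifest that lives next to the files it protects can be rewritten by the same process that swaps the library. A signature check alone would not have caught this case: as the earlier slide notes, the replacement carried legitimate signatures.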

Page 51: Stuxnet – 0day

- 2 Privilege Escalation Vulnerabilities
  - SMB – MS08-067
- Print Spooler
  - CVE-2010-2729
  - MS10-061
- USB Proliferation Vulnerability: BID 41732+
  - ~WTR4141.tmp
  - ~WTR4132.tmp

Page 52: APT – Steps to compromise

[diagram; no text extracted]

Page 53: APT – Phased Compromise

[Cycle diagram. Phases: Initiation, Propagation, Command & Control, Exfiltration. Steps shown around the cycle: First Contact, Discovery Hosts / Devices, Spread 0Day / Vuln, Infect, Orders, Radio Silence, Data Collect, Transmit.]

Page 54: Mitigation Strategy

Real world solutions to combat the APT Threat

Page 55: Education and Awareness

- Half Day:
  - Executive Briefing
  - High Level / Consumable
- Full Day:
  - More Detailed
  - Focus on Sector Specific requirements
- 3 Day Intermediate:
  - Intensive Review
  - Split of Theory / Practical
- 5 Day:
  - Hands On
  - Advanced Defence / Tradecraft

Page 56: R & D: Security/Automation Lab

- Active / Functional
  - Replication of actual processes in the Field
  - Scaled Automation network
- Focus:
  - Patching
  - Testing Signatures (AV / IDS)
  - More robust DCS Environment
- Technology is available and cost effective

Page 57: Compliance ≠ Security

- Back to Basics
  - "you can't buy security; You have to get security"
- Product Panacea
  - Configuration
  - Inspection
  - Dissection
- Standards
  - Jump Off point
  - Security Conversation
  - What works for you / others
  - One size fits none

Page 58: Defence Strategy

- Conduct External/Internal Security Assessments
  - What you don't know can STILL hurt you
  - Assessments from External / Internal perspective
- Education / Awareness
  - Training
  - Regular Briefings
  - Foster environment of Security / Communication
  - INTRA Departmental
- Security Bulletins
  - Weekly reminders
  - Trends
- Advanced Persistent Diligence
  - Truth, but Verify

Page 59: APT meet APD

Advanced Persistent Diligence

- Testing patches before pushing
  - Development of a lab environment
  - Functional
  - Compressed version of ACTUAL devices and configuration
- SOCNET
  - Truth, and Verify
- Cyber Security Awareness
  - Employees are the best security barometer

Page 60: Event Horizon

What do we see on the way

Page 61: The Horizon

- Mutating Bots / Command & Control
  - Quiet installation
  - Obfuscated Exfiltration (HTTP, DNS, Masked)
- Directed Social Engineering
  - Staggered Attack
  - Combined with other styles
  - Building relationships over time
- Leverage of Social Networks (SOCNET)
  - Facebook is not your friend
  - Twitter or LinkedIn aren't too fond of you either…
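Exfiltration over DNS, which this slide and the earlier C&C slide flag as the quiet channel, leaves a recognisable shape in resolver logs even when each query looks harmless on its own: many distinct names under one registered domain, long leftmost labels, and labels that look random rather than like words. The scorer below is an added example for this page, not the presenters' code. It parses a constructed resolver log (timestamp, client, query type, name; not real traffic), scores each registered domain on those three signals, and returns the domains over threshold. The thresholds are assumptions to tune per network, and the "registered domain is the last two labels" rule is a simplification; production code should use the public suffix list.

```python
"""Heuristic detection of DNS-tunnelled exfiltration in resolver logs.

Added example, not the presenters' code. SAMPLE_LOG and the thresholds
are constructed / assumed for the demonstration.
"""
import math
from collections import defaultdict

# Constructed resolver log: "timestamp client qtype qname", one query per line.
SAMPLE_LOG = """\
2010-09-01T08:00:01 10.0.0.5 A www.example.com
2010-09-01T08:00:03 10.0.0.5 A mail.example.com
2010-09-01T08:00:05 10.0.0.5 A docs.example.com
2010-09-01T08:00:06 10.0.0.7 A login.example.com
2010-09-01T08:00:07 10.0.0.7 A calendar.example.com
2010-09-01T08:00:09 10.0.0.7 A cdn.example.com
2010-09-01T08:01:10 10.0.0.5 TXT 4f2a9c1e7b3d8e0a5c6f1b2e.updates-cdn.net
2010-09-01T08:01:11 10.0.0.5 TXT 9d0b7e3c2a1f8e6d4c5b0a79.updates-cdn.net
2010-09-01T08:01:12 10.0.0.5 TXT c3e1a7f5d9b2048e6a1c7f3b.updates-cdn.net
2010-09-01T08:01:13 10.0.0.5 TXT 7b6a5d4c3e2f1a0b9c8d7e6f.updates-cdn.net
2010-09-01T08:01:14 10.0.0.5 TXT e8d7c6b5a4f3e2d1c0b9a8f7.updates-cdn.net
2010-09-01T08:01:15 10.0.0.5 TXT 1a2b3c4d5e6f7a8b9c0d1e2f.updates-cdn.net
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Last two labels (simplification; use the public suffix list in production)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text: str) -> list:
    """Return (timestamp, client, qtype, qname) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append((ts, client, qtype.upper(), qname.lower()))
    return records


def domain_stats(records) -> dict:
    """Per registered domain: distinct names, mean leftmost-label length and entropy."""
    names_by_domain = defaultdict(set)
    for _, _, _, qname in records:
        names_by_domain[registered_domain(qname)].add(qname)
    stats = {}
    for domain, names in names_by_domain.items():
        leftmost = [n.split(".")[0] for n in names]
        stats[domain] = {
            "unique_names": len(names),
            "avg_label_len": sum(map(len, leftmost)) / len(leftmost),
            "avg_entropy": sum(map(shannon_entropy, leftmost)) / len(leftmost),
        }
    return stats


def flagged_domains(text: str, min_unique=5, min_len=16, min_entropy=3.0) -> list:
    """Domains whose query pattern looks like data being carried in labels."""
    stats = domain_stats(parse_log(text))
    return sorted(
        d for d, s in stats.items()
        if s["unique_names"] >= min_unique
        and s["avg_label_len"] >= min_len
        and s["avg_entropy"] >= min_entropy
    )


if __name__ == "__main__":
    for domain, s in sorted(domain_stats(parse_log(SAMPLE_LOG)).items()):
        print(f"{domain:20} names={s['unique_names']:3} "
              f"len={s['avg_label_len']:5.1f} H={s['avg_entropy']:.2f}")
    print("flagged:", flagged_domains(SAMPLE_LOG))
```

All three signals are required together because each alone has a benign cause: content-delivery networks produce many distinct names, and anti-spam or certificate-transparency lookups produce long hash-like labels. Tuning means looking at what the thresholds catch on a week of your own resolver logs and allow-listing the services that legitimately trip them before the rule goes to an alerting pipeline.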