Advanced Persistent Threats - govmu.org Presentation APT.pdf (posted May 28, 2020)

Page 1

© Copyright 2011 EMC Corporation. All rights reserved.

Advanced Persistent Threats

Craig Harwood

Channel Manager – SADC and Indian Ocean Islands

Page 2

Agenda

• Introduction

• Today's Threat Landscape

• What is an Advanced Persistent Threat

• How are these crimes perpetrated

• Why traditional security measures alone are no longer effective

• Why security management and compliance are so important

• Solutions and Technologies to help YOU!

Page 3

The Hyperextended Enterprise: expanding entities, explosive information growth, increased regulation

Figure: the enterprise and its extended entities: Enterprise HQ, Remote Offices, Mobile Workers, Telecommuters, Consumers, Supply Chain & Collaboration Partners, Retail Stores, Distribution Centers, Service Provider Virtualization, Cloud Computing & other ISPs.

Threats surrounding them: Hijacks, Data Theft, Application Hacking, Cookies, Screen Scraping, Identity Theft, Privacy, Viruses, Worms, P2P, Content Piracy, SPAM, Solicitation, Cyber Attacks on Apps. & Infrastructure, Industrial Espionage, Extortion, Service Theft, Spoofing, BOTNETS, Phishing.

Threats are Everywhere…

Page 4

The Attacking Community is Professionalizing

Figure: the Hyperextended Enterprise diagram from Page 3 (same entities and threats; "Threats are Everywhere…"), overlaid with the actors and their targets:

Governments: PII, Government, Defense, Industrial Base, IP Rich Enterprises (organized, sophisticated)

Organized Crime: Supply chains (PII, Financial Services, Retail)

"Hacktivists": Targets of Opportunity (Anti-Establishment Vigilantes)

Terrorists: PII, Government, Critical Infrastructure

Between 2006 and 2010 there was a 660% increase in Cyber Incidents reported from Government Agencies. Source: Government Accountability Office and Time Magazine, July 2011

In 2010, 88% of the Global 500 had BOTNET activity associated with their domains. Source: RSA Security Brief, February 2011, "Malware and the Enterprise"

Page 5

On the surface all may seem calm!

Page 6

What are we facing?

• Well organized, well funded entities with a specific set of Collection Requirements (CR) that may be controlled by a gov't or criminal entity

• CRs could be anything from military secrets to source code to pharmaceutical intellectual property to documentation about critical infrastructure

Page 7

Advanced Persistent Threat (APT)

• “Targeted Computer Attacks By Government Agencies, Cyber Criminals, Terrorists And/Or Individuals With The Intent Of Stealing Intellectual Property, Trade Secrets Or Other Political/Economical Motivation.”

Page 8

Advanced Persistent Threats: The New Norm

Of companies…

83% believe that they have been the victim of advanced threat

71% have seen an increase in advanced threats in the last 12 months

65% believe they have insufficient resources to prevent advanced threats

Of advanced persistent threats…

51% result in IT downtime

45% result in the theft of intellectual property

44% result in the theft of confidential or sensitive information

• 18 months of high-profile sophisticated cyber attacks; pandemic levels, not a passing fad

• Advanced Persistent Threats have moved from realm of military to mainstream

• Highly targeted, well researched and well funded

• Moving beyond credit card data to intellectual property

• Multiple vectors: social engineering, zero-day vulnerabilities, application-layer exploits, etc.

• The primary attack vector has shifted from technology to people

It is now not a question of IF but WHEN you are attacked…

…but more importantly will you notice, and can you react?

Source: Ponemon Institute Survey “Growing Risk of Advanced Threats”

Page 9

The Age of Advanced Persistent Threats

Advanced Persistent Threats: sophisticated attacks and well resourced adversaries

Who: Nation State Actors, Cyber Criminals, Foreign Nationals, Non-Nation State, Sub Contractors, Third Countries

How: Open Source Intelligence Collection, Black Markets, Supply Chain Tampering

Page 10

Tactics, Techniques and Procedures (TTPs)

• There are typically precursors to APT attacks. Knowing the TTPs used by threat actors can give an organization a jump start on defending the network.

• The following are the steps used by APT threat actors when staging attacks. This is referred to as the APT “kill chain”:

• Open Source Collection

• Malware and toolkit creation

• Delivery of malware

• Exploitation

• Command and Control communications (C2 beaconing)

• Exfiltration

Page 11

Open source collection TTP

• Identify high value programs, technology and people

– Threat actors will use open source data to research their targets.

– There is a surprising amount of information freely available

– Clean documents are harvested from Internet sources

– A company's public website

– News stories (CNN, FOX News, etc)

– Relationships are researched which can be leveraged in an attack

Page 12

Malware and toolkit creation

• The act of placing a malicious payload inside the delivery mechanism (e.g. a DOC or PDF file)

– APT actors use a variety of custom toolkits to create malware

– Metasploit modules bring toolkits to a larger audience

– Link based attacks are on the rise and much harder to detect

Page 13

Delivery methods

• Threat actors will utilize intelligence gathered from their collections to target specific users. Emails will typically contain a link or attachment that entices the recipient. The malware is sophisticated and will evade most standard COTS software.

• Other server side attacks have also been observed such as SQL Injections

• “Water holing” is another popular technique

Page 14

Exploitation

• Threat actors will attempt to exploit a system using specially crafted malware. The main goal is to compromise the target asset in a way that gives the attacker access to the system

• This is a key phase of the attack. If exploitation is successful, the machine is compromised

– Tendency toward multi-stage exploits

– Shellcode delivered which in turn downloads & executes other malware

– Exploitation depends on vulnerability, proper execution and compatibility

Page 15

Command and Control Communications (C2)

• C2 communications are established once the target system can communicate with the threat actor's infrastructure. Attackers could then perform the following:

– Tool dropping

– System enumeration

– Lateral movement

– Credential harvesting

Page 16

Exfiltration

• Once the threat actors locate the data they are after, they usually compress it and send it out:

– Intellectual Property

– PII

– Government Data

Page 17

Importance of knowing these TTPs

• These APT TTPs are commonly known in the security world as the “Kill Chain”:

Reconnaissance → Weaponization → Delivery → Installation & Exploitation → Command & Control → Exfiltration

Page 18

The Anatomy of an Attack

Figure: attacker timeline against defender timeline (Source: NERC HILF Report, June 2010, http://www.nerc.com/files/HILF.pdf). The gap between the attacker's progress and the defender's detection is labelled ATTACKER FREE TIME.

Attacker-side labels from the figure: Target Analysis, Attack Set-up, Access Probe, Attack Begins, System Intrusion, Attacker Surveillance, Leap Frog Attacks Complete, Cover-up Starts, Discovery / Persistence, Maintain foothold, Cover-up Complete

Defender-side labels from the figure: Attack Forecast, Physical Security, Monitoring & Controls, System Reaction, Defender discovery, Attack Identified, Incident Reporting, Threat Analysis, Impact Analysis, Damage Identification, Response, Containment & eradication, Recovery

Need to ID attack precursors

Need to collapse attacker free time

Page 19

What Can you do About APTs?

• Focus is on breaking the kill-chain before exfiltration

• Development of a proactive approach to the detection of APT

• Understanding the methodologies used by attackers allows organizations to select safeguards and security controls to counter the threat.

Page 20

Customer Breached by Hackers, APTs or Malicious Code

Page 21

Companies that have been compromised

Pages 22 to 25

More Examples (image-only slides)

Page 26

Security Today (and for the last 5 years)

Page 27

Traditional Security is Not Working

99% of breaches led to compromise within “days” or less, with 85% leading to data exfiltration in the same time

85% of breaches took “weeks” or more to discover

Source: Verizon 2012 Data Breach Investigations Report

Page 28

Transforming Security: address the pervasiveness of dynamic, focused adversaries

Traditional Security: Signature-based, Perimeter oriented, Compliance Driven

Advanced Security (against the Advanced Threat): Agile, Definitive, Intelligent

Close the risk gap / Deliver new intelligence / Enable agility

Page 29

Security Paradigm Shift

– ‘Shift From Perimeter-Based Security Model To An Intelligence-Based Model.’

• Risk-Based

• Agile

• Contextual

• Information Sharing – Peers, Government, etc…

– Intel Cannot Just Be Gathered Internally, It Also Needs To Come From External Sources

• Pattern Recognition

• Predictive

• Big-Data Analytics

Page 30

Today's tools need to adapt

• Today's tools need to be able to detect and investigate:

– Lateral movement of threats as they gain foothold

– Covert characteristics of attack tools, techniques & procedures

– Exfiltration or sabotage of critical data

• Today's tools need to be able to scale:

– To collect and store the volume and diversity of data required

– To provide analytic tools to support security work streams

– Time to respond is critical in a breach situation, and SIEM often falls short

Page 31

Integrated Advanced Security

Figure: the Hyperextended Enterprise diagram from Page 3 (same entities and threats; "Threats are Everywhere…") inside a security management loop with these labels:

BUSINESS DRIVERS; POLICIES AND PROCESSES: DEFINE POLICIES; CONTROLS over Identities, Information and Infrastructure; PROTECT AND DEFEND; GOVERNANCE, RISK AND COMPLIANCE MANAGEMENT DASHBOARD: Monitor, DETECT, INVESTIGATE, REMEDIATE, Update controls; Manage Governance, Risk and Compliance

Page 32

SIEM has been a good start

• SIEM can provide:

– Valuable reporting on device and application activity

– Basic alerting on known sequences (i.e. basic correlation)

– Proof of compliance for internal and external auditors

– Central view into disparate event sources being collected

In today's world…

Threats are multi-faceted, dynamic and stealthy

The most dangerous attacks have never been seen before

Threats often don't leave a footprint in logs

Page 33

Introducing RSA Security Analytics

Page 34

What is RSA Security Analytics?

• RSA Security Analytics is RSA's platform for:

– Security monitoring

– Incident investigation

– Malware analytics

– Log compliance reporting

• Is the cornerstone of RSA's Security Management & Big Data strategy

– Going beyond enVision and NetWitness – a new approach to security operations

• RSA Security Analytics is the convergence of enVision/SIEM with NetWitness high speed analytics and forensics

Page 35

Suspect Attack Scenario

1. Spike in Suspect Network Traffic: IP address shows multiple RDP connections tunneled over a non-standard port

2. Authorized User Logged in to AD: AD logs show user logged in from the suspect IP with authorized credentials

3. Different user logged into VPN from the same IP: VPN logs show a different set of authorized credentials used to log into the VPN

4. Data exfiltration: Encrypted ZIP file transferred out to the Internet via FTP server
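As an added example (not part of the deck and not RSA product code), the first three signals of the scenario above expressed as detection logic over constructed data: flow records carrying the protocol the sensor identified, so RDP stands out on a port other than 3389, plus AD and VPN log lines correlated by source IP. The record layout and the `user=... src_ip=...` log format are this example's own assumptions.

```python
"""Correlate the slide's suspect-attack signals (added example, not RSA code).

Constructed inputs: flow records with the protocol the sensor identified
(so RDP can be spotted on a port other than 3389) plus AD and VPN log lines.
Field names (src_ip, app, user, ...) are assumptions for this illustration.
"""
import re
from collections import defaultdict

RDP_STANDARD_PORT = 3389

# Constructed flow records: (src_ip, dst_ip, dst_port, application identified by the sensor)
FLOWS = [
    ("203.0.113.7", "10.0.0.21", 443, "rdp"),    # RDP hidden on an HTTPS port
    ("203.0.113.7", "10.0.0.22", 443, "rdp"),
    ("203.0.113.7", "10.0.0.23", 8443, "rdp"),
    ("198.51.100.4", "10.0.0.21", 3389, "rdp"),  # RDP on its normal port
    ("198.51.100.9", "10.0.0.40", 443, "tls"),   # ordinary HTTPS
]

# Constructed authentication log lines (one AD source, one VPN source)
AD_LOGS = [
    "2011-06-01T08:02:11 AD logon user=jsmith src_ip=203.0.113.7 result=success",
    "2011-06-01T08:05:40 AD logon user=mjones src_ip=198.51.100.9 result=success",
]
VPN_LOGS = [
    "2011-06-01T08:03:02 VPN connect user=adoe src_ip=203.0.113.7 result=success",
    "2011-06-01T08:06:13 VPN connect user=mjones src_ip=198.51.100.9 result=success",
]

KV = re.compile(r"user=(?P<user>\S+) src_ip=(?P<src_ip>\S+) result=success")


def rdp_on_nonstandard_port(flows, min_connections=2):
    """Source IPs with >= min_connections RDP sessions on a port other than 3389."""
    counts = defaultdict(int)
    for src_ip, _dst_ip, dst_port, app in flows:
        if app == "rdp" and dst_port != RDP_STANDARD_PORT:
            counts[src_ip] += 1
    return {ip for ip, n in counts.items() if n >= min_connections}


def successful_logons(lines):
    """Map src_ip -> set of user names that authenticated successfully from it."""
    by_ip = defaultdict(set)
    for line in lines:
        m = KV.search(line)
        if m:
            by_ip[m["src_ip"]].add(m["user"])
    return by_ip


def mismatched_credentials(ad_lines, vpn_lines):
    """Source IPs where the AD account differs from the VPN account used from that IP."""
    ad = successful_logons(ad_lines)
    vpn = successful_logons(vpn_lines)
    return {ip: (sorted(ad[ip]), sorted(vpn[ip]))
            for ip in ad.keys() & vpn.keys()
            if ad[ip] != vpn[ip]}


def suspect_ips(flows, ad_lines, vpn_lines):
    """IPs that trip both signals: RDP on a non-standard port and a credential mismatch."""
    both = rdp_on_nonstandard_port(flows) & set(mismatched_credentials(ad_lines, vpn_lines))
    return sorted(both)


if __name__ == "__main__":
    print(suspect_ips(FLOWS, AD_LOGS, VPN_LOGS))
```

Each function is one of the slide's rows on its own; only a tool that joins network sessions with the AD and VPN log sources can produce the combined verdict.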

Page 36

Only RSA Security Analytics can tell you the impact of the attack

Attack Step (Traditional SIEM / RSA Security Analytics):

• Alert for RDP tunneled over non-standard port: No / Yes

• Recreate activity of suspect IP address across environment: No / Yes

• Show user activity across AD and VPN: Yes / Yes

• Alert for different credentials used for AD and VPN: Yes / Yes

• Reconstruct exfiltrated data: No / Yes

Page 37

Investigation Scenario

• Find Workstation acting as SPAM host: multiple outbound SMTP connections from workstation; multiple internet DNS connections from workstation

• Find out how the workstation got infected: user clicked on the link and got infected by Trojan from drive-by download

• Recreate phishing e-mail message: determine whether targeted phishing attack at play

• Analyze malware: determine whether targeted or vanilla malware in use

Page 38

Only RSA Security Analytics can tell if this is a targeted attack

Attack Step (Traditional SIEM / RSA Security Analytics):

• Alert for suspected SPAM host: Yes / Yes

• Show all WWW requests where executable downloaded: No / Yes

• Recreate email with suspect link: No / Yes

• Analyze malware and incorporate community intelligence: No / Yes

• Determine whether attack is part of a targeted campaign: No / Yes

Page 39

Separating “Bad” from “Good” is Increasingly Difficult

• Understand what “bad” looks like and look for similarities = BAD

– Antivirus

– Intrusion Prevention Systems

– Thresholds exceeded

• Understand what “good” looks like and look for meaningful differences = BAD

– Network analysis and baselining

– Anomaly detection

– Predictive failure analysis

Key Point: Increasingly sophisticated models of both “good” and “bad” are needed. Better models require more data and analytics.

Page 40

Security Analytics Methodology: Ripping away the hay with automated queries

Start with all network traffic and logs

ALERT ME for sessions to/from critical assets

SHOW ME files where file type does not match extension

SHOW ME all downloads of executable content (pdf, doc, exe, xls, jar etc)

No SIEM will let you do this!
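As an added example (not part of the deck and not RSA product code), the two SHOW ME queries above run over constructed sample downloads: the content type is taken from leading magic bytes and compared with the extension the file name claims. The signature table, the allowed-extension mapping and the sample files are this example's own assumptions.

```python
"""Flag files whose content does not match their extension (added example, not RSA code).

Constructed sample files are embedded below; the signature table covers the
executable-content types the slide lists (pdf, doc, exe, xls, jar).
"""

# Leading bytes ("magic") for each content type the slide's query cares about.
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "exe",                                   # PE/DOS executable
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",     # legacy .doc/.xls container
    b"PK\x03\x04": "zip",                           # also .jar and Office OOXML
}

# Which detected content types legitimately carry which extensions (assumed policy).
ALLOWED = {
    "pdf": {"pdf"},
    "exe": {"exe", "dll", "scr"},
    "ole": {"doc", "xls", "ppt"},
    "zip": {"zip", "jar", "docx", "xlsx"},
}

# "Executable content" in the slide's sense: anything that can carry a payload.
EXECUTABLE_CONTENT = {"pdf", "exe", "ole", "zip"}


def detect_type(data: bytes) -> str:
    """Return the content type by magic bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extension(name: str) -> str:
    """Lower-cased extension of a file name, '' if it has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def type_mismatches(files):
    """SHOW ME files where file type does not match extension."""
    hits = []
    for name, data in files:
        kind = detect_type(data)
        if kind != "unknown" and extension(name) not in ALLOWED[kind]:
            hits.append((name, kind))
    return hits


def executable_downloads(files):
    """SHOW ME all downloads of executable content, whatever the name claims."""
    return [name for name, data in files if detect_type(data) in EXECUTABLE_CONTENT]


# Constructed downloads: (file name as seen on the wire, first bytes of the body)
SAMPLE_FILES = [
    ("report.pdf", b"%PDF-1.4\n%..."),
    ("invoice.pdf", b"MZ\x90\x00\x03\x00"),                  # executable wearing a .pdf name
    ("budget.xls", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00"),
    ("photo.jpg", b"PK\x03\x04\x14\x00"),                     # zip/jar content named as an image
    ("notes.txt", b"plain text, nothing to see"),
]

if __name__ == "__main__":
    print(type_mismatches(SAMPLE_FILES))
    print(executable_downloads(SAMPLE_FILES))
```

Both queries need the reconstructed file body, not just the URL or log line, which is the gap between log-only SIEM and full-capture analytics that the slide is drawing.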

Page 41

Know Everything…Answer Anything

Page 42

THANK YOU