Blue Coat Systems, Inc. 2011. All Rights Reserved. APTs Are Not a New Type of Malware 1 Source: BC Labs Report: Advanced Persistent Threats

APTs Are Not a New Type of Malware

Feb 25, 2016


Transcript


APTs Are Not a New Type of Malware

Source: BC Labs Report: Advanced Persistent Threats

As a new kind of threat, there is a great deal of confusion about what APTs are.

We have seen news stories of SQL injections, spear-phishing emails, an insider walking out with a USB drive full of data, a zero-day exploit, or other common attacks. Unfortunately, these are sometimes presented as an APT. More often, the truth is that such an attack was one part of an APT.

An APT is not a new type of malware, or even a new name for an OLD type of malware, but simply a strategy where criminals apply multiple malware tools and other attack methods in a coordinated effort to reach a specific target. The attack is advanced because of the level of planning and application of these tools. An APT may tweak an existing tool, and some aspect of the attack may actually be unique. But the majority of the tools used in an APT are pulled from the pool of existing malware code, social engineering tactics, and so forth.

IMPORTANT POINT TO MAKE: Since APTs are still relatively new to the commercial sector, and therefore to the consumer- and commercial-focused security community, we encourage you to be on the alert for common misunderstandings in blogs, articles, and other information sources. For example, a number of recent articles on various spear-phishing attacks described them as an APT because the phishing was just the first stage of an attack intended to plant a virus on the target computers (which is commonly referred to as a blended threat). But these attacks failed to meet many of the definition points of a true Advanced Persistent Threat, not the least of which was a lack of persistence. The spear-phishing emails did what they could (depending on who was duped by them), some data was stolen (in a way that set off all sorts of alerts), and the attack was over.

The APT Attack Lifecycle

Research, Entry, Penetration, Harvest

The APT attack lifecycle begins with an extensive amount of Research. The attackers know what they want, so: where is it? Who has access to it? How is it used? What tools are available, and what expertise might they need to sub-contract out? Does a botnet owner already have a compromised system inside the target agency or organization?

This phase also involves preparing some of the early tools to be used in the attack, such as taking malware that others have used previously, typically as part of a successful mass-market attack, and repurposing it for their goals.

With those tools, they begin to search for ways to gain Entry and establish a foothold on the network. Note that this begins as a protracted event. As the attack progresses through later stages of the lifecycle, they may encounter obstacles or uncover opportunities that require additional research and perhaps the need to gain entry to new systems.

From the initially compromised systems, a Penetration stage often takes place in which the attackers use their foothold to compromise additional systems. Depending on the system already compromised, they may simply use the peer access of the user to infect other users. Or, if an infected system has the necessary access, they may download additional tools to move to their target area of the network.

Once the target system, or systems, are breached, they begin the Harvest stage of the attack. The pattern of activity may be deliberately erratic, to avoid establishing any discernible pattern that could lead to detection. If a large amount of data is the objective of the attack, they may even trickle it out in pieces through multiple vectors to avoid any spikes in activity.

The information sought could be personally identifiable information, espionage related data, or anything of financial value.

Some attacks may even be in preparation for perpetrating a major disruption of some kind, such as of a power grid, a natural gas distribution system, or other business services.

OPTIONAL: For example, if they could pick just the right moment to shut down a key system in your business, how much might they make in the stock market from the resulting news hype? Or worse, rather than a shutdown, what if they simply found a way to change a select set of numbers in an inventory, shipping, or finance department system?

IMPORTANT WRAP-UP COMMENT: Note that each stage is an ongoing activity, even if it is intermittent. Most APTs are long-term attacks. Several attacks uncovered in the last few years are believed to have been in place for several months, and some even for several years. This is not your typical malware smash-and-grab attack.

AGENDA
- Putting Social Networking to Work
- 2011 Security Reports: Highlights
- Mitigating the Malware Threat
- The Value of Granular Controls
- Accelerating Valued Content

Layered Defenses

Attackers use multiple tools, so should you. Ensure overlap and avoid gaps.

Diagram labels (defense layers, each facing an APT): Desktop AV, WebFilter w/ WebPulse, Firewall, SG, IDS, ProxyAV, ProxyClient / Cloud Svc, DLP, PacketShaper

The best attacks still leave tracks. Read and correlate logs, identify anomalies and connect the dots.

Just as an APT is a well-orchestrated attack using many common tools, so should your defense be.

Attackers are using multiple tools from different directions, so you need to leverage multiple tools able to detect and defend. Your layered defenses should be designed to overlap and avoid gaps. IMPORTANT: In some cases, redundancy may still be necessary, such as when following the multi-vendor AV best practice most companies use.

Even the best planned APT attacks leave visible traces. The challenge is that many of these traces are small and, by themselves, insignificant. When reviewing an actual breach due to an APT, researchers often find that many elements of the attack were in fact detected by different systems, or at least showed signs of anomalous behavior. In most cases, several tools used in the APT were simply treated as another mass-market malware attempt.

This is where log files can be powerful, since they are another way to identify anomalous activity. For example, the Conficker botnet was first detected when an IT administrator noticed a spike in his DNS logs: clients were asking for the IP addresses of a large number of URLs that didn't exist, within a very short period of time. Note that Conficker was NOT an APT, but it is a good example of something that went undetected until someone noticed anomalies in the logs.
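The DNS-log anomaly check and the cross-log correlation these notes describe, written out as an added example; this is not code from the original deck or from Blue Coat, and the log lines, the client addresses and the thresholds (five NXDOMAIN answers from one client within ten seconds, proxy events within 30 seconds of the spike) are constructed for illustration:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logs (not real data): a DNS resolver log and a web proxy
# log, one event per line as "timestamp client target status".
DNS_LOG = """\
2011-05-02T09:00:02 10.1.4.22 zq7fkd.info NXDOMAIN
2011-05-02T09:00:02 10.1.4.22 p0xv2m.net NXDOMAIN
2011-05-02T09:00:03 10.1.4.22 ktrw8a.org NXDOMAIN
2011-05-02T09:00:03 10.1.4.22 b3nqls.com NXDOMAIN
2011-05-02T09:00:04 10.1.4.22 vv91zt.biz NXDOMAIN
2011-05-02T09:00:20 10.1.7.8 intranet.example.com NOERROR
2011-05-02T09:00:21 10.1.7.8 typo-example.cmo NXDOMAIN
2011-05-02T09:01:40 10.1.4.22 www.example.com NOERROR
"""
PROXY_LOG = """\
2011-05-02T08:59:58 10.1.4.22 http://www.example.com/news BLOCKED_AV
2011-05-02T09:00:07 10.1.4.22 http://203.0.113.9/update.bin ALLOWED
2011-05-02T09:00:30 10.1.7.8 http://intranet.example.com/ ALLOWED
"""

def parse(log):
    """Split each log line into (datetime, client, target, status)."""
    rows = []
    for line in log.splitlines():
        ts, client, target, status = line.split()
        rows.append((datetime.fromisoformat(ts), client, target, status))
    return rows

def nxdomain_spikes(dns_log, window=timedelta(seconds=10), threshold=5):
    """Flag clients with >= threshold NXDOMAIN answers inside a sliding window.
    Returns {client: (time_of_peak, count)}; one typo (10.1.7.8) is not flagged."""
    recent = defaultdict(deque)
    hits = {}
    for ts, client, _name, rcode in parse(dns_log):
        if rcode != "NXDOMAIN":
            continue
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:  # forget answers older than the window
            q.popleft()
        if len(q) >= threshold and len(q) > hits.get(client, (None, 0))[1]:
            hits[client] = (ts, len(q))
    return hits

def correlate(alerts, proxy_log, slack=timedelta(seconds=30)):
    """For each flagged client, pull proxy events from the same host within
    `slack` of the spike: an AV block that was 'handled' and an allowed binary
    download look innocent alone, but next to the DNS anomaly they are the dots
    worth connecting before the incident is closed."""
    related = defaultdict(list)
    for ts, client, url, action in parse(proxy_log):
        if client in alerts and abs(ts - alerts[client][0]) <= slack:
            related[client].append((ts.isoformat(), url, action))
    return dict(related)

if __name__ == "__main__":
    spikes = nxdomain_spikes(DNS_LOG)
    for host, events in correlate(spikes, PROXY_LOG).items():
        print(host, spikes[host], events)
```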

However, noticing the anomaly is often only the first step in identifying an APT. This is similar to how currency forgeries are detected: it begins when someone notices an anomaly, which is rarely enough to be sure that the money is fake, but is enough to indicate that they should look closer.

So, once you identify something that might be part of an APT, you should start investigating deeper. Correlating log activity may uncover a number of activities that on their own seemed innocent but together are a clear indication of malicious activity.

Note that one of the advantages an APT attack gains from using common tools is that it is easy for IT to treat it as a mass-malware attack. If it looks like a known piece of malware, and they caught it, IT often considers the incident over without even checking whether the proxy, web filter, IDS or other systems saw anything that might be related by time, by the individual machine, etc.

Web Security Options

Cloud Services (XaaS)

Multi-function Cloud Security: Real-time Web Protection, Granular Policy Control, Central Visibility, Inline Malware Analysis, Flexible Deployment Options

Role-based Administrative Controls: Reporting, Policy Management, Web Filtering

Cloud Intelligence: Real-Time Defense Services

On Premise Web Security (Multi-Layer SWG): Proxy, Antivirus, DLP, Web filter

The Blue Coat Web Security solution portfolio is shifting along with the mega trends, innovations and new web security challenges.

At the center is the WebPulse real-time cloud defense that provides security intelligence to on-premises appliances as well as to the Cloud Security SaaS. We will go into details on WebPulse in a few slides. Our traditional appliance-based SWG solutions are on the left and the Cloud Security SaaS is on the right, allowing customers a step-by-step adoption of the Cloud Security SaaS based on their risk profile.

Across the top is a single pane of glass with role-based administrative controls (RBAC) for Reporting, Policy Management and Web Filtering. For example, Web Filtering is RBAC within Director for multiple ProxySG devices, and Reporter on-premise has AD inheritance for fine-grained role-based access, privileges, and individual user reporting, or reporting for a manager and their direct reports.

The hallmarks of the solution are Real-Time Web Protection, Granular Policy Controls, Central Visibility/Reporting, 100% Inline Malware Analysis, and now in 2011 the ability to provide Flexible Deployment Options.

The DNA that built the FG500 leading SWG is now inherited into the Cloud Security SaaS.

Cloud Intelligence
- Awareness from millions of users, feeds, etc.
- Real-time inputs & content analysis
- Malware, phishing and call-home web threat detection
- Scalable
- Minimize patches & downloads
- Maintained by Security Experts

Diagram labels (sources of web intelligence): Cloud Services, Network Monitors, SWG, Mobile Workers, XSPs, Consumer

Protecting users from today's dynamic web threats, no matter where they are located, requires comprehensive awareness of web content and fast protection cycles. At Blue Coat we leverage the combined web activity of more than 75M users for full visibility into new and existing web content. Six different solutions at Blue Coat receive and send web intelligence. These real-time inputs are analyzed for web threats and, if unrated, dynamically rated for language and categorization, plus web application and operation.

WebPulse provides malware ratings, phishing attack ratings, plus call-home ratings to identify infected users systems that may require remediation steps to clean the system.

New defenses or adjustments to current defenses in WebPulse can be made in the cloud immediately with no patches, downloads or updates required at web gateways or for remote users. WebPulse scales to keep pace with cyber crime and is managed by Blue Coat Security Labs.

Every day, WebPulse:
- Delivers 8B ratings to customers
- Receives 400M rating requests for new URLs
- Provides over 25M ratings in real-time for new content

Flexible, Hybrid Deployments

Diagram labels: Branch Office, Remote User, Internet, Headquarters Data Center, Cloud Intelligence, Cloud Services (XaaS) with DLP, Antivirus and Web Filtering, Reporter

Here is an example of blending the on-premises appliances with the Cloud Security SaaS. Customers can step into the Security SaaS as it makes sense for their risk profile. For example, remote users can be upgraded from ProxyClient to the full Security SaaS, where full web gateway controls not available in ProxyClient are provided in the SaaS; this gives remote users online policy controls and reporting.

For business models that are hub-and-spoke, like retail, the remote branch stores or offices may use the Cloud Security SaaS while the main offices use on-premise equipment. Because Blue Coat uses the same reporting and policy engine for the SaaS as for the SGOS appliances, the DNA is the same and this creates a unified customer experience.

To provide the remote stores with cached content that frequent shoppers demand with WiFi access points in stores, a MACH5 appliance can be the Cloud SaaS connector, thus providing the optimal in web content optimization, pre-population of web content (product reviews, test reports, competitive pricing) for shoppers, plus the lower operating expense of a Cloud Security SaaS for all store locations.

For larger offices with large web gateways, where on-premise appliances provide the depth of policy and control desired, they are still in Cloud Assist mode with WebPulse for on-demand security intelligence through real-time web ratings, threat detection and greater awareness from over 75M users.

Hybrid deployment options for customers are many, and this can lead to interesting discussions.

AGENDA (section divider slide, same items as above)

Granular Web Application Controls
- Safe Search: Major Engines supported; Media Search engines as well; Keyword Searches
- Social Networks: Regulate Operations; Restrict abuse; Multi-media, Publishing, Sharing
- Web Mail
- Operations that can be controlled: Upload Video, Upload Photo, Post Message, Send Email, Download Attachment, Upload Attachment

Blue Coat solutions have incorporated market-leading Web application controls, giving administrators the ability not only to determine which applications are allowed on their network, but also to what extent users are able to interact with those applications.

- In a world of Search Engine Optimization (SEO) and Search Engine Poisoning (SEP), it is important for IT to take control at the browser level. You can enforce a Safe Search policy even if the user has disabled it in their local browser, and you can track the search terms used by individual users, perhaps as part of a forensic investigation into how a user encountered dangerous or inappropriate content.

Social Networking applications can be controlled to provide users with acceptable access while restricting operations that might impact network performance (such as uploading video from the office network), present a data loss risk (such as uploading documents or posting confidential information), or potentially expose the network to malware, perhaps as part of an APT. (NOTE: An APT might actually automate posting data through social media sites as a way to harvest the information without using Webmail or other better-known methods.)

Social Media sites can also be controlled to curb bandwidth abuse and to close off another possible harvest vector for spyware or APTs.

Last, but definitely not least, Webmail can be monitored and its features controlled. For example, the ability to send attachments could be disabled as a DLP measure.

NOTE: Webmail is perhaps one of the most neglected vectors for both malware entry and data loss. Few organizations have the same level of controls on Webmail that they have on their official SMTP email systems.

Facebook Demo (next: AV Filtering Demo)

Facebook Demo (next: Block outgoing messages)

AGENDA (section divider slide, same items as above)

Packet Shaping Visibility

Video Optimization

Requirements / Blue Coat Optimized Video Delivery:
- Live Stream-splitting
- Video-on-Demand Caching with eCDN
- Adobe Flash, HTTP/SSL, HTML5, Windows Media, Silverlight
- Scale Video Bandwidth: 10x, 100x, 1000x
- Reduce Recreational Video by 30-80%
- Protect Critical Apps from Video Floods

Diagram labels: Data Center, Branch Office, Internet, WAN, HTML5, Video Server

Now let's turn to video.

Video dominates recreational traffic, but it's also being used increasingly in the enterprise for training and communications. Let's first take the example of a video hosted on YouTube. That video tends to go through the data center and then over the private wide area network to be served at the branch office. And if it is something that somebody finds interesting, so that a second, third or fourth person will watch it, that video is served across the WAN multiple times and can have a huge impact on the network.

So here we have new requirements for really handling this traffic. If it's live video, you need to do stream splitting to lessen the burden of multiple streams on the network. For video on demand, as in the YouTube example, you need caching. If you watch the royal wedding and walk down the hall to tell your girlfriend to watch it too, pretty soon 2 or 3 or 5 people have watched that same YouTube clip. So caching that on-demand content can have an extraordinary impact on bandwidth. And you need to do this not only for things like HTTP but also for other specialized or proprietary protocols like Adobe Flash, Silverlight, Windows Media and RTMP.

And so with Blue Coat, we actually provide all those capabilities and deliver a real value of 10, 100 or even 1000 times bandwidth multiplication for video.

For external video, like YouTube, Blue Coat caches a copy of the video at the branch office.

When a second, third, or fourth person goes to request the same video, it is delivered from the ProxySG in the branch office, not from the Internet. For live streaming video, we actually take a single stream from the Internet and split it at the branch offices to serve multiple employees watching the same feed, significantly reducing the bandwidth being consumed by the video.

In the case of internal video, we serve that from the data center and can either cache it at the branch, as in the YouTube case, or split a live stream as well. Additionally, you can pre-populate video content in the branch office after peak hours to better manage your bandwidth. For bandwidth-intensive training videos, for instance, you can send those to the branch office ProxySG for your employees to access the next day. Whether it's scaling internal video for training or communications purposes, or reducing the burden of recreational viewing and protecting against that video flood, the technologies fundamentally work for each of those use cases.

Application Utilization Trending
- Top N Applications
- Trended over time
- Visually stacked
- Identify spikes

Comprehensive Reporting
- Application Reports: response time, utilization
- Site Reports: response time, WAN utilization, top users, apps, etc.
- Host Reports: top talkers, listeners, DSCPs, etc.
- Advanced Protocol Support: VoIP Reporting, WAN Optimization

AGENDA

Slides beyond this point are backup only.