
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2015’

Jul 08, 2015


Kaspersky Lab

For several years now, Kaspersky Lab’s Global Research and Analysis Team (GReAT) has been monitoring more than 60 threat actors responsible for cyber-attacks worldwide. By closely observing these groups, which appear to be fluent in many languages, including Russian, Chinese, German, Spanish, Arabic and Persian, we have put together a list of what seem to be the emerging threats in the APT world. We think these will play an important role in 2015 and deserve special attention. As a participant in the webinar, you will be the first to hear our detailed analysis of the trends.

The webinar was hosted by Costin Raiu, Director of GReAT at Kaspersky Lab, on December 11, 2014.
“If we can call 2014 ‘sophisticated’, then the word for 2015 will be ‘elusive’. We believe that APT groups will evolve to become stealthier and sneakier, in order to better avoid exposure. This year we’ve already discovered APT players using several zero-days, and we’ve observed new persistence and stealth techniques. We have used this to develop and deploy several new defense mechanisms for our users,” comments Costin Raiu.
Listen to the presentation: https://kas.pr/aptwebinar
Read the full report: https://kas.pr/ksb
Transcript
Page 1: Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2015’

Date: Thursday, December 11, 11 AM CET

Highlights:
• APT trends in 2014
• The merger of cybercrime and APT
• Fragmentation of bigger APT groups
• Evolving malware techniques
• New methods of data exfiltration
• APT arms race
• Advanced Persistent Threats mitigation

Kaspersky Lab webinar “APT Predictions for 2015”

Presenter: Costin Raiu, Director of Global Research and Analysis Team at Kaspersky Lab

Page 2

2015 APT Predictions

A look into the APT crystal ball

Page 3

GReAT: Elite Threats Research

Global Research and Analysis Team, since 2008

Threat intelligence, research and innovation leadership

Focus: APTs, critical infrastructure threats, banking threats, sophisticated targeted attacks

Page 4

Sophisticated threat discovery

Threat: Duqu
Classification: Cyber-espionage malware
Detection: September 2011
Active: Since 2010
Facts:
• Sophisticated Trojan
• Acts as a backdoor into a system
• Facilitates the theft of private information

Threat: Flame
Classification: Cyber-espionage malware
Detection: May 2012
Active: Since 2007
Facts:
• More than 600 specific targets
• Can spread over a local network or via a USB stick
• Records screenshots, audio, keyboard activity and network traffic

Threat: Gauss
Classification: Cyber-espionage malware
Detection: July 2012
Active: Since 2011
Facts:
• Sophisticated toolkit with modules that perform a variety of functions
• The vast majority of victims were located in Lebanon

Threat: miniFlame
Classification: Cyber-espionage malware
Detection: October 2012
Active: Since 2012
Facts:
• Miniature yet fully-fledged spyware module
• Used for highly targeted attacks
• Works as stand-alone malware or as a plug-in for Flame

Threat: Red October
Classification: Cyber-espionage campaign
Detection: January 2013
Active: Since 2007
Facts:
• One of the first massive espionage campaigns conducted on a global scale
• Targeted diplomatic and governmental agencies
• Russian-language text in the code

Threat: NetTraveler
Classification: Series of cyber-espionage campaigns
Detection: May 2013
Active: Since 2004
Facts:
• 350 high-profile victims in 40 countries
• Exploits known vulnerabilities
• Directed at private companies, industry and research facilities, governmental agencies

Threat: Careto / The Mask
Classification: Extremely sophisticated cyber-espionage campaign
Detection: February 2014
Active: Since 2007
Facts:
• 1000+ victims in 31 countries
• Complex toolset with malware, rootkit, bootkit
• Versions for Windows, Mac OS X, Linux
• Considered one of the most advanced APTs ever

Page 5

apt.securelist.com: the ‘Targeted Cyber-attack Logbook’ chronicles the complex cyber-campaigns, or APTs (advanced persistent threats), that have been investigated by the company’s Global Research and Analysis Team.

Page 6

APT Trends in 2014 were:
• Cost of entry decreasing
• More APT groups
• Emergence of cyber-mercenaries
• Supply chain attacks
• Larger operations & surgical strikes
• Critical infrastructure attacks
• “Wipers”, cyber-sabotage

What’s next?

Page 7

APT Predictions 2015

Page 8

The merger of cybercrime and APT

In a number of incidents, several banks were breached using methods straight out of the APT playbook.

Prediction: Targeted attacks directly against banks, not their users.

Page 9

Fragmentation of bigger APT groups

Recent exposure of APT groups (MSUpdater/PutterPanda, APT1/Comment Crew, Energetic Bear, Turla, Regin and NetTraveler) leads to fragmentation and the creation of new groups.

Prediction: More widespread attack base (more companies will be hit). Bigger companies will see attacks from a wider range of sources.

Page 10

Evolving malware techniques

[Chart: x64 users growth, 2010 to 2014, y-axis 0% to 60%]

More malware is being updated for 64-bit, including rootkits

Prediction: more sophisticated malware implants, enhanced evasion techniques and more use of virtual file systems

More advanced persistence techniques:
• Cross-platform persistence
• Network equipment, embedded devices, ICS

Page 11

New methods of data exfiltration

Page 12

New methods of data exfiltration

Prediction: more groups to adopt the use of cloud services in order to make exfiltration stealthier and harder to notice.

• Use of compromised trusted websites
• WebDAV
• DNS requests
• UDP
• ICMP
• Cloud
• …
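Of the channels on this slide, DNS is the one a defender can most readily hunt for, because UDP/53 is almost always allowed out and the stolen data has to be encoded into query names. The following is an added example, not code from the webinar or from Kaspersky Lab: a small heuristic detector that reads DNS query log lines and flags a client/parent-domain pair whose queries look like chunked, encoded data (long labels, high character entropy, many never-repeating subdomains, bulk record types). The log format, the thresholds, the IP addresses and the domain names are all assumptions constructed for the illustration.

```python
"""Heuristic detection of DNS-based data exfiltration in query logs.

Added example for the 'New methods of data exfiltration' slide; it is not
Kaspersky Lab code. Log format, thresholds and names are assumptions.
"""
import math
import re
from collections import defaultdict

# Assumed log format: "<timestamp> <client-ip> <qtype> <qname>" per line.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")

# Thresholds are illustrative assumptions; baseline them on your own traffic.
MAX_LABEL_LEN = 40          # a single DNS label this long is rare outside encoded data
MIN_ENTROPY = 3.5           # bits per character; hex/base32 chunks score well above this
MIN_UNIQUE_SUBDOMAINS = 4   # never-repeating names under one parent domain
BULK_QTYPES = {"TXT", "NULL", "CNAME"}  # record types that carry the most return data
MIN_REASONS = 2             # require two independent signals before alerting

# Constructed sample log (not real traffic): 10.1.2.3 is benign, 10.1.2.9 is
# sending 52-character encoded chunks plus a sequence number to c2-example.org.
SAMPLE_DNS_LOG = """\
2014-12-11T10:00:01Z 10.1.2.3 A www.example.com
2014-12-11T10:00:02Z 10.1.2.3 A mail.example.com
2014-12-11T10:00:03Z 10.1.2.3 AAAA cdn.example.com
2014-12-11T10:00:04Z 10.1.2.9 TXT bz7kq2mxvg4pl9ahj3nrtyw8cdkq2mxvg4pl9ahj3nrtyw8cdbz7.0001.upd.c2-example.org
2014-12-11T10:00:05Z 10.1.2.9 TXT 7kq2mxvg4pl9ahj3nrtyw8cdbzq2mxvg4pl9ahj3nrtyw8cdbz7k.0002.upd.c2-example.org
2014-12-11T10:00:06Z 10.1.2.9 TXT q2mxvg4pl9ahj3nrtyw8cdbz7kmxvg4pl9ahj3nrtyw8cdbz7kq2.0003.upd.c2-example.org
2014-12-11T10:00:07Z 10.1.2.9 TXT mxvg4pl9ahj3nrtyw8cdbz7kq2vg4pl9ahj3nrtyw8cdbz7kq2mx.0004.upd.c2-example.org
2014-12-11T10:00:08Z 10.1.2.9 TXT g4pl9ahj3nrtyw8cdbz7kq2mxvpl9ahj3nrtyw8cdbz7kq2mxvg4.0005.upd.c2-example.org
2014-12-11T10:00:09Z 10.1.2.3 A login.example.net
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty or single-symbol input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Split a query name into (parent domain, subdomain) with a last-two-labels
    approximation. Real deployments should consult the Public Suffix List so
    that e.g. 'example.co.uk' is not cut at 'co.uk'."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def analyze(log_text: str):
    """Aggregate queries per (client, parent domain) and return the pairs that
    show at least MIN_REASONS exfiltration signals, most suspicious first."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "long_labels": 0, "high_entropy": 0, "bulk": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the collector
        parent, sub = split_qname(rec["qname"])
        st = stats[(rec["client"], parent)]
        st["queries"] += 1
        if rec["qtype"] in BULK_QTYPES:
            st["bulk"] += 1
        if sub:
            st["subdomains"].add(sub)
            if any(len(label) > MAX_LABEL_LEN for label in sub.split(".")):
                st["long_labels"] += 1
            if shannon_entropy(sub.replace(".", "")) >= MIN_ENTROPY:
                st["high_entropy"] += 1

    alerts = []
    for (client, parent), st in stats.items():
        reasons = []
        if st["long_labels"]:
            reasons.append("long_labels")
        if st["high_entropy"] >= 2:
            reasons.append("high_entropy")
        if len(st["subdomains"]) >= MIN_UNIQUE_SUBDOMAINS:
            reasons.append("subdomain_fan_out")
        if st["bulk"] and st["bulk"] * 2 >= st["queries"]:
            reasons.append("bulk_record_types")
        if len(reasons) >= MIN_REASONS:
            alerts.append({"client": client, "domain": parent,
                           "queries": st["queries"], "reasons": reasons})
    return sorted(alerts, key=lambda a: (-len(a["reasons"]), -a["queries"]))


if __name__ == "__main__":
    for alert in analyze(SAMPLE_DNS_LOG):
        print(f"{alert['client']} -> {alert['domain']}: {alert['queries']} queries, "
              f"signals: {', '.join(alert['reasons'])}")
```

Requiring two independent signals is deliberate: anti-virus cloud lookups and CDNs legitimately emit long hexadecimal labels, so a single feature produces noise. Even so, treat the output as a hunting lead, not a verdict, and pair it with a per-client query-volume baseline and a policy that forces all endpoint DNS through an internal resolver you log; a host that resolves names directly against an external server is bypassing this collector entirely.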

Page 13

More countries join the cyber-arms race

Unusual languages seen in APTs: German, Old Italian, Spanish, Korean, French, Arabic

Prediction: Although we haven't yet seen APT attacks in Swedish, we do predict that more nations will join the “cyber-arms” race and develop cyber-espionage capabilities.

Page 14: Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2015’

PPrediction: With governments increasingly keen to “name and shame” attackers, we believe that APT groups will also carefully adjust their operations and throw false flags into the game.

Use of false flags

In 2014 we observed several “false flag” operations where attackers delivered “inactive” malware commonly used by other APT groups.

Page 15

Addition of mobile attacks

Prediction: in 2015, we anticipate more mobile-specific malware in APT attacks, with a focus on Android and jailbroken iOS.

[Figure: list of iOS hardware identifiers (iPhone1,1 through iPhone5,2 and iPad1,1 through iPad3,6) alongside the corresponding models (iPhone, iPhone 3G, iPhone 3GS, iPhone 4, iPhone 4 (CDMA), iPhone 4S, iPhone 5 (GSM), iPhone 5, iPad, iPad 2 (Wi-Fi/GSM/CDMA), iPad 3 (Wi-Fi/GSM), iPad 4 (Wi-Fi/GSM))]

Page 16

Targeting of hotel networks

Hotels provide an excellent way of targeting particular categories of people, such as company executives.

Prediction: in 2015, a few other groups might also embrace these techniques, but it will remain beyond the reach of the vast majority of APT players.

Page 17

APT+Botnet: targeted mass surveillance

In general, APT groups are careful to avoid making too much noise with their operations.

In 2014 we observed two APT groups (Animal Farm and Darkhotel) using botnets in addition to their regular targeted operations.

In addition to DDoS operations, botnets can also offer another advantage: a mass surveillance apparatus for a “poor country”.

Flame and Gauss, which we discovered in 2012, were designed to work as mass surveillance tools.

Prediction: in 2015 more APT groups will embrace this trend of combining precise attacks with noisy operations, and deploy their own botnets.

Page 18

Massive vs targeted: Darkhotel example

[Diagram: comparison of massive and targeted delivery; the only recoverable label is “e-mail”]

Page 19

Commercialization of APT attacks

Spyware sales cannot be controlled. Eventually, these dangerous software products end up in the hands of less trustworthy individuals or nations.

Prediction: A high-reward, low-risk business that will lead to the creation of more software companies focused on the “legal surveillance tools” market. In turn, these tools will be used for nation-on-nation cyber-espionage operations, domestic surveillance and maybe even sabotage.

Page 20

What about solutions?

How to defend your company against APTs in 2015

Page 21

APT Mitigation Strategy: Intelligence + Technology

Advanced Persistent Knowledge
• Kaspersky Lab GReAT intelligence reports on active campaigns: [email protected]
• Cybersecurity Training Services
• Malware Analysis Service
• Threat Data Feeds/Botnet Tracking

Advanced Technologies
• Kaspersky Security Network: instant reaction to the most recent threats
• Automatic Exploit Prevention (AEP) technology in Kaspersky Lab protection solutions: proactively blocks exploits used in targeted attacks
  Example 1: AEP proactively detected components of the Red October espionage campaign
  Example 2: AEP proactively blocked CVE-2013-3906 used in targeted attacks
• Whitelisting / Default deny mode

Page 22

Conclusions

• 2014 was a rather sophisticated and diverse year for APT incidents
• Kaspersky Lab discovered three zero-day vulnerabilities in 2014
• Exposed several APTs: Mask/Careto, Darkhotel, Machete, Epic Turla, Regin, Cloud Atlas
• The word for 2015 will be “elusive”
• APT groups will become concerned with exposure and will take more advanced measures to hide from discovery
• False flag operations

Page 23

QUESTIONS ?