Advanced Persistent Threat (APT) What is it? - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Advanced Persistent Threat (APT) What is it?
2
What is it?
  • Mandiant defines the APT as a group of
    sophisticated, determined and coordinated
    attackers that have been systematically
    compromising U.S. Government and Commercial
    networks for years. The vast majority of APT
    activity observed by Mandiant has been linked to
    China.
  • APT is a term coined by the U.S. Air Force in
    2006

3
APT
  • Advanced means the adversary can operate in the
    full spectrum of computer intrusion. They can use
    the most pedestrian publicly available exploit
    against a well-known vulnerability, or they can
    elevate their game to research new
    vulnerabilities and develop custom exploits,
    depending on the target's posture.
  • Persistent means the adversary is formally tasked
    to accomplish a mission. They are not
    opportunistic intruders. Like an intelligence
    unit they receive directives and work to satisfy
    their masters. Persistent does not necessarily
    mean they need to constantly execute malicious
    code on victim computers. Rather, they maintain
    the level of interaction needed to execute their
    objectives.
  • Threat means the adversary is not a piece of
    mindless code. This point is crucial. Some people
    throw around the term threat with reference to
    malware. If malware had no human attached to it
    (someone to control the victim, read the stolen
    data, etc.), then most malware would be of little
    worry (as long as it didn't degrade or deny
    data). Rather, the adversary here is a threat
    because it is organized and funded and motivated.
    Some people speak of multiple groups consisting
    of dedicated crews with various missions.

Source: Richard Bejtlich's Blog
4
Cyberattacks Push CSIS to Reach Out to Business
  • "Although Canada is relatively small compared
    with the U.S., intelligence officials have said
    that leading companies in several sectors
    (aerospace, biotech, oil, military and
    communications) make it attractive to foreign
    spies."
  • Globe and Mail, 2010.03.09

5
M-Trends Quotes
  • "The scale, operation and logistics of conducting
    these attacks against the government,
    commercial and private sectors indicates that
    they're state-sponsored."
  • "Superbly capable teams of attackers successfully
    expanded their intrusions at government and
    defence-related targets . . . to researchers,
    manufacturers, law firms, and even non-profits."
  • "The APT successfully compromises any target it
    desires. Conventional information security
    defences don't work. The attackers successfully
    evade anti-virus, network intrusion detection and
    other best practices. They can even defeat
    incident responders, remaining undetected inside
    the target's network, all while their target
    believes they've been eradicated."

6
Offence vs. Defence
  • "Given that the offence has the advantage of no
    legacy drag, the offence's ability to insert
    innovation into its product mix is unconstrained.
    By contrast, the CIO who does the least that can
    be gotten away with only increases the frequency
    of having to do something, not the net total work
    deficit pending." (Dan Geer on APT)
  • In other words:
    • Offence: No legacy drag
    • Defence: Expends work each day and never catches
      up

7
APT's Objectives
  • Political
    • Includes suppression of their own population for
      stability
  • Economic
    • Theft of IP, to gain competitive advantage
  • Technical
    • Obtain source code for further exploit
      development
  • Military
    • Identifying weaknesses that allow inferior
      military forces to defeat superior military forces

9
Targeting and Exploitation Cycle
10
Reconnaissance
  • In multiple cases, Mandiant identified a number
    of public website pages from which a victim's
    contact information was extracted and
    subsequently used in targeted social engineering
    messages.

11
Initial Intrusion into the Network
  • The most common and successful method has been
    the use of social engineering combined with email.
  • The spoofed email will contain an attachment or a
    link to a zip file. The zip file will contain one
    of several different intrusion techniques:
    • A CHM file containing malware
    • A Microsoft Office document exploit
    • Some other client software exploit, like an Adobe
      Reader exploit
  • The attackers typically operate late at night
    (U.S. time), between the hours of 10 p.m. and 4
    a.m. These times correlate to daytime in China.

12
Establish a Backdoor into the Network
  • "Attempt to obtain domain administrative
    credentials . . . Transfer the credentials out
    of the network"
  • The attackers then established a stronger
    foothold in the environment by moving laterally
    through the network and installing multiple
    backdoors with different configurations.
  • The malware is installed with system-level
    privileges through the use of process injection,
    registry modification or scheduled services.
  • Malware characteristics:
    • Malware is continually updated
    • Malware uses encryption and obfuscation
      techniques on its network traffic
    • The attackers' malware uses built-in Microsoft
      libraries
    • The attackers' malware uses legitimate user
      credentials so they can better blend in with
      typical user activity
    • Does not listen for inbound connections

13
Obtain User Credentials
  • The attackers often target domain controllers to
    obtain user accounts and corresponding password
    hashes en masse.
  • The attackers also obtain local credentials from
    compromised systems.
  • The APT intruders access approximately 40 systems
    on a victim network using compromised credentials.
  • Mandiant has seen from as few as 10 compromised
    systems to in excess of 150 compromised systems.
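Slides 11 and 13 together describe two things a defender can look for: one set of credentials reaching many hosts (roughly 40 systems per victim network) and activity concentrated between 10 p.m. and 4 a.m. U.S. time. The following is an added example, not part of the presentation: it runs a sliding-window count of distinct destination hosts per account over a constructed sample of network logon events and notes how many of those logons fall in the off-hours window. Field layout and account names are assumptions, not any vendor's schema.

```python
# Added example (not from the slides): flag an account that authenticates to
# many distinct hosts in a short window, and count off-hours logons.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of network logons (e.g. Windows event 4624, logon type 3):
# (local U.S. timestamp, account, destination host).
EVENTS = [
    ("2010-03-09 23:05:00", "CORP\\svc_backup", "FS01"),
    ("2010-03-09 23:06:30", "CORP\\svc_backup", "FS02"),
    ("2010-03-09 23:08:10", "CORP\\svc_backup", "WKS-CFO"),
    ("2010-03-09 23:09:45", "CORP\\svc_backup", "WKS-CEO"),
    ("2010-03-09 23:11:00", "CORP\\svc_backup", "DC01"),
    ("2010-03-09 23:12:20", "CORP\\svc_backup", "MAIL01"),
    ("2010-03-10 09:15:00", "CORP\\jsmith", "FS01"),
    ("2010-03-10 09:40:00", "CORP\\jsmith", "MAIL01"),
]

OFF_HOURS_START, OFF_HOURS_END = 22, 4   # 10 p.m. to 4 a.m., per slide 11

def is_off_hours(ts):
    """True between 22:00 and 04:00 local time (the range wraps midnight)."""
    return ts.hour >= OFF_HOURS_START or ts.hour < OFF_HOURS_END

def detect_spread(events, max_hosts=3, window=timedelta(minutes=30)):
    """Return {account: (distinct_hosts, off_hours_logons)} for every account
    that reaches more than max_hosts distinct hosts inside any sliding window."""
    per_account = defaultdict(list)
    for ts, account, host in events:
        per_account[account].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host))
    findings = {}
    for account, rows in per_account.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:   # shrink window from the left
                start += 1
            hosts = {h for _, h in rows[start:end + 1]}
            if len(hosts) > max_hosts:
                off = sum(is_off_hours(t) for t, _ in rows[start:end + 1])
                prev = findings.get(account, (0, 0))
                findings[account] = (max(prev[0], len(hosts)), max(prev[1], off))
    return findings

if __name__ == "__main__":
    for acct, (n, off) in detect_spread(EVENTS).items():
        print(f"{acct}: {n} distinct hosts within 30 min, {off} off-hours logons")
```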

14
Install Various Utilities
  • Programs' functionality includes:
    • Installing backdoors
    • Dumping passwords
    • Obtaining email from servers
    • Listing running processes
    • Many other tasks
  • More malware characteristics:
    • Only 24% detected by security software
    • Utilize spoofed SSL certificates
      (e.g. Microsoft, Yahoo)
    • Most NOT packed
    • Common file names
      (e.g. svchost.exe, iexplore.exe)
    • Malware in sleep mode from a few weeks to a few
      months to up to a year
    • Target executives' systems
    • Use of a stub file to download malware into
      memory (minimal forensic footprint)
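The slide notes that the malware is mostly unpacked and hides behind common Windows file names such as svchost.exe and iexplore.exe. A name alone is not evidence, but a well-known name running from an unexpected directory or under an unexpected parent process is. The following is an added example, not part of the presentation: it checks a constructed process snapshot against the usual Windows locations and parents for those two names. The expected paths and parents are standard Windows defaults; the process list is constructed.

```python
# Added example (not from the slides): find processes whose name matches a
# well-known Windows binary but whose path or parent does not match the real one.
EXPECTED = {
    # name: (allowed directories, allowed parent process names), all lower-case
    "svchost.exe":  ({r"c:\windows\system32", r"c:\windows\syswow64"}, {"services.exe"}),
    "iexplore.exe": ({r"c:\program files\internet explorer",
                      r"c:\program files (x86)\internet explorer"},
                     {"explorer.exe", "iexplore.exe"}),
}

# Constructed process snapshot: (pid, name, full path, parent process name).
PROCESSES = [
    (612,  "services.exe", r"C:\Windows\System32\services.exe", "wininit.exe"),
    (820,  "svchost.exe",  r"C:\Windows\System32\svchost.exe",  "services.exe"),
    (3344, "svchost.exe",  r"C:\Users\Public\svchost.exe",      "cmd.exe"),
    (4120, "iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe", "explorer.exe"),
    (4488, "iexplore.exe", r"C:\Windows\Temp\iexplore.exe",     "svchost.exe"),
    # right path, but spawned by a document viewer: consistent with process injection
    (5100, "svchost.exe",  r"C:\Windows\System32\svchost.exe",  "winword.exe"),
]

def find_masquerades(processes, expected=EXPECTED):
    """Return [(pid, name, reason)] for processes whose name is in `expected`
    but whose directory or parent is not one of the legitimate ones."""
    hits = []
    for pid, name, path, parent in processes:
        rule = expected.get(name.lower())
        if rule is None:
            continue                      # not a name we have a baseline for
        dirs, parents = rule
        directory = path.lower().rsplit("\\", 1)[0]
        if directory not in dirs:
            hits.append((pid, name, f"unexpected path {path}"))
        elif parent.lower() not in parents:
            hits.append((pid, name, f"unexpected parent {parent}"))
    return hits

if __name__ == "__main__":
    for pid, name, reason in find_masquerades(PROCESSES):
        print(f"PID {pid} {name}: {reason}")
```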

15
Privilege Escalation / Lateral Movement / Data Exfiltration
  • Once a secure foothold has been established:
    • Exfiltrate data such as emails and attachments,
      or files residing on user workstations or project
      file servers
    • The data is usually compressed and put into a
      password-protected RAR or Microsoft Cabinet file.
    • They often use staging servers to aggregate the
      data they intend to steal
    • They then delete the compressed files they
      exfiltrated from the staging servers.

16
Maintain Persistence
  • As the attackers detect remediation, they will
    attempt to establish additional footholds and
    improve the sophistication of their malware

17
Preparation and Detection
  • Preparation
    • Follow industry compliance guidelines
    • Robust logging
    • Servers and workstations will be more secure
    • User credentials will be harder to crack
    • Security appliances will be strategically
      distributed
  • Detection
    • "You have to be able to look for complex
      signs of compromise, integrate host-based and
      network-based information and go far beyond
      simple anti-virus and network intrusion
      detection. You need to look inside packets,
      files, e-mail and even live memory of systems
      that are still running."

18
What Can We Do?
  • Your network MUST be:
    • Defensible
    • Hostile
    • Fertile

19
Defensible
  • You need near-real-time access to:
    • Active Directory
    • DHCP
    • VPN
    • Web Proxy
    • IDS/IPS
    • Firewall/Router ACL
    • HIDS/HIPS
    • Antivirus
    • Server Event Logs
    • Workstation Event Logs
    • Software Management
    • Vulnerability Scans

20
Defensible
  • Know the boundaries of your network
    • Where it begins and where it ends
  • Know what should be in your network
  • Segment your network and use DMZs
  • Where there is a firewall, there should also be
    an IDS and network monitoring
  • Standardize your hardware and software
  • Know where accounts authenticate

21
Hostile
  • Baseline network traffic
  • Do not allow public facing devices to connect
    directly to internal domain controllers
  • Limit administrative privileges to users
  • Develop data collection and analysis guidelines
    that help in decreasing the amount of time an
    attacker goes undetected

GOAL: Make it as difficult as possible for an
attacker to compromise and reside in your network
22
Fertile
  • Your network should be a breeding ground of
    forensic and investigative data:
    • Proxy Logs
    • Authentication Logs
    • IDS Alerts
    • Host-based Logs
    • Firewall Logs
    • Full Content Traffic Captures
    • Netflow

23
Investigation Required Info
  • Develop an overview of enterprise infrastructure
    • List of all DNS/DHCP servers
    • List of all Internet points of presence
    • List of all VPN concentrators
    • Network diagram of core network infrastructure
    • Compile the rule set of core firewalls
    • Ensure GPO(s) log failed and successful log-on
      attempts
    • Ensure all items are logged centrally
  • Centralize the storage of key logs
    • Integrate key logs (firewall, VPN, DHCP, DNS,
      etc.) into a SIEM
    • At a minimum, store key logs in a central location
  • Implement robust logging
    • Ensure both Success and Failure audits are being
      logged on all systems
    • Increase the amount of storage for logs so they
      are not overwritten
    • AV and IDS to centralized logging utility
    • Firewall traffic logs to centralized utility
      (packet contents not required)
    • Web Proxy (date/time, hostname and IP address
      pairing, URL browsed info)
    • VPN Concentrators (hostname and IP address
      pairing, date/time)
    • DHCP (hostname and IP address pairing, date/time)
    • DNS (queried domain name and system performing
      the query)

24
Initial DATA Collection Timeframe
25
Desired Data Analysis Timeframe
26
Mandiant Intelligent Response
  • Combating the APT is a protracted event,
    requiring a sustained effort to rid your networks
    of the threat. Therefore, the APT requires the
    victim organization to perform the following
    tasks more rapidly, efficiently, and effectively:
    • Detect compromised systems
    • Collect evidence
    • Analyze data
    • Remediate threats

27
Another Approach - Awareness
  • Not really an either/or scenario.
  • The APT history shows an initial entry vector to
    the network through spear phishing.
  • It's MUCH easier to gain entry by tricking
    an employee into clicking on a link than to finesse your
    way through a firewall.
  • The following is one example of a good awareness
    program for enlightening your staff to the
    dangers of spear phishing.

28
What is PhishMe.com?
  • Web-based platform that facilitates the execution
    of mock phishing exercises and user awareness
    training
  • Easy Setup
  • Real Metrics
  • Targeted Awareness Training
  • We do NOT collect or store passwords; we only
    detect whether they were entered

29
Easy Setup
30
Real Metrics
31
Measuring Improvement
  • 24,000 employees
  • 3 times in a 12 month period
  • Significant Improvement

32
Targeted Awareness Training
  • Employees found to be susceptible can
    immediately be redirected to:
    • Internal corporate training websites
    • PhishMe's built-in educational message
    • PhishMe's educational comic strip
    • A generic message non-indicative of the underlying
      activity

33
What It Boils Down To
  • Mining publicly available information
  • Executing a spear phish
  • Pushing malware to the victim machines
  • Advanced
    • Bypasses Anti-Spam/Anti-Phishing/Anti-Virus
    • Difficult to detect (little to no footprint in
      the file system)
  • Persistent
    • Dynamically evolves (polymorphic)

34
Proven Results
  • 10,000 employees phished
    • First run: 75% opened the email, 17% clicked the
      link
    • Second run: ONLY 8% opened the email
  • 500 cadets phished
    • 80% found vulnerable

Source: Wall Street Journal
35
We Were Forewarned
36
Conclusion
  • The APT is everyone's problem. No target is too
    small, or too obscure, or too well-known, or too
    vulnerable. It's not spy-vs.-spy, but
    spy-vs.-everyone.
  • This is a war of attrition against an enemy with
    extensive resources. It is a long fight, one that
    never ends.
  • They steal information to achieve economic,
    political and strategic advantage.
  • They establish and maintain an occupying force in
    their targets' environment.
  • They steal between $40 billion and $50 billion in
    intellectual property from U.S. organizations
    each year.

37
The Last Word to Kevin Mandia
As attacks have migrated from targeting systems
via exploits to targeting people, security
breaches are growing in number and
sophistication. Therefore, it is no longer
acceptable to rely exclusively on preventative
measures . . .
38
Sources of Information
39
Contact Info
Rick Lee CISSP, EnCE, CHFI, CEH, CEI
C.S.I. Services Inc.
(306) 949-6125 - Office
(306) 591-4514 - Cell
rick.lee_at_sasktel.net
www.csiservices.ca