Advanced Persistent Threat - Evaluating Effective Responses

Advanced Persistent ThreatsEvaluating Effective Responses

strategies for organizations and their impactGarve Hays, Solutions Architect

© 2012 NetIQ Corporation. All rights reserved.2

Persistence

“Nothing in the world can take the place of

Persistence. Talent will not; nothing is more common

than unsuccessful men with talent. Genius will not;

unrewarded genius is almost a proverb.

Education will not; the world is full of educated

derelicts. Persistence and determination alone are

omnipotent.”

Calvin Coolidge


Introduction

• Today we will:

– Examine why Advanced Persistent Threats (APTs)

are a problem (really)

– Look at what has NOT worked

– Examine what can work

– Provide some practical next steps

What is an APT?


Advanced Means…

…they have a plan


P is for Persistent

Long haul…


What do you have to lose?

All your base are belong to us…


What Are APTs?

• They are highly targeted attacks

• A long-term pattern of unauthorized computer system intrusions

• Advanced – not necessarily leading edge,

– Sophisticated

– With structure

– They have a plan

• Persistent – the perpetrators are in no rush

– Patient

• Threat – the goal is to establish a beachhead or ex-filtrate

information


Not Every Attack is an APT

• Don’t confuse them with random thieves

– Smash and grab

– Dude check out the new Metasploit

• Important to understand the difference

between opportunistic attackers and

APTs


Not Always State-Sponsored


The Mandiant Study

http://intelreport.mandiant.com/

“Our evidence indicates that

APT1 has been stealing

hundreds of terabytes of data

from at least 141

organizations across a

diverse set of industries

beginning as early as 2006.”

“Once the group establishes

access to a victim’s network,

they continue to access it

periodically over several

months or years to steal large

volumes of valuable

intellectual ...”

http://intelreport.mandiant.com/


Loss of

Intellectual

Property

The loss of industrial

information and

intellectual property

through cyber espionage

constitutes the "greatest

transfer of wealth in

history”

Gen. Keith Alexander,

NSA Director


What Do They Look Like?


What Do They Look Like

• Typical Attacks Utilize:

– Email (phishing)

– Community portals (“watering hole”)

– Dropbox

– Portable media (USB thumb drive)



Plausible Email Messages


Plausible Email Messages


Top Words Used in Spear Phishing Attacks

http://www.fireeye.com/resources/pdfs/fireeye-top-spear-phishing-words.pdf


• Why is Jo on the system at 3 AM? I know she’s a

hard worker and all…

• Why is the CPU usage spiking on the order-entry

server?

• Is the sales team really using an open Dropbox

account? Don’t we have a policy against that?


Low-Hanging Fruit First…

• Attackers are not going to use a 0-day if they don’t

have to

• Vulnerabilities against Java 7 Update 21 and Java 6

Update 45

• Already in exploit kits

Examples


6 months in duration, ending in December, 2009

First publicly disclosed in January, 2012

Google

Adobe Systems

Juniper Networks

Rackspace

Also targets, according to

media reports

Yahoo

Symantec

Northrop Grumman

Morgan Stanley

Dow Chemical

Operation Aurora


Cyber Attacks

Started in mid 2006

United Sates

Canada

South Korea

The UN

International Olympic

Committee

12 US defense

contractors

At least 72 organizations

Operation Shady RAT


Drone Contractor Breached

“Earlier this week, Bloomberg reported that

QinetiQ, a high tech defense contractor

specializing in secret satellites drones and

software used by U.S. special forces, was the

victim of a sustained cybersecurity breach for

several years starting in 2007.”

http://thinkprogress.org/security/2013/05/03/1958871/contractors-

outsource-cybersecurity-hacked/

http://thinkprogress.org/security/2013/05/03/1958871/contractors-outsource-cybersecurity-hacked/


Why Are They A Problem?

• Difficult (if not impossible to keep out)

• Target saleable information

• Very good at long term penetration

• Traditional techniques do not keep them out


This isn’t working…


What Hasn’t Worked?

• Perimeter based defenses

• Malware scanning

• Anti-virus

• Employee Training

• IDS

• In reality -


What Hasn’t Worked?

• Perimeter based defenses

• Malware scanning

• Anti-virus

• Employee Training

• IDS

• In reality -

YOU WILL NOT KEEP THEM OUT


Better Approach

• Plan on being compromised

• Get the basics right

• Have a policy and a response plan

• Look for activity and changes, not tools

– Build a baseline

– Harden systems (patch and best practice configurations)

– Manage your privileged users

– Monitor for activity that looks suspicious*


A Recipe…

Implement

policies/plans

Enforce

with

technology

Know what

you’ve gotKnow how

it’s at risk

Refine and

repeat

Know what you’ve got

Understand how it’s at risk

Implement reasonable policies & processes

Enforce with technology

Refine and repeat over time


Identify and Protect Critical Data

• Finding the data

– Data may be in files, on physical media, in databases, or in

the cloud.

– Most breaches involve data that the victim did not know was

there.

• Categorizing data

– What data is sensitive and at risk?

• Monitoring access

– Can I identify abnormal access?

– Who is really accessing the information?


Control and Monitor Privileged Access

• Monitor system and file integrity

– Changes to key system files.

– Modification of rarely accessed data.

• Investigate unusual changes

– Changes to key system files.

– Modification of rarely accessed data.

• Audit individual actions

– Focus on privileged and “high risk”

users/accounts.


Capture and Monitor Log Data

• Security and network devices generate lots of data

– OS, Network, Virtual, P&A, User Activity, DAM, IAM.

• Compliance mandates capture and review of logs

• Logs can often provide early warning signs

– 82% of the time, evidence was visible in logs beforehand.

• Failure to monitor is costly

– Breaches often go undiscovered and uncontained for weeks

or months.


What We See

Organizations are most successful when they:

– Adopt a pragmatic approach

– Prioritize monitoring around data – data centricity is key

– Include identity and access monitoring

– Tie as much together as possible to integrate information

– Filter and enrich monitoring of activity


• Develop policy

• Understand what critical data you need to protect and

where it is stored

• Focus resources around protecting inside the

perimeter

• Layer defenses inside to slow down attackers

• Monitor for unusual activity

• Reduce your privileged user attack surface

• Create, agree, and OWN a response plan

Next Steps


NetIQ Can Help

• Provide expertise and experience in Identity, Access

Management and Security Management

• Help reduce number of privileged users

• Reduce and manage privileges

• Monitor users and look for unusual activity

• Provide visibility into access rights to critical resources

• Harden systems against attackers

© 2010 NetIQ Corporation. All rights reserved.

Security & Compliance

Identity & Access

Performance & Availability

3737 © 2010 NetIQ Corporation. All rights reserved.

Our Areas of Focus and Expertise

• Manage and audit user entitlements

• Track privileged user activity

• Protect the integrity of key systems and files

• Monitor access to sensitive information

• Simplify compliance reporting • Monitor and manage heterogeneous environments including custom applications

• IT Service validation and end-user performance monitoring

• Dynamic provisioning of large-scale monitoring with exceptions

• Functional and hierarchical incident escalation

• Deliver and manage differentiated service levels

• User Provisioning Lifecycle Management

• Centralize Unix account management through Active Directory

• Reduce number of privileged users

• Secure delegated administration

• Windows and Exchange migration

© 2010 NetIQ Corporation. All rights reserved.

Image Credits

38

http://commons.wikimedia.org/wiki/File:Calvin_

Coolidge,_bw_head_and_shoulders_photo_po

rtrait_seated,_1919.jpg

http://www.flickr.com/photos/seattlemunicipalar

chives/4459827777

http://www.flickriver.com/photos/12567713@N

00/44514786/

http://garyckarntzen.deviantart.com/art/Chines

e-Flag-Wallpaper-196092557

http://commons.wikimedia.org/wiki/File:Keith_

B._Alexander_official_portrait.jpg

http://www.worth1000.com

http://commons.wikimedia.org/wiki/File:Oppstilling-2.jpg

http://en.wikipedia.org/wiki/File:Barney_Oldfield%27s_R

ace_for_a_Life.jpg

http://www.flickr.com/photos/crazyeddie/2916193420/

http://www.flickr.com/photos/mookitty/2375679549/

http://commons.wikimedia.org/wiki/File:IllegalFlowerTrib

ute1.jpg

Business

Advanced Persistent Threat - Evaluating Effective Responses