You're fighting an APT with what exactly?
Steve Armstrong, Technical Director, Logically Secure
Who is this guy?
• Ex RAF Information Security specialist (17 years)
• I was in Cyber before they actually called it Cyber
• Technical Director at Logically Secure (8+ years)
• Doing Forensics & IR for over 8 years
• We support data centres, engineering companies, online (FPS) gaming studios, recording labels and HMG
• SANS Instructor (DFIR/Pentesting)
• One of the brains behind CyberCPR
What I should cover (E&OE)
• What are you looking for?
• Common network configurations
• Why these common configurations don’t work
• What/who are you using to look for evil stuff?
• How do your attackers work? Where is the overlap?
• How do you react?
• How do you coordinate and plan your reaction
Key questions
• Who
• Where
• What
• Why
• When
• How
Let's do 'how often' first…
Source: UK BIS and PWC 2014 Information Security Breaches Survey (http://www.pwc.co.uk/assets/pdf/cyber-security-2014-technical-report.pdf)
Now the 'who'
• The "shits and giggles" crews or pissed off users
• e.g. 4chan/Lulzsec
• Hacktivism
• Anonymous, Pakistani or Indian hacker groups
• Cybercrime
• Roman Valerevich Seleznev (Track2) - stole est. $2M
• Hector Xavier Monsegur (Sabu) - started hacking to get cash to pay his rent
• Cyber-espionage
• For Government level Secrets
• For industrial or technological advantage
What toys do 'they' have
Automation of the attacks: exploit kits in the matrix include Gong Da, Zhi Zhu, Nuclear, Incognito, Phoenix, Blackhole Exploit Kit, Sakura Exploit Pack, Eleonore, Yang Pack, Techno, XPack, Siberia, Siberia Private, Zero, Merry Christmas, LinuQ, Sava / PayOC, Best Pack, Bomba, Papka, Open Source / MetaPack, mushroom, Robopak, Katrin, Bleeding Life, CRIMEPACK, T-iframer, Tornado, SEO Sploit Pack, Zombie Infection kit, Lupit, Salo, Unique Pack Sploit 2.1, Yes Exploit, iPack, El Fiesta, Icepack, Mpack, Webattack.
Matrix of capabilities
Table from: http://contagiodump.blogspot.co.uk/ Wanted image from: http://www.kahusecurity.com/ With many thanks!
What do APTs have to play with?
Now the 'where'
Let's talk about your network (this one is for managers…)
Did you ever ask for a secure LAN?
• Included security in the list of system requirements
• Priced the line items and checked they were appropriate
• Required evidence of delivery
• Tested robustness and correctness post-installation
If you haven't asked for it, why would you expect your provider to take risks, decrease his margin and deviate from the specification? Thus if you didn't ask for it, you won't get it.
So what did you ask for? A barrier (firewall) and a DMZ?
• Building Internet Firewalls (page 105): http://www.amazon.co.uk/Building-Internet-Firewalls-Elizabeth-Zwicky/dp/1565928717
What else did we have in 2000?
It's often just poor configuration
So you're fighting an APT with…
• Architecture concepts conceived when your Domain Controller had less memory and CPU power than your phone has now
Then came…
The UTM* <cue dramatic music>
*Unified Threat Manager/Management
The UTM is sold as a simple solution
• However, to quote Wikipedia:
So you're fighting an APT with…
• A single simple solution aimed at…
• Compliance
• No great #winning story ever started:
"We were doing some compliance activities and ….".
Let's come back to the future…
People now have….
• Web monitoring
• NetFlow
• Attachment analysis (sandbox)
• Full packet captures
• Internet end-point reputational checking
But where is it placed? The answer is usually on the boundary.
Why this is bad
• Previously each install of malware phoned home
• Malware and APTs are changing
• Attackers are becoming more stealthy
• Still using standard deployment techniques
• Moving C&C servers
• More 'covert' channels
[Diagram: Previously. UTM on the boundary; malware C&C in clear HTTP, caught by an HTTP traffic signature or a known-bad domain. "Boss, we got a problem!"]
But things have moved on past 2000
[Diagram: Now. UTM on the boundary; malware talks to the internal DNS server, which forwards to public DNS. ??? then !!!]
[Diagram: Now. UTM on the boundary; C&C carried over UDP port 53.]
In recent months we have seen
• The likes of PlugX/Kaba using:
• Internal peer-to-peer comms over UDP port 53
• DNS ports for in-clear UDP C&C updates
• UDP to the HTTPS (443) port
• Domains switching from safe to unsafe for minutes at a time
• Heavy use of *update* and honest-sounding domains
• zipupdate.com, win7update.com, ibmupdate.com
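As an added example that is not from the talk: a small triage over constructed NetFlow-style records that flags the patterns the slide describes (internal host-to-host UDP/53, UDP/53 that bypasses the resolver, UDP to 443) and 'update'-style lookalike domains. The internal address range, the resolver address and the allow-list of genuine update domains are assumptions.

```python
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")           # assumed corporate address range
DNS_RESOLVERS = {"10.0.0.53"}                     # assumed internal resolvers
KNOWN_UPDATE_DOMAINS = {"windowsupdate.com"}      # assumed allow-list of real update hosts

# Constructed NetFlow-style records: (src, dst, proto, dst_port, bytes, queried_domain)
SAMPLE_FLOWS = [
    ("10.0.1.20", "10.0.0.53", "udp", 53, 120, "intranet.example.com"),  # normal lookup
    ("10.0.1.20", "10.0.1.35", "udp", 53, 9800, None),    # host-to-host on 53
    ("10.0.1.35", "203.0.113.7", "udp", 53, 4200, None),  # resolver bypassed
    ("10.0.1.35", "203.0.113.7", "udp", 443, 3100, None), # UDP to the HTTPS port
    ("10.0.1.20", "10.0.0.53", "udp", 53, 90, "win7update.com"),  # honest-sounding
    ("10.0.1.20", "198.51.100.9", "tcp", 443, 55000, None),       # ordinary HTTPS
]

def is_internal(addr):
    return ip_address(addr) in INTERNAL_NET

def looks_like_update_domain(domain):
    """True for registered names such as win7update.com that are not known vendors."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    return "update" in labels[-2] and ".".join(labels[-2:]) not in KNOWN_UPDATE_DOMAINS

def classify(flow):
    """Return the reasons an analyst should look at this flow (empty if none)."""
    src, dst, proto, port, _nbytes, domain = flow
    reasons = []
    if proto == "udp" and port == 53:
        if is_internal(dst) and dst not in DNS_RESOLVERS:
            reasons.append("udp/53 between internal hosts, not to a resolver (P2P C&C?)")
        elif not is_internal(dst) and src not in DNS_RESOLVERS:
            reasons.append("udp/53 straight to an external host, resolver bypassed")
    if proto == "udp" and port == 443:
        reasons.append("udp/443: TLS is TCP, so this is a covert UDP channel")
    if domain and looks_like_update_domain(domain):
        reasons.append(f"'update' lookalike domain: {domain}")
    return reasons

def scan(flows):
    """Map each suspicious flow to its reasons; clean flows are dropped."""
    findings = {}
    for flow in flows:
        reasons = classify(flow)
        if reasons:
            findings[flow] = reasons
    return findings
```

Run against real flow exports, the udp/53 rules only hold if every client is configured to use the internal resolvers; otherwise the resolver set needs to be widened first.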
Let's look at your team
Tools != Capability (always remember this when the salesman is encouraging you to sign the contract)
Good tools are a bonus only if you have skills to really use them
Beautiful walnut handled chisel set
Perceived skills vs Actual capability
http://www.youtube.com/watch?v=K4elZ_T9Ulo
TV does not represent real life!
Not so much CSI… more like…
Team composition:
• Velma (the guru)
• Fred and Daphne (managers?)
• Shaggy & Scooby (the funny ones)
Which are you?
But we ask those that build the corporate network… the tribal leaders…
Tribal leaders…..
To quote Sun Tzu…
• "If you know the enemy and know yourself, you need not fear the result of a hundred battles.
• If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.
• If you know neither the enemy nor yourself, you will succumb in every battle."
Mature IR team
Developing IR team
New or bad IR team
But, if you don't understand the attacker, how can you orientate yourself to their plans and thus pre-empt their actions?
Why do we care who is attacking us… just make them stop!
So what do you do?
• Architect your network for today, not circa 2000
• Deploy detection in network not on the boundary
• Don’t rely upon Tribal Leaders to be your only source of intelligence on attackers
• Centralise your intelligence, coordinate your response
• Monitor your Operational Security for signs you are leaking information of your plans to your enemy.
If you want more help:
• Logically Secure: Testing/IR Support and Advice
• CyberCPR Development Team:
• Drew John
• Ed Tredgett @edtredgett
• Mike Antcliffe @mantcliffe
• Steve Armstrong @nebulator
• Email: [email protected]
• Twitter: @cybercpr
• Want some more?
• 28 April (it's a Tuesday)
• http://44con.com