You're fighting an APT with what exactly?

ST EVE AR MST R ONGT E CHNICAL DIR E CTOR LO G ICA LLY SE CUR E

Who is this guy?• Ex RAF Information Security specialist (17 years)

• I was in Cyber before they actually called it Cyber

• Technical Director at Logically Secure (8+ years)

• Doing Forensics & IR for over 8 years

• We support data centres, engineering companies, online (FPS) gaming studios, recording labels and HMG

• SANS Instructor (DFIR/Pentesting)

• One of the brains behind CyberCPR

What I should cover (E&OE)• What are you looking for?

• Common network configurations

• Why these common configurations don’t work

• What/who are you using to look for evil stuff?

• How do your attackers work? Where is the overlap?

• How do you react?

• How do you coordinate and plan your reaction

Key questions

• Who

• Where

• What

• Why

• When

• How

Lets do 'how often' first…..

Source: UK BIS and PWC 2014 Information Security Breaches Survey (http://www.pwc.co.uk/assets/pdf/cyber-security-2014-technical-report.pdf)

Lets do 'how often' first…..

Source: UK BIS and PWC 2014 Information Security Breaches Survey (http://www.pwc.co.uk/assets/pdf/cyber-security-2014-technical-report.pdf)

Lets do 'how often' first…..

Source: UK BIS and PWC 2014 Information Security Breaches Survey (http://www.pwc.co.uk/assets/pdf/cyber-security-2014-technical-report.pdf)

Now the 'who'• The "shits and giggles" crews or pissed off users

• e.g. 4chan/Lulzsec

• Hacktivism

• Anonymous, Pakistani or Indian hacker groups

• Cybercrime

• Roman Valerevich Seleznev (Track2) - stole est. $2M

• Hector Xavier Monsegur (Sabu) - started hacking to get cash to pay his rent

• Cyber-espionage

• For Government level Secrets

• For industrial or technological advantage

What toys do 'they' have

Automation of the Attacks

Gong Da

Zhi Zhu

Nuclear

Incognito

Phoenix

Blackhole Exploit Kit

Sakura Exploit Pack

EleonoreYang Pack

Techno

XPack

Siberia

Siberia PrivateZero

Merry ChristmasLinuQ

Sava / PayOC

Best PackBomba

PapkaOpen Source / MetaPack

mushroom

Robopak

Katrin

Bleeding Life

CRIMEPACK

T-iframer

TornadoSEO Sploit Pack

Zombie Infection kit

Lupit

Salo

Unique Pack Sploit 2.1

Yes Exploit

iPack

El Fiiesta

Icepack

Mpack

Webattack

Matrix of capabilities

Table from:http://contagiodump.blogspot.co.uk/Wanted Image from:http://www.kahusecurity.com/With many thanks!

Table from:http://contagiodump.blogspot.co.uk/Wanted Image from:http://www.kahusecurity.com/With many thanks!

What do ATPs have to play with?

Now the where 'where'

Lets talk about your networkT HIS ONE IS FOR MANAG ERS……

Did you ever ask for a secure LAN?

• Included security in the list of system requirements

• Priced the line items and checked they were appropriate

• Required evidence of delivery

• Tested robustness and correctness post-installation

Did you ever ask for a secure LAN?

If you haven't asked for it, why would you expect your provider to:

take risks, decrease his margin and deviate from the specification?

Thus if you didn’t ask for it,you wont get it.

So what did you ask for?A BAR R IER (FIR EWALL) AND A DMZ ?

• http://www.amazon.co.uk/Building-Internet-Firewalls-Elizabeth-Zwicky/dp/1565928717

Building Internet Firewalls (page 105)

What else did we have in 2000?

It's often just poor configuration

=

So you're fighting an APT with…….

• Architecture concepts conceived when your Domain Controller had less memory and CPU power than your phone has now

Vs

Then came……….

THE UTM* < QUE UE DR A MAT IC MUSIC>

*Unified Threat Manager/Management

The UTM is sold as a simple solution

• However, to quote Wikipedia:

So you're fighting an APT with…….• A single simple solution aimed at…..

• Compliance

• No great #winning story ever started:

"We were doing some compliance activities and ….".

Lets come back to the future…

People now have….

• Web monitoring

• NetFlow

• Attachment analysis (sandbox)

• Full packet captures

• Internet end-point reputational checking

But where is it placed?T HE ANSWER IS USUALLY ON T HE BOUNDAR Y

Why this is bad

• Previously each install of malware phoned home

• Malware and APTs are changing

• Attackers are becoming more stealthy

• Still using standard deployment techniques

• Moving C&C servers

• More 'covert' channels

Previously

UTM

Malware C&C in clearhttp traffic signatureDomain known bad

Previously

UTM

Malware C&C in clearhttp traffic signatureDomain known bad

Boss we got a

problem!

But things have moved on past 2000

Now…

UTM

DNS

Public DNS

???

Now…

UTM

DNS

Public DNS

!!!

Now…

UTM

UDP port 53

In recent months we have seen

• The likes of PlugX/Kaba using:

• Internal peer-to-peer comms using UDP port 53

• DNS ports for in clear UDP C&C updates

• UDP of https (443) ports

• Domains switching from safe to unsafe for minutes

• Heavy use of *update* and honest sounding domains

• zipupdate.com, win7update.com, ibmupdate.com

Let's look at your team

Tools != CapabilityA LWAYS R E ME MBE R T HIS WHE N T HE SALESMAN IS ENCOUR AGING YOU TO SIG N T HE CO NT R ACT

Good tools are a bonus only if you have skills to really use them

Beautiful walnut handled chisel set

Perceived skills vs Actual capability

http://www.youtube.com/watch?v=K4elZ_T9Ulo

TV does not represent real life!

Not so much CSI…… more like….

Not so much CSI…… more like….

Team composition:• Velma (the guru)• Fred and Daphne

(Managers?)• Shaggy & Scooby (the

funny ones)

Which are you?

But we ask those that build the corporate networkO O O O O O T HE T R IBAL LEADER S…….

Tribal leaders…..

To quote Sun Tzu…..

• “If you know the enemy and know yourself, you need not fear the result of a hundred battles.

• If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.

• If you know neither the enemy nor yourself, you will succumb in every battle."

Mature IR Team

DevelopingIR Team

New or badIR Team

But, if you don’t understand the attacker how can you orientate yourself to their

plans and thus pre-empt their actions

Why do we care who is attacking us….. Just

make them stop!

UTM

So what do you • Architect your network for today not circa 2000

• Deploy detection in network not on the boundary

• Don’t rely upon Tribal Leaders to be your only source of intelligence on attackers

• Centralise your intelligence, coordinate your response

• Monitor your Operational Security for signs you are leaking information of your plans to your enemy.

If you want more help:

• Logically Secure: Testing/IR Support and Advice

• CyberCPR Development Team:• Drew John

• Ed Tredgett @edtredgett

• Mike Antcliffe @mantcliffe

• Steve Armstrong @nebulator

• Email: cybercpr@logicallysecure.com• Twitter: @cybercpr

• Want some more????

• 28 April (it's a Tuesday )

• http://44con.com