
Page 1: Apt sharing tisa protalk 2-2554

© 2011 S-Generation Co., Ltd.

Advanced Persistent Threats <APT>

By Chaiyakorn Apiwathanokul (ไชยกร อภิวัฒโนกุล), CISSP, CSSLP, GCFA, IRCA:ISMS, Chief Executive Officer, S-Generation Co., Ltd.

Page 2: Apt sharing tisa protalk 2-2554

1997 1999 2000 2004 2006 2011

• CSO ASEAN Award 2010 by Ministry of Information and Communications and Ministry of Public Security, Vietnam
• Honoree in the Senior Information Security Professional category for the 2010 Asia-Pacific Information Security Leadership Achievements (ISLA) by (ISC)2
• Security Sub-commission under Thailand Electronic Transaction Commission (ET Act B.E. 2544)
• Contribute to Thailand Cyber Crime Act B.E.2550
• Workgroup for CA service standard development
• Committee of national standard adoption of ISO27001/ISO27002
• Committee of Thailand Information Security Association (TISA)
• Committee of Cybersecurity workforce development, Division of Skill Development, Ministry of Labour
• Advisor to Department of Special Investigation (DSI)

Name: Chaiyakorn Apiwathanokul (ไชยกร อภิวัฒโนกุล)
Title: Chief Executive Officer
Company: S-GENERATION Company Limited; Asia Forensic Hub Company Limited
Certificates: CISSP, CSSLP, IRCA:ISMS (ISO27001), SANS:GCFA
Email: chaiyakorna@hotmail.com

Page 3: Apt sharing tisa protalk 2-2554


AGENDA

1. About APT

2. Night Dragon Attack

3. Other case study

4. Solutions Partnership

Page 4: Apt sharing tisa protalk 2-2554


New malware growth from Q1 2010 through Q1 2011

Page 5: Apt sharing tisa protalk 2-2554


Malware Growth

Nearly Twenty Million New Malware Threats in 2010

Page 6: Apt sharing tisa protalk 2-2554


Malware Development Toolkit

Page 7: Apt sharing tisa protalk 2-2554


About APT

APT = Advanced Persistent Threat

From the many case studies that have appeared in the news, whether Google, the Night Dragon attack, RSA or the Sony PlayStation Network, all of which were intruded and had critical data stolen, experts around the world have concluded that they arose from the same kind of operation, called an Advanced Persistent Threat or APT. Such operations are complex, use cutting-edge intrusion methods and are hard to detect, so it is necessary to learn and understand how the problem arises in order to select appropriate technologies and processes to help manage it.

Page 8: Apt sharing tisa protalk 2-2554


What is APT?

• Advanced
  – All possible available techniques (or new ones)
  – Coordinated
  – Both well-known and UNKNOWN (0-day) vulnerabilities
  – Multiple phases

• Persistent
  – Here to stay
  – Not by accident (targeted)
  – Specific mission
  – Polymorphic (for signature-based evasion)
  – Able to lie dormant

• Threat
  – Organized, funded and motivated
  – Dedicated "crews" with various missions
  – State-sponsored
  – Cyberwarfare

• Highly sophisticated
• Targeted
• Steal information

Page 9: Apt sharing tisa protalk 2-2554


APT is used for …

• Political objectives that include continuing to suppress its own population in the name of "stability."

• Economic objectives that rely on stealing intellectual property from victims. Such IP can be cloned and sold, studied and underbid in competitive dealings, or fused with local research to produce new products and services more cheaply than the victims.

• Technical objectives that further their ability to accomplish their mission. These include gaining access to source code for further exploit development, or learning how defenses work in order to better evade or disrupt them. Most worrying is the thought that intruders could make changes to improve their position and weaken the victim.

• Military objectives that include identifying weaknesses that allow inferior military forces to defeat superior military forces. The Report on Chinese Government Sponsored Cyber Activities addresses issues like these.

Page 10: Apt sharing tisa protalk 2-2554


Some Characteristic of APT

• Named in 2008 by US Air Force

• Adopted as security jargon when Google described the attack in 2009

• Advanced
  – Coordinated
  – Multi-phase

• High expertise/knowledge/skill in each phase, unlikely to be found in one single individual

• Highly crafted for specific target organization or individual

• Period of operation in weeks, months or years

• Not easy to detect

Page 11: Apt sharing tisa protalk 2-2554


Some Characteristic of APT

• Phases of the operation
  – Target selection
  – Vulnerability identification
  – Domain contamination
  – Information ex-filtration
  – Intelligence analysis
  – Exploitation

Page 12: Apt sharing tisa protalk 2-2554


Some Characteristic of APT

• Expert advice: Defense-in-Depth
  – Multiple layers of protection
  – Multiple compartments

Page 13: Apt sharing tisa protalk 2-2554


Some facts about APT

Because APT malware is so difficult to detect, simple malware signatures such as MD5 hashes, filenames, and traditional anti-virus methods usually yield a low rate of true positives.

Page 14: Apt sharing tisa protalk 2-2554


Big Challenges in APT are…

• Detection

• Analysis

• Containment

Page 15: Apt sharing tisa protalk 2-2554


Things to Consider for Resolution

• Educate users who have access to the infrastructure and critical information
• Evaluate network security posture
• Work with experts in case of an incident or suspicious activity
• Automated situational awareness tools
• Rapid deployment of countermeasures
• Focus more on detective measures
• Focus more on what is leaving your network (ex-filtration)
• White-list your environment
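The two recommendations above that translate most directly into a detection check, watching what leaves the network and allow-listing known-good destinations, as an added example that is not part of the original slides. The flow-record format, the allow-list ranges (RFC 5737 documentation space) and the 50 MiB threshold are assumptions; the flow records are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed allow-list of destinations the business already knows about
# (update servers, partner APIs, ...). Hypothetical values.
ALLOWED_DESTS = [ip_network("203.0.113.0/24")]
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
BYTES_OUT_THRESHOLD = 50 * 1024 * 1024  # 50 MiB per host per destination (tunable)

def is_internal(ip):
    return any(ip_address(ip) in n for n in INTERNAL)

def is_allowed(ip):
    return any(ip_address(ip) in n for n in ALLOWED_DESTS)

def parse_flow(line):
    # Constructed record format: "<src_ip> <dst_ip> <dst_port> <bytes_out>"
    src, dst, port, nbytes = line.split()
    return src, dst, int(port), int(nbytes)

def find_suspicious_egress(lines, threshold=BYTES_OUT_THRESHOLD):
    """Return {src_host: {dst: bytes}} for internal hosts that pushed more
    than `threshold` bytes to a destination outside the allow-list."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        src, dst, _port, nbytes = parse_flow(line)
        if not is_internal(src) or is_internal(dst) or is_allowed(dst):
            continue  # internal traffic or known-good destination: not egress of interest
        totals[src][dst] += nbytes  # aggregate, so many small transfers still add up
    return {src: {dst: b for dst, b in dsts.items() if b > threshold}
            for src, dsts in totals.items()
            if any(b > threshold for b in dsts.values())}

SAMPLE_FLOWS = [  # constructed sample records
    "10.1.2.3 203.0.113.10 443 1200000",     # allow-listed destination
    "10.1.2.3 198.51.100.7 443 40000000",    # unknown destination, under threshold alone
    "10.1.2.3 198.51.100.7 443 30000000",    # same destination, total now over 50 MiB
    "10.1.2.9 192.168.5.5 445 900000000",    # internal file share, ignored
    "10.1.2.9 198.51.100.8 22 5000000",      # unknown destination, small
]

if __name__ == "__main__":
    for host, dsts in find_suspicious_egress(SAMPLE_FLOWS).items():
        for dst, nbytes in dsts.items():
            print(f"ALERT {host} -> {dst}: {nbytes} bytes to a destination outside the allow-list")
```

Aggregating per host and destination is the point: a single 40 MB transfer would pass a per-flow threshold, while the running total does not.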

Page 16: Apt sharing tisa protalk 2-2554


Case Studies

• Night Dragon
• Ghost Net (Electronic Spy Network Focused on Dalai Lama and Embassy Computers)
• Aurora (China vs. Google)
• NASDAQ
• RSA
• Stuxnet
• Sony PlayStation Network (PSN)

Page 17: Apt sharing tisa protalk 2-2554


Night Dragon Attack

"Night Dragon" attacks from China strike energy companies

• Exxon Mobil, Royal Dutch Shell and BP were among the oil companies targeted
• The intrusions targeted intellectual property and have been going on for as long as 2-4 years
• The oil, gas and petrochemical companies targeted were hit with technical attacks on their public-facing Web sites
• The activity took place during 9am-5pm Beijing local time

Page 18: Apt sharing tisa protalk 2-2554


Page 19: Apt sharing tisa protalk 2-2554


Operation Aurora

• China vs. Google

• politically motivated attacks against Gmail from China

• Censorship

• Government Eavesdropping/Privacy

• Backdoor

• zero-day flaw in Internet Explorer

Page 20: Apt sharing tisa protalk 2-2554


Spear-Phishing

Page 21: Apt sharing tisa protalk 2-2554


STUXNET

• Discovered late June 2010

• A computer worm that infects Windows computers

• It primarily spreads via USB sticks, which allows it to get into computers and networks not normally connected to the Internet

• Uses both known, already-patched vulnerabilities and four "zero-day exploits"

• Targets Siemens PLCs

• Reads and changes particular bits of data in the PLCs

• It is claimed to have targeted an Iranian power plant

Page 22: Apt sharing tisa protalk 2-2554


What happened with Sony PlayStation …

Page 23: Apt sharing tisa protalk 2-2554


RSA's SecurID Security Breach!

RSA has not yet divulged specifics about the APT attack of which it has found evidence and says it's now interacting with customers of its SecurID product on the situation. But security analysts are also quickly trying to size up the situation, advising their clientele who are RSA customers about a stance they might take.

Source: http://www.pcworld.com/businesscenter/article/222554/rsas_securid_security_breach_what_should_you_do.html#tk.mod_rel

Page 24: Apt sharing tisa protalk 2-2554


RSA's SecurID Security Breach!

Microsoft Excel was used to distribute a malicious SWF file ("2011 Recruitment plan.xls") via email to specific users at RSA (and perhaps other specific targets as well, an approach known as "spear phishing"). The malicious SWF file installs a customized variant of the Poison Ivy remote administration tool (RAT) on the compromised machine. (Using a customized variant makes signature-based malware detection of the RAT ineffective; see FireEye's malware analysis of a.exe.) Using the RAT, users' credentials are harvested and used to access other machines within the RSA network. Those machines are searched, and sensitive information is copied and transferred to external servers.

Page 25: Apt sharing tisa protalk 2-2554


RSA Breached

• 2011 Recruitment plan.xls with malicious .swf file embedded

• spear phishing

• Customized variant Poison Ivy remote administration tool (RAT)

• March 14, 2011 - Adobe issues security advisory and patch schedule, warning of a vulnerability (APSA11-01, CVE-2011-0609, SecurityFocus BID 46860)

• March 16, 2011 - Microsoft adds Exploit:SWF/CVE-2011-0609 detection for malicious SWF file.

• March 17, 2011 - RSA warns SecurID customers after company is hacked, offers guidance.
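A triage heuristic for the delivery vehicle described on the last two slides, a legacy Office (OLE2) workbook carrying an embedded Flash (SWF) object, as an added example that is neither RSA's nor FireEye's code. The OLE2 and SWF magic bytes and the SWF header layout (3-byte signature, version byte, little-endian uncompressed length) are the real format constants; the version range, the "declared length at least 8 bytes" sanity check and the sample bytes are constructed assumptions.

```python
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # compound document (legacy .xls/.doc) header
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")              # uncompressed, zlib and LZMA SWF signatures

def is_ole(data: bytes) -> bool:
    return data.startswith(OLE_MAGIC)

def find_swf_offsets(data: bytes):
    """Return offsets of plausible SWF headers inside `data`: signature, a
    version byte in an assumed sane range, and a declared length >= 8."""
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while (i := data.find(magic, start)) != -1:
            if i + 8 <= len(data):
                version = data[i + 3]
                length = struct.unpack_from("<I", data, i + 4)[0]
                if 1 <= version <= 60 and length >= 8:   # assumed filter against text hits
                    hits.append(i)
            start = i + 1
    return sorted(hits)

def triage(data: bytes) -> dict:
    """Flag an OLE document that embeds SWF: the combination the RSA lure used."""
    offsets = find_swf_offsets(data)
    return {"ole": is_ole(data), "swf_offsets": offsets,
            "suspicious": is_ole(data) and bool(offsets)}

# Constructed stand-in for the lure: OLE header, padding to the first 512-byte
# sector, then a fake SWF header (CWS, version 10, declared length 0x400).
FAKE_XLS = OLE_MAGIC + b"\x00" * 504 + b"CWS\x0a" + struct.pack("<I", 0x400) + b"\x00" * 64
# Constructed benign workbook: "CWS" appears only as cell text, followed by 'X'.
CLEAN_XLS = OLE_MAGIC + b"\x00" * 504 + b"some cell text CWSX" + b"\x00" * 64

if __name__ == "__main__":
    print(triage(FAKE_XLS))
    print(triage(CLEAN_XLS))
```

The byte scan only sees SWF headers stored contiguously and uncompressed inside the container; for production triage, parse the OLE streams properly (tools such as oletools do this) and treat a hit as a reason to detonate, not as proof of malice.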

Page 26: Apt sharing tisa protalk 2-2554


Many Other Cases

• Night Dragon

• Ghost Net (Electronic Spy Network Focused on Dalai Lama and Embassy Computers)

• Aurora (China vs. Google)

• NASDAQ

• RSA

• Stuxnet

• Sony Play Station Network (PSN)

Page 27: Apt sharing tisa protalk 2-2554


About S-Generation

"The Trusted Partner … to Conquer Advanced Digital Threats"

• Cybersecurity Solutions Distribution in Thailand and ASEAN

• Advanced Persistent Threats Solution

• Mobile Security Solution

• Application Security Solution

• Information Security Consultancy

• Incident Response, Recovery & Investigation

• Industrial Control System Security (SCADA/DCS/BAS/Embedded)

Page 28: Apt sharing tisa protalk 2-2554


About S-Generation

Page 29: Apt sharing tisa protalk 2-2554


Welcome to

S-Generation Channel on YouTube

http://www.youtube.com/user/SGenerationChannel

Page 30: Apt sharing tisa protalk 2-2554


About AFH

Product

Professional Service

• Planning session (Plan of Action)
• On-Site Support
• Document & File Discovery
• Preservation of Evidence
• Data Recovery & Analysis
• Expert Reporting
• Post-investigation Reports with Recommendations
• Digital Media Sanitization

Page 31: Apt sharing tisa protalk 2-2554


Thank You