APT – Myths & Malware

Craig Searle BAE Systems Detica: APT – Myths & malware


DESCRIPTION

Craig Searle, Operations Director (Australasia), BAE Systems Detica delivered this presentation at the 2013 Corporate Cyber Security Summit. The event examined cyber threats to Australia’s private sector and focussed on solutions and counter cyber-attacks. For more information about the event, please visit the conference website http://www.informa.com.au/cybersecurityconference


Page 1: Craig Searle BAE Systems Detica: APT – Myths & malware

APT – Myths & Malware

Page 2

WHY WE’RE HERE

STRICTLY CONFIDENTIAL 2

LOTS OF HYSTERIA AROUND THE “APT THREAT”

HAS BECOME AN INTERNET BOOGEYMAN OF SORTS

SOMETIMES AN APT IS SIMPLY A HACKER TAKING ADVANTAGE OF YOUR POOR SECURITY PRACTICES

SOMETIMES AN APT IS SOMETHING MORE…

Page 3

AN APT BY ANY OTHER NAME?


Page 4

CYBERCRIME != CYBERWARFARE

•  Plenty of media coverage of the threat of Cyberwarfare
•  Very little actual Cyberwarfare going on, though
   –  Stuxnet in Iran
   –  Estonia… but not really
   –  Vitek Boden… Maroochydore
•  Despite that, Cyberwarfare is seen as a credible and present threat
   –  Akin to the ‘nuclear option’: a serious escalation in times of conflict
•  Where does that leave us?
   –  Cyber Activism (Hacktivism)
   –  Cybercrime
   –  Good old fashioned espionage, either corporate or state sponsored
   –  (Un)fortunately for us, the line between these three has become increasingly blurred


Page 5

Cyber-criminals: serving themselves
Cyber-activists: serving the cause
Cyber-espionage: serving the nation

Page 6

© BAE SYSTEMS DETICA 2013 6

Cyber-activists

Recent examples

Page 7


Cyber-activists

Recent examples

2011
   June – News reports of ‘Syrian Electronic Army’ harassing dissidents on Facebook, spamming anti-government pages
   September – Harvard.edu site hacked, defaced

2012
   January – Al-Jazeera blog hacked, defaced
   April – LinkedIn Blog hacked, defaced
   July – Twitter account of Al-Jazeera’s Stream programme hacked, messages posted criticising Al-Jazeera and The Guardian

2013
   March – Human Rights Watch site & Twitter account hacked. Multiple other Twitter accounts hacked, including BBC News and Deutsche Welle
   April – Associated Press Twitter account hacked; false reports of an attack on the White House cause the Dow Jones to temporarily crash. 11 Guardian Twitter accounts hacked
   May – The Onion hacked

Page 8


Cyber-espionage

State-of-the-nation

NYT hacked after publishing article entitled: “Billions in Hidden Riches for Family of Chinese Leader”

WSJ: “It's a plain-old crime, undertaken by a government that fancies itself the world's next superpower but acts like a giant thievery corporation.”

Page 9


Cyber-espionage

State-of-the-nation

The US goes on the offensive:

Chinese hacking crew go quiet:

Page 10


Cyber-espionage

State-of-the-nation

“Detica researchers have obtained a copy of malware that has all the hallmarks of being crafted by this espionage group.”

Recently compiled sample:

Targeting US defence related conference:

Consistent communication and cipher routine:

Page 11

A DAY IN THE LIFE OF AN APT

•  APT is a business
•  Like any business they have working hours, customers, suppliers, partners and a fully functioning supply chain
•  Business is good, really good!


Page 12

A PROFESSIONAL APPROACH

Page 13

PORTALS

Page 14

PORTAL STRUCTURE

Page 15

PORTAL MANAGEMENT

Page 16

ENABLING SERVICES

Page 17

MALWARE AND MAYHEM

::  Campaign dating back over 5 years
::  Targeted government ministries, embassies, and technology companies
::  Advanced code-base of over 100 distinct modules for stealing specific data
::  Cyrillic language settings, and Russian words in the code

Page 18

“EVERYBODY’S WORKING FOR THE WEEKEND”

Page 19

Cyber-war on Korean Peninsula?

Friday 15 March 2013 – Wednesday 20 March 2013

“The computer networks of three broadcasters - KBS, MBC and YTN - and two banks, Shinhan and Nonghyup, froze at around 2pm local time. Shinhan said its ATMs, payment terminals and mobile banking in the South were affected. TV broadcasts were not affected.”

Another Persistent Threat

Page 20

THE 4CORNERS EFFECT

Prevalence

“There are two types of CEO, those that know their systems are being hacked - and those that don’t”, Ian Livingstone, CEO of BT

“There are now three certainties in life - there's death, there's taxes and there's a foreign intelligence service on your system”, MI5 Head of Cyber

Characteristics

•  Asymmetric – much easier to attack than defend
•  Anonymous – easy to hide or deny
•  Global – can attack anyone from anywhere
•  Trans-jurisdictional – the location of an incident is not obvious
•  Large and complex – billions of people and webpages interacting
•  Dynamic – millions of bright people inventing new services or attacks

Page 21

THE 4CORNERS EFFECT

•  Increasing public accounts of industrial espionage using ‘cyber’ as an attack vector
•  APTs are exceedingly skillful at keeping a low profile
   –  Not apparent you have a problem until it is too late
•  Increasing attacks on the supply chain due to:
   –  Weaker links / softer targets than the end entity
   –  Ability to achieve deeper and wider penetration

Do any of your customers think that this is you? Which of your vendors/suppliers is this?

Page 22

ANOTHER WAY TO THINK OF APT

•  Consider APT to be a business, which they are
•  They have now evolved to become a hyper-aggressive competitor, always on the lookout to impinge upon your IP, your products/services and your brand
•  Now how would you counter that threat?
   –  Changes board focus; it has now become a business risk, not an IT risk
•  You might consider additional control of your crown jewels
•  You would likely also want better notification of what your competitor is doing and where your IP is appearing
•  Also need the ability to respond effectively and efficiently in the event of a breach


Page 23

ORGANISATIONAL IMPERATIVES

•  Whatever the business, there is always a need to adapt in order to grow and build value

New customers
New partners
Mobilising and globalising delivery
New IP and markets
More online services
More personal data being collected and stored
More connectivity between systems
More sensitive commercial information
More partners, customers and clients
More mobile and flexible working

…but the threats and possible impacts on business are continuously evolving…

Page 24

…but threats and impacts on business are constantly evolving…

Threats:
   External threats
   Malicious insiders
   Vulnerable partners

…and the attacks reported in the press are just the tip of the iceberg

Impacts:
   Financial loss
   Physical damage
   Business disruption
   Loss of competitive advantage
   Reputational damage
   Economic damage
   Endangering national security

Page 25

PLAN FOR RESILIENCE

Prepare – Understanding and managing risk and preparing for the risks we wish to mitigate

Protect – Protecting key information and systems from attack and reducing the impact of attacks

Monitor – Monitoring systems to detect and frustrate attackers

Respond – Managing the consequences of an attack to minimise its impact

Page 26

IN CLOSING

•  Hype
•  Know your enemy
•  A business problem
•  Plan for resilience


Page 27

QUESTIONS?