International Cooperative: APT Hunting

Page 1: International Cooperative: APT Hunting

Page 2

Andre Ludwig
Current: CTO - Global Cyber Alliance
Past: CEO - Honeynet Project
Sr Technical Director - Novetta
Principal Security Engineer - DARPA

Page 3

Zachary Hanif
Current: Head of Security Data Machine Learning - Capital One
Past: Director of Applied Data Science - Novetta (Holmes-Totem)
Principal Data Scientist - Endgame (BinaryPig)

Page 4

So you want to hunt APTs?

Page 5

01 What is an “APT”?

What does APT stand for?
A basic history of the term
How has this term evolved over time?

Page 6

Where did the term come from?

Advanced Persistent Threats: originated from a term created by Colonel Greg Rattray (USAF) in 2006 to describe a certain “class” of threat actor that the USAF was dealing with.

Page 7

What is the official definition?

“An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltration of information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.” – National Institute of Standards and Technology

Page 8

How people (mis)use the term

Catch-all phrase for any attacker or group of attackers who demonstrate persistence and/or sophistication in their attempts to gain unauthorized access to computers/networks/data.

AKA

CHINA/RUSSIA/US/UK/HackTeam/FinFisher/anyone who ever used Metasploit

Page 9

Resultant Confusion

● APT tends to get thrown around a great deal (THANKS MARKETING DEPT!)
● Too often, it becomes a byword for “state sponsored” or “technically sophisticated” malware
  ○ This is not nuanced, and can misrepresent reality
  ○ Many professionals dislike the term as a result
● In general, the actor is the differentiating factor, not the malware itself
  ○ Technical sophistication is not the sole meaning of “Advanced” in APT

Page 10

02 The reality of APTs

Introduction to the intelligence process
Realities of APTs

Page 13

Realities of APTs

● Nation states are typically APTs, but not all APTs are nation states.
● Multistage, long-term attacks, focused on their strategic objectives
● Not necessarily deep technical sophistication throughout the tool chain
● Attack vectors and persistence strategies range widely, even into the physical realm
● Attacker probability of success approaches 1 over time (sooner or later, they’ll achieve their goals)
  ○ These are players on the world stage at the end of the day
  ○ This is their full-time job, and there is a large support structure around most operations

Page 14

03 Interacting with APTs

Good guy motivations
Cautionary tales
Knowing when to stop (or continue)
Appropriate responses

Page 15

Good guys’ motivations

● Defense of an organization, network, customer base, etc.
● Public participation in an effort / PR and marketing
  ○ Potential sales by being seen as “experts”
  ○ Personal/organizational fame
● General “internet cleanliness”
● Political motivations
  ○ The support of or opposition to an actor or victim
  ○ This can be seen in the candidate selection process and reporting style
● Desire to have an impact against “the bad guys”

Page 16

World Stage

● Ok, so you’ve muscled onto the stage of geopolitics... now what?
  ○ It’s very unlikely that you are prepared to tango here
● Interacting with an APT is a very delicate thing, with many concerns
  ○ Public attribution?
    ■ What are the goals?
  ○ What kind of escalation may occur?
    ■ Against individuals, organizations, our home countries, etc.?
    ■ rm -rf / (aka the Sony attacks)
    ■ DDoS attacks?!?
    ■ Non-cyber escalations?
    ■ Or do they just re-tool and do the same old stuff?
● Think how an organized group would react to their prized tool being removed from their toolset: what’s the next best tool?

Page 17

World Stage pt2

● Ok, let’s say it IS a nation-state behind things
● Maybe they retaliate?
  ○ PII leaks against people or organizations?
  ○ Blackmail?
  ○ Kinetic retaliation?
● Potential diplomatic issues?
  ○ Official statements made by national representatives
  ○ Complicating ongoing official investigations
    ■ Intel gain/loss concerns
● Potential personal security issues?
  ○ Increased interest by international LE/intel agencies?
● Economic impacts on participating organizations
  ○ Sanctions, “lost paperwork”, other economic punishment

Page 18

04 The Generic Process of Interdiction

Target selection
Setting of strategic goals
Discovery process
Knowledge creation
Planning of actions
Impact assessment
Dealing with follow-up responses

Page 19

Target Selection

● Infection populations
  ○ Analysis of overall infections from telemetry of partners
● Overall threat and harm
  ○ What does the threat do, how, why, etc.
● Random selection
  ○ No really, just randomly select from a list
  ○ Darts are also good
● Based on the industry the threat targets
  ○ Sector-based threats (retail banking, energy sector, etc.)
● Some “basic” analysis is being done at this step already
  ○ Type of threat
  ○ Type of victims
  ○ Potential impact of mitigating the threat

Page 20

Setting of Strategic Goals

● What does the end result look like?
  ○ Slowing the actor’s progress?
  ○ Bringing the actor’s actions to the general public’s knowledge?
  ○ Stopping the actor entirely (rarely, if ever)
● Participants
  ○ Multi-organizational effort?
  ○ Inclusion of law enforcement?
  ○ Inclusion of the national security apparatus?
● What level of reporting should be done?
  ○ Full exhaustive reporting or something lighter?
  ○ Should you only publish signatures (AV/IDS)?
● Analysis and understanding of the threat should be pushed forward by this step as well

Page 21

Discovery Process

● Sample discovery through open sources
  ○ Trawling of private industry sources
  ○ VirusTotal
● Sample collection from private sources
  ○ Sample trading
  ○ Group/partner contributions
● Infrastructure mapping
  ○ Domain name analysis (passive DNS)
  ○ Port scanning
  ○ Whois analysis
● Identifying what other parties you’re likely conflicting with
  ○ Or, as in Blockbuster, who might conflict with you

Page 22

Knowledge Creation

● Capturing background data
  ○ Previous reporting
  ○ Daily news (geopolitical issues/conflicts/tensions)
● Dynamic malware analysis
  ○ Generates limited data quickly!
  ○ Can aid in “basic” clustering of malware families
● Reverse engineering output
  ○ Capture and instrumentation of the reverse engineering process
  ○ Only real way to cluster families with strong confidence
● Potentially related attacks by the actor
  ○ Previous reporting
  ○ Previous misreporting
● TTP mapping and signature generation
  ○ You can find a large repository of good resources on past APTs here

Page 23

Planning of Actions

● Level of involvement with ecosystem maintainers and owners
● Strategy for marketing and publication
● Strategy for group management and coordinated release
● Deconfliction with other organizations which may be independently pursuing the actor
● Timelines for public reporting, and which components of the research are to be released
  ○ Written agreements and NDAs
  ○ Continual group communication
● Definition of operational security measures
  ○ Encrypted email and other digital communications
  ○ Discussion only with small, known groups

Page 24

Impact Assessment

● Important to know if your efforts had any meaningful effect, or were just hot air
  ○ Measurement is hard, and is always a cooperative process
● Telemetry gathering and analysis
  ○ Partners are likely the best mechanism for gathering this data
  ○ Victims are often incentivized not to report additional problems
● Long-term information gathering
  ○ Monitoring for TTPs or other indicators of infrastructure reuse
  ○ This can include wide-spectrum scanning for some threat infrastructure
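The Knowledge Creation slide mentions “basic” clustering of malware families from dynamic analysis output, and the Impact Assessment slide mentions monitoring for indicators of infrastructure reuse. The block below is an added example, not code from the talk and not part of Novetta’s Holmes-Totem or Skald tooling, showing one minimal way to do both over sandbox reports: samples are joined into families by Jaccard overlap of their observed indicators (single linkage via union-find), and an index of C2 domains and IPs shared across samples flags infrastructure that survives a retool. Every sample id, domain, IP, mutex and file name is constructed for the example, and the 0.5 threshold is an arbitrary assumption to be tuned against known families.

```python
"""Behaviour-based clustering of sandbox reports plus an infrastructure-reuse
index.  Added example with constructed data; all indicators are invented."""
from itertools import combinations

# Constructed sandbox output: sample id -> set of indicators observed when the
# sample ran.  The prefix marks the indicator type (domain, IP, mutex, file).
REPORTS = {
    "sample-a": {"dom:update-cdn.example", "ip:203.0.113.10",
                 "mutex:Global\\x9k2", "file:svchost32.exe"},
    "sample-b": {"dom:update-cdn.example", "ip:203.0.113.10",
                 "mutex:Global\\x9k2", "file:wuauclt2.exe"},
    "sample-c": {"dom:cdn-update.example", "ip:203.0.113.10",
                 "mutex:Global\\x9k2", "file:svchost32.exe"},
    "sample-d": {"dom:mail.invalid", "ip:198.51.100.7",
                 "mutex:Global\\q1z", "file:notepad.exe"},
    "sample-e": {"dom:mail.invalid", "ip:198.51.100.7",
                 "mutex:Global\\q1z", "file:calc.exe"},
    "sample-f": {"dom:stats.example.net", "ip:192.0.2.44",
                 "mutex:Global\\zzz", "file:a.exe"},
}

INFRA_KINDS = ("ip:", "dom:")  # indicator types that count as infrastructure


def jaccard(a, b):
    """|a & b| / |a | b|; 0.0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def cluster(reports, threshold=0.5):
    """Single-linkage clustering: two samples whose indicator sets overlap by at
    least `threshold` (Jaccard) are joined; joins are transitive.  Returns a
    deterministic list of sorted sample-id lists."""
    parent = {s: s for s in reports}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps the tree flat
            x = parent[x]
        return x

    for s1, s2 in combinations(reports, 2):
        if jaccard(reports[s1], reports[s2]) >= threshold:
            parent[find(s1)] = find(s2)

    groups = {}
    for s in reports:
        groups.setdefault(find(s), []).append(s)
    return sorted(sorted(g) for g in groups.values())


def reuse_index(reports, kinds=INFRA_KINDS):
    """Infrastructure indicator -> sorted samples that touched it, keeping only
    indicators seen in more than one sample.  A C2 IP shared across samples
    whose domains differ is the kind of reuse worth watching for."""
    index = {}
    for sample, indicators in reports.items():
        for ind in indicators:
            if ind.startswith(kinds):
                index.setdefault(ind, []).append(sample)
    return {k: sorted(v) for k, v in index.items() if len(v) > 1}


def reuse_hits(known_reports, new_indicators, kinds=INFRA_KINDS):
    """Monitoring step: which infrastructure indicators of a newly seen sample
    were already observed in the known corpus, and in which samples."""
    hits = {}
    for sample, indicators in known_reports.items():
        for ind in indicators & new_indicators:
            if ind.startswith(kinds):
                hits.setdefault(ind, []).append(sample)
    return {k: sorted(v) for k, v in hits.items()}


if __name__ == "__main__":
    for group in cluster(REPORTS):
        print("cluster:", group)
    for ind, samples in sorted(reuse_index(REPORTS).items()):
        print("shared infrastructure:", ind, samples)
    # A constructed "post-retool" sample: new domain and mutex, same C2 IP.
    fresh = {"ip:203.0.113.10", "dom:fresh.example", "mutex:Global\\new"}
    print("reuse in new sample:", reuse_hits(REPORTS, fresh))
```

With the constructed data the samples fall into three families at threshold 0.5 (a/b/c, d/e, f alone), and the reuse index shows the IP 203.0.113.10 shared by all three samples of the first family even though sample-c uses a different domain; the “fresh” sample is tied back to that family by the IP alone. Single linkage will chain unrelated families together through commodity indicators (a public resolver, a common system file name, a sandbox artifact), so such indicators should be removed from the reports before clustering, and the threshold should be checked against families already confirmed by reverse engineering.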

Page 25

Follow Up

● Most actors will not go away after a single operation
  ○ Or, for that matter, any number of operations
  ○ A renewed compromise attempt can actually be an indicator of success
  ○ This reinfection can be across a vertical (other, similar orgs)
● Anti-APT efforts are a continual struggle: just like us, these actors make their living through this activity
● Likely, even if the actors abandon their efforts, the infection will not be cleaned worldwide, and multiple stages of signatures, etc. will need to be pushed
● In some situations, you might never know exactly how effective your efforts were, for good and bad

Page 26

05 Prior Takedowns

Storm
Conficker
Waledac
Operation SMN
Operation Blockbuster

Page 27

Storm Botnet

● First real P2P botnet
  ○ Focused on spam
  ○ Heavily monetized
● Several parallel researchers were “messing with the botnet”
  ○ P2P poisoning, C2 takeovers, etc.
● Microsoft and other large vendors pushed “detections”
  ○ MS pushed an MSRT update
  ○ Honeynet pushed out the Stormfucker tool
● Actors behind the botnet started to slice it up and sell it off
● New version appears: Stormbot 2
● Authors may have moved on to other things?!?

Page 28

Conficker

● Started as a worm exploiting MS08-067
  ○ Spread at an alarming rate
  ○ Multiple infection vectors
● Multiple generations of malware (three major versions)
● Very suspicious functionality (Ukrainian keyboard detection)

Page 29

Waledac/Kelihos

● Operation b49 by Microsoft, 2010
  ○ Via legal action MS took control of 276 C2 domains used by the bot
● Attempt by Dell SecureWorks/Kaspersky/Honeynet to take down Kelihos.B in 2012
  ○ Worked for a short time; within weeks the actors introduced a new version, Kelihos.C, with new protocols
● 2013: Kelihos.C live takedown on stage at the RSA Conference by Tillmann Werner
● Different malware families have been installed by the various versions over the years
● Effects:
  ○ Multiple generations of botnet (the authors really liked to make $$)

Page 30

Operation SMN

● Discovery
  ○ Brought to our attention by our customers
  ○ They discovered malware on their networks, and wanted to investigate
● Actor
  ○ Highly coordinated group of actors
  ○ Appeared to have a multi-stage victim funnel
  ○ Primarily engaged in information theft
● Techniques/TTPs (report)
  ○ Initial method of infection varied (phishing, watering hole attacks)
  ○ Heavy use of compromised/misappropriated infrastructure
  ○ Later stages were very “smash and grab” oriented

Page 31

Operation SMN

● Resultant tooling and lessons
  ○ Interdiction group coordination (rosetta stone, announcements)
  ○ Coordinated press releases are hard
  ○ Large-scale infrastructure scanning and collection
  ○ Static analysis and machine learning (Skald/Holmes-Totem)
    ■ Large sample sets are hard for everyone to work with
    ■ Became a large open source project, in partnership with TUM and GSoC (hi George, Christian, Marcel, Max)
● Nine public industry partners involved
  ○ First coordinated industry effort against an APT group
● Purpose was to expose and clean the entire toolset used by the threat actor
  ○ Coordinated high-quality signature release across partners
  ○ Shared those signatures on “publication” date with 155 other security vendors across the globe

Page 32

Operation SMN

● Led to follow-up reporting
  ○ Bad guys shifted, found new tools at the last minute
  ○ This is a good thing: it forced the retooling we were looking for
● Effects:
  ○ Public FBI assertion that the attacks originated from China
  ○ Decrease in attacks attributed to this group
  ○ Reduction/disappearance of some of the specialized tools from use

Page 33

Operation Blockbuster

● Discovery
  ○ Very public announcement of the hack by the attackers
  ○ We got involved after becoming frustrated with follow-on reporting
● Actor
  ○ Strong operational capabilities, issues with technical implementation
● Techniques/TTPs
  ○ Extremely detailed internal knowledge of the target
● Resultant tooling and lessons
  ○ Machine learning based triage system
  ○ Function/malware clustering algorithm
  ○ Big takeaway: a small team can have a huge effect on keeping the Internet safe

Page 34

Operation Blockbuster

● Coordinated AV push
  ○ Kaspersky, AlienVault, Symantec, TrendMicro, netrisk.io, other private and public participants
● Large-scale distribution of in-depth RE/technical info to industry
  ○ Main resources page
● Public reporting of TTPs
  ○ Securelist blog announcement
● Effects
  ○ Thousands of infections detected and cleaned (that we know of)
  ○ SWIFT banking attacks attributed to Lazarus Group ($951 million attempted, $81 million stolen)
  ○ Continued interest and a larger working base of knowledge in industry

Page 35

06 Future of Interdictions

GCA Takedown Task Force
Following the changing threat landscape

Page 36

GCA Takedown Task Force

● Global Cyber Alliance is a US/UK-based not-for-profit organization
  ○ Funded by the District Attorney of New York and the City of London Police
● GCA would act as a middleman to coordinate, help plan, and manage operations for industry partners
  ○ Partners would sponsor/suggest threats to pursue
  ○ GCA would help build reasonable coalitions
  ○ GCA would aid in management and planning
● A goal is to drive continued and sustained efforts to coordinate across industries and build lasting coalitions to address malware-based risks

Page 37

Following the Changing Landscape

● As technology evolves and new attack surfaces appear, the good guys will have to follow into those realms and defend them
  ○ Internet of Things
  ○ Mobile/wireless networks
● This really ends up being a lot of education work aimed at new industries where security may not be “built in”
● We have to try and project beyond what a “bad guy” can do so we can strategically build technology, relationships, and processes to address future issues

Page 38

Key Points

Four key points for thinking about the future

This is not just a technical problem
In order to coordinate and build long-lasting partnerships you must master the art of relationship building and understand each stakeholder's needs and motivations.

APT is differentiated by humans, not code
While APT actors will display sophisticated technical skills, the ultimate differentiator is their operational capabilities and coordination.

Anyone can start an interdiction effort
All it takes is some technical skills, a lot of motivation, and the ability to communicate and build relationships to execute an interdiction.

The landscape is changing rapidly
The last 10 years have seen massive changes in threat actor sophistication and motivation. This evolutionary process shows no signs of slowing down.

Page 39

THANK YOU!

Andre Ludwig - [email protected] (id: 2238C189)
Zachary Hanif - [email protected]