The Evolution of Advanced Persistent Threats: The Current Risks & Mitigation Strategies

Page 1: The Evolution of Advanced Persistent Threats_The Current Risks and Mitigation Strategies

The Evolution of Advanced Persistent Threats: The Current Risks & Mitigation Strategies

Sponsored by

Page 2

Webcast Logistics

• Enable pop-ups within your browser

• Turn on your system’s sound to hear the streaming presentation

• Questions? Submit them to the presenters at anytime on the console

• Technical problems? Click "Help" or submit a question for assistance

Optimize your experience today

Page 3

Featured Presenters

Our knowledgeable speakers today are:

Tom Parker, Chief Technology Officer and VP Security Services, FusionX

Paul Zimski, Vice President Solution Marketing, Lumension

Page 4

Tom Parker - CTO

Page 5

About the Presenter

• Tom Parker: CTO & VP Security Services

– Dark Reading: Advanced Threats SME/Blogger

– Over Fifteen Years Securing Multi-National Corporations and Government Institutions

– Author of multiple publications on Information Security and Cyber Actor Profiling

– Regular speaker at industry events including Blackhat Briefings and SANS Conferences

3/28/2013 5

Page 6

Threat-Scape Today

• 2012 estimated: $338B cost to Global Economy

• US “Hemorrhaging” Intellectual Property

• Online Hacktivism has made significant comeback

• Generally poor understanding of web based vulnerabilities and threats

• Dynamic threat intent ranges from organized crime monetization to national strategic objectives

Page 7

Threat Time Line

• 2000: I Love U

• 2001: EP3 Spy Plane

• 2001: Code Red

• 2003: SQL Slammer

• 2004: MyDoom

• 2005: Zotob

• 2008: Conficker

• 2009: Operation Aurora (Discovered)

• 2010: Stuxnet (Discovered)

• 2010: Comment Crew Attacks

• 2011: DuQu (Discovered)

• 2011: Operation Shady Rat (Discovered)

• 2012: Flame (Discovered)

• 2013: Comment Crew Report (Disclosed)

Page 8

Change in Technical Focus

• 1990’s: Network Based Attacks

• 2001 (Code Red)

• 2003 (Slammer)

• 2009 (Aurora)

• 2011 (Shady Rat)

• 2012: Client Based Attacks

Page 9

Attackers Response to Defense

• Broad use of firewall products

– Focus on ‘hard outer shell’

• Microsoft focus on securing network services

• Implementation of DEP/ASLR for Services

• Lower Service Profile in Default Configurations

– Resulting in less network attack surface

• Authentication of MSRPC Services

– And disabling of guest/default accounts

Page 10

APT Who?

• Originated from US Air Force (circa 2006)

• Originally Intended for use regarding China

• Public recognition in 2009 (Google/Aurora)

• Loss of clear meaning due to marketing use

Page 11

Dissecting APT Today

• Advanced:

– Utilizes ‘above average’ TTP’s

– Not necessarily just technically advanced

• Persistent:

– Not a smash and grab effort

• Threat

– Attempts to coerce technology/users

Page 13

Challenges Understanding Advanced Threats

• ‘Advanced’ is Subjective

– Typically contingent on one’s experiences

– And knowledge of the threat-spectrum

• Sophistication Isn’t always a 1 or 0

– Sophisticated attack preparation

– Target intelligence

– Target coercion

• Pesky Acronyms & Commercialization of Name Space

– Clouds understanding of already murky waters

Page 14

Defining ‘Advanced’

• Sophistication (‘advanced-ness’) is not a 1 or a 0

– Shades of grey

• Different attributes of threat differ in sophistication

– Attack preparation

– Initial entry vector

– Exfiltration method

– Persistence technologies

Page 15

It’s good to be SPECIFIC

• This is a complex subject area

• Generalizations, acronyms etc. counterproductive

• Beware of silver-bullet marketing

Page 16

Threat Spectrum: Tactical Cyber Threats

• Surgical By Nature

• Highly Specific Targeting

• Technologically Sophisticated

• High Cost Development

• Repeatability Less Significant

Page 17

Threat Spectrum: Strategic Cyber Threats

• Highly Repeatable

• General Targeting:

– Broad Industry (Energy, Defense etc.)

– Groups of Individuals (Politicians, Executives)

• Must Have Long-Term Staying Power

• Less Sophisticated in Comparison

• Low Cost to Develop & Maintain

Page 18

Threat Spectrum Today

• Espionage

– Highly Strategic

– Industrial Attacks

– Government (and DIB) Targets

• Organized Crime

– Strategic

– Financially motivated

– Civilian & Private Organization targets

Page 19

Strategic: Espionage

• Highly Strategic

• Industrial Attacks

– Gas & Oil

– Manufacturing

• Government (and DIB) Targets

– Defense Contractors

– Research Organizations

– Political & Other High Ranking Figures

• Examples: Shady Rat, Aurora, Night Dragon

Page 20

Strategic: Organized Crime

• Strategic

• Financially motivated

• Civilian & Private Organization targets

• Who:

– Eastern European Crime Rings

– US/Domestic Crime Groups

– Mexican Cartels

Page 21

Tactical: Subversive Operations

• Tactical

– Typically augmenting other activities (e.g. military)

• Motivations vary, often force multiplier

• Examples: Estonia, Georgia, Stuxnet

• Who? Well funded private entities & governments

– US, UK, Israel, Germany, France + ???

Page 22

Strategic: Socio-Political Attacks

• Strategic:

– Often intended to elevate awareness of a topic

• Relatively Unsophisticated

– Currently favoring lower-hanging fruit via:

• SQL Injection, [D]DoS, etc

• Examples:

– Anonymous, Radical Muslim Groups, Others..

Page 23

Threat Scape Summary

• Critical not to generalize the threat

• No two adversaries are identical

– Motivation

– Capabilities

Page 25

Adversaries Under the Microscope

• Organized Crime

– Fairly well understood today

• Monetization Methods

• Enterprise organizational structures – Bot herders, skimmers, cash-outs, vuln acquisition

• Linkage back to conventional crime rings

• And links to state’s & radical groups

• Espionage much less well understood

Page 26

The C-word

• Many companies/countries reluctant to call out the C-Word

– Largely due to operations/relationships at stake

• Large sums of credible evidence in public domain implicating Chinese Adversaries

• Little public diplomatic activity between US/China

• China Economic and Security Review Commission (USCC): “Techniques appear consistent with authoritative Chinese military writings”

• Chinese Foreign Ministry spokesperson: “This report is untrue and has ulterior motives. It's not worth a comment”

• Attacks attributed to Chinese Actors

– State level participation not publicly proven

Page 27

Chinese Intelligence Doctrine

• More is better!

– Large sums of data gathered

– Significance of data unrealized

– Future analytical efforts realize use of stolen data

• Strategy:

– Fifty Year Plan – not eight years

Page 28

Chinese Hacker Communities

• High Degree of Safety Behind the Monitor

• Cultural Prioritization:

1. Country

2. Self

3. Employer

• Extremely active research community

– Forums, code sharing, IRC, etc

Page 29

Finding a smoking gun

• Not easy

• ROI is not immediate

– May be tomorrow – could be in fifty years

• Some real-world impacts do exist

– Such as M&A activity leveraging stolen data

Page 30

Adversary Success Factors

• Organizations Forgetting the Basics

– Poor network segmentation

– Excessive account privileges

– Third party software patching

– Poor asset management practices

– Insecure or non-existent system baselines

– Insecure remote access solutions (end points)

– Over reliance on silver bullet solutions

Page 31

Direction of the Threat

• If it isn’t broken...

• TTP’s aren't static; however

– overall approach remains

• Status quo will remain until defensive posture changes

– This process will likely take years

• Offense is generally easier than defense

– Adversary can adapt more quickly than today’s technology

Page 32

Once we do adapt

• Lots left in the funded adversaries’ tool chest:

– Supply chain influences

– Insider placement

– Resurgence of network based attacks

• Particularly against cloud providers

– Targeting of more obscure technologies

Page 33

Disrupting APTs at the Endpoint

Page 34

What is the APT “Kill Chain”?

As defined by security researchers at global defense company Lockheed Martin Corp., the "kill chain" of APTs is a methodology comprised of seven links (or steps):

1. Reconnaissance—Identify targets.

2. Weaponization—Create customized malware payload.

3. Delivery—Transmit the payload, typically through an email attachment, website or USB drive.

4. Exploitation—Trigger payload, usually via a vulnerability.

5. Installation—Establish foothold to persist within the target.

6. Command and control—"hands on the keyboard" access to the environment.

7. Actions on objectives—Execute toward goals, typically to steal data.

http://papers.rohanamin.com/wp-content/uploads/papers.rohanamin.com/2011/08/iciw2011.pdf

The "Kill Chain" is simply the phases of an attack progression.

Page 35

Disrupting APT Payload Delivery on Endpoints


Delivery - Transmission of the weapon to the targeted environment. The three most prevalent delivery vectors for weaponized payloads by APT actors, as observed by the Lockheed Martin Computer Incident Response Team (LM-CIRT) for the years 2004-2010, are email attachments, websites, and USB removable media.

Exploitation - After the weapon is delivered to victim host, exploitation triggers intruders’ code. Most often, exploitation targets an application or operating system vulnerability, but it could also more simply exploit the users themselves or leverage an operating system feature that auto-executes.

Installation - Installation of a remote access trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment.

• USB blocking w/ Device Control

• File-type filtering from USB-to-Endpoint

• AntiVirus with Heuristics Enabled

• Browser or gateway URL Filtering

• Patch Management, Configuration Management (prevent known vulnerabilities)

• Memory /Buffer Overflow protection / DEP

• End User Security Awareness & Training

• Application Control
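To make the "file-type filtering from USB-to-Endpoint" control above concrete, here is an added example in Python (written for this page; it is not code from the presentation or from Lumension's products). It classifies a file arriving from removable media by its leading bytes rather than trusting its extension, so a renamed executable (a PE file called report.pdf) is still blocked. The signature bytes are the well-known public ones; the file names, headers and policy sets are constructed for the example.

```python
"""File-type filtering for files copied from USB media to an endpoint.

Added example for this page; not code from the presentation or from any
vendor product. The policy decision uses the file's leading bytes ("magic
numbers") as well as its extension, so a renamed executable is still
blocked. Signature values are the well-known public ones; sample files and
policy sets are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Well-known leading bytes for a few executable and container formats.
SIGNATURES = {
    b"MZ": "pe",                                   # Windows PE (EXE/DLL/SCR)
    b"\x7fELF": "elf",                             # Linux executable
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",                          # ZIP, also OOXML (docx/xlsx/pptx)
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",    # legacy Office (doc/xls/ppt)
}

# Extensions the (assumed) policy accepts for each detected content type.
EXPECTED_EXTENSIONS = {
    "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx"},
    "ole": {"doc", "xls", "ppt"},
}

# Assumed policy: executables never come in from removable media, whatever
# they are called, and a few script/shortcut extensions are refused outright.
BLOCKED_TYPES = {"pe", "elf"}
BLOCKED_EXTENSIONS = {"exe", "dll", "scr", "lnk", "js", "vbs", "bat", "cmd"}


@dataclass
class Verdict:
    allowed: bool
    detected: str   # content type inferred from the header
    reason: str


def detect_type(header: bytes) -> str:
    """Return the format whose signature the header starts with, else 'unknown'."""
    for magic, name in SIGNATURES.items():
        if header.startswith(magic):
            return name
    return "unknown"


def check_usb_file(filename: str, header: bytes) -> Verdict:
    """Decide whether a file from removable media may be written to the endpoint.

    `header` is the first bytes of the file (16 are enough for the table above).
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected = detect_type(header[:16])
    if ext in BLOCKED_EXTENSIONS:
        return Verdict(False, detected, f"extension .{ext} is blocked by policy")
    if detected in BLOCKED_TYPES:
        # The decisive check: content type wins over whatever the file is named.
        return Verdict(False, detected, f"content is {detected}, despite extension .{ext or '(none)'}")
    expected = EXPECTED_EXTENSIONS.get(detected)
    if expected is not None and ext not in expected:
        return Verdict(False, detected, f"content is {detected} but extension is .{ext or '(none)'}")
    # Unknown signatures (plain text, images, ...) are allowed under this policy.
    return Verdict(True, detected, "content and extension consistent with policy")


def scan_media(files: List[Tuple[str, bytes]]) -> List[str]:
    """Return the names of the files that would be blocked."""
    return [name for name, header in files if not check_usb_file(name, header).allowed]


# Constructed sample of files as they might be enumerated on a USB stick.
SAMPLE_FILES = [
    ("quarterly.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("report.pdf", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"),  # PE renamed to .pdf
    ("invoice.docx", b"PK\x03\x04\x14\x00\x06\x00"),
    ("setup.exe", b"MZ\x90\x00"),
    ("notes.txt", b"meeting notes\n"),
    ("photo.jpg", b"%PDF-1.4\n"),  # PDF renamed to .jpg
]

if __name__ == "__main__":
    for name, header in SAMPLE_FILES:
        v = check_usb_file(name, header)
        print(f"{name:15} {'ALLOW' if v.allowed else 'BLOCK':5} {v.detected:8} {v.reason}")
```

The order of the checks matters: the extension blocklist catches obvious cases cheaply, the content-type check then refuses executables regardless of name, and the mismatch check flags documents whose extension disagrees with their header. A product would also need to handle archives and polyglot files, which this example does not attempt.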

Page 36

Defense-in-Depth Strategy

• AV – Control the Bad

• Device Control – Control the Flow

• HD and Media Encryption – Control the Data

• Application Control – Control the Gray

• Patch and Configuration Management – Control the Vulnerability Landscape

Successful risk mitigation starts with a solid vulnerability management foundation, augmented by additional layered defenses which go beyond the traditional blacklist approach.

Page 37

Layered Approach for Mitigation

» Maintain strong patch management practices

» Enable native memory security controls in Windows including DEP and ASLR to limit the success of generic memory based attacks

» Deploy advanced memory-injection attack protection including RMI and Skape/JT to interrupt advanced memory attacks

» Utilize application control/whitelisting to defend against unknown payloads

» Use Device control to block USB-borne malware

» Blacklist outdated plugin versions

» Adopt the concept of least privilege for end users
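As an added illustration of the "blacklist outdated plugin versions" step (example code written for this page, not the presenters' or any vendor's), here is a Python check that compares the plugin versions an inventory reports against a minimum-version policy. The inventory and the minimum versions are constructed values, not real advisories. The point it shows is that versions must be compared numerically, component by component: a plain string comparison ranks "9.0.280.0" above "11.2.202.0" and would leave the older install unflagged.

```python
"""Blacklisting outdated plugin versions with a numeric version comparison.

Added example for this page; not from the presentation or from any vendor
product. Assumes an inventory of installed plugins as an application scanner
might report it (constructed below) and a policy giving the minimum
acceptable version per plugin (assumed values, not vendor advisories).
"""
import re
from typing import Dict, List, Tuple

# Minimum acceptable versions (assumed policy values).
MINIMUM_VERSIONS: Dict[str, str] = {
    "java": "7.0.170",
    "flash": "11.2.202.0",
    "reader": "10.1.6",
}

# Constructed inventory: (hostname, plugin, version string as reported).
INVENTORY: List[Tuple[str, str, str]] = [
    ("ws-0101", "java", "7.0.170"),
    ("ws-0102", "java", "6.0.450"),
    ("ws-0102", "flash", "9.0.280.0"),
    ("ws-0103", "flash", "11.2.202.0"),
    ("ws-0104", "reader", "10.1.6a"),
    ("ws-0105", "reader", "9.5.3"),
    ("ws-0105", "silverlight", "5.1.20125.0"),  # not governed by the policy
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.2.202.0' into (11, 2, 202, 0).

    A trailing non-numeric suffix on a component ('6a' in '10.1.6a') is
    dropped so vendor build letters do not break the comparison.
    """
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            raise ValueError(f"unparseable version: {text!r}")
        parts.append(int(m.group()))
    return tuple(parts)


def is_outdated(version: str, minimum: str) -> bool:
    """True when `version` is strictly older than `minimum`.

    Shorter tuples are zero-padded so that '7.0' compares equal to '7.0.0'.
    """
    v, m = parse_version(version), parse_version(minimum)
    width = max(len(v), len(m))
    v += (0,) * (width - len(v))
    m += (0,) * (width - len(m))
    return v < m


def outdated_plugins(inventory, minimums) -> List[Tuple[str, str, str, str]]:
    """Return (host, plugin, version, minimum) for every install below policy."""
    findings = []
    for host, plugin, version in inventory:
        minimum = minimums.get(plugin)
        if minimum is None:
            continue  # plugin not covered by this policy
        if is_outdated(version, minimum):
            findings.append((host, plugin, version, minimum))
    return findings


if __name__ == "__main__":
    for host, plugin, version, minimum in outdated_plugins(INVENTORY, MINIMUM_VERSIONS):
        print(f"{host}: block {plugin} {version} (policy minimum {minimum})")
```

The findings list is what a blacklist rule would be generated from; in practice the minimum versions come from the vendor's advisories for the plugins in use, and the inventory from whatever application scanner the organization runs.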

Page 38

End Users Are Your Weakest Link

• Be Aware of What You Share – End User Resource Center: http://www.lumension.com/be-aware

Page 39

More Information

• Free Security Scanner Tools

» Vulnerability Scanner – discover all OS and application vulnerabilities on your network

» Application Scanner – discover all the apps being used in your network

» Device Scanner – discover all the devices being used in your network

http://www.lumension.com/special-offer/premium-security-tools.aspx

• Lumension® Endpoint Management and Security Suite

» Online Demo Video: http://www.lumension.com/Resources/Demo-Center/Vulnerability-Management.aspx

» Free Trial (virtual or download): http://www.lumension.com/endpoint-management-security-suite/free-trial.aspx

• Get a Quote (and more): http://www.lumension.com/endpoint-management-security-suite/buy-now.aspx#2

Page 40

Questions?

Submit questions to the presenters via the on-screen text box

Tom Parker, Chief Technology Officer and VP Security Services, FusionX

Paul Zimski, Vice President Solution Marketing, Lumension