BSidesSanFrancisco




  Advanced Persistent Threats
  (Shining the Light on the Industries’ Best Kept Secret)
  Will Gragido | CISSP, CISA, IAM, IEM
  John Pirc | CEH, IAM, SANS Thought Leader


  Cassandra Security
Analysis of the Security Industry and that it influences


      Agenda
     •  Introductions
     •  Advanced Persistent Threats – An Introduction
     •  Dynamic Shifts In the Threat Landscape
     •  Foreign Country Activity – Session Analysis Validation
     •  Subversive Multi-Vector Threats
     •  Gods of War: Blended Attacks
     •  Cryptovirology
     •  CrimeWare as a Service (CaaS)
     •  Question and Answer

      Advanced Persistent Threats:
      An Introduction
     •  Well Documented and Quite Old
        ▫  Earliest known instances date to the early 1990s
           -  Department of Defense parlance: “Events of Interest”
        ▫  State Sponsored
        ▫  Industrial Espionage
        ▫  Colloquially referred to as ‘events of interest’
     •  “Advanced Persistent Threats”
        ▫  Named by the United States Air Force
        ▫  What’s old is new again: origination points
           -  State sponsored infowar labs
           -  Intelligence agencies
           -  The underground
           -  Though not necessarily in the same fashion as threats such as ‘MyDoom’, ‘CodeRed’, or ‘SQL Slammer’ did; this is simply not the case

      Advanced Persistent Threats:
      An Introduction
     •  Easy Definition for a Non-Trivial Challenge:
        ▫  Opportunistic form of cyber attack developed and designed to meet the needs of its architects in compromising a specific system or group of systems in order to acquire and exfiltrate data to those behind the original attack
     •  Historical Targets of Opportunity & Interest:
        ▫  Military
        ▫  Intelligence
        ▫  Defense Intelligence Base
        ▫  High Tech (Intellectual Property: Lucent Technologies, Motorola etc.)
     •  Sophistication Level:
        ▫  Only as sophisticated as they need to be
        ▫  Sophistication is determined and dictated by aggressors after intelligence gathering has occurred


      Advanced Persistent Threats (timeline, 1997–2010)
     •  The Classics
        ▫  1997 – Eligible Receiver
        ▫  1998 – Solar Sunrise
        ▫  1999 – Moonlight Maze
        ▫  2004 – Titan Rain
        ▫  2007 – Byzantine Foothold
     •  The Subversives (SMTs)
        ▫  2009 – US Power Grid, Exxon
        ▫  2010 – Aurora, Operation Shockwave

      Dynamic Shifts in the Threat Landscape
     •  Your Father’s Internet
        ▫  Perimeters used to be well defined and so was the protection
           -  Static & Informational
           -  Firewall and AV saved the day
           -  Web defacements and breaking into a network through open ports or OS vulnerabilities were par for the course
     •  Today’s Internet (Better have a virtual hazmat suit)
        ▫  Floating perimeters
        ▫  Dynamic, Interactive & Mobile
        ▫  App Driven
        ▫  Web browsers and plugins

     U.S. military OKs use of online social
     Seriously…Seriously?
       Washington (CNN) -- U.S. military personnel are officially allowed to tweet. That's the upshot of the Pentagon's long-awaited policy on rank and file personnel using online social media, unveiled Friday. The new rules authorize access to Facebook, Twitter, YouTube, and other social media Web sites from nonclassified government computers -- as long as such activity doesn't compromise operational security or involve prohibited activities or Web sites.
      •  Security Risk & Social Media Trade-off


       Hacking not Required
       Imagine the Possibilities
       •  Non-Intentional Act
       •  Intentional Act


          Routes to the Cyber Market
       Expertise + Motivation + Attack Vector = Result

       Expertise:
       •  None (Normal End-User)
       •  Novice (Script Kiddie)
       •  Intermediate (Hacker for Hire)
       •  Expert (Foreign Intel Service, Terrorist Organization and/or Organized Crime)

       Motivation:
       •  Unwitting
       •  Notoriety
       •  Fame
       •  Fun
       •  Money
       •  Moral Agenda

       Attack Vector:
       •  Email and Attachments
       •  IM, IRC, P2P
       •  Web Browsers
       •  Apps
       •  Open Ports
       •  Vulnerable Operating System

       Result:
       •  Compromise of an Asset/Policy and/or Destruction
       •  Theft
       •  Intellectual Property
       •  Espionage
       •  Corporate/Government
Foreign Country Activity – Drive-By
      Why Session Based Analysis is Needed!
      Compliments of Netwitness ;-)
      1. Examine traffic to foreign countries
      2. Follow the clues

      Suspicious outbound traffic to various countries…
      (screenshot; callout: Destination China)

      Instant Correlation
      (screenshot; callouts: Breadcrumb, Mostly unknown service, Executables exist)

      Anti-Virus triggered on content rendering
      (screenshot; callouts: Breadcrumb, JavaScript, www.333292.com??, Must be bad…, Get: 1.exe, 2.exe, …)


      Malicious Content in the same session
      (screenshot; callouts: Bogus 404 error, Obfuscated JavaScript, Executables downloaded)


      Foreign Country Traffic Summary
        •  Scrutinize outbound traffic to China
        •  Unknown services with .exe transfers
        •  Content review triggered Anti-Virus - “Infostealer”
        •  Content review shows malicious obfuscated JavaScript and .exe downloads
        •  Classic drive-by exploit

        •  Rule Example:
             ▫  Dst.country = “China” extension = “exe”
        •  FlexParse Example:
             ▫  Obfuscated JavaScript patterns
             ▫  Executable file signatures – for those that don’t have the correct extension
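One way to turn the rule and FlexParse examples above into runnable detection logic, as an added example that is not part of the original deck and not NetWitness code: the rule becomes a predicate on destination country and file extension, and the two FlexParse ideas become content checks that recognise an executable by its file signature (magic bytes) regardless of extension and score a response body for common JavaScript obfuscation patterns. The session field names, the hostnames (reserved .invalid TLD) and the sample sessions are constructed for this example.

```python
"""Session-level triage of outbound traffic (added example, not from the slides)."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse
import re


@dataclass
class Session:
    """Hypothetical session record; field names are an assumption, not a NetWitness schema."""
    sid: int
    dst_country: str
    url: str
    content: bytes  # leading bytes of the response body


# File signatures at offset 0 (well-known magic values).
EXECUTABLE_MAGIC = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
}

# Crude indicators of obfuscated JavaScript; each pattern counts once.
OBFUSCATION_PATTERNS = {
    "unescape": re.compile(rb"unescape\s*\("),
    "fromCharCode": re.compile(rb"String\.fromCharCode"),
    "eval": re.compile(rb"\beval\s*\("),
    "percent-escapes": re.compile(rb"(?:%[0-9a-fA-F]{2}){8,}"),
    "hex-escapes": re.compile(rb"(?:\\x[0-9a-fA-F]{2}){8,}"),
}


def extension_of(url: str) -> str:
    """Lower-cased extension of the last path segment ('' if none); query string ignored."""
    name = urlparse(url).path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def rule_country_exe(s: Session, country: str = "China") -> bool:
    """The slide's rule: destination country matches and the requested file is an .exe."""
    return s.dst_country == country and extension_of(s.url) == "exe"


def executable_signature(s: Session) -> Optional[str]:
    """Signature name if the body starts with a known executable magic, whatever the extension."""
    for magic, name in EXECUTABLE_MAGIC.items():
        if s.content.startswith(magic):
            return name
    return None


def obfuscation_score(s: Session) -> int:
    """Number of distinct obfuscation indicators present in the body."""
    return sum(1 for p in OBFUSCATION_PATTERNS.values() if p.search(s.content))


def triage(sessions, country="China", js_threshold=2):
    """Map session id -> reasons for every session that trips at least one check."""
    hits = {}
    for s in sessions:
        reasons = []
        if rule_country_exe(s, country):
            reasons.append("country-exe")
        if executable_signature(s):
            reasons.append("exe-signature")
        if obfuscation_score(s) >= js_threshold:
            reasons.append("obfuscated-js")
        if reasons:
            hits[s.sid] = reasons
    return hits


# Constructed sample sessions: an .exe by name, an .exe hiding behind a .gif name,
# an HTML page with obfuscated script, a benign PNG, and an .exe to a non-China host.
SAMPLE_SESSIONS = [
    Session(1, "China", "http://dl.example.invalid/1.exe", b"MZ\x90\x00\x03\x00"),
    Session(2, "China", "http://dl.example.invalid/update.gif", b"MZ\x90\x00\x03\x00"),
    Session(3, "China", "http://dl.example.invalid/index.html",
            b"<script>document.write(unescape('%3c%73%63%72%69%70%74%3e'));"
            b"eval(String.fromCharCode(118,97,114));</script>"),
    Session(4, "US", "http://cdn.example.invalid/logo.png", b"\x89PNG\r\n\x1a\n"),
    Session(5, "US", "http://cdn.example.invalid/setup.exe", b"MZ\x90\x00\x03\x00"),
]

if __name__ == "__main__":
    for sid, reasons in sorted(triage(SAMPLE_SESSIONS).items()):
        print(f"session {sid}: {', '.join(reasons)}")
```

Session 2 is the case the FlexParse bullet is about: the extension rule misses it, the signature check catches it. The obfuscation threshold is deliberately a count of distinct indicators rather than any single match, since one `eval(` on its own is common in legitimate pages.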
Subversive Multi-Vector Threats (SMTs)


           Subversive Multi-Vector Threats
   •  Definition:
       ▫  Highly sophisticated, well crafted, executed attacks designed to use and exploit as many possible threat vectors as necessary to accomplish the mission’s milestones. What makes them different than other threats is the willingness to utilize people, process and technology weaknesses in order to meet their ends
       ▫  These threats are designed to, in a dynamic fashion, place a greater or lesser amount of effort and emphasis in one area versus another over time as dictated by the mission’s goals and the leadership behind them
   •  Subversive Multi-Vector Threats (SMTs) are complex unions of human intelligence, information security, communications intelligence / signals intelligence (COMINT / SIGINT), and open source intelligence (OPSINT) and differ greatly in this sense from other threat classes such as the Advanced Persistent Threat (APT), as a result. (Gragido 12122009, http://cassandrasecurity.com/?p=960)
      Subversive Multi-Vector Threats (SMT) and Advanced Persistent Threats (APT)
        •  Differ dramatically from other well-known threat types in a number of ways, some more obvious than others
        •  The greatest differences noted between the types of threats
           ▫  Lie in the targets of interest
           ▫  Approaches employed in selecting and exploiting the target
           ▫  Whether they be targets of opportunity or selected targets, exploitation mechanisms will vary in the world of the Subversive Multi-Vector Threats, whereas in the world of the Advanced Persistent Threats (APT)
              -  The avenues for exploitation may change though their overall relevance is entrenched in the realm of the technical
           ▫  As such, APTs, contrary to popular belief, are focused and rely upon technological vulnerabilities present within a system or enterprise in order to meet their goals
           ▫  Not so with the Subversive Multi-Vector Threat
              -  These threats are not bound to technology alone as an avenue of exploitation but rather often assess both people and process weakness equally in order to identify the path of least resistance while capitalizing upon the weakness of others.

       Identifying and Addressing Subversive Multi-Vector Threats (SMT)
        •  Subversive Multi-Vector Threats (SMTs)
            ▫  Employment of intellectual honesty
               -  Reality dictates we will be targeted
               -  “When” not “If”
            ▫  Requires risk management
            ▫  Repeatable processes and procedures are non-negotiable; they are imperative
            ▫  Metrics employed
               -  What gets measured gets results
               -  Aids in establishing the known from the unknown while demonstrating progression or regression
               -  Our assertion is that in doing so an organization can quickly identify areas where vulnerabilities and deficiencies exist which leave them exposed to potential exploitation of people, process and technology
        •  Uncompromising Diligence Is Required
        •  Progressive approaches required
            ▫  Creativity
            ▫  Collaboration
            ▫  Iron sharpens Iron
        •  Innovative technological solutions coupled with innovative comprehensive approaches to practical, risk based information security management imperative
            ▫  Are there technologies which can aid us in achieving these goals?
               -  Yes
            ▫  Are they already in our environments?
               -  Perhaps, but odds are they are not, but will be or should be considered in the near future
Gods of War: Blended Attacks

      Gods of War: Blended Attacks
        •  ZeuS (also known as Zbot / WSNPoem)
        •  Crimeware kit which is best known for its tenacity, intelligent design and ability to steal credentials (in a voluminous manner) from a truly impressive, disparate base of sources including but not limited to the following:
           ▫  Social Networks (Facebook, Twitter, MySpace, LinkedIn, Foursquare, Yelp etc.)
           ▫  Online financial accounts (Banking, Brokerage, Retirement etc.)
           ▫  FTP accounts (yes, people still use unsecured FTP accounts…)
           ▫  E-Mail accounts (Phishing / Spear Phishing)
           ▫  Cloud Computing Based Environments (Amazon EC2)


               Gods of War: Blended Attacks
 •  ZeuS’ DNA
     ▫  Crimeware Kit which contains the following modules
        -  A web interface for administering and managing the botnet (ZeuS Admin Panel)
        -  A customized tool used in the creation of the Trojan binaries and in encrypting the configuration file (commonly referred to as an executable generator)
     ▫  ZeuS Hosts
        -  Typically consist of three components
           ·  A configuration file (most commonly associated file name extension is *.bin)
           ·  A binary file which contains the newest version of the ZeuS Trojan code (updated periodically by the Bot Master to ensure the highest degree of functionality and feature use / availability)
           ·  A dropzone (most commonly seen as a php file used for storage)
 •  ZeuS Botnet Features:
     ▫  Framework design
        -  Unintelligent program which hooks itself into the Operating System (need to verify if it is hooking at ring 3 or 0) and hides itself
        -  All logic for the botnet itself is contained within the configuration file
        -  The configuration file for ZeuS / Zbot acts like a definitions database for AV products; without this the bot is fairly benign
           ·  Often times lists of targets (financial institutions for example) are contained within it, in addition to other data such as URLs for other components the bot relies upon for command & control purposes, and the lists of information gathered from targets to populate fields which the bot completes in order to steal details / credentials and other information
        -  The configuration file is always ciphered; it’s never found in clear
           ·  The older versions of ZeuS used a hard-coded cipher which could be reverse engineered; however the current versions use a more sophisticated level of cryptovirology (using unique keys for encrypting the config file, the key is then stored in the executable – which is also ‘packed’); this eliminates the potential for deciphering all botted hosts universally
           ·  The key is 256 bytes long, making it a non-trivial task for brute forcing

               Courtesy of abuse.ch ZeuS Tracker


      Gods of War: Blended Attacks
      •  Credentials Capturing
         ▫  HTTP
         ▫  HTTPS
         ▫  FTP
         ▫  POP3
         ▫  Botnets Protected Storage Area (PSTORE)
      •  Organize / Assemble / Group infected hosts into different botnets for:
         ▫  Ease of use
         ▫  Flexibility
         ▫  Meeting customer needs
      •  Integrated SOCKS-Proxy
      •  Web based form for searching captured credentials
      •  Ciphered configuration files
      •  Kill Operating System Functions (becoming more common in botnets the world over)
      •  Well QA’d
         ▫  Exhaustively tested before release


   CryptoVirology
    •  What is cryptovirology?
        ▫  A wonderful question with a myriad of plausible responses
        ▫  What cryptovirology is not is obvious, common, trivial or new
        ▫  Cryptovirology as a discipline has a lineage dating back to the mid to late 1990s, something that seems to be (along with other things in our industry as of late) often overlooked


      CryptoVirology:
        •  The earliest observed instances where cryptoviral attacks were utilized have become known as ‘cryptoviral extortion’.
        •  AKA ‘cryptoviral ransom’ attacks, however
        •  An attack by any other name would smell as sweet…
           ▫  The intent and logical outcomes are the same: via a virus, worm, Trojan etc. a victim’s files (whether discriminately chosen or not so) are identified and encrypted, with the file owner being notified that should she wish to receive them back intact, she must first make payment to the author of the malicious code in question in order to receive the proper session key.
           ▫  If payment is not brought forward the author / attacker may make a variety of threats / claims as to what he / she will do with the files, up to and including destruction.


      CryptoVirology
        •  There are many examples of malicious code and content which use questionable encryption schemes; however the distinction which must be made and taken note of is the purpose for which it is used today versus the past
        •  In the past, cryptography was used by malicious code and content authors solely to avoid detection by mitigation solutions such as Anti-Virus. In these scenarios the payload was not ciphered and thus not considered ‘ransomware’. Today, the world has changed and as such payloads are ciphered and subsequently the game has changed.
        •  Historical Examples Include But Are Not Limited To the Following:
           ▫  ZeuS
           ▫  Blazebot
           ▫  Storm / Waledac

      CrimeWare as a Service (CaaS): Service with a Smile
     •  Globalization: The World Is Flat! (Friedman)
         ▫  Leveled the playing field for some
         ▫  Introduced the game and built the field for others
         ▫  Torn the game asunder, rendering it forever changed for still others
         ▫  Ensured that the free hand of the open market is allowed to move freely for all, including criminals
     •  As a result a myriad of service offerings and providers have emerged the world over, ready, willing, and able to meet your needs better than their competitors while offering you maximum ROI
         ▫  Hacking as a Service (HaaS)
         ▫  Fraud as a Service (FaaS)
         ▫  DDoSing as a Service
         ▫  Spamming as a Service
         ▫  Spear phishing as a Service
         ▫  Designer / Custom Malware Creation as a Service


      Key Points
    ▫  Known Current Solutions Not Good Enough
    ▫  Advanced Persistent Threats Will Become Pervasive
    ▫  Subversive Multi-Vector Threats Will Eclipse APTs
    ▫  Cryptovirology Is Alive and Well
    ▫  Inaction Equals Acceptance

Persistence is Key: Advanced Persistent Threats
 
Cyber Threat Taxonomy Matrix APR 2014
Cyber Threat Taxonomy Matrix APR 2014Cyber Threat Taxonomy Matrix APR 2014
Cyber Threat Taxonomy Matrix APR 2014
 
Reducing the Impact of Cyber Attacks
Reducing the Impact of Cyber AttacksReducing the Impact of Cyber Attacks
Reducing the Impact of Cyber Attacks
 
Cyber Crime
Cyber CrimeCyber Crime
Cyber Crime
 
Anatomy of a cyber-attack
Anatomy of a cyber-attackAnatomy of a cyber-attack
Anatomy of a cyber-attack
 
NTXISSACSC2 - Advanced Persistent Threat (APT) Life Cycle Management Monty Mc...
NTXISSACSC2 - Advanced Persistent Threat (APT) Life Cycle Management Monty Mc...NTXISSACSC2 - Advanced Persistent Threat (APT) Life Cycle Management Monty Mc...
NTXISSACSC2 - Advanced Persistent Threat (APT) Life Cycle Management Monty Mc...
 
#ALSummit: Live Cyber Hack Demonstration
#ALSummit: Live Cyber Hack Demonstration#ALSummit: Live Cyber Hack Demonstration
#ALSummit: Live Cyber Hack Demonstration
 
Models of Escalation and De-escalation in Cyber Conflict
Models of Escalation and De-escalation in Cyber ConflictModels of Escalation and De-escalation in Cyber Conflict
Models of Escalation and De-escalation in Cyber Conflict
 
From data to numbers to knowledge: semantic embeddings By Alvaro Barbero
From data to numbers to knowledge: semantic embeddings By Alvaro BarberoFrom data to numbers to knowledge: semantic embeddings By Alvaro Barbero
From data to numbers to knowledge: semantic embeddings By Alvaro Barbero
 
The Rise of Engineering-Driven Analytics by Loren Shure
The Rise of Engineering-Driven Analytics by Loren ShureThe Rise of Engineering-Driven Analytics by Loren Shure
The Rise of Engineering-Driven Analytics by Loren Shure
 
Common Techniques To Identify Advanced Persistent Threat (APT)
Common Techniques To Identify Advanced Persistent Threat (APT)Common Techniques To Identify Advanced Persistent Threat (APT)
Common Techniques To Identify Advanced Persistent Threat (APT)
 
ICT Security: Defence strategies against targeted attack
ICT Security: Defence strategies against targeted attackICT Security: Defence strategies against targeted attack
ICT Security: Defence strategies against targeted attack
 
From data to AI with the Machine Learning Canvas by Louis Dorard Slides
From data to AI with the Machine Learning Canvas by Louis  Dorard SlidesFrom data to AI with the Machine Learning Canvas by Louis  Dorard Slides
From data to AI with the Machine Learning Canvas by Louis Dorard Slides
 
Types of cyber attacks
Types of cyber attacksTypes of cyber attacks
Types of cyber attacks
 
Finding the needle in the haystack: how Nestle is leveraging big data to defe...
Finding the needle in the haystack: how Nestle is leveraging big data to defe...Finding the needle in the haystack: how Nestle is leveraging big data to defe...
Finding the needle in the haystack: how Nestle is leveraging big data to defe...
 
The Cyber Threat Intelligence Matrix
The Cyber Threat Intelligence MatrixThe Cyber Threat Intelligence Matrix
The Cyber Threat Intelligence Matrix
 
Anatomy of a cyber attack
Anatomy of a cyber attackAnatomy of a cyber attack
Anatomy of a cyber attack
 

Similar a Advanced Persistent Threats (Shining the Light on the Industries' Best Kept Secret) - Will Gragido and John Pirc

Trend Micro - is your cloud secure
Trend Micro - is your cloud secureTrend Micro - is your cloud secure
Trend Micro - is your cloud secure
Kappa Data
 
Wall street journal 22 sept 10 - perspectives on risk it
Wall street journal 22 sept 10  - perspectives on risk itWall street journal 22 sept 10  - perspectives on risk it
Wall street journal 22 sept 10 - perspectives on risk it
Messiernl
 
Issa Charlotte 2009 Patching Your Users
Issa Charlotte 2009   Patching Your UsersIssa Charlotte 2009   Patching Your Users
Issa Charlotte 2009 Patching Your Users
Mike Murray
 
RSA 2012 Presentation: Information Protection
RSA 2012 Presentation: Information ProtectionRSA 2012 Presentation: Information Protection
RSA 2012 Presentation: Information Protection
Symantec
 
Cyber security assocham
Cyber security assochamCyber security assocham
Cyber security assocham
nmrdkoz
 
Csirs Trabsport Security September 2011 V 3.6
Csirs Trabsport Security September 2011 V 3.6Csirs Trabsport Security September 2011 V 3.6
Csirs Trabsport Security September 2011 V 3.6
David Spinks
 
Issa Seattle 5 09 Social Engineering
Issa Seattle 5 09   Social EngineeringIssa Seattle 5 09   Social Engineering
Issa Seattle 5 09 Social Engineering
Mike Murray
 

Similar a Advanced Persistent Threats (Shining the Light on the Industries' Best Kept Secret) - Will Gragido and John Pirc (20)

Cyber Security Lecture at Rah Rah 7
Cyber Security Lecture at Rah Rah 7Cyber Security Lecture at Rah Rah 7
Cyber Security Lecture at Rah Rah 7
 
DNS Cybersecurity in 2012-2015
DNS Cybersecurity in 2012-2015DNS Cybersecurity in 2012-2015
DNS Cybersecurity in 2012-2015
 
Peering Through the Cloud Forrester EMEA 2010
Peering Through the Cloud Forrester EMEA 2010Peering Through the Cloud Forrester EMEA 2010
Peering Through the Cloud Forrester EMEA 2010
 
Smart Grids & Dumb Security => A Guide For Business Managers
Smart Grids & Dumb Security => A Guide For Business ManagersSmart Grids & Dumb Security => A Guide For Business Managers
Smart Grids & Dumb Security => A Guide For Business Managers
 
Trend Micro - is your cloud secure
Trend Micro - is your cloud secureTrend Micro - is your cloud secure
Trend Micro - is your cloud secure
 
Iurii Garasym. The future crimes and predestination of cyber security. Though...
Iurii Garasym. The future crimes and predestination of cyber security. Though...Iurii Garasym. The future crimes and predestination of cyber security. Though...
Iurii Garasym. The future crimes and predestination of cyber security. Though...
 
Wall street journal 22 sept 10 - perspectives on risk it
Wall street journal 22 sept 10  - perspectives on risk itWall street journal 22 sept 10  - perspectives on risk it
Wall street journal 22 sept 10 - perspectives on risk it
 
Issa Charlotte 2009 Patching Your Users
Issa Charlotte 2009   Patching Your UsersIssa Charlotte 2009   Patching Your Users
Issa Charlotte 2009 Patching Your Users
 
PCTY 2012, IBM Security and Strategy v. Fabio Panada
PCTY 2012, IBM Security and Strategy v. Fabio PanadaPCTY 2012, IBM Security and Strategy v. Fabio Panada
PCTY 2012, IBM Security and Strategy v. Fabio Panada
 
Cyber and influence
Cyber and influenceCyber and influence
Cyber and influence
 
Mobile Banking Channel Security - Cyber Security Conference 2011
Mobile Banking Channel Security - Cyber Security Conference 2011Mobile Banking Channel Security - Cyber Security Conference 2011
Mobile Banking Channel Security - Cyber Security Conference 2011
 
RSA 2012 Presentation: Information Protection
RSA 2012 Presentation: Information ProtectionRSA 2012 Presentation: Information Protection
RSA 2012 Presentation: Information Protection
 
Cyber security assocham
Cyber security assochamCyber security assocham
Cyber security assocham
 
Critical Infrastructure Protection from Terrorist Attacks
Critical Infrastructure Protection from Terrorist AttacksCritical Infrastructure Protection from Terrorist Attacks
Critical Infrastructure Protection from Terrorist Attacks
 
Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware
 
2012 02 14 Afcom Presentation
2012 02 14 Afcom Presentation2012 02 14 Afcom Presentation
2012 02 14 Afcom Presentation
 
Mag-Securs No.29, 2011 - Validy: Learning from the Stuxnet Case
Mag-Securs No.29, 2011 - Validy: Learning from the Stuxnet CaseMag-Securs No.29, 2011 - Validy: Learning from the Stuxnet Case
Mag-Securs No.29, 2011 - Validy: Learning from the Stuxnet Case
 
Csirs Trabsport Security September 2011 V 3.6
Csirs Trabsport Security September 2011 V 3.6Csirs Trabsport Security September 2011 V 3.6
Csirs Trabsport Security September 2011 V 3.6
 
Issa Seattle 5 09 Social Engineering
Issa Seattle 5 09   Social EngineeringIssa Seattle 5 09   Social Engineering
Issa Seattle 5 09 Social Engineering
 
Ot ics cyberattaques dans les organisations industrielles
Ot ics cyberattaques dans les organisations industrielles Ot ics cyberattaques dans les organisations industrielles
Ot ics cyberattaques dans les organisations industrielles
 

Más de Security B-Sides

2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c 2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
Security B-Sides
 
Dominique Karg - Advanced Attack Detection using OpenSource tools
Dominique Karg - Advanced Attack Detection using OpenSource toolsDominique Karg - Advanced Attack Detection using OpenSource tools
Dominique Karg - Advanced Attack Detection using OpenSource tools
Security B-Sides
 

Más de Security B-Sides (20)

Lord of the bing b-sides atl
Lord of the bing   b-sides atlLord of the bing   b-sides atl
Lord of the bing b-sides atl
 
The road to hell v0.6
The road to hell v0.6The road to hell v0.6
The road to hell v0.6
 
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c 2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
 
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
Tastes Great vs Less Filling: Deconstructing Risk Management (A Practical App...
 
Social Penetration - Mike Murray and Mike Bailey
Social Penetration - Mike Murray and Mike BaileySocial Penetration - Mike Murray and Mike Bailey
Social Penetration - Mike Murray and Mike Bailey
 
How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...How really to prepare for a credit card compromise (PCI) forensics investigat...
How really to prepare for a credit card compromise (PCI) forensics investigat...
 
Risk Management - Time to blow it up and start over? - Alex Hutton
Risk Management - Time to blow it up and start over? - Alex HuttonRisk Management - Time to blow it up and start over? - Alex Hutton
Risk Management - Time to blow it up and start over? - Alex Hutton
 
Security? Who cares! - Brett Hardin
Security? Who cares! - Brett HardinSecurity? Who cares! - Brett Hardin
Security? Who cares! - Brett Hardin
 
Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...
Computing Risk without Numbers:  A Semantic Approach to Risk Metrics - Tim Ke...Computing Risk without Numbers:  A Semantic Approach to Risk Metrics - Tim Ke...
Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Ke...
 
The Great Compliance Debate: No Child Left Behind or The Polio Vaccine
The Great Compliance Debate: No Child Left Behind or The Polio VaccineThe Great Compliance Debate: No Child Left Behind or The Polio Vaccine
The Great Compliance Debate: No Child Left Behind or The Polio Vaccine
 
Dominique Karg - Advanced Attack Detection using OpenSource tools
Dominique Karg - Advanced Attack Detection using OpenSource toolsDominique Karg - Advanced Attack Detection using OpenSource tools
Dominique Karg - Advanced Attack Detection using OpenSource tools
 
2009 Zacon Haroon Meer
2009 Zacon  Haroon  Meer2009 Zacon  Haroon  Meer
2009 Zacon Haroon Meer
 
Enterprise Portals - Gateway to the Gold
Enterprise Portals - Gateway to the GoldEnterprise Portals - Gateway to the Gold
Enterprise Portals - Gateway to the Gold
 
From fishing to phishing to ?
From fishing to phishing to ?From fishing to phishing to ?
From fishing to phishing to ?
 
Getting punched in the face
Getting punched in the faceGetting punched in the face
Getting punched in the face
 
Make Tea Not War
Make Tea Not WarMake Tea Not War
Make Tea Not War
 
OWASP Proxy
OWASP ProxyOWASP Proxy
OWASP Proxy
 
Smashing the stats for fun (and profit)
Smashing the stats for fun (and profit)Smashing the stats for fun (and profit)
Smashing the stats for fun (and profit)
 
Exploitation
ExploitationExploitation
Exploitation
 
Layer 2 Hackery
Layer 2 HackeryLayer 2 Hackery
Layer 2 Hackery
 

Último

Último (20)

🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 

Advanced Persistent Threats (Shining the Light on the Industries' Best Kept Secret) - Will Gragido and John Pirc

  • 1. BSidesSanFrancisco
    Advanced Persistent Threats (Shining the Light on the Industries' Best Kept Secret)
    Will Gragido | CISSP, CISA, IAM, IEM
    John Pirc | CEH, IAM, SANS Thought Leader
    Cassandra Security – Analysis of the Security Industry and that it influences
  • 2. Agenda
    •  Introductions
    •  Advanced Persistent Threats – An Introduction
    •  Dynamic Shifts In the Threat Landscape
    •  Foreign Country Activity – Session Analysis Validation
    •  Subversive Multi-Vector Threats
    •  Gods of War: Blended Attacks
    •  Cryptovirology
    •  CrimeWare as a Service (CaaS)
    •  Question and Answer
  • 3. Advanced Persistent Threats: An Introduction
    •  Well Documented and Quite Old
       ▫  Earliest known instances date to the early 1990s
            Department of Defense parlance: “Events of Interest”
       ▫  State Sponsored
       ▫  Industrial Espionage
       ▫  Colloquially referred to as ‘events of interest’
    •  “Advanced Persistent Threats”
       ▫  Named by the United States Air Force
       ▫  What’s old is new again: origination points
            State sponsored infowar labs
            Intelligence agencies
            The underground
              Though not necessarily in the same fashion in which threats such as ‘MyDoom’, ‘CodeRed’, or ‘Sql Slammer’ did; this is simply not the case
  • 4. Advanced Persistent Threats: An Introduction
    •  Easy Definition for a Non-Trivial Challenge:
       ▫  Opportunistic form of cyber attack developed and designed to meet the needs of its architects in compromising a specific system or group of systems in order to acquire and exfiltrate data to those behind the original attack
    •  Historical Targets of Opportunity & Interest:
       ▫  Military
       ▫  Intelligence
       ▫  Defense Intelligence Base
       ▫  High Tech (Intellectual Property – Lucent Technologies, Motorola etc.)
    •  Sophistication Level:
       ▫  Only as sophisticated as they need to be
       ▫  Sophistication is determined and dictated by aggressors after intelligence gathering has occurred
  • 5. Advanced Persistent Threats – timeline figure (The Classics / The Subversives / SMT’s), spanning 1997, 1998, 1999, 2004, 2007, 2009 and 2010, with the events Eligible Receiver, Solar Sunrise, Moonlight Maze, Titan Rain, Byzantine Foothold, Exxon, US Power Grid, Operation Shockwave and Aurora
  • 6. Dynamic Shifts in Threat Landscape
    •  Your Father’s Internet
       ▫  Perimeters used to be well defined and so was the protection
            Static & Informational
            Firewall and AV saved the day
            Web defacements and breaking into a network through open ports or OS vulnerabilities were par for the course
    •  Today’s Internet (Better have a virtual hazmat suit)
       ▫  Floating perimeters
       ▫  Dynamic, Interactive & Mobile
       ▫  App Driven
       ▫  Web browsers and plugins
  • 7. U.S. military OKs use of online social … Seriously…Seriously?
    Quoted news item: “Washington (CNN) -- U.S. military personnel are officially allowed to tweet. That's the upshot of the Pentagon's long-awaited policy on rank and file personnel using online social media, unveiled Friday. The new rules authorize access to Facebook, Twitter, YouTube, and other social media Web sites from nonclassified government computers -- as long as such activity doesn't compromise operational security or involve prohibited activities or Web sites.”
    •  Security Risk & Social Media Trade-off
  • 8. Hacking not Required – Imagine the Possibilities
  • 9. Routes to the Cyber Market (axis: Non-Intentional Act → Intentional Act)
    Expertise + Motivation + Attack Vector = Result
    •  Expertise: None (Normal End-User); Novice (Script Kiddie); Intermediate (Hacker for Hire); Expert (Foreign Intel Service, Terrorist Organization and/or Organized Crime)
    •  Motivation: Notoriety; Intellectual Property; Espionage; Money; Moral Agenda; Theft; Unwitting; Fame; Fun
    •  Attack Vector: Email Attachments; IM, IRC, P2P; Web Browsers; Apps; Open Ports; Vulnerable Operating System
    •  Result: Compromise of an Asset/Policy and/or Destruction; Corporate/Government
  • 10. Foreign Country Activity – Drive-By: Why Session Based Analysis is Needed! (Compliments of Netwitness ;-)
    1. Examine traffic to foreign countries
    2. Follow the clues
  • 11. Suspicious outbound traffic to various countries…. Destination: China
  • 12. Instant Correlation – Breadcrumb: mostly unknown service; executables exist
  • 13. Anti-Virus triggered on content rendering – Breadcrumb: JavaScript; www.333292.com?? Must be bad…; Get: 1.exe, 2.exe, …
  • 14. Malicious Content in the same session: bogus 404 error; obfuscated JavaScript; executables downloaded
  • 15. Foreign Country Traffic Summary
    •  Scrutinize outbound traffic to China
    •  Unknown services with .exe transfers
    •  Content review triggered Anti-Virus – “Infostealer”
    •  Content review shows malicious obfuscated JavaScript and .exe downloads
    •  Classic drive-by exploit
    •  Rule Example:
       ▫  Dst.country = “China” extension = “exe”
    •  FlexParse Example:
       ▫  Obfuscated Javascript patterns
       ▫  Executable file signatures – for those that don’t have correct extension
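The three detection ideas on this slide (the destination-country plus extension rule, an executable-signature check for files that hide behind the wrong extension, and obfuscated-JavaScript patterns) are easy to express as session-level triage logic. The block below is an added example written for this page; it is not code from the deck or from NetWitness, and it does not use NetWitness rule or FlexParse syntax. Every session record in it is constructed sample data, and the regular expressions are my own heuristics, not signatures from the talk.

```python
"""Session-level triage modelled on the 'Foreign Country Traffic Summary' slide.

Three checks, each mapped to a bullet on the slide:
  1. outbound .exe transfer to a watched destination country
  2. a Windows PE payload whose URL extension is not .exe
  3. obfuscated JavaScript in the response body
All sessions defined here are constructed samples, not captured traffic.
"""
import re
from dataclasses import dataclass


@dataclass
class Session:
    dst_country: str   # geolocated destination of the outbound connection
    host: str          # server name (constructed, .invalid TLD)
    path: str          # requested URL path
    content: bytes     # leading bytes of the response body


# Slide rule: Dst.country = "China" extension = "exe"
WATCHED_COUNTRIES = {"China"}


def extension(path: str) -> str:
    """Lower-cased extension of the last path segment, or '' if it has none."""
    filename = path.rsplit("/", 1)[-1]
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def looks_like_pe(content: bytes) -> bool:
    """Windows PE files start with the 'MZ' DOS header whatever they are named."""
    return content[:2] == b"MZ"


# Heuristics for drive-by style obfuscation: eval/unescape chains, long
# percent-encoded runs, and long String.fromCharCode argument lists.
OBFUSCATION_PATTERNS = [
    re.compile(rb"eval\s*\(\s*unescape\s*\("),
    re.compile(rb"document\.write\s*\(\s*unescape\s*\("),
    re.compile(rb"(%[0-9a-fA-F]{2}){20,}"),
    re.compile(rb"String\.fromCharCode\((\s*\d+\s*,){15,}"),
]


def looks_obfuscated_js(content: bytes) -> bool:
    return any(p.search(content) for p in OBFUSCATION_PATTERNS)


def triage(session: Session) -> list[str]:
    """Return the list of finding tags raised for one session (empty if clean)."""
    findings = []
    ext = extension(session.path)
    if session.dst_country in WATCHED_COUNTRIES and ext == "exe":
        findings.append("exe-transfer-watched-country")
    # The slide's FlexParse idea: match the executable by signature, so a
    # renamed payload (logo.gif, update.dat, ...) is still caught.
    if looks_like_pe(session.content) and ext != "exe":
        findings.append("pe-with-wrong-extension")
    if looks_obfuscated_js(session.content):
        findings.append("obfuscated-javascript")
    return findings


# Constructed sample sessions (hosts use the reserved .invalid TLD).
SAMPLE_SESSIONS = [
    Session("China", "dl.constructed-a.invalid", "/get/1.exe",
            b"MZ\x90\x00\x03\x00\x00\x00"),
    Session("China", "cdn.constructed-b.invalid", "/images/logo.gif",
            b"MZ\x90\x00\x03\x00\x00\x00"),
    Session("United States", "www.constructed-c.invalid", "/index.html",
            b"<script>eval(unescape('" + b"%41" * 25 + b"'))</script>"),
    Session("Germany", "static.constructed-d.invalid", "/style.css",
            b"body { margin: 0 }"),
]


def run_sample() -> dict[str, list[str]]:
    """Triage every constructed session, keyed by host + path."""
    return {s.host + s.path: triage(s) for s in SAMPLE_SESSIONS}


if __name__ == "__main__":
    for key, findings in run_sample().items():
        print(f"{key}: {findings or 'clean'}")
```

The country-plus-extension rule alone misses the second constructed session (a PE served as logo.gif), which is exactly why the slide pairs it with a content parser; the signature check is what turns "unknown service with .exe transfers" into "unknown service with executables, however named".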
  • 16. Subversive Multi-Vector Threats (SMTs)
  • 17. Subversive Multi-Vector Threats
    •  Definition:
       ▫  Highly sophisticated, well crafted, executed attacks designed to use and exploit as many possible threat vectors as necessary to accomplish the mission’s milestones. What makes them different than other threats is the willingness to utilize people, process and technology weaknesses in order to meet their ends
       ▫  These threats are designed to, in a dynamic fashion, place a greater or lesser amount of effort and emphasis in one area versus another over time as dictated by the mission’s goals and the leadership behind them
    •  Subversive Multi-Vector Threats (SMTs) are complex unions of human intelligence, information security, communications intelligence / signals intelligence (COMINT) / (SIGINT), and open source intelligence (OPSINT) and differ greatly in this sense from other threat classes such as the Advanced Persistent Threat (APT), as a result. (Gragido 12122009, http://cassandrasecurity.com/?p=960)
  • 18. Subversive Multi-Factor Threats (SMT) and Advanced Persistent Threats (APT)
    •  Differ dramatically from other well-known threat types in a number of ways, some more obvious than others
    •  The greatest differences noted between the types of threats
       ▫  Lie in the targets of interest
       ▫  Approaches employed in selecting and exploiting the target
       ▫  Whether they be targets of opportunity or selected targets, exploitation mechanisms will vary in the world of the Subversive Multi-Vector Threats, whereas in the world of the Advanced Persistent Threats (APT)
            The avenues for exploitation may change though their overall relevance is entrenched in the realm of the technical
       ▫  As such, APTs, contrary to popular belief, are focused and rely upon technological vulnerabilities present within a system or enterprise in order to meet their goals
       ▫  Not so with the Subversive Multi-Vector Threat
            These threats are not bound to technology alone as an avenue of exploitation but rather often assess both people and process weakness equally in order to identify the path of least resistance while capitalizing upon the weakness of others.
  • 19. Identifying and Addressing Subversive Multi-Vector Threats (SMT)
    •  Uncompromising Diligence Is Required
       ▫  Employment of intellectual honesty
            Reality dictates we will be targeted
            “When” not “If”
       ▫  Requires risk management
       ▫  Repeatable processes and procedures are non-negotiable; they are imperative
       ▫  Metrics employed
            What gets measured gets results
            Aids in establishing the known from the unknown while demonstrating progression or regression
            Our assertion is that in doing so an organization can quickly identify areas where vulnerabilities and deficiencies exist which leave them exposed to potential exploitation of people, process and technology
    •  Subversive Multi-Vector Threats (SMTs)
       •  Progressive approaches required
          ▫  Creativity
          ▫  Collaboration
          ▫  Iron sharpens Iron
       •  Innovative technological solutions coupled with innovative comprehensive approaches to practical, risk based information security management imperative
          ▫  Are there technologies which can aid us in achieving these goals?
               Yes
          ▫  Are they already in our environments?
               Perhaps, but odds are they are not but will be or should be considered in the near future
  • 20. Gods of War: Blended Attacks
  • 21. Gods of War: Blended Attacks
    •  ZeuS (also known as Zbot / WSNPoem)
    •  Crimeware kit which is best known for its tenacity, intelligent design and ability to steal credentials (in a voluminous manner), from a truly impressive, disparate base of sources including but not limited to the following:
       ▫  Social Networks (Facebook, Twitter, MySpace, Linkedin, Foursquare, Yelp etc.)
       ▫  Online financial accounts (Banking, Brokerage, Retirement etc.)
       ▫  FTP accounts (yes people still use unsecured ftp accounts…)
       ▫  E-Mail accounts (Phishing / Spear Phishing)
       ▫  Cloud Computing Based Environments (Amazon EC2)
  • 22. Gods of War: Blended Attacks
    •  ZeuS’ DNA
       ▫  Crimeware Kit which contains the following modules
            A web interface for administering and managing the botnet (ZeuS Admin Panel)
            A customized tool used in the creation of the Trojan binaries and in encrypting the configuration file (commonly referred to as an executable generator)
       ▫  ZeuS Hosts
            Typically consist of three components
            A configuration file (most commonly associated file name extension is *.bin)
            A binary file which contains the newest version of the ZeuS Trojan code (updated periodically by the Bot Master to ensure highest degree of functionality and feature use / availability)
            A dropzone (most commonly seen as a php file used for storage)
    •  ZeuS Botnet Features:
       ▫  Framework design
            Unintelligent program which hooks itself into the Operating System (need to verify if it is hooking at ring 3 or 0) and hides itself
            All logic for the botnet itself is contained within the configuration file
            The configuration file for ZeuS / Zbot acts like a definitions database for AV products; without this the bot is fairly benign
            Often times lists of targets (financial institutions for example) are contained within it, in addition to other data such as urls for other components the bot relies upon for command and control purposes, and the lists of information gathered from targets to populate fields which the bot completes in order to steal details / credentials and other information
            The configuration file is always ciphered; it’s never found in clear
       ▫  The older versions of ZeuS used a hard-coded cipher which could be reverse engineered; however the current versions use a more sophisticated level of cryptovirology (using unique keys for encrypting the config file, the key is then stored in the executable – which is also ‘packed’); this eliminates the potential for deciphering all botted hosts universally
       ▫  The key is 256 bytes long, making it a non-trivial task for brute forcing
    Courtesy of abuse.ch ZeuS Tracker
  • 23. Gods of War: Blended Attacks
         ▫  Credentials Capturing
               ▪  HTTP
               ▪  HTTPS
               ▪  FTP
               ▪  POP3
               ▪  Botnets Protected Storage Area (PSTORE)
         ▫  Organize / Assemble / Group infected hosts into different botnets for:
               ▪  Ease of use
               ▪  Flexibility
               ▪  Meeting customer needs
         ▫  Integrated SOCKS-Proxy
         ▫  Web based form for searching captured credentials
         ▫  Ciphered configuration files
         ▫  Kill Operating System Functions (becoming more common in botnets the world over)
         ▫  Well QA’d
               ▪  Exhaustively tested before release
  • 24. CryptoVirology
     •  What is cryptovirology?
         ▫  A wonderful question with a myriad of plausible responses
         ▫  What cryptovirology is not is obvious, common, trivial or new
         ▫  Cryptovirology as a discipline has a lineage dating back to the mid to late 1990s, something that seems to be (along with other things in our industry as of late) often overlooked
  • 25. CryptoVirology
     •  The earliest observed instances where cryptoviral attacks were utilized have become known as ‘cryptoviral extortion’.
     •  AKA ‘cryptoviral ransom’ attacks
     •  An attack by any other name would smell as sweet…
         ▫  The intent and logical outcomes are the same: via a virus, worm, Trojan etc. a victim’s files (whether discriminately chosen or not so) are identified and encrypted, with the file owner being notified that should she wish to receive them back intact, she must first make payment to the author of the malicious code in question in order to receive the proper session key.
         ▫  If payment is not brought forward the author / attacker may make a variety of threats / claims as to what he / she will do with the files, up to and including destruction.
  • 26. CryptoVirology
     •  There are many examples of malicious code and content which use questionable encryption schemes; however, the distinction which must be made and taken note of is the purpose for which it is used today versus the past
     •  In the past, cryptography was used by malicious code and content authors solely to avoid detection by mitigation solutions such as Anti-Virus. In these scenarios the payload was not ciphered and thus not considered ‘ransomware’. Today, the world has changed and as such payloads are ciphered, and subsequently the game has changed.
     •  Historical Examples Include But Are Not Limited To the Following:
         ▫  ZeuS
         ▫  Blazebot
         ▫  Storm / Waledac
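Two points in the deck share one defender-side check: slide 22 notes that the ZeuS configuration file is always ciphered and never found in the clear, and slides 25 and 26 describe cryptoviral extortion, where a victim's readable files are replaced by ciphertext. The example below is added here and is not code from the deck, from Cassandra Security or from abuse.ch. It computes the Shannon entropy of a byte buffer as a cheap "this looks ciphered or packed" signal, then runs a before/after sweep over two constructed directory snapshots to flag the mass low-to-high-entropy change that an extortion payload leaves behind. The 7.2 bits/byte threshold, the 512-byte minimum sample and the 50% ratio are assumed triage values, not published figures, and every sample input is constructed inline.

```python
"""Entropy triage for ciphered artefacts and for a mass-encryption event.

Added example for this write-up; not code from the deck, from Cassandra
Security or from abuse.ch. Shannon entropy of a byte buffer is a cheap signal
that a file is ciphered, packed or compressed, and a before/after sweep over
a snapshot flags the pattern cryptoviral extortion leaves behind: many files
that were readable text suddenly look like ciphertext. Threshold and ratio
are assumed triage values; every sample input below is constructed.
"""
from __future__ import annotations

import math
import random
from collections import Counter

HIGH_ENTROPY = 7.2   # bits/byte; assumed threshold (uniform random bytes approach 8.0)
MIN_SAMPLE = 512     # assumed: below this many bytes the estimate is too noisy to trust


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_ciphered(data: bytes, threshold: float = HIGH_ENTROPY) -> bool:
    """True when a buffer is large enough to judge and its byte histogram is near-uniform."""
    return len(data) >= MIN_SAMPLE and shannon_entropy(data) >= threshold


def suspicious_mass_change(before: dict[str, bytes], after: dict[str, bytes],
                           min_ratio: float = 0.5) -> list[str]:
    """Paths whose content went from not-ciphered to ciphered-looking between two
    snapshots, returned only when that happened to at least min_ratio of the files
    present in both (one user zipping a file should not trip the alarm)."""
    common = [p for p in before if p in after]
    flipped = [p for p in common
               if not looks_ciphered(before[p]) and looks_ciphered(after[p])]
    if common and len(flipped) / len(common) >= min_ratio:
        return sorted(flipped)
    return []


# Constructed sample data (no real malware artefacts); seeded so runs are reproducible.
_rng = random.Random(2011)
PLAINTEXT_CONFIG = (b"url_config=http://cfg.example.invalid/config.bin\n"
                    b"url_loader=http://cfg.example.invalid/bot.exe\n"
                    b"timer_config=60\n") * 16          # a config as it would read in the clear
CIPHERED_BLOB = _rng.randbytes(4096)                     # stands in for a ciphered *.bin

BEFORE = {   # snapshot of a user's documents before the incident
    "docs/report.txt": b"Quarterly numbers, nothing unusual here.\n" * 40,
    "docs/notes.txt":  b"meeting notes: follow up with finance\n" * 40,
    "docs/photo.jpg":  _rng.randbytes(4096),              # compressed image: high entropy already
    "docs/readme.txt": b"readme " * 200,
}
AFTER = {    # same paths after the three text files were overwritten with ciphertext
    "docs/report.txt": _rng.randbytes(4096),
    "docs/notes.txt":  _rng.randbytes(4096),
    "docs/photo.jpg":  BEFORE["docs/photo.jpg"],
    "docs/readme.txt": _rng.randbytes(4096),
}

if __name__ == "__main__":
    for label, blob in (("plaintext config", PLAINTEXT_CONFIG), ("ciphered blob", CIPHERED_BLOB)):
        print(f"{label}: {shannon_entropy(blob):.2f} bits/byte, ciphered-looking={looks_ciphered(blob)}")
    print("mass-encryption suspects:", suspicious_mass_change(BEFORE, AFTER))
```

Entropy is a triage signal, not proof: archives, images and packed executables score just as high as a ciphered config, which is why the sweep keys on the change across snapshots and on how many files changed rather than on any single file. The sweep also matches files by path, so a payload that renames what it encrypts would need the paths normalised first.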
  • 27. CrimeWare as a Service (CaaS): Service with a Smile
     •  Globalization → The World Is Flat! (Friedman)
         ▫  Leveled the playing field for some
         ▫  Introduced the game and built the field for others
         ▫  Torn the game asunder, rendering it forever changed for still others
         ▫  Ensured that the free hand of the open market is allowed to move freely for all, including criminals
     •  As a result a myriad of service offerings and providers have emerged the world over, ready, willing, and able to meet your needs better than their competitors while offering you maximum ROI
         ▫  Hacking as a Service (HaaS)
         ▫  Fraud as a Service (FaaS)
         ▫  DDoSing as a Service
         ▫  Spamming as a Service
         ▫  Spear phishing as a Service
         ▫  Designer / Custom Malware Creation as a Service
  • 28. Key Points
         ▫  Known Current Solutions Not Good Enough
         ▫  Advanced Persistent Threats Will Become Pervasive
         ▫  Subversive Multi-Vector Threats Will Eclipse APTs
         ▫  Cryptovirology Is Alive and Well
         ▫  Inaction Equals Acceptance