The document provides an agenda for a talk on advanced persistent threats (APTs). It introduces APTs and discusses how they have evolved over time from targeting military and intelligence to also targeting private companies. It notes APTs can be opportunistic attacks that utilize social engineering and technical vulnerabilities. The document contrasts APTs with more sophisticated threats known as subversive multi-vector threats that are willing to exploit people, processes, and technologies to achieve their goals. It provides examples of analyzing suspicious foreign network traffic and discusses challenges with identifying and addressing multi-vector threats.
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept Secret) - Will Gragido and John Pirc
1. BSidesSanFrancisco
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept Secret)
Will Gragido | CISSP, CISA, IAM, IEM
John Pirc | CEH, IAM, SANS Thought Leader
Cassandra Security
Analysis of the Security Industry and that it influences
2. Agenda
• Introductions
• Advanced Persistent Threats – An Introduction
• Dynamic Shifts In the Threat Landscape
• Foreign Country Activity – Session Analysis Validation
• Subversive Multi-Vector Threats
• Gods of War: Blended Attacks
• Cryptovirology
• CrimeWare as a Service (CaaS)
• Question and Answer
3. Advanced Persistent Threats: An Introduction
• Well Documented and Quite Old
▫ Earliest known instances date to the early 1990s
▫ Department of Defense parlance: "Events of Interest"
▫ State Sponsored
▫ Industrial Espionage
▫ Colloquially referred to as 'events of interest'; the assumption that they are documented in the same public fashion as threats such as 'MyDoom', 'CodeRed' or 'SQL Slammer' were is simply not the case
• "Advanced Persistent Threats"
▫ Named by the United States Air Force
▫ What's old is new again: origination points
State sponsored infowar labs
Intelligence agencies
The underground
4. Advanced Persistent Threats: An Introduction
• Easy Definition for a Non-Trivial Challenge:
▫ An opportunistic form of cyber attack, developed and designed to meet the needs of its architects in compromising a specific system or group of systems in order to acquire and exfiltrate data to those behind the original attack
• Sophistication Level:
▫ Only as sophisticated as they need to be
▫ Sophistication is determined and dictated by the aggressors after intelligence gathering has occurred
• Historical Targets of Opportunity & Interest:
▫ Military
▫ Intelligence
▫ Defense Industrial Base
▫ High Tech (Intellectual Property: Lucent Technologies, Motorola etc.)
5. Advanced Persistent Threats: timeline, 1997 to 2010
The Classics (1997 to 2004): Eligible Receiver, Solar Sunrise, Moonlight Maze, Titan Rain
The Subversives / SMTs (2007 to 2010): Byzantine Foothold, Operation Shockwave, US Power Grid, Exxon, Aurora
6. Dynamic Shifts in the Threat Landscape
• Your Father's Internet
▫ Perimeters used to be well defined, and so was the protection
Static & informational
Firewall and AV saved the day
Web defacements and breaking into a network through open ports or OS vulnerabilities were par for the course
• Today's Internet (better have a virtual hazmat suit)
▫ Floating perimeters
▫ Dynamic, interactive & mobile
▫ App driven
▫ Web browsers and plugins
7. U.S. military OKs use of online social
Seriously…Seriously?
Washington (CNN) -- U.S. military personnel are officially allowed to tweet. That's the upshot of the Pentagon's long-awaited policy on rank and file personnel using online social media, unveiled Friday. The new rules authorize access to Facebook, Twitter, YouTube, and other social media Web sites from nonclassified government computers -- as long as such activity doesn't compromise operational security or involve prohibited activities or Web sites.
• Security Risk & Social Media Trade-off
8. Hacking not Required
Imagine the Possibilities
9. Routes to the Cyber Market
Expertise + Motivation + Attack Vector = Result
The slide arranges the following as a matrix running from Non-Intentional Act to Intentional Act:
Expertise:
▫ None (Normal End-User)
▫ Novice (Script Kiddie)
▫ Intermediate (Hacker for Hire)
▫ Expert (Foreign Intel Service, Terrorist Organization and/or Organized Crime)
Motivation:
▫ Unwitting
▫ Notoriety, Fame, Fun
▫ Money, Theft
▫ Moral Agenda
▫ Espionage, Intellectual Property
Attack Vector:
▫ Email and/or Attachments
▫ IM, IRC, P2P
▫ Web Browsers, Apps
▫ Open Ports
▫ Vulnerable Operating System
Result:
▫ Compromise of an Asset/Policy and/or Destruction (Corporate/Government)
10. Foreign Country Activity – Drive-By
Why Session Based Analysis is Needed!
Compliments of Netwitness ;-)
1. Examine traffic to foreign countries
2. Follow the clues
11. Suspicious outbound traffic to various countries…
Destination: China
12. Instant Correlation
Breadcrumb: mostly unknown service; executables exist
13. Anti-Virus triggered on content rendering
Breadcrumb: JavaScript
www.333292.com?? Must be bad…
Get: 1.exe, 2.exe, …
14. Malicious Content in the same session
Bogus 404 error
Obfuscated JavaScript
Executables downloaded
15. Foreign Country Traffic Summary
• Scrutinize outbound traffic to China
• Unknown services with .exe transfers
• Content review triggered Anti-Virus - "Infostealer"
• Content review shows malicious obfuscated JavaScript and .exe downloads
• Classic drive-by exploit
• Rule Example:
▫ Dst.country = "China" extension = "exe"
• FlexParse Example:
▫ Obfuscated JavaScript patterns
▫ Executable file signatures – for those that don't have the correct extension
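The two checks the summary asks for, a metadata rule (country plus extension) and content parsers that do not trust the extension, are shown below as an added example. This is not NetWitness code and not part of the original deck: the session records, field names, the PE-signature check and the obfuscated-JavaScript heuristics are all assumptions constructed for the illustration, mirroring the capture walked through on the preceding slides (an executable drop, a bogus 404 carrying script, and a payload served with a misleading extension).

```python
"""Session-based review of outbound HTTP, modelled on the drive-by walk-through above.

Added illustration, not part of the original deck and not NetWitness code. The
sessions below are constructed; the checks mirror the deck's rule and FlexParse
examples: a country + extension rule, a PE signature check that ignores the
extension, obfuscated JavaScript patterns, and a bogus 404 carrying a payload.
"""
import re


def is_pe_executable(body: bytes) -> bool:
    """True if the body carries a Windows PE image: 'MZ' DOS stub plus a PE
    signature at the offset stored at 0x3C. The advertised file extension is
    ignored on purpose; that is the whole point of a content parser."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    pe_offset = int.from_bytes(body[0x3C:0x40], "little")
    return body[pe_offset:pe_offset + 4] == b"PE\0\0"


# Patterns commonly seen in obfuscated drive-by JavaScript (assumed heuristics,
# not an exhaustive set and not any vendor's signatures).
OBFUSCATED_JS = [
    re.compile(r"eval\s*\(\s*(unescape|String\.fromCharCode|function)", re.I),
    re.compile(r"(%u[0-9a-f]{4}){8,}", re.I),      # long %uXXXX shellcode runs
    re.compile(r"(\\x[0-9a-f]{2}){16,}", re.I),    # long \xNN escape runs
    re.compile(r"document\.write\s*\(\s*unescape", re.I),
]


def looks_obfuscated_js(body: bytes) -> bool:
    text = body.decode("latin-1")
    return any(p.search(text) for p in OBFUSCATED_JS)


def review_session(session: dict) -> list:
    """Findings for one reassembled HTTP session (the dict fields are assumed)."""
    findings = []
    body = session["body"]
    if session["dst_country"] == "China" and session["extension"] == "exe":
        findings.append("rule: dst.country=China extension=exe")
    if is_pe_executable(body):
        findings.append("parser: PE executable (independent of extension)")
    if looks_obfuscated_js(body):
        findings.append("parser: obfuscated JavaScript")
    if session["status"] == 404 and (is_pe_executable(body) or looks_obfuscated_js(body)):
        findings.append("bogus 404: malicious content behind an error page")
    return findings


def review_all(sessions) -> dict:
    """Map session id -> findings, so a pivot on one breadcrumb shows the whole session."""
    return {s["id"]: review_session(s) for s in sessions}


def fake_pe() -> bytes:
    """Constructed 0x40-byte DOS header pointing at a PE signature; not real code."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(header) + b"PE\0\0" + b"\0" * 16


# Constructed sessions standing in for the deck's capture: two drops from the
# same host, one hidden behind a 404 and one served with a misleading extension.
SAMPLE_SESSIONS = [
    {"id": 1, "dst_country": "China", "host": "www.333292.com", "path": "/1.exe",
     "extension": "exe", "status": 200, "body": fake_pe()},
    {"id": 2, "dst_country": "China", "host": "www.333292.com", "path": "/",
     "extension": "", "status": 404,
     "body": b"<html><h1>404 Not Found</h1><script>eval(unescape('"
             b"%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090'));</script>"},
    {"id": 3, "dst_country": "China", "host": "www.333292.com", "path": "/2.jpg",
     "extension": "jpg", "status": 200, "body": fake_pe()},
    {"id": 4, "dst_country": "United States", "host": "example.com", "path": "/logo.png",
     "extension": "png", "status": 200, "body": b"\x89PNG\r\n\x1a\n"},
]

if __name__ == "__main__":
    for sid, hits in review_all(SAMPLE_SESSIONS).items():
        print(sid, hits or "clean")
```

Session 3 is the case the metadata rule alone misses: the country matches but the extension says `jpg`, and only the signature check catches the PE image. Session 2 shows why the whole session matters: the 404 looks like noise until the body is rendered.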
17. Subversive Multi-Vector Threats
• Definition:
▫ Highly sophisticated, well crafted and well executed attacks designed to use and exploit as many threat vectors as necessary to accomplish the mission's milestones. What makes them different from other threats is the willingness to utilize people, process and technology weaknesses in order to meet their ends
▫ These threats are designed to, in a dynamic fashion, place a greater or lesser amount of effort and emphasis in one area versus another over time, as dictated by the mission's goals and the leadership behind them
• Subversive Multi-Vector Threats (SMTs) are complex unions of human intelligence, information security, communications intelligence / signals intelligence (COMINT / SIGINT) and open source intelligence (OSINT), and differ greatly in this sense from other threat classes such as the Advanced Persistent Threat (APT). (Gragido, 12 December 2009, http://cassandrasecurity.com/?p=960)
18. Subversive Multi-Vector Threats (SMT) and Advanced Persistent Threats (APT)
• Differ dramatically from other well-known threat types in a number of ways, some more obvious than others
• The greatest differences noted between the two types of threat
▫ Lie in the targets of interest
▫ Approaches employed in selecting and exploiting the target
▫ Whether they be targets of opportunity or selected targets, exploitation mechanisms will vary in the world of the Subversive Multi-Vector Threat, whereas in the world of the Advanced Persistent Threat (APT) the avenues for exploitation may change though their overall relevance is entrenched in the realm of the technical
▫ As such, APTs, contrary to popular belief, are focused and rely upon technological vulnerabilities present within a system or enterprise in order to meet their goals
▫ Not so with the Subversive Multi-Vector Threat: these threats are not bound to technology alone as an avenue of exploitation but rather often assess both people and process weaknesses equally in order to identify the path of least resistance while capitalizing upon the weaknesses of others
19. Identifying and Addressing Subversive Multi-Vector Threats (SMT)
• Uncompromising Diligence Is Required
• Subversive Multi-Vector Threats (SMTs)
▫ Employment of intellectual honesty
Reality dictates we will be targeted: "when", not "if"
▫ Requires risk management
▫ Repeatable processes and procedures are non-negotiable; they are imperative
▫ Metrics employed
What gets measured gets results
Aids in establishing the known from the unknown while demonstrating progression or regression
Our assertion is that in doing so an organization can quickly identify areas where vulnerabilities and deficiencies exist which leave it exposed to potential exploitation of people, process and technology
• Progressive approaches required
▫ Creativity
▫ Collaboration
▫ Iron sharpens iron
• Innovative technological solutions coupled with innovative, comprehensive approaches to practical, risk based information security management are imperative
▫ Are there technologies which can aid us in achieving these goals? Yes
▫ Are they already in our environments? Perhaps, but odds are they are not; they will be, or should be considered, in the near future
20. Gods of War: Blended Attacks
21. Gods of War: Blended Attacks
• ZeuS (also known as Zbot / WSNPoem)
• Crimeware kit which is best known for its tenacity, intelligent design and ability to steal credentials (in a voluminous manner) from a truly impressive, disparate base of sources including but not limited to the following:
▫ Social Networks (Facebook, Twitter, MySpace, LinkedIn, Foursquare, Yelp etc.)
▫ Online financial accounts (Banking, Brokerage, Retirement etc.)
▫ FTP accounts (yes, people still use unsecured FTP accounts…)
▫ E-Mail accounts (Phishing / Spear Phishing)
▫ Cloud Computing Based Environments (Amazon EC2)
22. Gods of War: Blended Attacks
• ZeuS' DNA
▫ Crimeware Kit which contains the following modules
A web interface for administering and managing the botnet (ZeuS Admin Panel)
A customized tool used in the creation of the Trojan binaries and in encrypting the configuration file (commonly referred to as an executable generator)
▫ ZeuS Hosts typically consist of three components
A configuration file (the most commonly associated file name extension is *.bin)
A binary file which contains the newest version of the ZeuS Trojan code (updated periodically by the Bot Master to ensure the highest degree of functionality and feature use / availability)
A dropzone (most commonly seen as a php file used for storage)
▫ The older versions of ZeuS used a hard-coded cipher which could be reverse engineered; however, the current versions use a more sophisticated level of cryptovirology (using unique keys for encrypting the config file, the key is then stored in the executable – which is also 'packed'); this eliminates the potential for deciphering all botted hosts universally
▫ The key is 256 bytes long, making brute forcing a non-trivial task
• ZeuS Botnet Features:
▫ Framework design
Unintelligent program which hooks itself into the Operating System (need to verify if it is hooking at ring 3 or 0) and hides itself
All logic for the botnet itself is contained within the configuration file
The configuration file for ZeuS / Zbot acts like a definitions database for AV products; without this the bot is fairly benign
Often times lists of targets (financial institutions for example) are contained within it, in addition to other data such as URLs for other components the bot relies upon for command and control purposes and the lists of information gathered from targets to populate fields which the bot completes in order to steal details / credentials and other information
The configuration file is always ciphered; it's never found in the clear
Courtesy of abuse.ch ZeuS Tracker
23. Gods of War: Blended Attacks
• Credentials Capturing: HTTP, HTTPS, FTP, POP3
• Botnets: organize / assemble / group infected hosts into different botnets for ease of use, flexibility and meeting customer needs
• Integrated SOCKS proxy
• Web based form for searching captured credentials
• Ciphered configuration files
• Protected Storage Area (PSTORE)
• Kill Operating System functions (becoming more common in botnets the world over)
• Well QA'd: exhaustively tested before release
24. CryptoVirology
• What is cryptovirology?
▫ A wonderful question with a myriad of plausible responses
▫ What cryptovirology is not is obvious, common, trivial or new
▫ Cryptovirology as a discipline has a lineage dating back to the mid to late 1990s, something that seems (along with other things in our industry as of late) to be often overlooked
25. CryptoVirology
• The earliest observed instances where cryptoviral attacks were utilized have become known as 'cryptoviral extortion', AKA 'cryptoviral ransom' attacks
• An attack by any other name would smell as sweet…
▫ The intent and logical outcomes are the same: via a virus, worm, Trojan etc. a victim's files (whether discriminately chosen or not) are identified and encrypted, with the file owner being notified that should she wish to receive them back intact, she must first make payment to the author of the malicious code in question in order to receive the proper session key.
▫ If payment is not brought forward the author / attacker may make a variety of threats / claims as to what he / she will do with the files, up to and including destruction.
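The "session key" in the slide above is what makes the extortion work: the malware encrypts the files under a fresh symmetric key, then seals that key under a public key whose private half only the attacker holds, so nothing left on the victim's disk can reopen the files. The following is an added example of that exchange, both sides included; it is not code from the deck and not any real malware family. The RSA key pair is generated on a deliberately small modulus and the file cipher is a SHA-256 keystream XOR so that it runs on the standard library alone; both are toy stand-ins for RSA-OAEP and AES, and the victim files are constructed.

```python
"""Cryptoviral extortion, both sides of the exchange (added illustration).

Not code from the deck or from any real malware family. The asymmetric step is
textbook RSA on a deliberately small modulus and the file cipher is a SHA-256
keystream XOR, chosen so this runs with the standard library alone; they are
toy stand-ins for RSA-OAEP and AES. The point is the key flow the slide
describes: only the attacker's private key yields the session key.
"""
import hashlib
import os
import random


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test (probabilistic)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 160):
    """Attacker's key pair. Only the public half ever ships inside the malware."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is a gcd(e, phi) == 1 check
            return (p * q, e), (p * q, pow(e, -1, phi))


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256(key || offset) keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def malware_on_victim(pubkey, files: dict):
    """Victim side: fresh session key, files encrypted, key sealed to the attacker.
    The plaintext key is discarded; what remains on disk cannot open the files."""
    n, e = pubkey
    session_key = os.urandom(16)              # < 2**128 < n, so textbook RSA fits
    encrypted = {name: stream_xor(session_key, data) for name, data in files.items()}
    sealed_key = pow(int.from_bytes(session_key, "big"), e, n)
    return encrypted, sealed_key              # the ransom note carries sealed_key


def attacker_releases_key(privkey, sealed_key: int) -> bytes:
    """Attacker side, after payment: unseal with the private key, return the session key."""
    n, d = privkey
    return pow(sealed_key, d, n).to_bytes(16, "big")


def run_protocol(files: dict) -> dict:
    pub, priv = rsa_keygen()
    encrypted, sealed_key = malware_on_victim(pub, files)
    session_key = attacker_releases_key(priv, sealed_key)
    recovered = {name: stream_xor(session_key, data) for name, data in encrypted.items()}
    return {"encrypted": encrypted, "sealed_key": sealed_key, "recovered": recovered}


# Constructed victim files.
SAMPLE_FILES = {
    "q3-forecast.xlsx": b"revenue,cost,margin\n12.4,9.1,3.3\n",
    "credentials.txt": b"svc-backup:hunter2\n",
}

if __name__ == "__main__":
    result = run_protocol(SAMPLE_FILES)
    print("recovered intact:", result["recovered"] == SAMPLE_FILES)
```

The analyst's position is the interesting one: pulling the public key and the sealed key out of a sample gives nothing usable, because recovering the session key means inverting the attacker's RSA. The 160-bit modulus here is factorable in practice and exists only to keep the script self-contained; a real campaign would use a key size that is not.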
26. CryptoVirology
• There are many examples of malicious code and content which use questionable encryption schemes; however, the distinction which must be made and taken note of is the purpose for which it is used today versus in the past
• In the past, cryptography was used by malicious code and content authors solely to avoid detection by mitigation solutions such as Anti-Virus. In these scenarios the payload was not ciphered and thus not considered 'ransomware'. Today the world has changed; payloads are ciphered and subsequently the game has changed.
• Historical Examples Include But Are Not Limited To the Following:
▫ ZeuS
▫ Blazebot
▫ Storm / Waledac
27. CrimeWare as a Service (CaaS): Service with a Smile
• Globalization: The World Is Flat! (Friedman)
▫ Leveled the playing field for some
▫ Introduced the game and built the field for others
▫ Torn the game asunder, rendering it forever changed for still others
▫ Ensured that the free hand of the open market is allowed to move freely for all, including criminals
• As a result a myriad of service offerings and providers have emerged the world over, ready, willing and able to meet your needs better than their competitors while offering you maximum ROI
▫ Hacking as a Service (HaaS)
▫ Fraud as a Service (FaaS)
▫ DDoSing as a Service
▫ Spamming as a Service
▫ Spear phishing as a Service
▫ Designer / Custom Malware Creation as a Service
28. Key Points
▫ Known Current Solutions Not Good Enough
▫ Advanced Persistent Threats Will Become Pervasive
▫ Subversive Multi-Vector Threats Will Eclipse APTs
▫ Cryptovirology Is Alive and Well
▫ Inaction Equals Acceptance