5. # man [Advanced Threats]
• Advanced Persistent Threats
• Organized Cyber Crime
• Hacktivists
• ‘Cyber Terrorists’
• Etc…
• Able to develop and utilize sophisticated techniques in pursuit of their target objective, from reconnaissance to data exfiltration.
• Will leverage the full spectrum of attack vectors – social, technical, physical, etc.
• Highly organized, highly motivated, highly resourced.
• Willing to invest significant time and resources to compromise.
6. It’s when, not if…
• Mission Oriented
• Persistent and Driven
• Patient and Methodical
• Focus on exponential ROI
• Emphasis on high IP value targets
• They will get in…
Image: http://postfiles10.naver.net/20120823_137/ahranta1_1345681933371Je4vd_JPEG/Target.jpg
8. Ok, for real…
• *Simple… Correlate on odd network / host activity
• Use the data at hand to actively detect anomalies
• Understand how your organization will respond to a breach / outage / squirrel affecting any of the three InfoSec pillars
  • Confidentiality
  • Integrity
  • Availability
9. Advanced Threat Tactics and Evasion
• Threat actors of all types move slowly and quietly over time, limiting exposure and the potential for discovery.
• Trending on enterprise data over time helps to build baselines that can be used to actively identify anomalies.
11. # last && echo ‘How are they getting in??’
• Phishing
  • 91% of ‘advanced’ attacks began with a phishing email or similar social engineering tactics.
  • http://www.infosecurity-magazine.com/view/29562/91-of-apt-attacks-start-with-a-spearphishing-email/
• 2014 Metrics
  • Average cost per breach => $3.5 million
  • 15% higher than the previous year
  • http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis
24. Behavioral Analytics
• Beaconing Activity – Usually initiated over port 443 or an encrypted tunnel over port 80.
  • Can be detected with a Firewall or Web Proxy
  • Capability to decrypt SSL traffic is a huge plus
• Behavioral analytics can be utilized to differentiate normal browsing activity from possible evidence of an infected host.
  • Using a SIEM, track the unique websites usually visited, and the overall volume of normal web activity, on a per user and a per host basis.
  • Watch for significant changes over an extended period of time.
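The two detections on this slide, beacon spotting and a per-host browsing baseline, as an added example that is not part of the deck: it runs over a constructed proxy log (the log format, host names and the 300-second beacon are all assumptions) and flags destinations contacted at near-constant intervals, alongside the unique-site and byte-volume profile you would trend in a SIEM.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log sample (not from the deck): "ISO-time user host dest bytes".
# ws07 reaches "cdn-updates.example" every 300 s; the other rows are ordinary browsing.
SAMPLE_LOG = """\
2014-09-01T09:00:00 alice ws07 cdn-updates.example 512
2014-09-01T09:01:12 alice ws07 news.example 48211
2014-09-01T09:05:00 alice ws07 cdn-updates.example 509
2014-09-01T09:07:40 bob ws12 mail.example 9931
2014-09-01T09:10:00 alice ws07 cdn-updates.example 515
2014-09-01T09:11:05 alice ws07 wiki.example 22190
2014-09-01T09:15:00 alice ws07 cdn-updates.example 511
2014-09-01T09:16:30 bob ws12 news.example 30110
2014-09-01T09:20:00 alice ws07 cdn-updates.example 510
"""

def parse(log):
    rows = []
    for line in log.splitlines():
        ts, user, host, dest, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), user, host, dest, int(nbytes)))
    return rows

def find_beacons(rows, min_hits=4, max_jitter=0.1):
    """Return {(host, dest): mean_gap_seconds} for pairs contacted at near-constant
    intervals. Jitter is the coefficient of variation of the gaps between hits."""
    times = defaultdict(list)
    for ts, _user, host, dest, _b in rows:
        times[(host, dest)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_jitter:
            beacons[key] = round(mean)
    return beacons

def per_host_profile(rows):
    """Unique destinations and total bytes per host: the baseline to trend over time."""
    sites, volume = defaultdict(set), defaultdict(int)
    for _ts, _user, host, dest, nbytes in rows:
        sites[host].add(dest)
        volume[host] += nbytes
    return {h: (len(sites[h]), volume[h]) for h in sites}
```

Real beacons add jitter deliberately, so in production the `max_jitter` threshold and the minimum hit count are tuned against the baseline rather than fixed.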
25. Reconnaissance
• Ping sweeps, service discovery, etc. – NO
  • Why make unnecessary noise?
• Instead => access network shares, web apps, and services
• Passively gather information using available resources…
Image: http://macheads101.com/pages/pics/download_pics/mac/portscan.png
26. Lateral Movement
• Dump Local System Hashes
  • Maybe crack them, maybe it’s not even necessary…
  • Pass the Hash (PtH)
• Dump plain text passwords
  • Mimikatz -- FTW!
• Act as an internal employee -- use legitimate means to access resources.
27. Uncovering Internal Reconnaissance and Pivoting
• Security Operations Goal => Reduce MTTD and MTTR
  • MTTD – Mean Time to Detect
  • MTTR – Mean Time to Respond
• Set Traps => Honeypot / Honey Token access
• Overt Clues => Modification of user / file / group permissions and pivoting evidence
• Subtle Clues => VPN access from disparate geographical locations
• Missed Opportunities => Once inside, they are now an ‘employee’…
28. Lateral Movement Log Traces
• Microsoft’s granular Event Identification schema (EVID), in conjunction with environment information, provides analysts with plenty of information to track attackers once they have breached the perimeter.
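One way to turn those event traces into the pivoting alert slide 27 asks for, as an added example rather than anything from the deck: it walks constructed Windows security-log records and flags an account that opens network logons to several distinct computers from one source address inside a short window. Event ID 4624 (successful logon) and logon type 3 (network) are standard Windows values; the flattened field names, hosts and addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed security-log records (not from the deck), reduced to the fields that
# matter here. id 4624 = successful logon; logon_type 3 = network logon.
SAMPLE_EVENTS = [
    {"time": "2014-09-01T10:00:05", "id": 4624, "computer": "FS01", "user": "svc_backup",
     "logon_type": 3, "auth": "NTLM", "src_ip": "10.1.5.23"},
    {"time": "2014-09-01T10:00:41", "id": 4624, "computer": "HR-WS04", "user": "svc_backup",
     "logon_type": 3, "auth": "NTLM", "src_ip": "10.1.5.23"},
    {"time": "2014-09-01T10:01:10", "id": 4624, "computer": "SQL02", "user": "svc_backup",
     "logon_type": 3, "auth": "NTLM", "src_ip": "10.1.5.23"},
    {"time": "2014-09-01T10:02:30", "id": 4624, "computer": "DC01", "user": "svc_backup",
     "logon_type": 3, "auth": "NTLM", "src_ip": "10.1.5.23"},
    {"time": "2014-09-01T10:03:00", "id": 4624, "computer": "FS01", "user": "carol",
     "logon_type": 3, "auth": "Kerberos", "src_ip": "10.1.7.88"},
    {"time": "2014-09-01T11:30:00", "id": 4624, "computer": "FS01", "user": "dave",
     "logon_type": 3, "auth": "Kerberos", "src_ip": "10.1.7.91"},
]

def fan_out_alerts(events, window=timedelta(minutes=10), min_hosts=3):
    """Flag (src_ip, user) pairs that open network logons to >= min_hosts distinct
    computers inside `window`: the fan-out a pivoting or pass-the-hash session leaves.
    ntlm_only marks windows where every logon used NTLM, worth a closer look."""
    by_actor = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == 3:
            by_actor[(e["src_ip"], e["user"])].append(
                (datetime.fromisoformat(e["time"]), e["computer"], e["auth"]))
    alerts = []
    for (src, user), hits in by_actor.items():
        hits.sort()
        for i, (t0, _, _) in enumerate(hits):
            in_win = [h for h in hits[i:] if h[0] - t0 <= window]
            hosts = {h[1] for h in in_win}
            if len(hosts) >= min_hosts:
                alerts.append({"src_ip": src, "user": user, "hosts": sorted(hosts),
                               "ntlm_only": all(h[2] == "NTLM" for h in in_win)})
                break  # one alert per actor is enough
    return alerts
```

Service accounts that legitimately touch many hosts will trip this, so the baseline of who normally logs on where (the environment information the slide mentions) is what keeps the alert useful.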
29. Passive Data Extraction
• Well Poisoning via UNC Paths
• SMB Replay
• Help Desk Tickets
• Responder – By Spider Labs
• Keylogging
30. Passive Traffic Analysis
• Analyze / capture anything that comes across the wire.
• ARP poison hosts of interest, take over switches/routers, etc.
Image: https://i.chzbgr.com/maxW500/5579525376/h7D009AE4/
32. # wget http://target/files.tgz && echo “Data Exfiltration”
• Target data identified, gathered, and moved out of the environment.
• Data is normally leaked in a ‘hidden’ or modified format; rarely is the actual document extracted.
  • Emails and Employee PII
  • Intellectual Property
  • Trade Secrets
Image: http://www.csee.umbc.edu/wp-content/uploads/2013/04/ex.jpg
34. Catching Data Exfiltration
• Granular restrictions on sensitive files and directories to specific groups or individuals; alert on any abnormal file access / read / write / etc.
• DNS exfiltration or sometimes even ICMP Tunneling in high security environments
• Non-SSL over ports 443 / 8443, encrypted TCP over ports 80 / 8080
• Abnormal web server activity, newly created files, etc.
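A detector for the DNS exfiltration bullet above, added here as an example and not taken from the deck: data tunnelled through DNS shows up as many distinct, long, high-entropy subdomain labels under one registrable domain from a single host, which is what this code scores in a constructed resolver log (the log format, domain names and thresholds are assumptions).

```python
import math
from collections import defaultdict

# Constructed resolver log sample (not from the deck): "src_ip qname".
# 10.1.5.23 sends encoded chunks as labels under evil-cdn.example; the rest is normal.
SAMPLE_DNS = """\
10.1.5.23 www.example.com
10.1.5.23 mail.example.com
10.1.5.23 q7x2mvk9pz4lr8wt3yhn.t1.evil-cdn.example
10.1.5.23 a3bf9kd0ue7rx5cm2wqj.t1.evil-cdn.example
10.1.5.23 z8n1ys6hg4tp0vlkq2bd.t1.evil-cdn.example
10.1.5.23 m5w9rce3xa7kqb1ltd0s.t1.evil-cdn.example
10.1.5.23 k2jh8pf4vn6yzw3qa9xe.t1.evil-cdn.example
10.1.7.88 www.example.com
10.1.7.88 images.static.example.net
"""

def entropy(s):
    """Shannon entropy of a string in bits per character."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_dns(log):
    return [line.split() for line in log.splitlines()]

def dns_exfil_suspects(records, min_unique=5, min_label_len=16, min_entropy=3.0):
    """Group queries by (src, registrable domain) and return the pairs whose leftmost
    labels are numerous, long and high-entropy, i.e. look like encoded payload."""
    seen = defaultdict(set)
    for src, qname in records:
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:          # bare second-level names carry no subdomain data
            continue
        base = ".".join(labels[-2:])  # naive registrable domain; use a suffix list in production
        seen[(src, base)].add(labels[0])
    suspects = []
    for (src, base), subs in seen.items():
        payload_like = [s for s in subs
                        if len(s) >= min_label_len and entropy(s) >= min_entropy]
        if len(payload_like) >= min_unique:
            suspects.append((src, base, len(payload_like)))
    return suspects
```

Query volume per host over the same window is the second signal worth trending, since CDNs and some security products also generate long, random-looking labels.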
37. Closing Thoughts…
• Don’t be hard on the outside, soft and chewy on the inside…
• Implement Layer 3 (network) Segmentation and Least User Privilege
• Understand your environment and log data so that you can accurately correlate physical and cyber events
• Implement URL filtering, stateful packet inspection, and binary analysis
• Actively alert on and respond at the earliest signs of lateral movement and reconnaissance observed within your environment
• The earlier you can detect attackers the better…