44CON @ IPexpo - You're fighting an APT with what exactly?
Transcript of 44CON @ IPexpo - You're fighting an APT with what exactly?
![Page 1: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/1.jpg)
You're fighting an APT with what exactly?
Steve Armstrong, Technical Director, Logically Secure
![Page 2: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/2.jpg)
Who is this guy?
• Ex RAF Information Security specialist (17 years)
• I was in Cyber before they actually called it Cyber
• Technical Director at Logically Secure (8+ years)
• Doing Forensics & IR for over 8 years
• We support data centres, engineering companies, online (FPS) gaming studios, recording labels and HMG
• SANS Instructor (DFIR/Pentesting)
• One of the brains behind CyberCPR
![Page 3: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/3.jpg)
What I should cover (E&OE)
• What are you looking for?
• Common network configurations
• Why these common configurations don’t work
• What/who are you using to look for evil stuff?
• How do your attackers work? Where is the overlap?
• How do you react?
• How do you coordinate and plan your reaction
![Page 4: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/4.jpg)
Key questions
• Who
• Where
• What
• Why
• When
• How
![Page 5: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/5.jpg)
Let's do 'how often' first…
Source: UK BIS and PWC 2014 Information Security Breaches Survey (http://www.pwc.co.uk/assets/pdf/cyber-security-2014-technical-report.pdf)
![Page 6: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/6.jpg)
![Page 7: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/7.jpg)
![Page 8: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/8.jpg)
Now the 'who'
• The "shits and giggles" crews or pissed off users
• e.g. 4chan/Lulzsec
• Hacktivism
• Anonymous, Pakistani or Indian hacker groups
• Cybercrime
• Roman Valerevich Seleznev (Track2) - stole est. $2M
• Hector Xavier Monsegur (Sabu) - started hacking to get cash to pay his rent
• Cyber-espionage
• For Government level Secrets
• For industrial or technological advantage
![Page 9: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/9.jpg)
What toys do 'they' have?
![Page 10: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/10.jpg)
Automation of the Attacks
Gong Da
Zhi Zhu
Nuclear
Incognito
Phoenix
Blackhole Exploit Kit
Sakura Exploit Pack
Eleonore
Yang Pack
Techno
XPack
Siberia
Siberia Private
Zero
Merry Christmas
LinuQ
Sava / PayOC
Best Pack
Bomba
Papka
Open Source / MetaPack
mushroom
Robopak
Katrin
Bleeding Life
CRIMEPACK
T-iframer
Tornado
SEO Sploit Pack
Zombie Infection kit
Lupit
Salo
Unique Pack Sploit 2.1
Yes Exploit
iPack
El Fiesta
Icepack
Mpack
Webattack
![Page 11: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/11.jpg)
Matrix of capabilities
![Page 12: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/12.jpg)
Table from: http://contagiodump.blogspot.co.uk/
Wanted image from: http://www.kahusecurity.com/
With many thanks!
![Page 13: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/13.jpg)
![Page 14: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/14.jpg)
What do APTs have to play with?
![Page 15: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/15.jpg)
Now the 'where'
![Page 16: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/16.jpg)
Let's talk about your network
This one is for managers…
![Page 17: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/17.jpg)
Did you ever ask for a secure LAN?
• Included security in the list of system requirements
• Priced the line items and checked they were appropriate
• Required evidence of delivery
• Tested robustness and correctness post-installation
![Page 18: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/18.jpg)
Did you ever ask for a secure LAN?
If you haven't asked for it, why would you expect your provider to take risks, decrease his margin and deviate from the specification?
Thus, if you didn't ask for it, you won't get it.
![Page 19: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/19.jpg)
So what did you ask for?
A barrier (firewall) and a DMZ?
![Page 20: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/20.jpg)
• Building Internet Firewalls (page 105): http://www.amazon.co.uk/Building-Internet-Firewalls-Elizabeth-Zwicky/dp/1565928717
![Page 21: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/21.jpg)
What else did we have in 2000?
![Page 22: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/22.jpg)
It's often just poor configuration
![Page 23: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/23.jpg)
So you're fighting an APT with…….
• Architecture concepts conceived when your Domain Controller had less memory and CPU power than your phone has now
Vs
![Page 24: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/24.jpg)
Then came……….
![Page 25: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/25.jpg)
The UTM* <cue dramatic music>
*Unified Threat Manager/Management
![Page 26: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/26.jpg)
The UTM is sold as a simple solution
• However, to quote Wikipedia:
![Page 27: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/27.jpg)
So you're fighting an APT with…
• A single simple solution aimed at…
• Compliance
• No great #winning story ever started:
"We were doing some compliance activities and ….".
![Page 28: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/28.jpg)
Let's come back to the future…
![Page 29: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/29.jpg)
People now have….
• Web monitoring
• NetFlow
• Attachment analysis (sandbox)
• Full packet captures
• Internet end-point reputational checking
![Page 30: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/30.jpg)
But where is it placed?
The answer is usually on the boundary
![Page 31: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/31.jpg)
Why this is bad
• Previously each install of malware phoned home
• Malware and APTs are changing
• Attackers are becoming more stealthy
• Still using standard deployment techniques
• Moving C&C servers
• More 'covert' channels
![Page 32: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/32.jpg)
Previously
UTM
Malware C&C in clear http traffic; traffic signature; domain known bad
![Page 33: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/33.jpg)
Previously
UTM
Malware C&C in clear http traffic; traffic signature; domain known bad
Boss, we got a problem!
![Page 34: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/34.jpg)
But things have moved on past 2000
![Page 35: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/35.jpg)
Now…
UTM
DNS
Public DNS
???
![Page 36: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/36.jpg)
Now…
UTM
DNS
Public DNS
!!!
![Page 37: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/37.jpg)
Now…
UTM
UDP port 53
![Page 38: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/38.jpg)
In recent months we have seen
• The likes of PlugX/Kaba using:
• Internal peer-to-peer comms using UDP port 53
• DNS ports for in-clear UDP C&C updates
• UDP on the https (443) port
• Domains switching from safe to unsafe for minutes
• Heavy use of *update* and honest sounding domains
• zipupdate.com, win7update.com, ibmupdate.com
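An added example, not from the talk or from Logically Secure, of checking the behaviours listed above against internal NetFlow-style records and DNS query logs rather than at the boundary: workstation-to-workstation udp/53, udp/53 that bypasses the resolvers, udp on 443, and "update"-flavoured names that are not a known vendor. The 10.0.0.0/8 range, the resolver addresses, the vendor allow-list and every sample record are assumptions constructed for this example.

```python
import ipaddress
import re

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate LAN
RESOLVERS = {"10.0.0.53", "10.0.0.54"}           # assumed sanctioned DNS servers
# Assumed vendor allow-list; other names built around "update" get flagged.
KNOWN_UPDATE_DOMAINS = {"update.microsoft.com", "windowsupdate.com"}
UPDATE_RE = re.compile(r"(^|\.)[a-z0-9-]*update[a-z0-9-]*\.[a-z]+$")

def classify_flow(src, dst, proto, dport):
    """Reasons a flow matches the internal udp/53 and udp/443 patterns."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    reasons = []
    if proto == "udp" and dport == 53:
        if s in INTERNAL and d in INTERNAL and dst not in RESOLVERS:
            reasons.append("internal peer-to-peer traffic on udp/53")
        elif s in INTERNAL and d not in INTERNAL and src not in RESOLVERS:
            reasons.append("client sending udp/53 to the internet, bypassing resolvers")
    if proto == "udp" and dport == 443:
        reasons.append("udp to 443: https port number without tcp")
    return reasons

def suspicious_update_domain(name):
    """True when the registrable label contains 'update' and is not a known vendor."""
    name = name.lower().rstrip(".")
    if any(name == k or name.endswith("." + k) for k in KNOWN_UPDATE_DOMAINS):
        return False
    return UPDATE_RE.search(name) is not None

# Constructed sample telemetry: flows as (src, dst, proto, dport) and DNS names.
SAMPLE_FLOWS = [
    ("10.1.2.3", "10.0.0.53", "udp", 53),     # normal lookup via the resolver
    ("10.1.2.3", "10.1.7.9", "udp", 53),      # workstation to workstation on 53
    ("10.1.2.3", "203.0.113.7", "udp", 53),   # straight to the internet on 53
    ("10.1.2.3", "203.0.113.7", "udp", 443),  # udp on the https port
    ("10.1.2.3", "203.0.113.7", "tcp", 443),  # ordinary https, not flagged
]
SAMPLE_QUERIES = ["zipupdate.com", "win7update.com", "update.microsoft.com", "www.example.com"]

def run_report(flows=SAMPLE_FLOWS, queries=SAMPLE_QUERIES):
    """Return flagged flows with their reasons and the update-lookalike names."""
    hits = {f: classify_flow(*f) for f in flows if classify_flow(*f)}
    return hits, [q for q in queries if suspicious_update_domain(q)]

if __name__ == "__main__":
    hits, names = run_report()
    print(hits, names)
```

Resolver-to-internet udp/53 is deliberately not flagged, since forwarders legitimately do that; the point is that a client doing it, or two clients talking on 53, never crosses the boundary device.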
![Page 39: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/39.jpg)
Let's look at your team
![Page 40: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/40.jpg)
Tools != Capability
Always remember this when the salesman is encouraging you to sign the contract
![Page 41: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/41.jpg)
Good tools are a bonus only if you have skills to really use them
Beautiful walnut handled chisel set
![Page 42: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/42.jpg)
Perceived skills vs Actual capability
http://www.youtube.com/watch?v=K4elZ_T9Ulo
![Page 43: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/43.jpg)
TV does not represent real life!
![Page 44: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/44.jpg)
Not so much CSI…… more like….
![Page 45: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/45.jpg)
Not so much CSI…… more like….
Team composition:
• Velma (the guru)
• Fred and Daphne (managers?)
• Shaggy & Scooby (the funny ones)
Which are you?
![Page 46: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/46.jpg)
But we ask those that build the corporate network…
The tribal leaders…
![Page 47: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/47.jpg)
Tribal leaders…..
![Page 48: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/48.jpg)
To quote Sun Tzu…..
• “If you know the enemy and know yourself, you need not fear the result of a hundred battles.
• If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.
• If you know neither the enemy nor yourself, you will succumb in every battle."
Mature IR Team
Developing IR Team
New or bad IR Team
![Page 49: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/49.jpg)
But, if you don't understand the attacker, how can you orientate yourself to their plans and thus pre-empt their actions?
Why do we care who is attacking us… Just make them stop!
![Page 50: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/50.jpg)
UTM
![Page 51: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/51.jpg)
So what do you
• Architect your network for today not circa 2000
• Deploy detection in network not on the boundary
• Don’t rely upon Tribal Leaders to be your only source of intelligence on attackers
• Centralise your intelligence, coordinate your response
• Monitor your Operational Security for signs you are leaking information of your plans to your enemy.
![Page 52: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/52.jpg)
If you want more help:
• Logically Secure: Testing/IR Support and Advice
• CyberCPR Development Team:
• Drew John
• Ed Tredgett @edtredgett
• Mike Antcliffe @mantcliffe
• Steve Armstrong @nebulator
• Email: [email protected]
• Twitter: @cybercpr
![Page 53: 44CON @ IPexpo - You're fighting an APT with what exactly?](https://reader033.fdocuments.us/reader033/viewer/2022052622/5596dc8a1a28abcb6a8b47a1/html5/thumbnails/53.jpg)
• Want some more????
• 28 April (it's a Tuesday)
• http://44con.com