Advanced Persistent Threat · APT - Overview (slide transcript)
Advanced Persistent Threat: Evolution of the Attacker
Joe Cummins, PCIP. Founder, Principal Consultant, Red Tiger Security – Canada
Jonathan Pollet, CAP, CISSP, PCIP. Founder, Principal Consultant, Red Tiger Security – USA
Presenter: Joe Cummins, PCIP
- Canadian information security practitioner
- President and Principal Consultant of Red Tiger Security - Canada
- Provision of threat and vulnerability assessments
- SME in the areas of:
  - Critical Infrastructure
  - Federal Readiness
- Speaker: IEEE Boston, Mass.; Canadian CIP Symposium; ISA Expo, Houston; SANS USA; SANS EURO
Presenter: Jonathan Pollet, CISSP, PCIP, CAE
- 12 years of electrical engineering, SCADA, industrial controls and IT experience
- PLC programming and SCADA system design and commissioning
- Wireless RF and telecommunications design and startup
- Front-end web development for SCADA data
- Back-end database design for SCADA data
- Acting CIO for Seneca Oil Company for 2 years (enterprise IT management)
- Last 8 years focused on SCADA and IT security
- Published white papers on SCADA security early in 2001
- Focused research and standards development for SCADA security since 2002
- Conducted over 100 security assessments on critical infrastructure systems
- Co-founded the Critical Infrastructure Institute in 2004 and the PCIP certification
- Developed a security assessment methodology for SCADA systems
APT - Overview
- Summary / Synopsis: Advanced Persistent Threat
- Anatomy
- Timeline: threat vector evolution
- Tools: malware, bots
- Techniques: OSINT, phishing
- Targets: enterprise
- Case studies
  - Project Aurora
  - GhostNet
  - Georgia v. Russia
- Solutions / safeguards
- Relevance to pipeline attack
- Horizon
Anatomy of APT: Signature and style of the evolved attack

APT - Anatomy
- Advanced:
  - Taking advantage of the latest techniques
  - Application stack
  - Protocols
  - Embedded device fuzzing
- Persistent:
  - Intent, dedication
  - Focused pattern
  - Patient / latent ability
- Threat:
  - Signatures
  - Vectors
APT - Signature
- Shift away from enterprise (broad) scale attacks
- Focus on the dissection / comprehension of the infrastructure
- Examination of the corporate infrastructure
- Pre-determined target / group
- Relentless approach
- Layered focus
- Exfiltration of data
Attack Timeline: Evolution of the Attacker

APT - Timeline of Attack
(timeline figure; no text survived extraction)
Evolution of the Attack
- Hackerz (1970 – 1995)
  - Objective:
    - Gain "unauthorized" access
    - Usurp control
    - Bypass common methods of control
  - Leveraging:
    - Password guessing
    - Early Trojans / viruses
    - Misconfigured networks
    - "Phreaking"

Evolution of the Attack
- Hobbyist hacking (1995 – 2000)
  - Objective:
    - Learning, exploration, discovery
    - Exposure of flaws, weaknesses, poor workmanship
    - Defacement
    - Disruption
  - Leveraging:
    - Email viruses
    - BO2K (Back Orifice 2000)
    - Early web attacks

Evolution of the Attack
- Hack-tivism (2001 – 2005)
  - Objective:
    - Capture media attention
    - Publicity
    - Denial of service
  - Leveraging:
    - Attracting attention through large-scale activities
    - Motivation: publicity and money
    - Methods: DoS, worms, rootkits, etc.

Evolution of the Attack
- "Hacker for hire" (2005 – 2009)
  - Objectives:
    - Identity theft
    - Information egress
    - DDoS
    - Financially motivated
  - Leveraging:
    - Phishing / pharming
    - Targeted spear-phishing
    - Redirected patching / AV
    - Bots / botnets
Attack Landscape: Posture and Motivation of APT

APT - Defense / Threat Postures
Blue (Defender)
- Exposed
  - Information
  - Marketing
- Sluggish
  - Slow to adopt change
- Constrained
  - Underfunded
  - Personnel
  - Education

Red (Attacker)
- Agile
  - More than one target
  - More than one vector
- Mobile
  - Change in strategy
  - Change in tactics
- Hostile
  - Ruthless
  - Creative
  - Relentless
APT - Intentions
- Data >> competitiveness
  - Formulas
  - Designs
  - Schematics
- Information >> knowledge
  - Agendas
  - Itineraries
  - Corporate direction
  - Mergers
  - Acquisitions
- Advantage is the motivation
APT - Threat Vectors
External
- Internet
  - Email attachments
  - File sharing
  - Pirated software
  - Spear-phishing
  - DNS / routing modifications
- Physical
  - Infected media (USB, CD)
  - Infected appliances
  - Malicious IT equipment
- External
  - Mass vulnerability exploits
  - Co-location exploitation
  - Rogue Wi-Fi AP

Internal
- Trusted insider
  - Rogue employee
  - Subcontractors
  - Social engineering (SOC-ENG)
  - Break-in
  - Dual-use software
- Trusted channel
  - Stolen VPN credentials
  - Hijacked cell communications
  - P2P tapping
  - 3rd-party breach
  - Untrusted devices
APT - Threat Vectors
- Malware / worms
  - May – July 2009: 1335 unique variants and infections
  - Including the Conficker worm (Conficker A, B, C, D and E)
- Malicious AV advertisements / products
- Segmentation of the network (ITSG-ITSB)
- Mobile devices
  - USB drives
  - U3 devices
  - Stolen or lost laptops
- Insecure builds
  - Devices that are misconfigured / unpatched before activation

APT - Threat Vectors (Con't)
- Information leakage
  - Exposure of sensitive media / material online
  - Small / irrelevant (individually)
- Application security
  - Fuzzing / reverse engineering
  - Overflows, cross-site scripting
- Social engineering
  - Spear phishing
  - Social Engineering Toolkit (SET) framework
APT - Tools
- Open-source information
- Search aggregators
- Malware:
  - Botnets
  - Crimeware
  - Rootkits
  - Malicious attachments
- Live DVD distributions
  - BackTrack
  - A.P.E.
APT - Overcoming Traditional Safeguards
- Anti-virus
  - Signatures being obfuscated
  - Covert de-activation
- Patching
  - Update servers being redirected
  - Pop-ups
- Firewalls
  - Malicious attachments creating holes
  - USB device circumvention

Symbiotic Progression
Internet Web ?.0 → Cyber Crime → Cyber Espionage
Don't take my word for it…
- General Keith Alexander, Head, US Cyber Command, on Operation Buckshot Yankee: "probed by unauthorized users approximately 250,000 times an hour, over six million times a day."
- Richard A. Clarke: "It is the public, the civilian population of the United States and the publicly owned corporations that run our key national systems, that are likely to suffer in a cyber war."
- William J. Lynn III, Deputy Secretary of Defense: "Computer-induced failures of U.S. power grids, transportation networks, or financial systems could cause massive physical damage and economic disruption"
- Jonathan Evans, Head of MI5: "Both traditional and cyber espionage continue to pose a threat to British interests, with the commercial sector very much in the front line along with more traditional diplomatic and defence interests"
Tools and Tradecraft: Skills and Methodology used in Construction of the APT

APT – Techniques / Tradecraft
- OSINT
- Social engineering
- Targeted "spear phishing"
- Malicious attachments
- USB devices
- Websites
Social Engineering
- Attack the 8th (human) layer
- Contextual
- Implied / explicit
- Leverages social interaction
- Forms an emotional exchange
  - Anger
  - Surprise
  - Anticipation
- "Robin Sage" experiment (a fabricated social-network persona that collected connections and data from security and defence professionals)
Targeted Spear Phishing
- Requires in-depth knowledge of the target
- Sophistication based on posted / known information
- Used to leverage people / groups
Malicious Attachments (Malware)
- PDF
- MS products
  - Word, Excel, etc.
- The usual suffixes:
  - mp3, exe, lnk, dll, mov, com, mp4, bat, cmd, reg, rar, emf, shs, js, vb, yourcompany.com.zip, cab, mda, zip, mdb, scr, aiff, mde, cpl, msi, vbs, aif, m4p, msp, fdf, mdt, sys, wmf, hlp, hta, pif, jse, qef, scf, chm, <#>.txt, wsf, fli, vbe
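To turn the suffix list above into something a mail gateway can act on, here is an added example (not code from the deck or its authors) that classifies attachment filenames: it catches the plain executable and script extensions, the double-extension lure (invoice.pdf.exe), the yourcompany.com.zip pattern from the list, and the Unicode right-to-left-override trick that hides the real extension. The extension sets, the action names and the sample filenames are constructed for the example.

```python
from dataclasses import dataclass, field

# Extension sets constructed for this example from the deck's "usual suffixes"
# list; extend them to match your own gateway policy.
EXECUTABLE_EXTS = {
    "exe", "com", "bat", "cmd", "scr", "pif", "cpl", "msi", "msp", "hta",
    "js", "jse", "vb", "vbs", "vbe", "wsf", "lnk", "reg", "dll", "sys",
    "chm", "hlp", "shs", "scf", "mda", "mdb", "mde", "mdt", "wmf", "emf",
    "fdf", "fli",
}
ARCHIVE_EXTS = {"zip", "rar", "cab"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt"}
RTLO = "\u202e"  # Unicode right-to-left override, used to disguise extensions


@dataclass
class Verdict:
    filename: str
    action: str                      # "block", "inspect" or "allow"
    reasons: list = field(default_factory=list)


def classify_attachment(filename: str) -> Verdict:
    """Decide what to do with an attachment based on its name alone.

    This is a first-pass filter: archives and documents that pass here still
    need content inspection (true file type, macros, embedded objects).
    """
    reasons = []
    if RTLO in filename:
        reasons.append("right-to-left override character hides the real extension")

    name = filename.strip().lower()
    parts = name.split(".")
    exts = parts[1:] if len(parts) > 1 else []   # every suffix after the base name
    last = exts[-1] if exts else ""

    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable or script extension .{last}")
    # invoice.pdf.exe: a document suffix in front of the real, executable one
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS:
        reasons.append(f"document suffix .{exts[-2]} masking .{last}")
    # yourcompany.com.zip: an executable suffix (.com) buried inside the name
    if last in ARCHIVE_EXTS and any(e in EXECUTABLE_EXTS for e in exts[:-1]):
        reasons.append("executable suffix embedded in an archive filename")

    if reasons:
        action = "block"
    elif last in ARCHIVE_EXTS:
        action = "inspect"           # archives need their contents walked
        reasons.append("archive: contents must be inspected before delivery")
    else:
        action = "allow"
    return Verdict(filename, action, reasons)


if __name__ == "__main__":
    # Constructed sample filenames, including the lure forms from the deck.
    for f in ["quarterly_report.pdf", "invoice.pdf.exe", "yourcompany.com.zip",
              "photos.zip", "setup.msi", "annex" + RTLO + "fdp.exe"]:
        v = classify_attachment(f)
        print(f"{v.action:8} {f!r}: {'; '.join(v.reasons) or 'no findings'}")
```

Filename checks are necessary but not sufficient: the PDF and Office entries at the top of the slide pass this filter by design, and they are exactly the types the 2009 targeted-attack data on the next slide shows being abused, so they need content inspection downstream.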
APT – Targeted Attacks (2009)
(Chart: share of targeted attacks by attachment type in 2009; the values are 48.87%, 39.22%, 7.39% and 4.52%, and the only category label that survived extraction is "MS PowerPoint". Source: http://www.f-secure.com/weblog/archives/00001676.html)
Malware (Con't)
(Chart: breakdown of general attacks into Malware, Other, Phishing, Physical Loss, Denial of Service, Unauthorized Access Attempt and Inappropriate Use; the values are 66.8%, 11.8%, 8.6%, 7.7%, 3.1%, 1.8% and 0.2%, with the value-to-category pairing lost in extraction. Source: http://www.f-secure.com/weblog/archives/00001676.html)
Malware Kits
- Proliferation of cheap and easy-to-use kits
  - Free (WebAttacker)
  - Torrents, P2P
- Complex $7,000 kits
  - 12+ kits available every 3–4 months
- Zeus (ZBOT)
- GhostNet (Gh0st RAT)
- MUMBA (Zeus v3)
- Mariposa
Zeus (ZBOT)
- Professional crimeware toolkit
- Versions: v1 – v3+
- Targets banks and banking systems
  - Harvests client data
  - Accounts

Zeus (ZBOT) Server Location
(map of Zeus server locations; no text survived extraction)
Command and Control (C&C)
- Leverages communication systems to relay messages
- Command vectors
  - Twitter
  - IRC
  - Facebook
  - Google Groups
Staged attack
- Series of weeks / months to fully compromise a system
- Incremental uploads / downloads / exchanges
- Result is fully "rooted" devices
- Random "radio" silence to remain hidden
Hardware backdoor
- Provision of devices / equipment that already carry "malware"
  - Projectors
  - Printers
  - Photocopiers
- Flash memory
- W32.Spybot worm
- http://en.community.dell.com/dell-blogs/Direct2Dell/b/direct2dell/archive/2010/07/21/dell-on-the-server-malware-issue.aspx
APT - Targets
- Intellectual property
  - Code
    - Applications
    - Protocols
  - Designs
    - Schematics
    - Drawings
    - Illustrations
  - Chemical / biological
    - Formulas
    - Equations
    - Chemical compounds
APT - Case Studies
- Stuxnet: 2010 – present
- GhostNet: 2009 – 2010
- Operation Aurora: June 2009 – January 2010
- Estonia vs Russia: 2007
Russia – Georgia Conflict (July – August 2008)
- Objective:
  - Precursor to the South Ossetia War
  - Destabilization / PsyOps support / misinformation
- Targeted:
  - 7 August: Georgian servers and Internet traffic were seized and placed under external control
  - 8 August: country-wide cyber attack; alleged connections to the "Russian Business Network"
  - 9 August: defacement of Georgian MFA, MIA and MOD sites; DDoS of the National Bank of Georgia as well as news portals
  - 12 August: President Saakashvili's website and Georgian TV websites were attacked
  - 12–13 August: the Georgian MOD website suffered direct attack as well as compromise
Operation Aurora
- Objective
  - Dubbed "Operation Aurora" based on a filename in the malicious payload traced to one of the hackers
  - Leveraged a Windows Internet Explorer browser vulnerability (CVE-2010-0249)
- Targeted:
  - Intellectual property
  - Software configuration management (SCM) systems
  - Gmail accounts of Chinese human rights activists, and three dozen large enterprises
  - Google, IBM, Juniper, +28 others
  - STILL IN THE WILD
Operation Aurora (Con't)
- Stages of infection
  - A targeted user received a link in email or instant message from a "trusted" source.
  - The user clicked the link and visited a website hosted in Taiwan that contained a malicious JavaScript payload.
  - The user's browser downloaded and executed the malicious JavaScript, which included a zero-day Internet Explorer exploit (CVE-2010-0249).
  - The exploit downloaded a binary disguised as an image from Taiwan servers and executed the malicious payload.
  - The payload set up a backdoor and connected to command and control servers in Taiwan.
  - As a result, attackers had complete access to internal systems.
GhostNet (Gh0st RAT)
- Objective
  - Infection and exfiltration
- Targeted
  - Over 1,200 hosts infected in over 100 countries
- Stages of infection
  - The infected host downloads trojans that give the attacker control of actions on the host computer.
  - The trojan attacks the computer by downloading files and activating the host's webcam and microphone.
APT – GhostNet by distinct IP
(Chart: infected IPs per country; the per-country counts did not survive extraction legibly. India and Vietnam are among the labelled countries.)
Signed Code Abuse
- STUXNET
- Took advantage of stolen JMicron / Realtek private keys to sign its kernel drivers, so the drivers carried legitimate signatures from those companies
- Legitimate signatures: the code-signing chain validates, so driver signature enforcement does not stop the load
- Cyber-sabotage

Valid Certificates ?!?!
(screenshot of the Realtek / JMicron certificate details; no text survived extraction)

Certificates – Con't
(screenshot; no text survived extraction)
Stuxnet - Dissected
- Certificate
  - JMicron
  - Realtek
- USB
  - Initial infection vector: USB
  - Replication limited to 3 infections per USB drive
- Windows 0-day
  - 4 unique vulnerabilities
  - Each found on most MS 2003-era and later systems
- Rogue PLC logic
  - Discovers the PLC device
  - Pushes new logic
Stuxnet - Process
- Normal path: Step7 → s7otbxdx.dll → PLC (S7-315-2)
- Infected path: Step7 → s7otbxdx.dll (Stuxnet's replacement, which intercepts the Step7 calls) → s7otbxsx.dll (the renamed original DLL) → PLC (S7-315-2)
Stuxnet – 0day
- 2 privilege escalation vulnerabilities (local)
- SMB / RPC Server service: MS08-067 (network spreading; previously patched, not a 0-day)
- Print Spooler: CVE-2010-2729 / MS10-061
- USB propagation vulnerability (LNK shortcut parsing): BID 41732 / CVE-2010-2568 +
  - ~WTR4141.tmp
  - ~WTR4132.tmp
APT – Steps to compromise
(diagram; no text survived extraction)

APT – Phased Compromise
- Initiation: first contact, infect
- Discovery: hosts / devices
- Propagation: spread via 0-day / vuln
- Command & Control: orders, radio silence
- Exfiltration: data collect, transmit
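The "orders / radio silence" phase above is where an implant's C&C traffic is most detectable: it calls out on a fixed period with a little jitter, then goes quiet for a stretch and resumes on the same period. The following is an added example, not code from the deck, that scores outbound flows in a constructed connection log for that periodicity and tolerates the silences instead of being thrown off by them. The log format (epoch, src, dst, dport, bytes), the addresses and the thresholds are assumptions for the example.

```python
import statistics
from collections import defaultdict

# Constructed connection log, "epoch src dst dport bytes". One host beacons to
# 203.0.113.7:443 roughly every 300 s with jitter and one hour of radio
# silence in the middle; the same host browses 198.51.100.20:80 at random.
BASE = 1284458400
BEACON = [0, 305, 598, 902, 1195, 1503, 5100, 5402, 5697, 6001, 6298]
BROWSE = [0, 12, 15, 100, 640, 641, 900, 2000, 2003, 2500]
SAMPLE_CONN_LOG = "\n".join(sorted(
    [f"{BASE + t} 10.1.2.3 203.0.113.7 443 812" for t in BEACON] +
    [f"{BASE + t} 10.1.2.3 198.51.100.20 80 {4000 + 37 * t}" for t in BROWSE]
))


def parse_conn_log(text):
    """Group connection start times by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in text.strip().splitlines():
        ts, src, dst, dport, _nbytes = line.split()
        flows[(src, dst, int(dport))].append(int(ts))
    return flows


def score_flow(times, jitter=0.2):
    """Return (period, regular_fraction, silence_gaps) for one flow.

    period            median gap between consecutive connections
    regular_fraction  share of gaps within +/- jitter of that period
    silence_gaps      gaps longer than 3x the period (the implant went quiet)
    The median keeps the period estimate stable through a few long silences.
    """
    times = sorted(times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    if not gaps:
        return 0.0, 0.0, 0
    period = statistics.median(gaps)
    if period <= 0:
        return 0.0, 0.0, 0
    regular = sum(1 for g in gaps if abs(g - period) <= jitter * period) / len(gaps)
    silence = sum(1 for g in gaps if g > 3 * period)
    return period, round(regular, 2), silence


def find_beacons(text, min_conns=6, jitter=0.2, min_regular=0.7):
    """Flag flows whose timing looks like a periodic C&C check-in."""
    findings = {}
    for flow, times in parse_conn_log(text).items():
        if len(times) < min_conns:
            continue
        period, regular, silence = score_flow(times, jitter)
        if regular >= min_regular:
            findings[flow] = {"period_s": period, "regular_fraction": regular,
                              "silence_gaps": silence}
    return findings


if __name__ == "__main__":
    for flow, info in find_beacons(SAMPLE_CONN_LOG).items():
        print(flow, info)
```

On the sample log only the 443 flow is reported (period about 303 s, 9 of 10 gaps regular, one silence gap); the browsing flow has a median gap of 85 s with almost no gaps near it, so it scores far below the threshold. Legitimate software updaters and NTP also beacon, so in practice the result is a ranked list for an analyst, not an automatic block.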
Mitigation Strategy: Real-world solutions to combat the APT threat

Education and Awareness
- Half day: executive briefing; high level / consumable
- Full day: more detailed; focus on sector-specific requirements
- 3-day intermediate: intensive review; split of theory / practical
- 5-day: hands on; advanced defence / tradecraft
R & D: Security / Automation Lab
- Active / functional
  - Replication of actual processes in the field
  - Scaled automation network
- Focus:
  - Patching
  - Testing signatures (AV / IDS)
  - More robust DCS environment
- Technology is available and cost-effective
Compliance ≠ Security
- Back to basics
  - "You can't buy security; you have to get security"
- Product panacea
  - Configuration
  - Inspection
  - Dissection
- Standards
  - Jump-off point
  - Security conversation
  - What works for you / others
  - One size fits none
Defence Strategy
- Conduct external / internal security assessments
  - What you don't know can STILL hurt you
  - Assessments from an external and an internal perspective
- Education / awareness
  - Training
  - Regular briefings
  - Foster an environment of security / communication
  - Intra-departmental
  - Security bulletins, weekly reminders, trends
- Advanced Persistent Diligence
  - Truth, but verify
APT meet APD: Advanced Persistent Diligence
- Testing patches before pushing
  - Development of a lab environment: functional, compressed version of the ACTUAL devices and configuration
- SOCNET
  - Truth, and verify
- Cyber security awareness
  - Employees are the best security barometer
Event Horizon: What do we see on the way

The Horizon
- Mutating bots / command & control
  - Quiet installation
  - Obfuscated exfiltration (HTTP, DNS, masked)
- Directed social engineering
  - Staggered attack
  - Combined with other styles
  - Building relationships over time
- Leverage of social networks (SOCNET)
  - Facebook is not your friend
  - Twitter or LinkedIn aren't too fond of you either…
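Of the exfiltration channels listed above, DNS is the one most often left open, because outbound port 53 is "just name resolution". Here is an added example, not code from the deck, that works through a constructed resolver log and flags base domains receiving many unique, long, high-entropy subdomains, which is what chunked data looks like when it leaves through DNS. The log format, the client and domain names, the two-label base-domain heuristic and the thresholds are assumptions for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log, "timestamp client qtype qname". The last five
# queries carry encoded data chunks in their leftmost label.
SAMPLE_DNS_LOG = """\
2010-09-14T10:00:01 10.1.2.3 A www.example.com
2010-09-14T10:00:02 10.1.2.3 A mail.example.com
2010-09-14T10:00:03 10.1.2.3 A cdn.example.com
2010-09-14T10:00:04 10.1.2.3 A time.example.net
2010-09-14T10:00:05 10.1.2.3 TXT q3k9x7m2p5w8n1z4c6v0b3h7j2f5t9.0.up.example-cdn.net
2010-09-14T10:00:06 10.1.2.3 TXT r8d2y6g4l1s5a9e3u7i0o2n6t4k8m1.1.up.example-cdn.net
2010-09-14T10:00:07 10.1.2.3 TXT v5b1n9c3x7z2q6w0e4r8t1y5u9i3o7.2.up.example-cdn.net
2010-09-14T10:00:08 10.1.2.3 TXT h2j6k0l4m8n1p5q9s3t7v2w6x0y4z8.3.up.example-cdn.net
2010-09-14T10:00:09 10.1.2.3 TXT a7s1d5f9g3h7j1k5l9z3x7c1v5b9n3.4.up.example-cdn.net
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload sits well above normal hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_domain(qname: str):
    """Return (subdomain, base domain). Assumes a two-label base domain;
    a real deployment should use the Public Suffix List (co.uk and friends)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def detect_dns_exfil(log_text, min_unique=4, min_avg_len=20, min_entropy=3.5):
    """Flag base domains whose subdomains look like data chunks, not hosts."""
    subs_by_base = defaultdict(set)
    for line in log_text.strip().splitlines():
        _ts, _client, _qtype, qname = line.split()
        sub, base = split_domain(qname)
        if sub:
            subs_by_base[base].add(sub)
    findings = {}
    for base, subs in subs_by_base.items():
        if len(subs) < min_unique:          # a few odd names are not a channel
            continue
        flat = [s.replace(".", "") for s in subs]
        avg_len = sum(map(len, flat)) / len(flat)
        avg_ent = sum(map(shannon_entropy, flat)) / len(flat)
        if avg_len >= min_avg_len and avg_ent >= min_entropy:
            findings[base] = {"unique_subdomains": len(subs),
                              "avg_len": round(avg_len, 1),
                              "avg_entropy": round(avg_ent, 2)}
    return findings


if __name__ == "__main__":
    for base, info in detect_dns_exfil(SAMPLE_DNS_LOG).items():
        print(base, info)
```

Only example-cdn.net is reported for the sample: five distinct 33-character labels with entropy above 4.5 bits per character, while example.com and example.net see short, repetitive hostnames. Content-hash CDNs and anti-spam lookups also produce long random-looking labels, so keep an allowlist of known base domains and treat the output as a lead to pull packet captures on, not as proof.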