Advanced Persistent Threat & Effective Counter Actions By Dave Whipple, CISSP, CISA, NSA-IAM/IEM
Transcript of Advanced Persistent Threat & Effective Counter Actions By Dave Whipple, CISSP, CISA, NSA-IAM/IEM
Slide 1
Advanced Persistent Threat & Effective Counter Actions
By Dave Whipple, CISSP, CISA, NSA-IAM/IEM
Slide 2
Briefing to Secretary of Defense
Slide 3
Meeting Agenda
• Introduction
• Effective Counter Measures
• Who am I?
• Case Study: My experience in the wild...
• Advanced Persistent Threat: How did they do that?
• What has 30 years taught me…
Slide 4
Slide 5
Now let's look at a few problems…
How's your Calculus?
Slide 6
My Background
Slide 7
Know the Enemy…
He who knows the enemy and himself will never in a hundred battles be at risk; He who does not know the enemy but knows himself will sometimes win and sometimes lose; He who knows neither the enemy nor himself will be at risk in every battle.
- Sun Tzu
Slide 8
Advanced Persistent Threat (APT)
Slide 9
MI5 says the Chinese government “represents one of the most significant espionage threats”
Slide 10
What is it?
Mandiant defines the APT as a group of sophisticated, determined and coordinated attackers that have been systematically compromising U.S. Government and Commercial networks for years. The vast majority of APT activity observed by Mandiant has been linked to China.
APT is a term coined by the U.S. Air Force in 2006
Slide 11
Advanced Persistent Threat
Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target’s posture.
Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives.
Threat means the adversary is not a piece of mindless code. This point is crucial. Some people throw around the term “threat” with reference to malware. If malware had no human attached to it (someone to control the victim, read the stolen data, etc.), then most malware would be of little worry (as long as it didn’t degrade or deny data). Rather, the adversary here is a threat because it is organized and funded and motivated. Some people speak of multiple “groups” consisting of dedicated “crews” with various missions.
Source: Richard Bejtlich's blog (TaoSecurity)
Slide 12
Threat Landscape
Slide 13
Targeting and Exploitation Cycle
Slide 14
Example
Slide 15
APT's Objectives
• Political: includes suppression of their own population for stability
• Economic: theft of IP, to gain competitive advantage
• Technical: obtain source code for further exploit development
• Military: identifying weaknesses that allow inferior military forces to defeat superior military forces
Slide 16
Recon / Intelligence
• Systems, resources, connections (easier to attack a trusted partner?)
  • E.g., the target's ISP, legal firm, contractor
• Individuals of interest (good targets for spear phishing?)
• Possible access methods (attacks on systems, partners, people)
Slide 17
Initial Intrusion
• Spear phishing is pretty common (because it works well enough; our defenses are that weak)
• Email to one or more targeted individuals
  • Spoofed follow-up to a conference, meeting, etc.
  • Or an email "follow-up" to a customer complaint…
• Malware payload
  • Zip file typical (harder to scan for malware)
  • Different people may get different attacks
• If even one attack works, they're in
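The slide's intrusion pattern (a lure that looks like a follow-up, a zipped payload, and a different payload per recipient) is what a mail gateway has to catch before the message reaches the inbox. The check below is an added example and not code from the deck: the messages, sender and recipient domains, file names and payload bytes are all constructed here so it runs offline, and the rule set (executable magic bytes, double extensions, script/executable extensions, encrypted or nested archives, and the same lure carrying different payloads to different people) is a minimal illustration rather than a complete scanner.

```python
"""Gateway-side inspection of inbound mail attachments (added example; the
messages below are constructed, not real phishing samples)."""
import email
import hashlib
import io
import zipfile
from collections import defaultdict
from email import policy
from email.message import EmailMessage

RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".dll", ".bat", ".cmd",
             ".js", ".jse", ".vbs", ".vbe", ".hta", ".lnk", ".ps1"}
MAX_DEPTH = 3            # refuse archives nested deeper than this
MAX_ENTRY = 50_000_000   # refuse to unpack entries larger than this (zip bombs)


def _exts(name):
    """['.pdf', '.exe'] for 'report.pdf.exe': all suffixes, for double-extension checks."""
    base = name.lower().rsplit("/", 1)[-1]
    return ["." + p for p in base.split(".")[1:]]


def inspect_bytes(name, data, depth=0):
    """Findings for one file; recurses into zip contents."""
    findings = []
    exts = _exts(name)
    if exts and exts[-1] in RISKY_EXT:
        findings.append(f"{name}: executable/script extension {exts[-1]}")
        if len(exts) >= 2:
            findings.append(f"{name}: double extension {''.join(exts)}")
    if data[:2] == b"MZ":
        findings.append(f"{name}: PE executable by magic bytes")
    if data[:4] in (b"Rar!", b"MSCF"):
        findings.append(f"{name}: RAR/CAB archive not unpacked here; sandbox it")
    if data[:4] == b"PK\x03\x04" or (exts and exts[-1] == ".zip"):
        if depth >= MAX_DEPTH:
            return findings + [f"{name}: archive nested deeper than {MAX_DEPTH}"]
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            return findings + [f"{name}: claims to be zip but is not"]
        with zf:
            for info in zf.infolist():
                entry = f"{name}/{info.filename}"
                if info.flag_bits & 0x1:          # encrypted entry: AV cannot look inside
                    findings.append(f"{entry}: encrypted entry, unscannable")
                    continue
                if info.file_size > MAX_ENTRY:
                    findings.append(f"{entry}: entry too large to unpack safely")
                    continue
                findings += inspect_bytes(entry, zf.read(info), depth + 1)
    return findings


def inspect_message(raw):
    """Parse one RFC 5322 message and inspect every attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"to": str(msg["To"]), "subject": str(msg["Subject"]),
              "findings": [], "payload_hashes": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        report["payload_hashes"].append(hashlib.sha256(data).hexdigest())
        report["findings"] += inspect_bytes(name, data)
    return report


def campaign_variation(reports):
    """Same subject to several recipients with different attachments: the
    'different people may get different attacks' pattern.
    Returns {subject: (recipient count, distinct payload count)}."""
    by_subject = defaultdict(lambda: (set(), set()))
    for r in reports:
        by_subject[r["subject"]][0].add(r["to"])
        by_subject[r["subject"]][1].update(r["payload_hashes"])
    return {s: (len(rcpts), len(hashes)) for s, (rcpts, hashes) in by_subject.items()
            if len(rcpts) > 1 and len(hashes) > 1}


def build_sample(to, inner_name, inner_bytes, attachment="Agenda_Update.zip"):
    """Constructed lure: a 'conference follow-up' carrying a zipped payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, inner_bytes)
    msg = EmailMessage()
    msg["From"] = "program.committee@conference.example"   # assumed sender
    msg["To"] = to
    msg["Subject"] = "Follow-up: updated agenda from last week's meeting"
    msg.set_content("Thanks for attending. The updated agenda is attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=attachment)
    return msg.as_bytes()


# Constructed batch: two recipients get PE-looking payloads behind a document
# name, the third gets a harmless text file; all three share the lure.
SAMPLES = [
    build_sample("alice@victim.example", "Agenda.pdf.exe", b"MZ" + b"\x90" * 64),
    build_sample("bob@victim.example", "Agenda.pdf.scr", b"MZ" + b"\xcc" * 64),
    build_sample("carol@victim.example", "Agenda.txt", b"See you in Denver.\n"),
]

if __name__ == "__main__":
    reports = [inspect_message(raw) for raw in SAMPLES]
    for r in reports:
        print(r["to"], r["findings"] or "clean")
    print("campaign variation:", campaign_variation(reports))
```

The per-recipient hash comparison is the part most gateways skip: a single flagged attachment is an incident, but one subject line fanning out to several people with several distinct payloads is a campaign, and that is the signal to pull every copy, including the ones that scanned clean.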
Slide 18
Looks real, doesn't it?
Slide 19
What about this one?
Slide 20
What about my dream job?
Slide 21
There is no safe porn site!!!
Slide 22
Consolidation
• Install additional malware: multiple copies (various locations); different kinds & configurations
• Crack & exfiltrate credentials: for re-login from outside (unusual)
• Provide for malware updates
Slide 23
Credentials (to look like a local user/admin)
• Identify local usernames: Active Directory; local machine user database
• Attack local authentication data: password guessing (NVIDIA CUDA GPU); brute force decryption
Slide 24
NVIDIA CUDA GPU
Slide 25
Tools
• Backdoor install, password dump, get email, list processes (normal, useful stuff)
• Doesn't trip AV alarms
Slide 26
Exfiltration
• Disguise via RAR, CAB, encryption (make it difficult to see what's leaving)
• Multiple hops to final destination (harder to ID where data is going)
• Outgoing connections only, IP tunnel, etc.
• Expect discovery of more tricks: piggyback on other traffic? Slow torrent?
Slide 27
Command / Control
• Outgoing connections preferred: firewall less of an issue (mistake)
• Imitates "normal" traffic: looks like (but isn't) Windows Update
• Looks like chat, actually a C/C rendezvous
• C/C in web comments & image headers
• Scan signatures more difficult to find: random content, multiple encryption
Slide 28
APT Maintenance
• Tries to keep your system infected: multiple copies
• "Seeds" to re-infect
• Multiple small custom programs
• Leverage existing system components
• Updates, to change AV signatures
  • (Only 20% trip AV alarms, so change 'em)
Slide 29
APT Case Study
Slide 30
Night Dragon – Oil Companies
Slide 31
APT Case Study
• Major defense contractor, electronic systems
• Attacks consistent with US-CERT CIIN-07-332-01
• Attackers had been in almost a year before they were noticed
• Attacks came from Shandong Province
• Exfiltrated 20 GB; 360 GB staged and encrypted
• 8 known variants of malware
• Corporate PII from HR taken as well
Slide 32
APT Case Study - Methodology
• Poison Ivy remote admin
• Keystroke logger
• Mine Trojan: full remote admin
• Capture user credentials
• Exfiltrates data
• MS GINA password sniffer
• Remote RDP
Slide 33
Case Study – Process of Attack
• This information is on a master target list
• Search unclassified information using Google search operators
• Use Maltego to target individuals via Facebook / LinkedIn
• Get HR records: target the HR boss
• Send a social-engineering email to a VP (he had access to everything)
• Harvest user credentials; move laterally…
• Harvest access servers; establish a test connection over port 53/443
• Access data; compress/encrypt
• Pass it out over port 53 or 443. Done.
Slide 34
SE - Email
Use Maltego/Facebook/LinkedIn to find the weak link: someone who is possibly underappreciated or underpaid. Find the person who has a porn issue (the Eastern Bloc owns this), a gambling problem (mostly US organized crime), or is searching for a new job (someone who is frustrated).
Email the target and appeal to their pride! "We have conducted an exhaustive nationwide search for someone with these skills and you are in the top 3 of your peers." "We are willing to fly you and your spouse to our Corporate Headquarters for an interview."
Slide 35
What should we do?
• End the "default permit" mentality: sandbox everything coming in
• Enable whitelists for corporate user groups; kill all default permit!
• Don't allow corporate users (n00bs) to install their favorite software: take them out of the local Administrators group on the local box
• Learn how to operate BackTrack 4; become proficient in Linux
• Don't trust anyone… everyone on the inside of the network is a hacker
• Know what "normal" looks like: data coming in, data going out
• Don't allow port 443 to pass through the firewall without looking at it
Dave and Muts (Mati Aharoni)
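"Know what normal looks like" and "don't let 443 through without looking at it" are the defensive answer to the exfiltration and command-and-control slides earlier in the deck (data compressed, encrypted and pushed out over 53 or 443; C2 that imitates Windows Update). The block below is an added example and not code from the deck: it runs three baseline checks over constructed outbound firewall records (fields: timestamp, source, destination, destination port, bytes out, bytes in, and the DNS query name or "-"), with illustrative thresholds. The checks are upload-heavy flows on 443 (browsing receives far more than it sends; staged archives leaving do the opposite), fixed-interval beaconing to one destination (a timer, not a person), and long high-entropy leftmost DNS labels (data riding out in queries).

```python
"""Baseline checks over outbound firewall records: upload-heavy 443 flows,
beaconing, and tunnel-like DNS labels (added example; log lines constructed)."""
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed records for one workstation. 93.184.216.34 is ordinary browsing,
# 198.51.100.9 checks in every 600 s with tiny payloads, 203.0.113.77 receives
# almost a gigabyte, and one DNS query carries a 31-character encoded label.
LOG = """\
2011-03-14T09:00:00 10.1.4.23 93.184.216.34 443 2100 48000 -
2011-03-14T09:05:00 10.1.4.23 93.184.216.34 443 1900 51000 -
2011-03-14T09:37:00 10.1.4.23 93.184.216.34 443 2300 47000 -
2011-03-14T11:02:00 10.1.4.23 93.184.216.34 443 2000 52000 -
2011-03-14T09:00:10 10.1.4.23 198.51.100.9 443 310 640 -
2011-03-14T09:10:10 10.1.4.23 198.51.100.9 443 305 640 -
2011-03-14T09:20:10 10.1.4.23 198.51.100.9 443 312 640 -
2011-03-14T09:30:10 10.1.4.23 198.51.100.9 443 308 640 -
2011-03-14T09:40:10 10.1.4.23 198.51.100.9 443 311 640 -
2011-03-14T10:00:00 10.1.4.23 203.0.113.77 443 400000000 12000 -
2011-03-14T10:25:00 10.1.4.23 203.0.113.77 443 550000000 9000 -
2011-03-14T09:12:00 10.1.4.23 192.0.2.53 53 60 120 www.example.com
2011-03-14T09:13:00 10.1.4.23 192.0.2.53 53 180 90 a7x9k2mq4pz8w3fv6rt1ylj5hn0cbgd.cdn-update.example
"""

def parse(text):
    recs = []
    for line in text.splitlines():
        ts, src, dst, dport, out, inn, qname = line.split()
        recs.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                     "dport": int(dport), "out": int(out), "in": int(inn),
                     "qname": None if qname == "-" else qname})
    return recs

def upload_heavy(recs, min_out=100_000_000, min_ratio=5.0):
    """(src, dst) pairs on 443 that send far more than they receive."""
    totals = defaultdict(lambda: [0, 0])
    for r in recs:
        if r["dport"] == 443:
            t = totals[(r["src"], r["dst"])]
            t[0] += r["out"]
            t[1] += r["in"]
    return [k for k, (o, i) in totals.items()
            if o >= min_out and o / max(i, 1) >= min_ratio]

def beacons(recs, min_conn=4, max_cv=0.15):
    """(src, dst, port) triples contacted at near-constant intervals:
    coefficient of variation of the gaps at or below max_cv."""
    times = defaultdict(list)
    for r in recs:
        times[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    hits = []
    for key, ts in times.items():
        if len(ts) < min_conn:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.stdev(gaps) / mean <= max_cv:
            hits.append(key)
    return hits

def shannon_entropy(s):
    """Bits per character; encoded data sits well above ordinary hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def dns_tunnel_labels(recs, min_len=30, min_entropy=3.5):
    """Query names whose leftmost label is long and high-entropy."""
    hits = []
    for r in recs:
        if r["dport"] != 53 or not r["qname"]:
            continue
        label = r["qname"].split(".")[0]
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            hits.append(r["qname"])
    return hits

if __name__ == "__main__":
    recs = parse(LOG)
    print("upload-heavy 443 flows:", upload_heavy(recs))
    print("beacons:", beacons(recs))
    print("tunnel-like DNS:", dns_tunnel_labels(recs))
```

None of these checks needs to decrypt TLS; they work on the flow metadata the firewall already has, which is why "looking at 443" is feasible even before inspection is in place. The thresholds are the part that must come from your own baseline: a backup agent or a video upload will trip the upload-heavy rule, and a legitimate update client beacons too, so the output is a triage list to compare against what is known-normal for that host, not an alert by itself.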
Slide 36
What has 30 years taught me?
• You want a good job? Then look like you want a good job. Polish your social skills for interviews.
• Customers and employers like certifications. Get over it.
• Don't be afraid in an interview to ask "What educational opportunities do you give your employees?"
• Always keep in mind your continuing education; you don't want to be working for a young snot-nosed boss when you're 55.