Advanced Targeted Malware or Advanced Persistent Threat without the marketing BS.

Page 1: Advanced Targeted Malware or Advanced Persistent Threat without the marketing BS.

Advanced Targeted Malware or

Advanced Persistent Threat

without the marketing BS

Page 2

APT in this presentation

• The original meaning, when the US Navy coined the phrase
• Before it started being used by every IT Security vendor, anti-malware vendor, and everyone with “Cyber” in their marketing portfolio

Page 3

Agenda

• What APT is – its background/history
• Detection and elimination
• The people and what they attack
• The on-going fight
• Reminder checklist
• Some difficult truths
• Questions

Page 4

APT

• Targeted Malware with the intent to
  – Enter your estate
  – Stay in your estate
  – Obtain your data
• Commercial advantage
• Technology leapfrog
• etc

Page 5

APT is a new threat

• Wrong
  – Very wrong

• Instances of well-developed attacks and associated malware seen since before 2006

• Some folks working on these issues since perhaps as early as 2002

• Candidly, if you haven’t seen this stuff you probably are not looking properly.

Page 6

APT family

• It isn't
  – Single attack type
  – Single type of malware
  – Single attack group

Page 7

APT Family

• It is
  – Range of attack types
    • Spearphishing
    • Generic social engineered attacks
    • Very well targeted social engineering attacks
    • Targeted drive-by attacks
  – Range of malware types
    • Relatively simple through to
    • Quite sophisticated
    • Perhaps 7 to 9 different levels of complexity
    • Generally use the simplest malware needed

Page 8

APT Activity

• Gain a foothold that can obtain command and control instructions
  – Via some quite interesting approaches
    • “interactive” sessions
    • instructions by hidden means, e.g. jpeg images
• Usually (always?) via other parties
  – Other compromised companies/web-sites
  – University systems
  – “mom & pop shops”
  – Compromised systems unlikely to initiate a web connection to …
• Knowledge of these “other parties” can often lead to the discovery of new victims … more on that later

Page 9

What a rush!

• There is no rush
  • from the attacker's point of view
• Marathon not sprint
• Sleeper malware
  – Long period beaconing
    • Check in only every few months
• A bit more on this later…

Page 10

Elimination

• How do you get rid of it after you first detect it?
  – Or after you have had a tip-off that you might have a problem
  – You may get a tip-off from…

Page 11

Whack-a-Mole?

• Very dynamic – lots of IT folks doing stuff
• But dangerous and not very effective
• Attackers will notice
• They will change attack approach
• They will remain in your estate

Page 12

Structured approach

You will probably need help with some of this

Who you gonna call?
• Competent
• Capable
• Trusted

• Much less fun, much harder work, much more effective
  – Detect/locate
  – Prepare/Understand
  – Disconnect
  – Eliminate
  – Protect
  – Future processes
  – Re-connect
  – The new normal

Page 13

Detection

• Log file analysis
  – dns, dhcp, vpn, firewall, ids/ips, proxy, AV
• Network Analysis
  – packet capture and analysis, network sensors
• Host Capability
  – process maps, memory maps, file structures, registry contents, file contents
• One third/one third/one third
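The log-file-analysis leg of detection is the one that catches two things the earlier slides describe: sleeper malware that checks in only every few months (slide 9), and command-and-control routed through compromised third parties, where knowledge of one relay leads to further victims (slide 8). The following is an added example, not code from the presentation or from the presenter's SOC. It assumes consolidated proxy logs in a constructed "timestamp client destination bytes" format, and the thresholds (at least three contacts, a mean gap of 30 days or more, a coefficient of variation of at most 0.2) are assumptions chosen for the example, not figures from the talk. Every log line is constructed.

```python
"""Added example (not from the presentation): sweep consolidated proxy logs for
long-period, regular check-ins and pivot on relay hosts known from an earlier
incident to find further internal victims. All log data here is constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log, one request per line:
# "<ISO timestamp> <client IP> <destination host> <bytes>"
SAMPLE_PROXY_LOG = """\
2012-10-01T02:15:04 10.1.4.20 cms.shop.example.net 1188
2012-12-01T02:15:11 10.1.4.20 cms.shop.example.net 1190
2013-02-01T02:14:58 10.1.4.20 cms.shop.example.net 1187
2013-04-01T02:15:07 10.1.4.20 cms.shop.example.net 1201
2013-03-29T01:00:00 10.1.4.23 cdn.example.org 40211
2013-03-30T01:00:00 10.1.4.23 cdn.example.org 40211
2013-03-31T01:00:00 10.1.4.23 cdn.example.org 40211
2013-04-01T01:00:00 10.1.4.23 cdn.example.org 40211
2013-04-01T08:00:12 10.1.4.21 www.example.com 2400
2013-04-01T08:07:40 10.1.4.21 www.example.com 1800
2013-04-01T09:41:03 10.1.4.21 www.example.com 5100
2013-04-02T10:05:55 10.1.4.21 www.example.com 2210
2013-04-02T14:22:09 10.1.4.22 lib.campus.example.edu 956
"""


def parse_proxy_log(text):
    """Return (timestamp, client, destination) tuples sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, _size = line.split()
        records.append((datetime.fromisoformat(ts), client, dest))
    return sorted(records)


def find_long_period_beacons(records, min_events=3, min_period_days=30.0, max_cv=0.2):
    """Flag (client, destination) pairs whose contacts are rare but regular.

    A frequent destination (normal browsing, a nightly CDN sync) fails the
    minimum-period gate; a rare but irregular one fails the regularity gate.
    What survives is the "check in every couple of months" pattern.
    Returns {(client, destination): mean_gap_in_days}.
    """
    by_pair = defaultdict(list)
    for ts, client, dest in records:
        by_pair[(client, dest)].append(ts)

    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        # Gaps between consecutive contacts, in days (records arrive sorted).
        gaps = [(b - a).total_seconds() / 86400 for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period < min_period_days:
            continue
        # Coefficient of variation: small means the gaps are near-identical.
        if pstdev(gaps) / period > max_cv:
            continue
        flagged[pair] = round(period, 1)
    return flagged


def pivot_on_known_relays(records, known_relays):
    """Map each known relay host (learned from a previous incident) to the
    internal clients that have contacted it; those clients are new leads."""
    hits = defaultdict(set)
    for _ts, client, dest in records:
        if dest in known_relays:
            hits[dest].add(client)
    return {relay: sorted(clients) for relay, clients in hits.items()}


if __name__ == "__main__":
    recs = parse_proxy_log(SAMPLE_PROXY_LOG)
    print("long-period beacons:", find_long_period_beacons(recs))
    # Relay host assumed to have been identified during an earlier investigation.
    print("relay pivot:", pivot_on_known_relays(recs, {"lib.campus.example.edu"}))
```

Two design points carry over to real log volumes: the minimum-period gate is what keeps a nightly, perfectly regular CDN fetch out of the results, and the pivot is only as good as the relay list, so each confirmed incident should feed its third-party infrastructure back into that list.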

Page 14

Prepare/Understand

• Do you know your estate?
  – Network connections
  – Password policies
  – Password and application interactions
• Understand how the malware works
  – Command and control
  – How it persists
  – How it moves/how it is moved

Page 15

Structured approach

• Detect/locate
• Prepare/Understand
• Disconnect
• Eliminate
• Protect
• Future processes
• Re-connect
• New normal

Page 16

New Normal

• They will re-attack
• They will get in
• Your processes have to:
  – Detect
  – Investigate
  – Eliminate
  – Adapt

Page 17

The Human Element

• Groups
  – Developers
  – Doers
  – Follow-up
• Below the radar
  – Working patterns
  – Comms patterns
• Multiple Groups?
  – Probably
  – May not always be aware of each other

Page 18

They are only human

• Oops!
  – Human script followers
    • Identified keyboard drivers
    • Typos
    • Mistakes
    • Repeat commands
    • May not be sure of where they are
    • Sometimes careless/sloppy
  – Compressed archives not fully deleted

Page 19

The Attack Surface

• Microsoft / Adobe / Java
  – Because they are the most popular platforms.

“I rob banks ‘cause that’s where the money is”

• Patching and the role it can play…

Page 20

The products that fix the problem

• Unfortunately none
• Needs a structured approach to robust monitoring and a number of products to help manage the risk
• An approach based on
  – People – at all levels of the organisation
  – Process
  – Technology
In that order of priority

Page 21

The approach that handles the problem

• This is about our approach, but others have similar.
• SOC – multi-geography, 24*365
• Evolution of tools
  – Externally sourced
  – Internally sourced
• Evolution of people skills
  – Better understanding of the subject
  – Better analysis skills

Page 22

Tools

• Log consolidation and analysis
  – DHCP, dns, proxy, firewall, ids, vpn etc
• Network traffic monitoring and analysis
• Host data capture
  – To aid in incident identification
  – To aid in incident investigation

Page 23

Tool Effectiveness

• Initially
  – 34% / 33% / 33% (log/network/host)
• Now
  – 65% / 30% / 5% (log/network/host)
• Future?
  – 45%? / 50%? / 5%? (log/network/host)

Page 24

The approach takes time

Page 25

Summary

• Bad folks are doing bad stuff very well
• They see it as huge commercial benefit
• We need to get better at detecting/eliminating/protecting
• It can be done but must be done in a structured and on-going fashion to be effective
• It is an evolving threat so there are no “fit and forget” solutions

Page 26

Remember, you may have to….

• Detect/locate
• Prepare/Understand
• Disconnect
• Eliminate
• Protect
• Future processes
• Re-connect
• New normal

Page 27

Difficult Truths

• Safe harbours will continue to exist

• Traditional prevention and detection has failed

• Governments cannot prevent intrusions

• Data loss is inevitable

• Attacks will continue

• Companies often breached for years

Page 28

Additional Reading

• http://www.rsa.com/innovation/docs/sbic_rpt_0711.pdf
  – Write-up from RSA on the threat and what can be done to help reduce the risk and the impact.

Page 29

Any Questions?