APT - Hunting 0Day Malware
APT: Hunting 0Day Malware
Mustafa Qasim
Since this presentation started
of organizations will have some malware event successfully evade their IT defenses.
On average, malware events occur at a single organization once every 3 MINUTES.
Introduction
Once upon a time...
According to IDC, between 2003 and 2011, total IT security spend grew from $12 billion to $28 billion.
$12 Billion (2003)
$28 Billion (2011)
reActive vs. proActive
Fear of False Positive!
So called Defenders!
Firewalls
- Yes/No
- NexGen Firewall Buzz
- Latency Impact
IPS
- Traffic Signatures
- 0Day Prevention Buzz (Exploit > Vulnerability)
- Network Services vs. Client Side Attacks
Web Gateways
So called: Defense in Depth
In reality: Iteration
Anti-Virus (L0L)
- Signatures
- Heuristics
- Sandbox
Anti-Virus (L0L)
- VIP entry via signed binary - Flame by Microsoft ;-)
Signatures
- Binary / Traffic
- Morphing, Obfuscation, Encryption
Heuristics Dilemma
Isn't Sandbox made up of sand?
Disheartened by Backward Looking Defenders?
The highest technique is to have no technique.
My technique is a result of your technique; my movement is a result of your movement.
APT Malware vs. Traditional
APT Attack Life Cycle
Stage 1
Intrusion through exploitation
- Remote Exploit / Local Exploit
- Social Engineering
Stage 2
Malware is dropped
- Single Click
- Base64-encoded hidden link
- Java revocation list check disabled
- Legacy vs Advanced
* PDF, not EXE
* DLL search order hijacking
Stage 3
Phones Home
- RAT
- Outbound Encrypted Connection
- Proxy CnC for a network
Stage 4
Spreads laterally
- Doesn't always hit the target
- Clear entry point
Stage 5
Data extraction
- Small Chunks
- Staged Host
- Encrypted RAR
Case Studies
- RSA breach
- Operation Aurora
Forensics & Challenges
- Behavior
- Code
* Packed
* Obfuscated
* Anti Debugger
* Anti VM
* Time
NGTP
- Signature-less
- Protection not Detection
- Virtual Execution Engine
Pakistan Cyber Space
First things FIRST!
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.”
— Sun Tzu, The Art of War
Honeynet Pakistan
- 6 Deployments
- Avg. 400 malware per day
- Around 100 Unique
ISPs
Financial Institutions
NADRA
Government Organizations
Honeytoken Snort Rule
alert ip any any -> any any (msg:"Alert! Token c86"; content:"r71p@g3r"; sid:1000001; rev:1;)
(sid and rev added: Snort refuses to load a rule without a sid; 1000001 is a placeholder from the local-rule range)
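As an added example (not code from the talk), here is a small Python matcher for the content option of a Snort rule like the honeytoken rule above, run over constructed payloads. It assumes the rule text above with a placeholder sid, supports the |hex| byte notation and the nocase modifier, and ignores offset/distance/within modifiers; it also shows the caveat that Snort content matches are case-sensitive unless nocase is set.

```python
import re

# Constructed rule text; sid 1000001 is a placeholder, not from the talk.
HONEYTOKEN_RULE = ('alert ip any any -> any any '
                   '(msg:"Alert! Token c86"; content:"r71p@g3r"; sid:1000001; rev:1;)')

# One rule option: name, optional value (quoted string or bare text), terminated by ';'
OPT_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def content_bytes(quoted: str) -> bytes:
    """Turn a Snort content string (quotes included) into bytes; |..| segments are hex."""
    out = bytearray()
    for i, seg in enumerate(quoted[1:-1].split("|")):
        if i % 2:                         # odd segments sit between pipes: "0d 0a"
            out += bytes.fromhex(seg.replace(" ", ""))
        else:                             # unescape \" \; \\ in the literal part
            out += re.sub(r"\\(.)", r"\1", seg).encode("latin-1")
    return bytes(out)

def parse_rule(rule: str) -> dict:
    """Extract msg, sid and the list of [pattern, nocase] content matchers."""
    opts = rule[rule.index("(") + 1:rule.rindex(")")]
    info = {"msg": None, "sid": None, "contents": []}
    for name, val in OPT_RE.findall(opts):
        if name == "msg":
            info["msg"] = val.strip('"')
        elif name == "sid":
            info["sid"] = int(val)
        elif name == "content":
            info["contents"].append([content_bytes(val), False])
        elif name == "nocase" and info["contents"]:
            info["contents"][-1][1] = True  # modifier applies to the preceding content
    return info

def matches(info: dict, payload: bytes) -> bool:
    """Every content must occur somewhere; without relative modifiers Snort searches each independently."""
    for pattern, nocase in info["contents"]:
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            return False
    return True

def scan(rule: str, flows: list) -> list:
    """Return one alert line per constructed (label, payload) pair that trips the rule."""
    info = parse_rule(rule)
    return [f'[{info["sid"]}] {info["msg"]} <- {label}'
            for label, payload in flows if matches(info, payload)]

# Constructed sample traffic: the token leaving in an HTTP POST and an SMTP body,
# a benign request, and a case-changed copy the default (case-sensitive) rule misses.
SAMPLE_FLOWS = [
    ("HTTP POST", b"POST /login HTTP/1.1\r\nHost: example.net\r\n\r\nuser=svc&pass=r71p@g3r"),
    ("SMTP body", b"Subject: creds\r\n\r\nbackup password is r71p@g3r\r\n"),
    ("benign GET", b"GET /index.html HTTP/1.1\r\nHost: example.net\r\n\r\n"),
    ("uppercased", b"token R71P@G3R"),
]
```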
Catch Me
Twitter: mustafaqasim
Freenode: mustu @ #offsec