Security Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent Threats
Peter Wood, Chief Executive Officer
First•Base Technologies LLP
An Ethical Hacker’s View
Slide 2 © First Base Technologies 2012
Who is Peter Wood?
Worked in computers & electronics since 1969
Founded First Base in 1989 (one of the first ethical hacking firms)
CEO, First Base Technologies LLP
Social engineer & penetration tester
Conference speaker and security ‘expert’
Member of ISACA Security Advisory Group
Vice Chair of BCS Information Risk Management and Audit Group
UK Chair, Corporate Executive Programme
FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
Registered BCS Security Consultant
Member of ACM, ISACA, ISSA, Mensa
Slide 3
Security Intelligence and This Presentation
“SI is a recognition of the evolution of sophisticated adversaries, the study of that evolution, and the application of this information in an actionable way to the defence of systems, networks, and data. In short, it is threat-focused defence, or as I occasionally refer to it, intelligence-driven response.
The “intelligence” in intelligence-driven response is the information acquired about one's adversaries, or collectively the threat landscape. Each industry has a different threat landscape, and each organisation in each industry has a different risk profile, even to the same adversary.
Understanding one's threat environment is collecting actionable information on known threat actors for computer network defence, whether that action is purely detection or detection with prevention.”
Source: Mike Cloppert http://computer-forensics.sans.org/blog/
Slide 4
Agenda
• APT Primer
• Case Studies
• Entry Points
• Prevention and Detection
Slide 5
APT Primer
Slide 6
Advanced Persistent Threat (APT)
• “An advanced and normally clandestine means to gain continual, persistent intelligence on an individual, or group of individuals” [Wikipedia]
• “… a sophisticated, mercurial way that advanced attackers can break into systems, not get caught, keeping long-term access to exfiltrate data at will.” [McAfee]
• “… a sophisticated and organized cyber attack to access and steal information from compromised computers.” [MANDIANT]
Slide 7
Advanced, Persistent, Threat
• They combine multiple attack methodologies and tools in order to reach and compromise their target
• The attack is conducted through continuous monitoring and interaction in order to achieve the defined objectives
• It does not mean a barrage of constant attacks and malware updates - in fact, a “low-and-slow” approach is usually more successful
• There is a level of coordinated human involvement in the attack, rather than a mindless and automated piece of code
• The operators have a specific objective and are skilled, motivated, organized and well funded
Slide 8
The Aurora attack http://threatpost.com/
Slide 9
The Aurora attack http://threatpost.com/
Slide 10
The Aurora attack
If you have done or been around any high-level incident response, you would know that these advanced persistent threats have been going on in various sectors for years. Nor is it a new development that the attackers used an 0day client-side exploit along with targeted social engineering as their initial access vector. What is brand new is the fact that a number of large companies have voluntarily gone public with the fact that they were victims to a targeted attack. And this is the most important lesson: targeted attacks do exist and happen to a number of industries besides the usual ones like credit card processors and e-commerce shops.
Dino Dai Zovi
http://trailofbits.com/2010/01/24/one-exploit-should-not-ruin-your-day/
Slide 11
Case Studies
Slide 12
Source: http://blogs.rsa.com/rivner/anatomy-of-an-attack/
Slide 13
The RSA attack
1. Research public information about employees
2. Select low-value targets
3. Spear phishing email “2011 Recruitment Plan” with .xls attachment
4. Spreadsheet contains 0day exploit that installs a backdoor through a Flash vulnerability (the backdoor is a Poison Ivy variant RAT, reverse-connected)
5. Digital shoulder surf & harvest credentials
6. Perform privilege escalation
7. Target and compromise high-value accounts
8. Copy data from target servers
9. Move data to staging servers and aggregate, compress and encrypt it
10. FTP to external staging server at a compromised hosting site
11. Finally pull data from the hosted server and remove traces
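Two of those steps leave traces on the network boundary: the reverse-connected RAT in step 4 has to call out to its handler at intervals, and steps 9 to 10 push a large, freshly compressed and encrypted archive out by FTP. The script below is an added example, not part of the deck or of RSA's own report, that runs both detections over constructed firewall log lines: a bulk FTP upload from an internal host to an address outside the organisation's RFC 1918 ranges, and evenly spaced connections from one internal host to one external endpoint. The log format, the addresses, the thresholds and the function names are all assumptions made for the example.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed firewall log lines in a made-up "key=value" format (not real data).
# 10.1.2.3 polls 203.0.113.10:443 every 60 s (a reverse-connected RAT pattern);
# 10.1.5.50 pushes 700 MB by FTP to an external host at 02:15, and the same
# volume to an internal FTP server later, which should not be flagged.
LOG = """\
2012-03-01T09:00:00 src=10.1.2.3 dst=203.0.113.10 dport=443 bytes_out=1200
2012-03-01T09:01:00 src=10.1.2.3 dst=203.0.113.10 dport=443 bytes_out=1180
2012-03-01T09:02:00 src=10.1.2.3 dst=203.0.113.10 dport=443 bytes_out=1210
2012-03-01T09:03:00 src=10.1.2.3 dst=203.0.113.10 dport=443 bytes_out=1195
2012-03-01T09:00:17 src=10.1.2.4 dst=198.51.100.7 dport=80 bytes_out=980
2012-03-01T09:12:41 src=10.1.2.4 dst=198.51.100.7 dport=80 bytes_out=2300
2012-03-01T09:40:05 src=10.1.2.4 dst=198.51.100.7 dport=80 bytes_out=410
2012-03-01T02:15:00 src=10.1.5.50 dst=192.0.2.44 dport=21 bytes_out=734003200
2012-03-01T10:00:00 src=10.1.5.50 dst=10.1.5.20 dport=21 bytes_out=734003200
"""

# The organisation's own address space (assumption: plain RFC 1918). Python's
# ip_address.is_private would also treat the documentation ranges used above
# as non-global, so membership in these networks is tested explicitly.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse_line(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a record."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.fromisoformat(ts),
        "src": rec["src"],
        "dst": rec["dst"],
        "dport": int(rec["dport"]),
        "bytes_out": int(rec["bytes_out"]),
    }


def analyse(log_text: str, ftp_threshold: int = 100 * 2**20,
            min_beacons: int = 4, max_jitter: float = 0.1) -> list:
    """Return findings as tuples: ('bulk-ftp-exfil', src, dst, bytes) or
    ('beaconing', src, dst, dport, mean_interval_seconds)."""
    findings = []
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if is_internal(e["dst"]):
            continue  # internal-to-internal traffic is out of scope here
        # Rule 1: a large FTP upload from an internal host to an external server
        # is the shape of steps 9-10 (staging, then FTP out).
        if e["dport"] == 21 and e["bytes_out"] >= ftp_threshold:
            findings.append(("bulk-ftp-exfil", e["src"], e["dst"], e["bytes_out"]))
        flows[(e["src"], e["dst"], e["dport"])].append(e["ts"])
    # Rule 2: evenly spaced connections to the same external endpoint are the
    # shape of a reverse-connecting backdoor polling its handler.
    for key, stamps in flows.items():
        if len(stamps) < min_beacons:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            findings.append(("beaconing", *key, round(mean)))
    return findings


if __name__ == "__main__":
    for finding in analyse(LOG):
        print(*finding)
```

Both rules are deliberately crude: real beaconing is jittered and real exfiltration is often split over HTTPS, so in practice the thresholds are tuned per environment and the two signals are correlated with the host-level evidence (new scheduled tasks, archive tools run on file servers) rather than used on their own.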
Slide 14
RSA Security Brief, February 2012
Slide 16
Entry Points
Slide 17
Identifying ‘The Mark’
Slide 18
Social Networking
Slide 19
Slide 20
Facebook Scams
Slide 21
Document MetaData Harvesting
Slide 22
Infosecurity Europe 2012 Experiment
• Open WiFi on a laptop on our stand
• Network name: ‘Infosec free wifi’
• Fake AP using airbase-ng on BackTrack
• In one day we collected 86 unique devices
Slide 23
Wireless Eavesdropping
Packet sniffing unprotected WiFi can reveal:
• logons and passwords for unencrypted sites
• all plain-text traffic (e-mails, web browsing, file transfers)
Slide 24
Firesheep Capturing
Slide 25
Firesheep: Game Over
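What a sniffer on an open or WEP network actually gets, as an added example that is not from the deck or from Firesheep itself: the script takes HTTP request payloads as they would come out of TCP reassembly (three constructed requests are embedded, with made-up hosts, users and secrets), pulls out Basic-auth logons, posted form passwords and session cookies, and then builds the replayed request that a Firesheep-style "sidejack" sends with the stolen cookie and no password at all. The host names, cookie names and function names are assumptions.

```python
import base64
from urllib.parse import parse_qs

# Constructed HTTP requests as they would appear on unprotected WiFi after TCP
# reassembly. Hosts, users and secrets are made up for the example.
CAPTURE = [
    b"GET /inbox HTTP/1.1\r\nHost: webmail.example.com\r\n"
    b"Cookie: SESSIONID=abc123; lang=en\r\n\r\n",
    b"GET /admin HTTP/1.1\r\nHost: intranet.example.com\r\n"
    b"Authorization: Basic YWxpY2U6czNjcjN0\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: portal.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 29\r\n\r\n"
    b"username=bob&password=monkey1",
]

PASSWORD_FIELDS = ("password", "passwd", "pass", "pwd")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def harvest(requests) -> list:
    """Return what a passive sniffer learns: one dict per secret found."""
    found = []
    for raw in requests:
        method, path, headers, body = parse_request(raw)
        host = headers.get("host", "?")
        auth = headers.get("authorization", "")
        if auth.lower().startswith("basic "):
            # Basic auth is base64, not encryption: it decodes straight to user:password.
            user, _, pw = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
            found.append({"kind": "basic-auth", "host": host, "user": user, "password": pw})
        if "cookie" in headers:
            cookies = dict(c.strip().split("=", 1) for c in headers["cookie"].split(";"))
            found.append({"kind": "cookie", "host": host, "path": path, "cookies": cookies})
        if method == "POST" and headers.get("content-type", "").startswith(
                "application/x-www-form-urlencoded"):
            form = parse_qs(body.decode("latin-1"))
            for field in PASSWORD_FIELDS:
                if field in form:
                    found.append({"kind": "form-login", "host": host,
                                  "user": form.get("username", form.get("user", ["?"]))[0],
                                  "password": form[field][0]})
    return found


def sidejack(cookie_finding: dict) -> bytes:
    """Build the request Firesheep replays: same host, same cookies, no password needed."""
    cookie = "; ".join(f"{k}={v}" for k, v in cookie_finding["cookies"].items())
    return (f"GET {cookie_finding['path']} HTTP/1.1\r\nHost: {cookie_finding['host']}\r\n"
            f"Cookie: {cookie}\r\n\r\n").encode()


if __name__ == "__main__":
    for finding in harvest(CAPTURE):
        print(finding)
```

The cookie case is the one that survives a strong password: as long as the site sets its session cookie without the Secure flag and serves any page over plain HTTP, the sniffer never needs the logon, only the replay. The defence on the user side is the one the deck gives (no sensitive traffic over public WiFi, encrypted mail connections); on the server side it is HTTPS everywhere with Secure and HttpOnly cookies.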
Slide 26
Telephone Social Engineering
Sometimes all they have to do is call up and ask!
Slide 27
Information Leakage
Exposure of:
• Corporate hierarchy
• E-mail addresses
• Phone numbers
• Technical infrastructure
• Business plans
• Sensitive information
• Passwords!
Slide 28
Spear Phishing
Slide 29
Phishing Emails
Slide 30
Phishing Emails
Slide 31
Spear phishing
Slide 32
Privilege Escalation
Slide 33
Password ‘Quality’
http://iqsecur.blogspot.ca/2012/04/analysis-of-leaked-militarysinglesorg.html
Slide 34
Case study: Windows Administrator Passwords
Global organisation:
• 67 Administrator accounts
• 43 simple passwords (64%)
• 15 were “password” (22%)
• Some examples we found:
admin5, crystal, finance, friday, macadmin, monkey, orange, password, password1, prague, pudding, rocky4, security, security1, sparkle, webadmin, yellow
Slide 35
Case study: Password Crack
• 26,310 passwords from a Windows domain
• 11,279 (42.9%) cracked in 2½ minutes
• It’s not a challenge!
Slide 36
Password Issues
• Passwords based on dictionary words and names
• Service accounts with simple/stupid passwords
• Other easy-to-guess passwords
• Little or no use of passphrases
• Password policies not tailored to specific environments (e.g. Windows LM hash problem)
• Old fashioned rules no longer apply (rainbow tables, parallel cracking, video processors)
• Just general ignorance and apathy?
• One password to rule them all …
Slide 37
Prevention and Detection
Slide 38
Identifying “The Mark”: Social Networking
• Don’t reveal personal or sensitive information in social networking sites or blogs
• Set the privacy options in social networking sites
• Don’t discuss confidential information online
• Don’t ‘friend’ people you don’t know
Remember – what goes on the Internet, stays on the Internet!
Slide 39
Identifying “The Mark”: Telephone Social Engineering
• If you receive a suspicious phone call, hang up and call back on a number you know is legitimate
• Never reveal personal or sensitive information in response to a phone call unless you have verified the caller
• Don’t answer questions about your organisation or colleagues unless it’s your job to do so
• Report any phone calls that you suspect might be social engineering attacks
Slide 40
Identifying “The Mark”: Public and Open WiFi
• Remember: traffic on open and WEP-encrypted WiFi networks can be read by almost anyone (WEP keys are recovered in minutes)
• Never use public WiFi for sensitive information
• Don’t use the same password for web sites and for corporate systems
• Make sure your email connections are encrypted
Slide 41
Spear Phishing
• Never reveal personal or sensitive information in response to an email, no matter who appears to have sent it
• If you receive an email that appears suspicious, call the person or organisation in the ‘From’ field, on a number you already know, before you respond or open any attached files
• Never click links in an email message that requests personal or sensitive information. Enter the web address into your browser instead
• Report any email that you suspect might be a spear phishing campaign within your company
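The four rules above can be checked mechanically before a user ever sees the message. The script below is an added example (not from the deck) that triages a constructed spear-phishing email in the shape of the RSA case, a spreadsheet attachment under a plausible HR subject: it compares the From and Reply-To domains, checks that each link's visible text goes where its href actually points, flags look-alike hosts that embed the organisation's domain, and flags attachment types that open in applications with a large client-side attack surface. The message, addresses, domains and check names are made up for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed message (addresses, domains and the attachment are made up).
RAW = b"""\
From: "HR Department" <hr@example-corp.com>
Reply-To: recruitment.plan@mail-example.net
To: jane.doe@example-corp.com
Subject: 2011 Recruitment Plan
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please review the plan before Friday:
<a href="http://example-corp.com.login-check.net/plan">http://intranet.example-corp.com/plan</a></p>
--b1
Content-Type: application/vnd.ms-excel; name="2011 Recruitment Plan.xls"
Content-Disposition: attachment; filename="2011 Recruitment Plan.xls"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Types that hand the content to Office, Flash, Reader or the OS loader.
RISKY_EXTENSIONS = {".xls", ".xlsm", ".doc", ".docm", ".ppt", ".pdf",
                    ".exe", ".scr", ".js", ".vbs"}
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def triage(raw: bytes) -> list:
    """Return a list of (check, detail) findings for one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. A Reply-To elsewhere means the answer (and any "verification") leaves
    #    the organisation even though the From looks internal.
    from_domain = msg["From"].addresses[0].domain.lower()
    reply = msg["Reply-To"]
    if reply is not None and reply.addresses[0].domain.lower() != from_domain:
        findings.append(("reply-to-mismatch",
                         f"{from_domain} -> {reply.addresses[0].domain.lower()}"))

    # 2. Link text that shows one host while the href goes to another is why the
    #    slide says to type the address rather than click it.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        for href, text in LINK_RE.findall(html.get_content()):
            text = text.strip()
            shown = urlparse(text).hostname if text.startswith("http") else None
            actual = urlparse(href).hostname
            if shown and shown != actual:
                findings.append(("link-mismatch", f"shows {shown}, goes to {actual}"))
            if actual and from_domain in actual and not actual.endswith(from_domain):
                findings.append(("lookalike-host", actual))

    # 3. Attachment types with a big client-side attack surface (the RSA lure was
    #    an .xls carrying a Flash exploit).
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(("risky-attachment", name))
    return findings


if __name__ == "__main__":
    for check, detail in triage(RAW):
        print(f"{check}: {detail}")
```

None of these checks prove a message is hostile, and a well-made lure can pass all of them (the RSA mail was sent to named staff from a plausible address with a file name they expected). Their value is in routing the message to the reporting channel the slide asks for, and in opening any attachment that does get through in a sandbox rather than on the user's workstation.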
Slide 42
Privilege Escalation
• Don’t use passwords based on dictionary words and names
• Use complex passphrases for service accounts
• Tailor password policies to specific environments (e.g. Windows vs. web sites)
• Remember: old fashioned rules no longer apply (rainbow tables, parallel cracking, video processors)
• Never re-use passwords: “one password to rule them all …”
Slide 43
Think Like an Attacker!
Hacking is a way of thinking:
- A hacker is someone who thinks outside the box
- It's someone who discards conventional wisdom, and does something else instead
- It's someone who looks at the edge and wonders what's beyond
- It's someone who sees a set of rules and wonders what happens if you don't follow them
[Bruce Schneier]
Hacking applies to all aspects of life - not just computers
Slide 44
The Human Firewall
The money you spent on security products, patching systems and conducting audits could be wasted if you don’t prevent social engineering attacks …
Invest in marketing security awareness and intelligent, practical policies.
Need more information?
Peter Wood, Chief Executive Officer
First•Base Technologies LLP
http://firstbase.co.uk
http://white-hats.co.uk
http://peterwood.com
Blog: fpws.blogspot.com
Twitter: peterwoodx