Advanced Attack Groups (Objectives, Tactics, Countermeasures)
February 27, 2013

MANDIANT CORPORATION
• Computer Information Security Consulting
• Software: Host Inspection/Network Monitoring Tools
• Enterprise-Wide Intrusion Investigations
• Financial Crimes, National Security Compromises
• 380+ Investigations Since 2008, >2M and >20K Hosts
• Offices: DC, NYC, LA, San Francisco
• PCI PFI Certified, FS-ISAC Affiliate Member, GCHQ/CESG/CPNI Cyber Incident Response Pilot
Agenda
• Information Targeted By Attackers
• Attack Group Profiles
• Intrusion Case Examples
• Investigative Approach
• Why It Continues To Happen
• Countermeasures – Strategic and Tactical
• The Future
• Questions and Answers

The Rogue/The Disgruntled
• Not As Sophisticated Or Practiced
• Limited Resources Available
• Smallest Impact
• Easier To Investigate Than Other Actors

Hacktivists
• Focused On Notoriety/Cause
• Loosely Organized: Small Groups
• Low (Follow Script) To Moderate (SQL Injection) Skills
• Frequent Use Of Publicly Available Tools
• Capitalize On Common Security Vulnerabilities
• More Disruptive Than Dangerous

Organized Crime
• Financially Motivated: Obtain/Sell Info
• Good Bankers: Understand ATM/PIN/HSM
• Microsoft-Centric: Bypass Mainframe, AS/400
• Highly Automated: Move Fast, Reuse Tools
• Compromise More Systems Than Used
• Persistence Has Not Been A Hallmark
The Advanced Persistent Threat
• Focused On Intelligence Gathering and Occupation
• Target Specific Organizations
• Nation State Sponsored
• What It Is Not:
  • Botnet/Worm
  • Script Kiddies
  • Financial Criminals
  • “Simplistic” Malware

How The APT Is Different
• Motivation & Tenacity
  • Their goal is occupation
  • Persistent access to network resources
  • Political and economic insight
  • Future use / fear / deterrent
• Organization & Orchestration
  • Division of labor
  • Malware change management
  • Escalation only as necessary
  • Countermeasures increase attack sophistication
• Technology
  • Custom malware
  • Leverage various IP blocks to avoid filtering and detection
  • Few sustainable signatures (pack & modify binaries)
  • Malware recompiled days before installation
  • Constant feature additions
  • VPN subversion
  • Encryption
Scareware
• Ill-Advised Browsing
• iFrame Popup With Virus Warning
• Install Rootkit Malware (Broad Functionality)
• Charge Victim’s Payment Card
• Harvest Victim’s Payment Card Information
• Valid Transaction, Rarely Reported
• Millions Of Victims
• User Awareness Is Primary Defense
Typical APT Attack - Conglomerate
• Law Enforcement Notification: April 2010
• 2007 Phishing Email Attack (Conference Attendance)
• 93 Systems Compromised
• Five Attack Groups Active Concurrently/Independently
• Lost Credentials: User, Domain Admin, Service Accounts
• 1 GB Of Email, Credentials (Incremental Only)
• Attacker Focus: Green Fuel Materials, R&D, Mfg Data

Financial Services Attack
• Law Enforcement Notification
• Server Misconfiguration Attack Vector
• In Network Two Months Prior to Theft
• Moved Laterally With Blank SA Passwords, RDP
• Dumped Credentials From Domain Controller
• Compromised/Accessed ~350 Systems
• Dumped Several Dozen Records from Target Database
• Determined PINs Using IVR Web Service
• Made $13M In Withdrawals At 2,300 ATMs
• Repeated Attacks from Unmanaged Infrastructure
Conducting Investigations
• Determine Incident History, Steps Taken, Technical Environment, Objectives
• Collect Relevant Data
• Increase Monitoring And Enterprise-Wide Inspection Capabilities As Needed
• Conduct Forensic, Log and Malware Analysis To Identify Network And Host-Based Indicators Of Compromise
• Identify Attack Vector, Attacker Activities, Compromised Systems/Accounts, Data Exposure
• Report Status, Findings, Remediation Recommendations

Investigative Cycle: Primary Sources of Information
• Host inspection
• Full network monitoring/analysis
• Log analysis
  • Near real-time
  • Historical
• Malware reverse engineering
• Systems inspection
  • Live response analysis
  • In-depth forensic analysis
  • Memory analysis
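The log-analysis step above, applied to the lateral-movement pattern in the financial services case (one set of credentials reaching hundreds of systems over RDP and network logons, then credentials dumped from a domain controller). This is an added Python example, not code from the original deck or from Mandiant. It runs over a constructed, labelled sample of Windows Security event 4624 (successful logon) records; the export field layout, the one-hour/five-host fan-out thresholds and the da_/svc_ account-naming convention used to tier accounts are assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security-log export (illustrative, not real data).
# One 4624 (successful logon) event per line:
#   timestamp  event_id  logon_type  account  source_ip  target_host
# Logon type 10 = RemoteInteractive (RDP), 3 = Network (admin shares, WMI),
# 2 = Interactive at the console (source_ip shown as "-").
SAMPLE_EVENTS = """\
2013-02-11T09:00:00 4624 2  CORP\\mlee     -          WKS-117
2013-02-12T01:02:11 4624 10 CORP\\jsmith   10.1.5.23  WKS-117
2013-02-12T01:07:40 4624 10 CORP\\jsmith   10.1.5.23  FS-01
2013-02-12T01:11:05 4624 3  CORP\\jsmith   10.1.5.23  DB-02
2013-02-12T01:15:52 4624 10 CORP\\jsmith   10.1.5.23  DB-02
2013-02-12T01:22:19 4624 10 CORP\\jsmith   10.1.5.23  HR-APP-01
2013-02-12T01:31:48 4624 3  CORP\\jsmith   10.1.5.23  DC-01
2013-02-12T01:38:02 4624 10 CORP\\jsmith   10.1.5.23  DC-01
2013-02-12T01:44:30 4624 10 CORP\\jsmith   10.1.5.23  PAY-SRV-03
2013-02-12T02:05:00 4624 3  CORP\\adm_kwu  10.1.9.8   FS-01
2013-02-12T02:06:10 4624 3  CORP\\adm_kwu  10.1.9.8   FS-02
2013-02-12T03:15:00 4624 2  CORP\\svc_sql  -          WKS-117
2013-02-12T08:00:00 4624 10 CORP\\da_ops   10.1.9.8   WKS-117
"""


def parse_events(text):
    """Parse the whitespace-separated export into event dicts with datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, source_ip, target_host = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "source_ip": source_ip,
            "target_host": target_host,
        })
    return events


def find_fanout(events, window=timedelta(hours=1), min_targets=5, logon_types=(3, 10)):
    """Return {(account, source_ip): [hosts]} for every account/source pair that
    reached at least `min_targets` distinct hosts within one `window`-long span
    using network or RDP logons. One identity spreading across many hosts in a
    short time is the lateral-movement signature described in the case above.
    The first qualifying window per pair is reported."""
    by_key = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] in logon_types:
            by_key[(e["account"], e["source_ip"])].append(e)
    hits = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            seen = set()
            for later in evs[i:]:           # sliding window starting at `first`
                if later["time"] - first["time"] > window:
                    break
                seen.add(later["target_host"])
            if len(seen) >= min_targets:
                hits[key] = sorted(seen)
                break
    return hits


def tier_of(account):
    """Assumed naming convention for the constructed domain (adapt to real
    group membership): da_* = domain admin, svc_* = service, else user."""
    name = account.split("\\")[-1].lower()
    if name.startswith("da_"):
        return "domain admin"
    if name.startswith("svc_"):
        return "service"
    return "user"


def exposed_accounts(events, compromised_hosts, since_iso):
    """Accounts that logged on to a known-compromised host at or after the
    intrusion date. Any credential used on an attacker-controlled host must be
    assumed captured (cached credentials, LSASS memory), so this set, grouped
    by privilege tier, scopes the enterprise-wide credential change."""
    since = datetime.fromisoformat(since_iso)
    tiers = defaultdict(set)
    for e in events:
        if (e["event_id"] == 4624 and e["target_host"] in compromised_hosts
                and e["time"] >= since):
            tiers[tier_of(e["account"])].add(e["account"])
    return dict(tiers)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for (account, src), hosts in find_fanout(evs).items():
        print(f"lateral movement: {account} from {src} -> {len(hosts)} hosts: {', '.join(hosts)}")
    for tier, accounts in sorted(exposed_accounts(evs, {"WKS-117"}, "2013-02-12T01:00:00").items()):
        print(f"reset ({tier}): {', '.join(sorted(accounts))}")
```

On the sample, jsmith from 10.1.5.23 touches six hosts in 42 minutes and is flagged, while the two-host admin session is not; the exposure pass then lists every account that authenticated to the compromised workstation after the intrusion date, which is the population whose credentials must be changed in parallel with the investigation rather than after it. Against real exports, feed the same records to both passes: the fan-out hits give the compromised-host set, and the exposure pass grows as that set grows.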
Successful Investigations Require
• Technical Expertise:
  • Forensics, Malware, Log Analysis
• Investigative Skills:
  • Organize The Situation
  • Understand The Attacker
  • Recognize/Take The Right Next Step
• Management Skills:
  • Identification/Elimination of Obstacles
• Communication Skills: When/How Needed

Why Does It Continue To Happen?
• Limited Awareness of:
  • The Threats/Attackers/Actors and Their Motives
  • What is Possible: Advanced Phishing, Defeating Two-Factor, Obtaining Valid Credentials
• Lack of Understanding of Actual Attacker Tactics:
  • Hacking Web Apps or Staging Phishing Campaigns?
  • Using Cached Credentials or Attacking Domain Controllers?
  • Using Backdoors, VPN Accounts or Web Shells?

Why Does It Continue To Happen?
• Tendency to Focus on “Security Best Practices”
  • Instead of What Attackers Actually Do
• Lack of Visibility:
  • Inadequate Logging - Detail/Retention
  • Unmanaged Infrastructure
  • Unreconciled M&A Activity
• Operational Expediency:
  • Two-Factor Authentication Is Hard to Administer
  • Dealing With Multiple Complex Passwords Creates Issues
  • Network Segmentation Makes App Deployment Difficult

Why Does It Continue To Happen?
• Misplaced Faith in Compliance Audits:
  • Last 50 PCI Breaches – How Many Were Compliant?
• Spend Money Instead of Time:
  • Solving Problems with Technology Is Appealing
  • Fixing People Problems Is Hard
  • Fixing Process Problems Is Hard/Boring
Addressing The Issues - Strategic
• Educate Your People, Clients, Suppliers, Partners:
  • Security Awareness, Attacker Profiles/Tactics
• Turn Up Logging/Monitoring, Gain Visibility
• Obtain Senior Management Awareness/Support
• Invest in “Appropriate Practices”:
  • Focus on People and Process First
• Implement Technology That Addresses True Issues:
  • Install Whitelisting on Domain Controllers
  • Establish/Enforce Strong Passwords: User, Admin, Service
  • Limit Number of Cached Local Credentials
• Recognize That Execution Trumps Strategy

Addressing The Issues - Tactical
• Understand What They Do And Take It Away
• Conduct In Parallel With Investigation
• Rebuild Systems
• Whitelist Domain Controllers
• Remove Local Admin Rights
• Conduct Enterprise-Wide Credential Change
• Increase Logging
• Establish Host Inspection Capability
• Establish Network Monitoring Capability
• Segment Networks
Prioritizing Remediation Initiatives
[Figure: attack lifecycle diagram]
• Attack lifecycle phases: Initial Recon → Initial Compromise → Establish Foothold → Escalate Privileges → Internal Recon → Move Laterally → Maintain Presence → Complete Mission
• Prioritization factors: Threat Intelligence, Operational Visibility, Operational Complexities, Business Drivers, Resource Constraints
The Future
• We See Progress with Victim Organizations:
  • Small Number Unable to Remove Attacker (<5%)
  • Small Number Have Another Large Incident (<5%)
  • Most Deal Effectively with Subsequent Attacks (90%+)
• Greater Market Awareness
• More Industry Collaboration
• Recognize That “Victory” Is Minimizing Impact