250 likes | 265 Views
Top Strategies for Detecting & Combating Advanced Persistent Threats. MENA ISC 2012. Mr. Raed Albuliwi Vice President ANRC LLC. www.anrc-services.com TRAINING :: CONSULTING :: SOLUTIONS. Top Strategies for Detecting & Combating Advanced Persistent Threats: Agenda. Introduction
E N D
Top Strategies for Detecting & Combating Advanced Persistent Threats MENA ISC 2012 Mr. Raed Albuliwi Vice President ANRC LLC. www.anrc-services.com TRAINING :: CONSULTING :: SOLUTIONS
Top Strategies for Detecting & Combating Advanced Persistent Threats:Agenda • Introduction • APT’s • APT Walkthrough • Top Strategies For Dealing With APT’s • Summary
Top Strategies for Detecting & Combating Advanced Persistent Threats:Introduction • Who Are We? • ANRC delivers advanced cyber security training, consulting and development services to clients world-wide. • We tailor our service offerings to provide cyber security solutions that address specific goals. • Our approach emphasizes a close relationship with our clients as an integral part of our service offerings. • We’re in the process of expanding our company into the Middle East region, most recently sponsoring Black Hat Abu Dhabi 2011 and appearing here at the MENA ISC conference.
Top Strategies for Detecting & Combating Advanced Persistent Threats:Advanced Persistent Threats • What’s an Advanced Persistent Threat (APT)? • APT’s are used in cyber threats (or cyber attacks) • Advanced • The network intruder has sophisticated cyber capabilities. • They can breach extremely well protected networks, and maintain long-term access using custom developed tools and exploits. • This attacker targets sensitive information and is well funded and resourced. • Persistent • Even if you find evidence of an intrusion and attempt to remove infected or compromised systems, this attacker has embedded themselves deep into your network and can regain their presence through backup communication methods. • Normal COTS solutions will not keep this adversary out. • Threat • The attacker knows the network contains vital information and has the ability to leverage resources to eventually compromise the security infrastructure.
Top Strategies for Detecting & Combating Advanced Persistent Threats:Advanced Persistent Threats • What’s an Advanced Persistent Threat (APT)? • Where do APT’s lie in spectrum of Cyber Threats? APT Ongoing Active Targeted Directed Normal Automated “Script Kiddie” Hacker Groups Cyber Criminals Extremely Capable
Top Strategies for Detecting & Combating Advanced Persistent Threats:Advanced Persistent Threats • Walkthrough of a publicly reported APT. • The Wall Street Journal recently reported on an intrusion into the Chamber of Commerce that serves as a good example. • Image from online.wsj.com
Top Strategies for Detecting & Combating Advanced Persistent Threats:Advanced Persistent Threats • Strategies for detecting and combating APT’s. • APT reconnaissance: Open source research. • The APT intruders mentioned in the WSJ article did their homework prior to launching the sophisticated attack on the Chamber of Commerce. • Using open source research methods, they gathered publicly available intelligence on who to send emails to and what information to put in them to increase the likelihood of the user opening it. • How much information is available about your organization online? • Successful attacks using information from an organization’s own website include: • An attacker downloading an IT account request form, filling it out and sending it in. • Company templates, documents that allow for “real” looking emails. • Company directory of email addresses, individuals’ names, their positions in the company and organizational structure.
Top Strategies for Detecting & Combating Advanced Persistent Threats:Advanced Persistent Threats • Strategies for detecting and combating APT’s. • Strategy: Identify public critical information and limit / remove it. • We see it countless times. Companies put too much information about their organizations online, making this information publicly available to everyone. • If critical information needs to be public then assume it will be used for a targeted attack and adjust your security posture accordingly. • Critical information includes: employee forms, names / email addresses, banners and logos, signed documents …etc.
Top Strategies for Detecting & Combating Advanced Persistent Threats:Advanced Persistent Threats • Strategies for detecting and combating APT’s. • Strategy: Monitor your Internet-facing network infrastructure. • An APT campaign is the result of a long-term research effort. • IP addresses scanning and scraping your subnets may indicate that you are under surveillance. (Be concerned about physical security as well.) • Employ COTS solutions to generate massive amounts of logs. Data mining solutions exist but you need a skilled analyst to sort through them. • As an alternative you can outsource a network defense solution. 111
Top Strategies for Detecting & Combating Advanced Persistent Threats:Advanced Persistent Threats • Strategies for detecting and combating APT’s. • APT primary initial access vector: “Spearphishing” • “Spearphishing” continues to be the primary method used by APT’s to penetrate hardened networks. • “Spearphishing” targets an organization’s users by leveraging Social Engineering techniques. • Bottom line: If an attacker spends enough time and research targeting an individual or organization, they can craft the perfect email that will fool anyone into opening an attachment or following a link. • Image from online.wsj.com
Top Strategies for Detecting & Combating Advanced Persistent Threats:Advanced Persistent Threats • Strategies for detecting and combating APT’s. • Strategy: User education is paramount. • “Spearphishing” is more difficult to repel using spam filters because it is not aimed at many users (like most spam campaigns). Instead, they target specific users, utilizing information gathered from open source research. • They directly ask you for data ("please send me your password") by impersonating an official such as your IT department lead. • They want you to click a link (“Watch this video on YouTube about the idiot that hurt himself!"). • They want you to open an attachment or forward an attachment.
Top Strategies for Detecting & Combating Advanced Persistent Threats:Advanced Persistent Threats • Strategies for detecting and combating APT’s. • Strategy: Leverage existing technology. • Email servers should be configured to filter executable content. • Sending emails to SPAM folders is worthless if users can get them. • Implement a sandboxing solution for client apps (Browsers, Email Clients). This allows user to open suspicious emails in a confined area without exposing the user’s desktop environment to attack. • Image from www.sandboxie.com
Top Strategies for Detecting & Combating Advanced Persistent Threats:Advanced Persistent Threats • Strategies for detecting and combating APT’s. • APT gaining an initial foothold: Exploiting the target computer. • Getting the user to click a link or open an attachment is only the first step. • The attacker requires a method for allowing the execution of trojan horse malware to be installed onto the victim computer (more on this later). • This is accomplished by circumventing a specific application or operating system vulnerability using an exploit. • Typically in an APT scenario, these exploits are “zero”-day or unknown to the public and have no protection. Exploitation of the host is nearly guaranteed. • Sometimes APT attackers use exploits against recently patched vulnerabilities (1-day exploits) Because it takes time to patch vulnerable systems. • Top targeted client software: Microsoft Office Suite, Adobe Products, Browsers (Internet Explorer and Firefox) and even the Windows Operating System itself.
Top Strategies for Detecting & Combating Advanced Persistent Threats:Advanced Persistent Threats • Strategies for detecting and combating APT’s. • Strategy: Enterprise patch management solutions. • Your organization should be employing an enterprise patch management solution capable of testing and rolling out updates rapidly against all of your software. • APT intruders also leverage vendor security bulletins and patch updates for researching and developing 1-day exploits. • If you’re not paying attention to these vendor updates, rest assured your adversaries are. • Typical Process: Monitor for Release/Advisory, Evaluate (if no patches are available yet, develop a shield or workaround), acquire patch, prioritize and schedule, test and approve the patch, create and test deployment package, deploy, confirm deployment, cleanup package, document update baseline.
Top Strategies for Detecting & Combating Advanced Persistent Threats:Advanced Persistent Threats • Strategies for detecting and combating APT’s. • Strategy: Employ anti-zero day technology. • APT’s largely target a host with a zero day assuming little or no host protection. • By using specifically developed zero-day detection technology, organizations can effectively protect against this intrusion vector using the assumption that attackers cannot exploit what they don’t know about and are not expecting. APT RI SK 0-DAY ADVISORY VENDOR PATCH CREATED PATCH MADE PUBLIC PoC DEPLOYED TIME
Top Strategies for Detecting & Combating Advanced Persistent Threats:Advanced Persistent Threats • Strategies for detecting and combating APT’s. • APT gaining access to the network: Custom tools & malware. • Once the victim’s computer has been successfully exploited and the payload executes, malware (malicious software) is executed. • In the Chamber of Commerce attack, chances are there was an anti-virus with recently updated signatures running on the host, yet the attacker was able to successfully bypass this protection mechanism and gain access to the host. • Another key difference in the APT threat is their ability to develop malware that is capable of evading detection from common security solutions. In some instances, if evasion is not possible the malware will attack the anti-virus itself. • There is an underground market for selling security bypass techniques for malware, and well-funded APT campaigns have acquired or developed them. • APT campaigns will make use of malware and tools that have been tested against popular anti-virus products in order to bypass this front-line security mechanism.
Top Strategies for Detecting & Combating Advanced Persistent Threats:Advanced Persistent Threats • Strategies for detecting and combating APT’s. • Strategy: Computer forensics and intrusion analysis. • Every organization should be able to conduct a forensics investigation at a basic level. For APT intruders, however, chances are you will need to defer to intrusion experts who specialize in finding the infected hosts, servers, routers …etc. • Persistence is the key differentiator between APT’s and other intrusions. These attackers embed themselves deep within a network to maintain long-term access. • Hacking tools are left behind either as binaries on disk or resident only in memory. To identify these tools there are forensic techniques that include auditing your network for only authorized and digitally signed software. • For memory resident only tools and malware you will have to extract the rogue process running in memory and reverse engineer it to understand the code. • Additionally, thorough network traffic analysis of your subnets will highlight suspicious connections and traffic entering and leaving your organization via the Internet. Find the programs that are communicating to find more potentially infected hosts and locations APTs are persistent in.
Top Strategies for Detecting & Combating Advanced Persistent Threats:Advanced Persistent Threats • Strategies for detecting and combating APT’s. • Strategy: Malware analysis. • Malware analysis is one of the most sophisticated fields in the computer security arena. By reverse-engineering malware and tools left behind by an attacker, an organization can greatly increase its defense against an APT threat by understanding their tools at a low level. • Malware analysis can feed your existing computer security solutions in terms of unique signatures, indicators and provide your security team with the ability to detect and protect against similar attacks. • Malware analysis also aids in getting a “feel” for what the APT campaign is targeting and is a first step at determining attribution for who might be conducting the attack. • Having a malware analysis capability either internally, or outsourcing one, is paramount in being about to defend against existing threats and protect against future ones.
2. Find infected hosts, servers, routers …etc. 1. Monitor network traffic and hosts for suspicious activity. APT STRATEGY 3. Conduct forensics, intrusion and malware analysis. 5. Deploy network detection signatures to IDS/IPS and scan devices and hosts across the Enterprise. 4. Develop mitigation strategy using what you learned. Top Strategies for Detecting & Combating Advanced Persistent Threats:Advanced Persistent Threats • Strategies for detecting and combating APT’s. • Strategy: Continuous analysis should feed your defense systems.
Top Strategies for Detecting & Combating Advanced Persistent Threats:Advanced Persistent Threats • Strategies for detecting and combating APT’s. • APT propagating throughout the network: Finding the goldmine. • Chances are the host exploited by the APT intruder doesn’t have the information they are looking for. Using tools they download into the network, they will eventually deploy sniffers, password extraction utilities and escalate to Administrator or Root level credentials. • With these newfound credentials, it won’t be long before these adversaries login to enough routers, data warehouses and servers to locate the information they desire. • At what point does your network security policies alert you to this suspicious and unauthorized activity? • The APT adversary is interested in information, whether that be source code, technical schematics, proprietary company trade secrets, credit cards, formulas …etc. • How protected is this information in your organization?
2. Track all users and administrator activity. 1. Develop and satisfy Org. specific security policies. APT STRATEGY 3. Identify security holes in your existing policy and unauthorized accesses. 5. Proactively investigate and prevent all security violations. 4. Determine causes of attempted access violations. Top Strategies for Detecting & Combating Advanced Persistent Threats:Advanced Persistent Threats • Strategies for detecting and combating APT’s. • Strategy: Implement and execute network security auditing.
Top Strategies for Detecting & Combating Advanced Persistent Threats:Advanced Persistent Threats • Strategies for detecting and combating APT’s. • APT getting the data out: Phoning home. • Once the data store has been located the intruders will need to get information out of the network as covertly as possible. Sometimes APTs use standard ports and services (ex. WWW, 80, 443) other times they might use non-standard ports. • Your network filtering, routing rules and access control lists (ACLs) should prevent non-standard traffic from leaving your network. • Most likely, APTs will leverage encryption (SSL or other) over a standard port (443) to transfer the stolen data to their remote server. • Connections to unknown or suspicious IP addresses passing large amounts of enciphered or encrypted data should be a clear indicator that a theft is taking place. • Are your organization's network security policies and configurations equipped to report this anomalous information?
Top Strategies for Detecting & Combating Advanced Persistent Threats:Advanced Persistent Threats • Strategies for detecting and combating APT’s. • Strategy: Employ network anomaly detection systems. • Network anomaly detection systems can “bubble to the top” suspicious connections leaving your network. • The downside to these systems is you need a skilled network traffic analyst capable of digesting the data. • Is it a false positive or do you really have an active intruder present within your network? • As mentioned earlier, there are companies than can monitor your network for anomalies and report these events to you in near real-time.
Top Strategies for Detecting & Combating Advanced Persistent Threats:Advanced Persistent Threats • Strategies for detecting and combating APT’s. • Summary • Identify critical information available to the public and limit / remove it. • Monitor your Internet-facing network infrastructure. • User education is paramount. • Leverage existing technology. • Use an Enterprise patch management solution. • Employ anti-zero day technology. • Employ computer forensics and intrusion analysis (incident response). • Understand the threat, use malware analysis reporting. • Continuous analysis should feed your defense systems. • Implement and execute network security auditing. • Employ network anomaly detection systems.
Top Strategies for Detecting & Combating Advanced Persistent Threats:Advanced Persistent Threats • Strategies for detecting and combating APT’s. • Questions • Contact Information: • Mr. Raed Albuliwi • Vice President, ANRC LLC. • raed@anrc-services.com • 1-800-742-7931