The solution for APT attacks ~For the world safe for exchanging digital information~

feivel
Presentation Transcript


  1. The solution for APT attacks ~For the world safe for exchanging digital information~

    Trend Micro Inc.
  2. ※ The following are all extracts from news reports.
     - December 2010: Cyber attack on Iranian nuclear facilities
     - January 2011: 21-year-old George Hotz decrypts Sony PS3 root key
     - February 2011: HBGary hacked by Anonymous, resulting in data leakage
     - March 2011: Authentication product related information leaked from RSA
     - April 2011: Data of 77 million customers leaked from Sony PSN
     - May 2011: Data of 360,000 US Citigroup customers leaked
     - June 2011: Major US defense contractor Lockheed Martin attacked
     - July 2011: Personal data of 35 million users of a Korean social network site leaked
     - August 2011: Japanese defense related firms suffered cyber attacks
     - September 2011: Japanese National Personnel Authority and Cabinet Office sites temporarily unavailable due to DDoS attacks
     - October 2011: PCs in the Japanese House of Representatives infected by a virus; possible data leakage
  3. Repeated damages caused by Advanced Persistent Attacks
     What is an Advanced Persistent Attack? A series of attacks that aim to penetrate target firms and organizations using several methods, such as emails with a malicious program attached or the exploitation of vulnerabilities, in order to steal information or hijack computers communicating with external parties.
     Two typical types of penetration in an Advanced Persistent Attack:
     - Exploiting vulnerabilities in public servers to penetrate target networks directly from outside.
     - Using social engineering and other techniques to penetrate the target network by manipulating users inside it.
     Examples of principal motives: for fun, for justice, for money, spying, agitation, terrorism.
  4. Repeated damages caused by Advanced Persistent Attacks
     Reasons why combating these attacks is difficult:
     - Their technique cunningly exploits not only systems but also human weakness as a means to gain access.
     - Prior to the attack, the attackers confirm that their attack will not be detected by major antivirus solutions.
     - It is difficult to cope in real time with new threats, which are born every second, by pattern file deployment alone.
     - Because the attacker knows the target's internal environment when attacking, the attack can be delivered very efficiently.
     - Because the backdoor carries unauthorized traffic from the inside out, it is hard to cope with it using traditional entry solutions.
     - When traffic is encrypted by the virus, detection by IDS or IPS is difficult.
  5. The Targeted Attack Process
     - Stage 0, Preparation for attack: As a preparation stage before the attack, the attackers investigate the target organization. To do so, they attack organizations around the target to collect information that serves as a platform for the initial intrusion, such as emails exchanged between that organization and the target. Using this information, they conduct attacks that increase the success rate of the initial penetration.
     - Stage 1, Initial penetration: Various methods are used in the initial penetration stage. Suspicious (targeted) email is one such method. These methods are used to deploy viruses deep within the organization. In this stage, the attack achieves its goal if just one employee opens that email; there is no need for the virus to infect many systems. The attack methods used at this stage are thought to be chosen on the expectation that they will be detected and cleaned. That means they are disposable.
     - Stage 2, Establishment of attack platform: Once the attackers succeed in getting into the system, they quickly establish a backdoor for communication with a server they have prepared. Unlike traditional backdoors, this backdoor uses HTTP and other communication protocols that the target organization uses in its business. Thus it cannot be blocked by a firewall. Using this backdoor, they add the functions needed for the next stage, system investigation, and an attack platform is established.
     - Stage 3, System investigation: Using the attack platform established in the prior stage, the attackers search for internal system information. At this time, a backdoor is used to communicate with the attackers, and the search continues while system information is confirmed.
     - Stage 4, Attack on the ultimate target: They steal information via the backdoor. In some cases, they repeat attacks using the stolen information. An APT is an attack in which the attackers keep the attack platform they established in the target organization in order to repeat penetrations and data thefts. This kind of attack tends to be repeated several times.
     Source: IPA design/maintenance guide to aim for the solution against “new type of attack”.
  6. What actually happens at each stage?
     Stages: Stage 0, Preparation for attack; Stage 1, Initial penetration; Stage 2, Establishment of attack platform; Stage 3, System investigation; Stage 4, Attack on the ultimate target.
     Activities shown in the diagram:
     - Direct attack exploiting system vulnerabilities
     - Searching for server vulnerabilities and spreading viruses
     - Unauthorized exporting of key data
     - Investigation of IP, applications used, update status etc.
     - Execution of initial stage virus
     - Penetration into affiliated companies, overseas branches etc.
     - Email with malicious PDF attachment sent by an attacker pretending to be a superior or a business contact
     - Download and execution of backdoor virus
     - Exporting IDs, passwords etc.
     - Communication with external command server and new malicious activity
     - Installing key logger and obtaining sysadmin authority
     - Accessing confidential data by exploiting acquired ID and password
     - Information about target organization gathered via Facebook or other social media
     - Penetration via USB memory
     - Using target as a springboard for attacking other systems
     - Downloading bots and other new viruses
     - System falsification
     - Penetration via PC brought into organization
     - Assuming rules for generating email addresses
  7. The type of malicious files attached
     Stages: Stage 0, Preparation for attack; Stage 1, Initial penetration; Stage 2, Establishment of attack platform; Stage 3, System investigation; Stage 4, Attack on the ultimate target.
     Highlighted activity: Email with malicious PDF attachment sent by an attacker pretending to be a superior or a business contact.
     Types of malicious attachments (Source: Trend Micro):
     - Executables: 30%
     - Document files like PDF, Word and Excel: 70%
     Activities shown in the diagram: Direct attack exploiting system vulnerabilities; Searching for server vulnerabilities and spreading viruses; Unauthorized exporting of key data; Investigation of IP, applications used, update status etc.; Execution of initial stage virus; Penetration into affiliated companies, overseas branches etc.; Download and execution of backdoor virus; Exporting IDs, passwords etc.; Communication with external command server and new malicious activity; Installing key logger and obtaining sysadmin authority; Accessing confidential data by exploiting acquired ID and password; Information about target organization gathered via Facebook or other social media; Penetration via USB memory; Using target as a springboard for attacking other systems; Downloading bots and other new viruses; System falsification; Penetration via PC brought into organization; Assuming rules for generating email addresses.
  8. The point in the solution recommended by IPA
     Based on that idea, IPA studied solutions to cope with “new type of attacks”. We noticed that such attacks share common methods, for example viruses communicating with attackers. We then concluded that organizations need both an Outside-In solution, which prevents traditional attacks, and a solution which blocks the common attack methods so that sensitive information is not stolen by external attackers even when part of an attack gets into the environment. As a solution for the organization, it is very important to spread this Inside-Out solution.
     - Inside-Out solution: a solution to prevent information theft by external attackers. It can prevent the impact on the organization even though there is an intrusion.
     - Outside-In solution: a solution to prevent traditional attacks. Some cases cannot be prevented by the Outside-In solution.
     Diagram labels (Company A): Can't stop some attacks; Information theft and system corruption; Sensitive information theft; Prevent information theft; Outside-In solution; Inside-Out solution.
     Source: IPA design/maintenance guide to aim for the solution against “new type of attack”.
  9. How can we prevent them?
     Stages: Stage 0, Preparation for attack; Stage 1, Initial penetration; Stage 2, Establishment of attack platform; Stage 3, System investigation; Stage 4, Attack on the ultimate target.
     Countermeasures shown in the diagram:
     - Patch vulnerabilities
     - Detect virus activities and disable them
     - Device control
     - Prevent unauthorized data intrusion
     - Detect a falsification
     Activities shown in the diagram: Direct attack exploiting system vulnerabilities; Searching for server vulnerabilities and spreading viruses; Unauthorized exporting of key data; Investigation of IP, applications used, update status etc.; Execution of initial stage virus; Penetration into affiliated companies, overseas branches etc.; Email with malicious PDF attachment sent by an attacker pretending to be a superior or a business contact; Download and execution of backdoor virus; Exporting IDs, passwords etc.; Communication with external command server and new malicious activity; Installing key logger and obtaining sysadmin authority; Accessing confidential data by exploiting acquired ID and password; Information about target organization gathered via Facebook or other social media; Penetration via USB memory; Using target as a springboard for attacking other systems; Downloading bots and other new viruses; System falsification; Penetration via PC brought into organization; Assuming rules for generating email addresses.
  10. Protect vulnerabilities and establish environments which are safe from attacks. Outside-In solution: Trend Micro Deep Security
  11. The functions Deep Security provides (PCI-DSS compliant)
      5 Protection Modules:
      - IPS/IDS and Web application protection: Protects vulnerabilities on OS and applications. Protects web applications from SQL injection, XSS and other attacks.
      - Firewall: Blocks DoS attacks and other malicious traffic.
      - Antivirus: Virus searches carried out in real time and on a scheduled basis.
      - Security log monitoring: Centralized monitoring of security events involving OS, middleware etc.
      - File integrity monitoring: Monitors changes in files and registry.
      Protection by agent and virtual appliance.
  12. Recommendation scan
      - Agent automatically searches for vulnerable points
      - Applies virtual patches automatically
      Diagram: Web Server (CVE-2000-1205, CVE-2002-0081); Database Server (CVE-2006-0265, CVE-2008-0107); Deep Security Manager.
      Pain points this function can solve:
      - ✔ Patch management accuracy is greatly increased (no omissions)
      - ✔ Automation lightens administrators’ burden
      - ✔ Automatic application of virtual patches reduces server risk
  13. Virtual patching
      - Virtually creates the condition in which security patches are applied
      - Protects the server from attacks on vulnerabilities
      Timeline: Vulnerability discovered!; Registered in public database; Deep Security virtual patch release; Official patch released from all vendors.
      Work by customer: Apply virtual patch; Official patch validation; Apply official patches; Remove virtual patches.
      Pain points this function can solve: No need to panic, and you can focus on your verification.
      - ✔ Virtual patch can be applied without stopping the server
      - ✔ No worries about impact on other systems (side effects)
      - ✔ Users can control the patch schedule flexibly
  14. Japan original solution: Deep Security Secure Pack
      Deep Security Secure Pack is a product that comes with an antivirus solution (Server Protect) and vulnerability protection (DS Agent). It comes in the form of SaaS, so there is no need to set up or manage a management server. You only need to install the modules on the appropriate server to be able to use them.
      The product concept:
      - Keeps you informed! Attack status + report, provided via Web
      - Easy! Antivirus + vulnerability protection, both in one
      - Simple! No settings + no management, just install
  15. On intrusion, detect anomalies rapidly and prevent damage from spreading. Inside-Out solution: Trend Micro Threat Management Solution
  16. Differences from traditional countermeasures
      - Pattern matching (OfficeScan Corporate Edition)
        Feature: Assesses whether a particular file is a virus or not. Detects and cleans up EXISTING viruses effectively. Clearly distinguishes “black” and “white”. Suspicious items will not be detected as malicious. ・・・etc.
        Challenge: Cannot detect new viruses which have not been analyzed before.
      - Behavior monitoring (Threat Management Solution)
        Feature: Assesses based on program behaviors and virus activities. Can detect new viruses which have never been analyzed before. “Gray” items will be targets of action. Suspicious items will be under further investigation.
        Challenge: Requires discreet judgment based on expert knowledge. Specialist assessment is performed by Threat Management Services.
      The two have a mutually complementary relationship.
  17. Threat Management Solution Overview (Inside-Out solution)
      - Detects backdoors deployed by unknown viruses that arrive as email attachments and exploit document vulnerabilities. Also blocks download of further threats.
      - Detection that does not depend on pattern files: detects backdoors from network traffic.
      - The solution for urgent attacks and reporting.
      - Visualizes the trend in the network: collects traffic logs even in normal status and provides reports analyzed by Trend Micro.
      Diagram labels: Internet; Proxy Server; Mirror Port; Monitoring Device; For TDA traffic; Transmission of detection log (HTTPS); Log Analysis; Analysis Report; Downloading Analysis Result Report; Administrator.
  18. Prevent threats from email and Web at the gateway. Outside-In solution: Trend Micro Enterprise Security for Gateways
  19. Japan original solution: Reinforce the protection at the gateway to prevent initial intrusion
      A virtual appliance which establishes a safe environment by preventing malicious intrusion from email and Web*
      [Trend Micro Enterprise Security for Gateways] will:
      - Block threat intrusion via the Web and access to malicious websites, to prevent various threats at the network gateway.
      - Delete malicious mail at the gateway before it gets to the customer’s network, by correlating with the Trend Micro data center (Smart Protection Network).
      Diagram labels: Malicious websites (phishing sites, virus-infected sites etc.); Malicious email (spam etc.); Smart Protection Network; Blocks malicious websites; Blocks malicious email; Trend Micro Enterprise Security for Gateways; IMSVA; IWSVA; URL filtering; Anti-spam; Contents filtering; Antivirus; VMware / Hyper-V; DMZ; Customer Network; Mail server; DNS.
      *Trend Micro Enterprise Security for Gateways is a comprehensive gateway solution that ships together with the messaging security product “InterScan Messaging Security Virtual Appliance” and the web access security product “InterScan Web Security Virtual Appliance”.
  20. Be prepared for intrusion from devices like USB. Outside-In solution: Trend Micro OfficeScan Corporate Edition
  21. Controls devices brought in and prevents virus intrusion from outside
      With the DLP plug-in option for OfficeScan Corporate Edition, you can control the USB devices that can be used in-house, and thereby reduce the risk of malware infection.
      Diagram labels: OfficeScan Corporate Edition management server; OfficeScan Corporate Edition client; Deploy settings; Log collection; Device control function; Log; Copying forbidden; Inspects data content and monitors/blocks its being taken out; USB memory; Allowed USB memory; Authorized removable memory; Unauthorized removable memory.
      【Reference Information】Trend Micro USB Security: With Trend Micro USB Security, which implements a security function within itself, you can protect your PCs in a more secure way.
      ◆List of our partners◆
  22. What sort of countermeasures do we need?... I wish I knew! Still don’t know which solution is needed…
  23. Professional Service
  24. Diagnose your environment with 25 questions: Security Assessment Tool
      Report contents: Comments on diagnosis; Customers’ status; Comparison with all other businesses diagnosed; Comparison with same business size companies; Comparison with same industries.
      URL: http://satool.trendmicro.co.jp
  25. Trend Micro Internal Threat Assessment
      TMITA is a service which diagnoses whether the network is under cyber attack and whether there are any bots or backdoors. It is a short-term internal network diagnostic service using a monitoring sensor which detects virus behaviours.
      - Trend Micro will place and collect the monitoring sensor.
      - Customers need to set up a mirror port on the switch product that connects to the monitoring sensor.
      - Monitoring period is 1 month.
      Deliverable: Diagnostic report.
  26. Trend Micro Vulnerability Management Services
      TMVMS is… a set of vulnerability management services that turn the vulnerability management life cycle into a process.
      Service components:
      - Diagnosis for external public servers (SaaS service)
      - Diagnosis for internal IT resources (need to install hardware inside target network)
      Advantages of this service: Detects and diagnoses IT resources on your network, automates security audits and can enforce compliance with external rules and internal policies.
      The vulnerability management life cycle: Detection; IT resource prioritization; Assessment and analysis; Improvement; Validation; Policy compliance.
  27. For the world safe for exchanging digital information
      - Services (Trend Micro’s services which support the security solution): Technical support; Monitoring service; Compliance; Professional service; Knowledge sharing; Trend Labs; Trend Micro Smart Protection Network; Regional Trend Labs.
      - Solutions (Trend Micro’s solutions which realize the security solution): Device control; Application control; Antivirus; IDS/IPS; Firewall; Behavior monitoring; Sandbox; Encryption; DLP; Vulnerability mgmt.; Network quarantine; FIM; Anti-spam; Reputation; Visualize attacks.
      - Strategy (3-step approach which protects customers’ assets): Outside-In solution; Inside-Out solution.
      - Assets: Integrity; Availability; Confidentiality.
      - Security Life Cycle (life cycle which enables the security solution effectively): Action; Assessment; Control; Monitoring.
  28. Summary: The proper way to deal with cyber attacks
      - Understand present status: Clearly understand the status of your company. Professional services: Security assessment tools; Trend Micro Internal Threat Assessment; Trend Micro Vulnerability Management Services.
      - Outside-In solution: Create an environment that is hard to attack. OfficeScan Corporate Edition; Trend Micro USB Security; Trend Micro Enterprise Security for Gateways; Trend Micro Deep Security; Deep Security Secure Pack.
      - Exit solution: Create a scheme that detects signs of attack promptly. Block transmission of malware! Trend Micro Threat Management Solution.
  29. Appendix (Future technology section)
  30. Technology and products scheduled for future release. Static Analysis Engine: Addressing Document Vulnerabilities
      Virus Scan Applications Programming Interface+ (VSAPI+): virus scan engine for files.
      - Scanning function: Scans files at binary level and detects malware. Detects vulnerabilities in document files (Document Exploit Engine). Uses pattern files with a high detection rate.
      - Filtering function (extension and data types): Identifies file
      - Decode/Decompress function: Expands files and decompresses compressed files
      - IntelliTrap: Detects files (suspicious files) packed with a packer.
      Tips: The purpose of the Document Exploit Engine. The Document Exploit Engine was developed to deal with targeted attack email messages, which have become a problem in recent years. A feature of targeted attacks is an email message which uses social engineering techniques and carries an attached virus that pretends to be a document file. IPA clearly reports the existence of targeted attack email messages. It also reports that viruses attached to email messages pretend to be word processor document files or PDF files.
      *Source IPA: http://www.ipa.go.jp/security/virus/fushin110.html
  31. Technology and products scheduled for future release. Dynamic Analysis: Sandbox Technology
      - Supported file types: EXE, DLL, LNK, VBS, SWF, PDF, RTF, DOC, PPT, XLS etc.
      - Virtual space (DOC/PDF): information about process behavior, system changes etc.
      - Correlative analysis engine: 23 categories, 500+ rules
      - Output: Malicious file hash value; Malicious URL; Malicious connection address; Various operation log data; Network packet information etc.
  32. Illustration of solution: illustration of future products
      Diagram labels: Smart Protection Network; MTA; IMSVA with Static Analysis Engine; Pass; Dynamic Analysis System; Analysis System; Validation System; Manager; Internal Feedback; Global Feedback; Analysis; steps 1), 2), 3), 4), 5)-a, 5)-b, 6).
      Static analysis engine:
      - ✔ Static analysis of malicious documents
      - ✔ Extremely fast speed (less than 1 sec)
      - ✔ 0day exploit detection
      - ✔ High detection rate: 93 %
      - ✔ Very low false-positive
  33. Appendix (Customer cases section)
  34. Cyber attacks in many places
      - After 2010, cyber attacks have been on an increasing trend.
      - Targets of attacks may change according to social situations.
      - Domestic companies and organizations can be targets as well as global ones.
  35. Cyber attacks ~Incident in Japan~ The cyber attacks on major Japanese defence related companies
      Report from Japanese media (diagram: Attackers; Intermediate Target; Target). Characteristics:
      - Scale of infection: 11 locations throughout Japan, 45 servers, 38 PCs (Attack targets include head offices of Kobe, Nagasaki, Sagamihara and Nagoya.)
      - Viruses: Possibly more than 50 types (spyware, backdoor, downloader and other types)
      - Infection route: Under investigation. Possibly infected from a PC in Nagoya through spoofed email
      - Time of infection: Under investigation. Possibly started in January (came to light because servers abnormally rebooted on 11 August)
      - Damage: Possible leak of some system data; anti-ship missile data may have been leaked to an unsecured external segment.
      - NOTE: Server involved may have been subjected to 300,000 instances of unauthorized access
      Example characteristics of general targeted attack email:
      - Mail spoof type: Related information sent to an unspecified number of companies.
      - Related business spoof type: Email in an appropriate template sent from a sender pretending to be an existing related organization.
      - Specific individual spoof type: Email containing information known only to those involved, pretending to come from an existing acquaintance.
  36. Cyber attacks ~Incident in Japan~ Appendix: Observed malware targeting specific companies in Japan
      Observations:
      - Malware: 8 types (see table on the left): TROJ_PIDIEF.EED ・・・ BKDR_HUPIGON.ZXS, BKDR_HUPIGON.ZUY,… BKDR_HUPIG.B, BKDR_ZAPCHAST.QZ
      - Confirmation that this was a targeted attack aimed at a specified company
      - Period in which attacks occurred: mid-July to early August
      - Real impact unknown
      - Attack scenario: It is hypothesized on the basis of our observations that the attack scenario was as illustrated below
      Diagram labels: Attacker; Attacker’s server; Proxy in the organization; Finally… account passwords to important servers and other information stolen.
      - (1) Attacker sent TROJ_PIDIEF.EED, in a PDF containing an exploit, to the target.
      - (2) When the file was opened, it attacked the Adobe product vulnerability (CVE-2011-0611) and BKDR_ZAPCHAST.QZ automatically infected the PC.
      - (3) In the PC that had been penetrated by BKDR_ZAPCHAST.QZ, the virus collected and sent the following data to the attacker’s server: PC names, IP addresses, OS, proxy data; system times, user names, etc.
      - (4) Based on the information acquired, the target was made to download BKDR_HUPIG.B from the attacker’s server.
      - (5) BKDR_HUPIG.B communicated with the outside, using the acquired company proxy data. The target was also made to download new malware: BKDR_HUPIGON.ZXS, BKDR_HUPIGON.ZUY.
      - (6) There was a subsequent series of malware penetrations and data leakages.
  37. Cyber attacks ~global incidents~ Leakage of RSA SecurID caused attack on Lockheed Martin
      Diagram labels: TARGET; Intermediate target (RSA); Spam filter server; FTP server; File server.
      - (1) Over 2 days, 2 phishing emails were sent to 2 different small groups.
      - (2) The email was recognized as spam and discarded into spam folders, but an employee opened the attached file and executed the malware. A remote tool was installed in a client PC.
      - (3) FTP server account data stolen. Connection to FTP server with confidential data.
      - (4) A RAR file storing passwords was taken from the file server (it is surmised that this was used as a springboard for access via the hosting company’s server).
      - (5) Penetration exploiting data stolen from the intermediate target.
      Target information (surmised): Data related to defense secrets; data related to intellectual property, etc.
      http://www.rsa.com/node.aspx?id=3872
  38. Cyber attacks ~global incidents~ Attack on Iranian nuclear facilities (Siemens of Germany)
      Diagram labels: Information network; Control information network; Control network.
      - (1) Penetrated via an OS or USB vulnerability.
      - (2) Specific backdoor activity in an accessible terminal.
      - (3) Access gained via a backend SQL server, and a vulnerable SCADA system is brought under control.
      http://about-threats.trendmicro.com/RelatedThreats.aspx?language=jp&name=STUXNET+Malware+Targets+SCADA+Systems
  39. Cyber attacks ~Incident in Japan~ A clever attack targeting central government
      - (1) Using the name of a journalist (Hiroko Yasukuri of “Weekly Focus”), an email was sent to 3 parliamentarians from a free AOL address, containing a request for a face photograph for the magazine’s latest weekly issue, with an attachment with the filename photo.zip. (The other 2 parliamentarians thought the message suspicious and deleted it.)
      - (2) One of the parliamentarians opened and viewed the attachment, and this caused infection with trojan horse malware (including a key logger feature).
      - (3) Infection of 4 parliamentarian account servers and 2 management terminals, and infection of 25 parliamentarians’ terminals.
      - (4) Possible unauthorized access to admin servers, mail eavesdropping, leakage of IDs, passwords and documents.
      - (5) Data sent from infected terminals to malicious sites in China, within Japan, and in other foreign countries.
  40. Cyber attacks ~Incident in Japan~ Targeted attack aimed at theft of confidential space industry-related data
      - (1) A message pretending to come from an acquaintance (written in Japanese, with a PDF attachment) was sent to a number of individuals, inviting them to a party. (Other staff thought the message suspicious and deleted the file.)
      - (2) Infection by trojan-horse-type malware, including a keyboard logger feature, when 1 employee who thought that the message was from an acquaintance opened the attached file.
      - (3) Eavesdropping malware collected information on the employee’s terminal when the employee was working on the email system (screenshots, directory lists etc.).
      - (4)-a Data sent from the infected terminal to a server using a Colombia domain.
      - (4)-b On 4 occasions, additional data was downloaded to enhance the malicious program with attack features.
  41. Appendix (Competitive Analysis section) This material is for internal use only – handle with care.
  42. Competitive Positioning (Functional Aspects): Detection Capability Comparison
      Axes: Detection capability; Reactive capacity.
      - ○ Sandbox; ○ AV vendor; ○ TMC advisory reports (Advisory); ○ (TPS); × Only 1 sandbox. Trend Micro can differentiate with service enhancement.
      - ○ Multiple sandboxes; ○ When recognizing a new threat, shows it as “known”; × Only detects (non-AV); × Report depends on SIer. Risk for Trend Micro that they can enhance coverage.
      - ○ Cloud sandbox; ○ Application control; × Non-AV; × Reports depend on SIer. Risk for Trend Micro that they can enhance features by further development.
      - ○ Cloud sandbox; ○ AV vendor; × Can only monitor limited protocols like Web; × Detects only executable files.
      * Based on Trend Micro’s own research and observations. (Ax3/Bx2/Cx1/Dx0)
  43. Competitive Positioning (Distribution/Price Aspects)
      Axes: Price-competitiveness; Partner coverage.
      - Email MPS: 130,000 USD; Web MPS: 130,000 USD; CMS: price unknown. Total about 300,000 USD. Market price around 180,000 USD.
      - Deep Discovery: 43,000 USD; Advisory+: TBD. Expecting market price up to 71,000 USD.
      - They established some partnerships with major SIers and NIers.
      - PA5040 (5Gbps): Units: 90,000 USD; Maintenance: 20,000 USD; IPS licenses: 18,000 USD. Total about 128,000 USD. Market price around 71,000 USD.
      - Low price coupled with their endpoint.
      - 8250 Appliance: 8,3000 USD; Web Gateway licenses: 150,000 USD; URL filtering licenses: 130,000 USD. Total: 280,000 USD. Market price around 178,000 USD. (There is a proposal to give a discount if buying the appliance coupled with their endpoint.)
      - High end hardware only costs 59,000 USD.
      - Enhancing partnership under major SIer.
      ※ Based on Trend Micro’s own research and observations.
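
Slides 5, 8 and 17 describe a backdoor that talks to the attacker's server over HTTP through the organization's own proxy, and an Inside-Out approach that looks for it in outbound traffic rather than in pattern files. The following is an added example of that idea, not code from Trend Micro, IPA or the presentation: it flags client/destination pairs in proxy logs whose requests arrive at near-constant intervals. The log format, addresses, host names, thresholds and function names are assumptions constructed for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not real traffic).
# Assumed format: ISO timestamp, client IP, method, destination host, bytes sent.
SAMPLE_LOG = """\
2011-08-01T09:00:03 10.0.0.15 POST cdn-static.example.net 412
2011-08-01T09:01:10 10.0.0.21 GET news.example.org 530
2011-08-01T09:01:45 10.0.0.21 GET news.example.org 498
2011-08-01T09:05:02 10.0.0.15 POST cdn-static.example.net 409
2011-08-01T09:09:30 10.0.0.21 GET news.example.org 611
2011-08-01T09:10:02 10.0.0.21 GET news.example.org 502
2011-08-01T09:10:04 10.0.0.15 POST cdn-static.example.net 415
this line is malformed and must be skipped
2011-08-01T09:12:00 10.0.0.21 GET mail.example.com 700
2011-08-01T09:15:03 10.0.0.15 POST cdn-static.example.net 410
2011-08-01T09:20:02 10.0.0.15 POST cdn-static.example.net 411
2011-08-01T09:25:04 10.0.0.15 POST cdn-static.example.net 413
2011-08-01T09:31:15 10.0.0.21 GET news.example.org 520
2011-08-01T09:40:00 10.0.0.21 GET mail.example.com 690
2011-08-01T09:58:40 10.0.0.21 GET news.example.org 515
"""


def parse_line(line):
    """Parse one log line; return None if it does not match the assumed format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[3]
    except ValueError:
        return None


def find_beacons(log_text, min_requests=5, max_cv=0.1):
    """Return (client, host) pairs whose request timing looks machine-driven.

    A pair is flagged when it has at least `min_requests` requests and the
    coefficient of variation (stdev / mean) of the gaps between consecutive
    requests is at most `max_cv`. Human browsing produces irregular gaps;
    a backdoor polling its server on a timer produces nearly equal ones.
    Both thresholds are assumptions and need tuning against real traffic.
    """
    stamps_by_pair = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # ignore blank or malformed lines
        ts, client, host = parsed
        stamps_by_pair[(client, host)].append(ts)

    findings = []
    for (client, host), stamps in stamps_by_pair.items():
        if len(stamps) < min_requests:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap == 0:
            continue  # burst in the same second, not a timed check-in
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            findings.append({
                "client": client,
                "host": host,
                "requests": len(stamps),
                "mean_gap_s": round(mean_gap, 1),
                "cv": round(cv, 3),
            })
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

Timing regularity is only one signal: a backdoor that adds large random jitter will not be caught by this check, so flagged pairs are candidates for the specialist review the slides describe, not verdicts.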