1 / 16

APT in Corporate America and the Exposure to Foothold Scenarios

Nathaniel Puffer Technical Lead, Neohapsis Labs. APT in Corporate America and the Exposure to Foothold Scenarios. Background Shaping My Views. Public Sector consulting across verticals Penetration Testing Forensics Publically available information

paniz
Download Presentation

APT in Corporate America and the Exposure to Foothold Scenarios

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Nathaniel Puffer Technical Lead, Neohapsis Labs APT in Corporate America and the Exposure to Foothold Scenarios

  2. Background Shaping My Views • Public Sector consulting across verticals • Penetration Testing • Forensics • Publically available information • Peer groups within the penetration testing community

  3. Cyber-warfare will be most effective as a way to force Nation-States to look inward, or weaken resolve It is better to rely on footholds than rely on previously unknown exploit code at the critical moment It is preferable to leverage exploit code as close to the time of discovery as possible

  4. An Outsiders View of Cyber-War • Estonia • Online banking was unavailable • Disruption of Government Services • Cyber Shockwave • Table Top Exercise • Scenarios involved loss of use for cellular networks, power grid • CIA / DoD friendly fire? • Forcible removal of a known intelligence asset

  5. Compared to Corporate Breaches • Heartland Payment Systems • Organized group of individuals • Largest payment card breach • Aurora • Focus on Silicon Valley technology firms • Loss of Intellectual property

  6. Classification Cyberwar Corporate Breaches Blended use of 0-Day and known Attacks Significant time between initial breach and detection/leverage • Denial of Service (DoS) • Estonia • 0-Day Exploitation • Cyber Shockwave • Leverage Known Insecurity • CIA/DoD Asset

  7. 0-Day Exploits • Require investment in time, skill • Have a window of effectiveness • Changes to the target systems • Discovery and exposure by third parties • Why Stockpile 0-Day? • Metaphorical Arsenal • An effective way to win laptops

  8. 0-Day, Disclosure, and COTS

  9. But Your Systems Are My Systems • Reliance on Commercial Off the Shelf Components (COTS) • What if you’re using the same systems? • What if the companies that people rely on are using the same systems? Cyber-warfare will be most effective as a way to force Nation-States to look inward, or weaken resolve

  10. Competing Motivations • Offensive • Keep knowledge and weaponized code a secret • You maintain short-term capability but leave organizations you depend on exposed • Defensive • Disclose knowledge to vendors and assist with fixing problems • You place an expiration on your capability; requires timing and discretion to not have exposure and public exploit code • Attempted Hybrid • Disclose issues to vendors, keep weaponized code a secret • Core Impact, Immunity Canvas • Attempt to keep NDA; manipulate timing • Goal to is reach a fixed state

  11. Logical Offensive Capability - Foothold • Research security issues in systems to find weaknesses • Maintain a well organized vendor disclosure program • Provide assistance to vendors; Pressure vendors • Promote public disclosure • Provide hooks into corporate vulnerability management • Exploit target systems • Maintain presence • Ensure survivability after the fix is released

  12. Plausible? • Heartland Payment Systems • Systems were compromised for over a year • Initial off the shelf malware was detected • ‘Anti-virus’ did its job, Whew! • Custom malware was introduced • Pop, Pivot, Repeat • Detection was due to fraud, by a system specifically designed to catch fraud • Additional signs were there

  13. Plausible? • Aurora • Google blows the whistle in January • 20 companies targeted, interrelated malware • “The major pattern of attacks previously identified as occurring in mid-December 2009 targeting Google appear to originate in July 2009 from mainland China” • http://www.damballa.com/research/aurora/ • Detected on egress to command and control, internal behavior • Of all the companies impacted, timelines on AV response indicate Google was the first that discovered / disclosed

  14. Anecdotal Accounts • Verizon Business • Presentation at the PCI group meeting in Las Vegas • An attacker had built a network diagram more detailed than any owned by the corporation • Mandiant • Corporate systems in Florida • Initial breach of a limited number of systems leads to a realization that thousands of nodes are compromised

  15. Defensive Solutions • The purpose of corporations, groups we rely on for our way of live, is to make money; not to run the most secure networks • Shore up loopholes for Financial Disclosure • “Misrouted Funds” • Promote additional legal requirements for disclosure • Look for macro-correlation and trends • Provide financial incentives for Vendors to create secure code • Provide regulatory and incentive based “carrot and stick” to maintain secure systems

  16. Thank you Questions and Feedback Welcome! npuffer@neohapsis.com

More Related