Advanced Persistent Threats (APT)
Sasha Browning
Breakdown
• Advanced
  • Combination of attack methods and tools
• Persistent
  • Continuous monitoring and interaction
  • “Low-and-slow” approach
• Threat
  • Attacker is skilled, motivated, organized and well funded
What is an APT?
• Definition
  • Sophisticated attack that tries to access and steal information from computers
• Requirement
  • Remain invisible for as long as possible
Why are APTs Important?
• Then
  • Just because
  • Demonstrate their skills
• Now
  • Attacks have evolved
  • Specific targets
  • Intend to maintain a long-term presence
Problem with APTs
• File size is small
• File names don’t raise any red flags
• Almost always successful
• Undetectable until it's too late
• More frequent
• No one is immune
Targets
• .mil and .gov sites
• Department of Defense contractors
• Infrastructure companies
  • power and water
• CEOs or leaders of powerful enterprises or gov. agencies
Stages of an APT Attack
• Reconnaissance
• Intrusion into the network
• Establishing a backdoor
• Obtaining user credentials
• Installing multiple utilities
• Data exfiltration
• Maintaining persistence
Step 1: Reconnaissance
• Research and identify targets
  • Using public search or other methods
• Obtain email addresses or IM handles
Step 2: Intrusion into the Network
• Spear-phishing emails
  • Target specific people
• Spoofed emails
  • Include malicious links or attachments
• Infect the employee's machine
  • Gives the attacker a foot in the door
Step 3: Establishing a Backdoor
• Try to obtain domain admin credentials
  • Grab password hashes from network DCs
  • Decrypt credentials to gain elevated user privileges
• Move within the network
  • Install backdoors here and there
  • Typically install malware
Step 4: Obtaining User Credentials
• Use valid user credentials
• Average of 40 systems accessed using these credentials
• Most common type of credentials:
  • Domain admin
Step 5: Installing Multiple Utilities
• Utility programs that carry out system administration tasks
  • Installing backdoors
  • Grabbing passwords
  • Getting emails
• Typically found on systems without backdoors
Step 6: Data Exfiltration
• Grab emails, attachments, and files
• Funnel the stolen data to staging servers
  • Encrypt and compress
  • Delete the compressed
Step 7: Maintaining Persistence
• Use any and all methods
• Revamp malware if needed
Problems with APTs
• Self-destructing malware
  • Erases itself if it fails to reach its destination
• Nobody monitors outbound traffic
  • Can look legitimate
• Sniffers
  • Dynamically create credentials to mimic legitimate communication
Disguising Activity
• Process injection
  • Introduces malicious code into a trusted process
  • Conceals malicious activity
• Stub malware
  • Code with only minimal functionality
  • New capabilities are added remotely
  • Runs in the network’s virtual memory
Stopping APTs
• Weakness
  • Interactive access
• Solution
  • Find the link between you and the attacker
  • Block it
• Afterwards
  • Attacker will have to re-infect a new host
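The "find the link and block it" idea above, together with the earlier point that nobody monitors outbound traffic, is the basis of beacon detection: a low-and-slow implant checks in on a timer, so its outbound requests have near-constant spacing. The script below is an added illustration, not part of the original slides; it assumes a constructed proxy-log format of "epoch src dst bytes" and flags (src, dst) pairs whose intervals are suspiciously regular.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample proxy log (not from the original slides):
# "<epoch_seconds> <src_ip> <dst_host> <bytes_out>"
SAMPLE_LOG = """\
1000 10.0.0.5 cdn.example.net 5120
1003 10.0.0.5 mail.example.org 800
1600 10.0.0.5 beacon-host.example 310
1900 10.0.0.5 files.example.com 20480
2200 10.0.0.5 beacon-host.example 305
2800 10.0.0.5 beacon-host.example 312
3400 10.0.0.5 beacon-host.example 308
3500 10.0.0.5 cdn.example.net 9000
4000 10.0.0.5 beacon-host.example 311
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)$")

def parse_log(text):
    """Return (timestamp, src, dst, bytes_out) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, size = m.groups()
            events.append((int(ts), src, dst, int(size)))
    return events

def find_beacons(events, min_hits=4, max_cv=0.15):
    """Flag (src, dst) pairs whose inter-request gaps are near-constant.

    Timer-driven check-ins have a small coefficient of variation
    (stdev / mean) across their gaps; human-driven browsing does not.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in sorted(events):
        by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue  # too few observations to judge regularity
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps, not a timer
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "hits": len(stamps),
                             "interval": avg, "cv": round(cv, 3)})
    return findings

if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}: {f['hits']} hits every ~{f['interval']:.0f}s (cv={f['cv']})")
```

Real implants add jitter, so in practice the threshold is tuned per environment and combined with destination reputation and request-size consistency before anything is blocked.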
Summary
• Targets are carefully selected
• Persistent
  • Will not leave
  • Changes strategy/attack
• Control focused
  • Not financially driven
  • Crucial information
• It's automated, but on a small scale
  • Targets a few people