Advanced Persistent Threat (APT)
Presented by: QuratulAin Najeeb
Agenda
• Advanced persistent threat
• Stages of APT
• Problems in detection
• Events
• Detection framework
Advanced Persistent Threat: Biggest Cyber Security Threat of 2013
Advanced: use of advanced techniques
Persistent: remains in the system for a long period; "low" and "slow"
Threat: the agenda is stealing data

Elements of APT
APT characteristics:
• Don't destroy systems
• Don't interrupt normal operation
• Try to stay hidden and keep the stolen data flowing
• Trick a user into installing malware (spear-phishing)
Stages of APT
1. Reconnaissance: collecting information about the organization's resources
2. Delivery: spear-phishing emails are prepared and sent
3. Exploitation: a command-and-control connection is built from the targeted employee's machine via remote access
4. Operation: persistent presence in the network and gaining access to data
5. Data collection: information is packed, compressed and encrypted
6. Exfiltration: data is moved over channels to various external servers
APT Example
Step 1: Recon. Sources: Twitter, Starbucks, LinkedIn, sniffing.
Captured: email address ([email protected]), friend's email ([email protected]), interests (www.ITECH-2013.com)
"Hey look! An email from Engineer2. With a catalog attached!" Spoofed, of course. "Most certainly clicking here."
Step 2: Targeted attack. The email carries the link "CLICK HERE TO VIEW 'ITECH' EVENT 2013".
Step 3: Gaining access. The PDF gets clicked, code gets dropped, the backdoor is opened.
Step 4: Command & control. The attacker connects to the listening port, i.e. remote access.
Step 5: Data packaging. At this point, the attacker could do any number of things to get more sensitive data.
New APT Model
Attack tree: a means of identifying the potentially vulnerable elements on the way to the targeted data.
Attack tree of an APT aimed at source data (figure; nodes joined by AND)

Attack Model: Problem
An attack path may go across multiple planes.

Planes and their events:
  Physical     Physical devices, working location
  User         Recording sensitive data access
  Network      Firewall / logs / IDS/IPS
  Application  Information delivered through the gateway

Solution: event logging for APT detection
Candidate events -> Suspicious events -> Attack events

Attack Pyramid
Attack Pyramid unfolded
Detection Framework
Alert system using algorithms:
  G = {G1, ..., Gn}       (attack contexts)
  Gi = {P1, ..., Pn}      (planes within context i)
  Pi = {e1, ..., eK}      (events on plane i)
Put together the events relevant to an attack context.
Detection rules:
• Signature based rules (e.g. connecting to a blacklisted domain)
• Anomaly detection rules (e.g. sending more data than usual)
• Policy based rules (e.g. overloaded VPN connection)
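The following is an added illustration of the detection framework described above (grouping multi-plane events into attack contexts and running signature, anomaly and policy rules over each context). It is example code written for this transcript, not code from the deck or from the papers it references. The event layout, the blacklist, the outbound-traffic baseline, the VPN session limit and the suspicious/attack grading are all constructed assumptions chosen to make the example runnable.

```python
"""Toy detector in the style of the Attack Pyramid framework.

Events from several planes (physical, user, network, application) are grouped
into attack contexts G = {G1..Gn}; each Gi holds per-plane event lists P1..Pn,
and three rule families run over every context: signature based, anomaly based
and policy based.  Example code added to the transcript, not the deck's own.
Event layout, blacklist, baseline, VPN policy and grading are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# (timestamp, plane, principal, kind, value); principal = host or user concerned
Event = Tuple[int, str, str, str, object]
Alert = Tuple[str, str]  # (rule family, message)

# Constructed sample events (not real telemetry)
SAMPLE_EVENTS: List[Event] = [
    (100, "network", "ws-17", "dns_query", "cdn.updates-example.test"),
    (101, "network", "ws-17", "dns_query", "c2.blacklisted.test"),
    (102, "user", "ws-17", "file_access", "finance/payroll.xlsx"),
    (103, "application", "ws-17", "archive_created", "tmp/out.7z"),
    (104, "network", "ws-17", "bytes_out", 950_000),
    (200, "network", "ws-03", "dns_query", "intranet.corp.test"),
    (201, "network", "ws-03", "bytes_out", 52_000),
    (300, "network", "alice", "vpn_session", "vpn-gw-1"),
    (301, "network", "alice", "vpn_session", "vpn-gw-1"),
    (302, "network", "alice", "vpn_session", "vpn-gw-2"),
    (303, "physical", "alice", "badge_in", "hq-door-2"),
]

BLACKLIST = {"c2.blacklisted.test"}                            # constructed
BASELINE_BYTES_OUT = [40_000, 55_000, 48_000, 61_000, 50_000]  # constructed
MAX_VPN_SESSIONS = 2                                           # constructed


def build_contexts(events: List[Event]) -> Dict[str, Dict[str, List[Event]]]:
    """Gi = {P1..Pn}: one context per principal, events bucketed by plane."""
    contexts: Dict[str, Dict[str, List[Event]]] = defaultdict(lambda: defaultdict(list))
    for ev in events:
        _, plane, principal, _, _ = ev
        contexts[principal][plane].append(ev)
    return contexts


def signature_rule(ctx: Dict[str, List[Event]]) -> List[Alert]:
    """Signature based: a DNS query for a blacklisted domain."""
    return [("signature", f"DNS query to blacklisted domain {v}")
            for (_, _, _, kind, v) in ctx.get("network", [])
            if kind == "dns_query" and v in BLACKLIST]


def anomaly_rule(ctx: Dict[str, List[Event]], baseline=BASELINE_BYTES_OUT) -> List[Alert]:
    """Anomaly based: outbound volume above mean + 3 sigma of the baseline."""
    threshold = mean(baseline) + 3 * pstdev(baseline)
    return [("anomaly", f"bytes_out {v} exceeds baseline threshold {threshold:.0f}")
            for (_, _, _, kind, v) in ctx.get("network", [])
            if kind == "bytes_out" and v > threshold]


def policy_rule(ctx: Dict[str, List[Event]], limit=MAX_VPN_SESSIONS) -> List[Alert]:
    """Policy based: more concurrent VPN sessions than policy allows."""
    sessions = [ev for ev in ctx.get("network", []) if ev[3] == "vpn_session"]
    if len(sessions) > limit:
        return [("policy", f"{len(sessions)} VPN sessions, policy allows {limit}")]
    return []


RULES = (signature_rule, anomaly_rule, policy_rule)


def grade(alerts: List[Alert]) -> str:
    """Pyramid level (constructed): one rule family fires -> suspicious;
    two or more families agree on the same context -> attack."""
    families = {fam for fam, _ in alerts}
    return "attack" if len(families) >= 2 else "suspicious"


def detect(events: List[Event]) -> Dict[str, dict]:
    """Run every rule over every context; return only contexts with alerts."""
    findings: Dict[str, dict] = {}
    for principal, ctx in build_contexts(events).items():
        alerts = [a for rule in RULES for a in rule(ctx)]
        if alerts:
            findings[principal] = {"planes": sorted(ctx),
                                   "alerts": alerts,
                                   "level": grade(alerts)}
    return findings


if __name__ == "__main__":
    for principal, f in detect(SAMPLE_EVENTS).items():
        print(f"{principal}: {f['level']} (planes: {', '.join(f['planes'])})")
        for fam, msg in f["alerts"]:
            print(f"  [{fam}] {msg}")
```

With the constructed data, ws-17 raises both a signature alert (blacklisted domain) and an anomaly alert (outbound volume far above its baseline) across the network, user and application planes, so it is graded as an attack context; alice raises only a policy alert and stays at the suspicious level; ws-03 raises nothing and is not reported. The point of keying contexts by principal is that evidence from different planes lands in the same Gi, which is what the framework relies on to promote candidate events to attack events.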
Conclusion
The research papers define APT and propose an attack model for the detection problem, i.e. the Attack Pyramid.
Thank you
Q/A
References
http://www.research.att.com/techdocs/TD_101075.pdf (2012)
http://www.infosecurityproject.com/2012/Download/K7_Advanced%20Persistent%20Threat%20and%20Modern%20Malware_Jones%20Leung.pdf