
Advanced Targeted Malware or Advanced Persistent Threat without the marketing BS

Upload: jeffry-black

Post on 13-Jan-2016





TRANSCRIPT

Page 1: Advanced Targeted Malware or Advanced Persistent Threat without the marketing BS

Advanced Targeted Malware or

Advanced Persistent Threat

without the marketing BS

Page 2

APT in this presentation

• The original meaning, when the US Air Force coined the phrase
• Before it started being used by every IT security vendor, anti-malware vendor, and everyone with “Cyber” in their marketing portfolio

Page 3

Agenda

• What APT is – its background/history
• Detection and elimination
• The people and what they attack
• The on-going fight
• Reminder checklist
• Some difficult truths
• Questions

Page 4

APT

• Targeted malware with the intent to
– Enter your estate
– Stay in your estate
– Obtain your data

• Commercial advantage
• Technology leapfrog
• etc.

Page 5

APT is a new threat

• Wrong
– Very wrong

• Instances of well developed attacks and associated malware seen since before 2006

• Some folks working on these issues since perhaps as early as 2002

• Candidly, if you haven’t seen this stuff you probably are not looking properly.

Page 6

APT family

• It isn't
– A single attack type
– A single type of malware
– A single attack group

Page 7

APT Family

• It is
– A range of attack types
• Spearphishing
• Generic social-engineered attacks
• Very well targeted social-engineering attacks
• Targeted drive-by attacks

– A range of malware types
• Relatively simple through to
• Quite sophisticated
• Perhaps 7 to 9 different levels of complexity
• Attackers generally use the simplest malware that will do the job

Page 8

APT Activity

• Gain a foothold that can obtain command and control instructions
– Via some quite interesting approaches
• “Interactive” sessions
• Instructions by hidden means, e.g. inside JPEG images

• Usually (always?) via other parties
– Other compromised companies/web sites
– University systems
– “Mom & pop shops”
– Compromised systems unlikely to initiate a web connection to …

• Knowledge of these “other parties” can often lead to the discovery of new victims … more on that later
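The “hidden means” bullet above deserves a concrete check. The following is an added example, not code from the presentation: it walks the marker segments of a JPEG to find the real End-Of-Image marker and reports any bytes appended after it, which is one cheap way of carrying tasking inside a picture that still renders normally. The sample image is constructed for the example (structurally valid, not decodable); the payload string is invented. A naive search for the last FF D9 is not enough, because the appended data may itself contain that byte pair, so the segment walk is what makes the check reliable.

```python
"""
Added example, not code from the presentation: detect data hidden after the
JPEG End-Of-Image (EOI) marker. Appending instructions behind a valid image
is one cheap way of delivering command-and-control tasking "by hidden means";
viewers ignore the extra bytes, so the picture still displays normally.
The sample image below is constructed for this example and is not decodable.
"""
import struct

SOS, EOI = 0xDA, 0xD9
# Markers that carry no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))


def jpeg_eoi_offset(data: bytes) -> int:
    """Walk the marker segments of a JPEG and return the offset just past EOI.

    Searching for the last FF D9 in the file is not enough: the appended
    payload may itself contain FF D9, which would hide part of it. Walking
    the segments finds the EOI that actually terminates the image.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker, not a JPEG")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # skip fill bytes
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker")
        marker = data[pos]
        pos += 1
        if marker == EOI:
            return pos
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment length")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:
            raise ValueError("bad segment length")
        pos += length
        if marker == SOS:
            # Entropy-coded scan data follows; it ends at the first marker that
            # is neither a stuffed FF 00 byte nor a restart marker RST0-RST7.
            while True:
                nxt = data.find(b"\xff", pos)
                if nxt == -1 or nxt + 1 >= len(data):
                    raise ValueError("no marker after scan data")
                nxt_byte = data[nxt + 1]
                if nxt_byte == 0x00 or 0xD0 <= nxt_byte <= 0xD7:
                    pos = nxt + 2
                    continue
                pos = nxt
                break
    raise ValueError("no EOI marker found")


def trailing_payload(data: bytes) -> bytes:
    """Bytes after the real end of the image; b'' for a clean file."""
    return data[jpeg_eoi_offset(data):]


def build_sample_jpeg(payload: bytes = b"") -> bytes:
    """Constructed, structurally valid (but not decodable) JPEG for the demo:
    JFIF APP0 header, a one-component SOS header, a little scan data that
    includes a stuffed FF 00 and an RST0 marker, then EOI and the payload."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + payload


if __name__ == "__main__":
    # Invented payload; note it contains FF D9 itself, which a naive search would trip over.
    hidden = build_sample_jpeg(b"task=sleep;next=90d\xff\xd9tail")
    print("clean :", trailing_payload(build_sample_jpeg()))
    print("hidden:", trailing_payload(hidden))
```

Run this on images fetched through the proxy or pulled from a sandbox: a non-empty result is not proof of anything on its own (some cameras and editors append metadata), but a trailing blob on an image fetched by a host that has no business fetching it is worth a look, and the check is cheap enough to run on every object.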

Page 9

What a rush!

• There is no rush, from the attacker's point of view

• Marathon, not sprint
• Sleeper malware
– Long-period beaconing
• Check in only every few months

• A bit more on this later…

Page 10

Elimination

• How do you get rid of it after you first detect it?

– Or after you have had a tip-off that you might have a problem

– You may get a tip-off from…

Page 11

Whack-a-Mole?

• Very dynamic – lots of IT folks doing stuff

• But dangerous and not very effective

• Attackers will notice
• They will change attack approach
• They will remain in your estate

Page 12

Structured approach

You will probably need help with some of this

Who you gonna call?
• Competent
• Capable
• Trusted

• Much less fun, much harder work, much more effective
– Detect/locate
– Prepare/Understand
– Disconnect
– Eliminate
– Protect
– Future processes
– Re-connect
– The new normal

Page 13

Detection

• Log file analysis
– DNS, DHCP, VPN, firewall, IDS/IPS, proxy, AV

• Network analysis
– Packet capture and analysis, network sensors

• Host capability
– Process maps, memory maps, file structures, registry contents, file contents

• One third / one third / one third (roughly equal share of detections from each of the three)
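Two of the log-analysis checks this slide, and the “sleeper malware” and “other parties” slides before it, point at, worked through in code. This is an added example, not code from the presentation: the proxy log format (“timestamp src_ip dest_host status”), the log lines, the hosts (reserved .test names) and the thresholds are all constructed for the example. The first check looks for one host contacting a rarely used destination at a long, regular interval; the second starts from a destination already known to be a compromised third party and lists every internal host that has talked to it.

```python
"""
Added example, not code from the presentation: two checks over proxy logs.

  1. Long-period, regular check-ins from one host to a destination that few
     other hosts use (the "sleeper malware, check in only every few months"
     pattern from the deck).
  2. Pivoting from a destination already known to be a compromised third
     party to every other internal host that has contacted it.

The log format is an assumption: "<ISO timestamp> <src_ip> <dest_host>
<status>". The lines, hosts (reserved .test names) and thresholds are
constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
import statistics

SAMPLE_LOG = """\
2015-01-03T02:14:07 10.1.1.25 shop.example-momandpop.test 200
2015-01-03T09:10:11 10.1.1.40 www.example-news.test 200
2015-03-04T02:14:09 10.1.1.25 shop.example-momandpop.test 200
2015-03-05T11:00:00 10.1.1.41 www.example-news.test 200
2015-05-03T02:13:58 10.1.1.25 shop.example-momandpop.test 200
2015-05-03T17:45:00 10.1.1.77 shop.example-momandpop.test 200
2015-07-02T02:14:12 10.1.1.25 shop.example-momandpop.test 200
2015-07-02T08:00:00 10.1.1.40 www.example-news.test 200
2015-07-02T08:01:00 10.1.1.40 cdn.example-news.test 200
"""


def parse_log(text):
    """Turn the constructed log lines into (timestamp, src_ip, dest_host)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _status = line.split()
        events.append((datetime.fromisoformat(ts), src, dst))
    return events


def beacon_candidates(events, min_hits=3, min_interval_days=14.0,
                      max_jitter=0.05, max_sources=2):
    """(src, dst) pairs with at least min_hits contacts, a mean gap of at
    least min_interval_days, low jitter (stdev/mean), to a destination used
    by at most max_sources internal hosts. Thresholds are tuning assumptions."""
    by_pair = defaultdict(list)
    sources_per_dst = defaultdict(set)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
        sources_per_dst[dst].add(src)
    found = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_hits or len(sources_per_dst[dst]) > max_sources:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if mean / 86400 >= min_interval_days and jitter <= max_jitter:
            found.append({"src": src, "dst": dst, "hits": len(stamps),
                          "mean_interval_days": mean / 86400, "jitter": jitter})
    return found


def pivot_from_known_bad(events, known_bad):
    """Map each known-bad destination to the sorted internal hosts that
    talked to it: the list of systems to triage next."""
    contacts = defaultdict(set)
    for _ts, src, dst in events:
        if dst in known_bad:
            contacts[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in contacts.items()}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for c in beacon_candidates(ev):
        print("beacon? {src} -> {dst}: {hits} hits, every {mean_interval_days:.1f} days, "
              "jitter {jitter:.4f}".format(**c))
    print(pivot_from_known_bad(ev, {"shop.example-momandpop.test"}))
```

Two practical points fall out of this. First, three hits at a two-month period need well over four months of proxy logs, so a check-in interval of “every few months” is only detectable if log retention is measured in years; that is part of why the approach takes time. Second, the strongest signal is not the regularity but the rarity of the destination across your estate: a small compromised shop or a university host that one workstation keeps talking to is exactly the kind of intermediary the deck describes, and once it is known, the pivot gives you the next hosts to examine.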

Page 14

Prepare/Understand

• Do you know your estate?
– Network connections
– Password policies
– Password and application interactions

• Understand how the malware works
– Command and control
– How it persists
– How it moves / how it is moved

Page 15

Structured approach

• Detect/locate
• Prepare/Understand
• Disconnect
• Eliminate
• Protect
• Future processes
• Re-connect
• New normal

Page 16

New Normal

• They will re-attack
• They will get in
• Your processes have to:
– Detect
– Investigate
– Eliminate
– Adapt

Page 17

The Human Element

• Groups
– Developers
– Doers
– Follow-up

• Below the radar
– Working patterns
– Comms patterns

• Multiple groups?
– Probably
– May not always be aware of each other

Page 18

They are only human

• Oops!
– Human script followers
• Identified keyboard drivers
• Typos
• Mistakes
• Repeated commands
• May not be sure of where they are
• Sometimes careless/sloppy
– Compressed archives not fully deleted

Page 19

The Attack Surface

• Microsoft / Adobe / Java
– Because they are the most popular platforms.

“I rob banks ‘cause that’s where the money is”

• Patching and the role it can play…

Page 20

The products that fix the problem

• Unfortunately, none
• Needs a structured approach to robust monitoring and a number of products to help manage the risk
• An approach based on
– People, at all levels of the organisation
– Process
– Technology
In that order of priority

Page 21

The approach that handles the problem

• This is about our approach, but others have similar.
• SOC – multi-geography, 24 hours, 365 days
• Evolution of tools
– Externally sourced
– Internally sourced

• Evolution of people skills
– Better understanding of the subject
– Better analysis skills

Page 22

Tools

• Log consolidation and analysis
– DHCP, DNS, proxy, firewall, IDS, VPN, etc.

• Network traffic monitoring and analysis
• Host data capture
– To aid in incident identification
– To aid in incident investigation

Page 23

Tool Effectiveness

• Initially
– 34% / 33% / 33% (log / network / host)

• Now
– 65% / 30% / 5% (log / network / host)

• Future?
– 45%? / 50%? / 5%? (log / network / host)

Page 24

The approach takes time

Page 25

Summary

• Bad folks are doing bad stuff very well
• They see it as a huge commercial benefit
• We need to get better at detecting/eliminating/protecting
• It can be done, but must be done in a structured and on-going fashion to be effective
• It is an evolving threat, so there are no “fit and forget” solutions

Page 26

Remember, you may have to….

• Detect/locate
• Prepare/Understand
• Disconnect
• Eliminate
• Protect
• Future processes
• Re-connect
• New normal

Page 27

Difficult Truths

• Safe harbours will continue to exist

• Traditional prevention and detection has failed

• Governments cannot prevent intrusions

• Data loss is inevitable

• Attacks will continue

• Companies often breached for years

Page 28

Additional Reading

• http://www.rsa.com/innovation/docs/sbic_rpt_0711.pdf
– Write-up from RSA on the threat and what can be done to help reduce the risk and the impact.

Page 29

Any Questions?