Page 1

APT in Corporate America and the Exposure to Foothold Scenarios

Nathaniel Puffer, Technical Lead, Neohapsis Labs

Page 2

Background Shaping My Views

• Public Sector consulting across verticals
  • Penetration Testing
  • Forensics
• Publicly available information
• Peer groups within the penetration testing community

Page 3

Cyber-warfare will be most effective as a way to force Nation-States to look inward, or weaken resolve

It is better to rely on footholds than rely on previously unknown exploit code at the critical moment

It is preferable to leverage exploit code as close to the time of discovery as possible

Page 4

An Outsider's View of Cyber-War

• Estonia
  • Online banking was unavailable
  • Disruption of Government Services
• Cyber Shockwave
  • Table Top Exercise
  • Scenarios involved loss of use for cellular networks, power grid
• CIA / DoD friendly fire?
  • Forcible removal of a known intelligence asset

Page 5

Compared to Corporate Breaches

• Heartland Payment Systems
  • Organized group of individuals
  • Largest payment card breach
• Aurora
  • Focus on Silicon Valley technology firms
  • Loss of Intellectual property

Page 6

Classification

Cyberwar
• Denial of Service (DoS)
  • Estonia
• 0-Day Exploitation
  • Cyber Shockwave
• Leverage Known Insecurity
  • CIA/DoD Asset

Corporate Breaches
• Blended use of 0-Day and known attacks
• Significant time between initial breach and detection/leverage

Page 7

0-Day Exploits

• Require investment in time, skill
• Have a window of effectiveness
  • Changes to the target systems
  • Discovery and exposure by third parties
• Why Stockpile 0-Day?
  • Metaphorical Arsenal
  • An effective way to win laptops

Page 8

0-Day, Disclosure, and COTS

Discover → Weaponize → Store → Exploit

Page 9

But Your Systems Are My Systems

• Reliance on Commercial Off the Shelf Components (COTS)
• What if you’re using the same systems?
• What if the companies that people rely on are using the same systems?

Cyber-warfare will be most effective as a way to force Nation-States to look inward, or weaken resolve

Page 10

Competing Motivations

• Offensive
  • Keep knowledge and weaponized code a secret
  • You maintain short-term capability but leave organizations you depend on exposed
• Defensive
  • Disclose knowledge to vendors and assist with fixing problems
  • You place an expiration on your capability; requires timing and discretion to not have exposure and public exploit code
• Attempted Hybrid
  • Disclose issues to vendors, keep weaponized code a secret
  • Core Impact, Immunity Canvas
  • Attempt to keep NDA; manipulate timing
  • Goal is to reach a fixed state

Page 11

Logical Offensive Capability - Foothold

• Research security issues in systems to find weaknesses
• Maintain a well-organized vendor disclosure program
  • Provide assistance to vendors; Pressure vendors
  • Promote public disclosure
  • Provide hooks into corporate vulnerability management
• Exploit target systems
  • Maintain presence
  • Ensure survivability after the fix is released

Page 12

Plausible?

Heartland Payment Systems
• Systems were compromised for over a year
• Initial off the shelf malware was detected
• ‘Anti-virus’ did its job, Whew!
• Custom malware was introduced
• Pop, Pivot, Repeat
• Detection was due to fraud, by a system specifically designed to catch fraud
• Additional signs were there

Page 13

Plausible?

Aurora
• Google blows the whistle in January
• 20 companies targeted, interrelated malware
• “The major pattern of attacks previously identified as occurring in mid-December 2009 targeting Google appear to originate in July 2009 from mainland China”
  • http://www.damballa.com/research/aurora/
• Detected on egress to command and control, internal behavior
• Of all the companies impacted, timelines on AV response indicate Google was the first that discovered / disclosed

Page 14

Anecdotal Accounts

Verizon Business
• Presentation at the PCI group meeting in Las Vegas
• An attacker had built a network diagram more detailed than any owned by the corporation

Mandiant
• Corporate systems in Florida
• Initial breach of a limited number of systems leads to a realization that thousands of nodes are compromised

Page 15

Defensive Solutions

The purpose of corporations, groups we rely on for our way of life, is to make money; not to run the most secure networks

• Shore up loopholes for Financial Disclosure
  • “Misrouted Funds”
• Promote additional legal requirements for disclosure
• Look for macro-correlation and trends
• Provide financial incentives for Vendors to create secure code
• Provide regulatory and incentive based “carrot and stick” to maintain secure systems

Page 16

Thank you

Questions and Feedback [email protected]