© Copyright 2010
Advanced Attack Groups
(Objectives, Tactics, Countermeasures)
February 27, 2013
MANDIANT CORPORATION
Computer Information Security Consulting
Software: Host Inspection/Network Monitoring Tools
Enterprise-Wide Intrusion Investigations
Financial Crimes, National Security Compromises
380+ Investigations Since 2008, >2M and >20K Hosts
Offices: DC, NYC, LA, San Francisco
PCI PFI Certified, FS-ISAC Affiliate Member, GCHQ/CESG/CPNI Cyber Incident Response Pilot
Agenda
Information Targeted By Attackers
Attack Group Profiles
Intrusion Case Examples
Investigative Approach
Why It Continues To Happen
Countermeasures – Strategic and Tactical
The Future
Questions and Answers
Targeted Information
Information Targeted By Attackers
Category       Objective                       Examples
Financial      Personally Identifiable Info    Identity Theft Or Inadvertent Loss
Financial      ATM Withdrawals                 RBS Worldpay $9.3M
Financial      Payment Card Data               TJX, Hannaford, Heartlands
Financial      ACH Transactions                Finance Person Targeted
Intelligence   Intellectual Property           Corporate Misdeeds
Intelligence   Corporate Strategy              Senior Exec E-Mail
Intelligence   Attorney/Client Comm            Gipson Hoffman & Pancione
Intelligence   R&D Material                    Many Industries
Intelligence   Government Plans                Democratic Nat’l Committee
Intelligence   Military Secrets                F35 Lightning Fighter Jet
Intelligence   Energy Infra Architecture       Rumored Data Collection
Other          Destruction/Disruption/Leaks    Insiders, Hacktivists
Major Attack Groups
The Rogue/The Disgruntled
Not As Sophisticated Or Practiced
Limited Resources Available
Smallest Impact
Easier To Investigate Than Other Actors
Hacktivists
Focused On Notoriety/Cause
Loosely Organized: Small Groups
Low (Follow Script) To Moderate (SQL Injection) Skills
Frequent Use Of Publicly Available Tools
Capitalize On Common Security Vulnerabilities
More Disruptive Than Dangerous
Organized Crime
Financially Motivated: Obtain/Sell Info
Good Bankers: Understand ATM/PIN/HSM
Microsoft-Centric: Bypass Mainframe, AS/400
Highly Automated: Move Fast, Reuse Tools
Compromise More Systems Than Used
Persistence Has Not Been A Hallmark
The Advanced Persistent Threat
Focused On Intelligence Gathering and Occupation
Target Specific Organizations
Nation State Sponsored
What It Is Not:
− Botnet/Worm
− Script Kiddies
− Financial Criminals
− “Simplistic” Malware
How The APT Is Different
Motivation & Tenacity
− Their goal is occupation
− Persistent access to network resources
− Political and economic insight
− Future use / fear / deterrent
Organization & Orchestration
− Division of labor
− Malware change management
− Escalation only as necessary
− Countermeasures increase attack sophistication
Technology
− Custom Malware
− Leverage various IP blocks to avoid filtering and detection
− Few sustainable signatures (pack & modify binaries)
− Malware recompiled days before installation
− Constant feature additions
− VPN Subversion
− Encryption
Intrusion Examples
Scareware
Ill-Advised Browsing
iFrame Popup With Virus Warning
Install Rootkit Malware (Broad Functionality)
Charge Victim’s Payment Card
Harvest Victim’s Payment Card Information
Valid Transaction, Rarely Reported
Millions Of Victims
User Awareness Is Primary Defense
Typical APT Attack - Conglomerate
Law Enforcement Notification: April 2010
2007 Phishing Email Attack (Conference Attendance)
93 Systems Compromised
Five Attack Groups Active Concurrently/Independently
Lost Credentials: User, Domain Admin, Service Accounts
1 GB Of Email, Credentials (Incremental Only)
Attacker Focus: Green Fuel Materials, R&D, Mfg Data
Financial Services Attack
Law Enforcement Notification
Server Misconfiguration Attack Vector
In Network Two Months Prior to Theft
Moved Laterally With Blank SA Passwords, RDP
Dumped Credentials From Domain Controller
Compromised/Accessed ~350 Systems
Dumped Several Dozen Records from Target Database
Determined PINs Using IVR Web Service
Made $13M In Withdrawals At 2,300 ATMs
Repeated Attacks from Unmanaged Infrastructure
Investigation: How Do We Investigate?
Conducting Investigations
Determine Incident History, Steps Taken, Technical Environment, Objectives
Collect Relevant Data
Increase Monitoring And Enterprise-Wide Inspection Capabilities As Needed
Conduct Forensic, Log and Malware Analysis To Identify Network And Host-Based Indicators Of Compromise
Identify Attack Vector, Attacker Activities, Compromised Systems/Accounts, Data Exposure
Report Status, Findings, Remediation Recommendations
Investigative Cycle
Primary Sources of Information
Host inspection
Full network monitoring/analysis
Log analysis
− Near real-time
− Historical
Malware reverse engineering
Systems inspection
− Live response analysis
− In-depth forensic analysis
− Memory analysis
Successful Investigations Require
Technical Expertise:
− Forensics, Malware, Log Analysis
Investigative Skills:
− Organize The Situation
− Understand The Attacker
− Recognize/Take The Right Next Step
Management Skills:
− Identification/Elimination of Obstacles
− Communication Skills: When/How Needed
Why Does It Continue To Happen?
Why Does It Continue To Happen?
1. Limited Awareness of:
− The Threats/Attackers/Actors and Their Motives
− What is Possible: Advanced Phishing, Defeating Two-Factor, Obtaining Valid Credentials
2. Lack of Understanding of Actual Attacker Tactics:
− Hacking Web Apps or Staging Phishing Campaigns?
− Using Cached Credentials or Attacking Domain Controllers?
− Using Backdoors, VPN Accounts or Web Shells?
3. Tendency to Focus on “Security Best Practices”:
− Instead of What Attackers Actually Do
4. Lack of Visibility:
− Inadequate Logging - Detail/Retention
− Unmanaged Infrastructure
− Unreconciled M&A Activity
5. Operational Expediency:
− Two-Factor Authentication Is Hard to Administer
− Dealing With Multiple Complex Passwords Creates Issues
− Network Segmentation Makes App Deployment Difficult
6. Misplaced Faith in Compliance Audits:
− Last 50 PCI Breaches – How Many Were Compliant?
7. Spend Money Instead of Time:
− Solving Problems with Technology Is Appealing
− Fixing People Problems Is Hard
− Fixing Process Problems Is Hard/Boring
Addressing The Issues
Addressing The Issues - Strategic
1. Educate Your People, Clients, Suppliers, Partners:
− Security Awareness, Attacker Profiles/Tactics
2. Turn Up Logging/Monitoring, Gain Visibility
3. Obtain Senior Management Awareness/Support
4. Invest in “Appropriate Practices”:
− Focus on People and Process First
− Implement Technology That Addresses True Issues:
  Install Whitelisting on Domain Controllers
  Establish/Enforce Strong Passwords: User, Admin, Service
  Limit Number of Cached Local Credentials
5. Recognize That Execution Trumps Strategy
Addressing The Issues - Tactical
1. Understand What They Do And Take It Away
2. Conduct In Parallel With Investigation
3. Rebuild Systems
4. Whitelist Domain Controllers
5. Remove Local Admin Rights
6. Conduct Enterprise-Wide Credential Change
7. Increase Logging
8. Establish Host Inspection Capability
9. Establish Network Monitoring Capability
10. Segment Networks
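Several of these tactical items (increase logging, establish host inspection and network monitoring) exist so that the lateral movement seen in the financial services case above, an account hopping between hosts over RDP after credentials were dumped from a domain controller, is visible in the record. The following is an added example, not code from the Mandiant deck, of the kind of check that visibility enables: it parses constructed Windows Security 4624 (successful logon) records flattened to one line each and flags any account that reaches an unusual number of distinct hosts by network or RDP logon inside a short window. The line format, the thresholds, and all host, account and IP values are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4624 records, flattened to
# one line each: timestamp, account, logon type, source IP, target host.
# Logon type 10 = RemoteInteractive (RDP), 3 = network (SMB/RPC), 2 = local interactive.
SAMPLE_EVENTS = """\
2010-03-01T02:14:07 CORP\\svc_backup 10 10.1.5.23 FIN-DB01
2010-03-01T02:15:41 CORP\\svc_backup 10 10.1.5.23 FIN-DB02
2010-03-01T02:16:03 CORP\\svc_backup 3 10.1.5.23 FIN-APP07
2010-03-01T02:18:59 CORP\\svc_backup 10 10.1.5.23 HR-FS01
2010-03-01T02:21:30 CORP\\svc_backup 10 10.1.5.23 DC01
2010-03-01T08:02:11 CORP\\jsmith 2 10.1.7.10 WKS-0142
2010-03-01T08:05:47 CORP\\jsmith 3 10.1.7.10 FIN-FS01
2010-03-01T09:30:00 CORP\\jsmith 3 10.1.7.10 PRINT01
2010-03-01T14:40:12 CORP\\svc_backup 3 10.1.5.23 FIN-DB01
"""

# Logon types that represent one host reaching another, i.e. candidate lateral movement.
LATERAL_LOGON_TYPES = {"3", "10"}


def parse_events(text):
    """Parse the flattened 4624 lines into dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, account, logon_type, src_ip, host = parts
        events.append({
            "time": datetime.fromisoformat(ts),
            "account": account,
            "logon_type": logon_type,
            "src_ip": src_ip,
            "host": host,
        })
    return events


def find_fan_out(events, window=timedelta(minutes=30), min_hosts=4):
    """Return {account: sorted hosts} for every account that logs on to at least
    min_hosts distinct machines via network/RDP logons within any sliding window."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["logon_type"] in LATERAL_LOGON_TYPES:
            by_account[ev["account"]].append(ev)

    flagged = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span [start, end] fits in `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            hosts = {e["host"] for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged[account] = sorted(hosts)
                break  # one hit per account is enough to raise it for review
    return flagged


if __name__ == "__main__":
    hits = find_fan_out(parse_events(SAMPLE_EVENTS))
    for account, hosts in hits.items():
        print(f"{account}: {len(hosts)} hosts in one window -> {', '.join(hosts)}")
```

On the sample, the service account is raised because it reaches four hosts within five minutes at 2 a.m., while the ordinary user who touches a file server and a print server over a morning is not. The window and host count are tuning knobs; the point is that the check needs 4624 events with logon type and target host retained across the estate, which is exactly the logging detail and retention the "Lack of Visibility" slide says is usually missing.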
Prioritizing Remediation Initiatives
[Figure: attack lifecycle stages (Initial Recon, Initial Compromise, Establish Foothold, Escalate Privileges, Internal Recon, Move Laterally, Maintain Presence, Complete Mission) mapped against remediation goals (Detect, Inhibit, Respond), with prioritization factors: Threat Intelligence, Operational Complexities, Resource Constraints, Operational Visibility, Business Drivers]
The Future
The Future
We See Progress with Victim Organizations:
− Small Number Unable to Remove Attacker (<5%)
− Small Number Have Another Large Incident (<5%)
− Most Deal Effectively with Subsequent Attacks (90%+)
Greater Market Awareness
More Industry Collaboration
Recognize That “Victory” Is Minimizing Impact
Questions and Answers