Introduction to Advanced Persistent Threats (APT) for non-security engineers
APT for Engineers
IET - Cyber Security for Critical Infrastructure
Ollie Whitehouse, Technical Director
Agenda
APT: definition
APT: manifestation and implementation
APT: mitigation, detection and remediation
Conclusions
definition
Advanced: i.e. not basic
Persistent: i.e. not non-persistent
Threat: i.e. backdoor, remote access, retained control, root kit etc.
APT: definition
Intelligence agencies
Intelligence agencies
Organised criminals
manifestation and implementation
APT: manifestation
http://cyber.lockheedmartin.com/cyber-kill-chain-lockheed-martin-poster https://nigesecurityguy.wordpress.com/2013/06/04/defensible-security-posture/
APT: manifestation - key functions
Command & Control (C2)
Persistence
Security & Defence
Functionality & Maintenance
Ensures remote and desired level of access
Persistent but minimizes forensic artefacts
Minimizes likelihood of detection
Frustrates analysis
Modular, upgradable and versatile
APT: manifestation - goals
In December 2014 NCC Group dealt with the compromise of REDACTED by Shell Crew
http://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf
This actor uses the Derusbi trojan family to maintain access which supports a form of port-knocking.
A program (e.g. on Windows, Mac OS X, Linux, iOS/Android etc.)
A kernel driver (e.g. on Windows, Mac OS X, Linux etc.)
A non-persistent patch to existing code (anything)
A malicious firmware (embedded devices)
APT: implementation
In summer 2014 NCC Group detected a malicious RTF document containing the Havex RAT
We then developed signatures and detected numerous trojaned ICS / SCADA tools in malware zoos
The actor had been compromising ICS / SCADA tool vendor web sites, trojaning legitimate binaries with Havex and waiting for downloads
APT: manifestation
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2014/june/extracting-the-payload-from-a-cve-2014-1761-rtf-document/
APT: manifestation
Cheap(ish) & normally simple deployment
APT: manifestation
Moderately costly & semi-complex deployment
APT: manifestation
Cheap but complex deployment
APT: manifestation
Typically very cheap but variable cost to deployment
Software stacks are today very complex
Re-writable software is everywhere
Cryptographic code signing etc. is not
APT: manifestation - reality
detection
Known knowns = Indicators of Compromise (IOCs)
IOCs = signatures for network traffic or files
APT: detection – known knowns
Monitoring and measurement: network, OS, device
Anomaly detection and investigation using monitoring and measurement
APT: detection – unknown unknowns
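As an added example (not from the slides), the two detection styles above run over constructed host telemetry: IOC matching for the known knowns, and a simple periodicity check over monitored connections for the unknown unknowns. The indicators, host names and log records are all constructed placeholders.

```python
"""Known knowns (IOC matching on file hashes and destinations) and unknown
unknowns (an anomaly check for periodic C2-style beaconing) over a log."""
import statistics
from collections import defaultdict

# Constructed IOCs: placeholders, not indicators from any real report.
IOC_HASHES = {"e3b0c442" * 8}           # SHA-256 of a known-bad binary
IOC_DESTS = {"c2.example.invalid"}      # known command-and-control host

# Constructed host telemetry: (time_s, process, file_sha256, dest_host).
LOG = [
    (0,   "svchost.exe", "1111" * 16, "updates.example.invalid"),
    (5,   "browser.exe", "2222" * 16, "news.example.invalid"),
    (60,  "svchost.exe", "1111" * 16, "updates.example.invalid"),
    (61,  "browser.exe", "2222" * 16, "news.example.invalid"),
    (120, "svchost.exe", "1111" * 16, "updates.example.invalid"),
    (130, "helper.exe",  "e3b0c442" * 8, "cdn.example.invalid"),
    (180, "svchost.exe", "1111" * 16, "updates.example.invalid"),
    (200, "browser.exe", "2222" * 16, "news.example.invalid"),
    (240, "svchost.exe", "1111" * 16, "updates.example.invalid"),
    (250, "helper.exe",  "3333" * 16, "c2.example.invalid"),
]


def match_iocs(log):
    """Known knowns: return (time, process, indicator) for each IOC hit."""
    hits = []
    for t, proc, sha, dest in log:
        if sha in IOC_HASHES:
            hits.append((t, proc, "hash:" + sha))
        if dest in IOC_DESTS:
            hits.append((t, proc, "dest:" + dest))
    return hits


def find_beacons(log, min_events=5, max_cv=0.1):
    """Unknown unknowns: flag (process, dest) pairs whose inter-connection
    gaps are nearly constant, the regular check-in pattern of an implant.
    Returns {(process, dest): mean_gap_s}. Legitimate updaters beacon too,
    so a hit is an investigation lead, not a verdict."""
    times = defaultdict(list)
    for t, proc, _, dest in log:
        times[(proc, dest)].append(t)
    beacons = {}
    for key, ts in times.items():
        if len(ts) < min_events:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            beacons[key] = mean
    return beacons
```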
analysis
observe – from the network or on host
identify – the program code
extract – from the host / device
analyse – statically / dynamically
APT: analysis
mitigation and remediation
APT: mitigation – 2002 proposal
https://en.wikipedia.org/wiki/Next-Generation_Secure_Computing_Base
APT: mitigation - TPMs
https://en.wikipedia.org/wiki/Trusted_Platform_Module
APT: mitigation – UEFI Secure Boot
http://answers.microsoft.com/en-us/windows/forum/windows8_1-security/uefi-secure-boot-in-windows-81/65d74e19-9572-4a91-85aa-57fa783f0759?auth=1
Once we have an OS* we trust
.. we can do things like:
hypervisor-level malicious code scanning
early launch malware detection (Windows)
APT: mitigation
* the caveat is now hardware with DMA access: whether IOMMUs are used, or whether data/code in RAM is otherwise protected from manipulation
putting the advanced in APT
persistent element: encrypted to host
not persistent until shutdown
persisted via secondary host
command and control: adding to legitimate network connections
APT: putting the advanced in APT
Conclusions