Sherlock Holmes and the Case of the Advanced Persistent Threat
RSA Laboratories
April 24, 2012
Ari Juels, Ting-Fang Yen
In the news
What is APT?
• Advanced
– “Operate[s] in the full spectrum of computer intrusion.” [Bejtlich’10]
• Persistent
– Maintains presence
– Targeted
• Threat
– Well-resourced, organized, motivated
Is this new?
• Who cares?
|                       | Traditional attackers                         | APT                                           |
|-----------------------|-----------------------------------------------|-----------------------------------------------|
| Means of exploitation | Software vulnerabilities, Social engineering  | Software vulnerabilities, Social engineering  |
| Objective             | Spam, DoS attack, Identity theft              | Espionage, Intellectual property theft        |
| Motive                | Fame, Financial gain                          | Military, Political, Technical                |
| Target                | Machines with certain configurations          | Users                                         |
| Scope                 | Promiscuous                                   | Specific                                      |
| Timing                | Fast                                          | Slow                                          |
| Control               | Automated malware                             | Manual intervention                           |
How does it work?
• Social Engineering
• Command-and-Control
• Lateral Movement
• Data Exfiltration
An APT isn’t a playbook. It’s a campaign.
Let’s explore the possibilities…
The Adventure of the Red-Headed League
[ From north, south, east, and west every man who had a
shade of red in his hair had tramped into the city to answer the
advertisement. Fleet Street was choked with red-headed folk...]
The Red-Headed-League Attack: Encompass a victim in a general event that
conceals a targeted attack.
Example: A Red-Headed Botnet
Other Red-Headed Attacks
• Open source software
• Social networks
– “Friend-finding” feature [Irani et al.’2011]
• Free USB sticks
The Adventure of the Blue Carbuncle
[ I was leaning against the wall at the time and looking at the geese
which were waddling about round my feet, and suddenly an idea came
into my head...]
The Blue-Carbuncle Attack: Conceal unauthorized communications within
commonplace objects or activities.
Blue Carbuncles in APTs
• HTTP, FTP
A Scandal in Bohemia
[The alarm of fire was admirably done. The smoke and
shouting were enough to shake nerves of steel. She
responded beautifully.]
The Bohemian-Scandal Attack: Create disturbances to the victim to obtain
intelligence about a target resource.
A Bohemian APT
• Recommended responses to a breach…
• …can reveal:
– Location of valuables
– Critical services
– What you know about the attack
The Adventure of the Speckled Band
[… it became clear to me that whatever danger threatened an occupant of the room could not come either from the window or the door. My attention was speedily drawn, as I have already remarked to you, to this ventilator… ]
The Speckled-Band Attack: Breach a security perimeter through
unconventional means.
A Speckled Robot
Other Ropes and Ventilators
• Infected digital photo frames
• Infected mobile phones
• Bluetooth vulnerabilities
• Compromised device drivers
• The locked-room illusion…
APT is a campaign
• Broaden conceptualization of APTs
– No formula or playbook of tactics
• How about detection?
– Behavior profiling
– Defensive deception
– Information sharing
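As an added example that is not part of the deck, here is a small sketch of the behavior profiling the last slide suggests, applied to the Blue Carbuncle case above: command-and-control hidden inside ordinary HTTP. It parses constructed proxy-log lines (the log format and hostnames are assumptions) and flags a flow whose request timing and size are far more regular than browsing traffic.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample proxy log: "<epoch> <src_host> <dest_host> <bytes_out>".
# Every request is plain HTTP to a plausible host, so no single line looks
# anomalous; only the aggregate behavior of one flow gives it away.
SAMPLE_LOG = """\
1000 ws-17 cdn.example-news.test 512
1060 ws-17 update.example-vendor.test 220
1240 ws-17 cdn.example-news.test 498
1662 ws-17 update.example-vendor.test 221
2258 ws-17 update.example-vendor.test 219
2861 ws-17 update.example-vendor.test 222
3100 ws-17 cdn.example-news.test 1290
3459 ws-17 update.example-vendor.test 220
4060 ws-17 update.example-vendor.test 218
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)$")

def parse_log(text):
    """Group (timestamp, bytes_out) events per (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, size = m.groups()
            flows[(src, dst)].append((int(ts), int(size)))
    return flows

def beacon_score(events):
    """Coefficient of variation of inter-request gaps; lower means more regular.
    Returns None when there are too few gaps to judge."""
    ts = sorted(t for t, _ in events)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    return pstdev(gaps) / mean(gaps)

def find_beacons(text, min_events=4, max_cv=0.1, max_size_spread=50):
    """Flag flows with near-periodic timing and near-constant request size."""
    hits = []
    for (src, dst), events in parse_log(text).items():
        if len(events) < min_events:
            continue
        cv = beacon_score(events)
        sizes = [s for _, s in events]
        if cv is not None and cv <= max_cv and max(sizes) - min(sizes) <= max_size_spread:
            hits.append((src, dst, round(cv, 3)))
    return hits
```

Thresholds such as `max_cv` are assumptions to tune against a baseline of the environment's normal traffic; the point is that profiling a flow's behavior over time catches what per-request inspection of commonplace protocols cannot.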
Thank you!