Persistence is Key: Advanced Persistent Threats
- 1. Persistence is Key: Advanced Persistent Threats By: Sameer Thadani
- 2. Objectives What is an APT What is an AET Past targets What to look for in the future
- 3. Advanced Persistent Threats Advanced Higher levels of sophistication Has access to Zero-Day exploits Adapts to the victims defenses Persistent Attacks are specific Continue until the specific goals are met Intend to maintain communication with victim compromised systems Threats Real power players behind attacks such as nation-states Not your mom and pop hacking job
- 5. APT Attack Flow Step 1 • Reconnaissance Step 2 • Initial Intrusion into the Network Sep 3 • Establish a Backdoor into the Network Step 5 • Install Various Utilities Step 6 • Lateral Movement and Data Exfiltration
- 6. Reconnaissance First stage of an APT Learning about the victims business processes and technology Tools Whois Nmap Netcraft.com Social Media Searching Acting SKILLZ
- 7. Network Access Spear-Phishing = #1 Way Targeting specific high value people Sending highly realistic email addresses with attachments Attachments include remote trojans or malware BUT WAIT, how does my malware get passed IDS/IPS, Firewalls, and Email Filters? ADVANCED EVASION TECHNIQUES
- 8. Advance Evasion Techniques Key techniques used to disguise threats to evade and bypass security systems Why are they advanced? They combine multiple evasion techniques that focus on multiple protocol layers. Evasions change during the attack They allow malicious payloads or exploits, such as malware to look normal A wide variety of techniques Combinations are endless
- 9. Polymorphic Shellcode Constantly changing packet injected code… using ADMmutate
- 11. Packet Splitting
- 12. Establish Backdoors Establish backdoors Backdoors allow attackers to stay in constant contact with the compromised machine. Ex. Poison Ivy
- 14. Lateral Movement Compromise more machines on the network and setup more back doors, this allows for lateral movement and persistence Ex. TRiAD Botnet Control System EXFILTRATE DATA!
- 15. Why is this happening? Nation-State intelligence to aid in wartime strategy and exploitation Diminish competition and improve strategic advantage by stealing intellectual property To extort or ruin VIP To gain $$$$ and gain economic power
- 16. Learning from the past… Google - Hydraq RSA SecureID Iran’s Nuclear Plant - Stuxnet All targeted attacks on huge companies Anyone can be targeted.
- 17. Preparing for the Future..
- 18. Keep your eyes open Elevated log-ons at unexpected times Finding any backdoor Trojans Look for any anomalies for information flow Look for HUGE data bundles
- 19. Questions?
- 20. Sources http://www.infoworld.com/article/2615666/security/5-signs- you-ve-been-hit-with-an-advanced-persistent-threat.html https://www.youtube.com/watch?v=ugXyzkkYN9E https://www.youtube.com/watch?v=J9MmrqatA1w http://searchsecurity.techtarget.com/definition/advanced- persistent-threat-APT http://www.symantec.com/theme.jsp?themeid=apt- infographic-1 http://searchsecurity.techtarget.com/definition/advanced- evasion-technique-AET http://www.csoonline.com/article/2138125/what-are- advanced-evasion-techniques-dont-expect-cios-to-know- says-mcafee.html Issa.org