Targeted & Persistent Attacks in EU
1 like423 views
The document discusses the need for improved coordination and information sharing between EU member states to address targeted and persistent cyber attacks. It outlines common tactics used by adversaries, including initial weak intrusions, spreading malware to undermine security monitoring and exfiltrate data while avoiding detection. The document argues for consolidating knowledge of adversaries across borders, establishing standards for secure information exchange, and properly containing incidents to effectively eradicate intruders.
Targeted & Persistent Attacks in EU
- 1. Targeted & Persistent Attacks in EU The need for coordination and information sharing between EU member states Eoghan Casey, CASEITE & DFLabs
- 2. 2012 Copyright Eoghan Casey and CASEITE All rights reserved Attack against RSA -‐ http://blogs.rsa.com/rivner/anatomy-‐of-‐an-‐attack/
- 3. Large-‐scale credit card robbery Initial intrusion into regional office Weak internal security Servers with well known vulnerabilities Unrestricted access to central servers Weak egress filtering File transfer permitted from central servers to Internet Weak system monitoring Intruder created account on central server Installed sniffer on server Sniffer and file transfer log files created on server Weak network monitoring Network level logs recorded file transfers 2012 Copyright Eoghan Casey and CASEITE All rights reserved
- 4. Coordinated Linux intrusions Attacker's modus operandi Repository of stolen SSH credentials Privilege escalation LKM rootkits & tricky backdoor Trojanized SSH daemon Resilient C2 and exfiltration Destroy digital evidence 2012 Copyright Eoghan Casey and CASEITE All rights reserved
- 5. Common mistakes 1) Underestimating the adversary Too quick to containment 2) Lack of evidence No centralized logging infrastructure 3) Improper evidence handling Update antivirus and scan compromised systems 2012 Copyright Eoghan Casey and CASEITE All rights reserved
- 6. Know the adversary Initial intrusions not necessarily sophisticated Spear phishing or vulnerable servers Once inside, they spread virulently Inside out attacks circumvent egress filtering Undermine security monitoring File system tampering Multiple malware versions with custom packing Blend in with normal traffic Encrypt command, control and exfiltration 2012 Copyright Eoghan Casey and CASEITE All rights reserved
- 7. Quick containment? Current recommendation: When an incident has been detected and analyzed, it is important to contain it before the spread of the incident overwhelms resources or the damage increases. Most incidents require containment, so it is important to consider it early in the course of handling each incident. - NIST SP800-61 Rev. 1, page 3-19 2012 Copyright Eoghan Casey and CASEITE All rights reserved
- 8. Managing a data breach effectively 2012 Copyright Eoghan Casey and CASEITE All rights reserved
- 9. Effective eradication of intruders 2012 Copyright Eoghan Casey and CASEITE All rights reserved
- 10. Cross border information sharing Same attackers targeting all EU member states > Consolidate adversary knowledge Trust between government and industry Confidentiality agreements More information to examine the better Sanitize what is shared to protect victims 2012 Copyright Eoghan Casey and CASEITE All rights reserved
- 11. Information exchange standards STIX Structured Threat Information eXpression 2012 Copyright Eoghan Casey and CASEITE All rights reserved STIX Whitepaper -‐ makingsecuritymeasurable.mitre.org/docs/STIX-‐Whitepaper.pdf
- 12. Get in touch Eoghan Casey DFLabs Business Partner Risk Prevention and Response Co-‐manager eoghan@dflabs.com www.dflabs.com 2012 Copyright Eoghan Casey and CASEITE All rights reserved