Trends in Advanced Threat Protection

Transcription

1 Trends in Advanced Threat Protection John Martin Senior Security Architect IBM Security Systems Division IBM Corporation

2 John Martin Senior Security Architect IBM Security Systems Division Security Practice Leader Ex UK Government Security Consultant Risk Management IBM Certified Architect CISSP-ISSAP CISM 2

3 Overview The Current Threat Landscape Analysis of Advanced Cyber Attacks Technologies to counter Advanced Cyber Attacks Conclusions 3

4 Current Threat Landscape 4

5 Advanced Threats: The sophistication of Cyber threats, attackers and motives is rapidly escalating Motive National Security Espionage, Political Activism st Decade of the Commercial Internet nd Decade of the Commercial Internet Nation-state Actors; Targeted Attacks / Advanced Persistent Threat Competitors, Hacktivists Monetary Gain Organised Crime, using sophisticated tools Revenge Insiders, using inside information Curiosity Script-kiddies or hackers using tools, web-based how-to s Adversary 5

6 Attacker motivations remain similar, although methods evolve 6

7 7

8 2012 Sampling of Security Incidents by Attack Type, Time and Impact Conjecture of relative breach impact is based on publicly disclosed information regarding leaked records and financial losses Source: IBM X-Force Research 2012 Trend and Risk Report 8

9 Source: IBM X-Force Research 2013 Trend and Risk Report 9

10 Hackers Steal $45 Million In 10 Hours Payment processor was compromised Targeted MasterCard pre-paid cards Targeted Oman based Bank of Muscat 12 accounts were compromised Card limits removed, daily limits removed Cashing Crews in 24 countries given track data 10 Hours time ran 36,000 ATM transactions Sophisticated structure of an organised crime enterprise 10 caught-stealing-45-million-10-hours-second-biggest-bank-robbery-history- New-York.html

11 New York Times Attack SAN FRANCISCO - For the last four months, Chinese hackers have persistently attacked The New York Times, infiltrating its computer systems and getting passwords for its reporters and other employees. After surreptitiously tracking the intruders to study their movements and help erect better defenses to block them, The Times and computer security experts have expelled the attackers and kept them from breaking back in. Relatives of Wen Jiabao, China's Prime Minister had accumulated a fortune worth in the billions 11

12 The New York Times Attack started with spear phishing on a list of employees The focus was to get access to journalists Access and downloaded s and files Attackers tried to hide their tracks by using intermediary computers in the United States Installed various malware known to originate in a hacking group in China New York Times decided to rebuild all infected computers Out of the 45 malware instances found by Mandiant, antivirus software had only discovered one of them 12

13 Mandiant Report APT1 - Chinese Advanced Cyber Army Though our visibility of APT1 s activities is incomplete, we have analysed the group s intrusions against nearly 150 victims over seven years. From our unique vantage point responding to victims, we tracked APT1 back to four large networks in Shanghai, two of which are allocated directly to the Pudong New Area. We uncovered a substantial amount of APT1 s attack infrastructure, command and control, and modus operandi (tools, tactics, and procedures). 13

14 APT1 - Chinese Advanced Cyber Army 14 The report provides numerous details of the activities of one of the Chinese militaries key cyber attack agencies Unit in Shanghai Location, IP address, key personel How the executed attacks Spear Phishing s Variety of malware used Use of staging servers RAR compression, encryption for data retrieval Suggested hundreds of workers involved Used for both commercial and government espionage

15 RSA Security RSA forced to replace nearly all of its millions of tokens after security breach - RSA Security is offering to provide security monitoring or replace its well-known SecurID tokens -- devices used by millions of corporate workers to securely log on to their computers -- "for virtually every customer we have," the company's chairman Art Coviello said in an interview 15

16 RSA Security Attack started with spear phishing on a list of RSA employees listed on social media sites Two spear phishing s to two small groups of employees carried Recruitment Plan.xls that contained a zero day exploit that installed a Remote Access Terminal (RAT) The first computer compromised was not the target and attacker collected admin credentials from other servers Discovered server with highly confidential two-factor authentication algorithms and seeds Collected key data, RAR compressed and encrypted and moved to staging servers using FTP. 16

17 Lockheed-Martin Attack Signals New Era of Cyber Espionage The network of defense contractor Lockheed-Martin was attacked using counterfeit electronic keys. Since the RSA Security network was hacked and the keys to its SecurID tokens were compromised a few months ago, the world has been waiting for the proverbial other shoe to drop. Well, it dropped.. als_new_era_of_cyber_espionage.html 17

18 Analysis of Advanced Cyber Attacks 18

19 Advanced Persistent Threat The term was defined by information security analysts in the US AirForce in 2006 Advanced: The attacker is an expert in cyber intrusion methods and is capable of crafting custom exploits and tools. Persistent: The attacker has a long-term objective and will persistently work to achieve it without detection and without regard for time. Threat: The attacker is organised, funded, well trained, and highly motivated. 19

20 APT Attack LifeCycle The lifecycle of an APT Attack is consistent: Stage 1: Initial intrusion through system exploitation Stage 2: Malware is installed on compromised system Stage 3: Outbound connection is initiated Stage 4: Attacker spreads laterally Stage 5: Compromised data is extracted Reference: The Definitive Guide to Next Generation Threat Protection, 20

21 Stage 1: Initial intrusion through system exploitation System exploits are through Web: The exploit code is embedded within a Web object (e.g.,javascript, JPG) The exploit code is embedded within a file (e.g. XLS, PDF, ZIP) Aim is to compromise the vulnerable OS or application enabling an attacker to run code The code is usually a small script for making a call-back. In RSA example, an employee was tricked into opening a file Recruitment Plan.xls 21

22 Stage 2: Malware is installed on compromised system The script code is executed enabling malware to be installed on the compromised system There is often a hidden address referring to a dropsite This dropsite is unrelated to the initial point of infection, and may be temporary (some cloud VM compromised) At the end of this phase there is a Remote Administration Tool (RAT) installed on the end point 22

23 Stage 3: Outbound connection is initiated The RAT phones home to a C&C server operated by the attacker Connection often not identified e.g. HTTPS, which looks to the infrastructure like a user browsing the web Bypass traditional firewalls and IPSs, which allow session traffic to flow bi-directionally if initiated from within the trusted network. The C&C server then issues the RAT instructions 23

24 Stage 4: Attacker spreads laterally The initial breach is to get a foot hold and is not the target The aim is now to spread laterally, looking for other hosts Possibly download other malware, or just use remote access tools already available from the OS, or go after directories (Active Directory / LDAP) Obtain credentials of admin users. Continually escalate privileges The end goal is to get to high value servers e.g. databases 24

25 Stage 5: Compromised data is extracted The attacker has three challenges Size of data is very large (often gigabytes). How to get this out without triggering anomaly detection engines The receiving host can't be linked back to the attacker Transferred data does not trigger a DLP system Often split data into very small pieces using RAR files for transfer e.g. part1.rar, part2.rar Usually use a third party server for staging area. Cloud based sites are often the target. Encrypt the RAR data to hide from DLP 25

26 Finally, Cover Tracks The following are tactics that APT attackers employ during and after the attack to minimize the risk of detection: Planting alternate malware to distract the IT security staff and keep them busy doing other things. Deleting the compressed files after they ve been extracted from the staging server. Deleting the staging server. if it s hosted in the cloud or taking it offline; if under control by the attacker. Uninstalling malware at the initial point of entry and on any other servers 26

27 Technology to counter Advanced Cyber Attacks 27

28 Strong Enterprise Boundary not sufficient as only control Strong enterprise boundaries Firewalls Intrusion Prevention Systems (IPS) Problems Attackers are bypassing enterprise boundary USB sticks Spear Phishing attacks The boundary is designed to stop entry and not exit C&C connections originating on the inside are not blocked (HTTPS) 28

29 Intrusion Prevention Systems Signature Based not sufficient Zero-day attacks No signature Polymorphic malware Mutating Signature (e.g. SNORT) based IPS cannot detect modern attacks Need Deep packet inspection Protocol aware Heuristics aware All ports/all protocols 29

30 Next Generation Devices 30

31 Endpoint Fraud Detection Technologies Prevent fraud on the end user s laptop or desktop Windows, OSX, Linux Preventing malware being installed Removing malware already installed NOT Anti-virus Not based on signatures Based on invariant characteristics of malware Also provide patch protection module loading protection anti-screenshot anti-keylogging 31

32 Endpoint Fraud Detection Technologies Prevent fraud on the end user s mobile Mobile SDK Build applications from SDK detect and remove malware, detect jailbreaking, pharming attacks.. Mobile Browser Built from SDK with same malware capabilities Mobile will soon be more secure than desktop computing Out of Band Authentication Risk Based Authentication Device fingerprinting Precise determination of mobile device Device management 32

33 Detecting and Profiling Malware Execute files in a safe environment Web interactions s attachments Scan file systems Create MD5 signatures Understand the characteristics of the malware IP Address / URLs Cloud Based Interaction Sandboxes aim to stay ahead of malware Change clock if dormant Hide the fact that it is a sandbox mouse driver 33

34 Next Generation SIEM - Detecting when something has gone wrong 34

35 Conclusions 35

36 Conclusions Its time to disconnect OR No , no Internet, no electricity, no APTs 36 Its time for security architects to understand the advanced threats we are facing To change their thinking about protection Understand that you may have already been hacked Look at new technologies and approaches for dealing with the threat

37 ibm.com/security 37