Advanced Persistent Threat

Transcription

1 Advanced Persistent Threat

2 APT What is it?

3 Wake Up Google cyber attacks a 'wake up' call Director of National Intelligence Dennis Blair cyber attacks a wake up callfor US intel chief says

4 Anatomy of APT Malware Survive Reboot C&C Protocol Command and Control Server File Search Update Process Injection Keylogger USB Stick

5 IP is Leaving The Network Right Now YOU ARE ALREADY OWNED They are STEALING right now, as you sit in that chair.

6 The Coming Age

7 Economy

8 Espionage

9 MI5 says the Chinese government represents one of the most significant espionage threats

10 Opennet.net Big Brother

11 Cash is not the only motive

12 Why Enterprise Security Products DON T WORK

13 The True Threat

14 The Scale Over 100,000malware are automatically generated and released daily. Signature based solutions are tightly coupled to individual malware samples, thus cannot scale. htt // tl b / h/bl /i d h /2009/03/10/ t il t 20 illi passes milestone 20 millionmalware samples/

15 Surfaces The bad guys STILL HAVE their zero day STILL HAVE their The bad guys STILL HAVE their zero day, STILL HAVE their vectors, and STILL HAVE their malware

16 Not an antivirus problem

17 Value Horizon Annealing

18 Continuum Value Horizon Continuous area of attack

19 Technology Lifecycle Value Horizon Area of attack

20 Continuous Area of Attack By the time all the surfaces in a given technology are hardened, the technology is obsolete Value Horizon Continuous area of attack Technology Lifecycle

21 The Global Malware Economy

22 A Global Theatre

23 $10,000+ for 0 day Rootkit Developer $500+ $1,000+ $10,000+ for 0 day Implant egold Vendor $1000+ Exploit Pack Vendor Rogueware Developer Exploit Developer Back Office Developer Country that doesn t co op op w/ LE Keep 10% Secondary A single operator here may recruit Keep 100 s of mules 50% per week Small Transfers Drop Man Wizard $5,000 incrm. atm Account Buyer Bot Vendor Affiliate Botmaster ID Thief Payment system developer PPI ~4% of bank customers Victims $ per 1000 infections Endpoint Exploiters Forger $50 Cashier / Mule Bank Broker Keep 10% Country where account is physically located Sells accounts in bulk $5.00 per

24 Crimeware and the State

25 China Therearetheintelligence oriented hackers inside thepeople's Liberation Army There are hacker conferences, hacker training i academies and magazines Loosely defined community of computer devotees working independently, but also selling services to corporations and even the military When asked whether hackers work for the government, or the military, [he] says "yes."" for fun and profit in Chinas underworld/ _ html

26

27 Crimeware Affiliate Networks

28 Pay-per-install.org

29 Earning4u Pays per 1,000 infections *

30 PPI Programs *

31 Custom Crimeware Programming Houses

32 Anatomy of an APT Operation

33 Anatomy of an APT Operation

34 Malware Distribution Systems

35 Boobytrapped Documents Single most effective focused attack today Human crafts text

36 Web-based based attack Social Networking Space Injected Java script Used heavily for large scale infections Social network ktargeting ti is possible

37 Trap Postings I p p Some text to be posted to <script> </script> the site.

38 Trap Postings II p p Some text to be posted to <IFRAME src= style= display:none ></IF tl l RAME> the site.

39 SQL Injection p p SQL attack, inserts IFRAME or script tags

40 Reflected injection Link contains a URL variable w/ embedded script or IFRAME * User clicks link, thus submitting the variable too The site prints the contents of the variable back as regular HTML Trusted site, like.com,.gov,.edu *For an archive of examples, see xssed.com

41 A three step infection Injected Javascript Redirect Exploit Server Browser Exploit Payload Server Dropper

42 Eleonore (exploit pack)

43 Tornado (exploit pack)

44 Napoleon / Siberia (exploit pack)

45 Rogueware *

46 Rogueware

47 Payload Server

48 Command and Control Once installed, the malware phones home TIMESTAMP SOURCE COMPUTER USERNAME VICTIM IP ADMIN? OS VERSION HD SERIAL NUMBER

49 Command and Control Server

50 Command and Control These commands map to a foreign language keyboard.

51 IRC l h lf DDOS b IRC control channel for a DDOS botnet Most of the C&C has moved to the web. IRC C&C

52 Triad (botnet)

53 ZeuS (botnet)

54

55 Fragus (botnet)

56 Implants

57 Poison Ivy (implant)

58 CRUM (protector)

59 Steal Credentials Outlook Password Generic stored passwords

60 Steal Files All the file types that are exfiltrated

61 Staging Server

62 Drop Site

63 Drop point is in Reston, VA in the AOL netblock

64 Part II Countering the Threat

65 Malware Threat Attribution i

66 Why Attribution?

67 Threat Intelligence

68 Enterprise Information Sources

69 Information Points

70 Intel Feeds

71 Forensic Marks left by Actors

72 Fingerprinting Actors within the Theatre

73 Digital Fingerprints

74 The developer!= operator

75 DISK FILE IN MEMORY IMAGE Same malware compiled in three different ways OS Load der MD5 Checksums all different Code idioms remains consistent

76 IN MEMORY IMAGE Packer #1 Packer #2 OS Loader Decrypted Original Starting Malware Packed Malware Unpacked portions remains consistent In memory analysis tends to defeat packers

77 IN MEMORY IMAGE Malware Tookit Different Malware Authors Using Same Toolkit Packed OS Loader Toolkit Marks Detected Toolkits and developer signatures can be detected

78 Country of Origin C&C map from Shadowserver, C&C for 24 hour period

79 Language

80 Actor: Endpoint Exploiter $ per 1000 infections Endpoint Exploiters

81 URL artifact Codenamed Botmaster C&C Fingerprint Unique Affiliate ID s Endpoints Link Analysis

82 Actor: Bot Master

83 Actor: Account Buyer

84 Actor: Mules & Cashiers

85 Actor: Wizards

86 Actor: Developers

87 We want to find a connection here Botmaster C&C Fingerprint Affiliate ID URL artifact Developer Protocol Fingerprint Developer Endpoints C&C products Link Analysis

88 Softlinking into the Social Space

89 Software Author Software Author Social Space Social Space Link Analysis

90 Working back the timeline

91 Software Author Social Space i.e., Technical Support Query made AFTER version 1.4 Release Use of timeline to differentiate links Link Analysis

92 Actor: Vuln Researchers

93 Conclusion

94 Take Away

95 HBGary