Crack the Code: Defeat the Advanced Adversary

Transcription

1 Crack the Code: Defeat the Advanced Adversary Security Summit Clusit Verona 1st October 2015 Andrea Zapparoli Manzoni Head of Cyber Security KPMG Advisory Stefania Iannelli System Engineer Palo Alto Networks

2 Key Perspectives Who is the Adversary? Understanding the Cyber Attack Lifecycle How Attacks Happen , Palo Alto Networks. Confidential and Proprietary.

3 Challenges and Change Introduce Risks Risk Exposure Organiza,onal Risk Social, Mobile, Analy(cs, Cloud Internet of Things Applica(on Economy Consumeriza(on of IT Decreasing Visibility and Control Rate of Change/Complexity Reliance on Mul,ple Layers of Service Providers , Palo Alto Networks. Confidential and Proprietary.

4 Exploring Actor Motivations These are not mutually exclusive Cyber Espionage Cyber Crime Cyber Hack(vism Cyber Warfare Cyber Terrorism Cyber Mischief $$$

5 The Advanced Adversary Majority of adversaries are just doing their job: Bosses, families, bills to pay. Want to get in, accomplish their task, and get out (un-detected). Goal isn t making your life hard. =

6 The Advanced Adversary Increase the cost for adversaries. Defenders need a Adversaries combination have of a people, set of tools available process to accomplish and technology their task

7 Cyber Attack Lifecycle Reconnaissance Weaponiza,on and Delivery Exploita,on Installa,on Command- and- Control Ac,ons on the Objec,ve Unauthorized Access Unauthorized Use There is no predictable path for the advanced adversary , Palo Alto Networks. Confidential and Proprietary.

8 Reconnaissance Identify a specific target within an organization: SLIDESOURCE Join Login Find more webinars and videos Search Presenting a Webinar? HOME > All SLIDESOURCE > Enterprise Security Enterprise Security Protecting Critical Assets Channel Profile Leading a new era in cybersecurity by protecting thousands of enterprise, government Protect your company Our amazing new product provides unprecedented protection from 100% of all threats. You will never need to buy anything else. (12,000 Subscribers) CIO News Leading a new era in cybersecurity by protecting thousands of enterprise, Sandboxing is enough Leading a new era in cybersecurity by protecting thousands of enterprise, Find the topics that interest you Third-party sites to identify key targets Common search techniques Date Rating Views Channel RSS Feed Content from corporate websites Standalone IPS Leading a new era in cybersecurity by protecting thousands of enterprise,

9 Reconnaissance Simple Google Search List of Attendees at a National Defense Industrial Association

10 Reconnaissance Identify the tools used to protect an organization

11 Preventing Recon People & Process Nothing the Adversary Did Could Have Been Prevented by Technology

12 Exploitation Exploiting the user 1 Why use malware when you have legitimate credentials? Users are typically the path of least resistance.

13 Exploitation Exploit Exploiting the software 2 Why use a 0-day when / still open? Old vulnerabilities may not be patched.

14 Exploitation People: Training to recognize phishing attempts and be careful with credentials. Process: Keep software patched to reduce the attack surface. Technology: If you can t patch systems, limit access via user-based policy. Deploy solutions that can prevent exploitation on the endpoint and network, even those that have not been seen before. Use systems that learn from new exploits and can stop them in real-time.

15 Delivery Technology Technology Becomes Critical to Preventing Advanced Attacks

16 Delivery Delivering the Exploit Spear Phishing Attackers with a specific target Watering Hole AKA: Strategic Web Compromise for attackers targeting people with specific interests Everything Else Malicious USB Drives, Network Exploitation, etc.

17 Spear Phishing & Drive-by Download System infected, attacker has full access to steal data Targeted malicious sent to user Malicious website silently exploits client-side vulnerability with Web Attack Toolkit User clicks on link to a malicious website Drive-by download of malicious payload

18 Watering hole

19 Installation Myth Reality Highly customized and unique tools are used for every attack. Off-the-shelf tools are the most common method of attack.

20 Common Tools Remote Shell Direct access to the OS as logged in user Keylogger Audio Capture Screen Capture Webcam Capture , Palo Alto Networks. Confidential and Proprietary.

21 Common Tools

22 Common Tools , Palo Alto Networks. Confidential and Proprietary.

23 The Underground Economy Active Easily marketplace purchase for tools. attacks: Conversations Remote access on each tools. aspect of the Malware. kill-chain. Discuss Exploits. tactics A tool for creating Botnets on Android with Etc. [ ] other $4,000 attackers.

24 The Underground Economy Peer-to-peer Botnet [ ] $15, , Palo Alto Networks. Confidential and Proprietary.

25 Preventing Delivery and Installation Technology: Prevent malware and exploits at the network level Deploy a solution that can detect new exploits and malware, dynamically updated your protections across AV, URL and DNS. Prevent exploits that have never been seen before on the endpoint User-based policy such as limiting the download of executable files from the Internet Block commonly exploited filetypes on your network

26 Command and Control (C2) Communicating with infected hosts and providing instructions Myth Reality Customized protocols, with unique encryption types are used for CnC. HTTP is most common for custom backdoors.

27 Command and Control (C2) Enterprise and adversary infrastructure User Land Data Center/Infrastructure Adversary Infrastructure Ingress/Egress Internet DMZ

28 Command and Control (C2) Malware for automated exfiltration User Land Data Center/Infrastructure Information exfiltration Adversary Infrastructure Ingress/Egress Internet Malware automatically captures information DMZ , Palo Alto Networks. Confidential and Proprietary.

29 Command and Control (C2) 2 nd stage download and establish C2 channel User Land Data Center/Infrastructure Second stage+ Adversary Infrastructure Ingress/Egress Internet Establish C2 Malware downloads 2nd stage or beacons DMZ , Palo Alto Networks. Confidential and Proprietary.

30 Preventing Command-and-Control URL Filtering Dynamic DNS DNS Sinkholing Detect and Block Proactively Block Unnecessary URLs Dynamic DNS category Identify source of malicious DNS queries. Common RAT C2 signatures

31 Actions on the Objective Goals Inside the Network These are Completed by an Active Operator And Then the Bad Guys Steal All Your Data

32 Command and Control (C2) C2 ultimately enables the attacker s endgame, Actions on Objectives Steal local credentials User Land Data Center/Infrastructure Steal repository information Adversary Infrastructure Dump domain credentials Ingress/Egress Internet Information exfiltration Objective based commands Steal local information DMZ Deface or host malware from site , Palo Alto Networks. Confidential and Proprietary.

33 Example: XCodeGhost APTs in action

34 XcodeGhost Summary Report released on 9/17 Thousands of ios Apps infected in the official Apple App store. Millions of users impacted, primarily in China but around the globe. First widespread infection of Apps in the official store.

35 XcodeGhost Infects Developers Xcode is the tool Apple provides to developers to write and build ios Apps March 2015 Attacker uploads modified Xcode packages to Baidu cloud storage server Attacker posted links to modified Xcode Packages on Chinese developer forums Chinese developers download Xcode package and build Apps, most likely due to very slow downloads from Apple

36 XcodeGhost Modifies Apps Modified Xcode contains an altered CoreServices library that is added to every app built. Modified apps report to command and control servers and retrieve commands from attacker. Infected apps can display pop-ups and open new URLs on the phone Many Chinese-developed Apps, including WeChat infected.

37 XcodeGhost Response DNS signatures for three C2 servers released on 9/17. C2 servers shut down shortly after publication Thousands of additional apps discovered including the malware. Apple pulls infected apps from their store, promises a local Chinesedownload server for Xcode. Attacker posts source code to Github, claims it as only an experiment.

38 XcodeGhost What you should do Check your logs for systems accessing the 3 C2 servers to identify infected phones. init.crash-analytics[.]com init.icloud-diagnostics[.]com init.icloud-analysis[.]com Update apps as soon as clean versions are available, or delete infected Apps Never trust development tools that haven t originated with their source.

39 New Strategic Approaches to Security Are Needed Security Organiza,ons Are Not Innova,ng Fast Enough Exis(ng controls ineffec(ve against new threats Controls not evolving fast enough ANackers Are Innova,ng Faster Sophis(ca(on of global afackers Increasing value of informa(on Easier targets Vulnerability Gap Con,nues to Widen Goal: reduce threat exposure by strengthening controls , Palo Alto Networks. Confidential and Proprietary.

40 WHY BREACHES STILL HAPPEN COMMON TRAITS Port based Firewall Sta,c IPS 0- Day Malware and Exploits used ID creden(als hijacked

41 Next-Generation Security Platform THREAT INTELLIGENCE CLOUD AUTOMATED NATIVELY INTEGRATED EXTENSIBLE NEXT- GENERATION FIREWALL ADVANCED ENDPOINT PROTECTION , Palo Alto Networks. Confidential and Proprietary.

42 Detect & Prevent Threats at Every Point Cloud At the Mobile Device At the Internet Edge Between Employees and Devices within the LAN At the Data Center Edge and between VMs Within Private, Public and Hybrid Clouds Prevent afacks, both known and unknown Protect all users and applica(ons, in the cloud or virtualized Integrate network and endpoint security Analy(cs that correlate across the cloud , Palo Alto Networks. Confidential and Proprietary.

43 Preventing Across the Cyber Attack Lifecycle 1 Breach the Perimeter 2 Deliver the Malware 3 Lateral Movement 4 Exfiltrate Data Reconnaissance Weaponiza,on and Delivery Exploita,on Installa,on Command- and- Control Ac,ons on the Objec,ve Unauthorized Access Unauthorized Use , Palo Alto Networks. Confidential and Proprietary.

44 , Palo Alto Networks. Confidential and Proprietary.