Advanced Persistent Threats
Craig Harwood, Channel Manager, SADC and Indian Ocean Islands
Agenda
- Introduction
- Today's threat landscape
- What is an Advanced Persistent Threat
- How are these crimes perpetrated
- Why traditional security measures alone are no longer effective
- Why security management and compliance are so important
- Solutions and technologies to help YOU
The Hyperextended Enterprise
Expanding entities, explosive information growth, increased regulation.
[Diagram: "Threats are Everywhere"]
Entities: Enterprise HQ, Remote Offices, Retail Stores, Distribution Centers, Service Provider, Virtualization, Cloud Computing & other ISPs, Mobile Workers, Telecommuters, Supply Chain & Collaboration Partners, Consumers.
Threats: Hijacks, Data Theft, Application Hacking, Cookies, Screen Scraping, Service Theft, Spoofing, Botnets, Phishing, Cyber Attacks on Apps & Infrastructure, Industrial Espionage, Extortion, Identity Theft, Privacy, Viruses, Worms, P2P, Content Piracy, Spam, Solicitation.
The Attacking Community is Professionalizing
[Same "Threats are Everywhere" diagram, overlaid with the threat actors and their targets]
Threat actors: Governments; Organized Crime (organized, sophisticated); Anti-Establishment Vigilantes; Hacktivists; Terrorists.
Targets: PII, Government, Defense, Industrial Base, IP-rich Enterprises; Supply chains (PII, Financial Services, Retail); Targets of Opportunity; Critical Infrastructure.
In 2010, 88% of the Global 500 had botnet activity associated with their domains (RSA Security Brief, "Malware and the Enterprise", February 2011).
Between 2006 and 2010 there was a 660% increase in cyber incidents reported from government agencies (Government Accountability Office and Time Magazine, July 2011).
On the surface all may seem calm!
What are we facing?
Well organized, well funded entities with a specific set of Collection Requirements (CRs), which may be controlled by a government or a criminal entity.
CRs could be anything from military secrets to source code to pharmaceutical intellectual property to documentation about critical infrastructure.
Advanced Persistent Threat (APT)
Targeted computer attacks by government agencies, cyber criminals, terrorists and/or individuals with the intent of stealing intellectual property or trade secrets, or with other political or economic motivation.
Advanced Persistent Threats: The New Norm
- 18 months of high-profile sophisticated cyber attacks; pandemic levels, not a passing fad
- Advanced Persistent Threats have moved from the realm of the military to the mainstream
- Highly targeted, well researched and well funded
- Moving beyond credit card data to intellectual property
- Multiple vectors: social engineering, zero-day vulnerabilities, application-layer exploits, etc.
- The primary attack vector has shifted from technology to people
Of companies surveyed:
- 83% believe that they have been the victim of an advanced threat
- 71% have seen an increase in advanced threats in the last 12 months
- 65% believe they have insufficient resources to prevent advanced threats
Of advanced persistent threats:
- 51% result in IT downtime
- 45% result in the theft of intellectual property
- 44% result in the theft of confidential or sensitive information
Source: Ponemon Institute survey, "Growing Risk of Advanced Threats"
It is now not a question of IF but WHEN you are attacked; more importantly, will you notice, and can you react?
The Age of Advanced Persistent Threats
Sophisticated attacks and well resourced adversaries.
Who: Cyber Criminals, Nation State Actors, Non-Nation State actors, Third Countries, Foreign Nationals, Sub Contractors
How: Open Source Intelligence Collection, Black Markets, Supply Chain Tampering
Tactics, Techniques and Procedures (TTPs)
There are typically precursors to APT attacks. Knowing the TTPs used by threat actors gives an organization a head start on defending the network. The following are the steps APT threat actors use when staging attacks; this is referred to as the APT kill chain:
1. Open source collection
2. Malware and toolkit creation
3. Delivery of malware
4. Exploitation
5. Command and Control communications (C2 beaconing)
6. Exfiltration
Open source collection TTP
- Identify high value programs, technology and people
- Threat actors use open source data to research their targets; there is a surprising amount of information freely available
- Clean documents are harvested from Internet sources: a company's public website, news stories (CNN, Fox News, etc.)
- Relationships are researched so they can be leveraged in an attack
Malware and toolkit creation
- The act of placing a malicious payload inside the delivery mechanism (e.g. a DOC or PDF file)
- APT actors use a variety of custom toolkits to create malware
- Metasploit modules bring toolkits to a larger audience
- Link-based attacks are on the rise and much harder to detect
Delivery methods
- Threat actors use the intelligence gathered during collection to target specific users
- Emails typically contain a link or attachment that entices the recipient
- The malware is sophisticated and evades most standard COTS security software
- Server-side attacks such as SQL injection have also been observed
- Watering hole attacks are another popular technique
Exploitation
- Threat actors attempt to exploit a system using specially crafted malware
- The main goal is to compromise the target asset so that the attacker gains access to the system
- This is a key phase of the attack: if exploitation is successful, the machine is compromised
- Tendency toward multi-stage exploits: shellcode is delivered which in turn downloads and executes further malware
- Exploitation depends on the vulnerability, proper execution and compatibility with the target
Command and Control Communications (C2)
C2 communications are established once the target system can communicate with the threat actor's infrastructure. From that point the attackers could perform:
- Tool dropping
- System enumeration
- Lateral movement
- Credential harvesting
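The regular check-in that the slide calls C2 beaconing is something a defender can hunt for in plain connection records, without knowing the malware. The following is an added example (it is not from the slides and not RSA's code): it groups outbound connections by source, destination and port and flags flows whose inter-arrival times are almost constant. The record layout (timestamp, source IP, destination IP, destination port) and the thresholds are assumptions; the connection data is constructed inline.

```python
"""Detecting C2 beaconing from outbound connection records.

Added example, not from the original slides. Input format is an assumption:
(unix_timestamp, src_ip, dst_ip, dst_port) as a firewall or NetFlow export
might yield after parsing.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data. 10.0.0.5 checks in with 203.0.113.10:443 roughly
# every five minutes with a few seconds of jitter; 10.0.0.7 browses a site
# at irregular, human-driven intervals; 10.0.0.9 connects only twice.
SAMPLE_CONNECTIONS = [
    (0, "10.0.0.5", "203.0.113.10", 443),
    (302, "10.0.0.5", "203.0.113.10", 443),
    (598, "10.0.0.5", "203.0.113.10", 443),
    (901, "10.0.0.5", "203.0.113.10", 443),
    (1199, "10.0.0.5", "203.0.113.10", 443),
    (1502, "10.0.0.5", "203.0.113.10", 443),
    (1799, "10.0.0.5", "203.0.113.10", 443),
    (0, "10.0.0.7", "198.51.100.20", 443),
    (15, "10.0.0.7", "198.51.100.20", 443),
    (400, "10.0.0.7", "198.51.100.20", 443),
    (410, "10.0.0.7", "198.51.100.20", 443),
    (1300, "10.0.0.7", "198.51.100.20", 443),
    (1303, "10.0.0.7", "198.51.100.20", 443),
    (1900, "10.0.0.7", "198.51.100.20", 443),
    (100, "10.0.0.9", "192.0.2.30", 80),
    (400, "10.0.0.9", "192.0.2.30", 80),
]


def interval_stats(timestamps):
    """Return (count, mean_interval, coefficient_of_variation) for one flow.

    CV = population stdev / mean of the inter-arrival times. A near-constant
    check-in period gives a CV close to zero; human traffic gives a large
    one. With fewer than two intervals the CV is undefined (None)."""
    ts = sorted(timestamps)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    if len(intervals) < 2:
        return len(ts), None, None
    m = mean(intervals)
    if m == 0:
        return len(ts), 0.0, None
    return len(ts), m, pstdev(intervals) / m


def find_beacons(connections, min_connections=6, max_cv=0.1):
    """Group connections by (src, dst, port) and return the flows whose
    inter-arrival times are regular enough to look like a beacon."""
    flows = defaultdict(list)
    for ts, src, dst, port in connections:
        flows[(src, dst, port)].append(ts)
    findings = []
    for key, stamps in flows.items():
        count, m, cv = interval_stats(stamps)
        if count >= min_connections and cv is not None and cv <= max_cv:
            findings.append({"flow": key, "connections": count,
                             "period_s": round(m, 1), "cv": round(cv, 3)})
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_CONNECTIONS):
        src, dst, port = f["flow"]
        print(f"{src} -> {dst}:{port} every ~{f['period_s']}s "
              f"({f['connections']} connections, cv={f['cv']})")
```

Real implants add jitter and sleep through working hours, so the CV threshold and minimum connection count need tuning against your own baseline; the point of the example is that the signal lives in timing, not in the payload, so it survives encryption.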
Exfiltration
Once the threat actor locates the data they are after, they usually compress it and send it out. Typical targets:
- Intellectual property
- PII
- Government data
Importance of knowing these TTPs
These APT TTPs are commonly known in the security world as the Kill Chain (the Lockheed Martin intrusion kill chain):
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command & Control
7. Exfiltration
The Anatomy of an Attack
[Timeline diagram. Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/hilf.pdf)]
Attacker timeline: Surveillance, Target Analysis, Access Probe, Attack Set-up, System Intrusion, Attack Begins, Cover-up Starts, Discovery / Persistence, Leap Frog Attacks, Attack Complete, Cover-up Complete, Maintain foothold.
Defender timeline: Physical Security, Threat Analysis, Attack Forecast, Defender discovery, Monitoring & Controls, Attack Identified, Incident Reporting, Containment & eradication, Impact Analysis, Damage Identification, System Reaction, Response, Recovery.
The interval between the intrusion and the defender's discovery is ATTACKER FREE TIME. Two needs follow: collapse attacker free time, and identify attack precursors.
What Can You Do About APTs?
- Focus on breaking the kill chain before exfiltration
- Develop a proactive approach to the detection of APTs
- Understanding the methodologies used by attackers allows organizations to select safeguards and security controls to counter the threat
Customers Breached by Hackers, APTs or Malicious Code
Companies that have been compromised (examples)
Security Today (and for the last 5 years)
Traditional Security is Not Working
- 99% of breaches led to compromise within days or less, with 85% leading to data exfiltration in the same time frame
- 85% of breaches took weeks or more to discover
Source: Verizon 2012 Data Breach Investigations Report
Transforming Security
Address the pervasiveness of dynamic, focused adversaries.
Traditional security: signature-based, perimeter oriented, compliance driven.
Advanced security: agile, definitive, intelligent; built for the advanced threat.
Goals: close the risk gap, deliver new intelligence, enable agility.
Security Paradigm Shift
Shift from a perimeter-based security model to an intelligence-based model:
- Risk-based
- Agile
- Contextual
- Information sharing with peers, government, etc.: intel cannot just be gathered internally, it also needs to come from external sources
- Pattern recognition
- Predictive
- Big-data analytics
Today's tools need to adapt
Today's tools need to be able to detect and investigate:
- Lateral movement of threats as they gain a foothold
- Covert characteristics of attack tools, techniques and procedures
- Exfiltration or sabotage of critical data
Today's tools need to be able to scale:
- To collect and store the volume and diversity of data required
- To provide analytic tools to support security work streams
Time to respond is critical in a breach situation, and SIEM often falls short.
Integrated Advanced Security: Manage Governance, Risk and Compliance
[Diagram: the "Threats are Everywhere" enterprise map (Enterprise HQ, Remote Offices, Retail Stores, Distribution Centers, Service Provider, Virtualization, Cloud Computing & other ISPs, Mobile Workers, Telecommuters, Supply Chain & Collaboration Partners, Consumers) surrounded by a GRC management loop applied to identities, information and infrastructure]
Business drivers -> Governance, Risk and Compliance Management dashboard -> Define policies -> Policies and processes -> Controls -> Protect and defend -> Monitor / Detect -> Investigate -> Remediate -> Update controls.
SIEM has been a good start
SIEM can provide:
- Valuable reporting on device and application activity
- Basic alerting on known sequences (i.e. basic correlation)
- Proof of compliance for internal and external auditors
- A central view into the disparate event sources being collected
In today's world:
- Threats are multi-faceted, dynamic and stealthy
- The most dangerous attacks have never been seen before
- Threats often don't leave a footprint in logs
Introducing RSA Security Analytics
What is RSA Security Analytics?
RSA Security Analytics is RSA's platform for:
- Security monitoring
- Incident investigation
- Malware analytics
- Log compliance reporting
It is the cornerstone of RSA's Security Management & Big Data strategy. Going beyond enVision and NetWitness, it is a new approach to security operations: the convergence of enVision (SIEM) with NetWitness high-speed analytics and forensics.
Suspect Attack Scenario
1. Spike in suspect network traffic: an IP address shows multiple RDP connections tunneled over a non-standard port
2. Authorized user logged in to AD: AD logs show a user logged in from the suspect IP with authorized credentials
3. Different user logged into VPN from the same IP: VPN logs show a different set of authorized credentials used to log into the VPN
4. Data exfiltration: an encrypted ZIP file is transferred out to the Internet via an FTP server
Only RSA Security Analytics can tell you the impact of the attack

Attack step                                                         Traditional SIEM   RSA Security Analytics
Alert for RDP tunneled over a non-standard port                     No                 Yes
Recreate activity of the suspect IP address across the environment  No                 Yes
Show user activity across AD and VPN                                Yes                Yes
Alert for different credentials used for AD and VPN                 Yes                Yes
Reconstruct the exfiltrated data                                    No                 Yes
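The four steps of the scenario are only an attack story once evidence from the network, AD, VPN and FTP sources is joined on the one thing they share, the suspect IP. The following is an added example of that correlation written as plain Python (it is not from the slides and not RSA's product). The record layouts are assumptions standing in for what a packet-analysis engine and log collectors would emit after parsing; in particular the "app" field models protocol identification from the payload rather than from the port, which is what lets step 1 catch RDP on 8443. All evidence is constructed inline.

```python
"""Correlating one suspect IP across network, AD, VPN and FTP evidence.

Added example, not the slides' or RSA's code. Record layouts are assumptions.
"""
from collections import defaultdict

# Constructed evidence for the scenario. The attacker at 203.0.113.50
# tunnels RDP over 8443 to a workstation, logs on to AD as jsmith, logs on
# to the VPN as mlee, and the workstation later pushes an encrypted ZIP out
# to an Internet FTP server. The 10.0.1.30 -> 10.0.1.40 RDP is normal admin
# traffic on the standard port and must not be flagged.
NETWORK = [
    {"ts": 100, "src": "203.0.113.50", "dst": "10.0.1.20", "dport": 8443, "app": "rdp"},
    {"ts": 105, "src": "10.0.1.30", "dst": "10.0.1.40", "dport": 3389, "app": "rdp"},
    {"ts": 110, "src": "203.0.113.50", "dst": "10.0.1.20", "dport": 8443, "app": "rdp"},
]
AD_LOGONS = [
    {"ts": 120, "user": "jsmith", "src": "203.0.113.50", "host": "10.0.1.20"},
    {"ts": 125, "user": "aturner", "src": "10.0.1.30", "host": "10.0.1.40"},
]
VPN_LOGONS = [
    {"ts": 130, "user": "mlee", "src": "203.0.113.50"},
]
FTP_TRANSFERS = [
    {"ts": 900, "src": "10.0.1.20", "dst": "198.51.100.77", "file": "backup.zip",
     "direction": "upload", "encrypted": True, "bytes": 48_000_000},
]

RDP_STANDARD_PORT = 3389


def rdp_on_nonstandard_port(network):
    """Step 1: RDP identified by payload inspection but not on 3389."""
    return [r for r in network
            if r["app"] == "rdp" and r["dport"] != RDP_STANDARD_PORT]


def credentials_seen_from(ip, ad_logons, vpn_logons):
    """Steps 2 and 3: which accounts authenticated from this IP, per source."""
    return {
        "ad": sorted({r["user"] for r in ad_logons if r["src"] == ip}),
        "vpn": sorted({r["user"] for r in vpn_logons if r["src"] == ip}),
    }


def suspicious_uploads(hosts, ftp_transfers):
    """Step 4: encrypted archives leaving the internal hosts the attacker reached."""
    return [t for t in ftp_transfers
            if t["src"] in hosts and t["direction"] == "upload" and t["encrypted"]]


def correlate(network, ad_logons, vpn_logons, ftp_transfers):
    """Walk the four steps and return one finding per suspect source IP."""
    reached = defaultdict(set)  # suspect external IP -> internal hosts it reached
    for r in rdp_on_nonstandard_port(network):
        reached[r["src"]].add(r["dst"])
    findings = []
    for ip, hosts in reached.items():
        creds = credentials_seen_from(ip, ad_logons, vpn_logons)
        # One source IP using different valid accounts for AD and VPN is
        # the slide's tell that stolen credentials are in play.
        mismatch = bool(creds["ad"] and creds["vpn"]
                        and set(creds["ad"]) != set(creds["vpn"]))
        findings.append({
            "suspect_ip": ip,
            "hosts_reached": sorted(hosts),
            "credentials": creds,
            "credential_mismatch": mismatch,
            "exfil": suspicious_uploads(hosts, ftp_transfers),
        })
    return findings


if __name__ == "__main__":
    for f in correlate(NETWORK, AD_LOGONS, VPN_LOGONS, FTP_TRANSFERS):
        print(f"{f['suspect_ip']} reached {f['hosts_reached']}")
        print(f"  AD accounts {f['credentials']['ad']}, VPN accounts "
              f"{f['credentials']['vpn']} -> mismatch={f['credential_mismatch']}")
        for t in f["exfil"]:
            print(f"  encrypted upload {t['file']} ({t['bytes']} bytes) to {t['dst']}")
```

Note what each row of the table above corresponds to: steps 2 and 3 need only logs and a join on the IP, which is why a log-only SIEM scores "Yes" there, while step 1 and the reconstruction of the exfiltrated archive need the packet data itself.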
Investigation Scenario
1. Find the workstation acting as a spam host: multiple outbound SMTP connections and multiple Internet DNS connections from the workstation
2. Find out how the workstation got infected: the user clicked on a link and was infected by a Trojan from a drive-by download
3. Recreate the phishing e-mail message: determine whether a targeted phishing attack is at play
4. Analyze the malware: determine whether targeted or vanilla malware is in use
Only RSA Security Analytics can tell if this is a targeted attack

Attack step                                                    Traditional SIEM   RSA Security Analytics
Alert for suspected spam host                                  Yes                Yes
Show all WWW requests where an executable was downloaded       No                 Yes
Recreate the email with the suspect link                       No                 Yes
Analyze malware and incorporate community intelligence         No                 Yes
Determine whether the attack is part of a targeted campaign    No                 Yes
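Steps 1 and 2 of the investigation scenario are a threshold detection followed by a pivot: flag the desktop that is speaking SMTP directly to many Internet mail servers (and resolving names itself), then look at what it fetched over the web in the minutes before the spamming started. The following is an added example of that logic (not from the slides, not RSA's product) over a parsed connection log and a parsed web-proxy log; both layouts, the thresholds and the executable content types are assumptions, and the log data is constructed inline.

```python
"""Finding a workstation that has turned into a spam host and pivoting back
to how it was infected. Added example; log layouts and thresholds are
assumptions.
"""
from collections import defaultdict

EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec",
                    "application/octet-stream"}
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".dll", ".jar")

# Constructed logs. 10.0.2.15 follows a link, pulls down update.exe, then
# starts resolving names on its own and talking SMTP to many Internet mail
# servers. 10.0.2.16 sends one message through the corporate relay: normal.
CONNECTIONS = [
    {"ts": 1000, "src": "10.0.2.15", "dst": "198.51.100.5", "dport": 80},
    {"ts": 1005, "src": "10.0.2.15", "dst": "198.51.100.5", "dport": 80},
    {"ts": 1290, "src": "10.0.2.15", "dst": "198.51.100.53", "dport": 53},
    {"ts": 1291, "src": "10.0.2.15", "dst": "198.51.100.53", "dport": 53},
    {"ts": 1292, "src": "10.0.2.15", "dst": "198.51.100.53", "dport": 53},
    {"ts": 1300, "src": "10.0.2.15", "dst": "192.0.2.10", "dport": 25},
    {"ts": 1301, "src": "10.0.2.15", "dst": "192.0.2.11", "dport": 25},
    {"ts": 1302, "src": "10.0.2.15", "dst": "192.0.2.12", "dport": 25},
    {"ts": 1303, "src": "10.0.2.15", "dst": "192.0.2.13", "dport": 25},
    {"ts": 1304, "src": "10.0.2.15", "dst": "192.0.2.14", "dport": 25},
    {"ts": 1305, "src": "10.0.2.15", "dst": "192.0.2.15", "dport": 25},
    {"ts": 1310, "src": "10.0.2.16", "dst": "10.0.0.25", "dport": 25},
]
PROXY = [
    {"ts": 1000, "src": "10.0.2.15", "url": "http://198.51.100.5/promo/index.html",
     "ctype": "text/html"},
    {"ts": 1005, "src": "10.0.2.15", "url": "http://198.51.100.5/promo/update.exe",
     "ctype": "application/octet-stream"},
    {"ts": 1020, "src": "10.0.2.16", "url": "http://198.51.100.9/news/",
     "ctype": "text/html"},
]


def find_spam_hosts(connections, min_distinct_mail_servers=5, min_dns=3):
    """Step 1: internal hosts speaking SMTP to many distinct servers and doing
    their own DNS lookups, which a desktop behind a relay normally never does."""
    mail_servers = defaultdict(set)
    dns_lookups = defaultdict(int)
    first_smtp = {}
    for r in connections:
        if r["dport"] == 25:
            mail_servers[r["src"]].add(r["dst"])
            first_smtp[r["src"]] = min(first_smtp.get(r["src"], r["ts"]), r["ts"])
        elif r["dport"] == 53:
            dns_lookups[r["src"]] += 1
    return [
        {"host": h, "distinct_mail_servers": len(d),
         "dns_lookups": dns_lookups[h], "first_smtp_ts": first_smtp[h]}
        for h, d in mail_servers.items()
        if len(d) >= min_distinct_mail_servers and dns_lookups[h] >= min_dns
    ]


def web_activity_before(host, before_ts, proxy, window_s=600):
    """Step 2: what the host fetched in the window before spamming started."""
    return [p for p in proxy
            if p["src"] == host and before_ts - window_s <= p["ts"] < before_ts]


def looks_executable(request):
    """Executable by declared content type or by the URL's file name."""
    url = request["url"].lower().split("?", 1)[0]
    return (request["ctype"] in EXECUTABLE_TYPES
            or url.endswith(EXECUTABLE_EXTENSIONS))


def investigate(connections, proxy):
    """Run steps 1 and 2 and hand the analyst the candidate dropper URLs."""
    results = []
    for host in find_spam_hosts(connections):
        prior = web_activity_before(host["host"], host["first_smtp_ts"], proxy)
        results.append({**host,
                        "prior_requests": [p["url"] for p in prior],
                        "candidate_droppers": [p["url"] for p in prior
                                               if looks_executable(p)]})
    return results


if __name__ == "__main__":
    for r in investigate(CONNECTIONS, PROXY):
        print(f"{r['host']}: {r['distinct_mail_servers']} mail servers, "
              f"{r['dns_lookups']} DNS lookups, first SMTP at t={r['first_smtp_ts']}")
        for url in r["candidate_droppers"]:
            print(f"  candidate dropper: {url}")
```

The proxy lookup only says which URL is worth pulling the full session for; steps 3 and 4 (recreating the mail and analysing the binary) need the captured payload, which is why the table scores a log-only SIEM "No" on those rows.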
Separating Bad from Good is Increasingly Difficult
Matches BAD: understand what bad looks like and look for similarities
- Antivirus
- Intrusion prevention systems
- Thresholds exceeded
Differs from GOOD: understand what good looks like and look for meaningful differences
- Network analysis and baselining
- Anomaly detection
- Predictive failure analysis
Key point: increasingly sophisticated models of both good and bad are needed. Better models require more data and analytics.
Security Analytics Methodology: Ripping away the hay with automated queries
Start with all network traffic and logs, then:
- SHOW ME all downloads of executable content (pdf, doc, exe, xls, jar, etc.)
- SHOW ME files where the file type does not match the extension
- ALERT ME for sessions to/from critical assets
No SIEM will let you do this!
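The three queries on the slide all depend on looking at the bytes of the session rather than the names in the logs: a PE file served as invoice.pdf has the extension "pdf" in every proxy log but starts with "MZ" on the wire. The following is an added example (not from the slides, not RSA's product) that runs all three queries over captured download sessions. The session layout, which embeds the first bytes of each response body next to the URL, and the critical-asset list are assumptions; the signatures are the standard file magic numbers, and the sessions are constructed inline.

```python
"""Three "rip away the hay" queries over captured HTTP download sessions.
Added example; the session layout and the critical-asset list are assumptions.
"""
import os
from urllib.parse import urlparse

# (leading bytes, sniffed type). The signatures do not overlap.
MAGIC = [
    (b"MZ", "exe"),                                # PE executables, DLLs, SCR
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),                        # zip, jar, docx/xlsx/pptx, apk
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy doc/xls/ppt, msi
    (b"\xca\xfe\xba\xbe", "class"),                # Java class file
]
# Extensions under which each sniffed type is legitimately served.
EXPECTED_EXT = {
    "exe": {"exe", "dll", "scr", "sys", "cpl"},
    "pdf": {"pdf"},
    "zip": {"zip", "jar", "docx", "xlsx", "pptx", "apk"},
    "ole": {"doc", "xls", "ppt", "msi"},
    "class": {"class"},
}
CRITICAL_ASSETS = {"10.0.1.5"}  # assumption: e.g. the domain controller

# Constructed sessions: the first bytes of each response body are embedded.
SESSIONS = [
    {"src": "10.0.3.10", "dst": "198.51.100.40", "url": "http://198.51.100.40/invoice.pdf",
     "body": b"MZ\x90\x00\x03\x00\x00\x00"},                 # PE served as a PDF
    {"src": "10.0.3.11", "dst": "203.0.113.8", "url": "http://203.0.113.8/report.docx",
     "body": b"PK\x03\x04\x14\x00\x06\x00"},                 # genuine docx (zip)
    {"src": "10.0.3.12", "dst": "203.0.113.8", "url": "http://203.0.113.8/images/logo.jpg",
     "body": b"\xff\xd8\xff\xe0\x00\x10JFIF"},               # genuine JPEG
    {"src": "10.0.3.13", "dst": "192.0.2.77", "url": "http://192.0.2.77/photo.jpg",
     "body": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00"},   # OLE document as a JPEG
    {"src": "10.0.3.14", "dst": "192.0.2.77", "url": "http://192.0.2.77/update?id=7",
     "body": b"MZ\x90\x00\x03\x00\x00\x00"},                 # PE with no extension
    {"src": "203.0.113.50", "dst": "10.0.1.5", "url": "http://10.0.1.5/admin/",
     "body": b"<html>"},                                      # external IP to critical asset
]


def sniff_type(body):
    """Classify a response by its leading bytes; None if no known signature."""
    for magic, kind in MAGIC:
        if body.startswith(magic):
            return kind
    return None


def url_extension(url):
    """Extension claimed by the URL path, lower-cased, without the dot."""
    path = urlparse(url).path
    return os.path.splitext(path)[1].lower().lstrip(".")


def executable_downloads(sessions):
    """SHOW ME all downloads of executable/active content, judged by the
    bytes rather than by the name the server gave the file."""
    return [s for s in sessions if sniff_type(s["body"]) is not None]


def extension_mismatches(sessions):
    """SHOW ME files where the sniffed type does not match the extension.
    Sessions with no extension cannot be judged and are left out."""
    out = []
    for s in sessions:
        kind = sniff_type(s["body"])
        ext = url_extension(s["url"])
        if kind and ext and ext not in EXPECTED_EXT[kind]:
            out.append((s["url"], kind, ext))
    return out


def critical_asset_sessions(sessions, critical=CRITICAL_ASSETS):
    """ALERT ME for sessions to/from critical assets."""
    return [s for s in sessions if s["src"] in critical or s["dst"] in critical]


if __name__ == "__main__":
    for s in executable_downloads(SESSIONS):
        print(f"executable content: {s['url']} ({sniff_type(s['body'])})")
    for url, kind, ext in extension_mismatches(SESSIONS):
        print(f"type/extension mismatch: {url} is {kind} but named .{ext}")
    for s in critical_asset_sessions(SESSIONS):
        print(f"critical asset session: {s['src']} -> {s['dst']} {s['url']}")
```

Two caveats a practitioner will hit immediately: a zip signature covers docx and jar alike, so "zip" alone is not enough to call a download malicious, and a download with no extension at all (the update?id=7 case) shows up in the first query but cannot appear in the mismatch query; it still needs a human to look at it.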
Know Everything, Answer Anything
THANK YOU