Fighting Off an Advanced Persistent Threat & Defending Infrastructure and Data
Dave Shackleford
February 2012

Agenda
- Attacks we've seen
- Advanced threats: what does that mean?
- A simple example
- What can we do? A cycle: Prevent, Detect, React
What are we seeing? (2009-2010)
- The attacks are getting worse: more stealthy, more damaging, and aimed at longer-term compromises
- April 2009: US electrical grid compromised by Chinese and Russian hackers
- US Joint Strike Fighter Program compromised through contractor networks; the data was encrypted
- June 2010: Stuxnet discovered, affecting Siemens SCADA control systems

What are we seeing in 2011-2012?
- RSA breach in March 2011: token seed files compromised via an initial vector of social engineering (email) plus a 0-day Flash exploit
- Lockheed Martin compromised 2 months later with fake tokens; possibly other victims too, including Northrop Grumman
- Citigroup hacked in June 2011: 210,000 customer records exposed
- And there's plenty of hacktivist targeting happening with LulzSec and Anonymous
What's an APT?
- The APT IS: a more methodical, professional attack conducted by well-organized and possibly well-funded attackers
- The APT is NOT: just malware, or any one attack
- We've settled on this term for anything even remotely sophisticated or targeted. Is this a cop-out? Are all of these breaches that sophisticated at all?

The APT: An Attack Cycle
The APT is really an attack cycle:
- Reconnaissance
- Intrusion
- Backdoors and persistence
- Advancement: privilege escalation, data theft, additional attacks
- Maintenance
[Cycle diagram with the labels Recon, Initial intrusion, Backdoors & malware, Advancement, Maintenance, looping back to Recon]

Advanced Attack Methods?
The methods, techniques, and technology we see now, more than ever:
- Social engineering, especially phishing
- Use of 0-day exploits
- HTTP and HTTPS C&C channels
- Memory-resident payloads
- Use of common document formats for delivery, such as PDF, DOC, XLS, etc.
- Focus on client-side software exploits
- Data-stealing code components
A Targeted Attack Example
- A competitor wants to gain access to R&D documents
- They decide to target the firm's engineers
- Step 1: Recon
- Step 2: Targeted attack
- Step 3: Gaining access
- Step 4: Command and control
- Step 5: Data access/exfiltration

Step 1: Recon
- Twitter
- Starbucks (sniffing on the coffee-shop network)
- Captured: email address (engineer@gmail.com), friend's email (engineer2@gmail.com), interests (www.techstuff.com)

Step 2: Targeted Attack
- Hey look! An email from Engineer2. With a catalog attached!
- Spoofed, of course
- Most certainly clicking here

Step 3: Gaining Access
- The PDF gets clicked. Code gets dropped. The backdoor is opened.

Step 4: Command & Control
- The attacker connects back to the listening port
- A more likely scenario would be the other way around: an outbound shell ("shoveling shell") or a more robust bot/rootkit

Step 5: Adios to the Data
- At this point, the attacker could do any number of things to get more sensitive data out:
- FTP/SFTP
- SSH/SCP
- Custom encrypted channels (Base64/UDP)
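A defender-side triage for the kind of attachment used in Step 3 (and for the "common document formats for delivery" method listed earlier), added here as an example and not taken from the slides: it counts the PDF name objects that mark auto-executing or active content, after undoing the #xx hex escapes that evasive samples use to hide those names. The marker list, the verdict thresholds and the sample PDF are constructed for the example; this is not a full PDF parser.

```python
import re
from collections import Counter

# Name objects whose presence usually means the document runs something on
# open or carries active content. Constructed list for this example.
RISKY_NAMES = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
               b"/EmbeddedFile"]
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed sample: a tiny PDF whose catalog runs JavaScript on open, with
# the action name hex-escaped (/J#61vaScript) as evasive samples often do.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert('catalog')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

def normalize_names(data: bytes) -> bytes:
    """Undo PDF name hex escapes (/J#61vaScript -> /JavaScript) so that
    obfuscated names are counted exactly like plain ones."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def count_risky_names(data: bytes) -> Counter:
    """Count each risky name object in the (normalized) PDF bytes."""
    text = normalize_names(data)
    counts = Counter()
    for name in RISKY_NAMES:
        # A name token ends at a delimiter, so /JS must not match /JSX.
        hits = re.findall(re.escape(name) + rb"(?![A-Za-z0-9_])", text)
        if hits:
            counts[name.decode()] = len(hits)
    return counts

def triage(data: bytes) -> dict:
    """Verdict: auto-execution plus active content -> quarantine; either alone -> review."""
    counts = count_risky_names(data)
    auto_exec = bool(counts.get("/OpenAction") or counts.get("/AA"))
    active = bool(counts.get("/JavaScript") or counts.get("/JS") or counts.get("/Launch"))
    if auto_exec and active:
        verdict = "quarantine"
    elif auto_exec or active:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "counts": dict(counts)}
```

Real samples also hide names inside compressed object streams, so a byte scan like this is a first filter, not a substitute for decompressing the file before inspection.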
Today's Security Programs
[Diagram: inputs of $$$, people, security information and tools, feeding the goals Decrease Risk, Increase Security, Maintain Compliance]
How most security shops spend their time
Changing our Risk Profile
Today's attacks require a different focus:
1. Prevention techniques should protect you from 80% or more of the issues
2. Detection techniques should be focused on continuous monitoring
3. Reaction capabilities are inevitable, and should be focused on speed and thoroughness
With 90% of the effort on detection and reaction, we are just doing knee-jerk security. This is bad.
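One concrete piece of the continuous monitoring called for above, written for the HTTP/HTTPS C&C channels and outbound shells described in the attack methods and in Step 4: an added example, not from the slides, that reads proxy log lines and flags client/host pairs whose connections recur at a nearly constant interval (a beacon). The log format, the constructed log lines and the thresholds (at least 5 hits, coefficient of variation of the gaps at most 0.2) are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: timestamp, client, method, destination.
# 10.0.0.7 -> updates.example.net is a steady 60 s beacon; the rest is browsing.
LOG_LINES = """\
2012-02-01T09:00:00 10.0.0.7 CONNECT updates.example.net:443
2012-02-01T09:00:05 10.0.0.9 GET news.example.org:80
2012-02-01T09:01:00 10.0.0.7 CONNECT updates.example.net:443
2012-02-01T09:02:00 10.0.0.7 CONNECT updates.example.net:443
2012-02-01T09:02:44 10.0.0.9 GET news.example.org:80
2012-02-01T09:03:00 10.0.0.7 CONNECT updates.example.net:443
2012-02-01T09:04:00 10.0.0.7 CONNECT updates.example.net:443
2012-02-01T09:05:00 10.0.0.7 CONNECT updates.example.net:443
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse(lines):
    """Yield (timestamp, client, host) tuples; lines that do not match are skipped."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _method, dest = m.groups()
        yield datetime.fromisoformat(ts), client, dest.split(":")[0]

def find_beacons(lines, min_hits=5, max_cv=0.2):
    """Return {(client, host): {"hits", "period_s", "cv"}} for pairs whose
    inter-connection gaps are nearly constant (cv = stdev / mean of the gaps)."""
    seen = defaultdict(list)
    for ts, client, host in parse(lines):
        seen[(client, host)].append(ts)
    beacons = {}
    for key, stamps in seen.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:          # duplicate timestamps only; nothing periodic to measure
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:      # tolerates the jitter real beacons add to their sleep
            beacons[key] = {"hits": len(stamps), "period_s": avg, "cv": cv}
    return beacons
```

Legitimate software updaters beacon too, so the hits are a candidate list to enrich with destination reputation and process context, not an alert on their own.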
Prevention: Education
- Educating users about the dangers of the Internet (!) is important:
- Browsing safely
- Not giving out personal or sensitive information over the phone
- Separating work and personal life on social media networks
- Being wary of links and emails with attachments
- However, many security awareness programs don't seem to work well. Why?

Prevention: Communication
- Risk needs to be articulated in audience-specific formats
- What are the best ways to communicate and work with groups internally and externally?
- Internally: proactive communications. Share news stories and new threat information with executive management, IT management, and employees (via newsletter or intranet)
- Externally: develop and nurture contacts and relationships with law enforcement, ISPs, and key partners and customers
- Set a threshold or trigger for when to communicate potential issues

Prevention: Testing Yourself
- Find holes before attackers do!
- Prove to skeptical management that security issues exist
- Raise overall security awareness
- Verify secure system configurations
- Test new technology
- Discover gaps in compliance posture and satisfy legal, industry, and/or governmental requirements such as HIPAA, SOX, or PCI DSS

Prioritized and risk-focused remediation guidance
- Define what is important to you in terms of risk:
- Confidentiality for PII and other data?
- Availability concerns with systems and apps?
- Integrity against MitM and other attacks?
- Build on this for the report
- Ensure both attacks and successful exploits are framed in the context of your business priorities
- Any VA/PT should be focused on your actual risks, not just a scan or exploit to prove you're vulnerable

Pen Testing Metrics
- What kinds of metrics make sense for penetration testing and vulnerability assessments?
- For more continual vulnerability assessments:
- Number of vulnerabilities found
- Criticality and types of vulnerabilities
- Percentage of systems/apps scanned
- Number of unowned or questionable assets detected
- For penetration tests, the key is a baseline:
- How many critical vulnerabilities were found vs. the last test?
- User accounts / passwords compromised
- Data records accessed (or similar)
The Rub: Wrapping Up
- The APT is not malware, or one specific type of attack
- Any targeted attack with forethought, custom exploits or malware, and social engineering will likely fall into the APT realm
- Embedded document code is a very common attack vector
- We have a huge gap in our risk profile right now: PROACTIVE ASSESSMENT
- Better knowledge of attack vectors = better security overall

Final Discussion & Questions
Thanks for attending!