Advanced Attack Groups (Objectives, Tactics, Countermeasures)
February 27, 2013
© Copyright 2010

MANDIANT CORPORATION

Computer Information Security
Consulting
Software: Host Inspection/Network Monitoring Tools
Enterprise-Wide Intrusion Investigations
Financial Crimes, National Security Compromises
380+ Investigations Since 2008, >2M and >20K Hosts
Offices: DC, NYC, LA, San Francisco
PCI PFI Certified, FS-ISAC Affiliate Member, GCHQ/CESG/CPNI Cyber Incident Response Pilot

Agenda

Information Targeted By Attackers
Attack Group Profiles
Intrusion Case Examples
Investigative Approach
Why It Continues To Happen
Countermeasures – Strategic and Tactical
The Future
Questions and Answers

Targeted Information

Information Targeted By Attackers

Category      Objective                      Examples
Financial     Personally Identifiable Info   Identity Theft Or Inadvertent Loss
              ATM Withdrawals                RBS Worldpay $9.3M
              Payment Card Data              TJX, Hannaford, Heartlands
              ACH Transactions               Finance Person Targeted
Intelligence  Intellectual Property          Corporate Misdeeds
              Corporate Strategy             Senior Exec E-Mail
              Attorney/Client Comm           Gipson Hoffman & Pancione
              R&D Material                   Many Industries
              Government Plans               Democratic Nat’l Committee
              Military Secrets               F35 Lightning Fighter Jet
              Energy Infra Architecture      Rumored Data Collection
Other         Destruction/Disruption/Leaks   Insiders, Hacktivists

Major Attack Groups

The Rogue/The Disgruntled

Not As Sophisticated Or Practiced
Limited Resources Available
Smallest Impact
Easier To Investigate Than Other Actors

Hacktivists

Focused On Notoriety/Cause
Loosely Organized: Small Groups
Low (Follow Script) To Moderate (SQL Injection) Skills
Frequent Use Of Publicly Available Tools
Capitalize On Common Security Vulnerabilities
More Disruptive Than Dangerous

Organized Crime

Financially Motivated: Obtain/Sell Info
Good Bankers: Understand ATM/PIN/HSM
Microsoft-Centric: Bypass Mainframe, AS/400
Highly Automated: Move Fast, Reuse Tools
Compromise More Systems Than Used
Persistence Has Not Been A Hallmark


The Advanced Persistent Threat

Focused On Intelligence Gathering and Occupation
Target Specific Organizations
Nation State Sponsored

What It Is Not:
− Botnet/Worm
− Script Kiddies
− Financial Criminals
− “Simplistic” Malware

How The APT Is Different

Motivation & Tenacity
− Their goal is occupation
− Persistent access to network resources
− Political and economic insight
− Future use / fear / deterrent

Organization & Orchestration
− Division of labor
− Malware change management
− Escalation only as necessary
− Countermeasures increase attack sophistication

Technology
− Custom Malware
− Leverage various IP blocks to avoid filtering and detection
− Few sustainable signatures (pack & modify binaries)
− Malware recompiled days before installation
− Constant feature additions
− VPN Subversion
− Encryption

Intrusion Examples

Scareware

Ill-Advised Browsing
iFrame Popup With Virus Warning
Install Rootkit Malware (Broad Functionality)
Charge Victim’s Payment Card
Harvest Victim’s Payment Card Information

Valid Transaction, Rarely Reported
Millions Of Victims
User Awareness Is Primary Defense

Typical APT Attack - Conglomerate

Law Enforcement Notification: April 2010
2007 Phishing Email Attack (Conference Attendance)
93 Systems Compromised
Five Attack Groups Active Concurrently/Independently
Lost Credentials: User, Domain Admin, Service Accounts
1 GB Of Email, Credentials (Incremental Only)
Attacker Focus: Green Fuel Materials, R&D, Mfg Data

Financial Services Attack

Law Enforcement Notification
Server Misconfiguration Attack Vector
In Network Two Months Prior to Theft
Moved Laterally With Blank SA Passwords, RDP
Dumped Credentials From Domain Controller
Compromised/Accessed ~350 Systems
Dumped Several Dozen Records from Target Database
Determined PINs Using IVR Web Service
Made $13M In Withdrawals At 2,300 ATMs
Repeated Attacks from Unmanaged Infrastructure

Investigation: How Do We Investigate?

Conducting Investigations

Determine Incident History, Steps Taken, Technical Environment, Objectives
Collect Relevant Data
Increase Monitoring And Enterprise-Wide Inspection Capabilities As Needed
Conduct Forensic, Log and Malware Analysis To Identify Network And Host-Based Indicators Of Compromise
Identify Attack Vector, Attacker Activities, Compromised Systems/Accounts, Data Exposure
Report Status, Findings, Remediation Recommendations

Investigative Cycle

Primary Sources of Information
− Host inspection
− Full network monitoring/analysis
− Log analysis: near real-time and historical
− Malware reverse engineering
− Systems inspection: live response analysis, in-depth forensic analysis, memory analysis

Successful Investigations Require

Technical Expertise:
− Forensics, Malware, Log Analysis

Investigative Skills:
− Organize The Situation
− Understand The Attacker
− Recognize/Take The Right Next Step

Management Skills:
− Identification/Elimination of Obstacles
− Communication Skills: When/How Needed

Why Does It Continue To Happen?

Why Does It Continue To Happen?

1. Limited Awareness of:
− The Threats/Attackers/Actors and Their Motives
− What is Possible: Advanced Phishing, Defeating Two-Factor, Obtaining Valid Credentials

2. Lack of Understanding of Actual Attacker Tactics:
− Hacking Web Apps or Staging Phishing Campaigns?
− Using Cached Credentials or Attacking Domain Controllers?
− Using Backdoors, VPN Accounts or Web Shells?

Why Does It Continue To Happen?

3. Tendency to Focus on “Security Best Practices”
− Instead of What Attackers Actually Do

4. Lack of Visibility:
− Inadequate Logging - Detail/Retention
− Unmanaged Infrastructure
− Unreconciled M&A Activity

5. Operational Expediency:
− Two-Factor Authentication Is Hard to Administer
− Dealing With Multiple Complex Passwords Creates Issues
− Network Segmentation Makes App Deployment Difficult

Why Does It Continue To Happen?

6. Misplaced Faith in Compliance Audits:
− Last 50 PCI Breaches – How Many Were Compliant?

7. Spend Money Instead of Time:
− Solving Problems with Technology Is Appealing
− Fixing People Problems Is Hard
− Fixing Process Problems Is Hard/Boring

Addressing The Issues

Addressing The Issues - Strategic

1. Educate Your People, Clients, Suppliers, Partners:
− Security Awareness, Attacker Profiles/Tactics

2. Turn Up Logging/Monitoring, Gain Visibility

3. Obtain Senior Management Awareness/Support

4. Invest in “Appropriate Practices”:
− Focus on People and Process First
− Implement Technology That Addresses True Issues:
  Install Whitelisting on Domain Controllers
  Establish/Enforce Strong Passwords: User, Admin, Service
  Limit Number of Cached Local Credentials

5. Recognize That Execution Trumps Strategy

Addressing The Issues - Tactical

1. Understand What They Do And Take It Away
2. Conduct In Parallel With Investigation
3. Rebuild Systems
4. Whitelist Domain Controllers
5. Remove Local Admin Rights
6. Conduct Enterprise-Wide Credential Change
7. Increase Logging
8. Establish Host Inspection Capability
9. Establish Network Monitoring Capability
10. Segment Networks
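Both the strategic list (limit cached local credentials) and the tactical list (remove local admin rights) describe host settings that can be audited. The PowerShell below is an added example, not code from the Mandiant deck: it reads the standard Winlogon CachedLogonsCount value and the local Administrators group and prints a remediation command for each deviation without running it. The thresholds (1 cached logon on workstations, 0 on servers) and the allowed-admin baseline are assumptions to adjust to your own policy.

```powershell
# Added audit script, not from the Mandiant deck. Read-only: reports deviations
# from two countermeasures the deck lists (limit cached local credentials,
# remove local admin rights) and shows, but does not run, the fix for each.
# Assumptions (adjust to your baseline): at most 1 cached domain logon on
# workstations and 0 on servers; only the built-in Administrator account and
# the Domain Admins group belong in the local Administrators group.

$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ProductType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
$MaxCached = if ($ProductType -eq 1) { 1 } else { 0 }   # 1 = workstation, 2/3 = server
$AllowedAdmins = @('Administrator', 'Domain Admins')

$findings = @()

# Check 1: CachedLogonsCount is a REG_SZ value; when the value is absent,
# Windows falls back to its default of 10 cached domain logons.
$raw = (Get-ItemProperty -Path $Winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
$cached = if ($null -eq $raw) { 10 } else { [int]$raw }
if ($cached -gt $MaxCached) {
    $findings += [pscustomobject]@{
        Check       = 'CachedLogonsCount'
        Observed    = $cached
        Expected    = $MaxCached
        Remediation = "Set-ItemProperty -Path '$Winlogon' -Name CachedLogonsCount -Value '$MaxCached'"
    }
}

# Check 2: every member of the local Administrators group outside the baseline.
foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
    $shortName = $member.Name.Split('\')[-1]   # drop the COMPUTER\ or DOMAIN\ prefix
    if ($AllowedAdmins -notcontains $shortName) {
        $findings += [pscustomobject]@{
            Check       = 'LocalAdministrators'
            Observed    = $member.Name
            Expected    = 'not a member'
            Remediation = "Remove-LocalGroupMember -Group 'Administrators' -Member '$($member.Name)'"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings: cached logon limit and local admin baseline are met.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it in an elevated PowerShell 5.1 or later session; Get-LocalGroupMember requires the built-in LocalAccounts module and local administrator rights to enumerate the group.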

Prioritizing Remediation Initiatives

[Figure: the attack lifecycle stages (Initial Recon, Initial Compromise, Establish Foothold, Escalate Privileges, Internal Recon, Move Laterally, Maintain Presence, Complete Mission) mapped against the remediation goals Detect, Inhibit and Respond, with the constraints Threat Intelligence, Operational Complexities, Resource Constraints, Operational Visibility and Business Drivers.]

The Future

The Future

We See Progress with Victim Organizations:
− Small Number Unable to Remove Attacker (<5%)
− Small Number Have Another Large Incident (<5%)
− Most Deal Effectively with Subsequent Attacks (90%+)

Greater Market Awareness
More Industry Collaboration
Recognize That “Victory” Is Minimizing Impact

Questions and Answers