The Anatomy of a Targeted Attack Eric Chien Distinguished Engineer

The Anatomy of a Targeted Attack - Veritasvox.veritas.com › legacyfs › online › veritasdata › 1.30pm_1435... · 2016-07-04 · SYMANTEC VISION 2014 A targeted attack is an


SYMANTEC VISION 2014

A targeted attack is an attack on a narrow set of recipients based on their association with a targeted organization in order to gain access to intellectual property and confidential information.


91% increase in targeted attacks in 2013


5 Stages

RECONNAISSANCE

INCURSION

DISCOVERY

CAPTURE

EXFILTRATION


RECONNAISSANCE


INCURSION

spear phishing email

watering hole websites


Trojan.Naid


DISCOVERY

Trojan.Naid

Domain Controller


C:\> ipconfig /all

C:\> net localgroup administrators

C:\> net localgroup administrators /domain

C:\> net group "domain admins" /domain

C:\> net view /domain

C:\> net view

C:\> netstat -an -p tcp

C:\> nbtstat -a

Trojan.Naid
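Detection logic for the command sequence on this slide, added here as an example and not part of the original presentation: it flags a host/user pair that runs several of the listed enumeration commands within a short window of process-creation events. The event tuples, host and user names, the five-minute window and the threshold of three distinct commands are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# One pattern per enumeration command shown on the Discovery slide.
PATTERNS = {
    "ipconfig_all":  r'\bipconfig(\.exe)?\s+/all\b',
    "local_admins":  r'\bnet1?(\.exe)?\s+localgroup\s+administrators\b',
    "domain_admins": r'\bnet1?(\.exe)?\s+group\s+"?domain admins"?\s+/domain\b',
    "net_view":      r'\bnet1?(\.exe)?\s+view\b',
    "netstat":       r'\bnetstat(\.exe)?\s+-an\b',
    "nbtstat":       r'\bnbtstat(\.exe)?\s+-a\b',
}
COMPILED = {k: re.compile(v, re.IGNORECASE) for k, v in PATTERNS.items()}

def classify(cmdline):
    # Return the discovery category a command line falls into, or None.
    for name, rx in COMPILED.items():
        if rx.search(cmdline):
            return name
    return None

def find_discovery_bursts(events, window=timedelta(minutes=5), min_distinct=3):
    """Alert when one host/user runs >= min_distinct categories within window."""
    hits = defaultdict(list)
    for ts, host, user, cmd in events:
        kind = classify(cmd)
        if kind:
            hits[(host, user)].append((datetime.fromisoformat(ts), kind))
    alerts = []
    for (host, user), seq in hits.items():
        seq.sort()
        start = 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window:
                start += 1  # slide the window forward
            kinds = sorted({k for _, k in seq[start:end + 1]})
            if len(kinds) >= min_distinct:
                alerts.append((host, user, kinds))
                break  # one alert per host/user pair
    return alerts

# Constructed process-creation events: (timestamp, host, user, command line).
SAMPLE_EVENTS = [
    ("2014-05-06T09:00:05", "WS-042", "jdoe", "ipconfig /all"),
    ("2014-05-06T09:00:21", "WS-042", "jdoe", "net localgroup administrators"),
    ("2014-05-06T09:00:40", "WS-042", "jdoe", 'net group "domain admins" /domain'),
    ("2014-05-06T09:01:02", "WS-042", "jdoe", "netstat -an -p tcp"),
    ("2014-05-06T09:00:00", "HD-01", "itadmin", "ipconfig /all"),
    ("2014-05-06T14:30:00", "HD-01", "itadmin", "netstat -an -p tcp"),
]
```

Each command is routine on its own; the signal is several of them from one account on one machine in quick succession, so the window and threshold need tuning against normal administrative activity.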


CAPTURE

Trojan.Naid

Domain Controller

crack passwords


EXFILTRATION

Trojan.Naid

Domain Controller



The Kill Chain

Email security (.cloud)

Intrusion prevention system (IPS)

Generic exploit protection (Canary)

Reputation (Insight)

Antivirus

Behavior blocking (SONAR)

System lockdown (CSP)

Two-factor authentication (VIP)

Data leakage prevention (DLP)

No Administrator Proxy

C2 server


Thank you!

Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
