SEC204
Advanced Persistent Threat: targeted cyber attacks. Is resistance futile?
Andrey Beshkov, Information Security Program Manager, Microsoft
Contents
• What is an APT
• Current state of the APT industry
• Impact of APT on the IT industry
• Options for detecting APT
• Defending against APT
What is going on?
Hundreds of organizations have been breached and compromised.
Can that really be true??? Hundreds?
APT
Advanced Persistent Threat
Not every attack is an APT…
Advanced Persistent Threat: how does it differ from the usual attacks?
• Well organized. A professional team is at work, for months on end if necessary, in shifts or from 9:00 to 18:00 with a lunch break.
• They know exactly what they are hunting for and what they want.
• They steal secrets or intellectual property.
• They use any kind of attack, from physical intrusion to recruiting insiders and exploiting fresh vulnerabilities.
• They intend to stay inside the victim forever.
• They adapt to defensive measures and do not give up.
• They come back at the first opportunity.
• No intention to destroy the infrastructure or kill the victim.
Advanced Persistent Threat: who?
Advanced Persistent Threat: what is it, then?
Targeted attacks using widely available automated tools, executed in a coordinated manner by an unknown group of people, persistently and with sufficient professionalism, with the aim of achieving long-term strategic goals.
Advanced Persistent Threat: why?
Our emergency response and disaster recovery plan
Advanced Persistent Threat: what to do?
• Prevention
• Recovery
– INTERNAL ONLY
Advanced Persistent Threat: What to do? - Prevention
• Raise awareness
• Raise the bar
• Adopt a risk-based strategy
• Defense in depth
• Expect to be compromised
Advanced Persistent Threat: What to do? - Recovery
The Perfect Plan
• Close all internet / remote access
• Change all passwords
• Rebuild Active Directory
• Rebuild all hosts from scratch
• Update all software, defenses, policies
• Fix vulnerabilities
• Restore data and legitimate applications
• Educate end-users
• Turn everything back on

• You can’t clean a compromised system by patching it.
• You can’t clean a compromised system by removing the back doors.
• You can’t clean a compromised system by using some “vulnerability remover.”
• You can’t clean a compromised system by using a virus scanner.
• You can’t clean a compromised system by reinstalling over the existing installation.
• You can’t trust any data copied from a compromised system.
• You can’t trust the event logs on a compromised system.
• You may not be able to trust your latest backup.
The only way to clean a compromised system is to flatten and rebuild.
Advanced Persistent Threat: What to do? - Recovery
The “Perfect” Plan: not so much
• Too big
• Too complex
• Too costly
• Too disruptive
Which leaves… “Plan B”
Advanced Persistent Threat: What to do? - Plan B
Women and children first!
• Define & locate “Crown Jewels”
• Create a safe haven
• Move the crown jewels over
• Declare the old environment to be a Zoo or a Graveyard
Contoso
• Global enterprise, 200+ offices
• Outsourced, centralized IT
• Single-forest Active Directory, Windows 2000/2003/2008
• 100,000+ users/desktops, 10,000+ servers
What Happened At Contoso? (timeline, June to October 2009)
• Unusual logons of AD admin account → account disabled
• Malware found on 50+ servers and dozens of laptops → affected systems reimaged
• Service account logon detected
• Upload of new malware detected
• Most confidential data extracted
• Compromised DC → PSS case raised
• MS and ISP incident response team
• Help Desk procedures and remote access software extracted
• Silence... Initial breach?
• Malware installed on extranet server
How Did They Get In?
(diagram: Internet → DMZ → Intranet, with Contoso VPN-connected systems)
1. Exploit vulnerability
2. Placed malware
3. Cracked AD admin account
• RDP to internal systems
• Placement of malware
• Remotely executed commands
So what about IDS or AV?
Malware - Backdoors
File Name | Detection | Description
app.aspx | Backdoor:ASP/Aspy.A | ASPX Spy enables uploading of files through the web browser and executing them on the web server. Download: http://code.google.com/p/aspxspy/downloads/list
mt.exe | Backdoor:Win32/Agent.JT | Backdoor + password stealer
rebind.exe | Backdoor:Win32/Small | Remote command shell
web.asp | Backdoor:ASP/Ace | ASP backdoor
zwshlx.exe | Backdoor:Win32/Rat | Remote administration tool, backdoor
ver.exe | Backdoor:Win32/Remosh.A.dr | Multi-functional backdoor
sethc.exe | Backdoor:AutoIt/Acidoor.A | “Control panel applet” that provides a command shell

More Stuff From the Dark Side
File Name | Detection | Description
api.asp | HackTool:ASP/Oxess.A | Allows retrieval of websites, similar to a proxy
lcx.exe | Tool:Win32/Transmit | Proxy tool
app.s23.aspx | HackTool:ASP/Websniff.A | ASPX network sniffer and password stealer
hash.exe | HackTool:Win32/Gsecdump | Password dumper
tmplugin.dll | PWS:Win32/Lsagrab | LSA secrets dumping DLL
p.exe | HackTool:Win32/PWDump.A | Password dumper
fgdump.exe | HackTool:Win32/Fgdump | Tools to dump LSA secrets and other credentials
hash2.exe | (no detection listed) | Part of commercial password recovery tool (SAMInside)
hookmsgina.dll | PWS:Win32/Hine.A!dll | Password stealing hook
s.exe | Tool:Win32/Tcpportscan.D | Portscan utility

Random Bits and Pieces
File Name | Tool | Description
nc.exe | NetCat | Port scanner, tunneling, proxy, webserver
psexec.exe | Psexec | Telnet replacement, execute processes, remote console
rar.exe | RAR | Compression utility
portqry.exe | PortQuery | Utility to test TCP/IP connectivity
strexp.exe | StringExpander | String expander
testport.exe | TestPort | Portscan utility
powershell.exe | PowerShell | …
hyena.exe | Hyena | Active Directory administration tool
Malware Phone Home: DynDNS
…is-a-chef.com:
• contoso.is-a-chef.com
• northwind.is-a-chef.com
• tailspintoys.is-a-chef.com
• woodgrove.is-a-chef.com
Also: thruhere.net, office-on-the.net, selfip.com
Outbound Monitoring
Each packet of the ZW malware protocol contains “hW$.” (hex 68572413) at offset 0x42.
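The two indicator slides above (the dynamic-DNS phone-home domains and the ZW marker at offset 0x42) can be turned into simple outbound-monitoring checks. The following is an added example, not code from the deck or from the Microsoft response team it describes. Only the domain suffixes and the 68572413 marker at 0x42 come from the slides; the DNS log line format, the function names, and the sample log lines and packet are constructed assumptions.

```python
"""Outbound-traffic checks built from the indicators on the preceding slides.

Added example, not part of the original deck. The DNS log format, the helper
names and the sample data are assumptions; only the domain suffixes and the
"hW$." marker at offset 0x42 come from the slides.
"""
import re

# Dynamic-DNS parent domains the slide lists as phone-home infrastructure.
DYNDNS_SUFFIXES = ("is-a-chef.com", "thruhere.net", "office-on-the.net", "selfip.com")

# "ZW" protocol marker: bytes 68 57 24 13 ("hW$.") at payload offset 0x42.
ZW_MARKER = bytes.fromhex("68572413")
ZW_OFFSET = 0x42


def matches_dyndns(qname: str) -> bool:
    """True if the queried name is, or is a subdomain of, a listed dynamic-DNS domain."""
    name = qname.rstrip(".").lower()
    # Suffix match must include the dot so "notselfip.com" is not a false positive.
    return any(name == s or name.endswith("." + s) for s in DYNDNS_SUFFIXES)


# Assumed log line shape: "<timestamp> <client-ip> query: <name> <type>"
_DNS_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query: (?P<name>\S+) (?P<type>[A-Z]+)$")


def suspicious_dns_clients(lines):
    """Return {client_ip: [names]} for every query that hits a dynamic-DNS suffix."""
    hits = {}
    for line in lines:
        m = _DNS_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse rather than crash the monitor
        if matches_dyndns(m["name"]):
            hits.setdefault(m["client"], []).append(m["name"].rstrip("."))
    return hits


def is_zw_packet(payload: bytes) -> bool:
    """True if the payload carries the ZW marker at the documented offset.

    A payload shorter than offset+4 cannot carry the marker; slicing handles
    that without raising, so truncated captures are simply reported as clean.
    """
    return payload[ZW_OFFSET:ZW_OFFSET + len(ZW_MARKER)] == ZW_MARKER


# --- constructed sample data (not real captures) ---------------------------
SAMPLE_DNS_LOG = [
    "2009-10-02T09:15:01 10.1.4.22 query: contoso.is-a-chef.com. A",
    "2009-10-02T09:15:03 10.1.4.22 query: www.microsoft.com. A",
    "2009-10-02T09:16:10 10.1.9.7 query: backup.selfip.com. A",
    "2009-10-02T09:16:11 10.1.9.7 query: mail.contoso.com. MX",
    "garbage line that should be skipped",
]


def build_zw_packet(marker_present: bool = True) -> bytes:
    """Construct a synthetic 0x60-byte payload, optionally with the marker at 0x42."""
    body = bytearray(b"\x00" * 0x60)
    if marker_present:
        body[ZW_OFFSET:ZW_OFFSET + len(ZW_MARKER)] = ZW_MARKER
    return bytes(body)


if __name__ == "__main__":
    for client, names in suspicious_dns_clients(SAMPLE_DNS_LOG).items():
        print(f"ALERT dyndns lookup from {client}: {', '.join(names)}")
    print("ZW marker present:", is_zw_packet(build_zw_packet()))
    print("ZW marker absent: ", is_zw_packet(build_zw_packet(False)))
```

The domain check is suffix-based so that any host registered under one of the listed parents is caught, not only the four names on the slide; the packet check deliberately treats payloads too short to reach offset 0x46 as clean instead of raising, which is the behaviour you want when the monitor sees truncated captures.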
Initial Response
• Establish incident response organization
• Establish separate communication channels
• Assess the extent of compromise
• Assess the vulnerability of the environment
• Define remediation plans
Remediation Plans
• Anti-malware
• Verify admins
• Disable LM
• Reset credentials
• Outbound monitoring
• Assess environment
• Code reviews

Remediation effort (timeline chart with three lanes: current environment, new environment, migrate crown jewels)
• Short term (<90 days): “Raising the bar”
• Mid term (<18 months): “Securing the crown jewels”
• Long term (<36 months): “Back to normal”
Activities along the timeline:
• Design and build new environment
• Migration strategy
• Migrate critical systems
• Secure Development Lifecycle
• Migrate remaining assets
• Decide on old environment (zoo/graveyard)
Assessment Findings
• Application security code reviews
• ADRAP / AD Security Assessment
• PKI Security Assessment
• Asset management
• Crown jewels
• Internet access points
• Extranet systems
• Etc, etc
In short: environment not defensible

Finding | Value
Many Admins | 75%
Admins with "Password Never Expires" | 91%
LAN Manager Hash enabled | 75%
Group Policies not used to enforce security | 61%
No documented disaster recovery plan | 50%
Backups not secured | 53%
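One way to check a single environment for two of the findings above, "Many Admins" and admins with "Password Never Expires", as an added example that is not part of the deck and not a Microsoft assessment tool: it consumes an account export whose shape (sAMAccountName, memberOf, userAccountControl) is an assumption about how such an export might look, uses the documented userAccountControl flag values, and the admin group list, thresholds and sample accounts are constructed for illustration.

```python
"""Check an AD account export for two of the assessment findings on the slide.

Added example, not from the deck or any Microsoft tool. The export shape
(list of dicts) is assumed; UF_* values are the documented ADS_USER_FLAG bits.
"""
from dataclasses import dataclass

UF_ACCOUNTDISABLE = 0x0002        # account is disabled
UF_NORMAL_ACCOUNT = 0x0200        # ordinary user account
UF_DONT_EXPIRE_PASSWD = 0x10000   # the "Password never expires" checkbox

# Built-in groups whose members count as admins here (assumed scope for the metric).
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}


@dataclass
class Finding:
    name: str
    numerator: int
    denominator: int
    threshold_pct: float  # flag when the percentage reaches this (assumed threshold)

    @property
    def pct(self) -> float:
        # Empty populations yield 0% rather than a ZeroDivisionError.
        return 0.0 if self.denominator == 0 else 100.0 * self.numerator / self.denominator

    @property
    def flagged(self) -> bool:
        return self.pct >= self.threshold_pct


def _is_enabled(acct) -> bool:
    return not (acct["userAccountControl"] & UF_ACCOUNTDISABLE)


def _is_admin(acct) -> bool:
    return any(g in ADMIN_GROUPS for g in acct.get("memberOf", ()))


def assess_accounts(accounts, admin_ratio_threshold=5.0, never_expires_threshold=10.0):
    """Return the two account-related findings, computed over enabled accounts only.

    Disabled accounts are excluded so a graveyard of old admins does not
    inflate the numbers; the thresholds are illustrative, not from the slide.
    """
    enabled = [a for a in accounts if _is_enabled(a)]
    admins = [a for a in enabled if _is_admin(a)]
    never_expire = [a for a in admins if a["userAccountControl"] & UF_DONT_EXPIRE_PASSWD]
    return [
        Finding("Many Admins", len(admins), len(enabled), admin_ratio_threshold),
        Finding('Admins with "Password Never Expires"', len(never_expire), len(admins),
                never_expires_threshold),
    ]


# Constructed sample export (not real data).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "memberOf": ["Domain Admins"],
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD},
    {"sAMAccountName": "bob", "memberOf": ["Domain Admins"],
     "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "svc-backup", "memberOf": ["Administrators"],
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD},
    {"sAMAccountName": "old-admin", "memberOf": ["Enterprise Admins"],  # disabled, ignored
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_ACCOUNTDISABLE},
    {"sAMAccountName": "carol", "memberOf": ["Domain Users"], "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "dave", "memberOf": ["Domain Users"], "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "erin", "memberOf": ["Domain Users"],
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD},
]


if __name__ == "__main__":
    for f in assess_accounts(SAMPLE_ACCOUNTS):
        status = "FLAGGED" if f.flagged else "ok"
        print(f"{f.name}: {f.numerator}/{f.denominator} = {f.pct:.1f}% [{status}]")
```

On the constructed sample, three of six enabled accounts are admins (50%) and two of those three admins have non-expiring passwords (66.7%), so both findings are flagged; non-admin users with "Password never expires" (erin) are not counted, matching the wording of the slide's second finding.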
Where Are We Now @Contoso? Good
• Management (finally) understands risk
• More insight into environment than ever
• Structural improvement plans starting up
• Trusted advisor
Where Are We Now @Contoso? Bad
• Sloooowwww remediation
• Decreased sense of urgency
• Wishful denial
Where Are We Now @Contoso? Ugly
In short…
• This thing is real
• Be alert
• Don’t assume anything
• Don’t underestimate the power of wishful denial
• We can help
• Help our customers raise the bar
Session Takeaways
• The IT (security) landscape has changed dramatically
• Resistance is futile?
• Know thy self, know thy enemy
Related Content
Breakout Sessions/Chalk Talks:
• SIP213 High Security Admin Desktop (New MCS Cybersecurity Solution)
• SIP216 Threat Landscape and the Measurement of Antimalware Protection Technologies
• SIP303 Combating Cyber Threats: Doing Incident Response for Customers
• SIP319 Malware Hunting with Mark Russinovich and the Sysinternals Tools
• SIPCT305 Good, Bad, Ugly: Malware in the Real World and Fighting it with Data Analysis
• SIP338 High Security Web Access (New MCS Cybersecurity Solution)
Additional content:
• TR12: Advanced Persistent Threat (APT): Real-World Examples and How to Fight (SIP337)
• WP: Rethinking the Cyber Threat - A Framework and Path Forward (Scott Charney)
More Related Stuff
• Managing cyber risk in the face of sophisticated adversaries
• Microsoft ACE team services on ISRM portal
• Beating the APT, ghetto style (Maarten Van Horenbeeck)
• Your blind trust in the Internet (John Howie)
• Infrastructure Planning and Design Guide for Malware Response
• Damballa
• Mandiant
“Automation applied to an efficient operation will magnify the efficiency… automation applied to an inefficient operation will magnify the inefficiency”
- Bill Gates
Feedback
Your opinion is very important to us. Please rate the session, fill in the questionnaire and hand it in as you leave the hall.
Thank you!
Questions
You can ask the speakers questions in the “Ask the Expert” area for an hour after the end of this session.