APTs – Playing Defense
The New Era of Cyber Security University of Piraeus
8/12/2014
Christos Ventouris, cventouris@isc2-chapter.gr, @clechuck
• Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target’s posture.
• Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives.
• Threat means the adversary is not a piece of mindless code. This point is crucial. Some people throw around the term “threat” with reference to malware. If malware had no human attached to it (someone to control the victim, read the stolen data, etc.), then most malware would be of little worry (as long as it didn’t degrade or deny data). Rather, the adversary here is a threat because it is organized and funded and motivated. Some people speak of multiple “groups” consisting of dedicated “crews” with various missions.
Targeted Attack Campaigns (2011 / 2012 / 2013)
Email per Campaign: 122 / 78 / 29
Recipients per Campaign: 61 / 111 / 23
Campaigns: 165 / 408 / 779
Duration of Campaign: 4 days / 3 days / 8.3 days
Establish a Backdoor into the Network
• Attempt to obtain domain administrative credentials . . . Transfer the credentials out of the network
• The attackers then established a stronger foothold in the environment by moving laterally through the network and installing multiple backdoors with different configurations.
• The malware is installed with system level privileges through the use of process injection, registry modification or scheduled services.
• Malware characteristics:
  – Malware is continually updated
  – Malware uses encryption and obfuscation techniques on its network traffic
  – The attackers’ malware uses built-in Microsoft libraries
  – The attackers’ malware uses legitimate user credentials so they can better blend in with typical user activity
  – Do not listen for inbound connections
“Utilities”
• Programs’ functionality includes:
  – Installing backdoors
  – Dumping passwords
  – Obtaining email from servers
  – Listing running processes
  – Tunnelling connections via trusted systems and staying low (see Beacon)
• More Malware Characteristics:
  – Only a small % detected by security software
  – Utilize spoofed or stolen SSL certificates (e.g. Microsoft, Yahoo)
  – Most NOT packed
  – Common file names (e.g. svchost.exe, iexplore.exe)
Capture
• Long-term occupancy
  – Longest known span was 660 days
  – Average detection span is 150 days
• Control
  – Maintain control of industrial systems or business related hardware.
Methods of exfiltration
• Encrypting prior to exfiltration
  – Defeat DLP network monitoring
• Webmail
• SSL via victim’s proxy
• Abuse of other protocols
  – DNS
  – ICMP
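Exfiltration over DNS leaves a recognisable shape in resolver logs: many unique, long, random-looking subdomains under one base domain. The detector below is an added example (not part of the original deck or of any product it mentions); it runs over a constructed query log in an assumed "time client qname" format and flags base domains whose subdomains are numerous, long and high-entropy.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not real data): "time client qname".
SAMPLE_DNS_LOG = """\
10:00:01 10.1.2.15 www.example.com
10:00:02 10.1.2.15 mail.example.com
10:00:03 10.1.2.15 4f6b2c9e1a.d2f8b1.t.evil-tunnel.example
10:00:04 10.1.2.15 9a0c7e3b5d.e81c44.t.evil-tunnel.example
10:00:05 10.1.2.15 1c8d4a2f7b.0a9e37.t.evil-tunnel.example
10:00:06 10.1.2.15 b3e5f7a9c1.7d2c60.t.evil-tunnel.example
10:00:07 10.1.2.15 cdn.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; hex/base32-encoded payload labels score well above 3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (base_domain, subdomain); the last two labels are taken as the base.
    Assumption: no public-suffix handling (co.uk etc.) in this example."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return qname, ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def find_tunnel_candidates(log_text, min_queries=3, min_avg_len=12, min_entropy=3.0):
    """Group queries per base domain and flag the ones whose unique subdomains
    are numerous, long and high-entropy: the shape DNS exfiltration produces."""
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        base, sub = split_qname(parts[2])
        if sub:
            per_domain[base].append(sub)
    flagged = {}
    for base, subs in per_domain.items():
        unique = set(subs)
        avg_len = sum(len(s) for s in unique) / len(unique)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in unique) / len(unique)
        if len(unique) >= min_queries and avg_len >= min_avg_len and avg_ent >= min_entropy:
            flagged[base] = {"queries": len(subs), "avg_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2)}
    return flagged
```

Thresholds are starting points; tune them against a baseline of your own resolver traffic, since CDN and anti-spam lookups also produce long labels.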
Tools Used
Some of these tools are custom built by the APT group, while others are publicly available.
• Shell Creator 2 – A custom built tool used to check connections to their staging server, ensuring that the members are utilizing proxy connections by rejecting any connection attempts made in Iran.
• Net Crawler – A worm-like malware used to gather cached credentials in a Windows network.
• TinyZBot – A custom built bot with varying functionalities. This tool is the primary weapon of choice for this group.
• PrivEsc – A copy of another tool named “KiTrap0D” exploit which was released publicly. This tool utilizes the vulnerability MS10-015 to achieve privilege escalation.
• Logger Module – A key logger component of the custom built PVZ bot tool set.
• CCProxy – A publicly available proxy server for Windows.
• NMap – A publicly available tool used to map networks and for reconnaissance.
• Squid proxy – A publicly available tool that caches Internet content closer to a requestor than its original point of origin.
Attack & Incursion/Expansion
This group was observed using the publicly known compiled exploit “PrivEsc”, also known as “KiTrap0D”. This exploit leverages an already patched vulnerability in the Microsoft Windows kernel (CVE-2010-0232).
• Cached Credential Dumping – Uses ‘Mimikatz’ and ‘Windows Credential Editor’ tools to extract users’ credentials from cache.
• “ZhMimikatz” and “MimikatzWrapper” – Custom built applications to automate execution of ‘Mimikatz’ & ‘Windows Credential Editor’ and parse the result to get usable credential details.
• PsExec – Uses this tool to log on to other computers with credentials obtained from zhMimikatz and MimikatzWrapper.
• NetCrawler – Combination of PsExec and cached credential-dumping tools: first it gets credentials from the infected machine’s cache and then scans the local subnet for SMB port communication. Once another computer is identified, it copies itself to it, gathers credentials using the same method and reports results back to the source of infection. It then propagates over the network.
• MS08-067 Exploit – This is the same vulnerability used by the Conficker worm. This attack group customized the publicly available exploit for this vulnerability and incorporated it in NetCrawler.
• Jasus – Custom built application to perform ARP cache poisoning.
• Cain & Abel – Publicly available password cracking tool. This tool is used to crack the passwords that are obtained from the cached credential dumping method.
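NetCrawler’s subnet sweep for SMB is visible from the inside: one workstation suddenly contacts many neighbours on TCP/445 within seconds, including hosts that are not listening. The sliding-window detector below is an added example (not code from the deck, from Cylance or from any vendor named here); it assumes a constructed firewall log in the form "time action src dst proto dport" and counts distinct 445 targets per source inside a time window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall log (not real data): time action src dst proto dport
SAMPLE_FW_LOG = """\
2014-12-08T09:00:00 ALLOW 10.1.2.15 10.1.2.1 TCP 445
2014-12-08T09:00:01 ALLOW 10.1.2.15 10.1.2.2 TCP 445
2014-12-08T09:00:01 DENY  10.1.2.15 10.1.2.3 TCP 445
2014-12-08T09:00:02 DENY  10.1.2.15 10.1.2.4 TCP 445
2014-12-08T09:00:02 ALLOW 10.1.2.15 10.1.2.5 TCP 445
2014-12-08T09:00:03 ALLOW 10.1.2.15 10.1.2.6 TCP 445
2014-12-08T09:00:03 ALLOW 10.1.2.15 10.1.2.6 TCP 445
2014-12-08T09:00:05 ALLOW 10.1.2.15 93.184.216.34 TCP 443
2014-12-08T09:00:30 ALLOW 10.1.2.40 10.1.2.7 TCP 445
2014-12-08T09:15:00 ALLOW 10.1.2.40 10.1.2.8 TCP 445
"""


def parse_fw_log(text):
    """Parse the assumed six-field format into (time, action, src, dst, proto, dport)."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, action, src, dst, proto, dport = parts
        events.append((datetime.fromisoformat(ts), action, src, dst, proto, int(dport)))
    return events


def detect_smb_sweeps(events, window_seconds=60, min_targets=5):
    """Flag sources that touch at least min_targets distinct hosts on TCP/445
    inside any window_seconds-long window. DENY lines count too: a worm
    sweeping a subnet also hits hosts that have no SMB listener."""
    by_src = defaultdict(list)
    for ts, _action, src, dst, proto, dport in events:
        if proto == "TCP" and dport == 445:
            by_src[src].append((ts, dst))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, hits in by_src.items():
        hits.sort()
        recent = deque()
        for ts, dst in hits:
            recent.append((ts, dst))
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            targets = {d for _, d in recent}
            if len(targets) >= min_targets:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts
```

The same logic applies to any lateral-movement port (135, 139, 3389); file servers and vulnerability scanners need an allow-list or they will trip it every day.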
Persistence
TinyZBot – It is customized malware developed in C#, which collects sensitive information such as keystrokes of infected machines and sends them to attackers. It also maintains access into the compromised network.
• Log keystrokes, monitor clipboard activity
• SMTP exfiltration, enable a SOAP-based command and control channel
• Self-updating, download and execute arbitrary code
• Capture screenshots, extract saved passwords for Internet Explorer
• Install as a service, establish persistence by shortcut in startup folder
• Provide unique malware campaign identifiers for tracking and control purposes
• FTP exfiltration
• Security software detection
• Ability to disable Avira antivirus
• Ability to modify PE resources
• Dynamic plugin structure
• Command and Control communication: TinyZbot also exfiltrates sensitive information over the SOAP protocol, which is a sub-protocol communicated via HTTP.
Exfiltration
• Anonymous FTP – Exfiltrating data through some anonymous FTP server on the internet.
• NetCat – Publicly available tool to transport information over the network between a configured server and client.
• zhCat – Customized tool to replace NetCat. This tool lets them transport information over the network in obfuscated or encrypted form.
• Plink – A utility provided in PuTTY (SSH) which is used by the attack group to forward local RDP ports over SSH.
• SMTP – Customized malware such as TinyZbot & Csext, which collects sensitive information such as keystrokes of the infected machine and sends them to attackers over email as attachments.
• SOAP – TinyZbot also exfiltrates sensitive information over the SOAP protocol, which is a sub-protocol communicated via HTTP.
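A SOAP-over-HTTP command channel like TinyZBot’s passes through the corporate proxy, and an implant that "stays low" typically polls on a timer; that regularity is what a proxy-log beacon check looks for. The detector below is an added example (not from the deck or from any tool it names); it assumes a constructed proxy log in the form "time src host method path status" and flags client/host pairs whose request gaps have a near-zero coefficient of variation.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed web proxy log (not real data): time src host method path status
SAMPLE_PROXY_LOG = """\
2014-12-08T10:00:00 10.1.2.15 update.c2-example.test POST /service.asmx 200
2014-12-08T10:00:03 10.1.2.15 www.example.com GET / 200
2014-12-08T10:05:00 10.1.2.15 update.c2-example.test POST /service.asmx 200
2014-12-08T10:05:41 10.1.2.15 www.example.com GET /news 200
2014-12-08T10:10:01 10.1.2.15 update.c2-example.test POST /service.asmx 200
2014-12-08T10:11:09 10.1.2.15 www.example.com GET /about 200
2014-12-08T10:14:59 10.1.2.15 update.c2-example.test POST /service.asmx 200
2014-12-08T10:20:00 10.1.2.15 update.c2-example.test POST /service.asmx 200
2014-12-08T10:25:00 10.1.2.15 update.c2-example.test POST /service.asmx 200
2014-12-08T10:47:12 10.1.2.15 www.example.com GET /contact 200
"""


def find_beacons(log_text, min_requests=4, max_cv=0.2):
    """Flag (client, host) pairs whose requests are evenly spaced in time.

    The coefficient of variation (stdev / mean) of the inter-request gaps is
    close to zero for a timer-driven implant and large for a person browsing,
    so a low CV over enough requests is the beacon signal.
    """
    times = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, host = parts[0], parts[1], parts[2]
        times[(src, host)].append(datetime.fromisoformat(ts))

    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[key] = {"requests": len(stamps),
                            "mean_interval_s": round(mean, 1),
                            "cv": round(cv, 3)}
    return beacons
```

Implants that add jitter raise the CV, so widen max_cv gradually and pair the result with the destination’s age and reputation rather than relying on timing alone.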
One ring to rule them all. not.
Install AV
I need DLP
Someone get me an anti-APT gateway
But… we have a firewall
I’m getting a SIEM now!
I will have more regular pentests …
I will be patching like there’s no tomorrow
Not enough anymore
Ever heard of the “gender changer” using socat?
You need a team to work with it. It’s not a fishtank.
… same way I promise my wife to put the toilet seat up the next time.
Piece of the puzzle, not the puzzle solution.
No problem. I guess you know what to protect, right?
Ever heard of red-teaming?
The Anti-AntiAPT
• Detection of virtual environment
  – NIC identifiers
  – Storage identifiers
• Delay to execute
• Run on targeted system only.
• Detect other environment characteristics.
  – IP subnet
  – Joined in a domain.
  – Does “My Documents” have files?
  – Is there a mail client with an active profile and full mailbox?
  – Previously logged in users?
A successful monitoring program requires both numerous sources of security data and the automation, personnel and services to appropriately correlate and respond to intelligence.
Signature-Based NIDS Monitoring
NIDS Monitoring with Global Intelligence
Firewall Log Association
Firewall Analysis: Scan Detection
Firewall Analysis: Anomaly Detection
Firewall Analysis: Backdoor Detection
Firewall Analysis: Botnet C&C Detection
Firewall Analysis: IP Watchlist Detection
Web Proxy Analysis
Web Application Firewall Alerts
Host IDS/IPS Alerts
OS and Application Logs Analysis
Endpoint Protection Alerts
So, you have a SIEM
One step back, see the big picture
• What do I need to protect?
  – Do I know what I need to protect?
    • Where is it?
    • How’s it been used?
  – Do I need to apply the same controls everywhere?
    • Information value vs. security control cost
  – Is my management aware and supportive?
• Preventive measures
  – What do I have in place?
  – Can I improve my security with what I have?
  – Where shall I invest first?
    • People
    • Processes
    • Technologies
    • USE THIS ORDER
One step back, see the big picture
– Assume Breach
  • How fast can I detect?
  • How fast can I respond?
– Play to learn (kids do it all the time)
  • Look out for CTFs
  • Play – organize challenges with your peers
  • Take attacker or, better, defender sides
  • You gain more with experience than with education.
Ok, I’m pulling the plug of my Datacenter
• Not yet. Start with what you have.
• People – Educate the employees
  • Many sources of information on the internet
  • Small group classes.
  • Different content per group
  • Throw a few baits here and there. Give them a safe environment to fail.
Ok, I’m pulling the plug of my Datacenter
• Not yet. Start with what you have.
• Are you utilizing 100% of your security solutions?
  – Endpoint Security is NOT AV. Enable all the capabilities.
  – Is your FW/UTM using all of its security features?
  – Can you monitor for changes in files and configurations?
    • Why should a Windows 8.1 system have Windows XP files?
    • Why have the DNS settings here?
    • Who just created a new mail rule to delete emails?
NIST Categories per Function: Identify, Protect, Detect, Respond, Recover
Identify – What are my assets, risks and business goals?
  Asset Mgmt, Business Environment, Governance, Risk Assessment, Risk Mgmt Strategy
Protect – What are my safeguards to block attackers?
  Access Control, Training, Data Security, Processes, Maintenance, Protective Technology
Detect – How do I know when a security event has happened?
  Anomalies and Events, Continuous Monitoring, Detection Processes
Respond – How do I respond to a cyber security event?
  Response Planning, Communications, Analysis, Mitigation, Improvement
Recover – How do I restore services after an event?
  Recovery Planning, Improvements, Communications
NIST Cybersecurity Framework Summary
The framework provides a consensus description of what’s needed for a comprehensive cybersecurity program, and allows organizations—regardless of size, degree of cyber risk or cybersecurity sophistication—to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure.
References
• http://www.symantec.com/content/en/us/enterprise/white_papers/b-advanced_persistent_threats_WP_21215957.en-us.pdf
• http://www.cylance.com/operation-cleaver/
• http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=istr-19
• http://azure.microsoft.com/blog/2014/11/11/red-teaming-using-cutting-edge-threat-simulation-to-harden-the-microsoft-enterprise-cloud/