
Peter Wood has worked as an ethical hacker for the past 20 years, with clients in sectors as diverse as banking, insurance, retail and manufacturing. He will describe how advanced persistent threats operate from a security intelligence perspective, based on published case studies and analysis. He will highlight APT entry points and exploitation techniques and suggest practical prevention and detection strategies.

Page 1: Security Intelligence: Advanced Persistent Threats

Security Intelligence: Advanced Persistent Threats

Peter Wood
Chief Executive Officer

First•Base Technologies LLP

An Ethical Hacker’s View

Slide 2 © First Base Technologies 2012

Who is Peter Wood?

Worked in computers & electronics since 1969

Founded First Base in 1989 (one of the first ethical hacking firms)

CEO First Base Technologies LLP
Social engineer & penetration tester
Conference speaker and security ‘expert’

Member of ISACA Security Advisory Group
Vice Chair of BCS Information Risk Management and Audit Group
UK Chair, Corporate Executive Programme

FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
Registered BCS Security Consultant
Member of ACM, ISACA, ISSA, Mensa


Security Intelligence and This Presentation

“SI is a recognition of the evolution of sophisticated adversaries, the study of that evolution, and the application of this information in an actionable way to the defence of systems, networks, and data. In short, it is threat-focused defence, or as I occasionally refer to it, intelligence-driven response.

The “intelligence” in intelligence-driven response is the information acquired about one's adversaries, or collectively the threat landscape. Each industry has a different threat landscape, and each organisation in each industry has a different risk profile, even to the same adversary.

Understanding one's threat environment is collecting actionable information on known threat actors for computer network defence, whether that action is purely detection or detection with prevention.”

Source: Mike Cloppert http://computer-forensics.sans.org/blog/


Agenda

• APT Primer

• Case Studies

• Entry Points

• Prevention and Detection


Advanced Persistent Threat (APT)

• “An advanced and normally clandestine means to gain continual, persistent intelligence on an individual, or group of individuals” [Wikipedia]

• “… a sophisticated, mercurial way that advanced attackers can break into systems, not get caught, keeping long-term access to exfiltrate data at will.” [McAfee]

• “… a sophisticated and organized cyber attack to access and steal information from compromised computers.” [MANDIANT]


Advanced, Persistent, Threat

• They combine multiple attack methodologies and tools in order to reach and compromise their target

• The attack is conducted through continuous monitoring and interaction in order to achieve the defined objectives

• It does not mean a barrage of constant attacks and malware updates - in fact, a “low-and-slow” approach is usually more successful

• There is a level of coordinated human involvement in the attack, rather than a mindless and automated piece of code

• The operators have a specific objective and are skilled, motivated, organized and well funded


The Aurora attack http://threatpost.com/


The Aurora attack

If you have done or been around any high-level incident response, you would know that these advanced persistent threats have been going on in various sectors for years. Nor is it a new development that the attackers used an 0day client-side exploit along with targeted social engineering as their initial access vector. What is brand new is the fact that a number of large companies have voluntarily gone public with the fact that they were victims to a targeted attack. And this is the most important lesson: targeted attacks do exist and happen to a number of industries besides the usual ones like credit card processors and e-commerce shops.

Dino Dai Zovi

http://trailofbits.com/2010/01/24/one-exploit-should-not-ruin-your-day/

http://blogs.rsa.com/rivner/anatomy-of-an-attack/


The RSA attack

1. Research public information about employees
2. Select low-value targets
3. Spear phishing email “2011 Recruitment Plan” with .xls attachment
4. Spreadsheet contains 0day exploit that installs backdoor through Flash vulnerability (backdoor is a Poison Ivy variant RAT, reverse-connected)
5. Digital shoulder surf & harvest credentials
6. Performed privilege escalation
7. Target and compromise high-value accounts
8. Copy data from target servers
9. Move data to staging servers and aggregate, compress and encrypt it
10. FTP to external staging server at compromised hosting site
11. Finally pull data from hosted server and remove traces
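As an added illustration of steps 8 to 10 (not from the RSA brief or from this talk), the following Python shows how a defender might spot the staging-and-exfiltration pattern in network flow records: several internal servers feeding one host, which then pushes a large FTP transfer to an external address. The flow records, the thresholds and the 10.0.0.0/8 internal range are constructed assumptions for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records (src, dst, dst_port, bytes) modelled on steps 8-10 of
# the chain: several servers push data to one internal staging host, which then
# sends one large FTP transfer to an external address. Not real RSA data.
FLOWS = [
    ("10.1.1.20", "10.1.5.50", 445, 400_000_000),    # file server -> staging host
    ("10.1.1.21", "10.1.5.50", 445, 350_000_000),
    ("10.1.1.22", "10.1.5.50", 445, 300_000_000),
    ("10.1.5.50", "203.0.113.7", 21, 900_000_000),   # staging host -> external FTP
    ("10.1.1.20", "10.1.1.99", 445, 20_000_000),     # ordinary internal copy
    ("10.1.1.99", "198.51.100.9", 443, 5_000_000),   # ordinary HTTPS browsing
]

INTERNAL_NET = ip_network("10.0.0.0/8")   # assumption: the organisation's address space
FTP_PORTS = {20, 21}
MIN_SOURCES = 3             # internal hosts that must feed one candidate staging host
MIN_BYTES_IN = 500_000_000  # aggregated inbound volume before we call it "staging"
MIN_BYTES_OUT = 100_000_000

def is_internal(ip):
    return ip_address(ip) in INTERNAL_NET

def find_staging_and_exfil(flows):
    """Return one alert per internal host that both aggregates data from several
    internal sources and then sends a large FTP transfer outside the network."""
    sources = defaultdict(set)
    bytes_in = defaultdict(int)
    ftp_out = defaultdict(int)
    for src, dst, port, nbytes in flows:
        if is_internal(src) and is_internal(dst):
            sources[dst].add(src)
            bytes_in[dst] += nbytes
        elif is_internal(src) and port in FTP_PORTS:   # dst is external here
            ftp_out[src] += nbytes
    alerts = []
    for host, out in ftp_out.items():
        if (out >= MIN_BYTES_OUT and len(sources[host]) >= MIN_SOURCES
                and bytes_in[host] >= MIN_BYTES_IN):
            alerts.append({"staging_host": host, "sources": sorted(sources[host]),
                           "bytes_in": bytes_in[host], "ftp_bytes_out": out})
    return alerts

if __name__ == "__main__":
    for alert in find_staging_and_exfil(FLOWS):
        print(alert)
```

The same shape applies to any outbound protocol the attacker might substitute for FTP; only the port set changes.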


RSA Security Brief, February 2012


Entry Points


Identifying ‘The Mark’


Social Networking


Facebook Scams


Document MetaData Harvesting


Infosecurity Europe 2012 Experiment

• Open WiFi on a laptop on our stand

• Network name: ‘Infosec free wifi’

• Fake AP using airbase-ng on BackTrack

• In one day we collected 86 unique devices


Wireless Eavesdropping

Packet sniffing unprotected WiFi can reveal:

• logons and passwords for unencrypted sites

• all plain-text traffic (e-mails, web browsing, file transfers)


Firesheep Capturing


Firesheep: Game Over


Telephone Social Engineering

Sometimes all they have to do is call up and ask!


Information Leakage

Exposure of:

• Corporate hierarchy

• E-mail addresses

• Phone numbers

• Technical infrastructure

• Business plans

• Sensitive information

• Passwords!


Spear Phishing


Phishing Emails


Privilege Escalation


Password ‘Quality’

http://iqsecur.blogspot.ca/2012/04/analysis-of-leaked-militarysinglesorg.html


Case study: Windows Administrator Passwords

Global organisation:

• 67 Administrator accounts

• 43 simple passwords (64%)

• 15 were “password” (22%)

• Some examples we found: admin5, crystal, finance, friday, macadmin, monkey, orange, password, password1, prague, pudding, rocky4, security, security1, sparkle, webadmin, yellow


Case study: Password Crack

• 26,310 passwords from a Windows domain

• 11,279 (42.9%) cracked in 2½ minutes

• It’s not a challenge!


Password Issues

• Passwords based on dictionary words and names

• Service accounts with simple/stupid passwords

• Other easy-to-guess passwords

• Little or no use of passphrases

• Password policies not tailored to specific environments (e.g. Windows LM hash problem)

• Old fashioned rules no longer apply (rainbow tables, parallel cracking, video processors)

• Just general ignorance and apathy?

• One password to rule them all …
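The following Python, added here and not part of the talk, audits a password list against the weaknesses listed above and on the slide 34 case study, using that slide's administrator passwords as sample input. The mini wordlist, the 16-character passphrase threshold and the regular expression for a word with a digit tail are assumptions made for the example; the 14-character LM limit is how Windows actually behaves.

```python
import re

# Constructed mini wordlist standing in for a real dictionary/name list (assumption:
# the talk does not say which list was used against the 26,310-password domain).
WORDLIST = {"admin", "crystal", "finance", "friday", "mac", "monkey", "orange",
            "password", "prague", "pudding", "rocky", "security", "sparkle",
            "web", "yellow"}
LM_MAX_LEN = 14        # Windows keeps an LM hash only for passwords of 14 chars or fewer
PASSPHRASE_MIN = 16    # assumption: what this example treats as passphrase length

# The administrator passwords quoted on the slide 34 case study, used as sample input.
SLIDE_34_EXAMPLES = ["admin5", "crystal", "finance", "friday", "macadmin", "monkey",
                     "orange", "password", "password1", "prague", "pudding", "rocky4",
                     "security", "security1", "sparkle", "webadmin", "yellow"]

def is_dictionary_based(word):
    """True for a wordlist entry or two entries run together (macadmin, webadmin)."""
    word = word.lower()
    return word in WORDLIST or any(word[:i] in WORDLIST and word[i:] in WORDLIST
                                   for i in range(1, len(word)))

def classify(password):
    """Map one password onto the weaknesses listed on the 'Password Issues' slide."""
    issues = []
    m = re.fullmatch(r"([A-Za-z]+)(\d{0,4})", password)   # letters + optional digit tail
    if m and is_dictionary_based(m.group(1)):
        issues.append("dictionary word" + (" + digit suffix" if m.group(2) else ""))
    if password.lower().startswith("password"):
        issues.append("literal 'password'")
    if len(password) <= LM_MAX_LEN:
        issues.append("LM-hashable: case-folded, cracked as two 7-char halves")
    if len(password) < PASSPHRASE_MIN:
        issues.append("too short to be a passphrase")
    return issues

def audit(passwords):
    """Summarise a dump the way the case study slide does."""
    results = [classify(p) for p in passwords]
    simple = sum(1 for r in results if any(i.startswith("dictionary") for i in r))
    literal = sum(1 for r in results if "literal 'password'" in r)
    return {"total": len(passwords), "simple": simple,
            "simple_pct": round(100 * simple / len(passwords)),
            "literal_password": literal,
            "reused": len(passwords) - len(set(passwords))}  # "one password to rule them all"

if __name__ == "__main__":
    for pw in SLIDE_34_EXAMPLES:
        print(f"{pw:12} {classify(pw)}")
    print(audit(SLIDE_34_EXAMPLES))
```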


Identifying “The Mark”: Social Networking

• Don’t reveal personal or sensitive information in social networking sites or blogs

• Set the privacy options in social networking sites

• Don’t discuss confidential information online

• Don’t ‘friend’ people you don’t know

Remember – what goes on the Internet, stays on the Internet!


Identifying “The Mark”: Telephone Social Engineering

• If you receive a suspicious phone call, hang up and call back on a number you know is legitimate

• Never reveal personal or sensitive information in response to a phone call unless you have verified the caller

• Don’t answer questions about your organisation or colleagues unless it’s your job to do so

• Report any phone calls that you suspect might be social engineering attacks


Identifying “The Mark”: Public and Open WiFi

• Remember: open and WEP-encrypted WiFi networks are visible to almost anyone

• Never use public WiFi for sensitive information

• Don’t use the same password for web sites and for corporate systems

• Make sure your email connections are encrypted


Spear Phishing

• Never reveal personal or sensitive information in response to an email, no matter who appears to have sent it

• If you receive an email that appears suspicious, call the person or organisation in the ‘From’ field before you respond or open any attached files

• Never click links in an email message that requests personal or sensitive information. Enter the web address into your browser instead

• Report any email that you suspect might be a spear phishing campaign within your company


Privilege Escalation

• Don’t use passwords based on dictionary words and names

• Use complex passphrases for service accounts

• Tailor password policies to specific environments (e.g. Windows vs. web sites)

• Remember: old fashioned rules no longer apply (rainbow tables, parallel cracking, video processors)

• Never re-use passwords: “one password to rule them all …”


Think Like an Attacker!

Hacking is a way of thinking:

- A hacker is someone who thinks outside the box

- It's someone who discards conventional wisdom, and does something else instead

- It's someone who looks at the edge and wonders what's beyond

- It's someone who sees a set of rules and wonders what happens if you don't follow them

[Bruce Schneier]

Hacking applies to all aspects of life - not just computers


The Human Firewall

The money you spent on security products, patching systems and conducting audits could be wasted if you don’t prevent social engineering attacks …

Invest in

Marketing security awareness

and

Intelligent, practical policies

Peter Wood
Chief Executive Officer

First•Base Technologies LLP

[email protected]

http://firstbase.co.uk
http://white-hats.co.uk
http://peterwood.com

Blog: fpws.blogspot.com
Twitter: peterwoodx

Need more information?