Targeted & Persistent Attacks in EU
The need for coordination and information sharing between EU member states
Eoghan Casey, CASEITE & DFLabs


Targeted & Persistent Attacks in EU: The need for coordination and information sharing between EU member states. This is the recent speech given by Eoghan Casey, CASEITE & DFLabs, at the annual ENFSI Conference in Rome.


Page 1: Targeted & Persistent Attacks in EU

The need for coordination and information sharing between EU member states

Eoghan Casey, CASEITE & DFLabs

Page 2: Targeted & Persistent Attacks in EU

Attack against RSA - http://blogs.rsa.com/rivner/anatomy-of-an-attack/

2012 Copyright Eoghan Casey and CASEITE. All rights reserved.

Page 3: Targeted & Persistent Attacks in EU

Large-scale credit card robbery

Initial intrusion into regional office

Weak internal security
    Servers with well known vulnerabilities
    Unrestricted access to central servers

Weak egress filtering
    File transfer permitted from central servers to Internet

Weak system monitoring
    Intruder created account on central server
    Installed sniffer on server
    Sniffer and file transfer log files created on server

Weak network monitoring
    Network level logs recorded file transfers
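The slide notes that the network-level logs had actually recorded the file transfers from the central servers to the Internet; nobody was looking. The following is an added example, not part of the presentation, of the kind of egress check that would have surfaced those records. It assumes a hypothetical flow-log format (timestamp, source, source port, destination, destination port, protocol, bytes out), an assumed set of "central server" addresses and assumed internal address ranges; the log lines are constructed for the example.

```python
"""Flag file transfers from central servers to the Internet in flow logs.

Added example (not from the slide deck). Assumes a hypothetical log line format:
    timestamp src_ip src_port dst_ip dst_port proto bytes_out
"""
import ipaddress
from typing import Dict, Iterable, List

# Assumed addresses of the "central servers" from the case study.
CENTRAL_SERVERS = {"10.0.5.10", "10.0.5.11"}

# Assumed internal ranges; anything outside them is treated as "the Internet".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports commonly used for bulk file transfer (FTP, SSH/SCP, TFTP, SMB, rsync).
FILE_TRANSFER_PORTS = {20, 21, 22, 69, 445, 873}

# Outbound volume from a central server above this is suspicious on any port,
# because attackers blend in with normal traffic (e.g. tunnel over 443).
LARGE_TRANSFER_BYTES = 50 * 1024 * 1024


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> Dict:
    ts, src, sport, dst, dport, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto, "bytes": int(nbytes)}


def flag_egress(lines: Iterable[str]) -> List[Dict]:
    """Return flow records where a central server sent data to the Internet
    on a file-transfer port or in suspiciously large volume."""
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = parse_flow(line)
        # Only central-server -> external flows matter for this check.
        if f["src"] not in CENTRAL_SERVERS or is_internal(f["dst"]):
            continue
        reasons = []
        if f["dport"] in FILE_TRANSFER_PORTS:
            reasons.append("file-transfer port")
        if f["bytes"] >= LARGE_TRANSFER_BYTES:
            reasons.append("large outbound transfer")
        if reasons:
            alerts.append({**f, "reasons": reasons})
    return alerts


# Constructed sample records: one FTP bulk transfer from a central server,
# one internal SMB copy, one ordinary workstation HTTPS session, and one
# large HTTPS upload from a central server at night.
SAMPLE_FLOWS = """\
# constructed sample flow log
2012-03-01T02:14:07Z 10.0.5.10 51022 203.0.113.45 21 tcp 734003200
2012-03-01T02:15:30Z 10.0.5.10 51040 10.0.1.20 445 tcp 1048576
2012-03-01T09:00:01Z 10.0.7.33 40001 198.51.100.9 443 tcp 20480
2012-03-01T23:41:12Z 10.0.5.11 60233 198.51.100.77 443 tcp 104857600
"""

if __name__ == "__main__":
    for a in flag_egress(SAMPLE_FLOWS.splitlines()):
        print(a["ts"], a["src"], "->", a["dst"], a["dport"],
              "(" + ", ".join(a["reasons"]) + ")")
```

The two flagged records are the FTP transfer and the large HTTPS upload; the internal SMB copy and the workstation session pass. The same filter expressed as a firewall egress rule (deny central servers to non-internal destinations except on explicitly allowed ports) is the "egress filtering" the slide says was missing.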

Page 4: Targeted & Persistent Attacks in EU

Coordinated Linux intrusions

Attacker's modus operandi
    Repository of stolen SSH credentials
    Privilege escalation
    LKM rootkits & tricky backdoor
    Trojanized SSH daemon
    Resilient C2 and exfiltration
    Destroy digital evidence

Page 5: Targeted & Persistent Attacks in EU

Common mistakes

1) Underestimating the adversary
    Too quick to containment

2) Lack of evidence
    No centralized logging infrastructure

3) Improper evidence handling
    Update antivirus and scan compromised systems

Page 6: Targeted & Persistent Attacks in EU

Know the adversary

Initial intrusions not necessarily sophisticated
    Spear phishing or vulnerable servers

Once inside, they spread virulently
    Inside-out attacks circumvent egress filtering

Undermine security monitoring
    File system tampering
    Multiple malware versions with custom packing
    Blend in with normal traffic
    Encrypt command, control and exfiltration

Page 7: Targeted & Persistent Attacks in EU

Quick containment?

Current recommendation:

"When an incident has been detected and analyzed, it is important to contain it before the spread of the incident overwhelms resources or the damage increases. Most incidents require containment, so it is important to consider it early in the course of handling each incident." - NIST SP 800-61 Rev. 1, page 3-19

Page 8: Targeted & Persistent Attacks in EU

Managing a data breach effectively

Page 9: Targeted & Persistent Attacks in EU

Effective eradication of intruders

Page 10: Targeted & Persistent Attacks in EU

Cross-border information sharing

Same attackers targeting all EU member states > Consolidate adversary knowledge

Trust between government and industry
    Confidentiality agreements

The more information there is to examine, the better

Sanitize what is shared to protect victims

Page 11: Targeted & Persistent Attacks in EU

Information exchange standards

STIX: Structured Threat Information eXpression

STIX Whitepaper - makingsecuritymeasurable.mitre.org/docs/STIX-Whitepaper.pdf
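Pages 10 and 11 together say: share what you know about the adversary, in a standard format, but sanitize it so the victim is not exposed. The following is an added example, not code from the presentation, DFLabs or MITRE, that does both for a small constructed incident record. It emits STIX in the 2.1 JSON serialization (a later revision than the STIX 1.x whitepaper the slide cites; the object model is the same idea) and strips the victim-identifying fields before anything is serialized. The record layout, the field names treated as victim data, the producer name and the indicator values are all assumptions for the example; the hash is a placeholder.

```python
"""Build a sanitized STIX 2.1 bundle from an internal incident record.

Added example (not from the slide deck). Standard library only. The record
schema, VICTIM_FIELDS and all indicator values are assumed for illustration.
"""
import json
import uuid
from datetime import datetime, timezone
from typing import Dict, List

# Fields of the (hypothetical) internal record that identify the victim and
# must never leave the organisation in a shared report.
VICTIM_FIELDS = {"victim_org", "affected_hosts", "internal_ips"}


def _now() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def _stix_id(kind: str) -> str:
    return f"{kind}--{uuid.uuid4()}"


def sanitize_record(record: Dict) -> Dict:
    """Copy of the record with every victim-identifying field removed."""
    return {k: v for k, v in record.items() if k not in VICTIM_FIELDS}


def _indicator(name: str, pattern: str, identity_id: str, ts: str) -> Dict:
    return {
        "type": "indicator", "spec_version": "2.1", "id": _stix_id("indicator"),
        "created": ts, "modified": ts, "created_by_ref": identity_id,
        "name": name, "indicator_types": ["malicious-activity"],
        "pattern": pattern, "pattern_type": "stix", "valid_from": ts,
    }


def to_stix_bundle(record: Dict, producer_name: str) -> Dict:
    """Convert the adversary-related parts of a record into a STIX 2.1 bundle:
    one identity object for the producer plus one indicator per IoC."""
    clean = sanitize_record(record)
    ts = _now()
    identity_id = _stix_id("identity")
    objects: List[Dict] = [{
        "type": "identity", "spec_version": "2.1", "id": identity_id,
        "created": ts, "modified": ts, "name": producer_name,
        "identity_class": "organization",
    }]
    for sha256 in clean.get("malware_sha256", []):
        objects.append(_indicator("Malware sample observed in campaign",
                                  f"[file:hashes.'SHA-256' = '{sha256}']",
                                  identity_id, ts))
    for ip in clean.get("c2_ips", []):
        objects.append(_indicator("Command-and-control server",
                                  f"[ipv4-addr:value = '{ip}']",
                                  identity_id, ts))
    return {"type": "bundle", "id": _stix_id("bundle"), "objects": objects}


def leaks_victim_data(bundle: Dict, record: Dict) -> bool:
    """Final check before release: does any victim field value appear anywhere
    in the serialized bundle (including free-text fields)?"""
    text = json.dumps(bundle)
    for field in VICTIM_FIELDS:
        values = record.get(field, [])
        values = values if isinstance(values, list) else [values]
        if any(str(v) in text for v in values):
            return True
    return False


# Constructed incident record; victim details are placeholders.
INCIDENT = {
    "victim_org": "Example Regional Bank",
    "affected_hosts": ["fileserver01.corp.example"],
    "internal_ips": ["10.0.5.10"],
    "malware_sha256": ["00" * 32],  # placeholder hash, not a real sample
    "c2_ips": ["198.51.100.77"],   # constructed C2 address
    "campaign_note": "SSH credential reuse, LKM rootkit, encrypted exfiltration",
}

if __name__ == "__main__":
    bundle = to_stix_bundle(INCIDENT, "Example EU CERT")
    assert not leaks_victim_data(bundle, INCIDENT)
    print(json.dumps(bundle, indent=2))
```

The release check is deliberately separate from the sanitizer: a field allow-list catches the structured data, but a host name pasted into a free-text description would slip past it, so the last step scans the whole serialized document for every victim value before it is handed to a partner.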

Page 12: Targeted & Persistent Attacks in EU

Get in touch

Eoghan Casey
DFLabs Business Partner, Risk Prevention and Response Co-manager
[email protected]
www.dflabs.com