Threat Intel Sharing: Deciphering the APTs secret handshakes. Adam Lange & Mark Manglicmot (Senior Consultant at Delta Risk LLC; CISM, GCIA, GSEC, GCIH, CEH, Sec+). PowerPoint PPT Presentation.
Threat Intel Sharing: Deciphering the APTs secret handshakes
Adam Lange, Mark Manglicmot
Adam Lange & Mark Manglicmot
• Senior Consultant at Delta Risk LLC
• CISM, GCIA, GSEC, GCIH, CEH, Sec+
• Advanced threat consulting & counter-APT team building for Fortune 500s, federal government, and allied governments
• Senior Consultant in Ernst & Young's Advanced Security Center
• CISSP, GCIH, CEH, Sec+
• Advanced threat, Incident Response, & SOC consulting
@MGManglicmot @LangeSecurity
The Data Doesn't lie!
Past habits can help predict future behavior
By analyzing data trends over time, Target could tell a 15-year-old girl was pregnant before her family knew
The Problems Defenders Face
Advanced adversaries evolve faster than we can
There is no delineation between routine incidents and incidents that may be APT activity
Industry improvements are being made all the time and integration into government operations tends to lag behind
We don’t have all the processes, tools and understanding to take on APT actors
Demystifying Threat Intel
Everyone has it!
The Role of Intel
Major driver to catch the top tier of threat: Detection, Prevention, Response
Types of Intel: Behavioral, Indicators
APT is bad stuff
APT makes up 20% of workload; 80% is "garbage". What is the difference? There is no "APT differentiation analyst".
APT targets industries whose intellectual property provides a strategic advantage for the attacker
Intelligence on APT actors comes from three major areas: internally derived, commercially purchased, sharing partners
A Quick Look at the Adversaries
APT: Strategic gains
Cyber Crime: Financial gains
Hacktivists: Sociopolitical gains
Script kiddies, college kids, others: Thrill of the exploit, learning the system, generic mayhem
Top 20% (High impact): The good news is that because they tend to repeat attacks with recycled tactics, organizations can trend their behavior over time
Bottom 80% (Lower impact): They don't trend well, so mitigate and move on
Sophistication vs Intel
[Chart: x axis Defense Sophistication; y axis Attacker Knowledge and Technology, LOW to HIGH.]
Defensive technologies plotted: Patching; Firewalls; IDS/IPS; Network Traffic Analysis; Honeynets; High Quality Forensics and Incident Reporting; DDoS Mitigation; Deception Operations; Behavior/Event Capture/Analysis; HIPS.
Attack techniques plotted: Password Guessing; Password Cracking; Vulnerability Exploitation; Session Hijacking; Backdoors; Sniffers and Spoofing; Stealth and Anti-Audit Technologies; DDoS and Distributed Attack Tools; Advanced Scanning Tools; Binary Encryption.
Chart captions: MOST OF THESE ATTACKS CAN BE IDENTIFIED USING TRADITIONAL RULE-BASED TECHNOLOGIES. THESE ATTACKS REQUIRE MORE SOPHISTICATED, BEHAVIORAL, EVENT, AND INFORMATION BASED TOOLS TO DETECT.
No intel – Actors have OPSEC
Plenty of intel – attackers talk too much
No intel – Hacks of opportunity
Lockheed Martin Perspective
This paper was published back in 2011 and was the cornerstone of many advances in the DIB.
This model and its implications can be studied in depth to understand how to counter advanced adversaries.
Mandiant: APT1
The first major civilian exposé on a state-sponsored group. It reveals APT1 TTPs and C2 infrastructure.
It provided actionable intelligence for every organization to leverage.
It is likely that APT1 is going to start over in several organizations; however, for some orgs it appears that APT1 is conducting business as usual.
NOTE: What we really liked about this report was the appendices – they contained all the TECHNICAL INDICATORS needed to actually do something about the threat.
Malware.lu, based in Luxembourg, was able to do some additional deep dives into APT1 activity.
Much of this may be illegal to do in the US. The report is worth taking a look at.
Who? What do they want? How do they attack?
Industry Competitor, Strategic Interest, Innovator, Cultural Threat
Various Ways to Model Adversaries
An Advanced Adversary Model
Full spectrum cyber operations
More targeted & tactical indicators
Ability to correlate seemingly disparate activities
Metrics and strategic trends
How most defenses work
Detection is somewhere in the middle of an attacker's operation. Defenders look for one or so indicators to stop a discrete attack, but the campaign continues.
Defensive Campaigns
Two types of Defensive Campaigning: Adversary-Based Campaign, Event-Driven Campaign
What do each of these have in common?
An event begins and ends at some point
An adversary operation begins and ends at some point
Now, I suddenly realize that the initial attack is NOT success for them, so it's not failure for me. I have TIME to do something about it…
Elements of 'Good' Intel
Tactical: Timeliness (<48 hrs), IP, FQDN, File Hash
Strategic: Trends, Vectors, Patches/Updates, Profiles
The Government
Common complaint: "It's all classified." The good news: it doesn't really matter. Look at intel from a SIGINT perspective. The government tries to share as it can.
http://en.wikipedia.org/wiki/List_of_intelligence_gathering_disciplines
Industry Methods
Collective Intelligence Framework
Sock Puppets
OpenIOC
Indicator object types listed on the slide:
Account, Address, Artifact, Code, Custom, Device, Disk, Disk Partition, DNS Cache, DNS Query, DNS Record, Email Message, File, GUI, GUI Dialogbox, GUI Window, HTTP Session, Library, Link, Linux Package, Memory, Mutex, Network Connection, Network Flow, Network Packet, Network Route, Network Route Entry, Network Subnet, PDF File, Pipe, Port, Process, Semaphore, Socket, Socket Address, System, URI, User Account, User Session, Volume, WhoIS, X509
UNIX File, UNIX Network Route Entry, UNIX Pipe, UNIX Process, UNIX User Account, UNIX Volume
Win Computer Account, Win Critical Section, Win Driver, Win Event, Win Event Log, Win Executable File, Win File, Win Handle, Win Kernel, Win Kernel Hook, Win Mailslot, Win Memory Page Region, Win Mutex, Win Network Route Entry, Win Network Share, Win Pipe, Win Prefetch, Win Process, Win Registry Key, Win Semaphore, Win Service, Win System, Win System Restore, Win Task, Win Thread, Win User Account, Win Volume, Win Waitable Timer
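To show what sharing indicators in the OpenIOC format actually means for a defender, here is an added example (not from the talk or any of the reports it cites) that parses a constructed OpenIOC 1.0 document and evaluates its AND/OR indicator tree against a dictionary of host observations keyed by OpenIOC search term; the hash, host name and process name are sample values, and the observation dictionary shape is an assumption about how a collector would report them.

```python
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed OpenIOC 1.0 document; the md5, host name and process name are sample values.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="00000000-0000-0000-0000-000000000001">
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is"><Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content></IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="contains"><Context document="DnsEntryItem" search="DnsEntryItem/Host" type="mir"/>
          <Content type="string">example.invalid</Content></IndicatorItem>
        <IndicatorItem condition="is"><Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
          <Content type="string">svchost.exe</Content></IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

# Constructed host observations keyed by OpenIOC search term (assumed collector output shape).
HOST_A = {"FileItem/Md5sum": ["D41D8CD98F00B204E9800998ECF8427E"]}

def _item_matches(item, host):
    """Evaluate one IndicatorItem: 'is' is an exact match, 'contains' a substring match."""
    cond = item.get("condition")
    search = item.find("ioc:Context", NS).get("search")
    want = item.find("ioc:Content", NS).text.lower()
    observed = [v.lower() for v in host.get(search, [])]
    if cond == "is":
        return want in observed
    if cond == "contains":
        return any(want in v for v in observed)
    raise ValueError(f"unsupported condition {cond!r}")

def _indicator_matches(node, host):
    """Recursively combine child items/indicators with the node's AND/OR operator."""
    results = []
    for child in node:
        tag = child.tag.split("}")[-1]          # strip the XML namespace
        if tag == "IndicatorItem":
            results.append(_item_matches(child, host))
        elif tag == "Indicator":
            results.append(_indicator_matches(child, host))
    return all(results) if node.get("operator") == "AND" else any(results)

def ioc_matches(ioc_xml, host):
    """True if the host observations satisfy the IOC's top-level indicator tree."""
    root = ET.fromstring(ioc_xml)
    return _indicator_matches(root.find("ioc:definition/ioc:Indicator", NS), host)
```

The nested AND branch is the point: a shared hash alone is a tactical indicator that ages quickly, while the DNS-plus-process combination describes behaviour that survives a change of binary.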
How reliable is it? Analysis of Competing Hypotheses
Intel & SOC/CERT Integration
[Diagram elements: Threat Intel, RTA, Investigation, Digital Forensics, ATA, Countermeasures.]
Learning & sharing: Where to start
Start small. Look in the mirror. Friends (real, not imaginary). Read!
Get involved: ISACs, local FBI office (InfraGard), join the online communities
What are the next steps?
Try to understand who is interested in you. It is not always necessary to get 100% attribution.
Understand that once you are targeted by APT, you will forever be on their target cycle list.
Continue to iterate: that's what the APT does. Shorten the Kill Chain.
What You'll Gain
Ask the right questions…generate the right metrics
"We had 27 'incidents' this month"
Trends:
These guys only attack us when we do some conference
Group X only attacks when specific 0-days are published
Group Y is only active between these hours
Group Z never attacks during "insert country" holidays (e.g., Cinco de Mayo)
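The "Group Y is only active between these hours" trend above is the kind of metric the talk says behavioral data supports; as an added example (not the speakers' tooling), the following builds a per-group hour-of-day profile from constructed incident records, finds the smallest contiguous UTC window covering most of a group's activity, and checks whether a new event falls inside that historical window. Group names and timestamps are sample data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed incident records: (attributed group, UTC timestamp). Sample data, not real telemetry.
INCIDENTS = [
    ("GroupY", "2013-03-04T02:10:00"),
    ("GroupY", "2013-03-11T03:40:00"),
    ("GroupY", "2013-03-18T01:55:00"),
    ("GroupY", "2013-03-25T04:20:00"),
    ("GroupY", "2013-04-01T02:45:00"),
    ("GroupZ", "2013-03-05T14:00:00"),
    ("GroupZ", "2013-03-07T15:30:00"),
    ("GroupZ", "2013-03-12T13:15:00"),
]

def active_hours(incidents):
    """Hour-of-day histogram (24 buckets, UTC) for each attributed group."""
    hist = defaultdict(lambda: [0] * 24)
    for group, ts in incidents:
        hist[group][datetime.fromisoformat(ts).hour] += 1
    return dict(hist)

def active_window(hist_row, min_share=0.9):
    """Smallest contiguous hour range [start, end) holding at least min_share of the activity.
    Wraps past midnight, so a window of (22, 2) means 22:00 to 02:00 UTC."""
    total = sum(hist_row)
    best = None
    for start in range(24):
        count = 0
        for length in range(1, 25):
            count += hist_row[(start + length - 1) % 24]
            if count >= min_share * total:
                if best is None or length < best[1]:
                    best = (start, length)
                break
    start, length = best
    return start, (start + length) % 24

def in_usual_window(group, ts, incidents):
    """True if a new event at ts falls inside the group's historical active window."""
    start, end = active_window(active_hours(incidents)[group])
    hour = datetime.fromisoformat(ts).hour
    if start < end:
        return start <= hour < end
    return hour >= start or hour < end   # window wraps past midnight
```

An event outside a group's usual window is a prompt to question the attribution or to look for a change in the adversary's operating pattern, not proof of either.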
Impacts
Work smarter, not harder. Improves efficiency. Drives targeted investment. Ultimately improves security, and protects the business.
"By leveraging threat intelligence, you can tactically and strategically campaign against the APT and defend your business."
Thanks for your time
Questions? Follow us on Twitter!
@LangeSecurity @MGManglicmot