Advanced Persistent Threat(APT)

Presented by:QuratulAin Najeeb

Agenda

.• Advance persistent threat

.• Stages of APT

.• Problem in Detection

.• Events

.• Detection Framework

Advanced Persistent ThreatBiggest Cyber Security Threat 2013

Advanced Use of advanced techniques

PersistentRemain in system for long period“Low” and “Slow”

ThreatAgenda of stealing data

AP

TElements of APT

APT charactersticsDon't destroy systemsDon't interrupt normal operationTry to stay hidden and keep the stolen data flowingTrick a user into installing malware

Spear-Phishing

Stages of APT

6. Exfiltration

5. Data Collection

4.Operation

3. Exploitation

2. Delivery

1. ReconnaissanceCollecting information about Organization’s resources

Spear phishing emails are prepared and sent

Command and control connection is build from targeted employee’s machine via remote access

Persistent presence in network and gain access to data

Information is packed, compressed and encrypted

Data is moved over channels to various external servers

APT Example

Step 1: ReconTwitter Starbucks

LinkedIn Sniffing

Captured: Email address (engineer@gmail.com)Friend’s email (engineer2@gmail.com)Interests (www.ITECH-2013.com)

Hey look! An email from Engineer2. With a catalog attached!

Spoofed, of course Most

certainly clicking

here

Step 2: Targeted Attack

CLICK HERE TO VIEW “ITECH” EVENT 2013

Step 3: Gaining AccessThe PDF gets clicked.Code gets dropped.The backdoor is opened.

Step 4: Command & ControlThe attacker connects to the listening port i.e. Remote Access

Step 5: Data Packaging

At this point, the attacker could do any number of things to get more sensitive data

New APT Model

Attack Tree A mean to detect potential vulnerable elements towards the targeted data

Attack tree of APT aimed at source data

AND

Attack ModelProblem

An attack path may go across multiple planes

PLANES EVENTSPhysical Physical devices, working

locationUser Recording sensitive data

accessNetwork Firewall /logs/ IDS/IPSApplication Information deliver through

gateway

SOLUTIONEvent logging for APT detection

Candidate EventsSuspicious EventsAttack Events

Attack Pyramid

Attack Pyramid Unfolded Attack Pyramid

DETECTION FRAMEWORKAlert SystemUsing AlgorithmsG={G1,…..Gn}Gi = {P1, . . . , Pn} Pi = {e1 ………….eK } Put together the events relevant to an attack contextDetection Rule

Signature based rules (Connecting to blacklisted domain)Anomaly detection rules (Send more data than usual)Policy based rules (Overloaded VPN connection)

Conclusion

In research papers APT is defined, and proposed an attack model for problem detection i.e. Attack Pyramid

Thank you

Q/A …….

References

http://www.research.att.com/techdocs/TD_101075.pdf (2012) http://www.infosecurityproject.com/2012/Download/K7_Advanced%20Persistent%20Threat%20and%20Modern%20Malware_Jones%20Leung.pdf