
Advanced Persistent Threats (APTs) - Information Security Management


Page 1: Advanced Persistent Threats (APTs) - Information Security Management

ADVANCED PERSISTENT THREAT

Group B

Sagar Patil, Raghav Tripathi, Mayur Nanotkar

AGENDA
• Introduction
• What is APT?
• How does it work?
• Illustration
• Exploitation Cycle
• Case Studies
• Security Solutions For APT


WHAT IS APT?
• “An advanced and normally clandestine means to gain continual, persistent intelligence on an individual, or group of individuals” [Wikipedia]
• “… a sophisticated, mercurial way that advanced attackers can break into systems, not get caught, keeping long-term access to exfiltrate data at will.” [McAfee]
• “… a sophisticated and organized cyber attack to access and steal information from compromised computers.” [MANDIANT]


WHY THE TERM APTs?
• Advanced
  – Attacker adapts to defenders’ efforts
  – Can develop or buy zero-day exploits
  – Higher level of sophistication
• Persistent
  – Attacks are objective-specific
  – Will continue until the goal is reached
  – Intent to maintain long-term connectivity
• Threats
  – The entity (or entities) behind the attack
  – Not the malware/exploit/attack alone


HOW DO THEY WORK? - APTs


KEY DIFFERENCES: INCURSION

Establish a beachhead for the campaign


KEY DIFFERENCES: DISCOVERY


KEY DIFFERENCES: CAPTURE


KEY DIFFERENCES: EXFILTRATION


TARGETING AND EXPLOITATION CYCLE

• Step 1: Reconnaissance
• Step 2: Initial Intrusion into the Network
• Step 3: Establish a Backdoor into the Network
• Step 4: Obtain User Credentials
• Step 5: Install Various Utilities
• Step 6: Privilege Escalation / Lateral Movement / Data Exfiltration
• Step 7: Maintain Persistence


RECONNAISSANCE
• A reconnaissance attack occurs when an adversary tries to learn information about your network.
• Unauthorized discovery and mapping of systems, services, or vulnerabilities.
• Also known as information gathering; in most cases it precedes an actual access or DoS attack.
  o First, the malicious intruder typically conducts a ping sweep of the target network to determine which IP addresses are alive.
  o Then the intruder determines which services or ports are active on the live IP addresses.
  o From this information, the intruder queries the ports to determine the type and version of the application and operating system running on the target host.
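As an added example (not part of the original slides), a small detector for the sweep-then-probe pattern described above, run over constructed flow records; the record format, the port list and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed flow records (assumed format, not a real log schema):
# (src_ip, dst_ip, dst_port, proto); proto "icmp" with port 0 models an echo request.
SAMPLE_FLOWS = (
    [("203.0.113.5", f"10.0.0.{i}", 0, "icmp") for i in range(1, 41)]          # sweep of 40 hosts
    + [("203.0.113.5", "10.0.0.7", p, "tcp")
       for p in (21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389)]           # probing one live host
    + [("10.0.0.50", "10.0.0.7", 443, "tcp"), ("10.0.0.50", "10.0.0.8", 443, "tcp")]  # normal traffic
)


def detect_recon(flows, host_threshold=20, port_threshold=8):
    """Return {src_ip: [findings]} for sources whose fan-out matches the
    sweep-then-probe pattern; the thresholds are tuning knobs, not fixed rules."""
    icmp_targets = defaultdict(set)                        # src -> hosts pinged
    probed_ports = defaultdict(lambda: defaultdict(set))   # src -> dst -> ports tried
    for src, dst, port, proto in flows:
        if proto == "icmp":
            icmp_targets[src].add(dst)
        elif proto in ("tcp", "udp"):
            probed_ports[src][dst].add(port)

    findings = defaultdict(list)
    for src, hosts in icmp_targets.items():
        if len(hosts) >= host_threshold:
            findings[src].append(f"ping sweep: {len(hosts)} hosts probed")
    for src, per_dst in probed_ports.items():
        for dst, ports in per_dst.items():
            if len(ports) >= port_threshold:
                findings[src].append(f"port scan: {len(ports)} ports on {dst}")
    return dict(findings)


if __name__ == "__main__":
    for src, hits in detect_recon(SAMPLE_FLOWS).items():
        print(src, "->", "; ".join(hits))
```

The ping-sweep rule fires on fan-out alone, so a monitoring host that polls the whole subnet will need to be allow-listed.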


RECONNAISSANCE (cont.)
• In multiple cases, Mandiant identified a number of public website pages from which a victim’s contact information was extracted and subsequently used in targeted social engineering messages.
• Preventive Measures: Network DLP (prevents sensitive data from leaving)


INITIAL INTRUSION INTO THE NETWORK
• Social engineering combined with email is the most common and successful method.
• The spoofed email will contain an attachment or a link to a zip file:
  o A CHM file containing malware
  o A Microsoft Office document exploit
  o Some other client software exploit, such as an Adobe Reader exploit
• The attackers typically operate late at night (U.S. time), between the hours of 10 p.m. and 4 a.m. These times correlate to daytime in China.
• Preventive Measures:
  o Firewall (blocks APT connections via IP reputation)
  o Web Gateway (detects/blocks obfuscated malware)
  o Email Gateway (blocks spear-phishing emails and links to malicious sites)
  o Network Threat Response (detects obfuscated malware)
  o Network Security Platform (stops malicious exploit delivery)


ESTABLISH A BACKDOOR INTO THE NETWORK
• Attempt to obtain domain administrative credentials . . . Transfer the credentials out of the network
• The attackers then established a stronger foothold in the environment by moving laterally through the network and installing multiple backdoors with different configurations.
• The malware is installed with system-level privileges through the use of process injection, registry modification or scheduled services.
• Malware characteristics:
  o Continually updated
  o Encryption and obfuscation of its network traffic
  o Uses built-in Microsoft libraries
  o Uses legitimate user credentials
  o Does not listen for inbound connections
• Preventive Measures:
  o Firewall (detects/blocks APT back-channel communication)
  o Network Threat Response (detects APT destination IPs)
  o Application Whitelisting (prevents backdoor installation)


OBTAIN USER CREDENTIALS
• The attackers often target domain controllers to obtain user accounts and corresponding password hashes en masse.
• The attackers also obtain local credentials from compromised systems.
• The APT intruders access approximately 40 systems on a victim network using compromised credentials.
• Mandiant has seen as few as 10 compromised systems and in excess of 150 compromised systems.
• Preventive Measures:
  o Web Gateway (detects/blocks access to malicious applications)
  o Application Whitelisting (prevents unauthorized changes to systems)


INSTALL VARIOUS UTILITIES
• Program functionality includes:
  o Installing backdoors
  o Dumping passwords
  o Obtaining email from servers
  o Listing running processes
  o Many other tasks
• More malware characteristics:
  o Only 24% detected by security software
  o Utilize spoofed SSL certificates, e.g. Microsoft, Yahoo
  o Most NOT packed
  o Common file names, e.g. svchost.exe, iexplore.exe
  o Malware in sleep mode from a few weeks to a few months, up to a year
  o Target executives’ systems
  o Use of a stub file to download malware into memory (minimal forensic footprint)
• Preventive Measures:
  o Firewall (blocks APT connections via IP reputation)
  o Web Gateway (detects/blocks obfuscated malware)
  o Email Gateway (blocks spear-phishing emails and links to malicious sites)
  o Network Threat Response (detects obfuscated malware)
  o Network Security Platform (stops malicious exploit delivery)


PRIVILEGE ESCALATION / DATA EXFILTRATION

• Once a secure foothold has been established:
  o Exfiltrate data such as emails and attachments, or files residing on user workstations or project file servers
  o The data is usually compressed and put into a password-protected RAR or Microsoft Cabinet file
  o They often use “staging servers” to aggregate the data they intend to steal
  o They then delete the compressed files they exfiltrated from the “staging servers”
• Preventive Measures: Unified DLP (prevents data from leaving the network)
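Added example, not from the slides: a content-based check of the kind a DLP gateway could apply to outbound files, recognising the RAR and Microsoft Cabinet containers named above from their magic bytes rather than their extension, and reading the RAR4 main-header flag that marks encrypted headers. The sample buffers are constructed and the verdict strings are an assumed format.

```python
# Magic bytes of the containers the slide names; RAR5 is included for completeness.
RAR4_MARKER = b"Rar!\x1a\x07\x00"
RAR5_MARKER = b"Rar!\x1a\x07\x01\x00"
CAB_MARKER = b"MSCF"
RAR4_MHD_PASSWORD = 0x0080  # RAR4 main-header flag: block headers are encrypted


def classify_container(data):
    """Return (kind, headers_encrypted) for a byte buffer, or (None, False) if it is
    none of these containers. headers_encrypted is True/False for RAR4 and None where
    the flag is not parsed (RAR5). A RAR4 archive can still be password-protected
    per file without this flag, so False does not mean "no password"."""
    if data.startswith(RAR5_MARKER):
        return "rar5", None
    if data.startswith(RAR4_MARKER):
        # RAR4 main header follows the 7-byte marker:
        # HEAD_CRC(2) HEAD_TYPE(1, 0x73) HEAD_FLAGS(2, little-endian) HEAD_SIZE(2)
        if len(data) >= 12 and data[9] == 0x73:
            flags = int.from_bytes(data[10:12], "little")
            return "rar4", bool(flags & RAR4_MHD_PASSWORD)
        return "rar4", False
    if data.startswith(CAB_MARKER):
        return "cab", False  # CAB has no native encryption but is still a staging container
    return None, False


def dlp_verdict(filename, data):
    """Block archive containers leaving the network whatever extension they carry
    (assumed verdict format: "allow" or "block: <reason>")."""
    kind, encrypted = classify_container(data)
    if kind is None:
        return "allow"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    reason = kind
    if encrypted:
        reason += " (encrypted headers)"
    if ext not in ("rar", "cab"):
        reason += f" disguised as .{ext}" if ext else " without extension"
    return "block: " + reason


# Constructed sample buffers: marker plus a minimal RAR4 main header or CAB header stub.
ENCRYPTED_RAR4 = RAR4_MARKER + b"\x00\x00\x73" + RAR4_MHD_PASSWORD.to_bytes(2, "little") + b"\x0d\x00"
PLAIN_RAR4 = RAR4_MARKER + b"\x00\x00\x73\x00\x00\x0d\x00"
CAB_SAMPLE = CAB_MARKER + b"\x00" * 32

if __name__ == "__main__":
    for name, buf in (("report.pdf", ENCRYPTED_RAR4), ("tools.rar", PLAIN_RAR4), ("setup.cab", CAB_SAMPLE)):
        print(name, "->", dlp_verdict(name, buf))
```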


MAINTAIN PERSISTENCE
• As the attackers detect remediation, they will attempt to establish additional footholds and improve the sophistication of their malware.
• Preventive Measures:
  o Network User Behavioural Analysis (identifies unexpected user behaviour during APT reconnaissance and data collection phases)
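Added example, not part of the slides, serving both the Obtain User Credentials slide (one set of compromised credentials used across roughly 40 systems) and the behavioural analysis named here: a baseline comparison over constructed logon events. The event format, the baseline, the thresholds and the 22:00 to 04:00 window (the attacker working hours given on the initial-intrusion slide) are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed logon events (assumed format): (local timestamp, account, host).
SAMPLE_LOGONS = [
    ("2011-03-15 09:12", "alice", "WS-101"),
    ("2011-03-15 09:40", "alice", "FS-01"),
    ("2011-03-15 14:05", "bob", "WS-102"),
    ("2011-03-15 23:30", "alice", "WS-101"),   # one late logon alone should not trip the rule
] + [(f"2011-03-16 02:{i:02d}", "svc_backup", f"WS-{200 + i}") for i in range(40)]

# Constructed baseline: the systems each account normally touches.
BASELINE = {"alice": {"WS-101", "FS-01"}, "bob": {"WS-102"}, "svc_backup": {"DC-01", "BK-01"}}


def off_hours(ts):
    """True between 22:00 and 04:00 local time (the window named on the intrusion slide)."""
    hour = datetime.strptime(ts, "%Y-%m-%d %H:%M").hour
    return hour >= 22 or hour < 4


def flag_accounts(events, baseline, host_threshold=10, off_hours_threshold=5):
    """Return {account: [reasons]} for accounts that reach many systems outside
    their baseline or log on repeatedly inside the off-hours window."""
    hosts = defaultdict(set)
    night_logons = defaultdict(int)
    for ts, account, host in events:
        hosts[account].add(host)
        if off_hours(ts):
            night_logons[account] += 1

    flagged = defaultdict(list)
    for account, seen in hosts.items():
        new_hosts = seen - baseline.get(account, set())
        if len(new_hosts) >= host_threshold:
            flagged[account].append(f"{len(new_hosts)} systems outside baseline")
        if night_logons[account] >= off_hours_threshold:
            flagged[account].append(f"{night_logons[account]} logons between 22:00 and 04:00")
    return dict(flagged)


if __name__ == "__main__":
    for account, reasons in flag_accounts(SAMPLE_LOGONS, BASELINE).items():
        print(account, "->", "; ".join(reasons))
```

Service accounts that legitimately run overnight jobs need their own baseline and a higher off-hours threshold, otherwise the second rule is all noise.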


Case Study Analysis: RSA SecurID Hack

1. Research public information about employees
2. Select low-value targets
3. Spear-phishing email “2011 Recruitment Plan” with .xls attachment
4. Spreadsheet contains a 0-day exploit that installs a backdoor through a Flash vulnerability (backdoor is a Poison Ivy variant RAT, reverse-connected)
5. Digital shoulder surfing & harvesting of credentials
6. Performed privilege escalation
7. Target and compromise high-value accounts
8. Copy data from target servers
9. Move data to staging servers and aggregate, compress and encrypt it
10. FTP to external staging server at compromised hosting site
11. Finally pull data from hosted server and remove traces


Case Study Analysis: Operation Aurora

• Operation Aurora was a cyber attack which was first publicly disclosed by Google on January 12, 2010, in a blog post.
• Highlights:
  o Google said the attack originated in China.
  o Demonstrated
    • a high degree of sophistication,
    • strong indications of a well-resourced and consistent APT attack.
  o Aimed at well-placed MNCs such as Adobe Systems, Juniper Networks, Yahoo, Symantec, Northrop Grumman, Morgan Stanley, etc.
  o Google stated in its blog that it plans to operate a completely uncensored version of its search engine in China "within the law, if at all". If not possible, it may leave China and close its Chinese offices.
• Primary goal: to gain access to and potentially modify source code repositories at these high-tech, security and defence contractor companies.


Case Study: CHINESE SPY TEAM HACKS FORBES.COM


SECURITY SOLUTIONS FOR APT


EMET (Enhanced Mitigation Experience Toolkit)
• EMET (Enhanced Mitigation Experience Toolkit)
  o A free utility that helps prevent vulnerabilities in software from being successfully exploited for code execution.
  o It does so by opting software in to the latest security mitigation technologies.
  o The result is that a wide variety of software is made significantly more resistant to exploitation, even against zero-day vulnerabilities and vulnerabilities for which an update has not yet been applied.
• Highlights:
  o Making configuration easy
  o Enterprise deployment via Group Policy and SCCM
  o Reporting capability via the new EMET Notifier feature
• Configuration:
  o EMET 3.0 comes with three default "Protection Profiles".
  o Protection Profiles are XML files that contain pre-configured EMET settings for common Microsoft and third-party applications.


Bit9 Parity Suite
• Bit9 Parity Suite
  o Endpoint Threat Protection Solution.
  o This solution provides an extensive list of features for protection against APTs.
• Features of Bit9:
  o Application Control/Whitelisting
  o Software Reputation Service
  o File Integrity Monitoring
  o Threat Identification
  o Device Control
  o Registry Protection
  o Memory Protection


THANK YOU!