
Awareness seminar on Advanced Persistent Threats

DESCRIPTION

A security awareness seminar for general staff about malware, focusing on APTs ... but without delving into the gory tech details.

Page 1: Awareness seminar on Advanced Persistent Threats

These speaker notes explain and expand upon the slides for the benefit of seminar leaders and participants. To print these notes and slides as handouts, select “Notes Pages” from the print dialogue.

Page 2: Awareness seminar on Advanced Persistent Threats

Read – click – read – click …

Information security professionals are genuinely concerned about “Advanced Persistent Threats” (APTs).

We’re risk-averse by nature, but this issue has us worried. Here’s why …

Page 3: Awareness seminar on Advanced Persistent Threats

APT incidents are technically advanced, using sophisticated techniques to bypass or undermine security controls.

This makes them hard to detect and stop.

Page 4: Awareness seminar on Advanced Persistent Threats

Attackers are determined and resourceful enough to keep on trying different forms of attack (e.g. viruses, social engineering, hacking, physical penetration) until eventually they succeed in compromising their target.

Once they succeed in getting inside the target organization, they remain under cover for MONTHS, maybe YEARS.

This allows them to penetrate the defenses deeply over the long term, and hence compromise the most sensitive and valuable information.

Page 5: Awareness seminar on Advanced Persistent Threats

It is difficult to characterize the threat agents or adversaries responsible for APTs, since they do their level best to remain under cover.

Most APTs appear to be the work of, or sponsored by, government agencies.

The Chinese government is currently in the media spotlight (quite possibly for political reasons), but in truth various nations (including the US, Israel, France and others) are understood to be actively engaged in information warfare for economic, espionage or other purposes, and APT techniques are almost certainly part of their armory.

Some organized criminals also use APT-like techniques, and quite possibly terrorist and pressure groups are similarly engaged.

All of these groups can be assumed to be well-resourced, highly committed or determined, and not averse to acting illegally. They are substantial threats to anyone in their sights.

Page 6: Awareness seminar on Advanced Persistent Threats

Bringing it all together, APTs are a genuine cause for concern.

They represent the latest generation of active information security threats, one that is not yet fully understood.

Page 7: Awareness seminar on Advanced Persistent Threats

The organizations that have suffered APT attacks are generally considered secure or highly secure: nuclear facilities, oil companies, defense contractors, computer security firms, government departments and more. They have the resources, skills, capabilities and good sense to make information security a high priority.

If APTs can succeed here, what hope is there for ordinary commercial organizations and small businesses?

Page 8: Awareness seminar on Advanced Persistent Threats

Did you hear about the Stuxnet incident from 2010? This busy diagram is just a high-level overview of a complex incident.

Stuxnet involved a sophisticated network worm, widely reported to have been custom-written for this attack by US and Israeli government agencies. It targeted the industrial control systems at an Iranian uranium enrichment plant. The plant’s control network was isolated from the Internet, so the worm was carried in on infected USB media and then spread within the plant, ultimately reprogramming the controllers that drove the centrifuges and causing serious physical damage to the industrial equipment.

Stuxnet was discovered in June 2010, by a Belarusian antivirus company investigating infected computers in Iran, but the earliest known versions date back to 2009 – in other words it is thought to have lain undetected for many months.

Page 9: Awareness seminar on Advanced Persistent Threats

RSA is a major global computer security company. The 2011 APT attack on RSA compromised information relating to its SecurID key-fob authentication tokens (reportedly the secret seed values from which each token’s one-time codes are generated), and as such they had little choice but to ‘go public’ about the incident.

It was very embarrassing for RSA and no doubt very costly in respect of handling the incident, investigating and resolving the attack, contacting customers, replacing key-fobs, losing current and prospective customers etc.

RSA’s business depends on securing those secrets and other information. This incident could easily have led to their downfall, if they had remained independent. The effect on EMC (RSA’s parent company) is unclear, but the APT incident probably wiped a substantial amount off the value of the $2.1bn EMC paid for RSA in 2006.

Page 10: Awareness seminar on Advanced Persistent Threats

The initial phase of an APT attack typically involves:

• Selecting a target. APT attacks are unlike generic virus incidents that can affect almost anyone – they are highly specific. The perpetrators have something definite in mind, for example, trade secrets or national security secrets.

• Gathering intelligence on the target – looking for weak spots

• Planning and preparing the attack

• Developing custom tools for the job, such as a novel worm, virus or Trojan that won’t be detected by conventional antivirus software

Page 11: Awareness seminar on Advanced Persistent Threats

Moving on, phase II is the start of the APT attack itself, and probably the first opportunity for the target organization to notice that it is under attack.

This phase may be over almost immediately if the target organization is unprepared and poorly defended! It will take longer to penetrate a more secure organization, but generally it’s just a matter of the time and resources needed. If the attacker is sufficiently persistent, patient and capable, he will probably succeed in the end.

Notice that immediately after getting into the organization, the attacker’s priority is to “go to ground”, in other words blending into the background and seeming to disappear from view. Staying undetected is key for the next and most damaging phase.

Page 12: Awareness seminar on Advanced Persistent Threats

Phase III is the highest-risk part of the attack – highest risk both for the attacker and for their target.

Phase III may last for months, maybe years, hence the squiggle on the time axis.

During this time, the attacker has internal access to the organization, probably including many of its IT systems and people, possibly across multiple locations. The attacker can remote-control his malicious software running on the network systems, using encrypted communications that blend in with ordinary web traffic and are difficult to spot. Taking advantage of his insider access, the attacker can penetrate very deeply, exploiting relatively weak internal controls and trust relationships.

Along the way, he will start stealing or sabotaging information assets, for example sending trade secret processes, recipes, databases etc. out through anonymous network links that are very difficult to spot and trace.

At some point, if the victim is “lucky”, the attacker will have had enough and will disappear without a trace, perhaps turning his attention to other victims (including business partners of the first). If the victim’s luck is out, the attacker will continue bleeding the organization dry and remain infiltrated over the long term, waiting for further opportunities to profit, including, perhaps, obtaining and selling the victim’s information to third parties.
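Added illustration for technically minded seminar leaders (this is not part of the original slides or notes): one way a security team can look for the regular “calling home” traffic described above, run over a few constructed proxy log lines. The hostnames, IP address and log format are hypothetical, and the thresholds are starting points that need tuning against real traffic.

```python
"""Spotting command-and-control beaconing in web-proxy logs.

An implant that is being remote-controlled usually "calls home" at a fixed
interval over HTTPS, so each individual request looks like normal browsing.
What gives it away is regularity: many connections from one internal host
to one external destination, evenly spaced in time and nearly identical in
size. This script flags such flows.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines for illustration only (hypothetical hosts,
# not taken from any real incident). Fields: timestamp, internal client,
# destination host, bytes sent by the client.
SAMPLE_LOG = """\
2013-05-06T09:00:02 10.1.4.23 updates.example-cdn.net 1187
2013-05-06T09:00:07 10.1.4.23 www.example-news.com 52310
2013-05-06T09:05:03 10.1.4.23 updates.example-cdn.net 1190
2013-05-06T09:06:41 10.1.4.23 www.example-news.com 8803
2013-05-06T09:10:01 10.1.4.23 updates.example-cdn.net 1185
2013-05-06T09:15:04 10.1.4.23 updates.example-cdn.net 1189
2013-05-06T09:17:22 10.1.4.23 mail.example-webmail.com 2201
2013-05-06T09:20:02 10.1.4.23 updates.example-cdn.net 1188
2013-05-06T09:25:03 10.1.4.23 updates.example-cdn.net 1191
2013-05-06T09:31:55 10.1.4.23 www.example-news.com 47019
"""


def parse_log(text):
    """Parse the whitespace-separated format above into
    (client, destination, timestamp, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, nbytes = line.split()
        records.append((client, dest, datetime.fromisoformat(ts), int(nbytes)))
    return records


def regularity(values):
    """Coefficient of variation (stdev / mean): 0 means perfectly regular."""
    avg = mean(values)
    return pstdev(values) / avg if avg else float("inf")


def find_beacons(records, min_connections=5, max_jitter=0.2):
    """Return one (client, destination, mean_interval_seconds, connections)
    tuple for each flow whose connection spacing and request size are both
    nearly constant.

    max_jitter bounds the coefficient of variation of the gaps and sizes.
    Real implants deliberately add random jitter, so tune this threshold
    against your own baseline rather than hard-coding it to zero.
    """
    flows = defaultdict(list)
    for client, dest, ts, nbytes in records:
        flows[(client, dest)].append((ts, nbytes))

    hits = []
    for (client, dest), events in flows.items():
        # Need at least two connections to have a gap at all.
        if len(events) < max(min_connections, 2):
            continue
        events.sort()
        times = [ts for ts, _ in events]
        sizes = [nbytes for _, nbytes in events]
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        if regularity(gaps) <= max_jitter and regularity(sizes) <= max_jitter:
            hits.append((client, dest, round(mean(gaps)), len(events)))
    return hits


if __name__ == "__main__":
    for client, dest, interval, count in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{client} -> {dest}: {count} connections, every ~{interval}s")
```

On the sample above only the five-minute flow to updates.example-cdn.net is reported; the bursty news and webmail browsing is ignored because its timing and sizes vary. In practice the same test is run per client over a day or more of logs, and the hits are then checked against known-good destinations (software update services, monitoring agents) before anyone is alarmed.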

Page 13: Awareness seminar on Advanced Persistent Threats

APTs will often compromise low-level employees in the first instance, gaining a foothold in the organization. From there, they will work their way up to more valuable targets with greater access and knowledge, but the starting point could be something as simple as:

• A phone call to a random employee asking for contact details for someone else, or other seemingly innocuous information, or a face-to-face conversation between an employee and a stranger in a local restaurant or bar, or at a conference or business meeting

• An email attachment containing a virus, Trojan, spyware etc., or a link to an infectious website

• Hacking the network and systems directly

• Theft of a briefcase, laptop or smartphone from an employee, possibly at home or on the road (e.g. hotel room thefts while attending a business conference)

• Entering the premises as a burglar, a visitor, a candidate attending a job interview, a temp, an intern, an auditor, a security guard, or in fact an actual employee (i.e. a spy or mole working for a third party) to steal information or plant bugs.

This is why we are talking to you about APTs: we are all under threat!

Page 14: Awareness seminar on Advanced Persistent Threats

As in many areas of information security, there is only so much that can be done in the way of technical and physical controls. If those controls are strong, compromising employees may be the easiest option, initially at least.

Page 15: Awareness seminar on Advanced Persistent Threats

Now is a good opportunity to ask about APTs.

If questions occur to you later, feel free to call the IT Help/Service Desk, check out the Security Zone, or contact Information Security.