Persistence is Key: Advanced Persistent Threats By: Sameer Thadani

Page 1: Persistence is Key: Advanced Persistent Threats

Persistence is Key: Advanced Persistent Threats

By: Sameer Thadani

Page 2

Objectives

What is an APT

What is an AET

Past targets

What to look for in the future

Page 3

Advanced Persistent Threats

Advanced

Higher levels of sophistication

Has access to Zero-Day exploits

Adapts to the victim's defenses

Persistent

Attacks are specific

Continue until the specific goals are met

Intend to maintain communication with the victim's compromised systems

Threats

Real power players behind attacks such as nation-states

Not your mom and pop hacking job

Page 4

APT Malware Anatomy

Page 5

APT Attack Flow

Step 1 • Reconnaissance

Step 2 • Initial Intrusion into the Network

Step 3 • Establish a Backdoor into the Network

Step 5 • Install Various Utilities

Step 6 • Lateral Movement and Data Exfiltration

Page 6

Reconnaissance

First stage of an APT

Learning about the victim's business processes and technology

Tools

Whois

Nmap

Netcraft.com

Social Media Searching

Acting SKILLZ

Page 7

Network Access

Spear-Phishing = #1 Way

Targeting specific high-value people

Sending highly realistic emails with attachments

Attachments include remote access trojans or other malware

BUT WAIT, how does my malware get past IDS/IPS, firewalls, and email filters?

ADVANCED EVASION TECHNIQUES

Page 8

Advanced Evasion Techniques

Key techniques used to disguise threats to evade and bypass security systems

Why are they advanced?

They combine multiple evasion techniques that focus on multiple protocol layers.

Evasions change during the attack

They allow malicious payloads or exploits, such as malware, to look normal

A wide variety of techniques

Combinations are endless

Page 9

Polymorphic Shellcode

Constantly changing injected packet code… generated using ADMmutate

Page 10

Polymorphic Shellcode

Page 11

Packet Splitting
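The evasion slides above (techniques spanning several protocol layers, and packet splitting in particular) come down to one defensive requirement: a sensor that matches signatures packet by packet misses a pattern that straddles segment boundaries, so it has to reassemble the TCP stream first. The following is an added example, not code from the original slides: a toy segment reassembler beside a naive per-packet matcher, run over constructed traffic. The signature bytes, the segment sizes and the "first copy wins" overlap policy are all assumptions for the demo.

```python
"""Why a detector must reassemble a stream before matching a signature.

Added example (not from the original slides). Models a sensor that receives
TCP segments out of order and in small pieces, and shows that per-packet
matching misses a signature split across segments while stream reassembly
catches it. The signature and segments below are constructed for the demo.
"""
from dataclasses import dataclass
from typing import List

# Constructed demo signature: what a signature-based sensor would look for.
SIGNATURE = b"EVIL-MARKER"


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def per_packet_match(segments: List[Segment], signature: bytes = SIGNATURE) -> bool:
    """Naive sensor: inspects each segment on its own."""
    return any(signature in s.payload for s in segments)


def reassemble(segments: List[Segment]) -> bytes:
    """Rebuild the byte stream in sequence order.

    Overlapping retransmissions are resolved with a 'first copy wins' policy
    (an assumption; real sensors must mirror the target host's TCP stack).
    A gap in the sequence space raises, since the stream cannot be rebuilt.
    """
    stream = bytearray()
    expected = None
    for s in sorted(segments, key=lambda s: s.seq):
        if expected is None:
            expected = s.seq
        if s.seq < expected:                 # overlaps data already accepted
            overlap = expected - s.seq
            if overlap >= len(s.payload):
                continue                     # entirely duplicate, drop it
            data = s.payload[overlap:]
        elif s.seq > expected:               # missing bytes in between
            raise ValueError(f"gap at seq {expected}, next segment at {s.seq}")
        else:
            data = s.payload
        stream += data
        expected += len(data)
    return bytes(stream)


def reassembled_match(segments: List[Segment], signature: bytes = SIGNATURE) -> bool:
    """Sensor that reassembles the stream before matching."""
    return signature in reassemble(segments)


def build_split_segments(message: bytes, start_seq: int = 1000, piece: int = 4) -> List[Segment]:
    """Constructed traffic: the message cut into small pieces and delivered
    out of order, the way a sensor sees a fragmented, reordered stream."""
    segs = [Segment(start_seq + i, message[i:i + piece])
            for i in range(0, len(message), piece)]
    return list(reversed(segs))              # reversed to simulate reordering


if __name__ == "__main__":
    traffic = build_split_segments(b"GET /x HTTP/1.1\r\nX: EVIL-MARKER\r\n\r\n")
    print("per-packet match: ", per_packet_match(traffic))    # False
    print("reassembled match:", reassembled_match(traffic))   # True
```

The per-packet matcher never sees more than four bytes at a time, so the eleven-byte signature can never match; the reassembled stream matches immediately. The overlap policy is the part to check in a real deployment: if the sensor keeps the first copy of an overlapping segment while the destination host keeps the last, the two see different streams, which is exactly the cross-layer ambiguity the evasion slides describe.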

Page 12

Establish Backdoors

Establish backdoors

Backdoors allow attackers to stay in constant contact with the compromised machine. Ex. Poison Ivy

Page 13

Install Utilities

Install key-logger

Ex: iSam

Page 14

Lateral Movement

Compromise more machines on the network and set up more backdoors; this allows for lateral movement and persistence

Ex. TRiAD Botnet Control System

EXFILTRATE DATA!

Page 15

Why is this happening?

Nation-state intelligence to aid in wartime strategy and exploitation

Diminish competition and improve strategic advantage by stealing intellectual property

To extort or ruin VIP

To gain $$$$ and gain economic power

Page 16

Learning from the past…

Google - Hydraq

RSA SecurID

Iran’s Nuclear Plant - Stuxnet

All targeted attacks on huge companies

Anyone can be targeted.

Page 17

Preparing for the Future…

Page 18

Keep your eyes open

Elevated log-ons at unexpected times

Finding any backdoor Trojans

Look for any anomalies in information flow

Look for HUGE data bundles
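The three indicators on this slide (privileged logons at odd hours, anomalous information flow, and unusually large transfers) are easy to turn into first-pass checks over exported logs. The following is an added example, not code from the original slides: it runs those checks over a constructed sample log. The pipe-separated field layout, the privileged-user list, the business-hours window, the 500 MiB threshold and the internal host-naming prefixes are all assumptions standing in for what your own SIEM and directory would supply.

```python
"""Turning the 'keep your eyes open' indicators into simple log checks.

Added example, not from the original slides. The log lines are constructed;
the field layout "timestamp|event|user|src_host|dst_host|bytes" is an
assumption standing in for whatever your SIEM exports.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log. svc_backup logs on at night and pushes large
# files to an external address on two consecutive days; alice and bob are
# ordinary daytime activity.
SAMPLE_LOG = """\
2015-03-02T09:12:00|logon|alice|ws-14|dc-01|0
2015-03-02T02:47:00|logon|svc_backup|ws-14|fileserver|0
2015-03-02T03:05:00|transfer|svc_backup|fileserver|198.51.100.7|734003200
2015-03-02T10:30:00|transfer|alice|ws-14|fileserver|2048000
2015-03-03T02:51:00|logon|svc_backup|ws-14|fileserver|0
2015-03-03T03:10:00|transfer|svc_backup|fileserver|198.51.100.7|812000000
2015-03-03T11:00:00|logon|bob|ws-22|dc-01|0
"""

PRIVILEGED_USERS = {"svc_backup", "domain_admin"}   # assumption: from your IAM
BUSINESS_HOURS = (time(7, 0), time(19, 0))          # assumption: local working hours
HUGE_TRANSFER_BYTES = 500 * 1024 * 1024              # assumption: 500 MiB threshold
INTERNAL_PREFIXES = ("ws-", "dc-", "fileserver")     # assumption: internal host naming


def parse_log(text):
    """Parse the constructed pipe-separated format into dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, src, dst, nbytes = line.split("|")
        records.append({"ts": datetime.fromisoformat(ts), "event": event,
                        "user": user, "src": src, "dst": dst, "bytes": int(nbytes)})
    return records


def is_internal(host):
    return host.startswith(INTERNAL_PREFIXES)


def find_indicators(records):
    """Return (rule, detail) hits for the three indicators on the slide."""
    hits = []
    start, end = BUSINESS_HOURS
    outbound_days = defaultdict(set)   # user -> days with internal->external transfers
    for r in records:
        t = r["ts"].time()
        # 1. Elevated logons at unexpected times
        if r["event"] == "logon" and r["user"] in PRIVILEGED_USERS and not (start <= t <= end):
            hits.append(("privileged_logon_off_hours", r))
        if r["event"] == "transfer":
            # 2. HUGE data bundles
            if r["bytes"] >= HUGE_TRANSFER_BYTES:
                hits.append(("huge_transfer", r))
            # bookkeeping for 3: data leaving the internal network
            if is_internal(r["src"]) and not is_internal(r["dst"]):
                outbound_days[r["user"]].add(r["ts"].date())
    # 3. Anomaly in information flow: the same user pushing data out on
    #    repeated days (a crude stand-in for baselining normal flows)
    for user, days in outbound_days.items():
        if len(days) >= 2:
            hits.append(("recurring_outbound_flow", {"user": user, "days": sorted(days)}))
    return hits


def summarize(hits):
    """Count hits per rule, handy for a quick triage view."""
    counts = defaultdict(int)
    for rule, _ in hits:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for rule, detail in find_indicators(parse_log(SAMPLE_LOG)):
        print(rule, detail)
    print(summarize(find_indicators(parse_log(SAMPLE_LOG))))
```

On the sample log this flags both night-time svc_backup logons, both transfers above the threshold, and svc_backup's repeated outbound flow, while alice's daytime internal copy stays quiet. The thresholds and the business-hours window are the parts to tune per site; the recurring-outbound rule is deliberately simple and would normally be replaced by a per-user baseline of outbound volume.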

Page 19

Questions?

Page 20

Sources

http://www.infoworld.com/article/2615666/security/5-signs-you-ve-been-hit-with-an-advanced-persistent-threat.html

https://www.youtube.com/watch?v=ugXyzkkYN9E

https://www.youtube.com/watch?v=J9MmrqatA1w

http://searchsecurity.techtarget.com/definition/advanced-persistent-threat-APT

http://www.symantec.com/theme.jsp?themeid=apt-infographic-1

http://searchsecurity.techtarget.com/definition/advanced-evasion-technique-AET

http://www.csoonline.com/article/2138125/what-are-advanced-evasion-techniques-dont-expect-cios-to-know-says-mcafee.html

Issa.org