Advanced Attack Groups
(Objectives, Tactics, Countermeasures)
February 27, 2013
© Copyright 2010
MANDIANT CORPORATION

Computer Information Security Consulting
• Software: Host Inspection/Network Monitoring Tools
• Enterprise-Wide Intrusion Investigations
• Financial Crimes, National Security Compromises
• 380+ Investigations Since 2008, >2M and >20K Hosts
• Offices: DC, NYC, LA, San Francisco
• PCI PFI Certified, FS-ISAC Affiliate Member, GCHQ/CESG/CPNI Cyber Incident Response Pilot

Agenda
• Information Targeted By Attackers
• Attack Group Profiles
• Intrusion Case Examples
• Investigative Approach
• Why It Continues To Happen
• Countermeasures – Strategic and Tactical
• The Future
• Questions and Answers

Targeted Information

Information Targeted By Attackers

Category      Objective                      Examples
Financial     Personally Identifiable Info   Identity Theft Or Inadvertent Loss
              ATM Withdrawals                RBS Worldpay $9.3M
              Payment Card Data              TJX, Hannaford, Heartlands
              ACH Transactions               Finance Person Targeted
Intelligence  Intellectual Property          Corporate Misdeeds
              Corporate Strategy             Senior Exec E-Mail
              Attorney/Client Comm           Gipson Hoffman & Pancione
              R&D Material                   Many Industries
              Government Plans               Democratic Nat’l Committee
              Military Secrets               F35 Lightning Fighter Jet
              Energy Infra Architecture      Rumored Data Collection
Other         Destruction/Disruption/Leaks   Insiders, Hacktivists

Major Attack Groups

The Rogue/The Disgruntled
• Not As Sophisticated Or Practiced
• Limited Resources Available
• Smallest Impact
• Easier To Investigate Than Other Actors

Hacktivists
• Focused On Notoriety/Cause
• Loosely Organized: Small Groups
• Low (Follow Script) To Moderate (SQL Injection) Skills
• Frequent Use Of Publicly Available Tools
• Capitalize On Common Security Vulnerabilities
• More Disruptive Than Dangerous

Organized Crime
• Financially Motivated: Obtain/Sell Info
• Good Bankers: Understand ATM/PIN/HSM
• Microsoft-Centric: Bypass Mainframe, AS/400
• Highly Automated: Move Fast, Reuse Tools
• Compromise More Systems Than Used
• Persistence Has Not Been A Hallmark

The Advanced Persistent Threat
• Focused On Intelligence Gathering and Occupation
• Target Specific Organizations
• Nation State Sponsored
• What It Is Not:
  − Botnet/Worm
  − Script Kiddies
  − Financial Criminals
  − “Simplistic” Malware

How The APT Is Different
Motivation & Tenacity:
  − Their goal is occupation
  − Persistent access to network resources
  − Political and economic insight
  − Future use / fear / deterrent
Organization & Orchestration:
  − Division of labor
  − Malware change management
  − Escalation only as necessary
  − Countermeasures increase attack sophistication
Technology:
  − Custom Malware
  − Leverage various IP blocks to avoid filtering and detection
  − Few sustainable signatures (pack & modify binaries)
  − Malware recompiled days before installation
  − Constant feature additions
  − VPN Subversion
  − Encryption

Intrusion Examples

Scareware
• Ill-Advised Browsing
• iFrame Popup With Virus Warning
• Install Rootkit Malware (Broad Functionality)
• Charge Victim’s Payment Card
• Harvest Victim’s Payment Card Information
• Valid Transaction, Rarely Reported
• Millions Of Victims
• User Awareness Is Primary Defense

Typical APT Attack - Conglomerate
• Law Enforcement Notification: April 2010
• 2007 Phishing Email Attack (Conference Attendance)
• 93 Systems Compromised
• Five Attack Groups Active Concurrently/Independently
• Lost Credentials: User, Domain Admin, Service Accounts
• 1 GB Of Email, Credentials (Incremental Only)
• Attacker Focus: Green Fuel Materials, R&D, Mfg Data

Financial Services Attack
• Law Enforcement Notification
• Server Misconfiguration Attack Vector
• In Network Two Months Prior to Theft
• Moved Laterally With Blank SA Passwords, RDP
• Dumped Credentials From Domain Controller
• Compromised/Accessed ~350 Systems
• Dumped Several Dozen Records from Target Database
• Determined PINs Using IVR Web Service
• Made $13M In Withdrawals At 2,300 ATMs
• Repeated Attacks from Unmanaged Infrastructure

Investigation: How Do We Investigate?

Conducting Investigations
• Determine Incident History, Steps Taken, Technical Environment, Objectives
• Collect Relevant Data
• Increase Monitoring And Enterprise-Wide Inspection Capabilities As Needed
• Conduct Forensic, Log and Malware Analysis To Identify Network And Host-Based Indicators Of Compromise
• Identify Attack Vector, Attacker Activities, Compromised Systems/Accounts, Data Exposure
• Report Status, Findings, Remediation Recommendations

Investigative Cycle
Primary Sources of Information:
• Host inspection
• Full network monitoring/analysis
• Log analysis
  − Near real-time
  − Historical
• Malware reverse engineering
• Systems inspection
  − Live response analysis
  − In-depth forensic analysis
  − Memory analysis

Successful Investigations Require
• Technical Expertise:
  − Forensics, Malware, Log Analysis
• Investigative Skills:
  − Organize The Situation
  − Understand The Attacker
  − Recognize/Take The Right Next Step
• Management Skills:
  − Identification/Elimination of Obstacles
  − Communication Skills: When/How Needed

Why Does It Continue To Happen?

Why Does It Continue To Happen?
1. Limited Awareness of:
   − The Threats/Attackers/Actors and Their Motives
   − What is Possible: Advanced Phishing, Defeating Two-Factor, Obtaining Valid Credentials
2. Lack of Understanding of Actual Attacker Tactics:
   − Hacking Web Apps or Staging Phishing Campaigns?
   − Using Cached Credentials or Attacking Domain Controllers?
   − Using Backdoors, VPN Accounts or Web Shells?
3. Tendency to Focus on “Security Best Practices”:
   − Instead of What Attackers Actually Do
4. Lack of Visibility:
   − Inadequate Logging - Detail/Retention
   − Unmanaged Infrastructure
   − Unreconciled M&A Activity
5. Operational Expediency:
   − Two-Factor Authentication Is Hard to Administer
   − Dealing With Multiple Complex Passwords Creates Issues
   − Network Segmentation Makes App Deployment Difficult
6. Misplaced Faith in Compliance Audits:
   − Last 50 PCI Breaches – How Many Were Compliant?
7. Spend Money Instead of Time:
   − Solving Problems with Technology Is Appealing
   − Fixing People Problems Is Hard
   − Fixing Process Problems Is Hard/Boring

Addressing The Issues

Addressing The Issues - Strategic
1. Educate Your People, Clients, Suppliers, Partners:
   − Security Awareness, Attacker Profiles/Tactics
2. Turn Up Logging/Monitoring, Gain Visibility
3. Obtain Senior Management Awareness/Support
4. Invest in “Appropriate Practices”:
   − Focus on People and Process First
   − Implement Technology That Addresses True Issues:
     • Install Whitelisting on Domain Controllers
     • Establish/Enforce Strong Passwords: User, Admin, Service
     • Limit Number of Cached Local Credentials
5. Recognize That Execution Trumps Strategy

Addressing The Issues - Tactical
1. Understand What They Do And Take It Away
2. Conduct In Parallel With Investigation
3. Rebuild Systems
4. Whitelist Domain Controllers
5. Remove Local Admin Rights
6. Conduct Enterprise-Wide Credential Change
7. Increase Logging
8. Establish Host Inspection Capability
9. Establish Network Monitoring Capability
10. Segment Networks

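The host-level items in the strategic and tactical lists (limit cached credentials, remove local admin rights, enforce strong passwords, increase logging) can be checked per machine. The script below is an added example written for this page, not code from the presentation or from Mandiant; the thresholds, the baseline list of permitted local administrators and the minimum Security log size are assumed policy values, not figures from the deck.

```powershell
# Added example (not from the presentation): read-only audit of four host settings
# behind the remediation items above. Run elevated on a Windows workstation or member
# server with PowerShell 5.1 or later. Thresholds are assumptions, not deck figures.
$MaxCachedLogons     = 1                   # assumed policy: at most one cached domain logon
$AllowedLocalAdmins  = @('Administrator')  # assumed baseline for the local Administrators group
$MinSecurityLogBytes = 256MB               # assumed minimum Security log size for useful retention

$findings = New-Object System.Collections.Generic.List[string]

# 1. Cached domain logons: Winlogon\CachedLogonsCount (REG_SZ, Windows default "10").
#    Each cached verifier is one more credential that can be dumped from the host and reused.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = '10' }   # value absent means the Windows default applies
if ([int]$cached -gt $MaxCachedLogons) {
    $findings.Add("CachedLogonsCount is $cached; policy allows $MaxCachedLogons")
}

# 2. Local admin rights: any Administrators member beyond the agreed baseline.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Name -replace '^.*\\', '' }   # strip the DOMAIN\ or HOST\ prefix
foreach ($name in ($admins | Where-Object { $AllowedLocalAdmins -notcontains $_ })) {
    $findings.Add("Unexpected local Administrators member: $name")
}

# 3. Password enforcement: enabled local accounts that are permitted a blank password.
Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired } | ForEach-Object {
    $findings.Add("Enabled local account without a required password: $($_.Name)")
}

# 4. Logging: a small Security log wraps quickly and leaves nothing for historical analysis.
$secLog = Get-WinEvent -ListLog Security
if ($secLog.MaximumSizeInBytes -lt $MinSecurityLogBytes) {
    $findings.Add("Security log maximum size is $($secLog.MaximumSizeInBytes) bytes; want at least $MinSecurityLogBytes")
}

# Report one line per finding; non-zero exit lets a scheduled job or build gate flag the host.
if ($findings.Count -eq 0) {
    Write-Output 'No findings: host matches the assumed baseline.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    exit 1
}
```

The script changes nothing; use its findings to drive the credential change, admin-rights removal and log-size increases listed above through Group Policy rather than by hand on each host.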
Prioritizing Remediation Initiatives
[Diagram: the attack lifecycle stages (Initial Recon, Initial Compromise, Establish Foothold, Escalate Privileges, Internal Recon, Move Laterally, Maintain Presence, Complete Mission) overlaid with the remediation goals Detect, Inhibit and Respond, supported by Threat Intelligence. Also shown as factors in prioritization: Operational Visibility, Operational Complexities, Business Drivers, Resource Constraints.]

The Future

The Future
• We See Progress with Victim Organizations:
  − Small Number Unable to Remove Attacker (<5%)
  − Small Number Have Another Large Incident (<5%)
  − Most Deal Effectively with Subsequent Attacks (90%+)
• Greater Market Awareness
• More Industry Collaboration
• Recognize That “Victory” Is Minimizing Impact

Questions and Answers