Post on 24-Jun-2020

TARGETED CYBER ATTACKS ANATOMY, VIVISECTION AND PROTECTION

Sergey Gordeychik

Deputy CTO, Kaspersky Lab

Diagram: Targeted Attack Discovery (APT, advanced threats, intelligence; abnormal behavior, threat hunting)

The case of the CRYPTOBANK

INVESTIGATION RESULTS


1000 workstations, 200 servers

2 weeks of unsuccessful encryption attempts

Backup servers compromised as well

FDE tool with a unique encryption key for each device

PowerShell scripts…

TTP


Enterprise wipers/cryptors

Black Energy

HDDCryptor

Shamoon 2

Full disk encryption

Malware-less

“Tailored” encryption

https://kas.pr/aAg2

PowerShell scripts?..


INVESTIGATION RESULTS


The initial breach occurred 6 months earlier

Spear phishing “from” jd@wincor-nixdorf.net

Cobalt Strike beacon

Privilege escalation (Mimikatz, Pass-the-Hash)

Access to ATM management station

Silence…

15 countries

Near East

Asia

East/West Europe

Russia

40+ banks

Cash withdrawal through the ATM's XFS interface

Wiping traces with sdelete.exe

“Offensive Security Certified” hacking

CYBER THREAT VELOCITY

https://www.youtube.com/watch?v=e50DpEvKJ-k

TECHNIQUES, TACTICS AND PROCEDURES


Pentest-style attack

Massive breach post processing

Target selection and profiling

Black market

Remote access

Insiders

Passwords

Drops

Organized activity

http://www.scmagazine.com/kaspersky-confirms-return-of-carbanak-and-two-more-banking-apt-groups/article/472224/

https://en.wikipedia.org/wiki/2016_Bangladesh_Bank_heist

https://www.elevenpaths.com/wp-content/uploads/2016/11/Financial_Threats_Q3-2016_EN.pdf

https://www.bleepingcomputer.com/news/security/polish-banks-infected-with-malware-hosted-on-their-own-governments-site/

THREAT VELOCITY

ATM (15+ countries)

SWIFT (Poland)

..

Local payment systems

We don't know yet…

The case of the

https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx

OOPS, THEY DID IT AGAIN


Domain controllers under control since 2013

psexec for lateral movement

Steganography for C2 communications

Checks for (only) Qihoo 360 AV

3 days to “do it again” after cleanup

• Trusted domain in daughter company

• Overseas branch

• Backdoor VPN channel

THEY NEVER GIVE UP

You don't have to be a target to be a victim

Supply chain attack

Multiple C2 channels

Malware-less attacks

Server side implants

Taidoor/ Whitewhile

Poisoned Flight/Elirks

PlugX/ ZeroT

TropicTrooper

https://www.hackread.com/mirai-botnet-linked-to-dyn-dns-ddos-attacks/

http://census2012.sourceforge.net/paper.html
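Cobalt Strike beacons and most of the other C2 channels listed here share one behaviour that survives a change of domain, IP address or payload: the implant calls home on a fixed sleep with a small jitter. As an added example (not code from the talk), the Python below hunts for that regularity in constructed web-proxy records by computing, for every source/destination pair, the coefficient of variation of the inter-request intervals and of the response sizes. The log format, hostnames and thresholds are assumptions.

```python
"""Beacon hunt over constructed web-proxy records (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log: "<epoch seconds> <src_ip> <dst_host> <response bytes>".
# 10.1.1.17 -> cdn.example-update.net is the planted beacon (about 60 s sleep,
# a few seconds of jitter, near-constant empty check-in responses).
PROXY_LOG = """\
1700000000 10.1.1.17 cdn.example-update.net 412
1700000060 10.1.1.17 cdn.example-update.net 408
1700000122 10.1.1.17 cdn.example-update.net 415
1700000179 10.1.1.17 cdn.example-update.net 410
1700000241 10.1.1.17 cdn.example-update.net 409
1700000298 10.1.1.17 cdn.example-update.net 413
1700000360 10.1.1.17 cdn.example-update.net 411
1700000419 10.1.1.17 cdn.example-update.net 407
1700000010 10.1.1.17 intranet.corp.example 53211
1700000015 10.1.1.17 intranet.corp.example 1203
1700000130 10.1.1.17 intranet.corp.example 48120
1700000131 10.1.1.17 intranet.corp.example 22000
1700000700 10.1.1.17 intranet.corp.example 9800
1700001500 10.1.1.17 intranet.corp.example 3100
1700000011 10.1.1.23 mail.corp.example 2200
1700000013 10.1.1.23 mail.corp.example 2210
1700000700 10.1.1.23 mail.corp.example 2190
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, src, dst, size) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        records.append((int(ts), src, dst, int(size)))
    return records


def cv(values):
    """Coefficient of variation: spread relative to the mean; 0 means perfectly regular."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def beacon_candidates(records, min_requests=6, max_interval_cv=0.15, max_size_cv=0.25):
    """Flag src/dst pairs whose request timing and response sizes are too regular
    for a human. Thresholds are assumptions; tune them against your own baseline."""
    by_pair = defaultdict(list)
    for ts, src, dst, size in records:
        by_pair[(src, dst)].append((ts, size))
    hits = []
    for (src, dst), obs in by_pair.items():
        if len(obs) < min_requests:          # too few samples to say anything
            continue
        obs.sort()
        intervals = [b[0] - a[0] for a, b in zip(obs, obs[1:])]
        sizes = [size for _, size in obs]
        interval_cv, size_cv = cv(intervals), cv(sizes)
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            hits.append({"src": src, "dst": dst, "requests": len(obs),
                         "sleep_s": round(mean(intervals), 1),
                         "interval_cv": round(interval_cv, 3),
                         "size_cv": round(size_cv, 3)})
    return sorted(hits, key=lambda h: h["interval_cv"])


if __name__ == "__main__":
    for hit in beacon_candidates(parse_log(PROXY_LOG)):
        print(hit)
```

The planted beacon is the only pair that survives both filters; the intranet browsing has six requests but wildly varying gaps and sizes, and the mail host has too few samples. Expect legitimate beaconers too (software updaters, monitoring agents, NTP-like check-ins), so the output is a candidate list to join with destination popularity and a whitelist, not a verdict. A beacon configured with a large jitter, or one that hides in a high-volume channel, pushes the interval CV above the threshold, which is why this hunt is one hypothesis among several rather than a detector.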

A THOUSAND BATTLES, A THOUSAND VICTORIES

THREAT HUNTING


https://sqrrl.com/solutions/cyber-threat-hunting/

Cyber threat hunting is the practice of searching iteratively through data to detect advanced threats that evade traditional security solutions.

WHY THREAT HUNTING?


Minimize residual risk

Minimize the time between attack and detection

Detection of unknown targeted attacks

TTP-based detection

“Time machine” for evidence analysis

Detection of non-malware attacks

Iterative process

Diagram: three layers, Security tools (prevention), Monitoring (SOC alerting) and Hunting (threat hunting), plotted against risks

http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf

https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785

http://info.isightpartners.com/definitive-guide

Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin, Lockheed Martin Corporation


FROM THE OTHER SIDE OF THE FENCES

https://securelist.com/blog/virus-watch/74150/plugx-malware-a-good-hacker-is-an-apologetic-hacker/

SANS 2016 (THREAT HUNTING, MDR*)

https://www.sans.org/reading-room/whitepapers/threats/automated-defense-threat-intelligence-augment-35692

DAVID BIANCO - PYRAMID OF PAIN

https://securelist.com/blog/research/77403/fileless-attacks-against-enterprise-networks/

WHAT DO WE NEED/HAVE?

Hypothesis: security assessment, SOC practice, APT/breach reports, situational awareness

Analytics: machine learning, linked data analysis

IOC: data feeds (MAF, C&C, pDNS, etc.), whitelists, popularity, similarity

https://www.gartner.com/doc/reprints?id=1-2WQY2BI&ct=160121&st=sb

THREAT HUNTING CYCLE

Goals and priorities

Detection scenarios

Scenario deployment

Detection

Evidence collection: live response, memory dump, disk dump

Data analysis: malware analysis, live response analysis, forensic examination (network forensics, host forensics)

Validation

Categorization

Prioritization

THREAT HUNTING (PAIN) CYCLE

(the same cycle diagram as above, annotated with the questions each stage raises)

How to deliver quickly?

How and with what to detect? TP or FP?

“Tailored” for me or seen before? Is this really important?

How? Which tools to use?

What really happened? How to withstand it in the future?

Who? How and with what? Attack goals?

IMPLEMENTATION: THREAT INTELLIGENCE PLATFORM


Level 1: TI Farm

pDNS

Files IoC

C&C

Distributed SandBox

Ext. IoCs

Level 2: TTP

ML

Objects (MD5, FQDN)

Events

SOC practice

IR, DF

Security Assessment

Objects behavior (system, network,

identity)

Object tags

Manual analysis

Suspicious objects

Suspicious behavior

Level 3: Analyst

Sandbox/KATA

AV

IR team

WL

APT Hunt

Automatic analysis

Exploit detection

THREAT HUNTING FUNNEL
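As an added example of the Level 1 / Level 2 funnel (this is not the platform from the talk, and every feed entry, hash, domain, IP address and host below is constructed), the Python enriches endpoint observations against in-memory stand-ins for the file-IOC feed, the C&C feed, passive DNS and the whitelist, computes popularity as the number of distinct hosts that have seen an object, tags each object and decides its route: automatic blocking for feed hits, the analyst queue for rare objects with a behaviour signal, a watch-list for rare objects with no other signal, and nothing for popular or whitelisted objects.

```python
"""Threat-hunting funnel over constructed endpoint observations (added example)."""
from collections import defaultdict

# ---- Level 1: in-memory stand-ins for the TI farm. Every value is constructed. ----
FILE_IOC_FEED = {"1" * 32}                           # MD5s published as known bad
C2_DOMAIN_FEED = {"c2.bad.example"}                  # FQDNs published as C&C
C2_IP_FEED = {"203.0.113.9"}                         # C&C IPs; pDNS resolutions join on these
PDNS_FIRST_SEEN_DAYS = {"cdn.example-update.net": 4, "www.wikipedia.org": 5000,
                        "intranet.corp.example": 2400, "c2.bad.example": 2}
WHITELIST = {"a" * 32, "b" * 32}                     # hashes of vetted, signed binaries
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe",
                      "powershell.exe", "wscript.exe"}

# ---- Sensor observations (constructed). md5 ctx carries the parent process,
#      fqdn ctx carries the IP it resolved to. ----
OBSERVATIONS = []
OBSERVATIONS += [{"host": f"WS-{i:03d}", "type": "md5", "value": "a" * 32,
                  "ctx": {"parent": "explorer.exe"}} for i in range(950)]
OBSERVATIONS += [{"host": f"WS-{i:03d}", "type": "fqdn", "value": "www.wikipedia.org",
                  "ctx": {"ip": "198.51.100.20"}} for i in range(800)]
OBSERVATIONS += [{"host": f"WS-{i:03d}", "type": "fqdn", "value": "intranet.corp.example",
                  "ctx": {"ip": "10.0.0.5"}} for i in range(600)]
OBSERVATIONS += [
    {"host": "WS-017", "type": "md5", "value": "c" * 32, "ctx": {"parent": "powershell.exe"}},
    {"host": "WS-017", "type": "fqdn", "value": "cdn.example-update.net", "ctx": {"ip": "192.0.2.77"}},
    {"host": "WS-021", "type": "md5", "value": "1" * 32, "ctx": {"parent": "explorer.exe"}},
    {"host": "WS-022", "type": "md5", "value": "1" * 32, "ctx": {"parent": "explorer.exe"}},
    {"host": "SRV-ATM-01", "type": "md5", "value": "d" * 32, "ctx": {"parent": "explorer.exe"}},
]


def popularity(observations):
    """Level 2 'popularity': distinct hosts per object. Objects seen on most of
    the fleet are rarely interesting; objects seen once or twice often are."""
    hosts = defaultdict(set)
    for o in observations:
        hosts[(o["type"], o["value"])].add(o["host"])
    return {k: len(h) for k, h in hosts.items()}


def enrich(obj_type, value, ctx):
    """Level 1 enrichment (feeds, pDNS, whitelist) plus behaviour tags."""
    tags = set()
    if obj_type == "md5":
        if value in WHITELIST:
            tags.add("whitelisted")
        if value in FILE_IOC_FEED:
            tags.add("file_ioc")
        if ctx.get("parent", "").lower() in SUSPICIOUS_PARENTS:
            tags.add("suspicious_parent")
    elif obj_type == "fqdn":
        if value in C2_DOMAIN_FEED or ctx.get("ip") in C2_IP_FEED:
            tags.add("c2_feed")
        first_seen = PDNS_FIRST_SEEN_DAYS.get(value)
        if first_seen is not None and first_seen < 30:
            tags.add("pdns_new")          # domain only recently started resolving
    return tags


def verdict(tags):
    """Funnel decision. Whitelist beats everything, a feed hit beats rarity,
    rarity alone is only worth a watch-list entry."""
    if "whitelisted" in tags:
        return "drop"
    if tags & {"file_ioc", "c2_feed"}:
        return "block"        # known bad: AV / automatic response
    if "rare" in tags and tags & {"suspicious_parent", "pdns_new"}:
        return "analyst"      # unknown object with a behaviour signal: Level 3
    if "rare" in tags:
        return "watch"        # unknown and quiet: re-score as more data arrives
    return "noise"


def triage(observations, rare_threshold=5):
    """Collapse observations to objects, tag them and assign a funnel verdict."""
    pop = popularity(observations)
    objects = {}
    for o in observations:
        key = (o["type"], o["value"])
        item = objects.setdefault(key, {"type": o["type"], "value": o["value"],
                                        "hosts": pop[key], "tags": set()})
        item["tags"] |= enrich(o["type"], o["value"], o["ctx"])
        if pop[key] < rare_threshold:
            item["tags"].add("rare")
    for item in objects.values():
        item["verdict"] = verdict(item["tags"])
    return objects


def analyst_queue(objects):
    """What Level 3 actually sees: analyst-routed objects, rarest first."""
    return sorted((i for i in objects.values() if i["verdict"] == "analyst"),
                  key=lambda i: i["hosts"])


if __name__ == "__main__":
    for item in triage(OBSERVATIONS).values():
        print(item["verdict"], item["hosts"], item["value"], sorted(item["tags"]))
```

Out of some 2,350 observations the analyst sees two objects: a hash that exists on one host and was spawned by powershell.exe, and a domain that one host resolved and that passive DNS first saw four days ago. The feed hit is handled without an analyst, the whitelisted binary on 950 hosts never enters the queue, and the rare-but-quiet hash is kept so it can be re-scored when a later observation (a feed update, a new parent process) adds a signal. The rare threshold and the parent list are the knobs to tune against your own fleet.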

CYBER THREAT HUNTING ”TOOLKIT”


Intelligence

• TTP: incident response/pentest cases

• MRTI (machine-readable threat intelligence): feeds

Sensors

• Host

• Network

• Infrastructure

• Apps

Collection and analysis

• Collection cloud

• Storage

• Analytical engine(s)

Threat Hunting Team

SOC/IR/THREAT HUNTING

(the same cycle diagram as above, its stages grouped under Monitoring, Threat Hunting and Incident Response)

THREAT HUNTING…

Helps detect new threats

On top of the SOC

TTP-based detection

“Time machine”

Non-malware attacks

Iterative process

Pain cycle

https://www.linkedin.com/pulse/threat-hunting-reference-model-part-2-loop-ely-kahn


Know the enemy

Know yourself

Follow trends

Use what you have

Look forward

Remember the past

Hunt the hunters

SILENCE IS A SCARY SOUND

BE SAFE! Sergey Gordeychik

1337@kaspersky.com

@scadasl

Diagram: Targeted Attack Discovery (APT, advanced threats, IT issues; abnormal behavior, internal threats)