Advanced Persistent Threats (Shining the Light on the Industries' Best Kept Secret) - Will Gragido...

Cassandra Security Analysis of the Security Industry and that it influences

Will Gragido | CISSP, CISA, IAM, IEM
John Pirc | CEH, IAM, SANS Thought Leader

BSidesSanFrancisco

Description

This lecture covers the advanced techniques and tradecraft of subversive multi-vector threats (SMTs) and advanced persistent threats (APTs), presented by two of the world's leading experts in this specific field. It is important to understand that APTs have a long history and, though typically not talked about unless you are dealing with governments, the Defense Industrial Base (DIB), research organizations or global financials, they are all too real. The techniques and tradecraft associated with them are so mature and diverse that they go undetected. Today's Internet is far more complex, dynamic and diverse than ever before. Because of this fast-paced evolution within the threat landscape, these types of attacks (as we predicted in a recent lecture at ToorCon in October 2009 in San Diego, CA) have swiftly become mainstream. The attack surface knows no bounds and includes whatever medium is necessary for completing the operators' charter and missions. In most instances these attacks are sponsored by nation-state and sub-national entities, either politically or economically motivated. During our discussion we will address the history and psychology of these cyber actors as it relates to APTs, and then advance into an in-depth discussion of SMTs, cryptovirology, asymmetric forms of information gathering, recent use cases, and next-generation countermeasures for detecting and defending against these types of attacks. Lastly, having predicted last fall the rise of APTs into the mainstream, we will also leave you with yet another prediction of what to expect in the coming year.

Transcript of Advanced Persistent Threats (Shining the Light on the Industries' Best Kept Secret) - Will Gragido...

Page 1: Advanced Persistent Threats (Shining the Light on the Industries' Best Kept Secret) - Will Gragido and John Pirc

Cassandra Security Analysis of the Security Industry and that it influences

Advanced Persistent Threats (Shining the Light on the Industries' Best Kept Secret)

Will Gragido | CISSP, CISA, IAM, IEM
John Pirc | CEH, IAM, SANS Thought Leader

BSidesSanFrancisco

Page 2:

Agenda

• Introductions
• Advanced Persistent Threats – An Introduction
• Dynamic Shifts In the Threat Landscape
• Foreign Country Activity – Session Analysis Validation
• Subversive Multi-Vector Threats
• Gods of War: Blended Attacks
• Cryptovirology
• CrimeWare as a Service (CaaS)
• Question and Answer

Page 3:

Advanced Persistent Threats: An Introduction

• Well documented and quite old
  ▫ Earliest known instances date to the early 1990s
  ▫ Department of Defense parlance: "Events of Interest"
  ▫ State sponsored
  ▫ Industrial espionage
  ▫ Colloquially referred to as 'events of interest'
• "Advanced Persistent Threats"
  ▫ Named by the United States Air Force
  ▫ What's old is new again: origination points
    - State sponsored infowar labs
    - Intelligence agencies
    - The underground
    - Though not necessarily in the same fashion in which threats such as 'MyDoom', 'CodeRed' or 'SQL Slammer' did; that is simply not the case here

Page 4:

Advanced Persistent Threats: An Introduction

• Easy definition for a non-trivial challenge:
  ▫ An opportunistic form of cyber attack, developed and designed to meet the needs of its architects, that compromises a specific system or group of systems in order to acquire data and exfiltrate it to those behind the original attack
• Historical targets of opportunity and interest:
  ▫ Military
  ▫ Intelligence
  ▫ Defense Industrial Base
  ▫ High tech (intellectual property: Lucent Technologies, Motorola, etc.)
• Sophistication level:
  ▫ Only as sophisticated as they need to be
  ▫ Sophistication is determined and dictated by the aggressors after intelligence gathering has occurred

Page 5:

Advanced Persistent Threats

[Timeline figure: incidents grouped as "The Classics", "The Subversives" and "SMTs". Incidents named on the slide: Eligible Receiver, Solar Sunrise, Moonlight Maze, Titan Rain, Byzantine Foothold, Exxon, US Power Grid, Aurora, Operation Shockwave. Years on the axis: 1997, 1998, 1999, 2004, 2007, 2009, 2010.]

Page 6:

Dynamic Shifts in the Threat Landscape

• Your father's Internet
  ▫ Perimeters used to be well defined, and so was the protection
    - Static and informational
    - Firewall and AV saved the day
    - Web defacements and breaking into a network through open ports or OS vulnerabilities were par for the course
• Today's Internet (better have a virtual hazmat suit)
  ▫ Floating perimeters
  ▫ Dynamic, interactive and mobile
  ▫ App driven
  ▫ Web browsers and plugins

Page 7:

U.S. military OKs use of online social

Seriously…Seriously?

Washington (CNN) -- U.S. military personnel are officially allowed to tweet. That's the upshot of the Pentagon's long-awaited policy on rank and file personnel using online social media, unveiled Friday. The new rules authorize access to Facebook, Twitter, YouTube, and other social media Web sites from nonclassified government computers -- as long as such activity doesn't compromise operational security or involve prohibited activities or Web sites.

• Security risk and social media trade-off

Page 8:

Hacking not Required

Imagine the Possibilities

Page 9:

Routes to the Cyber Market

[Figure: the slide's columns are Motivation, Expertise, Attack Vector and Result, combined as Motivation + Expertise + Attack Vector = Result.]

Expertise: None (Normal End-User); Novice (Script Kiddie); Intermediate (Hacker for Hire); Expert (Foreign Intel Service, Terrorist Organization and/or Organized Crime)

Attack Vector: IM, IRC, P2P; Open Ports; Web Browsers / Apps; Email and Attachments; Vulnerable Operating System

Motivation / Result labels on the slide: Fame; Destruction; Moral Agenda; Money; Notoriety; Theft; Espionage (Corporate/Government); Fun; Unwitting; Compromise of an Asset/Policy and/or Intellectual Property; Intentional Act / Non-Intentional Act

Page 10:

Foreign Country Activity – Drive-By: Why Session-Based Analysis Is Needed!

Compliments of NetWitness ;-)

1. Examine traffic to foreign countries
2. Follow the clues

Page 11:

Suspicious outbound traffic to various countries…

Destination: China

Page 12:

Instant correlation

• Mostly unknown service
• Executables exist

Breadcrumb

Page 13:

Anti-Virus triggered on content rendering

Must be bad…

• JavaScript
• www.333292.com??
• GET: 1.exe, 2.exe, …

Breadcrumb

Page 14:

Malicious content in the same session

• Obfuscated JavaScript
• Executables downloaded
• Bogus 404 error

Page 15:

Foreign Country Traffic Summary

• Scrutinize outbound traffic to China
• Unknown services with .exe transfers
• Content review triggered Anti-Virus – "Infostealer"
• Content review shows malicious obfuscated JavaScript and .exe downloads
• Classic drive-by exploit

• Rule example:
  ▫ Dst.country = "China" && extension = "exe"

• FlexParse example:
  ▫ Obfuscated JavaScript patterns
  ▫ Executable file signatures – for those that don't have the correct extension
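The rule and parser ideas on this slide can be exercised end to end. The Python below is an added example, not NetWitness rule syntax and not code from the talk: it runs the slide's two checks (destination country plus .exe extension; an executable file signature regardless of the URL's extension, including inside a bogus 404 page) and a simple obfuscated-JavaScript heuristic over constructed session records. The session records, hostnames, indicator list and score threshold are all assumptions made for the demonstration.

```python
import re

def make_pe_stub() -> bytes:
    """Constructed byte string carrying the two PE signatures: an MZ header whose
    e_lfanew field (offset 0x3C) points at a 'PE\\0\\0' signature. It is not a
    runnable executable, but it is exactly what a file-signature parser keys on."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")     # e_lfanew -> 0x40
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20

# Constructed landing page in the style of the slide: eval(unescape(...)) plus
# document.write(String.fromCharCode(...)) hiding an injected element.
OBFUSCATED_JS = (b"<html><script>"
                 b'eval(unescape("%76%61%72%20%78%3d%64%6f%63%75%6d%65%6e%74"));'
                 b"document.write(String.fromCharCode(60,105,102,114,97,109,101,62));"
                 b"</script></html>")

# Constructed sample sessions (not real captures). Each stands in for one
# reassembled HTTP session: destination country, URL, status, declared
# content type and raw response body.
SAMPLE_SESSIONS = [
    {"id": 1, "dst_country": "China", "url": "http://landing.example.invalid/index.html",
     "status": 200, "content_type": "text/html", "body": OBFUSCATED_JS},
    {"id": 2, "dst_country": "China", "url": "http://landing.example.invalid/1.exe",
     "status": 200, "content_type": "application/octet-stream", "body": make_pe_stub()},
    # PE body served under an image name as a 404 page: the slide's "bogus 404".
    {"id": 3, "dst_country": "China", "url": "http://landing.example.invalid/img/logo.gif?id=7",
     "status": 404, "content_type": "text/html", "body": make_pe_stub()},
    {"id": 4, "dst_country": "United States", "url": "http://cdn.example.invalid/style.css",
     "status": 200, "content_type": "text/css", "body": b"body { margin: 0; }"},
    # Ordinary page from China with plain JavaScript: must NOT trigger.
    {"id": 5, "dst_country": "China", "url": "http://news.example.invalid/news.html",
     "status": 200, "content_type": "text/html",
     "body": b"<html><script>var a = 1; document.title = 'news';</script></html>"},
]

def url_extension(url: str) -> str:
    """Extension as the URL claims it (query string and fragment stripped)."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""

def looks_like_pe(body: bytes) -> bool:
    """Executable file signature check, independent of the file's extension."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(body[0x3C:0x40], "little")
    if e_lfanew + 4 <= len(body):
        return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    return True  # truncated capture: the MZ stub alone is still worth a look

JS_INDICATORS = ("eval(", "unescape(", "String.fromCharCode", "document.write(")
ESCAPE_RE = re.compile(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}")

def js_obfuscation_score(text: str) -> int:
    """Crude score: one point per indicator hit, one per eight escaped bytes."""
    indicators = sum(text.count(tok) for tok in JS_INDICATORS)
    return indicators + len(ESCAPE_RE.findall(text)) // 8

def analyze_session(s: dict) -> list:
    """Apply the slide's rule and the parser-style checks to one session."""
    findings = []
    ext = url_extension(s["url"])
    is_pe = looks_like_pe(s["body"])
    if s["dst_country"] == "China" and ext == "exe":           # Dst.country && extension
        findings.append("rule:dst=China+ext=exe")
    if is_pe and ext != "exe":                                   # signature beats extension
        findings.append("parser:pe-signature-without-exe-extension")
    if is_pe and s["status"] != 200:                             # bogus 404 carrying a binary
        findings.append("parser:pe-body-in-http-%d" % s["status"])
    if is_pe and not s["content_type"].startswith("application/"):
        findings.append("parser:content-type-mismatch")
    if s["content_type"].startswith("text/") and \
            js_obfuscation_score(s["body"].decode("latin-1")) >= 3:   # threshold is an assumption
        findings.append("parser:obfuscated-javascript")
    return findings

def triage(sessions) -> dict:
    """Map session id -> findings, keeping only sessions that hit something."""
    result = {}
    for s in sessions:
        findings = analyze_session(s)
        if findings:
            result[s["id"]] = findings
    return result

if __name__ == "__main__":
    for sid, hits in triage(SAMPLE_SESSIONS).items():
        print(sid, hits)
```

Session 5 is the control: traffic to China with plain JavaScript is left alone, which is the reason the rule keys on the combination of destination and executable content rather than on the destination by itself.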

Page 16:

Subversive Multi-Vector Threats (SMTs)

Page 17:

Subversive Multi-Vector Threats

• Definition:
  ▫ Highly sophisticated, well-crafted, well-executed attacks designed to use and exploit as many threat vectors as necessary to accomplish the mission's milestones. What makes them different from other threats is the willingness to utilize people, process and technology weaknesses in order to meet their ends
  ▫ These threats are designed to place, in a dynamic fashion, a greater or lesser amount of effort and emphasis in one area versus another over time, as dictated by the mission's goals and the leadership behind them
• Subversive Multi-Vector Threats (SMTs) are complex unions of human intelligence, information security, communications intelligence / signals intelligence (COMINT / SIGINT) and open source intelligence (OSINT), and as a result differ greatly in this sense from other threat classes such as the Advanced Persistent Threat (APT). (Gragido, 12 Dec 2009, http://cassandrasecurity.com/?p=960)

Page 18:

Subversive Multi-Vector Threats (SMT) and Advanced Persistent Threats (APT)

• Differ dramatically from other well-known threat types in a number of ways, some more obvious than others
• The greatest differences noted between the types of threats
  ▫ Lie in the targets of interest
  ▫ Approaches employed in selecting and exploiting the target
  ▫ Whether they be targets of opportunity or selected targets, exploitation mechanisms will vary in the world of the Subversive Multi-Vector Threat, whereas in the world of the Advanced Persistent Threat (APT):
    - The avenues for exploitation may change, though their overall relevance is entrenched in the realm of the technical
  ▫ As such, APTs, contrary to popular belief, are focused upon and rely upon technological vulnerabilities present within a system or enterprise in order to meet their goals
  ▫ Not so with the Subversive Multi-Vector Threat
    - These threats are not bound to technology alone as an avenue of exploitation, but rather often assess both people and process weaknesses equally in order to identify the path of least resistance while capitalizing upon the weaknesses of others

Page 19:

Identifying and Addressing Subversive Multi-Vector Threats (SMT)

• Subversive Multi-Vector Threats (SMTs)
  ▫ Employment of intellectual honesty
    - Reality dictates we will be targeted
    - "When", not "If"
  ▫ Requires risk management
  ▫ Repeatable processes and procedures are non-negotiable; they are imperative
  ▫ Metrics employed
    - What gets measured gets results
    - Aids in establishing the known from the unknown while demonstrating progression or regression
    - Our assertion is that in doing so an organization can quickly identify areas where vulnerabilities and deficiencies exist which leave it exposed to potential exploitation of people, process and technology
• Uncompromising diligence is required
• Progressive approaches required
  ▫ Creativity
  ▫ Collaboration
  ▫ Iron sharpens iron
• Innovative technological solutions coupled with innovative, comprehensive approaches to practical, risk-based information security management are imperative
  ▫ Are there technologies which can aid us in achieving these goals? Yes
  ▫ Are they already in our environments? Perhaps, but odds are they are not, and will be or should be considered in the near future

Page 20:

Gods of War: Blended Attacks

Page 21:

Gods of War: Blended Attacks

• ZeuS (also known as Zbot / WSNPoem)
• Crimeware kit which is best known for its tenacity, intelligent design and ability to steal credentials (in a voluminous manner) from a truly impressive, disparate base of sources, including but not limited to the following:
  ▫ Social networks (Facebook, Twitter, MySpace, LinkedIn, Foursquare, Yelp, etc.)
  ▫ Online financial accounts (banking, brokerage, retirement, etc.)
  ▫ FTP accounts (yes, people still use unsecured FTP accounts…)
  ▫ E-mail accounts (phishing / spear phishing)
  ▫ Cloud computing based environments (Amazon EC2)

Page 22:

Gods of War: Blended Attacks

• ZeuS' DNA
  ▫ Crimeware kit which contains the following modules
    - A web interface for administering and managing the botnet (ZeuS Admin Panel)
    - A customized tool used in the creation of the Trojan binaries and in encrypting the configuration file (commonly referred to as an executable generator)
  ▫ ZeuS hosts typically consist of three components
    - A configuration file (the most commonly associated file name extension is *.bin)
    - A binary file which contains the newest version of the ZeuS Trojan code (updated periodically by the bot master to ensure the highest degree of functionality and feature use / availability)
    - A dropzone (most commonly seen as a PHP file used for storage)
• ZeuS botnet features:
  ▫ Framework design
    - Unintelligent program which hooks itself into the operating system (need to verify if it is hooking at ring 3 or 0) and hides itself
    - All logic for the botnet itself is contained within the configuration file
    - The configuration file for ZeuS / Zbot acts like a definitions database for AV products; without it the bot is fairly benign
    - Often the configuration file contains lists of targets (financial institutions, for example), in addition to other data such as URLs for other components the bot relies upon for command and control purposes and the lists of information gathered from targets to populate fields which the bot completes in order to steal details / credentials and other information
    - The configuration file is always ciphered; it is never found in the clear
  ▫ The older versions of ZeuS used a hard-coded cipher which could be reverse engineered; the current versions use a more sophisticated level of cryptovirology (unique keys for encrypting the config file, with the key then stored in the executable, which is also 'packed'). This eliminates the potential for deciphering all botted hosts universally
  ▫ The key is 256 bytes long, making brute forcing a non-trivial task

Courtesy of abuse.ch ZeuS Tracker
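To make the "unique key stored in the executable" point concrete, here is an added Python model; it is not ZeuS code and not a decoder for any real ZeuS build. Each build gets its own 256-byte key, the config is ciphered under it, and the key is embedded in the bot binary. The choice of cipher (RC4), the marker used to locate the key, and the sample config are assumptions for the demonstration; in a real sample the key is found by unpacking and reversing the binary, not by a marker. What it shows is that a key carved from one build opens only that build's config, which is why there is no universal decryptor, and why carving the key from the sample beats brute force on a 256-byte key.

```python
import random

KEY_LEN = 256                       # the slide's figure: a 256-byte key per build
KEY_MARKER = b"\x00CFGKEY\x00"      # hypothetical marker so the demo can locate the key

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher (illustrative choice only). The same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                                   # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                      # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def build_sample(config: bytes, seed=None):
    """Model the builder: a fresh key per build, the config ciphered under that key, and the
    key embedded (here behind a marker) inside the bot binary between random filler bytes."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    key = bytes(rng.getrandbits(8) for _ in range(KEY_LEN))
    filler = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    binary = filler(300) + KEY_MARKER + key + filler(200)
    return binary, rc4(key, config)

def carve_key(binary: bytes) -> bytes:
    """Pull the per-build key out of the (unpacked) binary."""
    idx = binary.find(KEY_MARKER)
    if idx < 0:
        raise ValueError("key marker not found (packed sample? unpack first)")
    start = idx + len(KEY_MARKER)
    return binary[start:start + KEY_LEN]

def looks_like_config(data: bytes) -> bool:
    """Plaintext sanity check that separates a correct key from a wrong one."""
    return all(32 <= b < 127 or b in b"\r\n\t" for b in data) and b"url_" in data

def decrypt_config(binary: bytes, enc_config: bytes) -> bytes:
    """Decrypt a config with the key carved from the sample it shipped with."""
    plain = rc4(carve_key(binary), enc_config)
    if not looks_like_config(plain):
        raise ValueError("decryption produced garbage: wrong key for this config")
    return plain

# Constructed config in the spirit of the slide: component URLs, a PHP dropzone, a target.
SAMPLE_CONFIG = (b"url_config=http://c2.example.invalid/cfg.bin\n"
                 b"url_server=http://drop.example.invalid/gate.php\n"
                 b"target=https://bank.example.invalid/login\n")

if __name__ == "__main__":
    bin_a, enc_a = build_sample(SAMPLE_CONFIG, seed=1)
    bin_b, enc_b = build_sample(SAMPLE_CONFIG, seed=2)
    print(decrypt_config(bin_a, enc_a).decode())          # build A's key opens build A's config
    try:
        decrypt_config(bin_b, enc_a)                       # build B's key does not
    except ValueError as err:
        print("cross-build attempt:", err)
```

The older "hard-coded cipher" case the slide contrasts with corresponds to every build sharing one key: reverse it once and every config in the wild falls. Per-build keys turn that into one reversing job per sample.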

Page 23:

Gods of War: Blended Attacks

• Credentials capturing
  ▫ HTTP
  ▫ HTTPS
  ▫ FTP
  ▫ POP3
  ▫ Protected Storage Area (PSTORE)
• Botnets
  ▫ Organize / assemble / group infected hosts into different botnets for:
    - Ease of use
    - Flexibility
    - Meeting customer needs
• Integrated SOCKS proxy
• Web-based form for searching captured credentials
• Ciphered configuration files
• Kill operating system functions (becoming more common in botnets the world over)
• Well QA'd
  ▫ Exhaustively tested before release

Page 24:

CryptoVirology

• What is cryptovirology?
  ▫ A wonderful question with a myriad of plausible responses
  ▫ What cryptovirology is not is obvious, common, trivial or new
  ▫ Cryptovirology as a discipline has a lineage dating back to the mid to late 1990s, something that seems to be (along with other things in our industry as of late) often overlooked

Page 25:

CryptoVirology

• The earliest observed instances where cryptoviral attacks were utilized have become known as 'cryptoviral extortion'
• AKA 'cryptoviral ransom' attacks; however
• An attack by any other name would smell as sweet…
  ▫ The intent and logical outcomes are the same: via a virus, worm, Trojan, etc., a victim's files (whether discriminately chosen or not) are identified and encrypted, with the file owner being notified that should she wish to receive them back intact, she must first make payment to the author of the malicious code in question in order to receive the proper session key
  ▫ If payment is not brought forward, the author / attacker may make a variety of threats / claims as to what he / she will do with the files, up to and including destruction
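The exchange described above, as an added example that is not part of the original talk: a hybrid cryptoviral extortion protocol in the sense defined by Young and Yung, run entirely on in-memory byte strings. The attacker's RSA key pair, the SHA-256 counter-mode keystream used as the file cipher, and the sample "files" are assumptions for the demonstration (textbook RSA without padding, chosen only to show the protocol shape; none of it is fit for real use). What it shows is why the victim cannot recover on her own: after infection the host holds only the ciphertexts and the session key encrypted under the attacker's public key, and the session key comes back only from the holder of the private key.

```python
import hashlib
import math
import random

def is_probable_prime(n: int, rng, rounds: int = 16) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int, rng) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if is_probable_prime(cand, rng):
            return cand

def gen_rsa_keypair(bits: int = 512, rng=None):
    """Textbook RSA (no padding): enough to show the protocol shape, unsafe for real use.
    Returns ((e, n), (d, n)); the private half never leaves the attacker."""
    rng = rng or random.SystemRandom()
    e = 65537
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric file cipher: SHA-256 in counter mode as a keystream (illustration only)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)

SESSION_KEY_LEN = 32   # 256-bit session key; fits under a 512-bit modulus without padding

def victim_side(attacker_pub, files: dict, rng=None):
    """What runs on the victim: encrypt files under a fresh session key, then keep only the
    session key's RSA ciphertext (the 'ransom token'). The plaintext session key is dropped,
    so nothing on the host can undo the encryption."""
    rng = rng or random.SystemRandom()
    session_key = bytes(rng.getrandbits(8) for _ in range(SESSION_KEY_LEN))
    encrypted = {name: keystream_xor(session_key, data) for name, data in files.items()}
    e, n = attacker_pub
    token = pow(int.from_bytes(session_key, "big"), e, n)
    del session_key
    return encrypted, token

def attacker_side(attacker_priv, token: int) -> bytes:
    """What the attacker does after payment: recover the session key with the private key."""
    d, n = attacker_priv
    return pow(token, d, n).to_bytes(SESSION_KEY_LEN, "big")

def restore(encrypted: dict, session_key: bytes) -> dict:
    """Victim applies the released session key; XOR keystream is its own inverse."""
    return {name: keystream_xor(session_key, data) for name, data in encrypted.items()}

if __name__ == "__main__":
    rng = random.Random(2010)
    pub, priv = gen_rsa_keypair(512, rng)                       # attacker, offline
    files = {"report.doc": b"quarterly numbers", "notes.txt": b"meeting minutes"}   # constructed
    enc, token = victim_side(pub, files, rng)                    # victim host, post-infection
    print("ransom token (RSA ciphertext of session key):", hex(token)[:20], "...")
    print(restore(enc, attacker_side(priv, token)))              # only after payment
```

The asymmetry is the whole point of the scheme: the public key in the malware is useless for decryption, a copy of the malware reveals nothing, and every victim gets a different session key, so one released key helps nobody else.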

Page 26:

CryptoVirology

• There are many examples of malicious code and content which use questionable encryption schemes; however, the distinction which must be made and taken note of is the purpose for which it is used today versus in the past
• In the past, cryptography was used by malicious code and content authors solely to avoid detection by mitigation solutions such as Anti-Virus. In these scenarios the payload was not ciphered and thus was not considered 'ransomware'. Today the world has changed, payloads are ciphered, and subsequently the game has changed
• Historical examples include, but are not limited to, the following:
  ▫ ZeuS
  ▫ Blazebot
  ▫ Storm / Waledac

Page 27:

CrimeWare as a Service (CaaS): Service with a Smile

• Globalization – The World Is Flat! (Friedman)
  ▫ Leveled the playing field for some
  ▫ Introduced the game and built the field for others
  ▫ Torn the game asunder, rendering it forever changed, for still others
  ▫ Ensured that the free hand of the open market is allowed to move freely for all, including criminals
• As a result, a myriad of service offerings and providers have emerged the world over, ready, willing and able to meet your needs better than their competitors while offering you maximum ROI
  ▫ Hacking as a Service (HaaS)
  ▫ Fraud as a Service (FaaS)
  ▫ DDoSing as a Service
  ▫ Spamming as a Service
  ▫ Spear phishing as a Service
  ▫ Designer / custom malware creation as a Service

Page 28:

Key Points

▫ Known current solutions are not good enough
▫ Advanced Persistent Threats will become pervasive
▫ Subversive Multi-Vector Threats will eclipse APTs
▫ Cryptovirology is alive and well
▫ Inaction equals acceptance