Cassandra Security Analysis of the Security Industry and that it influences
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept Secret)
Will Gragido | CISSP, CISA, IAM, IEM
John Pirc | CEH, IAM, SANS Thought Leader
BSidesSanFrancisco
Agenda
• Introductions
• Advanced Persistent Threats – An Introduction
• Dynamic Shifts in the Threat Landscape
• Foreign Country Activity – Session Analysis Validation
• Subversive Multi-Vector Threats
• Gods of War: Blended Attacks
• Cryptovirology
• CrimeWare as a Service (CaaS)
• Question and Answer
Advanced Persistent Threats: An Introduction
• Well documented and quite old
▫ Earliest known instances date to the early 1990s
▫ Department of Defense parlance: colloquially referred to as "events of interest"
▫ State sponsored
▫ Industrial espionage
• "Advanced Persistent Threat"
▫ Named by the United States Air Force
▫ What's old is new again. Origination points: state-sponsored infowar labs, intelligence agencies, the underground
▫ Not necessarily in the same loud fashion in which threats such as 'MyDoom', 'Code Red' or 'SQL Slammer' announced themselves; APTs are simply not that kind of threat
Advanced Persistent Threats: An Introduction
• Easy definition for a non-trivial challenge:
▫ An opportunistic form of cyber attack, developed and designed to meet the needs of its architects by compromising a specific system or group of systems in order to acquire data and exfiltrate it to those behind the original attack
• Historical targets of opportunity and interest:
▫ Military
▫ Intelligence
▫ Defense Industrial Base
▫ High tech (intellectual property: Lucent Technologies, Motorola etc.)
• Sophistication level:
▫ Only as sophisticated as they need to be
▫ Sophistication is determined and dictated by the aggressors after intelligence gathering has occurred
Advanced Persistent Threats
(Slide graphic: a timeline of incidents, labelled "The Classics", "The Subversives" and "SMTs")
• Eligible Receiver (1997), Solar Sunrise (1998), Moonlight Maze (1999), Titan Rain (2004)
• Byzantine Foothold, Exxon, US Power Grid, Aurora, Operation Shockwave (remaining years on the slide: 2007, 2009, 2010)
Dynamic Shifts in the Threat Landscape
• Your father's Internet
▫ Perimeters used to be well defined, and so was the protection
▫ Static and informational
▫ Firewall and AV saved the day
▫ Web defacements and breaking into a network through open ports or OS vulnerabilities were par for the course
• Today's Internet (better have a virtual hazmat suit)
▫ Floating perimeters
▫ Dynamic, interactive and mobile
▫ App driven
▫ Web browsers and plugins
"U.S. military OKs use of online social…" (CNN headline)
Seriously… Seriously?
Washington (CNN) -- U.S. military personnel are officially allowed to tweet. That's the upshot of the Pentagon's long-awaited policy on rank and file personnel using online social media, unveiled Friday. The new rules authorize access to Facebook, Twitter, YouTube, and other social media Web sites from nonclassified government computers -- as long as such activity doesn't compromise operational security or involve prohibited activities or Web sites.
• Security Risk & Social Media Trade-off
Hacking Not Required
Imagine the Possibilities
Routes to the Cyber Market
(Slide graphic: Motivation + Expertise + Attack Vector = Result)
• Motivation: fame, destruction, moral agenda, money, notoriety, theft, espionage (corporate/government), fun, unwitting
• Expertise: none (normal end-user), novice (script kiddie), intermediate (hacker for hire), expert (foreign intel service, terrorist organization and/or organized crime)
• Attack vector: IM, IRC, P2P; open ports; web browsers and apps; email and attachments; vulnerable operating system
• Result: compromise of an asset/policy and/or intellectual property, whether by an intentional or a non-intentional act
Foreign Country Activity – Drive-By: Why Session-Based Analysis Is Needed!
Compliments of NetWitness ;-)
1. Examine traffic to foreign countries
2. Follow the clues
Suspicious outbound traffic to various countries….
Destination China
Instant Correlation
Mostly unknown service
Executables exist
Breadcrumb
Anti-Virus triggered on content rendering
Must be bad…
JavaScript
www.333292.com??
Get: 1.exe,2.exe,…
Breadcrumb
Malicious Content in the same session
Obfuscated JavaScript
Executables downloaded
Bogus 404 error
Foreign Country Traffic Summary
• Scrutinize outbound traffic to China
• Unknown services with .exe transfers
• Content review triggered Anti-Virus – "Infostealer"
• Content review shows malicious obfuscated JavaScript and .exe downloads
• Classic drive-by exploit
• Rule example:
▫ Dst.country = "China" && extension = "exe"
• FlexParse example:
▫ Obfuscated JavaScript patterns
▫ Executable file signatures – for those that don't have the correct extension
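The two checks on this slide, the Dst.country/extension rule and FlexParse-style content parsing, can be approximated outside NetWitness as plain session triage. The Python below is an added example written for this transcript; it is not NetWitness code and was not part of the talk. The session records, the minimal PE header and the "China" watch country are constructed here, and the JavaScript obfuscation markers (eval, unescape, String.fromCharCode, document.write, long %xx or \xNN runs) are a heuristic chosen for illustration rather than a published signature.

```python
"""Session triage mirroring the slide's two checks: a country + extension rule and
content parsing (PE header, obfuscated JavaScript) that does not trust the extension.
Added illustration; all session records below are constructed, not captured data."""
from __future__ import annotations

import re
import struct
from dataclasses import dataclass


@dataclass
class Session:
    sid: str
    dst_country: str
    uri: str
    content_type: str
    payload: bytes


WATCH_COUNTRY = "China"  # the slide's rule; treated here as a tunable (assumption)


def _path_ext(uri: str) -> str:
    """Lower-cased extension of the URI path, query string stripped ("" if none)."""
    path = uri.split("?", 1)[0].lower()
    return path.rsplit(".", 1)[1] if "." in path.rsplit("/", 1)[-1] else ""


def rule_exe_to_country(s: Session, country: str = WATCH_COUNTRY) -> bool:
    """Dst.country = "China" && extension = "exe", as on the slide."""
    return s.dst_country == country and _path_ext(s.uri) == "exe"


def looks_like_pe(payload: bytes) -> bool:
    """PE/COFF image: 'MZ' DOS header and 'PE\\0\\0' at e_lfanew (offset 0x3C)."""
    if len(payload) < 0x40 or payload[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", payload, 0x3C)
    return payload[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


_JS_MARKERS = (
    re.compile(r"\beval\s*\("),
    re.compile(r"\bunescape\s*\("),
    re.compile(r"String\.fromCharCode"),
    re.compile(r"document\.write\s*\("),
    re.compile(r"(?:%[0-9a-fA-F]{2}){16,}"),    # long URL-escaped run
    re.compile(r"(?:\\x[0-9a-fA-F]{2}){16,}"),  # long \xNN run
)


def obfuscated_js_score(text: str) -> int:
    """Number of distinct obfuscation markers present; 2 or more is treated as suspicious."""
    return sum(1 for pat in _JS_MARKERS if pat.search(text))


def triage(sessions: list[Session]) -> dict[str, list[str]]:
    """Return {session id: reasons} for every session that trips at least one check."""
    hits: dict[str, list[str]] = {}
    for s in sessions:
        reasons: list[str] = []
        if rule_exe_to_country(s):
            reasons.append(f"rule:exe-to-{WATCH_COUNTRY}")
        if looks_like_pe(s.payload):
            reasons.append("pe-signature")
            if _path_ext(s.uri) != "exe":
                reasons.append("extension-mismatch")  # the FlexParse case on the slide
        if s.content_type.startswith("text/") and obfuscated_js_score(s.payload.decode("latin-1")) >= 2:
            reasons.append("obfuscated-js")
        if reasons:
            hits[s.sid] = reasons
    return hits


def fake_pe() -> bytes:
    """Constructed minimal PE header: MZ stub, e_lfanew -> 0x40, PE signature at 0x40."""
    return b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20


# Constructed sessions standing in for the drive-by shown on the slides.
SAMPLE_SESSIONS = [
    Session("s1", "China", "/1.exe", "application/octet-stream", fake_pe()),
    Session("s2", "China", "/img/banner.gif", "image/gif", fake_pe()),
    Session("s3", "China", "/index.php", "text/html",
            b'<script>eval(unescape("%76%61%72%20%61%3d%64%6f%63%75%6d%65%6e%74%3b%64"));'
            b"document.write(String.fromCharCode(60,105,102,114,97,109,101));</script>"),
    Session("s4", "Germany", "/update.exe", "application/octet-stream", fake_pe()),
    Session("s5", "United States", "/news.html", "text/html", b"<html><body>Hello</body></html>"),
]

if __name__ == "__main__":
    for sid, why in triage(SAMPLE_SESSIONS).items():
        print(sid, ", ".join(why))
```

The rule alone only catches s1; the PE check catches the same binary served as a .gif (s2) and the same binary going to a country the rule does not name (s4), which is why the slide pairs a rule with content parsing. Treat the marker threshold as a starting point: legitimate minified JavaScript also uses fromCharCode and document.write, so in production the score would be combined with the destination and file-transfer evidence rather than alerting on its own.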
Subversive Multi-Vector Threats (SMTs)
Subversive Multi-Vector Threats
• Definition:
▫ Highly sophisticated, well-crafted and well-executed attacks designed to use and exploit as many threat vectors as necessary to accomplish the mission's milestones. What makes them different from other threats is the willingness to exploit people, process and technology weaknesses in order to meet their ends
▫ These threats are designed to, in a dynamic fashion, place a greater or lesser amount of effort and emphasis on one area versus another over time, as dictated by the mission's goals and the leadership behind them
• Subversive Multi-Vector Threats (SMTs) are complex unions of human intelligence (HUMINT), information security, communications and signals intelligence (COMINT/SIGINT), and open source intelligence (OSINT), and in this sense differ greatly from other threat classes such as the Advanced Persistent Threat (APT). (Gragido, 12 December 2009, http://cassandrasecurity.com/?p=960)
Subversive Multi-Vector Threats (SMT) and Advanced Persistent Threats (APT)
• Differ dramatically from other well-known threat types in a number of ways, some more obvious than others
• The greatest differences between the two types of threat:
▫ Lie in the targets of interest
▫ Lie in the approaches employed in selecting and exploiting the target
▫ Whether they be targets of opportunity or selected targets, the exploitation mechanisms vary in the world of the Subversive Multi-Vector Threat, whereas in the world of the Advanced Persistent Threat the avenues for exploitation may change but their overall relevance remains entrenched in the realm of the technical
▫ As such, APTs, contrary to popular belief, are focused on and rely upon technological vulnerabilities present within a system or enterprise in order to meet their goals
▫ Not so with the Subversive Multi-Vector Threat: these threats are not bound to technology alone as an avenue of exploitation but rather assess people and process weaknesses equally in order to identify the path of least resistance, capitalizing upon the weakness of others
Identifying and Addressing Subversive Multi-Vector Threats (SMT)
• Subversive Multi-Vector Threats (SMTs)
▫ Employment of intellectual honesty: reality dictates we will be targeted; "when", not "if"
▫ Requires risk management
▫ Repeatable processes and procedures are non-negotiable; they are imperative
▫ Metrics employed: what gets measured gets results; aids in separating the known from the unknown while demonstrating progression or regression
Our assertion is that in doing so an organization can quickly identify areas where vulnerabilities and deficiencies exist which leave it exposed to potential exploitation of people, process and technology
• Uncompromising diligence is required
• Progressive approaches required
▫ Creativity
▫ Collaboration
▫ Iron sharpens iron
• Innovative technological solutions coupled with innovative, comprehensive approaches to practical, risk-based information security management are imperative
▫ Are there technologies which can aid us in achieving these goals? Yes
▫ Are they already in our environments? Perhaps, but odds are they are not; they will be, or should be, considered in the near future
Gods of War: Blended Attacks
Gods of War: Blended Attacks
• ZeuS (also known as Zbot / WSNPoem)
• Crimeware kit best known for its tenacity, intelligent design and ability to steal credentials (in a voluminous manner) from a truly impressive, disparate base of sources including but not limited to the following:
▫ Social networks (Facebook, Twitter, MySpace, LinkedIn, Foursquare, Yelp etc.)
▫ Online financial accounts (banking, brokerage, retirement etc.)
▫ FTP accounts (yes, people still use unsecured FTP accounts…)
▫ E-mail accounts (phishing / spear phishing)
▫ Cloud computing based environments (Amazon EC2)
Gods of War: Blended Attacks
• ZeuS' DNA
▫ Crimeware kit which contains the following modules:
 A web interface for administering and managing the botnet (ZeuS Admin Panel)
 A customized tool used to create the Trojan binaries and to encrypt the configuration file (commonly referred to as an executable generator, or builder)
▫ ZeuS hosts typically consist of three components:
 A configuration file (most commonly seen with the *.bin extension)
 A binary file which contains the newest version of the ZeuS Trojan code (updated periodically by the bot master to ensure the highest degree of functionality and feature availability)
 A dropzone (most commonly a PHP file used to store stolen data)
• ZeuS botnet features:
▫ Framework design
 An unintelligent program which hooks itself into the operating system (user-mode API hooks in the processes it injects into, i.e. ring 3, not a kernel driver) and hides itself
 All logic for the botnet itself is contained within the configuration file
 The configuration file is to ZeuS / Zbot what a definitions database is to an AV product; without it the bot is fairly benign
 Often it contains lists of targets (financial institutions, for example) in addition to other data such as URLs for the components the bot relies upon for command and control, and the lists of form fields the bot injects and harvests in order to steal details / credentials and other information
 The configuration file is always ciphered; it is never found in the clear
▫ Older versions of ZeuS used a hard-coded cipher which could be reverse engineered; current versions use a more sophisticated level of cryptovirology (a unique key per build encrypts the config file, and that key is then stored in the executable, which is itself packed); this eliminates the potential for deciphering all botted hosts universally
▫ The key is 256 bytes long, making brute forcing a non-trivial task
Courtesy of abuse.ch ZeuS Tracker
Gods of War: Blended Attacks – Credential Capturing
• Captures credentials from HTTP, HTTPS, FTP, POP3 and the Protected Storage area (PSTORE)
• Botnets: organize / assemble / group infected hosts into different botnets for ease of use, flexibility and meeting customer needs
• Integrated SOCKS proxy
• Web-based form for searching captured credentials
• Ciphered configuration files
• Kill operating system functions (becoming more common in botnets the world over)
• Well QA'd: exhaustively tested before release
CryptoVirology
• What is cryptovirology?
▫ A wonderful question with a myriad of plausible responses
▫ What cryptovirology is not is obvious, common, trivial or new
▫ Cryptovirology as a discipline has a lineage dating back to the mid to late 1990s, something that seems to be (along with other things in our industry as of late) often overlooked
CryptoVirology
• The earliest observed instances where cryptoviral attacks were utilized have become known as 'cryptoviral extortion'
• AKA 'cryptoviral ransom' attacks; however
• An attack by any other name would smell as sweet…
▫ The intent and logical outcomes are the same: via a virus, worm, Trojan etc., a victim's files (whether discriminately chosen or not) are identified and encrypted, and the file owner is notified that should she wish to receive them back intact, she must first make payment to the author of the malicious code in order to receive the proper session key
▫ If payment is not forthcoming the author / attacker may make a variety of threats / claims as to what he / she will do with the files, up to and including destruction
CryptoVirology
• There are many examples of malicious code and content which use questionable encryption schemes; however, the distinction which must be made and noted is the purpose for which encryption is used today versus in the past
• In the past, cryptography was used by malicious code and content authors solely to avoid detection by mitigation solutions such as Anti-Virus. In those scenarios the victim's data was not ciphered and the code was thus not considered 'ransomware'. Today the world has changed: the victim's data itself is ciphered, and the game has changed with it
• Historical examples include but are not limited to the following:
▫ ZeuS
▫ Blazebot
▫ Storm / Waledac
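The ZeuS slide above and this one describe two different uses of cryptography, and the difference is where the key lives. The Python below is an added illustration written for this transcript, not ZeuS code or any real ransomware. The ZeuS half models the design the slide describes: a per-build key whose 256-byte schedule ships inside the binary next to the ciphered config (ZeuS is documented as using RC4, whose state is 256 bytes, hence the figure on the slide), so an analyst who dumps that state from an unpacked sample can read that botnet's config and no other. The extortion half models Young and Yung's cryptoviral extortion: each victim's data is encrypted under a fresh session key, and only the session key wrapped with the attacker's public key is left on the host, so nothing on the victim machine can undo it. RC4 and an unpadded small-modulus RSA are used only to stay dependency free; the Mersenne-prime modulus, key sizes, config string and document are constructed for the example, and none of this is a recommendation of either primitive.

```python
"""Contrast of config ciphering (key shipped with the bot) and cryptoviral extortion
(hybrid encryption, private key never on the victim). Added illustration, not ZeuS or
ransomware code; RC4 and toy RSA are used only to avoid third-party dependencies."""
from __future__ import annotations

import os


def rc4_ksa(key: bytes) -> list[int]:
    """Key scheduling: expand a variable-length key into RC4's 256-byte state."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_crypt(state: list[int], data: bytes) -> bytes:
    """PRGA: XOR data with the keystream derived from a copy of the state; same call decrypts."""
    S = list(state)
    i = j = 0
    out = bytearray()
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# --- ZeuS-style: per-build key, the 256-byte state embedded in the binary ---------------
def build_bot(config: bytes, builder_key: bytes) -> tuple[list[int], bytes]:
    """Builder output: the state the binary carries and the ciphered config it fetches."""
    state = rc4_ksa(builder_key)
    return state, rc4_crypt(state, config)


def analyst_decrypt_config(embedded_state: list[int], ciphered: bytes) -> bytes:
    """An analyst who dumps the state from the unpacked binary recovers that build's config."""
    return rc4_crypt(embedded_state, ciphered)


# --- Cryptoviral extortion: hybrid encryption, private exponent held only by the attacker --
# Toy modulus from two Mersenne primes (2^89-1, 2^107-1); real attacks use 2048-bit+ RSA with padding.
_P, _Q = 2**89 - 1, 2**107 - 1
RSA_N, RSA_E = _P * _Q, 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))  # never present on the victim host


def extort(plaintext: bytes, n: int, e: int) -> tuple[bytes, int]:
    """Victim side: fresh 128-bit session key, encrypt data, wrap key under public key, forget key."""
    session_key = os.urandom(16)
    ciphertext = rc4_crypt(rc4_ksa(session_key), plaintext)
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)  # 128-bit key < n, so no padding needed here
    del session_key  # only ciphertext and the wrapped key remain on the host
    return ciphertext, wrapped


def attacker_recover(ciphertext: bytes, wrapped: int, n: int, d: int) -> bytes:
    """Attacker side: unwrap the session key with the private exponent, then decrypt."""
    session_key = pow(wrapped, d, n).to_bytes(16, "big")
    return rc4_crypt(rc4_ksa(session_key), ciphertext)


if __name__ == "__main__":
    cfg = b"url_config http://c2.example.invalid/cfg.bin"  # constructed config line
    state, ciphered = build_bot(cfg, b"build-key-A")
    print("config recovered from its own build:", analyst_decrypt_config(state, ciphered) == cfg)
    other_state, _ = build_bot(b"x", b"build-key-B")
    print("config recovered with another build's key:", analyst_decrypt_config(other_state, ciphered) == cfg)
    doc = b"Q3 forecast: restricted distribution"  # constructed victim file
    ct, wrapped = extort(doc, RSA_N, RSA_E)
    print("attacker recovers victim file:", attacker_recover(ct, wrapped, RSA_N, RSA_D) == doc)
```

Two practical consequences follow. For a ZeuS-style bot, unpacking one sample and dumping the RC4 state is enough to decrypt every config that build fetches, which is exactly how trackers such as abuse.ch publish target lists; a new build with a new key has to be unpacked again. For a cryptoviral payload, memory forensics can only help if the session key is captured before `del session_key` has run, which is why response to extortion malware focuses on stopping execution early and on offline backups rather than on recovering keys from disk.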
CrimeWare as a Service (CaaS): Service with a Smile
• Globalization: The World Is Flat! (Friedman)
▫ Leveled the playing field for some
▫ Introduced the game and built the field for others
▫ Tore the game asunder, rendering it forever changed for still others
▫ Ensured that the free hand of the open market is allowed to move freely for all, including criminals
• As a result a myriad of service offerings and providers have emerged the world over, ready, willing and able to meet your needs better than their competitors while offering you maximum ROI
▫ Hacking as a Service (HaaS)
▫ Fraud as a Service (FaaS)
▫ DDoSing as a Service
▫ Spamming as a Service
▫ Spear phishing as a Service
▫ Designer / custom malware creation as a Service
Key Points
▫ Known Current Solutions Not Good Enough
▫ Advanced Persistent Threats Will Become Pervasive
▫ Subversive Multi-Vector Threats Will Eclipse APTs
▫ Cryptovirology Is Alive and Well
▫ Inaction Equals To Acceptance