Advanced Targeted Malwareor

Advanced Persistent Threatwithout the marketing BS

APT in this presentation• The original meaning when US Navy coined the phrase• Before it started being used by every IT Security vendor,

anti-malware vendor, and everyone with “Cyber” in their marketing portfolio

Agenda• What APT is – its background/history• Detection and elimination• The people and what they attack• The on-going fight• Reminder checklist• Some difficult truths• Questions.

APT• Targeted Malware with the intent to

– Enter your estate– Stay in your estate– Obtain your data

• Commercial advantage• Technology leapfrog• etc

APT is a new threat• Wrong

– Very wrong• Instances of well developed attacks and associated

malware seen since before 2006• Some folks working on these issues since perhaps

as early as 2002

• Candidly, if you haven’t seen this stuff you probably are not looking properly.

APT family• It isn't

– Single attack type– Single type of malware– Single attack group

APT Family• It is

– Range of attack types• Spearphishing• Generic social engineered attacks• Very well targeted social engineering attacks• Targeted drive-by attacks

– Range of malware types• Relatively simplethrough to• Quite sophisticated• Perhaps 7 to 9 different levels of complexity• Generally use the simplest malware needed

APT Activity• Gain a foot hold that can obtain command and control

instructions– Via some quite interesting approaches

• “interactive” sessions• instructions by hidden means eg jpeg images

• Usually (always?) via other parties– Other compromised companies/web-sites– University systems– “mom & pop shops”– Compromised systems unlikely to initiate a web

connection to …

• Knowledge of these “other parties” can often lead to the discovery of new victims … more on that later

What a rush!• There is no rush

• from the attackers point of view• Marathon not sprint• Sleeper malware

– Long period beaconing• Check in only every few months

• A bit more on this later…

Elimination• How do you get rid of it after you first detect it?

– Or after you have had a tip-off that you might have a problem

– You may get a tip-off from…

Whack-a-Mole?• Very dynamic – lots of

IT folks doing stuff

• But dangerous and not very effective

• Attackers will notice• They will change attack approach• They will remain in your estate

Structured approach

You will probably need help with some of this

Who you gonna call?•Competent•Capable•Trusted

• Much less fun, much harder work, much more effective– Detect/locate– Prepare/Understand– Disconnect– Eliminate– Protect– Future processes– Re-connect– The new normal

Detection• Log file analysis

– dns, dhcp, vpn, firewall, ids/ips, proxy, AV• Network Analysis

– packet capture and analysis, network sensors• Host Capability

– process maps, memory maps, file structures, registry contents, file contents

• One third/one third/one third

Prepare/Understand• Do you know your estate?

– Network connections– Password policies– Password and application interactions

• Understand how the malware works– Command and control– How it persists– How it moves/how it is moved

Structured approach

• Detect/locate • Prepare/Understand • Disconnect • Eliminate • Protect • Future processes • Re-connect • New normal

New Normal• They will re-attack• They will get in• Your processes have to:

– Detect– Investigate– Eliminate– Adapt

The Human Element• Groups

– Developers– Doers– Follow-up

• Below the radar– Working patterns– Comms patterns

• Multiple Groups?– Probably– May not always be aware of each other

They are only human• Oops!

– Human script followers• Identified keyboard drivers• Typos• Mistakes• Repeat commands• May not be sure of where they are• Sometimes careless/sloppy

– Compressed archives not fully deleted

The Attack Surface• Microsoft / Adobe / Java

– Because they are the most popular platforms.

“I rob banks ‘cause that’s where the money is”

• Patching and the role it can play…

The products that fix the problem

• Unfortunately none• Needs a structured approach to robust monitoring and a

number of products to help manage the risk• An approach based on

– People – at all levels of the organisation– Process– TechnologyIn that order of priority

The approach that handles the problem• This is about our approach, but others have similar.• SOC – multi-geography, 24*365• Evolution of tools

– Externally sourced– Internally sourced

• Evolution of people skills– Better understanding of the subject– Better analysis skills

Tools• Log consolidation and analysis

– DHCP, dns, proxy, firewall, ids, vpn etc• Network traffic monitoring and analysis• Host data capture

– To aid in incident identification– To aid in incident investigation

Tool Effectiveness• Initially

– 34% / 33% / 33% (log/network/host)

• Now– 65% / 30% / 5% (log/network/host)

• Future?– 45%? / 50%? / 5%? (log/network/host)

The approach takes time

Summary• Bad folks are doing bad stuff very well• They see it as huge commercial benefit• We need to get better at detecting/eliminating/protecting• It can be done but must be done in a structured and on-

going fashion to be effective• It is an evolving threat so there are no “fit and forget”

solutions

Remember, you may have to….

• Detect/locate • Prepare/Understand • Disconnect • Eliminate • Protect • Future processes • Re-connect • New normal

Difficult Truths• Safe harbours will continue to exist• Traditional prevention and

detection has failed• Governments cannot

prevent intrusions• Data loss is inevitable• Attacks will continue• Companies often breached for years

Additional Reading• http://www.rsa.com/innovation/docs/sbic_rpt_07

11.pdf– Write-up from RSA on the threat and what can be done

to help reduce the risk and the impact.

Any Questions

?