Persistence is Key: Advanced Persistent Threats
Page 1
Persistence is Key:
Advanced Persistent
Threats
By: Sameer Thadani
Page 2
Objectives
What is an APT
What is an AET
Past targets
What to look for in the future
Page 3
Advanced Persistent Threats
Advanced
Higher levels of sophistication
Has access to Zero-Day exploits
Adapts to the victim's defenses
Persistent
Attacks are specific
Continue until the specific goals are met
Intend to maintain communication with the victim's compromised systems
Threats
Real power players behind attacks such as nation-states
Not your mom and pop hacking job
Page 4
APT Malware Anatomy
Page 5
APT Attack Flow
Step 1 • Reconnaissance
Step 2 • Initial Intrusion into the Network
Step 3 • Establish a Backdoor into the Network
Step 5 • Install Various Utilities
Step 6 • Lateral Movement and Data Exfiltration
Page 6
Reconnaissance
First stage of an APT
Learning about the victim's business processes and technology
Tools
Whois
Nmap
Netcraft.com
Social Media Searching
Acting SKILLZ
Page 7
Network Access
Spear-Phishing = #1 Way
Targeting specific high value people
Sending emails from highly realistic addresses, with attachments
Attachments include remote-access trojans or other malware
BUT WAIT, how does my malware get past IDS/IPS, firewalls, and email filters?
ADVANCED EVASION TECHNIQUES
Page 8
Advanced Evasion Techniques
Key techniques used to disguise threats to evade and bypass security systems
Why are they advanced?
They combine multiple evasion techniques that focus on multiple protocol layers.
Evasions change during the attack
They allow malicious payloads or exploits, such as malware, to look normal
A wide variety of techniques
Combinations are endless
Page 9
Polymorphic Shellcode
Constantly changing packet-injected code… using ADMmutate
Page 10
Polymorphic Shellcode
Page 11
Packet Splitting
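The slide shows the evasion only as a picture. The point for a defender is that a signature engine inspecting one packet at a time never sees a pattern that has been split across segments, while an engine that reassembles the TCP stream first does. The following is an added example, not code from the original slides: the segments and the `cmd.exe /c` pattern are constructed stand-ins for real traffic and a real IDS content rule. It also flags a second anomaly that the same bookkeeping exposes for free: overlapping segments whose bytes disagree.

```python
"""Stream reassembly versus per-packet inspection.

Added example, not from the original slides. The segments and the
signature pattern below are constructed; the pattern stands in for
whatever content rule a real IDS would carry.
"""

# Constructed sample pattern the inspection engine is looking for.
SIGNATURE = b"cmd.exe /c"

# Constructed TCP segments as (relative sequence number, payload).
# The bytes carrying the pattern are split across three segments, delivered
# out of order, with one retransmitted segment overlapping two others.
SEGMENTS = [
    (31, b"/c whoami\r\n\r\n"),
    (0, b"GET / HTTP/1.1\r\nX-Cmd: cmd"),
    (24, b"md.exe "),
    (26, b".exe "),
]


def match_per_segment(segments, signature=SIGNATURE):
    """Naive inspection: check each segment in isolation.

    Returns the sequence numbers of segments that contain the signature.
    A split payload defeats this even though the full stream carries it.
    """
    return [seq for seq, payload in segments if signature in payload]


def _index_bytes(segments):
    """Map every stream offset to its byte; first-received data wins.

    Also returns offsets where a later segment disagreed with data already
    seen, which is itself an anomaly worth alerting on.
    """
    stream = {}
    conflicts = set()
    for seq, payload in segments:
        for i, b in enumerate(payload):
            off = seq + i
            if off in stream:
                if stream[off] != b:
                    conflicts.add(off)
            else:
                stream[off] = b
    return stream, conflicts


def reassemble(segments, isn=0):
    """Rebuild the contiguous stream from isn, stopping at the first gap."""
    stream, _ = _index_bytes(segments)
    out = bytearray()
    pos = isn
    while pos in stream:
        out.append(stream[pos])
        pos += 1
    return bytes(out)


def match_reassembled(segments, signature=SIGNATURE, isn=0):
    """Inspect the reassembled stream; returns the match offset or -1."""
    return reassemble(segments, isn).find(signature)


def find_inconsistent_overlaps(segments):
    """Sorted stream offsets where overlapping segments carried different bytes."""
    _, conflicts = _index_bytes(segments)
    return sorted(conflicts)


if __name__ == "__main__":
    print("per-segment hits:", match_per_segment(SEGMENTS))  # []
    print("reassembled:", reassemble(SEGMENTS))
    print("stream match at:", match_reassembled(SEGMENTS))  # 23
    print("conflicting overlaps:", find_inconsistent_overlaps(SEGMENTS))  # []
```

The first-received-wins policy is a simplification: real operating systems differ in which copy of an overlapping byte they honour, and an inspection engine has to model the policy of the host it protects or it can be made to see a different stream than the endpoint does. Reporting conflicting overlaps at all is the cheaper defence, since legitimate retransmissions carry identical bytes.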
Page 12
Establish Backdoors
Backdoors allow attackers to stay in constant contact with the compromised machine. Ex. Poison Ivy
Page 13
Install Utilities
Install key-logger
Ex: iSam
Page 14
Lateral Movement
Compromise more machines on the network and set up more backdoors; this allows for lateral movement and persistence
Ex. TRiAD Botnet Control System
EXFILTRATE DATA!
Page 15
Why is this happening?
Nation-state intelligence to aid in wartime strategy and exploitation
Diminish competition and improve strategic advantage by stealing intellectual property
To extort or ruin VIP
To gain $$$$ and gain economic power
Page 16
Learning from the past…
Google - Hydraq
RSA SecurID
Iran’s Nuclear Plant - Stuxnet
All targeted attacks on huge companies
Anyone can be targeted.
Page 17
Preparing for the Future…
Page 18
Keep your eyes open
Elevated log-ons at unexpected times
Finding any backdoor Trojans
Look for any anomalies in information flow
Look for HUGE data bundles
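Two of these indicators translate directly into detection logic: privileged logons outside working hours, and a host pushing far more data out than it normally does. The following is an added example, not material from the original slides. The log lines, host names and byte totals are constructed, and the field names (`host`, `user`, `priv`, `bytes_out`) are an assumed schema for illustration rather than any real product's format.

```python
"""Two of the slide's indicators as detection logic.

Added example, not from the original slides. Log lines and baselines are
constructed; field names (host, user, priv) are assumed for illustration,
not a real product's schema.
"""
from datetime import datetime
from statistics import median

# Constructed logon records: ISO timestamp followed by key=value fields.
LOGONS = [
    "2015-03-02T09:14:02 host=FS01 user=jdoe priv=user",
    "2015-03-02T02:47:19 host=DC01 user=svc_backup priv=admin",
    "2015-03-02T13:05:44 host=WS17 user=admin_k priv=admin",
    "2015-03-03T23:58:10 host=DC01 user=admin_k priv=admin",
]

# Constructed per-host daily outbound byte totals: history, then today.
BASELINE = {
    "WS17": [110_000, 95_000, 130_000, 120_000, 100_000],
    "FS01": [4_000_000, 3_800_000, 4_200_000, 3_900_000, 4_100_000],
}
TODAY = {"WS17": 2_600_000, "FS01": 4_050_000}


def parse_logon(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def flag_offhours_admin_logons(lines, start_hour=8, end_hour=18):
    """Privileged logons outside [start_hour, end_hour) on the local clock.

    Returns (user, host, timestamp-string) tuples in input order.
    """
    hits = []
    for line in lines:
        rec = parse_logon(line)
        if rec.get("priv") != "admin":
            continue
        hour = rec["ts"].hour
        if not (start_hour <= hour < end_hour):
            hits.append((rec["user"], rec["host"], rec["ts"].isoformat()))
    return hits


def flag_large_transfers(baseline, today, factor=5.0):
    """Hosts whose outbound volume today exceeds factor x their historical median.

    Returns {host: ratio_to_median} for flagged hosts only. Using the median
    keeps one earlier spike from inflating a host's own baseline.
    """
    flagged = {}
    for host, total in today.items():
        history = baseline.get(host)
        if not history:
            continue  # no baseline yet; cannot judge this host
        base = median(history)
        if base > 0 and total > factor * base:
            flagged[host] = round(total / base, 1)
    return flagged


if __name__ == "__main__":
    for user, host, when in flag_offhours_admin_logons(LOGONS):
        print(f"off-hours admin logon: {user}@{host} at {when}")
    for host, ratio in flag_large_transfers(BASELINE, TODAY).items():
        print(f"outbound volume on {host} is {ratio}x its median")
```

The baseline is per host on purpose: a file server moving 4 MB a day is normal, while a workstation moving 2.6 MB is not, so a single global threshold would miss the workstation or drown in file-server alerts. Both checks are heuristics that produce leads for an analyst, not verdicts.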
Page 19
Questions?
Page 20
Sources
http://www.infoworld.com/article/2615666/security/5-signs-you-ve-been-hit-with-an-advanced-persistent-threat.html
https://www.youtube.com/watch?v=ugXyzkkYN9E
https://www.youtube.com/watch?v=J9MmrqatA1w
http://searchsecurity.techtarget.com/definition/advanced-persistent-threat-APT
http://www.symantec.com/theme.jsp?themeid=apt-infographic-1
http://searchsecurity.techtarget.com/definition/advanced-evasion-technique-AET
http://www.csoonline.com/article/2138125/what-are-advanced-evasion-techniques-dont-expect-cios-to-know-says-mcafee.html
Issa.org