PRESENTED BY: © 2013 Mandiant Corporation. All rights reserved. APT1 & M-Trends 2013 Grady Summers...
-
Upload
norah-alexander -
Category
Documents
-
view
219 -
download
1
Transcript of PRESENTED BY: © 2013 Mandiant Corporation. All rights reserved. APT1 & M-Trends 2013 Grady Summers...
![Page 1: PRESENTED BY: © 2013 Mandiant Corporation. All rights reserved. APT1 & M-Trends 2013 Grady Summers MAY 9, 2013.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649cc55503460f9498f2cc/html5/thumbnails/1.jpg)
PRESENTED BY:
© 2013 Mandiant Corporation. All rights reserved.
APT1 & M-Trends 2013
Grady Summers MAY 9, 2013
![Page 2: PRESENTED BY: © 2013 Mandiant Corporation. All rights reserved. APT1 & M-Trends 2013 Grady Summers MAY 9, 2013.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649cc55503460f9498f2cc/html5/thumbnails/2.jpg)
2
At Mandiant We Live the Headlines
Experts in Advanced Targeted Threats• Incident responders to the biggest breaches• We train the FBI & Secret Service• Our CEO wrote the book (literally) on incident response
Our Products Are Based on Our Experience• Built to fill a gap for incident responders• We use our own products in our investigations• SC Magazine 2012 & 2013 “Best Security Company”
Nationwide Presence• 350+ employees• Offices in DC, New York, LA, San Francisco, and
Albuquerque
Best SecurityCompany
![Page 3: PRESENTED BY: © 2013 Mandiant Corporation. All rights reserved. APT1 & M-Trends 2013 Grady Summers MAY 9, 2013.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649cc55503460f9498f2cc/html5/thumbnails/3.jpg)
3
Free tools Redline IOC Editor IOC Finder Memoryze Memoryze for Mac Highlighter Web Historian
Resources M-Trends M-Unition
blog.mandiant.com Forums
Forums.mandiant.com
Education Black Hat classes Custom classes
Webinar series
Free Resources
![Page 4: PRESENTED BY: © 2013 Mandiant Corporation. All rights reserved. APT1 & M-Trends 2013 Grady Summers MAY 9, 2013.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649cc55503460f9498f2cc/html5/thumbnails/4.jpg)
4
Anatomy of a Targeted Attack
Initial Compromise Establish Foothold Escalate Privileges Internal Recon Complete Mission
Attackers Move Methodically to GainPersistent & Ongoing Access to Their Targets
At organizations where Mandiant responded to a targeted attack in the last year, the typical attacker went undetected for 273 days.
MoveLaterally
MaintainPresence
• Custom malware
• Command and control
• 3rd party application exploitation
• Credential theft
• Password cracking
• “Pass-the-hash”
• Critical system recon
• System, active directory & user enumeration
• Staging servers
• Data consolidation
• Data theft
• Social engineering
• Spear phishing e-mail with custom malware
• Net use commands
• Reverse shell access
• Backdoor variants
• VPN subversion
• Sleeper malware
![Page 5: PRESENTED BY: © 2013 Mandiant Corporation. All rights reserved. APT1 & M-Trends 2013 Grady Summers MAY 9, 2013.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649cc55503460f9498f2cc/html5/thumbnails/5.jpg)
5
Visibility is critical
Of all of the compromised machines Mandiantidentified in 2011, only 54% had malware on them.
EVIDENCE OF COMPROMISE
Initial Compromise Establish Foothold Escalate Privileges Internal Recon Complete Mission
MoveLaterally
MaintainPresence
Unauthorized Use of Valid
Accounts
Known & Unknown Malware
Command & Control Activity
Suspicious Network Traffic
Files Accessed by Attackers
Valid Programs Used for Evil
Purposes
Trace Evidence & Partial Files
![Page 6: PRESENTED BY: © 2013 Mandiant Corporation. All rights reserved. APT1 & M-Trends 2013 Grady Summers MAY 9, 2013.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649cc55503460f9498f2cc/html5/thumbnails/6.jpg)
Inside APT 1
![Page 7: PRESENTED BY: © 2013 Mandiant Corporation. All rights reserved. APT1 & M-Trends 2013 Grady Summers MAY 9, 2013.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649cc55503460f9498f2cc/html5/thumbnails/7.jpg)
Monday, February 18, 2013 Mandiant released intelligence report on threat group: APT1 Linked APT1 to PLA unit 61398 Provided hard evidence Released 3000+ immediately actionable indicators of
compromise OpenIOC format Malware reports IPs/domain names MD5s SSL Certificates
5 minute video showing footage of the attacker in action Set the bar for actionable intelligence sharing
Background
![Page 8: PRESENTED BY: © 2013 Mandiant Corporation. All rights reserved. APT1 & M-Trends 2013 Grady Summers MAY 9, 2013.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649cc55503460f9498f2cc/html5/thumbnails/8.jpg)
8
~30 core people worked on actual report Threat Intelligence IOCs M-Labs Marketing, legal, execs…
Significant effort to validate and consolidate data (and conduct open source research) under tight deadline
Though the “surge” was intense, it was made possible by 7 years of previous research
The People
![Page 9: PRESENTED BY: © 2013 Mandiant Corporation. All rights reserved. APT1 & M-Trends 2013 Grady Summers MAY 9, 2013.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649cc55503460f9498f2cc/html5/thumbnails/9.jpg)
Prolific Volume of data stolen Comprehensive understanding of tools, tactics, and
procedures Example of actionable information sharing The timing felt right
Traffic Light Protocol (TLP): Green indicator disclosure Not as intel-sensitive as other groups
Why?
![Page 10: PRESENTED BY: © 2013 Mandiant Corporation. All rights reserved. APT1 & M-Trends 2013 Grady Summers MAY 9, 2013.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649cc55503460f9498f2cc/html5/thumbnails/10.jpg)
APT 1 – Targets by Industry
![Page 11: PRESENTED BY: © 2013 Mandiant Corporation. All rights reserved. APT1 & M-Trends 2013 Grady Summers MAY 9, 2013.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649cc55503460f9498f2cc/html5/thumbnails/11.jpg)
APT 1 – Victims by Country
![Page 12: PRESENTED BY: © 2013 Mandiant Corporation. All rights reserved. APT1 & M-Trends 2013 Grady Summers MAY 9, 2013.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649cc55503460f9498f2cc/html5/thumbnails/12.jpg)
APT 1 – Impact
![Page 13: PRESENTED BY: © 2013 Mandiant Corporation. All rights reserved. APT1 & M-Trends 2013 Grady Summers MAY 9, 2013.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649cc55503460f9498f2cc/html5/thumbnails/13.jpg)
APT 1 – Command and Control Infrastructure
![Page 14: PRESENTED BY: © 2013 Mandiant Corporation. All rights reserved. APT1 & M-Trends 2013 Grady Summers MAY 9, 2013.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649cc55503460f9498f2cc/html5/thumbnails/14.jpg)
We’ve received lots of it! Why do you always pick on China?! Focusing on the country of origin is the wrong issue Don’t focus on the attacker, focus on your defenses Mandiant disclosed sensitive intel and ruined intelligence
operations Publicity stunt
Criticisms
![Page 15: PRESENTED BY: © 2013 Mandiant Corporation. All rights reserved. APT1 & M-Trends 2013 Grady Summers MAY 9, 2013.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649cc55503460f9498f2cc/html5/thumbnails/15.jpg)
CNN video shows military chasing CNN vehicle near the building while filming
https://www.youtube.com/watch?v=yG2ezzLHSD0
Sen. Feinstein, Chairman Senate Intelligence Committee: “I read the Mandiant report. I've also read other reports,
classified out of Intelligence, and I think the Mandiant report, which is now unclassified, it's public, is essentially correct,”
http://thehill.com/blogs/global-affairs/terrorism/284721-intel-chairwoman-report-on-chinas-cyber-war-unit-essentially-correct
Accuracy
![Page 16: PRESENTED BY: © 2013 Mandiant Corporation. All rights reserved. APT1 & M-Trends 2013 Grady Summers MAY 9, 2013.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649cc55503460f9498f2cc/html5/thumbnails/16.jpg)
DOTA phone number discovered used in 2009 for apartment rental – 600 feet from unit 61398.
SuperHard_M (aka Mei Qiang) likely studied at famous PLA Information Engineering University in 2005.
2004 recruitment notice on Zhejiang University website advertising for “Unit 61398 of China’s PLA (located in Pudong District, Shanghai) seeks to recruit 2003-class computer science graduate students.”
LA Times found blog of possible 61398 worker: http://lat.ms/12OATUY
https://www.mandiant.com/blog/netizen-research-bolsters-apt1-attribution
Accuracy – Netizen Research
![Page 17: PRESENTED BY: © 2013 Mandiant Corporation. All rights reserved. APT1 & M-Trends 2013 Grady Summers MAY 9, 2013.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649cc55503460f9498f2cc/html5/thumbnails/17.jpg)
Monday 2/18 – Business as usual Report is released at 10 PM EST – 11 AM CST
Tuesday 2/19 – Clear signs of action plan being invoked Domains getting parked WHOIS registry getting changed Backdoor/tools removed Staging/working directories cleared New backdoors implanted (leverage public communications
channels – hotmail/gmail/MSN) MACROMAIL malware from APT1 report
Today: many indicators changed, but otherwise business as usual
APT1 – Reaction after a week
![Page 18: PRESENTED BY: © 2013 Mandiant Corporation. All rights reserved. APT1 & M-Trends 2013 Grady Summers MAY 9, 2013.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649cc55503460f9498f2cc/html5/thumbnails/18.jpg)
NY Times disclosed internal name APT12 Tools:
APT1 – WEBC2, public communication channels, noisy APT12 – DNS calc, cmdline backdoors, more stealthy
Data theft: APT1 – everything APT12 - discriminating
Skill: APT1 – good enough, large range of skillsets APT12 – more skilled
Industries targeted: APT1 – everything APT12 – satellite, crypto, media
APT1 vs. APT12
![Page 19: PRESENTED BY: © 2013 Mandiant Corporation. All rights reserved. APT1 & M-Trends 2013 Grady Summers MAY 9, 2013.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649cc55503460f9498f2cc/html5/thumbnails/19.jpg)
M-Trends 2013
![Page 20: PRESENTED BY: © 2013 Mandiant Corporation. All rights reserved. APT1 & M-Trends 2013 Grady Summers MAY 9, 2013.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649cc55503460f9498f2cc/html5/thumbnails/20.jpg)
Targeted industries
![Page 21: PRESENTED BY: © 2013 Mandiant Corporation. All rights reserved. APT1 & M-Trends 2013 Grady Summers MAY 9, 2013.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649cc55503460f9498f2cc/html5/thumbnails/21.jpg)
Compromise Detection
![Page 22: PRESENTED BY: © 2013 Mandiant Corporation. All rights reserved. APT1 & M-Trends 2013 Grady Summers MAY 9, 2013.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649cc55503460f9498f2cc/html5/thumbnails/22.jpg)
Dwell Time
![Page 23: PRESENTED BY: © 2013 Mandiant Corporation. All rights reserved. APT1 & M-Trends 2013 Grady Summers MAY 9, 2013.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649cc55503460f9498f2cc/html5/thumbnails/23.jpg)
Trend #1 – Outside In
When targeted organizations increase their prevention and detection capability, weaker service providers and partners become targets
Mandiant investigated several organizations that had been compromised through 3rd party connections
15% of victims in 2012 were notified by a service provider
![Page 24: PRESENTED BY: © 2013 Mandiant Corporation. All rights reserved. APT1 & M-Trends 2013 Grady Summers MAY 9, 2013.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649cc55503460f9498f2cc/html5/thumbnails/24.jpg)
Trend #2 – ‘X’ Marks the Spot
Attacks are becoming more surgical in nature: immediately targeting administrators for network diagrams, sensitive asset lists
Change from historical reliance on internal network reconnaissance
One victim had followed all the necessary precautions to protect their financial information, yet attacks against system administrators yielded necessary data to breach the environment
![Page 25: PRESENTED BY: © 2013 Mandiant Corporation. All rights reserved. APT1 & M-Trends 2013 Grady Summers MAY 9, 2013.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649cc55503460f9498f2cc/html5/thumbnails/25.jpg)
Trend #3 – Once a Target, Always a Target
Though long known anecdotally, Mandiant measured repeat victimization in 2012
38% of victims were re-compromised within the year
Reminder that persistence means constant attempts at re-compromise until mission is accomplished
![Page 26: PRESENTED BY: © 2013 Mandiant Corporation. All rights reserved. APT1 & M-Trends 2013 Grady Summers MAY 9, 2013.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649cc55503460f9498f2cc/html5/thumbnails/26.jpg)
Trend #4 – Strategic Web Compromise
Mandiant observed frequent use of strategic web compromises, or “watering hole attacks” over the last year
Financial institutions attacked via Java exploits on local news web sites
Energy companies compromised through an industry portal
Significant collateral damage
![Page 27: PRESENTED BY: © 2013 Mandiant Corporation. All rights reserved. APT1 & M-Trends 2013 Grady Summers MAY 9, 2013.](https://reader035.fdocuments.in/reader035/viewer/2022062515/56649cc55503460f9498f2cc/html5/thumbnails/27.jpg)