
Advanced Attack Groups (Objectives, Tactics, Countermeasures) February 27, 2013


Presentation Transcript


  1. Advanced Attack Groups (Objectives, Tactics, Countermeasures) February 27, 2013

  2. MANDIANT CORPORATION
  • Computer Information Security Consulting
  • Software: Host Inspection/Network Monitoring Tools
  • Enterprise-Wide Intrusion Investigations
  • Financial Crimes, National Security Compromises
  • 380+ Investigations Since 2008, >2M and >20K Hosts
  • Offices: DC, NYC, LA, San Francisco
  • PCI PFI Certified, FS-ISAC Affiliate Member, GCHQ/CESG/CPNI Cyber Incident Response Pilot

  3. Agenda
  • Information Targeted By Attackers
  • Attack Group Profiles
  • Intrusion Case Examples
  • Investigative Approach
  • Why It Continues To Happen
  • Countermeasures – Strategic and Tactical
  • The Future
  • Questions and Answers

  4. Targeted Information

  5. Information Targeted By Attackers

  6. Major Attack Groups

  7. The Rogue/The Disgruntled
  • Not As Sophisticated Or Practiced
  • Limited Resources Available
  • Smallest Impact
  • Easier To Investigate Than Other Actors

  8. Hacktivists
  • Focused On Notoriety/Cause
  • Loosely Organized: Small Groups
  • Low (Follow Script) To Moderate (SQL Injection) Skills
  • Frequent Use Of Publicly Available Tools
  • Capitalize On Common Security Vulnerabilities
  • More Disruptive Than Dangerous

  9. Organized Crime
  • Financially Motivated: Obtain/Sell Info
  • Good Bankers: Understand ATM/PIN/HSM
  • Microsoft-Centric: Bypass Mainframe, AS/400
  • Highly Automated: Move Fast, Reuse Tools
  • Compromise More Systems Than Used
  • Persistence Has Not Been A Hallmark

  10. Organized Crime

  11. The Advanced Persistent Threat
  • Focused On Intelligence Gathering and Occupation
  • Target Specific Organizations
  • Nation State Sponsored
  • What It Is Not:
    • Botnet/Worm
    • Script Kiddies
    • Financial Criminals
    • “Simplistic” Malware

  12. How The APT Is Different
  Motivation & Tenacity
  • Their goal is occupation
  • Persistent access to network resources
  • Political and economic insight
  • Future use / fear / deterrent
  Organization & Orchestration
  • Division of labor
  • Malware change management
  • Escalation only as necessary
  • Countermeasures increase attack sophistication
  Technology
  • Custom Malware
  • Leverage various IP blocks to avoid filtering and detection
  • Few sustainable signatures (pack & modify binaries)
  • Malware recompiled days before installation
  • Constant feature additions
  • VPN Subversion
  • Encryption

  13. Intrusion Examples

  14. Scareware
  • Ill-Advised Browsing
  • iFrame Popup With Virus Warning
  • Install Rootkit Malware (Broad Functionality)
  • Charge Victim’s Payment Card
  • Harvest Victim’s Payment Card Information
  • Valid Transaction, Rarely Reported
  • Millions Of Victims
  • User Awareness Is Primary Defense

  15. Typical APT Attack - Conglomerate
  • Law Enforcement Notification: April 2010
  • 2007 Phishing Email Attack (Conference Attendance)
  • 93 Systems Compromised
  • Five Attack Groups Active Concurrently/Independently
  • Lost Credentials: User, Domain Admin, Service Accounts
  • 1 GB Of Email, Credentials (Incremental Only)
  • Attacker Focus: Green Fuel Materials, R&D, Mfg Data

  16. Financial Services Attack
  • Law Enforcement Notification
  • Server Misconfiguration Attack Vector
  • In Network Two Months Prior to Theft
  • Moved Laterally With Blank SA Passwords, RDP
  • Dumped Credentials From Domain Controller
  • Compromised/Accessed ~350 Systems
  • Dumped Several Dozen Records from Target Database
  • Determined PINs Using IVR Web Service
  • Made $13M In Withdrawals At 2,300 ATMs
  • Repeated Attacks from Unmanaged Infrastructure

  17. Investigation: How Do We Investigate?

  18. Conducting Investigations
  • Determine Incident History, Steps Taken, Technical Environment, Objectives
  • Collect Relevant Data
  • Increase Monitoring And Enterprise-Wide Inspection Capabilities As Needed
  • Conduct Forensic, Log and Malware Analysis To Identify Network And Host-Based Indicators Of Compromise
  • Identify Attack Vector, Attacker Activities, Compromised Systems/Accounts, Data Exposure
  • Report Status, Findings, Remediation Recommendations

  19. Investigative Cycle: Primary Sources of Information
  • Host inspection
  • Full network monitoring/analysis
  • Log analysis
    • Near real-time
    • Historical
  • Malware reverse engineering
  • Systems inspection
    • Live response analysis
    • In-depth forensic analysis
    • Memory analysis
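As an added example (not from the Mandiant deck), the following Python applies the log-analysis step of the investigative cycle above to the lateral-movement pattern from the financial services case on slide 16: one account reaching many distinct hosts over RDP within a short window. The 4624-style logon records, host names, account names and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records in the shape of Windows Security 4624 (logon
# success) events: timestamp, target host, account, LogonType.
# LogonType 10 = RemoteInteractive (RDP); 3 = network share; 2 = console.
SAMPLE_LOGONS = """
2013-02-01 01:02:10,WS-ACCT07,CORP\\jsmith,2
2013-02-01 02:10:03,DB01,CORP\\svc_backup,10
2013-02-01 02:14:51,DB02,CORP\\svc_backup,10
2013-02-01 02:19:07,APP03,CORP\\svc_backup,10
2013-02-01 02:25:30,FS01,CORP\\svc_backup,10
2013-02-01 02:31:12,DC01,CORP\\svc_backup,10
2013-02-01 02:33:48,APP04,CORP\\svc_backup,10
2013-02-01 03:00:00,FS01,CORP\\backupagent,3
2013-02-01 03:00:01,FS02,CORP\\backupagent,3
2013-02-01 03:00:02,FS03,CORP\\backupagent,3
2013-02-01 03:00:03,FS04,CORP\\backupagent,3
2013-02-01 03:00:04,FS05,CORP\\backupagent,3
""".strip().splitlines()


def parse_logons(lines):
    """Parse 'timestamp,host,account,logon_type' lines into tuples."""
    records = []
    for line in lines:
        ts, host, account, ltype = line.split(",")
        records.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        host, account, int(ltype)))
    return records


def find_rdp_fanout(records, min_hosts=5, window_minutes=60, logon_types=(10,)):
    """Return {account: sorted distinct hosts} for each account that logged on
    to at least min_hosts distinct hosts, using the given logon types, inside
    any sliding window of window_minutes. Network logons (type 3) are excluded
    by default because backup and scanning accounts generate them legitimately."""
    by_account = defaultdict(list)
    for ts, host, account, ltype in records:
        if ltype in logon_types:
            by_account[account].append((ts, host))
    flagged = {}
    for account, events in by_account.items():
        events.sort()  # chronological; tuples sort by timestamp first
        for i, (start, _) in enumerate(events):
            window = {h for ts, h in events[i:]
                      if (ts - start).total_seconds() <= window_minutes * 60}
            if len(window) >= min_hosts:
                flagged[account] = sorted(window)
                break
    return flagged
```

Tune `min_hosts` and `window_minutes` to the environment's baseline; the point is that one RDP session fanning out across database, file and domain controller hosts is the pattern worth an analyst's attention.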

  20. Successful Investigations Require
  • Technical Expertise:
    • Forensics, Malware, Log Analysis
  • Investigative Skills:
    • Organize The Situation
    • Understand The Attacker
    • Recognize/Take The Right Next Step
  • Management Skills:
    • Identification/Elimination of Obstacles
  • Communication Skills: When/How Needed

  21. Why Does It Continue To Happen?

  22. Why Does It Continue To Happen?
  • Limited Awareness of:
    • The Threats/Attackers/Actors and Their Motives
    • What is Possible: Advanced Phishing, Defeating Two-Factor, Obtaining Valid Credentials
  • Lack Understanding of Actual Attacker Tactics:
    • Hacking Web Apps or Staging Phishing Campaigns?
    • Using Cached Credentials or Attacking Domain Controllers?
    • Using Backdoors, VPN Accounts or Web Shells?

  23. Why Does It Continue To Happen?
  • Tendency to Focus on “Security Best Practices”
    • Instead of What Attackers Actually Do
  • Lack of Visibility:
    • Inadequate Logging - Detail/Retention
    • Unmanaged Infrastructure
    • Unreconciled M&A Activity
  • Operational Expediency:
    • Two-Factor Authentication Is Hard to Administer
    • Dealing With Multiple Complex Passwords Creates Issues
    • Network Segmentation Makes App Deployment Difficult

  24. Why Does It Continue To Happen?
  • Misplaced Faith in Compliance Audits:
    • Last 50 PCI Breaches – How Many Were Compliant?
  • Spend Money Instead of Time:
    • Solving Problems with Technology Is Appealing
    • Fixing People Problems Is Hard
    • Fixing Process Problems Is Hard/Boring

  25. Addressing The Issues

  26. Addressing The Issues - Strategic
  • Educate Your People, Clients, Suppliers, Partners:
    • Security Awareness, Attacker Profiles/Tactics
  • Turn Up Logging/Monitoring, Gain Visibility
  • Obtain Senior Management Awareness/Support
  • Invest in “Appropriate Practices”:
    • Focus on People and Process First
  • Implement Technology That Addresses True Issues:
    • Install Whitelisting on Domain Controllers
    • Establish/Enforce Strong Passwords: User, Admin, Service
    • Limit Number of Cached Local Credentials
  • Recognize That Execution Trumps Strategy

  27. Addressing The Issues - Tactical
  • Understand What They Do And Take It Away
  • Conduct In Parallel With Investigation
  • Rebuild Systems
  • Whitelist Domain Controllers
  • Remove Local Admin Rights
  • Conduct Enterprise-Wide Credential Change
  • Increase Logging
  • Establish Host Inspection Capability
  • Establish Network Monitoring Capability
  • Segment Networks

  28. Prioritizing Remediation Initiatives
  Attack lifecycle stages shown on the slide: Initial Recon → Initial Compromise → Establish Foothold → Escalate Privileges → Internal Recon → Move Laterally → Maintain Presence → Complete Mission
  Factors weighed when prioritizing: Threat Intelligence, Operational Visibility, Operational Complexities, Business Drivers, Resource Constraints

  29. The Future

  30. The Future
  • We See Progress with Victim Organizations:
    • Small Number Unable to Remove Attacker (<5%)
    • Small Number Have Another Large Incident (<5%)
    • Most Deal Effectively with Subsequent Attacks (90%+)
  • Greater Market Awareness
  • More Industry Collaboration
  • Recognize That “Victory” Is Minimizing Impact

  31. Questions and Answers
