
Advanced Targeted Malware or Advanced Persistent Threat


maddox

  1. Advanced Targeted Malware or Advanced Persistent Threat, without the marketing BS

  2. APT in this presentation • The original meaning when US Navy coined the phrase • Before it started being used by every IT Security vendor, anti-malware vendor, and everyone with “Cyber” in their marketing portfolio

  3. Agenda • What APT is – its background/history • Detection and elimination • The people and what they attack • The on-going fight • Reminder checklist • Some difficult truths • Questions.

  4. APT • Targeted Malware with the intent to • Enter your estate • Stay in your estate • Obtain your data • Commercial advantage • Technology leapfrog • etc

  5. APT is a new threat • Wrong • Very wrong • Instances of well developed attacks and associated malware seen since before 2006 • Some folks working on these issues since perhaps as early as 2002 • Candidly, if you haven’t seen this stuff you probably are not looking properly.

  6. APT family • It isn't a • Single attack type • Single type of malware • Single attack group

  7. APT Family • It is • Range of attack types • Spearphishing • Generic social engineered attacks • Very well targeted social engineering attacks • Targeted drive-by attacks • Range of malware types • Relatively simple through to • Quite sophisticated • Perhaps 7 to 9 different levels of complexity • Generally use the simplest malware needed

  8. APT Activity • Gain a foothold that can obtain command and control instructions • Via some quite interesting approaches • “interactive” sessions • instructions by hidden means, e.g. inside JPEG images • Usually (always?) relayed via other parties • Other compromised companies/web-sites • University systems • “mom & pop shops” • i.e. hosts a compromised system is unlikely to be noticed initiating a web connection to … • Knowledge of these “other parties” can often lead to the discovery of new victims … more on that later

  9. What a rush! • There is no rush • from the attackers point of view • Marathon not sprint • Sleeper malware • Long period beaconing • Check in only every few months • A bit more on this later…

  10. Elimination • How do you get rid of it after you first detect it? • Or after you have had a tip-off that you might have a problem • You may get a tip-off from…

  11. Whack-a-Mole? • Very dynamic – lots of IT folks doing stuff • But dangerous and not very effective • Attackers will notice • They will change attack approach • They will remain in your estate

  12. Structured approach • You will probably need help with some of this • Who you gonna call? Someone competent, capable and trusted • Much less fun, much harder work, much more effective • Detect/locate • Prepare/Understand • Disconnect • Eliminate • Protect • Future processes • Re-connect • The new normal

  13. Detection • Log file analysis • dns, dhcp, vpn, firewall, ids/ips, proxy, AV • Network Analysis • packet capture and analysis, network sensors • Host Capability • process maps, memory maps, file structures, registry contents, file contents • One third/one third/one third (initially, each of the three sources contributed roughly equally to detections; see the tool effectiveness figures later)
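The two log-driven techniques the slides describe, pivoting from a known relay (slide 8) and spotting long-period beaconing to a rarely visited site (slide 9), can both be run over consolidated proxy logs (slide 13). The block below is an added example, not code from the presentation or its authors: the proxy lines, the relay list and the four-field log layout (timestamp, client IP, destination host, bytes out) are constructed for the example, and the thresholds are assumptions to tune against your own estate.

```python
"""Proxy-log triage for APT-style command and control (added example).

  1. pivot_from_relays: given external hosts already known to act as C2
     relays for the attacker (compromised third parties), list every
     internal client that contacted them.
  2. find_slow_beacons: flag (client, destination) pairs whose contacts
     are rare, regular, and to a destination few other internal clients
     ever visit.

Log lines, relay list and field layout are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: ISO timestamp, client IP, destination host, bytes out.
SAMPLE_PROXY_LOG = """\
2011-01-03T09:12:04 10.1.1.20 www.intranet-news.example 1200
2011-01-03T09:12:05 10.1.1.20 cdn.bigvendor.example 54000
2011-01-03T02:17:44 10.1.1.55 ftp.smallbakery-shop.example 310
2011-01-10T09:40:11 10.1.1.21 cdn.bigvendor.example 22000
2011-03-04T02:18:02 10.1.1.55 ftp.smallbakery-shop.example 305
2011-03-20T11:02:17 10.1.1.22 www.intranet-news.example 1300
2011-05-03T02:17:51 10.1.1.55 ftp.smallbakery-shop.example 312
2011-05-03T09:00:00 10.1.1.40 alumni.someuniversity.example 410
2011-07-02T02:18:10 10.1.1.55 ftp.smallbakery-shop.example 308
2011-07-11T14:22:31 10.1.1.21 cdn.bigvendor.example 61000
2011-09-01T02:17:58 10.1.1.55 ftp.smallbakery-shop.example 301
"""

# Relay hosts learned from an earlier investigation (constructed).
KNOWN_RELAYS = {"alumni.someuniversity.example"}


def parse_proxy_log(text):
    """Parse the constructed lines into (timestamp, client, dest, bytes)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), client, dest, int(nbytes)))
    return events


def pivot_from_relays(events, relays):
    """Return {relay: sorted internal clients} for every known relay seen."""
    hits = defaultdict(set)
    for _, client, dest, _ in events:
        if dest in relays:
            hits[dest].add(client)
    return {dest: sorted(clients) for dest, clients in hits.items()}


def find_slow_beacons(events, min_contacts=4, min_period_days=14,
                      max_popularity=1, max_jitter=0.25):
    """Flag (client, dest) pairs that look like long-period beaconing.

    A pair is flagged when it has at least min_contacts contacts, the mean
    gap between contacts is at least min_period_days, the gaps are regular
    (stdev/mean <= max_jitter), and no more than max_popularity internal
    clients ever talk to dest (a rarely visited site, not a shared CDN).
    Returns a list of (client, dest, contacts, mean_period_days).
    """
    by_pair = defaultdict(list)
    clients_per_dest = defaultdict(set)
    for ts, client, dest, _ in events:
        by_pair[(client, dest)].append(ts)
        clients_per_dest[dest].add(client)

    flagged = []
    for (client, dest), stamps in by_pair.items():
        if len(stamps) < min_contacts:
            continue
        if len(clients_per_dest[dest]) > max_popularity:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() / 86400
                for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period < min_period_days or pstdev(gaps) / period > max_jitter:
            continue
        flagged.append((client, dest, len(stamps), round(period, 1)))
    return flagged


if __name__ == "__main__":
    evts = parse_proxy_log(SAMPLE_PROXY_LOG)
    print("relay pivot:", pivot_from_relays(evts, KNOWN_RELAYS))
    print("slow beacons:", find_slow_beacons(evts))
```

On the constructed sample the pivot names 10.1.1.40 as a client of the known relay, and the beacon check flags only 10.1.1.55, which contacts a single-visitor "mom & pop" FTP host about every 60 days at the same time of night; the popular CDN is not flagged even though its contacts are regular, which is why the popularity test matters. Real proxy logs will need the parser adapted to the actual field order and far larger time windows than one year to see a check-in that happens "only every few months".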

  14. Prepare/Understand • Do you know your estate? • Network connections • Password policies • Password and application interactions • Understand how the malware works • Command and control • How it persists • How it moves/how it is moved

  15. Structured approach • Detect/locate • Prepare/Understand • Disconnect • Eliminate • Protect • Future processes • Re-connect • New normal

  16. New Normal • They will re-attack • They will get in • Your processes have to: • Detect • Investigate • Eliminate • Adapt

  17. The Human Element • Groups • Developers • Doers • Follow-up • Below the radar • Working patterns • Comms patterns • Multiple Groups? • Probably • May not always be aware of each other

  18. They are only human • Oops! • Human script followers • Identified keyboard drivers • Typos • Mistakes • Repeat commands • May not be sure of where they are • Sometimes careless/sloppy • Compressed archives not fully deleted
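One of the sloppy habits above, leaving a compressed staging archive behind, is something the host data capture of slide 13 can look for directly. The block below is an added example, not code from the presentation: it sweeps a directory tree and identifies archives by their leading bytes rather than by file extension, so an archive renamed to look like a log file is still reported. The directory tree it builds in make_demo_tree() is constructed for the example, and the magic-byte table covers only a handful of common formats.

```python
"""Sweep a tree for left-behind staging archives (added example).

Identifies archives by magic bytes, not extension, and reports path,
format, size and modification time for each one found. The demo tree
built by make_demo_tree() is constructed for this example.
"""
import os
import tempfile
from pathlib import Path

# Leading bytes of common archive formats.
ARCHIVE_MAGIC = {
    b"Rar!\x1a\x07": "rar",
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x1f\x8b": "gzip",
    b"MSCF": "cab",
}


def archive_type(path):
    """Return the archive format for path, or None if it is not an archive."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
    except OSError:
        return None
    for magic, name in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def sweep_archives(root, min_bytes=0):
    """Walk root; return sorted [(relative path, fmt, size, mtime)] of archives.

    min_bytes drops tiny archives so that a sweep of a whole profile is
    not swamped by legitimate small zips.
    """
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            fmt = archive_type(full)
            if fmt is None:
                continue
            st = os.stat(full)
            if st.st_size < min_bytes:
                continue
            rel = Path(full).relative_to(root).as_posix()
            found.append((rel, fmt, st.st_size, st.st_mtime))
    return sorted(found)


def make_demo_tree():
    """Build a constructed tree: one disguised RAR, one real zip, one decoy."""
    root = tempfile.mkdtemp(prefix="apt-sweep-")
    (Path(root) / "Temp").mkdir()
    (Path(root) / "Documents").mkdir()
    # Staging archive renamed to look like a scratch log file.
    (Path(root) / "Temp" / "~tmp0001.log").write_bytes(
        b"Rar!\x1a\x07\x00" + b"A" * 4000)
    # A legitimate-looking zip, by name and by content.
    (Path(root) / "Documents" / "report.zip").write_bytes(
        b"PK\x03\x04" + b"\x00" * 100)
    # Plain text with a misleading .rar extension: must not be reported.
    (Path(root) / "Documents" / "notes.rar").write_text("just text\n")
    return root


if __name__ == "__main__":
    demo = make_demo_tree()
    for rel, fmt, size, mtime in sweep_archives(demo):
        print(f"{fmt:5} {size:8d} {rel}")
```

The point of checking content rather than names is the same one that makes attackers' typos and mistakes useful: the archive they forgot to delete rarely carries a helpful name, but its first bytes do not change. Run against a real host, the output is a candidate list to correlate with the proxy and file-server logs, not proof of compromise on its own.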

  19. The Attack Surface • Microsoft / Adobe / Java • Because they are the most popular platforms. “I rob banks ‘cause that’s where the money is” • Patching and the role it can play…

  20. The products that fix the problem • Unfortunately none • Needs a structured approach to robust monitoring and a number of products to help manage the risk • An approach based on • People – at all levels of the organisation • Process • Technology • In that order of priority

  21. The approach that handles the problem • This is about our approach, but others have similar. • SOC – multi-geography, 24*365 • Evolution of tools • Externally sourced • Internally sourced • Evolution of people skills • Better understanding of the subject • Better analysis skills

  22. Tools • Log consolidation and analysis • DHCP, dns, proxy, firewall, ids, vpn etc • Network traffic monitoring and analysis • Host data capture • To aid in incident identification • To aid in incident investigation

  23. Tool Effectiveness • Initially • 34% / 33% / 33% (log/network/host) • Now • 65% / 30% / 5% (log/network/host) • Future? • 45%? / 50%? / 5%? (log/network/host)

  24. The approach takes time

  25. Summary • Bad folks are doing bad stuff very well • They see it as huge commercial benefit • We need to get better at detecting/eliminating/protecting • It can be done but must be done in a structured and on-going fashion to be effective • It is an evolving threat so there are no “fit and forget” solutions

  26. Remember, you may have to…. • Detect/locate • Prepare/Understand • Disconnect • Eliminate • Protect • Future processes • Re-connect • New normal

  27. Difficult Truths • Safe harbours will continue to exist • Traditional prevention and detection has failed • Governments cannot prevent intrusions • Data loss is inevitable • Attacks will continue • Companies often breached for years

  28. Additional Reading • http://www.rsa.com/innovation/docs/sbic_rpt_0711.pdf • Write-up from RSA on the threat and what can be done to help reduce the risk and the impact.

  29. Any Questions ?
