Adam Lange & Mark Manglicmot

Adam Lange
• Senior Consultant at Delta Risk LLC
• CISM, GCIA, GSEC, GCIH, CEH, Sec+
• Advanced threat consulting & counter-APT team building for Fortune 500s, federal government, and allied governments
• @LangeSecurity

Mark Manglicmot
• Senior Consultant in Ernst & Young’s Advanced Security Center
• CISSP, GCIH, CEH, Sec+
• Advanced threat, incident response, & SOC consulting
• @MGManglicmot

The Data Doesn’t Lie!
• Past habits can help predict future behavior
• By analyzing data trends over time, Target could tell a 15-year-old girl was pregnant before her family knew

The Problems Defenders Face
• There is no delineation between routine incidents and incidents that may be APT activity
• Industry improvements are being made all the time, and integration into government operations tends to lag behind
• Advanced adversaries evolve faster than we can
• We don’t have all the processes, tools and understanding to take on APT actors

Demystifying Threat Intel
• Everyone has it!

The Role of Intel
• Major driver to catch the top tier of threat: detection, prevention, response
• Types of intel: behavioral, indicators

APT Is Bad Stuff
• APT makes up 20% of the workload; the other 80% is “garbage”
• What is the difference? There is no “APT differentiation analyst”
• APT targets industries whose intellectual property provides a strategic advantage for the attacker
• Intelligence on APT actors comes from three major areas: internally derived, commercially purchased, sharing partners

A Quick Look at the Adversaries
• APT: strategic gains
• Cyber crime: financial gains
• Hacktivists: sociopolitical gains
• Script kiddies, college kids, others: thrill of the exploit, learning the system, generic mayhem
• Top 20%, high impact: the good news is that because they tend to repeat attacks with recycled tactics, organizations can trend their behavior over time
• Bottom 80%, lower impact: they don’t trend well, so mitigate and move on

Sophistication vs Intel
[Chart: attacker knowledge and technology (high to low) plotted against attack sophistication and defense sophistication. Attack techniques shown: DDoS, binary encryption, distributed attack tools, stealth and advanced scanning, vulnerability exploitation, anti-audit technologies, session hijacking and spoofing, sniffers, backdoors, password cracking, password guessing. Defenses shown: behavior/event capture and analysis, DDoS mitigation, firewalls, HIPS, honeynets, IDS/IPS, network traffic analysis, patching, high-quality forensics and incident reporting, deception operations. Annotations: at the high end there is no intel because the actors have OPSEC, and these attacks require more sophisticated behavioral, event, and information-based tools to detect; in the middle there is plenty of intel because attackers talk too much; at the low end there is no intel because these are hacks of opportunity, and most of these attacks can be identified using traditional rule-based technologies.]

Lockheed Martin Perspective
• This paper was published back in 2011 and was the cornerstone of many advances in the DIB
• This model and its implications can be studied in depth to understand how to counter advanced adversaries

Mandiant: APT1
• The first major civilian exposé on a state-sponsored group. It reveals APT1 TTPs and C2 infrastructure.
• It provided actionable intelligence for every organization to leverage.
• It is likely that APT1 is going to start over in several organizations; however, for some orgs it appears that APT1 is conducting business as usual.
• NOTE: What we really liked about this report was the appendices: they contained all the TECHNICAL INDICATORS needed to actually do something about the threat.

Malware.lu
• Malware.lu, based in Luxembourg, was able to do some additional deep dives into APT1 activity.
• Much of this may be illegal to do in the US. The report is worth taking a look at.

Who? What do they want? How do they attack?
[Diagram; labels reassembled from the slide: Cultural Threat, Industry Competitor, Strategic Interest, Innovator]

Various Ways to Model Adversaries
[Slide image]

An Advanced Adversary Model
• Full-spectrum cyber operations
• More targeted & tactical indicators
• Ability to correlate seemingly disparate activities
• Metrics and strategic trends

How Most Defenses Work
• Detection is somewhere in the middle of an attacker’s operation
• Look for one or so indicators to stop a discrete attack, but the campaign continues

Defensive Campaigns
• Two types of defensive campaigning: adversary-based campaign, event-driven campaign
• What do each of these have in common? An event begins and ends at some point; an adversary operation begins and ends at some point
• Now I suddenly realize that the initial attack is NOT success for them, so it’s not failure for me. I have TIME to do something about it…

Elements of ‘Good’ Intel
• Tactical: timeliness (<48 hrs), IP, FQDN, file hash
• Strategic: trends, vectors, patches/updates, profiles

The Government
• Common complaint: “It’s all classified”
• The good news: it doesn’t really matter
• Look at intel from a SIGINT perspective
• Tries to share as it can
• http://en.wikipedia.org/wiki/List_of_intelligence_gathering_disciplines

Industry Methods
• Sock puppets
• Collective Intelligence Framework

OpenIOC
[Slide image listing indicator object types; reassembled from the garbled column layout: Account, Address, Artifact, Code, Custom, Device, Disk, Disk Partition, DNS Cache, DNS Query, DNS Record, Email Message, File, GUI Dialogbox, GUI Semaphore, GUI Window, HTTP Session, Library, Link, Linux Package, Memory, Mutex, Network Connection, Network Flow, Network Packet, Network Route, Network Route Entry, Network Socket, Network Subnet, PDF File, Pipe, Port, Process, Socket Address, System, UNIX File, UNIX Network Route Entry, UNIX Pipe, UNIX Process, UNIX User Account, UNIX Volume, URI, User Account, User Session, Volume, WhoIS, Win Computer Account, Win Critical Section, Win Driver, Win Event Log, Win Event, Win Executable File, Win File, Win Handle, Win Kernel Hook, Win Kernel, Win Mailslot, Win Memory Page Region, Win Mutex, Win Network Route Entry, Win Network Share, Win Pipe, Win Prefetch, Win Process, Win Registry Key, Win Semaphore, Win Service, Win System, Win System Restore, Win Task, Win Thread, Win User Account, Win Volume, Win Waitable Timer]

X509
[Slide image]

How Reliable Is It?
• Analysis of Competing Hypotheses

Intel & SOC/CERT Integration
[Diagram: RTA, Investigation, ATA, Countermeasures, Digital Forensics, Threat Intel]

Learning & Sharing: Where to Start
• Start small
• Look in the mirror
• Friends (real, not imaginary)
• Read!
• Get involved: ISACs, local FBI office (InfraGard), join the online communities

What Are the Next Steps?
• Try to understand who is interested in you; it is not always necessary to get 100% attribution
• Understand that once you are targeted by APT, you will forever be on their target cycle list
• Continue to iterate: that’s what the APT does
• Shorten the kill chain

What You’ll Gain
• Ask the right questions… generate the right metrics: “We had 27 ‘incidents’ this month”
• Trends: these guys only attack us when we do some conference; Group X only attacks when specific 0-days are published; Group Y is only active between these hours; Group Z never attacks during “insert country” holidays (e.g. Cinco de Mayo)

Impacts
• Work smarter, not harder
• Improves efficiency
• Drives targeted investment
• Ultimately improves security, and protects the business
• “By leveraging threat intelligence, you can tactically and strategically campaign against the APT and defend your business.”

Thanks for Your Time
• Questions?
• Follow us on Twitter! @LangeSecurity @MGManglicmot
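The “Elements of ‘Good’ Intel” and “OpenIOC” slides above say what tactical indicators are (IP, FQDN, file hash, fresher than 48 hours) and name the format they are commonly exchanged in, but do not show how a SOC actually applies one. The example below is added here and is not code from the talk or from the OpenIOC project: it evaluates a minimal OpenIOC 1.0 document (the real schema namespace; the hash, hostname, IP and ids are constructed placeholders) against a constructed set of host observations, walking the nested Indicator/IndicatorItem boolean tree, and separately applies the deck's 48-hour timeliness rule to the indicator's authored_date.

```python
"""Evaluate a minimal OpenIOC 1.0 document against host observations and
apply the deck's <48-hour timeliness rule to tactical indicators.

Added example; the IOC document, hash, hostname and IP below are constructed
placeholders, not indicators from the talk or from any real report.
"""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

# OpenIOC 1.0 namespace (the schema URI the real format uses).
NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed IOC: match on a file hash OR (a DNS name AND a remote IP).
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc"
     id="00000000-0000-4000-8000-000000000001" last-modified="2013-03-01T12:00:00">
  <short_description>Example dropper (constructed)</short_description>
  <authored_by>example analyst</authored_by>
  <authored_date>2013-03-01T12:00:00</authored_date>
  <definition>
    <Indicator operator="OR" id="i-1">
      <IndicatorItem id="ii-1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="i-2">
        <IndicatorItem id="ii-2" condition="contains">
          <Context document="Network" search="Network/DNS" type="mir"/>
          <Content type="string">example-c2.invalid</Content>
        </IndicatorItem>
        <IndicatorItem id="ii-3" condition="is">
          <Context document="PortItem" search="PortItem/remoteIP" type="mir"/>
          <Content type="IP">192.0.2.10</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

# Constructed host observations, keyed by the OpenIOC search path.
HOST_OBSERVATIONS = {
    "FileItem/Md5sum": ["ffffffffffffffffffffffffffffffff"],
    "Network/DNS": ["update.example-c2.invalid"],
    "PortItem/remoteIP": ["192.0.2.10", "198.51.100.7"],
}


def _item_matches(item, observations):
    """True if any observed value under the item's search path satisfies its condition."""
    search = item.find("ioc:Context", NS).get("search")
    want = item.find("ioc:Content", NS).text.strip().lower()
    cond = item.get("condition")
    for have in observations.get(search, []):
        have = have.lower()  # hashes, hostnames and IPs compare case-insensitively
        if cond == "is" and have == want:
            return True
        if cond == "contains" and want in have:
            return True
    return False


def _eval_indicator(node, observations, hits):
    """Recursively evaluate an Indicator node, appending matching IndicatorItem ids to hits."""
    results = []
    for child in node:
        tag = child.tag.split("}")[-1]  # strip the namespace
        if tag == "IndicatorItem":
            ok = _item_matches(child, observations)
            if ok:
                hits.append(child.get("id"))
            results.append(ok)
        elif tag == "Indicator":
            results.append(_eval_indicator(child, observations, hits))
    op = node.get("operator", "OR").upper()
    return all(results) if op == "AND" else any(results)


def evaluate_ioc(ioc_xml, observations):
    """Return (matched, [ids of matching IndicatorItems]) for an OpenIOC document."""
    root = ET.fromstring(ioc_xml)
    definition = root.find("ioc:definition", NS)
    hits = []
    matched = any(_eval_indicator(ind, observations, hits)
                  for ind in definition.findall("ioc:Indicator", NS))
    return matched, hits


def is_tactically_fresh(ioc_xml, now_iso, max_hours=48):
    """Apply the deck's timeliness rule: authored_date within max_hours of now (naive UTC)."""
    root = ET.fromstring(ioc_xml)
    authored = datetime.fromisoformat(root.find("ioc:authored_date", NS).text.strip())
    now = datetime.fromisoformat(now_iso)
    return timedelta(0) <= now - authored <= timedelta(hours=max_hours)


if __name__ == "__main__":
    print(evaluate_ioc(SAMPLE_IOC, HOST_OBSERVATIONS))        # (True, ['ii-2', 'ii-3'])
    print(is_tactically_fresh(SAMPLE_IOC, "2013-03-02T12:00:00"))  # True
    print(is_tactically_fresh(SAMPLE_IOC, "2013-03-05T12:00:00"))  # False
```

The evaluator deliberately visits every IndicatorItem rather than short-circuiting, so the returned hit list tells the analyst which artifacts fired, not just that something did; a stale tactical indicator is reported separately rather than silently dropped, since the slide's point is that an old IP or hash is weak evidence, not no evidence.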
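The “What You’ll Gain” slide above lists the trends a defender wants out of incident data (a group active only in certain hours, never on certain holidays, only around our own conferences, and a monthly count that means something), and the adversaries slide says the top 20% can be trended because they recycle tactics. The example below is added here and is not code from the talk: it computes exactly those profile fields from a constructed incident log (timestamps, group names, holiday and conference dates are all made up), which is the metric step that turns “27 incidents this month” into a per-adversary pattern.

```python
"""Trend attributed incidents over time into the adversary profile the deck
describes: active hours, holiday gaps, correlation with our own events, and
monthly counts per group.

Added example; the incident records, group names, holiday and conference
dates are constructed and do not describe any real campaign.
"""
from collections import Counter
from datetime import date, datetime

# Constructed incident log: (UTC timestamp, attributed group, detecting source).
INCIDENTS = [
    ("2013-03-04T02:15:00", "GroupY", "ids"),
    ("2013-03-05T01:40:00", "GroupY", "proxy"),
    ("2013-03-11T03:05:00", "GroupY", "ids"),
    ("2013-03-18T02:50:00", "GroupY", "edr"),
    ("2013-03-25T01:10:00", "GroupY", "proxy"),
    ("2013-03-05T14:00:00", "GroupX", "email"),
    ("2013-03-06T09:30:00", "GroupX", "email"),
    ("2013-04-20T11:00:00", "GroupX", "ids"),
    ("2013-05-03T16:00:00", "GroupZ", "edr"),
    ("2013-05-08T15:20:00", "GroupZ", "edr"),
    ("2013-05-05T10:00:00", "Commodity", "av"),
]
HOLIDAYS = {date(2013, 5, 5)}      # constructed "insert country" holiday
CONFERENCES = {date(2013, 3, 5)}   # constructed date of one of our own conferences


def _parsed(incidents, group=None):
    """Yield (datetime, group, source), optionally filtered to one group."""
    for ts, g, src in incidents:
        if group is None or g == group:
            yield datetime.fromisoformat(ts), g, src


def monthly_counts(incidents):
    """'We had 27 incidents this month', broken down by group: {(YYYY-MM, group): n}."""
    return dict(Counter((ts.strftime("%Y-%m"), g) for ts, g, _ in _parsed(incidents)))


def hour_window(incidents, group):
    """Earliest and latest UTC hour of day in which the group has been seen, or None."""
    hours = [ts.hour for ts, _, _ in _parsed(incidents, group)]
    return (min(hours), max(hours)) if hours else None


def holiday_incidents(incidents, group, holidays):
    """How many of the group's incidents fell on a listed holiday."""
    return sum(1 for ts, _, _ in _parsed(incidents, group) if ts.date() in holidays)


def event_linked(incidents, group, events, window_days=1):
    """How many of the group's incidents fell within +/- window_days of one of our events."""
    return sum(1 for ts, _, _ in _parsed(incidents, group)
               if any(abs((ts.date() - ev).days) <= window_days for ev in events))


def profile(incidents, group, holidays, events):
    """Assemble the per-adversary trend profile the deck asks for."""
    total = sum(1 for _ in _parsed(incidents, group))
    linked = event_linked(incidents, group, events)
    return {
        "total": total,
        "hour_window_utc": hour_window(incidents, group),
        "holiday_incidents": holiday_incidents(incidents, group, holidays),
        "event_linked": linked,
        "event_linked_fraction": round(linked / total, 2) if total else 0.0,
    }


if __name__ == "__main__":
    print(monthly_counts(INCIDENTS))
    for grp in ("GroupX", "GroupY", "GroupZ", "Commodity"):
        print(grp, profile(INCIDENTS, grp, HOLIDAYS, CONFERENCES))
```

On the constructed data GroupY only shows up between 01:00 and 03:00 UTC, GroupX's activity clusters around the conference date, and GroupZ has nothing on the holiday; with real data the same fields are what let an analyst schedule hunting and staffing around an adversary's habits rather than treating every incident as unrelated.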