Weaponised Malware & APT Attacks: Protect Against Next-Generation Threats
APT - Hunting 0Day Malware
Transcript of APT - Hunting 0Day Malware
![Page 1: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/1.jpg)
APT: Hunting 0Day Malware
Mustafa Qasim
![Page 2: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/2.jpg)
Since this presentation started
of organizations will have some malware event successfully evade their IT defenses.
![Page 3: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/3.jpg)
On average, malware events occur at a single organization once every 3 MINUTES.
![Page 4: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/4.jpg)
Introduction
![Page 5: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/5.jpg)
Once upon a time...
![Page 6: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/6.jpg)
![Page 7: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/7.jpg)
![Page 8: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/8.jpg)
According to IDC, between 2003 and 2011, total IT security spend grew from $12 billion to $28 billion.
$12 Billion (2003)
$28 Billion (2011)
![Page 9: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/9.jpg)
reActive
Vs
proActive
![Page 10: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/10.jpg)
![Page 11: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/11.jpg)
Fear of False Positive!
![Page 12: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/12.jpg)
So-called Defenders!
![Page 13: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/13.jpg)
Firewalls
- Yes/No
- Next-Gen Firewall Buzz
- Latency Impact
![Page 14: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/14.jpg)
IPS
- Traffic Signatures
- 0Day Prevention Buzz (Exploit > Vulnerability)
- Network Services vs. Client Side Attacks
![Page 15: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/15.jpg)
Web Gateways
Called: Defense in Depth
In reality: Iteration
![Page 16: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/16.jpg)
Anti-Virus (L0L)
- Signatures
- Heuristics
- Sandbox
![Page 17: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/17.jpg)
Anti-Virus (L0L)
- VIP entry via signed binary: Flame, by Microsoft ;-)
![Page 18: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/18.jpg)
Signatures
- Binary / Traffic
- Morphing, Obfuscation, Encryption
![Page 19: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/19.jpg)
Heuristics Dilemma
![Page 20: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/20.jpg)
Heuristics Dilemma
![Page 21: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/21.jpg)
Isn't Sandbox made up of sand?
![Page 22: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/22.jpg)
![Page 23: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/23.jpg)
![Page 24: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/24.jpg)
Disheartened by Backward Looking Defenders?
![Page 25: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/25.jpg)
The highest technique is to have no technique.
My technique is a result of your technique; my movement is a result of your movement.
![Page 26: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/26.jpg)
APT Malware vs. Traditional
![Page 27: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/27.jpg)
APT Attack Life Cycle
![Page 28: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/28.jpg)
![Page 29: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/29.jpg)
Stage 1
Intrusion through exploitation
- Remote Exploit / Local Exploit
- Social Engineering
![Page 30: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/30.jpg)
Stage 2
Malware is dropped
- Single Click
- Base64-encoded hidden link
- Java certificate revocation list check disabled
- Legacy vs Advanced
* PDF, not EXE
* DLL search order hijacking
![Page 31: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/31.jpg)
Stage 3
Phones Home
- RAT
- Outbound Encrypted Connection
- Proxy CnC for a network
![Page 32: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/32.jpg)
Stage 4
Spreads laterally
- Does not always hit the target directly
- Clear entry point
![Page 33: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/33.jpg)
Stage 5
Data extraction
- Small Chunks
- Staged Host
- Encrypted RAR
![Page 34: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/34.jpg)
Case Studies
- RSA breach
- Operation Aurora
![Page 35: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/35.jpg)
Forensics & Challenges
- Behavior
- Code
* Packed
* Obfuscated
* Anti Debugger
* Anti VM
* Time
![Page 36: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/36.jpg)
NGTP (Next-Generation Threat Protection)
- Signature-less
- Protection not Detection
- Virtual Execution Engine
![Page 37: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/37.jpg)
Pakistan Cyber Space
![Page 38: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/38.jpg)
First things FIRST!
![Page 39: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/39.jpg)
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.”
— Sun Tzu, The Art of War
![Page 40: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/40.jpg)
Honeynet Pakistan
- 6 Deployments
- Avg. 400 malware per day
- Around 100 Unique
![Page 41: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/41.jpg)
![Page 42: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/42.jpg)
ISPs
Financial Institutions
NADRA
Government Organizations
![Page 43: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/43.jpg)
Honeytoken Snort Rule
```
alert ip any any -> any any (msg:"Alert! Token c86"; content:"r71p@g3r";)
```
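As an added example (not from the slides), the matching logic behind this honeytoken rule in Python: a parser for the subset of Snort syntax the rule uses, and a scan over constructed packet records showing that `ip any any -> any any` fires on the token in either direction and on any port, while `content:` is case-sensitive unless `nocase` is given. The `Packet` type and the sample traffic are assumptions made up for the example.

```python
import re
from dataclasses import dataclass

# Honeytoken rule from the slide; the token is seeded into a decoy record, so any packet carrying it means the decoy was read and moved.
RULE = 'alert ip any any -> any any (msg:"Alert! Token c86"; content:"r71p@g3r";)'

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')

def parse_rule(rule: str) -> dict:
    """Parse the subset of Snort syntax this rule uses: header plus quoted options."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule: {rule!r}")
    fields = m.groupdict()
    # Options like msg:"..."; content:"..."; become key/value entries.
    fields.update(re.findall(r'(\w+):"([^"]*)";', fields.pop("opts")))
    return fields

def _spec_ok(spec: str, value) -> bool:
    # 'any' matches everything; otherwise the header field must match exactly.
    return spec == "any" or spec == str(value)

def rule_matches(rule: dict, pkt: Packet) -> bool:
    """Header match on both address/port pairs, then a case-sensitive content match."""
    header_ok = all(_spec_ok(rule[k], v) for k, v in
                    (("src", pkt.src), ("sport", pkt.sport), ("dst", pkt.dst), ("dport", pkt.dport)))
    return header_ok and rule["content"].encode() in pkt.payload

def scan(rule_text: str, packets: list) -> list:
    """Return (msg, src, dst, dport) for every packet the rule alerts on."""
    rule = parse_rule(rule_text)
    return [(rule["msg"], p.src, p.dst, p.dport) for p in packets if rule_matches(rule, p)]

# Constructed traffic: a web upload, an SMB copy, a clean request, and a case-mismatched token.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 51322, "203.0.113.9", 80, b"POST /up HTTP/1.1\r\n\r\nacct=r71p@g3r&bal=1200"),
    Packet("10.0.0.5", 49152, "10.0.0.20", 445, b"\xfeSMB...customer_r71p@g3r.csv"),
    Packet("10.0.0.7", 51001, "198.51.100.3", 80, b"GET /index.html HTTP/1.1\r\n\r\n"),
    Packet("10.0.0.7", 51002, "198.51.100.3", 80, b"GET /?q=R71P@G3R HTTP/1.1\r\n\r\n"),
]
```

Both the outbound upload and the internal SMB copy alert, which is the point of a honeytoken: the rule does not care about direction or service, only that decoy data is in motion.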
![Page 44: APT - Hunting 0Day Malware](https://reader033.fdocuments.net/reader033/viewer/2022052620/5575d471d8b42a917e8b4b97/html5/thumbnails/44.jpg)
Catch Me
Twitter: mustafaqasim
Freenode: mustu @ #offsec