Introduction to the advanced persistent threat and hacktivism

SAFE NEVER SLEEPS: A peek into the underworld… Hosted by: Jathniel Meyer & Christo van Staden, McAfee South Africa. Date: 17-19 October 2011

Safe Never Sleeps - a peek into the IT underworld. Security briefing from McAfee and Global Micro - Microsoft Hosting Partner of the Year 2010 and 2011. Presentation by Christo Van Staden, www.globalmicro.co.za. Follow me on Twitter: @jjrmilner

Transcript of Introduction to the advanced persistent threat and hacktivism

Page 1

SAFE NEVER SLEEPS: A peek into the underworld…

Hosted by: Jathniel Meyer & Christo van Staden, McAfee South Africa. Date: 17-19 October 2011

Page 2

Introduction to the Advanced Persistent Threat & Hacktivism

Page 3

Agenda

1. Advanced Persistent Threats (APTs)

2. Countermeasures

3. Questions and Answers

Page 4

APT in action

Advanced Persistent Threat: how was it done

Page 5

Advanced Persistent Threats

Page 6

Advanced Persistent Threats

What is an Advanced Persistent Threat?

1. An attack by a sophisticated adversary with deep resources and advanced penetration skills, engaged in electronic espionage to support long-term strategic goals.

2. An over-abused marketing term used by point-product security vendors to refer to "bad things from the Internet".

APTs have specific targets.

Page 7

Advanced Persistent Threats

Page 8

Malware Used in APTs

Simple blacklisting and signature-based solutions with MD5 hashes yield a low rate of true positives.

Average file size: 121.85 KB

Most common APT file names: Svchost.exe, explore.exe, lprinp.dll, wiinzf21.dll

Anomaly detection avoidance: outbound HTTP connections

Persistence: process injection and service persistence

Communication: 100 percent of backdoors connect outbound-only; 83 percent use TCP port 80 or 443; 17 percent are mixed
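The traits on this slide (system-binary lookalike names, binaries running from user directories, outbound-only connections on 80/443 from unexpected processes) are what a host-based hunt would key on. The checker below is an added example, not code from the deck or from McAfee; the system-binary set, the expected web clients and the Sysmon-style events it runs over are constructed assumptions for illustration.

```python
# Added example: flag the APT malware traits from the slide in constructed
# process-start and outbound-connection events (Sysmon event IDs 1 and 3 style).

# From the slide: file names most often used by APT malware.
APT_FILE_NAMES = {"svchost.exe", "explore.exe", "lprinp.dll", "wiinzf21.dll"}
# Assumption: genuine Windows binaries these names mimic, and where they normally live.
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "lsass.exe", "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")
# Assumption: processes expected to talk outbound on 80/443 on this host (tune per site).
EXPECTED_WEB_CLIENTS = {"firefox.exe", "chrome.exe", "msedge.exe"}
WEB_PORTS = {80, 443}

def base_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def within_one_edit(a, b):
    """True if a and b differ by at most one insert, delete or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        i += len(a) >= len(b)   # skip a char in the longer string (both if equal length)
        j += len(b) >= len(a)
    return edits + (len(a) - i) + (len(b) - j) <= 1

def analyze(events):
    """events: (kind, image_path, pid, remote_port). Returns a list of (pid, reason)."""
    findings = []
    for kind, path, pid, port in events:
        name = base_name(path)
        in_system_dir = path.lower().startswith(SYSTEM_DIRS)
        if kind == "process":
            if name in SYSTEM_BINARIES:
                if not in_system_dir:   # real name, wrong directory
                    findings.append((pid, f"{name} outside Windows dir: {path}"))
            elif name in APT_FILE_NAMES:
                findings.append((pid, f"known APT file name {name}: {path}"))
            for real in SYSTEM_BINARIES - {name}:   # e.g. explore.exe vs explorer.exe
                if within_one_edit(name, real):
                    findings.append((pid, f"{name} looks like {real}: {path}"))
        elif kind == "connect" and port in WEB_PORTS and name not in EXPECTED_WEB_CLIENTS:
            findings.append((pid, f"outbound {port}/tcp from unexpected process {name}"))
    return findings

# Constructed sample telemetry (not real data): one clean svchost, one in a user profile,
# one explorer.exe lookalike in Temp, and their connections plus a legitimate browser.
SAMPLE_EVENTS = [
    ("process", "C:\\Windows\\System32\\svchost.exe", 800, None),
    ("process", "C:\\Users\\bob\\AppData\\Roaming\\svchost.exe", 4120, None),
    ("process", "C:\\Users\\bob\\AppData\\Local\\Temp\\explore.exe", 4188, None),
    ("connect", "C:\\Users\\bob\\AppData\\Roaming\\svchost.exe", 4120, 443),
    ("connect", "C:\\Users\\bob\\AppData\\Local\\Temp\\explore.exe", 4188, 80),
    ("connect", "C:\\Program Files\\Mozilla Firefox\\firefox.exe", 5000, 443),
]
```

Running `analyze(SAMPLE_EVENTS)` flags only PIDs 4120 and 4188; the System32 svchost and the browser produce no findings, which is the point of combining path, name and connection context instead of a hash blacklist.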

Page 9

Operation Shady RAT

Page 10

Operation Shady RAT

Shady RAT advanced persistent threat (APT)

Active command and control (C&C) server accessed by McAfee® Labs™

Evidence of five years of attacks

Most common attack vector: spear-phishing

Page 11

Operation Shady RAT

Coveted data

Page 12

Operation Shady RAT

Motivation: money, politics

Page 13

Operation Night Dragon

Page 14

Night Dragon

Targeted attacks & advanced persistent threats

Page 15

Night Dragon: methodical and progressive

1. Attacker sends a spear-phishing email containing a link to a compromised web server.

2. User opens the infected email and the compromised website is accessed; a RAT is downloaded.

3. User account information and host configuration information are sent to a C&C server.

4. Attacker uses the RAT malware to conduct additional reconnaissance and system compromises and to harvest confidential data.

(Diagram labels: Internet, Email, Web, C&C)

Page 16

Operation Stuxnet

Page 17

Stuxnet

Used 20 zero-day vulnerabilities:

CVE-2010-2772 - SCADA WinCC/PCS 7 vulnerability

CVE-2010-2568 - MS10-046 - LNK

CVE-2010-2729 - MS10-061 - Print Spooler

CVE-2010-2743 - MS10-073 - Privilege escalation via keyboard layout file

CVE-2010-3338 - MS10-092 - Privilege escalation via Task Scheduler

Win32k.sys (CVE pending)

Page 18

Stuxnet

The Stuxnet Trojan was discovered in mid-June 2010 by an antimalware company in Belarus called VirusBlokAda.

It was signed with a real-looking but faked signature attributed to Realtek Semiconductor, one of the biggest producers of computer equipment.

The certificate was valid through June 10 and Stuxnet's drivers were signed in late January. It was about a week after the certificate expired that the anti-malware community first saw Stuxnet in the wild.

The malware searched the compromised system in an attempt to access the Siemens Windows SIMATIC WinCC SCADA system database. It used a hard-coded password in the WinCC Siemens system to access operational data of the control systems stored in the WinCC software's SQL database.

Page 19

Hacktivism

Page 20

Hacktivism

Anonymous group stands up for WikiLeaks

Page 21

Anonymous publishes BofA emails

Page 22

Countermeasures

Page 23

McAfee: Complete End-to-End Protection Against All Phases of APT Attacks

Steps to Protection

Step 1 Reconnaissance: Network DLP (prevents sensitive data from leaving)

Step 2 Network Intrusion: Firewall (blocks APT connections via IP reputation); Web Gateway (detects/blocks obfuscated malware); Email Gateway (blocks spear-phishing emails and links to malicious sites); Network Threat Response (detects obfuscated malware); Network Security Platform (stops malicious exploit delivery)

Step 3 Establish Backdoor: Firewall (detects/blocks APT back-channel communication); Network Threat Response (detects APT destination IPs); Application Whitelisting (prevents backdoor installation)

Page 24

McAfee: Complete End-to-End Protection Against All Phases of APT Attacks

Steps to Protection

Step 4 Install Command and Control Utilities: Web Gateway (detects/blocks access to malicious applications); Application Whitelisting (prevents unauthorized changes to systems)

Step 5 Data Exfiltration: Unified DLP (prevents data from leaving the network)

Step 6 Maintaining Persistence: Network User Behavioral Analysis (identifies unexpected user behavior during APT reconnaissance and data collection phases)

Page 25

McAfee SaaS Architecture Vision

Collaboration Proxies

Agent-based Collectors

Threat Feeds

Vulnerability Probes

Real-time Threat Analyzers

Data Protection Vaults

Authentication and Trust Brokers

Intelligent Dashboards

Page 26

McAfee SaaS Architecture Vision: an intelligent security fabric that wraps around the enterprise

Page 27

Find out more

Visit Global Micro Solutions: http://www.globalmicro.co.za