Trends in Advanced Threat Protection NZISF


Transcript of Trends in Advanced Threat Protection NZISF

Page 1: Trends in Advanced Threat Protection NZISF

© 2012 IBM Corporation

IBM Security Systems

Trends in Advanced Threat Protection

John Martin
Senior Security Architect
IBM Security Systems Division

Page 2: Trends in Advanced Threat Protection NZISF

John Martin
Senior Security Architect
IBM Security Systems Division
Security Practice Leader

http://nz.linkedin.com/pub/john-martin/1/582/604

@caute_cautim

• Ex UK Government
• Security Consultant
• Risk Management
• IBM Certified Architect
• CISSP-ISSAP
• CISM

Page 3: Trends in Advanced Threat Protection NZISF

Overview

• The Current Threat Landscape
• Analysis of Advanced Cyber Attacks
• Technologies to counter Advanced Cyber Attacks
• Conclusions

Page 4: Trends in Advanced Threat Protection NZISF


Current Threat Landscape

Page 5: Trends in Advanced Threat Protection NZISF

Advanced Threats: The sophistication of Cyber threats, attackers and motives is rapidly escalating

[Chart: adversaries plotted against motive across two decades, 1995 – 2005 (1st Decade of the Commercial Internet) and 2005 – 2015 (2nd Decade of the Commercial Internet)]

Motive axis: National Security; Monetary Gain; Espionage, Political Activism; Revenge; Curiosity

Adversary axis: Script-kiddies or hackers using tools, web-based “how-to’s”; Insiders, using inside information; Organised Crime, using sophisticated tools; Competitors, Hacktivists; Nation-state Actors; Targeted Attacks / Advanced Persistent Threat

Page 6: Trends in Advanced Threat Protection NZISF


Attacker motivations remain similar, although methods evolve

Page 7: Trends in Advanced Threat Protection NZISF


Page 8: Trends in Advanced Threat Protection NZISF

2012 Sampling of Security Incidents by Attack Type, Time and Impact

Conjecture of relative breach impact is based on publicly disclosed information regarding leaked records and financial losses

Source: IBM X-Force® Research 2012 Trend and Risk Report

Page 9: Trends in Advanced Threat Protection NZISF


Source: IBM X-Force® Research 2013 Trend and Risk Report

Page 10: Trends in Advanced Threat Protection NZISF

Hackers Steal $45 Million In 10 Hours

• Payment processor was compromised
• Targeted MasterCard pre-paid cards
• Targeted Oman based Bank of Muscat
• 12 accounts were compromised
• Card limits removed, daily limits removed
• ‘Cashing Crews’ in 24 countries given ‘track data’
• In 10 hours, ran 36,000 ATM transactions
• Sophisticated structure of an organised crime enterprise

http://www.dailymail.co.uk/news/article-2322062/Seven-cyber-hackers-caught-stealing-45-million-10-hours-second-biggest-bank-robbery-history-New-York.html

Page 11: Trends in Advanced Threat Protection NZISF

New York Times Attack

SAN FRANCISCO - For the last four months, Chinese hackers have persistently attacked The New York Times, infiltrating its computer systems and getting passwords for its reporters and other employees.

After surreptitiously tracking the intruders to study their movements and help erect better defenses to block them, The Times and computer security experts have expelled the attackers and kept them from breaking back in.

http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?pagewanted=all&_r=

Relatives of Wen Jiabao, China's Prime Minister, had accumulated a fortune worth in the billions

Page 12: Trends in Advanced Threat Protection NZISF

The New York Times

• Attack started with spear phishing on a list of employees
• The focus was to get access to journalists' email
• Accessed and downloaded emails and files
• Attackers tried to hide their tracks by using intermediary computers in the United States
• Installed various malware known to originate in a hacking group in China
• New York Times decided to rebuild all infected computers
• Out of the 45 malware instances found by Mandiant, anti-virus software had only discovered one of them

Page 13: Trends in Advanced Threat Protection NZISF

Mandiant Report – APT1 - Chinese Advanced Cyber Army

“Though our visibility of APT1’s activities is incomplete, we have analysed the group’s intrusions against nearly 150 victims over seven years. From our unique vantage point responding to victims, we tracked APT1 back to four large networks in Shanghai, two of which are allocated directly to the Pudong New Area. We uncovered a substantial amount of APT1’s attack infrastructure, command and control, and modus operandi (tools, tactics, and procedures).”

http://intelreport.mandiant.com/

Page 14: Trends in Advanced Threat Protection NZISF

APT1 - Chinese Advanced Cyber Army

• The report provides numerous details of the activities of one of the Chinese military's key cyber attack agencies
  • Unit 63918 in Shanghai
  • Location, IP address, key personnel
  • How they executed attacks
    • Spear phishing emails
    • Variety of malware used
    • Use of staging servers
    • RAR compression, encryption for data retrieval
  • Suggested hundreds of workers involved
• Used for both commercial and government espionage

Page 15: Trends in Advanced Threat Protection NZISF

RSA Security

• RSA forced to replace nearly all of its millions of tokens after security breach - RSA Security is offering to provide security monitoring or replace its well-known SecurID tokens -- devices used by millions of corporate workers to securely log on to their computers -- "for virtually every customer we have," the company's chairman Art Coviello said in an interview …

http://www.theaustralian.com.au/business/rsa-forced-to-replace-nearly-all-of-its-millions-of-tokens-after-security-breach/story-e6frgak6-1226071087832

Page 16: Trends in Advanced Threat Protection NZISF

RSA Security

• Attack started with spear phishing on a list of RSA employees listed on social media sites
• Two spear phishing emails to two small groups of employees
• Email carried “Recruitment Plan.xls” that contained a zero day exploit that installed a Remote Access Terminal (RAT)
• The first computer compromised was not the target, and the attacker collected admin credentials from other servers
• Discovered server with highly confidential two-factor authentication algorithms and “seeds”
• Collected key data, RAR compressed and encrypted, and moved to staging servers using FTP

Page 17: Trends in Advanced Threat Protection NZISF

Lockheed-Martin Attack Signals New Era of Cyber Espionage

The network of defense contractor Lockheed-Martin was attacked using counterfeit electronic keys. Since the RSA Security network was hacked and the keys to its SecurID tokens were compromised a few months ago, the world has been waiting for the proverbial other shoe to drop. Well, it dropped.

http://www.pcworld.com/article/228927/lockheedmartin_attack_signals_new_era_of_cyber_espionage.html

Page 18: Trends in Advanced Threat Protection NZISF


Analysis of Advanced Cyber Attacks

Page 19: Trends in Advanced Threat Protection NZISF

Advanced Persistent Threat

• The term was defined by information security analysts in the US Air Force in 2006
• Advanced: The attacker is an expert in cyber intrusion methods and is capable of crafting custom exploits and tools.
• Persistent: The attacker has a long-term objective and will persistently work to achieve it without detection and without regard for time.
• Threat: The attacker is organised, funded, well trained, and highly motivated.

Page 20: Trends in Advanced Threat Protection NZISF

APT Attack LifeCycle

• The lifecycle of an APT Attack is consistent:
  • Stage 1: Initial intrusion through system exploitation
  • Stage 2: Malware is installed on compromised system
  • Stage 3: Outbound connection is initiated
  • Stage 4: Attacker spreads laterally
  • Stage 5: Compromised data is extracted

Reference: “The Definitive Guide to Next Generation Threat Protection”, http://www2.fireeye.com/definitive-guide-next-gen-threats.html

Page 21: Trends in Advanced Threat Protection NZISF

Stage 1: Initial intrusion through system exploitation

• System exploits arrive through
  • Web: The exploit code is embedded within a Web object (e.g., JavaScript, JPG)
  • Email: The exploit code is embedded within a file (e.g. XLS, PDF, ZIP)
• Aim is to compromise the vulnerable OS or application, enabling an attacker to run code
• The code is usually a small script for making a call-back.
• In the RSA example, an employee was tricked into opening a file “Recruitment Plan.xls”

Page 22: Trends in Advanced Threat Protection NZISF

Stage 2: Malware is installed on compromised system

• The script code is executed, enabling malware to be installed on the compromised system
• There is often a hidden address referring to a dropsite
• This dropsite is unrelated to the initial point of infection, and may be temporary (e.g. a compromised cloud VM)
• At the end of this phase there is a Remote Administration Tool (RAT) installed on the end point

Page 23: Trends in Advanced Threat Protection NZISF

Stage 3: Outbound connection is initiated

• The RAT phones home to a C&C server operated by the attacker
• The connection is often not identified, e.g. over HTTPS, which looks to the infrastructure like a user browsing the web
• Bypasses traditional firewalls and IPSs, which allow session traffic to flow bi-directionally if initiated from within the trusted network.
• The C&C server then issues the RAT instructions
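The deck's point on this slide is that an HTTPS call-back is indistinguishable from browsing to a boundary device. What it does leave behind is timing: a RAT checks in on a schedule, people do not. The following is an added example, not code from the deck or from IBM, that scores outbound proxy sessions per (source, destination) pair by how regular their inter-arrival gaps are. The log format (timestamp, source, destination:port, bytes), the sample lines, and the thresholds for minimum session count and acceptable jitter are all constructed assumptions for the demonstration.

```python
"""Beacon detection over outbound proxy log lines (added example, not from the deck).

A C&C 'phone home' over HTTPS looks like a user browsing, but a RAT typically
checks in on a timer, so the gap between successive connections from one
internal host to one external destination is far more regular than human
browsing. Flag (src, dst) pairs whose gaps cluster tightly around a mean.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (timestamp src dst:port bytes); not real traffic.
SAMPLE_LOG = """\
2013-05-01T09:00:00 10.1.2.7 203.0.113.5:443 412
2013-05-01T09:00:31 10.1.2.7 198.51.100.9:443 5210
2013-05-01T09:05:00 10.1.2.7 203.0.113.5:443 410
2013-05-01T09:10:01 10.1.2.7 203.0.113.5:443 415
2013-05-01T09:12:44 10.1.2.7 198.51.100.9:443 9877
2013-05-01T09:14:59 10.1.2.7 203.0.113.5:443 411
2013-05-01T09:20:00 10.1.2.7 203.0.113.5:443 413
2013-05-01T09:33:10 10.1.2.7 198.51.100.9:443 1234
"""


def parse_log(text):
    """Yield (timestamp, src, dst) tuples from the whitespace-separated log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        yield datetime.fromisoformat(ts), src, dst


def find_beacons(text, min_connections=5, max_jitter=0.1):
    """Return a list of suspected beacons.

    A (src, dst) pair is reported when it has at least `min_connections`
    sessions and the coefficient of variation (stdev / mean) of the gaps
    between them is below `max_jitter`. Both thresholds are tuning knobs
    chosen for this example; a real deployment also allowlists known
    software-update and telemetry endpoints, which beacon legitimately.
    """
    sessions = defaultdict(list)
    for ts, src, dst in parse_log(text):
        sessions[(src, dst)].append(ts)

    findings = []
    for (src, dst), times in sessions.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter < max_jitter:
            findings.append({
                "src": src,
                "dst": dst,
                "count": len(times),
                "period_s": round(avg, 1),
                "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} sessions "
              f"every ~{hit['period_s']}s (jitter {hit['jitter']})")
```

On the sample data the five sessions to 203.0.113.5:443 sit 300 seconds apart with negligible jitter and are reported; the three sessions to 198.51.100.9:443 are too few and too irregular. Raising `min_connections` trades faster alerting for fewer false positives from short-lived periodic traffic.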

Page 24: Trends in Advanced Threat Protection NZISF

Stage 4: Attacker spreads laterally

• The initial breach is to get a “foothold” and is not the target
• The aim is now to spread laterally, looking for other hosts
• Possibly download other malware, or just use remote access tools already available from the OS, or go after directories (Active Directory / LDAP)
• Obtain credentials of admin users. Continually escalate privileges
• The end goal is to get to high value servers, e.g. databases

Page 25: Trends in Advanced Threat Protection NZISF

Stage 5: Compromised data is extracted

• The attacker has three challenges
  • Size of data is very large (often gigabytes). How to get this out without triggering anomaly detection engines
  • The receiving host can't be linked back to the attacker
  • Transferred data does not trigger a DLP system
• Often split data into very small pieces using RAR files for transfer, e.g. part1.rar, part2.rar
• Usually use a third party server for staging area. Cloud based sites are often the target.
• Encrypt the RAR data to hide from DLP
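Each of the three choices on this slide (numbered RAR parts, encryption, a third-party staging host) solves an attacker problem but leaves a signal a content-blind DLP or upload log can still see. The following is an added example, not code from the deck or from IBM, that inspects a batch of outbound file transfers for a numbered series of archive parts to one external host, for payloads whose byte entropy is near the maximum (encrypted or compressed content that DLP cannot read), and for the RAR signature hidden behind an unrelated extension. The transfer records, the pseudo-random stand-in for encrypted content and the entropy threshold are constructed assumptions; the RAR signature bytes are the real ones.

```python
"""Exfiltration-staging indicators on outbound file transfers (added example, not from the deck)."""
import hashlib
import math
import re
from collections import Counter, defaultdict

# Common prefix of the RAR 4.x and RAR 5 archive signatures.
RAR_MAGIC = b"Rar!\x1a\x07"
# Matches multi-part naming such as report.part1.rar / report_part2.rar.
PART_RE = re.compile(r"^(?P<base>.+?)[._-]?part(?P<n>\d+)\.rar$", re.IGNORECASE)


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for a constant, close to 8.0 for encrypted/random data."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def looks_like_rar(data):
    """True if the payload starts with the RAR signature, whatever the file is called."""
    return data.startswith(RAR_MAGIC)


def pseudo_random_bytes(seed, length):
    """Deterministic stand-in for encrypted content (constructed test data only)."""
    out = bytearray()
    block = seed.encode()
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


# Constructed upload records: (destination host, file name, payload bytes).
SAMPLE_TRANSFERS = [
    ("203.0.113.5", "report.part1.rar", RAR_MAGIC + pseudo_random_bytes("p1", 4096)),
    ("203.0.113.5", "report.part2.rar", RAR_MAGIC + pseudo_random_bytes("p2", 4096)),
    ("203.0.113.5", "report.part3.rar", RAR_MAGIC + pseudo_random_bytes("p3", 4096)),
    ("203.0.113.5", "holiday.jpg", RAR_MAGIC + pseudo_random_bytes("p4", 4096)),
    ("198.51.100.9", "minutes.txt", b"Minutes of the weekly status meeting. " * 100),
]


def find_exfil_indicators(transfers, entropy_threshold=7.5):
    """Return the three indicator classes found in a batch of outbound transfers."""
    series = defaultdict(list)   # (dst, base name) -> part numbers seen
    high_entropy = []            # files DLP cannot inspect by content
    disguised = []               # RAR by signature but not by extension
    for dst, name, payload in transfers:
        m = PART_RE.match(name)
        if m:
            series[(dst, m.group("base"))].append(int(m.group("n")))
        if shannon_entropy(payload) >= entropy_threshold:
            high_entropy.append(name)
        if looks_like_rar(payload) and not name.lower().endswith(".rar"):
            disguised.append(name)
    multipart = [
        {"dst": dst, "base": base, "parts": sorted(parts)}
        for (dst, base), parts in series.items()
        if len(parts) >= 2
    ]
    return {
        "multipart_series": multipart,
        "high_entropy": high_entropy,
        "disguised_archives": disguised,
    }


if __name__ == "__main__":
    for kind, hits in find_exfil_indicators(SAMPLE_TRANSFERS).items():
        print(f"{kind}: {hits}")
```

The entropy check is the one that survives renaming and re-packaging: plain documents land well under 5 bits per byte, while encrypted archive bodies sit above 7.9, so a burst of near-8.0 uploads to an external host that has never been seen before is worth an analyst's time even when no filename pattern matches.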

Page 26: Trends in Advanced Threat Protection NZISF

Finally, Cover Tracks

• The following are tactics that APT attackers employ during and after the attack to minimize the risk of detection:
  • Planting alternate malware to distract the IT security staff and keep them busy doing other things.
  • Deleting the compressed files after they’ve been extracted from the staging server.
  • Deleting the staging server if it’s hosted in the cloud, or taking it offline if it is under the attacker's control.
  • Uninstalling malware at the initial point of entry and on any other servers
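Taken one at a time, none of the events in Stages 1 to 4 is alarming: a user opened an attachment, a process started, a workstation made an HTTPS connection, an account logged on to a server. Seen in that order on one host inside a short window they are the lifecycle the preceding slides describe, and by the time the "cover tracks" stage runs the staging server away, this ordered trail on the victim side is what remains. The following is an added example, not code from the deck or from IBM, that correlates a stream of single events into one incident per host by walking the stage order within a time window. The event types, field names, sample events and window length are constructed assumptions.

```python
"""Correlating single events into an APT-lifecycle incident (added example, not from the deck)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Detection chain in lifecycle order: stage label -> event type that evidences it.
CHAIN = [
    ("stage1_initial_intrusion", "attachment_opened"),
    ("stage2_malware_installed", "process_created_userpath"),
    ("stage3_outbound_cnc", "outbound_connection"),
    ("stage4_lateral_movement", "remote_logon"),
]

# Constructed sample events (not real telemetry), interleaved with unrelated noise.
SAMPLE_EVENTS = [
    {"time": "2013-05-01T09:00:00", "host": "ws-17", "type": "attachment_opened",
     "detail": "Recruitment Plan.xls"},
    {"time": "2013-05-01T09:00:20", "host": "ws-42", "type": "outbound_connection",
     "detail": "198.51.100.20:443"},
    {"time": "2013-05-01T09:00:45", "host": "ws-17", "type": "process_created_userpath",
     "detail": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"},
    {"time": "2013-05-01T09:01:10", "host": "ws-17", "type": "outbound_connection",
     "detail": "203.0.113.5:443"},
    {"time": "2013-05-01T09:20:00", "host": "ws-17", "type": "remote_logon",
     "detail": "srv-db-01 as jdoe"},
    {"time": "2013-05-01T11:30:00", "host": "ws-42", "type": "attachment_opened",
     "detail": "invoice.pdf"},
]


def correlate(events, window_minutes=30, min_stages=3):
    """Return one incident per host where at least `min_stages` chain stages
    occur in order within `window_minutes` of the initial-intrusion event.

    Each incident carries the matched stages as (label, time, detail) tuples
    so an analyst sees the evidence, not just a score.
    """
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append({**e, "ts": datetime.fromisoformat(e["time"])})

    incidents = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, anchor in enumerate(evs):
            if anchor["type"] != CHAIN[0][1]:
                continue
            matched = [(CHAIN[0][0], anchor["time"], anchor["detail"])]
            next_stage = 1
            for e in evs[i + 1:]:
                if next_stage >= len(CHAIN) or e["ts"] - anchor["ts"] > window:
                    break
                if e["type"] == CHAIN[next_stage][1]:
                    matched.append((CHAIN[next_stage][0], e["time"], e["detail"]))
                    next_stage += 1
            if len(matched) >= min_stages:
                incidents.append({"host": host, "start": anchor["time"], "stages": matched})
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(f"Incident on {inc['host']} starting {inc['start']}:")
        for label, when, detail in inc["stages"]:
            print(f"  {when}  {label:<26} {detail}")
```

With the defaults, ws-17 produces a four-stage incident and ws-42 produces nothing: its lone outbound connection has no preceding stage, and its attachment event is never followed up. Shrinking the window to ten minutes drops the lateral-movement logon (twenty minutes after the anchor) but still reports the first three stages, which is the usual trade-off between catching slow actors and keeping the window tight enough that unrelated events do not chain.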

Page 27: Trends in Advanced Threat Protection NZISF


Technology to counter Advanced Cyber Attacks

Page 28: Trends in Advanced Threat Protection NZISF

Strong Enterprise Boundary – not sufficient as only control

• Strong enterprise boundaries
  • Firewalls
  • Intrusion Prevention Systems (IPS)
• Problems
  • Attackers are bypassing the enterprise boundary
    • USB sticks
    • Spear Phishing attacks
  • The boundary is designed to stop entry and not exit
  • C&C connections originating on the inside are not blocked (HTTPS)

Page 29: Trends in Advanced Threat Protection NZISF

Intrusion Prevention Systems – Signature Based not sufficient

• Zero-day attacks
  • No signature
• Polymorphic malware
  • Mutating
• Signature (e.g. SNORT) based IPS cannot detect modern attacks
  • Need
    • Deep packet inspection
    • Protocol aware
    • Heuristics aware
    • All ports/all protocols

Page 30: Trends in Advanced Threat Protection NZISF


Next Generation Devices

Page 31: Trends in Advanced Threat Protection NZISF

Endpoint Fraud Detection Technologies

• Prevent fraud on the end user’s laptop or desktop
  • Windows, OSX, Linux
  • Preventing malware being installed
  • Removing malware already installed
  • NOT Anti-virus
• Not based on signatures
  • Based on “invariant characteristics” of malware
• Also provide
  • patch protection
  • module loading protection
  • anti-screenshot
  • anti-keylogging
  • …

Page 32: Trends in Advanced Threat Protection NZISF

Endpoint Fraud Detection Technologies

• Prevent fraud on the end user’s mobile
  • Mobile SDK
    • Build applications from SDK
    • detect and remove malware, detect “jailbreaking”, pharming attacks ..
  • Mobile Browser
    • Built from SDK with same malware capabilities
• Mobile will soon be more secure than desktop computing
• Out of Band Authentication
• Risk Based Authentication
• Device “fingerprinting”
  • Precise determination of mobile device
  • Device management

Page 33: Trends in Advanced Threat Protection NZISF

Detecting and Profiling Malware

• Execute files in a safe environment
  • Web interactions
  • Email attachments
  • Scan file systems
  • Create MD5 signatures
• Understand the characteristics of the malware
  • IP Address / URLs
  • Cloud Based Interaction
• Sandboxes aim to stay ahead of malware
  • Change clock if dormant
  • Hide the fact that it is a sandbox
    • mouse driver

Page 34: Trends in Advanced Threat Protection NZISF


Next Generation SIEM - Detecting when something has gone wrong

Page 35: Trends in Advanced Threat Protection NZISF


Conclusions

Page 36: Trends in Advanced Threat Protection NZISF

Conclusions

• It's time to disconnect
  • No email, no Internet, no electricity, no APTs

OR

• It's time for security architects to understand the advanced threats we are facing
  • To change their thinking about protection
• Understand that you may have already been hacked
• Look at new technologies and approaches for dealing with the threat

Page 37: Trends in Advanced Threat Protection NZISF


ibm.com/security