SlideShare uma empresa Scribd logo
1 de 18
Baixar para ler offline
CIS 166 Highline Community College
           February 2013
     Advanced persistent threat (APT) usually refers to a group, such
      as a foreign government, with both the capability and the intent to
      persistently and effectively target a specific entity.
     The term is commonly used to refer to cyber threats, in particular
      that of Internet-enabled espionage using a variety of intelligence
      gathering techniques to access sensitive information, but applies
      equally to other threats such as that of traditional espionage or
      attack.
     Other recognized attack vectors include infected media, supply
      chain compromise, and social engineering. Individuals, such as an
      individual hacker, are not usually referred to as an APT as they
      rarely have the resources to be both advanced and persistent even
      if they are intent on gaining access to, or attacking, a specific
      target
Source: http://en.wikipedia.org/wiki/Advanced_persistent_threat
   Bodmer, Kilger, Carpenter and Jones defined the following APT
    criteria:
       Objectives - The end goal of the threat, your adversary
       Timeliness - The time spent probing and accessing your system
       Resources - The level of knowledge and tools used in the event (skills and
        methods will weigh on this point)
       Risk tolerance - The extent the threat will go to remain undetected
       Skills and methods - The tools and techniques used throughout the event
       Actions - The precise actions of a threat or numerous threats
       Attack origination points - The number of points where the event
        originated
       Numbers involved in the attack - How many internal and external systems
        were involved in the event, and how many people's systems have different
        influence/importance weights
       Knowledge source - The ability to discern any information regarding any
        of the specific threats through online information gathering (you might be
        surprised by what you can find by a little proactive)
   Actors behind advanced persistent
    threats create a growing and
    changing risk to organizations'
    financial assets, intellectual
    property, and reputation by
    following a continuous process:

       Target specific organizations for a
        singular objective
       Attempt to gain a foothold in the
        environment, common tactics
        include spear phishing emails.
       Use the compromised systems as
        access into the target network
       Deploy additional tools that help
        fulfill the attack objective
       Cover tracks to maintain access for
        future initiatives
   Maltego
       Develop a method and standard to identify targets
        within an organization that we can social engineer
   Metasploit
       So we can write URL’s, PDF’s and other items to
        send to our target within an organization
       So we can “hack into a system” leaving behind a
        username and password for access later on
   ZenMap/NMAP
       So we can identify weak targets on a network
      Initial compromise — performed by use of Social engineering (security)
    and spear phishing, over email, using zero-day viruses. Another popular
    infection method was planting malware on a website that the victim
    employees will be likely to visit.
      Establish Foothold — plant remote administration software in victim's
    network, create network backdoors and tunnels allowing stealth access to
    its infrastructure.
      Escalate Privileges — use exploits and password cracking to acquire
    administrator privileges over victim's computer and possibly expand it to
    Windows domain administrator accounts.
      Internal Reconnaissance — collect information on surrounding
    infrastructure, trust relationships, Windows domain structure.
      Move Laterally — expand control to other workstations, servers and
    infrastructure elements and perform data harvesting on them.
      Maintain Presence — ensure continued control over access channels
    and credentials acquired in previous steps.
      Complete Mission — exfiltrate stolen data from victim's network.
Understanding advanced persistent threats (APT)
   Abuse and compromise of
    “trusted connections” is a key
    ingredient for many APTs.
    While the targeted organization
    may employ sophisticated
    technologies in order to prevent
    infection and compromise of
    their digital systems, criminal
    operators often tunnel in to an
    organization using the hijacked
    credentials of employees or
    business partners, or via less-
    secured remote offices.
   As such, almost any
    organization or remote site may
    fall victim to an APT and be
    utilized as a soft entry or
    information harvesting point.
                                       https://www.damballa.com/knowledge/advanced-persistent-threats.php
Understanding advanced persistent threats (APT)
   So when you find
    “awesome”
     Passwords
     Configurations
     Databases
     E-Mail
   The whole company
    can be yours, and
    often is
   To take short cuts
   Not think that they
    could be a victim of
    social profiling or
    grooming
   To “Friday” their job
    (not pay attention)
   To forget “details”
   To get around
    “roadblocks”
Understanding advanced persistent threats (APT)
   APT sign No. 1: Increase in elevated log-ons late at night
   APTs rapidly escalate from compromising a single
    computer to taking over the whole environment. They do
    this by reading an authentication database, stealing
    credentials, and reusing them.
   They learn which user (or service) accounts have elevated
    privileges and permissions, then go through those accounts
    to compromise assets within the environment. Often, a high
    volume of elevated log-ons occur at night because the
    attackers live on the other side of the world. If you suddenly
    notice a high volume of elevated log-ons while the
    legitimate work crew is at home, start to worry.
   Source: http://www.infoworld.com/d/security/5-signs-
    youve-been-hit-advanced-persistent-threat-
    204941?page=0,0#sthash.SouQCZzM.dpuf
   APT sign No. 2: Finding widespread backdoor Trojans
   APT hackers often install backdoor Trojan programs on
    compromised computers within the exploited environment.
    They do this to ensure they can always get back in, even if
    the captured log-on credentials get changed when the victim
    gets a clue. Another related trait: Once discovered, APT
    hackers don't go away like normal attackers. Why should
    they? They own computers in your environment, and you
    aren't likely to see them in a court of law.
   These days, Trojans deployed through social engineering
    provide the avenue through which most companies are
    exploited. They are fairly common in every environment --
    and they proliferate in APT attacks.
   Source: http://www.infoworld.com/d/security/5-signs-
    youve-been-hit-advanced-persistent-threat-
    204941?page=0,0#sthash.SouQCZzM.dpuf
   APT sign No. 3: Unexpected information flows
   If I could pick the single best way to detect APT activities, this
    would be it: Look for large, unexpected flows of data from internal
    origination points to other internal computers or to external
    computers. It could be server to server, server to client, or network
    to network.
   Those data flows may also be limited, but targeted -- such as
    someone picking up email from a foreign country. I wish every
    email client had the ability to show where the latest user logged in
    to pick up email and where the last message was accessed. Gmail
    and some other cloud email systems already offer this.
   Of course, in order to detect a possible APT, you have to
    understand what your data flows look like before your
    environment is compromised. Start now and learn your baselines.
   Source: http://www.infoworld.com/d/security/5-signs-youve-
    been-hit-advanced-persistent-threat-
    204941?page=0,0#sthash.SouQCZzM.dpuf
   APT sign No. 4: Discovering unexpected data
    bundles
   APTs often aggregate stolen data to internal
    collection points before moving it outside. Look for
    large (we're talking gigabytes, not megabytes)
    chunks of data appearing in places where that data
    should not be, especially if compressed in archive
    formats not normally used by your company.
   Source:
    http://www.infoworld.com/d/security/5-signs-
    youve-been-hit-advanced-persistent-threat-
    204941?page=0,1#sthash.Jw5b5REJ.dpuf
   APT sign No. 5: Detecting pass-the-hash hacking
    tools
   Although APTs don't always use pass-the-hash
    attack tools, they frequently pop up. Strangely,
    after using them, hackers often forget to delete
    them. If you find pass-the-hash attack tools
    hanging around, it's OK to panic a little or at least
    consider them as evidence that should be
    investigated further.
   Source:
    http://www.infoworld.com/d/security/5-signs-
    youve-been-hit-advanced-persistent-threat-
    204941?page=0,1#sthash.Jw5b5REJ.dpuf
   All the tools you used in this class help you
    understand more about APT
     If you know how to do it, you know what to look for
     If you know what to look for you know how to
      protect your company
     If you know how to protect your company, you are
      going to be one awesome Information Security
      Engineer

Mais conteúdo relacionado

Mais procurados

Persistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent ThreatsPersistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent ThreatsSameer Thadani
 
Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)mmubashirkhan
 
Apt sharing tisa protalk 2-2554
Apt sharing tisa protalk 2-2554Apt sharing tisa protalk 2-2554
Apt sharing tisa protalk 2-2554TISA
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementMayur Nanotkar
 
Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Mohammed Adam
 
Career Guidance on Cybersecurity by Mohammed Adam
Career Guidance on Cybersecurity by Mohammed AdamCareer Guidance on Cybersecurity by Mohammed Adam
Career Guidance on Cybersecurity by Mohammed AdamMohammed Adam
 
Deception Technology: Use Cases & Implementation Approaches
 Deception Technology: Use Cases & Implementation Approaches Deception Technology: Use Cases & Implementation Approaches
Deception Technology: Use Cases & Implementation ApproachesPriyanka Aash
 
Incident Response: Validation, Containment & Forensics
 Incident Response: Validation, Containment & Forensics Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & ForensicsPriyanka Aash
 
Hiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesHiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesImperva
 
Shah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
Shah Sheikh / ISACA UAE - Deep Dive on Evasive MalwareShah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
Shah Sheikh / ISACA UAE - Deep Dive on Evasive MalwareShah Sheikh
 
Cyber Security - IDS/IPS is not enough
Cyber Security - IDS/IPS is not enoughCyber Security - IDS/IPS is not enough
Cyber Security - IDS/IPS is not enoughSavvius, Inc
 
The Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules  - Detecting more with RSA Security AnalyticsThe Golden Rules  - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security AnalyticsDemetrio Milea
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hackingSaqib Raza
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
Yehia Mamdouh @ DTS Solution - The Gentleman Thief
Yehia Mamdouh @ DTS Solution - The Gentleman ThiefYehia Mamdouh @ DTS Solution - The Gentleman Thief
Yehia Mamdouh @ DTS Solution - The Gentleman ThiefShah Sheikh
 

Mais procurados (20)

Persistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent ThreatsPersistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent Threats
 
Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)
 
Apt sharing tisa protalk 2-2554
Apt sharing tisa protalk 2-2554Apt sharing tisa protalk 2-2554
Apt sharing tisa protalk 2-2554
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security Management
 
Advanced persistent threats(APT)
Advanced persistent threats(APT)Advanced persistent threats(APT)
Advanced persistent threats(APT)
 
RSA Anatomy of an Attack
RSA Anatomy of an AttackRSA Anatomy of an Attack
RSA Anatomy of an Attack
 
Vapt life cycle
Vapt life cycleVapt life cycle
Vapt life cycle
 
Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics
 
Honeypot Essentials
Honeypot EssentialsHoneypot Essentials
Honeypot Essentials
 
Career Guidance on Cybersecurity by Mohammed Adam
Career Guidance on Cybersecurity by Mohammed AdamCareer Guidance on Cybersecurity by Mohammed Adam
Career Guidance on Cybersecurity by Mohammed Adam
 
How secure are your systems
How secure are your systemsHow secure are your systems
How secure are your systems
 
Deception Technology: Use Cases & Implementation Approaches
 Deception Technology: Use Cases & Implementation Approaches Deception Technology: Use Cases & Implementation Approaches
Deception Technology: Use Cases & Implementation Approaches
 
Incident Response: Validation, Containment & Forensics
 Incident Response: Validation, Containment & Forensics Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & Forensics
 
Hiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesHiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known Vulnerabilities
 
Shah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
Shah Sheikh / ISACA UAE - Deep Dive on Evasive MalwareShah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
Shah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
 
Cyber Security - IDS/IPS is not enough
Cyber Security - IDS/IPS is not enoughCyber Security - IDS/IPS is not enough
Cyber Security - IDS/IPS is not enough
 
The Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules  - Detecting more with RSA Security AnalyticsThe Golden Rules  - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security Analytics
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
Yehia Mamdouh @ DTS Solution - The Gentleman Thief
Yehia Mamdouh @ DTS Solution - The Gentleman ThiefYehia Mamdouh @ DTS Solution - The Gentleman Thief
Yehia Mamdouh @ DTS Solution - The Gentleman Thief
 

Destaque

NTXISSACSC2 - Advanced Persistent Threat (APT) Life Cycle Management Monty Mc...
NTXISSACSC2 - Advanced Persistent Threat (APT) Life Cycle Management Monty Mc...NTXISSACSC2 - Advanced Persistent Threat (APT) Life Cycle Management Monty Mc...
NTXISSACSC2 - Advanced Persistent Threat (APT) Life Cycle Management Monty Mc...North Texas Chapter of the ISSA
 
ShadyRAT: Anatomy of targeted attack
ShadyRAT: Anatomy of targeted attackShadyRAT: Anatomy of targeted attack
ShadyRAT: Anatomy of targeted attackVladyslav Radetsky
 
APT 28 :Cyber Espionage and the Russian Government?
APT 28 :Cyber Espionage and the Russian Government?APT 28 :Cyber Espionage and the Russian Government?
APT 28 :Cyber Espionage and the Russian Government?anupriti
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM AlienVault
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)k33a
 
SIEM vs Log Management - Data Security Solutions 2011
SIEM vs Log Management - Data Security Solutions 2011 SIEM vs Log Management - Data Security Solutions 2011
SIEM vs Log Management - Data Security Solutions 2011 Andris Soroka
 

Destaque (7)

NTXISSACSC2 - Advanced Persistent Threat (APT) Life Cycle Management Monty Mc...
NTXISSACSC2 - Advanced Persistent Threat (APT) Life Cycle Management Monty Mc...NTXISSACSC2 - Advanced Persistent Threat (APT) Life Cycle Management Monty Mc...
NTXISSACSC2 - Advanced Persistent Threat (APT) Life Cycle Management Monty Mc...
 
ShadyRAT: Anatomy of targeted attack
ShadyRAT: Anatomy of targeted attackShadyRAT: Anatomy of targeted attack
ShadyRAT: Anatomy of targeted attack
 
APT 28 :Cyber Espionage and the Russian Government?
APT 28 :Cyber Espionage and the Russian Government?APT 28 :Cyber Espionage and the Russian Government?
APT 28 :Cyber Espionage and the Russian Government?
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM
 
HP ArcSight
HP ArcSight HP ArcSight
HP ArcSight
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 
SIEM vs Log Management - Data Security Solutions 2011
SIEM vs Log Management - Data Security Solutions 2011 SIEM vs Log Management - Data Security Solutions 2011
SIEM vs Log Management - Data Security Solutions 2011
 

Semelhante a Understanding advanced persistent threats (APT)

What is a Hacker (part 2): How data is stolen
What is a Hacker (part 2): How data is stolenWhat is a Hacker (part 2): How data is stolen
What is a Hacker (part 2): How data is stolenKlaus Drosch
 
Apt zero day malware
Apt zero day malwareApt zero day malware
Apt zero day malwareaspiretss
 
Parag presentation on ethical hacking
Parag presentation on ethical hackingParag presentation on ethical hacking
Parag presentation on ethical hackingparag101
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0Q Fadlan
 
Ethical hacking at warp speed
Ethical hacking at warp speedEthical hacking at warp speed
Ethical hacking at warp speedSreejith.D. Menon
 
Deep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection systemDeep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection systemAffine Analytics
 
Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...Tiffany Sandoval
 
Security & threats Presentation => (Presenter: Komal Mehfooz)
Security & threats Presentation => (Presenter: Komal Mehfooz) Security & threats Presentation => (Presenter: Komal Mehfooz)
Security & threats Presentation => (Presenter: Komal Mehfooz) Komal Mehfooz
 
Firewalls in cryptography
Firewalls in cryptographyFirewalls in cryptography
Firewalls in cryptographyT7Unknown
 
Ethical hacking ppt
Ethical hacking pptEthical hacking ppt
Ethical hacking pptNitesh Dubey
 
Cybersecurity, Hacking, and Privacy
Cybersecurity, Hacking, and Privacy Cybersecurity, Hacking, and Privacy
Cybersecurity, Hacking, and Privacy Nicholas Davis
 
Ethical hacking/ Penetration Testing
Ethical hacking/ Penetration TestingEthical hacking/ Penetration Testing
Ethical hacking/ Penetration TestingANURAG CHAKRABORTY
 
Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...
Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...
Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...Cengage Learning
 
Introduction To Information Security
Introduction To Information SecurityIntroduction To Information Security
Introduction To Information Securitybelsis
 
Ethical hacking-guide-infosec
Ethical hacking-guide-infosecEthical hacking-guide-infosec
Ethical hacking-guide-infosecCMR WORLD TECH
 
Ethical hacking-guide-infosec
Ethical hacking-guide-infosecEthical hacking-guide-infosec
Ethical hacking-guide-infosecErfan Mallick
 
Cyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat LandscapeCyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat LandscapeAaron White
 

Semelhante a Understanding advanced persistent threats (APT) (20)

What is a Hacker (part 2): How data is stolen
What is a Hacker (part 2): How data is stolenWhat is a Hacker (part 2): How data is stolen
What is a Hacker (part 2): How data is stolen
 
Apt zero day malware
Apt zero day malwareApt zero day malware
Apt zero day malware
 
Hacking
HackingHacking
Hacking
 
Parag presentation on ethical hacking
Parag presentation on ethical hackingParag presentation on ethical hacking
Parag presentation on ethical hacking
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0
 
Ethical hacking at warp speed
Ethical hacking at warp speedEthical hacking at warp speed
Ethical hacking at warp speed
 
Deep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection systemDeep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection system
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...
 
Computer security
Computer securityComputer security
Computer security
 
Security & threats Presentation => (Presenter: Komal Mehfooz)
Security & threats Presentation => (Presenter: Komal Mehfooz) Security & threats Presentation => (Presenter: Komal Mehfooz)
Security & threats Presentation => (Presenter: Komal Mehfooz)
 
Firewalls in cryptography
Firewalls in cryptographyFirewalls in cryptography
Firewalls in cryptography
 
Ethical hacking ppt
Ethical hacking pptEthical hacking ppt
Ethical hacking ppt
 
Cybersecurity, Hacking, and Privacy
Cybersecurity, Hacking, and Privacy Cybersecurity, Hacking, and Privacy
Cybersecurity, Hacking, and Privacy
 
Ethical hacking/ Penetration Testing
Ethical hacking/ Penetration TestingEthical hacking/ Penetration Testing
Ethical hacking/ Penetration Testing
 
Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...
Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...
Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...
 
Introduction To Information Security
Introduction To Information SecurityIntroduction To Information Security
Introduction To Information Security
 
Ethical hacking-guide-infosec
Ethical hacking-guide-infosecEthical hacking-guide-infosec
Ethical hacking-guide-infosec
 
Ethical hacking-guide-infosec
Ethical hacking-guide-infosecEthical hacking-guide-infosec
Ethical hacking-guide-infosec
 
Cyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat LandscapeCyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat Landscape
 

Mais de Dan Morrill

Windows power shell and active directory
Windows power shell and active directoryWindows power shell and active directory
Windows power shell and active directoryDan Morrill
 
Windows power shell basics
Windows power shell basicsWindows power shell basics
Windows power shell basicsDan Morrill
 
Understanding web site analytics
Understanding web site analyticsUnderstanding web site analytics
Understanding web site analyticsDan Morrill
 
Process monitoring in UNIX shell scripting
Process monitoring in UNIX shell scriptingProcess monitoring in UNIX shell scripting
Process monitoring in UNIX shell scriptingDan Morrill
 
Creating a keystroke logger in unix shell scripting
Creating a keystroke logger in unix shell scriptingCreating a keystroke logger in unix shell scripting
Creating a keystroke logger in unix shell scriptingDan Morrill
 
Understanding UNIX CASE and TPUT
Understanding UNIX CASE and TPUTUnderstanding UNIX CASE and TPUT
Understanding UNIX CASE and TPUTDan Morrill
 
Information security principles
Information security principlesInformation security principles
Information security principlesDan Morrill
 
Using Regular Expressions in Grep
Using Regular Expressions in GrepUsing Regular Expressions in Grep
Using Regular Expressions in GrepDan Morrill
 
Understanding the security_organization
Understanding the security_organizationUnderstanding the security_organization
Understanding the security_organizationDan Morrill
 
You should ask before copying that media
You should ask before copying that mediaYou should ask before copying that media
You should ask before copying that mediaDan Morrill
 
Cis 216 – shell scripting
Cis 216 – shell scriptingCis 216 – shell scripting
Cis 216 – shell scriptingDan Morrill
 
AWS Hadoop and PIG and overview
AWS Hadoop and PIG and overviewAWS Hadoop and PIG and overview
AWS Hadoop and PIG and overviewDan Morrill
 
What is cloud computing
What is cloud computingWhat is cloud computing
What is cloud computingDan Morrill
 
Social Media Plan for CityU of Seattle
Social Media Plan for CityU of SeattleSocial Media Plan for CityU of Seattle
Social Media Plan for CityU of SeattleDan Morrill
 
Case Studies In Social Media Chinese
Case Studies In Social Media ChineseCase Studies In Social Media Chinese
Case Studies In Social Media ChineseDan Morrill
 
Case Studies In Social Media
Case Studies In Social MediaCase Studies In Social Media
Case Studies In Social MediaDan Morrill
 
Turn On Tune In Step Out
Turn On Tune In Step OutTurn On Tune In Step Out
Turn On Tune In Step OutDan Morrill
 
Technology And The Future Of Management
Technology And The Future Of ManagementTechnology And The Future Of Management
Technology And The Future Of ManagementDan Morrill
 

Mais de Dan Morrill (19)

Windows power shell and active directory
Windows power shell and active directoryWindows power shell and active directory
Windows power shell and active directory
 
Windows power shell basics
Windows power shell basicsWindows power shell basics
Windows power shell basics
 
Understanding web site analytics
Understanding web site analyticsUnderstanding web site analytics
Understanding web site analytics
 
Process monitoring in UNIX shell scripting
Process monitoring in UNIX shell scriptingProcess monitoring in UNIX shell scripting
Process monitoring in UNIX shell scripting
 
Creating a keystroke logger in unix shell scripting
Creating a keystroke logger in unix shell scriptingCreating a keystroke logger in unix shell scripting
Creating a keystroke logger in unix shell scripting
 
Understanding UNIX CASE and TPUT
Understanding UNIX CASE and TPUTUnderstanding UNIX CASE and TPUT
Understanding UNIX CASE and TPUT
 
Information security principles
Information security principlesInformation security principles
Information security principles
 
Using Regular Expressions in Grep
Using Regular Expressions in GrepUsing Regular Expressions in Grep
Using Regular Expressions in Grep
 
Understanding the security_organization
Understanding the security_organizationUnderstanding the security_organization
Understanding the security_organization
 
You should ask before copying that media
You should ask before copying that mediaYou should ask before copying that media
You should ask before copying that media
 
Cis 216 – shell scripting
Cis 216 – shell scriptingCis 216 – shell scripting
Cis 216 – shell scripting
 
AWS Hadoop and PIG and overview
AWS Hadoop and PIG and overviewAWS Hadoop and PIG and overview
AWS Hadoop and PIG and overview
 
What is cloud computing
What is cloud computingWhat is cloud computing
What is cloud computing
 
Social Media Plan for CityU of Seattle
Social Media Plan for CityU of SeattleSocial Media Plan for CityU of Seattle
Social Media Plan for CityU of Seattle
 
BSIS Overview
BSIS OverviewBSIS Overview
BSIS Overview
 
Case Studies In Social Media Chinese
Case Studies In Social Media ChineseCase Studies In Social Media Chinese
Case Studies In Social Media Chinese
 
Case Studies In Social Media
Case Studies In Social MediaCase Studies In Social Media
Case Studies In Social Media
 
Turn On Tune In Step Out
Turn On Tune In Step OutTurn On Tune In Step Out
Turn On Tune In Step Out
 
Technology And The Future Of Management
Technology And The Future Of ManagementTechnology And The Future Of Management
Technology And The Future Of Management
 

Último

Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.EnglishCEIPdeSigeiro
 
Benefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive EducationBenefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive EducationMJDuyan
 
CAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptxCAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptxSaurabhParmar42
 
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfP4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfYu Kanazawa / Osaka University
 
Prescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxPrescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxraviapr7
 
How to Solve Singleton Error in the Odoo 17
How to Solve Singleton Error in the  Odoo 17How to Solve Singleton Error in the  Odoo 17
How to Solve Singleton Error in the Odoo 17Celine George
 
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptxPractical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptxKatherine Villaluna
 
Presentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a ParagraphPresentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a ParagraphNetziValdelomar1
 
Quality Assurance_GOOD LABORATORY PRACTICE
Quality Assurance_GOOD LABORATORY PRACTICEQuality Assurance_GOOD LABORATORY PRACTICE
Quality Assurance_GOOD LABORATORY PRACTICESayali Powar
 
How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17Celine George
 
M-2- General Reactions of amino acids.pptx
M-2- General Reactions of amino acids.pptxM-2- General Reactions of amino acids.pptx
M-2- General Reactions of amino acids.pptxDr. Santhosh Kumar. N
 
Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.raviapr7
 
The Singapore Teaching Practice document
The Singapore Teaching Practice documentThe Singapore Teaching Practice document
The Singapore Teaching Practice documentXsasf Sfdfasd
 
Human-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming ClassesHuman-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming ClassesMohammad Hassany
 
Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...raviapr7
 
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptxClinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptxraviapr7
 
CapTechU Doctoral Presentation -March 2024 slides.pptx
CapTechU Doctoral Presentation -March 2024 slides.pptxCapTechU Doctoral Presentation -March 2024 slides.pptx
CapTechU Doctoral Presentation -March 2024 slides.pptxCapitolTechU
 
Patterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptxPatterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptxMYDA ANGELICA SUAN
 
How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17Celine George
 

Último (20)

Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.
 
Benefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive EducationBenefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive Education
 
CAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptxCAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptx
 
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfP4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
 
Prescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxPrescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptx
 
How to Solve Singleton Error in the Odoo 17
How to Solve Singleton Error in the  Odoo 17How to Solve Singleton Error in the  Odoo 17
How to Solve Singleton Error in the Odoo 17
 
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptxPractical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptx
 
Presentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a ParagraphPresentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a Paragraph
 
Quality Assurance_GOOD LABORATORY PRACTICE
Quality Assurance_GOOD LABORATORY PRACTICEQuality Assurance_GOOD LABORATORY PRACTICE
Quality Assurance_GOOD LABORATORY PRACTICE
 
How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17
 
M-2- General Reactions of amino acids.pptx
M-2- General Reactions of amino acids.pptxM-2- General Reactions of amino acids.pptx
M-2- General Reactions of amino acids.pptx
 
Finals of Kant get Marx 2.0 : a general politics quiz
Finals of Kant get Marx 2.0 : a general politics quizFinals of Kant get Marx 2.0 : a general politics quiz
Finals of Kant get Marx 2.0 : a general politics quiz
 
Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.
 
The Singapore Teaching Practice document
The Singapore Teaching Practice documentThe Singapore Teaching Practice document
The Singapore Teaching Practice document
 
Human-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming ClassesHuman-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming Classes
 
Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...
 
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptxClinical Pharmacy  Introduction to Clinical Pharmacy, Concept of clinical pptx
Clinical Pharmacy Introduction to Clinical Pharmacy, Concept of clinical pptx
 
CapTechU Doctoral Presentation -March 2024 slides.pptx
CapTechU Doctoral Presentation -March 2024 slides.pptxCapTechU Doctoral Presentation -March 2024 slides.pptx
CapTechU Doctoral Presentation -March 2024 slides.pptx
 
Patterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptxPatterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptx
 
How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17
 

Understanding advanced persistent threats (APT)

  • 1. CIS 166 Highline Community College February 2013
  • 2. Advanced persistent threat (APT) usually refers to a group, such as a foreign government, with both the capability and the intent to persistently and effectively target a specific entity.  The term is commonly used to refer to cyber threats, in particular that of Internet-enabled espionage using a variety of intelligence gathering techniques to access sensitive information, but applies equally to other threats such as that of traditional espionage or attack.  Other recognized attack vectors include infected media, supply chain compromise, and social engineering. Individuals, such as an individual hacker, are not usually referred to as an APT as they rarely have the resources to be both advanced and persistent even if they are intent on gaining access to, or attacking, a specific target Source: http://en.wikipedia.org/wiki/Advanced_persistent_threat
  • 3. Bodmer, Kilger, Carpenter and Jones defined the following APT criteria:  Objectives - The end goal of the threat, your adversary  Timeliness - The time spent probing and accessing your system  Resources - The level of knowledge and tools used in the event (skills and methods will weigh on this point)  Risk tolerance - The extent the threat will go to remain undetected  Skills and methods - The tools and techniques used throughout the event  Actions - The precise actions of a threat or numerous threats  Attack origination points - The number of points where the event originated  Numbers involved in the attack - How many internal and external systems were involved in the event, and how many people's systems have different influence/importance weights  Knowledge source - The ability to discern any information regarding any of the specific threats through online information gathering (you might be surprised by what you can find by a little proactive)
  • 4. Actors behind advanced persistent threats create a growing and changing risk to organizations' financial assets, intellectual property, and reputation by following a continuous process:  Target specific organizations for a singular objective  Attempt to gain a foothold in the environment, common tactics include spear phishing emails.  Use the compromised systems as access into the target network  Deploy additional tools that help fulfill the attack objective  Cover tracks to maintain access for future initiatives
  • 5. Maltego  Develop a method and standard to identify targets within an organization that we can social engineer  Metasploit  So we can write URL’s, PDF’s and other items to send to our target within an organization  So we can “hack into a system” leaving behind a username and password for access later on  ZenMap/NMAP  So we can identify weak targets on a network
  • 6. Initial compromise — performed by use of Social engineering (security) and spear phishing, over email, using zero-day viruses. Another popular infection method was planting malware on a website that the victim employees will be likely to visit.  Establish Foothold — plant remote administration software in victim's network, create network backdoors and tunnels allowing stealth access to its infrastructure.  Escalate Privileges — use exploits and password cracking to acquire administrator privileges over victim's computer and possibly expand it to Windows domain administrator accounts.  Internal Reconnaissance — collect information on surrounding infrastructure, trust relationships, Windows domain structure.  Move Laterally — expand control to other workstations, servers and infrastructure elements and perform data harvesting on them.  Maintain Presence — ensure continued control over access channels and credentials acquired in previous steps.  Complete Mission — exfiltrate stolen data from victim's network.
  • 8. Abuse and compromise of “trusted connections” is a key ingredient for many APTs. While the targeted organization may employ sophisticated technologies in order to prevent infection and compromise of their digital systems, criminal operators often tunnel in to an organization using the hijacked credentials of employees or business partners, or via less- secured remote offices.  As such, almost any organization or remote site may fall victim to an APT and be utilized as a soft entry or information harvesting point. https://www.damballa.com/knowledge/advanced-persistent-threats.php
  • 10. So when you find “awesome”  Passwords  Configurations  Databases  E-Mail  The whole company can be yours, and often is
  • 11. To take short cuts  Not think that they could be a victim of social profiling or grooming  To “Friday” their job (not pay attention)  To forget “details”  To get around “roadblocks”
  • 13. APT sign No. 1: Increase in elevated log-ons late at night  APTs rapidly escalate from compromising a single computer to taking over the whole environment. They do this by reading an authentication database, stealing credentials, and reusing them.  They learn which user (or service) accounts have elevated privileges and permissions, then go through those accounts to compromise assets within the environment. Often, a high volume of elevated log-ons occur at night because the attackers live on the other side of the world. If you suddenly notice a high volume of elevated log-ons while the legitimate work crew is at home, start to worry.  Source: http://www.infoworld.com/d/security/5-signs- youve-been-hit-advanced-persistent-threat- 204941?page=0,0#sthash.SouQCZzM.dpuf
  • 14. APT sign No. 2: Finding widespread backdoor Trojans  APT hackers often install backdoor Trojan programs on compromised computers within the exploited environment. They do this to ensure they can always get back in, even if the captured log-on credentials get changed when the victim gets a clue. Another related trait: Once discovered, APT hackers don't go away like normal attackers. Why should they? They own computers in your environment, and you aren't likely to see them in a court of law.  These days, Trojans deployed through social engineering provide the avenue through which most companies are exploited. They are fairly common in every environment -- and they proliferate in APT attacks.  Source: http://www.infoworld.com/d/security/5-signs- youve-been-hit-advanced-persistent-threat- 204941?page=0,0#sthash.SouQCZzM.dpuf
  • 15. APT sign No. 3: Unexpected information flows  If I could pick the single best way to detect APT activities, this would be it: Look for large, unexpected flows of data from internal origination points to other internal computers or to external computers. It could be server to server, server to client, or network to network.  Those data flows may also be limited, but targeted -- such as someone picking up email from a foreign country. I wish every email client had the ability to show where the latest user logged in to pick up email and where the last message was accessed. Gmail and some other cloud email systems already offer this.  Of course, in order to detect a possible APT, you have to understand what your data flows look like before your environment is compromised. Start now and learn your baselines.  Source: http://www.infoworld.com/d/security/5-signs-youve- been-hit-advanced-persistent-threat- 204941?page=0,0#sthash.SouQCZzM.dpuf
  • 16. APT sign No. 4: Discovering unexpected data bundles  APTs often aggregate stolen data to internal collection points before moving it outside. Look for large (we're talking gigabytes, not megabytes) chunks of data appearing in places where that data should not be, especially if compressed in archive formats not normally used by your company.  Source: http://www.infoworld.com/d/security/5-signs- youve-been-hit-advanced-persistent-threat- 204941?page=0,1#sthash.Jw5b5REJ.dpuf
  • 17. APT sign No. 5: Detecting pass-the-hash hacking tools  Although APTs don't always use pass-the-hash attack tools, they frequently pop up. Strangely, after using them, hackers often forget to delete them. If you find pass-the-hash attack tools hanging around, it's OK to panic a little or at least consider them as evidence that should be investigated further.  Source: http://www.infoworld.com/d/security/5-signs- youve-been-hit-advanced-persistent-threat- 204941?page=0,1#sthash.Jw5b5REJ.dpuf
  • 18. All the tools you used in this class help you understand more about APT  If you know how to do it, you know what to look for  If you know what to look for you know how to protect your company  If you know how to protect your company, you are going to be one awesome Information Security Engineer

Notas do Editor

  1. http://www.youtube.com/watch?v=6p7FqSav6Ho&feature=player_embedded
  2. http://www.youtube.com/watch?v=bTiAuFGs0oM&feature=player_embedded