3. Context: Key Security Trends
• Challenging threat landscape
• Strategic importance of information
• Evolving infrastructure
• Increasing complexity
Advanced Persistent Threats: Cutting Through the Hype 3
4. Why APTs Are Getting Attention Now
• Adversaries are evolving
• Attack surface is growing
• Private is now public
5. Getting it Straight: Definition of an APT
What is an Advanced Persistent Threat?
• Active, targeted, long-term campaign
• Tries to remain in place & undetected for an extended period
• Includes multiple “kill chains” in parallel to ensure success
• Mutates and adapts to evade detection
• Well organized and resourced
What isn’t an Advanced Persistent Threat?
• An individual attack (drive-by-download, SQL injection)
• Smash & grab cybercriminal op for mere financial gain
• Run of the mill malware infection
6. How Are Targeted Attacks and APTs Related?
An APT is always a targeted attack, but a targeted attack is not necessarily an APT.
(Diagram: APTs shown as a subset of Targeted Attacks)
7. Why Should You Care About APTs?
Information is power
• It can have strategic value to nation states
• Can have immense financial value to your adversaries
APTs are very real and quite serious
• Means of attack via APT have advanced considerably
• Even if you are not a target, you need to understand them
You need to reconsider security protections now in place
• Today’s APT technique is tomorrow’s standard practice
• Must look at reinforcements to defense-in-depth now
8. How They Work: Advanced Persistent Threats
1. INCURSION: Attacker breaks into the network by delivering targeted malware to vulnerable systems and employees
2. DISCOVERY: Hacker then maps the organization’s defenses from the inside and creates a battle plan
3. CAPTURE: Accesses data on unprotected systems; installs malware to secretly acquire data or disrupt operations
4. EXFILTRATION: Data sent to the enemy’s “home base” for analysis and further exploitation/fraud
9. Key Differences: Incursion
Phase 1, Incursion: Attacker breaks into the network by delivering targeted malware to vulnerable systems and employees
Goal: Establish a beachhead for the campaign
APT Methods:
• Reconnaissance using non-public resources
• Innovative social engineering
• Exploit 0-day vulnerabilities
• Rarely automated
10. Key Differences: Discovery
Phase 2, Discovery: Hacker then maps the organization’s defenses from the inside and creates a battle plan
Goal: Ensure the kill-chain is not compromised
APT Methods:
• Examine infected systems
• Exploit SW/HW vulnerabilities
• Gather credentials & passwords
• Monitor for other resources or access points
• Deploy multiple parallel “kill chains”
• Go “low and slow” to avoid detection
11. Key Differences: Capture
Phase 3, Capture: Accesses data on unprotected systems; installs malware to secretly acquire data or disrupt operations
Goals:
• Long-term occupancy and/or
• Disruption of physical operations
• Capture of crucial data
APT Methods:
• Ongoing capture of data
• Manual analysis of data
12. Key Differences: Exfiltration
Phase 4, Exfiltration: Data sent to the enemy’s “home base” for analysis and further exploitation/fraud
Goal: Get valuable data back to home base
APT Methods:
• P2P networks
• Clear text
• Onion routing applications
• Encryption
• Steganography
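As an added example (not code from the deck or its author), the “low and slow” behaviour named in the Discovery and Exfiltration slides can be surfaced from outbound proxy logs by looking for many small, evenly spaced transfers from one host to one destination. The log lines, host names and thresholds below are constructed assumptions.

```python
# Added example: flag "low and slow" outbound transfers in constructed proxy-log
# lines (timestamp, source host, destination host, bytes sent). Not deck code.
from collections import defaultdict
from datetime import datetime

# Constructed sample log: ws-17 sends ~1.8 KB to one host every hour overnight.
SAMPLE_LOG = """\
2011-05-01T01:05:00 ws-17 cdn.example-update.net 1800
2011-05-01T02:05:00 ws-17 cdn.example-update.net 1750
2011-05-01T03:05:00 ws-17 cdn.example-update.net 1820
2011-05-01T04:05:00 ws-17 cdn.example-update.net 1790
2011-05-01T05:05:00 ws-17 cdn.example-update.net 1810
2011-05-01T09:12:00 ws-17 mail.example.com 240000
2011-05-01T09:40:00 ws-22 intranet.example.com 5000
2011-05-01T10:02:00 ws-22 intranet.example.com 91000
"""

def parse_log(text):
    """Parse 'timestamp src dst bytes' lines into dicts, skipping blanks."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, nbytes = line.split()
            records.append({"ts": datetime.fromisoformat(ts), "src": src,
                            "dst": dst, "bytes": int(nbytes)})
    return records

def find_low_and_slow(records, min_events=4, max_bytes=4096, max_jitter=0.2):
    """Flag (src, dst) pairs with >= min_events transfers that are all small
    and evenly spaced (gap deviation <= max_jitter * mean gap). Thresholds are
    assumptions to tune per environment."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r)
    findings = []
    for (src, dst), rs in by_pair.items():
        rs.sort(key=lambda r: r["ts"])
        if len(rs) < min_events or any(r["bytes"] > max_bytes for r in rs):
            continue
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(rs, rs[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) / mean <= max_jitter:
            findings.append({"src": src, "dst": dst, "events": len(rs),
                             "total_bytes": sum(r["bytes"] for r in rs),
                             "mean_interval_s": mean})
    return findings

if __name__ == "__main__":
    for f in find_low_and_slow(parse_log(SAMPLE_LOG)):
        print(f)
```

Only the hourly trickle from ws-17 is reported; the single large mail upload and the two intranet transfers do not meet the event-count and size criteria.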
13. APT or Not?
• Hydraq (Aurora)
• RSA SecurID Incident
• Anonymous / LulzSec
• Stuxnet
• Conficker
15. Emerging Techniques Used by APTs
• Spamming to disguise the intended target
• Using off-the-shelf malware to hide real type of attack
• Steganography to hide communication with C&C server
• Attacking web mail accounts to avoid enterprise network
• IP cloaking
• Layer -1 attacks
16. Common Techniques Used by APTs
Social Engineering (diagram): the Attacker sends the Victim a lure link, http://example.com/abc.html
17. Common Techniques Used by APTs
Payload Install and Execution (diagram): the Victim opens http://example.com/abc.html, which is served by a Malicious Server; a Backdoor Program is installed on the Victim’s machine, communicates with the Malicious Server, and Confidential Information flows back to the Attacker
18. How Big is the Problem?
More than 3 billion malware attacks in 2010
1 in 25 customer organizations have been targeted
U.S. Cyberwarfare Doctrine is under development
Sources: Symantec Internet Security Threat Report, 2011
Message Labs Intelligence Report, 2011
Foreign Policy Magazine, May 3, 2011
19. What Can You Do?
Security Assessments to Reveal Gaps in Protection
• Data Loss Risk Assessment
• Vulnerability Assessment
• Malicious Activity Assessment
• Targeted Attack Assessment
Advisory Services
• Penetration Testing
• Vulnerability Assessment
• Security Program Assessment