O slideshow foi denunciado.
Seu SlideShare está sendo baixado. ×

International Cooperative: APT Hunting


Confira estes a seguir

1 de 39 Anúncio

Mais Conteúdo rRelacionado

Diapositivos para si (19)

Semelhante a International Cooperative: APT Hunting (20)


Mais recentes (20)

International Cooperative: APT Hunting

  1. 1. International Cooperative APT Hunting
  2. 2. Andre Ludwig Current: CTO - Global Cyber Alliance Past: CEO - Honeynet Project Sr Technical Director - Novetta Principal Security Engineer -DARPA
  3. 3. Zachary Hanif Current: Head of Security Data Machine Learning - Capital One Past: Director of Applied Data Science - Novetta Holmes-Totem Principal Data Scientist - Endgame BinaryPig
  4. 4. So you want to hunt APT's?
  5. 5. 01What is an “APT”? What does APT stand for? A basic history of the term How has this term evolved over time?
  6. 6. Where did the term come from? Advanced Persistent Threats: Originated from a term created by Colonel Greg Rattray (USAF) in 2006 to describe a certain “class” of threat actor that the USAF was dealing with.
  7. 7. An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltration of information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.” –National Institute of Standards and Technology What is the Official definition?
  8. 8. Catch all phrase for any attacker or group of attackers who demonstrate persistence and/or sophistication in their attempts to gain unauthorized access to computers/networks/data. AKA CHINA/RUSSIA/US/UK/HackTeam/FinFisher/Anyone who ever used Metasploit How people (mis)use the term
  9. 9. ● APT tends to get thrown around a great deal (THANKS MARKETING DEPT!) ● Too often, it becomes a byword for “state sponsored” or “technically sophisticated” malware ○ This is not nuanced, and can misrepresent reality ○ Many professionals dislike the term as a result ● In general, the actor is the differentiating factor, not the malware itself ○ Technical sophistication is not the sole meaning of “Advanced” in APT Resultant Confusion
  10. 10. 02The reality of APTs Introduction to the Intelligence Process Realities of APT’s
  11. 11. ● Nation states are typically APTs, but not all APTs are nation states. ● Multistage, long term attacks, focused on their strategic objectives ● Not necessarily deep technical sophistication through the tool chain ● Attack vectors and persistence strategies range widely, even into the physical realm ● Attacker probability of success approaches 1 over time (sooner or later, they’ll achieve their goals) ○ These are players on the world stage at the end of the day ○ This is their full-time job, and there is a large support structure around most operations Realities of APTs
  12. 12. 03Interacting with APTs Good guy motivations Cautionary tales Knowing when to stop (or continue) Appropriate responses
  13. 13. ● Defense of an organization, network, customer base, etc ● Public Participation in an effort/PR and marketing ○ Potential sales by being seen as “experts” ○ Personal/organizational fame ● General “internet cleanliness” ● Political motivations ○ The support of or opposition to an actor or victim ○ This can be seen in the candidate selection process and reporting style ● Desire to have an impact against “the bad guys” Good Guy’s motivations
  14. 14. ● Ok, so you’ve muscled onto the stage of geopolitics...now what? ○ It’s strongly unlikely that you are prepared to tango here ● Interacting with an APT is a very delicate thing, with many concerns ○ Public Attribution? ■ What are the goals? ○ What kind of escalation may occur? ■ Against individuals, organizations, our home countries, etc? ■ rm -rf / (aka Sony attacks) ■ DDOS attacks?!? ■ Non cyber related escalations? ■ Or do they just re-tool and do the same old stuff? ● Think how an organized group would react to their prized tool being removed from their toolset, what's the next best tool? World Stage
  15. 15. ● Ok, let’s say it IS a nation-state behind things ● Maybe they retaliate? ○ PII leaks against people or organizations? ○ Blackmail? ○ Kinetic retaliation? ● Potential Diplomatic issues? ○ Official statements made by national representatives ○ Complicate ongoing official investigations ■ Intel gain/loss concerns ● Potential Personal Security Issues? ○ Increased interest by international LE/Intel agencies? ● Economic impacts on participating organizations ○ Sanctions, “lost paperwork”, other economic punishment World Stage pt2
  16. 16. 04The Generic Process of Interdiction Target Selection Setting of strategic goals Discovery process Knowledge creation Planning of actions Impact Assessment Dealing with follow up responses
  17. 17. ● Infection populations ○ Analysis of overall infections from telemetry of partners ● Overall threat and harm ○ What does the threat do, how, why, etc ● Random selection ○ No really, just randomly select from a list ○ Darts are also good ● Based on industry the threat targets ○ Sector based threats (retail banking, energy sector, etc) ● Some “basic” analysis is being done at this step already ○ Type of threat ○ Type of victims ○ Potential impact of mitigating the threat Target Selection
  18. 18. ● What does the end result look like ○ Slowing the actor’s progress? ○ Bringing the actor’s actions to the general public knowledge? ○ Stopping the actor entirely (rarely, if ever) ● Participants ○ Multi organizational effort? ○ Inclusion of law enforcement? ○ Inclusion of national security apparatus? ● What level of reporting should be done ○ Full exhaustive reporting or something lighter? ○ Should you only publish signatures (av/IDS)? ● Analysis and understanding of the threat should be pushed forward by this step as well Setting of Strategic Goals
  19. 19. ● Sample discovery though open measures ○ Trolling of private industry sources ○ VirusTotal ● Sample Collection from private sources ○ Sample trading ○ Group/Partner contributions ● Infrastructure mapping ○ Domain name analysis (passive DNS) ○ Port scanning ○ Whois analysis ● Identifying what other parties you’re likely conflicting with ○ Or, in Blockbuster, might conflict with you Discovery Process
  20. 20. ● Capturing background data ○ Previous reporting ○ Daily news (geopolitical issues/conflicts/tensions) ● Dynamic malware analysis ○ Generates limited data quickly! ○ Can aid in “basic” clustering of malware families ● Reverse engineering output ○ Capture and instrumentation of reverse engineering process ○ Only real way to cluster families with strong confidence ● Potentially related attacks by the actor ○ Previous reporting ○ Previous misreporting ● TTP mapping and signature generation ○ You can find a large repository of good resources on past APT’s here Knowledge Creation
  21. 21. ● Level of involvement with ecosystem maintainers and owners ● Strategy for marketing and publication ● Strategy for group management and coordinated release ● Deconfliction with other organizations which may be independently pursuing the actor ● Timelines for public reporting, and which components of research to be released ○ Written agreements and NDAs ○ Continual group communication ● Definitions of operational security measures ○ Encrypted email and other digital communications ○ Discussion only with small, known groups Planning of Actions
  22. 22. ● Important to know if your efforts had any meaningful effect, or were just hot air ○ Measurement is hard, and is always a cooperative process ● Telemetry gathering and analysis ○ Partners are likely the best mechanism for gathering this data ○ Victims are often incentivized to not report additional problems ● Long-term information gathering ○ Monitoring for TTPs or other indicators of infrastructure reuse ○ This can include wide-spectrum scanning for some threat infrastructure Impact Assessment
  23. 23. ● Most actors will not go away after a single operation ○ Or for that matter, any number of operations ○ Can actually be an indicator of success, an attempted compromise ○ This reinfection can be across a vertical (other, similar orgs) ● Anti-APT efforts are a continual struggle - just like us, these actors make their living through this activity ● Likely, even if the actors abandon their efforts, the infection will not be cleaned worldwide, and multiple stages of signatures, etc will need to be pushed ● In some situations, you might never know exactly how effective your efforts were - for good and bad Follow Up
  24. 24. 05Prior Takedowns Storm Conficker Waledec Operation SMN Operation Blockbuster
  25. 25. ● First real P2P botnet ○ Focused on spam ○ Heavily monetized ● Several parallel researchers were “messing with the botnet” ○ P2P poisoning, C2 take overs, etc. ● Microsoft and other large Vendors pushed “detections” ○ MS pushed a MSRT update ○ Honeynet pushes out Stormfucker tool ● Actors behind the botnet start to slice it up and sell it off ● New version appears: Stormbot 2 ● Authors may have moved on to other things?!? Storm Botnet
  26. 26. ● Started as a worm exploiting MS08-067 ○ Spread at an alarming rate ○ Multiple infection vectors ● Multiple Generations of malware (three major versions) ● Very suspicious functionality (Ukrainian keyboard detection) Conficker
  27. 27. ● Operation B49 by microsoft 2010 ○ Via legal action MS took control of 276 c2 domains used by the bot ● Attempt by Dell Secureworks/Kaspersky/Honeynet to take down Kehlios.b in 2012 ○ Worked for a few weeks, but two weeks later actors introduced a new version .c with new protocols being used. ● 2013 Kehlios.c live take down on stage at Black Hat by Tillmann Werner ● Different malware families have been installed by the various versions over the years ● Effects: ○ Multiple generations of botnet (authors really liked to make $$) Waledec/Kehlios
  28. 28. ● Discovery ○ Brought to our attention by our customers ○ Discovered malware on their networks, and wanted to investigate ● Actor ○ Highly coordinated group of actors ○ Appeared to have a multi-stage victim funnel ○ Primarily engaged in information theft ● Techniques/TTPs (report) ○ Initial method of infection varied (phishing, watering hole attacks) ○ Heavy use of compromised/misappropriated infrastructure ○ Later stages were very “smash and grab” oriented Operation SMN
  29. 29. ● Resultant Tooling and Lessons ○ Interdiction group coordination (rosetta stone, announcements) ○ Coordinated press releases are hard ○ Large scale infrastructure scanning and collection ○ Static analysis and machine learning (Skald/Holmes-Totem) ■ Large sample sets are hard for everyone to work with ■ Became large open source project, partnership with TUM and GSoC (hi George, Christian, Marcel, Max) ● Nine public industry partners involved ○ First coordinated industry effort against an APT group ● Purpose was to expose and clean the entire toolset used by the threat actor ○ Coordinated high quality signature release across partners ○ Shared those signatures on “publication” date with 155 other security vendors across the globe Operation SMN
  30. 30. ● Led to follow up reporting ○ Bad guys shifted, found new tools at last minute ○ This is a good thing: forced the retooling goal we were looking for ● Effects: ○ Public FBI assertion that the attacks originated from China ○ Decrease in attacks attributed to this group ○ Reduction/Disappearance of some of the specialized tools from use Operation SMN
  31. 31. ● Discovery ○ Very public announcement of hack by the attackers ○ We got involved after becoming frustrated with follow-on reporting ● Actor ○ Strong operational capabilities, issues with technical implementation ● Techniques/TTPs ○ Extremely detailed internal knowledge of the target ● Resultant Tooling and Lessons ○ Machine learning based triage system ○ Function/malware clustering algorithm ○ Big take away - a small team can have a huge effect on keeping the Internet safe Operation Blockbuster
  32. 32. ● Coordinated AV push ○ Kaspersky, AlienVault, Symantec, TrendMicro, netrisk.io, other private and public participants ● Large scale distribution of in depth RE/Technical info to industry ○ Main resources page ● Public reporting of TTP's ○ Securelist Blog Announcement ● Effects ○ Thousands of infections detected and cleaned (that we know of) ○ Swift banking attacks attributed to Lazarus Group (951 million attempted, 81 Million laundered) ○ Continued interest and larger working base of knowledge in industry Operation Blockbuster
  33. 33. 06Future of Interdictions GCA Takedown Task Force Following the Changing threat landscape
  34. 34. ● Global Cyber Alliance is a US/UK based not for profit organization ○ Funded by District Attorney of New York and City of London Police ● GCA would act like a middleman to coordinate, help plan, and manage operations for industry partners ○ Partners would sponsor/suggest threats to pursue ○ GCA would help build reasonable coalitions ○ GCA would aid in the management and planning ● A goal is to drive continued and sustained efforts to coordinate across industries and build lasting coalitions to address malware based risks GCA Takedown Task Force
  35. 35. ● As technology evolves and new attack surfaces appear, the good guys will have to follow into those realms and defend them ○ Internet of Things ○ Mobile/Wireless networks ● This really ends up being a bunch of education work aimed at new industries where security may not be “built in” ● We have to try and project beyond what a “bad guy” can do so we can strategically build technology, relationships, and processes to address future issues Following the Changing Landscape
  36. 36. Key Points Four key points for thinking about in the future This is not just a technical problem In order to coordinate and build long lasting partnerships you must master the art of relationship building and understand each stakeholder's needs and motivations. APT is differentiated by humans, not code While APT actors will display sophisticated technical skills, the ultimate differentiator is their operational capabilities and coordination Anyone can start an interdiction effort All it takes is some technical skills, a lot of motivation, and the ability to communicate and build relationships to execute an interdiction. The landscape is changing rapidly The last 10 years have seen massive changes in threat actor sophistication and motivation. This evolutionary process shows no signs of slowing down.
  37. 37. THANK YOU! Andre Ludwig - Aludwig@globalcyberalliance.org Key id: 2238C189 Zachary Hanif - zachary.hanif@capitalone.com

Notas do Editor

  • Link to NIST publication: http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf
  • Image sourced from: https://www.solutionary.com/_assets/imgs/threat-intel-lifecycle-web.png
  • Image sourced from: https://upload.wikimedia.org/wikipedia/commons/e/ee/Relationship_of_data,_information_and_intelligence.png
    Originally: https://digital-forensics.sans.org/blog/2015/07/09/your-threat-feed-is-not-threat-intelligence
  • https://en.wikipedia.org/wiki/Storm_botnet
  • https://en.wikipedia.org/wiki/Conficker
  • Tillmann Werner, Brett Stone-Gross were the two main industry folks who drove a majority of activity against Waledec/Kehlios esp in the later generations. Gregory Sinclair, also gets credit with doing work on earlier version of Waledec

  • The coordination and processing pipline of Skald/Holmes-Totem was prominently used for this effort, and was the start of the merger between Totem and Skald
    Accepted paper: https://www.sec.in.tum.de/assets/Uploads/skald.pdf
    Blackhat Presentation: https://www.blackhat.com/docs/us-15/materials/us-15-Hanif-Internet-Scale-File-Analysis-wp.pdf
  • Swift Banking Numbers: http://www.newsweek.com/how-north-korea-hacks-our-banks-478421
  • Swift Banking Numbers: http://www.newsweek.com/how-north-korea-hacks-our-banks-478421
    Please contact us for samples/data