This short 45-minute presentation is aimed at ICS/SCADA and general IT engineers who want to understand the basic concepts behind the much-discussed threat that is the APT.
The audience is first introduced to the concepts and to who employs APTs, then to how they manifest, before closing with mitigation and defense strategies.
Slide 4. APT: definition
Advanced: i.e. not basic
Persistent: i.e. not non-persistent
Threat: i.e. backdoor, remote access, retained control, rootkit etc.
Slide 10. APT: manifestation - goals
Ensures remote access at the desired level
Persistent but minimizes forensic artefacts
Minimizes likelihood of detection
Frustrates analysis
Modular, upgradable and versatile
Slide 11. APT: manifestation
In December 2014 NCC Group dealt with the compromise of REDACTED, who had been compromised by Shell Crew
http://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf
This actor uses the Derusbi trojan family to maintain access; it supports a form of port-knocking, so the backdoor stays silent on the network until a specific trigger arrives.
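A backdoor that only opens up after a trigger sequence is hard to find with a port scan, but the trigger itself leaves a trace in connection logs: a burst of attempts to closed ports from one source, followed by an accepted connection. The detector below is an added example (not from the talk and not derived from Derusbi's actual trigger, which the slide does not describe); the log format and the log lines are constructed, with one line per connection attempt in the form `epoch src dst dport outcome`, where `rst` marks a closed port and `syn-ack` an accepted connection.

```python
"""Flag port-knock-style connection sequences in a connection log.

Added example (not from the talk): one line per connection attempt,
"epoch src dst dport outcome", outcome "rst" = closed port, "syn-ack" = accepted.
The log below is constructed; the 10.0.0.5 sequence is the pattern of interest.
"""
from collections import defaultdict

SAMPLE_LOG = """\
1418000000 10.0.0.5 192.168.1.20 7001 rst
1418000001 10.0.0.5 192.168.1.20 7002 rst
1418000002 10.0.0.5 192.168.1.20 7003 rst
1418000003 10.0.0.5 192.168.1.20 443 syn-ack
1418000010 10.0.0.9 192.168.1.20 443 syn-ack
1418000020 10.0.0.9 192.168.1.20 80 syn-ack
1418000030 10.0.0.7 192.168.1.21 22 rst
1418000500 10.0.0.7 192.168.1.21 22 syn-ack
"""


def parse_log(text):
    """Parse the constructed format into time-sorted (ts, src, dst, dport, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, outcome = line.split()
        events.append((int(ts), src, dst, int(dport), outcome))
    events.sort()
    return events


def find_knock_sequences(events, min_closed=3, window=30):
    """Return (src, dst, knocked_ports, opened_port) for each suspicious sequence.

    A hit is at least `min_closed` distinct closed ports from one src to one dst
    within `window` seconds, followed by an accepted connection to that dst.
    """
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev[1], ev[2])].append(ev)

    hits = []
    for (src, dst), evs in by_pair.items():
        recent_closed = []  # (ts, port) of closed-port hits still inside the window
        for ts, _, _, port, outcome in evs:
            recent_closed = [(t, p) for t, p in recent_closed if ts - t <= window]
            if outcome == "rst":
                recent_closed.append((ts, port))
                continue
            ports = sorted({p for _, p in recent_closed})
            if len(ports) >= min_closed:
                hits.append((src, dst, tuple(ports), port))
            recent_closed = []  # an accepted connection ends the candidate sequence
    return hits


def scan_sample():
    """Run the detector over the constructed log."""
    return find_knock_sequences(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for src, dst, knocked, opened in scan_sample():
        print(f"{src} -> {dst}: closed ports {knocked}, then accepted on {opened}")
```

Vulnerability scanners and misconfigured clients produce the same shape, so `min_closed` and `window` need tuning per environment, and a hit is a lead for host triage (the next slides' analysis steps) rather than a verdict on its own.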
Slide 15. APT: implementation
A program (e.g. on Windows, Mac OS X, Linux, iOS/Android etc.)
A kernel driver (e.g. on Windows, Mac OS X, Linux etc.)
A non-persistent patch to existing code (anything)
A malicious firmware (embedded devices)
Slide 16. APT: manifestation
In summer 2014 NCC Group detected a malicious RTF document containing the Havex RAT
We then developed signatures and detected numerous trojaned ICS / SCADA tools in malware zoos
The actor had been compromising ICS / SCADA tool vendor web sites, trojaning legitimate binaries with Havex and waiting for downloads
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2014/june/extracting-the-payload-from-a-cve-2014-1761-rtf-document/
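Trojaned downloads on a vendor's own site defeat the usual "get it from the official source" advice; the practical check is to compare each downloaded tool against a hash manifest obtained through a second channel (a signed release note, a vendor mailing, or a hash recorded when the tool was first vetted). The script below is an added example, not from the talk or from any vendor; the installer bytes, the file name and the manifest are all constructed.

```python
"""Verify a downloaded tool against a vendor hash manifest obtained out of band.

Added example (not from the talk or any vendor): the installer bytes and the
manifest are constructed here; in practice the manifest would come from a
channel other than the download site itself.
"""
import hashlib
import hmac

ALGO = "sha256"


def digest(data: bytes) -> str:
    """Return "sha256:<hex>" for the given bytes."""
    return ALGO + ":" + hashlib.new(ALGO, data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Map file name -> digest for the genuine release files."""
    return {name: digest(data) for name, data in files.items()}


def verify_download(name: str, data: bytes, manifest: dict) -> str:
    """Return "ok", "mismatch" (bytes differ from the manifest) or "unlisted"."""
    expected = manifest.get(name)
    if expected is None:
        return "unlisted"
    # Constant-time compare; not required for a public hash, but harmless.
    return "ok" if hmac.compare_digest(digest(data), expected) else "mismatch"


# Constructed release: the bytes the vendor actually shipped.
GENUINE = {"ics-config-tool-2.1.exe": b"MZ" + b"GENUINE INSTALLER BYTES" * 64}
MANIFEST = build_manifest(GENUINE)

# Constructed tampered copy: the same file with bytes appended, standing in for
# a repackaged download served from a compromised vendor site.
TAMPERED = GENUINE["ics-config-tool-2.1.exe"] + b"\x00TAMPERED"


def demo() -> dict:
    """Check a genuine copy, a tampered copy and a file the manifest never listed."""
    return {
        "genuine": verify_download("ics-config-tool-2.1.exe",
                                   GENUINE["ics-config-tool-2.1.exe"], MANIFEST),
        "tampered": verify_download("ics-config-tool-2.1.exe", TAMPERED, MANIFEST),
        "unknown": verify_download("ics-config-tool-2.2.exe", TAMPERED, MANIFEST),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The "unlisted" result matters as much as "mismatch": a file that the vendor's manifest does not mention should not reach an engineering workstation just because it was on the vendor's site. Code-signing checks complement this but do not replace it, since the same compromise that replaces a binary may also expose a signing path.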
Slide 34. APT: analysis
observe – from the network or on host
identify – the program code
extract – from the host / device
analyse – statically / dynamically
Slide 41. APT: mitigation
Once we have an OS* we trust, we can do things like:
hypervisor level malicious code scanning
early launch malware detection (Windows)
* the caveat is now hardware with DMA access: the trust holds only if IOMMUs are used, or if data/code in RAM is otherwise protected from manipulation
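The footnote's caveat is checkable. On Linux the reliable signal that an IOMMU is initialised is a non-empty `/sys/kernel/iommu_groups`, since the kernel creates one directory per group; the command line alone is not enough, because many AMD and distribution configurations enable the IOMMU with no `intel_iommu=on` or `amd_iommu=on` option, and `iommu=pt` leaves kernel-owned devices with an identity mapping, so their DMA is not restricted even though the IOMMU is on. The script below is an added example (not from the talk, and Linux rather than the Windows ELAM case on the slide); the interpretation is separated from the host reads so it can be exercised on constructed inputs.

```python
"""Report whether a Linux host has an IOMMU restricting device DMA.

Added example (not from the talk). Reads /proc/cmdline and
/sys/kernel/iommu_groups; the interpretation is a pure function so it can be
exercised on constructed inputs without a Linux host.
"""
import os
import re


def iommu_status(cmdline: str, group_count: int) -> dict:
    """Interpret the kernel command line and the number of IOMMU groups.

    groups_present: the kernel initialised an IOMMU (the reliable signal).
    passthrough:    iommu=pt gives kernel-owned devices an identity mapping,
                    so their DMA is not restricted even with the IOMMU on.
    explicitly_off: intel_iommu=off / amd_iommu=off was passed at boot.
    """
    groups_present = group_count > 0
    passthrough = re.search(r"(?:^|\s)iommu=pt(?:\s|$)", cmdline) is not None
    explicitly_off = re.search(
        r"(?:^|\s)(?:intel_iommu|amd_iommu)=off(?:\s|$)", cmdline) is not None
    return {
        "groups_present": groups_present,
        "passthrough": passthrough,
        "explicitly_off": explicitly_off,
        "dma_restricted": groups_present and not passthrough,
    }


def read_host() -> dict:
    """Collect the two inputs from the running host (Linux only)."""
    try:
        with open("/proc/cmdline") as f:
            cmdline = f.read()
    except OSError:
        cmdline = ""
    try:
        count = len(os.listdir("/sys/kernel/iommu_groups"))
    except OSError:
        count = 0
    return iommu_status(cmdline, count)


if __name__ == "__main__":
    status = read_host()
    for key, value in status.items():
        print(f"{key}: {value}")
```

A `dma_restricted` of `False` on a host you were treating as trusted means the hypervisor-level scanning or early-launch checks on this slide rest on memory that a malicious or compromised DMA-capable device could still rewrite.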
Slide 43. APT: putting the advanced in APT
persistent element:
encrypted to host
not persistent until shutdown
persisted via secondary host
command and control:
added to legitimate network connections
Slide 45.
Europe: Manchester (Head Office), Amsterdam, Cambridge, Copenhagen, Cheltenham, Edinburgh, Glasgow, Leatherhead, London, Luxembourg, Munich, Zurich
Australia: Sydney
North America: Atlanta, Austin, Chicago, New York, San Francisco, Seattle, Sunnyvale
Ollie Whitehouse
ollie.whitehouse@nccgroup.trust