The New Age of Cyberthreats
Who am I?
 Hacker and cracker of the nineties, turned to good before major disasters…
 I am currently Principal Advisory Consultant for the RSA Incident Response team.
 Prior to joining RSA I worked in several big IT corporations such as Digital, HP and Cisco.
 I led IR teams engaged against cybercriminals and sophisticated attackers.
Agenda
 Introduction to modern ICT Threat landscape
 APT Attacks and cases
 Reasons to be concerned
 What to do
 What to avoid
 Detailed review of most threatening actors
 Recommendations
Back then…
 Richard Pryce
 Albert Gonzalez
 John Draper, "Captain Crunch"
 Jeanson James Ancheta
 Mark Abene, "Phiber Optik"
 Kevin Poulsen
Now…
Lazarus Group targets
[Map: Mexico, Brazil, Turkey, Saudi Arabia, Iran, India, Bangladesh, Russia, China, Taiwan, Rep. of Korea, Malaysia, Indonesia, Vietnam, US … and more]
Lazarus Group is a malicious adversary responsible for crippling ICT attacks
and cyberespionage campaigns targeting financial, media and
manufacturing sectors.
Carbanak gang area of activities
[Map: US, Brazil, Canada, Morocco, Spain, Iceland, UK, France, Switzerland, Italy, Germany, Norway, Czech Rep., Poland, Bulgaria, Ukraine, Russia, Pakistan, India, Nepal, China, Hong Kong, Taiwan, Australia, Qatar, UAE]
Carbanak is a sophisticated cybercriminal gang
targeting the financial sector worldwide.
What has changed?
 Interconnected environments
 Nearly 3 billion people (40% of the world population) have
access to the Internet!
 Collective nervous system – our lives now
depend on many devices
 Technology is transforming how we
interact and live with each other.
What has changed?
 Different types of players – from
traditional cybercriminals to hacktivists
to sophisticated fraudsters to cyber
espionage groups
 Varied actions, from ransomware to
spear-phishing to drive-by download
 New tools used to perform attacks
 Data has become the end goal, user
trust the means and malware the tool
 Sophisticated tools: modern malware is
able to evade antivirus and intrusion
prevention mechanisms
The threat landscape
Type of attacks
Cybercrime
 Identity theft
 Money theft
 Phishing
 Bullying
 Cyber stalking
 Theft of personal or
company data
 Ransomware
 Cryptominers
Cyberwarfare
 Cyber espionage
 Cyber attacks
 Propaganda
 Infiltration support
 Targeted DDoS
APT Attacks
 Targeted against «strategic» users
to gain access to key assets
 Can do much damage long
before an organization knows that
it has been hit!
 69% of victims learn from a third
party that they have been
compromised
 Focus on the weakest links of your
defense chain, targeting specific
system vulnerabilities and specific
people.
Recent attacks
[Map: France, The Netherlands, Switzerland, Germany, Ukraine, Russia]
Olympic Destroyer – probably an APT28 attack
On February 9, 2018, shortly before the Pyeongchang
opening ceremony, televisions at the main
press centre, Wi-Fi at the Olympic Stadium and
the official website were taken down.
Hackers used the so-called "Olympic Destroyer",
a strain of malware that allowed the attackers
to wipe files and make systems inoperable.
Initially, experts blamed North Korea for the
attack; later, intelligence officers attributed the
cyber attack to Russia.
Recent attacks
Epic Turla – also known as the Uroburos APT group
Turla is a Russian cyber espionage APT
active since at least 2007.
It targets government organizations and
private businesses.
The list of known victims is long and
includes the Swiss defense firm RUAG, the US
Department of State, and the US Central
Command.
Recently ESET revealed that Epic Turla
breached Germany's Federal Foreign
Office, siphoning data for almost the
whole of 2017.
[Map: US, UK, Germany, Italy, Syria, Iraq, Azerbaijan, Turkmenistan, Kazakhstan, Tunisia, Venezuela, Brazil, Paraguay, Pakistan, Iran, Qatar, Kuwait, Saudi Arabia, Uzbekistan, Kyrgyzstan, Tajikistan, Afghanistan]
Case study – Tracking dissidents
In 2012 the Axiom APT group targeted an international non-governmental organization that
conducts research and advocacy on human rights.
The attack was aimed at collecting data on Tibetan and Chinese dissidents living abroad¹.
The attack started against a web server, exploiting a ColdFusion vulnerability, and proceeded
internally by stealing user and administrator accounts.
¹ https://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf
[Diagram: (1) ColdFusion exploit against the target web server, (2) stolen admin accounts, (3) bulletproof servers (China)]
Case study – Tracking dissidents
Leveraging the stolen accounts and implanting Gh0st RAT and Derusbi malware, the attacker
sneaked into the environment and collected information related to Tibetan, Chinese and Uyghur
dissidents.
[Diagram: steps 4–8 of the intrusion, from the internal network out to bulletproof servers (China)]
The transfer of the stolen data is what alerted the victim.
My team was able to track the entire attack, blocking the data hemorrhage.
Another case – a UN breach
In May 2017 selected individuals of the United Nations Committee investigating violations of
sanctions on North Korea (UN 1718 Committee) received a zip file with a plausible-sounding email
from a "known" source.
[Diagram: (1) somewhere in North Korea → (2) public VPN servers / exploited email server → (3) victim]
The email carried a highly personalized message, which shows the hackers had very detailed
insight into the panel's structure and working methods.
Another case – a UN breach
The victims opened the malicious attachment, activating a sophisticated Trojan.
A few hours later, the attacker moved laterally to the internal Committee database, where a
significant amount of evidence and documents were stored.
The attacker showed interest in both Committee staff credentials and the data stored in the
database, probably counting on the harvested credentials to perform additional actions.
[Diagram: (4) somewhere in North Korea → public VPN servers → (5) victim → UN Committee database (6)]
The attack lasted a week and was identified by checking access to the database outside business
hours. It was attributed to North Korea's main spy agency (Unit 180), usually tracked as
"Lazarus Group" (note that APT37, reviewed below, is tracked by FireEye as a North Korean actor
distinct from Lazarus).
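The off-hours check that surfaced the Committee database access, as an added example that is not part of the original presentation: it parses constructed database audit lines (the key=value line format and the 08:00–18:00 weekday window are assumptions) and flags every query outside business hours, marking bulk reads and summarizing per account so that one user pulling thousands of rows at 03:00 from a new source address stands out.

```python
"""Flag database access outside business hours.

Added example, not part of the presentation. The audit-log format
(ISO timestamp followed by key=value fields) and the 08:00-18:00
weekday window are assumptions; the log lines are constructed.
"""
import re
from datetime import datetime, time

# Constructed sample: two daytime queries, two night-time bulk reads from
# a new source address, and one Saturday query.
SAMPLE_LOG = """\
2017-05-08 09:12:44 user=analyst1 src=10.20.1.15 db=committee_docs action=SELECT rows=12
2017-05-08 14:03:10 user=analyst2 src=10.20.1.18 db=committee_docs action=SELECT rows=3
2017-05-09 02:41:07 user=analyst1 src=10.20.7.200 db=committee_docs action=SELECT rows=4180
2017-05-09 03:05:52 user=analyst1 src=10.20.7.200 db=committee_docs action=SELECT rows=3972
2017-05-13 11:20:00 user=analyst2 src=10.20.1.18 db=committee_docs action=SELECT rows=5
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<kv>.+)$")


def parse_line(line):
    """Return a dict with a datetime under 'ts' plus the key=value fields,
    or None for lines that do not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")}
    for field in m.group("kv").split():
        key, _, value = field.partition("=")
        rec[key] = value
    rec["rows"] = int(rec.get("rows", "0"))
    return rec


def is_business_hours(ts, start=time(8, 0), end=time(18, 0)):
    """Monday-Friday and start <= time-of-day < end."""
    return ts.weekday() < 5 and start <= ts.time() < end


def find_off_hours_access(log_text, row_threshold=1000):
    """Return the records that fall outside business hours, in log order.
    Each record gets a 'bulk' flag when the row count meets the threshold."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or is_business_hours(rec["ts"]):
            continue
        rec["bulk"] = rec["rows"] >= row_threshold
        hits.append(rec)
    return hits


def summarize_by_user(hits):
    """Per-user count, total rows and distinct source addresses."""
    summary = {}
    for h in hits:
        s = summary.setdefault(h["user"], {"count": 0, "rows": 0, "sources": set()})
        s["count"] += 1
        s["rows"] += h["rows"]
        s["sources"].add(h["src"])
    return summary


if __name__ == "__main__":
    for user, s in summarize_by_user(find_off_hours_access(SAMPLE_LOG)).items():
        print(f"{user}: {s['count']} off-hours queries, {s['rows']} rows, "
              f"from {sorted(s['sources'])}")
```

The weekend rule matters as much as the night rule: a Saturday query from a regular workstation is low-volume noise here, while the two night-time reads from 10.20.7.200 total over eight thousand rows for one account, which is the kind of signal the Committee investigation keyed on.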
Can an organization like us be attacked?
YES
Why would anyone want
to attack the UN?
Here are a few reasons...
 A number of governments are interested in evaluating in advance the actions
planned by UN missions in several key areas such as:
 Yemen
 Syria
 Central Africa
 Sudan
 A number of organizations and corporations are interested in anticipating actions
aimed at supporting local farmers and redeveloping territories in Africa, by purchasing
these territories from local farmers before they receive UN support.
 A number of governments are interested in being able to create fake
documentation under the UN insignia, to simplify the job of their local undercover
spies or to give their fake identities the chance to travel on diplomatic visas.
Biggest threat? Targeted attacks
While cyber frauds target every type of organization and can be fought with traditional
technology and resources, targeted attacks are the biggest threat for any modern public and
private organization.
While APTs may use the same techniques as
traditional attacks, such as drive-by download and
spear phishing, they differ from common infections
because they target strategic users to gain
undetected access to key assets.
APTs can do insidious damage long before an
organization knows that it has been hit.
The attribution of an APT attack is based mainly on the
uniqueness of the tools each APT group uses; this is a weak
basis when tools are shared, leaked or deliberately imitated,
as the shifting attribution of Olympic Destroyer above shows.
What can we do to protect ourselves?
As an organization…
 A mixed approach based on technology and human
knowledge
 Modern antispam, host intrusion prevention systems and
firewalls
 Incident Response capabilities to ensure a proper reaction
 Incident Response tools to empower IR personnel
 Training on how to spot cyber attacks
As an individual…
 Keep yourself informed about ICT risks
 Avoid disseminating sensitive information about yourself and your work
 Avoid clicking on links or attachments sent through untrusted channels
 Avoid using insecure channels while working
 Don't try to solve a potential infection alone; escalate the issue
to dedicated staff
Ok, you got attacked... now what?
What to do – how to react
 Protecting against APT attacks is a major concern in the field of cybersecurity.
 APTs can evade traditional detection, causing tremendous damage to organizations.
 Compared with traditional cyberattacks, APTs exhibit two distinctive characteristics:
a) The attacker behind an APT is a well-resourced and well-organized group, with the goal of
stealing as much sensitive data as possible from a specific organization.
b) Based on meticulous reconnaissance, the attacker launches a preliminary
advanced social engineering attack on a few target users to gain footholds in the
organization and then gains access to critical information stealthily and slowly.
 To date, the detection of APTs is far from mature.
 Consequently, successfully responding to an APT attack means ensuring all internal staff are
aware of the risks and act accordingly in any "suspicious" or clearly malicious
situation.
What to do…
 Again… don't panic
 Follow the rules and procedures for these cases
 Don't turn off your computer (volatile evidence in memory is lost on shutdown)
 Don't change your credentials (new ones typed on a compromised machine are
captured too, and the change tips off the attacker)
 Escalate the problem to the proper, dedicated staff
 Use a separate channel to communicate the problem internally
(by phone or from a different computer)
 Inform your manager
 Don't use the potentially breached computer until dedicated
staff have investigated it and cleared it of any compromise.
Why care?
 Don't leave information about your workplace online
 Privacy issues with a mobile browser
 Search for "human factor"
Recommended behavior
 Reduce the risk of being targeted by advanced actors by avoiding publishing
information related to your job and private information about your life.
 Avoid pointing your browser at malicious or untrusted websites
 Avoid trusting unknown "third parties" through chats, IMs and other media when at
work and using corporate assets.
 Avoid clicking on any link or content not inspected by your company's
antivirus and antispam.
 Don't use cracked software
 Don't install programs collected from untrusted sources on P2P networks
 DON'T USE THE SAME PASSWORD IN MULTIPLE CONTEXTS AND ON PUBLIC SERVICES
Questions?
And remember… We will be watching…
Naikon (APT30)
 Naikon is a state-sponsored gang able to infiltrate and steal sensitive data and
intellectual property from military, diplomatic and enterprise targets.
 It has carried out attacks in a number of Asian countries, as well as against the United Nations
Development Programme and the Association of Southeast Asian Nations (ASEAN).
 To get into target networks, Naikon relies on email as the attack vector and studies its
victims through social engineering techniques and social media.
 Data collection, prior to an attack, includes a significant set of private or public data
related to the most "interesting" targets.
 Naikon's initial attacks use decoy content on local topics of interest to the
victims.
 The adversary has shown a remarkable ability to adapt its initial attack strategy to the
most effective way to break in, keeping the user's trust as the main initial objective of
the infection.
Naikon attack strategy
The attacker studies the target to ensure
the success of the initial spear-phishing,
preparing suitable content and distributing it
to specific, selected victims within the targeted
organization. Once the infection succeeds, the
attacker moves laterally and extends its
control over the victim organization
using commonly available tools such as
psexec, procdump and other Microsoft
sysadmin tools.
Only for specific tasks does it use
a custom backdoor from the
HDoor family.
 Much of Naikon's spear-phish and decoy documents match highly-charged
geopolitical events.
 The consistent list of military, economic, and political targets clearly illustrates the
actor's areas of interest.
 The name "Naikon" was derived from the
User-Agent string "NOKIAN95" found in the
beacons of the second-stage backdoor.
Emissary Panda (APT 27)
 Also known as TG-3390, it is a hacking group of Chinese origin which targets
selected organizations in education, energy and technology.
 In the past, Emissary Panda has used many ways to target its victims, the
most notable being the exploits from the Hacking Team leak.
 Usually, Emissary Panda malware is either the well-known 'PlugX' or the
'HttpBrowser' RAT, tools with clear Chinese origins and with usage limited to
Chinese APTs.
 Typical APT 27 attacks are based on an initial compromise of victim servers,
used as a trampoline to move laterally or to execute spear-phishing attacks
against internal users, sending messages via trusted systems (the exploited
servers already inside the victim perimeter).
 To compromise web servers, Emissary Panda leverages zero-day exploits and
webshells¹.
¹ Webshells are malicious code written in PHP, ASPX or other common web-based languages and file extensions.
Emissary Panda and webshells
 Below is shown a typical first-stage attack by APT 27 targeting a public web server and
implanting a webshell.
 The webshell shown is called "China
Chopper". It is a simple backdoor
composed of two key modules:
 the webshell client binary
 the text-based webshell payload
(server component).
 The China Chopper client communicates
with the server component using HTTP/HTTPS POST requests.
 The server-side payload is very small (a one-line
eval of a request parameter) yet powerful, allowing the
attacker to use it as a real Trojan.
 The client offers a significant set of options for
terminal access and file system management; the
code for each action is sent in the POST body and
evaluated by the server-side payload.
 APT 27 seems to stick with the China Chopper webshell more than any other APT group.
APT27 attack strategy
[Diagram, server path: scan and fingerprint web services → exploit vulnerable services → implant webshell → dump credentials and attempt lateral movement → scan networks → implant backdoor on interesting targets → collect data → move data to controlled machines → exfiltrate data]
[Diagram, if lateral movement fails: forge messages → send messages to selected victims including malicious content or links]
 The group steals intellectual property through its custom backdoors: PlugX and
HttpBrowser RAT.
 After the initial compromise, the adversary leverages typical scanners like nbtscan or
the ScanLine network scanner to identify additional targets and to prepare its lateral
movement through the network.
APT 27 latest trend
 Recently, a growing number of security researchers reported a new infection
campaign attributed to APT27 with a number of peculiar characteristics, as reported
by Bitdefender:
 https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-
inside-a-highly-specialized-espionage-infrastructure/
 In particular, the infection campaign, named "PZChao", is based on highly targeted
spam messages, but more interestingly, at a certain stage of the attack the attacker
deployed cryptominers (Monero) on a number of systems after the traditional
exfiltration stage.
 The reason behind the adoption of such noisy software is still under scrutiny.
 These actions have been reported in recent attacks against UN agencies as well. We
studied some of these cases involving UN environments this year.
APT 28
 APT28, also known as "Fancy Bear", "Sofacy Group" or "Sednit", is a cyber
espionage group associated with the Russian military intelligence agency GRU.
 In 2018, an indictment¹ by the United States Special Counsel identified Fancy Bear
as two GRU units known as Unit 26165 and Unit 74455.
 Fancy Bear's methods are consistent with the capabilities of state actors.
 The group targets government, military, and security organizations, for example in
Caucasus countries and NATO-aligned states.
 Fancy Bear is held responsible for cyber attacks on the German parliament, the French
television station TV5Monde, the White House, the Democratic National
Committee, the Organization for Security and Co-operation in Europe and the
campaign of French presidential candidate Emmanuel Macron.
 The group promotes the political interests of the Russian government by helping
favored foreign political candidates win elections.
¹ See source: https://www.justice.gov/file/1080281/download
APT 28 compromise strategy
 APT 28 attack strategies leverage a set of specialized malware.
 The attack is multistage.
 In the first stage, the adversary attempts to infect less protected targets, such as
non-IT personnel and roaming systems.
 During the second stage the attacker tends to maintain persistence by implementing
backdoors.
 The third stage evolves only if the attackers need to escalate control over
strategic systems such as:
 Points of Contact – systems that could be used to access the environment from
outside (a typical Point of Contact is a laptop or a VPN concentrator).
 Strategic Systems – hosts holding interesting data or that could be used as a
jumpbox to other network segments (a typical Strategic System is an Active
Directory server or a jumpbox).
First Stage attack
 The "first stage" targets are chosen with extreme care.
 The malware used in this phase is a dropper with basic info-stealing capabilities
(named Coreshell).
 The malcode can extract information such as accounts or other similar
data and upload the stolen information to an external C2 server.
 From the C2 the attacker can command the malware to "evolve", by downloading
and executing the second stage: the backdoor.
Note: Coreshell is the evolution of the Sourface
dropper (the latter was used until early 2015).
Once the infected machine communicates with the external C2,
the attacker is aware of the infected system, its users and
additional interesting data. The attacker can expand control
over the victim or leave it and move to other targets.
Usually, at this stage, the less interesting victims are cleared
of any malware. The attacker prefers to keep control over just
a handful of interesting systems to lower the risk of being caught.
Second stage
 The second stage involves a backdoor: "Eviltoss".
 The backdoor serves as the preferred point of entrance to the target environment.
 Eviltoss infection is limited to a small subset of the initially infected hosts.
 The backdoor shares a number of commonalities with Coreshell.
 The communication mechanism is protected with the same algorithm.
 Eviltoss is usually packed (encrypted) and has a set of hardcoded configuration shared with
Coreshell.
Eviltoss is extremely functional for persistence in a target system.
Its setup is carried out via download and execution through the C2 or
additional drop zones.
Once Eviltoss is active, the attacker can access the victim's filesystem
and steal any type of data. He can also open a shell to directly execute
additional commands.
Eviltoss allows the attacker to move laterally to other systems, further
extending the magnitude of the attack and the exposure of the environment.
APT 28 attack strategy
 Usually, it takes weeks or months for APT 28 attacks to escalate from stage 2 to
stage 3.
 APT 28 usually starts monitoring the controlled hosts and moves "laterally"
before even considering a further enhancement of its control.
 Once the attacker has the "big picture" of "how the environment works", it
may decide to deploy a tailored implant against strategic hosts.
 The implant is a highly customized Trojan named Chopstick that is
configured to work only inside the targeted environment.
 The implant is used only when persistence must be guaranteed at all costs or
if the victim is a highly interesting target.
 APT 28 has a version of this implant tailored to work on mobile devices such
as iOS systems (X-Agent malware).
Third Stage
 Sometimes, APT 28 is forced to evolve its attack to stage 3 in order to access air-gapped
environments, as in the case of the Italian Navy¹.
 In these cases, the attacker collects data and credentials related to the target system and
then implants the Trojan (named "Chopstick" or "X-Agent").
 Compared to Eviltoss, the Trojan is far more complex, to the point that the samples worked
only if we replicated the exact same conditions of the original victim or after reversing the
malware code and patching it.
Chopstick allows the attacker to gain full control of the infected system
and it can also include specific features such as activation only under
specific conditions or replication in specific cases.
All this is included in the Chopstick configuration file, bundled with the malware.
Chopstick uses C2 servers, but can also work without direct contact with them
for long periods of time.
APT28 moves from Eviltoss to Chopstick only on systems that are key to
the economy of its attack.
APT28 tends to implement strong encryption and strong anti-reversing measures
on every variant of Chopstick.
APT29
 APT29, also known as Cozy Bear, is a Russian hacker group associated
with Russian intelligence.
 The Dutch AIVD deduced from security camera footage that it is led by
the Russian Foreign Intelligence Service (SVR)¹.
 Cybersecurity firm CrowdStrike suggested that it may be associated with
either the Russian Federal Security Service (FSB) or the SVR.
 Cozy Bear has been compromising diplomatic organizations and
governments since at least 2010.
 Cozy Bear is behind the 'HAMMERTOSS' remote access tool, which uses
commonly visited websites like Twitter and GitHub to relay command
data.
¹ See source:
https://www.volkskrant.nl/wetenschap/dutch-agencies-provide-crucial-intel-about-russia-s-interference-in-us-elections~b4f8111b/
APT 29 First Stage attack
 As seen in APT 28 attacks, the first stage is executed against a small number
of selected targets within the victim infrastructure.
 The targets are usually chosen with extreme care.
 The attackers carefully avoid infecting IT or security personnel.
 Usually, at this stage the malware used is a common dropper aimed at
detonating the HAMMERTOSS backdoor.
The spear phishing hits the victim with emails containing malicious attachments
or links to malicious websites aimed at compromising the victim's browser via web
access ("drive-by download").
The HAMMERTOSS backdoor is dropped and installed via exploitation of Office
applications or via "drive-by download" through browser vulnerabilities.
At this point the attacker can enhance control by moving to a second stage
for a handful of interesting hosts.
The remaining machines are cleared of any malware or artifact in order to
hinder DFIR analysis and lower the chance of finding the original "patient zero".
Once infected, the backdoor communicates with the external C2 via Twitter or
other HTTP/HTTPS-based applications. All communications are protected with
basic encryption.
APT 29 Second Stage
 The upgrade commands were published via Twitter accounts (in our case).
 The upgrade forced the infected system to download plugins as encrypted images (using
steganography).
 The encrypted data included instructions to execute commands via PowerShell, or to execute a
file, or to save a file and execute it.
 In several cases, the PowerShell commands directed HAMMERTOSS to upload data from the
victim to cloud storage services using login credentials received via Twitter.
APT29 tends to avoid long persistence in the victim environment. In a relatively
high number of cases, once the data had been exfiltrated, the attacker completely
gave up persistence in the target environment.
Through the Twitter channel, the attacker sent commands by publishing them on
its account. Each infected host was managed separately (using separate Twitter
channels). The malware processes the commands, decrypts the content from the
image and executes the payload.
Once the malware is upgraded, the attacker can access the victim's filesystem
and steal any type of data. He can also open command shells to directly
execute several tasks. HAMMERTOSS allowed the attacker to access the system
and control the target, supporting the setup of other malicious tools and
lateral movement to other systems in the environment.
Once the interesting data was collected, APT 29 cleared all involved systems
using secure removal techniques.
APT 29 characteristics
 APT29 mainly uses HAMMERTOSS malware.
 The group's work hours seem to align with the UTC+3 time zone, which contains
cities such as Moscow and St. Petersburg.
 The group appeared to cease operations on Russian holidays.
 The group showed discipline and consistency in clearing the tracks of its attack after
reaching its goal.
 APT29 almost always uses anti-forensic techniques, and it monitors victim
remediation efforts to subvert them.
 The group appears to almost solely use compromised servers for C2 to
enhance the security of its operations, and maintains a rapid development
cycle for its malware, quickly modifying tools to undermine detection.
 The group targets a wide set of different types of targets such as political
parties, security companies, military and political institutions worldwide.
 The approach, the malware used and the way APT 29 acts in infected
networks show similarities with advanced cybercriminal groups such as
Carbanak.
APT 37
 APT 37, also known as Reaper, is a group carrying out attacks on behalf of
the North Korean government, as malware artifacts and targets are aligned
with North Korean state interests.
 The group's operations are expanding in scope and sophistication, with a
toolset that includes access to zero-day vulnerabilities and wiper malware.
 Prevalent targets of APT 37 are South Korea, Japan, Vietnam and the Middle
East, in various industry verticals, including chemicals, electronics,
manufacturing, aerospace, automotive, and healthcare.
 Recently, APT 37 was involved in cyber-espionage against UN agencies.
 Social engineering tactics tailored specifically to desired targets, strategic
web compromises typical of targeted cyber espionage operations, and the
use of torrent file-sharing sites to distribute malware more indiscriminately are
typical attack vectors and strategies adopted by the adversary.
 The group has demonstrated access to zero-day vulnerabilities (CVE-2018-0802)
and the ability to incorporate them into operations.
APT 37
 APT37 employs a suite of malware for initial intrusion and exfiltration.
 Its malware is characterized by a focus on stealing information from victims,
with many tools set up to automatically exfiltrate data of interest.
 Along with custom malware, APT37 has access to destructive malware.
 In April 2017, it targeted South Korean military and government organizations
with the DOGCALL backdoor and RUHAPPY wiper malware.
 RUHAPPY can overwrite a machine's Master Boot Record (MBR), causing the
system to fail to boot into preconfigured partitions.
 It is possible that APT 37's distribution of KARAE malware via torrent websites
could assist in creating and maintaining botnets for future distributed denial-of-
service (DDoS) attacks, or for other activity such as financially motivated
campaigns or disruptive operations. Disruptive and destructive cyber threat
activity, including the use of wiper malware, public leaks of proprietary
materials by false hacktivist personas, DDoS attacks and electronic warfare
tactics such as GPS signal jamming, is consistent with past behavior by other
North Korean actors.
Organization recommendations
 Effective defense against these attackers can be ensured only through
Incident Response (IR) capabilities.
 Ideally, organizations empowered by IR should balance people,
process and technology.
 Solid incident responders with solid technology but no well-designed, validated
and established processes and procedures will leave an organization less than
optimally defended.
 An effective IR-enabled agency requires all three dimensions – people,
process, technology – to work well and improve together.
 It is important to create lightweight policies, plans, and procedures for
incident response, with management buy-in, to effectively protect the
environment against cyber security attacks.
 In addition, the IR team must adopt a methodology to investigate attacks.
How to investigate APT attacks
 The matter is discussed frequently among subject matter experts.
 Several approaches have been evaluated.
 The most effective, based on public works and research, is arranged around a mix of
technologies and skills:
 Ensure complete network visibility
 Ensure system and log visibility
 Analyze malicious artifacts to extract IOCs (network, system and log indicators)
 Classification and attribution
 Incident surface
 Triage planned from a tailored set of strategic actions
 The investigative methodology we use is based on Actionable IOCs (AIOCs).
 To build AIOCs, we employ a systematic approach that relies on the synergy of
network and host visibility with log and malware analysis in order to identify key
indicators that can be formalized and stored in an organized knowledge base for
rapid reuse during subsequent investigations.
 The knowledge base aggregates the Actionable IOCs (otherwise they remain atomic
indicators) to build actor attack profiles that can be quickly applied to investigations
in order to streamline response efforts and give non-circumstantial evidence towards
attribution of malicious actors.
 Succeeding in a rapid attribution during the early stages of an incident investigation can
significantly lower the time required to scope the presence of the attacker and to
prepare a proper mitigation strategy to expel the adversary in the proper fashion.
Our investigation
IoCs from the analysis
• In our approach, malware analysis is a key element in generating reliable
IOCs because it is the moment when the artifacts discovered in the
compromised systems can "talk" to the analyst and present the indicators
that are needed to measure the extent and the goal of the actual attack.
• There are several IOCs that can be extracted from a good malware analysis
process, and this does not necessarily mean reverse engineering the
malware.
• Even a simple YARA rule that allows the analysts to perform a file sweep on an
entire network segment or an entire enterprise could be enough.
• The most important aspect in transforming atomic IOCs into Actionable IOCs is the
formalization process, made through comparison with the consolidated KB,
lab analyses and peer review.
• An important support for the formalization of AIOCs is the
"retrohunting" feature offered by VirusTotal.
 Actionable IOCs are an answer to the need for solid indicators to support the investigation,
the attribution and the triage of incidents generated by malicious actors.
 The adoption of this methodology can positively impact investigation and triage, but
also improves knowledge of the tools and strategies adopted by the adversaries.
 The formalization process behind it can facilitate the exchange of information and
indicators without the risk of unintentional leakage of sensitive information and, in
short, strengthen the proactive and reactive capabilities of any structure.
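The knowledge-base step described in the last two sections (atomic IOCs aggregated into actor profiles, then applied to an investigation to support attribution), as an added example rather than the author's own tooling. The actor-to-tool pairs come from this presentation; the indicator kinds, the weights, the rule that demotes any indicator seen with more than one actor to commodity status, the requirement of at least one non-commodity match before an actor is reported, and the observation set are assumptions.

```python
"""Aggregate atomic IOCs into actor profiles and score observations.

Added example illustrating the "Actionable IOC" knowledge base described
in the presentation; it is not the author's tooling. Actor/tool pairs are
the ones named in the slides; kinds, weights, the demotion rule and the
sample observation are assumptions.
"""
from collections import defaultdict

# Shared sysadmin tools are weak evidence on their own; custom malware
# families and unique beacon strings are strong.
KIND_WEIGHT = {"commodity": 0.5, "network": 2.0, "custom_tool": 3.0}

ATOMIC_IOCS = [
    # (indicator, kind, actor)
    ("NOKIAN95", "network", "Naikon"),
    ("HDoor", "custom_tool", "Naikon"),
    ("psexec", "commodity", "Naikon"),
    ("procdump", "commodity", "Naikon"),
    ("China Chopper", "custom_tool", "APT27"),
    ("PlugX", "custom_tool", "APT27"),
    ("HttpBrowser", "custom_tool", "APT27"),
    ("nbtscan", "commodity", "APT27"),
    ("ScanLine", "commodity", "APT27"),
    ("Coreshell", "custom_tool", "APT28"),
    ("Eviltoss", "custom_tool", "APT28"),
    ("Chopstick", "custom_tool", "APT28"),
    ("HAMMERTOSS", "custom_tool", "APT29"),
    ("twitter-c2", "network", "APT29"),
    ("DOGCALL", "custom_tool", "APT37"),
    ("RUHAPPY", "custom_tool", "APT37"),
    ("KARAE", "custom_tool", "APT37"),
]


def build_profiles(atomic):
    """Knowledge base: actor -> {indicator: kind}. An indicator recorded
    against more than one actor is demoted to commodity, so a shared or
    leaked tool can never attribute by itself."""
    seen = defaultdict(set)
    for ind, _, actor in atomic:
        seen[ind.lower()].add(actor)
    profiles = defaultdict(dict)
    for ind, kind, actor in atomic:
        profiles[actor][ind.lower()] = "commodity" if len(seen[ind.lower()]) > 1 else kind
    return dict(profiles)


def attribute(observed, profiles, min_strong=1):
    """Rank actors by weighted matches against the observed indicators.
    An actor is reported only with at least `min_strong` non-commodity
    matches, so psexec alone never yields an attribution."""
    obs = {o.lower() for o in observed}
    results = []
    for actor, inds in profiles.items():
        matched = {i: k for i, k in inds.items() if i in obs}
        strong = [i for i, k in matched.items() if k != "commodity"]
        if len(strong) < min_strong:
            continue
        score = sum(KIND_WEIGHT[k] for k in matched.values())
        results.append((actor, score, sorted(matched)))
    return sorted(results, key=lambda r: r[1], reverse=True)


# Constructed observation from a hypothetical web-server investigation:
# a China Chopper stub, nbtscan output and psexec traces were found.
OBSERVED = ["china chopper", "nbtscan", "psexec"]

if __name__ == "__main__":
    for actor, score, matched in attribute(OBSERVED, build_profiles(ATOMIC_IOCS)):
        print(f"{actor}: score {score}, matched {matched}")
```

The two guards are the point: commodity tools add weight only once a custom tool or unique network artifact has already tied the incident to an actor, and anything the knowledge base has seen with two actors stops counting as unique, which is how the profile stays honest as tool sharing and false flags (Olympic Destroyer being the example earlier in the deck) enter the record.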
Conclusion
UN Presentation - 10-17-2018 - Maccaglia
UN Presentation - 10-17-2018 - Maccaglia

  • 1. The New Age of Cyberthreats
  • 2. Who am I?  Hacker and Cracker of the nineties, turn to good before major disasters…  I am actually Principal Advisory Consultant for RSA Incident Response team.  Prior to join RSA I worked in several big IT corporations such as Digital, HP and Cisco.  I led IR teams engaged against cybercriminals and sophisticated attackers.
  • 3. Agenda  Introduction to modern ICT Threat landscape  APT Attacks and cases  Reasons to be concerned  What to do  What to avoid  Detailed review of most threatening actors  Recommendations
  • 4. Back then… Richard Pryce Richard Pryce Albert Gonzalez "Captain Crunch" John Draper Jeanson James Ancheta “Phiber Optik” Mark Abene Kevin Poulsen
  • 5. Now… Mexico Brazil Turkey Saudi Arabia Iran India Bangladesh Russia China Taiwan Rep of Korea Malaysia Indonesia Vietnam Lazarus Group targets Lazarus Group is a malicious adversary responsible for crippling ICT attacks and cyberespionage campaigns targeting financial, media and manufacturing sectors. US
  • 6. … and more... US Brazil Canada Morocco Spain Iceland UK France Switzerland Italy Germany Norway Czech Rep Poland Bulgaria Ukraine Russia Pakistan India Nepal China Hong Kong Taiwan Australia Qatar UAE Carbanak gang area of activities Carbanak is a sophisticated cybercriminal gang targeting the financial sector worldwide.
  • 7. What has changed?  Interconnected environments  Nearly 3 billion people (40%) have access to the Internet!  Collective Nerve system – our lives now depend on many devices  Technology is transforming how we interact and live with each other. WE HAVE
  • 8. What has changed?  Different types of players - From traditional cybercriminals to hacktivists to sophisticated frauds to cyber espionage groups  Varied actions from ransomware to spear-phishing to drive-by download  New tools used to perform attacks  Data has become an end goal, users trust a means and malware the tools  Sophisticated tools . Modern malware is able to defuse antivirus and intrusion prevention mechanisms The threat landscape
  • 9. Type of attacks Cybercrime  Identiy theft  Money theft  Phishing  Bullying  Cyber stalking  Theft of personal or company data  Ransomware  Cryptominers Cyberwarfare  Cyber espionage  Cyber attacks  Propaganda  Infiltration support  Targeted DDoS
  • 10. APT Attacks  Targeted against «strategic» users to gain access to key assets  Can do much damage long before an organization knows that it can be hit!  69% of victims learn from a third party that they have been compromised  Focus on the weakest links of your defense chain targeting specific system vulnerabilities and specific people.
  • 11. Recent attacks France The Netherland Switzerland Germany Ukraine Russia Olympic Destroyer – probably APT28 attack On February 9, shortly before the Pyeongchang opening ceremonies, televisions at the main press centre, wi-fi at the Olympic Stadium and the official website were taken down. Hackers used the so-called “Olympic Destroyer”, a strain of malware that allowed the attackers to wipe files and make systems inoperable. Initially, experts blamed North Korea for the attack, later intelligence officers attributed the cyber attack to Russia.
  • 12. Recent attacks Epic Turla– also known as Uroburos APT group Turla is a Russian cyber espionage APT active since at least 2007. It targets government organizations and private businesses. The list of known victims is long and includes the Swiss defense firm RUAG, US Department of State, and the US Central Command. Recently ESET revealed that Epic Turla breached Germany’s Federal Foreign Office syphoning data for almost the whole of 2017. US UK Germany Italy Syria Iraq Azerbaijan Turkmenistan Kazakhstan Tunisia Venezuela Brazil Paraguay Pakistan Iran Qatar Kuwait Saudi Arabia Uzbekistan Kyrgyzstan Tajikistan Afghanistan
  • 13. Case study – Tracking dissidents In 2012 the Axion APT group targeted a an international non-governmental organization that conducts research and advocacy on human rights. The attack was aimed to collect data on Tibetan and Chinese dissidents living abroad¹. The attack started against a webserver exploiting a Coldfusion vulnerability and proceeded internally by stealing users and administrator accounts. ¹ https://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf Coldfusion exploit Target web server 1 2 3 Stole admin accounts Bulletproof servers (China)
  • 14. Case study – Tracking dissidents Leveraging the stolen accounts and implanting GhostRat and Derusbi malware, the attacker sneaked into the environment and collected information related to Tibetan, Chinese and Uyghur dissidents. 4 2 5 6 7 8 When the attacker transferred the stolen data, he alerted the victim. My team was able to track the entire attack, blocking the data hemorrhage. Bulletproof servers (China)
  • 15. Another case – a UN breach In May 2017 selected individuals of the United Nations Committee investigating violations of sanctions on North Korea (UN 1718 Committee) received a zip file with a sounding email from a “known” source. Exploited email server 1 2 Somewhere in North Korea Public VPN Servers The email was written with a highly personalized message which shows the hackers have very detailed insight into the panel’s structure and working methods. 3 Victim
  • 16. Another case – a UN breach The victims opened the malicious attachment activating a sophisticated Trojan. Few hours later, the attacker moved laterally to the internal Committee database, were a significant number of evidences and documents were stored. The attacker showed interest in both Committee staff credentials and the data stored in the database, probably counting on the harvested credentials to perform additional actions. 4 Somewhere in North Korea Public VPN Servers 5 Victim UN Committee Database The attack lasted a week and was identified by verifying access to the database on non-business hours. It was attributed to North Korea’s main spy agency (Unit 180), known as “Lazarus Group” or APT37. 6
  • 17. Can an organization like us be attacked? YES
  • 18. Why would anyone want to attack the UN ?
  • 19. Here are a few reasons...  A number of Governments are interested in evaluating preliminarily the actions planned by UN missions in several key areas such as:  Yemen  Syria  Central Africa  Sudan  A number of organizations and corporations are interested in anticipating actions aimed to support local farmers and redevelop territories in Africa, by purchasing these territories from local farmers before they would receive UN support.  A number of Governments are interested in being able to create fake documentation under the UN insignia, to simplify the jobs of their local spy under cover or to give their fake identities the chance to transit with diplomatic visas.
  • 20. Biggest threat? Targeted Attacks While cyber frauds target every type of organization and could be fought with traditional tech and resources, targeted attacks are the biggest threat for any modern public and private company. While APTs may use the same techniques as traditional attacks, such as drive-by download and spear phishing, they differ from common infections because they target strategic users to gain undetected access to key assets. APTs can do insidious damage long before an organization knows that it has been hit. The attribution of APT attack is mainly based on the uniqueness of the tools any APT group uses.
  • 21. What can we do to protect ourselves?
  • 22. As an organization….  Mixed approach based on technology and human knowledge  Modern antispam, host intrusion prevention systems and firewalls  Incident Response capabilities to ensure proper reaction  Incident Response tools to empower IR personnel  Training on how to spot cyber attacks As an individual…  Keep yourself informed about ICT risks  Avoid to disseminate sensible information of you and your work  Avoid to click on links or attachments sent from untrusted channels  Avoid to use unsecure channels while working  Don’t try to solve a potential infection alone, but escalate the issue to dedicated staff
  • 23. Ok, you got attacked...now what?
  • 24.
  • 25. What to do – how to react  Protect against APT attacks is a major concern in the field of cybersecurity.  APTs can evade traditional detection, causing tremendous damage to organizations.  Compared with traditional cyberattacks, APTs exhibit two distinctive characteristics: a) The attacker of an APT is a well-resourced and well-organized group, with the goal of stealing as many sensitive data as possible from a specific organization. b) Based on meticulous reconnaissance, the attacker is going to launch a preliminary advanced social engineering attack on a few target users to gain footholds in the organization and then to gain access to critical information stealthily and slowly.  To date, the detection of APTs is far from mature.  Consequently, To successfully respond to an APT attack is to ensure all internal staff is aware of the risks and act accordingly in any “suspicious” or clearly malicious situation.
  • 26. What to do…
    • Again… don’t panic
    • Follow the rules and procedures for these cases
    • Don’t turn off your computer
    • Don’t modify your credentials
    • Escalate the problem to the proper, dedicated staff
    • Use a separate channel to communicate the problem internally (by phone or from a different computer)
    • Inform your manager
    • Don’t use the potentially breached computer until dedicated staff have investigated it and cleared it of any compromise.
  • 29. Don’t leave information about your workplace
  • 30. Privacy issues with a mobile browser: search for “human factor”
  • 31. Recommended behavior
    • Reduce the risk of being targeted by advanced actors by avoiding publishing information related to your job and private information about your life.
    • Avoid pointing your browser to malicious or untrusted websites
    • Avoid trusting unknown “third parties” through chats, IMs and other media when at work and using corporate assets.
    • Avoid clicking on any link or content not inspected by your company antivirus and antispam.
    • Don’t use cracked software
    • Don’t install programs collected from untrusted sources on p2p networks
    • DON’T USE THE SAME PASSWORD IN MULTIPLE CONTEXTS AND PUBLIC SERVICES
  • 32. Questions? And remember… We will be watching…
  • 33. Naikon (APT30)
    • Naikon is a state-sponsored gang able to infiltrate and steal sensitive data and intellectual property from military, diplomatic and enterprise targets.
    • It has carried out attacks in a number of Asian countries, as well as against the United Nations Development Programme and the Association of Southeast Asian Nations (ASEAN).
    • To get into target networks, Naikon relies on email as the attack vector and studies its victims through social engineering techniques and social media.
    • Data collection, prior to an attack, includes a significant set of private or public data related to the most “interesting” targets.
    • Naikon’s initial attacks use decoy content on local topics of interest to the victims and showing…
    • The adversary has shown a remarkable ability to adapt its initial attack strategy to whatever is most effective for breaking in, with gaining the user’s trust as the main initial objective of the infection.
  • 34. Naikon attack strategy
    The attacker studies the target to ensure the success of its initial spear-phishing, preparing suitable content and distributing it to specific, selected victims within the targeted organization. Once the infection succeeds, the attacker moves laterally and extends its control over the victim organization using commonly available tools such as psexec, procdump and other Microsoft sysadmin tools. Only for specific tasks does it use a custom backdoor based on the HDoor family.
    • Much of Naikon’s spear-phish and decoy documents match highly-charged geopolitical events.
    • The consistent list of military, economic and political targets clearly illustrates the actor’s areas of interest.
    • The name “Naikon” was derived from the User-Agent string “NOKIAN95” found in the beacons of the second-stage backdoor.
  • 35. Emissary Panda (APT 27)
    • Also known as TG-3390, it is a hacking group of Chinese origin which targets selected organizations related to education, energy and technology.
    • In the past, Emissary Panda has used many ways to target its victims, the most notable being the exploits from the Hacking Team leak.
    • Usually, Emissary Panda malware is either the well-known ‘PlugX’ or the ‘HttpBrowser’ RAT, tools with clear Chinese origins and with usage limited to Chinese APTs.
    • Typical APT 27 attacks are based on an initial compromise of victim servers, used as a trampoline to move laterally or to execute spear-phishing attacks against internal users, sending messages via trusted systems (the exploited servers already inside the victim perimeter).
    • To compromise web servers, Emissary Panda leverages zero-day exploits and webshells¹.
    ¹ Webshells are malicious code written in PHP, ASPX or other common web-based languages and extensions.
  • 36. Emissary Panda and webshells
    • Below is a typical first-stage attack of APT 27 targeting a public web server and implanting a webshell.
    • The reported webshell is called “China Chopper”. It is a simple backdoor composed of two key modules:
      • the webshell client binary
      • the text-based webshell payload (server component).
    • The China Chopper client communicates over TCP using HTTP/HTTPS POST requests to the server component.
    • The webshell is very small yet powerful, allowing the attacker to use it as a fully fledged Trojan.
    • The server component includes a significant set of options allowing terminal access and file system management.
    • APT 27 seems to stick with the China Chopper webshell more than any other APT group.
  • 37. APT27 attack strategy
    [Diagram labels: Dump credentials and attempt lateral movements; Implant webshell; Exploit vulnerable services; Scan and fingerprint web services; Exfiltrate data; Move data to controlled machines; Collect data; Scan networks; Implant backdoor on interesting targets; Send messages to selected victims including malicious content or links; Forge messages; If fails]
    • The group steals intellectual property through its custom backdoors: PlugX and the HttpBrowser RAT.
    • After the initial compromise, the adversary leverages typical scanners such as nbtscan or the scanline network scanner to identify additional targets and to prepare its lateral movements through the network.
  • 38. APT 27 latest trend
    • Recently, a growing number of security researchers reported a new infection campaign attributed to APT27 with a number of peculiar characteristics, as reported by Bitdefender:
      https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/
    • In particular, the infection campaign, named “Pzchao”, is based on highly targeted spam messages; more interestingly, at a certain stage of the attack the attacker deployed Monero cryptominers on a number of systems after the traditional exfiltration stage.
    • The reason behind the adoption of such noisy software is still under scrutiny.
    • The same actions have been reported in recent attacks against UN agencies as well. We studied some of these cases involving UN environments this year.
  • 39. APT 28
    • APT28, also known as “Fancy Bear”, “Sofacy Group” or “Sednit”, is a cyber espionage group associated with the Russian military intelligence agency GRU.
    • In 2018, an indictment¹ by the United States Special Counsel identified Fancy Bear as two GRU units known as Unit 26165 and Unit 74455.
    • Fancy Bear’s methods are consistent with the capabilities of state actors.
    • The group targets government, military and security organizations, especially in Caucasian countries and NATO-aligned states.
    • Fancy Bear is responsible for cyber attacks on the German parliament, the French television station TV5Monde, the White House, the Democratic National Committee, the Organization for Security and Co-operation in Europe and the campaign of French presidential candidate Emmanuel Macron.
    • The group promotes the political interests of the Russian government by helping favored foreign political candidates win elections.
    ¹ See source: https://www.justice.gov/file/1080281/download
  • 40. APT 28 compromise strategy
    • APT 28 attack strategies leverage a set of specialized malware.
    • The attack is multistage.
    • In the first stage, the adversary attempts to infect less protected targets, such as non-IT personnel and roaming systems.
    • During the second stage the attacker tends to maintain persistence by implementing backdoors.
    • The attack evolves into a third stage only if the attackers need to escalate control over strategic systems such as:
      • Points of Contact – systems that could be used to access the environment from outside (a typical Point of Contact is a laptop or a VPN concentrator).
      • Strategic Systems – hosts holding interesting data or that could be used as a jumpbox to other network segments (a typical Strategic System is an Active Directory server or a jumpbox).
  • 41. First Stage attack
    • The “first stage” targets are chosen with extreme care.
    • The malware used in this phase is a dropper with basic info-stealing capabilities (named Coreshell).
    • The malware can extract information such as accounts or other similar data and upload the stolen information to an external C2 server.
    • From the C2 the attacker can command the malware to “evolve” by downloading and executing the second stage: the backdoor.
    Note: Coreshell is the evolution of the Sourface dropper (the latter was used until early 2015).
    Once the infected machine communicates with the external C2, the attacker becomes aware of the infected system, its users and any additional interesting data. The attacker can either expand control over the victim or leave it and move to other targets. Usually, at this stage, the less interesting victims are cleared of any malware: the attacker prefers to keep control over just a handful of interesting systems to lower the risk of being caught.
  • 42. Second stage
    • The second stage involves a backdoor: “Eviltoss”.
    • The backdoor serves as the preferred point of entry to the target environment.
    • Eviltoss infection is limited to a small subset of the initially infected hosts.
    • The backdoor shares a number of commonalities with Coreshell.
    • The communication mechanism is protected with the same algorithm.
    • Eviltoss is usually packed (encrypted) and has a set of hardcoded configuration shared with Coreshell.
    Eviltoss is highly effective for persistence on a target system. The setup of Eviltoss is carried out via download and execution through the C2 or additional dropzones. Once Eviltoss is active, the attacker can access the victim’s filesystem and steal any type of data; it can also activate a shell to directly execute additional commands. Eviltoss allows the attacker to move laterally to other systems, further extending the magnitude of the attack and the exposure of the environment.
  • 43. APT 28 attack strategy
    • Usually, it takes weeks or months for APT 28 attacks to escalate from stage 2 to stage 3.
    • APT 28 usually starts by monitoring the controlled hosts and moving “laterally” before even considering a further enhancement of its control.
    • Once the attacker has the “big picture” of how the environment works, it may decide to deploy a tailored implant against strategic hosts.
    • The implant is a highly customized Trojan named Chopstick that is configured to work only within the targeted environment.
    • The implant is used only when persistence must be guaranteed at all costs or if the victim is a highly interesting target.
    • APT 28 has a version of this implant tailored to work on mobile devices such as iOS systems (X-Agent malware).
  • 44. Third Stage
    • Sometimes, APT 28 is forced to evolve its attack into stage 3 in order to access air-gapped environments, as in the case of the Italian Navy¹.
    • In these cases, the attacker collects data and credentials related to the target system and then implants the Trojan (named “Chopstick” or “X-Agent”).
    • Compared to Eviltoss, the Trojan is far more complex, to the point that the samples worked only if we replicated the exact same conditions of the original victim or after reversing and patching the malware code.
    Chopstick allows the attacker to gain full control of the infected system and can also include specific features such as “activation” only under specific conditions or replication in specific cases. All of this is defined in the Chopstick configuration file, bundled with the malware. Chopstick uses C2 servers, but can also work without direct contact with them for long periods of time. APT28 moves from Eviltoss to Chopstick only on systems that are key to the economy of its attack. APT28 tends to implement strong encryption and strong anti-reversing measures on every variant of Chopstick.
  • 45. APT29
    • APT29, also known as Cozy Bear, is a Russian black hat group associated with Russian intelligence.
    • The Dutch AIVD deduced from security camera footage that it is led by the Russian Foreign Intelligence Service (SVR)¹.
    • Cybersecurity firm CrowdStrike suggested that it may be associated with either the Russian Federal Security Service (FSB) or the SVR.
    • Cozy Bear has been compromising diplomatic organizations and governments since at least 2010.
    • Cozy Bear is behind the ‘HAMMERTOSS’ remote access tool, which uses commonly visited websites like Twitter and GitHub to relay command data.
    ¹ See source: https://www.volkskrant.nl/wetenschap/dutch-agencies-provide-crucial-intel-about-russia-s-interference-in-us-elections~b4f8111b/
  • 46. APT 29 First Stage attack
    • As seen in APT 28 attacks, the first stage is executed against a small number of selected targets within the victim infrastructure.
    • The targets are usually chosen with extreme care.
    • The attackers carefully avoid infecting IT or security personnel.
    • Usually, at this stage the malware used is a common dropper designed to detonate the Hammertoss backdoor.
    The spear phishing hits the victim with emails containing malicious attachments or links to malicious websites designed to compromise the victim’s browser via web access (“drive-by download”). The Hammertoss backdoor is dropped and installed via exploitation of Office applications or via “drive-by download” through browser vulnerabilities. At this point the attacker can extend control by moving to a second stage on a handful of interesting hosts. The remaining machines are cleared of any malware or artifact in order to avoid DFIR analysis and lower the chance of finding the original “patient zero”. Once infected, the backdoor communicates with the external C2 via Twitter or other HTTP/HTTPS-based applications. All communications are encrypted with basic encryption.
  • 47. APT 29 Second Stage
    • The upgrade commands were published via Twitter accounts (in our case).
    • The upgrade forced the infected system to download plugins as encrypted images (using steganography).
    • The encrypted data included instructions to execute commands via PowerShell, or to execute a file, or to save a file and execute it.
    • In several cases, the PowerShell commands directed HAMMERTOSS to upload data from the victim to cloud storage services using login credentials received via Twitter.
    APT29 tends to avoid long persistence in the victim environment. In a relatively high number of cases, once the data had been exfiltrated, the attacker completely abandoned persistence in the target environment. Through the Twitter channel, the attacker sent commands by publishing them on its account; each infected host was managed separately (using separate Twitter channels). Once the malware is upgraded, the attacker can access the victim’s filesystem and steal any type of data, and can also activate command shells to directly execute several tasks. Once the interesting data had been collected, APT 29 cleaned all involved systems using secure removal techniques. The malware can process the commands, decrypt the content from the image and execute the embedded instructions. Hammertoss allowed the attacker to access and control the target, supporting the setup of other malicious tools and lateral movement to other systems in the environment.
  • 48. APT 29 characteristics
    • APT29 mainly uses the Hammertoss malware.
    • The group’s work hours seem to align with the UTC+3 time zone, which contains cities such as Moscow and St. Petersburg.
    • The group appeared to cease operations on Russian holidays.
    • The group showed discipline and consistency in clearing the tracks of its attack after reaching its goal.
    • APT29 almost always uses anti-forensic techniques, and monitors victim remediation efforts in order to subvert them.
    • The group appears to use almost solely compromised servers for CnC to enhance the security of its operations, and maintains a rapid development cycle for its malware by quickly modifying tools to undermine detection.
    • The group targets a wide range of organizations, such as political parties, security companies, and military and political institutions worldwide.
    • The approach, the malware used and the way APT 29 acts in infected networks show similarities with advanced cybercriminal groups such as Carbanak.
  • 49. APT 37
    • APT 37, also known as Reaper, is a group carrying out attacks on behalf of the North Korean government, as its malware artifacts and targets are aligned with North Korean state interests.
    • The group’s operations are expanding in scope and sophistication, with a toolset that includes access to zero-day vulnerabilities and wiper malware.
    • Prevalent targets of APT 37 are South Korea, Japan, Vietnam and the Middle East, in various industry verticals including chemicals, electronics, manufacturing, aerospace, automotive and healthcare.
    • Recently, APT 37 was involved in cyber-espionage against UN agencies.
    • Social engineering tactics tailored specifically to desired targets, strategic web compromises typical of targeted cyber espionage operations, and the use of torrent file-sharing sites to distribute malware more indiscriminately are typical attack vectors and strategies adopted by the adversary.
    • The group has demonstrated access to zero-day vulnerabilities (CVE-2018-0802) and the ability to incorporate them into operations.
  • 50. APT 37
    • APT37 employs a suite of malware for initial intrusion and exfiltration.
    • Its malware is characterized by a focus on stealing information from victims, with many tools set up to automatically exfiltrate data of interest.
    • Along with custom malware, APT37 has access to destructive malware.
    • In April 2017, it targeted South Korean military and government organizations with the DOGCALL backdoor and RUHAPPY wiper malware.
    • RUHAPPY can overwrite a machine’s Master Boot Record (MBR), causing the system to fail to boot into preconfigured partitions.
    • It is possible that APT 37’s distribution of KARAE malware via torrent websites could assist in creating and maintaining botnets for future distributed denial-of-service (DDoS) attacks, or for other activity such as financially motivated campaigns or disruptive operations.
    Disruptive and destructive cyber threat activity, including the use of wiper malware, public leaks of proprietary materials by false hacktivist personas, DDoS attacks and electronic warfare tactics such as GPS signal jamming, is consistent with past behavior by other North Korean actors.
  • 51. Organization recommendations
    • Effective defense against these attackers can be ensured only through Incident Response (IR) capabilities.
    • Ideally, organizations empowered by IR should balance people, process and technology.
    • Solid incident responders with solid technology but without well designed, validated and established processes and procedures will leave an organization less than optimally defended.
    • An effective IR-enabled agency requires all three dimensions – people, process, technology – to work well and improve together.
    • It is important to create lightweight policies, plans and procedures related to incident response, with management buy-in, to effectively protect the environment against cyber security attacks.
    • In addition, the IR team must adopt a methodology to investigate attacks.
  • 52. How to investigate APT attacks
    • The matter is discussed frequently among subject matter experts.
    • Several approaches have been evaluated.
    • The most effective, based on public works and research, is arranged around a mix of technologies and skills.
    [Diagram labels: Ensure complete network visibility; Ensure system and log visibility; Analyze malicious artifacts to extract IOCs; Network, system and log indicators; Classification and attribution; Incident surface; Triage planned from a tailored set of strategic actions]
  • 53. Our investigation
    • The investigative methodology we use is based on Actionable IOCs (AIOCs).
    • To build AIOCs, we employ a systematic approach that relies on the synergy of network and host visibility with log and malware analysis, in order to identify key indicators that can be formalized and stored in an organized knowledge base for rapid reuse during subsequent investigations.
    • The knowledge base aggregates the Actionable IOCs (which would otherwise remain atomic indicators) into actor attack profiles that can be quickly applied to investigations in order to streamline response efforts and give non-circumstantial evidence towards attribution of malicious actors.
    • Succeeding in rapid attribution during the early stages of an incident investigation can significantly lower the time required to scope the presence of the attacker and to prepare a proper mitigation strategy to expel the adversary in the proper fashion.
  • 54. IoCs from the analysis
    • In our approach, malware analysis is a key element in generating reliable IOCs, because it is the moment when the artifacts discovered on the compromised systems can “talk” to the analyst and present the indicators needed to measure the extent and the goal of the actual attack.
    • There are several IOCs that can be extracted from a good malware analysis process, and I am not assuming this necessarily means reverse-engineering the malware.
    • Even a simple Yara rule that allows the analysts to perform a file sweep on an entire network segment or an entire enterprise could be enough.
    • The most important aspect in transforming atomic IOCs into Actionable IOCs is the formalization process, made through comparison with the consolidated KB, lab analyses and peer review.
    • An important support for the formalization of AIOCs is the “retrohunting” feature offered by VirusTotal.
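As an added illustration (example code, not from the deck), the Python below shows how atomic indicators can be formalized into weighted Actionable IOCs grouped by actor and matched against web-log and host observations, so that attribution requires an actor-specific indicator rather than a commodity tool alone, as slides 20, 53 and 54 argue. The knowledge base, weights, log format and sample lines are all constructed assumptions; the patterns only echo behaviours the Naikon, APT 27 and APT 29 slides describe, and real AIOCs would come from your own malware analysis and peer review.

```python
"""Constructed AIOC knowledge base and matcher (example code, not the deck's own)."""
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class AIOC:
    """An Actionable IOC: an atomic indicator formalized with a scope and a weight."""
    actor: str
    kind: str      # observation field the pattern applies to
    pattern: str   # regular expression, matched case-insensitively
    weight: int    # evidential weight; commodity admin tools get the lowest

# Constructed knowledge base. Patterns echo behaviours described on the slides;
# weights are illustrative assumptions, not measured values.
KB = [
    AIOC("Naikon", "user_agent", r"^NOKIAN95$", 5),                # beacon UA, slide 34
    AIOC("Naikon", "process", r"^(psexec|procdump)(\.exe)?$", 1),  # commodity tools
    AIOC("APT27", "request", r"^POST /\S+\.(aspx?|php|jsp)$", 2),  # webshell-style POST
    AIOC("APT27", "process", r"^(nbtscan|scanline)(\.exe)?$", 2),  # scanners, slide 37
    AIOC("APT29", "c2_host", r"(^|\.)(twitter|github)\.com$", 2),  # HAMMERTOSS relays
    AIOC("APT29", "process", r"^powershell(\.exe)?$", 1),          # commodity tool
]

# Constructed access-log shape: <src> "<method> <path> HTTP/x.y" <status> "<user-agent>"
ACCESS_LOG = re.compile(
    r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) "(?P<user_agent>[^"]*)"$'
)

def observations_from_access_log(line):
    """Turn one web-server log line into (kind, value) observations; [] if unparsable."""
    m = ACCESS_LOG.match(line.strip())
    if not m:
        return []
    return [("request", f"{m['method']} {m['path']}"), ("user_agent", m["user_agent"])]

def score_actors(observations, kb=KB):
    """Per actor: (total weight, strongest single weight, matched patterns for review)."""
    scores = defaultdict(lambda: [0, 0, []])
    for kind, value in observations:
        for ioc in kb:
            if ioc.kind == kind and re.search(ioc.pattern, value, re.IGNORECASE):
                entry = scores[ioc.actor]
                entry[0] += ioc.weight
                entry[1] = max(entry[1], ioc.weight)
                entry[2].append(ioc.pattern)
    return {actor: tuple(v) for actor, v in scores.items()}

def attribute(observations, kb=KB, threshold=4, min_unique_weight=2):
    """Name an actor only when the evidence is non-circumstantial.

    Mirroring the slides' point that attribution rests on the uniqueness of an actor's
    tools, the total must clear `threshold` AND at least one matched indicator must be
    actor-specific (weight >= min_unique_weight), so psexec or PowerShell alone never
    attributes.
    """
    scores = score_actors(observations, kb)
    if not scores:
        return None
    actor, (total, strongest, _) = max(scores.items(), key=lambda kv: kv[1][0])
    return actor if total >= threshold and strongest >= min_unique_weight else None

# Constructed sample data: private addresses, no real indicators.
SAMPLE_LOG = [
    '10.0.0.7 "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 "POST /images/update.aspx HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 "GET /news/asia.html HTTP/1.1" 200 "NOKIAN95"',
]
SAMPLE_HOST = [("process", "psexec.exe"), ("process", "procdump.exe")]

def investigate(log_lines=SAMPLE_LOG, host_obs=SAMPLE_HOST):
    """Merge web-log and host observations; return (attributed actor, per-actor scores)."""
    obs = [o for line in log_lines for o in observations_from_access_log(line)]
    obs.extend(host_obs)
    return attribute(obs), score_actors(obs)
```

Calling `investigate()` on the constructed data attributes the activity to Naikon (the unique User-Agent plus the commodity tools), while the two admin tools alone return no attribution.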
  • 55. Conclusion
    • Actionable IOCs are an answer to the need for solid indicators to support the investigation, attribution and triage of incidents generated by malicious actors.
    • The adoption of this methodology can positively impact investigation and triage, and also improves knowledge of the tools and strategies adopted by the adversaries.
    • The formalization process behind it can facilitate the exchange of information and indicators without the risk of unintentional leakage of sensitive information and, in short, strengthen the proactive and reactive capabilities of any organization.