ADVANCED PERSISTENT THREAT
A.P.T
BALI, 27 APRIL 2017
AHMAD MUAMMAR WK, OSCP, OSCE, EMAPT
• PROFESSIONAL HACKER/PENETRATION TESTER
• DOING OFFENSIVE SECURITY/HACKING SINCE 2002
• FOUNDER OF ECHO.OR.ID & IDSECCONF.ORG
• WEB: HTTP://AMMAR.WEB.ID
• EMAIL: ME@AMMAR.WEB.ID
• TWITTER/MASTODON: @Y3DIPS
AHMAD MUAMMAR WK, OSCP, OSCE, EMAPT
HTTPS://XKCD.COM/302/
COMMON MISCONCEPTIONS
A.P.T
SOME IT ADMINISTRATORS TEND TO THINK THAT TARGETED ATTACKS ARE A ONE-TIME EFFORT —
THAT BEING ABLE TO DETECT AND STOP ONE RUN MEANS THE END OF THE ATTACK ITSELF.
A TARGETED ATTACK IS A ONE-TIME EFFORT
THE DEMAND FOR A COMPLETE AND EFFECTIVE SOLUTION AGAINST TARGETED ATTACKS IS
QUITE HIGH, BUT SUCH A SOLUTION SIMPLY CANNOT EXIST, CONSIDERING THE NATURE OF TARGETED
ATTACKS.
THERE IS A ONE-SIZE-FITS-ALL SOLUTION AGAINST TARGETED
ATTACKS
UNFORTUNATELY, THE IMPORTANCE OF CERTAIN DATA MAY BE RELATIVE TO THE INTENTION OF
WHOEVER IS TRYING TO GET HOLD OF IT.
YOUR COMPANY IS NOT IMPORTANT ENOUGH TO BE ATTACKED.
HOWEVER, BASED ON ANALYSIS OF TARGETED ATTACKS SEEN IN THE PAST, OLDER VULNERABILITIES
ARE USED MORE FREQUENTLY.
TARGETED ATTACKS ALWAYS INVOLVE ZERO-DAY VULNERABILITIES
ALTHOUGH IT IS A VALID CONCERN, FOCUSING ON MALWARE WILL ONLY SOLVE PART OF THE
PROBLEM.
TARGETED ATTACKS ARE A MALWARE PROBLEM.
LET'S GET TO KNOW MORE
A.P.T
•THE TERM ORIGINALLY WAS DEVELOPED AS A CODE NAME FOR CHINESE-RELATED
INTRUSIONS AGAINST US MILITARY ORGANIZATIONS. IN 2006, THE UNITED STATES
AIR FORCE (USAF) ANALYSTS COINED THE TERM ADVANCED PERSISTENT THREAT
(APT) TO FACILITATE DISCUSSION OF INTRUSION ACTIVITIES WITH THEIR
UNCLEARED CIVILIAN COUNTERPARTS.
•TODAY, THE TERM APT HAS EVOLVED AND DIFFERENT PEOPLE REFER TO IT AS
DIFFERENT THINGS.
•STEALTHY, TARGETED, ADAPTIVE, AND DATA FOCUSED. [1]
ADVANCED PERSISTENT THREAT
ADVANCED: OPERATORS BEHIND THE THREAT HAVE A FULL SPECTRUM OF INTELLIGENCE-GATHERING TECHNIQUES AT THEIR DISPOSAL. THEY OFTEN COMBINE MULTIPLE TARGETING METHODS, TOOLS, AND TECHNIQUES IN ORDER TO REACH AND COMPROMISE THEIR TARGET AND MAINTAIN ACCESS TO IT.
PERSISTENT: THE ATTACKERS ARE GUIDED BY EXTERNAL ENTITIES. THE TARGETING IS CONDUCTED THROUGH CONTINUOUS MONITORING AND INTERACTION IN ORDER TO ACHIEVE THE DEFINED OBJECTIVES. ONE OF THE OPERATOR'S GOALS IS TO MAINTAIN LONG-TERM ACCESS TO THE TARGET, IN CONTRAST TO THREATS THAT ONLY NEED ACCESS TO EXECUTE A SPECIFIC TASK.
THREAT: APTS ARE A THREAT BECAUSE THEY HAVE BOTH CAPABILITY AND INTENT. APT ATTACKS ARE EXECUTED BY COORDINATED HUMAN ACTIONS, RATHER THAN BY MINDLESS AND AUTOMATED PIECES OF CODE. THE OPERATORS HAVE A SPECIFIC OBJECTIVE AND ARE SKILLED, MOTIVATED, ORGANIZED AND WELL FUNDED.
THE GOAL, THE STRUCTURE OF THE
ATTACKER, AND THE METHODS
CONVENTIONAL THREAT VS APT
THE TRADITIONAL THREAT WAS ABOUT AN IMMEDIATE NEED, E.G., A WORM WOULD TARGET AN ORGANIZATION, EXTRACT WHAT IT WANTED, AND
LEAVE, WHILE THE ULTIMATE GOAL OF AN APT IS TO MAINTAIN A LONG-TERM BEACHHEAD ON YOUR NETWORK.
THE GOAL
CONVENTIONAL THREAT VS APT
DENIAL OF SERVICE
CONVENTIONAL THREAT GOAL
WEB DEFACEMENT
CONVENTIONAL THREAT GOAL
WEB DEFACEMENT
HTTPS://XKCD.COM/932/
RANSOMWARE
CONVENTIONAL THREAT GOAL
FRAUD
CONVENTIONAL THREAT GOAL
ADVANCED PERSISTENT THREAT GOAL?
ADVANCED PERSISTENT THREAT GOAL
THE TRADITIONAL THREAT IS AN INDIVIDUAL OR A SMALL HACKER CELL, WHILE APT ATTACKERS ARE VERY WELL ORGANIZED, WELL-STRUCTURED
ORGANIZATIONS. THE STEPS OF THE ATTACK ARE BROKEN DOWN INTO A CLEAR DIVISION OF LABOR, AND EACH PERSON ON THE TEAM IS WELL TRAINED IN
THEIR RESPECTIVE SKILL.
THE STRUCTURE OF THE ATTACKER
CONVENTIONAL THREAT VS APT
CONVENTIONAL ATTACKER
HTTP://WWW.BBC.COM/INDONESIA/TRENSOSIAL-39288096
THE TRADITIONAL THREAT IS AN INDIVIDUAL OR A SMALL HACKER CELL
“HUNTING THE SHADOWS: IN DEPTH ANALYSIS OF ESCALATED APT ATTACKS“
HTTPS://WWW.SLIDESHARE.NET/BURGUZBOZO/HUNTING-THE-SHADOWS-IN-DEPTH-ANALYSIS-OF-ESCALATED-APT-ATTACKS
THE APT ATTACKER
APT ATTACKERS ARE VERY WELL ORGANIZED, WELL-STRUCTURED ORGANIZATIONS.
THE METHODS USED BY CONVENTIONAL THREATS ARE MOSTLY SIMPLE, WHILE THE METHODS USED BY APTS ALSO TAKE ADVANTAGE OF ADVANCED TECHNOLOGY.
MOST MALWARE THAT IS USED IS CUSTOMIZED FOR MAXIMUM SUCCESS AGAINST A SPECIFIC CLIENT.
THE METHODS
CONVENTIONAL THREAT VS APT
CUSTOMIZED FOR MAXIMUM SUCCESS AGAINST A SPECIFIC CLIENT
THE METHODS
CONVENTIONAL THREAT VS ADVANCED PERSISTENT THREAT
NOTABLE ATTACKS
A.P.T
NOTABLE APT ATTACK
2003: TITAN RAIN
2006: SYKIPOT
2007: ZEUS
2009: GHOSTNET
2009: OPERATION AURORA
2010: STUXNET
2011: RSA HACK
2012: FLAME
TITAN RAIN WAS THE CODE NAME GIVEN BY THE U.S. GOVERNMENT TO A SERIES OF CYBER
ESPIONAGE ATTACKS LAUNCHED IN 2003 ON U.S. DEFENSE CONTRACTORS, INCLUDING THOSE AT
LOCKHEED MARTIN, SANDIA NATIONAL LABORATORIES, REDSTONE ARSENAL AND NASA. THE
ATTACKS WERE CLAIMED TO BE OF CHINESE ORIGIN, ALTHOUGH THE CHINESE GOVERNMENT DENIED
ANY INVOLVEMENT.
TITAN RAIN
SYKIPOT IS MALWARE THAT HAS BEEN USED IN SPEARPHISHING CAMPAIGNS SINCE APPROXIMATELY
2007 AGAINST VICTIMS PRIMARILY IN THE US. SYKIPOT HAS BEEN COLLECTING AND STEALING SECRETS
AND INTELLECTUAL PROPERTY, INCLUDING DESIGN, FINANCIAL, MANUFACTURING AND STRATEGIC
PLANNING INFORMATION.
ONE VARIANT OF SYKIPOT HIJACKS SMART CARDS ON VICTIMS' MACHINES.
SYKIPOT
FIRST DISCOVERED IN 2007, WHEN IT WAS USED TO STEAL INFORMATION FROM THE U.S. DEPARTMENT
OF TRANSPORTATION, ZEUS IS A TROJAN HORSE USED TO STEAL CREDENTIALS USED FOR BANKING
AND CREDIT CARD PAYMENTS OR FOR LOGGING IN TO SOCIAL NETWORKS. ZEUS IS NOT A SPECIFIC
ATTACK FROM A SINGLE SOURCE, BUT A COMPLETE TOOL KIT PROVIDING A WIDE RANGE OF
AUTOMATED AND MANUAL TOOLS USED BY CRIMINALS AS PART OF AN APT ATTACK.
ZEUS
GHOSTNET WAS REPORTED TO HAVE INFILTRATED THE COMPUTERS OF POLITICAL, ECONOMIC AND
MEDIA TARGETS IN MORE THAN 100 COUNTRIES, INCLUDING THE EMBASSIES OF INDIA, SOUTH
KOREA, INDONESIA, ROMANIA, CYPRUS, MALTA, THAILAND, TAIWAN, PORTUGAL, GERMANY,
PAKISTAN AND THE OFFICE OF THE PRIME MINISTER OF LAOS. THE FOREIGN MINISTRIES OF IRAN,
BANGLADESH, LATVIA, INDONESIA, PHILIPPINES, BRUNEI, BARBADOS AND BHUTAN WERE ALSO
TARGETED. COMPUTERS IN THE DALAI LAMA’S TIBETAN EXILE CENTERS IN INDIA, LONDON AND NEW
YORK WERE ALSO COMPROMISED.
GHOSTNET
OPERATION AURORA WAS A SERIES OF CYBER ATTACKS CONDUCTED BY ADVANCED PERSISTENT THREATS
SUCH AS THE ELDERWOOD GROUP BASED IN BEIJING, CHINA, WITH TIES TO THE PEOPLE'S LIBERATION
ARMY. FIRST PUBLICLY DISCLOSED BY GOOGLE ON JANUARY 12, 2010, IN A BLOG POST, THE ATTACKS BEGAN
IN MID-2009 AND CONTINUED THROUGH DECEMBER 2009.
THE ATTACK WAS AIMED AT DOZENS OF OTHER ORGANIZATIONS, OF WHICH ADOBE SYSTEMS,
JUNIPER NETWORKS AND RACKSPACE HAVE PUBLICLY CONFIRMED THAT THEY WERE TARGETED.
ACCORDING TO MEDIA REPORTS, GOOGLE, YAHOO, SYMANTEC, NORTHROP GRUMMAN, MORGAN
STANLEY AND DOW CHEMICAL WERE ALSO AMONG THE TARGETS.
OPERATION AURORA
DISCOVERED IN JUNE 2010, STUXNET WAS THE FIRST PIECE OF MALWARE FOUND IN THE PUBLIC DOMAIN THAT IS
DESIGNED TO SPY ON AND SUBVERT INDUSTRIAL PROCESS SYSTEMS. STUXNET WAS CLAIMED TO HAVE
BEEN CREATED BY THE U.S. AND ISRAEL IN ORDER TO ATTACK IRAN’S NUCLEAR FACILITIES. THE
MALWARE WAS REPORTED TO HAVE CAUSED SUBSTANTIAL DAMAGE TO THE CENTRIFUGES AT THE
NATANZ NUCLEAR ENRICHMENT LABORATORY IN IRAN.
THE WORM SPECIFICALLY TARGETED SIEMENS INDUSTRIAL SOFTWARE AND EQUIPMENT, MAKING
ITSELF INERT IF THE TARGET SOFTWARE WAS NOT FOUND AND CONTAINING SAFEGUARDS TO LIMIT
THE SPREAD OF THE INFECTION. IT WAS THE FIRST PIECE OF MALWARE TO INCLUDE A
PROGRAMMABLE LOGIC CONTROLLER (PLC) ROOTKIT.
STUXNET
ON 17 MARCH 2011, RSA ANNOUNCED THAT THEY HAD BEEN VICTIMS OF "AN EXTREMELY
SOPHISTICATED CYBER ATTACK". CONCERNS WERE RAISED SPECIFICALLY IN REFERENCE TO THE
SECURID SYSTEM.
RSA OFFERED TOKEN REPLACEMENTS OR FREE SECURITY MONITORING SERVICES TO ANY OF ITS
MORE THAN 30,000 SECURID CUSTOMERS, FOLLOWING AN ATTEMPTED CYBER BREACH ON DEFENSE
CUSTOMER LOCKHEED MARTIN THAT APPEARED TO BE RELATED TO THE SECURID INFORMATION
STOLEN FROM RSA.
RSA HACK
FLAME WAS DISCOVERED BY IRAN’S NATIONAL COMPUTER EMERGENCY RESPONSE TEAM IN 2012. IT WAS
USED TO MOUNT SOPHISTICATED CYBER ESPIONAGE ATTACKS ON GOVERNMENTAL MINISTRIES,
EDUCATIONAL INSTITUTIONS AND INDIVIDUALS IN MIDDLE EASTERN COUNTRIES, INFECTING AROUND
1,000 MACHINES IN IRAN, ISRAEL, SUDAN, SYRIA, LEBANON, SAUDI ARABIA AND EGYPT.
THE FLAME MALWARE WAS LARGE AND COMPLEX, DESIGNED TO SPREAD OVER LOCAL NETWORKS OR
VIA USB STICKS. IT COULD RECORD AUDIO, SCREENSHOTS, KEYBOARD ACTIVITY AND NETWORK TRAFFIC,
INCLUDING SKYPE CONVERSATIONS. IT WAS ALSO CAPABLE OF STEALING CONTACT INFORMATION
FROM ANY NEARBY BLUETOOTH-ENABLED DEVICES.
FLAME
LIFECYCLE
A.P.T
APT LIFECYCLE
TARGETED ATTACK, GOV, BANK, PERSON, ?
PREPARATION: DEFINE TARGET
HTTPS://WWW.WHATTODOMEDIA.COM/WP-CONTENT/UPLOADS/2016/01/TARGET-MARKETING.PNG
VERY WELL FUNDED AND ORGANIZED
PREPARATION: FIND AND ORGANIZE ACCOMPLICES
HTTP://KINGOFWALLPAPERS.COM/THE-EXPENDABLES.HTML
NOT ALWAYS USING 0DAYS OR ADVANCED/SOPHISTICATED TECHNIQUES; CUSTOMIZED TO FIT THE TARGET
PREPARATION: BUILD OR ACQUIRE A TOOL
HTTPS://CNET1.CBSISTATIC.COM/IMG/VJTJB73BEWOCTBWKYAL7TMERPCI=/FIT-IN/970X0/2015/07/20/D5C13BFE-5F5E-4128-AC6C-0A3A90391E58/SWORDSPARKS.JPG
NOTABLE HACKS AGAINST SECURITY/APT COMPANIES WHOSE TOOLS ARE WIDELY USED, INCLUDING BY APTS
2011: HBGARY
2014: GAMMA GROUP / FINFISHER
2015: HACKING TEAM
2015: KASPERSKY, CYBEROAM
2016: EQUATION GROUP / NSA
2017: CIA / VAULT7
HBGARY FEDERAL FOCUSED ON TECHNOLOGY SECURITY, PROVIDING SERVICES AND TOOLS TO THE US GOVERNMENT. ON
FEBRUARY 5–6, 2011, ANONYMOUS COMPROMISED THE HBGARY WEBSITE AND COPIED TENS OF THOUSANDS OF DOCUMENTS
FROM BOTH HBGARY FEDERAL AND HBGARY, INC.
HBGARY FEDERAL
GAMMA GROUP
GAMMA GROUP IS AN ANGLO-GERMAN TECHNOLOGY COMPANY THAT SELLS SURVEILLANCE SOFTWARE TO
GOVERNMENTS AND POLICE FORCES AROUND THE WORLD. IN 2014, GAMMA GROUP WAS HACKED AND A 40 GB DUMP OF
INFORMATION WAS RELEASED DETAILING GAMMA'S 'CLIENT LISTS, PRICE LISTS, SOURCE CODE, DETAILS ABOUT THE
EFFECTIVENESS OF FINFISHER MALWARE AND MUCH MORE'.
HACKING TEAM
HACKINGTEAM IS A MILAN-BASED INFORMATION TECHNOLOGY COMPANY THAT SELLS OFFENSIVE INTRUSION AND
SURVEILLANCE CAPABILITIES TO GOVERNMENTS, LAW ENFORCEMENT AGENCIES AND CORPORATIONS. ON JULY 5, 2015,
THE TWITTER ACCOUNT OF THE COMPANY WAS COMPROMISED BY AN UNKNOWN INDIVIDUAL WHO PUBLISHED AN
ANNOUNCEMENT OF A DATA BREACH AGAINST HACKINGTEAM'S COMPUTER SYSTEMS.
KASPERSKY
KASPERSKY LAB IS A RUSSIAN MULTINATIONAL CYBERSECURITY AND ANTI-VIRUS PROVIDER HEADQUARTERED IN MOSCOW,
RUSSIA AND OPERATED BY A HOLDING COMPANY IN THE UNITED KINGDOM. IN JUNE 2015, KASPERSKY REPORTED THAT ITS
OWN NETWORK HAD BEEN INFILTRATED BY GOVERNMENT-SPONSORED MALWARE.
“EQUATION GROUP”
THE EQUATION GROUP, CLASSIFIED AS AN ADVANCED PERSISTENT THREAT, IS A HIGHLY SOPHISTICATED THREAT ACTOR
SUSPECTED OF BEING TIED TO THE UNITED STATES NATIONAL SECURITY AGENCY (NSA). IN AUGUST 2016, A HACKING
GROUP CALLING ITSELF "THE SHADOW BROKERS" ANNOUNCED THAT IT HAD STOLEN MALWARE CODE FROM THE EQUATION
GROUP.
CIA/VAULT7
VAULT 7 IS A SERIES OF DOCUMENTS THAT WIKILEAKS BEGAN TO PUBLISH ON 7 MARCH 2017, THAT DETAIL ACTIVITIES AND
CAPABILITIES OF THE UNITED STATES CENTRAL INTELLIGENCE AGENCY TO PERFORM ELECTRONIC SURVEILLANCE AND
CYBER WARFARE.
DEDICATE A MONTH OR A YEAR TO LEARNING ABOUT THEIR TARGET
PREPARATION: RESEARCH TARGET/INFRASTRUCTURE/EMPLOYEE
HTTP://CDN2.HUBSPOT.NET/HUBFS/159642/B4_THE-5-BEST-WAYS-TO-RESEARCH-YOUR-ELEARNING-COURSE-TARGET-AUDIENCE.PNG
THE ATTACK NEEDS TO BE TESTED BEFORE THE INTRUSION PHASE
PREPARATION: TEST FOR DETECTION
HTTP://WWW.OCCUPYFORANIMALS.NET/UPLOADS/7/7/3/5/7735203/2784119.JPG?870
CRAFT AND DEPLOY THE PAYLOAD (MALWARE, EXPLOIT, TOOLKIT)
INTRUSION: DEPLOYMENT
HTTP://RHYTHMTRAFFIC.COM/WP-CONTENT/UPLOADS/2012/10/INSTALLATION.JPG
GAIN A FOOTHOLD IN THE TARGET’S ENVIRONMENT
INTRUSION: INITIAL INTRUSION
HTTPS://4.BP.BLOGSPOT.COM/-JSC9IISSZEM/VYMC4TTMWTI/AAAAAAAAN5S/KNN0ZYJFNKWLKZEQZNSR_FYFIRNLM0DAACLCB/S1600/HACK-ANY-COMPUTER.PNG
NOTIFY THE APT ACTOR THAT THE INITIAL INTRUSION ATTEMPT WAS SUCCESSFUL AND THAT IT IS READY TO
ACCEPT COMMANDS
INTRUSION: OUTBOUND CONNECTION INITIATED
HTTP://0.TQN.COM/D/NP/KIDS-PUZZLES/9781580626873_0128_008.JPG
GAIN ACCESS TO ADDITIONAL SYSTEMS AND AUTHENTICATION MATERIAL THAT WILL ALLOW ACCESS TO FURTHER
SYSTEMS/MAIN TARGET
EXPANSION: EXPAND ACCESS AND OBTAIN CREDENTIALS
HTTP://WWW.FRAUDSCOOP.COM/WP-CONTENT/UPLOADS/2016/09/IDENTITY-THEFT-8-SIMPLE-STEPS-TO-KEEP-YOU-SAFE.JPG
APT ACTORS EMPLOY VARIOUS STRATEGIES TO MAINTAIN ACCESS.
EXPANSION: STRENGTHEN FOOTHOLD
HTTP://WWW.AKTUAL.COM/WP-CONTENT/UPLOADS/2016/04/TOLAK-PABRIK-SEMEN-12-4-2016-223-681X430.JPG
SEARCHING DOCUMENTS AT THE TARGET'S SITE FOR KEYWORDS AND METADATA THAT INDICATE THE
DOCUMENT MAY BE OF INTEREST TO THE ACTORS, AND SENDING THEM OUT
EXFILTRATION: EXFILTRATE DATA
HTTP://I.DAILYMAIL.CO.UK/I/PIX/2015/03/17/26B9D3B400000578-2998897-IMAGE-A-116_1426605591270.JPG
AVOIDING DETECTION, REMOVING EVIDENCE OF THE INTRUSION AND WHAT WAS TARGETED AND
ELIMINATING EVIDENCE OF WHO WAS BEHIND THE EVENT
CLEANUP: COVER TRACKS AND REMAIN UNDETECTED
HTTPS://S-MEDIA-CACHE-AK0.PINIMG.COM/564X/98/3E/C9/983EC95273FEBD893BE8F0BC135C18BD.JPG
HTTPS://WWW.TRENDMICRO.COM/VINFO/US/SECURITY/NEWS/CYBER-ATTACKS/TARGETED-ATTACKS-SIX-COMPONENTS
0. PREPARATION
1. DEPLOYMENT
2. INITIAL INTRUSION
3. OUTBOUND CONNECTION INITIATED
4. EXPANSION
5. STRENGTHEN FOOTHOLD
6. EXFILTRATE DATA
• THE BREACH INTO RSA'S NETWORK WAS CARRIED OUT BY CRACKERS WHO SENT PHISHING EMAILS TO TWO TARGETED, SMALL GROUPS OF EMPLOYEES OF RSA.
• ATTACHED TO THE EMAIL WAS AN EXCEL FILE CONTAINING MALWARE.
• WHEN AN RSA EMPLOYEE OPENED THE EXCEL FILE, THE MALWARE EXPLOITED A VULNERABILITY IN ADOBE FLASH.
• THE EXPLOIT ALLOWED THE HACKERS TO USE THE POISON IVY REMOTE ADMINISTRATION TOOL TO GAIN CONTROL OF MACHINES AND ACCESS SERVERS IN RSA'S NETWORK.
RSA HACK CASE
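The RSA case above turned on an Office attachment that carried an embedded Flash object, something a spreadsheet has no legitimate reason to contain. The following mail-gateway check is an added example written for this page, not code from the slides or from RSA: it scans an attachment for SWF headers (in a legacy OLE2 file as one blob, and inside each member of an OOXML zip) and returns a quarantine decision. The sample files, the `should_quarantine` policy and its thresholds are constructed assumptions.

```python
"""Flag e-mail attachments that carry an embedded Flash (SWF) object.

Added example (not from the slides): a mail gateway can quarantine Office
documents that contain any SWF at all. The sample files below are
constructed stand-ins; nothing here is real malware.
"""
import io
import re
import struct
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls/.doc container
ZIP_MAGIC = b"PK\x03\x04"                            # OOXML (.xlsx/.docx) container

# SWF header: "FWS" (raw), "CWS" (zlib) or "ZWS" (lzma), a version byte,
# then the uncompressed file length as a little-endian uint32.
_SWF_HEADER = re.compile(rb"[FCZ]WS([\x01-\x40])(.{4})", re.DOTALL)


def swf_offsets(blob):
    """Return offsets of plausible SWF headers inside `blob`."""
    hits = []
    for m in _SWF_HEADER.finditer(blob):
        (length,) = struct.unpack("<I", m.group(2))
        # A real SWF declares at least its own 8-byte header; an uncompressed
        # one cannot declare more bytes than remain in the container.
        uncompressed = blob[m.start()] == ord("F")
        if length >= 8 and (not uncompressed or length <= len(blob) - m.start()):
            hits.append(m.start())
    return hits


def find_embedded_swf(data):
    """Return a list of (location, offset) for SWF objects in an attachment.

    OLE2 files are scanned as one blob; OOXML files are unpacked and each
    member scanned separately, so a SWF stored as a zip entry is found too.
    """
    findings = []
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    for off in swf_offsets(zf.read(name)):
                        findings.append((name, off))
            return findings
        except zipfile.BadZipFile:
            pass  # not a usable zip: fall through and scan the raw bytes
    findings.extend(("<raw>", off) for off in swf_offsets(data))
    return findings


def should_quarantine(filename, data):
    """Gateway policy (assumption): any Office attachment with an embedded SWF is held."""
    office = filename.lower().endswith((".xls", ".xlsx", ".doc", ".docx", ".ppt", ".pptx"))
    return office and bool(find_embedded_swf(data))


# Constructed samples: minimal stand-ins, not real documents.
def _fake_swf():
    # "CWS", version 10, declared length 4096, then a few filler bytes.
    return b"CWS" + bytes([10]) + struct.pack("<I", 4096) + b"\x78\x9c" + b"\x00" * 16


CLEAN_XLS = OLE2_MAGIC + b"\x00" * 64 + b"Workbook" + b"\x00" * 64
SUSPECT_XLS = OLE2_MAGIC + b"\x00" * 64 + b"Workbook" + _fake_swf() + b"\x00" * 32


def _build_xlsx(with_swf):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_swf:
            zf.writestr("xl/embeddings/oleObject1.bin", _fake_swf())
    return buf.getvalue()


CLEAN_XLSX = _build_xlsx(False)
SUSPECT_XLSX = _build_xlsx(True)

if __name__ == "__main__":
    for name, blob in [("report.xls", CLEAN_XLS), ("plan.xls", SUSPECT_XLS),
                       ("report.xlsx", CLEAN_XLSX), ("plan.xlsx", SUSPECT_XLSX)]:
        verdict = "QUARANTINE" if should_quarantine(name, blob) else "deliver"
        print(f"{name}: {verdict} {find_embedded_swf(blob)}")
```

The check is deliberately content-based rather than extension-based: the OOXML branch unpacks the container so an object hidden as a zip member is still seen, and the declared-length sanity test keeps random byte runs that happen to spell "FWS" from raising alerts.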
DEMO
APT LIFECYCLE VS HACKING VS COMMODITY THREATS
HTTPS://EN.WIKIPEDIA.ORG/WIKI/ADVANCED_PERSISTENT_THREAT
WHERE'S THE PROBLEM
APT
THE THREAT HAS CHANGED, BUT ORGANIZATIONS' APPROACH TO
SECURITY HAS NOT CHANGED.
SOME ORGANIZATIONS ARE DOING GOOD THINGS TO HELP
PROTECT THE ENVIRONMENT, BUT THEY ARE NOT DOING THE RIGHT
THINGS THAT WILL STOP ADVANCED ATTACKERS.
HTTPS://XKCD.COM/463/
ORGANIZATIONS THINK MONEY EQUALS SECURITY. JUST BECAUSE AN
ORGANIZATION BUYS A LOT OF PRODUCTS DOES NOT MEAN IT
WILL BE SECURE.
MOST ORGANIZATIONS DO NOT UNDERSTAND HOW THE OFFENSE
OPERATES AND IN MANY CASES ARE NOT FIXING THE RIGHT
PROBLEMS.
HOW TO SURVIVE
A.P.T
• UNDERSTAND RISK
• DISCOVER
• CONTROL
• IMPLEMENT THE CIA (CONFIDENTIALITY, INTEGRITY, AVAILABILITY) CONCEPT
• CLASSIFY
• ENCRYPTION
PROTECT YOUR CRITICAL DATA
PREVENTION IS IDEAL BUT DETECTION IS A MUST
INBOUND PREVENTION AND OUTBOUND DETECTION
PROACTIVE (INSTEAD OF REACTIVE) SECURITY
OFFENSE MUST GUIDE THE DEFENSE.
PREVENT AND DETECT
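"Outbound detection" is where the lifecycle step "OUTBOUND CONNECTION INITIATED" becomes visible to the defender: an implant that has to tell its operator it is alive, and keep asking for tasking, produces one internal host contacting one external host at near-constant intervals with near-identical reply sizes. The script below is an added example for this page, not code from the slides or any product: it groups proxy log lines by (source, destination) pair and flags pairs whose inter-arrival jitter is low. The log lines, field layout and thresholds are constructed assumptions.

```python
"""Detect periodic outbound beaconing in proxy logs.

Added example (not from the slides). Sample log lines are constructed:
"timestamp src_ip dst_host bytes", one request per line.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 checks in every ~5 minutes with a tiny reply;
# 10.0.0.7 browses normally.
SAMPLE_LOG = """\
2017-04-20T09:00:00 10.0.0.5 update-cdn.example.net 512
2017-04-20T09:00:03 10.0.0.7 news.example.org 18432
2017-04-20T09:05:00 10.0.0.5 update-cdn.example.net 514
2017-04-20T09:07:41 10.0.0.7 mail.example.org 2211
2017-04-20T09:10:01 10.0.0.5 update-cdn.example.net 511
2017-04-20T09:12:09 10.0.0.7 news.example.org 9090
2017-04-20T09:15:00 10.0.0.5 update-cdn.example.net 513
2017-04-20T09:19:55 10.0.0.7 cdn.example.org 40960
2017-04-20T09:20:00 10.0.0.5 update-cdn.example.net 512
2017-04-20T09:24:30 10.0.0.7 news.example.org 12000
2017-04-20T09:25:01 10.0.0.5 update-cdn.example.net 515
2017-04-20T09:30:00 10.0.0.5 update-cdn.example.net 512
"""


def parse_log(text):
    """Yield (src, dst, timestamp, bytes) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, size = parts
        try:
            yield src, dst, datetime.fromisoformat(ts), int(size)
        except ValueError:
            continue


def find_beacons(text, min_hits=6, max_jitter=0.1, max_size_spread=64):
    """Return [(src, dst, mean_interval_s, jitter)] for periodic pairs.

    A pair is flagged when it has at least `min_hits` requests, the
    inter-arrival times have a coefficient of variation at or below
    `max_jitter`, and the reply sizes vary by no more than `max_size_spread`
    bytes (a "no tasking" heartbeat reply looks the same every time).
    The thresholds are illustrative assumptions, not tuned values.
    """
    by_pair = defaultdict(list)
    for src, dst, ts, size in parse_log(text):
        by_pair[(src, dst)].append((ts, size))

    flagged = []
    for (src, dst), events in by_pair.items():
        if len(events) < min_hits:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # burst of identical timestamps, not a schedule
        jitter = pstdev(gaps) / avg
        sizes = [s for _, s in events]
        if jitter <= max_jitter and max(sizes) - min(sizes) <= max_size_spread:
            flagged.append((src, dst, round(avg, 1), round(jitter, 3)))
    return flagged


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("possible beacon:", hit)
```

In practice the same logic runs over a day of logs rather than half an hour; the two knobs that matter are `min_hits` (raise it to cut false positives from legitimate pollers such as software updaters) and the size spread (real tasking replies break the pattern, so a pair that is periodic but variable in size is worth a second look rather than an automatic alert).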
ATTACKERS WERE DISCOVERED DURING A ROUTINE AUDIT
PREVENTION IS IDEAL BUT DETECTION IS A MUST
HTTPS://TWITTER.COM/X0RZ/STATUS/854706307395461121
INCIDENT RESPONSE IS A NECESSITY, SINCE NOT ALL
ATTACKS CAN BE STOPPED.
ONCE THE INCIDENT HAS BEEN DETERMINED AND FIXED, THE
NEXT PHASE IS TO RECOVER/REBUILD THE
SYSTEMS AND DATA AND
PUT THE SYSTEMS BACK INTO PRODUCTION.
RESPOND AND RECOVER
THE FUTURE
A.P.T
THE LANDSCAPE HAS CHANGED: CLOUD COMPUTING AND MOBILE
INFRASTRUCTURE
1. “COMMON MISCONCEPTIONS IT ADMINS HAVE ON TARGETED ATTACKS” - HTTP://BLOG.TRENDMICRO.COM/TRENDLABS-SECURITY-INTELLIGENCE/COMMON-MISCONCEPTIONS-IT-ADMINS-HAVE-ON-TARGETED-ATTACKS/
2. SYNGRESS - “ADVANCED PERSISTENT THREAT: UNDERSTANDING THE DANGER AND HOW TO PROTECT YOUR ORGANIZATION” - DR. ERIC COLE
3. “THE MOST FAMOUS ADVANCED PERSISTENT THREATS IN HISTORY” - HTTP://WWW.ITBUSINESSEDGE.COM/SLIDESHOWS/THE-MOST-FAMOUS-ADVANCED-PERSISTENT-THREATS-IN-HISTORY.HTML - ACCESSED APRIL 23, 2017
4. “WIKIPEDIA” - HTTP://WIKIPEDIA.ORG
5. “LIFECYCLE OF AN ADVANCED PERSISTENT THREAT” - HTTP://WWW.REDTEAMUSA.COM/PDF/LIFECYCLE%20OF%20AN%20ADVANCED%20PERSISTENT%20THREAT.PDF
6. MOST OF THE IMAGES - SEARCH VIA HTTP://IMAGES.GOOGLE.COM
REFERENCE
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts servicevipmodelshub1
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌  8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌  8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Delhi Call girls
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130  Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130  Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian  Call girls in Dubai +971563133746 Dubai  Call girlsRussian  Call girls in Dubai +971563133746 Dubai  Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$kojalkojal131
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Roomgirls4nights
 
Radiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsRadiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsstephieert
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts servicesonalikaur4
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebJames Anderson
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 

Último (20)

FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌  8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌  8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130  Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130  Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian  Call girls in Dubai +971563133746 Dubai  Call girlsRussian  Call girls in Dubai +971563133746 Dubai  Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
 
Radiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsRadiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girls
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 

APT Threats Explained

  • 1. ADVANCED PERSISTENT THREAT A.P.T BALI, 27 APRIL 2017 AHMAD MUAMMAR WK, OSCP, OSCE, EMAPT
  • 2. •PROFESSIONAL HACKER/PENETRATION TESTER •DOING OFFENSIVE SECURITY/HACKING SINCE 2002 •FOUNDER OF ECHO.OR.ID & IDSECCONF.ORG •WEB: HTTP://AMMAR.WEB.ID •EMAIL: ME@AMMAR.WEB.ID •TWITTER/MASTODON: @Y3DIPS AHMAD MUAMMAR WK, OSCP, OSCE, EMAPT HTTPS://XKCD.COM/302/
  • 4. SOME IT ADMINISTRATORS TEND TO THINK THAT TARGETED ATTACKS ARE A ONE-TIME EFFORT — THAT BEING ABLE TO DETECT AND STOP ONE RUN MEANS THE END OF THE ATTACK ITSELF. A TARGETED ATTACK IS A ONE-TIME EFFORT
  • 5. THE DEMAND FOR A COMPLETE AND EFFECTIVE SOLUTION AGAINST TARGETED ATTACKS IS QUITE HIGH, BUT SUCH A SOLUTION SIMPLY CANNOT EXIST, CONSIDERING THE NATURE OF TARGETED ATTACKS. THERE IS A ONE-SIZE-FITS-ALL SOLUTION AGAINST TARGETED ATTACKS
  • 6. UNFORTUNATELY, THE IMPORTANCE OF CERTAIN DATA MAY BE RELATIVE TO THE INTENTION OF WHOEVER IS TRYING TO GET HOLD OF IT. YOUR COMPANY IS NOT IMPORTANT ENOUGH TO BE ATTACKED.
  • 7. HOWEVER, BASED ON ANALYSIS OF TARGETED ATTACKS SEEN IN THE PAST, OLDER VULNERABILITIES ARE USED MORE FREQUENTLY. TARGETED ATTACKS ALWAYS INVOLVE ZERO-DAY VULNERABILITIES
  • 8. ALTHOUGH IT IS A VALID CONCERN,  FOCUSING ON MALWARE WILL ONLY SOLVE PART OF THE PROBLEM. TARGETED ATTACKS ARE A MALWARE PROBLEM.
  • 9. LET'S GET TO KNOW MORE A.P.T
  • 10. •THE TERM ORIGINALLY WAS DEVELOPED AS A CODE NAME FOR CHINESE-RELATED INTRUSIONS AGAINST US MILITARY ORGANIZATIONS. IN 2006, THE UNITED STATES AIR FORCE (USAF) ANALYSTS COINED THE TERM ADVANCED PERSISTENT THREAT (APT) TO FACILITATE DISCUSSION OF INTRUSION ACTIVITIES WITH THEIR UNCLEARED CIVILIAN COUNTERPARTS. •TODAY, THE TERM APT HAS EVOLVED AND DIFFERENT PEOPLE REFER TO IT AS DIFFERENT THINGS. •STEALTHY, TARGETED, ADAPTIVE, AND DATA FOCUSED. [1] ADVANCED PERSISTENT THREAT
  • 11. ADVANCED: OPERATORS BEHIND THE THREAT HAVE A FULL SPECTRUM OF INTELLIGENCE-GATHERING TECHNIQUES AT THEIR DISPOSAL. THEY OFTEN COMBINE MULTIPLE TARGETING METHODS, TOOLS, AND TECHNIQUES IN ORDER TO REACH AND COMPROMISE THEIR TARGET AND MAINTAIN ACCESS TO IT.
  • 12. PERSISTENT: THE ATTACKERS ARE GUIDED BY EXTERNAL ENTITIES. THE TARGETING IS CONDUCTED THROUGH CONTINUOUS MONITORING AND INTERACTION IN ORDER TO ACHIEVE THE DEFINED OBJECTIVES. ONE OF THE OPERATOR'S GOALS IS TO MAINTAIN LONG-TERM ACCESS TO THE TARGET, IN CONTRAST TO THREATS THAT ONLY NEED ACCESS TO EXECUTE A SPECIFIC TASK.
  • 13. THREAT: APTS ARE A THREAT BECAUSE THEY HAVE BOTH CAPABILITY AND INTENT. APT ATTACKS ARE EXECUTED BY COORDINATED HUMAN ACTIONS, RATHER THAN BY MINDLESS AND AUTOMATED PIECES OF CODE. THE OPERATORS HAVE A SPECIFIC OBJECTIVE AND ARE SKILLED, MOTIVATED, ORGANIZED AND WELL FUNDED.
  • 14. THE GOAL, THE STRUCTURE OF THE ATTACKER, AND THE METHODS CONVENTIONAL THREAT VS APT
  • 15. THE TRADITIONAL THREAT WAS ABOUT THE IMMEDIATE NEED. E.G. A WORM WOULD TARGET AN ORGANIZATION, EXTRACT WHAT IT WANTED, AND LEAVE, WHILE THE ULTIMATE GOAL OF AN APT IS TO MAINTAIN A LONG-TERM BEACHHEAD ON YOUR NETWORK. THE GOAL CONVENTIONAL THREAT VS APT
  • 23. THE TRADITIONAL THREAT IS AN INDIVIDUAL OR A SMALL HACKER CELL, WHILE APT ATTACKERS ARE VERY WELL ORGANIZED, WELL-STRUCTURED ORGANIZATIONS. THE STEPS OF THE ATTACK ARE BROKEN DOWN INTO A CLEAR DIVISION OF LABOR, AND EACH PERSON ON THE TEAM IS WELL TRAINED IN THEIR RESPECTIVE SKILL. THE STRUCTURE OF THE ATTACKER CONVENTIONAL THREAT VS APT
  • 25. “HUNTING THE SHADOWS: IN DEPTH ANALYSIS OF ESCALATED APT ATTACKS“ HTTPS://WWW.SLIDESHARE.NET/BURGUZBOZO/HUNTING-THE-SHADOWS-IN-DEPTH-ANALYSIS-OF-ESCALATED-APT-ATTACKS THE APT ATTACKER: APT ATTACKERS ARE VERY WELL ORGANIZED, WELL-STRUCTURED ORGANIZATIONS.
  • 26. THE METHODS USED BY CONVENTIONAL THREATS ARE MOSTLY SIMPLE, WHILE THE METHODS USED BY APTS ALSO TAKE ADVANTAGE OF ADVANCED TECHNOLOGY. MOST MALWARE THAT IS USED IS CUSTOMIZED FOR MAXIMUM SUCCESS AGAINST A SPECIFIC CLIENT. THE METHODS CONVENTIONAL THREAT VS APT
  • 27. CUSTOMIZED FOR MAXIMUM SUCCESS AGAINST A SPECIFIC CLIENT THE METHODS
  • 28. CONVENTIONAL THREAT VS ADVANCED PERSISTENT THREAT
  • 30. NOTABLE APT ATTACKS (TIMELINE): TITAN RAIN (2003), SYKIPOT (2006), ZEUS (2007), GHOSTNET (2009), OPERATION AURORA (2009), STUXNET (2010), RSA HACK (2011), FLAME (2012)
  • 31. TITAN RAIN WAS THE CODE NAME GIVEN BY THE U.S. GOVERNMENT TO A SERIES OF CYBER ESPIONAGE ATTACKS LAUNCHED IN 2003 ON U.S. DEFENSE CONTRACTORS, INCLUDING THOSE AT LOCKHEED MARTIN, SANDIA NATIONAL LABORATORIES, REDSTONE ARSENAL AND NASA. THE ATTACKS WERE CLAIMED TO BE OF CHINESE ORIGIN, ALTHOUGH THE CHINESE GOVERNMENT DENIED ANY INVOLVEMENT. TITAN RAIN
  • 32. SYKIPOT IS MALWARE THAT HAS BEEN USED IN SPEARPHISHING CAMPAIGNS SINCE APPROXIMATELY 2007 AGAINST VICTIMS PRIMARILY IN THE US. SYKIPOT HAS BEEN COLLECTING AND STEALING SECRETS AND INTELLECTUAL PROPERTY, INCLUDING DESIGN, FINANCIAL, MANUFACTURING AND STRATEGIC PLANNING INFORMATION. ONE VARIANT OF SYKIPOT HIJACKS SMART CARDS ON VICTIMS. SYKIPOT
  • 33. FIRST DISCOVERED IN 2007, WHEN IT WAS USED TO STEAL INFORMATION FROM THE U.S. DEPARTMENT OF TRANSPORTATION, ZEUS IS A TROJAN HORSE USED TO STEAL CREDENTIALS USED FOR BANKING AND CREDIT CARD PAYMENTS OR FOR LOGGING IN TO SOCIAL NETWORKS. ZEUS IS NOT A SPECIFIC ATTACK FROM A SINGLE SOURCE, BUT A COMPLETE TOOL KIT PROVIDING A WIDE RANGE OF AUTOMATED AND MANUAL TOOLS USED BY CRIMINALS AS PART OF AN APT ATTACK. ZEUS
  • 34. GHOSTNET WAS REPORTED TO HAVE INFILTRATED THE COMPUTERS OF POLITICAL, ECONOMIC AND MEDIA TARGETS IN MORE THAN 100 COUNTRIES, INCLUDING THE EMBASSIES OF INDIA, SOUTH KOREA, INDONESIA, ROMANIA, CYPRUS, MALTA, THAILAND, TAIWAN, PORTUGAL, GERMANY, PAKISTAN AND THE OFFICE OF THE PRIME MINISTER OF LAOS. THE FOREIGN MINISTRIES OF IRAN, BANGLADESH, LATVIA, INDONESIA, PHILIPPINES, BRUNEI, BARBADOS AND BHUTAN WERE ALSO TARGETED. COMPUTERS IN THE DALAI LAMA’S TIBETAN EXILE CENTERS IN INDIA, LONDON AND NEW YORK WERE ALSO COMPROMISED. GHOSTNET
  • 35. OPERATION AURORA WAS A SERIES OF CYBER ATTACKS CONDUCTED BY ADVANCED PERSISTENT THREATS SUCH AS THE ELDERWOOD GROUP BASED IN BEIJING, CHINA, WITH TIES TO THE PEOPLE'S LIBERATION ARMY. FIRST PUBLICLY DISCLOSED BY GOOGLE ON JANUARY 12, 2010, IN A BLOG POST, THE ATTACKS BEGAN IN MID-2009 AND CONTINUED THROUGH DECEMBER 2009. THE ATTACK HAS BEEN AIMED AT DOZENS OF OTHER ORGANIZATIONS, OF WHICH ADOBE SYSTEMS, JUNIPER NETWORKS AND RACKSPACE HAVE PUBLICLY CONFIRMED THAT THEY WERE TARGETED. ACCORDING TO MEDIA REPORTS, GOOGLE, YAHOO, SYMANTEC, NORTHROP GRUMMAN, MORGAN STANLEY AND DOW CHEMICAL WERE ALSO AMONG THE TARGETS. OPERATION AURORA
  • 36. DISCOVERED IN JUNE 2010, WAS THE FIRST PIECE OF MALWARE FOUND IN THE PUBLIC DOMAIN THAT IS DESIGNED TO SPY ON AND SUBVERT INDUSTRIAL PROCESS SYSTEMS. STUXNET WAS CLAIMED TO HAVE BEEN CREATED BY THE U.S. AND ISRAEL IN ORDER TO ATTACK IRAN’S NUCLEAR FACILITIES. THE MALWARE WAS REPORTED TO HAVE CAUSED SUBSTANTIAL DAMAGE TO THE CENTRIFUGES AT THE NATANZ NUCLEAR ENRICHMENT LABORATORY IN IRAN. THE WORM SPECIFICALLY TARGETED SIEMENS INDUSTRIAL SOFTWARE AND EQUIPMENT, MAKING ITSELF INERT IF THE TARGET SOFTWARE WAS NOT FOUND AND CONTAINING SAFEGUARDS TO LIMIT THE SPREAD OF THE INFECTION. IT WAS THE FIRST PIECE OF MALWARE TO INCLUDE A PROGRAMMABLE LOGIC CONTROLLER (PLC) ROOTKIT. STUXNET
  • 37. ON 17 MARCH 2011, RSA ANNOUNCED THAT THEY HAD BEEN VICTIMS OF "AN EXTREMELY SOPHISTICATED CYBER ATTACK". CONCERNS WERE RAISED SPECIFICALLY IN REFERENCE TO THE SECURID SYSTEM. RSA OFFERED TOKEN REPLACEMENTS OR FREE SECURITY MONITORING SERVICES TO ANY OF ITS MORE THAN 30,000 SECURID CUSTOMERS, FOLLOWING AN ATTEMPTED CYBER BREACH ON DEFENSE CUSTOMER LOCKHEED MARTIN THAT APPEARED TO BE RELATED TO THE SECURID INFORMATION STOLEN FROM RSA. RSA HACK
  • 38. FLAME WAS DISCOVERED BY IRAN’S NATIONAL COMPUTER EMERGENCY RESPONSE TEAM IN 2012. IT WAS USED TO MOUNT SOPHISTICATED CYBER ESPIONAGE ATTACKS ON GOVERNMENTAL MINISTRIES, EDUCATIONAL INSTITUTIONS AND INDIVIDUALS IN MIDDLE EASTERN COUNTRIES, INFECTING AROUND 1,000 MACHINES IN IRAN, ISRAEL, SUDAN, SYRIA, LEBANON, SAUDI ARABIA AND EGYPT. THE FLAME MALWARE WAS LARGE AND COMPLEX, DESIGNED TO SPREAD OVER LOCAL NETWORKS OR VIA USB STICKS. IT COULD RECORD AUDIO, SCREENSHOTS, KEYBOARD ACTIVITY AND NETWORK TRAFFIC, INCLUDING SKYPE CONVERSATIONS. IT WAS ALSO CAPABLE OF STEALING CONTACT INFORMATION FROM ANY NEARBY BLUETOOTH-ENABLED DEVICES. FLAME
  • 41. TARGETED ATTACK, GOV, BANK, PERSON, ? PREPARATION: DEFINE TARGET HTTPS://WWW.WHATTODOMEDIA.COM/WP-CONTENT/UPLOADS/2016/01/TARGET-MARKETING.PNG
  • 42. VERY WELL FUNDED AND ORGANIZED PREPARATION: FIND AND ORGANIZE ACCOMPLICES HTTP://KINGOFWALLPAPERS.COM/THE-EXPENDABLES.HTML
  • 43. NOT ALWAYS USING 0DAY OR ADVANCED/SOPHISTICATED TECHNIQUE, CUSTOMIZED TO FIT THE TARGET PREPARATION: BUILD OR ACQUIRE A TOOL HTTPS://CNET1.CBSISTATIC.COM/IMG/VJTJB73BEWOCTBWKYAL7TMERPCI=/FIT-IN/970X0/2015/07/20/D5C13BFE-5F5E-4128-AC6C-0A3A90391E58/SWORDSPARKS.JPG
  • 44. NOTABLE HACKS AGAINST SECURITY/APT COMPANIES WHOSE TOOLS ARE WIDELY USED, INCLUDING BY APTS (TIMELINE): HBGARY (2011), GAMMA GROUP/FINFISHER (2014), HACKING TEAM (2015), KASPERSKY, CYBEROAM (2015), EQUATION GROUP/NSA (2016), CIA/VAULT7 (2017)
  • 45. HBGARY FEDERAL FOCUSED ON TECHNOLOGY SECURITY, PROVIDE SERVICES AND TOOLS TO THE US GOVERNMENT. ON FEBRUARY 5–6, 2011, ANONYMOUS COMPROMISED THE HBGARY WEBSITE, COPIED TENS OF THOUSANDS OF DOCUMENTS FROM BOTH HBGARY FEDERAL AND HBGARY, INC HBGARY FEDERAL
  • 46. GAMMA GROUP GAMMA GROUP IS AN ANGLO-GERMAN TECHNOLOGY COMPANY THAT SELLS SURVEILLANCE SOFTWARE TO GOVERNMENTS AND POLICE FORCES AROUND THE WORLD. IN 2014, GAMMA GROUP WAS HACKED AND A 40 GB DUMP OF INFORMATION WAS RELEASED DETAILING GAMMA'S 'CLIENT LISTS, PRICE LISTS, SOURCE CODE, DETAILS ABOUT THE EFFECTIVENESS OF FINFISHER MALWARE AND MUCH MORE.'
  • 47. HACKING TEAM HACKINGTEAM IS A MILAN-BASED INFORMATION TECHNOLOGY COMPANY THAT SELLS OFFENSIVE INTRUSION AND SURVEILLANCE CAPABILITIES TO GOVERNMENTS, LAW ENFORCEMENT AGENCIES AND CORPORATIONS. ON JULY 5, 2015, THE TWITTER ACCOUNT OF THE COMPANY WAS COMPROMISED BY AN UNKNOWN INDIVIDUAL WHO PUBLISHED AN ANNOUNCEMENT OF A DATA BREACH AGAINST HACKINGTEAM'S COMPUTER SYSTEMS.
  • 48. KASPERSKY KASPERSKY LAB IS A RUSSIAN MULTINATIONAL CYBERSECURITY AND ANTI-VIRUS PROVIDER HEADQUARTERED IN MOSCOW, RUSSIA AND OPERATED BY A HOLDING COMPANY IN THE UNITED KINGDOM. IN JUNE 2015, KASPERSKY REPORTED THAT ITS OWN NETWORK HAD BEEN INFILTRATED BY GOVERNMENT-SPONSORED MALWARE
  • 49. “EQUATION GROUP” THE EQUATION GROUP, CLASSIFIED AS AN ADVANCED PERSISTENT THREAT, IS A HIGHLY SOPHISTICATED THREAT ACTOR SUSPECTED OF BEING TIED TO THE UNITED STATES NATIONAL SECURITY AGENCY (NSA). IN AUGUST 2016, A HACKING GROUP CALLING ITSELF "THE SHADOW BROKERS" ANNOUNCED THAT IT STOLE MALWARE CODE FROM THE EQUATION GROUP
  • 50. CIA/VAULT7 VAULT 7 IS A SERIES OF DOCUMENTS THAT WIKILEAKS BEGAN TO PUBLISH ON 7 MARCH 2017, THAT DETAIL ACTIVITIES AND CAPABILITIES OF THE UNITED STATES CENTRAL INTELLIGENCE AGENCY TO PERFORM ELECTRONIC SURVEILLANCE AND CYBER WARFARE.
  • 51. DEDICATE A MONTH/YEAR TO LEARN ABOUT THEIR TARGET PREPARATION: RESEARCH TARGET/INFRASTRUCTURE/EMPLOYEE HTTP://CDN2.HUBSPOT.NET/HUBFS/159642/B4_THE-5-BEST-WAYS-TO-RESEARCH-YOUR-ELEARNING-COURSE-TARGET-AUDIENCE.PNG
  • 52. ATTACK NEED TO BE TESTED BEFORE INTRUSION PHASE PREPARATION: TEST FOR DETECTION HTTP://WWW.OCCUPYFORANIMALS.NET/UPLOADS/7/7/3/5/7735203/2784119.JPG?870
  • 53. CRAFTED, DEPLOY THE PAYLOAD (MALWARE, EXPLOIT, TOOLKIT) INTRUSION: DEPLOYMENT HTTP://RHYTHMTRAFFIC.COM/WP-CONTENT/UPLOADS/2012/10/INSTALLATION.JPG
  • 54. GAIN A FOOTHOLD IN THE TARGET’S ENVIRONMENT INTRUSION: INITIAL INTRUSION HTTPS://4.BP.BLOGSPOT.COM/-JSC9IISSZEM/VYMC4TTMWTI/AAAAAAAAN5S/KNN0ZYJFNKWLKZEQZNSR_FYFIRNLM0DAACLCB/S1600/HACK-ANY-COMPUTER.PNG
  • 55. NOTIFY THE APT ACTOR THAT THE INITIAL INTRUSION ATTEMPT WAS SUCCESSFUL AND THAT IT IS READY TO ACCEPT COMMANDS INTRUSION: OUTBOUND CONNECTION INITIATED HTTP://0.TQN.COM/D/NP/KIDS-PUZZLES/9781580626873_0128_008.JPG
  • 56. GAIN ACCESS TO ADDITIONAL SYSTEMS AND AUTHENTICATION MATERIAL THAT WILL ALLOW ACCESS TO FURTHER SYSTEMS/MAIN TARGET EXPANSION: EXPAND ACCESS AND OBTAIN CREDENTIALS HTTP://WWW.FRAUDSCOOP.COM/WP-CONTENT/UPLOADS/2016/09/IDENTITY-THEFT-8-SIMPLE-STEPS-TO-KEEP-YOU-SAFE.JPG
  • 57. APT ACTORS EMPLOY VARIOUS STRATEGIES TO MAINTAIN ACCESS. EXPANSION: STRENGTHEN FOOTHOLD HTTP://WWW.AKTUAL.COM/WP-CONTENT/UPLOADS/2016/04/TOLAK-PABRIK-SEMEN-12-4-2016-223-681X430.JPG
  • 58. SEARCHING DOCUMENTS AT THE TARGET’S SITE FOR KEYWORDS AND METADATA THAT INDICATE THE DOCUMENT MAY BE OF INTEREST TO THE ACTORS, AND SENDING IT OUT. EXFILTRATION: EXFILTRATE DATA HTTP://I.DAILYMAIL.CO.UK/I/PIX/2015/03/17/26B9D3B400000578-2998897-IMAGE-A-116_1426605591270.JPG
  • 59. AVOIDING DETECTION, REMOVING EVIDENCE OF THE INTRUSION AND WHAT WAS TARGETED AND ELIMINATING EVIDENCE OF WHO WAS BEHIND THE EVENT CLEANUP: COVER TRACKS AND REMAIN UNDETECTED HTTPS://S-MEDIA-CACHE-AK0.PINIMG.COM/564X/98/3E/C9/983EC95273FEBD893BE8F0BC135C18BD.JPG
  • 60. HTTPS://WWW.TRENDMICRO.COM/VINFO/US/SECURITY/NEWS/CYBER-ATTACKS/TARGETED-ATTACKS-SIX-COMPONENTS 0. PREPARATION; 1. DEPLOYMENT; 2. INITIAL INTRUSION; 3. OUTBOUND CONNECTION INITIATED; 4. EXPANSION; 5. STRENGTHEN FOOTHOLD; 6. EXFILTRATE DATA
  • 61. •THE BREACH INTO RSA'S NETWORK WAS CARRIED OUT BY CRACKERS WHO SENT PHISHING EMAILS TO TWO TARGETED, SMALL GROUPS OF EMPLOYEES OF RSA. •ATTACHED TO THE EMAIL WAS AN EXCEL FILE CONTAINING MALWARE. •WHEN AN RSA EMPLOYEE OPENED THE EXCEL FILE, THE MALWARE EXPLOITED A VULNERABILITY IN ADOBE FLASH. •THE EXPLOIT ALLOWED THE HACKERS TO USE THE POISON IVY REMOTE ADMINISTRATION TOOL TO GAIN CONTROL OF MACHINES AND ACCESS SERVERS IN RSA'S NETWORK. RSA HACK CASE
  • 62. DEMO
  • 63. APT LIFECYCLE VS HACKING VS COMMODITY THREATS HTTPS://EN.WIKIPEDIA.ORG/WIKI/ADVANCED_PERSISTENT_THREAT
  • 65. THE THREAT HAS CHANGED BUT ORGANIZATION’S APPROACH TO SECURITY HAS NOT CHANGED.
  • 66. SOME ORGANIZATIONS ARE DOING GOOD THINGS TO HELP PROTECT THE ENVIRONMENT, BUT THEY ARE NOT DOING THE RIGHT THING WHICH WILL STOP ADVANCED ATTACKERS. HTTPS://XKCD.COM/463/
  • 67. ORGANIZATIONS THINK MONEY EQUAL SECURITY. JUST BECAUSE AN ORGANIZATION BUYS A LOT OF PRODUCTS DOES NOT MEAN THEY WILL BE SECURE.
  • 68. MOST ORGANIZATIONS DO NOT UNDERSTAND HOW THE OFFENSE OPERATES AND IN MANY CASES ARE NOT FIXING THE RIGHT PROBLEMS
  • 70. UNDERSTAND RISK; DISCOVER; CONTROL; IMPLEMENT THE CIA (CONFIDENTIALITY, INTEGRITY, AVAILABILITY) CONCEPT; CLASSIFY; ENCRYPTION. PROTECT YOUR CRITICAL DATA
  • 71. PREVENTION IS IDEAL BUT DETECTION IS A MUST; INBOUND PREVENTION AND OUTBOUND DETECTION; PROACTIVE (INSTEAD OF REACTIVE) SECURITY; OFFENSE MUST GUIDE THE DEFENSE. PREVENT AND DETECT
  • 72. ATTACKERS WERE DISCOVERED DURING A ROUTINE AUDIT PREVENTION IS IDEAL BUT DETECTION IS A MUST HTTPS://TWITTER.COM/X0RZ/STATUS/854706307395461121
  • 73. INCIDENT RESPONSE IS A NECESSITY, SINCE NOT ALL ATTACKS CAN BE STOPPED. ONCE THE INCIDENT HAS BEEN DETERMINED AND FIXED, THE NEXT PHASE IS TO RECOVER/REBUILD THE SYSTEMS AND DATA AND PUT THE SYSTEMS BACK INTO PRODUCTION. RESPOND AND RECOVER
  • 75. THE LANDSCAPE HAS CHANGED: CLOUD COMPUTING AND MOBILE INFRASTRUCTURE
  • 76. REFERENCE: 1. “COMMON MISCONCEPTIONS IT ADMINS HAVE ON TARGETED ATTACKS“ - HTTP://BLOG.TRENDMICRO.COM/TRENDLABS-SECURITY-INTELLIGENCE/COMMON-MISCONCEPTIONS-IT-ADMINS-HAVE-ON-TARGETED-ATTACKS/ 2. SYNGRESS - “ADVANCED PERSISTENT THREAT: UNDERSTANDING THE DANGER AND HOW TO PROTECT YOUR ORGANIZATION” - DR. ERIC COLE 3. “THE MOST FAMOUS ADVANCED PERSISTENT THREATS IN HISTORY” - HTTP://WWW.ITBUSINESSEDGE.COM/SLIDESHOWS/THE-MOST-FAMOUS-ADVANCED-PERSISTENT-THREATS-IN-HISTORY.HTML - ACCESSED APRIL 23, 2017 4. “WIKIPEDIA” - HTTP://WIKIPEDIA.ORG 5. “LIFECYCLE OF AN ADVANCED PERSISTENT THREAT” - HTTP://WWW.REDTEAMUSA.COM/PDF/LIFECYCLE%20OF%20AN%20ADVANCED%20PERSISTENT%20THREAT.PDF 6. MOST OF THE IMAGES - SEARCH VIA HTTP://IMAGES.GOOGLE.COM
  • 77. ADVANCED PERSISTENT THREAT A.P.T BALI, 27 APRIL 2017 AHMAD MUAMMAR WK, OSCP, OSCE, EMAPT
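Slide 55 describes the "outbound connection initiated" stage, where the implant calls home to signal that it is ready for commands, and slide 71 turns that into the defensive principle "inbound prevention and outbound detection". The following is an added example, not code from the deck or from its author, of what outbound detection can look like in practice: it reads proxy-style log lines and flags client/destination pairs whose connections recur on a near-fixed interval, the timer-driven regularity that a check-in shows and human browsing does not. The log format (`<timestamp> <client IP> <destination host>`), the sample lines and every host name in them are constructed for the example; the thresholds `min_connections` and `max_cv` are assumptions to be tuned against real traffic.

```python
"""Outbound beacon detection over constructed proxy log lines (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample (not real traffic): "<ISO timestamp> <client IP> <destination host>".
# Host names are placeholders. 10.0.0.5 checks in with a near-fixed 300 s period,
# 10.0.0.7 browses irregularly, 10.0.0.9 has too few connections to judge.
# Lines are deliberately not in time order and one line is malformed.
SAMPLE_LOG = """\
2017-04-27T09:00:00 10.0.0.5 c2-placeholder.test
2017-04-27T09:00:01 10.0.0.7 cdn.example-news.test
2017-04-27T09:00:45 10.0.0.7 cdn.example-news.test
2017-04-27T09:03:10 10.0.0.7 cdn.example-news.test
2017-04-27T09:05:02 10.0.0.5 c2-placeholder.test
this line is malformed and must be skipped
2017-04-27T09:09:59 10.0.0.5 c2-placeholder.test
2017-04-27T09:11:30 10.0.0.7 cdn.example-news.test
2017-04-27T09:12:02 10.0.0.7 cdn.example-news.test
2017-04-27T09:19:58 10.0.0.5 c2-placeholder.test
2017-04-27T09:15:01 10.0.0.5 c2-placeholder.test
2017-04-27T09:25:00 10.0.0.5 c2-placeholder.test
2017-04-27T09:30:00 10.0.0.9 mail.example-corp.test
2017-04-27T09:30:05 10.0.0.9 mail.example-corp.test
"""


def parse_log(text):
    """Return (timestamp, client, dest) tuples; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        records.append((ts, parts[1], parts[2]))
    return records


def find_beacons(records, min_connections=4, max_cv=0.1):
    """Flag (client, dest) pairs whose inter-connection intervals are nearly constant.

    The coefficient of variation (stdev / mean of the intervals) is close to 0 for a
    timer-driven check-in and large for human-driven browsing. Both thresholds are
    assumed starting values; real deployments tune them per network.
    """
    by_pair = defaultdict(list)
    for ts, client, dest in records:
        by_pair[(client, dest)].append(ts)

    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # not enough samples to call a pattern periodic
        stamps.sort()  # log order is not guaranteed to be time order
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue  # every hit in the same second: a burst, not a periodic beacon
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            flagged[pair] = {"count": len(stamps), "mean_interval": avg, "cv": cv}
    return flagged


if __name__ == "__main__":
    for (client, dest), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {dest}: {info['count']} hits, "
              f"every ~{info['mean_interval']:.0f}s (cv={info['cv']:.3f})")
```

Low interval variance is one signal, not a verdict: legitimate software updaters also poll on timers, so a hit from this check is a lead for the analyst to enrich with destination reputation, process context on the client and the data volume per connection, which is the "detection is a must" posture slide 71 argues for rather than a replacement for inbound prevention.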