Advanced Targeted Malware
or
Advanced Persistent Threat
without the marketing BS
APT in this presentation
• The original meaning when US Navy coined the phrase
• Before it started being used by every IT Security vendor, antimalware vendor, and everyone with “Cyber” in their marketing portfolio
Agenda
• What APT is – its background/history
• Detection and elimination
• The people and what they attack
• The on-going fight
• Reminder checklist
• Some difficult truths
• Questions.
APT
• Targeted Malware with the intent to
– Enter your estate
– Stay in your estate
– Obtain your data
• Commercial advantage
• Technology leapfrog
• etc
APT is a new threat
• Wrong
– Very wrong
• Instances of well-developed attacks and associated malware seen since before 2006
• Some folks working on these issues since perhaps as early as 2002
• Candidly, if you haven’t seen this stuff you probably are not looking properly.
APT family
• It isn't
– Single attack type
– Single type of malware
– Single attack group
APT Family
• It is
– Range of attack types
• Spearphishing
• Generic social engineered attacks
• Very well targeted social engineering attacks
• Targeted drive-by attacks
– Range of malware types
• Relatively simple through to quite sophisticated
• Perhaps 7 to 9 different levels of complexity
• Generally use the simplest malware needed
APT Activity
• Gain a foothold that can obtain command and control instructions
– Via some quite interesting approaches
• “interactive” sessions
• instructions by hidden means, e.g. JPEG images
• Usually (always?) via other parties
– Other compromised companies/web-sites
– University systems
– “mom & pop shops”
– Compromised systems unlikely to initiate a web
connection to …
• Knowledge of these “other parties” can often lead to the discovery of new victims … more on that later
What a rush!
• There is no rush from the attacker’s point of view
• Marathon not sprint
• Sleeper malware
– Long period beaconing
• Check in only every few months
• A bit more on this later…
Elimination
• How do you get rid of it after you first detect it?
– Or after you have had a tip-off that you might have a problem
– You may get a tip-off from…
Whack-a-Mole?
• Very dynamic – lots of IT folks doing stuff
• But dangerous and not very effective
• Attackers will notice
• They will change attack approach
• They will remain in your estate
Structured approach
• Much less fun, much harder work, much more effective
– Detect/locate
– Prepare/Understand
– Disconnect
– Eliminate
– Protect
– Future processes
– Re-connect
– The new normal
You will probably need help with some of this
Who you gonna call?
• Competent
• Capable
• Trusted
Detection
• Log file analysis
– dns, dhcp, vpn, firewall, ids/ips, proxy, AV
• Network Analysis
– packet capture and analysis, network sensors
• Host Capability
– process maps, memory maps, file structures, registry contents, file contents
• One third/one third/one third (log/network/host)
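Two of the detection ideas above (pivoting on a known compromised “other party” to find further victims, and spotting long-period beaconing in proxy logs) as an added example; this is not code from the presentation, and the log lines, host names and relay domain are constructed for illustration.

```python
# Added example (not from the presentation): pivot proxy logs on a known
# compromised "other party" relay, and flag regular low-frequency beaconing.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO timestamp> <internal host> <destination domain>".
PROXY_LOG = """\
2011-01-03T09:00:00 ws-017 updates.example-vendor.test
2011-01-03T09:05:00 ws-042 relay.smallshop.test
2011-03-04T09:05:00 ws-042 relay.smallshop.test
2011-05-03T09:05:00 ws-042 relay.smallshop.test
2011-07-02T09:05:00 ws-042 relay.smallshop.test
2011-01-03T10:00:00 ws-101 news.example-site.test
2011-02-10T14:22:00 ws-101 relay.smallshop.test
2011-01-04T09:00:00 ws-017 updates.example-vendor.test
""".strip().splitlines()

KNOWN_RELAYS = {"relay.smallshop.test"}  # hypothetical compromised third party


def parse(lines):
    """Return {(host, domain): [datetime, ...]} from the simple log format."""
    contacts = defaultdict(list)
    for line in lines:
        ts, host, domain = line.split()
        contacts[(host, domain)].append(datetime.fromisoformat(ts))
    return contacts


def hosts_contacting(contacts, relays):
    """Pivot: every internal host that has talked to a known compromised relay."""
    return sorted({h for (h, d) in contacts if d in relays})


def beaconing(contacts, min_hits=4, max_jitter=0.10):
    """Flag (host, domain) pairs whose contacts recur at near-constant intervals.

    Sleeper implants that check in every few months produce very few hits, so
    the test is on the regularity of the gaps, not on volume.
    """
    hits = []
    for key, times in contacts.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if gaps and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.append((key, round(mean(gaps) / 86400, 1)))  # mean gap in days
    return hits
```

On the constructed data, ws-101 is found only by the pivot (a single contact, no beacon pattern), while ws-042 is found by both: four contacts exactly 60 days apart.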
Prepare/Understand
• Do you know your estate?
– Network connections
– Password policies
– Password and application interactions
• Understand how the malware works
– Command and control
– How it persists
– How it moves/how it is moved
Structured approach
• Detect/locate
• Prepare/Understand
• Disconnect
• Eliminate
• Protect
• Future processes
• Re-connect
• New normal
New Normal
• They will re-attack
• They will get in
• Your processes have to:
– Detect
– Investigate
– Eliminate
– Adapt
The Human Element
• Groups
– Developers
– Doers
– Follow-up
• Below the radar
– Working patterns
– Comms patterns
• Multiple Groups?
– Probably
– May not always be aware of each other
They are only human
• Oops!
– Human script followers
• Identified keyboard drivers
• Typos
• Mistakes
• Repeat commands
• May not be sure of where they are
• Sometimes careless/sloppy
– Compressed archives not fully deleted
The Attack Surface
• Microsoft / Adobe / Java
– Because they are the most popular platforms.
“I rob banks ‘cause that’s where the money is”
• Patching and the role it can play…
The products that fix the problem
• Unfortunately none
• Needs a structured approach to robust monitoring and a number of products to help manage the risk
• An approach based on
– People – at all levels of the organisation
– Process
– Technology
In that order of priority
The approach that handles the problem
• This is about our approach, but others have similar.
• SOC – multi-geography, 24*365
• Evolution of tools
– Externally sourced
– Internally sourced
• Evolution of people skills
– Better understanding of the subject
– Better analysis skills
Tools
• Log consolidation and analysis
– DHCP, dns, proxy, firewall, ids, vpn etc
• Network traffic monitoring and analysis
• Host data capture
– To aid in incident identification
– To aid in incident investigation
Tool Effectiveness
• Initially
– 34% / 33% / 33% (log/network/host)
• Now
– 65% / 30% / 5% (log/network/host)
• Future?
– 45%? / 50%? / 5%? (log/network/host)
The approach takes time
Summary
• Bad folks are doing bad stuff very well
• They see it as huge commercial benefit
• We need to get better at detecting/eliminating/protecting
• It can be done but must be done in a structured and on-going fashion to be effective
• It is an evolving threat so there are no “fit and forget” solutions
Remember, you may have to….
• Detect/locate
• Prepare/Understand
• Disconnect
• Eliminate
• Protect
• Future processes
• Re-connect
• New normal
Difficult Truths
• Safe harbours will continue to exist
• Traditional prevention and detection has failed
• Governments cannot prevent intrusions
• Data loss is inevitable
• Attacks will continue
• Companies often breached for years
Additional Reading
• http://www.rsa.com/innovation/docs/sbic_rpt_0711.pdf
– Write-up from RSA on the threat and what can be done to help reduce the risk and the impact.
Any Questions?