APTs

Advanced Persistent Threats (APT)
Sasha Browning
Breakdown
• Advanced
– Combination of attack methods and tools
• Persistent
– Continuous monitoring and interaction
– “Low-and-slow” approach
• Threat
– Attacker is skilled, motivated, organized and well funded
What is an APT?
• Definition
– A sophisticated, targeted attack that aims to gain access to computer systems and steal information from them
• Requirement
– Remain undetected for as long as possible
Why are APTs Important?
• Then
– Attacks were carried out "just because"
– Attackers wanted to demonstrate their skills
• Now
– Attacks have evolved
– Specific, carefully chosen targets
– Attackers intend to maintain a long-term presence
Problem with APTs
• Malware files are small
• File names don't raise any red flags
• Almost always succeed
• Undetected until it's too late
• Becoming more frequent
• No one is immune
Targets
• .mil and .gov sites
• Department of Defense contractors
• Infrastructure companies
– power and water
• CEOs or leaders of powerful enterprises or government agencies
Stages of an APT Attack
1. Reconnaissance
2. Intrusion into the network
3. Establishing a backdoor
4. Obtaining user credentials
5. Installing multiple utilities
6. Data exfiltration
7. Maintaining persistence
Step 1: Reconnaissance
• Research and identify targets
– Using public search or other methods
• Obtain email addresses or IM handles
Step 2: Intrusion into the Network
• Spear-phishing emails
– Target specific people
– Spoofed sender addresses
– Include malicious links or attachments
• Infect the employee's machine
• Gives the attacker a foot in the door
Step 3: Establishing a Backdoor
• Try to obtain domain admin credentials
– Grab password hashes from the network's domain controllers
• Crack the hashes offline (hashes cannot be decrypted, only guessed) to gain elevated privileges
• Move laterally within the network
– Install backdoors on multiple systems along the way
– Typically by installing malware
Step 4: Obtaining User Credentials
• Use valid user credentials
• On average, about 40 systems are accessed using these credentials
• Most common type of credentials:
– Domain admin
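Steps 3 and 4 above describe the signal a defender can look for: one set of valid (often domain admin) credentials suddenly authenticating to many systems the account never touched before. The following is an added example, not code from the original slides, that runs that check over a constructed authentication log. The log format (`timestamp account host`), the account names, the host names, and the per-account baseline of "known" hosts are all assumptions made for the example; a real deployment would feed it Windows logon events or a SIEM export.

```python
"""Flag accounts whose credentials are used on many new hosts in a short window.

Added example for the APT slides (not from the original deck). The log lines,
account names, hosts and baselines below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: normal activity for jdoe and svc-backup, then one
# admin account fanning out across the network late at night.
SAMPLE_AUTH_LOG = """\
2024-03-01T13:02:11 jdoe WS-1042
2024-03-01T13:15:40 svc-backup FS-01
2024-03-01T22:01:03 adm-ops WS-0211
2024-03-01T22:02:15 adm-ops WS-0219
2024-03-01T22:03:48 adm-ops FS-02
2024-03-01T22:05:02 adm-ops SQL-01
2024-03-01T22:06:30 adm-ops MAIL-01
2024-03-01T22:08:11 adm-ops WS-0450
2024-03-02T08:30:00 jdoe WS-1042
"""

# Assumed baseline: hosts each account has legitimately used in the past.
KNOWN_HOSTS = {
    "adm-ops": {"DC-01", "WS-0211"},
    "jdoe": {"WS-1042"},
    "svc-backup": {"FS-01"},
}


def parse_auth_log(text):
    """Parse the constructed 'timestamp account host' format into sorted tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host = line.split()
        events.append((datetime.fromisoformat(ts), account, host))
    events.sort()
    return events


def find_credential_spread(events, known_hosts, window=timedelta(hours=1), threshold=4):
    """Return accounts that reached `threshold` or more previously unseen hosts
    within any `window`-long sliding interval.

    For each account the worst window (most new hosts) is reported once.
    """
    by_account = defaultdict(list)
    for ts, account, host in events:
        by_account[account].append((ts, host))

    findings = []
    for account, logons in by_account.items():
        baseline = known_hosts.get(account, set())
        worst = None
        for i, (start, _) in enumerate(logons):
            new_hosts = set()
            for ts, host in logons[i:]:
                if ts - start > window:
                    break
                if host not in baseline:
                    new_hosts.add(host)
            if len(new_hosts) >= threshold and (worst is None or len(new_hosts) > len(worst[1])):
                worst = (start, new_hosts)
        if worst is not None:
            findings.append({
                "account": account,
                "window_start": worst[0],
                "new_hosts": sorted(worst[1]),
            })
    return findings


if __name__ == "__main__":
    for f in find_credential_spread(parse_auth_log(SAMPLE_AUTH_LOG), KNOWN_HOSTS):
        print(f"{f['account']}: {len(f['new_hosts'])} new hosts from "
              f"{f['window_start']} -> {', '.join(f['new_hosts'])}")
```

The baseline matters more than the raw count: a backup service account legitimately touches many hosts every night, so counting distinct hosts alone would page the on-call constantly, whereas hosts the account has never used before are the lateral-movement signal the slides describe.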
Step 5: Installing Multiple Utilities
• Utility programs that perform system administration tasks
– Installing backdoors
– Grabbing passwords
– Collecting emails
• Typically placed on systems that have no backdoor of their own
Step 6: Data Exfiltration
• Grab emails, attachments, and files
• Funnel the stolen data to staging servers
– Encrypt and compress it there
– Delete the compressed archives once they have been sent out
Step 7: Maintaining Persistence
• Use any and all methods
• Revamp malware if needed
Problems with APTs
• Self-destructing malware
– Erases itself if it fails to reach its destination
• Nobody monitors outbound traffic
– Attacker traffic can look legitimate
• Sniffers
– Dynamically generate credentials to mimic legitimate communication
Disguising Activity
• Process injection
– Introduces malicious code into a trusted process
– Conceals the malicious activity behind that process
• Stub malware
– Code with only minimal functionality
– New capabilities are added remotely
– Added code runs in memory rather than being written to disk
Stopping APTs
• Weakness
– The attacker depends on interactive access to the compromised host
• Solution
– Find the command-and-control link between your network and the attacker
– Block it
• Afterwards
– The attacker has to re-infect a new host to regain access
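The slides make two points that fit together: nobody monitors outbound traffic, and the attacker's weak spot is the interactive link back to the compromised host. A "low-and-slow" implant checks in with its controller on a regular schedule, and that regularity is visible in proxy or firewall logs even when each individual request looks legitimate. The following is an added example, not code from the original slides, that finds such beaconing in a constructed proxy log and turns the result into the list of destinations to block. The log format (`timestamp src_ip dst_host bytes_out`), the host names and the thresholds are assumptions made for the example.

```python
"""Find low-and-slow beaconing in outbound proxy logs and list what to block.

Added example for the APT slides (not from the original deck). The log format,
host names and thresholds are assumptions; adapt the parser to your proxy.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one workstation beacons to a single host roughly every
# 10 minutes with small jitter, mixed with ordinary, irregular browsing.
SAMPLE_PROXY_LOG = """\
2024-03-01T09:00:05 10.0.0.12 updates.example-cdn.net 412
2024-03-01T09:02:17 10.0.0.12 www.example.com 5120
2024-03-01T09:10:09 10.0.0.12 updates.example-cdn.net 418
2024-03-01T09:20:02 10.0.0.12 updates.example-cdn.net 409
2024-03-01T09:25:41 10.0.0.12 news.example.org 22000
2024-03-01T09:30:11 10.0.0.12 updates.example-cdn.net 415
2024-03-01T09:40:06 10.0.0.12 updates.example-cdn.net 411
2024-03-01T09:47:30 10.0.0.12 www.example.com 3300
2024-03-01T09:50:03 10.0.0.12 updates.example-cdn.net 420
2024-03-01T10:00:08 10.0.0.12 updates.example-cdn.net 414
2024-03-01T10:31:55 10.0.0.12 news.example.org 18000
2024-03-01T11:05:12 10.0.0.12 www.example.com 4100
"""

MIN_CONNECTIONS = 5   # assumed: too few connections to judge regularity below this
MAX_JITTER = 0.10     # assumed: stdev/mean of the gaps; human browsing is far noisier


def parse_proxy_log(text):
    """Parse the constructed 'timestamp src dst bytes_out' format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def find_beacons(events, min_connections=MIN_CONNECTIONS, max_jitter=MAX_JITTER):
    """Return (src, dst) pairs whose connection gaps are suspiciously regular.

    Regularity is measured as the coefficient of variation of the gaps between
    consecutive connections; a sleep-and-poll implant keeps it close to zero.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in events:
        by_pair[(src, dst)].append((ts, nbytes))

    findings = []
    for (src, dst), conns in by_pair.items():
        if len(conns) < min_connections:
            continue
        conns.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(conns, conns[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue
        jitter = pstdev(gaps) / avg_gap
        if jitter <= max_jitter:
            findings.append({
                "src": src,
                "dst": dst,
                "connections": len(conns),
                "mean_interval_s": avg_gap,
                "jitter": jitter,
                "mean_bytes_out": mean(b for _, b in conns),
            })
    return findings


def block_destinations(findings):
    """The slides' response: cut the link. Hosts a proxy or firewall rule would deny."""
    return sorted({f["dst"] for f in findings})


if __name__ == "__main__":
    found = find_beacons(parse_proxy_log(SAMPLE_PROXY_LOG))
    for f in found:
        print(f"{f['src']} -> {f['dst']}: {f['connections']} connections every "
              f"~{f['mean_interval_s']:.0f}s, jitter {f['jitter']:.3f}, "
              f"~{f['mean_bytes_out']:.0f} bytes each")
    print("block:", block_destinations(found))
```

Blocking the destination is the slides' endpoint, but note the caveat from the same slide: the attacker then re-infects a new host, so the blocked host should also be rebuilt and the beacon signature searched for across the rest of the fleet before the next check-in lands.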
Summary
• Targets are carefully selected
• Persistent
– Will not leave
– Changes strategy/attack
• Control focused
– Not financially driven
– Crucial information
• It's automated, but on a small scale
– Targets a few people
Questions
Sources
• Wired
http://www.wired.com/threatlevel/2010/02/apt-hacks/
• Dark Reading
http://www.securityweek.com/anatomy-advanced-persistent-threat
• Damballa
http://www.damballa.com/knowledge/advanced-persistent-threats.php