Advanced Targeted Malware
or Advanced Persistent Threat without the marketing BS

APT in this presentation
• The original meaning, when the US Navy coined the phrase
• Before it started being used by every IT security vendor, antimalware vendor, and everyone with “Cyber” in their marketing portfolio

Agenda
• What APT is – its background/history
• Detection and elimination
• The people and what they attack
• The on-going fight
• Reminder checklist
• Some difficult truths
• Questions

APT
• Targeted malware with the intent to
  – Enter your estate
  – Stay in your estate
  – Obtain your data
    • Commercial advantage
    • Technology leapfrog
    • etc.

APT is a new threat
• Wrong – very wrong
• Instances of well-developed attacks and associated malware seen since before 2006
• Some folks working on these issues since perhaps as early as 2002
• Candidly, if you haven’t seen this stuff you probably are not looking properly.

APT family
• It isn't
  – A single attack type
  – A single type of malware
  – A single attack group

APT Family
• It is
  – A range of attack types
    • Spearphishing
    • Generic social-engineered attacks
    • Very well targeted social engineering attacks
    • Targeted drive-by attacks
  – A range of malware types
    • Relatively simple through to
    • Quite sophisticated
    • Perhaps 7 to 9 different levels of complexity
    • Generally use the simplest malware needed

APT Activity
• Gain a foothold that can obtain command and control instructions
  – Via some quite interesting approaches
    • “interactive” sessions
    • instructions by hidden means, e.g. jpeg images
  – Usually (always?) via other parties
    • Other compromised companies/web-sites
    • University systems
    • “mom & pop shops”
    • Compromised systems unlikely to initiate a web connection to …
• Knowledge of these “other parties” can often lead to the discovery of new victims … more on that later

What a rush!
• There is no rush
  – From the attackers’ point of view
  – Marathon, not sprint
• Sleeper malware
  – Long-period beaconing
  – Check in only every few months
  – A bit more on this later…

Elimination
• How do you get rid of it after you first detect it?
  – Or after you have had a tip-off that you might have a problem
  – You may get a tip-off from…

Whack-a-Mole?
• Very dynamic – lots of IT folks doing stuff
• But dangerous and not very effective
  – Attackers will notice
  – They will change attack approach
  – They will remain in your estate

Structured approach
• Much less fun, much harder work, much more effective
  – Detect/locate
  – Prepare/Understand
  – Disconnect
  – Eliminate
  – Protect
  – Future processes
  – Re-connect
  – The new normal
• You will probably need help with some of this

Who you gonna call?
• Competent
• Capable
• Trusted

Detection
• Log file analysis
  – DNS, DHCP, VPN, firewall, IDS/IPS, proxy, AV
• Network analysis
  – Packet capture and analysis, network sensors
• Host capability
  – Process maps, memory maps, file structures, registry contents, file contents
• One third / one third / one third (log / network / host)

Prepare/Understand
• Do you know your estate?
  – Network connections
  – Password policies
  – Password and application interactions
• Understand how the malware works
  – Command and control
  – How it persists
  – How it moves / how it is moved

Structured approach
• Detect/locate
• Prepare/Understand
• Disconnect
• Eliminate
• Protect
• Future processes
• Re-connect
• New normal

New Normal
• They will re-attack
• They will get in
• Your processes have to:
  – Detect
  – Investigate
  – Eliminate
  – Adapt

The Human Element
• Groups
  – Developers
  – Doers
  – Follow-up
• Below the radar
  – Working patterns
  – Comms patterns
• Multiple groups?
  – Probably
  – May not always be aware of each other

They are only human
• Oops!
  – Human script followers
    • Identified keyboard drivers
    • Typos
    • Mistakes
    • Repeat commands
    • May not be sure of where they are
  – Sometimes careless/sloppy
    • Compressed archives not fully deleted

The Attack Surface
• Microsoft / Adobe / Java
  – Because they are the most popular platforms. “I rob banks ’cause that’s where the money is”
• Patching and the role it can play…

The products that fix the problem
• Unfortunately none
• Needs a structured approach to robust monitoring and a number of products to help manage the risk
• An approach based on
  – People – at all levels of the organisation
  – Process
  – Technology
  In that order of priority

The approach that handles the problem
• This is about our approach, but others have similar.
• SOC – multi-geography, 24*365
• Evolution of tools
  – Externally sourced
  – Internally sourced
• Evolution of people skills
  – Better understanding of the subject
  – Better analysis skills

Tools
• Log consolidation and analysis
  – DHCP, DNS, proxy, firewall, IDS, VPN etc.
• Network traffic monitoring and analysis
• Host data capture
  – To aid in incident identification
  – To aid in incident investigation

Tool Effectiveness
• Initially – 34% / 33% / 33% (log/network/host)
• Now – 65% / 30% / 5% (log/network/host)
• Future? – 45%? / 50%? / 5%? (log/network/host)
• The approach takes time

Summary
• Bad folks are doing bad stuff very well
• They see it as huge commercial benefit
• We need to get better at detecting/eliminating/protecting
• It can be done but must be done in a structured and on-going fashion to be effective
• It is an evolving threat so there are no “fit and forget” solutions

Remember, you may have to…
• Detect/locate
• Prepare/Understand
• Disconnect
• Eliminate
• Protect
• Future processes
• Re-connect
• New normal

Difficult Truths
• Safe harbours will continue to exist
• Traditional prevention and detection has failed
• Governments cannot prevent intrusions
• Data loss is inevitable
• Attacks will continue
• Companies often breached for years

Additional Reading
• http://www.rsa.com/innovation/docs/sbic_rpt_0711.pdf
  – Write-up from RSA on the threat and what can be done to help reduce the risk and the impact.

Any Questions?
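Added example, not part of the presentation: the Detection and Tools slides put consolidated log analysis first, and the sleeper-malware slide notes check-ins only every few months. The script below illustrates that point by running a long-period beaconing check over constructed proxy log lines; the log format, hosts, addresses and thresholds are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log, "<ISO timestamp> <client IP> <destination host>".
# One client checks in with the same host about every 60 days; the rest is browsing.
SAMPLE_PROXY_LOG = """\
2011-01-03T09:12:04 10.1.4.22 updates.example-vendor.test
2011-01-03T09:40:11 10.1.4.22 news.example.test
2011-01-17T14:02:55 10.1.4.22 news.example.test
2011-02-09T11:21:40 10.1.9.7 mail.example.test
2011-03-04T09:12:09 10.1.4.22 updates.example-vendor.test
2011-03-22T16:48:30 10.1.9.7 mail.example.test
2011-04-11T10:05:02 10.1.4.22 news.example.test
2011-05-03T09:11:58 10.1.4.22 updates.example-vendor.test
2011-06-20T08:30:17 10.1.9.7 mail.example.test
2011-07-02T09:12:15 10.1.4.22 updates.example-vendor.test
"""


def parse_proxy_log(text):
    """Yield (timestamp, client, destination); skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]


def find_long_period_beacons(text, min_hits=4, min_period_days=14.0, max_cv=0.2):
    """Return (client, destination, mean_gap_days, hits) for client/destination
    pairs contacted rarely (>= min_period_days apart) but regularly (low spread).
    Rarity separates sleeper check-ins from browsing; regularity separates them
    from occasional legitimate visits. Thresholds are assumed starting values."""
    contacts = defaultdict(list)
    for ts, client, dest in parse_proxy_log(text):
        contacts[(client, dest)].append(ts)
    findings = []
    for (client, dest), times in contacts.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() / 86400 for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Coefficient of variation (spread relative to the mean) scores regularity
        # without caring whether the period is days or months.
        if avg >= min_period_days and pstdev(gaps) / avg <= max_cv:
            findings.append((client, dest, round(avg, 1), len(times)))
    return sorted(findings, key=lambda f: -f[2])
```

On real proxy data the same check is worth repeating over DNS and firewall logs, since a sleeper that beacons through a compromised third party may never appear as a proxy request at all.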