1 Advanced Persistent Threat: What APT Means To Your Enterprise
2 APT – What is it?
  A human being or organization who operates a campaign of intellectual property theft using cyber-methods
  Malware, malware, malware
  Basically the same old problem, but it’s getting far worse and far more important than ever before
3 Wake Up
  Google cyber attacks a 'wake-up' call – Director of National Intelligence Dennis Blair
4 Anatomy of APT Malware (diagram)
  Survive reboot
  Command and Control server
  C&C protocol
  File search
  Process injection
  Update
  Keylogger
  USB stick
5 IP is Leaving The Network Right Now
  Everybody in this room who manages an Enterprise with more than 10,000 nodes: YOU ARE ALREADY OWNED
  They are STEALING right now, as you sit in that chair.
6 The Coming Age
  Advanced nations are under constant cyber attack. This is not a future threat, this is now. This has been going on for YEARS.
  Cyber cartels are rapidly going to surpass drug cartels in their impact on global security
    The scope of finance will surpass drug cartels
    The extent of the operation internationally
7 Economy
  Russian mafia made more money in online banking fraud last year than the drug cartels made selling cocaine
  An entire industry has cropped up to support the theft of digital information, with players in all aspects of the marketplace
8 Espionage
9 MI5 says the Chinese government “represents one of the most significant espionage threats”
10 Why Enterprise Security Products DON’T WORK
11 The True Threat
  Malware is a human issue
  Bad guys are targeting your digital information, intellectual property, and personal identity
  Malware is only a vehicle for intent
    Theft of intellectual property
    Business intelligence for competitive advantage
    Identity theft for online fraud
12 The Scale
  Over 100,000 malware samples are automatically generated and released daily.
  Signature-based solutions are tightly coupled to individual malware samples, thus cannot scale.
13 Surfaces
  The attacks today are just as effective as they were in 1999
  The bad guys STILL HAVE their zero day, STILL HAVE their vectors, and STILL HAVE their malware
14 Not an antivirus problem
  Malware isn’t released until it bypasses all the AV products
    Testing against AV is part of the QA process
  AV doesn’t address the actual threat – the human who is targeting you
  AV has been shown to be nearly useless in stopping the threat
  AV has been diminished to a regulatory checkbox – it’s not even managed by the security organization, it’s an IT problem
15 Annealing (diagram: value horizon; hardness of Windows remote RPC vs. use of Windows remote RPC overflows)
16 Cycling (diagram: value horizon; Windows remote RPC, GDI image bugs, Flash overflows, IIS server overflows)
17 Continuous area of attack (diagram: value horizon; Windows remote RPC, GDI image bugs, Flash overflows, IIS server overflows)
18 Continuous area of attack (diagram: dominant attack surface areas over time; GDI image bugs, Flash overflows, IIS server overflows, Windows remote RPC)
19 Technology Lifecycle (diagram: value horizon vs. area of attack)
20 FASTER (diagram: technology lifecycle, continuous area of attack)
  By the time all the surfaces in a given technology are hardened, the technology is obsolete
  We secured Java, but now we have Flash
  We secure the web, but now we have Second Life
21 The Global Malware Economy
22 A Global Theatre
  There are thousands of actors involved in the theft of information, from technology developers to money launderers
  Over the last decade, an underground economy has grown to support espionage and fraud
  This “malware ecosystem” supports both crimeware and e-espionage
23 The malware economy (diagram of actors and money flows)
  Roles shown: payment system developer, implant vendor, exploit pack vendor, exploit developer, rootkit developer, rogueware developer, back office developer, wizard, bot vendor, drop man, account buyer, affiliate, botmaster, ID thief, endpoint exploiters, PPI, forger, cashier / mule, bank broker, victims
  Figures shown: $500+; $1,000+; $10,000+ for 0-day (exploit developer); $10,000+ for 0-day (rootkit developer); $1000+; eGold; ~4% of bank customers; $ per 1000 infections; keep 50%; keep 10%; $5,000 increments; small transfers; $5.00 per $50; sells accounts in bulk; secondary ATM
  Notes shown: country that doesn’t cooperate with LE; country where account is physically located; a single operator here may recruit 100’s of mules per week
24 Cash is not the only motive
  State sponsored (economic power)
  Stealing of state secrets (intelligence & advantage)
  Stealing of IP (competitive / strategic advantage – longer term)
  Infrastructure & SCADA (wartime strike capable)
  Info on people (not economic), i.e., Chinese dissidents
25 Big Brother Opennet.net
26 Crimeware and the State
  Using crimeware collected from the underground makes it harder to attribute the attack, since it looks like every other criminal attack
  There is no custom code that can be fingerprinted
27 China
  “there are the intelligence-oriented hackers inside the People's Liberation Army”
  “There are hacker conferences, hacker training academies and magazines”
  “loosely defined community of computer devotees working independently, but also selling services to corporations and even the military”
  When asked whether hackers work for the government, or the military, [he] says "yes."
28
29 Crimeware Affiliate Networks
  Grown out of older adware business models
30 Pay-per-install.org
31 Earning4u – Pays per 1,000 infections*
32 PPI Programs *
33 Custom Crimeware Programming Houses
34 APT Operations
35 Anatomy of an APT Operation
  You must understand that an ongoing operation is underway – this involves one or more primary actors, and potentially many secondary actors
36 Example Operation
  Bad Guy is using (SE) whalephishing to gain a foothold into a specific physical network
  Bad Guy is using SE to track dissidents
  TODO add example of outlook guid attack
37 Malware Distribution System
  Large scale systems to deploy malware
    Browser component attacks
    Precise spearphishing attacks
      Contain boobytrapped documents
    Backdoored physical media
      USB, camera, CDs left in parking lot, ‘gifts’
38 Boobytrapped Documents
  This is the current trend
  Single most effective focused attack today
  Human crafts text
39 Social Networking Space
  Web based attack
  Injected JavaScript
  Used heavily for large scale infections
  Social network targeting is possible
40 A three step infection (diagram)
  Injected JavaScript → Exploit server redirect → Browser exploit → Payload server → Dropper
41 Payload Server
  A machine that has the actual malware dropper ready for download. The exploit server will redirect the victim to download a binary from this location
42 Command and Control
  Once installed, the malware phones home…
  Fields recorded per check-in (table on slide): timestamp, source computer, username, victim IP, admin?, OS version, HD serial number
43 Command and Control Server
  The C&C system may vary
    Custom protocol (Aurora-like)
    Plain old URLs
    IRC (not so common anymore)
    Stealth / embedded in legitimate traffic
  Machine identification
  Stored infections in a back end SQL database
44 Implants
  The ‘persistent’ backdoor program
  Hide in plain sight strategy
  General purpose hacking tool
  Stealth capabilities
  In-field update capabilities
45 Steal Credentials
  Outlook password
  Generic stored passwords
46 Steal Files
  All the file types that are exfiltrated
47 Staging Server
  A place to store all the stolen goods before they get ‘exfiltrated’
  Data is moved off the network in a variety of ways – ‘Hacking Exposed’ level behavior
48 Drop Site
  Sometimes the stolen data is moved to a tertiary system, not the same as the C&C
49 Drop-point is in Reston, VA in the AOL netblock
50 Malware Threat Attribution
51 Threat Intelligence
  Who is targeting you?
  What are they after?
  Have they succeeded?
  How long have they been succeeding?
  What have I lost so far?
  What can I do to counter their methods?
  Are there legal actions I can take?
52 Threat Intelligence (II)
  Requires that you combine many small facts into a big picture
  More information means better analysis
  I refer to specific attackers as “threats” – information regarding a specific attack is called “threat intelligence”
53 Threat Intelligence within Enterprise
  Locations where threat intel can be gathered
    Endpoint, physical memory snapshot
      Multiple endpoints will be involved, need to view them as a group
    Endpoint, live-state forensics, ongoing monitoring
    Message archives
    Netflow / packet archives
54 Threat Intelligence External to Enterprise
  Locations where intel can be gathered
    Dropsite where IP is being dropped
    Command and Control server
      Designed to survive takedowns
      Hot staged failovers likely
    Exploit pack server
    Large traffic gateways
      Possible subscriptions to various intel feeds available
      Cooperation likely
55 Attribution Challenges
  Lack of gov. intervention
    No consequences
    Russia is a crime state
    China turns a blind eye
56 Attribution Challenges
  Lack of global LE cooperation
    No sharing of data
  ICANN and registrars slow to respond to takedown requests
  A lot of good data is classified and not available for commercial consumption
57 Primary – what is the target?
  What is being targeted
    IP, identity, logins to Google?
    File searches for source code? XLS documents?
  Who
    C-level execs? Developers? Falun Gong?
58 Primary – Who is running the op?
  Country of origin
    Is the bot designed for use by a certain nationality?
  Geolocation of IP is NOT a strong indicator
    However, there are notable examples
    Is the IP in a network that is very unlikely to have a third-party proxy installed? For example, it lies within a government installation
  (Map on slide: C&C map from Shadowserver, C&C for a 24 hour period)
59 C&C servers
  C&C servers are not usually designed to proxy route through infected end-nodes
    The IP geolocation is more useful in this case
    Netblock lookups are a decent starting point
  If the C&C leads to a broadband consumer network in the US, this is more likely to be an exploited machine that performs proxy routing – IP geolocation is not useful
    It may be possible to get LE or the broadband provider to help ‘trace back’ in this case (multihop will become a problem)
60 Forensic Marks left by Actors
  Forensic marks occur at all points where software development occurs
  They also occur in less obvious places
    All points where binary is translated into new forms (parsed, packed, packaged, etc.)
  These forensic marks may identify the original developer of the software
  Obviously, only certain actors leave marks
61 Fingerprinting Actors within the Theatre
62 Digital Fingerprints
  Several actors in the underground economy will leave digital fingerprints
  What is represented digitally
    Distribution system
    Exploitation capability
    Command and Control
    Payload (what does it do once it’s in)
63 Same malware compiled in three different ways (diagram: disk file → OS loader → in-memory image)
  MD5 checksums all different
  Code idioms remain consistent
64 In-memory analysis tends to defeat packers (diagram: starting malware → packed malware with packer #1 / packer #2 → OS loader → decrypted original in memory)
  Unpacked portions remain consistent
65 Toolkits and developer signatures can be detected (diagram: malware toolkit → different malware authors using the same toolkit → packed on disk → OS loader → toolkit marks detected in the in-memory image)
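A small illustration of the three slides above (MD5 differs per packing, code idioms and toolkit marks survive in the in-memory image), added here and not part of the deck: the images are constructed byte strings and the packer is a stand-in XOR layer so it runs offline.

```python
"""Compare malware images by shared code idioms rather than whole-file hash."""
import hashlib

# Constructed stand-in for a malware core: the same code in every variant,
# plus a string a shared toolkit might leave behind (assumed, not a real mark).
CORE = bytes.fromhex("558bec83ec108b450c50e8") * 6 + b"ToolkitMark-v1.4"

def pack(image, key):
    """Stand-in packer: XOR with a one-byte key (real packers are far more involved)."""
    return bytes(b ^ key for b in image)

def ngrams(image, n=4):
    """Byte n-grams stand in for code idioms (a real analysis would use opcodes)."""
    return {image[i:i + n] for i in range(len(image) - n + 1)}

def similarity(img1, img2):
    """Jaccard overlap of the two images' idiom sets, 0.0 .. 1.0."""
    a, b = ngrams(img1), ngrams(img2)
    return len(a & b) / len(a | b)

# Three disk files: same core, two different packers, one unpacked build with
# different padding -> three different MD5 checksums.
DISK = {
    "packer1": pack(CORE, 0x5A),
    "packer2": pack(CORE, 0xC3),
    "plain":   b"\x90" * 8 + CORE + b"\xcc" * 8,
}

def in_memory(name):
    """Model the OS loader plus unpacking stub: the image as it looks once running."""
    key = {"packer1": 0x5A, "packer2": 0xC3}.get(name)
    return pack(DISK[name], key) if key is not None else DISK[name]

def md5s():
    return {name: hashlib.md5(img).hexdigest() for name, img in DISK.items()}

def has_toolkit_mark(image, mark=b"ToolkitMark"):
    return mark in image

if __name__ == "__main__":
    print(md5s())
    print("disk  packer1 vs packer2:", similarity(DISK["packer1"], DISK["packer2"]))
    print("memory packer1 vs packer2:", similarity(in_memory("packer1"), in_memory("packer2")))
    print("memory packer1 vs plain:  ", similarity(in_memory("packer1"), in_memory("plain")))
```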
66 Language
  Native language of the software, expected keyboard layout, etc. – intended for use by a specific nationality
  Be aware some technologies have multiple language support
67 Actor: Endpoint Exploiter ($ per 1000 infections)
  The exploiter of the end nodes; sets up the XSS or JavaScript injections to force redirects
  Newcomers can learn various attack methods from their PPI affiliate site (mini-training)
  These are generally recruited hackers from forums (social space)
  The malware will have an affiliate ID, e.g. “somesite.com/something?aflid=23857” – look for potential IDs; this IDs the individual endpoint exploiter
68 Link Analysis (diagram): URL artifact → unique affiliate IDs → codenamed botmaster; C&C fingerprint; endpoints
69 Actor: Bot Master
  Owns the box that accepts inbound infection requests, pays out by ID
    Pays for numbers of collected credentials
    Collects stolen identities and resells
  Accounting system for all successful infections
    Pay-per-infection business model
    This implies a social space
  Configuration settings on the server will be reflected in client infections (additional resolution to differentiate multiple actors using the same bot technology)
  Version of bot system offers more resolution, and a potential indicator of when it was stood up
  The Bot Master will have a preference for a particular bot control system – can be softlinked to this actor
70 Actor: Account Buyer
  Buy stolen creds from the collectors
  Use stolen credentials to move money out of victim bank accounts
  These guys touch the victim accounts
    Source IP of transaction, use of TOR / HackTOR, use of botnet to redirect, etc.
    This part is audited in your network logs, so …
  Multiple attacks by the same person are likely to be cross-referenced
  Not a very strong fingerprint
71 Actor: Mules & Cashiers
  Accept stolen money into accounts in the native country of the subverted bank and redirect that money back out into foreign accounts
  These transactions must stay below trigger levels
    $5,000 or less
  These actors do not leave forensic marks on the malware chain
    Banking records only
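Since mules leave only banking records, the detection lives in transaction data: the pattern the slide describes is several inbound transfers kept under the $5,000 trigger level followed by outbound foreign transfers. Added example, not from the deck; the record format, the one-week window, the "near trigger" fraction and the sample transactions are all constructed.

```python
"""Flag accounts whose transactions match mule-style structuring."""
from collections import defaultdict
from datetime import datetime, timedelta

TRIGGER_LEVEL = 5000.00   # reporting threshold named on the slide
NEAR_FRACTION = 0.80      # assumed: "just under" means within 20% below the trigger
WINDOW = timedelta(days=7)  # assumed observation window
MIN_INBOUND = 3           # assumed: at least three sub-trigger deposits in the window

def parse_records(lines):
    """Parse constructed 'date,account,direction,amount,counterparty_country' lines."""
    recs = []
    for line in lines:
        date, acct, direction, amount, country = line.split(",")
        recs.append((datetime.strptime(date, "%Y-%m-%d"), acct, direction, float(amount), country))
    return sorted(recs)

def flag_mule_accounts(lines, home_country="US"):
    """Return the set of accounts showing sub-trigger inbound bursts then foreign outbound."""
    by_acct = defaultdict(list)
    for rec in parse_records(lines):
        by_acct[rec[1]].append(rec)
    flagged = set()
    for acct, recs in by_acct.items():
        inbound = [r for r in recs if r[2] == "IN"
                   and NEAR_FRACTION * TRIGGER_LEVEL <= r[3] < TRIGGER_LEVEL]
        foreign_out = [r for r in recs if r[2] == "OUT" and r[4] != home_country]
        for start in inbound:                      # slide each window over the deposits
            end = start[0] + WINDOW
            window_in = [r for r in inbound if start[0] <= r[0] <= end]
            window_out = [r for r in foreign_out if start[0] <= r[0] <= end]
            if len(window_in) >= MIN_INBOUND and window_out:
                flagged.add(acct)
                break
    return flagged

# Constructed sample: account A receives four sub-trigger transfers then wires
# the total abroad; account B shows ordinary activity.
SAMPLE = [
    "2010-03-01,A,IN,4900.00,US",
    "2010-03-02,A,IN,4850.00,US",
    "2010-03-02,A,IN,4975.00,US",
    "2010-03-03,A,IN,4500.00,US",
    "2010-03-04,A,OUT,18900.00,UA",
    "2010-03-01,B,IN,2500.00,US",
    "2010-03-15,B,OUT,300.00,US",
]

if __name__ == "__main__":
    print(sorted(flag_mule_accounts(SAMPLE)))
```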
72 Actor: Wizards
  Move E-Gold into ATM accounts that can be withdrawn in the master’s home country
  Will take a percentage of the money for himself
  This actor does not leave a forensic mark on the malware chain
    Banking records typically don’t even work here, as the transaction has already been processed through e-Gold
73 Actor: Developers
  Sell bot systems for four figures
    $4,000 - $8,000 with complete C&C and SQL backend
  Sell advanced rootkits for low five figures
    Possibly integrated into a bot system
    Possibly used as a custom extension to a bot, integrated by a botmaster; $10,000 or more easily for this
  All of this development is strongly fingerprinted in the malware chain
74 The developer != operator
  The developer may not have any relation to those who operate the malware
  The operation is what’s important
  We need to form a complete picture of the ‘operation’ – who is running the operation that targets you and what their intent is
75 Link Analysis (diagram): we want to find a connection here – C&C fingerprint → botmaster; URL artifact / affiliate ID → endpoints; protocol fingerprint → developer; developer C&C products
76 Softlinking into the Social Space
  Where is it sold, does that location have a social space?
  If it has a social space, then this can be targeted
    Forum, IRC, instant messaging
  Using link-analysis, a softlink can be created between the developer of a malware product and anyone else in the social space
    Slightly harder link if the two have communicated directly
    If someone asks for tech support, it indicates they have purchased
    If someone queries price, etc., then possibly they have purchased
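The URL artifact from slide 67 and the link-analysis diagrams (slides 68 and 75) in working form: parse proxy-log requests, pull the affiliate ID out of redirect URLs, and group the internal endpoints and redirector hosts that share one ID. Added example, not part of the deck; the log lines are constructed, "aflid" is the parameter name from the slide's sample URL, and the other parameter names are assumed.

```python
"""Build an affiliate-ID link graph from proxy-log request lines."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# 'aflid' comes from the slide's sample URL; the rest are assumed alternatives.
AFFILIATE_KEYS = ("aflid", "affid", "aff", "affiliate")
# Constructed log format: "<timestamp> <client ip> GET <url>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) GET (?P<url>\S+)$")

def affiliate_id(url):
    """Return (redirector host, affiliate id) if the URL carries an affiliate parameter."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    for key in AFFILIATE_KEYS:
        if key in query:
            return parts.hostname, query[key][0]
    return None

def link_graph(lines):
    """Map affiliate id -> the redirector hosts seen and the endpoints that hit them."""
    graph = defaultdict(lambda: {"hosts": set(), "endpoints": set()})
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                 # not a request line in the expected format
        hit = affiliate_id(m["url"])
        if hit is None:
            continue                 # ordinary browsing, no affiliate marker
        host, aid = hit
        graph[aid]["hosts"].add(host)
        graph[aid]["endpoints"].add(m["src"])
    return dict(graph)

# Constructed proxy log: two endpoints redirected under the same affiliate ID via
# two different redirector hosts, one endpoint under another ID, one benign request.
SAMPLE_LOG = """\
2010-03-01T09:12:03 10.1.4.22 GET http://somesite.com/something?aflid=23857
2010-03-01T09:14:41 10.1.7.9 GET http://redirector.example/in.php?aflid=23857&s=1
2010-03-01T09:20:10 10.1.9.3 GET http://somesite.com/something?aflid=10442
2010-03-01T09:21:00 10.1.4.22 GET http://intranet.example/index.html
""".splitlines()

if __name__ == "__main__":
    for aid, links in sorted(link_graph(SAMPLE_LOG).items()):
        print(aid, sorted(links["hosts"]), sorted(links["endpoints"]))
```

Endpoints sharing an affiliate ID were most likely seeded by the same endpoint exploiter, which is the soft link the diagrams draw from URL artifact to actor.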
77 Link Analysis (diagram): software author ↔ social space
78 Working back the timeline
  Who sells it, when did that capability first emerge?
  Requires ongoing monitoring of all open-source intelligence, presence within underground marketplaces
  Requires budget for acquisition of emerging malware products
79 Link Analysis (diagram): software author ↔ social space, i.e., technical support query made AFTER version 1.4 release – use of timeline to differentiate links
80 Actor: Vuln Researchers
  Paid well into the five figures for a good, reliable exploit
    $20,000 or more for a dependable IE exploit on latest version
  Injection vector & activation point can be fingerprinted
    Method for heap grooming, etc.
    Delivery vehicle
81 Fingerprinting Malware Distribution Systems
82 Malware Distribution Systems (diagram): instant message and exploited web → boobytrapped documents, rogueware & trojan downloads, clientside exploits, injected JavaScript → Command and Control server
83 Freed Memory (endpoint)
  Freed memory will still contain evidence
    Blocks of obfuscated JavaScript that can be tied to specific exploit packs (redirectors)
    Leftover HTML remnants of subverted websites
    URL paths to the exploit server itself
  These are key to identification
  TODO: put a few examples here
84 Spearphishes
  Email archives may contain boobytrapped documents
  These can be detonated with a deep tracer attached (packet sniffer at a minimum, REcon if you’re really hard core, CW Sandbox & Norman also options)
85 Detonate & Trace
  Getting the exploit to detonate allows you to observe the secondary download step
  Malware payload will be sent to you, command and control IP will be established, communication with exploit server and C&C can be sniffed
86 Trap Postings
  SQL injection (dynamic content) – asprox worm
  Reflected XSS ( … ) – xssed.com
  Plain XSS: comments not stripped (javascript)
    Renders in HTML, pops in admin creds (persistent XSS)
    Logs in HTML format
87 Trap Postings I www.somesite.com/somepage.php