
Page 1: APT - EICAR › files › eicar_wg2_2015... · Our motivation for APT detection Traditional solutions have limitations –Targeted attacks are hard to detect –Detection, containment

24.02.2015 © IKARUS Security Software GmbH 1

APT

Page 2:

Agenda

Page 3:

What is APT

Staying inside a network as long as possible without detection to grab tons of information

Something special for everyone and yet another „special“ product

From back then until today
– Since malware is/was born
– Spear phishing / social engineering

Marketing & scaring of businesses
– Stoned Bootkit, Conficker, Stuxnet, Operation Shady RAT…

Page 4:

1st APT?

Page 5:

1st AV solution (1986)

Page 6:

One year present in every AV vendor's virus database without anyone knowing its potential: Stuxnet.

Page 7:

Comparison Industry Computer - PC

Industry Computer                                  | PC
---------------------------------------------------|--------------------------------------------
Priority on stability                              |
Usage > 20 years                                   | 5-6 years lifetime
24/7 uptime                                        | 24/7 uptime not necessary
Updates dangerous/impossible                       | Updates possible
System designed for stability, not security        | System designed for stability AND security
Proprietary systems and protocols                  | Standard protocols
Standalone concept, no network connection planned  | Networking integral part of the system
Little knowledge about the complete system         | Good knowledge about the complete system

Page 8:

Why is APT detection relevant?

Industry espionage through targeted attacks

Little awareness of threats and security practices (APT detection offered as „software as a service“)

No basis for decisions on further actions
– Which hosts have been infected?
– What has happened? Has customer data been affected?

Page 9:

Open Problems: 08/15 (off-the-shelf) AV

Is my network currently compromised?

Has my network been compromised in the past?

Track an attack over time

Provide a good basis for further decisions

External contractors cost a lot of money (forensic analysis)

Page 10:

Our motivation for APT detection

Traditional solutions have limitations
– Targeted attacks are hard to detect
– Detection, containment and cleanup are costly
– Total number of malware samples rising fast
– AV vendors have to generate detections fast enough

Enhance visibility and transparency

Extensive and universal endpoint monitoring in contrast to special-case protection mechanisms

Page 11:

Cyber Kill Chain

1. Reconnaissance
2. Craft an attack
3. Deliver the malware
4. Exploit security holes
5. Install malware
6. Command & Control
7. Perform malicious acts

Page 12:

Cyber Kill Chain for 08/15 AV solution

1. Reconnaissance: (not covered)
2. Craft an attack: (not covered)
3. Deliver: Scan engine, (Spam/URL Filter, FW)
4. Exploit: (not covered)
5. Install: Scan engine
6. Command & Control: (not covered)
7. Perform malicious acts: (not covered)

Page 13:

Behavior-based Solutions

Collect a lot of data
– Network data (Appliance, endpoint)
– Host data

Detection info database
– Cloud service containing detection information (not real-time)
– Local detection information

Detection/prevention:
– Use IOCs to block delivery or execution of malware
– Use data to notify about suspicious behavior

(Live) inspection

Forensic and time-line information

Page 14:

Predictive solutions

Collection
– Collect malware
– Algorithms forecast future malware, generate derivatives
– Collect behavior information

Analysis
– Derivatives and behavior information are used to train detectors

Protect
– Protect endpoints from future versions of malware

Page 15:

IKARUS APT

Host-based solution, not based on network traffic

Collect data

Provide visibility

Machine learning

Detect deviations

Page 16:

Data collection

Process activities
Thread activities
Network connections
Registry access
File access

Page 17:

Anomaly detection

Use collected data to learn the benign behavior of a user

Once normal and abnormal behavior is known, any deviation is considered suspicious

Send a notification once suspicious behavior is detected

Future steps
– Block execution of unwanted programs
– Generate IOCs to actively detect malicious behavior

Example:
– A user always uses certain programs each day
– An executable that has never been executed before is started
– Create a notification about that event
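The per-user baseline from the example above, worked through as added example code (not IKARUS code; the process-start events, user names and paths are constructed for illustration). The learning phase records every executable each user started in the training window; the detection phase raises one notification per executable that is outside a user's baseline, and never lets a flagged executable slip into the baseline.

```python
from collections import defaultdict

# Constructed sample process-start events: (day, user, executable path).
TRAINING = [
    (1, "alice", r"C:\Windows\explorer.exe"),
    (1, "alice", r"C:\Program Files\Office\WINWORD.EXE"),
    (2, "alice", r"C:\Windows\explorer.exe"),
    (2, "alice", r"C:\Program Files\Office\winword.exe"),
]
# Day 3: alice runs her usual programs plus a never-seen executable (twice); carol has no baseline.
MONITORED = [
    (3, "alice", r"C:\Windows\explorer.exe"),
    (3, "alice", r"C:\Program Files\Office\winword.exe"),
    (3, "alice", r"C:\Users\alice\AppData\Local\Temp\update.exe"),
    (3, "alice", r"C:\Users\alice\AppData\Local\Temp\update.exe"),
    (3, "carol", r"C:\Windows\explorer.exe"),
]

class ProcessBaseline:
    """Learn which executables each user normally starts; flag first-seen ones."""

    def __init__(self):
        self.known = defaultdict(set)  # user -> normalised executable paths

    def learn(self, events):
        """Learning phase: everything started in the training window is benign."""
        for _day, user, exe in events:
            self.known[user].add(exe.lower())  # Windows paths are case-insensitive

    def detect(self, events):
        """Detection phase: one notification per (user, executable) outside the baseline.
        Deviations are NOT added to the baseline; 'reported' only suppresses duplicates."""
        alerts, reported = [], set()
        for day, user, exe in events:
            key = (user, exe.lower())
            if key in reported:
                continue
            if user not in self.known:
                reason = "no baseline for user"
            elif key[1] not in self.known[user]:
                reason = "executable never started by this user before"
            else:
                continue
            reported.add(key)
            alerts.append({"day": day, "user": user, "exe": exe, "reason": reason})
        return alerts

def run_example():
    baseline = ProcessBaseline()
    baseline.learn(TRAINING)
    return baseline.detect(MONITORED)
```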

Page 18:

The End!

“I think it’s important to recognize that you can’t have 100 per cent security and also then have 100 per cent privacy and zero inconvenience”
Barack Obama about the NSA, San Jose, California, on June 7, 2013