Demystifying Advanced Persistent Threats: Reversing the Course of a Perceived Asymmetric Cyber Battle

INFORMATION SYSTEMS & GLOBAL SOLUTIONS

Rick Doten, CISSP, RKC, Chief Scientist, Lockheed Martin Center for Cyber Security Innovation

Upload: jeff-green

Post on 18-Nov-2014


DESCRIPTION

Chief Security Scientist at Lockheed Martin using Plants Vs. Zombies to illustrate his points. Government wants to eat our brains CONFIRMED!

TRANSCRIPT

Page 1

Demystifying Advanced Persistent Threats: Reversing the Course of a Perceived Asymmetric Cyber Battle

Rick Doten, CISSP, RKC
Chief Scientist
Lockheed Martin
Center for Cyber Security Innovation

Page 2

Cyber Security Is like…

Images courtesy PopCap; used with permission

Page 3

Advanced Persistent Threat

We Never Forget Who We’re Working For®

… and neither do the bad guys!

Advanced Characteristics:

• Using unreported exploits (zero day)
• Advanced, custom malware that isn’t detected by antivirus products
• Coordinated intrusions using a variety of vectors
• Intruder will adjust actions based on countermeasures
• Intruder will use the least sophisticated exploits and techniques first and escalate only as required

Persistent Characteristics:

• Intrusions lasting for months or years
• Adversaries install multiple backdoors to ensure continued access to the targets
• Adversaries are patient and dedicated (or assigned) to the target

Threat Characteristics:

• Targeted at specific individuals and groups within an organization
• Social engineering is typically the first step to an intrusion: people manipulating people
• Assume they know which information they are targeting
• Because there is a real person behind the actions, they will respond quickly to countermeasures

Page 4

What APT is Not...

• Botnets, rogue antispyware, DoS and DDoS attacks
• Categorized by the techniques of intrusion, without considering the people or motive
• Typically (mis)defined as:
  • Any intrusion not discovered by current security technology
  • Any intrusion that uses advanced techniques, such as zero day exploits

One reason for confusion:

Many Cyber Criminal teams are adopting (buying or bartering) APT-built techniques because of their effectiveness.

Page 5

APT campaigns are not about being the anomaly, but about blending into the normal:

• An APT campaign will take advantage of trust relationships
• An APT campaign is low and slow, as opposed to broad, aggressive or obvious attempts
• An APT campaign is patient and will take the time needed to achieve its objectives
• An APT campaign will conceal its actions by using legitimate accounts and protocols
• An APT campaign will use a current account and enumerate information with that account’s privileges
• An APT campaign will attempt to create new accounts with administrative privilege

Page 6

So, how is PvZ like APT campaigns?

Images courtesy PopCap; used with permission

Page 7

“To protect our infrastructure, we have to be right every step; the bad guys only have to be right once.”

“To compromise our infrastructure, the bad guys have to be right every step; we only have to be right once.”

Page 8

Cyber Threat Kill Chain

Intrusion

Reconnaissance

Weaponization

Delivery

Exploit

Installation

Command and Control

Act on Objectives

Page 9

1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command & Control
7. Act on Objectives

Cyber Kill Chain Animation

• No matter where you block the sequence in the chain, you stop the attack.

Page 10

Threat-focused Risk Reduction

Risk = Target Value x Vulnerability x Threat

Risk = Target Value x Vulnerability x Threat, where Threat is made up of Capability, Opportunity and Intent

Our Objectives:

• Erode capability

• Increase Cost of Intrusion

• Understand intent

Page 11

Same Technique works on these Guys!

Images courtesy PopCap; used with permission

Page 12

Attack Vector Escalation

Then: Email spoofing | Parking lot entry vector | Fake sites that look real

Now: Man-in-the-Mailbox | Supply chain | Compromised sites with embedded malware

Page 13

Benefits of Framework

• Articulates Prioritization

• Articulates data collection requirements

1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command & Control
7. Act on Objectives

Page 14

Putting them Together

Courses of action (columns): Detect | Degrade | Deny | Disrupt | Deceive

Kill chain phases (rows):

Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command & Control
Act on Objectives

Drives detection and mitigation measures
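The matrix above, and the earlier point that blocking any one phase stops the intrusion, can be turned into a planning check. This is an added example, not code from the deck or from Lockheed Martin; the control inventory is constructed, and treating only Deny and Disrupt as chain-breaking actions is this example's assumption.

```python
# Added example: scoring a Courses of Action matrix against the kill chain.
# Phases in the deck's order; courses of action from the "Putting them Together" slide.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command & Control", "Act on Objectives"]
ACTIONS = ["Detect", "Degrade", "Deny", "Disrupt", "Deceive"]
# Assumption for this example: only Deny and Disrupt stop the intruder at a
# phase. Detect alone yields an alert; Degrade and Deceive slow or mislead
# but do not by themselves break the chain.
BLOCKING = {"Deny", "Disrupt"}

# Constructed (hypothetical) control inventory: (control, phase, course of action).
CONTROLS = [
    ("mail gateway strips executable attachments", "Delivery", "Deny"),
    ("endpoint AV signatures", "Installation", "Detect"),
    ("egress proxy allow-list", "Command & Control", "Deny"),
    ("proxy log alerting", "Command & Control", "Detect"),
    ("honeytoken documents on file shares", "Act on Objectives", "Deceive"),
]

def build_matrix(controls):
    """phase -> action -> [controls]: the slide's grid as a data structure."""
    matrix = {p: {a: [] for a in ACTIONS} for p in PHASES}
    for name, phase, action in controls:
        if phase not in matrix or action not in ACTIONS:
            raise ValueError(f"unknown phase or action: {phase!r}/{action!r}")
        matrix[phase][action].append(name)
    return matrix

def blocking_phases(matrix):
    """Phases where the chain is broken. The first one stops the intrusion;
    every further one is another re-tooling cost imposed on the intruder."""
    return [p for p in PHASES if any(matrix[p][a] for a in BLOCKING)]

def detect_only_phases(matrix):
    """Phases with visibility but no mitigating action: an alert, then nothing."""
    return [p for p in PHASES if matrix[p]["Detect"]
            and not any(matrix[p][a] for a in ACTIONS if a != "Detect")]

def uncovered_phases(matrix):
    """Phases with no course of action at all: data-collection gaps to close."""
    return [p for p in PHASES if not any(matrix[p].values())]

def coverage_report(controls):
    """Summarise the matrix so it can drive prioritisation, as the slide says."""
    m = build_matrix(controls)
    blocks = blocking_phases(m)
    return {"first_block": blocks[0] if blocks else None,
            "blocking_phase_count": len(blocks),
            "detect_only": detect_only_phases(m),
            "uncovered": uncovered_phases(m)}
```

With the constructed inventory the intrusion is first stopped at Delivery, Installation has detection with no mitigation behind it, and the first two phases plus Exploitation have no coverage at all.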

Page 15

Which is not unlike…

Images courtesy PopCap; used with permission

Page 16

Because in the end, you don’t want…

Images courtesy PopCap; used with permission

Page 17

Questions?

Page 18

Thank You!

Rick Doten, CISSP, RKC

Chief Scientist

Lockheed Martin

Center for Cyber Security Innovation

[email protected]