Advanced Targeted Malware or
Advanced Persistent Threat
without the marketing BS
APT in this presentation
• The original meaning, as when the US Air Force coined the phrase
• Before it started being used by every IT security vendor, anti-malware vendor, and everyone with “Cyber” in their marketing portfolio
Agenda
• What APT is – its background/history
• Detection and elimination
• The people and what they attack
• The on-going fight
• Reminder checklist
• Some difficult truths
• Questions
APT
• Targeted malware with the intent to
– Enter your estate
– Stay in your estate
– Obtain your data
• Commercial advantage
• Technology leapfrog
• etc.
APT is a new threat
• Wrong
– Very wrong
• Instances of well-developed attacks and associated malware have been seen since before 2006
• Some folks have been working on these issues since perhaps as early as 2002
• Candidly, if you haven’t seen this stuff you are probably not looking properly.
APT family
• It isn't
– A single attack type
– A single type of malware
– A single attack group
APT Family
• It is
– A range of attack types
• Spearphishing
• Generic social-engineered attacks
• Very well targeted social-engineering attacks
• Targeted drive-by attacks
– A range of malware types
• From relatively simple through to quite sophisticated
• Perhaps 7 to 9 different levels of complexity
• Attackers generally use the simplest malware that will do the job
APT Activity
• Gain a foothold that can obtain command and control instructions
– Via some quite interesting approaches
• “Interactive” sessions
• Instructions hidden in innocuous content, e.g. JPEG images
• Usually (always?) via other parties
– Other compromised companies/web sites
– University systems
– “Mom & pop shops”
– Compromised systems that are unlikely to initiate a web connection to …
• Knowledge of these “other parties” can often lead to the discovery of new victims … more on that later
What a rush!
• There is no rush (from the attacker's point of view)
• Marathon, not sprint
• Sleeper malware
– Long-period beaconing
• Checks in only every few months
• A bit more on this later…
Elimination
• How do you get rid of it after you first detect it?
– Or after you have had a tip-off that you might have a problem
– You may get a tip-off from…
Whack-a-Mole?
• Very dynamic – lots of IT folks doing stuff
• But dangerous and not very effective
• Attackers will notice
• They will change attack approach
• They will remain in your estate
Structured approach
You will probably need help with some of this
Who you gonna call?
• Competent
• Capable
• Trusted
• Much less fun, much harder work, much more effective
– Detect/locate
– Prepare/Understand
– Disconnect
– Eliminate
– Protect
– Future processes
– Re-connect
– The new normal
Detection
• Log file analysis
– DNS, DHCP, VPN, firewall, IDS/IPS, proxy, AV
• Network analysis
– Packet capture and analysis, network sensors
• Host capability
– Process maps, memory maps, file structures, registry contents, file contents
• Roughly one third/one third/one third of detections from each source
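The log-analysis third of the detection picture, as an added example that is not part of the original deck: the deck notes that this malware checks in with command and control through compromised third parties, sometimes only every few months, and that knowing those third parties leads to new victims. The script below (hypothetical names throughout) reads constructed proxy log lines in a made-up "timestamp src_ip dest_host status" layout, flags source/destination pairs whose contact intervals are suspiciously regular (an hourly beacon and a quarterly sleeper fall to the same test, because the regularity measure is scale-free), and then pivots on a confirmed relay host to list every other internal address that touched it.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (made up for this example, not real traffic):
# "<ISO timestamp> <internal src IP> <destination host> <HTTP status>"
# 10.1.1.7  -> static.example.org : hourly beacon via a compromised third-party site
# 10.1.2.21 -> updates.example.net: sleeper that checks in roughly every three months
# 10.1.1.9  -> news.example.com   : ordinary, irregular browsing
# 10.1.3.5  -> static.example.org : single contact, only found by pivoting on the relay
SAMPLE_PROXY_LOG = """\
2011-03-01T09:00:12 10.1.1.7 static.example.org 200
2011-03-01T09:01:30 10.1.1.7 news.example.com 200
2011-03-01T10:00:10 10.1.1.7 static.example.org 200
2011-03-01T10:40:02 10.1.1.9 news.example.com 200
2011-03-01T11:00:14 10.1.1.7 static.example.org 200
2011-03-01T12:00:09 10.1.1.7 static.example.org 200
2011-03-01T13:00:11 10.1.1.7 static.example.org 200
2011-03-01T13:17:45 10.1.1.9 news.example.com 200
2011-03-01T13:25:00 10.1.1.9 news.example.com 200
2011-03-01T15:22:01 10.1.3.5 static.example.org 200
2010-10-03T02:10:00 10.1.2.21 updates.example.net 200
2011-01-03T02:10:30 10.1.2.21 updates.example.net 200
2011-04-03T02:09:50 10.1.2.21 updates.example.net 200
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2]))
    return events


def find_beacons(events, min_events=3, max_cv=0.15):
    """Return {(src, dst): (contacts, mean_gap_seconds)} for regular check-ins.

    Regularity is the coefficient of variation (stddev / mean) of the gaps
    between contacts, so an hourly beacon and a quarterly sleeper are caught
    by the same threshold.  Irregular browsing has a high CV and is ignored.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_cv:
            beacons[pair] = (len(stamps), avg)
    return beacons


def find_other_victims(events, c2_host, known=()):
    """Pivot on a confirmed relay host: every internal address that touched it
    is a lead to investigate, not proof of compromise."""
    return sorted({src for _, src, dst in events if dst == c2_host and src not in known})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_PROXY_LOG)
    for (src, dst), (n, avg) in sorted(find_beacons(evts).items()):
        print(f"{src} -> {dst}: {n} contacts, one every {avg / 3600:.1f} h")
    print("also contacted static.example.org:",
          find_other_victims(evts, "static.example.org", known={"10.1.1.7"}))
```

The thresholds are starting points, not tuned values: a beacon with deliberate jitter needs a looser `max_cv`, and a sleeper seen only twice has a single gap and no variance at all, which is why the pivot on known relay hosts matters as much as the periodicity test.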
Prepare/Understand
• Do you know your estate?
– Network connections
– Password policies
– Password and application interactions
• Understand how the malware works
– Command and control
– How it persists
– How it moves/how it is moved
Structured approach
• Detect/locate • Prepare/Understand • Disconnect • Eliminate • Protect • Future processes • Re-connect • New normal
New Normal
• They will re-attack
• They will get in
• Your processes have to:
– Detect
– Investigate
– Eliminate
– Adapt
The Human Element
• Groups
– Developers
– Doers
– Follow-up
• Below the radar
– Working patterns
– Comms patterns
• Multiple groups?
– Probably
– May not always be aware of each other
They are only human
• Oops!
– Human script followers
• Identifiable keyboard drivers
• Typos
• Mistakes
• Repeated commands
• May not be sure of where they are
• Sometimes careless/sloppy
– Compressed archives not fully deleted
The Attack Surface
• Microsoft / Adobe / Java
– Because they are the most popular platforms.
“I rob banks ‘cause that’s where the money is”
• Patching and the role it can play…
The products that fix the problem
• Unfortunately none
• Needs a structured approach to robust monitoring and a number of products to help manage the risk
• An approach based on
– People – at all levels of the organisation
– Process
– Technology
In that order of priority
The approach that handles the problem
• This is about our approach, but others have similar.
• SOC – multi-geography, 24*365
• Evolution of tools
– Externally sourced
– Internally sourced
• Evolution of people skills
– Better understanding of the subject
– Better analysis skills
Tools
• Log consolidation and analysis
– DHCP, DNS, proxy, firewall, IDS, VPN etc.
• Network traffic monitoring and analysis
• Host data capture
– To aid in incident identification
– To aid in incident investigation
Tool Effectiveness
• Share of incidents found by each source (log / network / host)
– Initially: 34% / 33% / 33%
– Now: 65% / 30% / 5%
– Future?: 45%? / 50%? / 5%?
The approach takes time
Summary
• Bad folks are doing bad stuff very well
• They see it as a huge commercial benefit
• We need to get better at detecting/eliminating/protecting
• It can be done, but must be done in a structured and on-going fashion to be effective
• It is an evolving threat, so there are no “fit and forget” solutions
Remember, you may have to….
• Detect/locate • Prepare/Understand • Disconnect • Eliminate • Protect • Future processes • Re-connect • New normal
Difficult Truths
• Safe harbours will continue to exist
• Traditional prevention and detection has failed
• Governments cannot prevent intrusions
• Data loss is inevitable
• Attacks will continue
• Companies often breached for years
Additional Reading
• http://www.rsa.com/innovation/docs/sbic_rpt_0711.pdf
– Write-up from RSA on the threat and what can be done to help reduce the risk and the impact.
Any Questions?