how to fight an apt attack: identifying and responding to a visit from china

33
How to fight an APT attack: Identifying and Responding to a visit from China

Upload: cornelius-lyons

Post on 03-Jan-2016

224 views

Category:

Documents


7 download

TRANSCRIPT

How to fight an APT attack: Identifying and Responding to a

visit from China

How to fight an APT attack: Identifying and Responding to a

visit from China

Trends of Cyber Espionage

• “Most surprising to us is the consistent, significant growth of incidents in the dataset. We knew it was pervasive, but it’s a little disconcerting when it triples last year’s already much-increased number. Espionage exhibits a wider variety of threat actions than any other pattern. The most evident changes from our last report include the rise of strategic web compromises and the broader geographic regions represented by both victims and actors.”

-Verizon DBIR


Cyber Espionage Statistics

2013 Compromises

• 511 Reported Incidents

• 306 Confirmed Data Disclosures

Malware Threat Vectors

• 78% Email Attachments

• 20% Drive By Downloads

• 2% Email Link


Discovery Timeline

• 0% Seconds

• 0% Minutes

• 9% Hours

• 8% Days

• 16% Weeks

• 62% Months

• 5% Years


Discovery Methods

• 85% External

• 15% Internal

• Which breaks down as follows:

• 67% External Unrelated Party

• 16% External Law Enforcement

• 8% Internal Anti-Virus

• 2% Internal Network IDS

• 2% Reported by User

• 1% Internal Log Review

• 1% Other


Spearphish

• Spoofed sender

• Looks legitimate; the attacker will research your social media presence for customization

• Will leverage a reconnaissance tool such as “TheHarvester” to acquire email targets

• Email Attachments (typically PDF, Word, or Excel documents) contain embedded malware

• Once the attachment is opened, malware is installed and beacons to its Command and Control Server


Drive By Downloads

• Malicious actors set a trap on legitimate websites redirecting the target to an Exploit Kit Landing Page (examples: Excel Forums, NBC, Council on Foreign Relations)

• Once the Exploit Kit is successful, malware is dropped on the victim’s system

• The malware installs and beacons back to the Command and Control server


Pondurance Network Sensors > Drive By Downloads

Now we’re just showing off….

Cyber Espionage Attack Structure

• The custom dropper malware beacons to a command and control web site and pulls down backdoor malware which gives the attacker reverse shell access.

• The attacker establishes multiple backdoors to ensure access can be maintained if the other systems are found.

• The attacker now has access to the system and dumps account names and password hashes from the domain controller.

• The attacker cracks the passwords and now has access to legitimate user accounts to continue the attack undetected.

• The attacker performs reconnaissance to identify and gather data.

• Data is collected on a staging server.

• Data is exfiltrated from the staging server.

• The attacker will cover their tracks by deleting files but can return at any time to conduct additional activity.


Lateral Movement

• Scan the network for targets
  – Copy the backdoor malware file over
  – Schedule an “at” job to execute the malware

• PsExec

• Internal Remote Access Tools (TeamViewer!)


Incident Response Procedure

• Preparation

• Identification

• Containment

• Eradication

• Recovery

• Lessons Learned


Network Sensors – Initial Detection

The POST included:

    HTTP/1.1 200 OK
    Host: militarysurpluspotsandpans.com
    Dst:
    {"status":"1"}

Notice a pattern in these beacons?
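The pattern the sensor shows is a timer: the same host POSTs to the same domain at a fixed interval and gets the same one-line answer back every time. As an added example (not part of the deck and not Pondurance's sensor code), the Python below runs that check over a constructed set of sensor records: the militarysurpluspotsandpans.com / {"status":"1"} pairing follows the slide, while the timestamps, hostnames and the other destinations are assumptions made up for the example.

```python
"""Periodic-beacon detection over HTTP sensor records (constructed sample data)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound HTTP records as a network sensor might log
# them: timestamp, source host, method, destination host, response body.
# Only the C2 domain and its {"status":"1"} reply follow the slide; the
# timing, the hostnames and the other destinations are assumptions.
SAMPLE_RECORDS = """\
2014-03-04T09:00:02 user-xp-pc POST militarysurpluspotsandpans.com {"status":"1"}
2014-03-04T09:00:07 user-xp-pc GET ajax.aspnetcdn.com <html>...</html>
2014-03-04T09:05:03 user-xp-pc POST militarysurpluspotsandpans.com {"status":"1"}
2014-03-04T09:10:01 user-xp-pc POST militarysurpluspotsandpans.com {"status":"1"}
2014-03-04T09:11:40 user-xp-pc GET g.ceipmsn.com OK
2014-03-04T09:15:04 user-xp-pc POST militarysurpluspotsandpans.com {"status":"1"}
2014-03-04T09:20:02 user-xp-pc POST militarysurpluspotsandpans.com {"status":"1"}
2014-03-04T09:25:03 user-xp-pc POST militarysurpluspotsandpans.com {"status":"1"}
2014-03-04T09:03:11 fin-ws-07 GET ajax.aspnetcdn.com <html>...</html>
2014-03-04T09:27:45 fin-ws-07 GET ajax.aspnetcdn.com <html>...</html>
2014-03-04T10:02:09 fin-ws-07 GET ajax.aspnetcdn.com <html>...</html>
"""


def parse_records(text):
    """Yield (timestamp, src, method, dst, body) from the sensor lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, dst, body = line.split(None, 4)
        yield datetime.fromisoformat(ts), src, method, dst, body


def find_beacons(text, min_hits=5, max_cv=0.10):
    """Flag (src, dst) pairs whose connection intervals are near-constant.

    A beacon talks on a timer; a person or a normal application does not.
    The coefficient of variation (stdev / mean) of the inter-arrival gaps
    sits close to zero for a timer-driven beacon, so pairs with at least
    `min_hits` connections and cv <= `max_cv` are reported.
    """
    by_pair = defaultdict(list)
    bodies = defaultdict(set)
    for ts, src, _method, dst, body in parse_records(text):
        by_pair[(src, dst)].append(ts)
        bodies[(src, dst)].add(body)

    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period if period else float("inf")
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "hits": len(times),
                "period_s": round(period, 1),
                "jitter_cv": round(cv, 4),
                # A C2 channel that answers with the same tiny acknowledgement
                # every time (the slide's {"status":"1"}) is a second tell.
                "fixed_response": len(bodies[(src, dst)]) == 1,
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_RECORDS):
        print(finding)
```

On the constructed data the only hit is user-xp-pc talking to militarysurpluspotsandpans.com every 300 seconds with a jitter of under one percent; the three CDN fetches from fin-ws-07 never reach the minimum hit count. Real implants add random sleep, so in practice the threshold is tuned per environment and the fixed-response check carries more weight than the raw period.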

Stop! Acquisition is so 2013…

• Acquisition takes A LONG TIME; it is nearly impossible to keep up with a skilled attacker using this methodology

• When an incident related to foreign nation-state cyber espionage goes to court, let me know ;)

• Remote Forensics is where it's at… this capability allows you to mount remote Memory and Disk to your workstation for analysis in READ ONLY MODE in mere seconds


The Culprit – Captured in Real Time

PDF Analysis

• http://blog.didierstevens.com/programs/pdf-tools/

• http://blog.zeltser.com/post/3235995383/pdf-stream-dumper-malicious-file-analysis

• Malware embedded within PDF documents typically involves Shellcode, JavaScript or .swf (Flash) files

• These tools allow you to identify and extract these objects for further analysis

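An added example, not from the deck and not code from the pdf-tools or PDFStreamDumper projects linked above: a minimal pdfid-style triage in Python. It counts the names that matter (/JS, /JavaScript, /OpenAction, /AA, /Launch, /EmbeddedFile, /RichMedia, /ObjStm) after resolving the #xx hex escapes that malicious PDFs use to hide them from a plain string search, and pulls out any JavaScript held in a literal string. The PDF bytes are constructed for the example; real samples usually put the script in a (often compressed) stream object, which is where the linked tools take over.

```python
"""Static triage of a PDF for active content, in the spirit of pdfid."""
import re

# Names that make a PDF worth a closer look. /OpenAction and /AA run an action
# when the document opens or on a page event; /JS and /JavaScript carry
# script; /Launch runs a program; /EmbeddedFile and /RichMedia carry payload
# files or Flash; /ObjStm hides objects inside a compressed stream.
SUSPICIOUS_NAMES = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch",
                    "/EmbeddedFile", "/RichMedia", "/ObjStm")
AUTO_EXEC = {"/OpenAction", "/AA"}
ACTIVE = {"/JS", "/JavaScript", "/Launch", "/EmbeddedFile", "/RichMedia"}

# Constructed minimal PDF. The JavaScript names are hex-escaped (/Java#53cript
# is /JavaScript, /J#53 is /JS), which defeats a naive grep for /JavaScript.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /Java#53cript /J#53 (app.alert('hello')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n"
    b"%%EOF\n"
)


def normalize_names(data):
    """Resolve #xx escapes in PDF names so /Java#53cript reads as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def _literal_string(data, pos):
    """Return the PDF literal string whose opening '(' is at data[pos].

    Literal strings may hold balanced parentheses and backslash escapes, so
    a regex up to the first ')' would truncate app.alert('x') to app.alert('x'.
    Escape sequences are kept raw; that is enough for triage.
    """
    depth = 0
    out = bytearray()
    i = pos
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            out += data[i:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                break
            out += c
        else:
            out += c
        i += 1
    return bytes(out)


def triage_pdf(data):
    """Count suspicious names, extract inline JavaScript, and summarise risk."""
    norm = normalize_names(data)
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # A name token ends at whitespace or a delimiter, so /JS does not
        # match /JScript and /AA does not match /AAext.
        pattern = re.escape(name.encode()) + rb"(?![^\s()<>\[\]{}/%])"
        counts[name] = len(re.findall(pattern, norm))
    scripts = [_literal_string(norm, m.end()).decode("latin-1")
               for m in re.finditer(rb"/JS\s*(?=\()", norm)]
    return {
        "objects": len(re.findall(rb"\b\d+\s+\d+\s+obj\b", norm)),
        "names": counts,
        "obfuscated_names": norm != data,   # hex-escaped names are themselves a flag
        "auto_exec": any(counts[n] for n in AUTO_EXEC),
        "active_content": any(counts[n] for n in ACTIVE),
        "javascript": scripts,
    }


if __name__ == "__main__":
    print(triage_pdf(SAMPLE_PDF))
```

The combination reported for the sample, auto-execution plus active content plus obfuscated names, is the profile of a spearphish attachment; a benign PDF normally has none of the three. The count of objects matters when you move to pdf-parser: the object referenced by /OpenAction is the one to dump first.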

Memory Analysis

Command Line Input

root@ubuntu:/home/john/Volatility# python vol.py cmdscan

Cmd #0 @ 0x300500: hostname

Cmd #1 @ 0x310038: whoami        

Cmd #2 @ 0x31002d: netstat -ano

Cmd #3 @ 0x2d0039: net use \\user-xp-pc\IPC$ /u:DOMAIN\USER-01

Cmd #4 @ 0x310037: psexec \\user-xp-pc cmd.exe

Cmd #5 @ 0x2d0030: netstat -ano


Memory Analysis

• Suspicious Exited Connection

• Umm…..


Memory Analysis - Processes

Memory Analysis – Acquiring Processes

• Process saved as an executable to your local directory in seconds
• From there you may proceed with malware analysis
• Works for DLLs as well

Malware Analysis

Capabilities:

• Remote Access Trojan [RAT]
  – Able to provide a reverse shell to the attacker for backdoor-level access

• Keylogger
  – Able to steal credentials from the affected system

• How does this influence the remediation strategy?

Malware Analysis – C2 Traffic

Domain                              IP Address
g.ceipmsn.com                       131.253.40.10
microsoftwlsearchcrm.112.2o7.net    66.235.138.225
puppydepo.com                       120.199.31.8
414780153.log.optimizely.com        54.235.178.178
militarysurpluspotsandpans.com      54.196.135.175
az10143.vo.msecnd.net               65.54.89.229
ajax.aspnetcdn.com                  68.232.34.200
static.revenyou.com                 198.232.124.224

Oh look….

Basic Dynamic Analysis

• Regshot will allow the analyst to identify how the malware influences the Registry upon execution

• On a test machine, use Regshot to “snapshot” the Registry

• Run the malware

• Use Regshot to take a second “snapshot” of the Registry

• Regshot will then output the difference


Scoping the Attack

• IOC Sweeps
  – Indicators of Compromise – OpenIOC Framework
  – XML Format
  – Leverage threat intelligence of the malware (registry keys it writes to, file names, file sizes, compilation timestamps, etc)
  – Forensically scan every node on the network to see if these exist
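An added example, not from the deck and not the OpenIOC project's own code: evaluating an OpenIOC 1.0 definition against per-host artifact snapshots in Python. The IOC, the hostnames and the artifacts are constructed; only the namespace URI is the real one, and string comparison is made case-insensitive as a simplification for Windows paths. Note how the AND on file name plus size keeps a same-named legitimate file from matching, which is why the slide lists sizes and compile timestamps alongside names.

```python
"""Sweep constructed host snapshots with an OpenIOC 1.0 definition."""
import xml.etree.ElementTree as ET

NS = "http://schemas.mandiant.com/2010/ioc"  # the real OpenIOC 1.0 namespace


def q(tag):
    """Qualify a tag with the OpenIOC namespace for ElementTree lookups."""
    return f"{{{NS}}}{tag}"


# Constructed IOC: a backdoor dropped as updater32.exe (name and size are made
# up) plus the Run key it uses for persistence. The name AND size pair stops a
# legitimate file that happens to share the name from matching.
IOC_XML = r"""<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="constructed-example">
  <short_description>Constructed backdoor IOC</short_description>
  <definition>
    <Indicator operator="OR">
      <Indicator operator="AND">
        <IndicatorItem condition="is">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">updater32.exe</Content>
        </IndicatorItem>
        <IndicatorItem condition="is">
          <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/>
          <Content type="int">45056</Content>
        </IndicatorItem>
      </Indicator>
      <IndicatorItem condition="contains">
        <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/>
        <Content type="string">CurrentVersion\Run\updater32</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed per-host snapshots, shaped like the FileItem / RegistryItem
# objects an endpoint agent returns for a sweep.
HOSTS = {
    "user-xp-pc": {
        "FileItem": [
            {"FileName": "updater32.exe", "SizeInBytes": 45056},
            {"FileName": "notepad.exe", "SizeInBytes": 69120},
        ],
        "RegistryItem": [
            {"Path": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updater32",
             "Text": r"C:\WINDOWS\system32\updater32.exe"},
        ],
    },
    # Legitimate program with the same file name but a different size.
    "fin-ws-07": {
        "FileItem": [{"FileName": "updater32.exe", "SizeInBytes": 1203200}],
        "RegistryItem": [],
    },
    # File already deleted by the attacker, persistence key left behind.
    "hr-ws-12": {
        "FileItem": [],
        "RegistryItem": [
            {"Path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater32",
             "Text": r"C:\DOCUME~1\user\updater32.exe"},
        ],
    },
}


def eval_item(item, snapshot):
    """True if any artifact of the Context's type satisfies the condition."""
    search = item.find(q("Context")).get("search")      # e.g. FileItem/FileName
    content = (item.find(q("Content")).text or "").lower()
    condition = item.get("condition", "is")
    obj_type, field = search.split("/", 1)
    for obj in snapshot.get(obj_type, []):
        value = str(obj.get(field, "")).lower()
        if condition == "is" and value == content:
            return True
        if condition == "contains" and content in value:
            return True
    return False


def eval_indicator(node, snapshot):
    """Recursively apply the Indicator's AND/OR operator to its children."""
    op = node.get("operator", "OR").upper()
    results = []
    for child in node:
        if child.tag == q("IndicatorItem"):
            results.append(eval_item(child, snapshot))
        elif child.tag == q("Indicator"):
            results.append(eval_indicator(child, snapshot))
    if not results:
        return False
    return all(results) if op == "AND" else any(results)


def matches(ioc_xml, snapshot):
    """Evaluate the IOC's top-level Indicator against one host snapshot."""
    root = ET.fromstring(ioc_xml)
    top = root.find(f"{q('definition')}/{q('Indicator')}")
    return eval_indicator(top, snapshot)


def sweep(ioc_xml, hosts):
    """Return the sorted list of hostnames whose snapshot matches the IOC."""
    return sorted(h for h, snap in hosts.items() if matches(ioc_xml, snap))


if __name__ == "__main__":
    print(sweep(IOC_XML, HOSTS))
```

One caveat on the simplification: this evaluator treats an AND as "all children matched somewhere on the host", while a full OpenIOC engine requires the items under one AND to describe the same object (the same file has both the name and the size). On the sample data the two agree; on a real sweep the stricter semantics cut false positives.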

Finding Evil with Autorunsc

• for /L %i in (1, 1, 254) do @psexec -s -n 4 -d \\n.n.n.%i cmd /c "net use o: \\server\share PASSWORD /user:domain\username && \\live.sysinternals.com\tools\autorunsc -a -v -f -c '*' > o:\n.n.n.%i.csv && net use o: /delete"

• Typed at an interactive cmd prompt (in a batch file the loop variable is %%i); psexec -s runs autorunsc as SYSTEM, -n 4 gives up on hosts that do not answer within 4 seconds, -d does not wait for completion, and the '*' argument makes autorunsc cover every user profile. The share password is visible on the command line and in process listings, so use a throwaway account for the sweep

• Remotely extract all Registry entries set to known autostart locations as well as the MD5 hash of the associated files (-f); -v also verifies each image's digital signature, so unsigned autostarts stand out in the CSV

• Example:

• SYSTEM\CurrentControlSet\Services

• If a service's Start value is 2 (Automatic) it starts at boot; 0 (Boot) and 1 (System) are driver start types, 3 is Manual and 4 is Disabled

• Another way to quickly scan an enterprise if the auto-start mechanisms of the malware are known is to push this out through Group Policy
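Once the CSVs are on the share the work is stacking: an entry that is identical on every host is probably fine, an unsigned autostart that exists on one host is where to look first. As an added example (not from the deck and not Sysinternals code), the Python below parses constructed autorunsc-style CSV output for four hosts and reports the rare and the unverified entries. Hostnames, paths, versions and hashes are made up; the column names follow autorunsc -c but are trimmed to those used here.

```python
"""Stack autorunsc CSV output across hosts to surface rare and unsigned autostarts."""
import csv
import io
from collections import defaultdict

# Columns from `autorunsc -a -v -f -c`, trimmed to the ones used here. Real
# output adds SHA-1/SHA-256/IMP hash columns and, on older versions, is
# UTF-16 encoded, so decode before parsing.
HEADER = ("Entry Location,Entry,Enabled,Category,Description,Publisher,"
          "Image Path,Version,Launch String,MD5")

# Constructed rows: the hostnames, paths, versions and hashes are made up.
DHCP = (r"HKLM\System\CurrentControlSet\Services,Dhcp,enabled,Services,DHCP Client,"
        r"(Verified) Microsoft Windows,c:\windows\system32\svchost.exe,5.1.2600.5512,"
        r"svchost.exe -k netsvcs,aa11aa11aa11aa11aa11aa11aa11aa11")
IGFX = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,IgfxTray,enabled,Logon,"
        r"igfxTray Module,(Verified) Intel Corporation,c:\windows\system32\igfxtray.exe,"
        r"6.14.10.4926,C:\WINDOWS\system32\igfxtray.exe,bb22bb22bb22bb22bb22bb22bb22bb22")
AGENT = (r"HKLM\System\CurrentControlSet\Services,CorpAgent,enabled,Services,"
         r"Corp Inventory Agent,(Not verified) Example Corp,c:\program files\corp\agent.exe,"
         r"2.1.0.0,c:\program files\corp\agent.exe -svc,cc33cc33cc33cc33cc33cc33cc33cc33")
IMPLANT = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,updater32,enabled,Logon,,"
           r"(Not verified),c:\windows\system32\updater32.exe,,"
           r"C:\WINDOWS\system32\updater32.exe,dd44dd44dd44dd44dd44dd44dd44dd44")

# One CSV per swept host, as the for /L loop above writes them to the share.
HOST_CSV = {
    "n.n.n.10": "\n".join([HEADER, DHCP, IGFX, AGENT]),
    "n.n.n.11": "\n".join([HEADER, DHCP, IGFX, AGENT]),
    "n.n.n.12": "\n".join([HEADER, DHCP, IGFX, AGENT]),
    "n.n.n.13": "\n".join([HEADER, DHCP, IGFX, IMPLANT]),
}


def stack_autoruns(host_csv):
    """Group identical autostart entries across hosts.

    The key is location + image path + MD5, so the same file name with a
    different hash lands in a different stack and still shows up as rare.
    """
    stacks = defaultdict(lambda: {"hosts": set(), "entry": "", "publisher": ""})
    for host, text in host_csv.items():
        for row in csv.DictReader(io.StringIO(text)):
            key = (row["Entry Location"], row["Image Path"].lower(), row["MD5"].lower())
            stack = stacks[key]
            stack["hosts"].add(host)
            stack["entry"] = row["Entry"]
            stack["publisher"] = row["Publisher"]
    return stacks


def _describe(key, stack):
    location, image, md5 = key
    return {
        "location": location, "entry": stack["entry"], "image": image, "md5": md5,
        "hosts": sorted(stack["hosts"]), "host_count": len(stack["hosts"]),
        # autorunsc -v prefixes the publisher with "(Verified)" or "(Not verified)".
        "verified": stack["publisher"].startswith("(Verified)"),
    }


def rare_entries(stacks, max_hosts=1):
    """Least-frequency-of-occurrence: entries on at most max_hosts hosts, unsigned first."""
    hits = [_describe(k, s) for k, s in stacks.items() if len(s["hosts"]) <= max_hosts]
    return sorted(hits, key=lambda e: (e["verified"], e["host_count"], e["entry"]))


def unverified_entries(stacks):
    """Entries whose image failed signature verification, regardless of prevalence."""
    hits = [_describe(k, s) for k, s in stacks.items()
            if not s["publisher"].startswith("(Verified)")]
    return sorted(hits, key=lambda e: e["entry"])


if __name__ == "__main__":
    stacks = stack_autoruns(HOST_CSV)
    for entry in rare_entries(stacks):
        print("RARE", entry)
    for entry in unverified_entries(stacks):
        print("UNSIGNED", entry)
```

Two lists come out: the rare list has only updater32 on n.n.n.13, and the unsigned list adds the corporate agent, which is unverified but present on three of four hosts. That second list is the reminder that "not verified" alone is not a verdict; prevalence plus signature state together decide what to pull into the IOC sweep.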

Containment – Get it right the first time or else

• Isolate the affected subnets from the rest of the network (if feasible, if not then the affected machines)

• Sinkhole all the C2 Domains in DNS Servers

• Suspend all user accounts related to the attack

• Submit malware to AV Vendor for signature creation


Eradication

• Pull affected machines from the network IN UNISON

• Rebuild machines from a known clean base image

• Issue new credentials to affected users

• Ensure AV Signatures are updated throughout the environment


Recovery

• Bring remediated machines back on the network

• Remove ACL restrictions that isolated affected subnets

• Ensure business returns to normal

• Continue monitoring and sweeping network


Lessons Learned

• Review incident with team

• Discuss what went right, what went wrong

• Document and implement these strategies in future scenarios


Any Questions?