1 | © 2015, Palo Alto Networks. Confidential and Proprietary.
CRACK THE CODE
DEFEATING ADVANCED
ATTACKERS
Key Perspectives
Who is the Adversary?
Understanding the Cyber Attack Lifecycle
How Attacks Happen
Challenges and Change Introduce Risks
Reliance on Multiple Layers of Security Vendors
Application Economy
Consumerization of IT
Internet of Things
Social, Mobile, Analytics, Cloud
Organizational Risk
Risk Exposure
Rate of Change/Complexity
Decreasing Visibility and Control
Exploring Actor Motivations
Hacktivism, Mischief, Warfare, Crime ($$$), Espionage, Terrorism
These are not mutually exclusive.
The Advanced Adversary
The majority of adversaries are just doing their job:
• Bosses, families, bills to pay.
• Want to get in, accomplish their task, and get out (undetected).
• Their goal isn’t making your life hard.
The Advanced Adversary
Adversaries have a set of tools available to accomplish their task.
Defenders need a combination of people, process and technology.
Increase the cost for adversaries.
Cyber Attack Lifecycle
Reconnaissance, Weaponization and Delivery, Exploitation, Installation, Command-and-Control, Actions on the Objective
Unauthorized Access / Unauthorized Use
There is no predictable path for the advanced adversary.
Reconnaissance
Identify “open doors” within the organization:
• Port scanning
• Host sweeps
• Common search techniques
Reconnaissance
Simple Google search: list of attendees at a “National Defense Industrial Association” event.
Reconnaissance
Identify the tools used to protect an organization:
• Content from corporate websites
• Third-party sites to identify key targets
• Common search techniques
Preventing Recon
People & Process
Technology can only prevent a small number of recon techniques.
Exploitation
1. Exploiting the user
Why use malware when you have legitimate credentials?
Users are typically the path of least resistance.
Exploitation
2. Exploiting the software
Why use a 0-day when CVE-2012-0158 / CVE-2010-3333 are still open?
Old vulnerabilities may not be patched.
Exploitation
Technology:
• If you can’t patch systems, limit access via user-based policy.
• Deploy solutions that can prevent exploitation on the endpoint and network, even those that have not been seen before.
• Use systems that learn from new exploits and can stop them in real time.
Process:
• Keep software patched to reduce the attack surface.
People:
• Training to recognize phishing attempts and be careful with credentials.
Delivery
Technology becomes critical to preventing advanced attacks.
Delivery
Delivering the Exploit or Malware
• Phishing: everything else.
• Watering hole: strategic web compromise, for attackers targeting people with specific interests.
• Malicious USB drives, network exploitation, etc.: attackers with a specific target.
Phishing & Drive-by Download
1. Targeted malicious email sent to user.
2. User clicks on link to a malicious website.
3. Malicious website silently exploits a client-side vulnerability with a web attack toolkit.
4. Drive-by download of malicious payload.
5. System infected; attacker has full access to steal data.
Watering hole: the same chain, with a compromised website in place of the email link.
Installation
Myth: Highly customized and unique tools are used for every attack.
Reality: Off-the-shelf tools are the most common method of attack.
Common Tools
• Remote shell: direct access to the OS as the logged-in user
• Keylogger
• Audio capture
• Screen capture
• Webcam capture
Common Tools
The Underground Economy
“A tool for creating Botnets on Android […] $4,000”
Active marketplace for attacks:
• Remote access tools.
• Malware.
• Exploits.
• Etc.
• Easily purchase tools.
• Discuss tactics with other attackers.
The Underground Economy
“Peer-to-peer Botnet […] $15,000”
Preventing Delivery and Installation
Technology:
• Prevent malware and exploits at the network level.
• Deploy a solution that can detect new exploits and malware and dynamically update your protections across AV, URL and DNS.
• Prevent exploits that have never been seen before on the endpoint.
• User-based policy, such as limiting the download of executable files from the Internet.
• Block commonly exploited file types on your network.
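An added example (not code from the deck or from Palo Alto Networks) of what the last two controls above look like when they key on content rather than on the file name: a download filter that classifies a file by its leading bytes, blocks executables even when they carry a document extension, sends commonly exploited document formats to deeper inspection, and looks inside zip-based Office containers for a VBA project. The signatures are the standard file-format magic numbers; the file names, sample contents, verdict categories and the `decide` policy are assumptions constructed for this illustration.

```python
"""Content-based file-type check for a download-filtering policy (added example)."""
import io
import zipfile

# Well-known file signatures (magic numbers), checked in order.
SIGNATURES = [
    (b"MZ", "pe-executable"),                               # Windows EXE/DLL/SCR
    (b"\x7fELF", "elf-executable"),                         # Linux/Unix binaries
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-document"),  # legacy .doc/.xls/.ppt
    (b"{\\rtf", "rtf"),
    (b"PK\x03\x04", "zip-container"),                       # .zip and OOXML .docx/.xlsx/.docm
]

# Assumed policy (constructed for this example): executables are blocked outright,
# commonly exploited document formats go to deeper inspection (e.g. a sandbox).
BLOCK_TYPES = {"pe-executable", "elf-executable"}
INSPECT_TYPES = {"pdf", "ole2-document", "rtf"}
EXEC_EXTENSIONS = {"exe", "dll", "scr", "com", "elf", "bin"}


def detect_type(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring its name."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def decide(filename: str, data: bytes) -> tuple:
    """Return (verdict, reason); verdict is 'block', 'inspect' or 'allow'."""
    ftype = detect_type(data)
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ftype in BLOCK_TYPES:
        if ext in EXEC_EXTENSIONS:
            return "block", f"executable download ({ftype})"
        # The interesting case: executable bytes behind a harmless-looking name.
        return "block", f"{ftype} disguised as .{ext}"
    if ftype in INSPECT_TYPES:
        return "inspect", f"commonly exploited document type ({ftype})"
    if ftype == "zip-container":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "inspect", "malformed zip container"
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "inspect", "macro-enabled Office document"
        return "allow", "zip container without macros"
    return "allow", f"no rule for type {ftype}"


def build_office_zip(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like container for the sample set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample downloads (not real files or malware).
SAMPLES = [
    ("setup.exe", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56),
    ("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60),          # renamed executable
    ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("quarterly.docm", build_office_zip(with_macro=True)),
    ("memo.docx", build_office_zip(with_macro=False)),
    ("notes.txt", b"plain text, nothing to see here"),
]


def run_policy(samples=SAMPLES):
    """Apply the policy to every sample; returns [(name, verdict, reason), ...]."""
    return [(name, *decide(name, data)) for name, data in samples]


if __name__ == "__main__":
    for name, verdict, reason in run_policy():
        print(f"{verdict:8} {name:16} {reason}")
```

The point of the `invoice.pdf` sample is that an extension-based rule would have let it through; checking the bytes catches it. In a real gateway the zip inspection also has to bound the archive size and nesting depth before opening it.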
Command and Control (CnC)
Communicating with infected hosts and providing instructions
Myth: Customized protocols with unique encryption types are used for CnC.
Reality: HTTP is most common for custom backdoors.
Command and Control (CnC)
Enterprise and adversary infrastructure: User Land, DMZ, Ingress/Egress, Data Center/Infrastructure, Internet, Adversary Infrastructure
Command and Control (CnC)
Malware for automated exfiltration: malware automatically captures information (information exfiltration).
Command and Control (CnC)
2nd stage download and establish CnC channel: malware downloads a 2nd stage or beacons (second stage+), then establishes CnC.
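The beacon described on this slide is what makes this stage detectable from proxy or firewall logs: a periodic phone-home produces near-constant gaps between requests, while human browsing does not. The following is an added example, not code from the deck or from Palo Alto Networks. It groups constructed proxy log lines by (client, host), computes the inter-request gaps, and flags pairs whose gaps have a low coefficient of variation. The log format, host names, addresses and thresholds are assumptions made for the illustration.

```python
"""Beacon detection over proxy log lines (added example, constructed data)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: "<timestamp> <client-ip> <method> <host> <path>".
# 10.1.5.23 has a process phoning home to updates.example.net roughly every
# 60 seconds, interleaved with ordinary browsing; 10.1.5.77 contacts the same
# host only twice, which is too little to judge.
PROXY_LOG = """\
2015-03-02T09:00:00 10.1.5.23 GET updates.example.net /check
2015-03-02T09:00:10 10.1.5.23 GET news.example.org /
2015-03-02T09:00:25 10.1.5.23 GET news.example.org /world
2015-03-02T09:01:02 10.1.5.23 GET updates.example.net /check
2015-03-02T09:01:59 10.1.5.23 GET updates.example.net /check
2015-03-02T09:03:01 10.1.5.23 GET updates.example.net /check
2015-03-02T09:03:40 10.1.5.23 GET news.example.org /sports
2015-03-02T09:04:00 10.1.5.23 GET updates.example.net /check
2015-03-02T09:04:58 10.1.5.23 GET updates.example.net /check
2015-03-02T09:06:01 10.1.5.23 GET updates.example.net /check
2015-03-02T09:07:00 10.1.5.23 GET updates.example.net /check
2015-03-02T09:12:05 10.1.5.23 GET news.example.org /tech
2015-03-02T09:13:00 10.1.5.23 GET news.example.org /tech/article
2015-03-02T09:15:00 10.1.5.77 GET updates.example.net /check
2015-03-02T09:30:30 10.1.5.23 GET news.example.org /
2015-03-02T09:45:00 10.1.5.77 GET updates.example.net /check
"""


def parse_line(line):
    """Split one log line into (timestamp, client, host)."""
    ts, client, _method, host, _path = line.split()
    return datetime.fromisoformat(ts), client, host


def find_beacons(lines, min_intervals=5, max_cv=0.15):
    """Return (client, host) pairs whose request spacing is suspiciously regular.

    cv = stdev/mean of the inter-request gaps; a value near 0 means the
    requests are driven by a fixed timer rather than by a person.
    """
    series = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, client, host = parse_line(line)
            series[(client, host)].append(ts)
    hits = []
    for (client, host), stamps in sorted(series.items()):
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < min_intervals:
            continue  # not enough samples to call it periodic
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.stdev(gaps) / mean_gap
        if cv <= max_cv:
            hits.append({"client": client, "host": host, "requests": len(stamps),
                         "period_s": round(mean_gap, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(PROXY_LOG.splitlines()):
        print(hit)
```

Implants commonly add random sleep jitter to the beacon interval, so `max_cv` has to be tuned against the environment's baseline, and the same grouping should be run per destination IP as well as per host name, since the slide's reality column (HTTP CnC) means the host name may rotate while the address does not.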
Preventing Command-and-Control
• URL Filtering: proactively block high-risk URLs.
• DNS Sinkholing: identify the source of malicious DNS queries.
• Dynamic DNS: dynamic DNS category.
• Detect and Block: common RAT CnC signatures.
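An added example (not code from the deck or from Palo Alto Networks) of why the slide pairs DNS sinkholing with identifying the source of malicious DNS queries. When workstations resolve through an internal recursive resolver, the DNS log at the security layer shows the resolver as the source of every query, so it cannot name the infected host. Once a known-bad name is answered with a sinkhole address, the infected host itself opens a connection to that address and appears in the connection log. The addresses, domain names, log formats and the five-second correlation window are constructed for this illustration.

```python
"""DNS sinkhole correlation: find the real source of a blocked query (added example)."""
from collections import defaultdict
from datetime import datetime

SINKHOLE_IP = "10.99.0.1"   # constructed: address handed out for blocked names
RESOLVER_IP = "10.0.0.53"   # constructed: the internal recursive resolver
BAD_DOMAINS = {"cnc.bad-example.test", "dyn-update.bad-example.test"}  # constructed

# Constructed DNS log as seen by the sinkholing layer:
# "<timestamp> <querying-client> <qname> <qtype>". Every query arrives from the
# resolver, so this log alone cannot name the infected workstation.
DNS_LOG = """\
2015-03-02T10:00:00 10.0.0.53 cnc.bad-example.test A
2015-03-02T10:00:00 10.0.0.53 www.example.org A
2015-03-02T10:05:30 10.0.0.53 dyn-update.bad-example.test A
2015-03-02T10:07:00 10.0.0.53 mail.example.org A
"""

# Constructed firewall connection log: "<timestamp> <src-ip> <dst-ip> <dst-port>".
CONN_LOG = """\
2015-03-02T10:00:01 10.1.5.23 10.99.0.1 443
2015-03-02T10:00:02 10.1.5.23 192.0.2.10 443
2015-03-02T10:05:31 10.1.7.140 10.99.0.1 80
2015-03-02T10:07:05 10.1.5.23 10.99.0.1 443
"""


def _lines(text):
    return [line for line in text.splitlines() if line.strip()]


def dns_log_sources(dns_text):
    """Clients the DNS log blames for bad-domain queries: only the resolver."""
    return {line.split()[1] for line in _lines(dns_text)
            if line.split()[2] in BAD_DOMAINS}


def infected_hosts(dns_text, conn_text, window_s=5):
    """Map each host that talked to the sinkhole to its (time, matched-domain) pairs.

    A connection to the sinkhole is attributed to the bad-domain query seen at
    most window_s seconds earlier; with no such query the domain is None but
    the host is still reported, since nothing legitimate should reach the sinkhole.
    """
    bad_queries = []
    for line in _lines(dns_text):
        ts, _client, qname, _qtype = line.split()
        if qname in BAD_DOMAINS:
            bad_queries.append((datetime.fromisoformat(ts), qname))
    hits = defaultdict(list)
    for line in _lines(conn_text):
        ts, src, dst, _port = line.split()
        if dst != SINKHOLE_IP:
            continue
        t = datetime.fromisoformat(ts)
        matches = [q for qt, q in bad_queries
                   if 0 <= (t - qt).total_seconds() <= window_s]
        hits[src].append((ts, matches[0] if matches else None))
    return dict(hits)


if __name__ == "__main__":
    print("DNS log alone blames:", dns_log_sources(DNS_LOG), "(resolver:", RESOLVER_IP + ")")
    for host, events in infected_hosts(DNS_LOG, CONN_LOG).items():
        print(host, events)
```

The sinkhole address is chosen so that nothing else in the network uses it; any flow to it is then a high-fidelity indicator of an infected source, which is what the firewall or resolver log could not provide on its own.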
Actions on the Objective
Goals Inside the Network
“And Then the Bad Guys Steal All Your Data”
These are completed by an active operator.
Command and Control (CnC)
CnC ultimately enables the attacker’s endgame, Actions on Objectives.
Objective-based commands:
• Information exfiltration
• Dump domain credentials
• Steal repository information
• Steal local credentials
• Deface or host malware from site
• Steal local information
New Strategic Approaches to Security Are Needed
Security Organizations Are Not Innovating Fast Enough
• Existing controls ineffective against new threats
• Controls not evolving fast enough
Attackers Are Innovating Faster
• Sophistication of global attackers
• Increasing value of information
• Easier targets
Vulnerability Gap Continues to Widen
• Goal: reduce threat exposure by strengthening controls
Detect & Prevent Threats at Every Point
• At the Internet edge
• Between employees and devices within the LAN
• At the data center edge and between VMs
• At the mobile device
• Cloud: within private and public clouds
• Prevent attacks, both known and unknown
• Protect all users and applications, in the cloud or virtualized
• Integrate network and endpoint security
• Analytics that correlate across the cloud
Preventing Across the Cyber Attack Lifecycle
Reconnaissance, Weaponization and Delivery, Exploitation, Installation, Command-and-Control, Actions on the Objective
Unauthorized Access / Unauthorized Use
1. Breach the Perimeter
2. Deliver the Malware
3. Lateral Movement
4. Exfiltrate Data

Editor's Notes

  1. SMAC (Social, Mobile, Analytics, Cloud/Virtualization) is creating advanced vulnerabilities and complexities to manage. Perfect storm: apps create the attack horse to ride in on, mobility creates a massive increase in the number of points of entry, and cloud creates the chance to strike once and win a thousand points of access. Change results in tremendous risk. Visibility, as well as the controls involved to mitigate risk, must increase within a constantly changing landscape. Dramatic increase in organized, well-funded organizations bent on causing harm through sophisticated, orchestrated, persistent attacks. Advanced suites of hackware readily available and shared/sold on the internet. Perimeter-based security is ineffective. Endpoint AV is ineffective. Proliferation of security solutions is ineffective and difficult to manage. The detect approach is ineffective. Sandboxes are not created equal.
  2. Talking points: “Cyber” is in front of all of these as a reminder that these motivations are not new; it is just a matter of the medium the attacker is using. Motivations are “hats” an attacker can wear. There are some fuzzy areas between motivations; an attacker might wear two or more “hats” for a single attack (opportunistic or other shifting factor). Although motivations may shift for a single actor, that actor will often employ the same TTPs, tools and other resources in all of their attacks. Concept: defending against the adversary operating in the aggregate (not just an incident, but a series of events leading to that objective).
  3. Advanced adversaries aren’t mythic figures or groups with unlimited resources crafting every piece of a custom-made attack; there are only 3-5 groups like this in the entire world, and they are the .01%. 99.9% of attackers are just like you and me. Humans are responsible for all of the attacks you experience. They have bosses, families, bills to pay. They want to get in, accomplish their task, and get out (undetected). Their goal isn’t making your life hard. The media and others may try to convince you differently, but these assumptions are wrong!
  4. Adversaries have a set of tools available to accomplish their task. Use the right tool for the job: no need to use a bazooka if a lock-pick will open the door. Functionality can be extended: exfiltration, command & control, post-operation. Defenders need a combination of people, process and technology. Having only one of the components invalidates the others. For instance, the greatest security products in the world can’t prevent attacks if they are not configured and monitored correctly. They also cannot stop a user from revealing sensitive information. Ensure adversaries NEED the bazooka, not the lock-picks; or: don’t be the low-hanging fruit.
  5. Most of us have the means to stop known attacks, but what’s been historically difficult is stopping unknown attacks. To gain a better understanding of adversaries and the stages that each attack follows, here’s a quick look at the Attack Kill Chain. The Attack Kill Chain is a sequence of events that an attacker goes through to successfully infiltrate a network and exfiltrate data from it. The good news is that blocking just one step in this chain is all that is needed to protect a company’s network and data from attack. We’ve borrowed from the pioneering work that Lockheed Martin did when they created the Cyber Kill Chain, and here is how we view each stage in the kill chain:
     Reconnaissance: Just like burglars and thieves, attackers carefully plan their attacks. They research, identify, and select targets, oftentimes using phishing tactics or extracting public information from an employee’s LinkedIn profile or corporate websites. These criminals also scan for network vulnerabilities and services or applications they can exploit.
     Weaponization & Delivery: Next, the attackers determine which methods to use. They may choose to embed intruder code within seemingly innocuous files like a PDF or Word document or email message. Or, for highly targeted attacks, attackers may craft deliverables to catch the specific interests of an individual.
     Exploitation: Once attackers gain access “inside” an organization, they can activate attack code on the victim’s host and ultimately take control of the target machine.
     Installation: Attackers will seek to establish privileged operations, root kit, escalate privileges, and establish persistence.
     Command-and-Control: Attackers establish a command channel back through the Internet to a specific server so they can communicate and pass data back and forth between infected devices and their server.
     Actions on the Objective: Attackers may have many different motivations for attack, and it’s not always for profit. Their reasons could be data exfiltration, destruction of critical infrastructure, or to deface web property or create fear/extortion.
  6. They get in via HR or finance, for example. This isn’t about “spray-and-pray” attacks. Sources: the target organization’s website (PDFs, PowerPoint, XLS, etc.), which may include email addresses, customer lists, partner lists, etc.; conference/event websites (attendee lists, presentations); Google foo (filetype:xls inurl:attendees); social networks/job postings (identify technologies in use).
  7. Google Search reveals XLS spreadsheets containing names, titles, e-mail addresses and phone numbers of attendees to a “National Defense Industrial Association” event.
  8. A job posting for a firewall engineer reveals which products this company is deploying. A LinkedIn profile for a security analyst at a large company reveals which products they are using. Does this fit in weapon? I’m going to buy a weapon that can defeat these.
  9. This is your wake-up call for basic training and good process! Know what the adversary knows: check your corporate website and third-party content sources regularly. Perform “red-team” exercises to identify possible targets within your organization. Pay special attention to the training and access privileges of highly visible users. Configure hardware and software not to give away any unnecessary information, like type and version number. Technology can only prevent a few recon techniques, like port scans and host sweeps.
  10. This phishing page was used in one of the attacks Trend Micro calls “Operation Pawn Storm”. Phishing using fake Outlook Web Access pages is commonly used against businesses because nearly everyone uses it and the log-in pages look almost the same. This attack was on Academi, a security training organization. The attackers registered a similar domain for this attack. Phishing (OWA): why use malware when you have credentials? Spam with an email link to a fake site, exploit kits, etc.
  11. Old vulnerabilities: why use a 0-day when CVE-2012-0158 / CVE-2010-3333 are still open? 0-days are the bazooka. Printers can be used to break into an org; they never patch these things. Not all exploits are created equal. Zero days: sudden, widespread impact; targets trending to lower patch rates. Opportunistic: 99% of exploited vulnerabilities are more than 1 year old (discovery). Software security patches (attempt to) fix vulnerabilities that might be exploited. Talking points: zero days are the height of exploitation, as they target vulnerabilities for which there is little or no awareness and for which there are no patches. Add to that sudden, widespread vulnerabilities when they are disclosed. Recent years have been full of these. Heartbleed anyone? Then think about some of those production systems for various organizations where the fear of loss of availability or just poor patch management has historically led to a ripe platform for exploitation. ColdFusion is a great historical example of this. Often, when an exploit is disclosed, the associated vulnerability is fixed through a patch. But think about the points above and you can see why exploitation thrives in the wild. Also bear in mind that sometimes patches don’t actually fix the vulnerability, and that patches are software as well. In other words, they may introduce additional vulnerabilities of their own. DBIR: 99.9% of attacks used CVEs more than 1 year old.
  12. Exploited in the wild? Patch it now. Can’t patch this system? Limit web/email access to the minimum using policies. Eliminate the old gaps, catch the 0-days. Something about WildFire and/or Traps.
  13. This is your wake-up call for basic training and good process! Assume you’ve done everything right, trained your people and instituted processes to mitigate risk. As we move to new stages of the cyber kill-chain, technology becomes even more critical to preventing advanced attacks.
  14. Phishing, including spear phishing, is by far the most common tactic used because it’s simple and effective. It relies on good information gathered during the recon phase. Users are conditioned to read e-mails and open attachments if they seem relevant to their positions; training them to do otherwise isn’t really feasible. Watering hole attacks are harder to pull off because they require compromising a web server, but that’s really just a 2-stage attack: attack the website owner first (through spear phishing), then take over the web server. If these two primary mechanisms fail, the pragmatic adversary might start getting creative, but typically only if they couldn’t get in using the simpler methods. Note to audience: you can always use direct malware via email and skip the exploitation.
  15. Off-the-shelf tools (common). Advantage: highly capable tools, freely available. Disadvantage: common use means AV may detect them. Complete control over the infected system, easy to use. Many options: PoisonIvy, gh0st RAT, NetWire, Dark Comet, CyberGate, XtremeRAT… Used by all levels of attacker. Custom tools. Disadvantage: larger investment up front. Advantage: very unlikely to be detected by AV. Normally much simpler than OTS RATs; a remote shell is the goal. Often only used as the initial implant to gain a foothold.
  16. Poison Ivy exploit kit
  17. HTTP is most common for custom backdoors: it passes through proxies, blends in, and is unlikely to be blocked. 29/40 named in the APT1 report use HTTP for CnC (“WEBC2”). Dynamic DNS domains: free, harder to correlate. SSL helps evade detection.
  18. Talking points: Now we’ve reached the malware Command and Control (CnC) phase. This slide and the next one describe some visual components that will be used. The first is this conceptual view of a notional enterprise. There is userland, where the standard users perform their work. The data center and infrastructure components house core servers like the domain controllers, IS platforms and data repositories. There is a DMZ, which also might include any other public-facing portals or services extended to remote users. Finally, there is an ingress/egress point (which may be broken out by the above conceptual groupings) that allows access to and from the Internet.
  19. Talking points: Now, let’s put this all together and start looking at some common CnC patterns. Something to keep in mind for the following CnC slides is that a defender ultimately needs to focus on breaking an attacker’s CnC before Actions on Objectives are met. As a convention, objects in red represent malicious activity. So, let’s get started with the first CnC pattern. Once malware lands on a box and is installed, it might execute preset commands, typically of a smash-and-grab variety. These communications normally use common ports and protocols (e.g., HTTP, HTTPS) to increase the likelihood of successful communication. This is network traffic that can be detected and potentially blocked.
  20. Talking points: This slide depicts another common pattern. More interesting malware reaches out for additional malware and/or commands from the attacker. This step is where second-stage malware might be downloaded and run. Once a suitable stage of malware is installed on the victim machine, like a Remote Administration Tool (RAT), it will then attempt to establish a CnC channel. This is the point at which a periodic phone home, typically referred to as a beacon, begins. Beacons are mainly used to obtain the next set of commands from an attacker. Beacons or other initial malware communication can also contain recon information from the compromised target, such as OS configuration, loaded software versions, and logged-on user information. Clever malware also moves beyond simple web requests for CnC and tries to emulate human behavior (e.g., Gmail, Pastebin, Twitter, Facebook) in receiving its attacker commands.
  21. Blocking sub-features, like file sharing or chat. Controlling access to and within SaaS applications.
  22. Goals inside the network: find the target data, access the target data, exfiltrate the data, avoid getting caught. These are completed by an active operator: an individual issuing commands through the malware. Operators have a goal, may follow a script and often make mistakes (typos). This is the longest, most complex phase; it may last days, weeks or months. It consists of many short-term goals, not necessarily linear. It is an often ignored phase of the Attack Lifecycle: “And then the bad guys steal all your data”.
  23. Talking points: This slide focuses on what can happen once target assets are reached. A good rule of thumb for any environment is to operate under the assumption that the adversary is already inside the perimeter. The different kinds of objectives here map to motivations for different adversary types. Most environments will have their own blend of these threats that they must mitigate. Once they are in the network, the malware doesn’t matter. The Pragmatic Adversary won’t create a custom tool to do what a built-in tool already can.
  24. The takeaway here is that security organizations are not innovating fast enough, and attackers are becoming much more sophisticated in their planning, with their tactics continuously evolving as well. This polarization creates a continuously widening vulnerability gap in an organization’s security. And the stakes are even higher when the value of information is increasing. Example: “Stolen medical and healthcare records are the ‘Rolls Royce’ with a black market value of approximately $200 per record as evidenced in hacker forums. As a comparison, credit card records sell for about $1 per record.” The value comes from prescriptions (controlled substances) and access to bank account information. The goal is to reduce threat exposure by strengthening controls.
  25. Traditionally, businesses have focused on “detect and respond.” But this is inadequate: such tools generally provide alerts on threats only and take a “detection-focused” approach, which requires manual intervention or costly Incident Response once a breach occurs. Plus, these legacy solutions are a “patchwork” of point products that not only lack the ability to protect against all threat vectors, but also make it very difficult to coordinate and share intelligence among the various devices. At Palo Alto Networks, we focus strongly on designing for prevention and preparing for remediation. We believe a security strategy must be formed from a philosophical position of “I can prevent attacks” with the correct implementation of best practices across people-process-technology. As such, your architecture must be able to detect and prevent threats at every point across the organization: attacks targeting your mobile workers; attacks targeting your perimeter; attacks moving between employees and devices within your LAN, or from guests or other 3rd-party contractors that might have access to your network; attacks targeting the heart of your virtualized data center; attacks targeting your cloud-based infrastructure, both private and public.
  26. Here’s an example of how a comprehensive security solution can work together to block an advanced cyberattack. Each critical stage within the kill chain is covered, from the initial attempt to breach your perimeter, to delivering malware on the endpoint, then moving laterally through your network until they get to their ultimate target and attempt to exfiltrate data. Each of these steps is met with a multi-layered defense model that: prevents known Delivery mechanisms from functioning (NGFW App-ID & SSL decryption, GlobalProtect, URL Filtering, Threat Prevention, WildFire); prevents known malicious code from Installing (Threat Prevention, WildFire, Traps); prevents known Command & Control channels from communicating (NGFW App-ID, Threat Prevention, URL Filtering, WildFire); prevents known Exfiltration schemes from sending sensitive information out of the enterprise (NGFW App-ID & SSL decryption, Threat Prevention, URL Filtering); and detects unknown threats (WildFire and Traps) and automatically deploys new prevention controls across the platform, and to the global subscriber base, within minutes of discovery, transforming the previously unknown into a known. Many best-of-breed point products can detect, and some can prevent, at key elements in the kill chain, but they rely on the organization to manually integrate them into a seamless architecture.