Crack the Code
- 1. 1 | © 2015, Palo Alto Networks. Confidential and Proprietary.
CRACK THE CODE
DEFEATING ADVANCED
ATTACKERS
- 2. Key Perspectives
2 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Who is the Adversary?
Understanding the Cyber Attack Lifecycle
How Attacks Happen
- 3. Challenges and Change Introduce Risks
3 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Reliance on Multiple Layers of Security Vendors
Application Economy
Consumerization of IT
Internet of Things
Social, Mobile, Analytics, CloudOrganizational
RiskRisk
Exposure
Rate of Change/Complexity
Decreasing
Visibility
and Control
- 5. The Advanced Adversary
Majority of adversaries are just doing their job:
• Bosses, families, bills to pay.
• Want to get in, accomplish their task, and get out (un-detected).
• Goal isn’t making your life hard.
=
- 6. The Advanced Adversary
Adversaries have a set of tools
available to accomplish their task
Defenders need a combination of
people, process and technology
Increase the cost for adversaries.
- 7. Cyber Attack Lifecycle
Reconnaissance Weaponization
and Delivery
Exploitation Command-and-Control Actions on
the Objective
Unauthorized Access Unauthorized Use
Installation
7 | ©2014, Palo Alto Networks. Confidential and Proprietary.
There is no predictable path for the
advanced adversary.
- 10. Reconnaissance
Identify the tools used to protect an organization
Content from
corporate websites
Third-party sites to
identify key targets
Common search
techniques
- 12. Exploitation
Why use malware when you
have legitimate credentials?
Users are typically the
path of least resistance.
Exploiting the user
1
- 14. Exploitation
Technology:
If you can’t patch systems, limit access via user-based policy.
Deploy solutions that can prevent exploitation on the endpoint and
network, even those that have not been seen before.
Use systems that learn from new exploits and can stop them in real-
time.
Process:
Keep software patched to reduce the attack surface.
People:
Training to recognize phishing attempts and be
careful with credentials.
- 16. Delivery
Delivering the Exploit or Malware
Attackers with a
specific target
Malicious USB Drives,
Network Exploitation,
etc.
Strategic Web
Compromise for attackers
targeting people with
specific interests
Phishing
Everything Else
Watering Hole
- 17. Phishing & Drive-by Download
User clicks on link to a
malicious website
Targeted malicious
email sent to user Malicious website silently
exploits client-side vulnerability
with Web Attack Toolkit
System infected,
attacker has full
access to steal data
Drive-by
download of
malicious
payload
- 20. Common Tools
20 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Remote Shell
Direct access to the OS
as logged in user Keylogger
Audio Capture
Screen Capture
Webcam Capture
- 22. The Underground Economy
“A tool for creating Botnets on Android […] $4,000”
• Easily purchase
tools.
• Discuss tactics with
other attackers.
Active marketplace
for attacks:
• Remote access
tools.
• Malware.
• Exploits.
• Etc.
- 24. Preventing Delivery and Installation
Technology:
Prevent
malware and
exploits at the
network level
Deploy a solution
that can detect
new exploits and
malware,
dynamically
updated your
protections
across AV, URL
and DNS.
Prevent exploits
that have never
been seen
before on the
endpoint
User-based
policy such as
limiting the
download of
executable files
from the
Internet
Block
commonly
exploited file-
types on your
network
- 25. Command and Control (CnC)
Communicating with infected hosts and providing instructions
http://...
Customized protocols,
with unique encryption
types are used for CnC.
HTTP is most common
for custom backdoors.
RealityMyth
- 26. Command and Control (CnC)
User Land
DMZ
Ingress/Egress
Data Center/Infrastructure
Internet
Adversary Infrastructure
Enterprise and adversary infrastructure
- 30. Actions on the Objective
Goals Inside
the Network
“And Then the
Bad Guys Steal
All Your Data”
These are
Completed by an
Active Operator
- 31. User Land
DMZ
Ingress/Egress
Data Center/Infrastructure
Internet
Adversary Infrastructure
Command and Control (CnC)
CnC ultimately enables the attacker’s endgame, Actions on Objectives
31 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Objective
based
commands
Information
exfiltration
Dump domain
credentials
Steal repository
information
Steal local credentials
Deface or host
malware from site
Steal local
information
- 32. New Strategic Approaches to Security Are Needed
32 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Security Organizations
Are Not Innovating
Fast Enough
Existing controls ineffective
against new threats
Controls not
evolving fast
enough
Attackers Are
Innovating Faster
Sophistication of global attackers
Increasing value of information
Easier targets
Vulnerability Gap
Continues to Widen
Goal: reduce threat exposure by
strengthening controls
- 33. Detect & Prevent Threats at Every Point
33 | ©2014, Palo Alto Networks. Confidential and Proprietary.
At the
Internet Edge
Between
Employees and
Devices within
the LAN
At the
Data Center
Edge and
between VMs
At the
Mobile Device
Cloud
Within Private
and
Public Clouds
Prevent attacks, both known and unknown
Protect all users and applications, in the cloud or virtualized
Integrate network and endpoint security
Analytics that correlate across the cloud
- 34. Preventing Across the Cyber Attack Lifecycle
34 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Reconnaissance Weaponization
and Delivery
Exploitation Command-and-Control Actions on
the Objective
Unauthorized Access Unauthorized Use
Installation
Exfiltrate Data4Lateral Movement3Deliver the Malware2Breach the Perimeter1
Editor's Notes
- SMAC: Social, Mobile, Analytics, Cloud/Virtualization is creating advanced vulnerabilities and complexities to manage
Perfect storm: Apps create the attack horse to ride in on, mobility creates a massive increase in the number of points of entry, and cloud creates the chance to strike once and win a thousand points of access.
Change results in tremendous risk.
Visibility, as well as the controls involved to mitigate risk, must increase within a constantly changing landscape.
Dramatic increase in organized, well-funded organizations bent on causing harm through sophisticated, orchestrated, persistent attacks
Advanced suites of hackware readily available and shared/sold on the internet
Perimeter-based security is ineffective
Endpoint AV is ineffective
Proliferation of security solutions is ineffective and difficult to manage
Detect approach is ineffective
Sandboxes are not created equal
- Talking Points:
Cyber is in front of all of these as a reminder that these motivations are not new, it is just a matter of the medium the attacker is using
Motivations as “hats” an attacker can wear
Some fuzzy areas between motivations; an attacker might wear two or more “hats” for a single attack (opportunistic or other shifting factor)
Although motivations may shift for a single actor, that actor will often employ the same TTPs, tools and other resources in all of their attacks
Concept: Defending against the adversary operating in the aggregate (not just an incident, but a series of events leading to that objective)
- Advanced adversaries aren’t these mythic figures or groups with unlimited resources, crafting every piece in a custom made attack, there are only 3-5 groups like this in the entire world, and they are the .01%. 99.9% of attackers are just like you and me.
Humans are responsible for all of the attacks you experience.
They have bosses, families, bills to pay.
They want to get in, accomplish their task, and get out (un-detected)
Their goal isn’t making your life hard
The media and others may try to convince you differently – but these assumptions are wrong!
- Adversaries have a set of tools available to accomplish their task
Use the right tool for the job, no need to use a bazooka if a lock-pick will open the door.
Functionality can be extended
Exfiltration
Command & Control
Post-Operation
Defenders need a combination of people, process and technology
Having only one of the components invalidates the other. For instance, the greatest security products in the world can’t prevent attacks if they are not configured and monitored correctly. The also cannot stop a user from revealing sensitive information.
Ensure adversaries NEED the bazooka, not the lock-picks or
Don’t be the low-hanging fruit
- Most of us have the means to stop known attacks, but what’s been historically difficult is stopping unknown attacks.
To gain a better understanding of adversaries and the stages that each attack follows, here’s a quick look at the Attack Kill Chain.
The Attack Kill Chain is a sequence of events that an attacker goes through to successfully infiltrate a network and exfiltrate data from it. The good news is that blocking just one step in this chain is all that is needed to protect a company’s network and data from attack.
We’ve borrowed from the pioneering work that Lockheed Martin did when they created the Cyber Kill Chain and here is how we view each stage in the kill chain:
Reconnaissance: Just like burglars and thieves, attackers carefully plan their attacks. They research, identify, and select targets, oftentimes using phishing tactics or extracting public information from an employee’s LinkedIn profile or corporate websites. These criminals also scan for network vulnerabilities and services or applications they can exploit.
Weaponization & Delivery: Next, the attackers determine which methods to use. They may choose to embed intruder code within seemingly innocuous files like a PDF or Word document or email message. Or, for highly-targeted attacks, attackers may craft deliverables to catch specific interests of an individual.
Exploitation: Once attackers gain access “inside” an organization, they can activate attack code on the victim’s host and ultimately take control of the target machine.
Installation: Attackers will seek to establish privileged operations, root kit, escalate privileges, and establish persistence.
Command-and-Control: Attackers establish a command channel back through the Internet to a specific server so they can communicate and pass data back and forth between infected devices and their server.
Actions on the Objective: Attackers may have many different motivations for attack, and it’s not always for profit. Their reasons could be data exfiltration, destruction of critical infrastructure, or to deface web property or create fear/extortion.
- They get in via Hr or finance, for example….
Target Organization Website
PDFs, Powerpoint, XLS, etc
Conference/Event Websites
Attendee Lists, Presentations
Google Foo
filetype:xls inurl:attendees
Social Networks/Job Postings
Identify technologies in Used
This isn’t about “spray-and-pray” attacks
Corp websites: , which may include email addresses, customer lists, partner lists, etc.
- Google Search reveals XLS spreadsheets containing names, titles, e-mail addresses and phone numbers of attendees to a “National Defense Industrial Association” event.
- Job posting for a firewall engineer reveals which products this company is deploying.
LinkedIn Profile for security analyst at a large company reveals which products they are using.
Does this fit in weapon? I’m going to buy a weapon that can defeat these.
- This is your wake-up call for basic training and good process!
Know what the adversary knows on your corporate website and third-party content sources with regular checks
Preform “red-team” exercises to identify possible targets within your organization
Pay special attention the training and access of privileges or highly visibility users
Configure hardware and software not to give away any unnecessary information, like type and version number
Technology can only prevent a few recon techniques, like port scans and host sweeps.
- This phishing page was used in one of the attack’s Trend Micro calls “Operation Pawn Storm”. Phishing using fake Outlook Web Access pages is commonly used against businesses because nearly everyone uses it and the log-in pages look almost the same. This attack was on Academi, a security training organization. The attackers registered a similar domain for this attack.
Phishing (OWA)
Why use malware when you have credentials?
Spam with email link to fake site, exploit kits, etc.
- Old Vulnerabilities
Why use an 0-day when 2012-0158/2010-3333 still open?
0-Days are the Bazooka
Printers – can be used to break into an org. They never patch these things.
Not all exploits are created equal
Zero days
Sudden, widespread impact
Targets trending to lower patch rates
Opportunistic — 99% of exploited vulnerabilities are more than 1 year old (discovery)
Software security patches (attempt to) fix vulnerabilities that might be exploited
Talking points:
Zero days are the height of exploitation, as they target vulnerabilities for which there is little or no awareness and for which there are no patches
Add to that sudden, widespread vulnerabilities when they are disclosed. Recent years have been full of these. Heartbleed anyone?
Then think about some of those production systems for various organizations where the fear of loss of availability or just poor patch management has historically led to a ripe platform for exploitation. ColdFusion is a great historical example of this.
Often, when an exploit is disclosed, the associated vulnerability is fixed through a patch
But think about the points above and you can see why exploitation thrives in the wild
Also bear in mind that sometimes patches don’t actually fix the vulnerability and that patches are software as well. In other words, they may introduce additional vulnerabilities of their own.
DBIR 99.9% of attacks used CVE more than 1 year old
- Exploited in the Wild?
Patch it now
Can’t patch this system?
Limit web/email access to minimum using policies.
Eliminate the old gaps, catch the 0-days.
Something about WildFire and/or Traps.
- This is your wake-up call for basic training and good process!
Assume you’ve done everything right, trained your people and instituted processes to mitigate risk
As we move to new stages of the cyber kill-chain, Technology becomes even more critical to preventing advanced attacks
- Phishing, including spear phishing, is by far the most-common tactic used because it’s simple and effective. It relies on good information gathered during the recon phase. Users are conditioned to read e-mails and open attachments if they seem relevant to their positions, training them to do otherwise isn’t really feasible. Watering Hole attacks are harder to pull off because they require compromising a web server, but that’s really just a 2-stage attack. Attack the website owner first (through spear phishing) then take over the web server. If these two primary mechanisms fail, the pragmatic adversary might start getting creative but typically only if they couldn’t get in using the simpler methods.
Note to audience: You can always use Direct malware via email. Skip the exploitation.
- Off-the-shelf tools Common
Advantage: Highly capable tools, freely available.
Disadvantage: Common use means AV may detect
Complete control over infected system, easy to use.
Many Options
PoisonIvy, gh0st RAT, NetWire, Dark Comet, CyberGate, XtremeRAT…
Used by all levels of attacker.
Custom Tools
Disadvantage: Larger investment up front
Advantage: Very unlikely to be detected by AV
Normally much simpler than OTS RATs, remote shell is the goal.
Often only used as initial implant to gain a foothold.
- Poison Ivy exploit kit
- HTTP is most common for custom backdoors
Passes through proxies, blends in, unlikely to be blocked.
29/40 named in APT1 report use HTTP for CnC (“WEBC2”)
Dynamic DNS Domains
Free, harder to correlate
SSL helps evade detection
- Talking points:
Now we’ve reached the malware Command and Control (CnC) phase
This slide and the next one describe some visual components that will be used
The first is this conceptual view of a notional enterprise
There is userland where the standard users perform their work
The data center and infrastructure components house core servers like the domain controllers, IS platforms and data repositories
There is a DMZ, which also might include any other public facing portals or services extended to remote users
Finally, there is an ingress / egress point (which may be broken out by the above conceptual groupings) that allows access to and from the Internet
- Talking points:
Now, let’s put this all together and start looking at some common CnC patterns
Something to keep in mind for the following CnC slides is that a defender ultimately needs to focus on breaking an attacker’s CnC before Actions on Objectives are met
As a convention, objects in red represent malicious activity
So, let’s get started with the first CnC pattern.
Once malware lands on a box and is installed, it might execute preset commands, typically of a smash-and-grab variety
These communications normally use common ports and protocols (e.g., http, https) to increase the likelihood of successful communication
This is network traffic that can be detected and potentially blocked
- Talking points:
This slide depicts another common pattern
More interesting malware reaches out for additional malware and/or commands from the attacker
This step is where second-stage malware might be downloaded and run
Once a suitable stage of malware is installed on the victim machine, like a Remote Administration Tool (RAT), it will then attempt to establish a CnC channel
This is the point at which a periodic phone home, typically referred to as a beacon, begins
Beacons are mainly used to obtain the next set of commands from an attacker
Beacons or other initial malware communication can also contain recon information from the compromised target, such as OS configuration, loaded software versions, and logged on user information.
Clever malware also moves beyond simple web requests for CnC and tries to emulate human behavior (e.g., Gmail, Pastebin, Twitter, Facebook) in receiving its attacker commands
- Blocking sub-features, like file sharing or chat
Controlling access to and within SaaS applications
- Goals Inside the Network
Find the target data
Access the target data
Exfiltrate the data
Avoid getting caught.
These are completed by an active operator:
An individual issuing commands through the malware
Operators have a goal, may follow a script and often make mistakes (typos)
Longest, most complex phase
May last days, weeks or months
Consists of many short-term goals, not necessarily linear
Often ignored phase of the Attack Lifecycle
“And then the bad guys steal all your data”
- Talking points:
This slide focuses on what can happen once target assets are reached
A good rule of thumb for any environment is to operate under the assumption that the adversary is already inside the perimeter
The different kinds of objectives here map to motivations for different adversary types
Most environment will have their own blend on these threats that they must mitigate
Once they are in the network, the malware doesn’t matter.
The Pragmatic Adversary won’t create a custom tool to do what a built-in tool already can.
- The takeaway here is the security organizations are not innovating fast enough, and attackers are becoming much more sophisticated in their planning, with their tactics continuously evolving as well.
This polarization creates a continuously widening vulnerability gap in an organization’s security.
And the stakes are even higher when the value of information is increasing.
Example: “Stolen medical and healthcare records are the ‘Rolls Royce’ with a black market value of approximately $200 per record as evidenced in hacker forums. As a comparison, credit card records sell for about $1 per record.” – Value from prescription (controlled substances) and access to bank account information.
Goal is to reduce threat exposure by strengthening controls.
- Traditionally, businesses have focused on “detect and respond.” But inadequate - generally provide alerts on threats only and take a “detection-focused” approach, which requires manual intervention or costly Incidence Response once a breach occurs. Plus, these legacy solutions are a “patchwork” of point products that not only lack the ability to protect against all threat vectors, but also make it very difficult to coordinate and share intelligence among the various devices.
At Palo Alto Networks, we focus strongly on designing for prevention, preparing for remediation. We believe a security strategy must be formed from a philosophical position of “I can prevent attacks” with the correct implementation of best practices across people-process-technology.
As such, your architecture must be able to detect and prevent threats at every point across the organization:
Attacks targeting your mobile workers
Attacks targeting your perimeter
Attacks moving between employees and devices within your LAN, or from guests or other 3rd party contractors that might have access to your network
Attacks targeting the heart of your virtualized data center
Attacks targeting your cloud-based infrastructure, both private and public
- Here’s an example of how a comprehensive security solution can work together to block an advanced cyberattack.
Each critical stage within the kill chain is covered - from the initial attempt to breach your perimeter, to delivering malware on the endpoint, then moving laterally through your network until they get to their ultimately target and attempt to exfiltrate data. Each of these steps is met with a multi-layered defense model that
Prevents known Delivery mechanisms from functioning (NGFW App-ID & SSL decryption, GlobalProtect, URL Filtering; Threat Prevention; Wildfire).
Prevents known malicious code from Installing (Threat Prevention, Wildfire, Traps).
Prevents known Command & Control channels from communicating (NGFW App-ID, Threat Prevention, URL Filtering, WildFire).
Prevents known Exfiltration schemes from sending sensitive information out of the enterprise (NGFW App-ID & SSL decryption, Threat Prevention, URL Filtering).
Detects unknown threats (WildFire and Traps) and automatically deploys new prevention controls across the platform, and to the global subscriber base, within minutes of discovery. Transforming the previously unknown into a known.
Many best of breed point products can detect and some can prevent at key elements in the kill chain, but they rely on the organization to manually integrate them into a seamless architecture.