ADVANCED PERSISTENT THREAT
A.P.T
BALI, 27 APRIL 2017
AHMAD MUAMMAR WK, OSCP, OSCE, EMAPT
•PROFESSIONAL HACKER/PENETRATION TESTER
•DOING OFFENSIVE SECURITY/HACKING SINCE 2002
•FOUNDER OF ECHO.OR.ID & IDSECCONF.ORG
•WEB: HTTP://AMMAR.WEB.ID
•EMAIL: ME@AMMAR.WEB.ID
•TWITTER/MASTODON: @Y3DIPS
AHMAD MUAMMAR WK, OSCP, OSCE, EMAPT
HTTPS://XKCD.COM/302/
COMMON MISCONCEPTIONS
A.P.T
SOME IT ADMINISTRATORS TEND TO THINK THAT TARGETED ATTACKS ARE A ONE-TIME EFFORT —
THAT BEING ABLE TO DETECT AND STOP ONE RUN MEANS THE END OF THE ATTACK ITSELF.
A TARGETED ATTACK IS A ONE-TIME EFFORT
THE DEMAND FOR A COMPLETE AND EFFECTIVE SOLUTION AGAINST TARGETED ATTACKS IS
QUITE HIGH, BUT A SOLUTION SIMPLY CAN NOT EXIST CONSIDERING THE NATURE OF TARGETED
ATTACKS.
THERE IS A ONE-SIZE-FITS-ALL SOLUTION AGAINST TARGETED
ATTACKS
UNFORTUNATELY, THE IMPORTANCE OF CERTAIN DATA MAY BE RELATIVE TO THE INTENTION OF
WHOEVER IS TRYING TO GET HOLD OF IT
YOUR COMPANY IS NOT IMPORTANT ENOUGH TO BE ATTACKED.
HOWEVER, BASED ON ANALYSIS OF TARGETED ATTACKS SEEN IN THE PAST, OLDER VULNERABILITIES
ARE USED MORE FREQUENTLY.
TARGETED ATTACKS ALWAYS INVOLVE ZERO-DAY VULNERABILITIES
ALTHOUGH IT IS A VALID CONCERN, FOCUSING ON MALWARE WILL ONLY SOLVE PART OF THE
PROBLEM.
TARGETED ATTACKS ARE A MALWARE PROBLEM.
LET'S GET TO KNOW MORE
A.P.T
•THE TERM ORIGINALLY WAS DEVELOPED AS A CODE NAME FOR CHINESE-RELATED
INTRUSIONS AGAINST US MILITARY ORGANIZATIONS. IN 2006, THE UNITED STATES
AIR FORCE (USAF) ANALYSTS COINED THE TERM ADVANCED PERSISTENT THREAT
(APT) TO FACILITATE DISCUSSION OF INTRUSION ACTIVITIES WITH THEIR
UNCLEARED CIVILIAN COUNTERPARTS.
•TODAY, THE TERM APT HAS EVOLVED AND DIFFERENT PEOPLE REFER TO IT AS
DIFFERENT THINGS.
•STEALTHY, TARGETED, ADAPTIVE, AND DATA FOCUSED. [1]
ADVANCED PERSISTENT THREAT
ADVANCED: OPERATORS BEHIND THE THREAT HAVE A FULL SPECTRUM OF
INTELLIGENCE-GATHERING TECHNIQUES AT THEIR DISPOSAL.
THEY OFTEN COMBINE MULTIPLE TARGETING METHODS,
TOOLS, AND TECHNIQUES IN ORDER TO REACH AND
COMPROMISE THEIR TARGET AND MAINTAIN ACCESS TO IT.
PERSISTENT: THE ATTACKERS ARE GUIDED BY EXTERNAL ENTITIES. THE
TARGETING IS CONDUCTED THROUGH CONTINUOUS
MONITORING AND INTERACTION IN ORDER TO ACHIEVE THE
DEFINED OBJECTIVES. ONE OF THE OPERATOR'S GOALS IS TO
MAINTAIN LONG-TERM ACCESS TO THE TARGET, IN CONTRAST
TO THREATS THAT ONLY NEED ACCESS TO EXECUTE A SPECIFIC
TASK.
THREAT: APTS ARE A THREAT BECAUSE THEY HAVE BOTH CAPABILITY AND
INTENT. APT ATTACKS ARE EXECUTED BY COORDINATED HUMAN
ACTIONS, RATHER THAN BY MINDLESS AND AUTOMATED PIECES
OF CODE. THE OPERATORS HAVE A SPECIFIC OBJECTIVE AND
ARE SKILLED, MOTIVATED, ORGANIZED AND WELL FUNDED.
THE GOAL, THE STRUCTURE OF THE
ATTACKER, AND THE METHODS
CONVENTIONAL THREAT VS APT
THE TRADITIONAL THREAT WAS ABOUT THE IMMEDIATE NEED, E.G. A WORM WOULD TARGET AN ORGANIZATION, EXTRACT WHAT IT WANTED, AND
LEAVE, WHILE THE ULTIMATE GOAL OF AN APT IS TO MAINTAIN A LONG-TERM BEACHHEAD ON YOUR NETWORK.
THE GOAL
CONVENTIONAL THREAT VS APT
CONVENTIONAL THREAT GOALS:
•DENIAL OF SERVICE
•WEB DEFACEMENT (HTTPS://XKCD.COM/932/)
•RANSOMWARE
•FRAUD
ADVANCED PERSISTENT THREAT GOAL?
ADVANCED PERSISTENT THREAT GOAL
THE TRADITIONAL THREAT IS AN INDIVIDUAL OR A SMALL HACKER CELL, WHILE APT ATTACKERS ARE VERY WELL ORGANIZED, WELL-STRUCTURED
ORGANIZATIONS. THE STEPS OF THE ATTACK ARE BROKEN DOWN INTO A CLEAR DIVISION OF LABOR, AND EACH PERSON ON THE TEAM IS WELL TRAINED IN
THEIR RESPECTIVE SKILL.
THE STRUCTURE OF THE ATTACKER
CONVENTIONAL THREAT VS APT
CONVENTIONAL ATTACKER
HTTP://WWW.BBC.COM/INDONESIA/TRENSOSIAL-39288096
THE TRADITIONAL THREAT IS AN INDIVIDUAL OR A SMALL HACKER CELL
“HUNTING THE SHADOWS: IN DEPTH ANALYSIS OF ESCALATED APT ATTACKS“
HTTPS://WWW.SLIDESHARE.NET/BURGUZBOZO/HUNTING-THE-SHADOWS-IN-DEPTH-ANALYSIS-OF-ESCALATED-APT-ATTACKS
THE APT ATTACKER
APT ATTACKERS ARE VERY WELL ORGANIZED, WELL-STRUCTURED ORGANIZATIONS.
THE METHODS USED BY CONVENTIONAL THREATS ARE MOSTLY SIMPLE, WHILE THE METHODS USED BY APTS ALSO TAKE ADVANTAGE OF ADVANCED TECHNOLOGY.
MOST MALWARE THAT IS USED IS CUSTOMIZED FOR MAXIMUM SUCCESS AGAINST A SPECIFIC CLIENT.
THE METHODS
CONVENTIONAL THREAT VS APT
CUSTOMIZED FOR MAXIMUM SUCCESS AGAINST A SPECIFIC CLIENT
THE METHODS
CONVENTIONAL THREAT VS ADVANCED PERSISTENT THREAT
NOTABLE ATTACKS
A.P.T
NOTABLE APT ATTACKS (TIMELINE)
•2003: TITAN RAIN
•2006: SYKIPOT
•2007: ZEUS
•2009: GHOSTNET
•2009: OPERATION AURORA
•2010: STUXNET
•2011: RSA HACK
•2012: FLAME
TITAN RAIN WAS THE CODE NAME GIVEN BY THE U.S. GOVERNMENT TO A SERIES OF CYBER
ESPIONAGE ATTACKS LAUNCHED IN 2003 ON U.S. DEFENSE CONTRACTORS, INCLUDING THOSE AT
LOCKHEED MARTIN, SANDIA NATIONAL LABORATORIES, REDSTONE ARSENAL AND NASA. THE
ATTACKS WERE CLAIMED TO BE OF CHINESE ORIGIN, ALTHOUGH THE CHINESE GOVERNMENT DENIED
ANY INVOLVEMENT.
TITAN RAIN
SYKIPOT IS MALWARE THAT HAS BEEN USED IN SPEARPHISHING CAMPAIGNS SINCE APPROXIMATELY
2007 AGAINST VICTIMS PRIMARILY IN THE US. SYKIPOT HAS BEEN COLLECTING AND STEALING SECRETS
AND INTELLECTUAL PROPERTY, INCLUDING DESIGN, FINANCIAL, MANUFACTURING AND STRATEGIC
PLANNING INFORMATION.
ONE VARIANT OF SYKIPOT HIJACKS SMART CARDS ON VICTIMS.
SYKIPOT
FIRST DISCOVERED IN 2007, WHEN IT WAS USED TO STEAL INFORMATION FROM THE U.S. DEPARTMENT
OF TRANSPORTATION, ZEUS IS A TROJAN HORSE USED TO STEAL CREDENTIALS USED FOR BANKING
AND CREDIT CARD PAYMENTS OR FOR LOGGING IN TO SOCIAL NETWORKS. ZEUS IS NOT A SPECIFIC
ATTACK FROM A SINGLE SOURCE, BUT A COMPLETE TOOL KIT PROVIDING A WIDE RANGE OF
AUTOMATED AND MANUAL TOOLS USED BY CRIMINALS AS PART OF AN APT ATTACK.
ZEUS
GHOSTNET WAS REPORTED TO HAVE INFILTRATED THE COMPUTERS OF POLITICAL, ECONOMIC AND
MEDIA TARGETS IN MORE THAN 100 COUNTRIES, INCLUDING THE EMBASSIES OF INDIA, SOUTH
KOREA, INDONESIA, ROMANIA, CYPRUS, MALTA, THAILAND, TAIWAN, PORTUGAL, GERMANY,
PAKISTAN AND THE OFFICE OF THE PRIME MINISTER OF LAOS. THE FOREIGN MINISTRIES OF IRAN,
BANGLADESH, LATVIA, INDONESIA, PHILIPPINES, BRUNEI, BARBADOS AND BHUTAN WERE ALSO
TARGETED. COMPUTERS IN THE DALAI LAMA’S TIBETAN EXILE CENTERS IN INDIA, LONDON AND NEW
YORK WERE ALSO COMPROMISED.
GHOSTNET
OPERATION AURORA WAS A SERIES OF CYBER ATTACKS CONDUCTED BY ADVANCED PERSISTENT THREATS
SUCH AS THE ELDERWOOD GROUP BASED IN BEIJING, CHINA, WITH TIES TO THE PEOPLE'S LIBERATION
ARMY. FIRST PUBLICLY DISCLOSED BY GOOGLE ON JANUARY 12, 2010, IN A BLOG POST, THE ATTACKS BEGAN
IN MID-2009 AND CONTINUED THROUGH DECEMBER 2009.
THE ATTACK WAS AIMED AT DOZENS OF OTHER ORGANIZATIONS, OF WHICH ADOBE SYSTEMS,
JUNIPER NETWORKS AND RACKSPACE PUBLICLY CONFIRMED THAT THEY WERE TARGETED.
ACCORDING TO MEDIA REPORTS, GOOGLE, YAHOO, SYMANTEC, NORTHROP GRUMMAN, MORGAN
STANLEY AND DOW CHEMICAL WERE ALSO AMONG THE TARGETS.
OPERATION AURORA
STUXNET, DISCOVERED IN JUNE 2010, WAS THE FIRST PIECE OF MALWARE FOUND IN THE PUBLIC DOMAIN THAT IS
DESIGNED TO SPY ON AND SUBVERT INDUSTRIAL PROCESS SYSTEMS. STUXNET WAS CLAIMED TO HAVE
BEEN CREATED BY THE U.S. AND ISRAEL IN ORDER TO ATTACK IRAN’S NUCLEAR FACILITIES. THE
MALWARE WAS REPORTED TO HAVE CAUSED SUBSTANTIAL DAMAGE TO THE CENTRIFUGES AT THE
NATANZ NUCLEAR ENRICHMENT LABORATORY IN IRAN.
THE WORM SPECIFICALLY TARGETED SIEMENS INDUSTRIAL SOFTWARE AND EQUIPMENT, MAKING
ITSELF INERT IF THE TARGET SOFTWARE WAS NOT FOUND AND CONTAINING SAFEGUARDS TO LIMIT
THE SPREAD OF THE INFECTION. IT WAS THE FIRST PIECE OF MALWARE TO INCLUDE A
PROGRAMMABLE LOGIC CONTROLLER (PLC) ROOTKIT.
STUXNET
ON 17 MARCH 2011, RSA ANNOUNCED THAT THEY HAD BEEN VICTIMS OF "AN EXTREMELY
SOPHISTICATED CYBER ATTACK". CONCERNS WERE RAISED SPECIFICALLY IN REFERENCE TO THE
SECURID SYSTEM.
RSA OFFERED TOKEN REPLACEMENTS OR FREE SECURITY MONITORING SERVICES TO ANY OF ITS
MORE THAN 30,000 SECURID CUSTOMERS, FOLLOWING AN ATTEMPTED CYBER BREACH ON DEFENSE
CUSTOMER LOCKHEED MARTIN THAT APPEARED TO BE RELATED TO THE SECURID INFORMATION
STOLEN FROM RSA.
RSA HACK
FLAME WAS DISCOVERED BY IRAN’S NATIONAL COMPUTER EMERGENCY RESPONSE TEAM IN 2012. IT WAS
USED TO MOUNT SOPHISTICATED CYBER ESPIONAGE ATTACKS ON GOVERNMENTAL MINISTRIES,
EDUCATIONAL INSTITUTIONS AND INDIVIDUALS IN MIDDLE EASTERN COUNTRIES, INFECTING AROUND
1,000 MACHINES IN IRAN, ISRAEL, SUDAN, SYRIA, LEBANON, SAUDI ARABIA AND EGYPT.
THE FLAME MALWARE WAS LARGE AND COMPLEX, DESIGNED TO SPREAD OVER LOCAL NETWORKS OR
VIA USB STICKS. IT COULD RECORD AUDIO, SCREENSHOTS, KEYBOARD ACTIVITY AND NETWORK TRAFFIC,
INCLUDING SKYPE CONVERSATIONS. IT WAS ALSO CAPABLE OF STEALING CONTACT INFORMATION
FROM ANY NEARBY BLUETOOTH-ENABLED DEVICES.
FLAME
LIFECYCLE
A.P.T
APT LIFECYCLE
TARGETED ATTACK, GOV, BANK, PERSON, ?
PREPARATION: DEFINE TARGET
HTTPS://WWW.WHATTODOMEDIA.COM/WP-CONTENT/UPLOADS/2016/01/TARGET-MARKETING.PNG
VERY WELL FUNDED AND ORGANIZED
PREPARATION: FIND AND ORGANIZE ACCOMPLICES
HTTP://KINGOFWALLPAPERS.COM/THE-EXPENDABLES.HTML
NOT ALWAYS USING 0DAY OR ADVANCED/SOPHISTICATED TECHNIQUE, CUSTOMIZED TO FIT THE TARGET
PREPARATION: BUILD OR ACQUIRE A TOOL
HTTPS://CNET1.CBSISTATIC.COM/IMG/VJTJB73BEWOCTBWKYAL7TMERPCI=/FIT-IN/970X0/2015/07/20/D5C13BFE-5F5E-4128-AC6C-0A3A90391E58/SWORDSPARKS.JPG
NOTABLE HACKS AGAINST SECURITY/APT COMPANIES WHOSE TOOLS ARE WIDELY USED, INCLUDING BY APTS (TIMELINE)
•2011: HBGARY FEDERAL
•2014: GAMMA GROUP/FINFISHER
•2015: HACKING TEAM
•2015: KASPERSKY, CYBER ROAM
•2016: EQUATION GROUP/NSA
•2017: CIA/VAULT7
HBGARY FEDERAL FOCUSED ON TECHNOLOGY SECURITY, PROVIDING SERVICES AND TOOLS TO THE US GOVERNMENT. ON
FEBRUARY 5–6, 2011, ANONYMOUS COMPROMISED THE HBGARY WEBSITE AND COPIED TENS OF THOUSANDS OF DOCUMENTS
FROM BOTH HBGARY FEDERAL AND HBGARY, INC.
HBGARY FEDERAL
GAMMA GROUP
GAMMA GROUP IS AN ANGLO-GERMAN TECHNOLOGY COMPANY THAT SELLS SURVEILLANCE SOFTWARE TO
GOVERNMENTS AND POLICE FORCES AROUND THE WORLD. IN 2014, GAMMA GROUP WAS HACKED AND A 40 GB DUMP OF
INFORMATION WAS RELEASED DETAILING GAMMA'S CLIENT LISTS, PRICE LISTS, SOURCE CODE, DETAILS ABOUT THE
EFFECTIVENESS OF FINFISHER MALWARE AND MUCH MORE.
HACKING TEAM
HACKINGTEAM IS A MILAN-BASED INFORMATION TECHNOLOGY COMPANY THAT SELLS OFFENSIVE INTRUSION AND
SURVEILLANCE CAPABILITIES TO GOVERNMENTS, LAW ENFORCEMENT AGENCIES AND CORPORATIONS. ON JULY 5, 2015,
THE TWITTER ACCOUNT OF THE COMPANY WAS COMPROMISED BY AN UNKNOWN INDIVIDUAL WHO PUBLISHED AN
ANNOUNCEMENT OF A DATA BREACH AGAINST HACKINGTEAM'S COMPUTER SYSTEMS.
KASPERSKY
KASPERSKY LAB IS A RUSSIAN MULTINATIONAL CYBERSECURITY AND ANTI-VIRUS PROVIDER HEADQUARTERED IN MOSCOW,
RUSSIA AND OPERATED BY A HOLDING COMPANY IN THE UNITED KINGDOM. IN JUNE 2015, KASPERSKY REPORTED THAT ITS
OWN NETWORK HAD BEEN INFILTRATED BY GOVERNMENT-SPONSORED MALWARE.
“EQUATION GROUP”
THE EQUATION GROUP, CLASSIFIED AS AN ADVANCED PERSISTENT THREAT, IS A HIGHLY SOPHISTICATED THREAT ACTOR
SUSPECTED OF BEING TIED TO THE UNITED STATES NATIONAL SECURITY AGENCY (NSA). IN AUGUST 2016, A HACKING
GROUP CALLING ITSELF "THE SHADOW BROKERS" ANNOUNCED THAT IT HAD STOLEN MALWARE CODE FROM THE EQUATION
GROUP.
CIA/VAULT7
VAULT 7 IS A SERIES OF DOCUMENTS THAT WIKILEAKS BEGAN TO PUBLISH ON 7 MARCH 2017, THAT DETAIL ACTIVITIES AND
CAPABILITIES OF THE UNITED STATES CENTRAL INTELLIGENCE AGENCY TO PERFORM ELECTRONIC SURVEILLANCE AND
CYBER WARFARE.
DEDICATE A MONTH/YEAR TO LEARN ABOUT THEIR TARGET
PREPARATION: RESEARCH TARGET/INFRASTRUCTURE/EMPLOYEE
HTTP://CDN2.HUBSPOT.NET/HUBFS/159642/B4_THE-5-BEST-WAYS-TO-RESEARCH-YOUR-ELEARNING-COURSE-TARGET-AUDIENCE.PNG
THE ATTACK NEEDS TO BE TESTED BEFORE THE INTRUSION PHASE
PREPARATION: TEST FOR DETECTION
HTTP://WWW.OCCUPYFORANIMALS.NET/UPLOADS/7/7/3/5/7735203/2784119.JPG?870
CRAFT AND DEPLOY THE PAYLOAD (MALWARE, EXPLOIT, TOOLKIT)
INTRUSION: DEPLOYMENT
HTTP://RHYTHMTRAFFIC.COM/WP-CONTENT/UPLOADS/2012/10/INSTALLATION.JPG
GAIN A FOOTHOLD IN THE TARGET’S ENVIRONMENT
INTRUSION: INITIAL INTRUSION
HTTPS://4.BP.BLOGSPOT.COM/-JSC9IISSZEM/VYMC4TTMWTI/AAAAAAAAN5S/KNN0ZYJFNKWLKZEQZNSR_FYFIRNLM0DAACLCB/S1600/HACK-ANY-COMPUTER.PNG
NOTIFY THE APT ACTOR THAT THE INITIAL INTRUSION ATTEMPT WAS SUCCESSFUL AND THAT IT IS READY TO
ACCEPT COMMANDS
INTRUSION: OUTBOUND CONNECTION INITIATED
HTTP://0.TQN.COM/D/NP/KIDS-PUZZLES/9781580626873_0128_008.JPG
GAIN ACCESS TO ADDITIONAL SYSTEMS AND AUTHENTICATION MATERIAL THAT WILL ALLOW ACCESS TO FURTHER
SYSTEMS/MAIN TARGET
EXPANSION: EXPAND ACCESS AND OBTAIN CREDENTIALS
HTTP://WWW.FRAUDSCOOP.COM/WP-CONTENT/UPLOADS/2016/09/IDENTITY-THEFT-8-SIMPLE-STEPS-TO-KEEP-YOU-SAFE.JPG
APT ACTORS EMPLOY VARIOUS STRATEGIES TO MAINTAIN ACCESS.
EXPANSION: STRENGTHEN FOOTHOLD
HTTP://WWW.AKTUAL.COM/WP-CONTENT/UPLOADS/2016/04/TOLAK-PABRIK-SEMEN-12-4-2016-223-681X430.JPG
SEARCHING DOCUMENTS AT THE TARGET’S SITE FOR KEYWORDS AND METADATA THAT INDICATE THE
DOCUMENT MAY BE OF INTEREST TO THE ACTORS, AND SENDING IT OUT
EXFILTRATION: EXFILTRATE DATA
HTTP://I.DAILYMAIL.CO.UK/I/PIX/2015/03/17/26B9D3B400000578-2998897-IMAGE-A-116_1426605591270.JPG
AVOIDING DETECTION, REMOVING EVIDENCE OF THE INTRUSION AND WHAT WAS TARGETED AND
ELIMINATING EVIDENCE OF WHO WAS BEHIND THE EVENT
CLEANUP: COVER TRACKS AND REMAIN UNDETECTED
HTTPS://S-MEDIA-CACHE-AK0.PINIMG.COM/564X/98/3E/C9/983EC95273FEBD893BE8F0BC135C18BD.JPG
HTTPS://WWW.TRENDMICRO.COM/VINFO/US/SECURITY/NEWS/CYBER-ATTACKS/TARGETED-ATTACKS-SIX-COMPONENTS
0. PREPARATION
1. DEPLOYMENT
2. INITIAL INTRUSION
3. OUTBOUND CONNECTION INITIATED
4. EXPANSION
5. STRENGTHEN FOOTHOLD
6. EXFILTRATE DATA
•THE BREACH INTO RSA'S NETWORK WAS CARRIED OUT BY
CRACKERS WHO SENT PHISHING EMAILS TO TWO
TARGETED, SMALL GROUPS OF EMPLOYEES OF RSA.
•ATTACHED TO THE EMAIL WAS AN EXCEL FILE CONTAINING
MALWARE.
•WHEN AN RSA EMPLOYEE OPENED THE EXCEL FILE, THE
MALWARE EXPLOITED A VULNERABILITY IN ADOBE FLASH.
•THE EXPLOIT ALLOWED THE HACKERS TO USE THE POISON
IVY REMOTE ADMINISTRATION TOOL TO GAIN CONTROL
OF MACHINES AND ACCESS SERVERS IN RSA'S NETWORK.
RSA HACK CASE
DEMO
APT LIFECYCLE VS HACKING VS COMMODITY THREATS
HTTPS://EN.WIKIPEDIA.ORG/WIKI/ADVANCED_PERSISTENT_THREAT
WHERE'S THE PROBLEM
APT
THE THREAT HAS CHANGED BUT ORGANIZATION’S APPROACH TO
SECURITY HAS NOT CHANGED.
SOME ORGANIZATIONS ARE DOING GOOD THINGS TO HELP
PROTECT THE ENVIRONMENT, BUT THEY ARE NOT DOING THE RIGHT
THINGS THAT WILL STOP ADVANCED ATTACKERS.
HTTPS://XKCD.COM/463/
ORGANIZATIONS THINK MONEY EQUALS SECURITY. JUST BECAUSE AN
ORGANIZATION BUYS A LOT OF PRODUCTS DOES NOT MEAN IT
WILL BE SECURE.
MOST ORGANIZATIONS DO NOT UNDERSTAND HOW THE OFFENSE
OPERATES AND IN MANY CASES ARE NOT FIXING THE RIGHT
PROBLEMS.
HOW TO SURVIVE
A.P.T
•UNDERSTAND RISK
•DISCOVER
•CONTROL
•IMPLEMENT THE CIA (CONFIDENTIALITY, INTEGRITY, AVAILABILITY) CONCEPT
•CLASSIFY
•ENCRYPTION
PROTECT YOUR CRITICAL DATA
•PREVENTION IS IDEAL BUT DETECTION IS A MUST
•INBOUND PREVENTION AND OUTBOUND DETECTION
•PROACTIVE (INSTEAD OF REACTIVE) SECURITY
•OFFENSE MUST GUIDE THE DEFENSE.
PREVENT AND DETECT
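The "outbound detection" point above, together with the "outbound connection initiated" and "exfiltrate data" stages of the lifecycle, is the part of the chain a defender can actually observe on the wire: an implant has to call home, and stolen documents have to leave. The script below is an added example (not from the deck or its author) that runs two simple checks over a constructed proxy log: a periodicity check that flags hosts calling the same destination at near-constant intervals (beacon-like), and a volume check that flags unusually large egress to a single destination. The log format, hostnames, addresses and thresholds are all invented for this example.

```python
"""Outbound-detection sketch: flag beacon-like periodic callbacks and large
egress volumes in proxy logs.  Added example, not code from the original deck.

Log format (constructed for this example, not any real product's format):
    <unix_ts> <src_ip> <dst_host> <bytes_out>
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log.  10.0.0.5 contacts one external host roughly every
# 60 s with tiny uploads (beacon-like); 10.0.0.7 pushes 160 MiB to a sharing
# host in three big uploads (exfil-like); 10.0.0.9 browses normally.
SAMPLE_LOG = """\
1700000000 10.0.0.5 update-check.example.net 412
1700000059 10.0.0.5 update-check.example.net 420
1700000121 10.0.0.5 update-check.example.net 415
1700000180 10.0.0.5 update-check.example.net 418
1700000241 10.0.0.5 update-check.example.net 411
1700000300 10.0.0.5 update-check.example.net 417
1700000010 10.0.0.7 share.example.org 52428800
1700000900 10.0.0.7 share.example.org 73400320
1700001500 10.0.0.7 share.example.org 41943040
1700000005 10.0.0.9 news.example.com 980
1700000007 10.0.0.9 news.example.com 1210
1700000150 10.0.0.9 cdn.example.com 15000
1700000900 10.0.0.9 mail.example.com 3200
1700003000 10.0.0.9 news.example.com 1005
1700004400 10.0.0.9 news.example.com 990
1700004405 10.0.0.9 cdn.example.com 14200
"""


def parse_log(text):
    """Group log lines into {(src, dst): [(ts, bytes_out), ...]}, time-sorted."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows[(src, dst)].append((int(ts), int(nbytes)))
    for key in flows:
        flows[key].sort()
    return flows


def beacon_score(timestamps):
    """Coefficient of variation of the gaps between connections.

    A value near 0 means the connections are evenly spaced (beacon-like).
    Returns None when there are too few connections to judge.
    """
    if len(timestamps) < 4:
        return None
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return pstdev(gaps) / avg


def detect_outbound(text, min_conns=4, max_cv=0.2,
                    egress_bytes=100 * 1024 * 1024):
    """Run both checks per (src, dst) pair; return {(src, dst): [reasons]}.

    Thresholds are illustrative: 4+ connections with gap variation under 20%
    counts as beacon-like, and 100 MiB or more to one destination as large egress.
    """
    findings = defaultdict(list)
    for (src, dst), events in parse_log(text).items():
        stamps = [t for t, _ in events]
        total_out = sum(b for _, b in events)
        cv = beacon_score(stamps)
        if len(stamps) >= min_conns and cv is not None and cv <= max_cv:
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            findings[(src, dst)].append(
                f"beacon-like: {len(stamps)} connections, "
                f"mean gap {mean(gaps):.0f}s, cv {cv:.2f}")
        if total_out >= egress_bytes:
            findings[(src, dst)].append(
                f"large egress: {total_out / (1024 * 1024):.0f} MiB "
                f"across {len(events)} connections")
    return dict(findings)


if __name__ == "__main__":
    for (src, dst), reasons in detect_outbound(SAMPLE_LOG).items():
        for reason in reasons:
            print(f"{src} -> {dst}: {reason}")
```

Both checks are deliberately crude so the idea stays visible: real beacons add jitter, so the interval threshold has to be loosened and paired with other signals (new or rare destinations, user-agent anomalies, connections outside working hours), and legitimate periodic traffic such as software update checks will trip the periodicity rule unless those destinations are allow-listed. The egress rule likewise needs a per-host baseline rather than a fixed byte count. The value of running something like this at all is the deck's point: prevention at the perimeter does not tell you when an implant is already inside, but the implant's outbound traffic does.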
ATTACKERS WERE DISCOVERED DURING A ROUTINE AUDIT
PREVENTION IS IDEAL BUT DETECTION IS A MUST
HTTPS://TWITTER.COM/X0RZ/STATUS/854706307395461121
•INCIDENT RESPONSE IS A NECESSITY, SINCE NOT ALL ATTACKS CAN BE STOPPED.
•ONCE THE INCIDENT HAS BEEN DETERMINED AND FIXED, THE NEXT PHASE IS TO RECOVER/REBUILD THE SYSTEMS AND DATA.
•PUT THE SYSTEMS BACK INTO PRODUCTION.
RESPOND AND RECOVER
THE FUTURE
A.P.T
THE LANDSCAPE HAS CHANGED: CLOUD COMPUTING AND MOBILE
INFRASTRUCTURE
1. “COMMON MISCONCEPTIONS IT ADMINS HAVE ON TARGETED ATTACKS” - HTTP://BLOG.TRENDMICRO.COM/TRENDLABS-SECURITY-INTELLIGENCE/COMMON-MISCONCEPTIONS-IT-ADMINS-HAVE-ON-TARGETED-ATTACKS/
2. SYNGRESS - “ADVANCED PERSISTENT THREAT: UNDERSTANDING THE DANGER AND HOW TO PROTECT YOUR ORGANIZATION” - DR. ERIC COLE
3. “THE MOST FAMOUS ADVANCED PERSISTENT THREATS IN HISTORY” - HTTP://WWW.ITBUSINESSEDGE.COM/SLIDESHOWS/THE-MOST-FAMOUS-ADVANCED-PERSISTENT-THREATS-IN-HISTORY.HTML - ACCESSED APRIL 23, 2017
4. “WIKIPEDIA” - HTTP://WIKIPEDIA.ORG
5. “LIFECYCLE OF AN ADVANCED PERSISTENT THREAT” - HTTP://WWW.REDTEAMUSA.COM/PDF/LIFECYCLE%20OF%20AN%20ADVANCED%20PERSISTENT%20THREAT.PDF
6. MOST OF THE IMAGES - SEARCH VIA HTTP://IMAGES.GOOGLE.COM
REFERENCE
ADVANCED PERSISTENT THREAT
A.P.T
BALI, 27 APRIL 2017
AHMAD MUAMMAR WK, OSCP, OSCE, EMAPT