Advanced Persistent Threat What APT Means To Your Enterprise Greg Hoglund

APT – What is it? A human being or organization, who operates a campaign of intellectual property theft using cyber-methods Malware, malware, malware Basically, the same old problem, but it’s getting far worse and far more important than ever before

Wake Up Google cyber attacks a 'wake-up' call -Director of National Intelligence Dennis Blair http://www.csmonitor.com/USA/2010/0204/Google-cyber-attacks-a-wake-up-call-for-US-intel-chief-says

Command and Control Server Anatomy of APT Malware Survive Reboot Command and Control Server C&C Protocol File Search Process Injection Update Keylogger USB Stick

IP is Leaving The Network Right Now Everybody in this room who manages an Enterprise with more than 10,000 nodes They are STEALING right now, as you sit in that chair.

The Coming Age Advanced nations are under constant cyber attack. This is not a future threat, this is now. This has been going on for YEARS. Cyber Cartels are rapidly going to surpass Drug Cartels in their impact on Global Security The scope of finance will surpass drug cartels The extent of the operation internationally

Economy Russian Mafia made more money in online banking fraud last year than the drug cartels made selling cocaine An entire industry has cropped up to support the theft of digital information with players in all aspects of the marketplace

MI5 says the Chinese government “represents one of the most significant espionage threats” http://www.timesonline.co.uk/tol/news/uk/crime/article7009749.ece

Cash is not the only motive State sponsored (economic power) Stealing of state secrets (intelligence & advantage) Stealing of IP (competitive / strategic advantage – longer term) Infrastructure & SCADA (wartime strike capable) Info on people (not economic) i.e., political dissidents

Why malware isn’t going away

The True Threat Malware is a human issue Bad guys are targeting your digital information, intellectual property, and personal identity Malware is only a vehicle for intent Theft of Intellectual Property Business Intelligence for Competitive Advantage Identity Theft for Online Fraud

The Scale Over 100,000 malware are automatically generated and released daily. Signature based solutions are tightly coupled to individual malware samples, thus cannot scale.

Not an antivirus problem Malware isn’t released until it bypasses all the AV products! Testing against AV is part of the QA process AV doesn’t address the actual threat – the human who is targeting you AV has been diminished to a regulatory checkbox – it’s not even managed by the security organization, it’s an IT problem

Annealing Value Horizon Hardness of Windows remote RPC Use of Windows remote RPC overflows

Continuous area of attack Continuum Value Horizon Continuous area of attack Windows remote RPC GDI Image Bugs Flash Overflows IIS Server overflows

Technology Lifecycle Value Horizon Area of attack

Continuous Area of Attack By the time all the surfaces in a given technology are hardened, the technology is obsolete Value Horizon Continuous area of attack We secured java, but now we have flash We secure the web, but now we have Second Life Technology Lifecycle

The Global Malware Economy

A Global Theatre There are thousands of actors involved in the theft of information, from technology developers to money launderers Over the last decade, an underground economy has grown to support espionage and fraud This “malware ecosystem” supports both Crimeware and e-Espionage

Payment system developer $500+ Implant Vendor $1,000+ Exploit Pack Vendor $10,000+ for 0-day Exploit Developer $10,000+ for 0-day Rootkit Developer Rogueware Developer Back Office Developer $1000+ Wizard Bot Vendor eGold* ~4% of bank customers Payment system developer Country that doesn’t co-op w/ LE Secondary atm Keep 10% Victims Small Transfers A single operator here may recruit 100’s of mules per week $5,000 incrm. Drop Man Account Buyer Affiliate Botmaster ID Thief Endpoint Exploiters Keep 50% $100.00 per 1000 infections PPI Forger Cashier / Mule Bank Broker Sells accounts in bulk Country where account is physically located $5.00 per $50 Keep 10% *http://en.wikipedia.org/wiki/E-gold

China “There are the intelligence-oriented hackers inside the People's Liberation Army” “There are hacker conferences, hacker training academies and magazines” “Loosely defined community of computer devotees working independently, but also selling services to corporations and even the military” When asked whether hackers work for the government, or the military, [he] says "yes." http://news.cnet.com/Hacking-for-fun-and-profit-in-Chinas-underworld/2100-1029_3-6250439.html

C&C map from Shadowserver, C&C for 24 hour period

Crimeware Affiliate Networks Grown out of older adware business models

Pay-per-install.org

Earning4u Pays per 1,000 infections * http://www.secureworks.com/research/threats/ppi/

PPI Programs * http://www.secureworks.com/research/threats/ppi/

Custom Crimeware Programming Houses

Anatomy of an APT Operation

Anatomy of an APT Operation You must understand that an ongoing operation is underway – this involves one or more primary actors, and potentially many secondary actors

Malware Distribution Systems Large scale systems to deploy malware Browser component attacks Precise spear-phising attacks Contain boobytrapped documents Backdoored physical media USB, Camera, CD’s left in parking lot, ‘gifts’

Boobytrapped Documents This is the current trend Single most effective focused attack today Human crafts text

Social Networking Space Web-based attack Social Networking Space Injected Java-script Used heavily for large scale infections Social network targeting is possible

Trap Postings I www.somesite.com/somepage.php <script> Some text to be posted to… the site ….

Trap Postings II www.somesite.com/somepage.php <IFRAME src= style=“display:none”></IFRAME> Some text to be posted to… the site ….

SQL attack, inserts IFRAME or script tags SQL Injection www.somesite.com/somepage.php SQL attack, inserts IFRAME or script tags

‘Reflected’ injection Link contains a URL variable w/ embedded script or IFRAME * User clicks link, thus submitting the variable too Trusted site, like .com, .gov, .edu The site prints the contents of the variable back as regular HTML *For an archive of examples, see xssed.com

A three step infection Exploit Server Redirect Browser Exploit Injected Java-script Exploit Server Redirect 1010101010 Browser Exploit Payload Server Dropper

Eleonore (exploit pack)

Tornado (exploit pack)

Napoleon / Siberia (exploit pack)

Rogueware 35 million computers infected every month with rogueware* Many victims pay for these programs, $50-$70, and stats show bad guys are making upwards of $34 million dollars a month with this scam* Many are fake anti-virus scanners *http://www.pandasecurity.com/img/enc/The%20Business%20of%20Rogueware.pdf

Rogueware

Payload Server A machine that has the actual malware dropper ready for download. The exploit server will redirect the victim to download a binary from this location

Command and Control Once installed, the malware phones home… TIMESTAMP SOURCE COMPUTER USERNAME VICTIM IP ADMIN? OS VERSION HD SERIAL NUMBER

Command and Control Server The C&C system may vary Custom protocol (Aurora-like) Plain Old Url’s IRC (not so common anymore) Stealth / embedded in legitimate traffic Machine identification Stored infections in a back end SQL database

Command and Control These commands map to a foreign language keyboard.

IRC C&C IRC control channel for a DDOS botnet Most of the C&C has moved to the web.

Triad (botnet)

ZeuS (botnet)

Fragus (botnet)

Implants The ‘persistent’ backdoor program Hide in plain sight strategy General purpose hacking tool Stealth capabilities In-field update capabilities

Poison Ivy (implant)

CRUM (protector)

Intellectual Property Threats

Steal Credentials Outlook Email Password Generic stored passwords

All the file types that are exfiltrated Steal Files All the file types that are exfiltrated

Staging Server A place to store all the stolen goods before it gets ‘exfiltrated’ Data is moved off the network in a variety of ways – ‘Hacking Exposed’ level behavior

Drop Site Sometimes the stolen data is moved to a tertiary system, not the same as the C&C

Drop-point is in Reston, VA in the AOL netblock

Attribution and Actionable Intelligence How Digital DNA™ works behind the scenes…

Digital DNA™ Automated malware detection Software classification system 3500 software and malware behavioral traits Example Huge number of key logger variants in the wild About 10 logical ways to build a key logger

Ranking Software Modules by Threat Severity Software Behavioral Traits Digital DNA™ Ranking Software Modules by Threat Severity 0B 8A C2 05 0F 51 03 0F 64 27 27 7B ED 06 19 42 00 C2 02 21 3D 00 63 02 21 8A C2 Malware shows up as a red alert. Suspicious binaries are orange. For each binary we show its underlying behavioral traits. Examples of traits might be “packed with UPX”, “uses IRC to communicate”, or “uses kernel hooking with may indicate a presence of a rootkit”. The blue bar shows the Digital DNA sequence for the binary iimo.sys. 0F 51 0F 64 Software Behavioral Traits

B[00 24 73 ??]k ANDS[>004] C”QueueAPC”{arg0:0A,arg} What’s in a Trait? 04 0F 51 B[00 24 73 ??]k ANDS[>004] C”QueueAPC”{arg0:0A,arg} The rule is a specified like a regular expression, it matches against automatically reverse engineered details and contains boolean logic. These rules are considered intellectual property and not shown to the user. Unique hash code Weight / Control flags The trait, description, and underlying rule are held in a database

Scalable Detection The “bad guy” keeps using the same methods Repeated use of the same exploit methods Repeated use of same C&C system Detect the rest of the malware using perimeter security and registry / file scans Cut off egress & C&C

Hunting Cyber Spies and Digital Criminals How HBGary keeps a constant edge…

Why fingerprint the developers? One actor leads to others, and subsequently more malicious technology that can be fingerprinted as well Relate separate infection events as part of the same operation, and likely the same attackers & intentions of attack Predict the kinds of attacks that will be launched in the future The ‘bad guy’ won’t go away, but you will catch him next time

Where Digital Fingerprints Occur Several actors in the underground economy will leave digital fingerprints Malware system components that have digital fingerprints (different developers for each): Distribution system Exploitation capability Command and Control Payload (what does it do once its in)

The developer != operator The developer may not have any relation to those who operate the malware The operation is what’s important Ideally, we want to form a complete picture of the ‘operation’ – who is running the operation that targets you and what their intent is

Same malware compiled in three different ways DISK FILE IN MEMORY IMAGE Same malware compiled in three different ways OS Loader MD5 Checksums all different Code idioms remains consistent

In-memory analysis tends to defeat packers IN MEMORY IMAGE Packer #1 Packer #2 Decrypted Original OS Loader In-memory analysis tends to defeat packers Starting Malware Packed Malware Unpacked portions remains consistent

Toolkits and developer signatures can be detected IN MEMORY IMAGE OS Loader Toolkits and developer signatures can be detected Malware Tookit Different Malware Authors Using Same Toolkit Toolkit Marks Detected Packed

Country of Origin Country of origin Is the bot designed for use by certain nationality? Geolocation of IP is NOT a strong indicator However, there are notable examples Is the IP in a network that is very unlikely to have a third-party proxy installed? For example, it lies within a government installation C&C map from Shadowserver, C&C for 24 hour period

Language Native language of the software, expected keyboard layout, etc – intended for use by a specific nationality Be aware some technologies have multiple language support Language codes in resources

Actor: Endpoint Exploiter Endpoint Exploiters Actor: Endpoint Exploiter $100.00 per 1000 infections The exploiter of the end nodes, sets up the XSS or javascript injections to force redirects Newcomers can learns various attack methods from their PPI affiliate site (mini-training) These are generally recruited hackers from forums (social space) The malware will have an affiliate ID “somesite.com/something?aflid=23857  look for potential ID’s – this ID’s the individual endpoint exploiter

Link Analysis URL artifact Unique Affiliate ID’s Codenamed Botmaster C&C Fingerprint Endpoints Link Analysis

Actor: Developers Sell bot systems for four figures $4,000 - $8,000 with complete C&C and SQL backend Sell advanced rootkits for low five figures Possibly integrated into a bot system Possibly used as a custom extension to a bot, integrated by a botmaster, $10,000 or more easily for this All of this development is strongly fingerprinted in the malware chain

Link Analysis We want to find a connection here C&C Fingerprint Botmaster URL artifact Affiliate ID Developer Protocol Fingerprint Endpoints Developer C&C products Link Analysis

Softlinking into the Social Space Where is it sold, does that location have a social space? If it has a social space, then this can be targeted Forum, IRC, instant messaging Using link-analysis, softlink can be created between the developer of a malware product and anyone else in the social space Slightly harder link if the two have communicated directly If someone asks for tech support, indicates they have purchased If someone queries price, etc, then possibly they have purchased

Link Analysis Software Author Software Author Social Space

Working back the timeline Who sells it, when did that capability first emerge? Requires ongoing monitoring of all open-source intelligence, presence within underground marketplaces Requires budget for acquisition of emerging malware products

Software Author Social Space i.e., Technical Support Query made AFTER version 1.4 Release Use of timeline to differentiate links Link Analysis

Actor: Vuln Researchers Paid well into the five figures for a good, reliable exploit $20,000 or more for a dependable IE exploit on latest version Injection vector & activation point can be fingerprinted Method for heap grooming, etc Delivery vehicle

Detect, Diagnose, Respond

Threat Intelligence Who is targeting you? What are they after? Have they succeeded? How long have they been succeeding? What have I lost so far? What can I do to counter their methods? Are there legal actions I can take?

Primary Internal Data Sources Endpoint physical memory snapshots There is more evidence in physical memory than any other source Physical memory is where Digital DNA™ will be calculated Other sources Message archives Netflow data

External Evidence Dropsite where IP is being dropped IP Address, Server Version, Country of Origin Command and Control Server Version of C&C, Fingerprint Designed to survive takedowns Hot staged failovers likely Exploit Pack Server Version of Exploit Pack, Fingerprint

Intel Feeds (external) malwaredomainlist.com abuse.ch spamcop.net team-cymru.org shadowserver.org

HBGary and Verdasys Integration Responder Professional Digital Guardian Console Analysis Reporting Policies Actions DG Server DG Agents (Endpoints) SQL Results Livebins Live Bins DDNA Extensions HBGary DDNA

Integrated License Management © 2009 Verdasys All rights reserved

DDNA Deployment & Activation Scheduled or ad hoc endpoint scans © 2009 Verdasys All rights reserved

Detect Malware alert reporting Configure risk reporting thresholds © 2009 Verdasys All rights reserved

Diagnose Extract malware (livebins) from endpoint nodes Analyze with HBGary Responder Professional © 2009 Verdasys All rights reserved

Respond Create DG policy rules to contain malware discovered by Digital DNA Examples Block host/hijacked applications from running Limit which apps can act on sensitive data Block network access to specific URLs/IDs Prevent read/write to files used by malware

Conclusion

Take Away ‘Hands off’ IDS and AV security isn’t enough to keep bad guys out Go ‘beyond the checkbox’ You have to investigate and respond to funded adversaries Determine their intent, and defend yourself against their methods DG + DDNA allows detection and rapid response countermeasures

HBGary Enterprise Offerings www.hbgary.com Digital DNA™ - Malware detection Without using signatures Based on malicious behaviors, developer code idioms, and trait patterns Integrated into Verdasys Digital Guardian Responder™ – Malware investigation and incident response platform