APT in Corporate America and the Exposure to Foothold Scenarios Nathaniel Puffer Technical Lead, Neohapsis Labs

2 Background Shaping My Views Public Sector consulting across verticals Penetration Testing Forensics Publically available information Peer groups within the penetration testing community

3 Cyber-warfare will be most effective as a way to force Nation-States to look inward, or weaken resolve It is better to rely on footholds than rely on previously unknown exploit code at the critical moment It is preferable to leverage exploit code as close to the time of discovery as possible

4 An Outsiders View of Cyber-War Estonia Online banking was unavailable Disruption of Government Services Cyber Shockwave Table Top Exercise Scenarios involved loss of use for cellular networks, power grid CIA / DoD friendly fire? Forcible removal of a known intelligence asset

5 Compared to Corporate Breaches Heartland Payment Systems Organized group of individuals Largest payment card breach Aurora Focus on Silicon Valley technology firms Loss of Intellectual property

6 Classification Cyberwar Denial of Service (DoS) Estonia 0-Day Exploitation Cyber Shockwave Leverage Known Insecurity CIA/DoD Asset Corporate Breaches Blended use of 0-Day and known Attacks Significant time between initial breach and detection/leverage

7 0-Day Exploits Require investment in time, skill Have a window of effectiveness Changes to the target systems Discovery and exposure by third parties Why Stockpile 0-Day? Metaphorical Arsenal An effective way to win laptops

8 0-Day, Disclosure, and COTS DiscoverWeaponizeStoreExploit

9 But Your Systems Are My Systems Reliance on Commercial Off the Shelf Components (COTS) What if you’re using the same systems? What if the companies that people rely on are using the same systems? Cyber-warfare will be most effective as a way to force Nation-States to look inward, or weaken resolve

10 Competing Motivations Offensive Keep knowledge and weaponized code a secret You maintain short-term capability but leave organizations you depend on exposed Defensive Disclose knowledge to vendors and assist with fixing problems You place an expiration on your capability; requires timing and discretion to not have exposure and public exploit code Attempted Hybrid Disclose issues to vendors, keep weaponized code a secret Core Impact, Immunity Canvas Attempt to keep NDA; manipulate timing Goal to is reach a fixed state

11 Logical Offensive Capability - Foothold Research security issues in systems to find weaknesses Maintain a well organized vendor disclosure program Provide assistance to vendors; Pressure vendors Promote public disclosure Provide hooks into corporate vulnerability management Exploit target systems Maintain presence Ensure survivability after the fix is released

12 Plausible? Heartland Payment Systems Systems were compromised for over a year Initial off the shelf malware was detected ‘Anti-virus’ did its job, Whew! Custom malware was introduced Pop, Pivot, Repeat Detection was due to fraud, by a system specifically designed to catch fraud Additional signs were there

13 Plausible? Aurora Google blows the whistle in January 20 companies targeted, interrelated malware “The major pattern of attacks previously identified as occurring in mid-December 2009 targeting Google appear to originate in July 2009 from mainland China” Detected on egress to command and control, internal behavior Of all the companies impacted, timelines on AV response indicate Google was the first that discovered / disclosed

14 Anecdotal Accounts Verizon Business Presentation at the PCI group meeting in Las Vegas An attacker had built a network diagram more detailed than any owned by the corporation Mandiant Corporate systems in Florida Initial breach of a limited number of systems leads to a realization that thousands of nodes are compromised

15 Defensive Solutions The purpose of corporations, groups we rely on for our way of live, is to make money; not to run the most secure networks Shore up loopholes for Financial Disclosure “Misrouted Funds” Promote additional legal requirements for disclosure Look for macro-correlation and trends Provide financial incentives for Vendors to create secure code Provide regulatory and incentive based “carrot and stick” to maintain secure systems

16 Thank you Questions and Feedback Welcome!