ECE-6612 Prof. John A. Copeland 404 894-5177 Advanced Persistent Threat Material.

Presentation transcript:

ECE-6612, Prof. John A. Copeland. Advanced Persistent Threat material excerpted from the Mandiant APT1 Report, Feb. 22, 2013.

2/24/2013 Mandiant APT1 Report – 2

APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously.
»» Since 2006, Mandiant has observed APT1 compromise 141 companies spanning 20 major industries.
»» APT1 has a well-defined attack methodology, honed over years and designed to steal large volumes of valuable intellectual property.
»» Once APT1 has established access, they periodically revisit the victim’s network over several months or years and steal broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations’ leadership.
»» APT1 uses some tools and techniques that we have not yet observed being used by other groups, including two utilities designed to steal email: GETMAIL and MAPIGET.
* * *
»» Among other large-scale thefts of intellectual property, we have observed APT1 stealing 6.5 terabytes of compressed data from a single organization over a ten-month time period.
»» In the first month of 2011, APT1 successfully compromised at least 17 new victims operating in 10 different industries.

APT1 maintains an extensive infrastructure of computer systems around the world.
»» APT1 controls thousands of systems in support of their computer intrusion activities.
»» In the last two years we have observed APT1 establish a minimum of 937 Command and Control (C2) servers hosted on 849 distinct IP addresses in 13 countries. The majority of these 849 unique IP addresses were registered to organizations in China (709), followed by the U.S. (109).
»» In the last three years we have observed APT1 use fully qualified domain names (FQDNs) resolving to 988 unique IP addresses.
»» Over a two-year period (January 2011 to January 2013) we confirmed 1,905 instances of APT1 actors logging into their attack infrastructure from 832 different IP addresses with Remote Desktop, a tool that provides a remote user with an interactive graphical interface to a system.
»» In the last several years we have confirmed 2,551 FQDNs attributed to APT1.

Attack lifecycle (the report’s model; the middle phases repeat as the attacker works deeper into the network):
Initial Recon. → Initial Compromise → Establish Foothold → Escalate Privileges → Internal Recon. → Move Laterally → Maintain Presence → Complete Mission (leave back doors)

Initial Reconnaissance: Study the target’s web pages; do Google and Bing searches. Learn the names of employees, particularly executives and engineers. Study them on social networks (YouTube, LinkedIn, Facebook, Twitter, …).

Initial Compromise: Craft spear-phishing messages with Trojan horse attachments, links, JPEGs, …, or take advantage of a fortuitous compromise by a wide-spread exploit.

Establish Foothold: Add rootkits and backdoors.

On some occasions, unsuspecting recipients have replied to the spear-phishing messages, believing they were communicating with their acquaintances. In one case a person replied, “I’m not sure if this is legit, so I didn’t open it.” Within 20 minutes, someone in APT1 responded with a terse reply: “It’s legit.”

FIGURE 20 (from the report): APT1 bundles stolen files into “rar” archives before moving data to China.

After creating files compressed via RAR, the APT1 attackers will transfer files out of the network in ways that are consistent with other APT groups, including using the File Transfer Protocol (FTP) or their existing backdoors. Many times their RAR files are so large that the attacker splits them into chunks before transferring them. Figure 19 of the report shows a RAR command with the option “-v200m”, which means that the RAR file should be split up into 200MB portions.
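The staging pattern above (an archive created with rar, split into fixed-size volumes, then moved out by FTP or a backdoor) is something a defender can look for in process-creation logs and on disk. The script below is an added example written for these notes; it is not code from the Mandiant report or the lecture. The log lines and their field layout (timestamp, host=, user=, cmd="...") are constructed for the example, and the rar switch semantics it relies on are the standard ones: “a” adds to an archive, “-v<size>” splits it into volumes, “-p” sets a password and “-hp” also encrypts the file headers so the archive contents cannot be listed without the password.

```python
"""Flag RAR staging of the kind described above (archive created with volume
splitting and, usually, a password) in process-creation logs, and locate the
split-volume sets left behind in a staging directory.

Added example; the sample events and their field layout are constructed for
this script and are not from the Mandiant report or the lecture."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample events. Layout assumed here: <ts> host=<h> user=<u> cmd="<command line>"
SAMPLE_EVENTS = [
    '2013-02-20T02:14:07Z host=FS01 user=CORP\\svc_backup cmd="C:\\Program Files\\WinRAR\\rar.exe a -r -hpSecret1 -v200m C:\\Windows\\Temp\\x.rar D:\\Engineering\\Blueprints"',
    '2013-02-20T09:30:12Z host=WS17 user=CORP\\jdoe cmd="C:\\Program Files\\WinRAR\\WinRAR.exe x C:\\Users\\jdoe\\Downloads\\photos.rar"',
    '2013-02-20T11:02:55Z host=FS01 user=CORP\\svc_backup cmd="cmd.exe /c ftp -s:C:\\Windows\\Temp\\f.txt"',
    '2013-02-21T01:45:00Z host=DB02 user=CORP\\svc_backup cmd="rar.exe a -v100m -pSecret2 C:\\Windows\\Temp\\q.rar C:\\Finance\\Pricing"',
]

EVENT_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd="(?P<cmd>.*)"$')
VOLUME_RE = re.compile(r'^-v(\d+)([kbmg]?)$', re.IGNORECASE)
# rar's -v<size> suffixes: none = thousands of bytes, k = KiB, b = bytes, m = MiB, g = GiB
UNIT_BYTES = {'': 1000, 'k': 1024, 'b': 1, 'm': 1024 ** 2, 'g': 1024 ** 3}
# New-style "name.partNN.rar" volumes, or old-style "name.rNN" continuation volumes
SPLIT_VOLUME_RE = re.compile(r'^(?P<base>.+?)\.(?:part\d+\.rar|r\d\d)$', re.IGNORECASE)


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    volume_bytes: Optional[int]          # None when the archive was not split
    reasons: List[str] = field(default_factory=list)


def rar_invocation(cmd: str):
    """Return (command letter, switches) if cmd runs rar.exe/winrar.exe, else None."""
    tokens = cmd.split()
    exe_idx = next((i for i, t in enumerate(tokens) if t.lower().endswith('rar.exe')), None)
    if exe_idx is None:
        return None
    rest = tokens[exe_idx + 1:]
    switches = [t for t in rest if t.startswith('-')]
    command = next((t for t in rest if not t.startswith('-')), '')
    return command.lower(), switches


def analyze_event(line: str) -> Optional[Finding]:
    """Flag archive creation ('a') that splits volumes (-v) or sets a password (-p/-hp)."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    parsed = rar_invocation(m['cmd'])
    if parsed is None or parsed[0] != 'a':      # extract ('x') / list ('l') are not staging
        return None
    reasons, volume_bytes = [], None
    for sw in parsed[1]:
        v = VOLUME_RE.match(sw)
        if v:
            volume_bytes = int(v.group(1)) * UNIT_BYTES[v.group(2).lower()]
            reasons.append(f'split into volumes of {volume_bytes} bytes ({sw})')
        elif sw.lower().startswith('-hp'):
            reasons.append('header encryption (-hp): file names hidden from casual inspection')
        elif sw.lower().startswith('-p'):
            reasons.append('password-protected archive (-p)')
        elif sw.lower() == '-r':
            reasons.append('recursive collection of a directory tree (-r)')
    encrypted = any(s.lower().startswith(('-hp', '-p')) for s in parsed[1])
    if volume_bytes is None and not encrypted:
        return None
    return Finding(m['ts'], m['host'], m['user'], volume_bytes, reasons)


def scan(events) -> List[Finding]:
    return [f for f in (analyze_event(e) for e in events) if f is not None]


def find_split_sets(filenames) -> dict:
    """Group split-volume names by archive base: {base: volumes seen}. A lone .rar is not counted."""
    counts: dict = {}
    for name in filenames:
        m = SPLIT_VOLUME_RE.match(name)
        if m:
            counts[m['base']] = counts.get(m['base'], 0) + 1
    return counts


if __name__ == '__main__':
    for f in scan(SAMPLE_EVENTS):
        print(f'{f.ts} {f.host} {f.user}: ' + '; '.join(f.reasons))
    print(find_split_sets(['x.part01.rar', 'x.part02.rar', 'x.part03.rar', 'q.rar', 'q.r00', 'q.r01']))
```

Run against the constructed events, the two archive-creation commands on the file and database servers are flagged (both split into volumes, one with header encryption, one with a plain password), while the ordinary WinRAR extraction on a workstation and the ftp invocation are not; the ftp line is the kind of follow-on event worth correlating by host and account once a staging finding appears. The on-disk check catches the chunks themselves, which attackers frequently leave behind in temp directories after the transfer.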

Worth Noting

So far the APT has only collected information (commercial, government, military), trying not to leave a trace of its presence. Unlike criminal hacking organizations, there have been no deliberate damages (deletion of data, denial of service, …) or demands for payment.

The APT (and other nation-level organizations) have reconnoitered Internet backbones and utility infrastructure networks, and have put back doors and logic bombs in place. They are apparently developing the capability to do extensive physical damage to the U.S. infrastructure and economy if (or maybe, when) it becomes advantageous to do so.

Ref. “Cyber War: The Next Threat to National Security and What to Do About It,” by Richard A. Clarke and Robert K. Knake (2010).