1. Advanced Persistent Threat
What APT Means To Your Enterprise

2. APT – What is it?
A human being or organization, who operates a campaign of intellectual property theft using cyber-methods
Malware, malware, malware
Basically, the same old problem, but it’s getting far worse and far more important than ever before

3. Wake Up Google cyber attacks a 'wake-up' call
-Director of National Intelligence Dennis Blair

4. Command and Control Server
Anatomy of APT Malware
Survive Reboot
Command and Control Server
C&C Protocol
File Search
Process Injection
Update
Keylogger
USB Stick

5. IP is Leaving The Network Right Now
Everybody in this room who manages an Enterprise with more than 10,000 nodes
YOU ARE ALREADY OWNED
They are STEALING right now, as you sit in that chair.

6. The Coming Age
Advanced nations are under constant cyber attack. This is not a future threat, this is now. This has been going on for YEARS.
Cyber Cartels are rapidly going to surpass Drug Cartels in their impact on Global Security
The scope of finance will surpass drug cartels
The extent of the operation internationally

7. Economy
Russian Mafia made more money in online banking fraud last year than the drug cartels made selling cocaine
An entire industry has cropped up to support the theft of digital information with players in all aspects of the marketplace

8. Espionage

9. MI5 says the Chinese government “represents one of the most significant espionage threats”

10. Why Enterprise Security Products DON’T WORK

11. The True Threat Malware is a human issue
Bad guys are targeting your digital information, intellectual property, and personal identity
Malware is only a vehicle for intent
Theft of Intellectual Property
Business Intelligence for Competitive Advantage
Identity Theft for Online Fraud

12. The Scale
Over 100,000 malware are automatically generated and released daily. Signature based solutions are tightly coupled to individual malware samples, thus cannot scale.

13. Surfaces The attacks today are just as effective as they were in 1999
The bad guys STILL HAVE their zero day, STILL HAVE their vectors, and STILL HAVE their malware

14. Not an antivirus problem
Malware isn’t released until it bypasses all the AV products
Testing against AV is part of the QA process
AV doesn’t address the actual threat – the human who is targeting you
AV has been shown as nearly useless in stopping the threat
AV has been diminished to a regulatory checkbox – it’s not even managed by the security organization, it’s an IT problem

15. Annealing Value Horizon Hardness of Windows remote RPC
Use of Windows remote RPC overflows

16. Cycling Value Horizon Windows remote RPC GDI Image Bugs
Flash Overflows
IIS Server overflows

17. Continuous area of attack
Continuum
Value Horizon
Continuous area of attack
Windows remote RPC
GDI Image Bugs
Flash Overflows
IIS Server overflows

18. Continuous area of attack
Value Horizon
Continuous area of attack
GDI Image Bugs
Flash Overflows
IIS Server overflows
Windows remote RPC
Dominant attack surface areas over time

19. Technology Lifecycle
Value Horizon
Area of attack

20. Continuous area of attack
FASTER
By the time all the surfaces in a given technology are hardened, the technology is obsolete
Value Horizon
Continuous area of attack
We secured java, but now we have flash
We secure the web, but now we have Second Life
Technology Lifecycle

21. The Global Malware Economy

22. A Global Theatre
There are thousands of actors involved in the theft of information, from technology developers to money launderers
Over the last decade, an underground economy has grown to support espionage and fraud
This “malware ecosystem” supports both Crimeware and e-Espionage

23. Payment system developer
$500+
Implant Vendor
$1,000+
Exploit Pack Vendor
$10,000+ for 0-day
Exploit Developer
$10,000+ for 0-day
Rootkit Developer
Rogueware Developer
Back Office Developer
$1000+
Wizard
Bot Vendor
eGold
~4% of bank customers
Payment system developer
Country that doesn’t co-op w/ LE
Secondary
atm
Keep 10%
Victims
Small Transfers
A single operator here may recruit 100’s of mules per week
$5,000 incrm.
Drop Man
Account
Buyer
Affiliate Botmaster
ID Thief
Endpoint Exploiters
Keep 50%
$ per 1000 infections
PPI
Forger
Cashier / Mule
Bank Broker
Sells accounts in bulk
Country where account is physically located
$5.00 per
$50
Keep 10%

24. Cash is not the only motive
State sponsored (economic power)
Stealing of state secrets (intelligence & advantage)
Stealing of IP (competitive / strategic advantage – longer term)
Infrastructure & SCADA (wartime strike capable)
Info on people (not economic)
i.e., Chinese dissidents

25. Big Brother
Opennet.net

26. Crimeware and the State
Using crimeware collected from the underground makes it harder to attribute the attack, since it looks like every other criminal attack
There is no custom code that can be fingerprinted

27. China
“there are the intelligence-oriented hackers inside the People's Liberation Army”
“There are hacker conferences, hacker training academies and magazines”
“loosely defined community of computer devotees working independently, but also selling services to corporations and even the military”
When asked whether hackers work for the government, or the military, [he] says "yes."

29. Crimeware Affiliate Networks
Grown out of older adware business models

30. Pay-per-install.org

31. Earning4u Pays per 1,000 infections*

32. PPI Programs *

33. Custom Crimeware Programming Houses

34. APT Operations

35. Anatomy of an APT Operation
You must understand that an ongoing operation is underway – this involves one or more primary actors, and potentially many secondary actors

36. Example Operation
Bad Guy is using (SE) whalephishing to gain a foothold into a specific physical network
Bad Guy is using SE to track dissidents
TODO add example of outlook guid attack

37. Malware Distribution System
Large scale systems to deploy malware
Browser component attacks
Precise spearphising attacks
Contain boobytrapped documents
Backdoored physical media
USB, Camera, CD’s left in parking lot, ‘gifts’

38. Boobytrapped Documents
This is the current trend
Single most effective focused attack today
Human crafts text

39. Social Networking Space
Web based attack
Social Networking Space
Injected Java-script
Used heavily for large scale infections
Social network targeting is possible

40. A three step infection Exploit Server Redirect Browser Exploit
Injected Java-script
Exploit Server
Redirect
Browser Exploit
Payload Server
Dropper

41. Payload Server
A machine that has the actual malware dropper ready for download.
The exploit server will redirect the victim to download a binary from this location

42. Command and Control Once installed, the malware phones home… TIMESTAMP
SOURCE COMPUTER USERNAME
VICTIM IP
ADMIN?
OS VERSION
HD SERIAL NUMBER

43. Command and Control Server
The C&C system may vary
Custom protocol (Aurora-like)
Plain Old Url’s
IRC (not so common anymore)
Stealth / embedded in legitimate traffic
Machine identification
Stored infections in a back end SQL database

44. Implants The ‘persistent’ backdoor program
Hide in plain sight strategy
General purpose hacking tool
Stealth capabilities
In-field update capabilities

45. Steal Credentials
Outlook Password
Generic stored passwords

46. All the file types that are exfiltrated
Steal Files
All the file types that are exfiltrated

47. Staging Server
A place to store all the stolen goods before it gets ‘exfiltrated’
Data is moved off the network in a variety of ways – ‘Hacking Exposed’ level behavior

48. Drop Site
Sometimes the stolen data is moved to a tertiary system, not the same as the C&C

49. Drop-point is in Reston, VA in the AOL netblock

50. Malware Threat Attribution

51. Threat Intelligence Who is targeting you? What are they after?
Have they succeeded?
How long have they been succeeding?
What have I lost so far?
What can I do to counter their methods?
Are there legal actions I can take?

52. Threat Intelligence (II)
Requires that you combine many small facts into a big picture
More information means better analysis
I refer to specific attackers as “threats” – information regarding a specific attack is called “threat intelligence”

53. Threat Intelligence within Enterprise
Locations where threat intel can be gathered
Endpoint, physical memory snapshot
Multiple endpoints will be involved, need to view them as a group
Endpoint, live-state forensics, ongoing monitoring
Message Archives
Netflow / Packet Archives

54. Threat Intelligence External to Enterprise
Locations where intel can be gathered
Dropsite where IP is being dropped
Command and Control Server
Designed to survive takedowns
Hot staged failovers likely
Exploit Pack Server
Large Traffic Gateways
Possible subscriptions to various intel feeds available
Cooperation likely

55. Attribution Challenges
Lack of gov. intervention
No consequences
Russia is a crime state
China turns a blind eye

56. Attribution Challenges
Lack of global LE cooperation
No sharing of data
ICANN and Registrar slow to respond to takedown requests
A lot of good data is classified and not available for commercial consumption

57. Primary – what is the target?
What is being targeted
IP, identity, logins to google?
File searches for source code? XLS documents?
Who
C-level execs? Developers? Falun Gong?

58. Primary – Who is running the op?
Country of origin
Is the bot designed for use by certain nationality?
Geolocation of IP is NOT a strong indicator
However, there are notable examples
Is the IP in a network that is very unlikely to have a third-party proxy installed?
For example, it lies within a government installation
C&C map from Shadowserver, C&C for 24 hour period

59. C&C servers
C&C servers are not usually designed to proxy route through infected end-nodes
The IP geolocation is more useful in this case
Netblock lookups are a decent starting point
If the C&C leads to a broadband consumer network in the US, this is more likely to be an exploited machine that performs proxy routing – IP geolocation is not useful
It may be possible to get LE or the broadband provider to help ‘trace back’ in this case (multihop will become a problem)

60. Forensic Marks left by Actors
Forensic marks occur at all points where software development occurs
They also occur in less obvious places
All points where binary is translated into new forms (parsed, packed, packaged, etc)
These forensic marks may identify the original developer of the software
Obviously, only certain actors leave marks

61. Fingerprinting Actors within the Theatre

62. Digital Fingerprints
Several actors in the underground economy will leave digital fingerprints
What is represented digitally
Distribution system
Exploitation capability
Command and Control
Payload (what does it do once its in)

63. Same malware compiled in three different ways
DISK FILE
IN MEMORY IMAGE
Same malware compiled in three different ways
OS Loader
MD5 Checksums
all different
Code idioms remains consistent

64. In-memory analysis tends to defeat packers
IN MEMORY IMAGE
Packer #1
Packer #2
Decrypted
Original
OS Loader
In-memory analysis tends to defeat packers
Starting Malware
Packed
Malware
Unpacked portions remains consistent

65. Toolkits and developer signatures can be detected
IN MEMORY IMAGE
OS Loader
Toolkits and developer signatures can be detected
Malware
Tookit
Different
Malware
Authors
Using
Same Toolkit
Toolkit Marks Detected
Packed

66. Language
Native language of the software, expected keyboard layout, etc – intended for use by a specific nationality
Be aware some technologies have multiple language support

67. Actor: Endpoint Exploiter
Endpoint Exploiters
Actor: Endpoint Exploiter
$ per 1000 infections
The exploiter of the end nodes, sets up the XSS or javascript injections to force redirects
Newcomers can learns various attack methods from their PPI affiliate site (mini-training)
These are generally recruited hackers from forums (social space)
The malware will have an affiliate ID
“somesite.com/something?aflid=23857  look for potential ID’s – this ID’s the individual endpoint exploiter

68. Link Analysis URL artifact Unique Affiliate ID’s Codenamed Botmaster
C&C Fingerprint
Endpoints
Link Analysis

69. Actor: Bot Master
Owns the box that accepts inbound infection requests, pays out by ID
Pays for numbers of collected credentials
Collect stolen identities and resell
Accounting system for all successful infections
Pay-per-infection business model
This implies a social space
Configuration settings on server will be reflected in client infections (additional resolution to differentiate multiple actors using the same bot technology)
Version of bot system offers more resolution, and potential indicator of when it was stood up
The Bot Master will have a preference for a particular bot control system – can be softlinked to this actor

70. Actor: Account Buyer Buy stolen creds from the collectors
Use stolen credentials to move money out of victim bank accounts
These guys touch the victim accounts
Source IP of transaction, Use of TOR / HackTOR, Use of botnet to redirect, etc.
This part is audited in your network logs, so …
Multiple attacks by the same person are likely to be cross-referenced
Not a very strong fingerprint

71. Actor: Mules & Cashiers
Accept stolen money into accounts in the native country of the subverted bank and redirect that money back out into foreign accounts
These transactions must stay below trigger levels
$5,000 or less
These actors do not leave forensic marks on the malware chain
Banking records only

72. Actor: Wizards
Move E-Gold into ATM accounts that can be withdrawn in the masters home country
Will take a percentage of the money for himself
This actor does not leave a forensic mark on the malware chain
Banking records typically don’t even work here, as the transaction has already been processed thru e-Gold

73. Actor: Developers Sell bot systems for four figures
$4,000 - $8,000 with complete C&C and SQL backend
Sell advanced rootkits for low five figures
Possibly integrated into a bot system
Possibly used as a custom extension to a bot, integrated by a botmaster, $10,000 or more easily for this
All of this development is strongly fingerprinted in the malware chain

74. The developer != operator
The developer may not have any relation to those who operate the malware
The operation is what’s important
We need to form a complete picture of the ‘operation’ – who is running the operation that targets you and what their intent is

75. Link Analysis We want to find a connection here C&C Fingerprint
Botmaster
URL artifact
Affiliate ID
Developer
Protocol Fingerprint
Endpoints
Developer
C&C products
Link Analysis

76. Softlinking into the Social Space
Where is it sold, does that location have a social space?
If it has a social space, then this can be targeted
Forum, IRC, instant messaging
Using link-analysis, softlink can be created between the developer of a malware product and anyone else in the social space
Slightly harder link if the two have communicated directly
If someone asks for tech support, indicates they have purchased
If someone queries price, etc, then possibly they have purchased

77. Link Analysis Software Author Software Author Social Space

78. Working back the timeline
Who sells it, when did that capability first emerge?
Requires ongoing monitoring of all open-source intelligence, presence within underground marketplaces
Requires budget for acquisition of emerging malware products

79. Software
Author
Social Space
i.e., Technical Support Query made AFTER version 1.4 Release
Use of timeline to differentiate links
Link Analysis

80. Actor: Vuln Researchers
Paid well into the five figures for a good, reliable exploit
$20,000 or more for a dependable IE exploit on latest version
Injection vector & activation point can be fingerprinted
Method for heap grooming, etc
Delivery vehicle

81. Fingerprinting Malware Distribution Systems

82. Malware Distribution Systems
, Instant Message, and Exploited Web
Boobytrapped documents
Rogueware & trojan downloads
Clientside exploits
Injected javascript
Command and Control server

83. Freed Memory (endpoint)
Freed memory will still contain evidence
Blocks of obfuscated javascript that can be tied to specific exploit packs (redirectors)
Leftover HTML remnants of subverted websites
URL paths to the exploit server itself
These are key to identification
TODO: put a few examples here

84. Spearphishes Email archives may contain boobytrapped documents
These can be detonated with a deep tracer attached (packet sniffer at a minimum, REcon if you’re really hard core, CW sandbox & Norman also options)

85. Detonate & Trace
Getting the exploit to detonate allows you to observe the secondary download step
Malware payload will be sent to you, command and control IP will be established, communication with exploit server and C&C can be sniffed

86. Trap Postings Sql injection (dyno content) asprox worm
Reflected XSS ( … ) xssed.com
Plain XSS: Comments not stripped (javascript)
Renders in HTML, pops in admin creds
(persistent XSS)
Logs in html format

87. Trap Postings I www.somesite.com/somepage.php <script>
Some text to be posted to…
the site ….

88. Trap Postings II www.somesite.com/somepage.php
<IFRAME src=
style=“display:none”></IFRAME>
Some text to be posted to…
the site ….

89. SQL attack, inserts IFRAME or script tags
SQL Injection
SQL attack, inserts IFRAME or script tags

90. ‘Reflected’ injection
Link contains a URL variable w/ embedded script or IFRAME *
User clicks link, thus submitting the variable too
Trusted site, like
.com, .gov, .edu
The site prints the contents of the variable back as regular HTML
*For an archive of examples, see xssed.com

91. Rogueware 35 million computers infected every month with rogueware*
Many victims pay for these programs, $50-$70, and stats show bad guys are making upwards of $34 million dollars a month with this scam*
Many are fake anti-virus scanners *

92. Rogueware

93. Exploit Packs… No skill needed, buy and use auto-exploiter systems
Highly effective
These types of systems are extremely dangerous
Consider that Islamic Terrorists, who until now haven’t had strong technical abilities in cyber, can now just buy an attack kit for $1000

94. Eleonore (exploit pack)

95. Tornado (exploit pack)

96. Napoleon / Siberia (exploit pack)

97. Fingerprinting Command and Control

98. Command and Control
These commands map to a foreign language keyboard.

99. IRC C&C IRC control channel for a DDOS botnet
Most of the C&C has moved to the web.

100. Triad (botnet)

101. ZeuS (botnet)

103. Fragus (botnet)

104. Fingerprinting Malware Implants

105. TODO: be sure to mention server-side polymorphism

106. Staged reinfection server
Machine that gots the APT, in memory, on disk
Infector machine in the same network, memory resident only
Just re-infects the endnode
This machine has no on-disk code

107. Poison Ivy (implant)

108. CRUM (protector)

109. Advanced Persistent Threat

110. Difference between APT and Banking Malware
Banking malware targets stored digital identity and authentication tokens
Bank transaction systems (internal, funds transfers)
A lot of money is leaving the banks
Manipulate trades on the markets
Manipulate the digits on the trading boards

111. Polymer Materials Group
Joe
BIGCHEMICAL, INC.
Fulfillment
Fred
BadGuy
Polymer Materials Group
Sally
Bob
Adam
Waits for Fred to be AFK
NOT COMPLETE

112. Polymer Materials Group
Joe
RBN
Fred
BIGCHEMICAL, INC.
Polymer Materials Group
Sally
Bob
Adam
Priceless $
NOT COMPLETE

113. APT Operational Analysis
These info ops have a fingerprint
Bad guys have a specific way they write code
They have specific targets in mind
Stealing XLS or PDF files
Preference for a particular bot framework
These fingerprints will be specific to an operation

114. APT Operational Analysis
Each individual fingerprint, when viewed alone, may only identify the original developer of the software
When all fingerprints are viewed together, a more complete picture forms about the ‘operation’ – who is running the operation that targets you

115. APT Operational Analysis
Do they pack their software
Do they rename DLL’s to hide in plain site?
Which toolkit do they use
Did they bypass the accounting department and go straight for the developers?
What triggers a malware to wake up?
How was the payload delivered? Spearphish attachment?

116. Conclusions

120. HTML Injection BHO has injected this HTML into the live banking page
This screenshot provided by threatexpert.com

121. Searching Google™ on each of the
symbols clearly indicates they all can
access a remote process.

122. USB STICK

123. SOYSAUCE 2

124. SERVICES

125. PACKING

126. CAC Card Attack

127. REMOTE DESKTOP

128. AUDIO VIDEO BUGGING

129. STAGING SERVER