1. Advanced Persistent Threat
What APT Means To Your Enterprise
Greg Hoglund

2. APT – What is it?
A human being or organization, who operates a campaign of intellectual property theft using cyber-methods
Malware, malware, malware
Basically, the same old problem, but it’s getting far worse and far more important than ever before

3. Wake Up Google cyber attacks a 'wake-up' call
-Director of National Intelligence Dennis Blair

4. Command and Control Server
Anatomy of APT Malware
Survive Reboot
Command and Control Server
C&C Protocol
File Search
Process Injection
Update
Keylogger
USB Stick

5. IP is Leaving The Network Right Now
Everybody in this room who manages an Enterprise with more than 10,000 nodes
They are STEALING right now, as you sit in that chair.

6. The Coming Age
Advanced nations are under constant cyber attack. This is not a future threat, this is now. This has been going on for YEARS.
Cyber Cartels are rapidly going to surpass Drug Cartels in their impact on Global Security
The scope of finance will surpass drug cartels
The extent of the operation internationally

7. Economy
Russian Mafia made more money in online banking fraud last year than the drug cartels made selling cocaine
An entire industry has cropped up to support the theft of digital information with players in all aspects of the marketplace

8. MI5 says the Chinese government “represents one of the most significant espionage threats”

9. Cash is not the only motive
State sponsored (economic power)
Stealing of state secrets (intelligence & advantage)
Stealing of IP (competitive / strategic advantage – longer term)
Infrastructure & SCADA (wartime strike capable)
Info on people (not economic)
i.e., political dissidents

10. Why malware isn’t going away

11. The True Threat Malware is a human issue
Bad guys are targeting your digital information, intellectual property, and personal identity
Malware is only a vehicle for intent
Theft of Intellectual Property
Business Intelligence for Competitive Advantage
Identity Theft for Online Fraud

12. The Scale
Over 100,000 malware are automatically generated and released daily. Signature based solutions are tightly coupled to individual malware samples, thus cannot scale.

13. Not an antivirus problem
Malware isn’t released until it bypasses all the AV products!
Testing against AV is part of the QA process
AV doesn’t address the actual threat – the human who is targeting you
AV has been diminished to a regulatory checkbox – it’s not even managed by the security organization, it’s an IT problem

14. Annealing Value Horizon Hardness of Windows remote RPC
Use of Windows remote RPC overflows

15. Continuous area of attack
Continuum
Value Horizon
Continuous area of attack
Windows remote RPC
GDI Image Bugs
Flash Overflows
IIS Server overflows

16. Technology Lifecycle
Value Horizon
Area of attack

17. Continuous Area of Attack
By the time all the surfaces in a given technology are hardened, the technology is obsolete
Value Horizon
Continuous area of attack
We secured java, but now we have flash
We secure the web, but now we have Second Life
Technology Lifecycle

18. The Global Malware Economy

19. A Global Theatre
There are thousands of actors involved in the theft of information, from technology developers to money launderers
Over the last decade, an underground economy has grown to support espionage and fraud
This “malware ecosystem” supports both Crimeware and e-Espionage

20. Payment system developer
$500+
Implant Vendor
$1,000+
Exploit Pack Vendor
$10,000+ for 0-day
Exploit Developer
$10,000+ for 0-day
Rootkit Developer
Rogueware Developer
Back Office Developer
$1000+
Wizard
Bot Vendor
eGold*
~4% of bank customers
Payment system developer
Country that doesn’t co-op w/ LE
Secondary
atm
Keep 10%
Victims
Small Transfers
A single operator here may recruit 100’s of mules per week
$5,000 incrm.
Drop Man
Account
Buyer
Affiliate Botmaster
ID Thief
Endpoint Exploiters
Keep 50%
$ per 1000 infections
PPI
Forger
Cashier / Mule
Bank Broker
Sells accounts in bulk
Country where account is physically located
$5.00 per
$50
Keep 10% *

21. China
“There are the intelligence-oriented hackers inside the People's Liberation Army”
“There are hacker conferences, hacker training academies and magazines”
“Loosely defined community of computer devotees working independently, but also selling services to corporations and even the military”
When asked whether hackers work for the government, or the military, [he] says "yes."

22. C&C map from Shadowserver, C&C for 24 hour period

23. Crimeware Affiliate Networks
Grown out of older adware business models

24. Pay-per-install.org

25. Earning4u Pays per 1,000 infections*

26. PPI Programs *

27. Custom Crimeware Programming Houses

28. Anatomy of an APT Operation

29. Anatomy of an APT Operation
You must understand that an ongoing operation is underway – this involves one or more primary actors, and potentially many secondary actors

30. Malware Distribution Systems
Large scale systems to deploy malware
Browser component attacks
Precise spear-phising attacks
Contain boobytrapped documents
Backdoored physical media
USB, Camera, CD’s left in parking lot, ‘gifts’

31. Boobytrapped Documents
This is the current trend
Single most effective focused attack today
Human crafts text

32. Social Networking Space
Web-based attack
Social Networking Space
Injected Java-script
Used heavily for large scale infections
Social network targeting is possible

33. Trap Postings I www.somesite.com/somepage.php <script>
Some text to be posted to…
the site ….

34. Trap Postings II www.somesite.com/somepage.php
<IFRAME src=
style=“display:none”></IFRAME>
Some text to be posted to…
the site ….

35. SQL attack, inserts IFRAME or script tags
SQL Injection
SQL attack, inserts IFRAME or script tags

36. ‘Reflected’ injection
Link contains a URL variable w/ embedded script or IFRAME *
User clicks link, thus submitting the variable too
Trusted site, like
.com, .gov, .edu
The site prints the contents of the variable back as regular HTML
*For an archive of examples, see xssed.com

37. A three step infection Exploit Server Redirect Browser Exploit
Injected Java-script
Exploit Server
Redirect
Browser Exploit
Payload Server
Dropper

38. Eleonore (exploit pack)

39. Tornado (exploit pack)

40. Napoleon / Siberia (exploit pack)

41. Rogueware 35 million computers infected every month with rogueware*
Many victims pay for these programs, $50-$70, and stats show bad guys are making upwards of $34 million dollars a month with this scam*
Many are fake anti-virus scanners *

42. Rogueware

43. Payload Server
A machine that has the actual malware dropper ready for download.
The exploit server will redirect the victim to download a binary from this location

44. Command and Control Once installed, the malware phones home… TIMESTAMP
SOURCE COMPUTER USERNAME
VICTIM IP
ADMIN?
OS VERSION
HD SERIAL NUMBER

45. Command and Control Server
The C&C system may vary
Custom protocol (Aurora-like)
Plain Old Url’s
IRC (not so common anymore)
Stealth / embedded in legitimate traffic
Machine identification
Stored infections in a back end SQL database

46. Command and Control
These commands map to a foreign language keyboard.

47. IRC C&C IRC control channel for a DDOS botnet
Most of the C&C has moved to the web.

48. Triad (botnet)

49. ZeuS (botnet)

51. Fragus (botnet)

52. Implants The ‘persistent’ backdoor program
Hide in plain sight strategy
General purpose hacking tool
Stealth capabilities
In-field update capabilities

53. Poison Ivy (implant)

54. CRUM (protector)

55. Intellectual Property Threats

56. Steal Credentials
Outlook Password
Generic stored passwords

57. All the file types that are exfiltrated
Steal Files
All the file types that are exfiltrated

58. Staging Server
A place to store all the stolen goods before it gets ‘exfiltrated’
Data is moved off the network in a variety of ways – ‘Hacking Exposed’ level behavior

59. Drop Site
Sometimes the stolen data is moved to a tertiary system, not the same as the C&C

60. Drop-point is in Reston, VA in the AOL netblock

61. Attribution and Actionable Intelligence
How Digital DNA™ works behind the scenes…

62. Digital DNA™ Automated malware detection
Software classification system
3500 software and malware behavioral traits
Example
Huge number of key logger variants in the wild
About 10 logical ways to build a key logger

63. Ranking Software Modules by Threat Severity Software Behavioral Traits
Digital DNA™
Ranking Software Modules by Threat Severity
0B 8A C2 05 0F F B ED C D
8A C2
Malware shows up as a red alert. Suspicious binaries are orange. For each binary we show its underlying behavioral traits. Examples of traits might be “packed with UPX”, “uses IRC to communicate”, or “uses kernel hooking with may indicate a presence of a rootkit”. The blue bar shows the Digital DNA sequence for the binary iimo.sys.
0F 51
0F 64
Software Behavioral Traits

64. B[00 24 73 ??]k ANDS[>004] C”QueueAPC”{arg0:0A,arg}
What’s in a Trait?
04 0F 51
B[ ??]k ANDS[>004] C”QueueAPC”{arg0:0A,arg}
The rule is a specified like a regular expression, it matches against automatically reverse engineered details and contains boolean logic. These rules are considered intellectual property and not shown to the user.
Unique hash code
Weight / Control flags
The trait, description, and underlying rule are held in a database

65. Scalable Detection The “bad guy” keeps using the same methods
Repeated use of the same exploit methods
Repeated use of same C&C system
Detect the rest of the malware using perimeter security and registry / file scans
Cut off egress & C&C

66. Hunting Cyber Spies and Digital Criminals How HBGary keeps a constant edge…

67. Why fingerprint the developers?
One actor leads to others, and subsequently more malicious technology that can be fingerprinted as well
Relate separate infection events as part of the same operation, and likely the same attackers & intentions of attack
Predict the kinds of attacks that will be launched in the future
The ‘bad guy’ won’t go away, but you will catch him next time

68. Where Digital Fingerprints Occur
Several actors in the underground economy will leave digital fingerprints
Malware system components that have digital fingerprints (different developers for each):
Distribution system
Exploitation capability
Command and Control
Payload (what does it do once its in)

69. The developer != operator
The developer may not have any relation to those who operate the malware
The operation is what’s important
Ideally, we want to form a complete picture of the ‘operation’ – who is running the operation that targets you and what their intent is

70. Same malware compiled in three different ways
DISK FILE
IN MEMORY IMAGE
Same malware compiled in three different ways
OS Loader
MD5 Checksums
all different
Code idioms remains consistent

71. In-memory analysis tends to defeat packers
IN MEMORY IMAGE
Packer #1
Packer #2
Decrypted
Original
OS Loader
In-memory analysis tends to defeat packers
Starting Malware
Packed
Malware
Unpacked portions remains consistent

72. Toolkits and developer signatures can be detected
IN MEMORY IMAGE
OS Loader
Toolkits and developer signatures can be detected
Malware
Tookit
Different
Malware
Authors
Using
Same Toolkit
Toolkit Marks Detected
Packed

73. Country of Origin Country of origin
Is the bot designed for use by certain nationality?
Geolocation of IP is NOT a strong indicator
However, there are notable examples
Is the IP in a network that is very unlikely to have a third-party proxy installed?
For example, it lies within a government installation
C&C map from Shadowserver, C&C for 24 hour period

74. Language
Native language of the software, expected keyboard layout, etc – intended for use by a specific nationality
Be aware some technologies have multiple language support
Language codes in resources

75. Actor: Endpoint Exploiter
Endpoint Exploiters
Actor: Endpoint Exploiter
$ per 1000 infections
The exploiter of the end nodes, sets up the XSS or javascript injections to force redirects
Newcomers can learns various attack methods from their PPI affiliate site (mini-training)
These are generally recruited hackers from forums (social space)
The malware will have an affiliate ID
“somesite.com/something?aflid=23857  look for potential ID’s – this ID’s the individual endpoint exploiter

76. Link Analysis URL artifact Unique Affiliate ID’s Codenamed Botmaster
C&C Fingerprint
Endpoints
Link Analysis

77. Actor: Developers Sell bot systems for four figures
$4,000 - $8,000 with complete C&C and SQL backend
Sell advanced rootkits for low five figures
Possibly integrated into a bot system
Possibly used as a custom extension to a bot, integrated by a botmaster, $10,000 or more easily for this
All of this development is strongly fingerprinted in the malware chain

78. Link Analysis We want to find a connection here C&C Fingerprint
Botmaster
URL artifact
Affiliate ID
Developer
Protocol Fingerprint
Endpoints
Developer
C&C products
Link Analysis

79. Softlinking into the Social Space
Where is it sold, does that location have a social space?
If it has a social space, then this can be targeted
Forum, IRC, instant messaging
Using link-analysis, softlink can be created between the developer of a malware product and anyone else in the social space
Slightly harder link if the two have communicated directly
If someone asks for tech support, indicates they have purchased
If someone queries price, etc, then possibly they have purchased

80. Link Analysis Software Author Software Author Social Space

81. Working back the timeline
Who sells it, when did that capability first emerge?
Requires ongoing monitoring of all open-source intelligence, presence within underground marketplaces
Requires budget for acquisition of emerging malware products

82. Software
Author
Social Space
i.e., Technical Support Query made AFTER version 1.4 Release
Use of timeline to differentiate links
Link Analysis

83. Actor: Vuln Researchers
Paid well into the five figures for a good, reliable exploit
$20,000 or more for a dependable IE exploit on latest version
Injection vector & activation point can be fingerprinted
Method for heap grooming, etc
Delivery vehicle

84. Detect, Diagnose, Respond

85. Threat Intelligence Who is targeting you? What are they after?
Have they succeeded?
How long have they been succeeding?
What have I lost so far?
What can I do to counter their methods?
Are there legal actions I can take?

86. Primary Internal Data Sources
Endpoint physical memory snapshots
There is more evidence in physical memory than any other source
Physical memory is where Digital DNA™ will be calculated
Other sources
Message archives
Netflow data

87. External Evidence Dropsite where IP is being dropped
IP Address, Server Version, Country of Origin
Command and Control Server
Version of C&C, Fingerprint
Designed to survive takedowns
Hot staged failovers likely
Exploit Pack Server
Version of Exploit Pack, Fingerprint

88. Intel Feeds (external)
malwaredomainlist.com
abuse.ch
spamcop.net
team-cymru.org
shadowserver.org

89. HBGary and Verdasys Integration
Responder
Professional
Digital Guardian
Console
Analysis
Reporting
Policies
Actions DG
Server DG
Agents
(Endpoints)
SQL
Results
Livebins
Live Bins
DDNA Extensions
HBGary DDNA

90. Integrated License Management
© 2009 Verdasys All rights reserved

91. DDNA Deployment & Activation
Scheduled or ad hoc endpoint scans
© 2009 Verdasys All rights reserved

92. Detect Malware alert reporting Configure risk reporting thresholds
© 2009 Verdasys All rights reserved

93. Diagnose Extract malware (livebins) from endpoint nodes
Analyze with HBGary Responder Professional
© 2009 Verdasys All rights reserved

94. Respond
Create DG policy rules to contain malware discovered by Digital DNA
Examples
Block host/hijacked applications from running
Limit which apps can act on sensitive data
Block network access to specific URLs/IDs
Prevent read/write to files used by malware

95. Conclusion

96. Take Away
‘Hands off’ IDS and AV security isn’t enough to keep bad guys out
Go ‘beyond the checkbox’
You have to investigate and respond to funded adversaries
Determine their intent, and defend yourself against their methods
DG + DDNA allows detection and rapid response countermeasures

97. HBGary Enterprise Offerings
Digital DNA™ - Malware detection
Without using signatures
Based on malicious behaviors, developer code idioms, and trait patterns
Integrated into Verdasys Digital Guardian
Responder™ – Malware investigation and incident response platform