Published by Jeffry Black. Modified over 9 years ago.
1
Advanced Targeted Malware or Advanced Persistent Threat without the marketing BS
2
APT in this presentation
The original meaning, when the US Navy coined the phrase
Before it started being used by every IT Security vendor, anti-malware vendor, and everyone with “Cyber” in their marketing portfolio
3
Agenda
What APT is – its background/history
Detection and elimination
The people and what they attack
The on-going fight
Reminder checklist
Some difficult truths
Questions
4
APT
Targeted malware with the intent to
  – Enter your estate
  – Stay in your estate
  – Obtain your data: commercial advantage, technology leapfrog, etc.
5
APT is a new threat
Wrong
  – Very wrong
Instances of well-developed attacks and associated malware have been seen since before 2006
Some folks have been working on these issues since perhaps as early as 2002
Candidly, if you haven’t seen this stuff you probably are not looking properly.
6
APT family
It isn't
  – A single attack type
  – A single type of malware
  – A single attack group
7
APT Family
It is
  – A range of attack types: spearphishing, generic social-engineered attacks, very well targeted social engineering attacks, targeted drive-by attacks
  – A range of malware types, from relatively simple through to quite sophisticated; perhaps 7 to 9 different levels of complexity; attackers generally use the simplest malware needed
8
APT Activity
Gain a foothold that can obtain command and control instructions
  – Via some quite interesting approaches: “interactive” sessions, instructions by hidden means, e.g. in JPEG images
  – Usually (always?) via other parties: other compromised companies/web-sites, university systems, “mom & pop shops”, compromised systems unlikely to initiate a web connection to …
Knowledge of these “other parties” can often lead to the discovery of new victims … more on that later
9
What a rush!
There is no rush from the attacker's point of view: a marathon, not a sprint
Sleeper malware
  – Long-period beaconing: check in only every few months
A bit more on this later…
10
Elimination
How do you get rid of it after you first detect it?
  – Or after you have had a tip-off that you might have a problem
  – You may get a tip-off from…
11
Whack-a-Mole?
Very dynamic – lots of IT folks doing stuff
But dangerous and not very effective
  – Attackers will notice
  – They will change attack approach
  – They will remain in your estate
12
Structured approach
You will probably need help with some of this. Who you gonna call? Someone competent, capable, trusted.
Much less fun, much harder work, much more effective
  – Detect/locate
  – Prepare/Understand
  – Disconnect
  – Eliminate
  – Protect
  – Future processes
  – Re-connect
  – The new normal
13
Detection
Log file analysis
  – dns, dhcp, vpn, firewall, ids/ips, proxy, AV
Network analysis
  – packet capture and analysis, network sensors
Host capability
  – process maps, memory maps, file structures, registry contents, file contents
One third/one third/one third
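As an added example (not from the slides), Python log-analysis logic run over a constructed proxy log: it picks out the long-period beaconing of slide 9 (rare but regular check-ins) and then uses the identified relay, one of the “other parties” of slide 8, to find further internal hosts that talked to it. All host names, destinations and timestamps are made up.

```python
from collections import defaultdict
from datetime import datetime

# Constructed proxy log, "timestamp internal_host destination" (sample data, not from the slides).
# ws-017 checks in with one external host every ~60 days; ws-042 talks to an updater daily.
PROXY_LOG = """\
2013-01-05T02:14:07 ws-017 cdn.example-news.test
2013-03-06T02:14:09 ws-017 cdn.example-news.test
2013-05-05T02:14:05 ws-017 cdn.example-news.test
2013-07-04T02:14:12 ws-017 cdn.example-news.test
2013-02-11T14:02:55 ws-042 updates.vendor.test
2013-02-12T14:03:01 ws-042 updates.vendor.test
2013-02-13T14:02:58 ws-042 updates.vendor.test
2013-06-20T03:40:00 ws-088 cdn.example-news.test
"""

def parse(log):
    """Turn log lines into (datetime, host, destination) tuples."""
    rows = []
    for line in log.splitlines():
        ts, host, dest = line.split()
        rows.append((datetime.fromisoformat(ts), host, dest))
    return rows

def slow_beacons(rows, min_hits=3, min_gap_days=30, jitter_days=5):
    """Flag (host, destination) pairs contacted rarely but at a steady interval.
    A daily updater fails min_gap_days; a one-off download fails min_hits."""
    seen = defaultdict(list)
    for ts, host, dest in rows:
        seen[(host, dest)].append(ts)
    flagged = []
    for key, times in seen.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [round((b - a).total_seconds() / 86400) for a, b in zip(times, times[1:])]
        if min(gaps) >= min_gap_days and max(gaps) - min(gaps) <= jitter_days:
            flagged.append(key)
    return sorted(flagged)

def pivot_on_dest(rows, dests):
    """Given a confirmed relay ('other party'), list every internal host that reached it."""
    return sorted({host for _, host, dest in rows if dest in dests})

if __name__ == "__main__":
    rows = parse(PROXY_LOG)
    beacons = slow_beacons(rows)
    print("slow beacons:", beacons)
    print("hosts that also reached those relays:", pivot_on_dest(rows, {d for _, d in beacons}))
```

The same pass over real proxy, dns or vpn logs needs months of retained history, since a check-in every few months leaves nothing to correlate in a 30-day window.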
14
Prepare/Understand
Do you know your estate?
  – Network connections
  – Password policies
  – Password and application interactions
Understand how the malware works
  – Command and control
  – How it persists
  – How it moves/how it is moved
15
Structured approach
Detect/locate
Prepare/Understand
Disconnect
Eliminate
Protect
Future processes
Re-connect
New normal
16
New Normal
They will re-attack
They will get in
Your processes have to:
  – Detect
  – Investigate
  – Eliminate
  – Adapt
17
The Human Element
Groups
  – Developers
  – Doers
  – Follow-up
Below the radar
  – Working patterns
  – Comms patterns
Multiple groups?
  – Probably
  – May not always be aware of each other
18
They are only human
Oops!
  – Human script followers: identified keyboard drivers, typos, mistakes, repeated commands, may not be sure of where they are
Sometimes careless/sloppy
  – Compressed archives not fully deleted
19
The Attack Surface
Microsoft / Adobe / Java
  – Because they are the most popular platforms. “I rob banks ‘cause that’s where the money is”
Patching and the role it can play…
20
The products that fix the problem
Unfortunately none
Needs a structured approach to robust monitoring and a number of products to help manage the risk
An approach based on
  – People – at all levels of the organisation
  – Process
  – Technology
In that order of priority
21
The approach that handles the problem
This is about our approach, but others have similar.
SOC – multi-geography, 24*365
Evolution of tools
  – Externally sourced
  – Internally sourced
Evolution of people skills
  – Better understanding of the subject
  – Better analysis skills
22
Tools
Log consolidation and analysis
  – DHCP, dns, proxy, firewall, ids, vpn etc
Network traffic monitoring and analysis
Host data capture
  – To aid in incident identification
  – To aid in incident investigation
23
Tool Effectiveness
Initially
  – 34% / 33% / 33% (log/network/host)
Now
  – 65% / 30% / 5% (log/network/host)
Future?
  – 45%? / 50%? / 5%? (log/network/host)
24
The approach takes time
25
Summary
Bad folks are doing bad stuff very well
They see it as huge commercial benefit
We need to get better at detecting/eliminating/protecting
It can be done, but must be done in a structured and on-going fashion to be effective
It is an evolving threat, so there are no “fit and forget” solutions
26
Remember, you may have to…
Detect/locate
Prepare/Understand
Disconnect
Eliminate
Protect
Future processes
Re-connect
New normal
27
Difficult Truths
Safe harbours will continue to exist
Traditional prevention and detection has failed
Governments cannot prevent intrusions
Data loss is inevitable
Attacks will continue
Companies are often breached for years
28
Additional Reading
http://www.rsa.com/innovation/docs/sbic_rpt_0711.pdf
  – Write-up from RSA on the threat and what can be done to help reduce the risk and the impact.
29
Any Questions?