© Copyright 2011 EMC Corporation. All rights reserved.

Page 1

Advanced Persistent Threat

Sachin Deshmanya & Srinivas Matta

Page 2

Agenda

• Defining APT

• Evolution of threat models

• Intention of such threats

• How to gear up for such a threat

Page 3

What is APT

• Advanced
– Sophisticated.
– Targeted.
– With a purpose.

• Persistent
– Continued efforts to achieve the goal.
– Month after month, even years.

• Threat
– Are resourceful, capable.
– Are determined to achieve the goals.

Page 4

Intrusion kill chain

Different stages

• Reconnaissance: Research, identification and selection of targets.

• Weaponization: Coupling a remote access Trojan with an exploit into a deliverable payload.

• Delivery: Transmission of the weapon into the target network.

• Exploitation: Once the weapon is delivered, the intruders' code exploits a vulnerability in an application or the operating system.

• Installation: Installation of the remote access Trojan, which allows backdoor entry.

• Command and Control: The compromised host forms a channel to attacker-controlled servers.

• Actions on objectives: Once the above phases are complete, the intruders take actions to achieve their original goal.

The chain is a series of processes: find, fix, track, target, engage and assess. That is, find the targets for engagement, fix their location, track them and keep an eye on them, target them with a suitable weapon, engage, and assess the effects. It is called a chain because any interruption breaks the entire process.

Page 5

Differentiator: evolution of threats

Traditional Virus/Malware vs. APT

• Targets
– Traditional: Target random networks/hosts.
– APT: Target specific networks/hosts.

• Detection
– Traditional: Probability of getting detected by AV is high, as their signatures get detected.
– APT: A combination of malware is used, so signatures go undetected.

• Visibility
– Traditional: The effects become visible over a period of time, as large numbers of networks/hosts get infected.
– APT: The idea is to lay low over a significant period of time.

• Entry
– Traditional: A good firewall or intrusion detection system can prevent entry by signature checking.
– APT: The carrier is mostly content, which uses well-known ports (80, 443 etc.) and known protocols (HTTP, HTTPS etc.).

Page 6

Different techniques used in an APT

• Spear phishing emails

• Social engineering emails

Page 7

Different techniques used in an APT

• Zero Day exploits

Page 8

Am I an APT victim? How to gear up?

• How to figure out you are a victim of an APT attack?

• What to look out for?

• May go unnoticed by a single AV/IDS.

• Analyzing network packets across layers is a good way to start.

• Log analysis from various sources, with correlation, should help.

• Monitoring end points for suspicious behavior.

• Good asset management should be in place; guard critical systems.

• Monitoring critical assets is very important.

Finding a needle in a haystack.
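The slides say that correlated log analysis from several sources, endpoint monitoring and an asset inventory are the starting point for spotting an intrusion that no single AV or IDS flags. The script below is an added example written for this page, not code from the slides or from EMC/RSA. It correlates constructed log lines from three sources (a mail gateway, an endpoint agent and a web proxy) by host, maps each event to a kill-chain phase from the earlier slide, and reports hosts that show activity in several phases. The log formats, field names, the recipient-to-host asset table, the process lists and the beacon thresholds are all assumptions chosen for the example; the proxy check looks for the regular outbound connections over port 443 that the "Entry" row above describes.

```python
"""Correlate mail, endpoint and proxy logs by host, keyed to kill-chain phases.

Added example for this page; the log lines, field names and thresholds are
constructed for illustration and are not from the slides.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed asset inventory: which mailbox owner sits on which workstation.
# This is the "good asset management" link that lets a mail event be tied to a host.
ASSETS = {"alice@corp.example": "WS-017", "bob@corp.example": "WS-022"}

# Constructed sample log lines. Format: "<ISO timestamp> <source> key=value ...".
MAIL_LOG = [
    "2011-06-01T08:02:10 mailgw recipient=alice@corp.example attachment=invoice.xls verdict=allowed",
    "2011-06-01T08:05:44 mailgw recipient=bob@corp.example attachment=agenda.pdf verdict=allowed",
]
ENDPOINT_LOG = [
    "2011-06-01T08:03:05 edr host=WS-017 parent=EXCEL.EXE child=cmd.exe",
    "2011-06-01T08:03:07 edr host=WS-017 event=new_service name=updsvc",
    "2011-06-01T08:06:00 edr host=WS-022 parent=AcroRd32.exe child=AcroRd32.exe",
]
PROXY_LOG = [
    "2011-06-01T08:10:00 proxy host=WS-017 dst=203.0.113.10:443 bytes=512",
    "2011-06-01T08:20:01 proxy host=WS-017 dst=203.0.113.10:443 bytes=498",
    "2011-06-01T08:30:00 proxy host=WS-017 dst=203.0.113.10:443 bytes=520",
    "2011-06-01T08:40:02 proxy host=WS-017 dst=203.0.113.10:443 bytes=505",
    "2011-06-01T08:11:13 proxy host=WS-022 dst=198.51.100.7:443 bytes=20480",
    "2011-06-01T09:47:55 proxy host=WS-022 dst=198.51.100.7:443 bytes=1331",
]
ALL_LOGS = MAIL_LOG + ENDPOINT_LOG + PROXY_LOG

# Assumed process lists: document readers that should not normally spawn a shell.
DOCUMENT_APPS = {"EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE", "AcroRd32.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}


def parse(line):
    """Turn one log line into a dict with ts, source, host and the key=value fields."""
    ts, source, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.fromisoformat(ts)
    ev["source"] = source
    # Mail events carry a recipient, not a host; resolve it through the asset table.
    ev["host"] = ev.get("host") or ASSETS.get(ev.get("recipient"))
    return ev


def phase_of(ev):
    """Map a single event to a kill-chain phase, or None if it means nothing alone."""
    if ev["source"] == "mailgw" and "attachment" in ev:
        return "delivery"
    if ev["source"] == "edr" and ev.get("parent") in DOCUMENT_APPS and ev.get("child") in SHELLS:
        return "exploitation"
    if ev["source"] == "edr" and ev.get("event") == "new_service":
        return "installation"
    return None  # proxy hits are judged as a series in beacon_hosts()


def beacon_hosts(events, min_conns=4, max_jitter=0.1):
    """Return {host: dst} for hosts whose proxy connections to one destination
    recur at near-constant intervals (pstdev/mean of the gaps <= max_jitter)."""
    times_by_pair = defaultdict(list)
    for ev in events:
        if ev["source"] == "proxy":
            times_by_pair[(ev["host"], ev["dst"])].append(ev["ts"])
    hits = {}
    for (host, dst), times in times_by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[host] = dst
    return hits


def correlate(lines, min_phases=3):
    """Return {host: [phases]} for hosts seen in at least min_phases distinct phases."""
    events = [parse(line) for line in lines]
    phases = defaultdict(set)
    for ev in events:
        phase = phase_of(ev)
        if phase and ev["host"]:
            phases[ev["host"]].add(phase)
    for host in beacon_hosts(events):
        phases[host].add("command_and_control")
    return {h: sorted(p) for h, p in phases.items() if len(p) >= min_phases}


if __name__ == "__main__":
    for host, phases in correlate(ALL_LOGS).items():
        print(f"{host}: activity in {len(phases)} kill-chain phases -> {', '.join(phases)}")
```

Each source on its own is noise: an allowed spreadsheet attachment, one odd child process, or some HTTPS traffic would not by itself justify a response. Requiring activity in several phases on the same host is what turns the haystack into a short list, and the asset table is what makes the mail event attributable to a host at all. In practice the thresholds (four connections, ten percent jitter, three phases) need tuning against the environment's normal traffic.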

Page 9

Am I an APT victim? How to gear up?

• What to look out for?

• Multi-layered defense is needed.

• We are moving towards intelligence-driven security systems.

Page 10

RSA Security Analytics

RSA Security Analytics gives security teams the ability to unleash their full potential and stand tall against today's attackers by evolving from a traditional log-centric approach to one with better visibility, analysis, and workflow.