Page 1

Advanced Persistent Threats – Approaches to stopping Advanced Threats

Roman Ackle, 16. Nov. 2015

Page 2

© 2015 NTT Com Security

Contents

No statistics!

No products!

• APT: Malware?

• APT: Architectural Countermeasures

• A more global picture

• Conclusion

16. Nov 2015

Page 3

APT – Advanced Persistent Threats

“An advanced persistent threat (APT) is a set of stealthy and continuous computer hacking processes, often orchestrated by human(s) targeting a specific entity.” (src: Wikipedia)

There is someone behind it with a specific goal!

Page 4

APT – just new malware?

You might think of APT as a piece of malware. Is it?

> No!

> APT might be based on some sophisticated malware, though.

Is it something completely new?

> No

Is its prevention based on completely new technologies, procedures or methods?

> Partially

Page 5

APT – the goal

It’s not only about data extraction…

> Extracting data is one of many possible goals

> Manipulation of information

> Influencing industrial processes

> Changing production data

> … everything that might give some advantage to someone

[Diagram: Internet – Perimeter – Internal Data Network]

Page 6

APT Prevention – as everything, it’s a process!

[Diagram: Predict → Prevent → Detect → Respond cycle]

Predict:

• GAP Analysis

• Community Intelligence

• Vulnerability Management

• Penetration Testing

Prevent:

• System Isolation and Hardening

• Preventive Controls (FWs, Content Filters, IPS, Encryption, etc.)

Detect:

• Detect Incident

• Anomaly/misuse detection

Respond:

• CERT, Incident Management

• Remediation, Forensics and Investigation

• Security Model Change


Page 8

APT Challenge – You really want to do it?

> If you don’t think you’re concerned, don’t start with it

> If you think you are, do it right!

> Don’t do “tick the box” projects

> APT prevention is about strategy, it’s about architecture, it’s about processes, it’s about incident response, and at the same time, it’s about a lot of technical details

Page 9

APT Challenge – Knowledge is power. Do you know…?

> Do you really know in detail the dataflow in your enterprise?

> Do you know the baseline?

> Do you get alerted when somebody is logging in off-hours?

> Do you know all the details of filtering at the perimeter?

> Do you have the logs?

> If you had to verify whether you are currently the victim of an APT, could you? How would you check?

> Do you know how to react in case of an emergency? What is an emergency?

> …
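Two of the questions above (“Do you know the baseline?” and “Do you get alerted when somebody is logging in off-hours?”) are what a detection rule has to encode. The Python script below is an added example, not part of the original slides: it builds a per-user baseline (login hours and source addresses) from a constructed window of sshd log lines and then flags logins in a second window that fall outside business hours and outside that user's baseline, or that come from a source never seen for that user. The log format, the business-hours window and all host, user and address names are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (not from the slides). The first block is a
# "known good" training window used to build the baseline; the second block is
# the window being checked.
BASELINE_LOG = """\
2015-11-09T08:15:02 srv1 sshd[1201]: Accepted publickey for alice from 10.1.2.3 port 51022
2015-11-09T09:02:44 srv1 sshd[1207]: Accepted password for bob from 10.1.2.9 port 51100
2015-11-10T08:20:11 srv1 sshd[1301]: Accepted publickey for alice from 10.1.2.3 port 51030
2015-11-10T17:45:09 srv1 sshd[1310]: Accepted password for bob from 10.1.2.9 port 51140
2015-11-11T08:05:57 srv1 sshd[1402]: Accepted publickey for alice from 10.1.2.3 port 51041
2015-11-12T22:10:33 srv1 sshd[1511]: Accepted publickey for backup from 10.1.5.5 port 40000
2015-11-13T22:12:01 srv1 sshd[1610]: Accepted publickey for backup from 10.1.5.5 port 40001
"""

NEW_LOG = """\
2015-11-15T03:02:51 srv1 sshd[1690]: Accepted publickey for alice from 10.1.2.3 port 51060
2015-11-16T08:18:40 srv1 sshd[1701]: Accepted publickey for alice from 10.1.2.3 port 51050
2015-11-16T10:00:00 srv1 sshd[1710]: Failed password for bob from 10.1.2.9 port 51200
2015-11-16T22:11:15 srv1 sshd[1702]: Accepted publickey for backup from 10.1.5.5 port 40002
2015-11-16T23:41:09 srv1 sshd[1703]: Accepted password for bob from 198.51.100.7 port 60123
"""

# Only successful logins are baselined; failures are a separate signal.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)"
)
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59, Monday to Friday (assumed policy)


def parse_logins(text):
    """Return (timestamp, user, source) for each successful sshd login line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # failed logins and unrelated lines are ignored here
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
        events.append((ts, m.group("user"), m.group("src")))
    return events


def build_baseline(text):
    """Per user: the hours of day and source addresses seen in the training window."""
    baseline = defaultdict(lambda: {"hours": set(), "sources": set()})
    for ts, user, src in parse_logins(text):
        baseline[user]["hours"].add(ts.hour)
        baseline[user]["sources"].add(src)
    return dict(baseline)


def is_off_hours(ts):
    """Weekend, or outside the business-hours window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def detect_anomalies(text, baseline):
    """Alert on logins that are off-hours AND outside the user's own baseline
    hours (so a nightly backup account stays quiet), or from a new source."""
    alerts = []
    for ts, user, src in parse_logins(text):
        profile = baseline.get(user)
        reasons = []
        if profile is None:
            reasons.append("no baseline for user")
        else:
            if is_off_hours(ts) and ts.hour not in profile["hours"]:
                reasons.append("off-hours login outside user's baseline hours")
            if src not in profile["sources"]:
                reasons.append(f"login from source not in baseline: {src}")
        if reasons:
            alerts.append({"ts": ts.isoformat(), "user": user, "src": src, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    for alert in detect_anomalies(NEW_LOG, base):
        print(alert["ts"], alert["user"], alert["src"], "; ".join(alert["reasons"]))
```

On the constructed data the backup account's 22:11 login is off-hours but matches its own baseline and stays silent, while alice's Sunday 03:02 login and bob's 23:41 login from an address never seen for him are both raised; the design point is that a static “after 19:00” rule alone would have produced the backup false positive every night.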

Page 10

APT Prevention – The chain

Attack life cycle

1. Reconnaissance

2. Delivery

3. Exploitation of System

4. Malware Download

5. Callbacks and Control

6. Exfiltration / Action

7. Malware spreads laterally

8. Cover tracks

[Diagram: the eight steps placed across the Internet, Perimeter and Internal Data Network zones – Recon, Delivery, Exploit, Malware download, CC, Exfiltration / Action, Malware spreads laterally, Cover tracks]

Page 11

APT – Ways to get in, ways to get out

The usual suspects:

> In: mail, web, sticks, updates…

> Out: mail, web, tunnels (DNS, SSL, SSH), stego tools…

> Finally: you cannot control human behaviour and human curiosity (fortunately…). There is always someone clicking on a link…

[Diagram: Internet – Perimeter – Internal Data Network, with a question mark at the perimeter]

Page 12

APT Prevention – Break the chain!

The attack vector is significantly reduced…

> … if you break the chain at any point

> … if you have controls at every step an attack could take

> … if the controls are on the same level of sophistication as the attack

[Diagram: Internet – Perimeter – Internal Data Network with the chain Recon, Delivery, Exploit, Malware download, CC, Exfiltration / Action, Malware spreads laterally, Cover tracks]

Page 13

APT Prevention – Reducing the attack vector

Less is more…

> Identify and minimize the dataflows

> Establish baselines

> Identify and get the low-hanging fruits

> Reduce the unknown, block the unknown (the Trusted Internet)

[Diagram: Internet – Perimeter – Internal Data Network]


Page 15

APT Prevention – Architectural Countermeasures

It starts with the policy…

> Implementing a control is not enough; it has to be governed by a policy

> It is not a security engineer's task to decide about the level of protection, because it influences the daily business

> A policy has a very big influence on the daily workload

> A lot of measures are not implemented because they might be too technical for the ISO and are considered too risky for business by engineering

> There’s a big difference between a simple firewall and a firewall with protocol checks (UUID, for example), IPS etc.

> … and remember:

There is someone behind it with a specific goal!

Page 16

APT Prevention – Architectural Countermeasures

Internal zoning

> The zoning concept and the services/data placement decision tree are the base of it all!

> It’s not just about firewalling

> User-based rules

> RPC restriction based on UUID

> Protocol checks

> IPS

> Routing limitation

> …

[Diagram: Internet – Perimeter – Internal Clients – Internal Data and Services]

Page 17

APT Prevention – Architectural Countermeasures

System administration

> No internet access for admins

> No internet access for servers/services

> Privileged account management

[Diagram: Internet (www) – Perimeter – Internal Clients – Internal Data and Services]

Page 18

APT Prevention – Architectural Countermeasures

System administration

> Management zone for system administration

> Pass-the-hash prevention

[Diagram: Internet (www) – Perimeter – Internal Clients – Internal Data and Services – System Administration zone]

Page 19

APT Prevention – Architectural Countermeasures

Internet Communication: DNS

> No Internet DNS resolution for internal systems, as it can be used to set up DNS tunnels

> This can even be seen in environments with a proxy

[Diagram: Internet – Perimeter – Internal Clients – Internal Data and Services, with DNS shown at the perimeter and internally]
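The slide names the architectural control (internal systems never resolve Internet names directly) but not how to verify it or how a tunnel shows up in the data. The Python script below is an added example and not part of the original slides: over a constructed DNS query log it reports internal clients that query a resolver other than the internal one (the path the slide says should not exist), and it profiles each registered domain for the pattern a tunnel leaves behind: many distinct, long, high-entropy leftmost labels. The log format, the resolver addresses, the domain names and the thresholds are all assumptions made for the example; the TEST-NET-3 address 203.0.113.53 simply stands in for “a resolver on the Internet”.

```python
import math
from collections import defaultdict

# Constructed DNS query log, one query per line:
#   <timestamp> <client> <resolver> <query name> <type>
# 10.1.0.53 plays the internal resolver; 203.0.113.53 stands in for a resolver
# on the Internet. Nothing here comes from the slides.
INTERNAL_RESOLVERS = {"10.1.0.53"}

DNS_LOG = """\
2015-11-16T10:00:01 10.1.2.3 10.1.0.53 www.example.com A
2015-11-16T10:00:02 10.1.2.3 10.1.0.53 mail.example.com A
2015-11-16T10:00:03 10.1.2.5 10.1.0.53 cdn.example.com A
2015-11-16T10:00:04 10.1.2.5 10.1.0.53 api.example.com A
2015-11-16T10:00:05 10.1.2.9 10.1.0.53 0123456789abcdeffedcba9876543210.tun.example.net TXT
2015-11-16T10:00:06 10.1.2.9 10.1.0.53 f0e1d2c3b4a596877869a5b4c3d2e1f0.tun.example.net TXT
2015-11-16T10:00:07 10.1.2.9 10.1.0.53 02468ace13579bdf13579bdf02468ace.tun.example.net TXT
2015-11-16T10:00:08 10.1.2.9 10.1.0.53 fedcba9876543210f0e1d2c3b4a59687.tun.example.net TXT
2015-11-16T10:00:09 10.1.2.9 10.1.0.53 7869a5b4c3d2e1f002468ace13579bdf.tun.example.net TXT
2015-11-16T10:00:10 10.1.2.9 10.1.0.53 13579bdf02468ace0123456789abcdef.tun.example.net TXT
2015-11-16T10:00:11 10.1.2.7 203.0.113.53 www.example.org A
"""

# Thresholds for the tunnel heuristic (chosen for this example, not from the slides).
MIN_UNIQUE_LABELS = 5   # many distinct leftmost labels under one domain
MIN_AVG_LABEL_LEN = 20  # long labels carry encoded payload
MIN_AVG_ENTROPY = 3.0   # bits per character; encoded data looks random


def parse_dns_log(text):
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, resolver, qname, qtype = parts
        events.append({"ts": ts, "client": client, "resolver": resolver,
                       "qname": qname.lower().rstrip("."), "qtype": qtype})
    return events


def shannon_entropy(s):
    """Bits per character of the string's character distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def profile_domains(events):
    """Per registered domain (last two labels): distinct leftmost labels, their
    average length and entropy, and the clients that queried the domain."""
    acc = defaultdict(lambda: {"labels": set(), "clients": set()})
    for ev in events:
        labels = ev["qname"].split(".")
        if len(labels) < 3:
            continue  # no subdomain label that could carry a payload
        domain = ".".join(labels[-2:])
        acc[domain]["labels"].add(labels[0])
        acc[domain]["clients"].add(ev["client"])
    profiles = {}
    for domain, d in acc.items():
        labels = d["labels"]
        profiles[domain] = {
            "unique_labels": len(labels),
            "avg_label_len": sum(len(lab) for lab in labels) / len(labels),
            "avg_entropy": sum(shannon_entropy(lab) for lab in labels) / len(labels),
            "clients": d["clients"],
        }
    return profiles


def suspect_tunnel_domains(profiles):
    """Domains whose leftmost labels look like encoded payload rather than hostnames."""
    return sorted(
        d for d, p in profiles.items()
        if p["unique_labels"] >= MIN_UNIQUE_LABELS
        and p["avg_label_len"] >= MIN_AVG_LABEL_LEN
        and p["avg_entropy"] >= MIN_AVG_ENTROPY
    )


def clients_bypassing_internal_dns(events):
    """Internal clients talking to a resolver that is not the internal one."""
    return sorted({ev["client"] for ev in events if ev["resolver"] not in INTERNAL_RESOLVERS})


if __name__ == "__main__":
    evs = parse_dns_log(DNS_LOG)
    prof = profile_domains(evs)
    for dom in suspect_tunnel_domains(prof):
        print(f"tunnel-like: {dom} queried by {sorted(prof[dom]['clients'])}")
    print("bypassing internal DNS:", clients_bypassing_internal_dns(evs))
```

On the constructed log, example.com stays clean (four short hostnames such as www and mail), example.net is flagged (six distinct 32-character labels with 4 bits of entropy per character, all from 10.1.2.9), and 10.1.2.7 is reported for resolving against the external address. In production the registered-domain split should use the public suffix list rather than “last two labels”, and the per-domain counts should be kept over a time window.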

Page 20

APT Prevention – Architectural Countermeasures

Internet Communication: Web Access

> Application filtering

> Authentication

> No browsing from the workstation

> Block the unknown!

[Diagram: Internet (www) – Perimeter (proxy) – Internal Clients – Internal Data and Services – System Administration]

Page 21

APT Prevention – Architectural Countermeasures

Internet Communication: Mail

> Take care of the ruleset!

> Take care of the quarantine!

> File filtering (did you ever think about whitelisting?)

> Reputation

> SPF

> …

[Diagram: Internet – Perimeter (MTA, Quarantine) – Internal Clients – Internal Data and Services (MTA) – System Administration]
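The slide asks whether you ever thought about whitelisting attachments rather than blacklisting them. The Python script below is an added example, not part of the original slides or of any product: it applies an allowlist of attachment types, verifies that the file content actually starts with the bytes that type requires, and refuses executables regardless of what the filename claims, with any single rejected attachment sending the whole message to quarantine. The allowlist, the message and all addresses are constructed for the example; the standard library `email` package is used only to build and parse the message.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Allowlist of attachment types the gateway will deliver, with the leading bytes
# ("magic") each type must start with. Constructed policy for this example.
ALLOWED_TYPES = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "txt": (),  # no magic; checked for being plain UTF-8 text instead
}
# Leading bytes of Windows PE and ELF executables: never delivered, whatever the name.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")


def check_attachment(filename, data):
    """Return ("allow", reason) or ("quarantine", reason) for one attachment."""
    name = (filename or "").lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext not in ALLOWED_TYPES:
        return "quarantine", f"extension '.{ext}' not on allowlist"
    if data.startswith(EXECUTABLE_MAGIC):
        return "quarantine", f"executable content disguised as .{ext}"
    magic = ALLOWED_TYPES[ext]
    if magic and not data.startswith(magic):
        return "quarantine", f"content does not match .{ext} signature"
    if ext == "txt":
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return "quarantine", "text attachment is not valid UTF-8"
        if b"\x00" in data:
            return "quarantine", "text attachment contains NUL bytes"
    return "allow", "type and content verified"


def triage_message(raw):
    """Check every attachment of an RFC 5322 message; one bad attachment
    sends the whole message to quarantine rather than stripping it silently."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    results = []
    for part in msg.iter_attachments():
        fname = part.get_filename()
        verdict, reason = check_attachment(fname, part.get_payload(decode=True) or b"")
        results.append({"filename": fname, "verdict": verdict, "reason": reason})
    action = "quarantine" if any(r["verdict"] == "quarantine" for r in results) else "deliver"
    return {"action": action, "attachments": results}


def build_sample_message():
    """Constructed test message with a mix of clean and disguised attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice (constructed sample)"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"%PDF-1.4\n% constructed sample\n", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    # PE header bytes under a .pdf name: the classic disguised dropper shape
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 12, maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"Meeting notes, constructed sample.\n", maintype="text",
                       subtype="plain", filename="notes.txt")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 12, maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    # GIF bytes under a .png name: allowed extension, wrong content
    msg.add_attachment(b"GIF89a" + b"\x00" * 10, maintype="image",
                       subtype="png", filename="photo.png")
    return msg.as_bytes()


if __name__ == "__main__":
    result = triage_message(build_sample_message())
    print("action:", result["action"])
    for r in result["attachments"]:
        print(f"  {r['filename']}: {r['verdict']} ({r['reason']})")
```

The check deliberately ignores the Content-Type header the sender supplied and trusts only the filename extension plus the first bytes of the content, because both the header and the name are under the sender's control; an allowlist also means a new or exotic type fails closed instead of slipping through until someone adds it to a blocklist.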

Page 22

APT Prevention – Architectural Countermeasures

The user / the endpoint

> No admin rights!

> No USB control

> NAC

> Client Protection

– Application whitelisting

– Application Containment

– Malware scanning

Page 23

APT Prevention – Architectural Countermeasures

Internet Communication: Web Presence

> Check the uploads

> Check the partners (remember: we are talking about APT)

[Diagram: Internet (www, Partner) – Perimeter – Internal Clients – Internal Data and Services]

Page 24

APT Prevention – Architectural Countermeasures

Data access

> Most probably, the intruder's goal is the data in the database

> There are a lot of measures to take concerning database security

– access control

– auditing

– authentication

– …

> What about live data being used in UAT environments?

Page 25

APT Prevention – Getting a better microscope

Now that we might have:

> A solid architecture

> Procedures

> A good understanding of our dataflow

> A good understanding of what we already do

… and now?

Let’s get a better microscope!

Page 26

APT Prevention – Getting a better microscope

The ATP solutions and what they do:

> Sandboxing

> Static code analysis

> Analysing behaviour in a specific environment:

– What DLL calls are made

– What registry keys are accessed

– What network calls are made

– …

> Typically implemented in the mail flow, the web traffic flow and on the endpoint

[Diagram: Internet – Perimeter – Internal Clients – Internal Data and Services; analysis points at WWW (HTTP(S)) and MTA (SMTP)]
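What a sandbox hands back is a behaviour report (DLL/API calls, registry keys touched, network connections, files written), and the verdict comes from rules applied to that report. The Python script below is an added example, not from the slides and not any vendor's format or scoring: it parses two constructed JSON reports and scores them against a small rule set (persistence via a Run key, the API pair typical of process injection, a connection to a raw IP on a non-web port, an executable dropped into the user profile). The report schema, rule weights and verdict thresholds are all assumptions made for the example.

```python
import json
import re
from ipaddress import ip_address

# Two constructed behaviour reports in the shape such a sandbox might emit.
# Nothing here comes from a real sample or a real product's output format.
SAMPLE_REPORT = json.dumps({
    "sample": "constructed-sample-1",
    "api_calls": ["CreateFileW", "WriteProcessMemory", "CreateRemoteThread", "RegSetValueExW"],
    "registry_writes": ["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"],
    "network": [{"dst": "203.0.113.10", "port": 4444, "proto": "tcp"},
                {"dst": "www.example.com", "port": 443, "proto": "tcp"}],
    "files_written": ["C:\\Users\\user\\AppData\\Roaming\\updater.exe"],
})
BENIGN_REPORT = json.dumps({
    "sample": "constructed-sample-2",
    "api_calls": ["CreateFileW", "ReadFile", "CloseHandle"],
    "registry_writes": [],
    "network": [{"dst": "www.example.com", "port": 443, "proto": "tcp"}],
    "files_written": ["C:\\Users\\user\\Documents\\report.docx"],
})

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
DROPPED_EXE_RE = re.compile(r"\\AppData\\.*\.(exe|dll|scr)$", re.IGNORECASE)
WEB_PORTS = {80, 443}


def is_ip_literal(host):
    """True when the destination is an address rather than a name (no DNS step)."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


# Each rule: (name, weight, predicate over the parsed report). Weights are
# example values chosen for this illustration, not a vendor's scoring.
RULES = [
    ("persistence_run_key", 3,
     lambda r: any(RUN_KEY_RE.search(k) for k in r.get("registry_writes", []))),
    ("process_injection", 4,
     lambda r: {"WriteProcessMemory", "CreateRemoteThread"} <= set(r.get("api_calls", []))),
    ("raw_ip_nonweb_port", 3,
     lambda r: any(is_ip_literal(c.get("dst", "")) and c.get("port") not in WEB_PORTS
                   for c in r.get("network", []))),
    ("drops_executable_in_profile", 2,
     lambda r: any(DROPPED_EXE_RE.search(f) for f in r.get("files_written", []))),
]


def analyze_report(raw_json):
    """Score a behaviour report against RULES and map the score to a verdict."""
    report = json.loads(raw_json)
    triggered = [(name, weight) for name, weight, pred in RULES if pred(report)]
    score = sum(w for _, w in triggered)
    if score >= 6:
        verdict = "malicious"
    elif score >= 3:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"sample": report.get("sample", "?"), "score": score,
            "verdict": verdict, "rules": [n for n, _ in triggered]}


if __name__ == "__main__":
    for raw in (SAMPLE_REPORT, BENIGN_REPORT):
        res = analyze_report(raw)
        print(f"{res['sample']}: {res['verdict']} (score {res['score']}) {res['rules']}")
```

The rules are deliberately about behaviour, not file hashes, which is the point of the “better microscope”: a repacked sample changes its hash but still has to write its Run key and open its command channel. Scoring by weighted combination, rather than alerting on any single rule, keeps a lone registry write (common in legitimate installers) at “suspicious” rather than “malicious”.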

Page 27

APT Prevention – Getting a better microscope

ATP solutions: the current hype in IT security…

> Very detailed information about what files are actually doing

> Some solutions could be used as forensic tools

> Available in different “form factors”

– CPE / appliances

– Hybrid solutions

– Cloud services

So this is it? Is my company protected now?

Page 28

APT Prevention – Multilevel Security

[Diagram: zones Internet – Web Presence – Internal Clients – Internal Data and Services – Administration – Industrial Processing, with the communication paths Mail, Web Access, E2E, Remote Access, DNS, S2S, Cloud Services, Branches and Internal Devices, and a Zero Trust boundary]

Page 29

APT Prevention – Multilevel Security

[Diagram: the zones and communication paths of page 28, now annotated with controls. Per path: HTML Filtering, Mail Filtering (Mail), Web Filtering (Web Access), SOAP / XML Filter (E2E), Client Based / Portal (Remote Access), DNS Sec (DNS). Controls placed across the zones: IPS/IDS, IA, BOT, DDOS, Reputation DBs, Certs, Clnt Check, NAC, CP, DLP, MDM, DB FW, Virt. FWs, Zero Trust, Priv Acct Mgt, IAM, Auth Services, Authentication, PKI, Data Classific., Patch Mgt, Vuln Mgt, Vuln. Scan, Log Mgt, SIEM, IPSec, SCADA FW (Industrial Processing)]

Page 30

APT Prevention – Multilevel Security

[Diagram: the same architecture as page 29 with the ATP components added on top: APT-Prev next to IPS/IDS on the perimeter paths, and APT next to DLP, MDM and the client- and server-side controls]

Page 31

APT Prevention – The strategy

Establishing a strategy…

> A strategy is the starting point towards a comprehensive IT security infrastructure

> It should be the base for any further extension, like new technologies, new controls, new procedures

> It should take into account what is possible in an enterprise.

> Take into consideration:

– Investment

– Resources

– Know-how

– Operational costs

– and of course: a realistic risk assessment

Page 32

APT Prevention – The human factor

> Commonly seen as the most vulnerable “link” in the attack chain

> Processes and guidelines should help people, not control them

> Employees should be part of the IT Security process

> Management should be part of the IT Security process!

… especially with regard to APTs

Page 33

APT Conclusion – Risk Based Security

> There is no simple technical solution, but new technologies might help

> Risk Based Security: not everything has to be protected to the same level, not everything has the same importance

Security should be…

• target-oriented: What has to be protected? What are the threats?

• adequate: Where do we protect? How to protect efficiently?

Page 34

APT Conclusion – APT Prevention with new technologies?

> APTs are not only a new type of malware

> New technologies might be required and might help

> New technologies must be understood in order to be used in a practical environment

But:

> Fighting APTs is not only a technological task of more granular file filtering

-------------------------------------------

Preventing APTs is about establishing a comprehensive security architecture strategy that will help an enterprise get a clear picture of its IT landscape and that will lead to reliable and sustainable protection for its assets.

Page 35

APT Conclusion

> … and did we mention that already?

There is someone behind it with a specific goal!

Page 36

NTT Com Security

Page 37

Thank you

Roman Ackle