Advanced Persistent Threats(APT)
Sasha Browning
Breakdown
• Advanced
  – Combination of attack methods and tools
• Persistent
  – Continuous monitoring and interaction
  – "Low-and-slow" approach
• Threat
  – Attacker is skilled, motivated, organized and well funded
What is an APT?
• Definition
  – Sophisticated attack that tries to access and steal information from computers
• Requirement
  – Remain invisible for as long as possible
Why are APTs Important?
• Then
  – Just because
  – Demonstrate their skills
• Now
  – Attacks have evolved
  – Specific targets
  – Intend to maintain a long-term presence
Problem with APTs
• File size is small
• File names don't raise any red flags
• Almost always successful
• Undetectable until it's too late
• More frequent
• No one is immune
Targets
• .mil and .gov sites
• Department of Defense contractors
• Infrastructure companies
  – Power and water
• CEOs or leaders of powerful enterprises or gov. agencies
Stages of an APT Attack
1. Reconnaissance
2. Intrusion into the network
3. Establishing a backdoor
4. Obtaining user credentials
5. Installing multiple utilities
6. Data exfiltration
7. Maintaining persistence
Step 1: Reconnaissance
• Research and identify targets
  – Using public search or other methods
• Obtain email addresses or IM handles
Step 2: Intrusion into the Network
• Spear-phishing emails
  – Target specific people
  – Spoofed emails include malicious links or attachments
• Infect the employee's machine
• Gives the attacker a foot in the door
Step 3: Establishing a Backdoor
• Try to obtain domain admin credentials
  – Grab password hashes from network DCs
• Decrypt credentials to gain elevated user privileges
• Move within the network
  – Install backdoors here and there
  – Typically install malware
Step 4: Obtaining User Credentials
• Use valid user credentials
• Average of 40 systems accessed using these credentials
• Most common type of credentials
  – Domain admin
Step 5: Installing Multiple Utilities
• Utility programs conduct system admin. tasks
  – Installing backdoors
  – Grabbing passwords
  – Getting emails
• Typically found on systems without backdoors
Step 6: Data Exfiltration
• Grab emails, attachments, and files
• Funnel the stolen data to staging servers
  – Encrypt and compress
  – Delete the compressed
Step 7: Maintaining Persistence
• Use any and all methods
• Revamp malware if needed
Problems with APTs
• Self-destructing malware
  – Erases itself if it fails to reach its destination
• Nobody monitors outbound traffic
  – Can look legitimate
• Sniffers
  – Dynamically create credentials to mimic communication
Disguising Activity
• Process injection
  – Introduce malicious code into a trusted process
  – Conceals malicious activity
• Stub malware
  – Code with only minimal functionality
  – Remotely add new capabilities
  – Runs in the network's virtual memory
Stopping APTs
• Weakness
  – Interactive access
• Solution
  – Find the link between you and the attacker
  – Block it
• Afterwards
  – Attacker will have to re-infect a new host
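Finding the link between a compromised host and the attacker usually starts in outbound connection logs, which an earlier slide notes nobody monitors. The script below is an added example and not part of the presentation: it reads constructed log lines in a hypothetical "timestamp src dst:port bytes_out" format (not any real firewall's syntax), flags source/destination pairs whose connections recur at near-fixed intervals (the interactive, low-and-slow check-in the "Persistent" and "Stopping APTs" slides describe), and separately lists hosts whose total outbound volume is high enough to warrant a look for the staging-and-exfiltration pattern in Step 6.

```python
"""Flag candidate beaconing and bulk upload in outbound connection logs.

Added example, not from the presentation. The log format and the sample
lines are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: workstation 10.0.0.15 contacts 203.0.113.7 every
# ~10 minutes with tiny payloads (a check-in pattern), while 10.0.0.22
# does ordinary, irregular browsing plus one large upload.
SAMPLE_LOG = """\
2024-03-01T09:00:03 10.0.0.15 203.0.113.7:443 412
2024-03-01T09:02:41 10.0.0.15 198.51.100.20:443 18233
2024-03-01T09:10:05 10.0.0.15 203.0.113.7:443 398
2024-03-01T09:15:22 10.0.0.22 198.51.100.20:443 9021
2024-03-01T09:20:02 10.0.0.15 203.0.113.7:443 420
2024-03-01T09:27:58 10.0.0.22 198.51.100.44:80 1502
2024-03-01T09:30:04 10.0.0.15 203.0.113.7:443 405
2024-03-01T09:31:10 10.0.0.22 198.51.100.20:443 77210
2024-03-01T09:40:06 10.0.0.15 203.0.113.7:443 411
2024-03-01T09:50:01 10.0.0.15 203.0.113.7:443 417
"""


def parse_log(text):
    """Yield (timestamp, src, dst, bytes_out) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, nbytes = parts
        try:
            yield datetime.fromisoformat(ts), src, dst, int(nbytes)
        except ValueError:
            continue


def beacon_candidates(text, min_connections=5, max_jitter=0.2):
    """Return (src, dst, mean_interval_seconds) for pairs whose connection
    intervals are regular enough to look like scheduled check-ins.

    max_jitter bounds the coefficient of variation (stdev / mean) of the
    gaps between connections; human-driven traffic scores far higher.
    """
    times = defaultdict(list)
    for ts, src, dst, _ in parse_log(text):
        times[(src, dst)].append(ts)

    hits = []
    for (src, dst), stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, round(avg)))
    return sorted(hits)


def heavy_senders(text, threshold_bytes=50_000):
    """Return sources whose total outbound bytes exceed the threshold.

    A crude volume check; in practice the threshold would come from a
    per-host baseline rather than a fixed number.
    """
    totals = defaultdict(int)
    for _, src, _, nbytes in parse_log(text):
        totals[src] += nbytes
    return sorted(src for src, total in totals.items() if total > threshold_bytes)


if __name__ == "__main__":
    for src, dst, interval in beacon_candidates(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{interval}s")
    for src in heavy_senders(SAMPLE_LOG):
        print(f"high outbound volume: {src}")
```

Run against real logs, both checks produce candidates, not verdicts: a software updater also checks in on a timer, and a backup job also uploads a lot. The point of the "Stopping APTs" slide is that once a genuine link is confirmed, blocking that one destination forces the attacker to start over.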
Summary
• Targets are carefully selected
• Persistent
  – Will not leave
  – Changes strategy/attack
• Control focused
  – Not financially driven
  – Crucial information
• It's automated, but on a small scale
  – Targets a few people
Questions
Sources
• Wired: http://www.wired.com/threatlevel/2010/02/apt-hacks/
• Dark Reading: http://www.securityweek.com/anatomy-advanced-persistent-threat
• Damballa: http://www.damballa.com/knowledge/advanced-persistent-threats.php