Advanced Persistent Threats (APT)
Advanced Persistent Threats (APT)
Sasha Browning
Breakdown
• Advanced
  – Combination of attack methods and tools
• Persistent
  – Continuous monitoring and interaction
  – “Low-and-slow” approach
• Threat
  – Attacker is skilled, motivated, organized and well funded
What is an APT?
• Definition
  – Sophisticated attack that tries to access and steal information from computers
• Requirement
  – Remain invisible for as long as possible
Why are APTs Important?
• Then
  – Just because
  – Demonstrate their skills
• Now
  – Attacks have evolved
  – Specific targets
  – Intend to maintain a long-term presence
Problem with APTs
• File size is small
• File names don’t raise any red flags
• Almost always successful
• Undetectable until it’s too late
• More frequent
• No one is immune
Targets
• .mil and .gov sites
• Department of Defense contractors
• Infrastructure companies
  – Power and water
• CEOs or leaders of powerful enterprises or government agencies
Stages of an APT Attack
1. Reconnaissance
2. Intrusion into the network
3. Establishing a backdoor
4. Obtaining user credentials
5. Installing multiple utilities
6. Data exfiltration
7. Maintaining persistence
Step 1: Reconnaissance
• Research and identify targets
  – Using public search or other methods
• Obtain email addresses or IM handles
Step 2: Intrusion into the Network
• Spear-phishing emails
  – Target specific people
  – Spoofed emails that include malicious links or attachments
• Infect the employee’s machine
• Gives the attacker a foot in the door
Step 3: Establishing a Backdoor
• Try to obtain domain admin credentials
  – Grab password hashes from the network’s domain controllers (DCs)
• Decrypt credentials to gain elevated user privileges
• Move within the network
  – Install backdoors here and there
  – Typically install malware
Step 4: Obtaining User Credentials
• Use valid user credentials
• Average of 40 systems accessed using these credentials
• Most common type of credentials:
  – Domain admin
Step 5: Installing Multiple Utilities
• Utility programs conduct system administration
  – Installing backdoors
  – Grabbing passwords
  – Getting emails
• Typically found on systems without backdoors
Step 6: Data Exfiltration
• Grab emails, attachments, and files
• Funnel the stolen data to staging servers
  – Encrypt and compress
  – Delete the compressed
Step 7: Maintaining Persistence
• Use any and all methods
• Revamp malware if needed
Problems with APTs
• Self-destructing malware
  – Erases itself if it fails to reach its destination
• Nobody monitors outbound traffic
  – Can look legitimate
• Sniffers
  – Dynamically create credentials to mimic communication
Disguising Activity
• Process injection
  – Introduces malicious code into a trusted process
  – Conceals malicious activity
• Stub malware
  – Code with only minimal functionality
  – Remotely add new capabilities
  – Runs in the network’s virtual memory
Stopping APTs
• Weakness
  – Interactive access
• Solution
  – Find the link between you and the attacker
  – Block it
• Afterwards
  – Attacker will have to re-infect a new host
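The “low-and-slow” beaconing described in the Breakdown slide is also the link the Stopping APTs slide says to find: the implant must check in with the attacker, and unmonitored outbound traffic hides it. The following added example (not from the slides; log format, host names and thresholds are constructed) scores each source/destination pair in a proxy log by how clockwork-regular its connection intervals are, which is how a defender surfaces that link.

```python
import re
import statistics
from collections import defaultdict

# Constructed proxy log lines (not from the slides): "timestamp src dst bytes_out".
# 10.0.0.5 contacts cdn-updates.example.net every 600 s with small payloads, the
# low-and-slow pattern; 10.0.0.7 browses news.example.com at irregular times.
SAMPLE_LOG = """\
1700000000 10.0.0.5 cdn-updates.example.net 412
1700000600 10.0.0.5 cdn-updates.example.net 398
1700001200 10.0.0.5 cdn-updates.example.net 420
1700001800 10.0.0.5 cdn-updates.example.net 405
1700002400 10.0.0.5 cdn-updates.example.net 411
1700000120 10.0.0.7 news.example.com 51200
1700000133 10.0.0.7 news.example.com 8800
1700001900 10.0.0.7 news.example.com 72000
1700002300 10.0.0.7 news.example.com 1500
1700002305 10.0.0.7 news.example.com 2200
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\d+)$")

def parse_log(text):
    """Group connections by (src, dst), each list sorted by timestamp."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        ts, src, dst, size = m.groups()
        flows[(src, dst)].append((int(ts), int(size)))
    for pair in flows:
        flows[pair].sort()
    return flows

def beacon_score(events):
    """Coefficient of variation of the gaps between connections; ~0 means clockwork."""
    gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
    if len(gaps) < 3:
        return None  # too few samples to judge regularity
    mean = statistics.fmean(gaps)
    return statistics.pstdev(gaps) / mean if mean else None

def find_beacons(text, max_cv=0.1, min_connections=4):
    """Return (src, dst, cv) for pairs whose outbound connections recur at near-constant intervals."""
    hits = []
    for (src, dst), events in parse_log(text).items():
        if len(events) < min_connections:
            continue
        cv = beacon_score(events)
        if cv is not None and cv <= max_cv:
            hits.append((src, dst, round(cv, 3)))
    return hits
```

Real implants add jitter, so in practice the `max_cv` threshold is loosened and combined with payload-size and destination-reputation signals; the regularity score alone is the starting point, not the verdict.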
Summary
• Targets are carefully selected
• Persistent
  – Will not leave
  – Changes strategy/attack
• Control focused
  – Not financially driven
  – Crucial information
• It’s automated, but on a small scale
  – Targets a few people
Questions
Sources
• Wired – http://www.wired.com/threatlevel/2010/02/apt-hacks/
• Dark Reading – http://www.securityweek.com/anatomy-advanced-persistent-threat
• Damballa – http://www.damballa.com/knowledge/advanced-persistent-threats.php