Pavelich - WAPT public.ppt - Countermeasure 2019


John Pavelich

• Peter Hammerschmidt, Director General of National Cyber Security at Public Safety Canada, said: ‘Globally, cyber crime accounted for as much as $450 billion in losses’.

• ‘It’s evolved from being about young hackers looking to cause mischief into nation states collecting information on other countries’.

Ottawa Citizen, October 3, 2014

APT: Basics

APT refers to a specific model of attack associated with highly skilled and well-resourced threat actors that persistently target specific entities of interest.

APT can be attributed to state actors, some organized crime actors and some commercial offensive cyber companies with the technology and skill sets.

By now most cyber security experts are comfortable in their understanding of wired APTs and the actors involved.

WAPT refers to a model of cyber attack whose vectors are entirely wireless and which incorporates a sophisticated hardware component called a Complex Technical Threat Implant (CTTI).

• WAPT is very rare and not well known.

• One (in Canada) has been identified in the last 12 months.

• Alluded to by Snowden.

A distinguishing feature of the WAPT-oriented threat actor is the ability to model, build, manufacture, integrate and test a CTTI similar to GUNMAN.

Let’s define this new threat class as the Wireless APT (WAPT) in order to distinguish its unique characteristics and to show the detection capability gap.

Wireless APT (WAPT)

Why Did the Wireless APT appear?

Threat actors discovered that some targeted organizations’ networks are ‘well defended’, ‘closed’ or ‘air-gapped’. Some organizations follow NIST SP 800-53, and the ‘low hanging fruit’ cyber attack is gone.

Threat Actors experienced ‘mission failure’.

• “Igor, we can’t get in, all Internet doors and windows shut.

• Serge says no more vodka and caviar until get informations he need.”

• “Dah, I work on it, I get us inside. First I moost find Veektor who built ‘GUNMAN’.”

Experience studying GUNMAN (and other CTTIs) tells us that state threat actors have excellent capability for installing custom, sophisticated covert devices inside well-defended facilities.

Ask Madeleine Albright.

What do they want and why would they go to this extent?

Some potential targets:

Military:

• Nuclear Launch Warning.

• Defence R and D.

• High grade cryptographic keys.

Government:

• Trade negotiation information.

• Sensitive ‘Inner Cabinet’ information or policies.

Commercial:

• R and D.

• Economic Manipulation.

Critical Infrastructure:

• Industrial Control Systems.

In a ‘normal’ APT attack, significant quantities of information are exfiltrated. Until recently, only relatively simple, narrowband TTIs were available, suitable only as keystroke loggers and wireless mics.

The available high-speed wireless transmitting technologies were recognizable, detectable and of very short effective range.

Short range means very high risk to the threat agent’s exfiltration post, and the state threat actor is risk averse. Ask Stanislav Gusev.

WAPT needs a waveform (vector) that is not easily detectable, not recognizable as a threat, and not capable of being analyzed by the current class of Electronic Warfare and Technical Surveillance Countermeasures (TSCM) receivers and tools.

We still don’t understand a lot about how the implant behaves on the host. We know it can vary, depending upon the desired outcome.

Wireless APT: Some concerns

Older wireless technologies that have been available to the threat agent

Type                    Frequency start / stop (MHz)   Channel    Data throughput
Citizens Band (CB)      27.00 / 27.40                  < 10 kHz   1.2 kbit/s
Cordless Phone          43.00 / 43.99                  < 10 kHz   1.2 kbit/s
Air Walkie-Talkie       118.00 / 137.00                < 10 kHz   1.2 kbit/s
Marine Walkie-Talkie    156.00 / 163.00                < 10 kHz   1.2 kbit/s
PMR 430                 433.00 / 434.80                < 10 kHz   1.2 kbit/s
Sat Phone (Iridium)     1616.00 / 1626.50              < 10 kHz   2.4 kbit/s

• Low throughput.

• Narrow band (most are very easy for TSCM to detect).

• Except for Iridium, the data exfil point has to be close.

• The lower the frequency, the larger the physical size (for a clean signal).

Cellular family   Standard   Peak data rate (kbit/s)   Typical data rate (kbit/s)
GSM               GSM-CSD    9.6 / 14.4                9.6
GSM               HS-CSD     28.8 / 43.2               28.8
GSM               GPRS       115 / 171                 50
GSM               EDGE       384 / 513                 115
UMTS              FDD        384 / 2000                144
UMTS              TDD        384 / 2000                144
CDMAOne           IS-95A     14.4                      14.4
CDMAOne           IS-95B     64 / 115                  56
CDMA2000          1X         144 / 307                 130
CDMA2000          1X EV      2000                      (not listed)
TDMA              CSD        9.6                       9.6
PDC               i-mode     9.5                       9.6

Old cellular standards did work, but had slow throughput and were not standard everywhere.

Only Russian TSCM Detects/Analyzes GSM Standard!

In comparison to older cellular technologies, Bluetooth and WiFi have very good data speeds with very small physical footprints.

Bluetooth and WiFi are potential WAPT technology choices, but the threat agent needs to be close to be effective and there are lots of defensive tools available to detect, locate, analyze and respond.

Cellular wireless signal coverage can be modelled, allowing for remote recce and planning by the WAPT, thanks to geospatial databases and satellite maps.

And along comes LTE and makes things high speed and standard around the world

LTE Advantages

High speed

Good coverage

Small physical footprint

Exfil point is anywhere in the world

LTE bypasses our NIDS (the traffic never transits the facility network, so nothing on it can see the exfiltration)

TSCM is in a ‘No Detect’ situation

It’s encrypted ‘out of the box’ (the standard ciphers the air interface between the device and the base station, with no work by the attacker; the carrier’s core still sees the payload unless the implant adds its own layer)

The WAPT will likely use LTE to ‘hide in plain sight’
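The range and throughput argument above can be put in numbers. The following is an added example, not the presenter’s code or tooling: a free-space (Friis) link budget that solves for the largest distance at which each link still reaches its receiver, plus the quarter-wave antenna length behind the ‘lower frequency, larger implant’ point and the hours needed to move a fixed volume of data over each link. The radio parameters (a class 2 Bluetooth device, 802.11 at 2.4 GHz, an LTE band 4 handset into a base station assumed to hear -100 dBm) and the 5 Mbit/s LTE uplink figure are assumed typical values, not figures from the slides; the narrowband, GPRS and EDGE throughputs are the slides’ own.

```python
"""Simplified free-space link budget and exfiltration-time estimates.

Added illustration for the range / throughput argument in the slides; it is
not the presenter's tool. The radio parameters below are assumed typical
values, not figures taken from the deck.
"""
import math

C_M_PER_S = 299_792_458.0  # speed of light


def fspl_db(distance_m: float, freq_mhz: float) -> float:
    """Free-space path loss (Friis) in dB over distance_m metres at freq_mhz."""
    return 20.0 * math.log10(distance_m) + 20.0 * math.log10(freq_mhz) - 27.55


def max_range_m(tx_dbm: float, rx_sens_dbm: float, freq_mhz: float,
                tx_gain_dbi: float = 0.0, rx_gain_dbi: float = 0.0,
                fade_margin_db: float = 0.0) -> float:
    """Largest free-space distance at which the receiver still sees its sensitivity level.

    Solves fspl_db(d, f) == tx + gains - sensitivity - margin for d.
    """
    budget_db = tx_dbm + tx_gain_dbi + rx_gain_dbi - rx_sens_dbm - fade_margin_db
    return 10.0 ** ((budget_db + 27.55 - 20.0 * math.log10(freq_mhz)) / 20.0)


def quarter_wave_m(freq_mhz: float) -> float:
    """Length of a quarter-wave monopole: why a 27 MHz implant cannot be tiny."""
    return C_M_PER_S / (freq_mhz * 1e6) / 4.0


def hours_to_exfiltrate(n_bytes: int, throughput_kbps: float) -> float:
    """Hours needed to move n_bytes over a link sustaining throughput_kbps."""
    return n_bytes * 8.0 / (throughput_kbps * 1000.0) / 3600.0


# Assumed typical radio parameters (not from the slides): Bluetooth class 2
# (4 dBm out, -70 dBm sensitivity), 802.11 at 2.4 GHz (20 dBm, -82 dBm), and an
# LTE band 4 handset (23 dBm) into a base station assumed to hear -100 dBm.
LINKS = {
    "Bluetooth (class 2)": dict(tx_dbm=4.0, rx_sens_dbm=-70.0, freq_mhz=2440.0),
    "Wi-Fi 2.4 GHz": dict(tx_dbm=20.0, rx_sens_dbm=-82.0, freq_mhz=2437.0),
    "LTE band 4 uplink": dict(tx_dbm=23.0, rx_sens_dbm=-100.0, freq_mhz=1732.0),
}

# The narrowband, Iridium, GPRS and EDGE figures are the slides' own tables;
# the LTE uplink rate is an assumed, deliberately modest value.
THROUGHPUT_KBPS = {
    "CB / PMR narrowband": 1.2,
    "Iridium": 2.4,
    "GPRS (typical)": 50.0,
    "EDGE (typical)": 115.0,
    "LTE uplink (assumed)": 5000.0,
}


def compare_links() -> dict:
    """Free-space reach in metres for each link in LINKS."""
    return {name: max_range_m(**p) for name, p in LINKS.items()}


def compare_exfil(n_bytes: int = 10**9) -> dict:
    """Hours to exfiltrate n_bytes (default 1 GB) over each link in THROUGHPUT_KBPS."""
    return {name: hours_to_exfiltrate(n_bytes, kbps) for name, kbps in THROUGHPUT_KBPS.items()}


if __name__ == "__main__":
    for name, reach in compare_links().items():
        print(f"{name:22s} free-space reach ~{reach:8.0f} m")
    for name, hours in compare_exfil().items():
        print(f"{name:22s} 1 GB takes ~{hours:9.1f} h")
    print(f"quarter-wave at 27 MHz: {quarter_wave_m(27.0):.2f} m; "
          f"at 1732 MHz: {quarter_wave_m(1732.0) * 100:.1f} cm")
```

Free space is the optimistic case. Indoor walls and clutter add tens of dB of loss, which cuts the short-range links down far more than it dents the LTE budget, and that asymmetry is the risk the slide describes: the Bluetooth or WiFi exfil post has to sit within a few tens of metres of the implant, while the LTE base station is kilometres away and belongs to someone else. Real coverage modelling of the geospatial kind the deck mentions replaces the Friis term with terrain and clutter models, but the budget arithmetic is the same.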

Now that I’ve convinced you about the use of the wireless vector, what else can we say?

• Application whitelisting doesn’t work: the implant runs its own code on its own processor, not as an application on the host OS.

• The CTTI has on-board processing, storage and RAM (think smartphone, less the user-oriented bits).

• The CTTI is permanently attached to the host, so it’s powered for as long as the host is.

• The CTTI is on the host bus, inside the host’s trust boundary, so it inherits the host’s already-authenticated position on the network.

• In a really slick install it’s machined or etched into part of the circuit board and can’t be easily verified by physical inspection.

We obviously need to study this further!

We require better investigative tools.

RF spectrum analysis is one key element.

Three-technique geolocation is another.

Who will prove the threat (publicly) and provide the first ‘WAPT capture’?
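As an added example of what the ‘RF spectrum analysis’ step can look like in practice (this is not the presenter’s tool, and the sweep data is constructed inline): take a baseline sweep of the facility, compare a later sweep bin by bin, group the bins that rose by more than a threshold into candidate emitters, and check whether each candidate sits in a 3GPP FDD uplink allocation with an LTE-like channel width. The band table is a small subset of real 3GPP uplink ranges; everything else (the noise floor, the carriers, the 10 dB threshold, the 1 MHz bins) is assumed for the illustration.

```python
"""Baseline-versus-current spectrum comparison for an RF survey.

Added illustration of the 'RF spectrum analysis' investigative step the slides
call for; not the presenter's tool. Sweep data below is constructed inline, and
the band table holds only a handful of 3GPP FDD uplink allocations.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# 3GPP FDD uplink (device-transmit) ranges in MHz. A cellular implant inside
# the facility transmits on an uplink range; the tower's downlink is present
# in every sweep and is normal background.
LTE_UPLINK_MHZ: Dict[str, Tuple[float, float]] = {
    "band 2": (1850.0, 1910.0),
    "band 4": (1710.0, 1755.0),
    "band 5": (824.0, 849.0),
    "band 7": (2500.0, 2570.0),
    "band 12": (699.0, 716.0),
    "band 13": (777.0, 787.0),
}
LTE_CHANNEL_WIDTHS_MHZ = (1.4, 3.0, 5.0, 10.0, 15.0, 20.0)


@dataclass
class Emitter:
    start_mhz: float
    stop_mhz: float
    peak_delta_db: float

    @property
    def center_mhz(self) -> float:
        return (self.start_mhz + self.stop_mhz) / 2.0

    @property
    def bandwidth_mhz(self) -> float:
        return self.stop_mhz - self.start_mhz


def make_sweep(start_mhz: float, stop_mhz: float, step_mhz: float, floor_dbm: float,
               carriers: List[Tuple[float, float, float]]) -> Dict[float, float]:
    """Build a {frequency_MHz: power_dBm} sweep from a noise floor plus flat carriers (lo, hi, dBm)."""
    sweep: Dict[float, float] = {}
    bins = int(round((stop_mhz - start_mhz) / step_mhz))
    for i in range(bins + 1):
        f = round(start_mhz + i * step_mhz, 3)
        power = floor_dbm
        for lo, hi, dbm in carriers:
            if lo <= f < hi:
                power = max(power, dbm)
        sweep[f] = power
    return sweep


def find_new_emitters(baseline: Dict[float, float], current: Dict[float, float],
                      threshold_db: float = 10.0) -> List[Emitter]:
    """Group contiguous bins where current exceeds baseline by threshold_db into emitters."""
    freqs = sorted(f for f in current if f in baseline)
    if len(freqs) < 2:
        return []
    step = freqs[1] - freqs[0]
    found: List[Emitter] = []
    run: Optional[List[float]] = None  # [start, last bin, peak delta]
    for f in freqs:
        delta = current[f] - baseline[f]
        if delta >= threshold_db:
            if run is None:
                run = [f, f, delta]
            else:
                run[1] = f
                run[2] = max(run[2], delta)
        elif run is not None:
            found.append(Emitter(run[0], run[1] + step, run[2]))
            run = None
    if run is not None:
        found.append(Emitter(run[0], run[1] + step, run[2]))
    return found


def classify(e: Emitter) -> Tuple[Optional[str], bool]:
    """Return (LTE uplink band containing the centre, or None; bandwidth looks like an LTE channel)."""
    band = next((n for n, (lo, hi) in LTE_UPLINK_MHZ.items() if lo <= e.center_mhz <= hi), None)
    width_ok = any(abs(e.bandwidth_mhz - w) <= max(1.0, 0.2 * w) for w in LTE_CHANNEL_WIDTHS_MHZ)
    return band, width_ok


# Constructed sweeps: 1 MHz bins from 650 to 2700 MHz over a -95 dBm floor.
# Baseline: only the serving tower's band 4 downlink (2125-2135 MHz) leaks in.
BASELINE = make_sweep(650.0, 2700.0, 1.0, -95.0, [(2125.0, 2135.0, -60.0)])
# Current survey: the downlink 2 dB stronger, a weak neighbour Wi-Fi bump at
# 2.4 GHz (7 dB over the floor), and a strong 10 MHz carrier at 1725-1735 MHz,
# which is a band 4 uplink transmitter somewhere close to the antenna.
CURRENT = make_sweep(650.0, 2700.0, 1.0, -95.0, [
    (2125.0, 2135.0, -58.0),
    (2400.0, 2483.5, -88.0),
    (1725.0, 1735.0, -45.0),
])


def survey(baseline=BASELINE, current=CURRENT, threshold_db: float = 10.0):
    """Findings as (emitter, lte_uplink_band_or_None, width_matches_lte)."""
    return [(e, *classify(e)) for e in find_new_emitters(baseline, current, threshold_db)]


if __name__ == "__main__":
    for e, band, width_ok in survey():
        print(f"new emitter {e.start_mhz:.0f}-{e.stop_mhz:.0f} MHz, +{e.peak_delta_db:.0f} dB "
              f"over baseline, LTE uplink: {band or 'no'}, LTE-like width: {width_ok}")
```

Two caveats a sweep team would add. An LTE device only transmits when the network schedules it, so a single fast sweep can miss the uplink entirely; a max-hold capture over minutes, or a receiver parked on the uplink bands, is what actually catches it. And a finding in an uplink band is only a candidate until geolocation puts the emitter inside the facility rather than in a visitor’s pocket or the car park, which is why the slide pairs spectrum analysis with geolocation.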

Questions?
