Craig Searle, BAE Systems Detica: APT – Myths & Malware
DESCRIPTION
Craig Searle, Operations Director (Australasia), BAE Systems Detica delivered this presentation at the 2013 Corporate Cyber Security Summit. The event examined cyber threats to Australia’s private sector and focused on solutions and countering cyber-attacks. For more information about the event, please visit the conference website http://www.informa.com.au/cybersecurityconference
TRANSCRIPT
APT – Myths & Malware
WHY WE’RE HERE
STRICTLY CONFIDENTIAL 2
LOTS OF HYSTERIA AROUND THE “APT THREAT”
HAS BECOME AN INTERNET BOOGEYMAN OF SORTS
SOMETIMES AN APT IS SIMPLY A HACKER TAKING ADVANTAGE OF YOUR POOR SECURITY PRACTICES
SOMETIMES AN APT IS SOMETHING MORE…
AN APT BY ANY OTHER NAME?
CYBERCRIME != CYBERWARFARE
• Plenty of media coverage of the threat of Cyberwarfare
• Very little actual Cyberwarfare going on though
– Stuxnet in Iran
– Estonia…but not really
– Vitek Boden…Maroochydore
• Despite that, Cyberwarfare is seen as a credible and present threat
– Akin to the ‘nuclear option’, a serious escalation in times of conflict
• Where does that leave us?
– Cyber Activism (Hacktivism)
– Cybercrime
– Good old fashioned espionage, either corporate or state sponsored
– (Un)fortunately for us the line between these three has become increasingly blurred
Cyber-criminals – Serving themselves
Cyber-activists – Serving the cause
Cyber-espionage – Serving the nation
© BAE SYSTEMS DETICA 2013 6
Cyber-activists
Recent examples
– June 2011: News reports of ‘Syrian Electronic Army’ harassing dissidents on Facebook, spamming anti-government pages
– September 2011: Harvard.edu site hacked, defaced
– January 2012: Al-Jazeera blog hacked, defaced
– April 2012: LinkedIn Blog hacked, defaced
– July 2012: Twitter account of Al-Jazeera’s Stream programme hacked, messages posted criticising Al-Jazeera and The Guardian
– March 2013: Human Rights Watch site & Twitter account hacked. Multiple other Twitter accounts hacked, including BBC News and Deutsche Welle
– April 2013: Associated Press Twitter account hacked; false reports of an attack on the White House cause the Dow Jones to temporarily crash. 11 Guardian Twitter accounts hacked
– May 2013: The Onion hacked
Cyber-espionage
State-of-the-nation
NYT hacked after publishing article entitled: “Billions in Hidden Riches for Family of Chinese Leader”
WSJ: “It's a plain-old crime, undertaken by a government that fancies itself the world's next superpower but acts like a giant thievery corporation.”
Cyber-espionage
State-of-the-nation
The US goes on the offensive: Chinese hacking crew go quiet
“Detica researchers have obtained a copy of malware that has all the hallmarks of being crafted by this espionage group.”
Recently compiled sample:
Targeting US defence related conference:
Consistent communication and cipher routine:
A DAY IN THE LIFE OF AN APT
• APT is a business
• Like any business they have working hours, customers, suppliers, partners and a fully functioning supply chain
• Business is good, really good!
A PROFESSIONAL APPROACH
PORTALS
PORTAL STRUCTURE
PORTAL MANAGEMENT
ENABLING SERVICES
MALWARE AND MAYHEM
:: Campaign dating back over 5 years
:: Targeted government ministries, embassies, and technology companies
:: Advanced code-base of over 100 distinct modules for stealing specific data
:: Cyrillic language settings, and Russian words in the code
“EVERYBODY’S WORKING FOR THE WEEKEND”
Cyber-war on Korean Peninsula?
Friday 15 March 2013
Wednesday 20 March 2013
“The computer networks of three broadcasters – KBS, MBC and YTN – and two banks, Shinhan and Nonghyup, froze at around 2pm local time. Shinhan said its ATMs, payment terminals and mobile banking in the South were affected. TV broadcasts were not affected.”
Another Persistent Threat
THE 4CORNERS EFFECT
Prevalence
“There are two types of CEO, those that know their systems are being hacked – and those that don’t”, Ian Livingstone, CEO of BT
“There are now three certainties in life – there's death, there's taxes and there's a foreign intelligence service on your system”, MI5 Head of Cyber
Characteristics
• Asymmetric – much easier to attack than defend
• Anonymous – easy to hide or deny
• Global – can attack anyone from anywhere
• Trans-jurisdictional – location of incidents is not obvious
• Large and complex – billions of people and webpages interacting
• Dynamic – millions of bright people inventing new services or attacks
THE 4CORNERS EFFECT
• Increasing public accounts of industrial espionage using ‘cyber’ as an attack vector
• APTs are exceedingly skillful at keeping a low profile
– Not apparent you have a problem until it is too late
• Increasing attacks on the supply chain due to:
– Weaker links / softer targets than the end entity
– Ability to achieve deeper and wider penetration
Do any of your customers think that this is you? Which of your vendors/suppliers is this?
ANOTHER WAY TO THINK OF APT
• Consider APT to be a business, which they are
• They have now evolved to become a hyper-aggressive competitor, always on the lookout to impinge upon your IP, your products/services and your brand
• Now how would you counter that threat?
– Changes board focus, has now become a business risk not an IT risk
• You might consider additional control of your crown jewels
• You would likely also want better notification of what your competitor is doing and where your IP is appearing
• Also need the ability to respond effectively and efficiently in the event of a breach
ORGANISATIONAL IMPERATIVES
• Whatever the business, there is always a need to adapt in order to grow and build value
– New customers
– New partners
– Mobilising and globalising delivery
– New IP and markets
– More online services
– More personal data being collected and stored
– More connectivity between systems
– More sensitive commercial information
– More partners, customers and clients
– More mobile and flexible working
…but the threats and possible impacts on business are continuously evolving…
External threats
Malicious insiders
Vulnerable partners
…and the attacks reported in the press are just the tip of the iceberg
Financial loss
Physical damage
Business disruption
Loss of competitive advantage
Reputational damage
Economic damage
Endangering national security
PLAN FOR RESILIENCE
Prepare – Understanding and managing risk and preparing for the risks we wish to mitigate
Protect – Protecting key information and systems from attack and reducing the impact of attacks
Monitor – Monitoring systems to detect and frustrate attackers
Respond – Managing the consequences of an attack to minimise its impact
IN CLOSING
• Hype
• Know your enemy
• A business problem
• Plan for resilience
QUESTIONS?