APT for EngineersIET - Cyber Security for Critical InfrastructureOllie Whitehouse, Technical Director

Agenda

APT: definition

APT: manifestation and implementation

APT: mitigation, detection and remediation

Conclusions

2

3

definition

4

Advanced: i.e. not basic

Persistent: i.e. not non-persistent

Threat: i.e. backdoor, remote access, retained control, root kit etc.

APT: definition

5

Intelligence agencies

6

Intelligence agenciesOrganised criminals

7

manifestation and implementation

8

APT: manifestation

http://cyber.lockheedmartin.com/cyber-kill-chain-lockheed-martin-poster https://nigesecurityguy.wordpress.com/2013/06/04/defensible-security-posture/

9

APT: manifestation - key functionsCommand

& Control

(C2)

Persistence

Security & Defence

Functionality & Maintenance

10

Ensures remote and desired level of access

Persistent but minimizes forensic artefacts

Minimizes likelihood of detection

Frustrates analysis

Modular, upgradable and versatile

APT: manifestation - goals

11

December 2014 NCC Group dealt with the compromise of REDACTED who had been compromised by Shell Crew

http://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf

This actor uses the Derusbi trojan family to maintain access which supports a form of port-knocking.

APT: manifestation

12

APT: manifestation

13

APT: implementation

14

APT: implementation

15

A program (i.e. on Windows, Mac OS X, Linux, iOS/Android etc.)

A kernel driver (i.e. on Windows, Mac OS X, Linux etc.)

A non-persistent patch to existing code (anything)

A malicious firmware (embedded devices)

APT: implementation

16

Summer 2014 NCC Group detect a malicious RTF (document) containing the Havex RAT

We then developed signatures and detected numerous trojaned ICS / SCADA tools in malware zoos

Actor has been compromising ICS / SCADA tool vendor web sites, trojaning legitimate binaries with havex and waiting for downloads

APT: manifestation

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2014/june/extracting-the-payload-from-a-cve-2014-1761-rtf-document/

17

APT: manifestation

http://cyber.lockheedmartin.com/cyber-kill-chain-lockheed-martin-poster https://nigesecurityguy.wordpress.com/2013/06/04/defensible-security-posture/

18

APT: manifestation

Cheap(ish) &

normally simple

deployment

19

APT: manifestation

Moderately

costly &

semi-complex

deployment

20

APT: manifestation

Cheap but

complex

deployment

21

APT: manifestation

Typically very

cheap but

variable cost to

deployment

APT: manifestation

22

APT: manifestation

23

APT: manifestation

24

APT: manifestation

25

APT: manifestation

26

APT: manifestation

27

APT: manifestation

28

29

Software stacks are today very complex

Re-writable software is everywhere

Cryptographic code signing etc. is not

APT: manifestation - reality

30

detection

31

Known knowns = Indicators of Compromise (IOCs)

IOCs = signatures for network traffic or files

APT: detection – known knowns

32

Monitoring and measurementnetworkOSdevice

Anomaly detection and investigationusing monitoring and measurement

APT: detection – unknown unknowns

33

analysis

34

observe – from the network or on host

identify – the program code

extract – from the host / device

analyse – statically / dynamically

APT: analysis

35

mitigation and remediation

36

APT: mitigation – 2002 proposal

https://en.wikipedia.org/wiki/Next-Generation_Secure_Computing_Base

37

APT: mitigation - TPMs

https://en.wikipedia.org/wiki/Trusted_Platform_Module

38

APT: mitigation – UEFI Secure Boot

http://answers.microsoft.com/en-us/windows/forum/windows8_1-security/uefi-secure-boot-in-windows-81/65d74e19-9572-4a91-85aa-57fa783f0759?auth=1

39

APT: mitigation – UEFI Secure Boot

http://answers.microsoft.com/en-us/windows/forum/windows8_1-security/uefi-secure-boot-in-windows-81/65d74e19-9572-4a91-85aa-57fa783f0759?auth=1

40

APT: mitigation – UEFI Secure Boot

http://answers.microsoft.com/en-us/windows/forum/windows8_1-security/uefi-secure-boot-in-windows-81/65d74e19-9572-4a91-85aa-57fa783f0759?auth=1

41

Once we have an OS* we trust

.. we can do things likehypervisor level malicious code scanningearly launch malware detection (Windows)

APT: mitigation

* caveat is now hardware with DMA access and if IOMMUs are used or if data/code in RAM is otherwise protected from manipulation

42

putting the advanced in APT

43

persistent element: encrypted to hostnot persistent until shutdownpersisted via secondary host

command and controladding to legitimate network connections

APT: putting the advanced in APT

44

Conclusions

45

EuropeManchester - Head Office

Amsterdam

Cambridge

Copenhagen

Cheltenham

Edinburgh

Glasgow

Leatherhead

London

Luxembourg

Munich

Zurich

AustraliaSydney

North AmericaAtlanta

Austin

Chicago

New York

San Francisco

Seattle

Sunnyvale

Ollie Whitehouseollie.whitehouse@nccgroup.trust