Introduction to the advanced persistent threat and hacktivism
DESCRIPTION
Safe Never Sleeps - a peek into the IT underworld. Security briefing from McAfee and Global Micro - Microsoft Hosting Partner of the Year 2010 and 2011. Presentation by Christo Van Staden, www.globalmicro.co.za. Follow me on Twitter: @jjrmilner
TRANSCRIPT
Safe Never Sleeps: A peek into the underworld…
Hosted by: Jathniel Meyer & Christo van Staden, McAfee South Africa. Date: 17-19 October 2011
Introduction to the Advanced Persistent Threat & Hacktivism
Agenda
1. Advanced Persistent Threats (APTs)
2. Countermeasures
3. Questions and Answers
Advanced Persistent Threat: How Was It Done
APT in action
Advanced Persistent Threats
What is an Advanced Persistent Threat?
1. An attack by a sophisticated adversary with deep resources and advanced penetration skills, engaged in electronic espionage to support long-term strategic goals
2. An over-abused marketing term used by point-product security vendors to refer to "bad things from the Internet"
APTs have specific targets.
Malware Used in APTs
Simple blacklisting, signature-based solutions with MD5 hashes yield a low rate of true positives.
- Average file size: 121.85 KB
- Most common APT file names: Svchost.exe, explore.exe, lprinp.dll, wiinzf21.dll
- Anomaly-detection avoidance: outbound HTTP connections, process injection and service persistence
- Communication: 100 percent of backdoors connect outbound-only; 83 percent use TCP port 80 or 443, 17 percent are mixed
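The traits on this slide translate directly into triage logic. The following Python script is an added illustration, not code from the McAfee briefing. It shows two things: why an MD5 blacklist misses a one-byte variant of a known sample, and how the behavioural traits listed above (names that imitate Windows system binaries, outbound-only traffic on 80/443 from a non-browser process, service persistence) can be checked on a process record. All sample bytes, process names, paths and IP addresses are constructed, and the lists of legitimate system binaries, Windows directories and browser names are assumptions made for the example.

```python
"""Hash blacklisting vs. trait-based triage for the APT malware characteristics above.

Added example, not part of the briefing; all data below is constructed.
"""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Assumed reference data for the example (not from the slide).
LEGIT_SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "lsass.exe", "services.exe"}
LEGIT_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\")
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
WEB_PORTS = {80, 443}

# Constructed stand-ins for two sample files: a "known" one and a one-byte variant.
KNOWN_SAMPLE = b"MZ\x90\x00 constructed-sample payload build 1"
VARIANT_SAMPLE = KNOWN_SAMPLE[:-1] + b"2"
BLACKLIST = {hashlib.md5(KNOWN_SAMPLE).hexdigest()}


def hash_blacklist_hit(data: bytes, blacklist: Set[str]) -> bool:
    """Signature-style check: only a byte-for-byte identical file matches."""
    return hashlib.md5(data).hexdigest() in blacklist


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot names that imitate system binaries."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str) -> Optional[str]:
    """Return the legitimate binary a near-miss name imitates (e.g. explore.exe), else None."""
    n = name.lower()
    if n in LEGIT_SYSTEM_BINARIES:
        return None  # an exact name is judged by its path instead
    for legit in sorted(LEGIT_SYSTEM_BINARIES):
        if edit_distance(n, legit) <= 2:
            return legit
    return None


@dataclass
class ProcessRecord:
    name: str
    path: str
    outbound: List[Tuple[str, int]] = field(default_factory=list)  # (dst_ip, dst_port)
    inbound: List[Tuple[str, int]] = field(default_factory=list)
    installed_as_service: bool = False


def triage(rec: ProcessRecord) -> List[str]:
    """Apply the slide's traits to one process record and return human-readable findings."""
    findings: List[str] = []
    n, p = rec.name.lower(), rec.path.lower()
    if n in LEGIT_SYSTEM_BINARIES and not p.startswith(LEGIT_SYSTEM_DIRS):
        findings.append(f"{rec.name} running outside the Windows directory: {rec.path}")
    legit = lookalike_of(rec.name)
    if legit:
        findings.append(f"{rec.name} looks like {legit}")
    web_out = [c for c in rec.outbound if c[1] in WEB_PORTS]
    if web_out and not rec.inbound and n not in BROWSERS:
        ports = sorted({c[1] for c in web_out})
        findings.append(f"outbound-only traffic on ports {ports} from a non-browser process")
    if rec.installed_as_service and findings:
        findings.append("service persistence by a process already flagged above")
    return findings


# Constructed process records.
SUSPECT = ProcessRecord("explore.exe", "c:\\users\\alice\\appdata\\local\\temp\\explore.exe",
                        outbound=[("203.0.113.7", 443)], installed_as_service=True)
ROGUE_SVCHOST = ProcessRecord("svchost.exe", "c:\\users\\public\\svchost.exe",
                              outbound=[("203.0.113.7", 80)])
BENIGN = ProcessRecord("svchost.exe", "c:\\windows\\system32\\svchost.exe",
                       outbound=[("10.0.0.5", 135)], inbound=[("10.0.0.9", 135)])

if __name__ == "__main__":
    print("known sample on blacklist:", hash_blacklist_hit(KNOWN_SAMPLE, BLACKLIST))
    print("one-byte variant on blacklist:", hash_blacklist_hit(VARIANT_SAMPLE, BLACKLIST))
    for rec in (SUSPECT, ROGUE_SVCHOST, BENIGN):
        print(rec.name, rec.path, "->", triage(rec) or "no findings")
```

The hash check is exact by design, which is the slide's point: a variant that differs in one byte has a different MD5 and sails past the blacklist, whereas the name, path and connection-direction checks still fire on it. The edit-distance threshold of 2 is a tuning choice; widen it and you start matching legitimate binaries against each other.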
Operation Shady RAT
Shady RAT advanced persistent threat (APT)
- Active command and control (C&C) server accessed by McAfee Labs
- Evidence of five years of attacks
- Most common attack vector: spear-phishing
Operation Shady RAT: Coveted Data
Operation Shady RAT: Motivation - money, politics
Operation Night Dragon
Night Dragon: Targeted attacks & advanced persistent threats
Night Dragon: Methodical and Progressive
1. Attacker sends a spear-phishing email containing a link to a compromised web server.
2. User opens the infected email and the compromised website is accessed; a RAT is downloaded.
3. User account information and host configuration information are sent to a C&C server.
4. Attacker uses the RAT malware to conduct additional reconnaissance and system compromises and to harvest confidential data.
(Diagram: Internet - Email - Web - C&C)
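Each step of that chain leaves a record in a different log source: the mail gateway sees the link arrive, the web proxy sees it clicked and the executable fetched, and the firewall sees the repeated outbound connections to the C&C server. The Python script below is an added example, not part of the briefing, showing how a defender can stitch those three sources together per workstation so that the chain is visible as one incident rather than three unrelated events. The log format, the internal domain, the user-to-host inventory, the host names, URLs and IP addresses are all constructed for the example.

```python
"""Correlating the Night Dragon chain across mail, proxy and firewall logs.

Added example, not part of the briefing; every host, address, user and log line
below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed environment data (not from the slide): the internal mail domain and an
# asset inventory mapping each mailbox to the workstation its owner uses.
INTERNAL_DOMAINS = {"example.test"}
USER_HOSTS = {"alice@example.test": "ws-alice", "bob@example.test": "ws-bob"}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream"}
BEACON_MIN_COUNT = 3                   # repeated outbound connections before we call it a beacon
BEACON_JITTER = timedelta(seconds=30)  # tolerated drift between connection intervals

# Constructed log lines in a simple "timestamp source key=value ..." layout.
LOG_LINES = """
2011-10-17T08:01:12 mail to=alice@example.test from=hr-news@example-hr.test link=http://updates.example-hr.test/policy.html
2011-10-17T08:05:40 proxy host=ws-alice url=http://updates.example-hr.test/policy.html status=200 type=text/html
2011-10-17T08:05:43 proxy host=ws-alice url=http://updates.example-hr.test/setup.exe status=200 type=application/x-msdownload
2011-10-17T08:06:10 fw host=ws-alice dst=203.0.113.7:443 dir=out
2011-10-17T08:16:10 fw host=ws-alice dst=203.0.113.7:443 dir=out
2011-10-17T08:26:11 fw host=ws-alice dst=203.0.113.7:443 dir=out
2011-10-17T09:00:00 proxy host=ws-bob url=http://intranet.example.test/news status=200 type=text/html
2011-10-17T09:01:00 fw host=ws-bob dst=198.51.100.20:443 dir=out
""".strip().splitlines()


def parse(line: str) -> Dict[str, object]:
    """Turn one constructed log line into a dict of its fields."""
    ts, source, *pairs = line.split()
    event: Dict[str, object] = {"ts": datetime.fromisoformat(ts), "source": source}
    for token in pairs:
        key, _, value = token.partition("=")
        event[key] = value
    return event


def domain_of(url: str) -> str:
    return url.split("//", 1)[-1].split("/", 1)[0].lower()


def is_periodic(times: List[datetime]) -> bool:
    """True when there are enough connections and the gaps between them are nearly equal."""
    if len(times) < BEACON_MIN_COUNT:
        return False
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    return all(abs(gap - gaps[0]) <= BEACON_JITTER for gap in gaps)


def correlate(lines: List[str]) -> Dict[str, List[str]]:
    """Return, per workstation, the chain stages observed, in order."""
    events = sorted((parse(line) for line in lines), key=lambda e: e["ts"])
    phish_domain: Dict[str, str] = {}           # host -> domain of the externally sent link
    stages: Dict[str, List[str]] = defaultdict(list)
    outbound: Dict[tuple, List[datetime]] = defaultdict(list)  # (host, dst) -> timestamps

    for ev in events:
        if ev["source"] == "mail":
            sender_domain = str(ev["from"]).split("@")[-1].lower()
            host = USER_HOSTS.get(str(ev["to"]))
            if host and sender_domain not in INTERNAL_DOMAINS:   # step 1: link arrives from outside
                phish_domain[host] = domain_of(str(ev["link"]))
                stages[host].append("spear-phish link delivered")
        elif ev["source"] == "proxy":
            host = str(ev["host"])
            if host in phish_domain and domain_of(str(ev["url"])) == phish_domain[host]:
                if "link clicked" not in stages[host]:            # step 2: the link is followed
                    stages[host].append("link clicked")
                if ev["type"] in EXECUTABLE_TYPES and "executable downloaded" not in stages[host]:
                    stages[host].append("executable downloaded")  # step 2: the RAT is fetched
        elif ev["source"] == "fw" and ev["dir"] == "out":
            outbound[(str(ev["host"]), str(ev["dst"]))].append(ev["ts"])

    for (host, dst), times in outbound.items():                    # steps 3-4: regular C&C contact
        if is_periodic(times):
            stages[host].append(f"periodic outbound beacon to {dst}")
    return dict(stages)


if __name__ == "__main__":
    for host, chain in correlate(LOG_LINES).items():
        print(host, "->", " > ".join(chain))
```

On the constructed data only ws-alice reaches all four stages; ws-bob's single outbound connection never satisfies the beacon test, so it is not reported. In a real deployment the periodicity threshold and the user-to-host mapping are the fragile parts: DHCP churn breaks the inventory, and a beacon with randomised sleep defeats the equal-gap test, which is why the slide's outbound-only and port 80/443 traits are worth checking alongside timing.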
Operation Stuxnet
Stuxnet: Used 20 zero-day vulnerabilities
- CVE-2010-2772 - SCADA WinCC/PCS 7 vulnerability
- CVE-2010-2568 - MS10-046 - LNK
- CVE-2010-2729 - MS10-061 - Print Spooler
- CVE-2010-2743 - MS10-073 - Privilege escalation via keyboard layout file
- CVE-2010-3338 - MS10-092 - Privilege escalation via Task Scheduler
- Win32k.sys (awaiting CVE)
Stuxnet
The Stuxnet Trojan was discovered in mid-June 2010 by an anti-malware company in Belarus called VirusBlokAda.
It was signed with a real-looking but faked signature attributed to Realtek Semiconductor, one of the biggest producers of computer equipment.
The certificate was valid through June 10 and Stuxnet's drivers were signed in late January. It was about a week after the certificate expired that the anti-malware community first saw Stuxnet in the wild.
The malware searched the compromised system in an attempt to access the Siemens SIMATIC WinCC SCADA system database on Windows. It used a hard-coded password in the Siemens WinCC system to access operational data of the control systems stored in the WinCC software's SQL database.
Hacktivism
Anonymous Group stands up for WikiLeaks
Anonymous publishes BofA emails
Countermeasures
McAfee: Complete End-to-End Protection Against All Phases of APT Attacks
Steps to Protection
Step 1 - Reconnaissance
- Network DLP (prevents sensitive data from leaving)
Step 2 - Network Intrusion
- Firewall (blocks APT connection via IP reputation)
- Web Gateway (detects/blocks obfuscated malware)
- Email Gateway (blocks spear-phishing emails and links to malicious sites)
- Network Threat Response (detects obfuscated malware)
- Network Security Platform (stops malicious exploit delivery)
Step 3 - Establish Backdoor
- Firewall (detects/blocks APT back-channel communication)
- Network Threat Response (detects APT destination IPs)
- Application Whitelisting (prevents backdoor installation)
Step 4 - Install Command and Control Utilities
- Web Gateway (detects/blocks access to malicious applications)
- Application Whitelisting (prevents unauthorized changes to systems)
Step 5 - Data Exfiltration
- Unified DLP (prevents data from leaving the network)
Step 6 - Maintaining Persistence
- Network User Behavioral Analysis (identifies unexpected user behavior during APT reconnaissance and data collection phases)
McAfee SaaS Architecture Vision: an intelligent security fabric that wraps around the enterprise
- Collaboration Proxies
- Agent-based Collectors
- Threat Feeds
- Vulnerability Probes
- Real-time Threat Analyzers
- Data Protection Vaults
- Authentication and Trust Brokers
- Intelligent Dashboards
Find out more
Visit Global Micro Solutions: http://www.globalmicro.co.za