Presentation is loading. Please wait.

Presentation is loading. Please wait.

PRESENTED BY: © 2013 Mandiant Corporation. All rights reserved. APT1 & M-Trends 2013 Grady Summers MAY 9, 2013.

Published byNorah Alexander Modified over 9 years ago

Similar presentations

Presentation on theme: "PRESENTED BY: © 2013 Mandiant Corporation. All rights reserved. APT1 & M-Trends 2013 Grady Summers MAY 9, 2013."— Presentation transcript:

1 PRESENTED BY: © 2013 Mandiant Corporation. All rights reserved. APT1 & M-Trends 2013 Grady Summers MAY 9, 2013

2 2 At Mandiant We Live the Headlines Experts in Advanced Targeted Threats Incident responders to the biggest breaches We train the FBI & Secret Service Our CEO wrote the book (literally) on incident response Our Products Are Based on Our Experience Built to fill a gap for incident responders We use our own products in our investigations SC Magazine 2012 & 2013 “Best Security Company” Nationwide Presence 350+ employees Offices in DC, New York, LA, San Francisco, and Albuquerque Best Security Company

3  Free tools  Redline  IOC Editor  IOC Finder  Memoryze  Memoryze for Mac  Highlighter  Web Historian 3  Resources  M-Trends  M-Unition  blog.mandiant.com  Forums  Forums.mandiant.com  Education  Black Hat classes  Custom classes  Webinar series Free Resources

4 4 Anatomy of a Targeted Attack Initial CompromiseEstablish FootholdEscalate PrivilegesInternal ReconComplete Mission Attackers Move Methodically to Gain Persistent & Ongoing Access to Their Targets At organizations where Mandiant responded to a targeted attack in the last year, the typical attacker went undetected for 273 days. Move Laterally Maintain Presence Custom malware Command and control 3 rd party application exploitation Credential theft Password cracking “Pass-the-hash” Critical system recon System, active directory & user enumeration Staging servers Data consolidation Data theft Social engineering Spear phishing e-mail with custom malware Net use commands Reverse shell access Backdoor variants VPN subversion Sleeper malware

5 5 Visibility is critical Of all of the compromised machines Mandiant identified in 2011, only 54% had malware on them. EVIDENCE OF COMPROMISE Initial CompromiseEstablish FootholdEscalate PrivilegesInternal ReconComplete Mission Move Laterally Maintain Presence Unauthorized Use of Valid Accounts Known & Unknown Malware Command & Control Activity Suspicious Network Traffic Files Accessed by Attackers Valid Programs Used for Evil Purposes Trace Evidence & Partial Files

6 Inside APT 1

7  Monday, February 18, 2013 Mandiant released intelligence report on threat group: APT1  Linked APT1 to PLA unit 61398  Provided hard evidence  Released 3000+ immediately actionable indicators of compromise  OpenIOC format  Malware reports  IPs/domain names  MD5s  SSL Certificates  5 minute video showing footage of the attacker in action  Set the bar for actionable intelligence sharing Background

8  ~30 core people worked on actual report  Threat Intelligence  IOCs  M-Labs  Marketing, legal, execs…  Significant effort to validate and consolidate data (and conduct open source research) under tight deadline  Though the “surge” was intense, it was made possible by 7 years of previous research 8 The People

9  Prolific  Volume of data stolen  Comprehensive understanding of tools, tactics, and procedures  Example of actionable information sharing  The timing felt right  Traffic Light Protocol (TLP): Green indicator disclosure  Not as intel-sensitive as other groups Why?

10 APT 1 – Targets by Industry

11 APT 1 – Victims by Country

12 APT 1 – Impact

13 APT 1 – Command and Control Infrastructure

14  We’ve received lots of it!  Why do you always pick on China?!  Focusing on the country of origin is the wrong issue  Don’t focus on the attacker, focus on your defenses  Mandiant disclosed sensitive intel and ruined intelligence operations  Publicity stunt Criticisms

15  CNN video shows military chasing CNN vehicle near the building while filming https://www.youtube.com/watch?v=yG2ezzLHSD0  Sen. Feinstein, Chairman Senate Intelligence Committee:  “I read the Mandiant report. I've also read other reports, classified out of Intelligence, and I think the Mandiant report, which is now unclassified, it's public, is essentially correct,” http://thehill.com/blogs/global-affairs/terrorism/284721-intel-chairwoman-report-on-chinas-cyber-war-unit- essentially-correct Accuracy

16  DOTA phone number discovered used in 2009 for apartment rental – 600 feet from unit 61398.  SuperHard_M (aka Mei Qiang) likely studied at famous PLA Information Engineering University in 2005.  2004 recruitment notice on Zhejiang University website advertising for “Unit 61398 of China’s PLA (located in Pudong District, Shanghai) seeks to recruit 2003-class computer science graduate students.”  LA Times found blog of possible 61398 worker: http://lat.ms/12OATUY http://lat.ms/12OATUY https://www.mandiant.com/blog/netizen-research-bolsters-apt1-attribution Accuracy – Netizen Research

17  Monday 2/18 – Business as usual  Report is released at 10 PM EST – 11 AM CST  Tuesday 2/19 – Clear signs of action plan being invoked  Domains getting parked  WHOIS registry getting changed  Backdoor/tools removed  Staging/working directories cleared  New backdoors implanted (leverage public communications channels – hotmail/gmail/MSN)  MACROMAIL malware from APT1 report  Today: many indicators changed, but otherwise business as usual APT1 – Reaction after a week

18  NY Times disclosed internal name APT12  Tools:  APT1 – WEBC2, public communication channels, noisy  APT12 – DNS calc, cmdline backdoors, more stealthy  Data theft:  APT1 – everything  APT12 - discriminating  Skill:  APT1 – good enough, large range of skillsets  APT12 – more skilled  Industries targeted:  APT1 – everything  APT12 – satellite, crypto, media APT1 vs. APT12

19 M-Trends 2013

20 Targeted industries

21 Compromise Detection

22 Dwell Time

23 Trend #1 – Outside In  When targeted organizations increase their prevention and detection capability, weaker service providers and partners become targets  Mandiant investigated several organizations that had been compromised through 3 rd party connections  15% of victims in 2012 were notified by a service provider

24 Trend #2 – ‘X’ Marks the Spot  Attacks are becoming more surgical in nature: immediately targeting administrators for network diagrams, sensitive asset lists  Change from historical reliance on internal network reconnaissance  One victim had followed all the necessary precautions to protect their financial information, yet attacks against system administrators yielded necessary data to breach the environment

25 Trend #3 – Once a Target, Always a Target  Though long known anecdotally, Mandiant measured repeat victimization in 2012  38% of victims were re- compromised within the year  Reminder that persistence means constant attempts at re- compromise until mission is accomplished

26 Trend #4 – Strategic Web Compromise  Mandiant observed frequent use of strategic web compromises, or “watering hole attacks” over the last year  Financial institutions attacked via Java exploits on local news web sites  Energy companies compromised through an industry portal  Significant collateral damage

27

Download ppt "PRESENTED BY: © 2013 Mandiant Corporation. All rights reserved. APT1 & M-Trends 2013 Grady Summers MAY 9, 2013."

Similar presentations

1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.

1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.
© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.

© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.
APT in Corporate America and the Exposure to Foothold Scenarios Nathaniel Puffer Technical Lead, Neohapsis Labs.

APT in Corporate America and the Exposure to Foothold Scenarios Nathaniel Puffer Technical Lead, Neohapsis Labs.
Social Network Security Issues: Social Engineering and Phishing Attacks Jeffrey Allen, Leon Gomez, Marlon Green, Phillip Ricciardi, Christian Sanabria.

Social Network Security Issues: Social Engineering and Phishing Attacks Jeffrey Allen, Leon Gomez, Marlon Green, Phillip Ricciardi, Christian Sanabria.
CHINESE HACKERS. Where do they come from? In 2007 private security firm Mandiant was hired by the New York Times to trace cyber-attacks on their network.

CHINESE HACKERS. Where do they come from? In 2007 private security firm Mandiant was hired by the New York Times to trace cyber-attacks on their network.
ECE-6612 Prof. John A. Copeland 404 894-5177 Advanced Persistent Threat Material.

ECE Prof. John A. Copeland Advanced Persistent Threat Material.
1© Copyright 2011 EMC Corporation. All rights reserved. Advanced Persistent Threat Sachin Deshmanya & Srinivas Matta.

1© Copyright 2011 EMC Corporation. All rights reserved. Advanced Persistent Threat Sachin Deshmanya & Srinivas Matta.
Emerging Trends: Cyber Threats Bryan Sheppard Cyber Security Defense Center.

Emerging Trends: Cyber Threats Bryan Sheppard Cyber Security Defense Center.
©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.

©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.
Global Information Security Issues According to the E&Y Global Survey, Managers Say the Right Thing… –90% of 1400 companies surveyed in 66 countries say.

Global Information Security Issues According to the E&Y Global Survey, Managers Say the Right Thing… –90% of 1400 companies surveyed in 66 countries say.
Ken Paiboon 214.274.3436 ken@exabeam.com User Behavior Intelligence Fundamentals: Behaviors, Characteristics, and Facts Ken Paiboon 214.274.3436 ken@exabeam.com.

Ken Paiboon User Behavior Intelligence Fundamentals: Behaviors, Characteristics, and Facts Ken Paiboon
Introduction to Network Defense

Introduction to Network Defense
The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions 631-692-5175 Steve Katz, CISSP Security.

The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions Steve Katz, CISSP Security.
RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.

RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.
Information Security 2013 Roadshow. Roadshow Outline  Why We Care About Information Security  Safe Computing Recognize a Secure Web Site (HTTPS) How.

Information Security 2013 Roadshow. Roadshow Outline  Why We Care About Information Security  Safe Computing Recognize a Secure Web Site (HTTPS) How.
Cyber crime on the rise. Recent cyber attacks How it happens? Distributed denial of service Whaling Rootkits Keyloggers Trojan horses Botnets Worms Viruses.

Cyber crime on the rise. Recent cyber attacks How it happens? Distributed denial of service Whaling Rootkits Keyloggers Trojan horses Botnets Worms Viruses.
Www.softwareassist.net Protecting Mainframe and Distributed Corporate Data from FTP Attacks: Introducing FTP/Security Suite Alessandro Braccia, DBA Sistemi.

Protecting Mainframe and Distributed Corporate Data from FTP Attacks: Introducing FTP/Security Suite Alessandro Braccia, DBA Sistemi.
Did You Hear That Alarm? The impacts of hitting the information security snooze button.

Did You Hear That Alarm? The impacts of hitting the information security snooze button.
Staying Ahead of the Curve in Cyber Security Bill Chang CEO, SingTel Group Enterprise.

Staying Ahead of the Curve in Cyber Security Bill Chang CEO, SingTel Group Enterprise.
Case Study: Department of Revenue Data Breach National Association of State Auditors, Comptrollers and Treasurers March 21, 2013.

Case Study: Department of Revenue Data Breach National Association of State Auditors, Comptrollers and Treasurers March 21, 2013.

Similar presentations

Ads by Google