APT1 & M-Trends 2013. Presented by Grady Summers, May 9, 2013. © 2013 Mandiant Corporation. All rights reserved.

Presentation transcript:

Slide 1 – APT1 & M-Trends 2013 (Grady Summers, May 9, 2013)

Slide 2 – At Mandiant We Live the Headlines
- Experts in advanced targeted threats
  - Incident responders to the biggest breaches
  - We train the FBI & Secret Service
  - Our CEO wrote the book (literally) on incident response
- Our products are based on our experience
  - Built to fill a gap for incident responders
  - We use our own products in our investigations
  - SC Magazine 2012 & 2013 “Best Security Company”
- Nationwide presence
  - 350+ employees
  - Offices in DC, New York, LA, San Francisco, and Albuquerque

Slide 3 – Free Resources
- Free tools: Redline, IOC Editor, IOC Finder, Memoryze, Memoryze for Mac, Highlighter, Web Historian
- Resources: M-Trends, M-Unition, Forums
- Education: Black Hat classes, custom classes, webinar series

Slide 4 – Anatomy of a Targeted Attack
Attackers move methodically to gain persistent and ongoing access to their targets. At organizations where Mandiant responded to a targeted attack in the last year, the typical attacker went undetected for 273 days.

Lifecycle: Initial Compromise → Establish Foothold → Escalate Privileges → Internal Recon → Move Laterally → Maintain Presence → Complete Mission
- Initial Compromise: social engineering; spear phishing e-mail with custom malware; 3rd party application exploitation
- Establish Foothold: custom malware; command and control
- Escalate Privileges: credential theft; password cracking; “pass-the-hash”
- Internal Recon: critical system recon; system, Active Directory & user enumeration
- Move Laterally: net use commands; reverse shell access
- Maintain Presence: backdoor variants; VPN subversion; sleeper malware
- Complete Mission: staging servers; data consolidation; data theft

Slide 5 – Visibility is critical
Of all of the compromised machines Mandiant identified in 2011, only 54% had malware on them.

Evidence of compromise (across the lifecycle: Initial Compromise, Establish Foothold, Escalate Privileges, Internal Recon, Move Laterally, Maintain Presence, Complete Mission):
- Unauthorized use of valid accounts
- Known & unknown malware
- Command & control activity
- Suspicious network traffic
- Files accessed by attackers
- Valid programs used for evil purposes
- Trace evidence & partial files

Slide 6 – Inside APT 1

Slide 7 – Background
- Monday, February 18, 2013: Mandiant released an intelligence report on threat group APT1
  - Linked APT1 to PLA unit 61398
  - Provided hard evidence
- Released 3000+ immediately actionable indicators of compromise
  - OpenIOC format
  - Malware reports
  - IPs/domain names
  - MD5s
  - SSL certificates
- 5 minute video showing footage of the attacker in action
- Set the bar for actionable intelligence sharing
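The two slides above make one practical point: indicators shared in OpenIOC format (MD5s, domain names, IPs, process attributes) let a defender find compromise on hosts that carry no malware at all, because C2 traffic and abused valid programs are evidence too. The following is an added example of how such indicators are evaluated; it is not Mandiant's code and contains none of the APT1 report's indicators. It assumes a simplified OpenIOC 1.0-style document (the `ioc`/`definition`/`Indicator`/`IndicatorItem` structure with `is`/`contains` conditions and AND/OR nesting) and a flat observation dict keyed by the OpenIOC `search` path, and every hash, domain, IP and path in it is constructed for the example.

```python
"""Minimal OpenIOC-style indicator matcher (added example, not Mandiant's code)."""
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed OpenIOC 1.0-style document. The MD5 (hash of the empty string),
# the .invalid domain, the TEST-NET IP and the paths are placeholders, not real IOCs.
SAMPLE_IOC = """
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="EXAMPLE-0001" last-modified="2013-02-18T00:00:00">
  <short_description>EXAMPLE backdoor (constructed indicators)</short_description>
  <definition>
    <Indicator operator="OR" id="top">
      <IndicatorItem id="i1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content>
      </IndicatorItem>
      <IndicatorItem id="i2" condition="contains">
        <Context document="Network" search="Network/DNS" type="mir"/>
        <Content type="string">c2.example.invalid</Content>
      </IndicatorItem>
      <IndicatorItem id="i3" condition="is">
        <Context document="PortItem" search="PortItem/remoteIP" type="mir"/>
        <Content type="IP">203.0.113.10</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="nested">
        <IndicatorItem id="i4" condition="is">
          <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
          <Content type="string">svchost.exe</Content>
        </IndicatorItem>
        <IndicatorItem id="i5" condition="contains">
          <Context document="ProcessItem" search="ProcessItem/path" type="mir"/>
          <Content type="string">\\Users\\</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed host observations: one record per artifact, keyed by OpenIOC search path.
OBSERVATIONS = [
    {"id": "host01-file", "FileItem/Md5sum": "D41D8CD98F00B204E9800998ECF8427E"},
    {"id": "host02-dns", "Network/DNS": "update.c2.example.invalid"},          # no malware on disk
    {"id": "host03-conn", "PortItem/remoteIP": "203.0.113.10"},                # C2 connection only
    {"id": "host04-proc", "ProcessItem/name": "svchost.exe",
     "ProcessItem/path": "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe"}, # valid name, wrong path
    {"id": "host05-clean", "ProcessItem/name": "svchost.exe",
     "ProcessItem/path": "C:\\Windows\\System32\\svchost.exe"},               # legitimate
    {"id": "host06-clean", "FileItem/Md5sum": "0cc175b9c0f1b6a831c399e269772661",
     "Network/DNS": "www.example.com"},
]


def load_ioc(xml_text):
    """Parse an OpenIOC document; return (ioc id, top-level Indicator element)."""
    root = ET.fromstring(xml_text)
    definition = root.find("ioc:definition", NS)
    return root.get("id"), definition.find("ioc:Indicator", NS)


def item_matches(item, observation):
    """Evaluate one IndicatorItem against an observation (case-insensitive)."""
    search = item.find("ioc:Context", NS).get("search")
    expected = (item.find("ioc:Content", NS).text or "").strip().lower()
    actual = observation.get(search)
    if actual is None:
        return False
    actual = str(actual).lower()
    condition = item.get("condition")
    if condition == "is":
        return actual == expected
    if condition == "contains":
        return expected in actual
    return False  # conditions beyond is/contains are not handled in this example


def indicator_matches(indicator, observation):
    """Recursively evaluate an Indicator: AND requires all children, OR requires any."""
    results = []
    for child in indicator:
        tag = child.tag.split("}")[-1]  # strip the namespace
        if tag == "IndicatorItem":
            results.append(item_matches(child, observation))
        elif tag == "Indicator":
            results.append(indicator_matches(child, observation))
    if not results:
        return False
    return all(results) if indicator.get("operator", "OR").upper() == "AND" else any(results)


def scan(xml_text, observations):
    """Return the ids of observations that satisfy the IOC's top-level Indicator."""
    _ioc_id, indicator = load_ioc(xml_text)
    return [obs["id"] for obs in observations if indicator_matches(indicator, obs)]


if __name__ == "__main__":
    print(scan(SAMPLE_IOC, OBSERVATIONS))  # ['host01-file', 'host02-dns', 'host03-conn', 'host04-proc']
```

Three of the four hits (DNS lookup, outbound connection, a legitimately named process running from a user directory) involve no malicious file hash at all, which is the slide's 54% point in miniature. The nested AND indicator is the part worth copying: a process name alone would flag every host, and the path condition is what turns it into a usable detection.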

Slide 8 – The People
- ~30 core people worked on the actual report: Threat Intelligence, IOCs, M-Labs, marketing, legal, execs…
- Significant effort to validate and consolidate data (and conduct open source research) under a tight deadline
- Though the “surge” was intense, it was made possible by 7 years of previous research

Slide 9 – Why?
- Prolific: volume of data stolen
- Comprehensive understanding of tools, tactics, and procedures
- Example of actionable information sharing
- The timing felt right
- Traffic Light Protocol (TLP): Green indicator disclosure
- Not as intel-sensitive as other groups

Slide 10 – APT 1 – Targets by Industry

Slide 11 – APT 1 – Victims by Country

Slide 12 – APT 1 – Impact

Slide 13 – APT 1 – Command and Control Infrastructure

Slide 14 – Criticisms
- We’ve received lots of it!
- Why do you always pick on China?!
- Focusing on the country of origin is the wrong issue
- Don’t focus on the attacker, focus on your defenses
- Mandiant disclosed sensitive intel and ruined intelligence operations
- Publicity stunt

Slide 15 – Accuracy
- CNN video shows military chasing CNN vehicle near the building while filming
- Sen. Feinstein, Chairman, Senate Intelligence Committee: “I read the Mandiant report. I've also read other reports, classified out of Intelligence, and I think the Mandiant report, which is now unclassified, it's public, is essentially correct.”

Slide 16 – Accuracy – Netizen Research
- DOTA phone number discovered used in 2009 for an apartment rental 600 feet from unit 61398
- SuperHard_M (aka Mei Qiang) likely studied at the famous PLA Information Engineering University in 2005
- 2004 recruitment notice on the Zhejiang University website advertising for “Unit 61398 of China’s PLA (located in Pudong District, Shanghai) seeks to recruit 2003-class computer science graduate students.”
- LA Times found blog of possible 61398 worker:

Slide 17 – APT1 – Reaction after a week
- Monday 2/18 – Business as usual
  - Report is released at 10 PM EST – 11 AM CST
- Tuesday 2/19 – Clear signs of an action plan being invoked
  - Domains getting parked
  - WHOIS registry getting changed
  - Backdoor/tools removed
  - Staging/working directories cleared
  - New backdoors implanted (leverage public communications channels – hotmail/gmail/MSN), e.g. the MACROMAIL malware from the APT1 report
- Today: many indicators changed, but otherwise business as usual

Slide 18 – APT1 vs. APT12
- NY Times disclosed internal name APT12
- Tools: APT1 – WEBC2, public communication channels, noisy; APT12 – DNS calc, cmdline backdoors, more stealthy
- Data theft: APT1 – everything; APT12 – discriminating
- Skill: APT1 – good enough, large range of skillsets; APT12 – more skilled
- Industries targeted: APT1 – everything; APT12 – satellite, crypto, media

Slide 19 – M-Trends 2013

Slide 20 – Targeted industries

Slide 21 – Compromise Detection

Slide 22 – Dwell Time

Slide 23 – Trend #1 – Outside In
- When targeted organizations increase their prevention and detection capability, weaker service providers and partners become targets
- Mandiant investigated several organizations that had been compromised through 3rd party connections
- 15% of victims in 2012 were notified by a service provider

Slide 24 – Trend #2 – ‘X’ Marks the Spot
- Attacks are becoming more surgical in nature: immediately targeting administrators for network diagrams and sensitive asset lists
- Change from the historical reliance on internal network reconnaissance
- One victim had followed all the necessary precautions to protect their financial information, yet attacks against system administrators yielded the data necessary to breach the environment

Slide 25 – Trend #3 – Once a Target, Always a Target
- Though long known anecdotally, Mandiant measured repeat victimization in 2012
- 38% of victims were re-compromised within the year
- Reminder that persistence means constant attempts at re-compromise until the mission is accomplished

Slide 26 – Trend #4 – Strategic Web Compromise
- Mandiant observed frequent use of strategic web compromises, or “watering hole attacks”, over the last year
- Financial institutions attacked via Java exploits on local news web sites
- Energy companies compromised through an industry portal
- Significant collateral damage