
How to fight an APT attack: Identifying and Responding to a visit from China.


1 How to fight an APT attack: Identifying and Responding to a visit from China

2 Trends of Cyber Espionage
“Most surprising to us is the consistent, significant growth of incidents in the dataset. We knew it was pervasive, but it’s a little disconcerting when it triples last year’s already much-increased number. Espionage exhibits a wider variety of threat actions than any other pattern. The most evident changes from our last report include the rise of strategic web compromises and the broader geographic regions represented by both victims and actors.” - Verizon DBIR

3 Cyber Espionage Statistics
2013 Compromises
–511 Reported Incidents
–306 Confirmed Data Disclosures
Malware Threat Vectors
–78% Email Attachments
–20% Drive By Downloads
–2% Email Link

4 Discovery Timeline
–0% Seconds
–0% Minutes
–9% Hours
–8% Days
–16% Weeks
–62% Months
–5% Years

5 Discovery Methods
85% External, 15% Internal, which breaks down as follows:
–67% External Unrelated Party
–16% External Law Enforcement
–8% Internal Anti-Virus
–2% Internal Network IDS
–2% Reported by User
–1% Internal Log Review
–1% Other

6 Spearphish
–Spoofed sender
–Looks legitimate; the attacker will research your social media presence for customization
–Will leverage a reconnaissance tool such as “TheHarvester” to acquire email targets
–Email attachments (typically PDF, Word, or Excel documents) contain embedded malware
–Once the attachment is opened, the malware is installed and beacons to its Command and Control server

7 Drive By Downloads
–Malicious actors set a trap on legitimate websites, redirecting the target to an Exploit Kit landing page (Excel Forums, NBC, Council on Foreign Relations)
–Once the Exploit Kit is successful, malware is dropped on the victim’s system
–The malware installs and beacons back to the Command and Control server

8 Pondurance Network Sensors > Drive By Downloads

9 Now we’re just showing off….

10 Cyber Espionage Attack Structure
–The custom dropper malware beacons to a command and control web site and pulls down backdoor malware, which gives the attacker reverse shell access.
–The attacker establishes multiple backdoors to ensure access can be maintained if the other systems are found.
–The attacker now has access to the system and dumps account names and passwords from the domain controller.
–The attacker cracks the passwords and now has access to legitimate user accounts to continue the attack undetected.
–The attacker performs reconnaissance to identify and gather data.
–Data is collected on a staging server.
–Data is exfiltrated from the staging server.
–The attacker will cover their tracks by deleting files but can return at any time to conduct additional activity.

11 Lateral Movement
–Scan the network for targets
–Copy the backdoor malware file over
–Schedule an “at” job to execute the malware
–PsExec
–Internal Remote Access Tools (TeamViewer!)

12 Incident Response Procedure
–Preparation
–Identification
–Containment
–Eradication
–Recovery
–Lessons Learned

13 Network Sensors – Initial Detection
The POST included:
    HTTP/1.1 200 OK
    Host: militarysurpluspotsandpans.com
    Dst: {"status":"1"}

14 Notice a pattern in these beacons?
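The pattern the slide asks about is periodicity: the same POST to the same host, with the same tiny reply, at a fixed interval. As an added example (not part of the presentation), this Python snippet runs that check over a constructed proxy log in which the {"status":"1"} reply seen on the previous slide recurs every five minutes; the log format, field order and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log (not from the presentation): time, source, method, host, response body.
SAMPLE_LOG = """\
09:00:00 10.1.1.23 POST militarysurpluspotsandpans.com {"status":"1"}
09:00:07 10.1.1.23 GET ajax.aspnetcdn.com <html>
09:05:01 10.1.1.23 POST militarysurpluspotsandpans.com {"status":"1"}
09:10:00 10.1.1.23 POST militarysurpluspotsandpans.com {"status":"1"}
09:12:44 10.1.1.23 GET g.ceipmsn.com <html>
09:15:02 10.1.1.23 POST militarysurpluspotsandpans.com {"status":"1"}
09:20:00 10.1.1.23 POST militarysurpluspotsandpans.com {"status":"1"}
09:31:10 10.1.1.23 GET ajax.aspnetcdn.com <html>
"""
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d) (\S+) (\S+) (\S+) (.*)$")

def parse(log):
    """Turn log lines into (seconds_since_midnight, src, method, host, body) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        h, mi, s = (int(x) for x in m.group(1, 2, 3))
        events.append((h * 3600 + mi * 60 + s, m.group(4), m.group(5), m.group(6), m.group(7)))
    return events

def find_beacons(log, min_hits=4, max_jitter=0.1):
    """Group POSTs by (src, host); flag pairs whose inter-request gaps are regular
    (coefficient of variation <= max_jitter) and whose response bodies are all identical."""
    by_pair = defaultdict(list)
    for ts, src, method, host, body in parse(log):
        if method == "POST":
            by_pair[(src, host)].append((ts, body))
    findings = []
    for (src, host), hits in by_pair.items():
        if len(hits) < min_hits:
            continue
        times = sorted(t for t, _ in hits)
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter and len({b for _, b in hits}) == 1:
            findings.append({"src": src, "host": host, "period_s": round(avg), "body": hits[0][1]})
    return findings
```

The legitimate GET traffic interleaved in the sample is ignored because it is neither a POST nor regular, which is the point of checking timing and body together rather than volume alone.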

15 Stop! Acquisition is so 2013…
–Acquisition takes A LONG TIME; it is nearly impossible to keep up with a skilled attacker using this methodology
–When an incident related to foreign nation-state cyber espionage goes to court, let me know ;)
–Remote Forensics is where it’s at… this capability allows you to mount remote Memory and Disk to your workstation for analysis in READ ONLY MODE in mere seconds

16 The Culprit – Captured in Real Time

17 PDF Analysis
–http://blog.didierstevens.com/programs/pdf-tools/
–http://blog.zeltser.com/post/3235995383/pdf-stream-dumper-malicious-file-analysis
–Malware embedded within PDF documents typically involves shellcode, JavaScript or .swf (Flash) files
–These tools allow you to identify and extract these objects for further analysis

18 Memory Analysis
Command Line Input
    root@ubuntu:/home/john/Volatility# python vol.py cmdscan
    Cmd #0 @ 0x300500: hostname
    Cmd #1 @ 0x310038: whoami
    Cmd #2 @ 0x31002d: netstat -ano
    Cmd #3 @ 0x2d0039: net use \\user-xp-pc\IPC$ /u:DOMAIN\USER-01
    Cmd #4 @ 0x310037: psexec \\user-xp-pc cmd.exe
    Cmd #5 @ 0x2d0030: netstat -ano

19 Memory Analysis
Suspicious Exited Connection
Umm…..

20 Memory Analysis - Processes

21 Memory Analysis – Acquiring Processes Process saved as an executable to your local directory in seconds From there you may proceed with malware analysis Works for DLLs as well

22 Malware Analysis

23 Capabilities:
–Remote Access Trojan [RAT]: able to provide a reverse shell to the attacker for backdoor-level access
–Keylogger: able to steal credentials from the affected system
How does this influence the remediation strategy?

24 Malware Analysis – C2 Traffic

Domain                             IP Address
g.ceipmsn.com                      131.253.40.10
microsoftwlsearchcrm.112.2o7.net   66.235.138.225
puppydepo.com                      120.199.31.8
414780153.log.optimizely.com       54.235.178.178
militarysurpluspotsandpans.com     54.196.135.175
az10143.vo.msecnd.net              65.54.89.229
ajax.aspnetcdn.com                 68.232.34.200
static.revenyou.com                198.232.124.224

25 Oh look….

26 Basic Dynamic Analysis
Regshot will allow the analyst to identify how the malware influences the Registry upon execution:
–On a test machine, use Regshot to “snapshot” the Registry
–Run the malware
–Use Regshot to take a second “snapshot” of the Registry
–Regshot will then output the difference

27 Scoping the Attack
IOC Sweeps
–Indicators of Compromise – OpenIOC Framework
–XML Format
–Leverage threat intelligence of the malware (registry keys it writes to, file names, file sizes, compilation timestamps, etc.)
–Forensically scan every node on the network to see if these exist
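What a sweep evaluates is the nested AND/OR logic of an OpenIOC definition against artifacts collected from each node. As an added example (not code from the presentation or from the OpenIOC project), this Python evaluator parses a constructed OpenIOC-style definition with an all-zero placeholder hash and placeholder paths and applies it to a constructed per-host inventory; in a real sweep the inventory would be gathered forensically from every machine.

```python
import xml.etree.ElementTree as ET
NS = "{http://schemas.mandiant.com/2010/ioc}"
# Constructed OpenIOC-style definition (placeholder hash and paths, not the presentation's real IOCs).
IOC_XML = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="constructed-0001"><definition>
<Indicator operator="OR">
  <IndicatorItem condition="is">
    <Context document="FileItem" search="FileItem/Md5sum"/>
    <Content type="md5">00000000000000000000000000000000</Content>
  </IndicatorItem>
  <Indicator operator="AND">
    <IndicatorItem condition="contains">
      <Context document="RegistryItem" search="RegistryItem/Path"/>
      <Content type="string">CurrentVersion\\Run</Content>
    </IndicatorItem>
    <IndicatorItem condition="is">
      <Context document="RegistryItem" search="RegistryItem/Text"/>
      <Content type="string">C:\\Windows\\Temp\\svchost.exe</Content>
    </IndicatorItem>
  </Indicator>
</Indicator></definition></ioc>"""
# Constructed per-host artifact inventory, flattened per OpenIOC search term.
HOSTS = {
    "ws-01": {"FileItem/Md5sum": ["d41d8cd98f00b204e9800998ecf8427e"],
              "RegistryItem/Path": [r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"],
              "RegistryItem/Text": [r"C:\Windows\Temp\svchost.exe"]},
    "ws-02": {"FileItem/Md5sum": ["00000000000000000000000000000000"]},  # hash hit only
    "ws-03": {"RegistryItem/Path": [r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"],
              "RegistryItem/Text": [r"C:\Program Files\OneDrive\OneDrive.exe"]},  # only half of the AND
}

def item_matches(item, arts):
    """Evaluate one IndicatorItem ('is' or 'contains', case-insensitive) against host artifacts."""
    term = item.find(NS + "Context").get("search")
    content = item.find(NS + "Content").text.lower()
    values = [v.lower() for v in arts.get(term, [])]
    if item.get("condition") == "is":
        return content in values
    if item.get("condition") == "contains":
        return any(content in v for v in values)
    raise ValueError("unsupported condition: " + item.get("condition"))

def indicator_matches(node, arts):
    """Recursively combine child results with the node's AND/OR operator."""
    results = [item_matches(c, arts) if c.tag == NS + "IndicatorItem" else indicator_matches(c, arts)
               for c in node]
    return all(results) if node.get("operator") == "AND" else any(results)

def sweep(ioc_xml=IOC_XML, hosts=HOSTS):
    """Return the hosts on which the IOC definition fires."""
    top = ET.fromstring(ioc_xml).find(NS + "definition/" + NS + "Indicator")
    return sorted(name for name, arts in hosts.items() if indicator_matches(top, arts))
```

ws-03 shows why the nesting matters: a Run key alone is normal, and only the combination of the Run key with the suspicious image path fires the AND branch.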

28 Finding Evil with Autorunsc

    for /L %i in (1, 1, 254) do @psexec -s -n 4 -d \\n.n.n.%i cmd /c "net use o: \\server\share PASSWORD /user:domain\username && \\live.sysinternals.com\tools\autorunsc -a -v -f -c '*' > o:n.n.n.%i.csv && net use o: /delete"

–Remotely extract all Registry entries set to known autostart locations, as well as the MD5 hash of the associated files
–Example: SYSTEM\CurrentControlSet\Services. If the Start key is set to 0x02, the service will start at boot
–Another way to quickly scan an enterprise, if the auto-start mechanisms of the malware are known, is to push this out through Group Policy
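Once the per-host CSVs are on the share, the quickest way to find evil in them is to stack the autostart entries across the fleet: an entry or hash present on only one or two machines, or a well-known image path carrying a different MD5 on one host, stands out. As an added example (not from the presentation), this Python snippet does that over constructed CSVs that use a simplified autorunsc-style column set; real autorunsc -c output has more columns, so the column names here are an assumption.

```python
import csv
import io
from collections import defaultdict

# Constructed CSVs with a simplified autorunsc-style column set (real autorunsc -c emits more columns).
RESULTS = {
    "10.0.0.11": "Entry Location,Entry,Image Path,MD5\n"
                 "HKLM\\System\\CurrentControlSet\\Services,Spooler,c:\\windows\\system32\\spoolsv.exe,1111aaaa\n"
                 "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,OneDrive,c:\\users\\a\\onedrive.exe,2222bbbb\n",
    "10.0.0.12": "Entry Location,Entry,Image Path,MD5\n"
                 "HKLM\\System\\CurrentControlSet\\Services,Spooler,c:\\windows\\system32\\spoolsv.exe,1111aaaa\n"
                 "HKLM\\System\\CurrentControlSet\\Services,WinHelp32,c:\\windows\\temp\\svchost.exe,dead0000\n",
    "10.0.0.13": "Entry Location,Entry,Image Path,MD5\n"
                 "HKLM\\System\\CurrentControlSet\\Services,Spooler,c:\\windows\\system32\\spoolsv.exe,1111aaaa\n"
                 "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,OneDrive,c:\\users\\b\\onedrive.exe,2222bbbb\n",
    "10.0.0.14": "Entry Location,Entry,Image Path,MD5\n"
                 "HKLM\\System\\CurrentControlSet\\Services,Spooler,c:\\windows\\system32\\spoolsv.exe,9999ffff\n",
}

def stack(results, rare_below=2):
    """Stack autostart entries across hosts. Returns (rare, hash_drift):
    rare       - {(location, entry, md5): [hosts]} seen on fewer than rare_below hosts
    hash_drift - {image path: [md5s]} for paths carrying more than one MD5 across the fleet"""
    hosts_by_key = defaultdict(set)
    hashes_by_image = defaultdict(set)
    for host, text in results.items():
        for row in csv.DictReader(io.StringIO(text)):
            # Key on location + entry + hash so the same tool in different user dirs still stacks together.
            hosts_by_key[(row["Entry Location"], row["Entry"], row["MD5"])].add(host)
            hashes_by_image[row["Image Path"].lower()].add(row["MD5"])
    rare = {k: sorted(h) for k, h in hosts_by_key.items() if len(h) < rare_below}
    hash_drift = {img: sorted(h) for img, h in hashes_by_image.items() if len(h) > 1}
    return rare, hash_drift
```

In the sample, the WinHelp32 service and the odd spoolsv.exe hash on 10.0.0.14 both surface, while OneDrive installed under two different user profiles does not, because it stacks on entry name and hash rather than path.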

29 Containment – Get it right the first time or else
–Isolate the affected subnets from the rest of the network (if feasible; if not, then the affected machines)
–Sinkhole all the C2 domains in the DNS servers
–Suspend all user accounts related to the attack
–Submit malware to the AV vendor for signature creation

30 Eradication
–Pull affected machines from the network IN UNISON
–Rebuild machines from a known clean base image
–Issue new credentials to affected users
–Ensure AV signatures are updated throughout the environment

31 Recovery
–Bring remediated machines back on the network
–Remove the ACL restrictions that isolated the affected subnets
–Ensure business returns to normal
–Continue monitoring and sweeping the network

32 Lessons Learned
–Review the incident with the team
–Discuss what went right and what went wrong
–Document and implement these strategies in future scenarios

33 Any Questions?

