How to fight an APT attack: Identifying and Responding to a visit from China

Trends of Cyber Espionage “Most surprising to us is the consistent, significant growth of incidents in the dataset. We knew it was pervasive, but it’s a little disconcerting when it triples last year’s already much-increased number. Espionage exhibits a wider variety of threat actions than any other pattern. The most evident changes from our last report include the rise of strategic web compromises and the broader geographic regions represented by both victims and actors.” -Verizon DBIR “Most surprising to us is the consistent, significant growth of incidents in the dataset. We knew it was pervasive, but it’s a little disconcerting when it triples last year’s already much-increased number. Espionage exhibits a wider variety of threat actions than any other pattern. The most evident changes from our last report include the rise of strategic web compromises and the broader geographic regions represented by both victims and actors.” -Verizon DBIR

Cyber Espionage Statistics 2013 Compromises 511 Reported Incidents 306 Confirmed Data Disclosures Malware Threat Vectors 78% Attachments 20% Drive By Downloads 2% Link 2013 Compromises 511 Reported Incidents 306 Confirmed Data Disclosures Malware Threat Vectors 78% Attachments 20% Drive By Downloads 2% Link

Discovery Timeline 0% Seconds 0% Minutes 9% Hours 8% Days 16% Weeks 62% Months 5% Years 0% Seconds 0% Minutes 9% Hours 8% Days 16% Weeks 62% Months 5% Years

Discovery Methods 85% External 15% Internal Which breaks down as follows: 67% External Unrelated Party 16% External Law Enforcement 8% Internal Anti-Virus 2% Internal Network IDS 2% Reported by User 1% Internal Log Review 1% Other 85% External 15% Internal Which breaks down as follows: 67% External Unrelated Party 16% External Law Enforcement 8% Internal Anti-Virus 2% Internal Network IDS 2% Reported by User 1% Internal Log Review 1% Other

Spearphish Spoofed sender Looks legitimate, will research your social media presence for customization Will leverage a reconnaissance tool such as “TheHarvester” to acquire targets Attachments (typically PDF, Word, or Excel documents) contain embedded malware Once attachment is opened, malware is installed and beacons to it’s Command and Control Server Spoofed sender Looks legitimate, will research your social media presence for customization Will leverage a reconnaissance tool such as “TheHarvester” to acquire targets Attachments (typically PDF, Word, or Excel documents) contain embedded malware Once attachment is opened, malware is installed and beacons to it’s Command and Control Server

Drive By Downloads Malicious actors set a trap on legitimate websites redirecting the target to an Exploit Kit Landing Page –Excel Forums, NBC, Council on Foreign Relations Once the Exploit Kit is successful, malware is dropped on the victim’s system The malware installs and beacons back to the Command and Control server Malicious actors set a trap on legitimate websites redirecting the target to an Exploit Kit Landing Page –Excel Forums, NBC, Council on Foreign Relations Once the Exploit Kit is successful, malware is dropped on the victim’s system The malware installs and beacons back to the Command and Control server

Pondurance Network Sensors > Drive By Downloads

Now we’re just showing off….

Cyber Espionage Attack Structure The custom dropper malware beacons to a command and control web site and pulls down backdoor malware which enables the attacker with reverse shell access. The attacker establishes multiple backdoors to ensure access can be maintained if the other systems are found. The attacker now has access to the system and dumps account names and passwords from the domain controller. The attacker cracks the passwords and now has access to legitimate user accounts to continue the attack undetected. The attacker performs reconnaissance to identify and gather data. Data is collected on a staging server. Data is exfiltrated from the staging server. The attacker will cover their tracks by deleting files but can return at any time to conduct additional activity. The custom dropper malware beacons to a command and control web site and pulls down backdoor malware which enables the attacker with reverse shell access. The attacker establishes multiple backdoors to ensure access can be maintained if the other systems are found. The attacker now has access to the system and dumps account names and passwords from the domain controller. The attacker cracks the passwords and now has access to legitimate user accounts to continue the attack undetected. The attacker performs reconnaissance to identify and gather data. Data is collected on a staging server. Data is exfiltrated from the staging server. The attacker will cover their tracks by deleting files but can return at any time to conduct additional activity.

Lateral Movement Scan the network for targets –Copy the backdoor malware file over –Schedule an “at” job to execute the malware PsExec Internal Remote Access Tools (TeamViewer!) Scan the network for targets –Copy the backdoor malware file over –Schedule an “at” job to execute the malware PsExec Internal Remote Access Tools (TeamViewer!)

Incident Response Procedure Preparation Identification Containment Eradication Recovery Lessons Learned Preparation Identification Containment Eradication Recovery Lessons Learned

Network Sensors – Initial Detection The POST included: HTTP/ OK Host: militarysurpluspotsandpans.com Dst: {“status”:”1”}

Notice a pattern in these beacons?

Stop! Acquisition is so 2013… Acquisition takes A LONG TIME, it is nearly impossible to keep up with a skilled attacker using this methodology When an incident related to foreign nation-state cyber espionage goes to court, let me know ;) Remote Forensics is where its at….this capability allows you to mount remote Memory and Disk to your workstation for analysis in READ ONLY MODE in mere seconds Acquisition takes A LONG TIME, it is nearly impossible to keep up with a skilled attacker using this methodology When an incident related to foreign nation-state cyber espionage goes to court, let me know ;) Remote Forensics is where its at….this capability allows you to mount remote Memory and Disk to your workstation for analysis in READ ONLY MODE in mere seconds

The Culprit – Captured in Real Time

PDF Analysis dumper-malicious-file-analysishttp://blog.zeltser.com/post/ /pdf-stream- dumper-malicious-file-analysis Malware embedded within PDF documents typically involve Shellcode, JavaScript or.swf (flash) files These tools allow you to identify and extract these objects for further analysis dumper-malicious-file-analysishttp://blog.zeltser.com/post/ /pdf-stream- dumper-malicious-file-analysis Malware embedded within PDF documents typically involve Shellcode, JavaScript or.swf (flash) files These tools allow you to identify and extract these objects for further analysis

Memory Analysis Command Line Input python vol.py cmdscan Cmd 0x300500: hostname Cmd 0x310038: whoami Cmd 0x31002d: netstat -ano Cmd 0x2d0039: net use \\user-xp-pc\IPC$ /u:DOMAIN\USER-01 Cmd 0x310037: psexec \\user-xp-pc cmd.exe Cmd 0x2d0030: netstat -ano Command Line Input python vol.py cmdscan Cmd 0x300500: hostname Cmd 0x310038: whoami Cmd 0x31002d: netstat -ano Cmd 0x2d0039: net use \\user-xp-pc\IPC$ /u:DOMAIN\USER-01 Cmd 0x310037: psexec \\user-xp-pc cmd.exe Cmd 0x2d0030: netstat -ano

Memory Analysis Suspicious Exited Connection Umm….. Suspicious Exited Connection Umm…..

Memory Analysis - Processes

Memory Analysis – Acquiring Processes Process saved as an executable to your local directory in seconds From there you may proceed with malware analysis Works for DLLs as well

Malware Analysis

Capabilities: Remote Access Trojan [RAT] –Able to provide a reverse shell to the attacker for backdoor level access Keylogger –Able to steal credentials from the affected system How does this influence the remediation strategy? Capabilities: Remote Access Trojan [RAT] –Able to provide a reverse shell to the attacker for backdoor level access Keylogger –Able to steal credentials from the affected system How does this influence the remediation strategy?

Malware Analysis – C2 Traffic DomainsIP Address g.ceipmsn.com microsoftwlsearchcrm.112.2o7.net puppydepo.com log.optimizely.com militarysurpluspotsandpans.com az10143.vo.msecnd.net ajax.aspnetcdn.com static.revenyou.com

Oh look….

Basic Dynamic Analysis Regshot will allow the analyst to identify how the malware influences the Registry upon execution On a test machine, use Regshot to “snapshot” the Registry Run the malware Use Regshot to take a second “snapshot” of the Registry Regshot will then output the difference Regshot will allow the analyst to identify how the malware influences the Registry upon execution On a test machine, use Regshot to “snapshot” the Registry Run the malware Use Regshot to take a second “snapshot” of the Registry Regshot will then output the difference

Scoping the Attack IOC Sweeps –Indicators of Compromise – OpenIOC Framework –XML Format –Leverage threat intelligence of the malware (registry keys it writes to, file names, file sizes, compilation timestamps, etc) –Forensically scan every node on the network to see if these exist IOC Sweeps –Indicators of Compromise – OpenIOC Framework –XML Format –Leverage threat intelligence of the malware (registry keys it writes to, file names, file sizes, compilation timestamps, etc) –Forensically scan every node on the network to see if these exist

Finding Evil with Autorunsc for /L %i in (1, 1, 254) -s -n 4 -d \\n.n.n.%i cmd /c "net use o: \\server\share PASSWORD /user:doman\username && \\live.sysinternals.com\tools\autorunsc -a -v -f -c '*' > o:n.n.n.%i.csv && net use o: /delete” Remotely extract all Registry entries set to known autostart locations as well as the MD5 hash of the associated files Example: SYSTEM\CurrentControlSet\Services If Start Key is set to 0x02 then service will start at boot Another way to quickly scan an enterprise if the auto-start mechanisms of the malware are known by pushing this out through Group Policy for /L %i in (1, 1, 254) -s -n 4 -d \\n.n.n.%i cmd /c "net use o: \\server\share PASSWORD /user:doman\username && \\live.sysinternals.com\tools\autorunsc -a -v -f -c '*' > o:n.n.n.%i.csv && net use o: /delete” Remotely extract all Registry entries set to known autostart locations as well as the MD5 hash of the associated files Example: SYSTEM\CurrentControlSet\Services If Start Key is set to 0x02 then service will start at boot Another way to quickly scan an enterprise if the auto-start mechanisms of the malware are known by pushing this out through Group Policy

Containment – Get it right the first time or else Isolate the affected subnets from the rest of the network (if feasible, if not then the affected machines) Sinkhole all the C2 Domains in DNS Servers Suspend all user accounts related to the attack Submit malware to AV Vendor for signature creation Isolate the affected subnets from the rest of the network (if feasible, if not then the affected machines) Sinkhole all the C2 Domains in DNS Servers Suspend all user accounts related to the attack Submit malware to AV Vendor for signature creation

Eradication Pull affected machines from the network IN UNISON Rebuild machines from a known clean base image Issue new credentials to affected users Ensure AV Signatures are updated throughout the environment Pull affected machines from the network IN UNISON Rebuild machines from a known clean base image Issue new credentials to affected users Ensure AV Signatures are updated throughout the environment

Recovery Bring remediated machines back on the network Remove ACL restrictions that isolated affected subnets Ensure business returns to normal Continue monitoring and sweeping network Bring remediated machines back on the network Remove ACL restrictions that isolated affected subnets Ensure business returns to normal Continue monitoring and sweeping network

Lessons Learned Review incident with team Discuss what went right, what went wrong Document and implement these strategies in future scenarios Review incident with team Discuss what went right, what went wrong Document and implement these strategies in future scenarios

Any Questions?