TOPIC 8 ADVANCED PERSISTENT THREAT (APT) 進階持續性滲透攻擊

1 TOPIC 8 ADVANCED PERSISTENT THREAT (APT) 進階持續性滲透攻擊

2 CONTENTS
Overview of APTs
APT Characteristics
APT Life Cycle
Spear Phishing
Defense Strategies

3 OVERVIEW OF APTS Complex cyber attacks against specific targets carried out over long periods of time. Originally, the term was used to describe nation states stealing data from, or causing damage to, other countries for strategic gain. The definition has since been expanded to include similar attacks carried out by cybercriminals stealing data from businesses for profit.

4 OVERVIEW OF APTS Public reports of APT attacks date back to at least 1998, when the Pentagon, the National Aeronautics and Space Administration (NASA), the United States (US) Energy Department, research laboratories and private universities were targeted. The Operation Aurora attack (January 2010) was described at the time by Google as "a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google."

5 OVERVIEW OF APTS A recent ISACA Cybersecurity Survey (13 February 2013) reveals that one in five enterprises have experienced an APT attack.

6 APT CHARACTERISTICS
Targeted - APTs target specific organizations with the purpose of stealing specific data or causing damage. The more valuable the data, the more likely the organization is to be targeted.
Persistent - APTs work through multiple phases over a long period of time. The entire process may take months or even years.

7 APT CHARACTERISTICS
Evasive - APTs are designed to evade traditional security products such as firewalls and antivirus programs. To bypass network firewalls, the attacker sends malicious code within content carried over commonly allowed protocols (HTTP, HTTPS, SMTP, etc.). No antivirus signatures exist for the malicious code, so signature-based protection does not apply.

8 APT CHARACTERISTICS
Complex - APTs apply a complex mix of attack methods targeting multiple vulnerabilities identified within the organization:
Using social engineering to identify key individuals
Sending phishing emails to those key individuals with links to a malicious website
Customizing encryption technology

9 APT LIFE CYCLE Initial Compromise - Performed by means of social engineering, spear phishing and zero-day viruses.
Figure: spear phishing email whose sender name is known to the recipient. Source: Mandiant

10 APT LIFE CYCLE Establish Foothold - Plant remote administration software in the victim's network and create network backdoors and tunnels that allow stealthy access to its infrastructure. APT backdoors initiate outbound connections to the intruder's "command and control" (C2) server. Source: Mandiant

11 APT LIFE CYCLE
Escalate Privileges - Use exploits and password cracking to acquire administrator privileges over the victim's computer. Popular tools at this stage are cachedump, fgdump and pwdump7.
Internal Reconnaissance - Collect information about the victim environment, using built-in operating system commands to explore a compromised system and its networked environment.

12 APT LIFE CYCLE
Figure: batch script used to automate reconnaissance. Source: Mandiant

13 APT LIFE CYCLE
Lateral Movement - Expand control to other workstations, servers and infrastructure devices, for example by connecting to shared resources and executing commands on other systems. It is hard to detect because legitimate system administrators also use these techniques to perform administrative work.
Maintain Presence - Ensure continued control over the access channels and credentials acquired in previous steps.

14 APT LIFE CYCLE Completing the Mission - Transfer stolen data, usually in archive file format (RAR), out of the victim's network.
Figure: batch script that bundles stolen files into RAR archive files. Source: Mandiant

15 SPEAR PHISHING Spear phishing is a favored means used by APT attackers to infiltrate target networks. Typically, a specially crafted email is sent to specific individuals in a target organization. The email lures the target recipient to either download a seemingly harmless file attachment or to click a link to a malicious site. The attachment exploits a vulnerability and installs malware on the compromised computer. The malware then contacts a malicious C2 server to await instructions from the remote attacker.

16 SPEAR PHISHING The most commonly used attachment file types are .XLS, .PDF, .DOC, .DOCX and .HWP. Executable (.EXE) files are not commonly used as spear phishing attachments because they are usually detected and blocked by common security products. People in the business and government sectors usually share files via email. That is why a higher number of spear-phishing emails with attachments is sent to targets in the business or government sector.
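The slide above lists the attachment types that carry most spear phishing lures and notes that plain executables are usually blocked. The following added example (not code from the presentation or from Trend Micro) shows how a mail gateway could apply that observation as a screening policy: executables are blocked outright, the lure document types are routed to a sandbox, and a document extension whose content starts with a Windows PE header (or otherwise does not match its extension) is treated as an executable in disguise. The message, the sender and recipient addresses, the magic-byte table and the policy sets are all constructed for the example.

```python
"""Screen e-mail attachments by extension and content (constructed example)."""
import email
from email.message import EmailMessage

# Attachment types the slides name as the most common spear phishing lures.
LURE_EXTENSIONS = {".xls", ".pdf", ".doc", ".docx", ".hwp"}
# Assumed block list: executables are usually stopped at the gateway anyway.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif"}

# Leading bytes used to check that the content matches the claimed type.
PE_MAGIC = b"MZ"                                    # Windows executable header
PDF_MAGIC = b"%PDF"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"     # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                           # .docx container
EXPECTED_MAGIC = {".pdf": PDF_MAGIC, ".doc": OLE_MAGIC,
                  ".xls": OLE_MAGIC, ".docx": ZIP_MAGIC}


def classify_attachment(filename, data):
    """Return 'block', 'sandbox' or 'allow' for a single attachment."""
    name = filename.lower()
    ext = ("." + name.rsplit(".", 1)[-1]) if "." in name else ""
    # A blocked extension, or a PE header behind any name (e.g. report.pdf
    # that is really an executable), is blocked outright.
    if ext in BLOCKED_EXTENSIONS or data.startswith(PE_MAGIC):
        return "block"
    if ext in LURE_EXTENSIONS:
        expected = EXPECTED_MAGIC.get(ext)
        if expected is not None and not data.startswith(expected):
            return "block"       # content does not match the claimed document type
        return "sandbox"         # plausible document: detonate before delivery
    return "allow"


def screen_message(raw_bytes):
    """Parse a raw RFC 822 message and return [(filename, verdict), ...]."""
    msg = email.message_from_bytes(raw_bytes)
    verdicts = []
    for part in msg.walk():
        fname = part.get_filename()
        if not fname:                      # body text or multipart container
            continue
        payload = part.get_payload(decode=True) or b""
        verdicts.append((fname, classify_attachment(fname, payload)))
    return verdicts


def build_sample_message():
    """Construct a test message with four attachments of differing risk."""
    m = EmailMessage()
    m["From"] = "hr@example.invalid"       # constructed addresses
    m["To"] = "finance@example.invalid"
    m["Subject"] = "Updated salary sheet"
    m.set_content("Please review the attached sheet before the meeting.")
    m.add_attachment(OLE_MAGIC + b"\x00" * 16, maintype="application",
                     subtype="vnd.ms-excel", filename="salary.xls")
    m.add_attachment(PE_MAGIC + b"\x90" * 16, maintype="application",
                     subtype="pdf", filename="policy.pdf")        # PE disguised as PDF
    m.add_attachment(PE_MAGIC + b"\x00" * 16, maintype="application",
                     subtype="octet-stream", filename="setup.exe")
    m.add_attachment(b"meeting notes", maintype="text",
                     subtype="plain", filename="notes.txt")
    return m.as_bytes()


if __name__ == "__main__":
    for fname, verdict in screen_message(build_sample_message()):
        print(f"{fname:12s} -> {verdict}")
```

The content check matters more than the extension: the slides point out that attackers avoid `.EXE` precisely because it is blocked, so a gateway that trusts the filename alone will pass the disguised executable through. Sandboxing rather than blocking the genuine document types keeps the policy usable, since those are the formats the slides say business and government users legitimately exchange.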

17 SPEAR PHISHING Source: Trend Micro

18 DEFENSE STRATEGIES Monitor inbound and outbound traffic for content, context (the relationship between indicators) and sensitive data, preferably for both email and web communications. In particular, the defense layer should monitor outbound communications to detect data-theft behavior. In addition to traditional defenses such as firewalls and antivirus programs, secure web gateways provide a further defense layer with URL filtering and antivirus scanning, including the ability to analyze SSL traffic.

19 DEFENSE STRATEGIES Use a secure email gateway that can inspect for malicious web links and attachments to prevent the initial infection. Employ data loss prevention (DLP) capabilities in the secure email and web gateways to detect whether the most valuable data is leaving your organization. The availability of organizational information on the Internet allows attackers to gather relevant data on their chosen targets, so organizations should carefully consider what types of information, and how much, they make available online.
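Slides 18 and 19 recommend monitoring outbound traffic for data-theft behavior, and slide 14 notes that stolen data usually leaves as RAR archives. The added example below (my own code, not from the presentation or from any vendor named on the page) shows the shape of such a check over proxy logs: uploads to hosts outside an allowlist are flagged when they carry archive content, when a single upload is unusually large, or when one client's upload volume to untrusted hosts crosses a threshold within a sliding time window. The log format, the hostnames and addresses, the allowlist and all thresholds are constructed assumptions for the example; a real deployment would take them from its own proxy and its own baseline.

```python
"""Flag possible data theft in outbound proxy traffic (constructed example)."""
import re
from collections import defaultdict

# Constructed log line format (not any real proxy's):
#   <epoch seconds> <client ip> <method> <url> <status> <bytes sent> <content type>
LOG_RE = re.compile(r"^(\d+) (\S+) (GET|POST|PUT) (\S+) (\d{3}) (\d+) (\S+)$")

TRUSTED_HOSTS = {"crm.example.invalid", "mail.example.invalid"}   # assumed allowlist
ARCHIVE_TYPES = {"application/x-rar-compressed", "application/zip",
                 "application/x-7z-compressed"}
ARCHIVE_SUFFIXES = (".rar", ".zip", ".7z")
LARGE_UPLOAD_BYTES = 5_000_000        # single upload worth a look (assumed)
WINDOW_SECONDS = 3600                 # sliding window for per-client volume
WINDOW_BYTES = 20_000_000             # volume threshold within the window (assumed)


def host_of(url):
    """Return the host part of an http(s) URL, or '' if it cannot be parsed."""
    m = re.match(r"https?://([^/:]+)", url)
    return m.group(1) if m else ""


def parse_line(line):
    """Parse one log line into a dict, or return None for a malformed line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, nbytes, ctype = m.groups()
    return {"ts": int(ts), "client": client, "method": method, "url": url,
            "status": int(status), "bytes": int(nbytes), "ctype": ctype}


def analyze(lines):
    """Return alerts as (client, reason, host) tuples in log order."""
    alerts = []
    history = defaultdict(list)       # client -> [(ts, bytes)] uploads to untrusted hosts
    volume_alerted = set()            # alert once per client per analysis run
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "GET":
            continue                  # only uploads move data out of the network
        host = host_of(rec["url"])
        if host in TRUSTED_HOSTS:
            continue
        client = rec["client"]
        if rec["ctype"] in ARCHIVE_TYPES or rec["url"].lower().endswith(ARCHIVE_SUFFIXES):
            alerts.append((client, "archive_upload", host))
        if rec["bytes"] >= LARGE_UPLOAD_BYTES:
            alerts.append((client, "large_upload", host))
        # Keep only uploads inside the window, then test the running total.
        history[client] = [(t, b) for t, b in history[client]
                           if rec["ts"] - t <= WINDOW_SECONDS]
        history[client].append((rec["ts"], rec["bytes"]))
        total = sum(b for _, b in history[client])
        if total >= WINDOW_BYTES and client not in volume_alerted:
            volume_alerted.add(client)
            alerts.append((client, "volume", host))
    return alerts


# Constructed sample: one normal browse, one large upload to a trusted CRM,
# three staged RAR uploads from one host to an untrusted address, one large
# backup-style upload from another host.
SAMPLE_LOG = """\
1700000000 10.0.0.5 GET http://www.example.invalid/ 200 512 text/html
1700000060 10.0.0.5 POST https://crm.example.invalid/api/upload 200 8000000 application/octet-stream
1700000120 10.0.0.7 POST http://203.0.113.9/up/1.rar 200 3000000 application/x-rar-compressed
1700000180 10.0.0.7 POST http://203.0.113.9/up/2.rar 200 3000000 application/x-rar-compressed
1700000240 10.0.0.9 PUT https://files.example.net/backup.bin 201 6000000 application/octet-stream
1700003000 10.0.0.7 POST http://203.0.113.9/up/3.rar 200 15000000 application/x-rar-compressed
"""

if __name__ == "__main__":
    for client, reason, host in analyze(SAMPLE_LOG.splitlines()):
        print(f"{client}\t{reason}\t{host}")
```

The allowlist is what keeps this usable: the slides' own point is that attackers ride protocols the firewall already permits, so the signal is not the protocol but where the data goes and in what form. The window check catches the pattern in slide 14, where a batch script stages several archives rather than one giant file, which a per-upload size threshold alone would miss.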

20 DEFENSE STRATEGIES DLP

21 REFERENCES
websense-advanced-persistent-threats-and-other-advanced-attacks-en.pdf
Releases/2013/Pages/ISACA-Cybersecurity-Survey-Reveals-That-One-in-Five-Enterprises-Have-Experienced.aspx
chinas-cyber-espionage-units-releases-3000-indicators/
intelligence/white-papers/wp-spear-phishing- -most-favored-apt-attack-bait.pdf
prevention-for-mobile

