Presentation is loading. Please wait.

Presentation is loading. Please wait.

ECE-6612 Prof. John A. Copeland 404 894-5177 Advanced Persistent Threat Material.

Published byJonathan King Modified over 9 years ago

Similar presentations

Presentation on theme: "ECE-6612 Prof. John A. Copeland 404 894-5177 Advanced Persistent Threat Material."— Presentation transcript:

1 ECE-6612 http://www.csc.gatech.edu/copeland/jac/6612/ Prof. John A. Copeland john.copeland@ece.gatech.edu 404 894-5177 Advanced Persistent Threat Material excerpted from Mandiant APT1 Report – www.mandiant.com/apt1www.mandiant.com/apt1 Feb. 22, 2013

2 APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously. »»Since 2006, Mandiant has observed APT1 compromise 141 companies spanning 20 major industries. »»APT1 has a well-defined attack methodology, honed over years and designed to steal large volumes of valuable intellectual property. »» Once APT1 has established access, they periodically revisit the victim’s network over several months or years and steal broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations’ leadership. »» APT1 uses some tools and techniques that we have not yet observed being used by other groups including two utilities designed to steal email — GETMAIL and MAPIGET. * * * »»Among other large-scale thefts of intellectual property, we have observed APT1 stealing 6.5 terabytes of compressed data from a single organization over a ten-month time period. »»In the first month of 2011, APT1 successfully compromised at least 17 new victims operating in 10 different industries. 2/24/2013 Mandiant APT1 Report – www.mandiant.com/apt1www.mandiant.com/apt1 2

3 2/24/2013 Mandiant APT1 Report – www.mandiant.com/apt1www.mandiant.com/apt1 3 APT1 maintains an extensive infrastructure of computer systems around the world. »» APT1 controls thousands of systems in support of their computer intrusion activities. »»In the last two years we have observed APT1 establish a minimum of 937 Command and Control (C2) servers hosted on 849 distinct IP addresses in 13 countries. The majority of these 849 unique IP addresses were registered to organizations in China (709), followed by the U.S. (109). »»In the last three years we have observed APT1 use fully qualified domain names (FQDNs) resolving to 988 unique IP addresses. »»Over a two-year period (January 2011 to January 2013) we confirmed 1,905 instances of APT1 actors logging into their attack infrastructure from 832 different IP addresses with Remote Desktop, a tool that provides a remote user with an interactive graphical interface to a system. »»In the last several years we have confirmed 2,551 FQDNs attributed to APT1.

4 Initial Reconnaissance Study the target’s Web Pages, do Google and Bing searches. Learn the names of employees, particularly executives and engineers. Study them on social networks (YouTube, LinkedIn, Facebook, Twitter, … ). Initial Compromise Craft spear-phishing messages with Trojan Horse attachments, links, jpegs, … - or - Take advantage of a fortuitous compromise by a wide-spread exploit. Establish Foothold Add root kits and backdoors. Initial Compromise Initial Recon. 2/24/2013 Mandiant APT1 Report – www.mandiant.com/apt1www.mandiant.com/apt1 4 Establish Foothol d Escalate Privileges Internal Recon. Complete Mission (leave back doors) Move Laterally Maintain Presence

5 2/24/2013 Mandiant APT1 Report – www.mandiant.com/apt1www.mandiant.com/apt1 5 On some occasions, unsuspecting email recipients have replied to the spear phishing messages, believing they were communicating with their acquaintances. In one case a person replied, “I’m not sure if this is legit, so I didn’t open it.” Within 20 minutes, someone in APT1 responded with a terse email back: “It’s legit.” It’s legit ->

6 2/24/2013 Mandiant APT1 Report – www.mandiant.com/apt1www.mandiant.com/apt1 6 FIGURE 20: APT1 bundles stolen files into “rar” archives before moving data to China. rar After creating files compressed via RAR, the APT1 attackers will transfer files out of the network in ways that are consistent with other APT groups, including using the File Transfer Protocol (FTP) or their existing backdoors. Many times their RAR files are so large that the attacker splits them into chunks before transferring them. Figure 19 above shows a RAR command with the option “-v200m”, which means that the RAR file should be split up into 200MB portions.

7 2/24/20137 Worth Noting The APT has only collected information (commercial, government, military), trying not to leave a trace of its presence. Unlike gangster hacking organizations, there have been no deliberate damages (deletion of data, denial of service, …) or demands for payment. The APT (and other nation-level organizations) have reconnoitered Internet backbones and utility infrastructure networks, and have put back doors and logic bombs in place. They are apparently developing to capability to do extensive physical damage to the U.S. infrastructure and economy if (or maybe, when) it becomes advantageous to do so. Ref. "Cyberwar, the Next Threat to National Security, and What to Do About It," by Richard C. Clark (2010).

Download ppt "ECE-6612 Prof. John A. Copeland 404 894-5177 Advanced Persistent Threat Material."

Similar presentations

Internet – Part I. What is Internet? Internet is a global computer network of inter-connected networks.

Internet – Part I. What is Internet? Internet is a global computer network of inter-connected networks.
James D. Brown Chief Engineer and Senior Fellow Information Resource Management L-3 Communications.

James D. Brown Chief Engineer and Senior Fellow Information Resource Management L-3 Communications.
© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.

© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.
CHINESE HACKERS. Where do they come from? In 2007 private security firm Mandiant was hired by the New York Times to trace cyber-attacks on their network.

CHINESE HACKERS. Where do they come from? In 2007 private security firm Mandiant was hired by the New York Times to trace cyber-attacks on their network.
CHAPTER 2 KNOW YOUR VILLAINS. Who writes it: Malware writers vary in age, income level, location, social/peer interaction, education level, likes, dislikes.

CHAPTER 2 KNOW YOUR VILLAINS. Who writes it: Malware writers vary in age, income level, location, social/peer interaction, education level, likes, dislikes.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
RSA Attack Analysis Karl F. Lutzen, CISSP S&T Information Security Officer.

RSA Attack Analysis Karl F. Lutzen, CISSP S&T Information Security Officer.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.

Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.
Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by.

Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by.
Internet…issues Managing the Internet

Internet…issues Managing the Internet
S EC (4.5): S ECURITY 1. F ORMS OF ATTACK There are numerous way that a computer system and its contents can be attacked via network connections. Many.

S EC (4.5): S ECURITY 1. F ORMS OF ATTACK There are numerous way that a computer system and its contents can be attacked via network connections. Many.
Browser and E-mail Basics Tutorial 1. Learn about Web browser software and Web pages The Web is a collection of files that reside on computers, called.

Browser and Basics Tutorial 1. Learn about Web browser software and Web pages The Web is a collection of files that reside on computers, called.
FIRST COURSE Computer Concepts Internet and Email Microsoft Office Get to Know Your Computer.

FIRST COURSE Computer Concepts Internet and Microsoft Office Get to Know Your Computer.
Internet Relay Chat Security Issues By Kelvin Lau and Ming Li.

Internet Relay Chat Security Issues By Kelvin Lau and Ming Li.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.
Boris Tshibangu. What is a proxy server? A proxy server is a server (a computer system or an application) that acts as an intermediary for requests from.

Boris Tshibangu. What is a proxy server? A proxy server is a server (a computer system or an application) that acts as an intermediary for requests from.
“If you build it, they will come.”. Virtual Business  There is much more that goes into a virtual business than just building the web site.  You will.

“If you build it, they will come.”. Virtual Business  There is much more that goes into a virtual business than just building the web site.  You will.
Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.

Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.
MIRAGE CPSC 620 Project By Neeraj Jain Hiranmayi Pai.

MIRAGE CPSC 620 Project By Neeraj Jain Hiranmayi Pai.

Similar presentations

Ads by Google