Apt sharing tisa protalk 2-2554
1. Advanced Persistent Threats <APT>
By Chaiyakorn Apiwathanokul, CISSP, CSSLP, GCFA, IRCA:ISMS
Chief Executive Officer, S-Generation Co., Ltd.
© 2011 S-Generation Co., Ltd.
2. Name: Chaiyakorn Apiwathanokul
ไชยกร อภิวัฒโนกุล
Title: Chief Executive Officer
Company: S-GENERATION Company Limited
Asia Forensic Hub Company Limited
Certificates: CISSP, CSSLP, IRCA:ISMS (ISO27001), SANS:GCFA
• CSO ASEAN Award 2010 by Ministry of Information and Communications and Ministry of Public Security, Vietnam
• Honoree in the Senior Information Security Professional category for the 2010 Asia-Pacific Information Security
Leadership Achievements (ISLA) by (ISC)2
• Security Sub-commission under Thailand Electronic Transaction Commission (ET Act B.E. 2544)
• Contribute to Thailand Cyber Crime Act B.E.2550
• Workgroup for CA service standard development
• Committee of national standard adoption of ISO27001/ISO27002
• Committee of Thailand Information Security Association (TISA)
• Committee of Cybersecurity workforce development, Division of Skill Development, Ministry of Labour
chaiyakorna@hotmail.com
• Advisor to Department of Special Investigation (DSI)
3. AGENDA
1. About APT
2. Night Dragon Attack
3. Other case study
4. Solutions Partnership
5. Malware Growth
Nearly Twenty Million New Malware Threats in 2010
7. About APT
APT = Advanced Persistent Threat
From the many case studies that have appeared in the news, whether Google, the Night Dragon attack, RSA or the Sony PlayStation Network, all of which were broken into and had important data stolen, experts around the world have concluded that these incidents came from the same kind of operation, called Advanced Persistent Threat or APT. Such operations are complex, use advanced intrusion methods and are not easy to detect. It is therefore necessary to learn and understand how the problem arises, so that suitable technologies and processes can be considered and selected to help manage it.
8. What is APT?
• Advanced
– All possible available techniques (or new)
– Coordinated
– Both well-known and unknown (0-day) vulnerabilities
– Multiple phases
• Persistent
– Here to stay
– Not by accident (targeted)
– Specific mission
– Polymorphic (for signature-based evasion)
– Able to lie dormant
• Threat
– Organized, funded and motivated
– Highly sophisticated
– Dedicated "crews" with various missions
– State-sponsored
– Cyberwarfare
• Targeted
• Steal Information
9. APT is used for …
• Political objectives that include continuing to suppress its own
population in the name of "stability."
• Economic objectives that rely on stealing intellectual property from
victims. Such IP can be cloned and sold, studied and underbid in
competitive dealings, or fused with local research to produce new
products and services more cheaply than the victims.
• Technical objectives that further their ability to accomplish their
mission. These include gaining access to source code for further exploit
development, or learning how defenses work in order to better evade or
disrupt them. Most worrying is the thought that intruders could make
changes to improve their position and weaken the victim.
• Military objectives that include identifying weaknesses that allow
inferior military forces to defeat superior military forces. The Report on
Chinese Government Sponsored Cyber Activities addresses issues like
these.
10. Some Characteristics of APT
• Named in 2008 by the US Air Force
• Became security jargon when Google described the 2009 attack
• Advanced
– Coordinated
– Multi-phases
• High expertise/knowledge/skill in each phase, unlikely to be found in one single individual
• Highly crafted for specific target organization or individual
• Period of operation in weeks, months or years
• Not easy to detect
11. Some Characteristics of APT
• Phases of the operation
– Target selection
– Vulnerability identification
– Domain contamination
– Information ex-filtration
– Intelligence analysis
– Exploitation
12. Some Characteristics of APT
• Expert advice
– Defense-in-Depth
– Multiple layers of protection
– Multiple compartments
13. Some facts about APT
Because APT malware is so difficult to detect,
simple malware signatures such as MD5
hashes, filenames, and traditional anti-virus
methods usually yield a low rate of true
positives.
14. Big Challenges in APT are…
• Detection
• Analysis
• Containment
15. Things to Consider for Resolution
• Educate users who have access to the infrastructure and critical information
• Evaluate network security posture
• Work with experts in case of an incident or when something looks suspicious
• Automated situational awareness tools
• Rapid deployment of countermeasures
• Focus more on detective measures
• Focus more on what is leaving your network (ex-filtration)
• White-listing your environment
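The slide's advice to watch what leaves the network, as an added example that is not part of the deck: a per-host egress baseline over constructed flow records, flagging a host whose outbound volume to external addresses jumps well above its own history. The RFC 1918 ranges used as "internal", the thresholds and the sample flows are all assumptions made here.

```python
"""Egress-volume check over constructed flow records (added example, not from the deck)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Assumption: these RFC 1918 ranges are "inside"; any other destination is external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows: (day, source host, destination IP, bytes sent).
FLOWS = [
    ("d1", "ws-17", "203.0.113.10", 120_000),
    ("d2", "ws-17", "203.0.113.10", 140_000),
    ("d3", "ws-17", "203.0.113.10", 110_000),
    ("d4", "ws-17", "203.0.113.10", 130_000),
    ("d5", "ws-17", "198.51.100.7", 9_800_000),  # sudden large upload to a new external host
    ("d1", "ws-22", "10.0.0.5", 50_000_000),      # internal backup traffic, not egress
    ("d1", "ws-22", "203.0.113.10", 160_000),
    ("d5", "ws-22", "203.0.113.10", 150_000),
]

def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def daily_egress(flows):
    """Bytes leaving the network per (host, day); internal destinations are ignored."""
    totals = defaultdict(int)
    for day, host, dst, nbytes in flows:
        if is_external(dst):
            totals[(host, day)] += nbytes
    return dict(totals)

def egress_alerts(flows, today, factor=5.0, min_bytes=1_000_000):
    """Flag hosts whose egress on `today` is above an absolute floor and more than
    `factor` times their median egress on earlier days (no history counts as 0)."""
    totals = daily_egress(flows)
    history = defaultdict(list)
    for (host, day), nbytes in totals.items():
        if day != today:
            history[host].append(nbytes)
    alerts = []
    for (host, day), nbytes in sorted(totals.items()):
        if day != today or nbytes < min_bytes:
            continue
        baseline = median(history[host]) if history[host] else 0
        if nbytes > factor * baseline:
            alerts.append({"host": host, "bytes": nbytes, "baseline": baseline})
    return alerts
```

Signature-free checks like this are what the "low rate of true positives" slide points towards: the anomaly is in the host's own behaviour, not in a hash or filename.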
16. Case Studies
• Night Dragon
• Ghost Net
(Electronic Spy Network Focused on Dalai
Lama and Embassy Computers)
• Aurora
(China vs. Google)
• NASDAQ
• RSA
• Stuxnet
• Sony Play Station Network (PSN)
17. Night Dragon Attack
“Night Dragon”
attacks from China strike energy companies
• Exxon Mobil, Royal Dutch Shell and BP were
among the oil companies targeted
• The intrusions targeted intellectual property and
have been going on for as long as 2-4 years
• The oil, gas and petrochemical companies
targeted were hit with technical attacks on their
public-facing Web sites.
• Activity took place during 9am-5pm Beijing local time.
19. Operation Aurora
• China vs. Google
• Politically motivated attacks against Gmail accounts, originating from China
• Censorship
• Government Eavesdropping/Privacy
• Backdoor
• zero-day flaw in Internet Explorer
21. STUXNET
• Discovered late June 2010
• A computer worm that infects Windows computers
• It primarily spreads via USB sticks, which allows it to
get into computers and networks not normally
connected to the Internet
• Uses both known, already patched vulnerabilities and four "zero-day exploits"
• Targets Siemens PLCs
• Reads and changes particular bits of data in the PLCs
• It is claimed to target an Iranian power plant
23. RSA's SecurID Security Breach!
RSA has not yet divulged specifics about the APT attack of which it
has found evidence and says it's now interacting with customers of
its SecurID product on the situation.
But security analysts are also quickly trying to size up the situation,
advising their clientele who are RSA customers about a stance they
might take.
http://www.pcworld.com/businesscenter/article/222554/rsas_securid_security_breach_what_should_you_do.html#tk.mod_rel
24. RSA's SecurID Security Breach!
Microsoft Excel is used to distribute malicious SWF file (“2011
Recruitment plan.xls”) via email to specific users at RSA. (Perhaps
other specific targets as well, an approach known as “spear
phishing.”) A malicious SWF file installs a customized variant of the
Poison Ivy remote administration tool (RAT) on the compromised
machine. (Using a customized variant makes signature-based
malware detection of the RAT ineffective; see FireEye Malware
analysis of a.exe.) Using the RAT, users' credentials were harvested
and used to access other machines within the RSA network. These
other machines were searched, and sensitive information was copied and
transferred to external servers.
25. RSA Breached
• 2011 Recruitment plan.xls with a malicious .swf file embedded
• Spear phishing
• Customized variant of the Poison Ivy remote administration tool (RAT)
• March 14, 2011 - Adobe issues a security advisory and patch schedule, warning of a vulnerability (APSA11-01, CVE-2011-0609, SecurityFocus BID 46860)
• March 16, 2011 - Microsoft adds Exploit:SWF/CVE-2011-0609 detection for the malicious SWF file.
• March 17, 2011 - RSA warns SecurID customers after the company is hacked, offers guidance.
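The RSA intrusion began with a spreadsheet carrying a Flash object, which is something a mail gateway or triage script can look for without any exploit signature. As an added example that is not part of the deck, the scan below locates SWF headers (FWS/CWS/ZWS magic, version byte, little-endian length) inside a document blob and rejects look-alike bytes in ordinary text; the OLE2 signature, the sample blob and the decoy text are constructed here.

```python
"""Triage scan for Flash (SWF) headers embedded in a document blob (added example, not from the deck)."""
import struct

# SWF files start with a 3-byte magic, a version byte and a 4-byte little-endian length.
SWF_MAGICS = {b"FWS": "uncompressed", b"CWS": "zlib-compressed", b"ZWS": "lzma-compressed"}

def find_embedded_swf(data, max_version=50):
    """Return (offset, kind, version, declared_length) for every plausible SWF header."""
    hits = []
    for magic, kind in SWF_MAGICS.items():
        start = 0
        while (pos := data.find(magic, start)) != -1:
            start = pos + 1
            if pos + 9 > len(data):          # need magic + version + length + first body byte
                continue
            version = data[pos + 3]
            length = struct.unpack_from("<I", data, pos + 4)[0]
            if not 1 <= version <= max_version or length < 8:
                continue                      # implausible header, e.g. bytes following ordinary text
            if kind == "uncompressed" and length > len(data) - pos:
                continue                      # an FWS body cannot be longer than what is left
            if kind == "zlib-compressed" and data[pos + 8] != 0x78:
                continue                      # a CWS body must begin with a zlib stream header
            hits.append((pos, kind, version, length))
    return sorted(hits)

# Constructed sample: an OLE2 container signature, ordinary text that happens to contain
# "FWS" (a decoy), then a compressed SWF header such as a malicious .xls might carry.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SAMPLE_XLS = (
    OLE2_MAGIC + b"\x00" * 24
    + b"The FWS report is attached" + b"\x00" * 8
    + b"CWS" + bytes([10]) + struct.pack("<I", 4096)   # SWF version 10, 4096 bytes when decompressed
    + b"\x78\x9c" + b"\x00" * 16                        # zlib header followed by filler
)

def is_suspicious_spreadsheet(data):
    """An OLE2 spreadsheet carrying any Flash object is worth quarantining for analysis."""
    return data.startswith(OLE2_MAGIC) and bool(find_embedded_swf(data))
```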
26. Many Other Cases
• Night Dragon
• Ghost Net
(Electronic Spy Network Focused on Dalai Lama and Embassy Computers)
• Aurora
(China vs. Google)
• NASDAQ
• RSA
• Stuxnet
• Sony Play Station Network (PSN)
27. About S-Generation
“The Trusted Partner …
to Conquer Advanced Digital Threats”
• Cybersecurity Solutions Distribution in Thailand and ASEAN
• Advanced Persistent Threats Solution
• Mobile Security Solution
• Application Security Solution
• Information Security Consultancy
• Incident Response, Recovery & Investigation
• Industrial Control System Security
(SCADA/DCS/BAS/Embedded)
29. Welcome to
S-Generation Channel on YouTube
http://www.youtube.com/user/SGenerationChannel
30. About AFH
Product
• Planning session (Plan of Action)
• On-Site Support
Professional Service
• Document & File Discovery
• Preservation of Evidence
• Data Recovery & Analysis
• Expert Reporting
• Post-investigation Reports with Recommendations
• Digital Media Sanitization
CONFIDENTIAL TO AFH & PTTICT