SAFE NEVER SLEEPS
A peek into the underworld…

Hosted by: Jathniel Meyer & Christo van Staden, McAfee South Africa
Date: 17-19 October 2011

Introduction to the Advanced Persistent Threat & Hacktivism
Agenda

1. Advanced Persistent Threats (APTs)
2. Countermeasures
3. Questions and Answers
Advanced Persistent Threat: how was it done? APT in action

Advanced Persistent Threats
What is an Advanced Persistent Threat?

1. An attack by a sophisticated adversary with deep resources and advanced penetration skills, engaged in electronic espionage to support long-term strategic goals.
2. An over-used marketing term, employed by point-product security vendors to mean "bad things from the Internet".

APTs have specific targets: the adversary chooses the organisation first and the technique second, which is what separates an APT from opportunistic, mass-market malware.
Malware Used in APTs
Simple blacklisting and signature-based solutions keyed on MD5 hashes yield a low rate of true positives: each sample is typically built or repacked for one target, so a hash seen once is rarely seen again.

Average file size: 121.85 KB

Most common APT file names: svchost.exe, explore.exe, lprinp.dll, wiinzf21.dll (names chosen to be mistaken for, or to hide among, legitimate Windows binaries)

Anomaly-detection avoidance: outbound HTTP connections, process injection and service persistence

Communication: 100 percent of backdoors connect outbound-only; 83 percent use TCP port 80 or 443, and 17 percent use a mix of ports
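The file-name list above is only useful if something actually checks it: a backdoor called svchost.exe in a user's Temp directory, or an explore.exe anywhere, is a masquerade, not a match. The following is an added example for this page, not code from the slides or from McAfee; the process records, and the expected-directory and expected-parent table, are constructed and assume a default Windows layout.

```python
"""Flag processes whose name or path mimics a Windows system binary.

Added example for this page, not code from the slides. The process records
and the expected-directory/parent table are constructed assumptions based on
a default Windows install; tune them for your own estate.
"""
from dataclasses import dataclass
import ntpath

# Binaries APT droppers commonly impersonate: the directory each should load
# from and the parent that legitimately spawns it (None = parent not checked).
SYSTEM_BINARIES = {
    "svchost.exe":  (r"c:\windows\system32", "services.exe"),
    "explorer.exe": (r"c:\windows",          None),
    "lsass.exe":    (r"c:\windows\system32", "wininit.exe"),
    "csrss.exe":    (r"c:\windows\system32", None),
    "winlogon.exe": (r"c:\windows\system32", None),
}


@dataclass
class Proc:
    pid: int
    name: str
    path: str
    parent_name: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits catches typo-squatted names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(proc: Proc) -> list[str]:
    """Return the reasons a process looks like a masquerade (empty = clean)."""
    reasons = []
    name = proc.name.lower()
    directory = ntpath.dirname(proc.path.lower())
    if name in SYSTEM_BINARIES:
        expected_dir, expected_parent = SYSTEM_BINARIES[name]
        if directory != expected_dir:
            reasons.append(f"{name} running from {directory!r}, expected {expected_dir!r}")
        if expected_parent and proc.parent_name.lower() != expected_parent:
            reasons.append(f"{name} spawned by {proc.parent_name}, expected {expected_parent}")
    else:
        # Not a genuine system name: is it one or two edits away from one?
        for real in SYSTEM_BINARIES:
            if 0 < edit_distance(name, real) <= 2:
                reasons.append(f"{name} is a lookalike of {real}")
                break
    return reasons


def scan(procs: list[Proc]) -> dict[int, list[str]]:
    """Map pid -> reasons for every process that tripped at least one rule."""
    return {p.pid: r for p in procs if (r := classify(p))}


# Constructed sample: a clean svchost, one dropped in a user Temp directory,
# a lookalike explore.exe, and a normal explorer.exe.
SAMPLE = [
    Proc(812,  "svchost.exe",  r"C:\Windows\System32\svchost.exe",              "services.exe"),
    Proc(4120, "svchost.exe",  r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe", "explorer.exe"),
    Proc(4188, "explore.exe",  r"C:\ProgramData\explore.exe",                   "svchost.exe"),
    Proc(1024, "explorer.exe", r"C:\Windows\explorer.exe",                      "userinit.exe"),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE).items():
        print(pid, "; ".join(reasons))
```

The path and parent checks are the ones that hold up in practice: an attacker can pick a perfect name, but cannot make a file in %TEMP% report its location as System32, and cannot make services.exe its parent without already owning the box. Feed it the output of your EDR's process inventory rather than the constructed sample.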
Operation Shady RAT

Operation Shady RAT
Shady RAT is an advanced persistent threat (APT) campaign.

- Active command and control (C&C) server accessed by McAfee® Labs™
- Evidence of five years of attacks
- Most common attack vector: spear-phishing

Operation Shady RAT
Coveted Data
(Chart; the categories of data the attackers went after are listed in the editor's notes at the end of this page.)

Operation Shady RAT
Motivation
MONEY and POLITICS
Operation Night Dragon

Night Dragon
Targeted attacks & advanced persistent threats

Night Dragon
Methodical and Progressive

1. The attacker sends a spear-phishing email containing a link to a compromised web server.
2. The user opens the email, the compromised website is accessed, and a RAT is downloaded.
3. User account information and host configuration information are sent to a C&C server.
4. The attacker uses the RAT to conduct additional reconnaissance and system compromises and to harvest confidential data.
Operation Stuxnet

Stuxnet
Used four zero-day Windows vulnerabilities, together with older, already-patched bugs and a hard-coded vendor password:

- CVE-2010-2772 – Siemens SIMATIC WinCC/PCS 7: hard-coded database password (a default credential baked into the product, not a memory-corruption bug)
- CVE-2010-2568 – MS10-046 – LNK shortcut parsing (zero-day; initial execution from removable media)
- CVE-2010-2729 – MS10-061 – Print Spooler (zero-day; remote code execution across the LAN)
- CVE-2010-2743 – MS10-073 – privilege escalation via keyboard layout file in win32k.sys (zero-day)
- CVE-2010-3338 – MS10-092 – privilege escalation via Task Scheduler (zero-day)
- CVE-2008-4250 – MS08-067 – Server service RPC (patched in 2008; still used for lateral movement against unpatched hosts)
Stuxnet
- The Stuxnet Trojan was discovered in mid-June 2010 by an antimalware company in Belarus called VirusBlokAda.
- Its kernel drivers were signed with a genuine code-signing certificate belonging to Realtek Semiconductor, a major maker of PC components; the signing key had been stolen, so the signature verified as valid on every Windows machine.
- The certificate was valid through June 10 and Stuxnet's drivers were signed in late January. It was about a week after the certificate expired that the anti-malware community first saw Stuxnet in the wild. The lesson for defenders: a valid signature proves only that someone holds the key, not that the code is benign; revocation checking and reputation still matter.
- The malware searched the compromised system for the Siemens SIMATIC WinCC SCADA database and used a hard-coded password built into WinCC (CVE-2010-2772) to read operational data of the control systems stored in WinCC's SQL database.
Hacktivism

Hacktivism
Anonymous stands up for WikiLeaks

Hacktivism
Anonymous publishes Bank of America (BofA) emails
Countermeasures

McAfee: Complete End-to-End Protection Against All Phases of APT Attacks
Steps to Protection

Step 1: Reconnaissance
  Network DLP (prevents sensitive data from leaving)

Step 2: Network Intrusion
  Firewall (blocks APT connection via IP reputation)
  Web Gateway (detects/blocks obfuscated malware)
  Email Gateway (blocks spear-phishing emails and links to malicious sites)
  Network Threat Response (detects obfuscated malware)
  Network Security Platform (stops malicious exploit delivery)

Step 3: Establish Backdoor
  Firewall (detects/blocks APT back-channel communication)
  Network Threat Response (detects APT destination IPs)
  Application Whitelisting (prevents backdoor installation)

Step 4: Install Command and Control Utilities
  Web Gateway (detects/blocks access to malicious applications)
  Application Whitelisting (prevents unauthorized changes to systems)

Step 5: Data Exfiltration
  Unified DLP (prevents data from leaving the network)

Step 6: Maintaining Persistence
  Network User Behavioral Analysis (identifies unexpected user behavior during APT reconnaissance and data collection phases)
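The outbound-only, port 80/443 beaconing described on the malware slide and the network behavioral analysis control in step 6 come down to one measurable thing: a host talking to one destination at a suspiciously regular interval, which is what a sleep-loop implant does and a person browsing does not. The following is an added example for this page, not McAfee product code; the connection log, host names and IP addresses (RFC 5737 documentation ranges) are constructed.

```python
"""Flag hosts that beacon to one destination at a regular interval over 80/443.

Added example for this page, not McAfee product code. The connection log,
host names and IP addresses (RFC 5737 documentation ranges) are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Connection record: (epoch_seconds, src_host, dst_ip, dst_port, bytes_out).
BASE = 1_318_852_800                          # 2011-10-17 12:00:00 UTC, arbitrary
BEACON_JITTER = [0, 4, -3, 7, -5, 2, 6, -2]   # seconds of drift per check-in

# ws-17 checks in roughly every 300 s with a small, fixed-size request:
# the outbound-only HTTPS pattern the slide describes.
LOG = [(BASE + 300 * i + j, "ws-17", "203.0.113.10", 443, 612)
       for i, j in enumerate(BEACON_JITTER)]
# ws-22 is a person browsing: bursts, long idle gaps, varying sizes.
LOG += [(BASE + t, "ws-22", "198.51.100.5", 443, 900 + 50 * k)
        for k, t in enumerate((0, 12, 107, 114, 524, 557, 2357, 2359))]
# Three evenly spaced hits are too few to judge and must not be flagged.
LOG += [(BASE + 900 * i, "ws-22", "198.51.100.5", 80, 400) for i in range(3)]


def beacon_candidates(records, min_hits=6, max_jitter=0.15, ports=(80, 443)):
    """Group connections by (src, dst, port) and score the regularity of each
    group's inter-arrival times with the coefficient of variation (stdev/mean).
    Human browsing is bursty (cv well above 1); a sleep-loop implant is tight
    (cv near 0). Returns {(src, dst, port): {"count", "mean_interval", "cv"}}
    for groups with at least min_hits connections and cv <= max_jitter.
    """
    groups = defaultdict(list)
    for ts, src, dst, port, _ in records:
        if port in ports:
            groups[(src, dst, port)].append(ts)

    findings = {}
    for key, times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_jitter:
            findings[key] = {"count": len(times),
                             "mean_interval": round(avg, 1),
                             "cv": round(cv, 3)}
    return findings


if __name__ == "__main__":
    for (src, dst, port), info in beacon_candidates(LOG).items():
        print(f"{src} -> {dst}:{port}: {info['count']} hits every "
              f"~{info['mean_interval']} s (cv={info['cv']})")
```

Implants that randomise their sleep interval exist precisely to defeat this, so treat max_jitter as a tuning knob, not a fixed truth: widen it, add the uniformity of bytes_out as a second signal, and baseline per host over days rather than minutes. Run it over proxy or firewall logs aggregated per (source, destination, port); the constructed log only shows the shape of the signal.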
McAfee SaaS Architecture Vision

- Collaboration Proxies
- Agent-based Collectors
- Threat Feeds
- Vulnerability Probes
- Real-time Threat Analyzers
- Data Protection Vaults
- Authentication and Trust Brokers
- Intelligent Dashboards

McAfee SaaS Architecture Vision
An intelligent security fabric that wraps around the Enterprise
Find out more

Visit Global Micro Solutions: http://www.globalmicro.co.za

Editor's notes

Shady RAT: McAfee® Labs™ researchers gained access to the history log files of an attacking command and control (C&C) server and uncovered details of five years of attacks propagated by the Shady RAT advanced persistent threat (APT). Spear phishing works.

Coveted data: closely guarded national secrets; source code; bug databases; email archives; negotiation plans; exploration details for new oil/gas field auctions; document stores; legal contracts; supervisory control and data acquisition (SCADA) configurations; design schematics.

Motivation: attackers have a variety of motivations. Stolen data now reaches into petabytes (one quadrillion bytes, or 1,000 terabytes) of content, as far as we know. We don't know where all of that information has gone, who has accessed it, or what they have done with it. Every geography is affected; every type of organisation (public, private, government) is affected; every size of organisation (government agencies to nonprofits) is affected. Attacks are long-lived and persistent: the longest attack duration was 28 months, and the average across the 70+ organisations identified was 8.75 months.

Night Dragon: starting in 2009, coordinated attacks against global oil, energy, and petrochemical companies began. The Night Dragon attacks work by methodical and progressive intrusions into the targeted infrastructure.

Countermeasures:
- Block unwanted infiltration: email security, web security and comprehensive endpoint protection help detect and stop inadvertent downloads of malicious programs; firewall and intrusion prevention systems (IPS) block malware downloads and deny unauthorized access by command and control servers.
- Block unauthorized changes: application whitelisting and database activity monitoring stop unauthorized access and changes.
- Stop sensitive data from being harvested and exfiltrated: data encryption and data loss prevention protect sensitive data.
- Know what's going on inside your network: network behavior analysis can identify compromised systems based on traffic behavior anomalies.
- Achieve a global perspective: knowing just your own network isn't sufficient; you need a global understanding of all threats worldwide to protect yourself.