Safe never sleep - a peek into the IT underworld
Security briefing from McAfee and Global Micro - Microsoft Hosting Partner of the Year 2010 and 2011
Presentation by Christo Van Staden, www.globalmicro.co.za
Follow me on Twitter: @jjrmilner
6. Advanced Persistent Threats
What is an Advanced Persistent Threat?
1. An attack by a sophisticated adversary with deep resources and advanced penetration skills, engaged in electronic espionage to support long-term strategic goals
2. An over-abused marketing term used by point-product security vendors to refer to "bad things from the Internet"
APTs have specific targets
8. Malware Used in APTs
Simple blacklisting, signature-based solutions with MD5 hashes yield a low rate of true positives.
Average file size: 121.85 kb
Most common APT file names: Svchost.exe, explore.exe, lprinp.dll, wiinzf21.dll
Anomaly detection avoidance: outbound HTTP connections, process injection and service persistence
Communication: 100 percent of backdoors connect outbound-only; 83 percent use TCP port 80 or 443; 17 percent are mixed
10. Operation Shady RAT
Shady RAT advanced persistent threat (APT).
Active command and control (C&C) server accessed by McAfee® Labs™
Evidence of five years of attacks
Most common attack vector: spearphishing
15. Night Dragon
Methodical and Progressive
1. Attacker sends a spear-phishing email containing a link to a compromised web server
2. User opens infected email and the compromised website is accessed; a RAT is downloaded.
3. User account information and host configuration information is sent to a C&C server
4. Attacker uses RAT malware to conduct additional reconnaissance and systems compromises and to harvest confidential data
(Diagram labels: Email, Web, Internet, C&C)
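The "Malware Used in APTs" indicators above (system-binary file names such as svchost.exe and explore.exe, outbound-only backdoors on TCP 80/443) and steps 2-3 of the Night Dragon chain (RAT runs, then calls out to C&C) can be turned into host-level detection logic. The following is an added example, not code from the McAfee or Global Micro material; the event format, process list and addresses are constructed for illustration.

```python
# Added example (not code from the McAfee / Global Micro deck): a toy host-log analyser
# for the "Malware Used in APTs" indicators. Event format and all values are constructed.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "services.exe"}
SYSTEM_DIR = r"c:\windows\system32"                         # where the real binaries live
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}    # expected to talk on 80/443

def edit_distance(a, b):
    """Levenshtein distance; catches names one typo away from a system binary."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(name):
    """Return the system binary `name` impersonates (exactly one edit away), else None."""
    return next((s for s in SYSTEM_NAMES if edit_distance(name, s) == 1), None)

def analyse(events):
    """Walk process-start and connection events in order; return (rule, pid, note) tuples."""
    procs, findings = {}, []
    for ev in events:
        if ev["type"] == "process_start":
            procs[ev["pid"]] = ev
            folder, _, name = ev["image"].lower().rpartition("\\")
            target = None if name in SYSTEM_NAMES else lookalike(name)
            if name in SYSTEM_NAMES and folder != SYSTEM_DIR:   # real name, wrong directory
                findings.append(("masquerade", ev["pid"], f"{name} outside {SYSTEM_DIR}"))
            elif target:                                        # near-miss name (explore.exe)
                findings.append(("lookalike", ev["pid"], f"{name} resembles {target}"))
        elif ev["type"] == "net_connect" and ev["direction"] == "out" and ev["dport"] in (80, 443):
            proc = procs.get(ev["pid"])   # outbound-only traffic on web ports blends with browsing
            if proc:
                folder, _, name = proc["image"].lower().rpartition("\\")
                if name not in BROWSERS and folder != SYSTEM_DIR:
                    findings.append(("beacon", ev["pid"], f"{name} -> {ev['dst']}:{ev['dport']}"))
    return findings

# Constructed telemetry: clean svchost, RAT under a system name in a temp folder, a lookalike that beacons
SAMPLE_EVENTS = [
    {"type": "process_start", "pid": 100, "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "process_start", "pid": 200, "image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe"},
    {"type": "process_start", "pid": 300, "image": r"C:\Windows\Temp\explore.exe"},
    {"type": "process_start", "pid": 400, "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"type": "net_connect", "pid": 400, "direction": "out", "dst": "203.0.113.10", "dport": 443},
    {"type": "net_connect", "pid": 300, "direction": "out", "dst": "198.51.100.7", "dport": 443},
]
```

Calling `analyse(SAMPLE_EVENTS)` yields three findings: a masquerade for pid 200 and a lookalike plus beacon for pid 300, while the browser's own 443 connection is ignored. A one-edit threshold is deliberately tight so that legitimate near names such as iexplore.exe are not flagged.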
18. Stuxnet
The Stuxnet Trojan was discovered in mid-June 2010 by an antimalware company in Belarus called VirusBlokAda.
It was signed with a real-looking but faked signature attributed to Realtek Semiconductor, one of the biggest producers of computer equipment.
The certificate was valid through June 10 and Stuxnet's drivers were signed in late January. It was about a week after the certificate expired that the anti-malware community first saw Stuxnet in the wild.
The malware searched the compromised system in an attempt to access the Siemens Windows SIMATIC WinCC SCADA systems database. It used a hard-coded password in the WinCC Siemens system to access operational data of the control systems stored in WinCC software's SQL database.
23. McAfee: Complete End-to-End Protection Against All Phases of APT Attacks
Steps to Protection
Step 1 Reconnaissance: Network DLP (prevents sensitive data from leaving)
Step 2 Network Intrusion: Firewall (blocks APT connection via IP reputation); Web Gateway (detects/blocks obfuscated malware); Email Gateway (blocks spear-phishing emails and links to malicious sites); Network Threat Response (detects obfuscated malware); Network Security Platform (stops malicious exploit delivery)
Step 3 Establish Backdoor: Firewall (detects/blocks APT back-channel communication); Network Threat Response (detects APT destination IPs); Application Whitelisting (prevents backdoor installation)
24. McAfee: Complete End-to-End Protection Against All Phases of APT Attacks
Steps to Protection
Step 4 Install Command and Control Utilities: Web Gateway (detects/blocks access to malicious applications); Application Whitelisting (prevents unauthorized changes to systems)
Step 5 Data Ex-filtration: Unified DLP (prevents data from leaving the network)
Step 6 Maintaining Persistence: Network User Behavioral Analysis (identifies unexpected user behavior during APT reconnaissance and data collection phases)
26. McAfee SaaS Architecture Vision
An intelligent security fabric that wraps around the Enterprise
27. Find out more
Visit Global Micro Solutions: http://www.globalmicro.co.za
Editor's notes
Step #1 Reconnaissance; Step #2 Network Intrusion; Step #3 Establish Backdoor; Step #4 Install Command and Control Utilities; Step #5 Data Ex-filtration; Step #6 Maintaining Persistence
Step 1 Reconnaissance: Network DLP (prevent sensitive data from leaving)
Step 2 Network Intrusion: Firewall (blocks APT connection via IP reputation); Web Gateway (detects/blocks obfuscated malware); Email Gateway (block spear-phishing emails, links to malicious sites); Network Threat Response (detects obfuscated malware); Network Security Platform (stops malicious exploit delivery)
Step 3 Establish Backdoor: Firewall (detects/blocks APT back-channel communication); Network Threat Response (detects APT destination IPs); Application Whitelisting (prevent backdoor installation)
Step 4 Install Command and Control Utilities: Web Gateway (detects/blocks access to malicious applications); Application Whitelisting (prevent unauthorized changes to systems)
Step 5 Data Ex-filtration: Unified DLP (prevent data from leaving the network)
Step 6 Maintaining Persistence: Network User Behavioral Analysis (identifies unexpected user behavior during APT reconnaissance and data collection phases)
McAfee® Labs™ researchers recently gained access to the history log files of an attacking command and control (C&C) server and uncovered details of five years of attacks propagated by the Shady RAT advanced persistent threat (APT).
Spear phishing works.
What was taken:
- Closely guarded national secrets
- Source code
- Bug databases
- Email archives
- Negotiation plans
- Exploration details for new oil/gas field auctions
- Document stores
- Legal contracts
- Supervisory control and data acquisition (SCADA) configurations
- Design schematics
Attackers have a variety of motivations.
Stolen data now reaches into petabytes (1 quadrillion bytes, or 1,000 terabytes) of content, as far as we know. We don't know where all of that information has gone, who has accessed it, or what they have done with it.
Every geography is affected. Every type of business (public, private, government) is affected. Every size of business (government agencies to nonprofits) is affected.
Attacks are long-lived and persistent. The longest attack duration was 28 months (the average across the 70+ companies identified was 8.75 months).
Starting in 2009, coordinated attacks against global oil, energy, and petrochemical companies began. The Night Dragon attacks work by methodical and progressive intrusions into the targeted infrastructure.
Block unwanted infiltration: Email security, Web security and comprehensive Endpoint Protection help detect and stop inadvertent downloads of malicious programs. Firewall and Intrusion Prevention Systems (IPS) block the downloads of malware and deny unauthorized access by command and control servers.
Block unauthorized changes: Application Whitelisting and Database Activity Monitoring stop unauthorized access and changes.
Avoid sensitive data being harvested and exfiltrated: Data Encryption and Data Loss Prevention protects sensitive
Know what's going on inside your network: Network behavior analysis can identify compromised systems based on traffic behavior anomalies.
Achieve a global perspective: Knowing just your own network isn't sufficient; you need a global understanding of all threats worldwide to protect yourself.