The mission of the IBM X-Force research and development team is to:
- Research and evaluate threat and protection issues
- Develop new technology for tomorrow's security challenges
- Deliver security protection for today's security problems
- Educate the media and user communities
- Washington Post, October 2006: "Computer Systems Under Attack"
- BusinessWeek, April 2008: "An Evolving Crisis"
- BusinessWeek, July 2009: "Under Cyberthreat: Defense Contractors"
- A plethora of articles beginning in early 2010
What is APT?
Advanced
- Using exploits for unreported vulnerabilities (zero day)
- Advanced, custom malware that isn't detected by antivirus products
- Coordinated attacks using a variety of vectors
Persistent
- Attacks lasting for months or years
- Resistant to remediation attempts
- Attackers are dedicated to the target: they WILL get in
Threat
- Targeted at specific individuals and groups within an organization, aimed at compromising confidential information
- Not random attacks: they're actually out to get you
Reconnaissance
- Identification of a target and method of compromise
- The initial target is not always the true target
Social Engineering
- Most commonly spear-phishing (email or IM that appears to come from a known, trusted source)
- The message contains a malicious payload or a link to a web page that hosts malicious code
0-Day Tools
- Attacks involve exploitation of never-before-seen vulnerabilities discovered by the attackers
- Not all malware in APT cases is undetectable, but the majority of malware used during the initial compromise is custom
Adaptive
- The attacker will observe remedial actions and adjust accordingly
- They'll use their least sophisticated attacks first
Persistence
- Attackers are patient and will watch targets for long periods of time
- Attackers install multiple backdoors to ensure continued access to the target network
Command and Control
- Usually port 80 (HTTP) or 443 (HTTPS)
- Traffic is encrypted, obfuscated, or both
- No listening ports or incoming connections: incoming connections are easy to detect, and firewalls prevent them anyway
Targeted:
- Modified code on programmable logic controllers (PLCs)
- Code modifications only occurred in limited circumstances:
  - Code that controls particular frequency converter drives from specific vendors
  - Drives that operate in particular frequency ranges
Harden
Your original security posture may need to be reconsidered.
Email Security
- Don't allow incoming e-mail spoofed from your organization's addresses
- Consider e-mail signing
Access Control
- How well managed are your access policies? Do people only have access to what they need access to?
- How hardened is your access control system? Multifactor authentication can complicate the attacker's task
- Review access policies frequently
Physical Segmentation
- Frequently used by the DoD
- Can you afford separate systems for web browsing and for sensitive work? Some data never needs exposure to the Internet
- "It has become clear that Internet access in itself is a vulnerability that we cannot mitigate. We have tried incremental steps and they have proven insufficient." - Mark Foulon, Bureau of Industry and Security, US Dept of Commerce
- Consider all forms of connectivity: what is your policy on USB sticks?
- IPS and firewalls and even anti-virus can actually help; each point solution is part of a complete breakfast
Detect
You cannot detect everything, but if you can detect something, you can pull on that thread and unravel complicated attacks.
User
- Educate targeted employees
- Make education personal; this is not a compliance activity
- Again, the goal isn't to stop all spear phishing, since some people will still fall prey; the goal is to detect some of it
Network
- 0-day attack heuristics
- Shell code obfuscation
System
- Out-of-policy configuration changes
- Buffer overflow detection
- Application whitelisting
Remediate
- Determine if other hosts have communicated with C&C systems; network evidence logging can help in this respect
- Use system management tools to search for configuration changes associated with the malware
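As an added example (not from the original slides), the remediation step of checking which other internal hosts reached the C&C destinations learned from the first compromised machine, run over a few constructed proxy-log lines. The log format, the hostnames and the C&C indicator values are all assumptions made for the example; real indicators come from the investigation.

```python
import re
from collections import defaultdict

# Constructed proxy/flow log lines (not real traffic). Assumed format:
# timestamp client_ip dest_host:dest_port bytes_out
SAMPLE_LOG = """\
2010-03-01T08:02:11 10.1.4.22 example-cc.invalid:443 1832
2010-03-01T08:03:40 10.1.4.22 updates.example.org:80 912
2010-03-01T08:17:09 10.1.7.105 example-cc.invalid:443 1790
2010-03-01T08:22:51 10.1.9.13 intranet.corp.invalid:80 4410
2010-03-01T09:02:13 10.1.4.22 example-cc.invalid:443 1841
2010-03-01T09:44:02 10.1.2.77 203.0.113.45:80 660
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+):(\d+)\s+(\d+)$")


def parse_log(text):
    """Yield (timestamp, client, dest, port, bytes) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts, client, dest, port, nbytes = m.groups()
            yield ts, client, dest, int(port), int(nbytes)


def hosts_contacting(text, indicators, ports=(80, 443)):
    """Map each internal host that reached a known C&C destination to its contact count.

    indicators: destination hostnames/IPs (lowercase) taken from the compromised host.
    By default only the outbound ports the slides call out (80 and 443) are considered,
    since the C&C channel blends into ordinary web traffic on those ports.
    """
    hits = defaultdict(int)
    for _, client, dest, port, _ in parse_log(text):
        if dest.lower() in indicators and port in ports:
            hits[client] += 1
    return dict(hits)


if __name__ == "__main__":
    # Placeholder indicators for the example; in an incident these are the
    # destinations observed on the host already known to be compromised.
    cc = {"example-cc.invalid", "203.0.113.45"}
    for host, n in sorted(hosts_contacting(SAMPLE_LOG, cc).items()):
        print(f"{host}: {n} contact(s) with known C&C destinations")
```

Each host the function returns is a candidate for the same configuration-change search the next step describes, rather than being treated as clean because no alert fired on it.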
Feedback
- Integrate lessons about malware and attacks into the network and end-host defense systems used in the detection phase