Combating Advanced Persistent Threat and other Targeted Attacks: An Iterative Approach

IBM X-Force Mission

The mission of the IBM X-Force research and development team is to:
Research and evaluate threat and protection issues Develop new technology for tomorrows security challenges Deliver security protection for todays security problems Educate the media and user communities

Advanced Persistent Threat in the news

Washington Post, October 2006: Computer Systems Under Attack BusinessWeek, April 2008: An Evolving Crisis BusinessWeek, July 2009: Under Cyberthreat: Defense Contractors A plethora of articles beginning in early 2010

Myths about Advanced Persistent Threat

APT is a new threat. APT is a botnet. APT isnt very sophisticated. All sophisticated attacks are APT. All APT style attacks have the same origin & motive. If you buy our product it will protect you from APT.

What is APT?
Advanced Using exploits for unreported vulnerabilities (zero day) Advanced, custom malware that isnt detected by antivirus products Coordinated attacks using a variety of vectors Persistent Attacks lasting for months or years Resistant to remediation attempts Attackers are dedicated to the target they WILL get in Threat Targeted at specific individuals and groups within an organization, aimed at compromising confidential information Not random attacks theyre actually out to get you

Sophisticated Targeted Attacks

Reconnaissance
Identification of a target and method of compromise Initial target is not always the true target

Social Engineering
Most commonly spear-phishing (email or IM that appears to come from a known trusted source) Message contains a malicious payload or a link to a web page that has malicious code

0-Day Tools
Attacks involve exploitation of never-before-seen vulnerabilities discovered by the attackers Not all malware in APT cases is undetectable but the majority of malware used during the initial compromise is custom

Spear Phishing Example of e-mail with malicious PDF

Sophisticated Targeted Attacks

Covert
Attacker will remain patient and will attempt to conceal activity by masquerading as a normal user Attacker will attempt to cover their actions by using legitimate accounts and protocols when possible

Privilege Escalation and Lateralization

Most often the attacker will attempt to utilize a current account and obtain any information they can with those privileges Some APT cases have involved the creation of new accounts with administrative privilege

Adaptive
Attacker will observe remedial actions and adjust accordingly Theyll use their least sophisticated attacks first

Persistence
Attackers are patient and will watch targets for long periods of time Attackers install multiple backdoors to ensure continued access to the target network

Malware command and control (C&C) characteristics

Usually port 80 (HTTP) or 443 (HTTPS) Traffic is encrypted, obfuscated, or both No listening ports or incoming connections
Easy to detect incoming connections Firewalls prevent this anyways

Commands can be embedded in compromised web pages

Privilege escalation and lateralization

10

10

A key example: Stuxnet

Sophisticated:
Included exploits for 4 unpatched (0-day) vulnerabilities Included components signed with stolen digital certificates Spread through numerous network vectors and crossed air gaps with USB sticks Infected developer machines with a rootkit that hid the malware and the code changes it was making

Targeted:
Modified code on programmable logic controllers (PLCs) Code modifications only occurred in limited circumstances
Code that controls particular frequency converter drives from specific vendors Drives that operate in particular frequency ranges

Collateral Damage Worldwide infections

11

Responding to Targeted Attacks: An Iterative Approach

12

Harden
Your original security posture may need to be reconsidered. Email Security
Dont allow incoming e-mail spoofed from your organizations addresses Consider e-mail signing How well managed are your access policies? Do people only have access to what they need access to? How hardened is your access control system? Multifactor authentication can complicate the attack's task Review access policies frequently Frequently used by the DoD Can you afford separate systems for web browsing and for sensitive work? Some data never needs exposure to the Internet

Identity and Access Management

Physical Segmentation

"It has become clear that Internet access in itself is a vulnerability that we cannot mitigate. We have tried incremental steps and they have proven insufficient." - Mark Foulon, Bureau of Industry and Security, US Dept Of Commerce
Consider all forms of connectivity what is your policy on USB sticks? IPS and Firewalls and even Anti-Virus can actually help Each point solution is part of a complete breakfast

Keep up with traditional security measures

13

Detect
You cannot detect everything, but if you can detect something, you can pull on that thread and unravel complicated attacks. User
Educate targeted employees Make education personal, this is not a compliance activity Again, the goal isnt to stop all spear phishing, some people will still fall prey - the goal is to detect some of it

Network
0 Day Attack Heuristics
Shell Code Obfuscation

Protocol anomalies Unexpected Encryption Known Command and Control protocols

System
Out of policy configuration changes Buffer Overflow detection Application whitelisting
14

Ahead of the threat

Operation Aurora

15

Analyze and Remediate

Captured attacks should be analyzed
Execute exploits in a controlled environment and monitor Determine command and control protocol and IP addresses Determine registry and other system changes Honeypot attackers and watch their activity Collect as much information as possible!

Remediate
Determine if other hosts have communicated with C&C systems
Network evidence logging can help in this respect

Use system management tools to search for configuration changes associated with the malware

Feedback
Integrate lessons about malware and attacks into network and end host defense systems used in the detection phase

16

Were here to help!

IBM Computer Emergency Response Services In the U.S.:1-888-241-9812 Outside the U.S.: (001) 602-220-1440 24/7/365

17

18

Trademarks and disclaimers

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries./ Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce. ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office. UNIX is a registered trademark of The Open Group in the United States and other countries. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates. Other company, product, or service names may be trademarks or service marks of others. Information is provided "AS IS" without warranty of any kind. The customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Information concerning non-IBM products was obtained from a supplier of these products, published announcement material, or other publicly available sources and does not constitute an endorsement of such products by IBM. Sources for non-IBM list prices and performance numbers are taken from publicly available information, including vendor announcements and vendor worldwide homepages. IBM has not tested these products and cannot confirm the accuracy of performance, capability, or any other claims related to nonIBM products. Questions on the capability of non-IBM products should be addressed to the supplier of those products. All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. Some information addresses anticipated future capabilities. Such information is not intended as a definitive statement of a commitment to specific levels of performance, function or delivery schedules with respect to any future products. Such commitments are only made in IBM product announcements. The information is presented here to communicate IBM's current investment and development activities as a good faith effort to help with our customers' future planning. Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput or performance improvements equivalent to the ratios stated here. Prices are suggested U.S. list prices and are subject to change without notice. Starting price may not include a hard drive, operating system or other features. Contact your IBM representative or Business Partner for the most current pricing in your geography. Photographs shown may be engineering prototypes. Changes may be incorporated in production models. IBM Corporation 2011. All rights reserved. References in this document to IBM products or services do not imply that IBM intends to make them available in every country. Trademarks of International Business Machines Corporation in the United States, other countries, or both can be found on the World Wide Web at http://www.ibm.com/legal/copytrade.shtml.

19