Combating Advanced Persistent Threat and other Targeted Attacks: An Iterative Approach
IBM X-Force Mission
The mission of the IBM X-Force® research and development team is to:
• Research and evaluate threat and protection issues
• Develop new technology for tomorrow’s security challenges
• Deliver security protection for today’s security problems
• Educate the media and user communities
Advanced Persistent Threat in the news
• October 2006: Computer Systems Under Attack, BusinessWeek
• April 2008: An Evolving Crisis, BusinessWeek
• July 2009: Under Cyberthreat: Defense Contractors
• A plethora of articles beginning in early 2010…
Myths about Advanced Persistent Threat
• If you buy our product it will protect you from APT.
• APT isn’t very sophisticated.
• All sophisticated attacks are APT.
• All APT style attacks have the same origin & motive.
• APT is a botnet.
• APT is a new threat.
What is APT?
• Attacks aimed at compromising confidential information
  – Not random attacks – they’re actually “out to get you”
• Advanced
  – Using exploits for unreported vulnerabilities (zero day)
  – Advanced, custom malware that isn’t detected by antivirus products
  – Coordinated attacks using a variety of vectors
• Persistent
  – Attacks lasting for months or years
  – Resistant to remediation attempts
  – Attackers are dedicated to the target – they WILL get in
• Threat
  – Targeted at specific individuals and groups within an organization
Sophisticated Targeted Attacks
– Identification of a target and method of compromise
– Initial target is not always the true target
– Most commonly spear-phishing (email or IM that appears to come from a known trusted source)
– Message contains a malicious payload or a link to a web page that has malicious code
– Attacks involve exploitation of never-before-seen vulnerabilities discovered by the attackers
– Not all malware in APT cases is undetectable, but the majority of malware used during the initial compromise is custom
Spear Phishing: example of an e-mail with a malicious PDF (screenshot)
Sophisticated Targeted Attacks
– Attacker will remain patient and will attempt to conceal activity by masquerading as a normal user
– Attacker will attempt to cover their actions by using legitimate accounts and protocols when possible
Privilege Escalation and Lateralization
– Most often the attacker will attempt to utilize a current account and obtain any information they can with those privileges
– Some APT cases have involved the creation of new accounts with administrative privilege
– Attacker will observe remedial actions and adjust accordingly
– They’ll use their least sophisticated attacks first
– Attackers are patient and will watch targets for long periods of time
– Attackers install multiple backdoors to ensure continued access to the target network
Malware command and control (C&C) characteristics
■ No listening ports or incoming connections
  – Easy to detect incoming connections
  – Firewalls prevent this anyways
■ Usually port 80 (HTTP) or 443 (HTTPS)
■ Traffic is encrypted, obfuscated, or both
■ Commands can be embedded in compromised web pages
A key example: Stuxnet
– Included exploits for 4 unpatched (0-day) vulnerabilities
– Included components signed with stolen digital certificates
– Spread through numerous network vectors and crossed air gaps with USB sticks
– Infected developer machines with a rootkit that hid the malware and the code changes it was making
– Modified code on programmable logic controllers (PLCs)
  • Code modifications only occurred in limited circumstances
  • Code that controls particular frequency converter drives from specific vendors
  • Drives that operate in particular frequency ranges
– Collateral damage – worldwide infections
Responding to Targeted Attacks: An Iterative Approach
Harden
• Your original security posture may need to be reconsidered.
  – "It has become clear that Internet access in itself is a vulnerability that we cannot mitigate. We have tried incremental steps and they have proven insufficient." – Mark Foulon, US Dept of Commerce, Bureau of Industry and Security

Email Security
– Don’t allow incoming e-mail spoofed from your organization’s addresses
– Consider e-mail signing

Identity and Access Management
– How well managed are your access policies?
– Do people only have access to what they need access to?
– How hardened is your access control system?
– Multifactor authentication can complicate the attacker’s task
– Review access policies frequently
– Can you afford separate systems for web browsing and for sensitive work?
  • Frequently used by the DoD
– Some data never needs exposure to the Internet
– Consider all forms of connectivity – what is your policy on USB sticks?

Keep up with traditional security measures
– IPS and Firewalls and even Anti-Virus can actually help
– Each point solution is part of a “complete breakfast”
Detect
• You cannot detect everything; the goal is to detect some of it
  – 0 Day Attack Heuristics
    • Shell Code
    • Obfuscation
  – Protocol anomalies
  – Unexpected Encryption
  – Known Command and Control protocols
  – Out of policy configuration changes
  – Buffer Overflow detection
  – Application whitelisting
• User
  – Educate targeted employees
  – Make education personal; this is not a compliance activity
  – Again, the goal isn’t to stop all spear phishing; some people will still fall prey, but if you can detect something you can pull on that thread and unravel complicated attacks
Analyze and Remediate
• Captured attacks should be analyzed
  – Execute exploits in a controlled environment and monitor
  – Determine command and control protocol and IP addresses
  – Determine registry and other system changes
  – Honeypot attackers and watch their activity
  – Collect as much information as possible!
– Determine if other hosts have communicated with C&C systems
• Network evidence logging can help in this respect
– Use system management tools to search for configuration changes associated with the malware
– Integrate lessons about malware and attacks into network and end host defense systems used in the detection phase
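An added example (not from the original deck) that ties the C&C characteristics, the Detect heuristics (protocol anomalies, unexpected encryption on port 80/443) and the Remediate step (which other hosts talked to the C&C systems) together over a small network evidence log. The log records, addresses, payload samples and entropy threshold are all constructed; a real sensor would supply the first bytes of each flow.

```python
import math
from collections import Counter, defaultdict

# Constructed network evidence log (not from the original deck): one outbound
# flow per record as (timestamp, source host, dest IP, dest port, first payload bytes).
CIPHER_A = bytes.fromhex("8f1ca37ed2449b06e15ac83370bd12f9 3b6ee042a977c51fd80b9456fe2c61a8")
LOG = [
    ("2011-03-01T09:00:01", "10.1.1.20", "93.184.216.34", 80, b"GET /index.html HTTP/1.1\r\nHost: www"),
    ("2011-03-01T09:00:05", "10.1.1.20", "203.0.113.7", 80, CIPHER_A),        # beacon, looks encrypted
    ("2011-03-01T09:00:09", "10.1.1.31", "203.0.113.7", 80, CIPHER_A[::-1]),  # second host, same C&C
    ("2011-03-01T09:00:12", "10.1.1.44", "198.51.100.9", 443, b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1"),
    ("2011-03-01T09:00:15", "10.1.1.44", "198.51.100.9", 443, b"HELO backdoor 1.2 key=7f3a\r\n"),
]
HTTP_START = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"HTTP/")
TLS_RECORD = b"\x16\x03"   # TLS handshake record header (content type 22, version 3.x)
ENTROPY_LIMIT = 4.5        # constructed threshold for a 32-byte sample (maximum is 5.0)

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; near the maximum means ciphertext-like."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(port: int, payload: bytes) -> list:
    """Return the Detect-slide heuristics that fire on a single flow."""
    reasons = []
    if port == 80 and not payload.startswith(HTTP_START):
        reasons.append("protocol anomaly: non-HTTP on port 80")
        if entropy(payload) > ENTROPY_LIMIT:   # no TLS here, so encryption is unexpected
            reasons.append("unexpected encryption: high-entropy payload on port 80")
    if port == 443 and not payload.startswith(TLS_RECORD):
        reasons.append("protocol anomaly: cleartext on port 443 (no TLS handshake)")
    return reasons

def detect(log):
    """Detect phase: map each destination IP to the reasons it was flagged."""
    flagged = defaultdict(set)
    for _, _, dst, port, payload in log:
        for reason in classify(port, payload):
            flagged[dst].add(reason)
    return dict(flagged)

def hosts_that_contacted(log, c2_ips):
    """Remediate phase: every internal host that talked to a flagged C&C address."""
    hosts = defaultdict(set)
    for _, src, dst, _, _ in log:
        if dst in c2_ips:
            hosts[dst].add(src)
    return dict(hosts)
```

Running `hosts_that_contacted(LOG, detect(LOG))` on the sample log flags both constructed C&C addresses and shows that 10.1.1.31 also beaconed to 203.0.113.7 even though only 10.1.1.20 was the host originally analyzed.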
We’re here to help!
IBM Computer Emergency Response Services, 24/7/365
In the U.S.: 1-888-241-9812
Outside the U.S.: (001) 602-220-1440
Trademarks and disclaimers
© IBM Corporation 2011. All rights reserved.