Advanced Attack Groups (Objectives, Tactics, Countermeasures), February 27, 2013

DESCRIPTION

Advanced Attack Groups (Objectives, Tactics, Countermeasures), February 27, 2013. Mandiant Corporation: computer information security consulting; software (host inspection and network monitoring tools); enterprise-wide intrusion investigations; financial crimes and national security compromises. PowerPoint (PPT) presentation.

TRANSCRIPT

Advanced Attack Groups (Objectives, Tactics, Countermeasures)
February 27, 2013

Copyright 2010

MANDIANT CORPORATION
- Computer Information Security Consulting
- Software: Host Inspection/Network Monitoring Tools
- Enterprise-Wide Intrusion Investigations
- Financial Crimes, National Security Compromises
- 380+ Investigations Since 2008, >2M and >20K Hosts
- Offices: DC, NYC, LA, San Francisco
- PCI PFI Certified, FS-ISAC Affiliate Member, GCHQ/CESG/CPNI Cyber Incident Response Pilot


Agenda (March 17, 2013, Page 2)
- Information Targeted By Attackers
- Attack Group Profiles
- Intrusion Case Examples
- Investigative Approach
- Why It Continues To Happen
- Countermeasures: Strategic and Tactical
- The Future
- Questions and Answers


Targeted Information

Information Targeted By Attackers

Category | Objective | Examples
Financial | Personally Identifiable Info | Identity Theft Or Inadvertent Loss
Financial | ATM Withdrawals | RBS Worldpay $9.3M
Financial | Payment Card Data | TJX, Hannaford, Heartland
Financial | ACH Transactions | Finance Person Targeted
Intelligence | Intellectual Property | Corporate Misdeeds
Intelligence | Corporate Strategy | Senior Exec E-Mail
Intelligence | Attorney/Client Comm | Gipson Hoffman & Pancione
Intelligence | R&D Material | Many Industries
Intelligence | Government Plans | Democratic Natl Committee
Intelligence | Military Secrets | F35 Lightning Fighter Jet
Intelligence | Energy Infra Architecture | Rumored Data Collection
Other | Destruction/Disruption/Leaks | Insiders, Hacktivists

Major Attack Groups

The Rogue/The Disgruntled
- Not As Sophisticated Or Practiced
- Limited Resources Available
- Smallest Impact
- Easier To Investigate Than Other Actors


Hacktivists
- Focused On Notoriety/Cause
- Loosely Organized: Small Groups
- Low (Follow Script) To Moderate (SQL Injection) Skills
- Frequent Use Of Publicly Available Tools
- Capitalize On Common Security Vulnerabilities
- More Disruptive Than Dangerous

Organized Crime
- Financially Motivated: Obtain/Sell Info
- Good Bankers: Understand ATM/PIN/HSM
- Microsoft-Centric: Bypass Mainframe, AS/400
- Highly Automated: Move Fast, Reuse Tools
- Compromise More Systems Than Used
- Persistence Has Not Been A Hallmark

The Advanced Persistent Threat
- Focused On Intelligence Gathering and Occupation
- Target Specific Organizations
- Nation State Sponsored
- What It Is Not: Botnet/Worm, Script Kiddies, Financial Criminals, Simplistic Malware

How The APT Is Different

Motivation & Tenacity
- Their goal is occupation
- Persistent access to network resources
- Political and economic insight
- Future use / fear / deterrent

Organization & Orchestration
- Division of labor
- Malware change management
- Escalation only as necessary
- Countermeasures increase attack sophistication

Technology
- Custom Malware
- Leverage various IP blocks to avoid filtering and detection
- Few sustainable signatures (pack & modify binaries)
- Malware recompiled days before installation
- Constant feature additions
- VPN Subversion
- Encryption

Intrusion Examples

Scareware
- Ill-Advised Browsing
- iFrame Popup With Virus Warning
- Install Rootkit Malware (Broad Functionality)
- Charge Victim's Payment Card
- Harvest Victim's Payment Card Information
- Valid Transaction, Rarely Reported
- Millions Of Victims
- User Awareness Is Primary Defense

Typical APT Attack - Conglomerate
- Law Enforcement Notification: April 2010
- 2007 Phishing Email Attack (Conference Attendance)
- 93 Systems Compromised
- Five Attack Groups Active Concurrently/Independently
- Lost Credentials: User, Domain Admin, Service Accounts
- 1 GB Of Email, Credentials (Incremental Only)
- Attacker Focus: Green Fuel Materials, R&D, Mfg Data

Financial Services Attack
- Law Enforcement Notification
- Server Misconfiguration Attack Vector
- In Network Two Months Prior to Theft
- Moved Laterally With Blank SA Passwords, RDP
- Dumped Credentials From Domain Controller
- Compromised/Accessed ~350 Systems
- Dumped Several Dozen Records from Target Database
- Determined PINs Using IVR Web Service
- Made $13M In Withdrawals At 2,300 ATMs
- Repeated Attacks from Unmanaged Infrastructure


Investigation: How Do We Investigate?

Conducting Investigations
- Determine Incident History, Steps Taken, Technical Environment, Objectives
- Collect Relevant Data
- Increase Monitoring And Enterprise-Wide Inspection Capabilities As Needed
- Conduct Forensic, Log and Malware Analysis To Identify Network And Host-Based Indicators Of Compromise
- Identify Attack Vector, Attacker Activities, Compromised Systems/Accounts, Data Exposure
- Report Status, Findings, Remediation Recommendations

Investigative Cycle

Primary Sources of Information
- Host inspection
- Full network monitoring/analysis
- Log analysis: near real-time, historical
- Malware reverse engineering
- Systems inspection: live response analysis, in-depth forensic analysis, memory analysis

The new model for incident investigation follows a cyclical process. Based on the initial leads, usually provided by the FBI, we begin creating indicators of compromise for both hosts and the network.

We then deploy these IOCs throughout the organization's environment.

This allows us to identify suspect systems that the attackers may have compromised.

We then collect forensic evidence and analyze it to determine whether the system was part of the compromise. This analysis often leads to new IOCs that we can deploy to find additional suspect systems for analysis.

In addition to traditional host-based forensic data, we also apply indicators of compromise to multiple log sources to identify additional attacker activity. This, in turn, can lead to additional IOCs that we can then apply to the cycle.

Successful Investigations Require
- Technical Expertise: Forensics, Malware, Log Analysis
- Investigative Skills: Organize The Situation, Understand The Attacker, Recognize/Take The Right Next Step
- Management Skills: Identification/Elimination of Obstacles
- Communication Skills: When/How Needed
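The cycle described above (seed IOCs, sweep hosts and logs, analyze suspects, derive new IOCs, sweep again until nothing new turns up) is small enough to show end to end. The following is an added example, not Mandiant's code or tooling; the hostnames, file hashes, IP addresses and proxy log lines are all constructed, and the "artifacts" are stand-ins for what a host inspection pass would collect.

```python
"""Iterative IOC sweep modelled on the investigative cycle above.

Added example, not Mandiant's code or tooling. Hostnames, hashes, IP
addresses and log lines are constructed for the demonstration.
"""
from dataclasses import dataclass, field


@dataclass
class HostArtifacts:
    """What a host-inspection pass collected from one system (constructed)."""
    name: str
    file_hashes: set = field(default_factory=set)
    outbound_ips: set = field(default_factory=set)
    services: set = field(default_factory=set)


@dataclass
class IOCSet:
    """Host- and network-based indicators, grouped by type."""
    hashes: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    services: set = field(default_factory=set)

    def add(self, other):
        self.hashes |= other.hashes
        self.ips |= other.ips
        self.services |= other.services


def match_host(host, iocs):
    """Indicator types that fire on this host's artifacts (empty list = no hit)."""
    hits = []
    if host.file_hashes & iocs.hashes:
        hits.append("hash")
    if host.outbound_ips & iocs.ips:
        hits.append("ip")
    if host.services & iocs.services:
        hits.append("service")
    return hits


def match_logs(log_lines, iocs):
    """Hostnames whose proxy log entries reach a known-bad address.

    Each constructed line is '<timestamp> <hostname> <destination-ip>'.
    """
    return {line.split()[1] for line in log_lines if line.split()[2] in iocs.ips}


def expand_iocs(host, baseline):
    """Pivot from a confirmed host: every artifact that is not in the
    known-good baseline becomes an indicator for the next sweep."""
    return IOCSet(
        hashes=host.file_hashes - baseline.hashes,
        ips=host.outbound_ips - baseline.ips,
        services=host.services - baseline.services,
    )


def sweep(hosts, log_lines, seed, baseline):
    """Run the cycle until a round finds no new suspect systems.

    Returns (confirmed hostnames, final indicator set, rounds executed).
    """
    iocs = IOCSet(set(seed.hashes), set(seed.ips), set(seed.services))
    by_name = {h.name: h for h in hosts}
    confirmed = set()
    rounds = 0
    while True:
        rounds += 1
        # Deploy the current indicators against host artifacts and log sources.
        suspects = {h.name for h in hosts if match_host(h, iocs)}
        suspects |= match_logs(log_lines, iocs)
        new = suspects - confirmed
        if not new:
            return confirmed, iocs, rounds
        # Forensic analysis of each new suspect yields indicators for the next round.
        for name in new:
            confirmed.add(name)
            if name in by_name:  # hosts seen only in logs have no artifacts yet
                iocs.add(expand_iocs(by_name[name], baseline))


# Known-good artifacts present on every host (constructed).
BASELINE = IOCSet(hashes={"sha1:office-suite-installer"},
                  ips={"198.51.100.5"},  # internal update server
                  services={"Spooler"})

HOSTS = [  # constructed inspection results
    HostArtifacts("ws01", {"sha1:backdoor-dropper", "sha1:office-suite-installer"},
                  {"203.0.113.10", "198.51.100.5"}, {"Spooler", "Wmi Helper"}),
    HostArtifacts("ws02", {"sha1:office-suite-installer"}, {"203.0.113.10"}, {"Spooler"}),
    HostArtifacts("srv03", {"sha1:office-suite-installer", "sha1:credential-dumper"},
                  {"198.51.100.5"}, {"Spooler", "Wmi Helper"}),
    HostArtifacts("ws04", {"sha1:office-suite-installer"}, {"198.51.100.5"}, {"Spooler"}),
    HostArtifacts("ws06", {"sha1:credential-dumper"}, set(), {"Spooler"}),
]

PROXY_LOGS = [  # constructed; ws05 was never inspected, only logged
    "2013-02-20T10:01:02 ws04 198.51.100.5",
    "2013-02-20T10:03:44 ws05 203.0.113.10",
]

SEED = IOCSet(hashes={"sha1:backdoor-dropper"})  # the initial lead

if __name__ == "__main__":
    found, final_iocs, n = sweep(HOSTS, PROXY_LOGS, SEED, BASELINE)
    print(f"{n} rounds; compromised: {sorted(found)}")
    print(f"indicators: {final_iocs}")
```

Only the seed hash is known at the start; the C2 address and the unexpected service name come out of the first confirmed host, the credential-dumper hash out of the second round, and one host (ws05) is implicated purely through the proxy log. The baseline subtraction is what keeps ordinary software and infrastructure from being promoted to indicators and flagging every host.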

Why Does It Continue To Happen?
- Limited Awareness of:
  - The Threats/Attackers/Actors and Their Motives
  - What is Possible: Advanced Phishing, Defeating Two-Factor, Obtaining Valid Credentials
- Lack Understanding of Actual Attacker Tactics:
  - Hacking Web Apps or Staging Phishing Campaigns?
  - Using Cached Credentials or Attacking Domain Controllers?
  - Using Backdoors, VPN Accounts or Web Shells?


Why Does It Continue To Happen?
- Tendency to Focus on Security Best Practices Instead of What Attackers Actually Do
- Lack of Visibility:
  - Inadequate Logging - Detail/Retention
  - Unmanaged Infrastructure
  - Unreconciled M&A Activity
- Operational Expediency:
  - Two-Factor Authentication Is Hard to Administer
  - Dealing With Multiple Complex Passwords Creates Issues
  - Network Segmentation Makes App Deployment Difficult


Why Does It Continue To Happen?
- Misplaced Faith in Compliance Audits: Last 50 PCI Breaches, How Many Were Compliant?
- Spend Money Instead of Time:
  - Solving Problems with Technology Is Appealing
  - Fixing People Problems Is Hard
  - Fixing Process Problems Is Hard/Boring


Addressing The Issues

Addressing The Issues - Strategic
- Educate Your People, Clients, Suppliers, Partners: Security Awareness, Attacker Profiles/Tactics
- Turn Up Logging/Monitoring, Gain Visibility
- Obtain Senior Management Awareness/Support
- Invest in Appropriate Practices: Focus on People and Process First
- Implement Technology That Addresses True Issues:
  - Install Whitelisting on Domain Controllers
  - Establish/Enforce Strong Passwords: User, Admin, Service
  - Limit Number of Cached Local Credentials
- Recognize That Execution Trumps Strategy


Addressing The Issues - Tactical
- Understand What They Do And Take It Away
- Conduct In Parallel With Investigation
- Rebuild Systems
- Whitelist Domain Controllers
- Remove Local Admin Rights
- Conduct Enterprise-Wide Credential Change
- Increase Logging
- Establish Host Inspection Capability
- Establish Network Monitoring Capability
- Segment Networks
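Two of the items in the strategic and tactical lists, limiting cached local credentials and removing local admin rights, are verifiable from data already collected during host inspection. The following added example (not Mandiant's tooling) audits per-host snapshots against a policy: it parses a .reg export of the Winlogon key, which is where Windows stores the CachedLogonsCount value (a real setting the slides do not name; Windows uses 10 when it is absent), and the member list printed by `net localgroup Administrators`. The snapshot text, hostnames and the CORP domain are constructed.

```python
"""Audit constructed host snapshots for the cached-credential limit and
local Administrators membership.

Added example, not Mandiant's tooling. CachedLogonsCount under the Winlogon
key is a real Windows setting (default 10 when absent); the snapshot text,
hostnames and CORP domain below are constructed.
"""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINDOWS_DEFAULT_CACHE = 10  # value Windows applies when CachedLogonsCount is not set


def parse_reg_export(text):
    """Turn a .reg export into {key_path: {value_name: data}} (REG_SZ and dword only)."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if current is None or not m:
            continue
        name, data = m.groups()
        if data.startswith("dword:"):
            result[current][name] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            result[current][name] = data[1:-1]
    return result


def cached_logons(reg):
    """Effective CachedLogonsCount for a parsed export."""
    value = reg.get(WINLOGON_KEY, {}).get("CachedLogonsCount")
    return WINDOWS_DEFAULT_CACHE if value is None else int(value)


def parse_local_admins(net_output):
    """Member names from 'net localgroup Administrators' output."""
    members, in_members = [], False
    for line in net_output.splitlines():
        if line.startswith("----"):
            in_members = True
            continue
        if line.startswith("The command completed"):
            break
        if in_members and line.strip():
            members.append(line.strip())
    return members


def audit_host(name, reg_text, net_text, max_cached=1, allowed_admins=()):
    """Return (check, detail) findings; an empty list means the host meets policy."""
    findings = []
    cached = cached_logons(parse_reg_export(reg_text))
    if cached > max_cached:
        findings.append(("cached_logons",
                         f"{name}: CachedLogonsCount={cached}, policy allows {max_cached}"))
    for member in parse_local_admins(net_text):
        if member not in allowed_admins:
            findings.append(("local_admin",
                             f"{name}: unexpected local Administrators member {member}"))
    return findings


ALLOWED_ADMINS = {"Administrator", r"CORP\Domain Admins"}  # constructed policy

WINLOGON_HEADER = "Windows Registry Editor Version 5.00\n\n[" + WINLOGON_KEY + "]\n"
NET_HEADER = ("Alias name     Administrators\n\nMembers\n\n"
              "-------------------------------------------------------------------------------\n")

SNAPSHOTS = {  # constructed (.reg export, net localgroup output) per host
    "ws01": (WINLOGON_HEADER + '"CachedLogonsCount"="10"\n"AutoAdminLogon"="0"\n',
             NET_HEADER + "Administrator\nCORP\\Domain Admins\nCORP\\jsmith\n"
             "The command completed successfully.\n"),
    "srv02": (WINLOGON_HEADER + '"CachedLogonsCount"="0"\n',
              NET_HEADER + "Administrator\nCORP\\Domain Admins\n"
              "The command completed successfully.\n"),
}

if __name__ == "__main__":
    for host, (reg, net) in SNAPSHOTS.items():
        for check, detail in audit_host(host, reg, net, 1, ALLOWED_ADMINS):
            print(check, detail)
```

The default-when-absent rule matters in practice: a host with no explicit CachedLogonsCount caches ten logons, so an audit that only flags explicit values would pass exactly the machines that were never hardened.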

Prioritizing Remediation Initiatives

Attack lifecycle (diagram): Initial Recon, Initial Compromise, Establish Foothold, Escalate Privileges, Internal Recon, Move Laterally, Maintain Presence, Complete Mission. Diagram labels: Detect, Inhibit, Respond; Threat Intelligence, Operational Complexities, Resource Constraints, Operational Visibility, Business Drivers.

The Future

The Future
- We See Progress with Victim Organizations:
  - Small Number Unable to Remove Attacker (