
Advanced persistent threats – Coming to a network near you Barry Hensley Director, Counter Threat Unit

Upload: dell-enterprise

Post on 08-Jun-2015


Category: Technology



DESCRIPTION

Advanced persistent threats – Coming to a network near you. Barry Hensley, Director, Counter Threat Unit; Jeff Schilling, Director, Security & Risk Consulting

TRANSCRIPT

Page 1: Advanced Persistent Threats– Coming to a Network Near You - Barry Hensley Director, Counter Threat Unit and Jeff Schilling Director, Security & Risk Consulting

Advanced persistent threats – Coming to a network near you

Barry Hensley, Director, Counter Threat Unit

Page 2

Advanced persistent threats – Coming to a network near you

Jeff Schilling, Director, Security & Risk Consulting

Page 3

Confidential

Public breaches are tip of the iceberg…

Advanced persistent threats


A “who,” not a “what”

• Specifically targeted because you have something they want

• Will invest time and resources until they achieve the objective

• Can and will adapt until they win

Organized. Efficient. Tenacious.

Your cash, intellectual property, access credentials, intelligence and access to your infrastructure are all on someone’s wish list

Page 4

Scope of APT is bigger than you think…

APT tracking:

• ~800 hard-coded command and control IPs

• ~14,500 command and control hostnames

• ~900 actor-registered APT domain names

• ~200 unique malware families (thousands of samples)

Page 5

APT methods are not limited

• Compromised numerous domain admin accounts

• Dozens of external IPs from different network address blocks and geographic locations, associated with attacker

• Attackers deleted their tools and recovered credentials after use.

• Forensic review identified attacker presence over 180 days

Victim’s network access points were distributed across multiple sites and access mechanisms, including different VPN endpoints, Virtual Desktop Infrastructure (VDI) systems, Outlook Web Access (OWA) interface, and several Microsoft SharePoint portals

Page 6

The struggle to defend

37%

Insufficient visibility + insufficient counter-measures = ripe for breach

Most organizations fail to notice APT until long after compromise

“I don’t know if I am being targeted and how.”

“I don’t know if I have been compromised.”

“I can’t stop the threat before it reaches my assets.”

“I can’t completely remove the threat’s presence and access.”

Page 7

Your best defense*

Successful defense against advanced threats requires integrated threat intelligence, security operations and incident response. Each element fuels the others, maximizing your chance of thwarting the adversary.

Threat intelligence

Security operations

Incident response

• Know your adversaries and their methods

• Detect threat activity earlier in the kill chain

• Disrupt the kill chain and stop the attack

• Eradicate actor presence and remove the threat

Page 8

Dell provides your best defense

Integrated solutions that deliver exceptional protection against advanced threats.

Know your adversaries, detect their activity, disrupt the kill chain and eradicate their presence with Dell’s Advanced Threat Management solutions

1. Counter Threat Unit Intelligence Group

2. 24 x 7 Managed Security Services

3. Incident Response Services

Page 9

Counter Threat Unit Intelligence Group

The relentless pursuit of who and how

[Chart placing CTU, AV vendors and IPS vendors on two axes: Targeted to Broad, and Advanced to Commodity]

Elite cyber-intelligence experts provide

• Insight into attackers and tradecraft

• “Over the horizon” threat anticipation

• Countermeasures against emerging threats

Page 10

24x7 Managed Security Services*

Global visibility: 7 SOCs, thousands of customers

[Diagram labels: Data; Counter Threat Unit; Counter Threat Platform: counter-measures, intelligence, flexibility, scalability]

• Detect and respond to threats 24x7x365

• Protect against emerging threats

Page 11

Incident response services*

Phases: Assessment/identification; Containment; Root cause analysis, forensic analysis, data loss assessment; Reporting

What was breached and how. Disrupt and contain the threat. Thoroughly eradicate and prevent re-entry.

Example engagement timeline (the timeline bar is labelled “Active attack” throughout):

• Day 0: Breach detected

• Day 2: IT staff tries to remediate

• Day 4: Seeks 3rd party help

• Day 6: Engages Dell SecureWorks

• Day 7: Incident Response contract in place

• Day 7 + 2: Boots on the ground

• Day 7 + 3: Malware analyzed, actor profiled

• Day 7 + 5: Entry point and scope confirmed

• Day 7 + 6: Malware and actor presence removed

• Day 7 + 8: Engagement reported and lessons learned. END

Page 12

Codename “Wisconsin”

Real world APT breach at a Research Institute

Page 13

Wisconsin targeted and compromised

February: The attack begins

• APT attacker launched two “spear-phishing” campaigns targeting “Wisconsin”

February-September: Wisconsin is breached

• Attacker gained access to Wisconsin’s network

• Established outbound communications

• Expanded access, obtained privileged credentials

• Installed persistence measures to strengthen foothold

• Exfiltrated data

September: Wisconsin sees the threat

• Administrators first noticed odd activity

• Domain Administrator account exhibited unusual behavior

Page 14

Wisconsin turns to Dell for help*

October 14-17: Wisconsin reached out for help

• Contacted Dell SecureWorks

• Dell SecureWorks IR specialists arrive onsite and initiate response process

• Initial assessment reveals A/V trigger for password dump tool on a host

• Isolated all compromised systems

• Blocked related traffic at all network boundaries

• Implemented intermediate countermeasures to detect and prevent re-entry

• Infected machines cleaned and rebuilt

October 18-24: Breach confirmed and assessed

• Host forensics confirm infiltration and timeframes

• Detected compromised accounts via event correlation

• Swept environment for additional compromised systems

• Conducted data loss assessment

October 25: Threat contained and removed
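The “detected compromised accounts via event correlation” step above can be made concrete. The following is an added example written for this page, not Dell SecureWorks code: it correlates successful-logon records (in the shape of Windows Security event 4624) for a set of domain admin accounts and flags two of the behaviours the case studies describe: a privileged account used from many hosts in a short window (the “Domain Administrator account exhibited unusual behavior” on the previous slide) and a privileged logon arriving from outside the internal address space (the external IPs and VPN/OWA access points of the earlier case). The account names, internal ranges, the one-hour/three-host thresholds and every log record are constructed assumptions; 203.0.113.76 is a documentation-range address standing in for an attacker source.

```python
"""Event correlation for compromised privileged accounts.

Added example for this write-up, not Dell SecureWorks tooling. Account
names, address ranges, thresholds and log records are constructed
assumptions; 203.0.113.0/24 is a documentation range standing in for an
attacker address.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Hypothetical domain admin accounts and internal address space.
PRIVILEGED = {"CORP\\da-backup", "CORP\\da-jsmith"}
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed records in the shape of Windows Security event 4624 (successful
# logon): timestamp, account, workstation name, source IP, logon type.
EVENTS = [
    ("2011-09-12 01:02:11", "CORP\\da-backup", "BKUP01",  "10.1.5.20",     4),
    ("2011-09-12 02:14:03", "CORP\\da-jsmith", "WS-0417", "10.2.8.41",     3),
    ("2011-09-12 02:15:40", "CORP\\da-jsmith", "WS-0219", "10.2.8.77",     3),
    ("2011-09-12 02:17:02", "CORP\\da-jsmith", "FS02",    "10.1.5.31",     3),
    ("2011-09-12 02:19:55", "CORP\\da-jsmith", "SQL01",   "10.1.5.40",     3),
    ("2011-09-12 02:21:12", "CORP\\da-jsmith", "OWA01",   "10.1.5.50",     3),
    ("2011-09-12 03:40:00", "CORP\\da-backup", "VPN-GW",  "203.0.113.76", 10),
    ("2011-09-12 09:05:30", "CORP\\jdoe",      "WS-0102", "10.2.9.12",     2),
]


def parse(events):
    """Normalise raw tuples into (datetime, account, host, IPv4Address, type),
    sorted by time so per-account lists come out in order."""
    rows = [
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), acct, host, ip_address(ip), lt)
        for ts, acct, host, ip, lt in events
    ]
    rows.sort(key=lambda r: r[0])
    return rows


def is_internal(ip):
    return any(ip in net for net in INTERNAL)


def correlate(events, window=timedelta(hours=1), max_hosts=3):
    """Return a list of findings for privileged accounts.

    external_source: a privileged logon whose source address is outside the
    internal ranges (for example via a VPN or OWA endpoint).
    lateral_spread:  a privileged account used from more than max_hosts
    distinct hosts inside any sliding window of length `window`.
    """
    findings = []
    by_account = defaultdict(list)
    for ts, acct, host, ip, lt in parse(events):
        if acct not in PRIVILEGED:
            continue
        by_account[acct].append((ts, host))
        if not is_internal(ip):
            findings.append({"kind": "external_source", "account": acct,
                             "host": host, "source": str(ip),
                             "logon_type": lt, "when": ts})
    for acct, rows in by_account.items():
        worst, start = set(), 0
        for end in range(len(rows)):
            # Advance the window start until rows[start:end+1] fits in `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            hosts = {h for _, h in rows[start:end + 1]}
            if len(hosts) > len(worst):
                worst = hosts
        if len(worst) > max_hosts:
            findings.append({"kind": "lateral_spread", "account": acct,
                             "hosts": sorted(worst), "window": window})
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

On the constructed data this reports the da-backup logon from 203.0.113.76 (logon type 10, a remote interactive session) and da-jsmith touching five hosts within seven minutes; da-backup’s two internal logons are hours apart and stay below the threshold. In practice the thresholds are tuned per account class, and the source would be a SIEM or log retention system, which is exactly what the “lessons learned” slide notes the victim lacked.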

Page 15

Wisconsin gets the bad news

Four APT campaigns discovered in Wisconsin’s network

Malicious domain          Date of activity   Country of origin
***.edu.Freshdns.org      16 June, 2011      Vietnam
211.***.***.76            29 June, 2011      Korea
***.edu.Blankchair.com    29 June, 2011      Hong Kong
***.edu.Bcvziy.com        29 June, 2011      China

Clear evidence of communication with malicious APT domains at least since June.

(“Wisconsin” had no log data prior to June.)

Page 16

Wisconsin’s lessons learned

Lacked even basic security controls

• No dual administrator accounts

• No network-based intrusion detection or prevention systems

• No log retention system

• No security event monitoring and analysis

• Poor segregation for sensitive systems

Wisconsin’s Security Management did not take the threat of APT seriously.

Now on path to

• Customer brought in new security management

• Working with Dell to implement proper controls and develop a good IR plan

Page 17

Session Evaluation Survey

Please help Dell meet your needs by filling out the Session Evaluation Surveys

On the Dell World app:

1. Select My Schedule

2. Select session to evaluate

3. Select Surveys

4. Select survey title

5. Simply complete the survey

Or on paper: forms in room; turn in on the way out
