APT - The Threat That Keeps On Giving

Upload: eiq-networks

Post on 15-Aug-2015

TRANSCRIPT

Page 1: APT -  The Threat That Keeps On Giving

Copyright © 2014 EiQ Networks, Inc. All rights reserved.

Chris Schweigert – Director of SOCVue Security Operations

MSIA, CISSP, GSNA, OSCE, SFCP, CCNP-Security, SFCSE, CCDA, CMNA, ITIL v3

APT: The threat that keeps on giving

Page 2

Attention grabber

Verizon DBIR 2014

Page 3

Attention grabber

"The Chinese have penetrated every major corporation of any consequence in the United States and taken information," he said. "We've never, ever not found Chinese malware."

– Ex-NSA Director Mike McConnell (March 12, 2015)

Verizon DBIR 2014

Page 4

Agenda

• APT Life Cycle

• Areas of focus for defense and Response

• Strategies for recovering from an APT Attack

Page 5

APT Life Cycle

• Phase 1 Reconnaissance

• Phase 2 Social Engineering

• Phase 3 Initial exploitation attempt

• Phase 4 Establishing a Presence

• Phase 5 Pivoting

• Phase 6 Data Exfiltration

• Phase 7 Maintaining Persistence

Page 6

Reconnaissance

• Collecting enough data to start building your attack
  – Tools: theHarvester, Maltego, Nmap, unicornscan, Metasploit
  – Techniques:
    • Looking at online content (Facebook, LinkedIn, Twitter)
    • Dumpster diving
    • USB drops

Page 7

Reconnaissance

Page 8

Social Engineering

www.social-engineer.org

Page 9

Initial Exploitation Attempts

• Extensive research
  – Attempt to mimic the environment they will attack
  – Extensive vulnerability research

• Testing
  – Develop zero-day exploits that have a higher likelihood of subverting the security controls the attacker believes are in place

• Attempting the attack

Page 10

Establishing a Presence

Information Gathering

Social Engineering

Exploitation Attempts

Page 11

Pivoting

Page 12

Data Exfiltration

• Getting data out as soon as possible, without being caught.
  – Egress filtering on their firewalls?
  – Are ports 80 and 443 wide open outbound?
  – Can you identify anomalous outbound traffic?

Page 13

Persistent Presence

• Attackers may exploit several systems within an environment to use as fallbacks.

• Attackers may not steal information all at one time.

• Several of the steps in the lifecycle of an APT will repeat as they progress towards their goal.

• APT, as the name implies, is a prolonged attack often carried out over months or years.

Page 14

Defenses

• Monitor key user accounts

• PATCH

• Defensive measures should start with your data!

• Encrypted Data in transit, in use, and at rest?

• Monitor and investigate System changes!

• Assume there is already someone inside your network

• Establish a baseline of your network activity

• The attackers are persistent and the defenses need to be persistent as well.
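The egress questions on the Data Exfiltration slide ("Can you identify anomalous outbound traffic?") and the "establish a baseline of your network activity" defense above come down to the same check. The Python below is an added example, not code from the EiQ deck or its products: it builds a per-host baseline from constructed flow records, then reports flows to ports outside an assumed egress allow-list, hosts that have no baseline at all, and volumes more than k standard deviations above the host's mean. Every hostname, port and byte count is made up for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records (src_host, dst_port, bytes_out) from a
# "known good" observation window. Hosts, ports and sizes are made up.
BASELINE_FLOWS = [
    ("ws-01", 443, 120_000), ("ws-01", 80, 40_000), ("ws-01", 443, 150_000),
    ("ws-02", 443, 90_000), ("ws-02", 443, 110_000), ("ws-02", 80, 30_000),
    ("ws-03", 443, 100_000), ("ws-03", 443, 95_000), ("ws-03", 80, 35_000),
]

# Constructed flows from a later window that the baseline is checked against.
TODAY_FLOWS = [
    ("ws-01", 443, 130_000),     # ordinary browsing volume
    ("ws-02", 443, 2_400_000),   # roughly 20x this host's usual bytes per flow
    ("ws-03", 4444, 5_000),      # small, but to a port the egress policy never allowed
    ("lab-07", 443, 10_000),     # host never seen in the baseline window
]

# Assumed egress allow-list. The deck asks whether 80/443 are "wide open"
# outbound; the point is to enumerate what is permitted, not to block nothing.
ALLOWED_EGRESS_PORTS = {53, 80, 443}


def build_baseline(flows):
    """Per-host (mean, population stdev) of bytes_out per flow."""
    per_host = defaultdict(list)
    for host, _port, nbytes in flows:
        per_host[host].append(nbytes)
    return {host: (mean(v), pstdev(v)) for host, v in per_host.items()}


def check_egress(flows, baseline, allowed_ports=ALLOWED_EGRESS_PORTS, k=3.0):
    """Return (host, port, reason) for every flow that breaks policy or the baseline.

    A flow gets at most one reason, tested in order of how cheap and certain
    the evidence is: disallowed port, then unknown host, then volume outlier.
    """
    findings = []
    for host, port, nbytes in flows:
        if port not in allowed_ports:
            findings.append((host, port, "disallowed_port"))
        elif host not in baseline:
            findings.append((host, port, "no_baseline"))
        else:
            mu, sigma = baseline[host]
            # With sigma == 0 (every baseline flow identical) any larger flow is flagged.
            if nbytes > mu + k * sigma:
                findings.append((host, port, "volume_anomaly"))
    return findings


if __name__ == "__main__":
    for finding in check_egress(TODAY_FLOWS, build_baseline(BASELINE_FLOWS)):
        print("%-7s port %-5d %s" % finding)
```

Run against itself the baseline window produces no findings, which is the sanity check to do before trusting any alert from it; a real deployment would key the baseline on host and destination port, and on bytes per day rather than per flow, but the structure of the check is the same.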
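"Monitor and investigate system changes" is, at its simplest, a hash baseline of the files that matter and a diff against it on a schedule. The following Python is an added example, not part of the deck or of EiQ's products: it snapshots a directory to SHA-256 digests, then classifies every path as added, removed or modified relative to an earlier snapshot. The demo directory, file names and contents are constructed in a temporary folder; nothing reads a real system path.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every regular file under root (by relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Classify each path as added, removed or modified relative to the baseline."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a config directory, change it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp)
        # Made-up starting state of the directory being monitored
        (cfg / "sshd_config").write_text("PermitRootLogin no\n")
        (cfg / "crontab").write_text("0 3 * * * /usr/local/bin/backup\n")
        baseline = snapshot(cfg)

        # Changes of the kind the slide says to investigate rather than ignore
        (cfg / "sshd_config").write_text("PermitRootLogin yes\n")   # weakened setting
        (cfg / "rc.local").write_text("/opt/unknown-agent/start\n")  # new startup hook
        (cfg / "crontab").unlink()                                   # backup job removed
        return diff_snapshots(baseline, snapshot(cfg))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline itself has to live somewhere the monitored host cannot rewrite (a SIEM, a read-only share), otherwise whoever changed the files can change the digests to match.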

Page 15

Response

• Build a Team:
  – Define the role and purpose (in terms of scope, resources, skills, contacts, escalation)
  – Experienced and skilled full-time members
  – Involve cross-functional, multi-disciplinary areas of the organization in the process

• Rules of Engagement:
  – Create clearly defined rules of engagement for the incident response team
  – Define incidents, handling and escalation to clearly distinguish and prioritize

• Tools/Techniques:
  – Invest in technologies that support the collection of information to identify indicators and potential threats (SIEM tools)
  – Understand changes in compliance
  – Stay current on new threat trends and techniques

Page 16

Response (cont.)

• Preparedness:
  – Practice, practice, practice
  – Run table-top exercises on an ongoing basis
  – Dealing with the press
  – Lawyers and law enforcement
  – Test your backups

• Effectiveness Metrics:
  – Develop usable operational metrics to measure the overall effectiveness
  – Consider time-based measurements (How long does it take?)

• IoC Sharing:
  – Consider using third-party organizations to foster collaboration.
  – Look at industry information exchanges

Page 17

EiQ SecureVue®

• Continuous Security Intelligence Platform
  – SIEM & Log Management
  – Security Controls Monitoring
  – Configuration Auditing

Automates SANS Critical Security Controls

Page 18

SOCVue® Security Monitoring Service

• Managed Service
  – 24x7 Security Monitoring
  – SIEM & Log Management SaaS
  – Deployed On-Premises or in Cloud
  – Customized alerting, reporting & analysis

• Proactive Security Monitoring
  – Security controls monitoring
  – Vulnerability detection
  – Anomaly Detection
  – User Tracking and Watch lists

Page 19

Please visit www.eiqnetworks.com to learn more

Request a Demo of SecureVue

Request a Free Trial of SOCVue Monitoring Service

Thank You!