Trusselsbilledet (The Threat Landscape) - dau.dk
TRANSCRIPT
Copyright © 2015, FireEye, Inc. All rights reserved.
The Threat Landscape: From phishing and malware to industrial espionage and state terrorism
Introductions
§ Who am I?
  § Jens Christian Høy Monrad (@jenschm)
    - E-mail: [email protected]
  § Consulting Systems Engineer
  § Global Intelligence Liaison
§ Monitor European cyber threat activities
§ Relations with European LEA, *Certs, Intelligence
§ Trusted Advisor for European Fortune 500 / Global 2000 Enterprises
§ ENISA Threat Landscape Stakeholder
§ IT-Branchens sikkerhedsudvalg
§ Previous experience
  § Team Lead Security Intelligence Operations (EMEAR) – Global Enterprise
  § Abuse / Incident Handling Lead – Nordic Telcos & ISPs
Agenda
§ The Cyber Threat Landscape
§ Anatomy of a Targeted Attack
§ Examples
Breakthrough? – What about Europe?
25th September 2015 - The U.S. and China have agreed that neither government would support or conduct cyber-enabled theft of intellectual property, U.S. President Barack Obama said in a joint media conference with Chinese President Xi Jinping on Friday.
The Cyber Threat Landscape

            | Nuisance             | Data Theft                    | Cyber Crime       | Hacktivism                 | Network Attack
Objective   | Access & Propagation | Economic, Political Advantage | Financial Gain    | Defamation, Press & Policy | Escalation, Destruction
Example     | Botnets & Spam       | Advanced Persistent Threat    | Credit Card Theft | Website Defacements        | Destroy Critical Infrastructure
Targeted    | No                   | Yes                           | Yes               | Yes                        | Yes
Character   | Automated            | Persistent                    | Opportunistic     | Conspicuous                | Conflict Driven
Threat actors – The Traditional View
§ Crimeware Actors (Cyber crime gangs)
§ Hacktivists (Anonymous, LulzSec)
§ APT Actors (Nation State threats)
The reality - A Rainbow of Threat Actors
§ Hacktivists (Anonymous)
§ APT Actors (Nation-State threats)
§ Crimeware Actors (Cyber crime gangs)
Supply chain economics of a compromised host
§ 1st Monetisation Layer: Exploit (Social Eng / Drive-by / Targeted Email – KIT!) → C2
§ 2nd Monetisation Layer: Dropper (or Loader, Malware Delivery), Bootkits / Rootkits → C2 → 2nd Dropper → Payload (VPN, Proxy, RDP, Spam, Bitcoin, Data stealer, PPC, DDoS)
§ 3rd Monetisation Layer: Payload (VPN, Proxy, RDP, Spam, Bitcoin, Data stealer, PPC, DDoS) → C2
Source: “Measuring Pay-per-Install: The Commoditization of Malware Distribution” – Caballero, J. et al.
ANATOMY OF A TARGETED ATTACK
Initial Compromise → Establish Foothold → Escalate Privileges → Internal Recon → Move Laterally → Maintain Presence → Complete Mission

Initial Compromise
§ Social engineering
§ Spear phishing e-mail with custom malware
§ Strategic Web Compromises

Establish Foothold
§ Custom malware
§ Command and Control
§ 3rd-party application exploitation

Escalate Privileges
§ Credential theft
§ Password cracking
§ “Pass-the-hash”

Internal Recon
§ Critical system recon
§ System, active directory & user enumeration

Move Laterally
§ Net use commands
§ Reverse shell access

Maintain Presence
§ Backdoor variants
§ VPN subversion
§ Sleeper malware

Complete Mission
§ Staging servers
§ Data consolidation
§ Data theft
Examples
Dissecting an advanced attack – cfr.org
1. Check for the right environment
2. Store encoded malware in browser cache
3. Perform heap spray to load shellcode in memory
4. Load text file, decode to JavaScript and execute
5. Exploit IE8 vulnerability & execute the shellcode
6. Shellcode runs and decodes the malware
7. Final malware exposed and executed
Other advanced attacks (e.g. Aurora, Deputy Dog, Ephemeral Hydra, Miniduke) follow a similar approach.
Politically Motivated Cyber Attacks
Advanced Groups and techniques
APT Groups Using Political Themes in Spearphishing Attempts
AP Attack
RSA Attack
ICS
The Stuxnet Era
[Chart: Public ICS Vulnerabilities per Year, 2001–2014 (y-axis 0–250); series: vulns, exploits, malware; annotated with STUXNET and HAVEX & BLACK ENERGY 2]
Data Sources: ics-cert.us-cert.gov, osvdb.org, rapid7.com, gleg.net, scadavulns.com
Why don’t we hear about more ICS attacks?
1. Lack of data
2. Lack of visibility
Finding Potential Targets
§ SCADA: 4000+ people on LinkedIn
§ ICS: 500+ people on LinkedIn
§ PLC: 8000+ people on LinkedIn
§ HMI: 900+ people on LinkedIn
§ DCS: 1000+ people on LinkedIn
Finding Potential Targets
“SCADA Technician”, “SCADA Engineering”, “Hardware Lead Engineer”, “Technology Specialist”, “ICS Operations”, “Process Tester”, “Project Management”, “Engineer”, “Team Lead”, “Applied Manufacturing”, “Discipline Manager”, “DCS Programmer”, “Test Manager”, “Hardware Manager”, “Specialist”
Network Security Monitoring for ICS

Realities
1. ICS is becoming more, not less, connected
2. Security breaches are inevitable
3. ICS vulnerabilities will exist indefinitely

Vision
DETECT: ICS network instrumented and monitored by security personnel
RESPOND: Effective process for response to ICS cybersecurity incidents
CONTAIN: Business continuity and DR planning consider ICS asset compromise
Resources
§ Nordic Threat Report - https://www.fireeye.com/blog/threat-research/2015/05/cyber_threats_tocou.html
§ Utilities Security - https://www.fireeye.com/solutions/utilities.html
§ Highly Recommended - http://www.scadaandme.com
THANK YOU