
Advanced attacks and countermeasures
Why today’s CSOs must have military thinking
Teodor Cimpoesu, UTI CERT
CERT-RO, Bucharest, 03 Nov, 2014
Agenda
1. Advanced cyber attacks (7 min)
2. Military-imported cyber concepts (7 min)
3. Solutions and effective defenses (7 min)
Section 1: Advanced Cyber Attacks
Cyber threats evolution
[Chart: threat actors plotted by Danger against Complexity, rising from freelance hackers to kinetic cyber attacks]
• Freelance hackers
• Small criminal groups
• Terrorist groups
• Cyber espionage
• Organized crime
• Nation-state cyber attacks
• Kinetic cyber attacks
Critical infrastructure incidents
• Siberian pipeline (1982): intruders allegedly planted a Trojan in the SCADA system, causing an explosion equivalent to 3 kilotons of TNT (the account is disputed)
• Chevron (1992): the emergency alerting system was deactivated by an intruder
• Gazprom (1999): hackers, with insider help, gained control of the central switchboard that controls gas flow in the pipeline
• CSX Corporation (2003): the Sobig virus was reported to have shut down train signaling, dispatching and other systems in Florida at CSX Corporation, one of the largest transportation suppliers in the U.S.
• Davis-Besse nuclear power plant, Ohio, US (2003): plant network computers infected with the Slammer worm
• Natanz uranium enrichment facility (2010): major losses due to Stuxnet, which modified the code of the Siemens PLCs controlling the centrifuges
• Saudi Aramco (2012): a network of over 30,000 computers severely affected, all hard drives wiped
Source: "A Survey of SCADA and Critical Infrastructure Incidents", Bill Miller, Dale C. Rowe, Ph.D.
Cybercrime Ecosystem
[Chart: RAND's ladder of criminal organization, from least to most structured: Gang, Crime Group, Crime Organization, Syndicate, Cartel, Consortium]
• 5% of attacks are truly targeted; 95% are consumer-grade
• Actors: 70% individuals or small groups, 20% criminal organizations, 5% cyber-terrorists, 4% state-sponsored players
• The cost of traditional crime going cyber is over $150 billion, with a total estimate of $250 billion
• In 2009 it cost $50k to rent a botnet for a 24h DDoS attack; prices have gone down since
• The FBI takedown of Silk Road led to the seizure of $100 million in Bitcoins
• Most quantity: CN, Latin America, EE. Best quality: RU, UA, CN
• RU, RO, LT, UA and other EE actors mainly focus on attacking financial institutions
Source: RAND Corporation, Markets for Cybercrime Tools and Stolen Data (2014), www.rand.org
Goods and Services on the Black Market
[Table: columns Category / Definition / Examples]
Vendors offer guarantees (e.g. malware that stays undetectable for 12h), enforce Terms of Use (e.g. infect 1000 machines only), or may cancel the service (for too much noise).
They also invest in high-quality products: Paunch, the owner of the Blackhole exploit kit, was said to put in 100k USD for zero-days in just one round.
[Table: columns Exploit Kit / Price / Year]
Source: RAND Corporation, Markets for Cybercrime Tools and Stolen Data (2014), www.rand.org
Nation-state campaigns
[Table: columns Attacker / Targets / Initial vector & delivery / Control & persistence]

Energetic Bear (2014), Russian (supposed)
  Targets: defense & aviation (US, CA), energy ICS/SCADA vendors (EU), EU governments
  Initial vector / delivery: spear-phishing e-mail campaign (XDP-packaged PDF with SWF exploit); watering hole on third-party sites serving the LightsOut exploit kit, which drops a JAR; trojanized software installers
  Control / persistence: Havex RAT, SYSMain Trojan, Karagany backdoor

Hurricane Panda (2014), Chinese (supposed)
  Targets: infrastructure companies
  Initial vector / delivery: China Chopper webshell, then privilege escalation using CVE-2014-4113 (kernel-mode)
  Control / persistence: the RAT of choice has been PlugX, configured to use DLL side-loading

Sandworm (2014), Russian (supposed)
  Targets: UA government, EU governments, energy (specifically in Poland), European telecom, US academia
  Initial vector / delivery: spear phishing with a weaponized PowerPoint document exploiting CVE-2014-4114
  Control / persistence: not disclosed by iSIGHT

APT28 Group, multiple campaigns (2014), Russian (supposed)
  Targets: Georgia MIA & MOD, EE governments, NATO, EU security organizations
  Initial vector / delivery: spear-phishing e-mails with specially crafted lures tailored to the recipients, leading to a document carrying an exploit
  Control / persistence: a special implant FireEye calls CHOPSTICK

Axiom Group, Operation SMN (2014), Chinese (supposed)
  Targets: a six-year campaign against a broad spectrum of targets worldwide
  Initial vector / delivery: mainly watering holes and tailored spear phishing
  Control / persistence: highly customized, from Zox/Gresim and Hikit to Poison Ivy
Stages
1. Intelligence gathering – OSINT, CYBINT, HUMINT
2. Infecting the target – social engineering, BYOD, spear phishing, watering hole
3. System exploitation – zero-day exploits, half-day exploits + RATs
4. Internal recon – lateral movement and maintaining control
5. Data exfiltration – over FTP/HTTP, known or fake protocols
Strategies of attack
Matryoshka Attack
• Hide the targeted attack inside a general event that conceals it, e.g. a known botnet infection. Additionally, the attacker can mount a social-engineering attack in parallel as a decoy: forensics may turn up this obvious targeted attack and thus overlook the lower-profile, still potent botnet.
Impossible Attack
• Characterized by unexpected methods or channels of entry. The deception strategy is to breach a security perimeter through an unconventional means of ingress.
Panic Attack
• Create disturbances or simulate threats to the victim to obtain intelligence about a target resource.
• The deployment of additional monitoring in certain parts of the network reveals the location of high-value assets. The quarantine or shutdown of suspect machines, changes to compromised user accounts, or the incorporation of custom intrusion detection rules reveal the extent of the victim's knowledge about the attack. The provision of alternative computing infrastructure reveals the critical services required by the organization's operation.
Deceive & Decoy Attack
• Conceals adversarial activity or stolen data within a legitimate or benign-looking context. High-value assets are typically exfiltrated by obfuscating the data through compression or encryption and concealing it among common file transfer protocols such as FTP or HTTP, over popular application protocols, or hidden in legitimate-looking documents (through steganographic means).
Source: "Sherlock Holmes and The Case of the Advanced Persistent Threat", Ari Juels, Ting-Fang Yen, RSA (2012)
Today
"There is widespread agreement that advanced attacks are bypassing our traditional signature-based security controls and persisting undetected on our systems for extended periods of time. The threat is real. You are compromised; you just don't know it" – Gartner Inc. (2012)
Source: Gartner whitepaper, "Malware Is Already Inside Your Organization; Deal With It" (2014)
CEE Cyber Security Readiness
[Chart 1: "We had 3rd-party vulnerability assessments in the last 3 years", share of companies by country: Austria, Czech Republic, Hungary, Poland, Romania, Slovakia, Turkey, Total (0-100% scale)]
[Chart 2: "We have the best protection for ... external attacks" and "... disruptions and data loss", answers Highly Agree / Agree / Depends (0-50% scale)]
Companies do not regularly check their security standing and hope for the best.
Source: ICT Business Trends & Challenges in Austria, CEE and Turkey, Pierre Audoin Consultants (2014)
Section 2: Military-imported cyber security concepts
Information Security
[Diagram: security properties, including Authenticity and Non-repudiation]
Confidentiality vs. Integrity: you can make some money harvesting credit cards, but you can make a lot of money manipulating the stock market.
Security Metaphor: Go vs. Chess
Go
  Response: fluid, responsive
  Black moves first
  Main strategic focus: the corners, key points
  Objective: expand controlled territory
  Asymmetric game: extra steps
  Key ability: understand the threat, react timely
Chess
  Defense: centered, deep
  White moves first
  Main strategic focus: the center, open fields
  Objective: overwhelming attack (mate)
  Asymmetric defense: obstruct
  Key ability: master complexity / deep planning
Attack - Military concepts in cyber use
[Diagram: Kill Chain, OPSEC, Cyber Terrain, Disinformation / Diversion, Targeting, Threat Intelligence]
• Cyber Terrain - those physical and logical elements of the domain that enable mission-essential warfighting functions
• OPSEC - a systematic method used to identify, control and protect critical information, and to analyze friendly actions associated with military operations
• Targeting - the process of selecting and prioritizing targets and matching them with the appropriate response
• Disinformation / Diversion - actions executed to deliberately mislead the adversary. False targets such as honeypots can be used to learn about the adversary
• Threat Intelligence - a complex doctrine consisting of planning, collection, analysis, dissemination & integration, and evaluation of data
Attack - Stages (recap of the five stages from section 1: intelligence gathering, infecting the target, system exploitation, internal recon, data exfiltration)
The Kill Chain: Find -> Fix -> Track -> Target -> Engage -> Assess (F2T2EA)
Source: “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Eric M. Hutchins et al.
Image: http://www.digitalbond.com/blog/tag/cyber-kill-chain/
Intelligence-driven Computer
Network Defense
Source: “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary
Campaigns and Intrusion Kill Chains”, Eric M. Hutchins et al.
Defense - Risk Management
[Diagram: Risk Assessment fed by three inputs]
• Asset Management -> asset values, asset exposure
• Threat Modeling -> threat vectors
• Attack Modeling -> attack trees, attack-centric scenarios

Attack Modeling
[Diagram: an attack tree whose leaves are mapped onto the kill-chain phases Recon, Weaponize, Deliver, Exploit, Install, Command, Action]
Tree source: "Design and Implementation of a Support Tool for Attack Trees", Alexander Opel
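The attack-centric scenarios above become actionable once the tree is evaluated: the attacker picks the cheapest OR branch and must complete every step under an AND gate, so the cheapest path and the kill-chain phases it crosses tell the defender which single control raises the attacker's cost the most. The script below is an added example, not code from the presentation or from Opel's tool. The tree, its costs and its success probabilities are constructed to mirror the three Energetic Bear vectors listed earlier (spear phishing, watering hole, trojanized installer) and are assumptions, not measured values; the step names are illustrative.

```python
"""Attack-tree evaluation against kill-chain phases (added example; tree values are constructed)."""
from dataclasses import dataclass, field
from math import prod
from typing import Dict, List, Optional, Tuple


@dataclass
class Node:
    """A node of an attack tree: a leaf step (gate=None) or an AND/OR gate over its children."""
    name: str
    gate: Optional[str] = None   # "AND", "OR", or None for a leaf step
    cost: float = 0.0            # attacker effort for a leaf, arbitrary units (assumed)
    p_success: float = 1.0       # probability the leaf step works against current controls (assumed)
    phase: str = ""              # kill-chain phase of a leaf: Recon ... Action
    children: List["Node"] = field(default_factory=list)


def leaf(name: str, cost: float, p: float, phase: str) -> Node:
    return Node(name, cost=cost, p_success=p, phase=phase)


def cheapest_path(node: Node) -> Tuple[float, float, List[Node]]:
    """Return (total cost, success probability, leaf steps) of the attacker's cheapest way to satisfy node.

    AND gates require every child, so costs add and probabilities multiply (steps assumed independent);
    OR gates let the attacker take the cheapest child.
    """
    if node.gate is None:
        return node.cost, node.p_success, [node]
    branches = [cheapest_path(c) for c in node.children]
    if node.gate == "AND":
        return (sum(b[0] for b in branches),
                prod(b[1] for b in branches),
                [step for b in branches for step in b[2]])
    if node.gate == "OR":
        return min(branches, key=lambda b: b[0])
    raise ValueError(f"unknown gate {node.gate!r}")


def cost_by_phase(steps: List[Node]) -> Dict[str, float]:
    """Attacker effort on a path grouped by kill-chain phase: where a control would hurt the most."""
    totals: Dict[str, float] = {}
    for s in steps:
        totals[s.phase] = totals.get(s.phase, 0.0) + s.cost
    return totals


def harden(tree: Node, step_name: str, new_cost: float, new_p: float) -> None:
    """Model a defensive control by raising the cost and lowering the odds of every matching leaf step."""
    stack = [tree]
    while stack:
        n = stack.pop()
        if n.gate is None and n.name == step_name:
            n.cost, n.p_success = new_cost, new_p
        stack.extend(n.children)


def build_sample_tree() -> Node:
    """Constructed tree mirroring the Energetic Bear vectors: phishing, watering hole, trojanized installer."""
    def foothold() -> List[Node]:   # steps shared by the two client-side vectors
        return [leaf("Install RAT", 2, 0.8, "Install"),
                leaf("C2 over HTTP", 1, 0.9, "Command"),
                leaf("Exfiltrate over HTTP", 1, 0.9, "Action")]
    return Node("Obtain ICS vendor design documents", "OR", children=[
        Node("Spear phishing", "AND", children=[
            leaf("Harvest engineer e-mails (OSINT)", 1, 0.9, "Recon"),
            leaf("Weaponize PDF with purchased exploit", 5, 0.6, "Weaponize"),
            leaf("Deliver e-mail past gateway", 1, 0.5, "Deliver"), *foothold()]),
        Node("Watering hole", "AND", children=[
            leaf("Compromise third-party vendor site", 8, 0.5, "Deliver"),
            leaf("Serve exploit kit (JAR)", 4, 0.4, "Exploit"), *foothold()]),
        Node("Trojanized installer", "AND", children=[
            leaf("Compromise vendor download server", 15, 0.3, "Deliver"),
            leaf("Repackage installer with RAT", 3, 0.9, "Weaponize"),
            leaf("C2 over HTTP", 1, 0.9, "Command"),
            leaf("Exfiltrate over HTTP", 1, 0.9, "Action")]),
    ])


if __name__ == "__main__":
    tree = build_sample_tree()
    cost, p, steps = cheapest_path(tree)
    print(f"cheapest path: cost={cost} p={p:.3f} via {[s.name for s in steps]}")
    print("effort by phase:", cost_by_phase(steps))
    # An attachment sandbox at the mail gateway makes the Deliver step costly and unreliable; re-evaluate.
    harden(tree, "Deliver e-mail past gateway", new_cost=10, new_p=0.1)
    cost, p, steps = cheapest_path(tree)
    print(f"after hardening: cost={cost} p={p:.3f} via {[s.name for s in steps]}")
```

With the constructed values the cheapest path is spear phishing at cost 11 (success probability about 0.17), and most of that effort sits in the Weaponize phase; hardening the Deliver step pushes the attacker to the watering hole at cost 16. The model is only as good as its numbers, so treat the output as a way to rank controls against the scenarios, not as a forecast.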
The Defense Chain
[Diagram: the loop Plan -> Build -> Monitor -> Detect -> Respond -> Report -> Improve]
• Plan – what to protect, what your assets are, policies, what type of protective controls
• Build – acquire competencies, build skills and specialists, acquire tools (after the teams). Implement the solutions in your company
• Monitor – operate the technical solutions, have operational NSM/SIEM systems, perform reviews and drills (incident response exercises)
• Detect – check the output of the monitoring systems, validate the alerts and proactively search for IoA (indicators of attack)
• Respond – exercise the incident response plans; investigate, contain and remediate
• Report – gather information, analyze it, communicate to the right people
• Improve – keep the tools, procedures and processes in a maturing loop
Source: http://detect-respond.blogspot.ro/2014/10/the-defense-chain.html
Mindset
After the 1984 IRA bombing of the Grand Hotel in Brighton, England, targeting the British cabinet, the IRA issued a statement saying:
"We only have to be lucky once. You will have to be lucky always."
Section 3: Solutions and effective defenses
Modern IT Security
[Diagram: protection layers Perimeter Security, Server Infrastructure Security, Endpoint & Gateway, Apps Security, wrapped in the cycle Prepare -> Prevent -> Detect -> Respond with Threat Intel at the center]
Defense Chain mindset + Kill Chain mindset
How can the private sector help
1. Help do a proper risk evaluation and update your cyber policy
2. Test and validate the technical vulnerabilities at the key points
3. Implement the right security controls with the best technologies
4. Monitor the security for you, or help you do it right (SIEM-based)
5. Be your SWAT team when an incident strikes: do Incident Response
6. Be your investigator if you may be the target of cyber-espionage
certSIGN Service Provider and CSIRT
Service lines: SOC, Consulting, Managed Services, CSIRT, Special Services
Services: Vulnerability Assessment, Monitoring (SIEM), Alerting Services, Security validation (pen testing), Network Security, Incident Handling, Cyber Investigation, Security consulting, Communication Security, Vulnerability Handling, Threat Intelligence, Data Security, Forensics, Advanced Correlation, Malware Analysis, Special Projects, Endpoint Security, Vulnerability Analysis, Research & Development
CSIRT Services
Security Management: Risk Analysis, Security Consulting, Education/Training, BC & DR Plans
Proactive Services: Announcements, Technology Watch, Security Validation, Configuration Management, Network Security Management, Intrusion Detection Services, Security Tools Development, Security Analytics
Reactive Services: Alerts and warnings; Incident Handling (incident analysis; IR on site, support, coordination); Vulnerability Handling (vulnerability analysis; vulnerability response, coordination); Data Forensics (artifact analysis; DF response, coordination)
Incident Indicators
Proactive Controls / Monitoring – file system / network oversight:
• Anti-virus, HIPS/HIDS
• SIEM
• Anomalies in privileged user account activity
• Large numbers of requests for the same file
• Suspicious registry or system file changes
• Spikes in database read volume
• HTML response sizes
• Unexpected patching of systems
• Mobile device profile changes
• Files in unusual locations
• Large bundles of data in the wrong places
• Non-human traffic behaviour (e.g. beacons, number of sessions)
Threat Intelligence / Analysis:
• Unusual outbound traffic
• Unusually large or frequent traffic to Google, Dropbox, P2P etc.
• Geographical irregularities
• Mismatched port-application traffic
• DNS anomalies
Exfiltration:
• Encrypted communication
• Over trusted protocols
• Can you change your security policy?
Source: Trend Micro Labs
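Several of these indicators can be computed from flow or proxy logs without any signature, which is what makes them useful against the advanced attacks the Gartner quote says signatures miss. The script below is an added example, not Trend Micro's or the presenter's code. Over constructed sample log lines (the seven-field line format, the documentation-range IP addresses, the host names and the thresholds are all assumptions) it flags beaconing by the regularity of connection intervals, mismatched port-application traffic against an expected-application table, long high-entropy DNS labels, and large aggregate uploads to consumer cloud storage.

```python
"""Indicator hunting over flow/proxy logs (added example; the log lines are constructed)."""
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Expected application per well-known port; anything else is "mismatched port-application traffic".
EXPECTED_APP = {80: {"http"}, 443: {"tls"}, 53: {"dns"}, 22: {"ssh"}}
# Consumer cloud-storage hosts whose outbound volume the indicator list singles out (assumed list).
CLOUD_HOSTS = ("dropbox.com", "drive.google.com", "docs.google.com")


def build_sample_log() -> str:
    """Constructed log, one event per line: <iso-time> <src> <dst> <port> <app> <bytes_out> <host|dns-name|->."""
    base = datetime(2014, 11, 3, 9, 0, 0)
    lines = []
    for i, jitter in enumerate([0, 2, -1, 3, 0, 1, -2, 2]):      # every ~300 s: a beacon, not a human
        t = base + timedelta(seconds=300 * i + jitter)
        lines.append(f"{t.isoformat()} 10.0.0.5 203.0.113.10 443 tls 640 -")
    for off in [0, 47, 60, 310, 333, 900, 905, 1400]:            # same count, human-shaped gaps
        t = base + timedelta(seconds=off)
        lines.append(f"{t.isoformat()} 10.0.0.8 198.51.100.80 443 tls 18000 www.example.com")
    lines += [
        f"{base.isoformat()} 10.0.0.7 198.51.100.20 443 ssh 2048 -",   # SSH hiding on the HTTPS port
        f"{base.isoformat()} 10.0.0.9 198.51.100.53 53 dns 90 www.example.com",
        f"{base.isoformat()} 10.0.0.9 198.51.100.53 53 dns 90 x7k2p9q4m1z8w3n6b5v0c2f.t.example.net",
        f"{base.isoformat()} 10.0.0.12 203.0.113.50 443 tls 40000000 dropbox.com",
        f"{base.isoformat()} 10.0.0.12 203.0.113.50 443 tls 35000000 dropbox.com",
        f"{base.isoformat()} 10.0.0.8 203.0.113.60 443 tls 2000000 docs.google.com",
    ]
    return "\n".join(lines)


def parse(log: str) -> List[Dict]:
    events = []
    for line in log.splitlines():
        ts, src, dst, port, app, nbytes, host = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "port": int(port), "app": app, "bytes": int(nbytes), "host": host})
    return events


def find_beacons(events, min_count=6, max_cv=0.1):
    """Flag (src, dst, port) pairs whose inter-connection gaps are too regular for a human."""
    by_pair = defaultdict(list)
    for e in events:
        if e["app"] != "dns":
            by_pair[(e["src"], e["dst"], e["port"])].append(e["ts"])
    hits = []
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")   # coefficient of variation
        if cv <= max_cv:
            hits.append({"pair": pair, "interval_s": round(mean), "cv": round(cv, 3)})
    return hits


def find_port_mismatches(events):
    return [e for e in events if e["port"] in EXPECTED_APP and e["app"] not in EXPECTED_APP[e["port"]]]


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_dns_anomalies(events, min_len=20, min_entropy=3.5):
    """Long, high-entropy leftmost labels are the shape of data smuggled out in DNS queries."""
    hits = []
    for e in events:
        if e["app"] == "dns" and e["host"] != "-":
            label = e["host"].split(".")[0]
            if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
                hits.append({"src": e["src"], "label": label, "entropy": round(shannon_entropy(label), 2)})
    return hits


def find_bulk_uploads(events, threshold_bytes=50_000_000):
    """Sum outbound bytes per (src, cloud host); large totals are candidate exfiltration."""
    totals = defaultdict(int)
    for e in events:
        if any(e["host"] == h or e["host"].endswith("." + h) for h in CLOUD_HOSTS):
            totals[(e["src"], e["host"])] += e["bytes"]
    return [{"src": s, "host": h, "bytes": b} for (s, h), b in totals.items() if b >= threshold_bytes]


def analyze(log: str) -> Dict[str, list]:
    events = parse(log)
    return {"beacons": find_beacons(events), "port_mismatches": find_port_mismatches(events),
            "dns_anomalies": find_dns_anomalies(events), "bulk_uploads": find_bulk_uploads(events)}


if __name__ == "__main__":
    for kind, hits in analyze(build_sample_log()).items():
        print(kind, hits)
```

On the sample the beacon is caught (eight connections, mean interval 300 s, coefficient of variation near 0.01) while the browsing session with the same connection count is not, SSH on 443 is the only port mismatch, the 23-character DNS label is flagged and the two Dropbox uploads are summed to 75 MB. The thresholds are tuning knobs: a coefficient of variation of 0.1 misses beacons with deliberate jitter, the 20-character minimum misses tunnels that spread data over short labels, and geographical irregularities need an IP-to-country feed that this script does not include.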
When it happens
First day
• Initiate the IR group, enlist external help, brief decision makers
• Inventory security data
• Deploy additional instrumentation
• Determine incident scope
First week
• Switch to alternative computing, safe communications
• Confirm the incident scope and impact with additional analysis
• Inventory security data
• Plan remediation
First month
• Develop and deploy additional counter-APT improvements
• Review the security policy, the schedule of security assessments and their effectiveness
• Create a Blue Team, hire a Red Team to test it
[email protected]
@cteodor
+40724.039.254
GPG 0xA1BFF1D2
UTI CERT
[email protected]
Referenced/Quoted Material
• RAND Corporation, "Markets for Cybercrime Tools and Stolen Data - Hackers' Bazaar" (2014)
• IBM, "IBM X-Force Threat Intelligence Quarterly, 3Q 2014" (2014)
• RSA, "The Current State of Cybercrime 2014 - An Inside Look at the Changing Threat Landscape" (2014)
• SANS Institute, "Critical Security Controls: From Adoption to Implementation" (2014)
• CrowdStrike, "Global Threat Report - 2013 Year in Review" (2014)
• Aditya K. Sood, Richard Enbody, "Targeted Cyber Attacks - Multi-staged Attacks Driven by Exploits and Malware", Elsevier (2014)
• Jason Luttgens, Matthew Pepe, Kevin Mandia, "Incident Response and Computer Forensics", 3rd edition, McGraw-Hill Education (2014)
• Symantec, "Dragonfly: Cyberespionage Attacks Against Energy Suppliers" (2014)
• Kaspersky Lab, "Red October" Diplomatic Cyber Attacks Investigation (2013)
• IBM, "IT Executive Guide to Security Intelligence - Transitioning from Log Management and SIEM to Comprehensive Security Intelligence" (2013)
• Dark Reading, "Top 15 Indicators of Compromise" (2013)
• Ari Juels, Ting-Fang Yen, RSA, "Sherlock Holmes and The Case of the Advanced Persistent Threat" (2012)
• McAfee, "Global Energy Cyberattacks: Night Dragon" (2011)
• Eric M. Hutchins et al., Lockheed Martin, "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" (2011)
• HBGary, Operation Aurora (2010)
• Alexander Opel, "Design and Implementation of a Support Tool for Attack Trees" (2005)