State Of The Hack - Fiswg.research.ucf.edu

Transcription

State of the Hack
Research and Technology Protection (RTP) Conference
Presented by: Charles Carmakal, Managing Director
April 2014
Mandiant, A FireEye Company. All rights reserved.

Agenda
- Spectrum of threat actor sophistication and motivations
- Attributes of various types of threat actors
- Recent breach trends observed
- Case studies
- Countermeasures
- Q&A

Important Note
All information is derived from Mandiant observations in non-classified environments. Some information has been sanitized to protect our clients' interests.

We are Mandiant
- Threat detection, response and containment experts
- Software, professional & managed services, and education
- Application and network security evaluations
- Offices in: Washington, New York, Los Angeles, Redwood City, Reading (UK), San Fran, Albuquerque, Dublin (Ireland)

Introductions: Charles Carmakal
- Managing Director with Mandiant
- Based in Washington, D.C.
- Fifteen years of experience in incident response and penetration testing
- Focused on breaches related to the theft of intellectual property and financial crime
- Nine years with PwC in D.C., Atlanta, and Sydney

All Threat Actors Are Not [...]

             Nuisance threats      Hacktivists                Organized crime           Foreign Governments
Objective    Launch points &       Defamation, press,         Financial gain            Economic, political,
             nuisance              & policy                                             and military advantage
Example      Botnets & spam        Anonymous, Lulzsec,        Theft of credit cards     Advanced Persistent
                                   Syrian Electronic Army     and PII, ACH fraud        Threat

Attribute rows on the slide: Targeted; Persistent (which columns are marked is not preserved in the transcription).

Nuisance threats impact every organization.

All Threat Actors Are Not [...] (same threat actor table as the previous slide)

Hacktivists cause embarrassment and significant business impact.

Case Study: The Syrian Electronic Army

The Syrian Electronic Army Steals Headlines – Literally
- What is the SEA?
- Who do they target and why?
- Their tactics:
  ‒ Send phishing emails from internal accounts
  ‒ Compromise service providers

Hacktivists
Dow dropped 140 points

All Threat Actors Are Not [...] (same threat actor table as above)

Organized crime presents financial risk to all organizations.

Who Are the Major Players?
- Groups based out of eastern Europe, who are responsible for hundreds of public breaches
- Groups operating with impunity in Russia and surrounding countries
These groups:
- Will target anyone – they are opportunistic
- Know the banking and financial environments and technologies better than most organizations
- Specialize in credit card theft, ATM drawdowns, and ACH fraud

Historical and Emerging Attack Vectors
- Historical initial point of compromise:
  ‒ Web-based exploits – SQL injection attacks
  ‒ Remote administration utilities
  ‒ Wireless networks
- Emerging trends:
  ‒ Compromised third-party entity
  ‒ Credential theft and subsequent network access through VPN or Citrix, instead of backdoors
  ‒ Commodity malware

Why Targeted Attacks Are Different

It's a "Who," Not a "What"
- There is a human at a keyboard
- Highly tailored and customized attacks
- Targeted specifically at individuals/organizations
- Effective at bypassing preventive controls

They Are Professional, Organized, & Well Funded
- Often a nation-state or state-sponsored
- Division of labor for different stages of attack
- Utilize change management processes
- Escalate sophistication of tactics as needed

They Are Relentless in Achieving Their Objective
- They have specific objectives
- Their goal is long-term occupation
- Persistence tools ensure ongoing access
- They are relentlessly focused on their objective

Organizations that do not fully understand the scope of their breach before remediation often tip off the attackers.

All Threat Actors Are Not [...] (same threat actor table as above)

Foreign governments pose significant risk to numerous sectors.

Chinese APT Motivations
Chinese-based APT groups operate with the objective of gaining an economic, military, or political advantage. They are known to compromise entities for the following reasons:
1. Theft of intellectual property
2. Mergers, acquisitions, and divestments of foreign companies
3. Modernization of processes and technologies
4. Political reasons – e.g., political activists, spread of democracy
They seem to follow their own rules of engagement.

Anatomy of a Targeted Attack
Attackers move methodically to gain persistent and ongoing access to their targets.

Attack lifecycle: Initial Compromise -> Establish Foothold -> Escalate Privileges -> Internal Recon -> Move Laterally -> Maintain Presence -> Complete Mission

Techniques by stage (as laid out on the slide):
- Initial Compromise: social engineering; spear phishing email with custom malware; third-party application exploitation
- Establish Foothold: custom malware; command and control
- Escalate Privileges: credential theft; password cracking; "pass-the-hash"
- Internal Recon: critical system recon; system, Active Directory, & user enumeration
- Move Laterally: net use commands; reverse shell access
- Maintain Presence: backdoor variants; VPN subversion; sleeper malware
- Complete Mission: staging servers; data consolidation; data theft

On average, it took 229 days for organizations to discover their breach; 33% of organizations self-detected the breach (down from 37% in 2012 and up from 6% in 2011).

Case Study: Iran-Based Activity

Iran-Based Activity
Our observations:
- Few victim industries - energy and state government
- Limited sophistication and tools
- Appear to be learning right now

Iran-Based vs. China-Based

General Trends From Our Investigations

Detecting a Compromise

An Undetected Presence

Still Phishing

Countermeasures

Relatively Easier Countermeasures
- Deploy application whitelisting on critical servers and infrastructure such as domain controllers, Exchange servers, and file servers
- Prevent network logons and RDP connections to the administrator account
- Block email attachments with executable files
- Require a click-through warning for uncategorized websites
- Block domains provided by dynamic DNS providers
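The second countermeasure above (no network or RDP logons to the administrator account) is also easy to audit from logon events. The following is an added example, not from the deck or from Mandiant: it scans constructed Windows Security event 4624 records and flags network (type 3) and RemoteInteractive/RDP (type 10) logons by the built-in Administrator account, matched by its RID 500 so a renamed account is still caught. The key=value event format and the sample events are assumptions for the example.

```python
"""Flag network and RDP logons to the built-in Administrator account.

Added example (not from the Mandiant deck). Event ID 4624, the logon-type
codes and the RID-500 convention are real Windows facts; the key=value
event format and the records below are constructed sample data.
"""
import re
from dataclasses import dataclass

# Security event 4624 logon types: 3 = Network (SMB shares, "net use"),
# 10 = RemoteInteractive (RDP). A console logon is type 2.
NETWORK_LOGON, RDP_LOGON = "3", "10"
BUILTIN_ADMIN_RID = "-500"   # the built-in Administrator always has RID 500

@dataclass
class Finding:
    host: str
    source_ip: str
    logon_type: str
    user: str

_FIELD = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value' event line into a dict."""
    return dict(_FIELD.findall(line))

def flag_admin_remote_logons(lines):
    """Return a Finding for every 4624 event in which the built-in
    Administrator (RID 500, whatever its current name) logged on over
    the network or RDP; console logons and other accounts are ignored."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4624":
            continue
        if not ev.get("TargetSid", "").endswith(BUILTIN_ADMIN_RID):
            continue
        if ev.get("LogonType") in (NETWORK_LOGON, RDP_LOGON):
            findings.append(Finding(ev["Computer"], ev.get("IpAddress", "-"),
                                    ev["LogonType"], ev["TargetUser"]))
    return findings

# Constructed sample events: a console logon (allowed under this rule), an RDP
# logon by a renamed built-in admin, a network logon as Administrator, and a
# network logon by an ordinary user (RID 1104).
SAMPLE_EVENTS = [
    "EventID=4624 Computer=FS01 LogonType=2 TargetUser=Administrator TargetSid=S-1-5-21-1-2-3-500 IpAddress=-",
    "EventID=4624 Computer=DC01 LogonType=10 TargetUser=svcadm TargetSid=S-1-5-21-1-2-3-500 IpAddress=10.0.5.7",
    "EventID=4624 Computer=EXCH01 LogonType=3 TargetUser=Administrator TargetSid=S-1-5-21-1-2-3-500 IpAddress=10.0.5.7",
    "EventID=4624 Computer=WS12 LogonType=3 TargetUser=jdoe TargetSid=S-1-5-21-1-2-3-1104 IpAddress=10.0.5.7",
]

if __name__ == "__main__":
    for f in flag_admin_remote_logons(SAMPLE_EVENTS):
        print(f"{f.host}: {f.user} (RID 500) logon type {f.logon_type} from {f.source_ip}")
```

Once the deny-logon policy from the slide is in place, any hit from this check is either a policy gap on that host or activity worth an incident ticket.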

Relatively Harder Countermeasures
- Require dual-factor authentication on all remote access solutions such as VPN, Citrix, terminal services, and webmail
- Set a unique password for the local administrator account on all systems
- Remove local administrator rights for end users
- Inventory all service accounts and change them on a regular basis
- Block workstation-to-workstation communication

Questions?
Contact information: https://www.linkedin.com/in/charlescarmakal
Free tools:
- Redline
- IOC Editor / Finder
- Memoryze / Memoryze for Mac
- Highlighter
- ApateDNS
- Heap Inspector
- PdbXtract
