Doten APT presentation (2)
DESCRIPTION
Chief Security Scientist at Lockheed Martin using Plants Vs. Zombies to illustrate his points. Government wants to eat our brains CONFIRMED!
TRANSCRIPT
INFORMATION SYSTEMS & GLOBAL SOLUTIONS
Demystifying Advanced Persistent Threats: Reversing the Course of a Perceived Asymmetric Cyber Battle
Rick Doten, CISSP, RKC
Chief Scientist
Lockheed Martin
Center for Cyber Security Innovation
Cyber Security Is like…
Images courtesy PopCap; used with permission
Advanced Persistent Threat
We Never Forget Who We’re Working For®
… and neither do the bad guys!
Advanced Characteristics:
• Using unreported exploits (zero day)
• Advanced, custom malware that isn’t detected by antivirus products
• Coordinated intrusions using a variety of vectors
• Intruder will adjust actions based on countermeasures
• Intruder will use least sophisticated exploits and techniques first and escalate only as required
Persistent Characteristics:
• Intrusions lasting for months or years
• Adversaries install multiple backdoors to ensure continued access to the targets
• Adversaries are patient and dedicated (or assigned) to the target
Threat Characteristics:
• Targeted at specific individuals and groups within an organization
• Social engineering is typically the first step to an intrusion: people manipulating people
• Assume they know which information they are targeting
• Because there is a real person behind the actions, they will respond quickly to countermeasures
What APT is Not...
• Botnets, rogue antispyware, DoS and DDoS attacks
• Anything categorized only by the techniques of intrusion, without considering the people or motive behind it
• Typically (and wrongly) defined as:
• Any intrusion not discovered by current security technology
• Any intrusion that uses advanced techniques, such as zero day exploits
One reason for confusion:
Many Cyber Criminal teams are adopting (buying or bartering) APT-built techniques because of their effectiveness.
APT campaigns are not about being the anomaly,
but part of the normal:
• APT campaign will take advantage of trust relationships
• APT campaign is low and slow, as opposed to broad, aggressive, or obvious attempts
• APT campaign is patient and will take the time needed to achieve its objectives
• APT campaign will conceal actions by using legitimate accounts and protocols
• APT campaign will utilize a current account and enumerate information with those privileges
• APT campaign will attempt to create new accounts with administrative privilege
So, how is PvZ like APT campaigns?
“To protect our infrastructure, we have to be right every step; the bad guys only have to be right once.”
“To compromise our infrastructure, the bad guys have to be right every step; we only have to be right once.”
Cyber Threat Kill Chain
Intrusion
Reconnaissance
Weaponization
Delivery
Exploit
Installation
Command and Control
Act on Objectives
Cyber Kill Chain Animation
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command & Control
7. Act on Objectives
• No matter where you block the sequence in the chain, you stop the attack.
Threat-focused Risk Reduction
Risk = Target Value x Vulnerability x Threat
Risk = Target Value x Vulnerability x Capability
where the Threat term breaks down into the adversary's Capability, Opportunity and Intent
Our Objectives:
• Erode capability
• Increase Cost of Intrusion
• Understand intent
Same Technique works on these Guys!
Attack Vector Escalation (Then to Now)
• Email spoofing
• Parking lot entry vector
• Fake sites that look real
• Man-in-the-Mailbox
• Supply chain
• Compromised sites with embedded malware
Benefits of Framework
• Articulates Prioritization
• Articulates data collection requirements
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command & Control
7. Act on Objectives
Putting them Together
Courses of action (columns) against kill chain phases (rows):

                     Detect   Degrade   Deny   Disrupt   Deceive
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command & Control
Act on Objectives

Drives detection and mitigation measures
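As an added illustration (not from the deck or from Lockheed Martin), the courses-of-action matrix above modelled in Python: the phases and action columns are the deck's own, while the sample control names and the rule that only Deny and Disrupt actually break the chain are constructed assumptions. It shows the two things the slides say the framework articulates: where the chain is first broken (prioritization) and which phases lack visibility (data collection requirements).

```python
# Kill chain phases and courses of action, as named on the slides.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command & Control", "Act on Objectives"]
ACTIONS = ["Detect", "Degrade", "Deny", "Disrupt", "Deceive"]
# Assumption: only these actions stop the adversary outright at a phase;
# Detect only observes and Degrade only slows them down.
BLOCKING = {"Deny", "Disrupt"}


def build_matrix(controls):
    """controls: iterable of (phase, action, control name). Returns
    {phase: {action: [control names]}} and rejects names not on the slides."""
    matrix = {p: {a: [] for a in ACTIONS} for p in PHASES}
    for phase, action, name in controls:
        if phase not in matrix or action not in ACTIONS:
            raise ValueError(f"unknown phase/action: {phase}/{action}")
        matrix[phase][action].append(name)
    return matrix


def first_block(matrix):
    """Earliest phase where a blocking course of action exists, or None if
    the chain is unbroken end to end ("block it anywhere and the attack stops")."""
    for phase in PHASES:
        if any(matrix[phase][a] for a in BLOCKING):
            return phase
    return None


def gaps(matrix):
    """Phases with no course of action at all: neither visibility nor mitigation."""
    return [p for p in PHASES if not any(matrix[p].values())]


def blind_spots(matrix):
    """Phases that are mitigated but never detected: you would stop the intrusion
    without ever learning that it happened, so no intelligence is collected."""
    return [p for p in PHASES
            if not matrix[p]["Detect"] and any(matrix[p].values())]


# Constructed sample control set for a small enterprise (illustrative only).
SAMPLE_CONTROLS = [
    ("Reconnaissance", "Detect", "web server log analytics"),
    ("Delivery", "Detect", "mail gateway attachment logging"),
    ("Delivery", "Deny", "block executable attachments"),
    ("Exploitation", "Degrade", "DEP/ASLR on endpoints"),
    ("Installation", "Detect", "host-based IDS"),
    ("Command & Control", "Deny", "egress proxy with allow-list"),
    ("Act on Objectives", "Detect", "data loss prevention alerts"),
]
```

Running `gaps` and `blind_spots` over a real control inventory gives the prioritized list of phases where collection should be added first.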
Which is not unlike…
Because in the end, you don’t want…
Questions?
Thank You!
Rick Doten, CISSP, RKC
Chief Scientist
Lockheed Martin
Center for Cyber Security Innovation