State of the Hack - University of Central Florida
TRANSCRIPT
PRESENTED BY: Mandiant, A FireEye Company
© Mandiant, A FireEye Company. All rights reserved.

State of the Hack
Research and Technology Protection (RTP) Conference
Charles Carmakal, Managing Director
April 2014
Agenda
‒ Spectrum of threat actor sophistication and motivations
‒ Attributes of various types of threat actors
‒ Recent breach trends observed
‒ Case studies
‒ Countermeasures
‒ Q&A
Important Note
All information is derived from Mandiant observations in non-classified environments. Some information has been sanitized to protect our clients’ interests.
We are Mandiant
‒ Threat detection, response and containment experts
‒ Software, professional & managed services, and education
‒ Application and network security evaluations
‒ Offices in Washington, New York, Los Angeles, Redwood City, San Francisco, Albuquerque, Reading (UK), and Dublin (Ireland)
Introductions
Charles Carmakal, Managing Director with Mandiant
‒ Based in Washington, D.C.
‒ Fifteen years of experience in incident response and penetration testing
‒ Focused on breaches related to the theft of intellectual property and financial crime
‒ Nine years with PwC in D.C., Atlanta, and Sydney
All Threat Actors Are Not Equal

Actor (from nuisance to targeted/persistent) | Objective                                   | Example
Nuisance Threats                              | Launch points & nuisance                    | Botnets & spam
Hacktivists                                   | Defamation, press, & policy                 | Anonymous, Lulzsec, Syrian Electronic Army
Organized Crime                               | Financial gain                              | Theft of credit cards and PII, ACH fraud
Foreign Governments                           | Economic, political, and military advantage | Advanced Persistent Threat

Nuisance threats impact every organization.
All Threat Actors Are Not Equal (continued)
Hacktivists cause embarrassment and significant business impact.
The Syrian Electronic Army Steals Headlines – Literally
What is the SEA?
Who do they target and why?
Their tactics:
‒ Send phishing emails from internal accounts
‒ Compromise service providers
All Threat Actors Are Not Equal (continued)
Organized crime presents financial risk to all organizations.
Who Are the Major Players?
Groups based in eastern Europe that are responsible for hundreds of public breaches
Groups operating with impunity in Russia and surrounding countries
These groups:
‒ Will target anyone – they are opportunistic
‒ Know the banking and financial environments and technologies better than most organizations
‒ Specialize in credit card theft, ATM drawdowns, and ACH fraud
Historical and Emerging Attack Vectors
Historical initial point of compromise:
‒ Web-based exploits – SQL injection attacks
‒ Remote administration utilities
‒ Wireless networks
Emerging trends:
‒ Compromised third-party entity
‒ Credential theft and subsequent network access through VPN or Citrix, instead of backdoors
‒ Commodity malware
Why Targeted Attacks Are Different

It’s a “Who,” Not a “What”…
• There is a human at a keyboard
• Highly tailored and customized attacks
• Targeted specifically at individuals/organizations
• Effective at bypassing preventive controls

They Are Professional, Organized, & Well Funded…
• Often nation-state or state-sponsored
• Division of labor for different stages of attack
• Utilize change management processes
• Escalate sophistication of tactics as needed

They Are Relentless in Achieving Their Objective…
• They have specific objectives
• Their goal is long-term occupation
• Persistence tools ensure ongoing access
• They are relentlessly focused on their objective

Organizations that do not fully understand the scope of their breach before remediation often tip off the attackers.
All Threat Actors Are Not Equal (continued)
Foreign governments pose significant risk to numerous sectors.
Chinese APT Motivations
China-based APT groups operate with the objective of gaining an economic, military, or political advantage. They are known to compromise entities for the following reasons:
1. Theft of intellectual property
2. Mergers, acquisitions, and divestments of foreign companies
3. Modernization of processes and technologies
4. Political reasons – e.g., political activists, spread of democracy
They seem to follow their own rules of engagement.
Anatomy of a Targeted Attack
Attackers move methodically to gain persistent and ongoing access to their targets.

Initial Compromise
• Social engineering
• Spear phishing email with custom malware
Establish Foothold
• Custom malware
• Command and control
• Third-party application exploitation
Escalate Privileges
• Credential theft
• Password cracking
• “Pass-the-hash”
Internal Recon
• Critical system recon
• System, Active Directory, & user enumeration
Move Laterally
• Net use commands
• Reverse shell access
Maintain Presence
• Backdoor variants
• VPN subversion
• Sleeper malware
Complete Mission
• Staging servers
• Data consolidation
• Data theft

On average, it took 229 days for organizations to discover their breach; 33% of organizations self-detected the breach (down from 37% in 2012 and up from 6% in 2011).
Iran-Based Activity
Our observations:
‒ Few victim industries – energy and state government
‒ Limited sophistication and tools
‒ Appear to be learning right now
Relatively Easier Countermeasures
‒ Deploy application whitelisting on critical servers and infrastructure such as domain controllers, Exchange servers, and file servers
‒ Prevent network logons and RDP connections to the administrator account
‒ Block email attachments with executable files
‒ Require a click-through warning for uncategorized websites
‒ Block domains provided by dynamic DNS providers
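The "block email attachments with executable files" countermeasure is only as good as the check behind it: a deny list of extensions is defeated by renaming the file or zipping it. The following is an added example, not code from the Mandiant deck, of a mail-gateway style check that combines the extension list with the file's magic bytes and a bounded walk into ZIP containers. The extension list, the 1 MiB inspection cap, the host names and the sample message are assumptions constructed for this example.

```python
"""Added example: block attachments that carry executable content.

Checks extension AND leading bytes, and walks ZIP containers with a bounded
read, because attackers rename .exe to .pdf or ship it zipped. The deny list
and the sample message below are constructed assumptions, not Mandiant data.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows will run directly. Assumed and not exhaustive.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs",
                   ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".cpl",
                   ".msi", ".ps1", ".lnk"}
PE_MAGIC = b"MZ"           # DOS stub header every Windows PE file starts with
ZIP_MAGIC = b"PK\x03\x04"  # local file header of a ZIP archive
INSPECT_BYTES = 1 << 20    # never inflate more than 1 MiB of a member (zip-bomb guard)
MAX_ZIP_DEPTH = 2          # stop recursing into zip-in-zip-in-zip


def _ext(name):
    name = name.lower()
    return "." + name.rsplit(".", 1)[1] if "." in name else ""


def looks_executable(filename, data, depth=0):
    """Return a reason string if this payload should be blocked, else None."""
    name = filename or "(unnamed)"
    ext = _ext(name)
    if ext in EXEC_EXTENSIONS:
        return f"{name}: executable extension {ext}"
    if data[:2] == PE_MAGIC:  # renamed binary: the header does not lie
        return f"{name}: PE header (MZ) behind extension {ext or '(none)'}"
    if data[:4] == ZIP_MAGIC and depth < MAX_ZIP_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    with zf.open(info) as member:
                        head = member.read(INSPECT_BYTES)  # bounded read
                    reason = looks_executable(info.filename, head, depth + 1)
                    if reason:
                        return f"{name} contains {reason}"
        except zipfile.BadZipFile:
            return f"{name}: malformed ZIP container (quarantine, do not guess)"
    return None


def blocked_attachments(raw_message):
    """Parse an RFC 5322 message and return [(filename, reason)] to block."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        reason = looks_executable(part.get_filename(), data)
        if reason:
            findings.append((part.get_filename(), reason))
    return findings


def build_sample_message():
    """Constructed sample: a renamed PE, a zipped .scr PE, and a real PDF."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"  # just enough header to trip the check
    zipped = io.BytesIO()
    with zipfile.ZipFile(zipped, "w") as zf:
        zf.writestr("form.scr", fake_pe)
    msg = EmailMessage()
    msg["From"] = "hr@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Updated benefits form"
    msg.set_content("Please review the attached forms.")
    msg.add_attachment(fake_pe, maintype="application", subtype="pdf",
                       filename="benefits.pdf")
    msg.add_attachment(zipped.getvalue(), maintype="application", subtype="zip",
                       filename="form.zip")
    msg.add_attachment(b"%PDF-1.4\n1 0 obj << >> endobj\n", maintype="application",
                       subtype="pdf", filename="real.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in blocked_attachments(build_sample_message()):
        print(f"BLOCK {filename}: {reason}")
```

On the constructed message the check blocks benefits.pdf (MZ header behind a .pdf name) and form.zip (contains form.scr) and passes real.pdf. Reading only a bounded slice of each ZIP member is what keeps a crafted archive from turning the gateway into a denial-of-service target; a malformed archive is reported for quarantine rather than passed through.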
Relatively Harder Countermeasures
‒ Require dual-factor authentication on all remote access solutions such as VPN, Citrix, terminal services, and webmail
‒ Set a unique password for the local administrator account on all systems
‒ Remove local administrator rights for end users
‒ Inventory all service accounts and change their passwords on a regular basis
‒ Block workstation-to-workstation communication
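Two of the countermeasures above ("prevent network logons and RDP connections to the administrator account" and "block workstation-to-workstation communication") and the lateral-movement stage of the attack anatomy (pass-the-hash, net use commands) leave the same evidence in Windows Security event 4624. The following is an added example, not code from the Mandiant deck, of detection logic that runs over a constructed key=value export of those events and flags the three patterns. The field names, the WS-* workstation naming convention, the fan-out threshold and the sample log are assumptions to map onto your own telemetry.

```python
"""Added example: detect logon patterns the countermeasures exist to stop.

Input is a constructed key=value export of Windows Security event 4624
(successful logon). Field names, the WS-* host naming convention and the
sample log are assumptions, not Mandiant data.
"""
import re
from collections import defaultdict

REMOTE_LOGON_TYPES = {"3", "10"}  # 3 = network (SMB / net use), 10 = RemoteInteractive (RDP)
BUILTIN_ADMIN_RID = "-500"        # built-in Administrator keeps RID 500 even when renamed

# Constructed sample log, not real telemetry.
SAMPLE_LOG = """\
EventID=4624 Computer=DC01 LogonType=3 TargetUserName=svc_backup TargetUserSid=S-1-5-21-1-2-3-1105 WorkstationName=FS01 IpAddress=10.0.1.20 AuthPackage=Kerberos
EventID=4624 Computer=WS-042 LogonType=3 TargetUserName=Administrator TargetUserSid=S-1-5-21-1-2-3-500 WorkstationName=WS-017 IpAddress=10.0.2.17 AuthPackage=NTLM
EventID=4624 Computer=WS-042 LogonType=10 TargetUserName=jdoe TargetUserSid=S-1-5-21-1-2-3-1342 WorkstationName=WS-017 IpAddress=10.0.2.17 AuthPackage=NTLM
EventID=4624 Computer=WS-043 LogonType=3 TargetUserName=jdoe TargetUserSid=S-1-5-21-1-2-3-1342 WorkstationName=WS-017 IpAddress=10.0.2.17 AuthPackage=NTLM
EventID=4624 Computer=WS-044 LogonType=3 TargetUserName=jdoe TargetUserSid=S-1-5-21-1-2-3-1342 WorkstationName=WS-017 IpAddress=10.0.2.17 AuthPackage=NTLM
EventID=4624 Computer=FS01 LogonType=3 TargetUserName=jdoe TargetUserSid=S-1-5-21-1-2-3-1342 WorkstationName=WS-017 IpAddress=10.0.2.17 AuthPackage=NTLM
EventID=4624 Computer=WS-017 LogonType=2 TargetUserName=jdoe TargetUserSid=S-1-5-21-1-2-3-1342 WorkstationName=WS-017 IpAddress=- AuthPackage=Kerberos
EventID=4624 Computer=WS-017 LogonType=2 TargetUserName=Administrator TargetUserSid=S-1-5-21-1-2-3-500 WorkstationName=WS-017 IpAddress=- AuthPackage=Negotiate
EventID=4672 Computer=WS-042 TargetUserName=Administrator
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(log_text):
    """Return the 4624 records as dicts; other event IDs are ignored."""
    events = []
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("EventID") == "4624":
            events.append(fields)
    return events


def is_workstation(host):
    return host.upper().startswith("WS-")  # assumed naming convention


def admin_remote_logons(events):
    """Rule 1: network or RDP logon to the built-in Administrator (match on RID, not name)."""
    return [e for e in events
            if e.get("LogonType") in REMOTE_LOGON_TYPES
            and e.get("TargetUserSid", "").endswith(BUILTIN_ADMIN_RID)]


def workstation_to_workstation(events):
    """Rule 2: remote logon whose source and target are both workstations."""
    return [e for e in events
            if e.get("LogonType") in REMOTE_LOGON_TYPES
            and is_workstation(e.get("WorkstationName", "-"))
            and is_workstation(e.get("Computer", "-"))
            and e["WorkstationName"] != e["Computer"]]


def lateral_fan_out(events, min_targets=3):
    """Rule 3: one (source host, account) reaching many hosts, as scripted net use does."""
    targets = defaultdict(set)
    for e in events:
        if e.get("LogonType") in REMOTE_LOGON_TYPES:
            targets[(e.get("WorkstationName", "-"), e["TargetUserName"])].add(e["Computer"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_targets}


def run(log_text=SAMPLE_LOG):
    events = parse_events(log_text)
    return {
        "admin_remote": [(e["WorkstationName"], e["Computer"]) for e in admin_remote_logons(events)],
        "ws_to_ws": [(e["WorkstationName"], e["Computer"]) for e in workstation_to_workstation(events)],
        "fan_out": lateral_fan_out(events),
    }


if __name__ == "__main__":
    for rule, hits in run().items():
        print(rule, hits)
```

On the sample, rule 1 fires once (WS-017 reaching WS-042 as Administrator over the network; the console logon on WS-017 is allowed), rule 2 fires on every WS-017 to WS-04x event, and rule 3 reports jdoe from WS-017 touching four hosts. Matching the Administrator account by RID 500 rather than by name matters because renaming the account is a common hardening step that would otherwise blind the rule. The "unique local administrator password on all systems" countermeasure is what makes rule 1 worth firing on: with a shared local administrator password, one stolen hash replayed via pass-the-hash opens every workstation that rule 2 would see.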