State of the Hack - University of Central Florida


State of the Hack

Research and Technology Protection (RTP) Conference

Presented by: Charles Carmakal, Managing Director, Mandiant
April 2014

© Mandiant, A FireEye Company. All rights reserved.

Agenda

- Spectrum of threat actor sophistication and motivations
- Attributes of various types of threat actors
- Recent breach trends observed
- Case studies
- Countermeasures
- Q&A

Important Note

All information is derived from Mandiant observations in non-classified environments. Some information has been sanitized to protect our clients' interests.

We are Mandiant

- Threat detection, response and containment experts
- Software, professional & managed services, and education
- Application and network security evaluations
- Offices in: Washington, New York, Los Angeles, Redwood City, Reading (UK), San Francisco, Albuquerque, Dublin (Ireland)

Introductions

Charles Carmakal
- Managing Director with Mandiant
- Based in Washington, D.C.
- Fifteen years of experience in incident response and penetration testing
- Focused on breaches related to the theft of intellectual property and financial crime
- Nine years with PwC in D.C., Atlanta, and Sydney

All Threat Actors Are Not Equal

The slide arranges the actors on a spectrum from nuisance threats (left) to targeted, persistent threats (right):

Actor                 Objective                                     Example
Nuisance Threats      Launch points & nuisance                      Botnets & spam
Hacktivists           Defamation, press, & policy                   Anonymous, LulzSec, Syrian Electronic Army
Organized Crime       Financial gain                                Theft of credit cards and PII, ACH fraud
Foreign Governments   Economic, political, and military advantage   Advanced Persistent Threat

Nuisance threats impact every organization.

All Threat Actors Are Not Equal

Hacktivists cause embarrassment and significant business impact.

Case Study: The Syrian Electronic Army

The Syrian Electronic Army Steals Headlines – Literally

- What is the SEA?
- Who do they target and why?
- Their tactics:
  ‒ Send phishing emails from internal accounts
  ‒ Compromise service providers

Hacktivists

Dow dropped 140 points (the SEA's false tweet sent from the hijacked Associated Press Twitter account in April 2013 briefly wiped roughly 140 points off the Dow)

All Threat Actors Are Not Equal

Organized crime presents financial risk to all organizations.

Who Are the Major Players?

- Groups based out of eastern Europe, who are responsible for hundreds of public breaches
- Groups operating with impunity in Russia and surrounding countries

These groups:
- Will target anyone – they are opportunistic
- Know the banking and financial environments and technologies better than most organizations
- Specialize in credit card theft, ATM drawdowns, and ACH fraud

Historical and Emerging Attack Vectors

Historical initial point of compromise:
‒ Web-based exploits – SQL injection attacks
‒ Remote administration utilities
‒ Wireless networks

Emerging trends:
‒ Compromised third-party entity
‒ Credential theft and subsequent network access through VPN or Citrix, instead of backdoors
‒ Commodity malware

Why Targeted Attacks Are Different

It's a "Who," Not a "What"...
• There is a human at a keyboard
• Highly tailored and customized attacks
• Targeted specifically at individuals/organizations
• Effective at bypassing preventive controls

They Are Professional, Organized, & Well Funded...
• Often a nation-state or state-sponsored
• Division of labor for different stages of attack
• Utilize change management processes
• Escalate sophistication of tactics as needed

They Are Relentless in Achieving Their Objective...
• They have specific objectives
• Their goal is long-term occupation
• Persistence tools ensure ongoing access
• They are relentlessly focused on their objective

Organizations that do not fully understand the scope of their breach before remediation often tip off the attackers.

All Threat Actors Are Not Equal

Foreign governments pose significant risk to numerous sectors.

Chinese APT Motivations

China-based APT groups operate with the objective of gaining an economic, military, or political advantage. They are known to compromise entities for the following reasons:

1. Theft of intellectual property
2. Mergers, acquisitions, and divestments of foreign companies
3. Modernization of processes and technologies
4. Political reasons – e.g., political activists, spread of democracy

They seem to follow their own rules of engagement.

Anatomy of a Targeted Attack

Attackers move methodically to gain persistent and ongoing access to their targets. The lifecycle on the slide runs Initial Compromise, Establish Foothold, Escalate Privileges, Internal Recon, Move Laterally, Maintain Presence, Complete Mission, with these techniques under each stage:

Initial Compromise
• Social engineering
• Spear phishing email with custom malware

Establish Foothold
• Custom malware
• Command and control
• Third-party application exploitation

Escalate Privileges
• Credential theft
• Password cracking
• "Pass-the-hash"

Internal Recon
• Critical system recon
• System, Active Directory, & user enumeration

Move Laterally
• Net use commands
• Reverse shell access

Maintain Presence
• Backdoor variants
• VPN subversion
• Sleeper malware

Complete Mission
• Staging servers
• Data consolidation
• Data theft

The median time for organizations to discover their breach was 229 days; 33% of organizations self-detected the breach (down from 37% in 2012 and up from 6% in 2011).
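The Escalate Privileges and Move Laterally stages above leave a concrete trail in Windows logon events. As an added example (not from the deck and not a Mandiant tool), the script below runs four detections over constructed Security event ID 4624 records: remote use of the built-in Administrator account, workstation-to-workstation logons, NTLM network logons consistent with pass-the-hash, and one source reaching many hosts within minutes (the "net use" fan-out). The host inventory, the event records and the thresholds are assumptions; reading a real EVTX or CSV export is not shown.

```python
"""Toy lateral-movement detector over Windows 4624 (successful logon) events.

Added example, not part of the original deck.  Events, host roles and
thresholds are constructed; field names mirror 4624 (LogonType,
AuthenticationPackageName, TargetUserName, WorkstationName).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed asset inventory (constructed): which hosts are workstations.
HOST_ROLES = {
    "WS-ALICE": "workstation", "WS-BOB": "workstation", "WS-CAROL": "workstation",
    "FS01": "server", "EXCH01": "server", "DC01": "domain_controller",
}

# Constructed 4624 records:
# (time, LogonType, AuthenticationPackageName, TargetUserName, source host, destination host)
# LogonType 2 = interactive, 3 = network (SMB / "net use"), 10 = RemoteInteractive (RDP).
EVENTS = [
    ("2014-03-01 09:00:05", 2, "Kerberos", "alice", "WS-ALICE", "WS-ALICE"),
    ("2014-03-01 09:02:10", 3, "Kerberos", "alice", "WS-ALICE", "FS01"),
    ("2014-03-01 22:14:01", 3, "NTLM", "Administrator", "WS-BOB", "WS-ALICE"),
    ("2014-03-01 22:14:07", 3, "NTLM", "Administrator", "WS-BOB", "WS-CAROL"),
    ("2014-03-01 22:14:12", 3, "NTLM", "Administrator", "WS-BOB", "FS01"),
    ("2014-03-01 22:14:20", 3, "NTLM", "Administrator", "WS-BOB", "EXCH01"),
    ("2014-03-01 22:15:30", 10, "Negotiate", "Administrator", "WS-BOB", "DC01"),
]

REMOTE_LOGON_TYPES = {3, 10}


def parse_events(raw=EVENTS):
    """Turn the tuples into dicts with a real datetime, sorted by time."""
    keys = ("time", "logon_type", "auth_pkg", "account", "src", "dst")
    events = [dict(zip(keys, e)) for e in raw]
    for e in events:
        e["time"] = datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")
    return sorted(events, key=lambda e: e["time"])


def admin_remote_logons(events):
    """Network or RDP logons with the built-in Administrator account. The deck's
    countermeasure is to block these outright, so any hit is an alert."""
    return [e for e in events
            if e["account"].lower() == "administrator"
            and e["logon_type"] in REMOTE_LOGON_TYPES]


def workstation_to_workstation(events):
    """Remote logons where both ends are workstations: users rarely need this,
    attackers moving laterally do it constantly."""
    return [e for e in events
            if e["logon_type"] in REMOTE_LOGON_TYPES
            and e["src"] != e["dst"]
            and HOST_ROLES.get(e["src"]) == "workstation"
            and HOST_ROLES.get(e["dst"]) == "workstation"]


def ntlm_network_logons(events):
    """NTLM (not Kerberos) network logons. In a Kerberos domain a burst of NTLM
    type-3 logons from one host is consistent with pass-the-hash, which replays
    the NTLM hash and never obtains a Kerberos ticket. Heuristic, not proof."""
    return [e for e in events
            if e["logon_type"] == 3 and e["auth_pkg"].upper() == "NTLM"]


def fan_out(events, window=timedelta(minutes=5), threshold=3):
    """(account, source) pairs that reach >= threshold distinct hosts within
    `window`: the fingerprint of scripted net use / remote-execution movement.
    Returns {(account, src): set_of_destinations}."""
    by_actor = defaultdict(list)
    for e in events:                      # events are already time-sorted
        if e["logon_type"] in REMOTE_LOGON_TYPES:
            by_actor[(e["account"], e["src"])].append(e)
    hits = {}
    for actor, evs in by_actor.items():
        for i, first in enumerate(evs):
            dsts = {x["dst"] for x in evs[i:] if x["time"] - first["time"] <= window}
            if len(dsts) >= threshold:
                hits[actor] = hits.get(actor, set()) | dsts
    return hits


def analyze(raw=EVENTS):
    """Run every detection and return the hits keyed by detection name."""
    events = parse_events(raw)
    return {
        "admin_remote": admin_remote_logons(events),
        "ws_to_ws": workstation_to_workstation(events),
        "ntlm_network": ntlm_network_logons(events),
        "fan_out": fan_out(events),
    }


if __name__ == "__main__":
    for name, hits in analyze().items():
        print(name, hits if isinstance(hits, dict) else len(hits), "hit(s)")
```

On the constructed data every detection fires on WS-BOB alone, which is the point: a single compromised workstation using the shared local Administrator hash lights up all four rules, while alice's Kerberos logons to her own file server trigger none. In production the fan-out threshold and window need tuning per environment, and the NTLM rule needs an allow-list for legacy systems that cannot do Kerberos.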

Case Study: Iran-Based Activity

Iran-Based Activity

Our observations:
- Few victim industries - energy and state government
- Limited sophistication and tools
- Appear to be learning right now

Iran-Based vs. China-Based

General Trends From Our Investigations

Detecting a Compromise

An Undetected Presence

Still Phishing

Countermeasures

Relatively Easier Countermeasures

- Deploy application whitelisting on critical servers and infrastructure such as domain controllers, Exchange servers, and file servers
- Prevent network logons and RDP connections to the administrator account
- Block email attachments with executable files
- Require a click-through warning for uncategorized websites
- Block domains provided by dynamic DNS providers

Relatively Harder Countermeasures

- Require dual-factor authentication on all remote access solutions such as VPN, Citrix, terminal services, and webmail
- Set a unique password for the local administrator account on all systems
- Remove local administrator rights for end users
- Inventory all service accounts and change their passwords on a regular basis
- Block workstation-to-workstation communication
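Three of the harder controls above (unique local administrator passwords, service-account rotation, removal of local admin rights) are only as good as the audit that proves they hold. The script below is an added example, not part of the deck or of any Mandiant tool, of that audit over a constructed inventory: it groups hosts by local Administrator hash to expose shared passwords, lists service accounts with stale passwords, and lists local Administrators group members beyond an allowed baseline. The hash strings are placeholders rather than real NTLM hashes, and the export field names and the baseline are assumptions.

```python
"""Added example for the "harder" countermeasures: a configuration audit over
constructed AD and endpoint inventory data.  Not a Mandiant tool.
"""
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2014, 4, 1)  # fixed "today" so the example is reproducible

# Constructed: per-host hash of the local Administrator password, as a
# credential-audit tool would collect it.  Identical hashes mean identical
# passwords, which is exactly what lets one stolen hash be passed to every host.
LOCAL_ADMIN_HASHES = {
    "WS-ALICE": "aad3b435b51404ee11111111111111aa",
    "WS-BOB":   "aad3b435b51404ee11111111111111aa",
    "WS-CAROL": "aad3b435b51404ee11111111111111aa",
    "FS01":     "aad3b435b51404ee22222222222222bb",
    "DC01":     "aad3b435b51404ee33333333333333cc",
}

# Constructed AD user export: (sAMAccountName, has SPN, pwdLastSet, passwordNeverExpires).
AD_USERS = [
    ("svc_backup", True,  datetime(2011, 6, 1),  True),
    ("svc_sql",    True,  datetime(2014, 2, 15), True),
    ("svc_web",    True,  datetime(2012, 9, 9),  True),
    ("alice",      False, datetime(2014, 3, 20), False),
    ("bob",        False, datetime(2014, 1, 5),  False),
]

# Constructed per-host membership of the local Administrators group.
LOCAL_ADMINS = {
    "WS-ALICE": {"Administrator", "CORP\\Domain Admins", "CORP\\alice"},
    "WS-BOB":   {"Administrator", "CORP\\Domain Admins"},
    "WS-CAROL": {"Administrator", "CORP\\Domain Admins", "CORP\\carol", "CORP\\helpdesk"},
}


def shared_local_admin_passwords(hashes):
    """Group hosts by local Administrator hash; any group larger than one
    violates 'unique password on every system'.  Returns {hash: sorted hosts}."""
    groups = defaultdict(list)
    for host, h in hashes.items():
        groups[h].append(host)
    return {h: sorted(hosts) for h, hosts in groups.items() if len(hosts) > 1}


def stale_service_accounts(users, max_age=timedelta(days=365), now=NOW):
    """Service accounts (here: accounts carrying an SPN) whose password is older
    than max_age.  Returns [(name, age_in_days)], oldest first."""
    stale = [(name, (now - last_set).days)
             for name, has_spn, last_set, _never_expires in users
             if has_spn and now - last_set > max_age]
    return sorted(stale, key=lambda x: -x[1])


def end_user_local_admins(membership, allowed=("Administrator", "CORP\\Domain Admins")):
    """Per host, members of the local Administrators group beyond the allowed
    baseline: the accounts to strip under 'remove local admin rights'."""
    baseline = set(allowed)
    return {host: sorted(members - baseline)
            for host, members in membership.items() if members - baseline}


if __name__ == "__main__":
    print("shared local admin passwords:", shared_local_admin_passwords(LOCAL_ADMIN_HASHES))
    print("stale service accounts:", stale_service_accounts(AD_USERS))
    print("extra local admins:", end_user_local_admins(LOCAL_ADMINS))
```

The shared-hash check is the one to run first: the three workstations sharing a hash are the same population that the lateral-movement trail in the attack lifecycle above runs through, and a randomized per-host local Administrator password removes that path without touching any user workflow.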

Questions?

Contact information: https://www.linkedin.com/in/charlescarmakal

Free tools:
- Redline
- IOC Editor / IOC Finder
- Memoryze / Memoryze for Mac
- Highlighter
- ApateDNS
- Heap Inspector
- PdbXtract