UNDERSTANDING ADVANCED PERSISTENT THREATS (APT) CIS 166 Highline Community College February 2013

Upload: dan-morrill

Post on 25-May-2015


DESCRIPTION

Slide presentation discussing APT in the context of Highline Community College's CIS 166 class

TRANSCRIPT

Page 1: Understanding advanced persistent threats (APT)

UNDERSTANDING ADVANCED PERSISTENT THREATS (APT)

CIS 166 Highline Community College

February 2013

Page 2: Understanding advanced persistent threats (APT)

What is an APT?

Advanced persistent threat (APT) usually refers to a group, such as a foreign government, with both the capability and the intent to persistently and effectively target a specific entity.

The term is commonly used to refer to cyber threats, in particular that of Internet-enabled espionage using a variety of intelligence gathering techniques to access sensitive information, but applies equally to other threats such as that of traditional espionage or attack.

Other recognized attack vectors include infected media, supply chain compromise, and social engineering. Individuals, such as an individual hacker, are not usually referred to as an APT, as they rarely have the resources to be both advanced and persistent even if they are intent on gaining access to, or attacking, a specific target.

Source: http://en.wikipedia.org/wiki/Advanced_persistent_threat

Page 3: Understanding advanced persistent threats (APT)

APT Defined

Bodmer, Kilger, Carpenter and Jones defined the following APT criteria:

Objectives - The end goal of the threat, your adversary

Timeliness - The time spent probing and accessing your system

Resources - The level of knowledge and tools used in the event (skills and methods will weigh on this point)

Risk tolerance - The extent the threat will go to remain undetected

Skills and methods - The tools and techniques used throughout the event

Actions - The precise actions of a threat or numerous threats

Attack origination points - The number of points where the event originated

Numbers involved in the attack - How many internal and external systems were involved in the event, and how many people's systems have different influence/importance weights

Knowledge source - The ability to discern any information regarding any of the specific threats through online information gathering (you might be surprised by what you can find by being a little proactive)

Page 4: Understanding advanced persistent threats (APT)

How an APT happens

Actors behind advanced persistent threats create a growing and changing risk to organizations' financial assets, intellectual property, and reputation by following a continuous process:

Target specific organizations for a singular objective

Attempt to gain a foothold in the environment, common tactics include spear phishing emails.

Use the compromised systems as access into the target network

Deploy additional tools that help fulfill the attack objective

Cover tracks to maintain access for future initiatives

Page 5: Understanding advanced persistent threats (APT)

This is why we covered:

Maltego - Develop a method and standard to identify targets within an organization that we can social engineer

Metasploit - So we can write URLs, PDFs and other items to send to our target within an organization, and so we can "hack into a system" leaving behind a username and password for access later on

ZenMap/NMAP - So we can identify weak targets on a network

Page 6: Understanding advanced persistent threats (APT)

Steps in an APT

Initial compromise — performed by use of social engineering and spear phishing over email, using zero-day exploits. Another popular infection method is planting malware on a website that the victim's employees are likely to visit (a watering-hole attack).

Establish Foothold — plant remote administration software in the victim's network, create network backdoors and tunnels allowing stealth access to its infrastructure.

Escalate Privileges — use exploits and password cracking to acquire administrator privileges over the victim's computers and possibly expand that to Windows domain administrator accounts.

Internal Reconnaissance — collect information on surrounding infrastructure, trust relationships, Windows domain structure.

Move Laterally — expand control to other workstations, servers and infrastructure elements and perform data harvesting on them.

Maintain Presence — ensure continued control over access channels and credentials acquired in previous steps.

Complete Mission — exfiltrate stolen data from victim's network.

Page 7: Understanding advanced persistent threats (APT)

Once we are in – look for cool stuff!

Page 8: Understanding advanced persistent threats (APT)

How APTs Happen

Abuse and compromise of "trusted connections" is a key ingredient for many APTs. While the targeted organization may employ sophisticated technologies in order to prevent infection and compromise of their digital systems, criminal operators often tunnel in to an organization using the hijacked credentials of employees or business partners, or via less-secured remote offices.

As such, almost any organization or remote site may fall victim to an APT and be utilized as a soft entry or information harvesting point.

https://www.damballa.com/knowledge/advanced-persistent-threats.php

Page 9: Understanding advanced persistent threats (APT)

Exposing One of China's Cyber Espionage Units (title of the Mandiant APT1 report, February 2013)

Page 10: Understanding advanced persistent threats (APT)

So when you find "awesome"

Passwords

Configurations

Databases

E-Mail

The whole company can be yours, and often is

Page 11: Understanding advanced persistent threats (APT)

Trust people

To take short cuts

To not think that they could be a victim of social profiling or grooming

To "Friday" their job (not pay attention)

To forget "details"

To get around "roadblocks"

Page 12: Understanding advanced persistent threats (APT)

Evading Capture is part of this

Page 13: Understanding advanced persistent threats (APT)

Five ways of seeing if you have an APT on your network

APT sign No. 1: Increase in elevated log-ons late at night

APTs rapidly escalate from compromising a single computer to taking over the whole environment. They do this by reading an authentication database, stealing credentials, and reusing them.

They learn which user (or service) accounts have elevated privileges and permissions, then go through those accounts to compromise assets within the environment. Often, a high volume of elevated log-ons occur at night because the attackers live on the other side of the world. If you suddenly notice a high volume of elevated log-ons while the legitimate work crew is at home, start to worry.

Source: http://www.infoworld.com/d/security/5-signs-youve-been-hit-advanced-persistent-threat-204941?page=0,0
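The "elevated log-ons late at night" sign above is straightforward to check once you have logon events in one place. The following Python is an added example, not code from the slides or from the InfoWorld article; it assumes a simplified, constructed log layout of timestamp|event id|account|host, uses Windows Security event 4672 (special privileges assigned to a new logon) as the marker of an elevated log-on, and assumes a 07:00 to 18:59 business-hours window and an allow-list of service accounts that legitimately run at night.

```python
"""Off-hours elevated logon check (added example, not from the slides)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: timestamp|event_id|account|host. Event 4672 is the
# Windows Security event for a logon that received special (admin) privileges;
# the pipe-separated layout itself is an assumption made for this example.
SAMPLE_LOG = """\
2013-02-11 09:12:03|4672|CORP\\alice|FS01
2013-02-11 09:15:44|4672|CORP\\svc_backup|DC01
2013-02-11 14:02:10|4672|CORP\\alice|WS17
2013-02-11 23:41:08|4672|CORP\\alice|DC01
2013-02-12 01:05:31|4672|CORP\\alice|FS01
2013-02-12 01:06:02|4672|CORP\\alice|FS02
2013-02-12 01:07:19|4672|CORP\\alice|HR-DB
2013-02-12 02:30:00|4672|CORP\\svc_backup|DC01
2013-02-12 03:15:12|4624|CORP\\bob|WS02
"""

BUSINESS_HOURS = range(7, 19)  # 07:00 to 18:59 local time (assumption)


def parse_events(text):
    """Turn the constructed log text into (timestamp, event_id, account, host) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, host = line.split("|")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       int(event_id), account, host))
    return events


def off_hours_elevated_logons(events, hours=BUSINESS_HOURS):
    """Per account: number of elevated (4672) logons outside business hours and
    the distinct hosts those logons landed on."""
    counts = defaultdict(int)
    hosts = defaultdict(set)
    for ts, event_id, account, host in events:
        if event_id != 4672 or ts.hour in hours:
            continue
        counts[account] += 1
        hosts[account].add(host)
    return {a: (counts[a], sorted(hosts[a])) for a in counts}


def flag_suspicious(summary, known_service_accounts, max_hosts=1):
    """Flag accounts whose off-hours elevated logons spread across more hosts
    than expected. Accounts on the service-account allow-list are skipped,
    since backup and monitoring accounts legitimately log on at night."""
    return {a: v for a, v in summary.items()
            if a not in known_service_accounts and len(v[1]) > max_hosts}


if __name__ == "__main__":
    summary = off_hours_elevated_logons(parse_events(SAMPLE_LOG))
    for acct, (n, touched) in flag_suspicious(summary, {"CORP\\svc_backup"}).items():
        print(f"{acct}: {n} off-hours elevated logons across {touched}")
```

The interesting signal is not one late logon but the same human account touching several hosts with elevated rights while the office is empty, which is exactly the credential-reuse sweep the slide describes; the host spread, not the raw count, is what the check keys on.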

Page 14: Understanding advanced persistent threats (APT)

Five ways of seeing if you have an APT on your network

APT sign No. 2: Finding widespread backdoor Trojans

APT hackers often install backdoor Trojan programs on compromised computers within the exploited environment. They do this to ensure they can always get back in, even if the captured log-on credentials get changed when the victim gets a clue. Another related trait: Once discovered, APT hackers don't go away like normal attackers. Why should they? They own computers in your environment, and you aren't likely to see them in a court of law.

These days, Trojans deployed through social engineering provide the avenue through which most companies are exploited. They are fairly common in every environment -- and they proliferate in APT attacks.

Source: http://www.infoworld.com/d/security/5-signs-youve-been-hit-advanced-persistent-threat-204941?page=0,0

Page 15: Understanding advanced persistent threats (APT)

Five ways of seeing if you have an APT on your network

APT sign No. 3: Unexpected information flows

If I could pick the single best way to detect APT activities, this would be it: Look for large, unexpected flows of data from internal origination points to other internal computers or to external computers. It could be server to server, server to client, or network to network.

Those data flows may also be limited, but targeted -- such as someone picking up email from a foreign country. I wish every email client had the ability to show where the latest user logged in to pick up email and where the last message was accessed. Gmail and some other cloud email systems already offer this.

Of course, in order to detect a possible APT, you have to understand what your data flows look like before your environment is compromised. Start now and learn your baselines.

Source: http://www.infoworld.com/d/security/5-signs-youve-been-hit-advanced-persistent-threat-204941?page=0,0

Page 16: Understanding advanced persistent threats (APT)

Five ways of seeing if you have an APT on your network

APT sign No. 4: Discovering unexpected data bundles

APTs often aggregate stolen data to internal collection points before moving it outside. Look for large (we're talking gigabytes, not megabytes) chunks of data appearing in places where that data should not be, especially if compressed in archive formats not normally used by your company.

Source: http://www.infoworld.com/d/security/5-signs-youve-been-hit-advanced-persistent-threat-204941?page=0,1
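Signs 3 and 4 both come down to comparing today's data movement against a baseline learned earlier. The Python below is an added example, not code from the slides or the article; it assumes flow records already reduced to (day, source, destination, bytes) tuples, constructed inline here, treats the RFC 1918 ranges 10.0.0.0/8 and 192.168.0.0/16 as internal, and uses two assumed thresholds: five times the per-pair baseline for a known pair, and 100 MB for a pair never seen before. A large new server-to-workstation flow is the internal staging that sign 4 describes; a large new flow to an outside host is the exfiltration that sign 3 describes.

```python
"""Baseline-versus-today data-flow check (added example, not from the slides)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean

# Address ranges treated as internal (assumption for this example).
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)


# Constructed flow summaries: (day, src, dst, bytes). Days 1 to 5 form the
# baseline; day 6 is the day under examination. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for external hosts.
BASELINE_FLOWS = (
    [(d, "10.1.1.20", "10.1.2.5", 50_000_000) for d in range(1, 6)]   # nightly backup
    + [(d, "10.1.3.7", "203.0.113.10", 2_000_000) for d in range(1, 6)]  # workstation to SaaS
)
TODAY_FLOWS = [
    (6, "10.1.1.20", "10.1.2.5", 55_000_000),         # backup, within baseline
    (6, "10.1.3.7", "203.0.113.10", 40_000_000),      # known pair, 20x its usual volume
    (6, "10.1.2.5", "10.1.3.7", 3_000_000_000),       # server -> workstation, never seen
    (6, "10.1.3.7", "198.51.100.77", 2_800_000_000),  # workstation -> new external host
    (6, "10.1.4.9", "10.1.2.5", 20_000),              # new pair but tiny: ignored
]


def build_baseline(flows):
    """Mean bytes per (src, dst) pair over the baseline period."""
    per_pair = defaultdict(list)
    for _, src, dst, nbytes in flows:
        per_pair[(src, dst)].append(nbytes)
    return {pair: mean(v) for pair, v in per_pair.items()}


def unexpected_flows(flows, baseline, ratio=5.0, new_pair_min=100_000_000):
    """Return (src, dst, bytes, reason) for flows that break the baseline:
    a known pair moving more than `ratio` times its usual volume, or a pair
    never seen before moving at least `new_pair_min` bytes."""
    findings = []
    for _, src, dst, nbytes in flows:
        pair = (src, dst)
        if pair in baseline:
            if nbytes > ratio * baseline[pair]:
                findings.append((src, dst, nbytes,
                                 "volume %.0fx baseline" % (nbytes / baseline[pair])))
        elif nbytes >= new_pair_min:
            direction = "internal->internal" if is_internal(dst) else "internal->external"
            findings.append((src, dst, nbytes, "new pair, " + direction))
    return findings


if __name__ == "__main__":
    for src, dst, nbytes, why in unexpected_flows(TODAY_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(f"{src} -> {dst}: {nbytes / 1e6:.0f} MB ({why})")
```

Reading the two "new pair" findings together is the point: data first pooled on an internal server and then pushed out from a workstation to an address nobody in the baseline ever talked to is the staging-then-exfiltration pattern both signs describe, and neither flow would stand out if you only looked at the perimeter.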

Page 17: Understanding advanced persistent threats (APT)

Five ways of seeing if you have an APT on your network

APT sign No. 5: Detecting pass-the-hash hacking tools

Although APTs don't always use pass-the-hash attack tools, they frequently pop up. Strangely, after using them, hackers often forget to delete them. If you find pass-the-hash attack tools hanging around, it's OK to panic a little or at least consider them as evidence that should be investigated further.

Source: http://www.infoworld.com/d/security/5-signs-youve-been-hit-advanced-persistent-threat-204941?page=0,1

Page 18: Understanding advanced persistent threats (APT)

This is why you learned

All the tools you used in this class help you understand more about APT

If you know how to do it, you know what to look for

If you know what to look for, you know how to protect your company

If you know how to protect your company, you are going to be one awesome Information Security Engineer