Advanced Persistent Threats
OWASP - Austin
Prepared by:
Matthew Pour, CISSP
Systems Engineer
Blue Coat Systems
IBM Internet Security Systems
Agenda
• APTs & SMTs at a Glance
• Summary
APTs & SMTs
Vectors for Cyber Attacks…
Classification of an Attacker
Expertise + Motivation + Attack Vector = Result
(Non-Intentional Act vs. Intentional Act)
Expertise:
• None (Normal End-User)
• Novice (Script Kiddie)
• Intermediate (Hacker for Hire)
• Expert (Foreign Intel Service, Terrorist Organization and/or Organized Crime)
Motivation:
• Notoriety
• Destruction
• Espionage
• Money
• Moral Agenda
• Theft
• Unwitting
• Fame
• Fun
Attack Vector:
• Email Attachments
• IM, IRC, P2P
• Web Browsers
• Open Ports
• Vulnerable Operating System
Result:
• Compromise of an Asset/Policy and/or Intellectual Property
• Corporate/Government
• Threat Evolution:
– A flat world has brought about an unprecedented amount of criminals and cons
– In recent years the age of the worm has withered and application threats dominate
– Attackers keep ROI in mind as well, and constantly evolve their wares in order to re-purpose them for the next flood of attacks
– High profile vulnerabilities will still be the vehicles for new attacks; however, the low and slow attack vectors cannot be ignored
Estonia Attacks
Parliament, ministries, banks, media targeted
Georgia Attacks
Government websites targeted
Hamas Declares Cyber-war Against Israel
Israeli Political Organization targeted
Moroccan Islamic Group
Israeli Bank Discount, news & weather sites attacked
Ghost Net
Marathon Oil
Conoco Phillips
Exxon Mobil
Slammer Worm
Penetrated the network at Ohio's Davis-Besse nuclear power plant, disabling a safety monitoring system for nearly five hours.
Vectors of Attacks
• Open-source versions available for DIY authors and new “causes”
IcePack
• /admin/license /exploits/o.php
Opera optimized version of MS06-006
• Licensed on a per-website basis – “ERROR: Invalid License” exploit
• ScanLix
– "install & forget" philosophy – just update from time to time.
– … see the different signature files being updated.
– … disadvantage is the limited number of engines it uses.
Anonymous Behavior
• Anonymous Proxies
• Commercial Anonymizing Service
• Volume of proxy services increasing year over year
Localizing attacks
• Local language attack support
• Can be outsourced
• Translation services for spam/phishing/malware campaigns
"Prices and deadlines:
* Standard - the deadline is not more than 24 hours. Prices depend on the direction and guidance from the 'Order'.
* Term - work on your translation begins precedence. The price of the 50% more than the standard translation. Prices also depend on the direction and guidance from the 'Order'.
The cost of the transfer depends on the amount of work. The workload is measured in symbols. In calculating the characters are shown letters and numbers. Punctuation do not count. Minimum order 100 characters."
The drive-by-download process
Firewalls Exposed…
(Diagram: stages of the drive-by-download process against desktop users)
• Structured Attack
• Exploit material served
• Downloader installed
• Malware installed and activated
• Reanalyze
Conficker – Technically sophisticated
– Well written code
• Conficker.A signing key: 1024 bits
• Conficker.B signing key: 4094 bits
• No known remote code execution vulnerabilities
EXPERIENCES OF NUCLEAR PLANT CYBER-SECURITY…
Best Practices
• Risk Management
• Incident Response
• Maturity Model
• Best Practices Defense-in-depth Approach
• InfraGard
(Chart: Process Management, People, Technology)
• SDLC
• Assessment / Prevention
• Virtual Patching
– Exploit protection from within the network
– Provides coverage while software patches are deployed
Summary
EVOLVING PROTECTION STRATEGIES
Summary
• APTS/SMTs
• Multiple Attack Vectors
• Evolution of the Threat
• Process/Technology
Thank You!