Advanced Persistent Threats

This document discusses advanced persistent threats (APTs) and subversive multi-vector threats (SMTs). It covers the evolution of cyber attacks, including various vectors used, examples of recent attacks on corporations and critical infrastructure, and how attackers test for antivirus detection. The document also notes how exploit code and botnets are available online, as well as tools that enable anonymous behavior.


IBM Internet Security Systems

Advanced Persistent Threats (APTs) & Subversive Multi-Vector Threats (SMTs)

What Does It Mean for Application Security

OWASP - Austin

Prepared by:
Matthew Pour, CISSP
Systems Engineer
Blue Coat Systems

Agenda
• APTs & SMTs at a Glance

• Vectors for Attacks

• High Value Targeting

• Evolving Protection Strategies

• Summary


APTs & SMTs

Vectors for Cyber Attacks…

Are you prepared?


APTs and SMTs

• Advanced Persistent Threat
  – Coined by Department of Defense
  – Events of Interest

• Subversive Multi-Vector Threat
  – Coined by Cassandra Security (ToorCon 11)


Classification of an Attacker
Expertise + Motivation + Attack Vector = Result

• Expertise:
  – None (Normal End-User)
  – Novice (Script Kiddie)
  – Intermediate (Hacker for Hire)
  – Expert (Foreign Intel Service, Terrorist Organization and/or Organized Crime)

• Motivation (ranging from Non-Intentional Act to Intentional Act): Notoriety, Destruction, Espionage, Money, Moral Agenda, Theft, Unwitting, Fame, Fun

• Attack Vector: Email and Attachments, IM/IRC/P2P, Web Browsers, Open Ports, Vulnerable Operating System

• Result: Compromise of an Asset/Policy and/or Intellectual Property (Corporate/Government)


Globalization and the Borderless Internet

• Threat Evolution:
  – A flat world has brought about an unprecedented number of criminals and cons
  – In recent years the age of the worm has withered and application threats dominate
  – Attackers keep ROI in mind as well, and constantly evolve their wares in order to re-purpose them for the next flood of attacks
  – High profile vulnerabilities will still be the vehicles for new attacks; however, the low and slow attack vectors cannot be ignored


Recent Examples of DDoS & Web Defacements

 Estonia Attacks
   Parliament, ministries, banks, media targeted
 Georgia Attacks
   Government websites targeted
 Hamas Declares Cyber-war Against Israel
   Israeli political organization targeted
 Moroccan Islamic Group
   Israeli Bank Discount, news & weather sites attacked


Ghost Net

 Ghost Net Forensics
   Malware embedded in email
   Spear Phishing
   Drive by Malware
   Ghost RAT
   Command & Control


Recent Examples of Corporate

 China vs. Google

 Marathon Oil

 Conoco Phillips

 Exxon Mobil


Recent Examples of Critical Infrastructure

 Insider Threat & Unauthorized Access
   Computer system detecting pipeline leaks for three oil derricks off the Southern California coast disabled.
   Queensland sanitation system – incident caused the release of millions of gallons of raw sewage
   Laid-off employee – plant temperature at risk
 Slammer Worm
   Penetrated the network at Ohio's Davis-Besse nuclear power plant, disabling a safety monitoring system for nearly five hours.
 DDoS Attack on root name servers
   Disabled the Internet for several hours


Vectors of Attacks

Vectors for Cyber Attacks…

Are you prepared?


The Cyber Jihad & “Common Cause” Attack Tools

• New social networks take up collective “arms” to target disliked organizations
• Largely bandwidth-consumption-oriented attacks
• Free tools to enable mass attacks
   Multi-threaded HTTP GET Flooder
   Similar to old ICMP PING flooders
• Open-source versions available for DIY authors and new “causes”


Exploit code availability

• New browser and plug-in exploits are in high demand
   0-day exploit for IE/FF = $25,000-$75,000
   Same-day exploit = $2,000-$30,000
   Up to 3-days-old exploit = $5-$500
• Drive-by-download exploit packs and support services increase spread of new exploits
   Managed services and C&C distribution
   New exploits can be propagated to thousands of sites/engines within seconds


IcePack

• First appeared in July 2007
• Two versions of IcePack
• Basic Version “IcePack Lite Edition” (only has exploits for MS06-014 and MS06-006), sold for $30
• Advanced version “IcePack Platinum Edition”, sold for around $400
• Produced by “IDT Group” in Russian (now translated to English and French)
• /admin/license
• Licensed on a per-website basis – “ERROR: Invalid License”

Contains Web browser optimized exploit pages:
   /exploits/i.php – Optimized for Internet Explorer; contains WinZip exploits, QuickTime overflow, MS06-057 WebViewFolderIcon, MS06-055 VML
   /exploits/movie.bin – QuickTime overflow exploit
   /exploits/f.php – Firefox optimized version of MS06-006 exploit
   /exploits/o.php – Opera optimized version of MS06-006 exploit


Avoiding AV Technology – Malware Testing

• KIMS – English/Spanish
  – Requires attacker to install all the AV products themselves

• ScanLix
  – "install & forget" philosophy – just update from time to time.
  – … see the different signature files being updated.
  – … disadvantage is the limited number of engines it uses.


Not Experienced…no problem

Web-based portal bot-management

• For a small fee, attackers can rent/purchase members of a larger botnet.
• Online tools enable remote management and configuration of the botnet agents.
• Portals include performance monitoring tools – how fast is the spam being sent, DDoS throughput, etc.


Anonymous Behavior

• Anonymous Proxies
• Commercial Anonymizing Service
• SOCKS Jump Point

Volume of proxy services increasing year over year

Many tools and services rely upon compromised hosts (typically botnet agents) to provide SOCKS proxies as anonymous exit/jump points.


Localizing attacks

• Local language attack support
• Can be outsourced
• Translation services for spam/phishing/malware campaigns

Offer from one such translation service (quoted on the slide):

"Prices and deadlines:
* Standard - the deadline is not more than 24 hours. Prices depend on the direction and guidance from the 'Order'.
* Term - work on your translation begins precedence. The price of the 50% more than the standard translation. Prices also depend on the direction and guidance from the 'Order'.
The cost of the transfer depends on the amount of work. The workload is measured in symbols. In calculating the characters are shown letters and numbers. Punctuation do not count. Minimum order 100 characters."

"We offer our services in translation. We are only competent translators profile higher education. Service is working with all types of texts. Languages available at this time of Russian, English, German. Average translation of the text takes up to 10 hours (usually much faster) through the full automation of the order and payment. Just want to note that we do not keep any logs on IP and does not require registration. In addition you can remove your order from the database after his execution. In addition to running more than 1000 translations already, we can use all the lessons learned to be more effective in our services. Prices vary depending on the complexity of the topic covered."

SQL Injection Attack Tools

* Automatic page-rank verification
* Search engine integration for finding “vulnerable” sites
* Prioritization of results based on probability for successful injection
* Reverse domain name resolution
* etc.

Web Browsers are Complicated and Vulnerable

 Largest number of client-side vulnerabilities in the first half of 2009 affects Web browsers and their plug-ins
 Mozilla Firefox surpasses Microsoft Internet Explorer for the 1st time.

High Value Targets

Vectors for Cyber Attacks…

Are you prepared?

The drive-by-download process
Firewalls Exposed…

[Diagram] Desktop Users browse the Internet → Web server with embedded malicious iframe → Web browser targeted (iframe host) → Exploit material served → Downloader installed → Malware installed and activated

Structured Attack

[Diagram, same chain as the previous slide with an added "Reanalyze" step] Desktop Users browse the Internet → Web server with embedded malicious iframe → Web browser targeted (iframe host) → Exploit material served → Downloader installed → Malware installed and activated → Reanalyze
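Both chains above begin with a malicious iframe injected into an otherwise legitimate page. As an added example that is not from the slides, this Python script flags iframes that are hidden or zero-sized and point at a third-party host, the combination the drive-by chain relies on; the sample page, the host names and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not from the slides): one legitimate widget iframe
# and one injected, invisible iframe pointing at an exploit-serving host.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
<iframe src="http://exploit-host.invalid/exploits/i.php" width="0" height="0"
        style="visibility:hidden"></iframe>
</body></html>"""

# CSS tricks commonly used to keep an injected frame off-screen or invisible.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(left|top)\s*:\s*-\d+", re.I)


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _is_tiny(value):
    """True if a width/height attribute is 0 or 1 pixel (effectively invisible)."""
    if value is None:
        return False
    digits = re.sub(r"[^0-9]", "", value)
    return digits != "" and int(digits) <= 1


def find_suspicious_iframes(html, page_host):
    """Return iframes showing at least two drive-by indicators: foreign host, tiny size, hidden CSS."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or page_host
        reasons = []
        if host != page_host:
            reasons.append("third-party host %s" % host)
        if _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height")):
            reasons.append("zero/near-zero size")
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden via CSS")
        if len(reasons) >= 2:
            findings.append({"src": src, "reasons": reasons})
    return findings
```

Running `find_suspicious_iframes(SAMPLE_HTML, "www.example.com")` reports only the injected frame; the visible same-origin widget is left alone.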

Conficker – Technically sophisticated

– Well written code
  • Conficker.A signing key: 1024 bits
  • Conficker.B signing key: 4094 bits
  • No known remote code execution vulnerabilities

– Use of MD-6 by Ron Rivest
  • MD-6 was announced in October 2008
  • Included unexploitable vulnerability
  • Patched in Conficker.C

– Use of P2P Communications Protocol
  • Conficker A & B tried 500 daily domains
  • Conficker C tried 50,000
  • Unprecedented encoded P2P communications
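A bot that tries 500 (or 50,000) generated domains per day leaves a burst of failed lookups at the recursive resolver. As an added example that is not from the slides, this Python function flags clients whose count of distinct NXDOMAIN names inside a sliding window reaches a threshold; the log line format, the addresses, the domain names and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed resolver log (not from the slides): 10.0.0.5 behaves normally,
# 10.0.0.9 queries a run of random-looking names that do not exist, the
# pattern a domain-flux bot produces while hunting for its rendezvous domain.
SAMPLE_LOG = [
    "2009-05-04T09:00:00 10.0.0.5 www.example.com NOERROR",
    "2009-05-04T09:00:00 10.0.0.5 mail.example.com NOERROR",
] + [
    "2009-05-04T09:00:%02d 10.0.0.9 %s NXDOMAIN" % (i, name)
    for i, name in enumerate(["qxzkpl.ws", "bnvtsr.cn", "lmkwxq.biz",
                              "rtyupo.info", "zzqwer.org", "pkljhg.net",
                              "hhytre.ws"])
] + ["2009-05-04T09:00:10 10.0.0.5 typo.exmaple.com NXDOMAIN"]

# Assumed line layout: <ISO timestamp> <client IP> <query name> <rcode>
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def detect_domain_flux(lines, window_seconds=60, threshold=5):
    """Return {client: distinct NXDOMAIN names seen} for clients that hit the threshold
    within any window_seconds-long sliding window."""
    recent = defaultdict(deque)   # client -> deque of (timestamp, qname)
    flagged = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                 # skip malformed lines
        ts_str, client, qname, rcode = m.groups()
        if rcode != "NXDOMAIN":
            continue                 # only failed resolutions matter here
        ts = datetime.fromisoformat(ts_str)
        q = recent[client]
        q.append((ts, qname.lower()))
        # Drop entries that have fallen out of the sliding window.
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = {name for _, name in q}
        if len(distinct) >= threshold and client not in flagged:
            flagged[client] = len(distinct)
    return flagged
```

A single typo-driven NXDOMAIN from an ordinary client never reaches the threshold, so the normal host is not reported.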

Conficker data transfer traffic from the first week of May, 2009

• Analysis Summary:
  – P2P Message (All): 12327
  – P2P Message with FLAG_CLIENT: 12327
  – P2P Message with FLAG_LOCAL: 0
  – P2P Message with FLAG_TCP: 1574
  – P2P Message with FLAG_LOCATION: 10753
  – P2P Message with FLAG_EXECDATA_VAR: 35
  – P2P Message with FLAG_EXECDATA_OFS: 0
  – P2P Message with FLAG_EXECDATA: 0
  – P2P Message with FLAG_SYSINFO: 186
  – P2P Message with FLAG_PEERINFO: 12157
  – P2P Message with FLAG_RESERVED1: 0
  – P2P Message with FLAG_RESERVED2: 0
  – P2P Message with FLAG_RESERVED3: 0
  – P2P Message with FLAG_RESERVED4: 0
  – P2P Message with FLAG_RESERVED5: 0
  – P2P Message with FLAG_RESERVED6: 0
  – P2P Message with FLAG_ENCODED: 12327

Who did it and why?

– Conficker A&B did not attack computers in Ukraine
– Isolated reports of malware appearing on Conficker.C nodes
  • Waledac
  • Rogue A/V
– Is there activity that no one has noticed?
– Are the botmasters biding their time?
  • For the Conficker Working Group to miss another domain or give up completely?
  • For another wormable vulnerability to be disclosed? MS09-050
  • For a political event?
– Have the botmasters been hit by a bus?



Evolving Protection Strategies

EXPERIENCES OF NUCLEAR PLANT CYBER-SECURITY…


Best Practices

• Risk Management
• Incident Response
• Maturity Model
• Best Practices
• InfraGard
• OWASP
• Information Sharing and Consortiums (ISACs)

Defense-in-depth Approach (chart): Process, Management, People and Technology, with shares of 10%, 20%, 30% and 40%

It's not just an IT problem (Combination of people, process, and technology)


Protection Strategies – Defense in Depth

• SDLC
• Assessment / Prevention
• Virtual Patching
   Exploit protection from within the network
   Provides coverage while software patches are deployed
• Deep Content Inspection
   Network traffic and critical control protocols inspected for malicious and rogue commands
   Complete Visibility


Summary

EVOLVING PROTECTION STRATEGIES


Summary

• APTS/SMTs
• Multiple Attack Vectors
• Evolution of the Threat
• Process/Technology


Thank You!

Matthew Pour, CISSP


[email protected]