Threat Intel Sharing: Deciphering the APTs secret handshakes


Adam Lange & Mark Manglicmot

Adam Lange
• Senior Consultant at Delta Risk LLC
• CISM, GCIA, GSEC, GCIH, CEH, Sec+
• Advanced threat consulting & counter-APT team building for Fortune 500s, federal government, and allied governments
• @LangeSecurity

Mark Manglicmot
• Senior Consultant in Ernst & Young's Advanced Security Center
• CISSP, GCIH, CEH, Sec+
• Advanced threat, Incident Response, & SOC consulting
• @MGManglicmot
The Data Doesn't Lie!
Past habits can help predict future behavior.
By analyzing data trends over time, Target could tell a 15-year-old girl was pregnant before her family knew.
The Problems Defenders Face
• There is no delineation between routine incidents and incidents that may be APT activity
• Industry improvements are being made all the time, and integration into government operations tends to lag behind
• Advanced adversaries evolve faster than we can
• We don't have all the processes, tools and understanding to take on APT actors
Demystifying Threat Intel
Everyone has it!
The Role of Intel
Major driver to catch the top tier of threat
• Detection
• Prevention
• Response
Types of Intel
• Behavioral
• Indicators
APT is bad stuff
• APT makes up 20% of workload
• 80% is "garbage"
• What is the difference?
• There is no "APT differentiation analyst"
• Targets industries whose intellectual property provides a strategic advantage for the attacker
• Intelligence on APT actors comes from three major areas:
  • Internally derived
  • Commercially purchased
  • Sharing partners
A Quick Look at the Adversaries
• APT: strategic gains
• Cyber crime: financial gains
• Hacktivists: sociopolitical gains
• Script kiddies, college kids, others: thrill of the exploit, learning the system, generic mayhem
Top 20% -- High impact: The good news is that because they tend to repeat attacks with recycled tactics, organizations can trend their behavior over time.
Bottom 80% -- Lower impact: They don't trend well, so mitigate and move on.
Sophistication vs Intel
[Figure: chart of Attacker Knowledge and Technology (LOW to HIGH, vertical axis) against Defense Sophistication (horizontal axis). Attacker techniques named on the chart: DDoS, binary encryption, scanning, distributed tools, stealth and attack tools, vulnerability exploitation, anti-audit technologies, session hijacking and spoofing, sniffers, backdoors, password cracking, password guessing. Defensive technologies named on the chart: firewalls, HIPS, honeynets, IDS/IPS, patching, network traffic analysis, behavior/event capture/analysis, DDoS mitigation, high quality forensics and incident reporting, advanced deception operations. Lower region callout: "Most of these attacks can be identified using traditional rule-based technologies"; upper region callout: "These attacks require more sophisticated, behavioral, event, and information based tools to detect". Intel annotations: "Plenty of intel – attackers talk too much"; "No intel – actors have OPSEC"; "No intel – hacks of opportunity".]
Lockheed Martin Perspective
This paper was published back in 2011 and was the cornerstone of many advances in the DIB. This model and its implications can be studied in depth to understand how to counter advanced adversaries.
Mandiant: APT1
The first major civilian exposé on a state-sponsored group. It reveals APT1 TTPs and C2 infrastructure.
It provided actionable intelligence for every organization to leverage.
It is likely that APT1 is going to start over in several organizations; for some orgs, however, it appears that APT1 is conducting business as usual.
NOTE: What we really liked about this report was the appendices – they contained all the TECHNICAL INDICATORS needed to actually do something about the threat.
Malware.lu, based in Luxembourg, was able to do some additional deep dives into APT1 activity. Much of this may be illegal to do in the US. The report is worth taking a look at.
Who? What do they want? How do they attack?
[Figure: word cloud of adversary drivers: Cultural, Threat, Industry, Strategic, Innovator, Competitor, Interest]
Various Ways to Model Adversaries
An Advanced Adversary Model
• Full spectrum cyber operations
• More targeted & tactical indicators
• Ability to correlate seemingly disparate activities
• Metrics and strategic trends
How most defenses work
• Detection is somewhere in the middle of an attacker's operation
• Look for one or so indicators to stop a discrete attack, but the campaign continues
Defensive Campaigns
Two types of Defensive Campaigning
• Adversary-Based Campaign
• Event-Driven Campaign
What do these two have in common?
• An event begins and ends at some point
• An adversary operation begins and ends at some point
Now, I suddenly realize that the initial attack is NOT success for them, so it's not failure for me. I have TIME to do something about it…
Elements of 'Good' Intel
Tactical
• Timeliness <48hrs
• IP
• FQDN
• File Hash
Strategic
• Trends
• Vectors
• Patches/Updates
• Profiles
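As an added illustration of the tactical elements above (this is not code from the deck or its authors), the Python below keeps IP, FQDN and file-hash indicators with their first-seen time, ages them out at the 48-hour mark the slide gives, and matches the survivors against log lines as whole tokens so that a short IP does not fire on a longer one that merely contains it. The feed values, log lines and timestamps are constructed placeholders, and the class and function names are assumptions of this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# The slide's timeliness bar for tactical indicators is under 48 hours.
TACTICAL_MAX_AGE = timedelta(hours=48)

FQDN_RE = re.compile(r"^(?=.{1,253}$)(?!-)(?:[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I)
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
# Separators that delimit values in typical proxy/firewall log lines.
TOKEN_SPLIT = re.compile(r"[\s,;=\"'()\[\]<>|]+")


def classify(value):
    """Map a raw string to one of the slide's tactical types (ip, fqdn, md5/sha1/sha256) or None."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if len(v) in HASH_TYPES and re.fullmatch(r"[0-9a-fA-F]+", v):
        return HASH_TYPES[len(v)]
    if FQDN_RE.match(v):
        return "fqdn"
    return None


@dataclass(frozen=True)
class Indicator:
    value: str
    itype: str
    source: str            # feed or sharing partner it came from
    first_seen: datetime   # timezone-aware


class TacticalStore:
    """Holds tactical indicators and drops them once they are older than max_age."""

    def __init__(self, max_age=TACTICAL_MAX_AGE):
        self.max_age = max_age
        self._items = {}

    def add(self, value, source, first_seen):
        itype = classify(value)
        if itype is None:
            raise ValueError(f"not an IP, FQDN or file hash: {value!r}")
        ind = Indicator(value.strip().lower(), itype, source, first_seen)
        self._items[ind.value] = ind
        return ind

    def expire(self, now):
        """Remove indicators at or past max_age; returns the removed ones."""
        stale = [i for i in self._items.values() if now - i.first_seen >= self.max_age]
        for i in stale:
            del self._items[i.value]
        return stale

    def live(self, now):
        self.expire(now)
        return list(self._items.values())

    def match_line(self, line, now):
        """Live indicators that occur as whole tokens in a log line (no substring hits)."""
        tokens = set(TOKEN_SPLIT.split(line.lower()))
        return [i for i in self.live(now) if i.value in tokens]


T0 = datetime(2014, 5, 1, 9, 0, tzinfo=timezone.utc)  # constructed feed time

# Constructed feed entries: documentation-range IP, reserved TLD, MD5 of an empty file.
FEED = [
    ("198.51.100.23", "sharing-partner"),
    ("update.example.invalid", "sharing-partner"),
    ("d41d8cd98f00b204e9800998ecf8427e", "internal-ir"),
]

# Constructed log lines (ISO timestamp first).
LOGS = [
    "2014-05-01T10:12:04Z proxy src=10.0.0.7 dst=update.example.invalid uri=/check",
    "2014-05-01T10:13:10Z fw allow src=10.0.0.9 dst=198.51.100.230 dport=443",
    "2014-05-03T11:00:00Z proxy src=10.0.0.7 dst=update.example.invalid uri=/check",
]


def run_demo():
    """Load the feed, then replay the logs in order; returns {line: [matched values]}."""
    store = TacticalStore()
    for value, source in FEED:
        store.add(value, source, T0)
    hits = {}
    for line in LOGS:
        ts = datetime.fromisoformat(line.split()[0].replace("Z", "+00:00"))
        hits[line] = [i.value for i in store.match_line(line, ts)]
    return hits


if __name__ == "__main__":
    for line, matched in run_demo().items():
        print(matched or "-", "<-", line)
```

The third log line is identical to the first but arrives 50 hours after the feed entry, so nothing matches: the indicator has aged out, which is the behaviour the 48-hour timeliness bar asks for. In a real deployment the expiry would be a soft demotion to a historical set rather than a delete, since strategic trending still wants the old values.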
The Government
• Common complaint: "It's all classified"
• The good news: It doesn't really matter
• Look at intel from a SIGINT perspective
• Tries to share as it can
http://en.wikipedia.org/wiki/List_of_intelligence_gathering_disciplines
Industry Methods
• Collective Intelligence Framework
• Sock puppets
OpenIOC
Indicator object types shown on the slides:
Account, Address, Artifact, Code, Custom, Device, Disk, Disk Partition, DNS Cache, DNS Query, DNS Record, Email Message, File, GUI, GUI Dialogbox, GUI Window, HTTP Session, Library, Link, Linux Package, Memory, Mutex, Network Connection, Network Flow, Network Packet, Network Route, Network Route Entry, Network Subnet, PDF File, Pipe, Port, Process, Semaphore, Socket, Socket Address, System, UNIX File, UNIX Network Route Entry, UNIX Pipe, UNIX Process, UNIX User Account, UNIX Volume, URI, User Account, User Session, Volume, WhoIS, Win Computer Account, Win Critical Section, Win Driver, Win Event, Win Event Log, Win Executable File, Win File, Win Handle, Win Kernel, Win Kernel Hook, Win Mailslot, Win Memory Page Region, Win Mutex, Win Network Route Entry, Win Network Share, Win Pipe, Win Prefetch, Win Process, Win Registry Key, Win Semaphore, Win Service, Win System, Win System Restore, Win Task, Win Thread, Win User Account, Win Volume, Win Waitable Timer, X509
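The object types above are what an OpenIOC document can describe; what makes the format usable on a host is the logical tree of Indicator (AND/OR) and IndicatorItem elements inside its definition. The Python below is an added example, not code from the deck or from Mandiant's tooling: it parses a constructed OpenIOC 1.0 document and evaluates it against a dictionary of observations collected from a host. Assumptions of this example: matching is case-insensitive, only the "is" and "contains" conditions are handled, and AND is evaluated over host-wide value lists rather than per object (a real agent ties the items of an AND to the same process or file); the hashes, process name and path are placeholders, not real indicators.

```python
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed OpenIOC 1.0 document. The MD5 is that of an empty file and the
# process name/path are placeholders; none of these is a real indicator.
SAMPLE_IOC = r"""<ioc xmlns="http://schemas.mandiant.com/2010/ioc"
     id="00000000-0000-4000-8000-000000000001" last-modified="2014-05-01T00:00:00">
  <short_description>Constructed example</short_description>
  <authored_by>example</authored_by>
  <authored_date>2014-05-01T00:00:00</authored_date>
  <links/>
  <definition>
    <Indicator operator="OR" id="ind-root">
      <IndicatorItem id="item-hash" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="ind-proc">
        <IndicatorItem id="item-name" condition="contains">
          <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
          <Content type="string">svchost</Content>
        </IndicatorItem>
        <IndicatorItem id="item-path" condition="is">
          <Context document="ProcessItem" search="ProcessItem/path" type="mir"/>
          <Content type="string">C:\Users\Public\svchost.exe</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed host observations: OpenIOC search term -> values seen on the host.
HOST_CLEAN = {
    "FileItem/Md5sum": ["9e107d9d372bb6826bd81d3542a419d6"],
    "ProcessItem/name": ["svchost.exe", "explorer.exe"],
    "ProcessItem/path": [r"C:\Windows\System32\svchost.exe", r"C:\Windows\explorer.exe"],
}
HOST_DROPPED_BINARY = {
    **HOST_CLEAN,
    "ProcessItem/path": HOST_CLEAN["ProcessItem/path"] + [r"C:\Users\Public\svchost.exe"],
}
HOST_HASH_ONLY = {**HOST_CLEAN, "FileItem/Md5sum": ["d41d8cd98f00b204e9800998ecf8427e"]}


def _item_matches(item, host):
    """Evaluate one IndicatorItem (Context + Content + condition) against the host."""
    ctx = item.find("ioc:Context", NS)
    content = item.find("ioc:Content", NS)
    expected = (content.text or "").strip().lower()
    observed = [str(v).lower() for v in host.get(ctx.get("search"), [])]
    cond = item.get("condition")
    if cond == "is":
        return expected in observed
    if cond == "contains":
        return any(expected in v for v in observed)
    raise ValueError(f"unsupported condition {cond!r}")


def _indicator_matches(indicator, host):
    """Recursively combine child results with the Indicator's AND/OR operator."""
    results = []
    for child in indicator:
        tag = child.tag.rsplit("}", 1)[-1]
        if tag == "IndicatorItem":
            results.append(_item_matches(child, host))
        elif tag == "Indicator":
            results.append(_indicator_matches(child, host))
    op = indicator.get("operator", "OR").upper()
    if op == "AND":
        return bool(results) and all(results)
    if op == "OR":
        return any(results)
    raise ValueError(f"unsupported operator {op!r}")


def evaluate_ioc(xml_text, host):
    """True if any top-level Indicator in the definition matches the host."""
    root = ET.fromstring(xml_text)
    definition = root.find("ioc:definition", NS)
    return any(_indicator_matches(ind, host) for ind in definition.findall("ioc:Indicator", NS))


def matched_items(xml_text, host):
    """Ids of the individual IndicatorItems that matched, useful in triage notes."""
    root = ET.fromstring(xml_text)
    tag = f"{{{NS['ioc']}}}IndicatorItem"
    return [item.get("id") for item in root.iter(tag) if _item_matches(item, host)]


if __name__ == "__main__":
    for name, host in [("clean", HOST_CLEAN), ("dropped binary", HOST_DROPPED_BINARY),
                       ("hash only", HOST_HASH_ONLY)]:
        print(name, evaluate_ioc(SAMPLE_IOC, host), matched_items(SAMPLE_IOC, host))
```

The clean host shows why the AND matters: a process named svchost.exe exists on every Windows machine, so the "contains svchost" item alone fires on everything, and it is the path item that turns the pair into a usable indicator. The search terms ("FileItem/Md5sum", "ProcessItem/path") are the hooks by which the object types listed on the slides are addressed.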
How reliable is it?
Analysis of Competing Hypotheses
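Added example (not from the deck): a small implementation of the ACH scoring the slide refers to, in Heuer's form. Each piece of evidence is rated consistent, inconsistent or neutral against every hypothesis, and the hypothesis with the least weighted inconsistency is favoured. It also flags evidence that does not discriminate between hypotheses and evidence whose removal would change the answer, which is the practical test of "how reliable is it". The hypotheses, evidence and credibility weights are constructed for the illustration.

```python
from dataclasses import dataclass

# Cell ratings in the ACH matrix: consistent, inconsistent, neutral/not applicable.
C, I, N = "C", "I", "N"

# Constructed hypotheses for one intrusion; labels are illustrative only.
HYPOTHESES = {
    "H1": "targeted APT actor",
    "H2": "commodity crimeware",
    "H3": "insider",
}


@dataclass(frozen=True)
class Evidence:
    label: str
    credibility: float   # 0..1, analyst confidence in the observation or its source
    ratings: dict        # hypothesis id -> C / I / N


# Constructed evidence matrix.
EVIDENCE = [
    Evidence("lure document names an unannounced internal project", 0.9, {"H1": C, "H2": I, "H3": C}),
    Evidence("malware family is sold openly on criminal forums", 0.8, {"H1": N, "H2": C, "H3": I}),
    Evidence("C2 beacons only during one foreign business day", 0.6, {"H1": C, "H2": N, "H3": N}),
    Evidence("initial access was a phishing e-mail", 0.9, {"H1": C, "H2": C, "H3": C}),
    Evidence("file-share searches targeted engineering drawings only", 0.7, {"H1": C, "H2": I, "H3": N}),
    Evidence("RAT was deployed with its default configuration", 0.5, {"H1": I, "H2": C, "H3": N}),
]


def inconsistency_scores(evidence, hypotheses=HYPOTHESES):
    """Weighted amount of evidence contradicting each hypothesis (lower is better)."""
    scores = {h: 0.0 for h in hypotheses}
    for e in evidence:
        for h, rating in e.ratings.items():
            if rating == I:
                scores[h] += e.credibility
    return {h: round(s, 2) for h, s in scores.items()}


def rank_hypotheses(evidence, hypotheses=HYPOTHESES):
    """Hypotheses ordered from least to most contradicted, as (id, score) pairs."""
    scores = inconsistency_scores(evidence, hypotheses)
    return sorted(scores.items(), key=lambda kv: (kv[1], kv[0]))


def non_diagnostic(evidence):
    """Evidence rated the same against every hypothesis cannot tell them apart."""
    return [e.label for e in evidence if len(set(e.ratings.values())) == 1]


def sensitivity(evidence, hypotheses=HYPOTHESES):
    """Evidence whose removal would change the leading hypothesis."""
    leader = rank_hypotheses(evidence, hypotheses)[0][0]
    pivotal = []
    for e in evidence:
        rest = [x for x in evidence if x is not e]
        if rank_hypotheses(rest, hypotheses)[0][0] != leader:
            pivotal.append(e.label)
    return pivotal


if __name__ == "__main__":
    for h, score in rank_hypotheses(EVIDENCE):
        print(f"{h} ({HYPOTHESES[h]}): inconsistency {score}")
    print("non-diagnostic:", non_diagnostic(EVIDENCE))
    print("conclusion hinges on:", sensitivity(EVIDENCE))
```

With these constructed ratings the APT hypothesis leads, but the sensitivity check shows the lead survives only because of the forum-sale observation; if that single item were wrong the insider hypothesis would come out ahead. That is the reliability question the slide asks, made explicit: a ranking that flips on one piece of evidence deserves a lower confidence than the bare scores suggest.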
Intel & SOC/CERT Integration
[Figure: Threat Intel connected to RTA, Investigation, ATA, Countermeasures, and Digital Forensics]
Learning & sharing: Where to start
Start small
• Look in the mirror
• Friends (real, not imaginary)
• Read!
• Get involved
  • ISACs
  • Local FBI office (InfraGard)
  • Join the online communities
What are the next steps?
• Try to understand who is interested in you
• Not always necessary to get 100% attribution
• Understand that once you are targeted by APT, you will forever be on their target cycle list
• Continue to iterate: that's what the APT does
  • Shorten the Kill Chain
What You'll Gain
Ask the right questions… generate the right metrics
• "We had 27 'incidents' this month"
Trends
• These guys only attack us when we do some conference
• Group X only attacks when specific 0-days are published
• Group Y is only active between these hours
• Group Z never attacks during "insert country" holidays (e.g. Cinco de Mayo)
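The trends on this slide, and the earlier point that the top 20% repeat recycled tactics so organizations can trend their behavior over time, rest on the same bookkeeping: record when each group's activity was seen and look at the distribution. The Python below is an added example and not part of the deck: from a constructed incident ledger it finds the tightest hour window that holds most of a group's activity, re-expresses that window in a candidate UTC offset without claiming attribution, and checks which listed dates a group stayed quiet on. Group labels, timestamps and the holiday date are all constructed.

```python
from collections import Counter
from datetime import date, datetime, timezone


def _utc(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed incident ledger: (group label, time the activity was first seen, UTC).
INCIDENTS = [
    ("Group Y", _utc("2014-04-28 01:10")), ("Group Y", _utc("2014-04-28 03:45")),
    ("Group Y", _utc("2014-04-28 08:20")), ("Group Y", _utc("2014-04-29 02:00")),
    ("Group Y", _utc("2014-04-29 05:30")), ("Group Y", _utc("2014-04-30 01:55")),
    ("Group Y", _utc("2014-04-30 07:10")), ("Group Y", _utc("2014-05-05 04:00")),
    ("Group Y", _utc("2014-05-05 06:30")), ("Group Y", _utc("2014-05-05 08:50")),
    ("Group Y", _utc("2014-05-06 02:15")), ("Group Y", _utc("2014-05-06 03:00")),
    ("Group Z", _utc("2014-04-27 22:00")), ("Group Z", _utc("2014-04-29 13:30")),
    ("Group Z", _utc("2014-04-30 03:00")), ("Group Z", _utc("2014-05-02 19:45")),
    ("Group Z", _utc("2014-05-04 11:00")), ("Group Z", _utc("2014-05-06 02:30")),
]


def hour_histogram(incidents, group):
    """Count of the group's events per UTC hour of day."""
    return Counter(ts.hour for g, ts in incidents if g == group)


def active_window(incidents, group, coverage=0.9):
    """Smallest contiguous UTC hour window (wrapping midnight) holding at least
    `coverage` of the group's events. Returns (start_hour, end_hour_exclusive, fraction)."""
    hist = hour_histogram(incidents, group)
    total = sum(hist.values())
    if total == 0:
        return None
    for width in range(1, 25):            # widest window wins only if nothing narrower suffices
        for start in range(24):
            hours = [(start + i) % 24 for i in range(width)]
            n = sum(hist[h] for h in hours)
            if n / total >= coverage:
                return (start, (start + width) % 24, round(n / total, 2))
    return None


def shift_window(window, offset_hours):
    """Re-express a UTC window in a candidate UTC offset; a hypothesis, not attribution."""
    start, end, frac = window
    return ((start + offset_hours) % 24, (end + offset_hours) % 24, frac)


def active_dates(incidents, group):
    return {ts.date() for g, ts in incidents if g == group}


def quiet_on(incidents, group, dates):
    """Dates from `dates` (e.g. a holiday list) on which the group showed no activity."""
    seen = active_dates(incidents, group)
    return [d for d in dates if d not in seen]


if __name__ == "__main__":
    for group in ("Group Y", "Group Z"):
        win = active_window(INCIDENTS, group)
        print(group, "UTC window", win, "-> UTC+8 view", shift_window(win, 8))
    holiday = date(2014, 5, 1)  # constructed holiday date
    print("Group Z quiet on", quiet_on(INCIDENTS, "Group Z", [holiday]))
```

Lowering `coverage` trims the stragglers: at 0.8 the same Group Y data gives a seven-hour window instead of eight. The shifted view is deliberately labelled a hypothesis, in line with the later slide that 100% attribution is not always necessary; an hour window is actionable for staffing and alert tuning whether or not the offset is ever confirmed.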
Impacts
• Work smarter, not harder
• Improves efficiency
• Drives targeted investment
• Ultimately improves security, and protects the business
"By leveraging threat intelligence, you can tactically and strategically campaign against the APT and defend your business."
Thanks for your time
Questions?
Follow us on Twitter!
@LangeSecurity
@MGManglicmot