Transcript Link Analysis

Advanced
Persistent Threat
What APT Means To Your
Enterprise
State of the Threat In
21st Century
• Advanced nations are under constant cyber
attack. This has been going on for YEARS.
• Cyber Cartels will surpass Drug Cartels in
their impact on Global Security
– The scope of finance
– The extent of the operation internationally
Wake Up
Google cyberattacks a
'wake-up' call
-Director of National Intelligence Dennis Blair
http://www.csmonitor.com/USA/2010/0204/Google-cyber-attacks-a-wake-up-callfor-US-intel-chief-says
IP Is Leaving The Network
Right Now
• Everybody in this room who manages an
Enterprise with more than 10,000 nodes
YOU ARE ALREADY OWNED
They are STEALING right now -- as you sit in that chair.
A Global Theatre
• There are thousands of actors involved in
the theft of information, from technology
developers to money launderers
• Over the last decade, an underground
economy has grown to support espionage
and fraud
• This “malware ecosystem” supports both
Crimeware and e-Espionage
Espionage
The Elusive Cyberthief
The Scale
Over 100,000 malware
are automatically
generated and released
daily. Signature based
solutions are tightly
coupled to individual
malware samples, thus
cannot scale.
http://www.avertlabs.com/research/blog/index.php/2009/03/10/avert-passes-milestone-20-millionmalware-samples/
Surfaces
• The attacks today are just as effective as
they were in 1999
Remote exploits
against servers
Emergence of
network firewalls
Refocused attacks
against endpoint
“Client” machines
Emergence of
desktop firewalls
Refocused attacks
using desktop
content
The bad guys STILL HAVE their zero day, STILL HAVE their
vectors, and STILL HAVE their malware
Faster
By the time all the surfaces in a given technology
are hardened, the technology is obsolete
Value Horizon
Continuous area of attack
Technology Lifecycle
Advanced Persistent
Threat
APT – What is it?
• A human being or organization, who operates
a campaign of intellectual property theft
using cyber-methods
– Malware, malware, malware
• APT operations can conceal attacker
methods/identity – making it more difficult to
protect against
Anatomy of APT Malware
Survive Reboot
C&C Protocol
File Search
Process
Injection
Update
Keylogger
USB Stick
Command and
Control Server
Difference between APT and
Banking Malware
• Banking malware targets stored digital
identity and authentication tokens
• Bank transaction systems (internal, funds
transfers)
– A lot of money is leaving the banks
– Manipulate trades on the markets
– Manipulate the digits on the trading boards
APT & The
Enterprise: Finding
Actionable Threat
Intelligence
Anatomy of an APT
Operation
• You must understand that an ongoing operation
is underway – this involves one or more primary
actors, and potentially many secondary actors
• Example: Bad Guy is using (SE) whalephishing to
gain a foothold into a specific physical network
• Bad Guy is using SE to track dissidents
– TODO add example of outlook guide attack
APT Operational
Analysis
• These info ops have a fingerprint
• Bad guys have a specific way they write
code
• They have specific targets in mind
– Stealing XLS or PDF files
– Preference for a particular bot framework
• These fingerprints will be specific to an
operation
APT Operational
Analysis
• Each individual fingerprint, when viewed
alone, may only identify the original
developer of the software
• When all fingerprints are viewed together, a
more complete picture forms about the
‘operation’ – who is running the operation
that targets you
•
•
•
•
APT Operational
Analysis
Do they pack their software
Do they rename DLL’s to hide in plain site?
Which toolkit do they use
Did they bypass the accounting department and
go straight for the developers?
• What triggers a malware to wake up?
• How was the payload delivered? Spearphish
attachment?
Malware
Threat Attribution
Threat Intelligence
•
•
•
•
•
•
•
Who is targeting you?
What are they after?
Have they succeeded?
How long have they been succeeding?
What have I lost so far?
What can I do to counter their methods?
Are there legal actions I can take?
Threat Intelligence
(II)
• Requires that you combine many small facts
into a big picture
• More information means better analysis
• I refer to specific attackers as “threats” –
information regarding a specific attack is
called “threat intelligence”
Threat Intelligence within
Enterprise
• Locations where threat intel can be gathered
– Endpoint, physical memory snapshot
• Multiple endpoints will be involved, need to view them
as a group
– Endpoint, live-state forensics, ongoing
monitoring
– Message Archives
– Netflow / Packet Archives
Threat Intelligence
External to Enterprise
• Locations where intel can be gathered
– Dropsite where IP is being dropped
– Command and Control Server
• Designed to survive takedowns
• Hot staged failovers likely
– Exploit Pack Server
– Large Traffic Gateways
• Possible subscriptions to various intel feeds available
• Cooperation likely
Attribution Challenges
•
•
•
•
Lack of gov. intervention
No consequences
Russia is a crime state
China turns a blind eye
Attribution Challenges
• Lack of global LE cooperation
• No sharing of data
• ICANN and Registrar slow to respond to
takedown requests
• A lot of good data is classified and not
available for commercial consumption
Primary – what is the
target?
• What is being targeted
– IP, identity, email logins to google?
– File searches for source code? XLS documents?
• Who
– C-level execs? Developers? Falun Gong?
Primary – Who is running
the op?
• Country of origin
– Is the bot designed for use
by certain nationality?
• Geolocation of IP is NOT a
strong indicator
– However, there are notable
examples
– Is the IP in a network that
is very unlikely to have a
third-party proxy installed?
• For example, it lies within a
government installation
C&C map from Shadowserver, C&C for 24 hour period
C&C servers
• C&C servers are not usually designed to proxy route
through infected end-nodes
– The IP geolocation is more useful in this case
– Netblock lookups are a decent starting point
• If the C&C leads to a broadband consumer network in
the US, this is more likely to be an exploited machine
that performs proxy routing – IP geolocation is not
useful
– It may be possible to get LE or the broadband provider
to help ‘trace back’ in this case (multihop will become a
problem)
Forensic Marks left by
Actors
• Forensic marks occur at all points where
software development occurs
• They also occur in less obvious places
– All points where binary is translated into new forms
(parsed, packed, packaged, etc)
• These forensic marks may identify the original
developer of the software
• Obviously, only certain actors leave marks
Fingerprinting
Actors
within the Theatre
Digital Fingerprints
• Several actors in the underground economy
will leave digital fingerprints
• What is represented digitally
– Distribution system
– Exploitation capability
– Command and Control
– Payload (what does it do once its in)
DISK FILE
IN MEMORY IMAGE
OS Loader
Same
malware
compiled in
three
different
ways
MD5
Checksums
all different
Code idioms
remains
consistent
IN MEMORY IMAGE
Packer #1
Packer #2
OS Loader
Decrypted
Original
Starting
Malware
Packed
Malware
Unpacked
portions
remains
consistent
In-memory
analysis
tends to
defeat
packers
OS Loader
IN MEMORY IMAGE
Malware
Tookit
Different
Malware
Authors
Using
Same
Toolkit
Toolkit
Marks
Detected
Packed
Toolkits
and
developer
signatures
can be
detected
Language
• Native language of the software, expected
keyboard layout, etc – intended for use by a
specific nationality
– Be aware some technologies have multiple
language support
Actor: Endpoint
Exploiter
$100.00
per 1000
infections
Endpoint
Exploiters
• The exploiter of the end nodes, sets up the XSS or
javascript injections to force redirects
• Newcomers can learns various attack methods from
their PPI affiliate site (mini-training)
• These are generally recruited hackers from forums
(social space)
• The malware will have an affiliate ID
– “somesite.com/something?aflid=23857  look for
potential ID’s – this ID’s the individual endpoint
exploiter
URL artifact
Codenamed
Botmaster
C&C
Fingerprint
Unique
Affiliate ID’s
Link Analysis
Endpoints
Actor: Bot Master
• Owns the box that accepts inbound infection requests, pays out
by ID
– Pays for numbers of collected credentials
– Collect stolen identities and resell
– Accounting system for all successful infections
• Pay-per-infection business model
– This implies a social space
• Configuration settings on server will be reflected in client
infections (additional resolution to differentiate multiple actors
using the same bot technology)
• Version of bot system offers more resolution, and potential
indicator of when it was stood up
• The Bot Master will have a preference for a particular bot control
system – can be softlinked to this actor
Actor: Account Buyer
• Buy stolen creds from the collectors
• Use stolen credentials to move money out of
victim bank accounts
– These guys touch the victim accounts
• Source IP of transaction, Use of TOR /
HackTOR, Use of botnet to redirect, etc.
– This part is audited in your network logs, so …
– Multiple attacks by the same person are likely to be
cross-referenced
– Not a very strong fingerprint
Actor: Mules & Cashiers
• Accept stolen money into accounts in the
native country of the subverted bank and
redirect that money back out into foreign
accounts
– These transactions must stay below trigger levels
– $5,000 or less
• These actors do not leave forensic marks on
the malware chain
– Banking records only
Actor: Wizards
• Move E-Gold into ATM accounts that can be
withdrawn in the masters home country
• Will take a percentage of the money for himself
• This actor does not leave a forensic mark on
the malware chain
– Banking records typically don’t even work here, as
the transaction has already been processed thru eGold
Actor: Developers
• Sell bot systems for four figures
– $4,000 - $8,000 with complete C&C and SQL
backend
• Sell advanced rootkits for low five figures
– Possibly integrated into a bot system
– Possibly used as a custom extension to a bot,
integrated by a botmaster, $10,000 or more easily
for this
• All of this development is strongly fingerprinted
in the malware chain
The developer !=
operator
• The developer may not have any relation to
those who operate the malware
• The operation is what’s important
• We need to form a complete picture of the
‘operation’ – who is running the operation
that targets you and what their intent is
We want to
find a
connection
here
C&C
Fingerprint
Botmaster
URL artifact
Affiliate ID
Developer
Protocol
Fingerprint
Endpoints
Developer
C&C products
Link Analysis
Softlinking into the
Social Space
• Where is it sold, does that location have a social space?
– If it has a social space, then this can be targeted
– Forum, IRC, instant messaging
• Using link-analysis, softlink can be created between the
developer of a malware product and anyone else in the
social space
– Slightly harder link if the two have communicated directly
– If someone asks for tech support, indicates they have
purchased
– If someone queries price, etc, then possibly they have
purchased
Software
Software
Author
Social Space
Link Analysis
Author
Social Space
Working back the
timeline
• Who sells it, when did that capability first
emerge?
– Requires ongoing monitoring of all open-source
intelligence, presence within underground
marketplaces
– Requires budget for acquisition of emerging
malware products
Software
Author
Social Space
i.e., Technical Support Query made
AFTER version 1.4 Release
Use of timeline to differentiate links
Link Analysis
Actor: Vuln Researchers
• Paid well into the five figures for a good,
reliable exploit
– $20,000 or more for a dependable IE exploit on
latest version
• Injection vector & activation point can be
fingerprinted
– Method for heap grooming, etc
– Delivery vehicle
Fingerprinting
Malware
Distribution
Systems
Malware Distribution
Systems
•
•
•
•
•
•
Email, Instant Message, and Exploited Web
Boobytrapped documents
Rogueware & trojan downloads
Clientside exploits
Injected javascript
Command and Control server
Freed Memory (endpoint)
• Freed memory will still contain evidence
– Blocks of obfuscated javascript that can be tied to
specific exploit packs (redirectors)
– Leftover HTML remnants of subverted websites
• URL paths to the exploit server itself
– These are key to identification
– TODO: put a few examples here
Spearphishing
• Email archives may contain boobytrapped
documents
– These can be detonated with a deep tracer
attached (packet sniffer at a minimum, REcon if
you’re really hard core, CW sandbox & Norman
also options)
Detonate & Trace
• Getting the exploit to detonate allows you to
observe the secondary download step
• Malware payload will be sent to you,
command and control IP will be established,
communication with exploit server and C&C
can be sniffed
Trap Postings
• Sql injection (dyno content) asprox worm
• Reflected XSS ( … ) xssed.com
• Plain XSS: Comments not stripped
(javascript)
– Renders in HTML, pops in admin creds
• (persistent XSS)
– Logs in html format
Trap Postings I
www.somesite.com/somepage.php
Some text to be posted to…
<script>
</script> the site ….
Trap Postings II
www.somesite.com/somepage.php
Some text to be posted to…
<IFRAME src=
style=“display:none”></IF
RAME> the site ….
SQL Injection
www.somesite.com/somepage.php
SQL attack,
inserts IFRAME
or script tags
‘Reflected’ injection
Link contains a URL variable w/ embedded script or IFRAME *
User clicks link, thus submitting the variable too
Trusted site, like
.com, .gov, .edu
The site prints the contents of the
variable back as regular HTML
*For an archive of examples, see xssed.com
Rogueware
• 35 million computers infected every month
with rogueware*
• Many victims pay for these programs, $50$70, and stats show bad guys are making
upwards of $34 million dollars a month with
this scam*
• Many are fake anti-virus scanners
*http://www.pandasecurity.com/img/enc/The%20Business%20of%20Rogueware.pdf
Rogueware
Exploit Packs…
• No skill needed, buy and use auto-exploiter
systems
• Highly effective
• These types of systems are extremely
dangerous
– Consider that Islamic Terrorists, who until now
haven’t had strong technical abilities in cyber,
can now just buy an attack kit for $1000
Eleonore (exploit pack)
Tornado (exploit pack)
Napoleon / Siberia
(exploit pack)
Fingerprinting
Command and
Control
Command and Control
These commands map
to a foreign language
keyboard.
IRC C&C
IRC control channel for a DDOS botnet
Most of the C&C has moved to the web.
Triad (botnet)
ZeuS (botnet)
Fragus (botnet)
Fingerprinting
Malware Implants
• TODO: be sure to mention server-side
polymorphism
Staged reinfection
server
• Machine that gots the APT, in memory, on
disk
• Infector machine in the same network,
memory resident only
– Just re-infects the endnode
– This machine has no on-disk code
Poison Ivy (implant)
CRUM (protector)
Conclusions
HTML Injection
BHO has injected this HTML into the live banking page
This screenshot provided by threatexpert.com
Searching Google™ on each of the
symbols clearly indicates they all can
access a remote process.
USB STICK
SOYSAUCE 2
SERVICES
PACKING
CAC Card Attack
REMOTE DESKTOP
AUDIO VIDEO BUGGING
STAGING SERVER