
La Quadrature Du Cercle: The APTs That Weren't - PowerPoint PPT Presentation



  1. La Quadrature Du Cercle: The APTs That Weren't

  2. La cuadrature du cercle; La cuadratura del circulo; Die Quadratur des Kreises; Squaring the circle; квадрату́ра кру́га

  3. Marion Marschalek marion@cyphort.com @pinkflawd

  4. What makes an APT: Reconnaissance – gather information; Incursion – break in; Discovery – look around; Capture – collect goods; Exfiltration – get goods out

  5. The single most beautiful APT: November 2013, Target Corporation suffered one of the most severe large-scale retail hacks in US history. Memory scraping on running processes, fetching card data; dumping data to a file on a share, regularly pushing out to C&C
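The memory-scraping step on slide 5, shown as an added example rather than code from the talk or from the Target intrusion: a POS RAM scraper reads a target process's memory in chunks and regex-scans it for magnetic-stripe track data, and the same scan run over a memory dump tells a responder whether card data was sitting in cleartext. The "process memory" below is a constructed byte buffer, the two valid PANs are the publicly documented Visa and Mastercard test numbers, and the 4096-byte read size is an assumption chosen to show the read-boundary edge case.

```python
"""Track 2 scan over a memory region, with Luhn filtering and boundary-safe reads."""
import re
from typing import Dict, List

# Track 2: ';' PAN (13-19 digits) '=' YYMM service-code(3) discretionary-data '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit (ISO/IEC 7812): drops digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four only, so the scan output itself is not card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes, base: int = 0) -> List[Dict[str, object]]:
    """Luhn-valid track 2 records in buf; offsets are reported relative to base."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if not luhn_ok(pan):
            continue
        hits.append({
            "offset": base + m.start(),
            "pan": mask_pan(pan),
            "expiry": m.group(3).decode() + "/" + m.group(2).decode(),  # MM/YY
            "service_code": m.group(4).decode(),
        })
    return hits


def scan_region(region: bytes, chunk: int = 4096, overlap: int = 64) -> List[Dict[str, object]]:
    """Scan the way a scraper reads live memory: fixed-size reads, each extended by
    `overlap` bytes so a record straddling a read boundary is still matched once.
    A track 2 record is at most 40 bytes, so 64 bytes of overlap is enough."""
    seen = set()
    hits = []
    for off in range(0, len(region), chunk):
        for h in scan_buffer(region[off:off + chunk + overlap], base=off):
            if h["offset"] not in seen:
                seen.add(h["offset"])
                hits.append(h)
    return hits


# Constructed sample "process memory" (not a real dump): two public test PANs that
# pass Luhn, one decoy that does not, and the second valid record deliberately
# placed across the 4096-byte read boundary (it starts at offset 4086).
_T2_VISA = b";4111111111111111=25121010000000000000?"   # 39 bytes
_T2_DECOY = b";1234567890123456=25121010000000000000?"  # fails Luhn
_T2_MC = b";5500000000000004=26061010000000000000?"
SAMPLE_REGION = (
    b"\x00" * 100 + _T2_VISA
    + b"\x00" * 200 + _T2_DECOY
    + b"\x00" * (4086 - 100 - len(_T2_VISA) - 200 - len(_T2_DECOY)) + _T2_MC
    + b"\x00" * 500
)

if __name__ == "__main__":
    for hit in scan_region(SAMPLE_REGION):
        print(hit)
```

Running it reports two hits, at offsets 100 and 4086, with masked PANs; the decoy is rejected by Luhn, and calling `scan_region` with `overlap=0` loses the record that crosses the read boundary, which is exactly the kind of gap a scraper (or a forensic scan) has when it reads memory page by page without overlap.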

  6. ADVANCED [ədˈvɑːn(t)st] – we don't understand it. PERSISTENT [pəˈsɪstənt] – we detected it too late.

  7. Hashes, Signatures, Behavior, IOCs, Anomalies: threat detection always relies on patterns. Why oh why can't we find it?

  8. I can see dead patterns ...

  9. Cheshire Cat

  10. Checking for running security processes; orchestrator component executing binaries from disk (2002)

  11. Prepared to run on _old_ Windows versions: using APIs deprecated after Win95/98/ME; function to check for the MZ value, the PE value and the NE value (2002)
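The MZ / PE / NE check that slide 11 attributes to the implant, written here as an added example from the documented file-format layout (it is not the implant's own code): the DOS header's `e_lfanew` field at offset 0x3C points at the "new" header, which is `PE\0\0` for a Win32 image and `NE` for a 16-bit Windows image; anything else is a plain DOS program. Supporting NE alongside PE is what dates the code to Win9x-era targets. The sample images are constructed in the block.

```python
"""Classify an executable image by its MZ / NE / PE headers, with bounds checks."""
import struct
from typing import Dict

DOS_HEADER_LEN = 0x40            # IMAGE_DOS_HEADER is 64 bytes; e_lfanew sits at 0x3C
PE_FILE_HEADER_LEN = 20          # IMAGE_FILE_HEADER follows the 4-byte PE signature
MACHINE_NAMES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def classify_image(buf: bytes) -> Dict[str, object]:
    """Return {'format': 'PE' | 'NE' | 'MZ' | 'unknown', ...} for the image in buf.

    MZ  - DOS program only (or a new-header pointer that leaves the buffer)
    NE  - 16-bit New Executable (Win 3.x / Win9x 16-bit code)
    PE  - Win32 Portable Executable; machine, section count and link timestamp
          from IMAGE_FILE_HEADER are added when the header is present
    """
    if len(buf) < DOS_HEADER_LEN or buf[:2] != b"MZ":
        return {"format": "unknown"}
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    # Bounds check before dereferencing: a DOS-only program may carry garbage
    # here, and a truncated file must not make us read past the buffer.
    if e_lfanew + 4 > len(buf):
        return {"format": "MZ"}
    sig = buf[e_lfanew:e_lfanew + 4]
    if sig == b"PE\0\0":
        info: Dict[str, object] = {"format": "PE"}
        hdr = e_lfanew + 4
        if hdr + PE_FILE_HEADER_LEN <= len(buf):
            machine, nsections, stamp = struct.unpack_from("<HHI", buf, hdr)
            info.update(machine=MACHINE_NAMES.get(machine, hex(machine)),
                        sections=nsections, timestamp=stamp)
        return info
    if sig[:2] == b"NE":
        return {"format": "NE"}
    return {"format": "MZ"}


def make_image(new_header: bytes, e_lfanew: int = DOS_HEADER_LEN) -> bytes:
    """Constructed test image: 64-byte DOS header with MZ magic and the given
    e_lfanew, zero-padded up to e_lfanew, followed by new_header."""
    dos = bytearray(b"MZ" + b"\0" * (DOS_HEADER_LEN - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    return bytes(dos).ljust(e_lfanew, b"\0") + new_header


# Constructed samples (not real binaries). The PE file header fields are
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
SAMPLE_PE = make_image(b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0x4E000000, 0, 0, 0xE0, 0x102))
SAMPLE_NE = make_image(b"NE" + b"\0" * 62)          # NE header is 64 bytes
SAMPLE_DOS = make_image(b"", e_lfanew=0)             # no new header -> plain 'MZ'
SAMPLE_TRUNCATED = SAMPLE_PE[:DOS_HEADER_LEN + 2]    # cut inside the PE signature
SAMPLE_ELF = b"\x7fELF" + b"\0" * 60                 # not an MZ image at all

if __name__ == "__main__":
    for name, img in [("PE", SAMPLE_PE), ("NE", SAMPLE_NE), ("DOS", SAMPLE_DOS),
                      ("truncated", SAMPLE_TRUNCATED), ("ELF", SAMPLE_ELF)]:
        print(name, classify_image(img))
```

The truncated sample is the case worth keeping in mind when writing such a check in C on a 2002-era codebase: a file whose `e_lfanew` points past the end of what was read is reported as a plain DOS image instead of being dereferenced.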

  12. Implementation traits and user agent string indicate Win NT 4.0 as target platform; persists as shell extension for the icon handler; wants to run in the context of the 'Progman' window; implant to monitor network activity (2007-2009)

  13. Evasive when network sniffer products are running. Super stealthy network communication: versatile communication method, 9+ C&C servers, infrequent intervals; communication done through injected standard browser instance (2007-2009)

  14. Fine tuned to paddle around Kaspersky security products (2011)

  15. ~DF

  16. Nation State Cyber Espionage?

  17. From Bahrain With Love: FinFisher Suite from Gamma International UK Ltd., sent to Bahraini pro-democracy activists. http://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposed/

  18. MALWARE /ˈmalwɛːɐ̯/: "Software that doesn't come with an EULA" - Morgan Marquis-Boire

  19. Offense Going Commercial

  20. Nation States Going Criminal

  21. State Sponsored Industrial Espionage: Canada spying on Brazil's Mines and Energy Ministry; NSA spying on Brazil's Petrobras; France spying on IBM/Texas Instruments in the late 80s; China spying on about everyone. Threat Detection Industry. http://www.cbc.ca/news/canada/brazil-canada-espionage-which-countries-are-we-spying-on-1.1930522 http://www.bloomberg.com/news/articles/2013-09-08/u-s-government-spied-on-brazil-s-petrobras-globo-tv-reports http://www.nytimes.com/1990/11/18/world/french-said-to-spy-on-us-computer-companies.html

  22. How Threat-Detection went Threat-Intel: Malware 'watching'; Actor tracking; Publicity; APT numbering, logos & names

  23. Frenemies & The Fungus Amongus. Or: When Malware Became Intellectual Property

  24. Intelli.. wot? • Reverse engineering turns political when you take apart the wrong binaries • mass malware => targeted malware => nation state malware • mass malware <= targeted malware <= nation state malware • Marketing and publicity? • Bad for business in the long run • Blowing up e.g. Spanish government ops might not help contracting with them in the future • Providing offenders with free audits

  25. Ethical Questions In APT Research: "… if the malware is detected, it will also make it easier for extremists to protect themselves against cyber spying attempts." "… the researcher's insight into the operation […] is always superficial. At first glance, it might appear that the targeted entity is "innocent", such as an academic or a journalist, but in reality they could be a radical academic or a terrorism-facilitating journalist." http://www.securityweek.com/long-term-strategy-needed-when-analyzing-apts-researcher

  26. OPwot?

  27. Ahmed Mansoor and the UAE Five

  28. Ahmed Mansoor and the UAE Five

  29. Sometimes Attribution isn't Tricky: 83.111.56.188 – inetnum: 83.111.56.184 - 83.111.56.191; netname: minaoffice-EMIRNET; descr: Office Of Sh. Tahnoon Bin Zayed Al Nahyan; descr: P.O. Box 5151, Abu Dhabi, UAE; country: AE

  30. APT Attribution Cheatsheet: Any need for actor attribution? – Most likely no. Any need for actor tracking? – In certain cases, maybe. Any need for actor(-tool) recognition? – Probably, yes.

  31. [ sony.attributed.to ]

  32. Squaring The Circle?

  33. "An attacker only needs to find one weakness while the defender needs to find every one." – "Defender Economics", Andreas Lindh, Troopers15. Risk = Vulnerability * Threat * Impact; Threat = Intent * Capability * Opportunity – "When Threat Intel met DFIR", Chopitea & Mouchoux, hack.lu 2015

  34. Threat modeling; Compartmentalization; 2-factor Authentication; Encryption; Secrecy

  35. Thank You. marion@cyphort.com @pinkflawd

  36. Resources
      http://www.cbc.ca/news/canada/brazil-canada-espionage-which-countries-are-we-spying-on-1.1930522
      http://www.bloomberg.com/news/articles/2013-09-08/u-s-government-spied-on-brazil-s-petrobras-globo-tv-reports
      http://www.nytimes.com/1990/11/18/world/french-said-to-spy-on-us-computer-companies.html
      http://www.cse.wustl.edu/~jain/cse571-14/ftp/cyber_espionage/
      http://media.kaspersky.com/pdf/Guerrero-Saade-VB2015.pdf
      http://www.securityweek.com/long-term-strategy-needed-when-analyzing-apts-researcher
      https://cryptome.org/2013/03/call-to-cyber-arms.pdf
      http://archive.hack.lu/2015/When%20threat%20intel%20met%20DFIR.pdf
      http://www.fmprc.gov.cn/mfa_eng/xwfw_665399/s2510_665401/t1305571.shtml
      http://www.bbc.com/news/world-asia-china-34360934
