portable passive detection of advanced persistent threats
play

Portable Passive Detection of Advanced Persistent Threats APT - PowerPoint PPT Presentation

Oct 21, 2023 •22 likes •342 views

Portable Passive Detection of Advanced Persistent Threats APT Catcher Author: Guido Kroon Supervisors: Marco Davids, Christian Hesselman (SIDN) About Advanced Persistent Threats Advanced Persistent Threat (APT) [2]; Highly skilled and

  1. Portable Passive Detection of Advanced Persistent Threats APT Catcher Author: Guido Kroon Supervisors: Marco Davids, Christian Hesselman (SIDN)

  2. About Advanced Persistent Threats • Advanced Persistent Threat (APT) [2]; • Highly skilled and well-resourced [17]; • Long duration of attack (months, years) [12][17]; • Specific motives, such as [12]; – Intelligence gathering; – Financial enrichment; • Not your average script kiddie. 1/23

  3. Examples of Advanced Persistent Threats • Operation Aurora (2010) - Source code theft of high profile targets, such as Google, Adobe and organisations in the defence and and financial sectors [19]; • Stuxnet (2010) - Israeli/United States joint effort, a computer worm specifically developed to attack the nuclear power programme in Iran [8]; • Operation Shady RAT (2011) - A large scale attack, targeted at more than 70 global companies, governments, and non-profit organisations for at least five years [1]; • Belgacom breach (2013) - The GCHQ breached Belgacom and had access to customer data, including encrypted and unencrypted streams of private communications [6]. 2/23

  4. Research questions Main research question Can a portable, passive Advanced Persistent Threat (APT) Catcher be designed to be easily deployed on the network which detects the presence of potential APTs? Sub-questions • What are the quantifiable characteristics of an APT? • What methods are available to passively detect the presence of an APT? • Can a prototype be designed to be deployed in an easy and feasible manner on the network to detect the presence of APTs? 3/23

  5. Modus operandi I Kill Chain [12] Giura et al. [7] Zero Entry Hacking [5] 1 Reconnaissance Reconnaissance Reconnaissance 2 Development Delivery Scanning 3 Weaponisation Exploitation Exploitation 4 Delivery Operation Post exploitation and maintaining access 5 Exploitation Data collection 6 Installation Exfiltration 7 Command & Control 8 Actions on objective Table: Several procedure models, which show a similar modus operandi. 4/23

  6. Modus operandi II Figure: Attack pyramid [7]. 5/23

  7. Characteristics of the APT I A typical APT has the following (non-exhaustive) characteristics [4][12][17][18]: • Inquisitive : a strong desire to know as much as possible about the target. Lower hanging fruit would move to a new target when bored; • Stealthy approach : circumventing all kinds of security controls to avoid detection. This also involves removing traces; • Preparation : premeditated plan of execution by using newly acquired information; • Infiltration : exploiting an asset to gain a foothold into the target. This may also involve social engineering (e.g. spear-phishing); 6/23

  8. Characteristics of the APT II • Resourceful : the APT is known for its sophisticated and custom designed attacks, such as self-built malware; • Exfiltration : stealing as much confidential information as possible. The APT may use strong encryption to conceal the data being exfiltrated; A natural born spy The APT is a natural born spy that will stop at nothing to remain undetected, while carrying out its objective. 7/23

  9. Detecting the APT I • During active network scanning; • During passive network scanning; • During port scanning. 8/23

  10. Detecting the APT II • Host Intrusion Detection System (HIDS) (out of project scope); – OSSEC; – AIDE; – Samhain; • Network Intrusion Detection System (NIDS); – Signature Based IDS (SBS); – Anomaly Based IDS (ABS). 9/23

  11. Detecting the APT III • Examples of NIDSs; – Snort - Most popular open source SBS NIDS, developed since 1998. Large community, with frequent signature updates [15]; – Suricata - Open source SBS NIDS with multi-threading, hardware acceleration, IP reputation system, developed since 2009. Compatible with Snort rules 1 , as well as their own rules 2 [ 14 ][ 16 ]; – Sagan - Open source SBS NIDS / SIEM developed since 2011. Multi-threading support and has its own ruleset [13]; – Bro - Advanced open source ABS NIDS, with behavioural network analysis, and its own script language to write detection parameters [3]; – PSAD - Open source SBS NIDS. Scans iptables logs for suspicious behaviour [9]. 1 The Talos ruleset (formerly VRT) 10/23 2 Emerging Threats Suricata ruleset

  12. Designing the APT Catcher I • Client/server architecture; – Sensor (prototype); – Aggregator. Figure: Client / server architecture. 11/23

  13. Designing the APT Catcher II Figure: A more detailed overview of the APT Catcher within a network infrastructure. 12/23

  14. Designing the APT Catcher III Figure: A new separate network for the sensors and the aggregator. Events are now sent exclusively over this network. 13/23

  15. The sensor • Portable; • Heterogeneous detection with multiple sensors; • Working prototype on a Raspberry Pi 3, using Docker. Single board computer Raspberry Pi 3 Processor 1.2 GHz 64-bit quad-core ARM Cortex- A53 Memory 1 GB (shared with GPU) NIC 10/100 Mbit/s Ethernet Operating System Raspbian Jessie Lite [11] Software Docker v1.11, Unbound v1.5.9 Table: Raspberry Pi 3 prototype running Raspbian with Docker. 14/23

  16. The sensor prototype Docker container equipped with the following: Base image resin/rpi-raspbian [10] Operating System Raspbian Jessie Lite [11] NIDS Software Bro v2.4.1, PSAD v2.2.3, Snort v2.9.7.0 and Suricata v3.1. Miscellaneous tools netsniff-ng v0.6.1, Nmap v7.12, tcpdump v4.7.4 and TShark v2.0.4. Table: Custom built Raspberry Pi 3 sensor container running Raspbian using Docker. 15/23

  17. The aggregator • Collects alarms of the sensors; • Some dashboards already exist for several NIDSs; • No dashboard exists which aggregates all alarms from all NIDSs. 16/23

  18. Field testing • Measurements taken with Monitorix; • Measured performance of NIDSs running in the container; • Measured performance of an attack simulation. 17/23

  19. Field testing - Bro Figure: System load when Bro is running inside the APT Catcher sensor Docker container. 18/23

  20. Field testing - Snort Figure: System load when Snort is running inside the APT Catcher sensor Docker container. 19/23

  21. Field testing - Suricata Figure: System load when Suricata is running inside the APT Catcher sensor Docker container. 20/23

  22. Demonstration 21/23

  23. Conclusion • The APT is increasingly sophisticated, patient and stealthy; • Detection of the APT causes a paradigm shift in defence strategies; – Don’t just expect the threat at your door; – Expect them already in your home; • The portable APT Catcher helps to detect such threats, in your home, continuously. 22/23

  24. Questions? ? 23/23

  25. Bibliography I [1] Dmitri Alperovitch et al. Revealed: operation shady RAT , volume 3. McAfee, 2011. [2] Beth Binde, Russ McRee, and Terrence J O’Connor. Assessing outbound traffic to uncover advanced persistent threat. SANS Institute. Whitepaper , 2011. [3] Bro. About Bro and the Bro Project. https://www.bro.org/documentation/faq.html , 2016. [Online; accessed 25-July-2016]. 1/8

  26. Bibliography II [4] Terry Cutler. The Anatomy of an Advanced Persistent Threat. http://www.securityweek.com/ anatomy-advanced-persistent-threat , 2010. [Online; accessed 5-July-2016]. [5] Patrick Engebretson. The basics of hacking and penetration testing: ethical hacking and penetration testing made easy , chapter 1, pages 14–18. Elsevier, 2013. 2/8

  27. Bibliography III [6] Ryan Gallagher. The Inside Story of How British Spies Hacked Belgium’s Largest Telco. https://theintercept.com/2014/12/13/ belgacom-hack-gchq-inside-story/ , 2016. [Online; accessed 01-August-2016]. [7] Paul Giura and Wei Wang. A context-based detection framework for advanced persistent threats. In Cyber Security (CyberSecurity), 2012 International Conference on , pages 69–74. IEEE, 2012. 3/8

  28. Bibliography IV [8] Ralph Langner. Stuxnet: Dissecting a cyberwarfare weapon. IEEE Security & Privacy , 9(3):49–51, 2011. [9] Michael Rash. psad: Intrusion Detection and Log Analysis with iptables. http://cipherdyne.org/psad/ , 2016. [Online; accessed 25-July-2016]. [10] Raspbian. Base image for the Raspberry Pi. https://hub.docker.com/r/resin/rpi-raspbian/ , 2016. [Online; accessed 25-July-2016]. 4/8

  29. Bibliography V [11] Raspbian. Download Raspbian for Raspberry Pi. https://www.raspberrypi.org/downloads/raspbian/ , 2016. [Online; accessed 25-July-2016]. [12] Dell SecureWorks. Advanced Threat Protection with Dell SecureWorks Security Services. http://www.secureworks.com/assets/pdf-store/ white-papers/wp-advanced-threat-protection.pdf , 2016. [Online; accessed 27-June-2016]. 5/8

  30. Bibliography VI [13] Quadrant Information Security. Sagan. https: //quadrantsec.com/sagan_log_analysis_engine/ , 2016. [Online; accessed 25-July-2016]. [14] Eric Smith. Snort vs Suricata. http://wiki.aanval.com/wiki/Snort_vs_Suricata , 2016. [Online; accessed 25-July-2016]. 6/8

  31. Bibliography VII [15] Snort. Snort FAQ/Wiki. https://www.snort.org/faq , 2016. [Online; accessed 25-July-2016]. [16] Suricata. Complete list of Suricata Features. https://suricata-ids.org/features/all-features/ , 2016. [Online; accessed 25-July-2016]. [17] Colin Tankard. Advanced persistent threats and how to monitor and deter them. Network security , 2011(8):16–19, 2011. 7/8

Recommend

Cyber@UC Meeting 68 Advanced Persistent Threats If Youre New! Join our Slack:

Cyber@UC Meeting 68 Advanced Persistent Threats If Youre New! Join our Slack:

Cyber@UC Meeting 68 Advanced Persistent Threats If Youre New! Join our Slack: cyberatuc.slack.com (URL changed!) SIGN IN! (Slackbot will post the link in #general every Wed@6:30) Feel free to get involved with one of our committees:

484 views • 13 slides
Unicorn Runtime Provenance-Based Detector for Advanced Persistent Threats Thomas Pasquier

Unicorn Runtime Provenance-Based Detector for Advanced Persistent Threats Thomas Pasquier

Unicorn Runtime Provenance-Based Detector for Advanced Persistent Threats Thomas Pasquier Xueyuan Han, James Mickens University of Bristol Harvard University Adam Bates Margo Seltzer University of Illinois at Urbana-Champaign University of

5.31k views • 21 slides
Mitigating threats associated with your TLD Moving from passive, complaints-based

Mitigating threats associated with your TLD Moving from passive, complaints-based

Mitigating threats associated with your TLD Moving from passive, complaints-based ac6on to pro-ac6ve measures Primary Goal : To iden6fy and take ac6on against domains

195 views • 5 slides
PC PORTABLE PC PORTABLE PC PORTABLE Introducing the PC Portable Lamp, one of a range of

PC PORTABLE PC PORTABLE PC PORTABLE Introducing the PC Portable Lamp, one of a range of

PC PORTABLE PC PORTABLE PC PORTABLE Introducing the PC Portable Lamp, one of a range of new light fjxtures based on Pierre Charpins original PC Task Light, a HAY classic. Like its predecessor, the PC Portable hides its engineering

271 views • 15 slides
X5 Portable Ultrasound New Product Release FDA Approved December 2016 ADVANCED FEATURES

X5 Portable Ultrasound New Product Release FDA Approved December 2016 ADVANCED FEATURES

Introducing the new Sonoscape www.enterpriseultrasound.com X5 Portable Ultrasound New Product Release FDA Approved December 2016 ADVANCED FEATURES IMPROVED IMAGING LAPTOP, COMPACT STYLE PORTABLE Color Doppler Portable Ultrasound

359 views • 9 slides
Using Bro to Hunt Persistent Threats Benjamin H. Klimkowski United States Military Academy 13

Using Bro to Hunt Persistent Threats Benjamin H. Klimkowski United States Military Academy 13

Using Bro to Hunt Persistent Threats Benjamin H. Klimkowski United States Military Academy 13 September 2017 Agenda 1. Goals 2. Definitions 3. Motivating problem 4. Approach 5. How Cobalt Strike works 6. Traffic analysis 7.

821 views • 59 slides
Detecting Advanced Network Threats Using a Similarity Search AIMS 2016 Wednesday 22 nd June, 2016

Detecting Advanced Network Threats Using a Similarity Search AIMS 2016 Wednesday 22 nd June, 2016

Detecting Advanced Network Threats Using a Similarity Search AIMS 2016 Wednesday 22 nd June, 2016 Milan ermk Pavel eleda State of the Art of Network Data Analysis Methods classification based on the detection approach Statistical Soft

215 views • 17 slides
Portable Document Format (PDF) Security Analysis and Malware Threats Alexandre Blonce - Eric

Portable Document Format (PDF) Security Analysis and Malware Threats Alexandre Blonce - Eric

Portable Document Format (PDF) Security Analysis and Malware Threats Alexandre Blonce - Eric Filiol 1 - Laurent Frayssignes Army Signals Academy - Virology and Cryptology Laboratory About Author(s) Eric Filiol is Head Scientist Officer of the

474 views • 20 slides
Development of In-field Portable Sensor for Detection of Phosphates and Heavy Metals in

Development of In-field Portable Sensor for Detection of Phosphates and Heavy Metals in

Development of In-field Portable Sensor for Detection of Phosphates and Heavy Metals in Everglades Water Systems. Presented by: Shradha Prabhulkar Nanobioengineering/Bioelectronics Lab Biomedical Engineering Department Florida International

543 views • 15 slides
Cyber Kill Chain Jay Chen, Ruben Ocana, Senna Alsadam, Andrew Shi Modern Security Threats

Cyber Kill Chain Jay Chen, Ruben Ocana, Senna Alsadam, Andrew Shi Modern Security Threats

Cyber Kill Chain Jay Chen, Ruben Ocana, Senna Alsadam, Andrew Shi Modern Security Threats New class of threat actors called Advanced Persistent Threat (APT) Data compromised for economic or military advancement Conventional

701 views • 32 slides
Understanding Cyber Risks and Security Options The Spectrum of Cyber Attacks Advanced

Understanding Cyber Risks and Security Options The Spectrum of Cyber Attacks Advanced

Understanding Cyber Risks and Security Options The Spectrum of Cyber Attacks Advanced Persistent Threats (APT) Cybercriminals, Exploits and Malware Denial of Service attacks (DDoS) Domain name hijacking Corporate

347 views • 13 slides
DEEP PACKET INSPECTION AND VISUAL ANALYTICS More Info: www.bramcappers.nl 1 of 5 Advanced

DEEP PACKET INSPECTION AND VISUAL ANALYTICS More Info: www.bramcappers.nl 1 of 5 Advanced

Bram C.M. Cappers Jarke J. van Wijk b.c.m.cappers@tue.nl j.j.v.wijk@tue.nl SEMANTIC NETWORK TRAFFIC ANALYSIS USING DEEP PACKET INSPECTION AND VISUAL ANALYTICS More Info: www.bramcappers.nl 1 of 5 Advanced Persistent Threats (APTs)

240 views • 5 slides
Vehicle to Pavement Passive Sensing for AV Lateral Position Detection Jeff Roesler, PhD, PE

Vehicle to Pavement Passive Sensing for AV Lateral Position Detection Jeff Roesler, PhD, PE

Vehicle to Pavement Passive Sensing for AV Lateral Position Detection Jeff Roesler, PhD, PE Sachindra Dahal, PhD Candidate Department of Civil and Environmental Engineering University of Illinois at Urbana Champaign September 29, 2020

474 views • 34 slides
The theory and applications of persistent homology Ippei Obayashi Center for Advanced

The theory and applications of persistent homology Ippei Obayashi Center for Advanced

The theory and applications of persistent homology Ippei Obayashi Center for Advanced Intelligence Project (AIP), RIKEN Advanced Institute for Materials Research (AIMR), Tohoku University Nov. 5, 2018 I. Obayashi (AIP, Riken) Theory and

429 views • 38 slides
Standards for Biothreat Detection Standards Development in Response to Terrorism Threats ANSI

Standards for Biothreat Detection Standards Development in Response to Terrorism Threats ANSI

Standards for Biothreat Detection Standards Development in Response to Terrorism Threats ANSI Homeland Security Standards Panel Tenth Annual Plenary Meeting: Achievements from the Past Decade and Charting the Path Forward November 9, 2010

385 views • 12 slides
Advanced Tools from Modern Cryptography Lecture 5 Secure Multi-Party Computation: Passive

Advanced Tools from Modern Cryptography Lecture 5 Secure Multi-Party Computation: Passive

Advanced Tools from Modern Cryptography Lecture 5 Secure Multi-Party Computation: Passive Corruption MPC: Honest-Majority + Passive-Corruption Can achieve information-theoretic security for any function Function should be given as an

573 views • 15 slides
(or Informa5onized Force Opera5ons) Michael K. Daly November 4, 2009 What is meant by Advanced,

(or Informa5onized Force Opera5ons) Michael K. Daly November 4, 2009 What is meant by Advanced,

The Advanced Persistent Threat (or Informa5onized Force Opera5ons) Michael K. Daly November 4, 2009 What is meant by Advanced, Persistent Threat? Increasingly sophis5cated cyber aIacks by hos5le organiza5ons with the goal of: Gaining

872 views • 50 slides
The Trafficware Pod Pod Detection and Advanced Applications As a Means of Collecting Purdue High

The Trafficware Pod Pod Detection and Advanced Applications As a Means of Collecting Purdue High

The Trafficware Pod Pod Detection and Advanced Applications As a Means of Collecting Purdue High Resolution Data The Pod Bill Ische, Business Development Manager Chris Jannace, Detection Specialist 03 September 2015 A GENDA Pod Detection

1.04k views • 15 slides
Domestic Nuclear Detection Office (DNDO) Detecting Nuclear Threats 18 November 2008 Thomas

Domestic Nuclear Detection Office (DNDO) Detecting Nuclear Threats 18 November 2008 Thomas

Domestic Nuclear Detection Office (DNDO) Detecting Nuclear Threats 18 November 2008 Thomas McIlvain Architecture Directorate Domestic Nuclear Detection Office Mission and Objectives DNDO was founded on April 15, 2005 with the signing of NSPD

345 views • 20 slides
Advanced Tools from Modern Cryptography Lecture 10 MPC: GMW Paradigm. Composition. MPC:

Advanced Tools from Modern Cryptography Lecture 10 MPC: GMW Paradigm. Composition. MPC:

Advanced Tools from Modern Cryptography Lecture 10 MPC: GMW Paradigm. Composition. MPC: Story So Far Security against passive corruption Basic GMW using OT, Yao s Garbled Circuits using OT, Passive-BGW with honest majority

299 views • 19 slides
TFAWS Active Thermal Paper Session Advanced Passive Thermal Experiment (APTx) for Hybrid Heat

TFAWS Active Thermal Paper Session Advanced Passive Thermal Experiment (APTx) for Hybrid Heat

TFAWS Active Thermal Paper Session Advanced Passive Thermal Experiment (APTx) for Hybrid Heat Pipes and HiK Plates on board the International Space Station (ISS) Advanced Cooling Technologies, Inc. (ACT) Mohammed T. Ababneh, Ph.D. Calin

545 views • 19 slides
Deep Learning based tonal detection for passive sonar signals Dae-Jin Jung, Jihun Park, Sang Ho

Deep Learning based tonal detection for passive sonar signals Dae-Jin Jung, Jihun Park, Sang Ho

Deep Learning based tonal detection for passive sonar signals Dae-Jin Jung, Jihun Park, Sang Ho Lee and Taekyu Reu Intelligence & Information Technology Center, Agency for Defense Development, South Korea #UDT2019 Introduction

1.34k views • 18 slides
Module 19: Security The Security Problem Authentication Program Threats System

Module 19: Security The Security Problem Authentication Program Threats System

Module 19: Security The Security Problem Authentication Program Threats System Threats Securing Systems Intrusion Detection Encryption Windows NT Operating System Concepts Silberschatz, Galvin and Gagne 2002

425 views • 9 slides
Insider Threat Insider Threat (Database Intrusion Detection) 1 Insider Threats: Motivation and

Insider Threat Insider Threat (Database Intrusion Detection) 1 Insider Threats: Motivation and

Insider Threat Insider Threat (Database Intrusion Detection) 1 Insider Threats: Motivation and Challenges Challenges Mission critical information = High value target Threatens Government organizations and large corporations

435 views • 39 slides

More recommend