Understanding Targeted Attacks. Sean Mason VP, Incident Response

Transcription

1 Understanding Targeted Attacks Sean Mason VP, Incident Response

2 Sean A. Mason Security Analyst IR Mgr Director IR Executive IR Leader VP, Incident Response Sr. IT Auditor InfoSec Team Lead Web Developer Agile Development Manager Web Developer R1 Technical School USAF BS MIS McKendree University MBA Webster University PMP CISA CISSP CISM ISSMP CSSLP NMDC & AIMC GE Crotonville CCFP

3 Session Synopsis Understanding Targeted Attacks In the past, most cyber attack campaigns were primarily random, and they simply exploited the most vulnerable systems they could find. Today, however, there is an increasing number of sophisticated attacks that target specific companies, data, or even employees. These attacks are often extremely well disguised and may escape the security tools that most enterprises use to screen out more random attacks. What tools and defenses are there to prevent targeted attacks on your organization? In this session, you will hear about the latest types of targeted attacks and what your enterprise can do to stop them.

4 Prevention Will Fail

5 Shifting landscape

6 Upfront Reality You will get breached Prevention is not a panacea Detection is an absolute must Outsourcing Response is a recipe for failure Speed to discovery and containment are critical By 2020, 60% of enterprise information security budgets will be allocated to rapid Endpoint Detection & Response, up from 10% in Gartner

7 Slower Response = Greater Risk 66% 60% 60, % Of Breaches Took Months or Even Years to Discover Of Breaches Have Data Exfiltrated in First 24 Hours Number of Alerts Hackers Set Off at Neiman Marcus Median Number of Days Advanced Attackers Present Before Detection Of Organizations Discover Breaches Through Their Own Monitoring Stats: Verizon 2013 Data Breach Investigations Report, Mandiant MTrends 2014 & Neiman Marcus

8 Threat Landscape

9 Mental Anchors

10 Fallacy of the Single Cause

11 Threats are People Nuisance Hacktivism Insiders Cyber Crime State Sponsored/APT Objective Access & Propagation Defamation, Destruction, Press & Policy Revenge, Destruction, Monetary Gain Financial Gain Economic, Political Advantage, Destruction Example Botnets & Spam Website Defacements, DDOS Destruction, Theft Credit Card Theft Intellectual Property Theft, DDOS Skill Low Low - Med Med High Very High Potential Data Targets Sensitive Information, Vulnerable Data Access to the Network, Compromising Information Intellectual Property, Compromising Information Credit Card Data, Personal Identifiable Information, Health Records Intellectual Property, Negotiation, National Intelligence Named Actors General Malware Syrian Electronic Army, LizardSquad, Anonymous Jimmy, Suzy, Sally, Johnny Russian Business Network (RBN) APT1

12 Anatomy of an Attack

13 Increasing risk & cost to contain & remediate Kill Chain (KC) Recon Weaponization KC1- Re connaissance: Collecting information about the target organiza tion KC2- We aponization: Packaging the threat for delivery Delivery KC3- De live ry: Transmission of the weaponized payload Exploitation KC4- Exploitation: Exploting vulnerabilities on a system Installation KC5- Installation: Installing malware on a target C2 KC6- Command &Control: Providing hands on the keyboard access to the target system Actions on Intent KC7- Actions on Intent: The attacker achieves their objective (e.g. stealing information) Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, Lockheed Martin

14 Anatomy of the Hack evil.com tcp/80 (http) tcp/445 (smb) DMZ Host tcp/80 (http) tcp/443 (ssl) External Facing Web Server Backend SQL DB tcp/3389 (rdp) tcp 445 (smb) tcp 3389 (rdp) 1. Vulnerability scanning (KC1) 2. Google hacking (KC1) 3. SQLi / Web shell (KC3-5) 4. SMB Lateral movement (KC5-7) 5. RDP Lateral movement (KC5-7) 6. SQL Lateral movement (KC5-7) 7. Internal Lateral movement (KC5-7) 8. Pipeline creation (KC7) 9. Exfil (KC7) DMZ Host Internal Host

15 Case Study Acquisition Acquiring Company Small 3 rd party / acquisition targeted All infrastructure compromised, to include All data within acquisition stolen Waited until networks connected to move into acquiring company Acquiring Company Info Security spend >$50M/yr

16 Dissecting Attacks

17 Creating a defenders advantage Intrusion Attempts 1, 2, and 3 Indicators Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, Lockheed Martin

18 Incident Review Lessons Learned (What did the a ctor do?) (Why did it work?) (What should we do?) Kill Chain Actor Action Failure Mode Mitigation Action Reconnaissance Used commercial web scanner Potential gaps in threat tool & scanning capability Establish detection capability W eaponization Delivery Exploitation SQL injection on vulnerable ASP page to gain admin user access Could not detect SSL traffic; vulnerable to SQL injection Secure Development, Application Security Assessments, WAF Installation Comm & Control Actions on intent IIS web service used to upload web shell Used web shell on initially compromised host Accessed id.txt which held account information with admin access Failure to restrict file upload types or configure web server to not execute uploaded files Could not detect SSL traffic Management scripts failed to delete id.txt after running Secure Development, Application Security Assessments, HIDS, AV, White Listing Netflow Analysis Scripts retired and environment scanned. Go 5 What s &Why s Deep Created by GE-CIRT

19 Prevention & Detection Scenarios Recon Weaponization Deliver Exploitation Installation C2 Act on Objectives - Name URI Domain Name URI URL HTTP - GET HTTP UA String Address - Path URI - URL Behavior - Path - Name URI- Domain Name URI - URL HTTP - POST Header - Subject Header X- Mailer Address Behavior Win Registry Key - Name URI Domain Name URI URL Address cidr Code Binary Code Win Process Win Registry Key - Path - Name URI Domain Name URI - URL HTTP - GET HTTP UA String Address Behavior Win Process Win Registry Key URI Domain Name URI - URL HTTP - GET HTTP - POST HTTP UA String Address Behavior Win Registry Key Win Service - Path - Name URI Domain Name URI URL Created by GE-CIRT

20 Platform Strengths (example IDS Solution) Recon Weaponization Deliver Exploitation Installation C2 Act on Objectives - Name URI Domain Name URI URL HTTP - GET HTTP UA String Address - Path URI - URL Behavior - Path - Name URI- Domain Name URI - URL HTTP - POST Header - Subject Header X- Mailer Address Behavior Win Registry Key - Name URI Domain Name URI URL Address cidr Code Binary Code Win Process Win Registry Key - Path - Name URI Domain Name URI - URL HTTP - GET HTTP UA String Address Behavior Win Process Win Registry Key URI Domain Name URI - URL HTTP - GET HTTP - POST HTTP UA String Address Behavior Win Registry Key Win Service - Path - Name URI Domain Name URI URL Notes: Security solutions are able to investigate, analyze and monitor this indicator type Security solutions are unable to track this indicator type. These areas represent gaps Created by GE-CIRT

21 All Platforms (aggregated view) Recon Weaponization Deliver Exploitation Installation C2 Act on Objectives - Name URI Domain Name URI URL HTTP - GET HTTP UA String Address - Path URI - URL Behavior - Path - Name URI- Domain Name URI - URL HTTP - POST Header - Subject Header X- Mailer Address Behavior Win Registry Key - Name URI Domain Name URI URL Address cidr Code Binary Code Win Process Win Registry Key - Path - Name URI Domain Name URI - URL HTTP - GET HTTP UA String Address Behavior Win Process Win Registry Key URI Domain Name URI - URL HTTP - GET HTTP - POST HTTP UA String Address Behavior Win Registry Key Win Service - Path - Name URI Domain Name URI URL Notes: Security solutions are able to investigate, analyze and monitor this indicator type Security solutions are unable to track this indicator type. These areas represent gaps Created by GE-CIRT

22 Coverage Gaps Recon Weaponization Deliver Exploitation Installation C2 Act on Objectives HTTP UA String Header - Subject - Path URI - URL Header X-Mailer Created by GE-CIRT

23 Putting it all Together

24 Intel Driven Risk Mitigation

25 Defense & Detection- in Depth Perimeter: Reduce Internet PoPs, , DMZ s, IPS/IDS/FE/Proxy, Netflow Network: IDS/IPS/Netflow Host: AV, WhiteListing, HIPS, R1 Application & Data: WAF, Secure Coding, Logging

26 Knowledge Management automated & manual automated automated & manual Ecosystem for Success Prevention & Detection Response Hosts Outpost(s) Centralized Storage & Analysis for Response Intel IDS/IPS Single Pa ne Suspect External SSH SIEM Internal SSH Etc Wiki Repository Knowledge Management

27 Wrapping it up

28 Environmental Changes Architecture People Attacks/TTPs Infrastructure Regulations (HIPAA, PCI-DSS, DFARS)

29 Final Thoughts! Prevention will fail! Threats are people! Ensure everything is Auditable Think beyond IT- form allies in the business Establish a relationship with your local FBI office Don t forget metrics Reward your teams!

30 Questions? Sean Mason Web: