APT Attack Detection of Vulnhunt. Vulnhunt Inc Flashsky

Transcription

1 APT Attack Detection of Vulnhunt Vulnhunt Inc Flashsky

2 About Me * Venustech researcher * Eeye researcher * Microsoft researcher * Vulnhunt CEO

3 CONTENT Vulnerability and APT APT attack analysis APT attack detection

4 Vulnerability EXP Shellcode Trojan Trojan be installed into the user s System by attacker controlled SHELLC ODE Vulne rabilit y Troj an Troj an The Internet server Which Attacker control Trojan:a program which include malicious function can be executed by the attacker attacker Shellcode Download trojans Attacker write Trojans and upload to the server Attacker send the EXP to user Discovery vulnerability Simulation scenarios Trust boundaries vulner ability Application the vulnerability be tiggered and the shellcode executed EXP Application User scenarios If user use the application to Open this exp EXP:trigger the vulnerability and execute the attack play- load (SHELLCODE),but it seems legitimate and harmless normal data,such as a document, a message,. user

5 Vulnerability and attack/defense * Attacker * discover vulnerability * Vulnerability exploitation * Trojan Bypass Protection( use defense flaw) * Ascendant: Remote(low cost, difficult detecting, difficult forensics, difficult Law enforcement) Defender * Reduce vulnerability * Detect Exp and Shellcode * Detect the behavior of Exp and Shellcode * Detect Trojan horse * Detect the behavior of Trojan horse

6 Defender problems * Reduce vulnerability * Security Development Process( Rely developer) * Detect Exp and Shellcode * characteristic detection (based known, bypass) * Detect the behavior of Exp and Shellcode * NX (confront) * Detect Trojan horse * Static characteristic(based known, easily confrontation) * Detect the behavior of Trojan horse * High- risk Behavior(mistake, confront)

7 CONTENT Vulnerability and APT APT attack analysis APT attack detection

8 What s APT * Advanced Persistent Threat * Advanced * Intelligence gathering and analysis * Social engineering * Professional attack techniques * Persistent * Purpose * Big profit * Organized * Capital adequacy

9 * A * Means * Spy Advance Consideration * Collect information * Scan * Social engineering * Spoof * Back door * Techniques * 0DAY Vulnerabilities * 0DAY Trojan * Encryption channel * Bypass the detection

10 APT CASE 2009:Aurora Attack 2010:Stuxnet Why we can t stop them? 2011:Steal RSA Token 2012:Steal NASA 2012:Flame

11 APT attack process * Gather Information * Launch * Gain a foothold * Penetration for higher privilege * Gain the valuable assets Gather Information Organizational structure Valuable assets Network structure Network defense Host defense weakness Launch Vulnerability EXP Trojan Simulation exercises Launch a Social engineering Gain the valuable assets Valuable assets Gain a foothold Vulnerability trigger Shellcode execute Trojan download Trojan implanted Network defense Normal employees and Host defense another assets Privileged employees and Host defense Penetration for higher privilege Social engineering Attempts to access and bruteforcing Vulnerability Virus and Trojan Important Enterprise Steal control Or Organization destroy Encryption channel Camouflage Long-term Strategy * Steal/control/destroy attacker

12 APT attack feature Persistent concurrency Strategy control Long-term Steal Destroy when key Client 0DAY vulnerabilities 0day Trojan Social engineering Gather Information Organizational structure Valuable assets Network structure Network defense Host defense weakness Launch Vulnerability EXP Trojan Simulation exercises Launch a Social engineering Gain a foothold Vulnerability trigger Shellcode execute Trojan download Trojan implanted Network defense Gain the valuable assets Normal employees and Host defense Valuable assets another assets Privileged employees and Host defense Penetration for higher privilege Social engineering Attempts to access and bruteforcing Vulnerability Virus and Trojan Steal control destroy Important Enterprise Encryption Or Organization channel Camouflage Long-term Strategy Encryption channel Simulation Distributed attacker Social engineering penetration

13 When APT go mainstream aurora:1 0day VUL,0DAY Trojan Stuxnet :7 0DAY VUL,0DAY Trojan RSA:1 0DAY VUL, 0DAY Trojan flame: 1 0DAY VUL, 0DAY Trojan Energy Military industry Financial Science research Large manufacturing IT Government Military Goals: large organizations important information assets Attack path: personal terminal social engineering penetration Techniques 0day vulnerabilities 0day Trojan encryption channel Current defense system is difficult to detect and defend

14 The flaw of current defense Audit Risk assess reinforcement system Policy and Privilege Manage AV/HIPS IDS/IPS Based known : Known vulnerabilities Known Trojans Known attack behavior Sensitive keywords Difficult: 0day vulnerabilities 0day Trojans Farraginous attack behavior Encryption channel Social engineering FW

15 Key technical point of APT Detection Encryption channel Vulnerability exploitation (include 0day) Unknown Trojan Social engineering

16 CONTENT Vulnerability and APT APT attack analysis APT attack detection

17 APT defense technology SDL and security testing Vulnhunt xingyun product Security develop Security testing Security awarenes s ss Security reinforc ement Scan scan gather gather Social spoof Social engineer vulnerabi ing lity FW IPS + IPS Vulnerability AV+ Audit+ Honeypo t+ APT attack forensics detection 0DAY Trojan detectio n encrypti on channel detectio n vulnerabi Trojan lity Call Back Trojan Destroy Call back destroy Preve ntion Detect ion suppr ess Respo nse

18 The Problem of current APT detection * Focus point of Industry * 0day Trojan detection * White list * Online virtual execution analysis * Problem :hardly dominant in the confrontation * Detection: * Trojan can execute confront code * Example: cover up, Hijack DLL files of trusted program * Trojan use runtime Behavior * Example: Cloud push, implanted vulnerability * Analysis and Tracking: * Cloud push

19 The APT detection system of vulnhunt Challenge:How to detect unknown threat? Share Attack information Various application Different Version Online VX analysis Unknown Vulnerability (include 0Day) Event relate Online VX analysis Unknown Trojan Confront Auto-learning Encryption channel Trusted channel analysis The APT Depth Detection system of vulnhunt Social spoof How?

20 vulnerability attack Detection of Vulnhunt VX (include 0day) * Pre- analytical techniques of Vulnhunt * Embed execution code * Check Suspected Shellcode * Decode * Binary shellcode * Data seem as execution code * Memory Virtual Execution : independent of application * Script shellcode * Characteristic detect * Limited and widely known applications

21 vulnerability attack Detection of Vulnhunt VX (Include 0day) * VX- analysis techniques of vulnhunt * Determine * Execution Behavior : data memory execute, create process * Memory check : independent of version and decoding knowledge * Behavior recode * Execution recode * Memory Virtual Execution recode * binary shellcode * the virtual machine isn t installed this application * the shellcode not executed successfully

22 Demo of vulnhunt APT detection 1. determine vulnerability attack 2. determine 0day or Nday 3. analysis shellcode behavior 1. Extract Shellcode 2. Trojan 1. File 2. Url 3. local execution behavior of the shellcode: 1. Call API 2. modify registry 3. Network communication 4. Create and modify local files

23 Trojan Detection of Vulnhunt VX (include 0day Trojan) * Pre- analytical techniques of Vulnhunt * Source * Embed execution file * Execution file obtained from / IM /online copy/ Download * Known Trojan detection * Anti- virus * Self- learning detection * Same URL with Shellcode download * Same MD5 with Shellcode released

24 Trojan Detection of Vulnhunt VX (include 0day Trojan) * VX- analysis techniques of vulnhunt * Execution behavior analysis * API * Network communication * Registry * create or modify local files * Resource ( ex. Pipe, mutex ) * Known Trojan Signature matched * Self- learning * Shellcode download or release files - > Trojan ( white list exclude ) * URL * MD5 * Behavior recode

25 Encryption channel Detection of Vulnhunt ( study) * Non- encryption protocol ;encrypted data * Entropy analysis * Encryption protocol ;encrypted data * Source exception * Time * Flow * Access rule * Destination exception * White list * Internet- aware * Whois analysis * traffic link or other information

26 Thanks * About Vulnhunt Inc. * Founded in , flashsky & alert7 * Business * Security testing service * SDL service * APT attack Detection product * Customers * HuaWei,Tencent,Kingsoft,360.. * Thanks * xing_fang@vulnhunt.com * Q/A