I Was APT d. What Did They Steal?

Transcription

1 I Was APT d. What Did They Steal? Marcus H. Sachs, P.E. Verizon October 19, 2011

2 All Is Not Lost Just because you found the APT in your system (or were told by a third party that you ve been 0wn3d) doesn t mean that all is lost The name of the game for this particular threat is exfiltration But exfiltration is the last step they are going to take Catch the APT early, and you can still win This presentation explains how to find out what you lost Hopefully you ve not lost anything! (yet) 2 RELIABILITY ACCOUNTABILITY

3 Investigating and Preventing Data Theft What was taken? Not always easy to answer Accessed hosts are not necessarily the ones that were infected Staging of data (.zip or.rar files) does not mean that data was actually stolen Long-term undetected network occupation and data theft is common Different strategies for Single host investigation Enterprise-scale investigation Detection and prevention 3 RELIABILITY ACCOUNTABILITY

4 Host or Network Analysis? Often subject to heated debate Need to be adept at both! Distinct sets of skills and technologies to address each challenge Most organizations prefer network-centric detection Especially if the enterprise is large or when host-level analysis is cost prohibitive But if you prefer enterprise network analysis then you need tools that scale to the size of your enterprise Don t forget to look for the easy stuff like FTP or TFTP o Exfiltration is not always via encrypted tunnels 4 RELIABILITY ACCOUNTABILITY

5 Single Host Analysis Traditional file system forensics Directory index records Hidden folders and files Search & carve archives from unallocated space Services or processes that are not normal System logs (must be turned on!) Registry ShellBags Most Recently Used (MRU) registry keys 5 RELIABILITY ACCOUNTABILITY

6 Enterprise-Scale Host Analysis Use lightweight data suitable for stacking and searching For example: Evidence of deleted attacker tools o Prefetch analysis o Restore point analysis Remnants in staging directories Common hiding spots in Windows o C:\RECYCLER o %SYSTEMROOT%\Tasks o Registry entries in \HKLM\..\RunOnce Local logon events implicating lateral movement 6 RELIABILITY ACCOUNTABILITY

7 Network Logs High-volume data transfers are usually detected after the fact Next steps are often unclear Can you map the traffic back to a single / several offending hosts? o DHCP logging? o DNS logging? o Web proxy logs? o Log retention? What s the threshold for identifying anomalous volumes of data to an Internet endpoint? o Via FTP? o Via HTTPS? But you have to have logging turned on before the attack 7 RELIABILITY ACCOUNTABILITY

8 Detection Via Netflow It is often easier to detect data theft through internal netflow monitoring Workstations are almost always both the initial entry points and staging points Baseline normal netflows between workstations and servers / server segments Also baseline normal netflows between yourself and third parties Often a business partner will get infected, then the intruder will use a trusted connection to exfiltrate your data Don t forget queries to your local DNS 8 RELIABILITY ACCOUNTABILITY

9 Windows Security 101 Inhibit lateral movement to limit data theft opportunities Internal network segmentation Host-to-host Host-to-server Admin LANs Lockdown Local Admin Remove Local Admin from ordinary domain users Unique Local Admin passwords on each system Admin accounts only used for admin functions Remove web and services/clients from data servers Turn off all unused/unneeded services 9 RELIABILITY ACCOUNTABILITY

10 When the APT is Found, Don t Panic! Avoid knee-jerk responses to detected breaches You probably only know a small piece of a larger puzzle Compromised systems Accessed systems Malware and utilities in place Malicious network endpoints Incomplete response ensures attacker adaptation and persistence If you don t know what to do, call an expert! 10 RELIABILITY ACCOUNTABILITY

11 Some Final Thoughts Truths about targeted attacks They were there for a reason They will try to come back The term Persistent is exactly that Plan for their return Encourage active searching Reward those who find the first evidence of a reoccurrence Maximize the costs of exploitation, data theft & persistence You can win this battle But you have to be prepared for the APT 11 RELIABILITY ACCOUNTABILITY