Investigating APT1. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Deana Shick and Angela Horneman

Similar documents
SEI/CMU Efforts on Assured Systems

Passive Detection of Misbehaving Name Servers

ARINC653 AADL Annex Update

Information Security Is a Business

Defining Computer Security Incident Response Teams

The CERT Top 10 List for Winning the Battle Against Insider Threats

Analyzing 24 Years of CVD

2013 US State of Cybercrime Survey

Be Like Water: Applying Analytical Adaptability to Cyber Intelligence

Cyber Threat Prioritization

Encounter Complexes For Clustering Network Flow

Causal Modeling of Observational Cost Data: A Ground-Breaking use of Directed Acyclic Graphs

Design Pattern Recovery from Malware Binaries

Modeling the Implementation of Stated-Based System Architectures

Static Analysis Alert Audits Lexicon And Rules David Svoboda, CERT Lori Flynn, CERT Presenter: Will Snavely, CERT

Panel: Future of Cloud Computing

Prioritizing Alerts from Static Analysis with Classification Models

Software, Security, and Resiliency. Paul Nielsen SEI Director and CEO

Components and Considerations in Building an Insider Threat Program

Flow Analysis for Network Situational Awareness. Tim Shimeall January Carnegie Mellon University

Denial of Service Attacks

Advancing Cyber Intelligence Practices Through the SEI s Consortium

Cyber Hygiene: A Baseline Set of Practices

ARINC653 AADL Annex. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Julien Delange 07/08/2013

Inference of Memory Bounds

Julia Allen Principal Researcher, CERT Division

Situational Awareness Metrics from Flow and Other Data Sources

Providing Information Superiority to Small Tactical Units

10 Years of FloCon. Prepared for FloCon George Warnagiris - CERT/CC #GeoWarnagiris Carnegie Mellon University

Software Assurance Education Overview

OSATE Analysis Support

Roles and Responsibilities on DevOps Adoption

Current Threat Environment

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

COTS Multicore Processors in Avionics Systems: Challenges and Solutions

Model-Driven Verifying Compilation of Synchronous Distributed Applications

Smart Grid Maturity Model

Netflow in Daily Information Security Operations

Automated Provisioning of Cloud and Cloudlet Applications

Fall 2014 SEI Research Review Verifying Evolving Software

Report Writer and Security Requirements Finder: User and Admin Manuals

Collaborative Autonomy with Group Autonomy for Mobile Systems (GAMS)

Dr. Kenneth E. Nidiffer Director of Strategic Plans for Government Programs

Using DidFail to Analyze Flow of Sensitive Information in Sets of Android Apps

Researching New Ways to Build a Cybersecurity Workforce

Goal-Based Assessment for the Cybersecurity of Critical Infrastructure

Verifying Periodic Programs with Priority Inheritance Locks

Foundations for Summarizing and Learning Latent Structure in Video

Semantic Importance Sampling for Statistical Model Checking

The Insider Threat Center: Thwarting the Evil Insider

EXAMINING THREAT GROUPS FROM THE OUTSIDE: GENERATING HIGH-LEVEL OVERVIEWS OF PERSISTENT AND TRADITIONAL COMPROMISES. Angela Marie Horneman

Effecting Large-Scale Adaptive Swarms Through Intelligent Collaboration (ELASTIC)

Modeling, Verifying, and Generating Software for Distributed Cyber- Physical Systems using DMPL and AADL

Model-Driven Verifying Compilation of Synchronous Distributed Applications

Integrating the Risk Management Framework (RMF) with DevOps

Engineering Improvement in Software Assurance: A Landscape Framework

Cloud Computing. Grace A. Lewis Research, Technology and Systems Solutions (RTSS) Program System of Systems Practice (SoSP) Initiative

Architectural Implications of Cloud Computing

WorldExtend Environment Preparation Guide

Merchant Certificate of Compliance

Measuring the Software Security Requirements Engineering Process

Using CERT-RMM in a Software and System Assurance Context

TCP/IP Fundamentals. Introduction. Practice Practice : Name. Date Period

NISPOM Change 2: Considerations for Building an Effective Insider Threat Program

Open Systems: What s Old Is New Again

Pharos Static Analysis Framework

Cloud Computing. Grace A. Lewis Research, Technology and Systems Solutions (RTSS) Program System of Systems Practice (SoSP) Initiative

The Need for Operational and Cyber Resilience in Transportation Systems

SOLUTION OVERVIEW. Enterprise-grade security management solution providing visibility, management and reporting across all OSes.

NO WARRANTY. Use of any trademarks in this presentation is not intended in any way to infringe on the rights of the trademark holder.

Identify the features of network and client operating systems (Windows, NetWare, Linux, Mac OS)

MCAFEE THREAT INTELLIGENCE EXCHANGE RESILIENT THREAT SERVICE INTEGRATION GUIDE V1.0

An Incident Management Ontology

Cloud Sandboxing Against Advanced Persistent Attacks

The Privileged Appliance and Modules (TPAM) 1.0. Diagnostics and Troubleshooting Guide

Enhancement in Agent syslog collector to resolve sender IP Address EventTracker Enterprise

HP ArcSight Port and Protocol Information

A+ Guide to Software: Managing, Maintaining, and Troubleshooting, 5e. Chapter 8 Networking Essentials

SEI Webinar Series. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA January 27, Carnegie Mellon University

Engineering High- Assurance Software for Distributed Adaptive Real- Time Systems

HYCU SCOM Management Pack for F5 BIG-IP

NetApp Cloud Volumes Service for AWS

Modernizing Meetings: Delivering Intel Unite App Authentication with RFID

Global Information Assurance Certification Paper

Site Impact Policies for Website Use

Integrating Software Assurance Knowledge into Conventional Curricula

Unified Infrastructure Management Compatibility Matrix September 05, 2017

QuickSpecs. Available Packs and Purchase Information. ProLiant Essentials Vulnerability and Patch Management Pack v2.1. Overview.

Intel Unite. Intel Unite Firewall Help Guide

31270 Networking Essentials Focus, Pre-Quiz, and Sample Exam Answers

Microsoft Exchange Server SMTPDiag

Improving Software Assurance 1

Networks and Communications MS216 - Course Outline -

CyberArk Privileged Threat Analytics

Integrate Cisco VPN Concentrator

Attackers Process. Compromise the Root of the Domain Network: Active Directory

The Confluence of Physical and Cyber Security Management

Five Keys to Agile Test Automation for Government Programs

DESCRIPTION OF TYPICAL NETWORK SERVICES ON SERVERS

Port Mirroring in CounterACT. CounterACT Technical Note

Transcription:

Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Deana Shick and Angela Horneman

Copyright 2013 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. References herein to any specific commercial product, process, or service by trade name, trade mark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This material has been approved for public release and unlimited distribution except as restricted below. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. Carnegie Mellon and CERT are registered marks of Carnegie Mellon University. DM-0000813 2

Introduction We wanted to validate what Mandiant proposed in its APT1 report We wanted to utilize the Internet Census 2012 data We wanted to understand how public sources can tell a story about a specific threat group We came to many similar conclusions as Mandiant with significantly less man power We were able to show that important information can be gathered, combined, and reported by not using private or otherwise sensitive data 3

Data Sources Mandiant: APT1: Exposing One of China s Cyber Espionage Units Joint Indicator Bulletins: INC260425, INC260425-2 Internet Census Data 2012 Security Information Exchange at the Internet System Consortium (SIE@ISC): passive DNS Data Open Resolvers Data Set Neustar GeoPoint Data for geo-location and routing data Internet Storm Center Data: Dshield 4

Indicator Expansion Address sets I j : IP addresses found in both JIBs DI m : IP addresses resolved from Mandiant FQDNs I j +I m : Combined I j and DI m Network Attribution I j +I m A: ASN information I j +I m R: Routing type I j +I m C: Country code, city and state (or province) I j +I m O: Open resolvers I j D: Domain Names I j DM: Malicious Code Device Architecture I j +I m F p75 : Fingerprints with minimum 75% match P: Set of IP addresses having open ports I j +I m P : Open ports IPv4 Random Sample SF p75 : Fingerprints with minimum 75% match SP: Open Ports 5

Count of IP Addresses I j +I m A: Autonomous System Numbers There are 28 organizations with 10 or more IP addresses which comprise 51.9% of the data. Most Frequently Occurring Organizations Organization Name 6

Count of IP Addresses I j +I m C: Location of IP Addresses 79% of I j +I m IPs are located in the United States 45 U.S states and the District of Columbia are represented 28% of IPs resolve to California 54 different countries are represented Most Frequently Occurring Non-U.S. Countries Country Name 7

I j +I m R: Routing Data 1,000 I j +I m IPs have a routing type 984 IP addresses having connection types, which classifies if the routing type is fiber, leased line, DSL, cable or dialup. Routing Types 8

I j D : Domain Names Deceptive Domains; off by 1 Pseudo-random Alphanumeric Strings Malicious Domains 9

I j DM: Malicious Code 266 unique malicious code hashes found in CERT's Malicious Runtime Analysis efforts 7 of 266 appeared in the Mandiant report in 8 different domain names Only 3 of these 8 domain names were listed by Mandiant 15 hashes occurred more than once, all others occurred only once 10

Count of IP Addresses (I j +I m F p75 ) 5 : Top TCP/IP Fingerprints 32.5% of I j +I m was fingerprinted Linux made up 27.9 % of the fingerprinted machines. Microsoft Windows accounted for 65.4% of the fingerprinted machines. OS Fingerprints by Count of IP Addresses Operating System 11

SF p75 :TCP/IP Fingerprints of S given a 75% Match 11.13% of the sample set was fingerprinted Linux made up 35.2% of the fingerprinted machines. Windows made up 12.9% of the fingerprinted machines. 51.9% were other device types Fingerprint % Total IPs I j +I m %Total IPs S Microsoft Windows Sever 2003 Service Pack 1 or 2 21.5% 0.6% Microsoft Windows Server 2003 SP2 9.3% 3.0% Linux 2.6.32-3.2 7.5% 1.8% Windows XP SP2 or Windows Server 2003 SP1 or SP2 6.2% 0.2% Linux 2.6.32 5.3% 6.6% VxWorks - 6.2% Linux 2.6.18 4.2% 4.2% Linksys WRT610Nv3 WAP 0.2% 4.1% AVM FRITZ!Box FON WLAN 7170 WAP (Linux 2.6.13-3.8% 12

Count of IP Addresses I j +I m P: Port Analysis 51.1% of the I j +I m had open ports 609 unique open ports Four IP addresses had more than 100 ports open Most Common Open Port by Count of IP Addresses Port Number and Most Common Service 13

SP: Open Ports There are 33,573 IP addresses found in the S having open ports. This constitutes 33.6% of the sample data. There are 14,024 unique open ports represented in the data. Port % Total of IPs I j +I m % Total IPs S 3389 (RDP) 54.9% 4.3% 443 (HTTPS) 39.4% 17.6% 21 (FTP) 38.6% 16.6% 25 (SMTP) 27.4% 9.8% 135 (NetBIOS) 26.8% 3.2% 53 (DNS) 20.9% 8.2% 22 (SSH) 20.5% 11.3% 1025 (NFS or IIS) 19.7% 1.4% 3306 (MySQL) 18.5% 4.2% 139 (NetBIOS) 18.3% 1.4% 445 (Microsoft AD) 17.3% 1.0% 1723 (PPTP) 15.5% 3.4% 110 (POP3) 14.8% 5.2% 1026 (DCom Services) 12.8% 1.5% 143 (IMAP) 10.9% 4.8% 8080 (Alt HTTP) 9.6% 2.6% 23 (Telnet) 4.2% 5.2% 14

I j +I m O: Open Resolvers There are 43 open resolvers total in the I j +I m. This constitutes 3.1% of the I j +I m. These belong to 30 different organizations Companies associated with more than 1 open resolver Company Name Number of Open Resolvers Comcast Cable Communications, Inc. 6 CrystalTech Web Hosting Inc. 5 MegaPath Networks Inc. 3 Charlotte Colocation Center, LLc 2 NOVARTIS-DMZ-US (Qwest/CenturyLink) 2 15

Overall Findings Our available unclassified data gives a snapshot in time of what APT1 was using APT1 uses stable, well connected infrastructure, mostly in the US Windows 2003 or XP, Linux ~ 2.6.32 Mostly ISPs or hosting providers Especially from California The APT1 infrastructure may be evolving Time frame of Windows vs. Linux versions Open port differences (including absences) across IP addresses even within same ASN Malware hashes indicate there is a much bigger network for APT1 than what was released 16

Conclusion We were able to validate at a high level some of what Mandiant proposed Command and control servers communicate over port 443 Malware communicated using RDP or similar protocols APT1 used compromised mail servers in its operations In some cases we found more data then it provided Exploited devices are predominately in the U.S. and in particular California Found 259 previously unattributed pieces of malware In other cases what we were able to investigate did not directly corroborate Mandiant s findings Exploited devices are hosting providers We were able to find important information by not using private or otherwise sensitive data 17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback