
State of the Hack

Research and Technology Protection (RTP) Conference

Presented by: Charles Carmakal, Managing Director
April 2014

© Mandiant, A FireEye Company. All rights reserved.

Agenda

- Spectrum of threat actor sophistication and motivations
- Attributes of various types of threat actors
- Recent breach trends observed
- Case studies
- Countermeasures
- Q&A

Important Note

All information is derived from Mandiant observations in non-classified environments.

Some information has been sanitized to protect our clients’ interests.

We are Mandiant

- Threat detection, response and containment experts
- Software, professional & managed services, and education
- Application and network security evaluations
- Offices in:
  - Washington
  - San Francisco
  - New York
  - Albuquerque
  - Los Angeles
  - Dublin, Ireland
  - Redwood City
  - Reading, UK

Introductions

- Charles Carmakal
- Managing Director with Mandiant
- Based in Washington, D.C.
- Fifteen years of experience in incident response and penetration testing
- Focused on breaches related to the theft of intellectual property and financial crime
- Nine years with PwC in D.C., Atlanta, and

All Threat Actors Are Not Equal

Nuisance Threats
  Objective: Launch Points & Nuisance
  Example: Botnets & Spam

Hacktivists
  Objective: Defamation, Press, & Policy
  Example: Anonymous, Lulzsec, Syrian Electronic Army

Organized Crime
  Objective: Financial Gain
  Example: Theft of Credit Cards and PII, ACH fraud

Foreign Governments
  Objective: Economic, Political, and Military Advantage
  Example: Advanced Persistent Threat

The slide also rates each actor on two further rows, Targeted and Persistent; those marks are not legible in this copy.

Nuisance threats impact every organization.

All Threat Actors Are Not Equal

Hacktivists cause embarrassment and significant business impact.

Case Study: The Syrian Electronic Army

The Syrian Electronic Army Steals Headlines – Literally

- What is the SEA?
- Who do they target and why?
- Their tactics:
  - Send emails from internal accounts
  - Compromise service providers

Hacktivists

Dow dropped 140 points

All Threat Actors Are Not Equal

Organized crime presents financial risk to all organizations.

Who Are the Major Players?

- Groups based out of eastern Europe, who are responsible for hundreds of public breaches
- Groups operating with impunity in Russia and surrounding countries

These groups:
- Will target anyone – they are opportunistic
- Know the banking and financial environments and technologies better than most organizations
- Specialize in credit card theft, ATM drawdowns, and ACH fraud

Historical and Emerging Attack Vectors

- Historical initial point of compromise:
  - Web-based exploits – SQL injection attacks
  - Remote administration utilities
  - Wireless networks
- Emerging trends:
  - Compromised third-party entity
  - Credential theft and subsequent network access through VPN or Citrix, instead of backdoors
  - Commodity

Why Targeted Attacks Are Different

It’s a “Who,” Not a “What”…
- There is a human at a keyboard
- Highly tailored and customized attacks
- Targeted specifically at individuals/organizations
- Effective at bypassing preventive controls

They Are Professional, Organized, & Well Funded…
- Often nation-state or state-sponsored
- Division of labor for different stages of attack
- Utilize change management processes
- Escalate sophistication of tactics as needed

They Are Relentless in Achieving Their Objective…
- They have specific objectives
- Their goal is long-term occupation
- Persistence tools ensure ongoing access
- They are relentlessly focused on their objective

Organizations that do not fully understand the scope of their breach before remediation often tip off the attackers.

All Threat Actors Are Not Equal

Foreign governments pose significant risk to numerous sectors.

Chinese APT Motivations

- China-based APT groups operate with the objective of gaining an economic, military, or political advantage.
- They are known to compromise entities for the following reasons:
  1. Theft of intellectual property
  2. Mergers, acquisitions, and divestments of foreign companies
  3. Modernization of processes and technologies
  4. Political reasons, e.g., political activists, spread of democracy
- They seem to follow their own rules of engagement.

Anatomy of a Targeted Attack

Attackers move methodically to gain persistent and ongoing access to their targets.

Initial Compromise
- Social engineering
- Spear phishing email with custom malware
- Third-party application exploitation

Establish Foothold
- Custom malware
- Command and control

Escalate Privileges
- Credential theft
- Password cracking
- “Pass-the-hash”

Internal Recon
- Critical system recon
- System, Active Directory, & user enumeration

Complete Mission
- Staging servers
- Data consolidation
- Data theft

Between Escalate Privileges and Complete Mission, the attacker cycles through two further stages:

Maintain Presence
- Backdoor variants
- VPN subversion
- Sleeper malware

Move Laterally
- Net use commands
- Reverse shell access

On average, it took 229 days for organizations to discover their breach; 33% of organizations self-detected the breach (down from 37% in 2012 and up from 6% in 2011).

Case Study: Iran-Based Activity

Iran-Based Activity

Our observations:
- Few victim industries: energy and state government
- Limited sophistication and tools
- Appear to be learning right now

Iran-Based vs. China-Based

General Trends From Our Investigations

Detecting a Compromise

An Undetected Presence

Still Phishing

Countermeasures

Relatively Easier Countermeasures

- Deploy application whitelisting on critical servers and infrastructure such as domain controllers, Exchange servers, and file servers
- Prevent network logons and RDP connections to the administrator account
- Block email attachments with executable files
- Require a click-through warning for uncategorized websites
- Block domains provided by dynamic DNS providers
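Detection logic for the last item above, blocking domains provided by dynamic DNS providers, as an added example that is not from the original slides or from Mandiant: it parses constructed resolver log lines (the log format is assumed) and flags lookups of hostnames under a small illustrative set of dynamic DNS zones, matching on DNS label boundaries so look-alike names and the providers' own apex domains are not flagged.

```python
import re
from typing import Iterable

# Illustrative, not exhaustive: zones run by well-known dynamic DNS providers.
# A real deployment would load the organization's own blocklist instead.
DYNAMIC_DNS_ZONES = {
    "no-ip.com", "no-ip.org", "ddns.net", "hopto.org", "zapto.org",
    "dyndns.org", "dynu.com", "duckdns.org", "3322.org",
}

# Constructed resolver log format (assumption): "<timestamp> <client_ip> query <qname>".
LOG_LINE = re.compile(r"^\S+ (?P<client>\S+) query (?P<qname>\S+)$")


def is_dynamic_dns(qname: str, zones=DYNAMIC_DNS_ZONES) -> bool:
    """True if qname is a hostname handed out *under* a dynamic DNS zone.

    Matching happens on label boundaries: 'mail.no-ip.com' matches, while the
    look-alike 'no-ip.com.example.org' and the provider's own apex 'ddns.net'
    (which is not a customer-provided name) do not.
    """
    labels = qname.rstrip(".").lower().split(".")
    # Start at the second label so the bare zone itself never matches.
    return any(".".join(labels[i:]) in zones for i in range(1, len(labels)))


def flag_dynamic_dns_queries(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (client, qname) pairs worth blocking at the resolver or alerting on."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m and is_dynamic_dns(m["qname"]):
            hits.append((m["client"], m["qname"]))
    return hits


# Constructed sample log; hostnames and addresses are placeholders, not real indicators.
SAMPLE_LOG = [
    "2014-04-01T09:12:03Z 10.1.5.23 query update.example-vendor.com.",
    "2014-04-01T09:12:07Z 10.1.5.23 query files-sync.hopto.org.",
    "2014-04-01T09:12:09Z 10.1.7.40 query no-ip.com.example.org.",
    "2014-04-01T09:12:11Z 10.1.7.40 query CORP-SVC01.DDNS.NET",
    "2014-04-01T09:12:15Z 10.1.9.18 query ddns.net.",
]

if __name__ == "__main__":
    for client, qname in flag_dynamic_dns_queries(SAMPLE_LOG):
        print(f"ALERT dynamic DNS lookup from {client}: {qname}")
```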

Relatively Harder Countermeasures

- Require dual-factor authentication on all remote access solutions such as VPN, Citrix, terminal services, and webmail
- Set a unique password for the local administrator account on all systems
- Remove local administrator rights for end users
- Inventory all service accounts and change them on a regular basis
- Block workstation-to-workstation communication

Questions?

Contact Information:
- https://www.linkedin.com/in/charlescarmakal

Free tools:
- Redline
- IOC Editor / Finder
- Memoryze / Memoryze for Mac
- Highlighter
- ApateDNS
- Heap Inspector
- PdbXtract
