State of the Hack
Research and Technology Protection (RTP) Conference
PRESENTED BY: Charles Carmakal, Managing Director APRIL 2014
© Mandiant, A FireEye Company. All rights reserved.

Agenda
• Spectrum of threat actor sophistication and motivations
• Attributes of various types of threat actors
• Recent breach trends observed
• Case studies
• Countermeasures
• Q&A
Important Note
All information is derived from Mandiant observations in non-classified environments.
Some information has been sanitized to protect our clients’ interests.
We are Mandiant
• Threat detection, response and containment experts
• Software, professional & managed services, and education
• Application and network security evaluations
• Offices in:
  ‒ Washington
  ‒ San Francisco
  ‒ New York
  ‒ Albuquerque
  ‒ Los Angeles
  ‒ Dublin, Ireland
  ‒ Redwood City
  ‒ Reading, UK
Introductions
• Charles Carmakal
• Managing Director with Mandiant
• Based in Washington, D.C.
• Fifteen years of experience in incident response and penetration testing
• Focused on breaches related to the theft of intellectual property and financial crime
• Nine years with PwC in D.C., Atlanta, and Sydney
All Threat Actors Are Not Equal

             Nuisance Threats           Hacktivists                     Organized Crime                   Foreign Governments
Objective    Launch Points & Nuisance   Defamation, Press, & Policy     Financial Gain                    Economic, Political, and Military Advantage
Example      Botnets & Spam             Anonymous, Lulzsec,             Theft of Credit Cards and PII,    Advanced Persistent Threat
                                        Syrian Electronic Army          ACH fraud

(Slide axis labels: Targeted, Persistent)
Nuisance threats impact every organization.
All Threat Actors Are Not Equal
Hacktivists cause embarrassment and significant business impact.
Case Study: The Syrian Electronic Army

The Syrian Electronic Army Steals Headlines – Literally
• What is the SEA?
• Who do they target and why?
• Their tactics:
  ‒ Send phishing emails from internal accounts
  ‒ Compromise service providers
Hacktivists
Dow dropped 140 points
All Threat Actors Are Not Equal
Organized crime presents financial risk to all organizations.
Who Are the Major Players?
• Groups based out of eastern Europe, who are responsible for hundreds of public breaches
• Groups operating with impunity in Russia and surrounding countries

These groups:
• Will target anyone – they are opportunistic
• Know the banking and financial environments and technologies better than most organizations
• Specialize in credit card theft, ATM drawdowns, and ACH fraud
Historical and Emerging Attack Vectors
• Historical initial point of compromise:
  ‒ Web-based exploits – SQL injection attacks
  ‒ Remote administration utilities
  ‒ Wireless networks
• Emerging trends:
  ‒ Compromised third-party entity
  ‒ Credential theft and subsequent network access through VPN or Citrix, instead of backdoors
  ‒ Commodity malware
Why Targeted Attacks Are Different

It's a "Who," Not a "What"…
• There is a human at a keyboard
• Highly tailored and customized attacks
• Targeted specifically at individuals/organizations
• Effective at bypassing preventive controls

They Are Professional, Organized, & Well Funded…
• Often a nation-state or state-sponsored
• Division of labor for different stages of the attack
• Utilize change management processes
• Escalate sophistication of tactics as needed

They Are Relentless in Achieving Their Objective…
• They have specific objectives
• Their goal is long-term occupation
• Persistence tools ensure ongoing access
• They are relentlessly focused on their objective
Organizations that do not fully understand the scope of their breach before remediation often tip off the attackers.
All Threat Actors Are Not Equal
Foreign governments pose significant risk to numerous sectors.
Chinese APT Motivations
• Chinese-based APT groups operate with the objective of gaining an economic, military, or political advantage.
• They are known to compromise entities for the following reasons:
  1. Theft of intellectual property
  2. Mergers, acquisitions, and divestments of foreign companies
  3. Modernization of processes and technologies
  4. Political reasons – e.g., political activists, spread of democracy
• They seem to follow their own rules of engagement.
Anatomy of a Targeted Attack
Attackers move methodically to gain persistent and ongoing access to their targets
Initial Compromise:
• Social engineering
• Spear phishing email with custom malware
• Third-party application exploitation

Establish Foothold:
• Custom malware
• Command and control

Escalate Privileges:
• Credential theft
• Password cracking
• "Pass-the-hash"

Internal Recon:
• Critical system recon
• System, active directory, & user enumeration

Move Laterally:
• Net use commands
• Reverse shell access

Maintain Presence:
• Backdoor variants
• VPN subversion
• Sleeper malware

Complete Mission:
• Staging servers
• Data consolidation
• Data theft

(Escalate Privileges, Internal Recon, Move Laterally and Maintain Presence repeat in a loop until the mission is complete.)
On average, it took 229 days for organizations to discover their breach; 33% of organizations self-detected the breach (down from 37% in 2012 and up from 6% in 2011).
Case Study: Iran-Based Activity

Iran-Based Activity
Our observations:
• Few victim industries – energy and state government
• Limited sophistication and tools
• Appear to be learning right now
Iran-Based vs. China-Based
General Trends From Our Investigations

Detecting a Compromise
An Undetected Presence
Still Phishing
Countermeasures

Relatively Easier Countermeasures
• Deploy application whitelisting on critical servers and infrastructure such as domain controllers, Exchange servers, and file servers
• Prevent network logons and RDP connections to the administrator account
• Block email attachments with executable files
• Require a click-through warning for uncategorized websites
• Block domains provided by dynamic DNS providers
Relatively Harder Countermeasures
• Require dual-factor authentication on all remote access solutions such as VPN, Citrix, terminal services, and webmail
• Set a unique password for the local administrator account on all systems
• Remove local administrator rights for end users
• Inventory all service accounts and change their passwords on a regular basis
• Block workstation-to-workstation communication
Questions?
• Contact information:
  ‒ https://www.linkedin.com/in/charlescarmakal
• Free tools:
  ‒ Redline
  ‒ IOC Editor / Finder
  ‒ Memoryze / Memoryze for Mac
  ‒ Highlighter
  ‒ ApateDNS
  ‒ Heap Inspector
  ‒ PdbXtract