APT, advanced threats, intelligence, targeted attack discovery, abnormal behavior, threat hunting
TARGETED CYBER ATTACKS: ANATOMY, VIVISECTION AND PROTECTION
Sergey Gordeychik, Deputy CTO, Kaspersky Lab

THE CASE OF THE CRYPTOBANK: INVESTIGATION RESULTS
• 1000 workstations, 200 servers
• 2 weeks of unsuccessful encryption attempts
• Backup servers hacked as well
• FDE tool / unique encryption key for each device
• PowerShell scripts…
TTP
• Enterprise wipers/cryptors: Black Energy, HDDCryptor, Shamoon 2, …
• Full disk encryption
• Malware-less, “tailored” encryption
https://kas.pr/aAg2
PowerShell scripts?..

INVESTIGATION RESULTS
• The initial breach occurred 6 months before
• Spear phishing “from” [email protected]
• Cobalt Strike beacon
• Privilege escalation (Mimikatz, Pass-the-Hash)
• Access to ATM management station
• Silence…
• 15 countries: Near East, Asia, East/West Europe, Russia
• 40+ banks
• XFS ATM withdraw
• sdelete.exe wipe
• “Offensive Security Certified” hacking
CYBER THREAT VELOCITY
https://www.youtube.com/watch?v=e50DpEvKJ-k

TECHNIQUES, TACTICS AND PROCEDURES
• Pentest-style attack
• Massive breach post-processing
• Target selection and profiling
• Black market: remote access, insiders, passwords, drops
• Organized activity
http://www.scmagazine.com/kaspersky-confirms-return-of-carbanak-and-two-more-banking-apt-groups/article/472224/
https://en.wikipedia.org/wiki/2016_Bangladesh_Bank_heist
https://www.elevenpaths.com/wp-content/uploads/2016/11/Financial_Threats_Q3-2016_EN.pdf
https://www.bleepingcomputer.com/news/security/polish-banks-infected-with-malware-hosted-on-their-own-governments-site/
THREAT VELOCITY
• ATM: 15+ countries
• SWIFT: Poland, ..
• Local payment systems
• We don’t know yet…
The case of the
https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx

OOPS, THEY DID IT AGAIN
• Domain controllers under control since 2013
• psexec for lateral movement
• Steganography for C2 communications
• Checks for (only) Qihoo 360 AV
• 3 days to “do it again” after cleanup
• Trusted domain in daughter company
• Overseas branch
• Backdoor VPN channel

THEY NEVER GIVE UP
You don't have to be a target to be a victim
• Supply chain attack
• Multiple C2 channels
• Malware-less attacks
• Server side implants: Taidoor/Whitewhile, Poisoned Flight/Elirks, PlugX/ZeroT, TropicTrooper
https://www.hackread.com/mirai-botnet-linked-to-dyn-dns-ddos-attacks/
http://census2012.sourceforge.net/paper.html

A THOUSAND BATTLES, A THOUSAND VICTORIES

THREAT HUNTING
Cyber threat hunting is the practice of searching iteratively through data to detect advanced threats that evade traditional security solutions. https://sqrrl.com/solutions/cyber-threat-hunting/
WHY THREAT HUNTING?
Risks: minimize residual risks; minimize the time between attack and detection.
Layers (diagram):
• Prevention: security tools
• SOC: alerting, monitoring
• Threat hunting: unknown targeted attacks detection, TTP based detection, “time machine” for evidence analysis, non-malware attacks detection, iterative process
Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin, Ph.D., Lockheed Martin Corporation
http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785
http://info.isightpartners.com/definitive-guide

FROM THE OTHER SIDE OF THE FENCES
https://securelist.com/blog/virus-watch/74150/plugx-malware-a-good-hacker-is-an-apologetic-hacker/

SANS 2016 (THREAT HUNTING, MDR*)

DAVID BIANCO - PYRAMID OF PAIN
https://www.sans.org/reading-room/whitepapers/threats/automated-defense-threat-intelligence-augment-35692
https://securelist.com/blog/research/77403/fileless-attacks-against-enterprise-networks/

WHAT DO WE NEED/HAVE?
• Hypothesis
• IOC
• Security assessment
• Data feeds: MAF, C&C, pDNS, etc.
• SOC practice
• White lists
• APT/Breach reports
• Popularity, situational awareness, similarity
• Analytics: machine learning, linked data analysis
https://www.gartner.com/doc/reprints?id=1-2WQY2BI&ct=160121&st=sb

THREAT HUNTING CYCLE
(diagram) Stages of the cycle:
• Goals, priorities
• Scenarios: detect scenarios, live response analysis, forensic examination, malware analysis, data analysis, deployment
• Live response: evidence collection (network dump, memory dump, disk dump), memory forensics, host forensics
• Detection, validation, categorization, prioritization

THREAT HUNTING (PAIN) CYCLE
(same diagram, with the question each stage has to answer)
• Goals: who? attack goals?
• Priorities: how and with what?
• Detect scenarios: how to deliver quickly?
• Forensic examination: what really has happened?
• Scenarios: how to withstand in the future?
• Detection: how and with what to detect?
• Validation: TP or FP?
• Evidence collection: how? tools to use?
• Categorization: “tailored” for me or seen before?
• Prioritization: is this really important?

IMPLEMENTATION: THREAT INTELLIGENCE PLATFORM
THREAT HUNTING FUNNEL
(diagram) Events → suspicious objects (MD5, FQDN) and suspicious behavior (system, network, identity) → object tags, objects behavior → APT hunt
• Level 1: TI farm
• Level 2: TTP
• Level 3: Analyst
Components shown on the slide: AV, distributed ML, pDNS, exploit detection, sandbox, Sandbox/КАТА, IR team, files, IoC, ext. IoCs, SOC practice, security assessment, manual analysis, automatic analysis, C&C, WL, IR, DF

CYBER THREAT HUNTING ”TOOLKIT”
• Intelligence: TTP (incident response/pentest cases); MRTI (feeds)
• Sensors: host, network, infrastructure, apps
• Collection and analysis: collection cloud, storage, analytical engine(s)
• Threat Hunting Team
SOC/IR/THREAT HUNTING
(diagram) The same cycle, with its stages assigned to Incident Response, Monitoring and Threat Hunting:
• Goals, priorities
• Scenarios: detect scenarios, live response analysis, forensic examination, malware analysis, data analysis, deployment
• Live response: evidence collection (network dump, memory dump, disk dump), memory forensics, host forensics
• Detection, validation, categorization, prioritization

THREAT HUNTING…
• Helps to detect new threats
• On top of the SOC
• TTP based detection
• “Time machine”
• Non-malware attacks
• Iterative process
• Pain cycle
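As an added example (not code from the deck or from Kaspersky Lab), a minimal TTP based hunt in Python over constructed Windows-style event records, covering three TTPs the deck names: psexec lateral movement, sdelete.exe wipe and encoded PowerShell. The record field names, host names and accounts are assumptions.

```python
import re

# Constructed sample telemetry (assumption, not from the deck): simplified
# Windows event records, 7045 = service installed, 4688 = process creation.
SAMPLE_EVENTS = [
    {"host": "srv-dc01", "event_id": "7045", "service": "PSEXESVC",
     "image": r"C:\Windows\PSEXESVC.exe", "user": "CORP\\admin-j"},
    {"host": "ws-0042", "event_id": "4688", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir", "user": "CORP\\user-a"},
    {"host": "ws-0042", "event_id": "4688", "image": r"C:\Tools\sdelete.exe",
     "cmdline": "sdelete.exe -p 3 -z C:", "user": "CORP\\admin-j"},
    {"host": "atm-mgmt01", "event_id": "4688",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA...",
     "user": "CORP\\svc-atm"},
]

# One hunt rule per TTP from the deck; each rule inspects a single event record.
HUNT_RULES = {
    # psexec installs its PSEXESVC service on the remote host
    "lateral_movement_psexec": lambda e: e.get("event_id") == "7045"
        and "psexesvc" in (e.get("service", "") + e.get("image", "")).lower(),
    # anti-forensic wipe of artifacts
    "wipe_sdelete": lambda e: e.get("event_id") == "4688"
        and e.get("image", "").lower().endswith("sdelete.exe"),
    # malware-less tooling: PowerShell launched with an encoded command (-e/-enc/-EncodedCommand)
    "powershell_encoded": lambda e: e.get("event_id") == "4688"
        and "powershell" in e.get("image", "").lower()
        and re.search(r"(?i)\s-e(nc(odedcommand)?)?\s", e.get("cmdline", "")) is not None,
}

def hunt(events):
    """Run every rule over every event; return one hit per (event, TTP) match."""
    hits = []
    for e in events:
        for ttp, rule in HUNT_RULES.items():
            if rule(e):
                hits.append({"host": e["host"], "user": e.get("user", ""), "ttp": ttp})
    return hits

def pivot_by_user(hits):
    """Linked-data step: group hits by account so one credential reused across
    hosts and TTPs (the pass-the-hash pattern) stands out during categorization."""
    by_user = {}
    for h in hits:
        by_user.setdefault(h["user"], set()).add((h["host"], h["ttp"]))
    return by_user

def spreading_accounts(hits):
    """Accounts with hits on more than one host: first candidates for prioritization."""
    return sorted(u for u, hh in pivot_by_user(hits).items()
                  if len({host for host, _ in hh}) > 1)
```

Running hunt() over the sample yields three hits, and the pivot shows the same account behind the psexec service on the domain controller and the sdelete wipe on the workstation.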
https://www.linkedin.com/pulse/threat-hunting-reference-model-part-2-loop-ely-kahn

• Know the enemy
• Know yourself
• Follow trends
• Use what you have
• Look forward
• Remember the past
• Hunt the hunters

SILENCE IS A SCARY SOUND
APT, advanced threats, IT issues, targeted attack discovery, abnormal behavior, internal threats

BE SAFE!
Sergey Gordeychik, [email protected], @scadasl