APT · Advanced threats · Intelligence · Targeted Attack Discovery · Abnormal Behavior · Threat Hunting

TARGETED CYBER ATTACKS ANATOMY, VIVISECTION AND PROTECTION

Sergey Gordeychik, Deputy CTO

THE CASE OF THE CRYPTOBANK: INVESTIGATION RESULTS

• 1000 workstations, 200 servers
• 2 weeks of unsuccessful encryption attempts
• Backup servers hacked as well
• FDE tool / unique encryption key for each device
• PowerShell scripts…

TTP

• Enterprise wipers/cryptors: BlackEnergy, HDDCryptor, …

• Full-disk-encryption-less, “tailored” encryption

https://kas.pr/aAg2

PowerShell scripts?..

INVESTIGATION RESULTS

• The initial breach occurred 6 months before
• Spear-phishing “from” [email protected]
• Cobalt Strike beacon
• Privilege escalation (Mimikatz, Pass-the-Hash)
• Access to ATM management station
• Silence…

• 15 countries: Near East, Asia, East/West Europe, Russia
• 40+ banks
• XFS ATM withdrawal
• sdelete.exe wipe
• “Offensive Security Certified” hacking

CYBER THREAT VELOCITY

https://www.youtube.com/watch?v=e50DpEvKJ-k

TECHNIQUES, TACTICS AND PROCEDURES

• Pentest-style attack
• Massive breach post-processing
• Target selection and profiling
• Black market: remote access, insiders, passwords, drops
• Organized activity

http://www.scmagazine.com/kaspersky-confirms-return-of-carbanak-and-two-more-banking-apt-groups/article/472224/
https://en.wikipedia.org/wiki/2016_Bangladesh_Bank_heist
https://www.elevenpaths.com/wp-content/uploads/2016/11/Financial_Threats_Q3-2016_EN.pdf
https://www.bleepingcomputer.com/news/security/polish-banks-infected-with-malware-hosted-on-their-own-governments-site/

THREAT VELOCITY

• ATM: +15 countries
• SWIFT
• Poland…
• Local payment systems
• We don’t know yet…

THE CASE OF THE… OOPS, THEY DID IT AGAIN

https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx

• Domain controllers under control since 2013
• psexec for lateral movement
• Steganography for C2 communications
• Checks for (only) Qihoo 360 AV
• 3 days to “do it again” after cleanup

• Trusted domain in daughter company
• Overseas branch
• Backdoor VPN channel

THEY NEVER GIVE UP

• You don't have to be a target to be a victim
• Supply chain attack
• Multiple C2 channels
• Malware-less attacks
• Server-side implants: Taidoor/Whitewhile, Poisoned Flight/Elirks, PlugX/ZeroT, TropicTrooper

https://www.hackread.com/mirai-botnet-linked-to-dyn-dns-ddos-attacks/
http://census2012.sourceforge.net/paper.html

A THOUSAND BATTLES, A THOUSAND VICTORIES

THREAT HUNTING

Cyber threat hunting is the practice of searching iteratively through data to detect advanced threats that evade traditional security solutions.
https://sqrrl.com/solutions/cyber-threat-hunting/

WHY THREAT HUNTING?

• Minimize residual risks
• Minimize time between attack and detection
• Unknown targeted attacks detection
• TTP-based detection
• “Time machine” for evidence analysis
• Non-malware attacks detection
• Iterative process

(Diagram: Prevention, Monitoring, Alerting and Hunting layered against Risks and Security, with Tools, SOC and Threat hunting as the corresponding capabilities.)

Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin, Ph.D., Lockheed Martin Corporation
http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785
http://info.isightpartners.com/definitive-guide

FROM THE OTHER SIDE OF THE FENCES

https://securelist.com/blog/virus-watch/74150/plugx-malware-a-good-hacker-is-an-apologetic-hacker/

SANS 2016 (THREAT HUNTING, MDR*)

DAVID BIANCO - PYRAMID OF PAIN

https://www.sans.org/reading-room/whitepapers/threats/automated-defense-threat-intelligence-augment-35692
https://securelist.com/blog/research/77403/fileless-attacks-against-enterprise-networks/

WHAT DO WE NEED/HAVE?

• Hypothesis
• IOC
• Security assessment
• Data feeds: MAF, C&C, pDNS, etc.
• SOC practice
• White lists
• APT/Breach reports
• Popularity
• Situational awareness
• Similarity
• Analytics
• Machine learning
• Linked data analysis

https://www.gartner.com/doc/reprints?id=1-2WQY2BI&ct=160121&st=sb

THREAT HUNTING CYCLE

Stages of the cycle diagram:

• Goals
• Priorities
• Scenarios
• Detect scenarios deployment
• Detection
• Validation
• Categorization
• Prioritization
• Live response
• Evidence collection: network dump, memory dump, disk dump
• Live response analysis
• Forensic examination: memory forensics, host forensics
• Malware analysis
• Data analysis

THREAT HUNTING (PAIN) CYCLE

The same cycle, with the question each stage has to answer:

• Goals: Who? Attack goals?
• Priorities: How and with what?
• Scenarios: How to deliver quickly?
• Detect scenarios deployment: How and with what to detect?
• Detection / Validation: TP or FP?
• Categorization: “tailored” for me or seen before?
• Prioritization: Is this really important?
• Live response / Evidence collection (network, memory, disk dump): How? Tools to use?
• Forensic examination (memory forensics, host forensics): What really has happened?
• Malware analysis / Data analysis: How to withstand in the future?

IMPLEMENTATION: THREAT INTELLIGENCE PLATFORM

THREAT HUNTING FUNNEL

Level 1: TI Farm (automatic analysis)
• Objects (MD5, FQDN), object tags
• AV, pDNS, files, ext. IoCs, C&C, WL

Level 2: TTP (automatic analysis)
• Objects behavior (system, network, identity), events, suspicious behavior
• Distributed ML, exploit detection, sandbox / KATA, IoC, SOC practice, security assessment

Level 3: Analyst (manual analysis)
• Suspicious objects, APT hunt
• IR team, IR, DF

CYBER THREAT HUNTING “TOOLKIT”
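The three levels of the funnel, as an added worked example (this is not code from the slides or from any product they mention): a small Python triage that runs constructed endpoint events through Level 1 object indicators (MD5 and FQDN checked against a feed and a white list), Level 2 TTP rules for behaviours the deck attributes to the attackers (psexec-style remote service installs, PowerShell run with an encoded command, sdelete.exe wipes), and Level 3 per-host aggregation that builds the analyst queue. The feed entries, white list hash, rule scores, threshold and sample events are all constructed placeholders, not real indicators.

```python
"""Three-level threat hunting funnel over constructed endpoint events.

Level 1 (TI farm): object indicators (MD5, FQDN) against a feed and a white list.
Level 2 (TTP):     behaviour rules that survive hash/domain changes.
Level 3 (analyst): per-host aggregation and a prioritised queue.
Every indicator, rule weight and event below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
import re

# Constructed IoC feed and white list (placeholder values, not real indicators).
IOC_MD5 = {"0123456789abcdef0123456789abcdef": "known dropper (placeholder)"}
IOC_FQDN = {"update-cdn.example.invalid": "C2 domain (placeholder)"}
WHITELIST_MD5 = {"fedcba9876543210fedcba9876543210"}   # e.g. a signed admin tool


@dataclass
class Event:
    host: str
    kind: str            # "process", "dns" or "service"
    image: str = ""      # process image or service binary path
    cmdline: str = ""
    md5: str = ""
    fqdn: str = ""
    service: str = ""


@dataclass
class Finding:
    host: str
    level: int
    rule: str
    score: int
    detail: str


def level1_objects(ev: Event) -> list:
    """Level 1: cheap object matches; white-listed hashes are dropped first."""
    if ev.md5 and ev.md5 in WHITELIST_MD5:
        return []
    out = []
    if ev.md5 in IOC_MD5:
        out.append(Finding(ev.host, 1, "ioc_md5", 40, IOC_MD5[ev.md5]))
    if ev.fqdn in IOC_FQDN:
        out.append(Finding(ev.host, 1, "ioc_fqdn", 40, IOC_FQDN[ev.fqdn]))
    return out


# Level 2 TTP rules: (name, score, predicate). PsExec installs its service binary
# through the ADMIN$ share under the service name PSEXESVC; the PowerShell rule
# looks for the -EncodedCommand family of switches.
_ENC_PS = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s")
TTP_RULES = [
    ("psexec_service_install", 50,
     lambda e: e.kind == "service"
     and ("admin$" in e.image.lower() or e.service.upper() == "PSEXESVC")),
    ("powershell_encoded", 30,
     lambda e: e.kind == "process" and e.image.lower().endswith("powershell.exe")
     and _ENC_PS.search(" " + e.cmdline + " ") is not None),
    ("sdelete_wipe", 60,
     lambda e: e.kind == "process" and e.image.lower().endswith("sdelete.exe")),
]


def level2_ttp(ev: Event) -> list:
    """Level 2: every rule whose predicate fires yields one finding."""
    return [Finding(ev.host, 2, name, score, ev.cmdline or ev.image)
            for name, score, pred in TTP_RULES if pred(ev)]


def level3_prioritise(findings, threshold=60):
    """Level 3: aggregate per host; distinct rules on one host add a chain bonus."""
    per_host = defaultdict(list)
    for f in findings:
        per_host[f.host].append(f)
    queue = []
    for host, fs in per_host.items():
        rules = {f.rule for f in fs}
        score = sum(f.score for f in fs) + 20 * (len(rules) - 1)
        if score >= threshold:
            queue.append((host, score, sorted(rules)))
    return sorted(queue, key=lambda q: q[1], reverse=True)


def run_funnel(events, threshold=60):
    """Run all events through levels 1 and 2, then prioritise at level 3."""
    findings = []
    for ev in events:
        findings.extend(level1_objects(ev))
        findings.extend(level2_ttp(ev))
    return level3_prioritise(findings, threshold)


# Constructed sample events (hosts, paths and command lines are made up).
SAMPLE = [
    Event("ws-017", "process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline="powershell.exe -nop -w hidden -enc SQBFAFgA..."),
    Event("ws-017", "dns", fqdn="update-cdn.example.invalid"),
    Event("srv-backup-02", "service", service="PSEXESVC",
          image=r"\\srv-backup-02\ADMIN$\PSEXESVC.exe"),
    Event("srv-backup-02", "process", image=r"C:\Tools\sdelete.exe",
          cmdline="sdelete.exe -p 3 D:\\backups"),
    Event("ws-201", "process", image=r"C:\Program Files\Vendor\admin.exe",
          md5="fedcba9876543210fedcba9876543210"),          # white-listed, dropped
    Event("ws-044", "process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline="powershell.exe -File C:\\scripts\\inventory.ps1"),  # benign script
]

if __name__ == "__main__":
    for host, score, rules in run_funnel(SAMPLE):
        print(f"{host:15} score={score:3}  {', '.join(rules)}")
```

The ordering is the point of the funnel: the white list removes the known admin tool before any scoring, the Level 2 rules catch the backup server even though no hash or domain in the feed matches it, and the per-host chain bonus pushes the host combining a psexec-style install with an sdelete wipe to the top of the analyst queue ahead of the workstation with a single IoC hit.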

Intelligence
• TTP: Incident Response / Pentest cases
• MRTI: Feeds

Sensors
• Host
• Network
• Infrastructure
• Apps

Collection and analysis
• Collection cloud
• Storage
• Analytical engine(s)

Threat Hunting Team

SOC/IR/THREAT HUNTING

(Diagram: the threat hunting cycle from the previous slides, with its stages grouped under Monitoring, Threat Hunting and Incident Response.)

THREAT HUNTING…

• Helps to detect new threats
• On top of SOC
• TTP-based detection
• “Time machine”
• Non-malware attacks
• Iterative process
• Pain cycle

https://www.linkedin.com/pulse/threat-hunting-reference-model-part-2-loop-ely-kahn

• Know the enemy
• Know yourself
• Follow trends
• Use what you have
• Look forward
• Remember the past
• Hunt the hunters

SILENCE IS A SCARY SOUND

APT · Advanced threats · IT issues · Targeted Attack Discovery · Abnormal Behavior · Internal threats

BE SAFE!

Sergey Gordeychik [email protected] @scadasl