Managing the APT Risk: Over Hyped or Under Managed?
Dave Ockwell-Jenner
COUNTERMEASURE 2013
November 2013 Copyright © 2013 Prime Information Security

About Me: The Accidental Malware Investigator
• Offered to help investigate some malware one day
– It was a slow day, no PowerPoint to do!
• Tracking Evil Bad Guys™ for the past several years
– For fun, and profit?
• Turns out I was dealing with a known group active in the Advanced Persistent Threat space
• Standard disclaimers apply
– My experiences only. I’m not a lawyer. Stock prices may go down as well as up. We might all wake up one day and find this was a terrible dream, etc.

APT Redefined
• Today we’re making the argument to redefine what APT means…

The Annoying Persistent Threat

Annoying Persistent Threat
• Because they use simple techniques you thought you’d already mitigated
• Because they keep coming back
• Because their malware is surprisingly unsophisticated
• Because they make you look stupid in front of your boss!

A Long Time Ago, In a Galaxy Real Close to Here, Actually…

How it all Began
• Some malware was found at a company
• Minimal analysis was done, nothing on VirusTotal, nothing on Google
• Didn’t seem to do much of anything, wasn’t widespread, so deemed ‘business-as-usual’ kind of malware
• Sample was submitted to AV vendor. Signatures were issued. It was removed. Life continued.

How was this Discovered?
• By Anti-Virus? – No
• By IDS? – No
• By Firewall? – No
• By ANY IT Security controls? – No
• By a person who received a phishing email and reported it

Sound Familiar?

About a year later…

The Saga Continues
• Company issues a press release announcing their intent to partner with another organization to do business in the Chinese market
You knew all APTs are from China, right?

7 Days Later…
• An e-mail arrives
• Addressed to senior leaders of the company, apparently from the CEO
• Implies that partner organization has been secretly working against the company
• Uses correct terminology, names of projects, people’s roles, etc.
• Has an attachment (ruh-roh!)

What do YOU think happened?

Something Like This

Hilarity Ensues
• APT infects one or two (or three, or four…) machines
• Start ‘exploring’ the network
• Hook into several other systems that seem like they might have the access needed
• Start stealing stuff

How was this Discovered?
• By Anti-Virus? – No
• By IDS? – No
• By Firewall? – No
• By ANY IT Security controls? – No
• By a phone call from an International Defense Consulting company monitoring connections to a system they now control that used to belong to the APT group called “Comment Crew”

First Thought

Second Thought… They’re BA-ACK

The Questions We Ask
• How did they get in?
• What vulnerability did they exploit?
• How can we clean infected machines?
• Which patches do we need to apply to keep them out?

The Questions We Should Ask
• Why are we targeted?
• What is the adversary after?
• How should I manage the situation now and WHEN it occurs next time?
“He who tries to defend everything defends nothing.” – Frederick II

Why Are We Targeted?
• What did we do recently that draws attention to ourselves?
– Media exposure, new product introduction
• Who are our friends?
• Are we disrupting the status quo?

What is the Adversary After?
• What do we have that others might want?
– Intellectual property, business plans, access to other sources of information (e.g. partners?)
• Which of our assets are our most valuable?

How Should We Manage?
• Verify effectiveness of our current controls?
• Buy new tools, technology to better detect, protect, react and prevent?
• Try to put the pieces together and find out what jigsaw puzzle we’re making!

How did this company answer?

Why Targeted?
• Entering a new market with existing players
• Discovered that standard practice in China is to seek information on a new competitor to attempt to gain competitive advantage

What After?
• Isolate malware sample
• Reverse engineer it
• Find samples across the company
• Find who owned systems the malware was on
• Find out what they did and ask them what information they created or had access to

How to Manage?
• Couldn’t invest in much tooling
• Had a fairly good idea what information was being targeted
• So…

Blatantly lie!
(The World’s Best Risk Management Strategy)

Disinformation Campaign
• Start creating ‘edited’ versions of documents
– Embed ‘tells’ – small items known to be false
– Sometimes comments in meta-data, paragraphs written in a different style but visually equivalent, etc.
• Save these in the usual places
• Brief staff verbally & “loose lips sink ships”

Now… wait

Negotiations
• Company invited to attend negotiations to supply customer in China
• Are told that certain competitors believe company is not being honest in their negotiations
• Presented with evidence gained from ‘stolen’ information

All Ahead, Embarrassment Factor 9, Mr. Sulu
• Company produces same documentation – shows deliberately planted misinformation
• Evidence could only have come from stolen documents
• Ask others how this information was obtained…

Totally Professional Version Of…

Outcomes
• Won business! (= more money, yay!)
• Got funding approval to improve defensive posture
• Began exercise of formally risk profiling key assets and designing appropriate protections
• Replaced e-mail with carrier pigeons

OK, maybe the e-mail part was a lie

Since This Sorry Tale
• New technologies deployed to better detect
• Reduction in desktop rights
• Better, faster, stronger malware analysis
• Assets risk profiled and monitored more closely
• And…

Share the story
It’s the best defence we have against the Annoying Persistent Threat

Thank You… Questions?
Dave Ockwell-Jenner
[email protected] • @DaveOJ
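The Disinformation Campaign slide earlier in the deck describes planting ‘tells’ (small false details plus metadata comments) in edited copies of documents, then recognising those tells when the information is quoted back. The script below is an added example of that idea and is not the speaker’s code or anything the company used: the document text, the project and partner names, the 9,800-unit figure and the storage paths are all constructed. Each saved copy gets its own false figure and a metadata tag, so an excerpt presented later can be matched to the copy it was taken from, while an excerpt citing only the true figure matches nothing.

```python
"""Planted-'tell' document variants, in the spirit of the deck's Disinformation
Campaign slide. Added example, not the speaker's code: every name, figure and
path below is constructed for illustration."""
import hashlib
import re

# Constructed base document. The true first-year figure is 9,800 units; each
# edited copy carries a different, false figure, so a number quoted back to us
# identifies which copy it was taken from.
BASE_DOCUMENT = (
    "Project Kestrel - Market Entry Brief (constructed sample)\n"
    "Partner: Example Partner Ltd\n"
    "Projected first-year volume: {volume} units\n"
    "Lead contact: A. Nguyen\n"
)
TRUE_VOLUME = 9800

# One edited copy per place the document is normally saved (constructed paths).
LOCATIONS = ["fileshare/sales", "fileshare/legal", "exec-mailbox-archive"]


def _tag(location: str) -> str:
    """Short metadata-style marker derived from the location name."""
    return hashlib.sha256(location.encode()).hexdigest()[:8]


def make_variants(locations):
    """Build {location: {"text": ..., "volume": ..., "tag": ...}} for each store.

    The false figure is seeded from the location name so the copy can be
    regenerated later for comparison; the small loop guarantees every copy
    gets a distinct figure and none collides with the true one.
    """
    variants, used = {}, {TRUE_VOLUME}
    for loc in locations:
        digest = hashlib.sha256(loc.encode()).digest()
        vol = 10000 + int.from_bytes(digest[:2], "big") % 6000  # plausible range
        while vol in used:
            vol += 1
        used.add(vol)
        text = BASE_DOCUMENT.format(volume=f"{vol:,}")
        # Second tell, as on the slide: a comment in the metadata the eye skips.
        text += f"<!-- rev:{_tag(loc)} -->\n"
        variants[loc] = {"text": text, "volume": vol, "tag": _tag(loc)}
    return variants


def identify_leak(variants, excerpt: str):
    """Return the locations whose planted tells appear in an excerpt.

    Either tell is enough: the false figure quoted as a number, or the
    metadata tag copied along with the document. An empty result when the
    excerpt cites the true figure means it is consistent with legitimate
    knowledge rather than with a stolen copy.
    """
    numbers = {int(n.replace(",", "")) for n in re.findall(r"\d[\d,]*", excerpt)}
    hits = []
    for loc, v in variants.items():
        if v["volume"] in numbers or f"rev:{v['tag']}" in excerpt:
            hits.append(loc)
    return hits


if __name__ == "__main__":
    copies = make_variants(LOCATIONS)
    # Constructed excerpt of the kind that might be presented in negotiations.
    claim = f"Your own brief projects {copies['fileshare/legal']['volume']:,} units."
    print("matched copies:", identify_leak(copies, claim))
```

Because the figures are derived from the location name rather than stored with the documents, the registry can be rebuilt on demand, and the true value stays only in the unedited original. The number tell survives retyping; the metadata tag only survives a verbatim copy, which is why both are planted.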