Proxy 2011 - Computer Security Intrusions in a Modern World

Slides from my talk at Instituto Tecnologico de Hermosillo - Congreso Proxy 2011

Eduardo Urias

May 17, 2011

Transcript

1. whoami
   Eduardo Urías - Software Engineer / IT Consultant
   Inspect Labs Founder
   OSCP, OSWP, Security+
   @larsx2

2. APT - Advanced
   The attacker has the ability to evade detection and the capability to gain and maintain access to well protected networks and the sensitive information contained within them.

3. APT - Persistence
   The persistent nature of the threats makes it difficult to prevent access to your computer network and, once the threat actor has successfully gained access to your network, very difficult to remove.

4. APT - Threat
   The hacker has not only the intent but also the capability to gain access to sensitive information stored electronically.

5. APT - Advanced Persistent Threat
   Well resourced, highly capable and persistent in their attempts to access sensitive information, such as intellectual property, negotiation strategies or political dynamite, from their chosen targets.

6. Timeline of Significant Attacks
   1998-2000  Moonlight Maze
   2006       US Congressman
   2007       US Congressmen; Oak Ridge National Laboratory; Los Alamos National Laboratory
   2008       US Department of Defense; Office of His Holiness the Dalai Lama

7. Timeline of Significant Attacks
   2009  GhostNet; Stuxnet; Night Dragon; Operation Aurora (Google)
   2010  Stuxnet (contd.); Australian Resource Sector; French Government

8. Today
   2011  French Government (contd.); Canadian Government; Australian Government; Comodo Affiliated Root Authority; RSA; Oak Ridge National Laboratory; L-3 Communications; Lockheed Martin; Northrop Grumman; International Monetary Fund; SK Communications

9. Exploitation Life Cycle
   1. Reconnaissance
   2. Initial Intrusion into the Network
   3. Establish a Backdoor into the Network
   4. Obtain User Credentials
   5. Install Various Utilities
   6. Privilege Escalation / Data Exfiltration
   7. Maintain Persistence

10. Intrusion Begins
   - Spear Phishing
   - Email Spoofing
   - Service Exploitation
   - CHM + Malware
   - MS Office exploit
   - Adobe exploit

11. Establishing a Backdoor
   - RAT
   - Trojan
   - Rootkits
   Ex. Gh0stRat, PoisonIvy

12. Utilities Installation
   - SysAdmin Tasks
   - Password Dumps
   - Process Inspection
   - Sniffers
   - Etc.

13. Data Exfiltration
   - Pass-the-hash
   - DC Compromise
   - Password Cracking
   - Sniffing
   - Staging Server
   - RAR Compressed Assets
   - MS Cabinet File Archives

14. Maintain Persistence
   - Encryption
   - Signature Evasion
   - Anti-forensics
   - Polymorphic Malware
   - Covert Channels

15. Nitro
   Started:  July 2011
   Ended:    September 2011
   Reported: Symantec
   Target:   Chemical Industry
   Goal:     "Collect intellectual property (IP) such as design documents, formulas and manufacturing processes."

16. Nitro - Methodology - 1. Spear Phishing
   Specific Target
   - The mails purported to be meeting invitations from established business partners
   Broad Targets
   - The mails purported to be a necessary security update

17. Nitro - Methodology - 2. Exploitation
   Attached Malware
   - Executable that appears as a text file
   - Password-protected archive
   In both cases the attachment contained a self-extracting executable containing Poison Ivy (RAT).

18. Remote Administration Tool (RAT)
   Piece of software that allows a remote "operator" to control a system as if he had physical access to that system.
   - Screen/camera capture
   - File Management
   - Shell
   - Computer Control
   - Software Management

19. Nitro - Methodology - 3. Enters the Backdoor
   Poison Ivy gets installed
   - As soon as the RAT is installed, it contacts the C2 server on TCP 80 (Web) using an encrypted protocol
   - The RAT provides information about its environment to the server, such as computers on the workgroup, domain, password hashes, etc.

20. Nitro - Methodology - 4. Lateral Exploitation / Privilege Escalation
   Network Enumeration
   - Domain administrator credentials
   - Access to high priority servers
   - Download utilities from their other servers

21. Nitro - Methodology - 5. Data Exfiltration
   Staging Servers
   - Identify intellectual property
   - Copy contents to the staging servers
   - Upload to remote sites
   - Data Theft

22. Night Dragon
   Started:  November 2009
   Reported: McAfee
   Target:   Global oil, energy and petrochemical
   Goal:     "Targeting and harvesting sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations"

23. Night Dragon - Methodology - 1. SQL Injection / Spear Phishing
   Perimeter Compromise
   - SQL Injection attacks on the extranet web servers
   - Spear phishing attacks on telecommute workers

24. Night Dragon - Methodology - 2. Exploitation
   - Compromise of network hosts
   - Privilege Escalation
   - Active Directory administrator credentials
   - Domain Controllers

25. Night Dragon - Methodology - 3. Backdoor Access
   Disabled IE Proxy Setting
   Attackers used zwShell RAT
   - Dumped hashes with gsecdump
   - Hash cracking with Cain & Abel

26. Night Dragon - Methodology - 4. Data Exfiltration
   - Files of interest focused on operational oil and gas field production systems and financial documents related to exploration and bidding.
   - SCADA data acquisition
   - Executives' emails

27. Other?
   RSA? SecurID two-factor authentication products: exfiltration
   SK Communications? 35 million people's information compromised
   Comodo Affiliated Root Authority: Fraudulent SSL certificates for mail.google.com, www.google.com, login.yahoo.com, etc.

28. What is this NSM Stuff?
   Network Security Monitoring (NSM)
   It is a Model
   - An approach to detect advanced (or low skilled) attackers in a network
   - Relies on people using products following a process to detect intrusions
   - Analysis of collected network-based evidence

29. Let's define NSM
   "Is the collection, analysis and escalation of indications and warnings to detect and respond to intrusions"

30. How does it work?
   Products perform collection
   - A piece of software or appliance whose purpose is to analyze packets on the network.
   People perform analysis
   - While products can draw conclusions from what they see, only people can provide context.
   Processes guide escalation
   - Escalation is the act of bringing information to the attention of decision makers.

31. Things decision makers care about
   What did the intruder do?
   When did he/she do it?
   Does the intruder still have access?
   How bad could the compromise be?

32. Security Principles
   - Some intruders are smarter than you
   - Many intruders are unpredictable
   - Prevention eventually fails
   - Intruders who can communicate with victims can be detected
   - Detection through sampling is better than no detection
   - Detection through traffic analysis is better than no detection at all

33. Sources
   Alert Data:            Snort, Suricata, Bro
   Statistical Data:      Bmon, Tcpdstat, Ntop
   Session Data:          NetFlow, Argus, SANCP, cxtracker
   Full Content Capture:  Daemonlogger, tcpdump, tshark, wireshark
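Session data is the cheapest of the four NSM sources on which to spot the kind of timer-driven check-in the Nitro slides describe (a RAT that phones its C2 server on TCP 80 as soon as it is installed): the analyst never needs the payload, only the start times of the sessions between one internal host and one external address. The script below is an added example, not code from the talk or from Argus, SANCP or any tool listed above. The flow records are constructed to look like a simplified Argus/SANCP-style export (one session per line), and the field layout, the threshold values and every address in it are assumptions made for the demonstration.

```python
"""Beacon detection over session (flow) data: an added, constructed example."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed session records (not from any real capture) in an assumed,
# simplified Argus/SANCP-style layout:
# start_time src_ip src_port dst_ip dst_port proto bytes_out bytes_in
# 10.0.0.5 contacts 203.0.113.10:80 once a minute with identical sizes
# (a timer-driven check-in); 10.0.0.7 is ordinary, irregular browsing.
FLOW_LOG = """\
2011-05-17T10:00:00 10.0.0.5 49152 203.0.113.10 80 tcp 312 180
2011-05-17T10:01:00 10.0.0.5 49153 203.0.113.10 80 tcp 312 180
2011-05-17T10:02:01 10.0.0.5 49154 203.0.113.10 80 tcp 312 180
2011-05-17T10:03:00 10.0.0.5 49155 203.0.113.10 80 tcp 312 180
2011-05-17T10:03:59 10.0.0.5 49156 203.0.113.10 80 tcp 312 180
2011-05-17T10:05:00 10.0.0.5 49157 203.0.113.10 80 tcp 312 180
2011-05-17T10:00:07 10.0.0.7 50001 198.51.100.20 80 tcp 612 15230
2011-05-17T10:00:41 10.0.0.7 50002 198.51.100.21 443 tcp 980 40211
2011-05-17T10:03:50 10.0.0.7 50003 198.51.100.20 80 tcp 540 8810
2011-05-17T10:04:50 10.0.0.7 50004 198.51.100.22 80 tcp 733 22048
2011-05-17T10:05:02 10.0.0.7 50005 198.51.100.20 80 tcp 415 3021
"""


def parse_flows(text):
    """Parse whitespace-separated session lines into dicts; skip blanks and comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, out_b, in_b = line.split()
        flows.append({
            "start": datetime.fromisoformat(ts),
            "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport),
            "proto": proto,
            "bytes_out": int(out_b), "bytes_in": int(in_b),
        })
    return flows


def find_beacons(flows, min_sessions=5, max_cv=0.2):
    """Flag (src, dst, dport) tuples whose session start times are evenly spaced.

    A low coefficient of variation (stdev / mean) of the gaps between
    consecutive session starts is the signature of a timer-driven check-in;
    human-driven traffic to the same server is bursty and irregular.
    min_sessions keeps short runs from producing noise.
    """
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"], f["dport"])].append(f)

    hits = []
    for (src, dst, dport), sessions in by_pair.items():
        if len(sessions) < min_sessions:
            continue
        starts = sorted(s["start"] for s in sessions)
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all sessions started in the same second; not a beacon pattern
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({
                "src": src, "dst": dst, "dport": dport,
                "sessions": len(sessions),
                "mean_interval_s": round(avg, 1),
                "jitter_cv": round(cv, 3),
                "bytes_out_total": sum(s["bytes_out"] for s in sessions),
            })
    hits.sort(key=lambda h: h["jitter_cv"])
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_flows(FLOW_LOG)):
        print(hit)
```

The thresholds are deliberately loose so that the output is a list of candidates for a person to look at, which is the division of labour the "How does it work?" slide describes: the product collects and summarises, the analyst supplies the context (is 203.0.113.10 a known update server, or an address nobody can account for?), and the process decides whether the finding is escalated. Once a candidate pair is flagged, the full-content capture for those sessions is where one confirms that what is flowing on port 80 is not actually HTTP.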
34. References
   http://inspectlabs.com
   http://www.commandfive.com/papers/C5_APT_ADecadeInReview.pdf
   http://www.commandfive.com/papers/C5_APT_SKHack.pdf
   http://www.mandiant.com/products/services/m-trends
   http://www.mandiant.com/news_events/forms/m-trends_2011
   http://en.wikipedia.org/wiki/Advanced_persistent_threat
   http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf
   http://www.infowar-monitor.net/wp-content/uploads/2010/02/cs294-28-paper.pdf
   http://snorby.org/
   http://sguil.sourceforge.net/
   http://www.gamelinux.org/
   http://www.nsmframework.org
   http://www.openinfosecfoundation.org/index.php/downloads
   http://www.snort.org/
   http://taosecurity.blogspot.com/