Slide 1

Adversaries, Methods & Defenses: Advanced Attacks. UVa Information Security Seminar, 3 December 2014. Copyright © 2014, FireEye, Inc. All rights reserved.

Slide 2

About Me. Hunt Team Manager at FireEye. Focus areas include threat intelligence, analytics and workflow for incident detection and response. 15 years of detection & response experience in government, research, educational and corporate arenas. One of the founding members of a Fortune 5 CIRT. Spent 5 years helping to build a global detection & response capability. This is only here so you can pick me out of a lineup.

Slide 3

The Adversaries
• "Who", not "what": there's a human at a keyboard.
• Highly tailored and customized attacks, targeted specifically at you.
• Professional, organized and well funded: nation-state sponsored, pure cybercrime, or blended.
• Escalate sophistication of tactics as needed.
• Relentlessly focused on their objective: if you kick them out they will return.
• They have specific objectives; their goal is long-term occupation. Persistence tools ensure ongoing access.

Slide 4

Attack Lifecycles: How Our Adversaries Work

Slide 5

The Kill Chain: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control (C2), Actions on Objectives. "[…] a systematic process to target and engage an adversary to create desired effects." Source: "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains", Hutchins, Cloppert, Amin, http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf (last checked August 2013).

Slide 6

Mandiant's Version

Slide 7

KC1: Reconnaissance. Before you attack, scope out the target! Identify:
• Who to attack
• Where to attack
• How to attack
• Where they keep their stuff
The victim organization may never even see any of this. There is a lot of info out there in Google's cache or public databases. Adversaries will use this data to create a plan of attack.

Slide 8

KC2: Weaponization. Take something harmless and make it evil. Could be a document, an executable file or even a transaction (e.g., an HTTP request). Bonus points if it's something the target wants, like a conference they're attending or a game! This is all hidden from your view.

Slide 9

KC3: Delivery. Deliver the attack to the target! Many possible ways, depending on the type of attack they have planned. Common methods include:

Slide 10

KC4: Exploitation

Slide 11

KC5: Installation. Once they're in, they make sure they stay in! Typically involves some combination of:
• A stage 1 and/or stage 2 backdoor
• A persistence mechanism
• Rootkit
Usually the earliest stage involving changes to a victim's IT environment.

Slide 12

KC6: Command & Control. Once the malware is installed and running, it needs to "broadcast" back to its owner. This design circumvents firewalls with restrictive ingress policies but lax egress controls (i.e., every firewall). The example is from FIN4. It is plaintext HTTP, but it doesn't have to be.
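The outbound "broadcast" described above tends to recur on a fixed timer, which is something a defender can look for in proxy logs. The following is an added example, not code from the slides or from FireEye: it parses constructed proxy log lines (hypothetical IPs and hostnames) and flags source/destination pairs whose request intervals are nearly constant.

```python
"""Beacon detection over constructed proxy log lines.

Flags (source, destination) pairs whose outbound HTTP requests recur at a
near-constant interval, the typical shape of malware calling home through
lax egress filtering. Hostnames and addresses below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines: "<timestamp> <src_ip> <method> <url>"
SAMPLE_LOG = """\
2014-12-03T09:00:00 10.1.1.5 GET http://example-c2.test/ping.php
2014-12-03T09:00:05 10.1.1.5 GET http://www.example.com/news
2014-12-03T09:05:01 10.1.1.5 GET http://example-c2.test/ping.php
2014-12-03T09:07:42 10.1.1.5 GET http://www.example.com/sports
2014-12-03T09:10:00 10.1.1.5 GET http://example-c2.test/ping.php
2014-12-03T09:14:59 10.1.1.5 GET http://example-c2.test/ping.php
2014-12-03T09:20:01 10.1.1.5 GET http://example-c2.test/ping.php
2014-12-03T09:31:10 10.1.1.5 GET http://www.example.com/weather
"""


def parse_log(text):
    """Yield (timestamp, src, host) per line; host is taken from the URL."""
    for line in text.splitlines():
        ts, src, _method, url = line.split()
        host = url.split("/")[2]
        yield datetime.fromisoformat(ts), src, host


def find_beacons(text, min_hits=4, max_jitter=0.1):
    """Return {(src, host): mean_interval_seconds} for pairs with at least
    min_hits requests whose gaps vary by no more than max_jitter
    (standard deviation divided by mean)."""
    times = defaultdict(list)
    for ts, src, host in parse_log(text):
        times[(src, host)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons
```

The ordinary browsing to www.example.com is irregular and is not flagged; only the five-minute check-in to the constructed C2 host survives the jitter filter.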

Slide 13

KC7: Actions on Objectives. Then the attacker is ready to carry out the mission. This is where things start to get really interesting! It's also where the KC model starts to break down. Almost always involves compromising additional hosts ("lateral movement"). Other frequent activities include:
• Capture & use of user creds
• Tool downloads
• Internal reconnaissance
• Direct exploitation
• Data theft & exfiltration

Slide 14

The Kill Spiral! (Figure: the kill chain phases Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions on Objectives repeated over and over in a spiral.)

Slide 15

Advanced Persistent Defense: Disrupting the Kill Chain!

Slide 16

The Defense Chain: Plan, Build, Monitor, Detect, Respond, Report, Improve. Why let the bad guys have all the fun? Let's get our own model!

Slide 17

Intel Lifecycle: Direction, Collection, Analysis, Dissemination (shown against the Defense Chain phases Plan, Build, Monitor, Detect, Respond, Report, Improve).

Slide 18

The Pyramid of Pain. The Pyramid measures the potential usefulness of your intel. It also measures the difficulty of obtaining that intel. The higher you are, the more resources your adversaries have to expend. When you quickly detect, respond to and disrupt your adversaries' activities, defense becomes offense.

Slide 19

Detection Process: Observe, Compare, Alert, Validate (shown against the Defense Chain phases Plan, Build, Monitor, Detect, Respond, Report, Improve).

Slide 20

Response Cycle: Contain, Investigate, Remediate (shown against the Defense Chain phases Plan, Build, Monitor, Detect, Respond, Report, Improve).

Slide 21

The Intel-Driven Operations Cycle. Intelligence (Direction, Collection, Analysis, Dissemination), Detection (Observe, Compare, Alert, Validate) and Response (Contain, Investigate, Remediate), linked by flows labelled Validated Alerts and Quality Feedback, shown against the Defense Chain phases Plan, Build, Monitor, Detect, Respond, Report, Improve.

Slide 22

Questions? David J. Bianco, [email protected], @DavidJBianco, detect-respond.blogspot.com. I <3 Feedback! I'd really love to hear from you. Questions, comments, stories about how this worked for you, citations referencing my work are all appreciated!