
The Advanced Persistent Threat and You

Introduction to APT for Perl Programmers, presented at YAPC::NA in 2011. A high-level overview of why it matters to programmers and how they can help protect their organizations. Yes, APT is a security buzzword, but it is very much a part of the world we write software in!


Brad Lhotsky

June 28, 2011


  1. The Advanced Persistent Adversary and You: a lesson on why not to rewrite your slides the day before your talk. Brad Lhotsky, http://twitter.com/reyjrar, http://github.com/reyjrar
  2. $WORK Disclaimer: The views presented here almost certainly do not reflect the views of my $EMPLOYER.
  3. $PLAY Owner (how did that happen?) of Baltimore PM, http://baltimore.pm.org. Co-founder and regular of CharmSec, http://charmsec.org, http://citysec.org
  4. $JOB

  5. security (noun) 1 the security of the nation's citizens: safety, freedom from danger, protection, invulnerability. ANTONYMS vulnerability, danger. 2 he could give her the security she needed: peace of mind, feeling of safety, stability, certainty, happiness, confidence. ANTONYMS disquiet. 3 security at the court was tight: safety measures, safeguards, surveillance, defense, protection. 4 additional security for your loan may be required: guarantee, collateral, surety, pledge, bond.
  6. getting CISSP-ie wit it

  7. learning from war, because ‘computer’ eq ‘gun’

  8. http://www.penny-arcade.com/comic/2000/6/26/

  9. APT! not just a package manager anymore!

  10. buzzword

  11. misleading

  12. not tangible

  14. Advanced Persistent Adversary

  15. “.. APT is ‘who’ not a ‘how’ .. ” Source: Mandiant, LLC
  16. what does that mean?

  17. Governments

  18. Organized Crime

  19. Activists

  20. possibly Bristol Palin.

  21. what’s the harm?

  22. Compromised: DoD
    • In April of 2009 malware was discovered on the DoD Classified network; it stole at least 6 terabytes of data before being detected
    • The entire volume of data pertaining to the Joint Strike Fighter Program was taken
  23. Compromised: HB Gary
    • Aaron Barr decides to unmask Anonymous in late 2010
    • Feb 5th 2011, Anonymous announces the compromise of HB Gary, including internal email and documents
    • Feb 7th, Anonymous releases a torrent of all the data
    • FBI/DoD were contracting HB Gary to develop malware for domestic spying initiatives
  24. Compromised: RSA
    • March 17th, RSA announces they’ve been breached, details unknown. Says SecurID is “safe”
    • April, Level 3 announces a breach believed to be related to SecurID
    • May, DoD, DHS, and Lockheed Martin announce breaches confirming SecurID has been compromised
  25. Compromised: Sony
    • January 11th, 2011, Sony files a suit against George Hotz for a mod to the PS3 which allows another OS to be run
    • Since April 14th of 2011, Sony and its holdings have experienced 20 major compromises, totaling more than 200 MILLION customer records
  26. Sony may be a game changer

  27. Sony Stock, 6m

  28. Panasonic Stock, 6m

  29. Compromised: AZPD
    • While I was writing this presentation, LulzSecurity released details of their compromise of the AZPD due to SB1070, the racial profiling bill
    • Included in the press release were threats to continue targeting corrupt companies, politicians, law enforcement and military agencies.
  30. who else?

  31. if your company’s on this list

  32. you’re probably screwed.

  33. that’s not true.

  34. we’re all screwed.

  35. ok. what the fuck does this have to do with

  36. more than you think ..

  37. but I’m data driven, so ..

  38. Verizon DBIR 2011

  39. Verizon DBIR 2011

  40. Verizon DBIR 2011

  41. and that brings me to: Standards Compliance


  43. boo! right?

  44. wrong.

  45. what do we call this ...

  46. when this guy says it?

  47. useless bull shit

  48. when this guy says it?

  49. DevOps

  50. WebOps, *Ops, WebDevSecOps!!

  51. and I think we’re already doing it

  52. recommendations
    • Auditing
    • Log fucking everything
    • Configuration Management
    • Puppet / Chef / whatever
    • Visibility and Accessibility
    • Graphs, Metrics
    • Contingency Planning
    • Risk Assessments
    • Did you know it’s OK to have risks?
  53. cool deploy macros

    subversion::deploy { 'project':
        owner  => apache,
        group  => apache,
        svnurl => 'svn+ssh://svn/repo/project',
        target => '/var/www/project',
        notify => Service['httpd'],
    }

    It just got DevOpsy up in here .. https://github.com/reyjrar/svnutils
  54. metrics

  55. do something cool w/ metrics

  56. example

  57. small IT department lots of users

  58. forced efficiency

  59. Open Source Software and some glue, duct tape, and WD-40
    • Netdisco (Network Discovery via SNMP, CDP, LLDP)
    • Custom libpcap based detectors at key points in the network (Service Discovery, DNS Monitoring, Traffic Monitoring)
    • syslog-ng (Communication Bridge)
    • dhcpd (Node Discovery)
    • snort (Security Event Detection)
    • Windows Event Logs (Correlation / Discovery)
    • OSSEC HIDS (Correlation / Detection / Prevention)
    • PostgreSQL Database (Storage / Correlation)
    • RRDTool (Storage / Visual Analysis)
    • Perl (Glue / Duct Tape / WD-40)
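    The "Perl as glue" role in the stack above, as an added example that is not from the talk or from the author's repositories (the talk is aimed at Perl programmers, so the example is in Perl). It takes dhcpd DHCPACK lines in the shape syslog-ng would forward them, builds a MAC-keyed node inventory, and flags two things a small IT department wants to notice: an address re-issued to a different MAC and a known MAC turning up under a new hostname. The syslog lines, hostnames and addresses are constructed.

```perl
#!/usr/bin/env perl
# Added example (not from the talk or the author's projects): Perl gluing
# syslog-ng's dhcpd feed into a node inventory with two simple change checks.
use strict;
use warnings;

# Constructed sample input in the shape of dhcpd's DHCPACK syslog messages.
my @syslog_lines = (
    'Jun 28 09:00:01 dhcp1 dhcpd: DHCPACK on 10.1.2.34 to 00:1a:2b:3c:4d:5e (laptop-042) via eth0',
    'Jun 28 09:05:11 dhcp1 dhcpd: DHCPACK on 10.1.2.35 to 00:1a:2b:3c:4d:5f (printer-3) via eth0',
    'Jun 28 09:07:44 dhcp1 dhcpd: DHCPDISCOVER from 00:1a:2b:3c:4d:60 via eth0',
    'Jun 28 13:12:09 dhcp1 dhcpd: DHCPACK on 10.1.2.34 to 00:1a:2b:3c:4d:5e (laptop-042) via eth0',
    'Jun 28 14:30:00 dhcp1 dhcpd: DHCPACK on 10.1.2.34 to 00:1a:2b:3c:4d:61 (unknown-host) via eth0',
    'Jun 28 15:02:37 dhcp1 dhcpd: DHCPACK on 10.1.2.40 to 00:1a:2b:3c:4d:5f (printer-3-renamed) via eth0',
);

# Pull the fields out of one DHCPACK line; returns undef for anything else.
sub parse_dhcpack {
    my ($line) = @_;
    return unless $line =~ m{
        ^(\w{3}\s+\d+\s+[\d:]+)\s+      # syslog timestamp
        (\S+)\s+dhcpd(?:\[\d+\])?:\s+   # logging host and program, optional pid
        DHCPACK\s+on\s+(\S+)\s+to\s+    # leased address
        ([0-9A-Fa-f:]{17})              # client MAC
        (?:\s+\(([^)]*)\))?             # client-supplied hostname, if any
        \s+via\s+(\S+)\s*$              # receiving interface
    }x;
    return {
        ts     => $1,
        server => $2,
        ip     => $3,
        mac    => lc $4,
        host   => defined $5 ? $5 : '-',
        iface  => $6,
    };
}

# Fold syslog lines into an inventory keyed by MAC plus a list of alerts.
# Returns (\%inventory, \@alerts).
sub ingest {
    my ($lines) = @_;
    my (%inventory, %ip_owner, @alerts);
    for my $line (@$lines) {
        my $ack = parse_dhcpack($line) or next;
        my ($mac, $ip, $host) = @{$ack}{qw(mac ip host)};

        # Same address handed to a different MAC: lease churn, or a device
        # presenting itself as one the inventory already knows.
        if (exists $ip_owner{$ip} && $ip_owner{$ip} ne $mac) {
            push @alerts, "$ack->{ts} $ip moved from $ip_owner{$ip} to $mac ($host)";
        }

        if (my $node = $inventory{$mac}) {
            push @alerts, "$ack->{ts} $mac changed hostname $node->{host} -> $host"
                if $node->{host} ne $host;
            @{$node}{qw(ip host last_seen)} = ($ip, $host, $ack->{ts});
            $node->{acks}++;
        }
        else {
            $inventory{$mac} = {
                ip => $ip, host => $host, iface => $ack->{iface},
                first_seen => $ack->{ts}, last_seen => $ack->{ts}, acks => 1,
            };
        }
        $ip_owner{$ip} = $mac;
    }
    return (\%inventory, \@alerts);
}

my ($inventory, $alerts) = ingest(\@syslog_lines);

printf "%-17s %-12s %-18s %-15s %s\n", qw(MAC IP HOSTNAME LAST_SEEN ACKS);
for my $mac (sort keys %$inventory) {
    my $n = $inventory->{$mac};
    printf "%-17s %-12s %-18s %-15s %d\n", $mac, @{$n}{qw(ip host last_seen acks)};
}
print "\nALERT: $_\n" for @$alerts;
```

    Run as-is it reports the 10.1.2.34 lease moving to a MAC the inventory has never seen and the printer's MAC reappearing under a new hostname. In the stack the talk describes, the same loop would read from the syslog-ng feed and write to the PostgreSQL tables Netdisco and the Windows Event Log data are correlated against, rather than printing.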
  60. why?

  61. it makes my job simpler

  62. Security Under the Veil of Utility: Identify and Locate Users

  63. Get useful information on our users

  66. all of these things satisfy requirements

  67. talk to your security staff

  68. talk to your help desk

  69. talk to your core business groups

  70. how can you help them solve their problems?

  71. chances are .. you already have.

  72. and if you haven’t ...

  73. you’re Perl programmers ..

  74. and you can.

  75. how will that help with security?

  76. Other stuff
    • http://github.com/reyjrar/dns-monitor/
    • DNS Statistics
    • DNS Anomaly Detection (soon)
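    The statistics and first-pass anomaly detection a passive DNS monitor can produce, as an added example in Perl that is not code from the talk or from the dns-monitor project. Input is a constructed, whitespace-separated record per query ("epoch client qname qtype rcode"), the kind of line a libpcap-based DNS detector might hand to syslog-ng. The baseline domain list, the thresholds and the last-two-labels domain approximation are assumptions.

```perl
#!/usr/bin/env perl
# Added example (not from the talk or the dns-monitor project): per-client and
# per-domain DNS statistics with two simple checks layered on top.
use strict;
use warnings;

# Constructed sample records: "epoch client qname qtype rcode".
my @records = (
    '1309248000 10.1.2.34 www.example.com A NOERROR',
    '1309248003 10.1.2.34 mail.example.com A NOERROR',
    '1309248010 10.1.2.35 www.example.com A NOERROR',
    '1309248011 10.1.2.35 cpan.org A NOERROR',
    '1309248020 10.1.2.61 a7f3k2.example.net A NXDOMAIN',
    '1309248021 10.1.2.61 q9z1mm.example.net A NXDOMAIN',
    '1309248022 10.1.2.61 www.example.com A NOERROR',
    '1309248023 10.1.2.61 x0pw4c.example.net A NXDOMAIN',
    '1309248024 10.1.2.61 l8bb2r.example.net A NXDOMAIN',
    '1309248030 10.1.2.34 updates.vendor-cdn.example.org A NOERROR',
);

# Domains the organisation expects to see (assumed); anything else is "new to us".
my %baseline = map { $_ => 1 } qw(example.com cpan.org);

sub parse_record {
    my ($line) = @_;
    my ($ts, $client, $qname, $qtype, $rcode) = split ' ', $line;
    return unless defined $rcode;
    return { ts => $ts, client => $client, qname => lc $qname, qtype => $qtype, rcode => $rcode };
}

# Registrable-domain approximation: the last two labels. Fine for a first
# pass; a public-suffix list is needed to handle co.uk and friends properly.
sub registered_domain {
    my @labels = split /\./, $_[0];
    return @labels >= 2 ? join('.', @labels[-2, -1]) : $_[0];
}

# Tally queries per client and per domain, NXDOMAIN answers per client, and
# remember the first record that mentioned each domain.
sub summarize {
    my ($lines) = @_;
    my %s = (queries => 0, by_client => {}, by_domain => {}, nx_by_client => {}, first_seen => {});
    for my $line (@$lines) {
        my $r = parse_record($line) or next;
        my $dom = registered_domain($r->{qname});
        $s{queries}++;
        $s{by_client}{ $r->{client} }++;
        $s{by_domain}{$dom}++;
        $s{nx_by_client}{ $r->{client} }++ if $r->{rcode} eq 'NXDOMAIN';
        $s{first_seen}{$dom} = $r unless exists $s{first_seen}{$dom};
    }
    return \%s;
}

# Two checks: domains absent from the baseline, and clients whose NXDOMAIN
# ratio is high once they have made enough queries to judge.
sub anomalies {
    my ($s, $baseline, %opt) = @_;
    my $min_q  = $opt{min_queries}  || 4;     # assumed threshold
    my $max_nx = $opt{max_nx_ratio} || 0.5;   # assumed threshold
    my @out;
    for my $dom (sort keys %{ $s->{by_domain} }) {
        next if $baseline->{$dom};
        my $f = $s->{first_seen}{$dom};
        push @out, "new domain $dom first queried by $f->{client} at $f->{ts}";
    }
    for my $client (sort keys %{ $s->{by_client} }) {
        my $total = $s->{by_client}{$client};
        my $nx    = $s->{nx_by_client}{$client} || 0;
        next if $total < $min_q;
        my $ratio = $nx / $total;
        push @out, sprintf("client %s: %d of %d queries NXDOMAIN (%.0f%%)",
                           $client, $nx, $total, 100 * $ratio)
            if $ratio >= $max_nx;
    }
    return \@out;
}

my $summary = summarize(\@records);
printf "%d queries from %d clients across %d domains\n",
    $summary->{queries},
    scalar(keys %{ $summary->{by_client} }),
    scalar(keys %{ $summary->{by_domain} });
print "  $_: $summary->{by_domain}{$_}\n"
    for sort { $summary->{by_domain}{$b} <=> $summary->{by_domain}{$a} } keys %{ $summary->{by_domain} };
print "ANOMALY: $_\n" for @{ anomalies($summary, \%baseline) };
```

    On the sample data the two domains outside the baseline are reported with the client that first asked for them, and 10.1.2.61 is reported for four NXDOMAIN answers out of five queries. The counters are what RRDTool would graph; the anomaly list is what would be pushed into syslog-ng for OSSEC or a human to look at.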
  77. Thank you! brad.lhotsky@gmail.com https://twitter.com/reyjrar https://github.com/reyjrar