Interactive Session 1
Who here is afraid of the APT?
Who here thinks they have APT taken care of?
Who here thinks APT doesn't apply to them?
What is APT?
o Malware set?
Interactive 2
What is IP Theft?
Do you have IP worth protecting?
Is there IP you don't care about?
What do you have that is being targeted?
Interactive 3
What is state sponsorship?
What does it look like?
What does it look like in other countries?
What does it look like in our country?
So what is Intelligence?
According to the CIA's Center for the Study of Intelligence:
"Intelligence is secret state or group activity to understand or influence foreign or domestic entities."
"Intelligence analysis is the application of individual and collective cognitive methods to weigh data and test hypotheses within a secret socio-cultural context."
Criminal Investigation
Reports for the sake of reports
A random guess
Magic
o Heuer's Psychology of Intelligence Analysis
o A Tradecraft Primer: Structured Analytic Techniques for Improving Intelligence Analysis
o Intelligence Community Directive 203, Analytic Standards
Anatomy of an Attack by
Mike Cloppert
Read the Lockheed Martin Kill Chain Paper!!
Move to the left of the hack
The more you understand, the quicker you can get to the root of the problem.
What is the root of the problem?
Anatomy of an Attack
(Intelligence)
What
When
Where
Why
Who
What is APT
"Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target's posture.
Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives.
Threat means the adversary is not a piece of mindless code. This point is crucial. Some people throw around the term "threat" with reference to malware. If malware had no human attached to it (someone to control the victim, read the stolen data, etc.), then most malware would be of little worry (as long as it didn't degrade or deny data). Rather, the adversary here is a threat because it is organized and funded and motivated. Some people speak of multiple "groups" consisting of dedicated "crews" with various missions."
(All courtesy of Richard Bejtlich)
http://taosecurity.blogspot.com/2010/01/what-is-apt-and-what-does-it-want.html
What is APT? == State Sponsored Hacking
Not necessarily one person, small group, or even the same group.
Institutionalized: education facilities, companies, military, intelligence agencies, individuals acting for national pride and honor.
It is tasked, not random, but can be opportunistic (though some groups are cut loose, there are ways to tell them what is desired).
Patient
Persistent
Well Funded
Simple rule:
o Minimum required force
FUD as a weapon
Chinese doctrine, parallels other countries
o Timothy L Thomas and Chinese Warfare
o See Sun Tzu above
IP Theft
What they take
o Short answer: everything
Contact lists
Publicly available documents
Content of targeted folders
Who you are doing business with
Anyone you trust
Political advantage
Economic advantage
Military advantage
Technological advantage
Timeline of an attack
Date       | Event
Late 2010  |
Early 2011 | Foreign Investment Guide changed to reflect new policy and incentives added
Early 2011 |
April 2011 |
April 2011 |
May 2011   | Govt regulating body hacked, but attackers appear unsure of what is relevant
June 2011  | Govt agency is targeted again and specific law firm information is exfiltrated
Aug 2011   |
Aug 2011   | Apparently unrelated attack is conducted on small energy company, but specific searches are done for names related to target company
Aug 2011   |
Sep 2011   | Govt agency is hit again but moves outside our observable window
Sep 2011   |
Nov 2011   |
Early 2012 |
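The timeline above and the earlier "move to the left of the hack" slide make the same point: intrusions that look unrelated (a regulator, then a small energy company searching for the target's name) are one campaign, and the defender's job is to find the indicators they share and detect them as early in the kill chain as possible. The script below is an added example, not code from these slides or from the Lockheed Martin kill chain paper; it uses the seven kill chain phases from that paper and a constructed set of intrusion records (hypothetical sender addresses, domains, service names and hashes) to group intrusions into campaigns by shared indicators and report the leftmost phase at which the campaign can be detected.

```python
"""Kill-chain campaign correlation (added example, not from the original slides).

Groups intrusion records that share indicators into campaigns and finds the
earliest kill-chain phase at which a shared indicator exists, i.e. how far
"left" detection can be pushed for that campaign.
"""
from collections import defaultdict

# Intrusion kill chain phases in order, as defined in the Lockheed Martin paper.
PHASES = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]
PHASE_INDEX = {p: i for i, p in enumerate(PHASES)}

# Constructed intrusion records: (phase, indicator type, indicator value).
# All values are hypothetical; domains use reserved example names.
INTRUSIONS = {
    "regulator-2011-05": [
        ("delivery", "sender", "hr-update@example.org"),
        ("exploitation", "doc_hash", "a1b2c3"),
        ("installation", "service_name", "WinUpdSvc"),
        ("command_and_control", "c2_domain", "update.example.net"),
        ("actions_on_objectives", "search_term", "law firm"),
    ],
    "energyco-2011-08": [
        ("delivery", "sender", "hr-update@example.org"),
        ("exploitation", "doc_hash", "d4e5f6"),   # new lure doc, same sender
        ("installation", "service_name", "WinUpdSvc"),
        ("command_and_control", "c2_domain", "update.example.net"),
        ("actions_on_objectives", "search_term", "TargetCo"),
    ],
    "unrelated-2011-06": [
        ("delivery", "sender", "promo@example.com"),
        ("exploitation", "doc_hash", "999999"),
        ("installation", "service_name", "Updater"),
        ("command_and_control", "c2_domain", "cdn.example.com"),
    ],
}


def shared_indicators(intrusions):
    """Map each (phase, type, value) to the intrusions it appears in,
    keeping only indicators seen in more than one intrusion."""
    seen = defaultdict(set)
    for name, records in intrusions.items():
        for phase, kind, value in records:
            seen[(phase, kind, value)].add(name)
    return {k: v for k, v in seen.items() if len(v) > 1}


def campaigns(intrusions):
    """Group intrusions that share at least one indicator, transitively
    (a small union-find), and return the groups as sorted lists."""
    parent = {n: n for n in intrusions}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for names in shared_indicators(intrusions).values():
        names = sorted(names)
        for other in names[1:]:
            parent[find(other)] = find(names[0])
    groups = defaultdict(set)
    for n in intrusions:
        groups[find(n)].add(n)
    return sorted(sorted(g) for g in groups.values())


def leftmost_detection(intrusions, campaign):
    """Earliest kill-chain phase with an indicator shared across the whole
    campaign: the point a defender can move detection "left" to.
    Returns (phase, type, value) or None for a campaign of one intrusion."""
    shared = shared_indicators({n: intrusions[n] for n in campaign})
    if not shared:
        return None
    return min(shared, key=lambda k: PHASE_INDEX[k[0]])


if __name__ == "__main__":
    for c in campaigns(INTRUSIONS):
        print(c, "->", leftmost_detection(INTRUSIONS, c))
```

For the constructed data the regulator and energy company intrusions fall into one campaign even though the lure documents differ, and the shared sender address puts detection at the delivery phase, before any exploit runs; the third intrusion shares nothing and stays on its own. Against real data the same structure works with whatever indicator types your logs carry, and the leftmost shared indicator is the one worth turning into a block or alert first.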
Questions?
Sources
http://virginia.academia.edu/BryanPfaffenberger/Papers/154215/The_Rhetoric_of_Dread_Fear_Uncertainty_and_Doubt_FUD_in_Information_Technology_Marketing
http://computer-forensics.sans.org/blog/2010/06/21/security-intelligence-knowing-enemy/
http://taosecurity.blogspot.com/2010/01/what-is-apt-and-what-does-it-want.html
http://www.goodreads.com/quotes/108-the-greatest-trick-the-devil-ever-played-was-convincing-the
http://www.firstpost.com/world/china-is-the-voldemort-of-hacking-it-that-must-not-be-named-53539.html
http://www.carlisle.army.mil/USAWC/parameters/Articles/2010summer/Thomas.pdf
http://www.fanpop.com/spots/warner-brothers-animation/images/30975958/title/elmer-fudd-photo
http://www.scmagazine.com/the-not-so-advanced-persistent-threat/article/224530/
Intelligence Resources:
https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/Tradecraft%20Primer-apr09.pdf
http://www.fas.org/irp/dni/icd/icd-203.pdf