SEC204

Advanced Persistent Threat - прицельные кибер-атаки. Сопротивление бесполезно?

Бешков Андрей Руководитель программы информационной безопасностиMicrosoft

Содержание

Что такое APTТекущее состояние индустрии APTВлияние APT на ИТ индустриюВарианты обнаружения APTЗащита от APT

Что происходит?

Сотни организаций подверглись взломам и

скомпрометированы

Неужели правда???Так уж и сотни?

APT

dvancedersistenthreat

Не каждая атака APT…

Advanced Persistent ThreatЧем отличается от привычных атак?

Хорошо организованаРаботает профессиональная команда. В случае необходимости долгие месяцы посменно или с 9 до 18 с перерывом на обед.

Точно знают за чем охотятся и чего хотятКрадут секреты или интеллектуальную собственностьИспользуют любые виды атак. От физического проникновения до найма инсайдеров и использования свежих уязвимостей.Намерены оставаться внутри жертвы навсегдаАдаптируются к защитным мерам, не сдаютсяВозвращаются при первой же возможности

Нет намерения разрушать

инфраструктуру или

убивать жертву

Advanced Persistent ThreatКто?

Advanced Persistent ThreatЧто же это?

Прицельные атаки с помощью широко распространенных автоматизированных средств,

скоординировано исполняемые неизвестным кругом лиц, настойчиво и достаточно

профессионально с целью достижения долговременных стратегических целей

Advanced Persistent ThreatПочему?

Наш план экстренного реагирования и восстановления

после катастрофы

Advanced Persistent ThreatЧто делать?

Предотвращение Восстановление

– INTERNAL ONLY

Advanced Persistent ThreatWhat to do? - Prevention

Raise awarenessRaise the bar

Adopt risk based strategyDefense in depth

Expect to be compromised

– INTERNAL ONLY

Advanced Persistent ThreatWhat to do? - Recovery

The Perfect PlanClose all internet / remote accessChange all passwordsRebuild Active DirectoryRebuild all hosts from scratchUpdate all software, defenses, policiesFix vulnerabilitiesRestore data and legitimate applicationsEducate end-usersTurn everything back on

You can’t clean a compromised system by patching it.You can’t clean a compromised system by removing the back doors.You can’t clean a compromised system by using some “vulnerability remover.”You can’t clean a compromised system by using a virus scanner. You can’t clean a compromised system by reinstalling over the existing installation.You can’t trust any data copied from a compromised system. You can’t trust the event logs on a compromised system. You may not be able to trust your latest backup.

The only way to clean a

compromised system is to

flatten and rebuild

– INTERNAL ONLY

Advanced Persistent ThreatWhat to do? - Recovery

The “Perfect” Plan: not so muchToo bigToo complexToo costlyToo disruptive

Which leaves… “Plan B”

– INTERNAL ONLY

Advanced Persistent ThreatWhat to do? - Plan B

Women and children first!Define & locate “Crown Jewels”Create safe havenMove crown jewels over

Declare old environment to be aZooGraveyard

– INTERNAL ONLY

ContosoGlobal Enterprise200+ officesOutsourcedCentralized IT

Single forest Active DirectoryWindows 2000/2003/2008100.000+ users/desktops10.000+ servers

– INTERNAL ONLY

What Happened At Contoso?Unusual logons of AD admin account account disabled

Malware found on 50+ servers and dozens of laptopsAffected systems reimaged

Service account logon detected

Upload of new malware detected

Most Confidential data extracted

Compromised DCPSS case raised

MS and ISP incident response team

Help Desk procedures and remote access software extracted

Silence...Initial breach?

Malware installed on extranet server

July Aug Sept OctJuneOct 2009

– INTERNAL ONLY

How Did They Get In?

Internet

1. Exploit vulnerability2. Placed Malware3. Cracked AD admin

account

• RDP to internal systems • Placement of malware• Remotely executed

commands

Contoso VPN connected systems

DMZ

Intranet

So what about IDS or AV?

Malware - Backdoors

File Name Descriptionapp.aspx Backdoor:ASP/Aspy.A ASPX Spy enables uploading of files through the web

browser and executing them on the web server.Download: http://code.google.com/p/aspxspy/downloads/list

mt.exe Backdoor:Win32/Agent.JT Backdoor + password stealerrebind.exe Backdoor:Win32/Small Remote command shellweb.asp Backdoor:ASP/Ace ASP backdoorzwshlx.exe Backdoor:Win32/Rat Remote administration tool, backdoorver.exe Backdoor:Win32/

Remosh.A.drMulti functional backdoor

sethc.exe Backdoor:AutoIt/Acidoor.A “Control panel applet” that provides a command shell

More Stuff From the Dark SideFile Name Descriptionapi.asp HackTool:ASP/Oxess.A Allows retrieval of websites similar to a proxylcx.exe Tool:Win32/Transmit Proxy toolapp.s23.aspx HackTool:ASP/Websniff.A ASPX network sniffer and password stealerhash.exe HackTool:Win32/Gsecdump Password dumpertmplugin.dll PWS:Win32/Lsagrab LSA secrets dumping DLLp.exe HackTool:Win32/PWDump.A Password dumperfgdump.exe HackTool:Win32/Fgdump Tools to dump LSA secrets and other credentials

hash2.exePart of commercial password recovery tool (SAMInside)

hookmsgina.dll PWS:Win32/Hine.A!dll Password stealing hooks.exe Tool:Win32/Tcpportscan.D portscan utility

Random Bits and Pieces

File Name Descriptionnc.exe NetCat Port scanner, tunneling, proxy, webserverpsexec.exe Psexec Telnet-replacement, execute processes, remote console

rar.exe RAR Compression utility

portqry.exe PortQuery utility to test TCP/IP connectivity strexp.exe StringExpander String expandertestport.exe TestPort portscan utility

powershell.exe PowerShell …hyena.exe Hyena Active Directory administration tool

– INTERNAL ONLY

Malware Phone Home DynDNS…is-a-chef.com

contoso.is-a-chef.comnorthwind.is-a-chef.comtailspintoys.is-a-chef.comwoodgrove.is-a-chef.com

thruhere.netoffice-on-the.netselfip.com

– INTERNAL ONLY

Outbound Monitoring

Each packet of the ZW malware protocol contains: “hW$.” (hex “68572413”) at offset 0x42

– INTERNAL ONLY

Initial Response

Establish incident response organizationEstablish separate communication channelsAssess the extent of compromiseAssess the vulnerability of environmentDefine remediation plans

– INTERNAL ONLY

Remediation Plans

Anti malwareVerify AdminsDisable LMReset credentialsOutbound monitoringAssess environmentCode reviews

Remediation effort

New environmentCurrent environment Migrate crown jewels

Short term<90 days

Mid term<18 months

Long term<36 months

Design and build new environmentMigration strategyMigrate critical systemsSecure Development Lifecycle

Migrate remaining assetsDecide on old environment (zoo/graveyard)

time“Raising the bar” “Securing the crown jewels” “Back to normal”

– INTERNAL ONLY

Assessment FindingsApplication security code reviewsADRAP / AD Security AssessmentPKI Security AssessmentAsset management

Crown jewelsInternet access pointsExtranet systemsEtc, etc

In short: environment not defensible

Finding ValueMany Admins 75%Admins with "Password Never Expires" 91%LAN Manager Hash enabled 75%Group Policies not used to enforce security 61%No documented disaster recovery plan 50%Backups not secured 53%

– INTERNAL ONLY

Where Are We Now @Contoso?Good

Management (finally) understands riskMore insight into environment than everStructural improvement plans starting upTrusted advisor

– INTERNAL ONLY

Where Are We Now @Contoso?Bad

Sloooowwwwremediation

Decreasedsense of urgency

Wishfuldenial

– INTERNAL ONLY

Where Are We Now @Contoso?Ugly

– INTERNAL ONLY

In short…

This thing is realBe alertDon’t assume anythingDon’t underestimate the power of wishful denialWe can helpHelp our customers raise the bar

– INTERNAL ONLY

Session Takeaways

The IT (security) landscape has changed dramaticallyResistance is futile?Know thy self, know thy enemy

– INTERNAL ONLY

Related ContentBreakout Sessions/Chalk Talks

SIP213 High Security Admin Desktop (New MCS Cybersecurity Solution)SIP216 Threat Landscape and the Measurement of Antimalware Protection TechnologiesSIP303 Combating Cyber Threats: Doing Incident Response for CustomersSIP319 Malware Hunting with Mark Russinovich and the Sysinternals ToolsSIPCT305 Good, Bad, Ugly: Malware in the Real World and Fighting it with Data AnalysisSIP338 High Security Web Access (New MCS Cybersecurity Solution)

Additional content:TR12: Advance Persistent Threat (APT): Real-World Examples and How to Fight (SIP337)WP: Rethinking the Cyber Threat - A Framework and Path Forward (Scott Charney)

– INTERNAL ONLY

More Related Stuff

Managing cyber risk in the face of sophisticated adversariesMicrosoft ACE team services on ISRM portalBeating the APT, ghetto style (Maarten Van Horenbeeck)Your blind trust in the Internet (John Howie)Infrastructure Planning and Design Guide for Malware Response DamballaMandiant

“Automation applied to an efficient operation will magnify the efficiency… automation applied to an inefficient operation will magnify the inefficiency”

- Bill Gates

Заголовок слайда

Первый уровень Второй уровень

Третий уровень Четвертый уровень

Пятый уровень

Рекомендации к оформлению

Старайтесь избегать текста пятого уровняИспользуйте предлагаемые цветаЦвет гиперссылок: www.microsoft.com

Sample FillSample FillSample Fill

Sample FillSample FillSample Fill

Пример диаграммы

Category 1

Category 2

Category 3

Category 4

0

1

2

3

4

5

Series 1Series 2Series 3

Демонстрация

Заголовок демонстрации

Имя Фамилия

Видео

Заголовок видео

Анонс

Заголовок

Пример кода

Get-Process –computername srv1

class TechEdProgram{

public static void Main(){

System.Console.WriteLine("Hello, Tech·Ed!");

}}

Итоги

Сессии по теме

Ресурсы

Обратная связь

Ваше мнение очень важно для нас. Пожалуйста, оцените сессию, заполните анкету и сдайте ее при выходе из зала

Спасибо!

Вопросы

Код сессии Имя и фамилия докладчика

ДолжностьEmail Адрес блога…

Вы сможете задать вопросы докладчикам в зоне «Спроси эксперта» в течение часа после завершения этой сессии