La Quadrature Du Cercle
The APTs That Weren't
La cuadrature du cercle La cuadratura del circulo Die Quadratur des Kreises Squaring the circle
квадрату́ра кру́га
Marion Marschalek
marion@cyphort.com @pinkflawd
What makes an APT
Reconnaissance – gather information
Incursion – break in
Discovery – look around
Capture – collect goods
Exfiltration – get goods out
The single most beautiful APT
November 2013: Target Corporation suffered one of the most severe large-scale retail hacks in US history
Memory scraping on running processes, fetching card data
Dumping data to a file on a share, regularly pushing out to C&C
ADVANCED [ədˈvɑːn(t)st] PERSISTENT [pəˈsɪstənt]
we don't understand it
we detected it too late
Why oh why can't we find it? Threat detection always relies on:
Hashes
Signatures
Behavior
IOCs
Anomalies
I can see dead patterns ...
Cheshire Cat
2002
Checking for running security processes
Orchestrator component executing binaries from disk
2002
Prepared to run on _old_ Windows versions
Using APIs deprecated after Win95/98/ME
Function to check for the MZ value, the PE value and the NE value
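The slide notes that the sample carries its own routine for telling MZ, NE and PE images apart. The following is an added analyst's equivalent of that check (not the malware's code and not from the slides): it reads the DOS header's e_lfanew pointer at offset 0x3c and classifies the extended header behind it, with constructed header images for testing.

```python
# Added example: classify an executable image by its header signatures.
# MZ = DOS stub only, NE = 16-bit Windows/OS2, PE = Win32 portable executable.
import struct

def classify_executable(data: bytes) -> str:
    """Return 'PE', 'NE', 'MZ' (plain DOS) or 'unknown' for a file image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "unknown"
    # e_lfanew at 0x3c points to the NE or PE header, if one exists.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew == 0 or e_lfanew + 4 > len(data):
        return "MZ"  # plain DOS image, or pointer past end of file
    sig = data[e_lfanew:e_lfanew + 4]
    if sig == b"PE\0\0":
        return "PE"
    if sig[:2] == b"NE":
        return "NE"
    return "MZ"

def build_sample(kind: str) -> bytes:
    """Constructed minimal header image (test data, not a real binary)."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    if kind == "MZ":
        return bytes(hdr)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> 0x40
    hdr[0x40:0x44] = b"PE\0\0" if kind == "PE" else b"NE\0\0"
    return bytes(hdr)
```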
2007-2009
Implementation traits and user agent string indicate Win NT 4.0 as target platform
Persists as shell extension for the icon handler
Wants to run in the context of the 'Progman' window
Implant to monitor network activity
2007-2009
Evasive when network sniffer products are running
Super stealthy network communication:
Versatile communication method
9+ C&C servers, infrequent intervals
Communication done through injected standard browser instance
2011
Fine tuned to paddle around Kaspersky security products
Nation State
Cyber Espionage?
From Bahrain With Love
FinFisher Suite from Gamma International UK Ltd. Sent to Bahraini pro-democracy activists
http://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposed/
MALWARE /ˈmalwɛːɐ̯/
Software that doesn't come with an EULA
Offense Going Commercial
Nation States Going Criminal
Industrial Espionage
Canada spying on Brazil's Mines and Energy Ministry
NSA spying on Brazil's Petrobras
France spying on IBM/Texas Instruments in the late 80s
China spying on about everyone
State Sponsored
http://www.cbc.ca/news/canada/brazil-canada-espionage-which-countries-are-we-spying-on-1.1930522
http://www.bloomberg.com/news/articles/2013-09-08/u-s-government-spied-on-brazil-s-petrobras-globo-tv-reports
http://www.nytimes.com/1990/11/18/world/french-said-to-spy-on-us-computer-companies.html
Threat Detection Industry
How Threat-Detection went Threat-Intel
Malware.. 'watching'
Actor tracking
Publicity
APT numbering, logos & names
Frenemies & The Fungus Amongus
Or: When Malware Became Intellectual Property
Intelli.. wot?
Reverse engineering turns political when you take apart the wrong binaries
…ting and publicity?
future
…ding offenders with free audits
Ethical Questions In APT Research
"… if the malware is detected, it will also make it easier for extremists to protect themselves against cyber spying attempts."
"… the researcher's insight into the operation […] is always"
"… targeted entity is 'innocent', such as an academic or a journalist, but in reality they could be a radical academic or a terrorism-facilitating journalist."
http://www.securityweek.com/long-term-strategy-needed-when-analyzing-apts-researcher
Ahmed Mansoor and the UAE Five
Sometimes Attribution isn’t Tricky
83.111.56.188
inetnum: 83.111.56.184 – 83.111.56.191
netname: minaoffice-EMIRNET
descr: Office Of Sh. Tahnoon Bin Zayed Al Nahyan
descr: P.O. Box 5151, Abu Dhabi, UAE
country: AE
APT Attribution Cheatsheet
Any need for actor attribution? – Most likely no.
Any need for actor tracking? – In certain cases, maybe.
Any need for actor(-tool) recognition? – Yes.
[ sony.attributed.to ]
Squaring The Circle?
“An attacker only needs to find one weakness while the defender needs to find every one.”
“Defender Economics”, Andreas Lindh, Troopers15
Risk = Vulnerability * Threat * Impact
Threat = Intent * Capability * Opportunity
"When Threat Intel met DFIR", Chopitea & Mouchoux, hack.lu 2015
Threat modeling
Compartmentalization
2-factor Authentication
Encryption
Secrecy
marion@cyphort.com @pinkflawd
Thank You
Resources
http://www.cbc.ca/news/canada/brazil-canada-espionage-which-countries-are-we-spying-on-1.1930522
http://www.bloomberg.com/news/articles/2013-09-08/u-s-government-spied-on-brazil-s-petrobras-globo-tv-reports
http://www.nytimes.com/1990/11/18/world/french-said-to-spy-on-us-computer-companies.html
http://www.cse.wustl.edu/~jain/cse571-14/ftp/cyber_espionage/
http://media.kaspersky.com/pdf/Guerrero-Saade-VB2015.pdf
http://www.securityweek.com/long-term-strategy-needed-when-analyzing-apts-researcher
https://cryptome.org/2013/03/call-to-cyber-arms.pdf
http://archive.hack.lu/2015/When%20threat%20intel%20met%20DFIR.pdf
http://www.fmprc.gov.cn/mfa_eng/xwfw_665399/s2510_665401/t1305571.shtml
http://www.bbc.com/news/world-asia-china-34360934