or informa5onized force opera5ons
play

(or Informa5onized Force Opera5ons) Michael K. Daly November 4, - PowerPoint PPT Presentation

Nov 06, 2022 •365 likes •872 views

The Advanced Persistent Threat (or Informa5onized Force Opera5ons) Michael K. Daly November 4, 2009 What is meant by Advanced, Persistent Threat? Increasingly sophis5cated cyber aIacks by hos5le organiza5ons with the goal of: Gaining

  1. The Advanced Persistent Threat (or Informa5onized Force Opera5ons) Michael K. Daly November 4, 2009

  2. What is meant by Advanced, Persistent Threat?  Increasingly sophis5cated cyber aIacks by hos5le organiza5ons with the goal of:  Gaining access to defense, financial and other targeted informa5on from governments, corpora5ons and individuals.  Maintaining a foothold in these environments to enable future use and control.  Modifying data to disrupt performance in their targets. APT: People With Money Who Discovered That Computers Are Connected

  3. APT in the News A Broad Problem Affec5ng Many Na5ons and Industries

  4. Is this a big deal? Is it new?  Yes, this is a very big deal.  If “it” is the broad no5on of theW, spying, social engineering and bad stuff, then No, it is definitely not new.  However, it is new (~2003) that na5on states are widely leveraging the Internet to operate agents across all cri5cal infrastructures. APT ac5vity is leveraging the expansion of the greater system of systems

  5. I’m not in the military. Why do I care? “[APT] possess the targeting competence to identify specific users in a unit or organization based on job function or presumed access to information. [APT] can use this access for passive monitoring of network traffic for intelligence collection purposes. Instrumenting these machines in peacetime may enable attackers to prepare a reserve of compromised machines that can be used during a crisis. [APT] … possess the technical sophistication to craft and upload rootkit and covert remote access software, creating deep persistent access to the compromised host and making detection extremely difficult. An “upstream” attack on … civilian networks … has potential for great impact and is potentially easier against smaller companies that often lack the resources or expertise for sophisticated network security and monitoring.” ** Shipping, Finance, Energy, Water, … The En5re Supply Chain is at Risk ** Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploita5on, Prepared for The US‐China Economic and Security Review Commission, October 2009.

  6. Are we paying aIen5on Google Trends: “Your terms ‐ advanced persistent threat ‐ do not have enough search volume to show graphs.”

  7. OK, give me a prac5cal example The “classic” case is:  Employee Bob gets an email with an aIachment, so he opens it.  The aIachment opens, and is typically either irrelevant, or a copy of some other message he got a while back, or not even the topic of the message. Bob closes it and goes back to his coffee.  His computer is now running a Trojan applica5on that connects to a site on the Internet that is used by bad guys to control his computer. Socially Engineered Emails

  8. A “case study” Bad Guy Searches the USENIX Site.

  9. A “case study” Bad Guy downloads the LISA Agenda.

  10. A more specific example Bad Guy adds a Trojan to the Agenda PDF.

  11. A more specific example Bad Guy sends the Trojanized PDF to selected aIendees.

  12. A more specific example Bob opens the Agenda PDF. Note: This image is not really Bob ;‐)

  13. A more specific example (Not this obvious) Bob’s PC starts “beaconing” that it is available.

  14. A more specific example Bob’s PC is used to harvest data from all his coworkers.

  15. Actual messages from last week Adobe Acrobat is by far the most targeted applica5on this year.

  16. What happens when they are opened Look at the preIy bear. Don’t look at your proxy logs.

  17. A bit more about APT Trojans  Mul5ple means of command and control allow the adversary to persist even when defensive ac5ons are taken  Mul5ple malware installa5ons;  Mul5ple C2 des5na5ons  Off‐Net use allows adversaries to change tac5cs while outside your view and control  VPN Malware  Off‐Network updates  0‐Day AIack Vectors  Uniquely compiled for you  Avoids AV detec5on AIack in Depth

  18. What kinds of aIachments  Adobe Acrobat is increasing  No surprises – these’re the apps we use.  “Why has it changed? Primarily because there has been more vulnerabili5es in Adobe Acrobat/Reader than in the MicrosoW Office applica5ons.” – F‐Secure hIp://www.f‐secure.com/weblog/archives/00001676.html Patching Is Not Keeping Up With Current APT TTP’s

  19. HTTP Vector  Hacked sites redirec5ng to exploits  www.ned.org  www.elec5onguide.org  aceproject.org  www.ifes.org  Serving 3 exploits  SWF on FF 0‐day  SWF on IE 0‐day  MSVIDCTL Vulnerability Not All Bad Stuff Comes Via The Mail … Some5mes we seek it out.

  20. Analyzing Malicious PDF AV Detec9on of Malicious PDF Documents (McAfee‐GW‐Edi5on) (An5Vir) (Sophos) (BitDefender) (GData) (Avast) (Symantec) (a‐squared) (McAfee) (Ikarus) (McAfee+Artemis) (Kaspersky) (NOD32) (F‐Secure) (MicrosoW) (TrendMicro) (For5net) 0% 10% 20% 30% 40% 50% 60% 70% 80% AV Detec5on of Malicious PDFs Has Been Very Poor

  21. Common PDF Exploits CVE Name First Used Discovered Patched Gap 2007-5659 collectEmailInfo() (JS) 1/1/2008 2/6/2008 2/7/2008 37 2008-2992 Util.printf() (JS) 11/5/2008 11/5/2008 11/4/2008 -1 2009-0658 JBIG2* 1/15/2009 2/13/2009 3/24/2009 68 2009-0927 getIcon() (JS) 4/9/2009 4/9/2009 3/24/2009 -16 2009-1492 getAnnots() (JS) 6/4/2009 6/4/2009 5/12/2009 -23 2009-1862 SWF* 7/15/2009 7/15/2009 7/31/2009 16 2009-3459 Heap Corruption* 9/23/2009 10/1/2009 10/13/2009 20 Days Between First Use and Patch Users ? Patched? ? Users Patched? ‐30 ‐20 ‐10 0 10 20 30 40 50 60 70 Occasional Lag to Discovery – Consistent Lag to Remedia5on

  22. JBIG2 Timeline More Than 2 Months from First Known Offensive Use to Patch Availability

  23. JBIG2 Dissec5on What did Bad Guy do to the PDF? Object 3 is first to launch, in this case.  It has an OpenAc'on to go to Object 2.  Object 2 fills memory with code that  leads to Object 7. Object 7 contains the executable that  gives you a bad day. The red colored areas are indicators  you can use to find similar documents. Automated Tools Are Available To Help Our Bad Guy Insert the Executable

  24. Cool Tool to Help Find Stuff Yara  Simple and correlated rules  Ascii, binary, regex, wildcards rule HIGH_PDF_Flash_Exploit { strings: $a = "%PDF-1." $j = "(pop\\056swf)" $k = "(pushpro\\056swf)" $b = "( a.swf)" condition: ($a at 0) and ($j or $k or $b) } hIp://code.google.com/p/yara‐project/

  25. Trojans Commonly Delivered in Email  Opening of the malicious aIachment may have no visual indicators  Some poorly created documents will “crash” and reopen  Others will briefly close and reopen  In rare cases, the computer may “freeze”  AIackers embed relevant content to be displayed aWer infec5on  .WRI  .PDF  .SCR Using Your Own Content Against You

  26. Typical malware workflow  Checks to see if it already infected you  Delay for a bit so you don’t associate its behavior with the opening of the aIachment  Download other junk  Keep checking back for more commands or control requests Ini5ates Connec5on from Inside

  27. Gh0stNet, a good example of APT APT with a Poli5cal Mission: Tracking the Dalai Lama and Tibetan Exiles

  28. Gh0st RAT and Poison Ivy RAT Gh0st RAT is published by Red Wolf Group  Key logger can record the informa5on in  English and Chinese Remote Terminal Shell  System management process management,  window management Video View ‐ View a remote camera,  snapshot, video, compression and other func5ons ... Voice monitoring ‐ remote monitoring of  voice, but also the local voice can be transmiIed to the remote, voice chat, GSM610 compression Session management off, restart,  shutdown, uninstall the server Specify the download URL, hide or display  access to the specified URL, clear the system log  Cluster control can simultaneously control mul9ple hosts at the same 5me Remote Administra5on Tools

  29. So, who are some of these people  General Staff Department Fourth Department  The GSD’s decision in 2000 to promote Dai Qingmin to head the 4 th Department—veyng his advocacy of the integrated network‐electronic warfare (INEW) strategy—likely further consolidated the organiza5onal authority for the IW—and the CNA mission specifically—in this group. Dai’s promo5on to this posi5on suggests that the GSD probably endorsed his vision of adop5ng INEW as the PLA’s IW strategy. Remember, China is just one country we can talk about due to Open Source ** Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploita5on, Prepared for The US‐China Economic and Security Review Commission, October 2009.

  30. Leveraging the private sector  PLA Informa5on Warfare Mili5a Units  Since approximately 2002, the PLA has been crea5ng IW mili5a units comprised of personnel from the commercial IT sector and academia , and represents an opera5onal nexus between PLA Computer Network Opera5ons and Chinese civilian informa5on security professionals. Strong organiza5on, bolstered by internal compe55on ** Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploita5on, Prepared for The US‐China Economic and Security Review Commission, October 2009.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Tailoring your Freight Car fleet for Opera5ons Al Kempf, Jr. Before we start Exits

Tailoring your Freight Car fleet for Opera5ons Al Kempf, Jr. Before we start Exits

Tailoring your Freight Car fleet for Opera5ons Al Kempf, Jr. Before we start Exits Restrooms Tailoring your Freight Car fleet for Opera5ons Al Kempf, Jr. Anything that I say is simply my opinion. Others may view things differently,

424 views • 20 slides
Headquarters U.S. Air Force I n t e g r i t y - S e r v i c e - E x c e l l e n c e Air Force

Headquarters U.S. Air Force I n t e g r i t y - S e r v i c e - E x c e l l e n c e Air Force

Headquarters U.S. Air Force I n t e g r i t y - S e r v i c e - E x c e l l e n c e Air Force Progress in Implementing Standard Desktop Configurations Information Security and Advisory Board June 7th , 2007 Ken Heitkamp Associate

384 views • 16 slides
Ballast Dust and you Between us we have a

Ballast Dust and you Between us we have a

Ballast Dust and you Between us we have a responsibility to prevent harm to anyone involved in our opera5ons, through reduc5on in accidents and

439 views • 14 slides
Headquarters U.S. Air Force I n t e g r i t y - S e r v i c e - E x c e l l e n c e Air Force

Headquarters U.S. Air Force I n t e g r i t y - S e r v i c e - E x c e l l e n c e Air Force

Headquarters U.S. Air Force I n t e g r i t y - S e r v i c e - E x c e l l e n c e Air Force Long-Term Monitoring Optimization Tools AFCEE/TDV Phil Hunter, P.G. 2011 May Overview Process & Opportunity Tool Inventory Status

475 views • 30 slides
Police Use of Force Ch Insp Neil Williams Force Lead for Use of Force To Improve internal

Police Use of Force Ch Insp Neil Williams Force Lead for Use of Force To Improve internal

Police Use of Force Ch Insp Neil Williams Force Lead for Use of Force To Improve internal scrutiny for instances where force has been used by Nottinghamshire Police personnel. Performance / Organisational risks / Training requirements.

222 views • 11 slides
Air Force Materiel Command Air Force Materiel Command Developing, Fielding, and Sustaining

Air Force Materiel Command Air Force Materiel Command Developing, Fielding, and Sustaining

Air Force Materiel Command Air Force Materiel Command Developing, Fielding, and Sustaining Americas Aerospace Force Implementation of Policy Requiring Systems Engineering Plans for Air Force Programs Results and Implications Kevin

402 views • 25 slides
LAVA full SPH system with: - pressure force - viscosity force - gravity force - terrain

LAVA full SPH system with: - pressure force - viscosity force - gravity force - terrain

LAVA full SPH system with: - pressure force - viscosity force - gravity force - terrain collision handling problems encountered: - density computation - parameter tuning - graphical representation SMOKE - based on a particle system -

340 views • 4 slides
Force Majeure Presentation to the School Board July 23, 2020 What is Force Majeure? Force

Force Majeure Presentation to the School Board July 23, 2020 What is Force Majeure? Force

Force Majeure Presentation to the School Board July 23, 2020 What is Force Majeure? Force majeure is a common clause in contracts that essentially frees both parties from liability or obligation when an extraordinary event or circumstance

564 views • 11 slides
I IaB = Fb = ( IaB ) b = IabB = IAB B = IA = Iab b IaB ~ = ~ B (present case:

I IaB = Fb = ( IaB ) b = IabB = IAB B = IA = Iab b IaB ~ = ~ B (present case:

Lecture 27: Magne&c Force, Torque, Circular Motor and the Hall Effect Magnetic Force: ~ B field exerts a force on the source, q ~ v ~ v ~ Nq l F = q ~ B ~ t = I l l F = I

319 views • 10 slides
Force Options and Plans Brigadier Jason Blain Director General Force Options and Plans Mr

Force Options and Plans Brigadier Jason Blain Director General Force Options and Plans Mr

Force Options and Plans Brigadier Jason Blain Director General Force Options and Plans Mr Anthony Ween Director Force Planning and Prioritisation Scope FOAP Branch Overview Force Design and Strategy Responding to Risk

292 views • 18 slides
Ind ndet etermi minat ate A Anal nalys ysis For Force M e Met ethod 1 The force

Ind ndet etermi minat ate A Anal nalys ysis For Force M e Met ethod 1 The force

Ind ndet etermi minat ate A Anal nalys ysis For Force M e Met ethod 1 The force (flexibility) method expresses the relationships between displacements and forces that exist in a structure. Primary objective of the force

638 views • 44 slides
F = ma Electricity and atoms results from the properties of the electric force The structure

F = ma Electricity and atoms results from the properties of the electric force The structure

21.1 #4: Electric charge & force Electric force : one of the fundamental forces of nature Electric charge : property that determines the strength the electric force Charge is analogous to mass for gravity But 2 kinds of electric charge:

231 views • 11 slides
May the Strong Force be with you Origin of the nucleon-nucleon force The simplest contributions to

May the Strong Force be with you Origin of the nucleon-nucleon force The simplest contributions to

May the Strong Force be with you Origin of the nucleon-nucleon force The simplest contributions to the force between nucleons, as viewed from QCD. Here, the exchange of two colored gluons causes two quarks in each nucleon to change their colors

363 views • 10 slides
USE THE FORCE, CIO! How to use the force in the cloud wisely, Or have you outsourced your

USE THE FORCE, CIO! How to use the force in the cloud wisely, Or have you outsourced your

USE THE FORCE, CIO! How to use the force in the cloud wisely, Or have you outsourced your security to the cloud? TAKE-AWAYS How-tos keeping information safe regardless of where it is Other perspectives CEO, COO, CIO, CISO,

439 views • 25 slides
Zero Traffic Fatalities Task Force Workshop #3 October 22, 2019 10:00 am 4:00 pm Task

Zero Traffic Fatalities Task Force Workshop #3 October 22, 2019 10:00 am 4:00 pm Task

Zero Traffic Fatalities Task Force Workshop #3 October 22, 2019 10:00 am 4:00 pm Task Force Introductions Name Organization Welcome Elissa Konove CalSTA Undersecretary and Task Force Chair Progr gres ess to Da Date e Task Force

580 views • 38 slides
Air Force Retraining Program Air Force Retraining Program These slides are intended for those

Air Force Retraining Program Air Force Retraining Program These slides are intended for those

Air Force Retraining Program Air Force Retraining Program These slides are intended for those Air Force members, currently serving, who are interested in retraining into the following AFSCs: 1C2X1 CCT (Combat Control) 1C4X1

402 views • 13 slides
Maximum Likelihood (ML), Expecta6on Maximiza6on (EM)

Maximum Likelihood (ML), Expecta6on Maximiza6on (EM)

Maximum Likelihood (ML), Expecta6on Maximiza6on (EM) Pieter Abbeel UC Berkeley EECS Many slides adapted from Thrun, Burgard and Fox,

495 views • 46 slides
Design and Implementa/on of a Carrier Grade So6ware Defined

Design and Implementa/on of a Carrier Grade So6ware Defined

1ST IEEE / IFIP Interna/onal Workshop on SDN Management and Orchestra/on Design and Implementa/on of a Carrier Grade So6ware Defined Telecommunica/on

604 views • 21 slides
Network Economics -- Lecture 2: Incen5ves in online

Network Economics -- Lecture 2: Incen5ves in online

Network Economics -- Lecture 2: Incen5ves in online systems I: free riding and effort elicita5on Patrick Loiseau EURECOM Fall 2014 1

885 views • 55 slides
Probe and Pray: Using UPnP for Home Network Measurements

Probe and Pray: Using UPnP for Home Network Measurements

Probe and Pray: Using UPnP for Home Network Measurements Renata Teixeira Laboratoire LIP6 CNRS and UPMC Sorbonne Universits Lucas Di Cioccio

446 views • 16 slides
Sets of Arithmetical Invariants in Transfer Krull Monoids Alfred Geroldinger Spring Central and

Sets of Arithmetical Invariants in Transfer Krull Monoids Alfred Geroldinger Spring Central and

Sets of Arithmetical Invariants in Transfer Krull Monoids Alfred Geroldinger Spring Central and Western Joint Sectional Meeting Special Session on Factorizations and Arithmetic Properties of

680 views • 41 slides
NOTE Machine Learning for NLP: New Developments and Challenges These slides are still

NOTE Machine Learning for NLP: New Developments and Challenges These slides are still

NOTE Machine Learning for NLP: New Developments and Challenges These slides are still incomplete A more complete version will be posted at a later date at: http://www.cs.berkeley.edu/~klein/nips-tutorial Dan Klein Computer Science

315 views • 18 slides
Safety Check: A Semantic Web Application for Emergency Management Yogesh Pandey Srividya K

Safety Check: A Semantic Web Application for Emergency Management Yogesh Pandey Srividya K

Semantic Big Data @ SIGMOD 2017 Safety Check: A Semantic Web Application for Emergency Management Yogesh Pandey Srividya K Bansal Arizona State University Introduction v The essen'al element of the Seman'c Web data model is a resource A

660 views • 30 slides
Using a RoboJc Arm to Assess the Variability of MoJon

Using a RoboJc Arm to Assess the Variability of MoJon

Graduate School of Information Science in Health Technische Universitt Mnchen Oral presentation at MIE 2011 Using a RoboJc Arm to Assess the Variability of MoJon Sensors Lukas

304 views • 12 slides

More recommend