portable passive detection of advanced persistent threats
play

Portable Passive Detection of Advanced Persistent Threats APT - PowerPoint PPT Presentation

Oct 21, 2023 •22 likes •342 views

Portable Passive Detection of Advanced Persistent Threats APT Catcher Author: Guido Kroon Supervisors: Marco Davids, Christian Hesselman (SIDN) About Advanced Persistent Threats Advanced Persistent Threat (APT) [2]; Highly skilled and

  1. Portable Passive Detection of Advanced Persistent Threats APT Catcher Author: Guido Kroon Supervisors: Marco Davids, Christian Hesselman (SIDN)

  2. About Advanced Persistent Threats • Advanced Persistent Threat (APT) [2]; • Highly skilled and well-resourced [17]; • Long duration of attack (months, years) [12][17]; • Specific motives, such as [12]; – Intelligence gathering; – Financial enrichment; • Not your average script kiddie. 1/23

  3. Examples of Advanced Persistent Threats • Operation Aurora (2010) - Source code theft of high profile targets, such as Google, Adobe and organisations in the defence and and financial sectors [19]; • Stuxnet (2010) - Israeli/United States joint effort, a computer worm specifically developed to attack the nuclear power programme in Iran [8]; • Operation Shady RAT (2011) - A large scale attack, targeted at more than 70 global companies, governments, and non-profit organisations for at least five years [1]; • Belgacom breach (2013) - The GCHQ breached Belgacom and had access to customer data, including encrypted and unencrypted streams of private communications [6]. 2/23

  4. Research questions Main research question Can a portable, passive Advanced Persistent Threat (APT) Catcher be designed to be easily deployed on the network which detects the presence of potential APTs? Sub-questions • What are the quantifiable characteristics of an APT? • What methods are available to passively detect the presence of an APT? • Can a prototype be designed to be deployed in an easy and feasible manner on the network to detect the presence of APTs? 3/23

  5. Modus operandi I Kill Chain [12] Giura et al. [7] Zero Entry Hacking [5] 1 Reconnaissance Reconnaissance Reconnaissance 2 Development Delivery Scanning 3 Weaponisation Exploitation Exploitation 4 Delivery Operation Post exploitation and maintaining access 5 Exploitation Data collection 6 Installation Exfiltration 7 Command & Control 8 Actions on objective Table: Several procedure models, which show a similar modus operandi. 4/23

  6. Modus operandi II Figure: Attack pyramid [7]. 5/23

  7. Characteristics of the APT I A typical APT has the following (non-exhaustive) characteristics [4][12][17][18]: • Inquisitive : a strong desire to know as much as possible about the target. Lower hanging fruit would move to a new target when bored; • Stealthy approach : circumventing all kinds of security controls to avoid detection. This also involves removing traces; • Preparation : premeditated plan of execution by using newly acquired information; • Infiltration : exploiting an asset to gain a foothold into the target. This may also involve social engineering (e.g. spear-phishing); 6/23

  8. Characteristics of the APT II • Resourceful : the APT is known for its sophisticated and custom designed attacks, such as self-built malware; • Exfiltration : stealing as much confidential information as possible. The APT may use strong encryption to conceal the data being exfiltrated; A natural born spy The APT is a natural born spy that will stop at nothing to remain undetected, while carrying out its objective. 7/23

  9. Detecting the APT I • During active network scanning; • During passive network scanning; • During port scanning. 8/23

  10. Detecting the APT II • Host Intrusion Detection System (HIDS) (out of project scope); – OSSEC; – AIDE; – Samhain; • Network Intrusion Detection System (NIDS); – Signature Based IDS (SBS); – Anomaly Based IDS (ABS). 9/23

  11. Detecting the APT III • Examples of NIDSs; – Snort - Most popular open source SBS NIDS, developed since 1998. Large community, with frequent signature updates [15]; – Suricata - Open source SBS NIDS with multi-threading, hardware acceleration, IP reputation system, developed since 2009. Compatible with Snort rules 1 , as well as their own rules 2 [ 14 ][ 16 ]; – Sagan - Open source SBS NIDS / SIEM developed since 2011. Multi-threading support and has its own ruleset [13]; – Bro - Advanced open source ABS NIDS, with behavioural network analysis, and its own script language to write detection parameters [3]; – PSAD - Open source SBS NIDS. Scans iptables logs for suspicious behaviour [9]. 1 The Talos ruleset (formerly VRT) 10/23 2 Emerging Threats Suricata ruleset

  12. Designing the APT Catcher I • Client/server architecture; – Sensor (prototype); – Aggregator. Figure: Client / server architecture. 11/23

  13. Designing the APT Catcher II Figure: A more detailed overview of the APT Catcher within a network infrastructure. 12/23

  14. Designing the APT Catcher III Figure: A new separate network for the sensors and the aggregator. Events are now sent exclusively over this network. 13/23

  15. The sensor • Portable; • Heterogeneous detection with multiple sensors; • Working prototype on a Raspberry Pi 3, using Docker. Single board computer Raspberry Pi 3 Processor 1.2 GHz 64-bit quad-core ARM Cortex- A53 Memory 1 GB (shared with GPU) NIC 10/100 Mbit/s Ethernet Operating System Raspbian Jessie Lite [11] Software Docker v1.11, Unbound v1.5.9 Table: Raspberry Pi 3 prototype running Raspbian with Docker. 14/23

  16. The sensor prototype Docker container equipped with the following: Base image resin/rpi-raspbian [10] Operating System Raspbian Jessie Lite [11] NIDS Software Bro v2.4.1, PSAD v2.2.3, Snort v2.9.7.0 and Suricata v3.1. Miscellaneous tools netsniff-ng v0.6.1, Nmap v7.12, tcpdump v4.7.4 and TShark v2.0.4. Table: Custom built Raspberry Pi 3 sensor container running Raspbian using Docker. 15/23

  17. The aggregator • Collects alarms of the sensors; • Some dashboards already exist for several NIDSs; • No dashboard exists which aggregates all alarms from all NIDSs. 16/23

  18. Field testing • Measurements taken with Monitorix; • Measured performance of NIDSs running in the container; • Measured performance of an attack simulation. 17/23

  19. Field testing - Bro Figure: System load when Bro is running inside the APT Catcher sensor Docker container. 18/23

  20. Field testing - Snort Figure: System load when Snort is running inside the APT Catcher sensor Docker container. 19/23

  21. Field testing - Suricata Figure: System load when Suricata is running inside the APT Catcher sensor Docker container. 20/23

  22. Demonstration 21/23

  23. Conclusion • The APT is increasingly sophisticated, patient and stealthy; • Detection of the APT causes a paradigm shift in defence strategies; – Don’t just expect the threat at your door; – Expect them already in your home; • The portable APT Catcher helps to detect such threats, in your home, continuously. 22/23

  24. Questions? ? 23/23

  25. Bibliography I [1] Dmitri Alperovitch et al. Revealed: operation shady RAT , volume 3. McAfee, 2011. [2] Beth Binde, Russ McRee, and Terrence J O’Connor. Assessing outbound traffic to uncover advanced persistent threat. SANS Institute. Whitepaper , 2011. [3] Bro. About Bro and the Bro Project. https://www.bro.org/documentation/faq.html , 2016. [Online; accessed 25-July-2016]. 1/8

  26. Bibliography II [4] Terry Cutler. The Anatomy of an Advanced Persistent Threat. http://www.securityweek.com/ anatomy-advanced-persistent-threat , 2010. [Online; accessed 5-July-2016]. [5] Patrick Engebretson. The basics of hacking and penetration testing: ethical hacking and penetration testing made easy , chapter 1, pages 14–18. Elsevier, 2013. 2/8

  27. Bibliography III [6] Ryan Gallagher. The Inside Story of How British Spies Hacked Belgium’s Largest Telco. https://theintercept.com/2014/12/13/ belgacom-hack-gchq-inside-story/ , 2016. [Online; accessed 01-August-2016]. [7] Paul Giura and Wei Wang. A context-based detection framework for advanced persistent threats. In Cyber Security (CyberSecurity), 2012 International Conference on , pages 69–74. IEEE, 2012. 3/8

  28. Bibliography IV [8] Ralph Langner. Stuxnet: Dissecting a cyberwarfare weapon. IEEE Security & Privacy , 9(3):49–51, 2011. [9] Michael Rash. psad: Intrusion Detection and Log Analysis with iptables. http://cipherdyne.org/psad/ , 2016. [Online; accessed 25-July-2016]. [10] Raspbian. Base image for the Raspberry Pi. https://hub.docker.com/r/resin/rpi-raspbian/ , 2016. [Online; accessed 25-July-2016]. 4/8

  29. Bibliography V [11] Raspbian. Download Raspbian for Raspberry Pi. https://www.raspberrypi.org/downloads/raspbian/ , 2016. [Online; accessed 25-July-2016]. [12] Dell SecureWorks. Advanced Threat Protection with Dell SecureWorks Security Services. http://www.secureworks.com/assets/pdf-store/ white-papers/wp-advanced-threat-protection.pdf , 2016. [Online; accessed 27-June-2016]. 5/8

  30. Bibliography VI [13] Quadrant Information Security. Sagan. https: //quadrantsec.com/sagan_log_analysis_engine/ , 2016. [Online; accessed 25-July-2016]. [14] Eric Smith. Snort vs Suricata. http://wiki.aanval.com/wiki/Snort_vs_Suricata , 2016. [Online; accessed 25-July-2016]. 6/8

  31. Bibliography VII [15] Snort. Snort FAQ/Wiki. https://www.snort.org/faq , 2016. [Online; accessed 25-July-2016]. [16] Suricata. Complete list of Suricata Features. https://suricata-ids.org/features/all-features/ , 2016. [Online; accessed 25-July-2016]. [17] Colin Tankard. Advanced persistent threats and how to monitor and deter them. Network security , 2011(8):16–19, 2011. 7/8

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cyber@UC Meeting 68 Advanced Persistent Threats If Youre New! Join our Slack:

Cyber@UC Meeting 68 Advanced Persistent Threats If Youre New! Join our Slack:

Cyber@UC Meeting 68 Advanced Persistent Threats If Youre New! Join our Slack: cyberatuc.slack.com (URL changed!) SIGN IN! (Slackbot will post the link in #general every Wed@6:30) Feel free to get involved with one of our committees:

484 views • 13 slides
Unicorn Runtime Provenance-Based Detector for Advanced Persistent Threats Thomas Pasquier

Unicorn Runtime Provenance-Based Detector for Advanced Persistent Threats Thomas Pasquier

Unicorn Runtime Provenance-Based Detector for Advanced Persistent Threats Thomas Pasquier Xueyuan Han, James Mickens University of Bristol Harvard University Adam Bates Margo Seltzer University of Illinois at Urbana-Champaign University of

5.31k views • 21 slides
Mitigating threats associated with your TLD Moving from passive, complaints-based

Mitigating threats associated with your TLD Moving from passive, complaints-based

Mitigating threats associated with your TLD Moving from passive, complaints-based ac6on to pro-ac6ve measures Primary Goal : To iden6fy and take ac6on against domains

195 views • 5 slides
PC PORTABLE PC PORTABLE PC PORTABLE Introducing the PC Portable Lamp, one of a range of

PC PORTABLE PC PORTABLE PC PORTABLE Introducing the PC Portable Lamp, one of a range of

PC PORTABLE PC PORTABLE PC PORTABLE Introducing the PC Portable Lamp, one of a range of new light fjxtures based on Pierre Charpins original PC Task Light, a HAY classic. Like its predecessor, the PC Portable hides its engineering

271 views • 15 slides
X5 Portable Ultrasound New Product Release FDA Approved December 2016 ADVANCED FEATURES

X5 Portable Ultrasound New Product Release FDA Approved December 2016 ADVANCED FEATURES

Introducing the new Sonoscape www.enterpriseultrasound.com X5 Portable Ultrasound New Product Release FDA Approved December 2016 ADVANCED FEATURES IMPROVED IMAGING LAPTOP, COMPACT STYLE PORTABLE Color Doppler Portable Ultrasound

359 views • 9 slides
Using Bro to Hunt Persistent Threats Benjamin H. Klimkowski United States Military Academy 13

Using Bro to Hunt Persistent Threats Benjamin H. Klimkowski United States Military Academy 13

Using Bro to Hunt Persistent Threats Benjamin H. Klimkowski United States Military Academy 13 September 2017 Agenda 1. Goals 2. Definitions 3. Motivating problem 4. Approach 5. How Cobalt Strike works 6. Traffic analysis 7.

821 views • 59 slides
Detecting Advanced Network Threats Using a Similarity Search AIMS 2016 Wednesday 22 nd June, 2016

Detecting Advanced Network Threats Using a Similarity Search AIMS 2016 Wednesday 22 nd June, 2016

Detecting Advanced Network Threats Using a Similarity Search AIMS 2016 Wednesday 22 nd June, 2016 Milan ermk Pavel eleda State of the Art of Network Data Analysis Methods classification based on the detection approach Statistical Soft

215 views • 17 slides
Portable Document Format (PDF) Security Analysis and Malware Threats Alexandre Blonce - Eric

Portable Document Format (PDF) Security Analysis and Malware Threats Alexandre Blonce - Eric

Portable Document Format (PDF) Security Analysis and Malware Threats Alexandre Blonce - Eric Filiol 1 - Laurent Frayssignes Army Signals Academy - Virology and Cryptology Laboratory About Author(s) Eric Filiol is Head Scientist Officer of the

474 views • 20 slides
Development of In-field Portable Sensor for Detection of Phosphates and Heavy Metals in

Development of In-field Portable Sensor for Detection of Phosphates and Heavy Metals in

Development of In-field Portable Sensor for Detection of Phosphates and Heavy Metals in Everglades Water Systems. Presented by: Shradha Prabhulkar Nanobioengineering/Bioelectronics Lab Biomedical Engineering Department Florida International

543 views • 15 slides
Cyber Kill Chain Jay Chen, Ruben Ocana, Senna Alsadam, Andrew Shi Modern Security Threats

Cyber Kill Chain Jay Chen, Ruben Ocana, Senna Alsadam, Andrew Shi Modern Security Threats

Cyber Kill Chain Jay Chen, Ruben Ocana, Senna Alsadam, Andrew Shi Modern Security Threats New class of threat actors called Advanced Persistent Threat (APT) Data compromised for economic or military advancement Conventional

701 views • 32 slides
Understanding Cyber Risks and Security Options The Spectrum of Cyber Attacks Advanced

Understanding Cyber Risks and Security Options The Spectrum of Cyber Attacks Advanced

Understanding Cyber Risks and Security Options The Spectrum of Cyber Attacks Advanced Persistent Threats (APT) Cybercriminals, Exploits and Malware Denial of Service attacks (DDoS) Domain name hijacking Corporate

347 views • 13 slides
DEEP PACKET INSPECTION AND VISUAL ANALYTICS More Info: www.bramcappers.nl 1 of 5 Advanced

DEEP PACKET INSPECTION AND VISUAL ANALYTICS More Info: www.bramcappers.nl 1 of 5 Advanced

Bram C.M. Cappers Jarke J. van Wijk b.c.m.cappers@tue.nl j.j.v.wijk@tue.nl SEMANTIC NETWORK TRAFFIC ANALYSIS USING DEEP PACKET INSPECTION AND VISUAL ANALYTICS More Info: www.bramcappers.nl 1 of 5 Advanced Persistent Threats (APTs)

240 views • 5 slides
Vehicle to Pavement Passive Sensing for AV Lateral Position Detection Jeff Roesler, PhD, PE

Vehicle to Pavement Passive Sensing for AV Lateral Position Detection Jeff Roesler, PhD, PE

Vehicle to Pavement Passive Sensing for AV Lateral Position Detection Jeff Roesler, PhD, PE Sachindra Dahal, PhD Candidate Department of Civil and Environmental Engineering University of Illinois at Urbana Champaign September 29, 2020

474 views • 34 slides
The theory and applications of persistent homology Ippei Obayashi Center for Advanced

The theory and applications of persistent homology Ippei Obayashi Center for Advanced

The theory and applications of persistent homology Ippei Obayashi Center for Advanced Intelligence Project (AIP), RIKEN Advanced Institute for Materials Research (AIMR), Tohoku University Nov. 5, 2018 I. Obayashi (AIP, Riken) Theory and

429 views • 38 slides
Standards for Biothreat Detection Standards Development in Response to Terrorism Threats ANSI

Standards for Biothreat Detection Standards Development in Response to Terrorism Threats ANSI

Standards for Biothreat Detection Standards Development in Response to Terrorism Threats ANSI Homeland Security Standards Panel Tenth Annual Plenary Meeting: Achievements from the Past Decade and Charting the Path Forward November 9, 2010

385 views • 12 slides
Advanced Tools from Modern Cryptography Lecture 5 Secure Multi-Party Computation: Passive

Advanced Tools from Modern Cryptography Lecture 5 Secure Multi-Party Computation: Passive

Advanced Tools from Modern Cryptography Lecture 5 Secure Multi-Party Computation: Passive Corruption MPC: Honest-Majority + Passive-Corruption Can achieve information-theoretic security for any function Function should be given as an

573 views • 15 slides
Swedish Government Mandate Electronically structured coded PI Swedish (human+veterinary) Kim

Swedish Government Mandate Electronically structured coded PI Swedish (human+veterinary) Kim

Swedish Government Mandate Electronically structured coded PI Swedish (human+veterinary) Kim Sherwood, QRD delegate PI assessor Swedish Medical Products Agency Pre study: 2018 Project start: 2020? Possibilities for new formats. Content

216 views • 6 slides
Pi Shaped Officers: Developing Naval Officers to Lead in the Converged Cyberspace and

Pi Shaped Officers: Developing Naval Officers to Lead in the Converged Cyberspace and

Pi Shaped Officers: Developing Naval Officers to Lead in the Converged Cyberspace and Electromagnetic Spectrum Domains LCDR Brian Schulz 29 APRIL 2016 The views and opinions expressed here are the authors alone and do not reflect the views

747 views • 19 slides
Efficient Parallel Partition based Algorithms for Similarity Search and Join with Edit Distance

Efficient Parallel Partition based Algorithms for Similarity Search and Join with Edit Distance

Motivation Our Approach Experiment Efficient Parallel Partition based Algorithms for Similarity Search and Join with Edit Distance Constraints Yu Jiang, Dong Deng, Jiannan Wang, Guoliang Li, and Jianhua Feng Tsinghua University Similarity

536 views • 50 slides
Onion Pi Turning a Raspberry Pi into a Tor Access Point Disclaimer Any opinions presented in

Onion Pi Turning a Raspberry Pi into a Tor Access Point Disclaimer Any opinions presented in

Onion Pi Turning a Raspberry Pi into a Tor Access Point Disclaimer Any opinions presented in this talk by the presenter do not in any way represent an official endorsement of these opinions by Freeside Technology Spaces, Inc., nor is intended

418 views • 8 slides
The 2.8 Mill Permanent Improvement Levy Renewing Our Communitys Commitment to School

The 2.8 Mill Permanent Improvement Levy Renewing Our Communitys Commitment to School

The 2.8 Mill Permanent Improvement Levy Renewing Our Communitys Commitment to School Facilities What Is a Permanent Improvement Levy? Ohio Revised Code 5705.01 outlines the allowable use of funds from a Permanent Improvement (P.I.) Levy:

352 views • 13 slides
Leveraging HPX on a Raspberry Pi Cluster Jesse Goncalves, Seattle University Mentor: Dr.

Leveraging HPX on a Raspberry Pi Cluster Jesse Goncalves, Seattle University Mentor: Dr.

Leveraging HPX on a Raspberry Pi Cluster Jesse Goncalves, Seattle University Mentor: Dr. Hartmut Kaiser, Louisiana State University Background What is HPX? What was my project? How might my project contribute to HPX? Process Write a serial

316 views • 9 slides
Sponsored Programs & Research Services PI Guidance for New Awards Teri Kocevar , CRA

Sponsored Programs & Research Services PI Guidance for New Awards Teri Kocevar , CRA

Sponsored Programs & Research Services PI Guidance for New Awards Teri Kocevar , CRA Director, SPRS Phone: (216) 687-3675 Email: m.kocevar@csuohio.edu Website: http://www.csuohio.edu/sprs/ Last Updated: May 2018

369 views • 11 slides
INVESTOR PRESENTATION June 2017 Certain statements made in this presentation may not be based on

INVESTOR PRESENTATION June 2017 Certain statements made in this presentation may not be based on

INVESTOR PRESENTATION June 2017 Certain statements made in this presentation may not be based on historical information or facts and may be forward looking statements, including those relating to general business plans and strategy of PI

530 views • 21 slides

More recommend