the a
play

THE A AND THE P OF THE T #APT #APT # APT #APwot ADVANCED w e - PowerPoint PPT Presentation

Feb 16, 2023 •106 likes •440 views

THE A AND THE P OF THE T #APT #APT # APT #APwot ADVANCED w e dont [ d v :n :n(t) (t)st st] understand it PERSISTENT we detected it [p s st st nt nt] too late Ma Mari rion on Ma Marsc rschalek halek

  1. THE A AND THE P OF THE T

  2. #APT #APT # APT #APwot

  3. ADVANCED w e don‘t [ ə d ˈ v ɑ :n :n(t) (t)st st] understand it PERSISTENT we detected it [p əˈ s ɪ st st ə nt nt] too late

  4. Ma Mari rion on Ma Marsc rschalek halek @pinkflawd marion@cyphort.com desktopwallpaper.info

  5. A A TROJAN VIRUS TARGETED INSIDE IN Dig Digital ital THREAT THREAT AD ADWARE WARE ROOTKIT APT Thr Threa eat t WORM EXPLOIT SPYWARE Hist History ory SU SURVEILL VEILLAN ANCE CE MULTI-COMPONENT SO SOFT FTWARE ARE MALWARE http://www.hdbackgroundpoint.com

  6. A THREAT DETECTION HISTORY Source: obsoletemedia.org

  7. Your signature update. www.crane.com

  8. Virus Detection Signature Product Computer Server

  9. Checksums Byte Patterns Behavior Patterns Static / Dynamic Heuristics Whitelisting Network Streams Cloud Protection

  10. BOILS DOWN TO The binary is known. The binary is recognized. The behavior of the binary is recognized.

  11. BOILS DOWN TO KNOW KN OWLED LEDGE GE PR PRED EDICTIVE CTIVE BAS ASED ED THREAT THREAT DETECTION DETECTION

  12. NO NOT BE T BEING ING UNIQ UNIQUE UE Runtime packer trigger heuristics! Altered compiler settings don‘t ... Dynamic API resolving Character-wise string recovery http://www.dvd-ppt-slideshow.com

  13. jump table FTW FindNextFileA spot the string

  14. ON ONE B E BINA INARY TO R RY TO RULE ULE F FOR OREVER EVER Filehash-based detection Updating of binaries in irregular intervals Route traffic through local proxy

  15. ZEUS ZEUS %APP%\Uwirpa 10.12.2013 23:50 %APP%\Woyxhi 10.12.2013 23:50 %APP%\Hibyo E (DDIE) 19.12.2013 00:10 %APP%\Nezah 19.12.2013 00:10 %APP%\Afqag 19.12.2013 23:29 VASION %APP%\Zasi 19.12.2013 23:29 %APP%\Eqzauf 20.12.2013 22:23 %APP%\Ubapo 20.12.2013 22:23 %APP%\Ydgowa 20.12.2013 22:23 %APP%\Olosu 20.12.2013 23:03 %APP%\Taal 20.12.2013 23:03 %APP%\Taosep 20.12.2013 23:03 %APP%\Wokyco 16.01.2014 13:22 %APP%\Semi 17.01.2014 16:34 %APP%\Uheh 17.01.2014 16:34

  16. REPE REPETIT TITIVE A IVE ARTI RTIFAC FACTS TS File names Domain names Registry key names / value names Infiltration methods Persistence methods

  17. ENVI ENVIRO RONM NMENT ENTAL AL INS INSENS ENSITI ITIVIT VITY Might want to refuse executing in sandboxes, emulators & analyst‘s machines Potentially targeted systems usually homogeneous

  18. Only infecting Tuesdays, sorry. Or 16, 17 and 18 next month?

  19. SING SINGULA ULAR PER R PERSIST SISTENC ENCE Remember the P? Registry & service list monitored One process easy to kill MBR regularly scanned Why not do all?

  20. SEPA SEPARAT RATION ION OF LA OF LAYER YERS Runtime packers trigger heuristics! In-memory scanning identifies equal payloads Consistent evasion tricks multiply success

  21. KN KNOWN OWN SPHER SPHERES ES Remember the A? Find new battle fields Virtual machine execution Kernel land code Bootkits BIOS

  22. BATTLE FIELD you said?

  23. That moment a researcher tells you what‘s wrong with your system, an attacker is already exploiting it.

  24. Bl Black ackEnerg Energy Crimeware going APT: Sandworm Runtime Packer Malware-like startup & infiltration Driven by plugins

  25. Ha Have vex RAT used by EnergeticBear Targets ICS data, accessed via (T) EDD DDIE IE Windows COM/DCOM Standard system infiltration No protection

  26. S anatomy of a genius hack BL BLACK ACK POS Target‘s Network Los Angeles Russia

  27. Evil Ev il Bu Bunny ny FileMan/Inet PerfMon Big Boss Worker0 Manage Worker1 MainThread Worker Threads Worker2 CommandParsing Worker3 ScriptExecution

  28. 1. Unique binaries 2. Irregular updates 3. No repetitive artifacts 4. Environmental sensitivity 5. Multiple persistence techniques 6. Consistent evasion 7. Unknown spheres

  29. The A and the P of the T 1 2 3 4 5 6 7 estimated BlackEnergy 56 Mio. credit cards Havex compromised BlackPOS EvilBunny

  30. http://wall.alphacoders.com/big.php?i=318353

  31. RESOURCES • Havex - http://www.cyphort.com/windows-meets-industrial-control-systems-ics- havex-rat-spells-security-risks-2/ • BlackPOS - http://www.cyphort.com/parallels-among-three-notorious-pos- malwares-attacking-u-s-retailers/ • EvilBunny - https://drive.google.com/a/cyphort.com/file/d/0B9Mrr- en8FX4M2lXN1B4eElHcE0/view • Eddie - http://maiden-world.com/downloads/wallpaper.html

  32. Thank you! Marion Marschalek @pinkflawd marion@cyphort.com http://karmadecay.com/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

OPSEC and defense agains social engineering for devels, execs, and sart-ups @KirilsSolovjovs on

OPSEC and defense agains social engineering for devels, execs, and sart-ups @KirilsSolovjovs on

OPSEC and defense agains social engineering for devels, execs, and sart-ups @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs http://kirils.org for more Possible Security Contents Problem: Social Engineering concepts

857 views • 23 slides
Good Morning! INT1004 Computers for Business Ulrich Werner Multimedia: Text plus Why

Good Morning! INT1004 Computers for Business Ulrich Werner Multimedia: Text plus Why

Good Morning! INT1004 Computers for Business Ulrich Werner Multimedia: Text plus Why putting a focus on text? Multimedia: Text plus Discovering Computers Technology in a World of Computers, Mobile Devices, and the Internet Chapter

1.16k views • 81 slides
Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different

Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different

Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different operating systems Different vendors Client and server systems Vendors try to correct Attackers try to exploit Security professionals must

620 views • 11 slides
Kharon dataset: Android malware under a microscope Nicolas Kiss Jean-Franois Lalande Mourad

Kharon dataset: Android malware under a microscope Nicolas Kiss Jean-Franois Lalande Mourad

Kharon dataset: Android malware under a microscope Nicolas Kiss Jean-Franois Lalande Mourad Leslous Valrie Viet Triem Tong The LASER Workshop 2016 Learning from Authoritative Security Experiment Results May 26th 2016 N. Kiss & J.-F.

367 views • 18 slides
Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of Computer and Information Science Linkping University Malware Defense Agenda 2 Two lectures Lecture I : Malware basics, malware on the PC,

621 views • 40 slides
Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger

Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger

PUBLIC Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger Malware analysis Static RE with IDA pro Arme suisse EPFL 2019 2 Base daide au commandement BAC Applied Cyber Threat Intelligence

765 views • 63 slides
TraffickStop: Detecting and Measuring Illicit Traffic Monetization Through Large-scale DNS

TraffickStop: Detecting and Measuring Illicit Traffic Monetization Through Large-scale DNS

TraffickStop: Detecting and Measuring Illicit Traffic Monetization Through Large-scale DNS Analysis Baojun Liu, Zhou Li, Peiyuan Zong, Chaoyi Lu , Haixin Duan, Ying Liu, Sumayah Alrwais, Xiaofeng Wang, Shuang Hao, Yaoqi Jia, Yiming Zhang, Kai

819 views • 30 slides
Attack and defense Simona Fabrizi 1 Steffen Lippert 2 e Rodrigues-Neto 3 Jos 1 Massey University

Attack and defense Simona Fabrizi 1 Steffen Lippert 2 e Rodrigues-Neto 3 Jos 1 Massey University

Attack and defense Simona Fabrizi 1 Steffen Lippert 2 e Rodrigues-Neto 3 Jos 1 Massey University 2 University of Auckland 3 Australian National University 2nd ATE Symposium University of New South Wales Business School December, 2014 Fabrizi,

498 views • 24 slides
OBFUSCATION 1 Swizzor Present since 2002 ! AV companies receive hundreds of new binaries

OBFUSCATION 1 Swizzor Present since 2002 ! AV companies receive hundreds of new binaries

Pierre-Marc Bureau bureau@eset.sk Joan Calvet - j04n.calvet@gmail.com UNDERSTANDING SWIZZORS OBFUSCATION 1 Swizzor Present since 2002 ! AV companies receive hundreds of new binaries daily. Nice icons : Little publicly

966 views • 62 slides
AdWords: How to Make Advertising on Google Work for Your Brand Amelia Burke-Garcia, MA | Director,

AdWords: How to Make Advertising on Google Work for Your Brand Amelia Burke-Garcia, MA | Director,

AdWords: How to Make Advertising on Google Work for Your Brand Amelia Burke-Garcia, MA | Director, Center for Digital Strategy & Research, Westat Julie Yegen | Senior Digital Media Associate, Westat December 10, 2015 Case Studies Whats

386 views • 14 slides
Connecting YOU with the right customers. About Me Past SEO 2003 to Present Affiliate

Connecting YOU with the right customers. About Me Past SEO 2003 to Present Affiliate

| 2018 Connecting YOU with the right customers. About Me Past SEO 2003 to Present Affiliate Marketing 2002 - Present SEM / Ads 2003 to Present Current Jenga Digital LLC 2013 - Present Personal Born in

385 views • 20 slides
PPC Budget Management Software We provide agencies with powerful tools to take control of PPC

PPC Budget Management Software We provide agencies with powerful tools to take control of PPC

PPC Budget Management Software We provide agencies with powerful tools to take control of PPC spend THE PROBLEM Digital ad spend will grow to $330 Billion by 2021 But digital marketers are struggling to scale their organizations fast enough to

659 views • 16 slides
Budgeting and Bidding in Ad Systems: Theory and Practice Aranyak Mehta Market Algorithms,

Budgeting and Bidding in Ad Systems: Theory and Practice Aranyak Mehta Market Algorithms,

Budgeting and Bidding in Ad Systems: Theory and Practice Aranyak Mehta Market Algorithms, Google Research, Mountain View, CA. Outline Topics: 1. Budget Allocation: - Algorithms based on Online Matching - Algorithms based on Reinforcement

913 views • 48 slides
Traffic UTM Tagging AdWords WebMaster Tools UTM TAGGING Where does my traffic come from? UTM

Traffic UTM Tagging AdWords WebMaster Tools UTM TAGGING Where does my traffic come from? UTM

Traffic UTM Tagging AdWords WebMaster Tools UTM TAGGING Where does my traffic come from? UTM TAGGING www.website.com/?utm_medium=email&utm_source=newsletter&utm_campaign=12-5-2015 utm_medium utm_content utm_source

608 views • 6 slides
Preparation: warning broken users Preparation: ipv6test.google.com On the day: business as usual

Preparation: warning broken users Preparation: ipv6test.google.com On the day: business as usual

Preparation: warning broken users Preparation: ipv6test.google.com On the day: business as usual We were already serving 60% of the IPv6 Internet Technical progress A number of services became available over IPv6 Voice, talk, mobile

228 views • 10 slides
Partnership Event - 31 mei Password : Google2017 Proprietary + Confidential Welkom Richard van

Partnership Event - 31 mei Password : Google2017 Proprietary + Confidential Welkom Richard van

WiFi : Google Partnership Event Partnership Event - 31 mei Password : Google2017 Proprietary + Confidential Welkom Richard van Cleeff, Sales Acquisition Lead, Benelux Proprietary + Confidential Proprietary + Confidential Google Confidential

659 views • 36 slides
Presidents Fall Address October 1, 2014 Moores Opera House Access Affordable Relevance

Presidents Fall Address October 1, 2014 Moores Opera House Access Affordable Relevance

Presidents Fall Address October 1, 2014 Moores Opera House Access Affordable Relevance Success Fall Undergraduate Enrollment Headcount Semester Credit Hours 388,303 31,744 377,373 31,367 367,782 368,050 30,452 30,408 353,287

779 views • 56 slides
Presenters: Courtney Crowley, Digital Marketing Specialist Emily OMalley, Digital Marketing

Presenters: Courtney Crowley, Digital Marketing Specialist Emily OMalley, Digital Marketing

Presenters: Courtney Crowley, Digital Marketing Specialist Emily OMalley, Digital Marketing Specialist What is Digital Advertising? Any advertisement on the internet Banner ads SEO (search engine optimization) Social media

570 views • 19 slides
Your customers are irrational and emotional Tina Arnoldi, MA Marketing Strategist &

Your customers are irrational and emotional Tina Arnoldi, MA Marketing Strategist &

10/25/2017 Your customers are irrational and emotional Tina Arnoldi, MA Marketing Strategist & Performance Analyst 360InternetStrategy.com @ TinaArnoldi 1 2 1 10/25/2017 Which leads me to point #1... 3 No one cares

375 views • 23 slides
F1: A Distributed SQL Database That Scales Presentation by: Alex Degtiar (adegtiar@cm u.edu)

F1: A Distributed SQL Database That Scales Presentation by: Alex Degtiar (adegtiar@cm u.edu)

F1: A Distributed SQL Database That Scales Presentation by: Alex Degtiar (adegtiar@cm u.edu) 15-799 10/ 21/ 2013 What is F1? Distributed relational database Built to replace sharded MySQL back-end of AdWords system Combines

750 views • 37 slides
Economics of Peer-to-Peer Markets Jonathan Levin Stanford

Economics of Peer-to-Peer Markets Jonathan Levin Stanford

Economics of Peer-to-Peer Markets Jonathan Levin Stanford University Lear Conference July 25, 2015 1 Internet Marketplaces 2 On-Demand Services 3 Introduction Peer-to-peer

1.02k views • 25 slides
Auc2Charge: An Online Auction Framework for Electric Vehicle Park-and-Charge Qiao Xiang 1 , Fanxin

Auc2Charge: An Online Auction Framework for Electric Vehicle Park-and-Charge Qiao Xiang 1 , Fanxin

Auc2Charge: An Online Auction Framework for Electric Vehicle Park-and-Charge Qiao Xiang 1 , Fanxin Kong 1 , Xue Liu 1 , Xi Chen 1 , Linghe Kong 1 and Lei Rao 2 1 School of Computer Science, McGill University 2 General Motors Research Lab July

623 views • 26 slides
Member Updates! More Information Arizona Marketing Association

Member Updates! More Information Arizona Marketing Association

Member Updates! More Information Arizona Marketing Association Facebook.com/AZMarketingAssociation th Ask an Expert October 18 th rd Wednesda 3 rd esday y of t f the Month th Exp xper ert t Inter Interview view 7pm pm 10 G

615 views • 29 slides
Intellectual Property in the Era of Machine Learning Presented by Susan Ford of Res Nova Law

Intellectual Property in the Era of Machine Learning Presented by Susan Ford of Res Nova Law

Intellectual Property in the Era of Machine Learning Presented by Susan Ford of Res Nova Law Oregon State Bar Technology Section April 25, 2019 Artificial Intelligence General AI: a system that can perform any generalized task that is

493 views • 17 slides

More recommend