
APT1 & M-Trends 2013

APT1 & M-Trends 2013. Grady Summers. May 9, 2013.





Presentation Transcript


  1. APT1 & M-Trends 2013 Grady Summers May 9, 2013

  2. At Mandiant We Live the Headlines
  • Experts in Advanced Targeted Threats
  • Incident responders to the biggest breaches
  • We train the FBI & Secret Service
  • Our CEO wrote the book (literally) on incident response
  Our Products Are Based on Our Experience
  • Built to fill a gap for incident responders
  • We use our own products in our investigations
  • SC Magazine 2012 & 2013 “Best Security Company”
  Nationwide Presence
  • 350+ employees
  • Offices in DC, New York, LA, San Francisco, and Albuquerque

  3. Resources
  • M-Trends
  • M-Unition: blog.mandiant.com
  • Forums: Forums.mandiant.com
  • Education: Black Hat classes, custom classes, webinar series
  • Free Resources: free tools
    • Redline
    • IOC Editor
    • IOC Finder
    • Memoryze
    • Memoryze for Mac
    • Highlighter
    • Web Historian

  4. Anatomy of a Targeted Attack
  Attackers Move Methodically to Gain Persistent & Ongoing Access to Their Targets
  • Initial Compromise: social engineering; spear phishing e-mail with custom malware
  • Establish Foothold: custom malware; command and control; 3rd party application exploitation
  • Escalate Privileges: credential theft; password cracking; “pass-the-hash”
  • Internal Recon: critical system recon; system, active directory & user enumeration
  • Move Laterally: net use commands; reverse shell access
  • Maintain Presence: backdoor variants; VPN subversion; sleeper malware
  • Complete Mission: staging servers; data consolidation; data theft
  At organizations where Mandiant responded to a targeted attack in the last year, the typical attacker went undetected for 273 days.

  5. Visibility is critical
  Attack lifecycle: Initial Compromise → Establish Foothold → Escalate Privileges → Internal Recon → Move Laterally → Maintain Presence → Complete Mission
  Evidence of compromise:
  • Unauthorized Use of Valid Accounts
  • Known & Unknown Malware
  • Command & Control Activity
  • Suspicious Network Traffic
  • Files Accessed by Attackers
  • Valid Programs Used for Evil Purposes
  • Trace Evidence & Partial Files
  Of all of the compromised machines Mandiant identified in 2011, only 54% had malware on them.

  6. Inside APT 1

  7. Background
  • Monday, February 18, 2013: Mandiant released intelligence report on threat group APT1
  • Linked APT1 to PLA unit 61398
  • Provided hard evidence
  • Released 3000+ immediately actionable indicators of compromise
    • OpenIOC format
    • Malware reports
    • IPs/domain names
    • MD5s
    • SSL certificates
  • 5 minute video showing footage of the attacker in action
  • Set the bar for actionable intelligence sharing
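As an added example (not code from the talk or from Mandiant's IOC tools), the following Python evaluates an OpenIOC 1.0 indicator of the kind released with the APT1 report against artifacts collected from a host, and also illustrates slide 5's point that a compromise can be detected without a malware hash. The IOC document and its MD5, hostname and process name are constructed placeholders, not indicators from the report; the AND/OR nesting and `condition` values follow the OpenIOC 1.0 schema.

```python
import xml.etree.ElementTree as ET
NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed OpenIOC 1.0 document (placeholder values, not from the APT1 report):
# match on a placeholder MD5, OR on a DNS lookup of a placeholder C2 host seen
# together with a look-alike process name, so no file hash is required.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="EXAMPLE-0001">
  <definition>
    <Indicator operator="OR" id="i1">
      <IndicatorItem id="i2" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">00000000000000000000000000000000</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="i3">
        <IndicatorItem id="i4" condition="contains">
          <Context document="DnsEntryItem" search="DnsEntryItem/Host" type="mir"/>
          <Content type="string">c2.example.invalid</Content>
        </IndicatorItem>
        <IndicatorItem id="i5" condition="is">
          <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
          <Content type="string">svchosts.exe</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

def _item_matches(item, host):
    """Test one IndicatorItem against every observed value of its search term."""
    term = item.find("ioc:Context", NS).get("search")
    value = item.find("ioc:Content", NS).text.strip().lower()
    observed = [v.lower() for v in host.get(term, [])]
    if item.get("condition") == "is":
        return value in observed
    if item.get("condition") == "contains":
        return any(value in v for v in observed)
    raise ValueError(f"unsupported condition {item.get('condition')!r}")

def _evaluate(node, host):
    """Apply this Indicator's AND/OR operator to its (possibly nested) children."""
    results = []
    for child in node:
        if child.tag.endswith("}IndicatorItem"):
            results.append(_item_matches(child, host))
        elif child.tag.endswith("}Indicator"):
            results.append(_evaluate(child, host))
    return all(results) if node.get("operator") == "AND" else any(results)

def ioc_matches(ioc_xml, host):
    """host: dict of OpenIOC search term -> list of values collected from the host."""
    root = ET.fromstring(ioc_xml)
    return _evaluate(root.find("ioc:definition/ioc:Indicator", NS), host)
```

The second branch fires on DNS plus process evidence alone, which is the kind of match that still works after an attacker swaps binaries and parks domains, as slide 17 describes.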

  8. The People
  • ~30 core people worked on actual report
    • Threat Intelligence
    • IOCs
    • M-Labs
    • Marketing, legal, execs…
  • Significant effort to validate and consolidate data (and conduct open source research) under tight deadline
  • Though the “surge” was intense, it was made possible by 7 years of previous research

  9. Why?
  • Prolific
  • Volume of data stolen
  • Comprehensive understanding of tools, tactics, and procedures
  • Example of actionable information sharing
  • The timing felt right
  • Traffic Light Protocol (TLP): Green indicator disclosure
  • Not as intel-sensitive as other groups

  10. APT 1 – Targets by Industry

  11. APT 1 – Victims by Country

  12. APT 1 – Impact

  13. APT 1 – Command and Control Infrastructure

  14. Criticisms
  • We’ve received lots of it!
  • Why do you always pick on China?!
  • Focusing on the country of origin is the wrong issue
  • Don’t focus on the attacker, focus on your defenses
  • Mandiant disclosed sensitive intel and ruined intelligence operations
  • Publicity stunt

  15. Accuracy
  • CNN video shows military chasing CNN vehicle near the building while filming: https://www.youtube.com/watch?v=yG2ezzLHSD0
  • Sen. Feinstein, Chairman, Senate Intelligence Committee: “I read the Mandiant report. I've also read other reports, classified out of Intelligence, and I think the Mandiant report, which is now unclassified, it's public, is essentially correct.” http://thehill.com/blogs/global-affairs/terrorism/284721-intel-chairwoman-report-on-chinas-cyber-war-unit-essentially-correct

  16. Accuracy – Netizen Research
  • DOTA phone number discovered used in 2009 for apartment rental, 600 feet from unit 61398.
  • SuperHard_M (aka Mei Qiang) likely studied at famous PLA Information Engineering University in 2005.
  • 2004 recruitment notice on Zhejiang University website advertising for “Unit 61398 of China’s PLA (located in Pudong District, Shanghai) seeks to recruit 2003-class computer science graduate students.”
  • LA Times found blog of possible 61398 worker: http://lat.ms/12OATUY
  Source: https://www.mandiant.com/blog/netizen-research-bolsters-apt1-attribution

  17. APT1 – Reaction after a week
  • Monday 2/18 – Business as usual
    • Report is released at 10 PM EST (11 AM CST)
  • Tuesday 2/19 – Clear signs of action plan being invoked
    • Domains getting parked
    • WHOIS registry getting changed
    • Backdoor/tools removed
    • Staging/working directories cleared
    • New backdoors implanted (leverage public communications channels: hotmail/gmail/MSN)
    • MACROMAIL malware from APT1 report
  • Today: many indicators changed, but otherwise business as usual

  18. APT1 vs. APT12
  • NY Times disclosed internal name APT12
  • Tools:
    • APT1 – WEBC2, public communication channels, noisy
    • APT12 – DNS calc, cmdline backdoors, more stealthy
  • Data theft:
    • APT1 – everything
    • APT12 – discriminating
  • Skill:
    • APT1 – good enough, large range of skillsets
    • APT12 – more skilled
  • Industries targeted:
    • APT1 – everything
    • APT12 – satellite, crypto, media

  19. M-Trends 2013

  20. Targeted industries

  21. Compromise Detection

  22. Dwell Time

  23. Trend #1 – Outside In
  • When targeted organizations increase their prevention and detection capability, weaker service providers and partners become targets
  • Mandiant investigated several organizations that had been compromised through 3rd party connections
  • 15% of victims in 2012 were notified by a service provider

  24. Trend #2 – ‘X’ Marks the Spot
  • Attacks are becoming more surgical in nature: immediately targeting administrators for network diagrams and sensitive asset lists
  • Change from historical reliance on internal network reconnaissance
  • One victim had followed all the necessary precautions to protect their financial information, yet attacks against system administrators yielded the data needed to breach the environment

  25. Trend #3 – Once a Target, Always a Target
  • Though long known anecdotally, Mandiant measured repeat victimization in 2012
  • 38% of victims were re-compromised within the year
  • Reminder that persistence means constant attempts at re-compromise until the mission is accomplished

  26. Trend #4 – Strategic Web Compromise
  • Mandiant observed frequent use of strategic web compromises, or “watering hole attacks,” over the last year
  • Financial institutions attacked via Java exploits on local news web sites
  • Energy companies compromised through an industry portal
  • Significant collateral damage
