SlideShare ist ein Scribd-Unternehmen logo

Apt presso good to learn

Fajar Isnanto
Fajar Isnanto
Technologie
1 von 50
Downloaden Sie, um offline zu lesen
The Advanced Persistent Threat   (or Informa5onized Force Opera5ons)  Michael K. Daly  November 4, 2009 
What is meant by Advanced, Persistent Threat?    Increasingly sophis5cated cyber aIacks by hos5le  organiza5ons with the goal of:    Gaining access to defense, financial and other targeted  informa5on from governments, corpora5ons and  individuals.    Maintaining a foothold in these environments to enable  future use and control.    Modifying data to disrupt performance in their targets.  APT: People With Money Who Discovered That Computers Are Connected 
APT in the News  A Broad Problem Affec5ng Many Na5ons and Industries 
Is this a big deal?  Is it new?    Yes, this is a very big deal.    If “it” is the broad no5on  of theW, spying, social   engineering and bad stuff,  then No, it is definitely not new.    However, it is new (~2003) that na5on states  are widely leveraging the Internet to operate  agents across all cri5cal infrastructures.  APT ac5vity is leveraging the expansion of the greater system of systems 
I’m not in the military.    Why do I care?  “[APT] possess the targeting competence to identify specific users in a unit or organization based on job function or presumed access to information. [APT] can use this access for passive monitoring of network traffic for intelligence collection purposes. Instrumenting these machines in peacetime may enable attackers to prepare a reserve of compromised machines that can be used during a crisis. [APT] … possess the technical sophistication to craft and upload rootkit and covert remote access software, creating deep persistent access to the compromised host and making detection extremely difficult. An “upstream” attack on … civilian networks … has potential for great impact and is potentially easier against smaller companies that often lack the resources or expertise for sophisticated network security and monitoring.” **  Shipping, Finance, Energy, Water, … The En5re Supply Chain is at Risk  ** Capability of the People’s Republic of China to Conduct Cyber Warfare  and Computer Network Exploita5on,  Prepared for The US‐China Economic  and Security Review Commission, October 2009. 
Are we paying aIen5on  Google Trends: “Your terms ‐ advanced persistent threat   ‐ do not have enough search volume to show graphs.” 
OK, give me a prac5cal example  The “classic” case is:    Employee Bob gets an email with an aIachment,  so he opens it.    The aIachment opens, and is typically either  irrelevant, or a copy of some other message he  got a while back, or not even the topic of the  message.  Bob closes it and goes back to his  coffee.    His computer is now running a Trojan applica5on  that connects to a site on the Internet that is  used by bad guys to control his computer.  Socially Engineered Emails 
A “case study”  Bad Guy Searches the  USENIX Site. 
A “case study”  Bad Guy downloads  the LISA Agenda. 
A more specific example  Bad Guy adds a Trojan  to the Agenda PDF. 
A more specific example  Bad Guy sends the Trojanized PDF   to selected aIendees. 
A more specific example  Bob opens the  Agenda PDF.  Note: This image is  not really Bob ;‐) 
A more specific example  (Not this obvious)  Bob’s PC starts  “beaconing” that  it is available. 
A more specific example  Bob’s PC is used to harvest  data from all his  coworkers. 
Actual messages from last week  Adobe Acrobat is by far the most targeted applica5on this year. 
What happens when they are opened  Look at the preIy bear.  Don’t look at your proxy logs. 
A bit more about APT Trojans    Mul5ple means of command and control allow the adversary to persist  even when defensive ac5ons are taken    Mul5ple malware installa5ons;     Mul5ple C2 des5na5ons    Off‐Net use allows adversaries to change tac5cs while outside your view  and control    VPN Malware    Off‐Network updates    0‐Day AIack Vectors    Uniquely compiled for you    Avoids AV detec5on  AIack in Depth 
What kinds of aIachments    Adobe Acrobat is   increasing    No surprises –  these’re the  apps we use.    “Why has it changed?   Primarily because there   has been more vulnerabili5es   in Adobe Acrobat/Reader than in   the MicrosoW Office applica5ons.” – F‐Secure  hIp://www.f‐secure.com/weblog/archives/00001676.html  Patching Is Not Keeping Up With Current APT TTP’s 
HTTP Vector    Hacked sites redirec5ng to exploits    www.ned.org    www.elec5onguide.org    aceproject.org    www.ifes.org    Serving 3 exploits    SWF on FF 0‐day    SWF on IE 0‐day    MSVIDCTL Vulnerability  Not All Bad Stuff Comes Via The Mail … Some5mes we seek it out. 
Analyzing Malicious PDF  AV Detec9on of Malicious PDF Documents  (McAfee‐GW‐Edi5on)  (An5Vir)  (Sophos)  (BitDefender)  (GData)  (Avast)  (Symantec)  (a‐squared)  (McAfee)  (Ikarus)  (McAfee+Artemis)  (Kaspersky)  (NOD32)  (F‐Secure)  (MicrosoW)  (TrendMicro)  (For5net)  0%  10%  20%  30%  40%  50%  60%  70%  80%  AV Detec5on of Malicious PDFs Has Been Very Poor 
Common PDF Exploits  CVE Name First Used Discovered Patched Gap 2007-5659 collectEmailInfo() (JS) 1/1/2008 2/6/2008 2/7/2008 37 2008-2992 Util.printf() (JS) 11/5/2008 11/5/2008 11/4/2008 -1 2009-0658 JBIG2* 1/15/2009 2/13/2009 3/24/2009 68 2009-0927 getIcon() (JS) 4/9/2009 4/9/2009 3/24/2009 -16 2009-1492 getAnnots() (JS) 6/4/2009 6/4/2009 5/12/2009 -23 2009-1862 SWF* 7/15/2009 7/15/2009 7/31/2009 16 2009-3459 Heap Corruption* 9/23/2009 10/1/2009 10/13/2009 20 Days Between First Use and Patch  Users  ? Patched?  ? Users  Patched?  ‐30  ‐20  ‐10  0  10  20  30  40  50  60  70  Occasional Lag to Discovery – Consistent Lag to Remedia5on 
JBIG2 Timeline  More Than 2 Months from First Known Offensive Use to Patch Availability 
JBIG2 Dissec5on  What did Bad Guy do to the PDF?    Object 3 is first to launch, in this case.    It has an OpenAc'on to go to Object 2.    Object 2 fills memory with code that  leads to Object 7.    Object 7 contains the executable that  gives you a bad day.    The red colored areas are indicators  you can use to find similar documents.  Automated Tools Are Available To Help Our Bad Guy Insert the Executable 
Cool Tool to Help Find Stuff  Yara    Simple and correlated rules    Ascii, binary, regex, wildcards  rule HIGH_PDF_Flash_Exploit { strings: $a = "%PDF-1." $j = "(pop056swf)" $k = "(pushpro056swf)" $b = "( a.swf)" condition: ($a at 0) and ($j or $k or $b) } hIp://code.google.com/p/yara‐project/ 
Trojans Commonly Delivered in Email    Opening of the malicious aIachment may have no visual  indicators    Some poorly created documents will “crash” and reopen    Others will briefly close   and reopen    In rare cases, the   computer may “freeze”    AIackers embed   relevant content to be  displayed aWer infec5on    .WRI    .PDF    .SCR  Using Your Own Content Against You 
Typical malware workflow    Checks to see if it already  infected you    Delay for a bit so you don’t  associate its behavior with the  opening of the aIachment    Download other junk    Keep checking back for more  commands or control requests  Ini5ates Connec5on from Inside 
Gh0stNet, a good example of APT  APT with a Poli5cal Mission: Tracking the Dalai Lama and Tibetan Exiles 
Gh0st RAT and Poison Ivy RAT    Gh0st RAT is published by Red Wolf Group    Key logger can record the informa5on in  English and Chinese    Remote Terminal Shell    System management process management,  window management    Video View ‐ View a remote camera,  snapshot, video, compression and other  func5ons ...    Voice monitoring ‐ remote monitoring of  voice, but also the local voice can be  transmiIed to the remote, voice chat,  GSM610 compression    Session management off, restart,  shutdown, uninstall the server    Specify the download URL, hide or display  access to the specified URL, clear the  system log    Cluster control can simultaneously control  mul9ple hosts at the same 5me  Remote Administra5on Tools 
So, who are some of these people    General Staff Department Fourth Department    The GSD’s decision in 2000 to promote Dai  Qingmin to head the 4th Department—veyng his  advocacy of the integrated network‐electronic  warfare (INEW) strategy—likely further  consolidated the organiza5onal authority for the  IW—and the CNA mission specifically—in this  group. Dai’s promo5on to this posi5on suggests  that the GSD probably endorsed his vision of  adop5ng INEW as the PLA’s IW strategy.  Remember, China is just one country we can talk about due to Open Source  ** Capability of the People’s Republic of China to Conduct Cyber Warfare  and Computer Network Exploita5on,  Prepared for The US‐China Economic  and Security Review Commission, October 2009. 
Leveraging the private sector    PLA Informa5on Warfare Mili5a Units    Since approximately 2002, the PLA has been  crea5ng IW mili5a units comprised of personnel  from the commercial IT sector and academia, and  represents an opera5onal  nexus between PLA   Computer Network  Opera5ons and Chinese  civilian informa5on  security professionals.  Strong organiza5on, bolstered by internal compe55on  ** Capability of the People’s Republic of China to Conduct Cyber Warfare  and Computer Network Exploita5on,  Prepared for The US‐China Economic  and Security Review Commission, October 2009. 
Further private sector ac5vity    Individuals, or possibly groups, engaged in computer network  exploita9on against US networks have obtained malicious  so=ware developed by Chinese underground or black hat  programmers.     In one demonstrated instance, black hat programmers affiliated  with Chinese hacker forums provided malicious soWware to  intruders targe5ng a US commercial firm in early 2009. The  techniques and tools employed by this group or individual are  similar to those observed in previous penetra5on aIempts against  this same company in the previous year, according to their forensic  analysis.    Forensic analysis also suggests this group is comprised of mul9ple  members of varying skill levels, opera5ng with fixed schedules and  standard opera5ng procedures and is willing to take detailed steps  to mask their ac5vi5es on the targeted computer.  Cross‐pollina5on of tac5cs, techniques and procedures  ** Capability of the People’s Republic of China to Conduct Cyber Warfare  and Computer Network Exploita5on,  Prepared for The US‐China Economic  and Security Review Commission, October 2009. 
APT Tac5cs, Techniques & Procedures  A‐Team  B‐Team  More senior?   Malware writers?  www.hackedsite2.com  Beaconing  RDP &  Data  www.hackedsite1.com  & Latching  Other  transfer  Agent  Download  Command  Command  & Install  & Control;  & Control;  Data  Agent  Agent  transfer  transfer  transfer  Data  Foothold  Intermediary  Transfer  Host  Host  Host  Host  Stage 0 Stage 1 Stage 2 Stage 3 Infec5on Generate   Setup  Data  Intermediaries Relay Agents Exfiltra5on
VPN Client Shimming  Index  File Name  Func9onality  A  netSvc32.exe  Remote Access; File Transfer; NTLAN Manager Hashing  B  00000000.exe  Packed  C  00000001.exe  Packed  D  00000002.exe  TCP Connec5on Filtering; Raw Packet TX to NDIS Driver & VPN Driver  E  00000003.exe  Malware Loading and Injec5on  F  00000004.exe  Same as specimen D without appended binaries  G  Fsvsda.dll  Unpacked specimen B; Remote Access; File TX; Remote Shell Execu5on  H  Fsvsda.sys  TCP Obfusca5on; Disable detec5on by netstat.exe  Example:  Specimen A ‐ netSvc32.exe     Variant of a known malware family.    Backdoor    Generates NT LanManager hashes     Ability to launch a remote shell     The soWware will only aIempt communica5on to its server on a periodic basis (via keep alive/beaconing).     This variant of the malware uses a password at the command line. This parameter must be supplied at the end of the command  line in order for the program to be configured.  
More on TTPs    Open Source Analysis   APT will use all the informa5on you give them against you   You can use their analysis to predict their ac5ons    AIack Phase   Social Engineered Email and Web Site plan5ng   Awareness, Monitoring, Sharing    Lateral Movement Phase   They will jump to new systems and establish new footholds   Monitor for lateral movement and segregate your networks    Command & Control and Exfiltra5on   They will communicate with your systems and take what they want   Block unnecessary outbound traffic, monitor, and share  Move  Counter‐Move 
OK, so what should we do about it  1.  Understand that the threat is real.  2.  Take responsibility for your own compu5ng  environments.  No na5onal force is capable of  protec5ng the Internet ecosystem.  3.  Start by understanding the IPO diagram.  4.  Share, and leverage shared knowledge.  5.  Paradoxically, think about not sharing so much.  Outbound  Awareness  Zoning  Sharing  Control  We must build secure systems‐of‐systems. 
Awareness    Make sure your co‐workers and leadership understand APT ac5vi5es.    Communicate using many different channels:    Annual mandatory awareness training    Special events, symposia, brown‐bag lunches    Give aways (calendars, mouse pads, shirts)    Web sites, portal ar5cles    Advanced training for system administrators    Targeted training for high‐risk persons    Include your Supply Chain    Lather, Rinse, Repeat  Outbound  Awareness  Zoning  Sharing  Control  Knowledge is Power – Social Engineering Relies on Ignorance 
Zoning: IPO Diagram    Input, Process, Output    At the network level  Input  Output    At the system level    At the subsystem level  Input  Output    At the data level    Good ole fashioned ACLs    Also known as:  Are your servers surfing the  “compartmentaliza5on”.  net when you’re not looking?    Contains risk; IDs bad stuff  Outbound  Awareness  Zoning  Sharing  Control  Zoning Enables Monitoring and Controls 
Outbound Control: C2 Blocking    “Geyng in” is not enough    They must get out to fulfill   their en5re mission    Goal is to drive down Dwell  Time    (We must s5ll protect the   inbound,  of course, to  maximize SNR)  Outbound  Awareness  Zoning  Sharing  Control  Disrupt and Deny Adversary’s Command and Control Traffic  ** See Mandiant, Ero Carrera and Peter Silberman, “State Of malware:  Explosion of the axis of Evil”. 
    Sharing: E Pluribus Unum    Collabora5on is cheap    You can use other people’s money    The Return on Investment is high    You’re not admiyng you were compromised, just that you  found something    Share the ‘known bad sites’, ip‐addresses, malware    Maybe don’t publish so much unnecessary info about yourself  Outbound  Awareness  Zoning  Sharing  Control  Discover and block C2 sites any way you can 
Other Techniques    APT uses Dynamic DNS hos5ng services to collect  exfiltrated informa5on and serve as C2 systems    Also, APT is using DNS as a covert channel by  transmiyng data such as keystrokes within “DNS  requests”    Lessons:    Block “uncategorized” web sites at your proxies    Employ Split‐DNS    Employ Split‐Rou5ng  Use Bas5on Hosts to Screen Basic Malware Methods 
Yet More Techniques    Block common bad aIachment types:    mp3, exe, lnk, dll, mov, com, mp4, bat, cmd, reg,  rar, emf, shs, js, vb, yourcompany.com.zip, cab,  mda, zip, mdb, scr, aiff, mde, cpl, msi, vbs, aif,  m4p, msp, fdf, mdt, sys, wmf, hlp, hta, pif, jse, qef,  scf, chm, <#>.txt, wsf, fli, vbe    Look for MZ header (magic byte) in packet  streams that indicates an executable    Check proxy & firewall logs for such requests  as port 22, 6667 (SSH, IRC)  Block the Basic Malware Methods (SNR) 
What might you look for back home  F‐Secure: We’d recommend you’d at least check your company’s gateway logs  ** See hIp://www.f‐secure.com/weblog/archives/00000883.html 
What might you look for back home    Sessions, Dura5ons    Long sessions**    Bytes/sec over 5me    RDP Sessions & other  management tools    User‐Agent‐Strings in  your Proxy Logs  Mozilla/4‐0(compatable; MSIE6.0; Windows NT 5.2; .NET CLR 1.1.4322)    Look for the scarce records    DNS rejects    No route to host    Rare web site requests  Conduct Sta5s5cal Analysis of Your Traffic  ** See hIp://www.ists.dartmouth.edu/library/425.pdf,  Alexander V. Barsamian. 
Virus Total is a good thing    See if someone else has already found this problem.  Sharing Malware Iden5fica5on 
Collabora5on Groups    Transglobal Secure Collabora9on Program (TSCP):   Large A&D companies and western gov’ts building strategic  solu5ons    Network Security Info Exchange  Small interna5onal exchange    Aerospace Industries Associa9on (AIA):  270+ A&D companies sharing ideas    Defense Industrial Base (DIB):  US Gov/Industry classified info  Find your industry groups – The FBI’s InfraGard is a great place to start. 
We, the Designers &  We, the Na5ons  Integrators    Design your supra‐systems    Share informa5on with your  assuming the threat will  cri5cal industries  compromise a subsystem    Cri5cal Infrastructures    Build in layers of defense and  cross na5onal boundaries  segment your subsystems    Don’t leave your ci5zens to     Remember the IPO diagram  defend themselves    Monitor the interfaces and    I s5ll can’t believe that my   enforce valida5on to the  grandmother’s computer is the  specifica5on  na5onal cyber boundary.    U5lize logging and aler5ng  My Granny is not happy.  Don’t leave her to defend herself. 
  All of us par5cipate in the ecosystem of the Internet    We are therefore targets, capable of serving as an  aIack agent or a data transfer agent    We must be aware of this interconnectedness and the  risk we pose to our neighbors    We must defend our systems and advocate for  defensible systems  Too much?  I don’t think so.  Remember the Cylons. 
What else ?    Tor based C2    Malware designed to infect EnCase sta5ons when evidence is reviewed.    Super‐light Payload Malware – Just enough to establish C2.    Inten5onal Worm Outbreaks to hide real aIacks in worm traffic.    Portplexd (Brandon Gilmore) described protocol‐based rou5ng of TCP  streams to provide different services (port mul5plexing) to different  requestors    You, the security professionals are the new targets    Browser data theW techniques that eliminate need for key loggers    Searching your proxy logs for sites to host malware your employees visit    Mail header harves5ng from web sites (news groups, mail‐in blogs)    Focus on minor config changes to undo security and, similarly,  downgrading applica5ons to older vulnerable versions    Injec5ng subtle bugs – When source code is found a minor change is  made.  Themes: Use of Social Networking sites and Obfusca5on 
flight?  Can I catch an earlier  QUESTIONS?  er?   alk a l iIle long do.  Co uld you t ore e‐mails to  few m I have a 
About the Speaker  Michael K. Daly    As Director of Informa5on Technology Enterprise Security Services at  Raytheon Company, Michael is globally responsible for informa5on  security policy, intelligence and analysis, the engineering and opera5onal  support of teaming partner connec5vity, network and data protec5ons,  Internet connec5vity, iden5ty and access services, and incident handling,  and he also provides consul5ng services to the business development and  engineering groups.     With headquarters in Waltham, Mass., Raytheon employs 73,000 people  worldwide.  Michael supports the Na5onal Security Telecommunica5ons  Advisory CommiIee to the President of the United States and the  Transglobal Secure Collabora5on Program.  He was the 2006 recipient of  the People's Choice Award for the ISE New England Informa5on Security  Execu5ve of the Year and the 2007 recipient of the Security 7 Award for  the Manufacturing sector.  23 Years in the Security Industry, S5ll In5midated by a USENIX Crowd 

Empfohlen

Butler
ButlerButler
ButlerThomas Butler, CISSP, CEH, CHFI, CISA, CPA, CIA
 
Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011Source Conference
 
IT Vulnerability & Tools Watch 2011
IT Vulnerability & Tools Watch 2011IT Vulnerability & Tools Watch 2011
IT Vulnerability & Tools Watch 2011WASecurity
 
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...ESET Middle East
 
Incident Response Tactics with Compromise Indicators
Incident Response Tactics with Compromise IndicatorsIncident Response Tactics with Compromise Indicators
Incident Response Tactics with Compromise IndicatorsF _
 
PyConPL 2017 - with python: security
PyConPL 2017 - with python: securityPyConPL 2017 - with python: security
PyConPL 2017 - with python: securityPiotr Dyba
 
SFScon 2020 - Paolo Boldi - Software Ecosystems as Networks Advances on the F...
SFScon 2020 - Paolo Boldi - Software Ecosystems as Networks Advances on the F...SFScon 2020 - Paolo Boldi - Software Ecosystems as Networks Advances on the F...
SFScon 2020 - Paolo Boldi - Software Ecosystems as Networks Advances on the F...South Tyrol Free Software Conference
 
Advanced Threat Detection in ICS – SCADA Environments
Advanced Threat Detection in ICS – SCADA EnvironmentsAdvanced Threat Detection in ICS – SCADA Environments
Advanced Threat Detection in ICS – SCADA EnvironmentsLondon School of Cyber Security
 

Empfohlen

Butler
ButlerButler
ButlerThomas Butler, CISSP, CEH, CHFI, CISA, CPA, CIA
 
Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011Source Conference
 
IT Vulnerability & Tools Watch 2011
IT Vulnerability & Tools Watch 2011IT Vulnerability & Tools Watch 2011
IT Vulnerability & Tools Watch 2011WASecurity
 
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...ESET Middle East
 
Incident Response Tactics with Compromise Indicators
Incident Response Tactics with Compromise IndicatorsIncident Response Tactics with Compromise Indicators
Incident Response Tactics with Compromise IndicatorsF _
 
PyConPL 2017 - with python: security
PyConPL 2017 - with python: securityPyConPL 2017 - with python: security
PyConPL 2017 - with python: securityPiotr Dyba
 
SFScon 2020 - Paolo Boldi - Software Ecosystems as Networks Advances on the F...
SFScon 2020 - Paolo Boldi - Software Ecosystems as Networks Advances on the F...SFScon 2020 - Paolo Boldi - Software Ecosystems as Networks Advances on the F...
SFScon 2020 - Paolo Boldi - Software Ecosystems as Networks Advances on the F...South Tyrol Free Software Conference
 
Advanced Threat Detection in ICS – SCADA Environments
Advanced Threat Detection in ICS – SCADA EnvironmentsAdvanced Threat Detection in ICS – SCADA Environments
Advanced Threat Detection in ICS – SCADA EnvironmentsLondon School of Cyber Security
 
An Introduction To Model  View  Controller In XPages
An Introduction To Model  View  Controller In XPagesAn Introduction To Model  View  Controller In XPages
An Introduction To Model  View  Controller In XPagesUlrich Krause
 
Lab final
Lab finalLab final
Lab finalMaddineni Nagabhushanam
 
Life In The FastLane: Full Speed XPages
Life In The FastLane: Full Speed XPagesLife In The FastLane: Full Speed XPages
Life In The FastLane: Full Speed XPagesUlrich Krause
 
XPages Performance Master Class - Survive in the fast lane on the Autobahn (E...
XPages Performance Master Class - Survive in the fast lane on the Autobahn (E...XPages Performance Master Class - Survive in the fast lane on the Autobahn (E...
XPages Performance Master Class - Survive in the fast lane on the Autobahn (E...BCC - Solutions for IBM Collaboration Software
 
Life in the fast lane. Full speed XPages
Life in the fast lane. Full speed XPagesLife in the fast lane. Full speed XPages
Life in the fast lane. Full speed XPagesUlrich Krause
 
Speed up your XPages Application performance
Speed up your XPages Application performanceSpeed up your XPages Application performance
Speed up your XPages Application performanceMaarga Systems
 
Cansec West 2009
Cansec West 2009Cansec West 2009
Cansec West 2009abhicc285
 
IRJET- Windows Log Investigator System for Faster Root Cause Detection of a D...
IRJET- Windows Log Investigator System for Faster Root Cause Detection of a D...IRJET- Windows Log Investigator System for Faster Root Cause Detection of a D...
IRJET- Windows Log Investigator System for Faster Root Cause Detection of a D...IRJET Journal
 
Mobile threat-report-mid-year-2018 en-us-1.0
Mobile threat-report-mid-year-2018 en-us-1.0Mobile threat-report-mid-year-2018 en-us-1.0
Mobile threat-report-mid-year-2018 en-us-1.0mobileironmarketing
 
LonghornPHP - CVE 101.pdf
LonghornPHP - CVE 101.pdfLonghornPHP - CVE 101.pdf
LonghornPHP - CVE 101.pdfTheresa Mammarella
 
Exploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesAmit Kumbhar
 
Are you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistAre you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistAPNIC
 
Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...Barry Greene
 
27.2.15 lab investigating a malware exploit
27.2.15 lab investigating a malware exploit27.2.15 lab investigating a malware exploit
27.2.15 lab investigating a malware exploitFreddy Buenaño
 
CanSecWest (1)
CanSecWest (1)CanSecWest (1)
CanSecWest (1)Abhishek Singh
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for EveryoneNikhil Mittal
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsAlan Kan
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationTom Eston
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A PrimerThe Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A Primeramiable_indian
 
Showing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Showing How Security Has (And Hasn't) Improved, After Ten Years Of TryingShowing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Showing How Security Has (And Hasn't) Improved, After Ten Years Of TryingDan Kaminsky
 
Securing a Cloud Migration
Securing a Cloud MigrationSecuring a Cloud Migration
Securing a Cloud MigrationCarlos Andrés García
 
Securing a Cloud Migration
Securing a Cloud MigrationSecuring a Cloud Migration
Securing a Cloud MigrationVMware Tanzu
 

Weitere ähnliche Inhalte

Andere mochten auch

An Introduction To Model  View  Controller In XPages
An Introduction To Model  View  Controller In XPagesAn Introduction To Model  View  Controller In XPages
An Introduction To Model  View  Controller In XPagesUlrich Krause
 
Life In The FastLane: Full Speed XPages
Life In The FastLane: Full Speed XPagesLife In The FastLane: Full Speed XPages
Life In The FastLane: Full Speed XPagesUlrich Krause
 
Life in the fast lane. Full speed XPages
Life in the fast lane. Full speed XPagesLife in the fast lane. Full speed XPages
Life in the fast lane. Full speed XPagesUlrich Krause
 
Speed up your XPages Application performance
Speed up your XPages Application performanceSpeed up your XPages Application performance
Speed up your XPages Application performanceMaarga Systems
 

Andere mochten auch (6)

An Introduction To Model  View  Controller In XPages
An Introduction To Model  View  Controller In XPagesAn Introduction To Model  View  Controller In XPages
An Introduction To Model  View  Controller In XPages
 
Lab final
Lab finalLab final
Lab final
 
Life In The FastLane: Full Speed XPages
Life In The FastLane: Full Speed XPagesLife In The FastLane: Full Speed XPages
Life In The FastLane: Full Speed XPages
 
XPages Performance Master Class - Survive in the fast lane on the Autobahn (E...
XPages Performance Master Class - Survive in the fast lane on the Autobahn (E...XPages Performance Master Class - Survive in the fast lane on the Autobahn (E...
XPages Performance Master Class - Survive in the fast lane on the Autobahn (E...
 
Life in the fast lane. Full speed XPages
Life in the fast lane. Full speed XPagesLife in the fast lane. Full speed XPages
Life in the fast lane. Full speed XPages
 
Speed up your XPages Application performance
Speed up your XPages Application performanceSpeed up your XPages Application performance
Speed up your XPages Application performance
 

Ähnlich wie Apt presso good to learn

Cansec West 2009
Cansec West 2009Cansec West 2009
Cansec West 2009abhicc285
 
IRJET- Windows Log Investigator System for Faster Root Cause Detection of a D...
IRJET- Windows Log Investigator System for Faster Root Cause Detection of a D...IRJET- Windows Log Investigator System for Faster Root Cause Detection of a D...
IRJET- Windows Log Investigator System for Faster Root Cause Detection of a D...IRJET Journal
 
Mobile threat-report-mid-year-2018 en-us-1.0
Mobile threat-report-mid-year-2018 en-us-1.0Mobile threat-report-mid-year-2018 en-us-1.0
Mobile threat-report-mid-year-2018 en-us-1.0mobileironmarketing
 
Exploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesAmit Kumbhar
 
Are you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistAre you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistAPNIC
 
Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...Barry Greene
 
27.2.15 lab investigating a malware exploit
27.2.15 lab investigating a malware exploit27.2.15 lab investigating a malware exploit
27.2.15 lab investigating a malware exploitFreddy Buenaño
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for EveryoneNikhil Mittal
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsAlan Kan
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationTom Eston
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A PrimerThe Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A Primeramiable_indian
 
Showing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Showing How Security Has (And Hasn't) Improved, After Ten Years Of TryingShowing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Showing How Security Has (And Hasn't) Improved, After Ten Years Of TryingDan Kaminsky
 
Securing a Cloud Migration
Securing a Cloud MigrationSecuring a Cloud Migration
Securing a Cloud MigrationVMware Tanzu
 
Two-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryoneTwo-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryonePaul Melson
 
Stranger Danger: Securing Third Party Components (Tech2020)
Stranger Danger: Securing Third Party Components (Tech2020)Stranger Danger: Securing Third Party Components (Tech2020)
Stranger Danger: Securing Third Party Components (Tech2020)Guy Podjarny
 
Lecture about network and host security to NII students
Lecture about network and host security to NII studentsLecture about network and host security to NII students
Lecture about network and host security to NII studentsAkiumi Hasegawa
 

Ähnlich wie Apt presso good to learn (20)

Cansec West 2009
Cansec West 2009Cansec West 2009
Cansec West 2009
 
IRJET- Windows Log Investigator System for Faster Root Cause Detection of a D...
IRJET- Windows Log Investigator System for Faster Root Cause Detection of a D...IRJET- Windows Log Investigator System for Faster Root Cause Detection of a D...
IRJET- Windows Log Investigator System for Faster Root Cause Detection of a D...
 
Mobile threat-report-mid-year-2018 en-us-1.0
Mobile threat-report-mid-year-2018 en-us-1.0Mobile threat-report-mid-year-2018 en-us-1.0
Mobile threat-report-mid-year-2018 en-us-1.0
 
LonghornPHP - CVE 101.pdf
LonghornPHP - CVE 101.pdfLonghornPHP - CVE 101.pdf
LonghornPHP - CVE 101.pdf
 
Exploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows Vulnerabilities
 
Are you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistAre you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security Checklist
 
Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...
 
27.2.15 lab investigating a malware exploit
27.2.15 lab investigating a malware exploit27.2.15 lab investigating a malware exploit
27.2.15 lab investigating a malware exploit
 
CanSecWest (1)
CanSecWest (1)CanSecWest (1)
CanSecWest (1)
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for Everyone
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging Threats
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A PrimerThe Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A Primer
 
Showing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Showing How Security Has (And Hasn't) Improved, After Ten Years Of TryingShowing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Showing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
 
Securing a Cloud Migration
Securing a Cloud MigrationSecuring a Cloud Migration
Securing a Cloud Migration
 
Securing a Cloud Migration
Securing a Cloud MigrationSecuring a Cloud Migration
Securing a Cloud Migration
 
Two-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryoneTwo-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for Everyone
 
Stranger Danger: Securing Third Party Components (Tech2020)
Stranger Danger: Securing Third Party Components (Tech2020)Stranger Danger: Securing Third Party Components (Tech2020)
Stranger Danger: Securing Third Party Components (Tech2020)
 
Lecture about network and host security to NII students
Lecture about network and host security to NII studentsLecture about network and host security to NII students
Lecture about network and host security to NII students
 
Security News bytes October 2013
Security News bytes October 2013Security News bytes October 2013
Security News bytes October 2013
 

Mehr von Fajar Isnanto

Micro controller based projects
Micro controller based projectsMicro controller based projects
Micro controller based projectsFajar Isnanto
 
Toyota motor manual 2 lt
Toyota motor manual 2 ltToyota motor manual 2 lt
Toyota motor manual 2 ltFajar Isnanto
 
L 2l 2l-t_repair_manual
L 2l 2l-t_repair_manualL 2l 2l-t_repair_manual
L 2l 2l-t_repair_manualFajar Isnanto
 
2010.06 defender my07 workshop manual complete
2010.06 defender my07 workshop manual complete2010.06 defender my07 workshop manual complete
2010.06 defender my07 workshop manual completeFajar Isnanto
 
Bmw e39 door lock actuator replacement
Bmw e39 door lock actuator replacementBmw e39 door lock actuator replacement
Bmw e39 door lock actuator replacementFajar Isnanto
 
Land rover monthly 2013 04
Land rover monthly 2013 04Land rover monthly 2013 04
Land rover monthly 2013 04Fajar Isnanto
 
Land rover defender_110_en_gb
Land rover defender_110_en_gbLand rover defender_110_en_gb
Land rover defender_110_en_gbFajar Isnanto
 
Series iii optional_parts_catalogue_1
Series iii optional_parts_catalogue_1Series iii optional_parts_catalogue_1
Series iii optional_parts_catalogue_1Fajar Isnanto
 
Lr series iii part 1
Lr series iii part 1Lr series iii part 1
Lr series iii part 1Fajar Isnanto
 
Land rover defender_110_en_gb
Land rover defender_110_en_gbLand rover defender_110_en_gb
Land rover defender_110_en_gbFajar Isnanto
 
Def 90 110_wsm_book1
Def 90 110_wsm_book1Def 90 110_wsm_book1
Def 90 110_wsm_book1Fajar Isnanto
 
Venus ecu user manual ver2.2.4.0
Venus ecu user manual ver2.2.4.0Venus ecu user manual ver2.2.4.0
Venus ecu user manual ver2.2.4.0Fajar Isnanto
 
2011 auto meter hp catalog w links
2011 auto meter hp catalog w links2011 auto meter hp catalog w links
2011 auto meter hp catalog w linksFajar Isnanto
 
Know your-differential-ec-12.97
Know your-differential-ec-12.97Know your-differential-ec-12.97
Know your-differential-ec-12.97Fajar Isnanto
 
BMW E30 Wiring DIagram
BMW E30 Wiring DIagramBMW E30 Wiring DIagram
BMW E30 Wiring DIagramFajar Isnanto
 
Meraki cs chattanooga
Meraki cs chattanoogaMeraki cs chattanooga
Meraki cs chattanoogaFajar Isnanto
 

Mehr von Fajar Isnanto (20)

Micro controller based projects
Micro controller based projectsMicro controller based projects
Micro controller based projects
 
Toyota motor manual 2 lt
Toyota motor manual 2 ltToyota motor manual 2 lt
Toyota motor manual 2 lt
 
L 2l 2l-t_repair_manual
L 2l 2l-t_repair_manualL 2l 2l-t_repair_manual
L 2l 2l-t_repair_manual
 
2010.06 defender my07 workshop manual complete
2010.06 defender my07 workshop manual complete2010.06 defender my07 workshop manual complete
2010.06 defender my07 workshop manual complete
 
2lt 3l supplement
2lt 3l supplement2lt 3l supplement
2lt 3l supplement
 
Bmw e39 door lock actuator replacement
Bmw e39 door lock actuator replacementBmw e39 door lock actuator replacement
Bmw e39 door lock actuator replacement
 
1uzto3uz history
1uzto3uz history1uzto3uz history
1uzto3uz history
 
Land rover monthly 2013 04
Land rover monthly 2013 04Land rover monthly 2013 04
Land rover monthly 2013 04
 
Land rover defender_110_en_gb
Land rover defender_110_en_gbLand rover defender_110_en_gb
Land rover defender_110_en_gb
 
Series iii optional_parts_catalogue_1
Series iii optional_parts_catalogue_1Series iii optional_parts_catalogue_1
Series iii optional_parts_catalogue_1
 
Lr series iii part 1
Lr series iii part 1Lr series iii part 1
Lr series iii part 1
 
Land rover defender_110_en_gb
Land rover defender_110_en_gbLand rover defender_110_en_gb
Land rover defender_110_en_gb
 
Def 90 110_wsm_book1
Def 90 110_wsm_book1Def 90 110_wsm_book1
Def 90 110_wsm_book1
 
Venus ecu user manual ver2.2.4.0
Venus ecu user manual ver2.2.4.0Venus ecu user manual ver2.2.4.0
Venus ecu user manual ver2.2.4.0
 
2011 auto meter hp catalog w links
2011 auto meter hp catalog w links2011 auto meter hp catalog w links
2011 auto meter hp catalog w links
 
Cda 117e apvers
Cda 117e apversCda 117e apvers
Cda 117e apvers
 
D600 en
D600 enD600 en
D600 en
 
Know your-differential-ec-12.97
Know your-differential-ec-12.97Know your-differential-ec-12.97
Know your-differential-ec-12.97
 
BMW E30 Wiring DIagram
BMW E30 Wiring DIagramBMW E30 Wiring DIagram
BMW E30 Wiring DIagram
 
Meraki cs chattanooga
Meraki cs chattanoogaMeraki cs chattanooga
Meraki cs chattanooga
 

Kürzlich hochgeladen

Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsYoss Cohen
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialJoão Esperancinha
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...amber724300
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...BookNet Canada
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Jeffrey Haguewood
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 

Kürzlich hochgeladen (20)

Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorial
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 

Apt presso good to learn

  • 1. The Advanced Persistent Threat   (or Informa5onized Force Opera5ons)  Michael K. Daly  November 4, 2009 
  • 2. What is meant by Advanced, Persistent Threat?    Increasingly sophis5cated cyber aIacks by hos5le  organiza5ons with the goal of:    Gaining access to defense, financial and other targeted  informa5on from governments, corpora5ons and  individuals.    Maintaining a foothold in these environments to enable  future use and control.    Modifying data to disrupt performance in their targets.  APT: People With Money Who Discovered That Computers Are Connected 
  • 4. Is this a big deal?  Is it new?    Yes, this is a very big deal.    If “it” is the broad no5on  of theW, spying, social   engineering and bad stuff,  then No, it is definitely not new.    However, it is new (~2003) that na5on states  are widely leveraging the Internet to operate  agents across all cri5cal infrastructures.  APT ac5vity is leveraging the expansion of the greater system of systems 
  • 5. I’m not in the military.    Why do I care?  “[APT] possess the targeting competence to identify specific users in a unit or organization based on job function or presumed access to information. [APT] can use this access for passive monitoring of network traffic for intelligence collection purposes. Instrumenting these machines in peacetime may enable attackers to prepare a reserve of compromised machines that can be used during a crisis. [APT] … possess the technical sophistication to craft and upload rootkit and covert remote access software, creating deep persistent access to the compromised host and making detection extremely difficult. An “upstream” attack on … civilian networks … has potential for great impact and is potentially easier against smaller companies that often lack the resources or expertise for sophisticated network security and monitoring.” **  Shipping, Finance, Energy, Water, … The En5re Supply Chain is at Risk  ** Capability of the People’s Republic of China to Conduct Cyber Warfare  and Computer Network Exploita5on,  Prepared for The US‐China Economic  and Security Review Commission, October 2009. 
  • 7. OK, give me a prac5cal example  The “classic” case is:    Employee Bob gets an email with an aIachment,  so he opens it.    The aIachment opens, and is typically either  irrelevant, or a copy of some other message he  got a while back, or not even the topic of the  message.  Bob closes it and goes back to his  coffee.    His computer is now running a Trojan applica5on  that connects to a site on the Internet that is  used by bad guys to control his computer.  Socially Engineered Emails 
  • 13. A more specific example  (Not this obvious)  Bob’s PC starts  “beaconing” that  it is available. 
  • 17. A bit more about APT Trojans    Mul5ple means of command and control allow the adversary to persist  even when defensive ac5ons are taken    Mul5ple malware installa5ons;     Mul5ple C2 des5na5ons    Off‐Net use allows adversaries to change tac5cs while outside your view  and control    VPN Malware    Off‐Network updates    0‐Day AIack Vectors    Uniquely compiled for you    Avoids AV detec5on  AIack in Depth 
  • 18. What kinds of aIachments    Adobe Acrobat is   increasing    No surprises –  these’re the  apps we use.    “Why has it changed?   Primarily because there   has been more vulnerabili5es   in Adobe Acrobat/Reader than in   the MicrosoW Office applica5ons.” – F‐Secure  hIp://www.f‐secure.com/weblog/archives/00001676.html  Patching Is Not Keeping Up With Current APT TTP’s 
  • 19. HTTP Vector    Hacked sites redirec5ng to exploits    www.ned.org    www.elec5onguide.org    aceproject.org    www.ifes.org    Serving 3 exploits    SWF on FF 0‐day    SWF on IE 0‐day    MSVIDCTL Vulnerability  Not All Bad Stuff Comes Via The Mail … Some5mes we seek it out. 
  • 20. Analyzing Malicious PDF  AV Detec9on of Malicious PDF Documents  (McAfee‐GW‐Edi5on)  (An5Vir)  (Sophos)  (BitDefender)  (GData)  (Avast)  (Symantec)  (a‐squared)  (McAfee)  (Ikarus)  (McAfee+Artemis)  (Kaspersky)  (NOD32)  (F‐Secure)  (MicrosoW)  (TrendMicro)  (For5net)  0%  10%  20%  30%  40%  50%  60%  70%  80%  AV Detec5on of Malicious PDFs Has Been Very Poor 
  • 21. Common PDF Exploits  CVE Name First Used Discovered Patched Gap 2007-5659 collectEmailInfo() (JS) 1/1/2008 2/6/2008 2/7/2008 37 2008-2992 Util.printf() (JS) 11/5/2008 11/5/2008 11/4/2008 -1 2009-0658 JBIG2* 1/15/2009 2/13/2009 3/24/2009 68 2009-0927 getIcon() (JS) 4/9/2009 4/9/2009 3/24/2009 -16 2009-1492 getAnnots() (JS) 6/4/2009 6/4/2009 5/12/2009 -23 2009-1862 SWF* 7/15/2009 7/15/2009 7/31/2009 16 2009-3459 Heap Corruption* 9/23/2009 10/1/2009 10/13/2009 20 Days Between First Use and Patch  Users  ? Patched?  ? Users  Patched?  ‐30  ‐20  ‐10  0  10  20  30  40  50  60  70  Occasional Lag to Discovery – Consistent Lag to Remedia5on 
  • 23. JBIG2 Dissec5on  What did Bad Guy do to the PDF?    Object 3 is first to launch, in this case.    It has an OpenAc'on to go to Object 2.    Object 2 fills memory with code that  leads to Object 7.    Object 7 contains the executable that  gives you a bad day.    The red colored areas are indicators  you can use to find similar documents.  Automated Tools Are Available To Help Our Bad Guy Insert the Executable 
  • 24. Cool Tool to Help Find Stuff  Yara    Simple and correlated rules    Ascii, binary, regex, wildcards  rule HIGH_PDF_Flash_Exploit { strings: $a = "%PDF-1." $j = "(pop056swf)" $k = "(pushpro056swf)" $b = "( a.swf)" condition: ($a at 0) and ($j or $k or $b) } hIp://code.google.com/p/yara‐project/ 
  • 25. Trojans Commonly Delivered in Email    Opening of the malicious aIachment may have no visual  indicators    Some poorly created documents will “crash” and reopen    Others will briefly close   and reopen    In rare cases, the   computer may “freeze”    AIackers embed   relevant content to be  displayed aWer infec5on    .WRI    .PDF    .SCR  Using Your Own Content Against You 
  • 26. Typical malware workflow    Checks to see if it already  infected you    Delay for a bit so you don’t  associate its behavior with the  opening of the aIachment    Download other junk    Keep checking back for more  commands or control requests  Ini5ates Connec5on from Inside 
  • 28. Gh0st RAT and Poison Ivy RAT    Gh0st RAT is published by Red Wolf Group    Key logger can record the informa5on in  English and Chinese    Remote Terminal Shell    System management process management,  window management    Video View ‐ View a remote camera,  snapshot, video, compression and other  func5ons ...    Voice monitoring ‐ remote monitoring of  voice, but also the local voice can be  transmiIed to the remote, voice chat,  GSM610 compression    Session management off, restart,  shutdown, uninstall the server    Specify the download URL, hide or display  access to the specified URL, clear the  system log    Cluster control can simultaneously control  mul9ple hosts at the same 5me  Remote Administra5on Tools 
  • 29. So, who are some of these people    General Staff Department Fourth Department    The GSD’s decision in 2000 to promote Dai  Qingmin to head the 4th Department—veyng his  advocacy of the integrated network‐electronic  warfare (INEW) strategy—likely further  consolidated the organiza5onal authority for the  IW—and the CNA mission specifically—in this  group. Dai’s promo5on to this posi5on suggests  that the GSD probably endorsed his vision of  adop5ng INEW as the PLA’s IW strategy.  Remember, China is just one country we can talk about due to Open Source  ** Capability of the People’s Republic of China to Conduct Cyber Warfare  and Computer Network Exploita5on,  Prepared for The US‐China Economic  and Security Review Commission, October 2009. 
  • 30. Leveraging the private sector    PLA Informa5on Warfare Mili5a Units    Since approximately 2002, the PLA has been  crea5ng IW mili5a units comprised of personnel  from the commercial IT sector and academia, and  represents an opera5onal  nexus between PLA   Computer Network  Opera5ons and Chinese  civilian informa5on  security professionals.  Strong organiza5on, bolstered by internal compe55on  ** Capability of the People’s Republic of China to Conduct Cyber Warfare  and Computer Network Exploita5on,  Prepared for The US‐China Economic  and Security Review Commission, October 2009. 
  • 31. Further private sector ac5vity    Individuals, or possibly groups, engaged in computer network  exploita9on against US networks have obtained malicious  so=ware developed by Chinese underground or black hat  programmers.     In one demonstrated instance, black hat programmers affiliated  with Chinese hacker forums provided malicious soWware to  intruders targe5ng a US commercial firm in early 2009. The  techniques and tools employed by this group or individual are  similar to those observed in previous penetra5on aIempts against  this same company in the previous year, according to their forensic  analysis.    Forensic analysis also suggests this group is comprised of mul9ple  members of varying skill levels, opera5ng with fixed schedules and  standard opera5ng procedures and is willing to take detailed steps  to mask their ac5vi5es on the targeted computer.  Cross‐pollina5on of tac5cs, techniques and procedures  ** Capability of the People’s Republic of China to Conduct Cyber Warfare  and Computer Network Exploita5on,  Prepared for The US‐China Economic  and Security Review Commission, October 2009. 
  • 32. APT Tac5cs, Techniques & Procedures  A‐Team  B‐Team  More senior?   Malware writers?  www.hackedsite2.com  Beaconing  RDP &  Data  www.hackedsite1.com  & Latching  Other  transfer  Agent  Download  Command  Command  & Install  & Control;  & Control;  Data  Agent  Agent  transfer  transfer  transfer  Data  Foothold  Intermediary  Transfer  Host  Host  Host  Host  Stage 0 Stage 1 Stage 2 Stage 3 Infec5on Generate   Setup  Data  Intermediaries Relay Agents Exfiltra5on
  • 33. VPN Client Shimming  Index  File Name  Func9onality  A  netSvc32.exe  Remote Access; File Transfer; NTLAN Manager Hashing  B  00000000.exe  Packed  C  00000001.exe  Packed  D  00000002.exe  TCP Connec5on Filtering; Raw Packet TX to NDIS Driver & VPN Driver  E  00000003.exe  Malware Loading and Injec5on  F  00000004.exe  Same as specimen D without appended binaries  G  Fsvsda.dll  Unpacked specimen B; Remote Access; File TX; Remote Shell Execu5on  H  Fsvsda.sys  TCP Obfusca5on; Disable detec5on by netstat.exe  Example:  Specimen A ‐ netSvc32.exe     Variant of a known malware family.    Backdoor    Generates NT LanManager hashes     Ability to launch a remote shell     The soWware will only aIempt communica5on to its server on a periodic basis (via keep alive/beaconing).     This variant of the malware uses a password at the command line. This parameter must be supplied at the end of the command  line in order for the program to be configured.  
  • 34. More on TTPs    Open Source Analysis   APT will use all the informa5on you give them against you   You can use their analysis to predict their ac5ons    AIack Phase   Social Engineered Email and Web Site plan5ng   Awareness, Monitoring, Sharing    Lateral Movement Phase   They will jump to new systems and establish new footholds   Monitor for lateral movement and segregate your networks    Command & Control and Exfiltra5on   They will communicate with your systems and take what they want   Block unnecessary outbound traffic, monitor, and share  Move  Counter‐Move 
  • 35. OK, so what should we do about it  1.  Understand that the threat is real.  2.  Take responsibility for your own compu5ng  environments.  No na5onal force is capable of  protec5ng the Internet ecosystem.  3.  Start by understanding the IPO diagram.  4.  Share, and leverage shared knowledge.  5.  Paradoxically, think about not sharing so much.  Outbound  Awareness  Zoning  Sharing  Control  We must build secure systems‐of‐systems. 
  • 36. Awareness    Make sure your co‐workers and leadership understand APT ac5vi5es.    Communicate using many different channels:    Annual mandatory awareness training    Special events, symposia, brown‐bag lunches    Give aways (calendars, mouse pads, shirts)    Web sites, portal ar5cles    Advanced training for system administrators    Targeted training for high‐risk persons    Include your Supply Chain    Lather, Rinse, Repeat  Outbound  Awareness  Zoning  Sharing  Control  Knowledge is Power – Social Engineering Relies on Ignorance 
  • 37. Zoning: IPO Diagram    Input, Process, Output    At the network level  Input  Output    At the system level    At the subsystem level  Input  Output    At the data level    Good ole fashioned ACLs    Also known as:  Are your servers surfing the  “compartmentaliza5on”.  net when you’re not looking?    Contains risk; IDs bad stuff  Outbound  Awareness  Zoning  Sharing  Control  Zoning Enables Monitoring and Controls 
  • 38. Outbound Control: C2 Blocking    “Geyng in” is not enough    They must get out to fulfill   their en5re mission    Goal is to drive down Dwell  Time    (We must s5ll protect the   inbound,  of course, to  maximize SNR)  Outbound  Awareness  Zoning  Sharing  Control  Disrupt and Deny Adversary’s Command and Control Traffic  ** See Mandiant, Ero Carrera and Peter Silberman, “State Of malware:  Explosion of the axis of Evil”. 
  • 39.     Sharing: E Pluribus Unum    Collabora5on is cheap    You can use other people’s money    The Return on Investment is high    You’re not admiyng you were compromised, just that you  found something    Share the ‘known bad sites’, ip‐addresses, malware    Maybe don’t publish so much unnecessary info about yourself  Outbound  Awareness  Zoning  Sharing  Control  Discover and block C2 sites any way you can 
  • 40. Other Techniques    APT uses Dynamic DNS hos5ng services to collect  exfiltrated informa5on and serve as C2 systems    Also, APT is using DNS as a covert channel by  transmiyng data such as keystrokes within “DNS  requests”    Lessons:    Block “uncategorized” web sites at your proxies    Employ Split‐DNS    Employ Split‐Rou5ng  Use Bas5on Hosts to Screen Basic Malware Methods 
  • 41. Yet More Techniques    Block common bad aIachment types:    mp3, exe, lnk, dll, mov, com, mp4, bat, cmd, reg,  rar, emf, shs, js, vb, yourcompany.com.zip, cab,  mda, zip, mdb, scr, aiff, mde, cpl, msi, vbs, aif,  m4p, msp, fdf, mdt, sys, wmf, hlp, hta, pif, jse, qef,  scf, chm, <#>.txt, wsf, fli, vbe    Look for MZ header (magic byte) in packet  streams that indicates an executable    Check proxy & firewall logs for such requests  as port 22, 6667 (SSH, IRC)  Block the Basic Malware Methods (SNR) 
  • 43. What might you look for back home    Sessions, Dura5ons    Long sessions**    Bytes/sec over 5me    RDP Sessions & other  management tools    User‐Agent‐Strings in  your Proxy Logs  Mozilla/4‐0(compatable; MSIE6.0; Windows NT 5.2; .NET CLR 1.1.4322)    Look for the scarce records    DNS rejects    No route to host    Rare web site requests  Conduct Sta5s5cal Analysis of Your Traffic  ** See hIp://www.ists.dartmouth.edu/library/425.pdf,  Alexander V. Barsamian. 
  • 45. Collabora5on Groups    Transglobal Secure Collabora9on Program (TSCP):   Large A&D companies and western gov’ts building strategic  solu5ons    Network Security Info Exchange  Small interna5onal exchange    Aerospace Industries Associa9on (AIA):  270+ A&D companies sharing ideas    Defense Industrial Base (DIB):  US Gov/Industry classified info  Find your industry groups – The FBI’s InfraGard is a great place to start. 
  • 46. We, the Designers &  We, the Na5ons  Integrators    Design your supra‐systems    Share informa5on with your  assuming the threat will  cri5cal industries  compromise a subsystem    Cri5cal Infrastructures    Build in layers of defense and  cross na5onal boundaries  segment your subsystems    Don’t leave your ci5zens to     Remember the IPO diagram  defend themselves    Monitor the interfaces and    I s5ll can’t believe that my   enforce valida5on to the  grandmother’s computer is the  specifica5on  na5onal cyber boundary.    U5lize logging and aler5ng  My Granny is not happy.  Don’t leave her to defend herself. 
  • 47.   All of us par5cipate in the ecosystem of the Internet    We are therefore targets, capable of serving as an  aIack agent or a data transfer agent    We must be aware of this interconnectedness and the  risk we pose to our neighbors    We must defend our systems and advocate for  defensible systems  Too much?  I don’t think so.  Remember the Cylons. 
  • 48. What else ?    Tor based C2    Malware designed to infect EnCase sta5ons when evidence is reviewed.    Super‐light Payload Malware – Just enough to establish C2.    Inten5onal Worm Outbreaks to hide real aIacks in worm traffic.    Portplexd (Brandon Gilmore) described protocol‐based rou5ng of TCP  streams to provide different services (port mul5plexing) to different  requestors    You, the security professionals are the new targets    Browser data theW techniques that eliminate need for key loggers    Searching your proxy logs for sites to host malware your employees visit    Mail header harves5ng from web sites (news groups, mail‐in blogs)    Focus on minor config changes to undo security and, similarly,  downgrading applica5ons to older vulnerable versions    Injec5ng subtle bugs – When source code is found a minor change is  made.  Themes: Use of Social Networking sites and Obfusca5on 
  • 49. flight?  Can I catch an earlier  QUESTIONS?  er?   alk a l iIle long do.  Co uld you t ore e‐mails to  few m I have a 
  • 50. About the Speaker  Michael K. Daly    As Director of Informa5on Technology Enterprise Security Services at  Raytheon Company, Michael is globally responsible for informa5on  security policy, intelligence and analysis, the engineering and opera5onal  support of teaming partner connec5vity, network and data protec5ons,  Internet connec5vity, iden5ty and access services, and incident handling,  and he also provides consul5ng services to the business development and  engineering groups.     With headquarters in Waltham, Mass., Raytheon employs 73,000 people  worldwide.  Michael supports the Na5onal Security Telecommunica5ons  Advisory CommiIee to the President of the United States and the  Transglobal Secure Collabora5on Program.  He was the 2006 recipient of  the People's Choice Award for the ISE New England Informa5on Security  Execu5ve of the Year and the 2007 recipient of the Security 7 Award for  the Manufacturing sector.  23 Years in the Security Industry, S5ll In5midated by a USENIX Crowd