ADVANCED PERSISTENT THREATS – MITIGATION SERVICES & SOLUTIONS






With all the buzz surrounding the term Advanced Persistent Threats (APTs), we
decided to de-mystify the jargon and present the view from the trenches.
Advanced Persistent Threats



Document Tracker
Author               Version                            Summary of Changes

Manasdeep            November 2012                      Document Created




Confidential        Network Intelligence (India) Pvt. Ltd.      Page 2 of 19

                                                NOTICE
This document contains information which is the intellectual property of Network Intelligence. This
document is received in confidence and its contents cannot be disclosed or copied without the prior
written consent of Network Intelligence.

Nothing in this document constitutes a guaranty, warranty, or license, expressed or implied.
Network Intelligence disclaims all liability for all such guaranties, warranties, and licenses, including
but not limited to: Fitness for a particular purpose; merchantability; non infringement of intellectual
property or other rights of any third party or of Network Intelligence; indemnity; and all others. The
reader is advised that third parties can have intellectual property rights that can be relevant to this
document and the technologies discussed herein, and is advised to seek the advice of competent
legal counsel, without obligation of Network Intelligence.

Network Intelligence retains the right to make changes to this document at any time without notice.
Network Intelligence makes no warranty for the use of this document and assumes no responsibility
for any errors that can appear in the document nor does it make a commitment to update the
information contained herein.

Copyright
Copyright. Network Intelligence (India) Pvt. Ltd. All rights reserved.
NII Consulting, AuditPro, Firesec and NX27K are registered trademarks of Network Intelligence India Pvt.
Ltd.

Trademarks
Other product and corporate names may be trademarks of other companies and are used only for
explanation and to the owners' benefit, without intent to infringe.



                                        NII CONTACT DETAILS
Network Intelligence India Pvt. Ltd.
204 Ecospace,Old Nagardas Road,Near Andheri Subway, Andheri (E),
Mumbai 400 069, India
Tel: +91-22-2839-2628
    +91-22-4005-2628
Fax: +91-22-2837-5454
Email: info@niiconsulting.com





Contents
1. Introduction ..... 5
2. Spear Phishing ..... 7
3. Advanced Persistent Threat Life Cycle ..... 8
   a. Preparation ..... 8
   b. Initial intrusion ..... 8
   c. Expansion ..... 8
   d. Persistence ..... 8
   e. Search and Exfiltration ..... 8
   f. Cleanup ..... 9
4. Case Study Analysis: RSA SecurID hack ..... 10
5. Case Study Analysis: Operation Aurora ..... 13
6. Mitigation and early detection of an APT ..... 16
7. Security solutions to protect from APT ..... 17
8. How can we help your organization ..... 18
9. References ..... 19




1. INTRODUCTION
Advanced Persistent Threats (APTs) are a serious concern as they represent a threat to
an organization’s intellectual property, financial assets and reputation. In some cases,
these threats target critical infrastructure and government institutions, thereby
threatening the country’s national security itself. The defensive tools and other controls
are frequently rendered ineffective because the actors behind the intrusion are focused
on a specific target and quickly adapt their ways to predict and circumvent security
controls and standard incident response practices. As a result, an effective and efficient
defence strategy requires good situational awareness and understanding.

What are Advanced Persistent Threats? [2]
Advanced Persistent Threat (APT) refers to a long-term pattern of targeted hacking
attacks using subversive and stealthy means to gain continual, persistent exfiltration of
intellectual capital. The entry point for espionage activities is often the unsuspecting end-
user or weak perimeter security. Before an APT attack is crafted, extensive research is done
using social media sites and publicly available documents on the organization, its processes,
its technology and its people.

The defence doctrine in the case of APTs must change from “keeping attackers out” to
“sometimes attackers are going to get in; detect them as early as possible and minimize
the damage.”

Why the term Advanced Persistent Threats? [2]
Advanced – Attackers have a full spectrum of intelligence-gathering techniques at their
disposal. These may include computer intrusion technologies and techniques, but also
extend to conventional intelligence-gathering techniques. They often combine multiple
targeting methods, tools, and techniques in order to reach and compromise their target and
maintain access to it.

Persistent – Attackers give priority to a specific task, rather than seeking information for
financial or other gain. If the attacker loses access, they reattempt access; often
successfully. One of the attacker’s goals is to maintain long-term access to the target, in
contrast to threats that only need access to execute a specific task.

Threat – APTs are a threat because they have both capability and intent. APT attacks are
executed by coordinated human actions, rather than by mindless and automated pieces
of code. The attackers have a specific objective and are skilled, motivated, organized and
well-funded.

What makes APTs so dangerous?
- APT attacks concentrate on people first and not directly on infrastructure details.
  Since people are the weakest link in organizational security, the chance of a data
  breach is higher than with the traditional methods used by hackers.
- A single "voluntary action" by an unsuspecting employee who takes socially
  engineered bait bypasses all the protection methods that technology puts in place.
- If people are not properly educated or trained to counter social engineering, it is
  very difficult to contain the attack in the first place.
- APTs are silent, highly sophisticated, well-crafted attack paradigms which frequently
  use customized code, a combination of many 0-day exploits and extensive research on
  both the targeted employees and the asset to be compromised, along with a well-planned
  method to clean up all evidence of their activities once the objective has been achieved.
- Attackers carrying out an APT are highly skilled hackers, with large resources at their
  disposal to find various ways into a given organization.
- Frequently, these attackers are backed by massive funding, research and even
  government-level support in some countries.
- The focus of an APT is to obtain very specific information about the prized asset, or to
  perform a very specific action once it is able to reach that resource.
- This makes an APT a very stealthy attack that leaves a very small digital forensic
  footprint on compromised machines, as it refrains from any unwanted "noisy" activity on
  the network.
- APTs are quite difficult to detect and trace back to their original sources.
- An APT may lie dormant on compromised systems for many months or even a few years,
  activating only when a specific action takes place or at a certain time.




2. SPEAR PHISHING
Spear phishing is a deceptive communication technique in which a victim is lured via e-
mail, text or tweet by an attacker into clicking a malicious link or downloading a malicious
file. The common objective of this technique is to compromise the victim's machine by
stealthily installing a backdoor that seeks to obtain unauthorized remote access to
confidential data. These attempts are most likely to be conducted by attackers seeking
financial gain, trade secrets or sensitive information. Spear phishing is a popular technique
in cyber espionage and constitutes a vital part of the Advanced Persistent Threat Life Cycle.




3. ADVANCED PERSISTENT THREAT LIFE CYCLE [5]
a. Preparation
   The “Preparation” phase includes the following aspects of the lifecycle:
   - Define target
   - Find and organize accomplices
   - Build or acquire tools
   - Research target/infrastructure/employees
   - Test for detection

APT attack and exploitation operations typically involve a high degree of preparation.
Additional assets and data may be needed before plans can be carried out. Highly
complex operations may be required before executing the exploitation plan against the
primary target(s).

b. Initial intrusion
   The “Initial Intrusion” phase includes the following aspects of the lifecycle:
   - Deployment
   - Initial intrusion
   - Outbound connection initiated

After the attacker completes preparations, the next step is an attempt to gain a foothold
in the target’s environment. An extremely common entry tactic is the use of spear
phishing emails containing a web link or attachment.

c. Expansion
   The “Expansion” phase includes the following aspects of the lifecycle:
   - Expand access and obtain credentials
   - Strengthen foothold

The objective of this phase is to gain access to additional systems and authentication
material that will allow access to further systems.

d. Persistence
   The “Persistence” phase spans numerous aspects of the lifecycle.

Overcoming a target’s perimeter defenses and establishing a foothold inside the
network can require substantial effort. Between the time APT actors establish a
foothold and the time when there is no further use for the assets or for existing and
future data, APT actors employ various strategies to maintain access.

e. Search and Exfiltration
   The “Search and Exfiltration” phase includes the following aspect:
   - Exfiltrate data


The ultimate target of network exploitation is generally a resource that can be used for
future exploit(s) or documents and data that have financial or other perceived worth to
the intruder. A popular approach to search and exfiltration is to take everything from
the network that might be of interest.

Some frequently examined locations include the infected user’s documents folder,
shared drives located on file servers, the user’s local email file and email from the
central email server.

f. Cleanup
   The “Cleanup” phase includes the following aspect of the lifecycle:
   - Cover tracks and remain undetected
Cleanup efforts during an intrusion are focused on avoiding detection, removing
evidence of the intrusion and what was targeted and eliminating evidence of who was
behind the event. The better the APT actors are at covering their tracks, the harder it
will be for victims to assess the impact of the intrusion.




4. CASE STUDY ANALYSIS: RSA SECURID HACK [3][4]
a. Brief Summary
   Around March 2011, the RSA SecurID system was attacked using a sophisticated APT
   attack paradigm. A series of spear-phishing emails titled "2011 Recruitment Plan" was
   sent to small groups of low-profile RSA employees. Although they landed in Junk
   folders, the email title was interesting enough to persuade an RSA employee to open the
   Excel spreadsheet attachment.

   The Excel sheet carried an exploit for the (since patched) Adobe Flash zero-day flaw
   CVE-2011-0609. Starting from one Trojan-compromised machine, the attackers
   harvested credentials and made their way up the RSA hierarchy, ultimately gaining
   privileged access to the targeted system. The targeted data and files were stolen and
   sent to an external compromised machine at a hosting provider.

   Fortunately, RSA saw the attack and, using its implementation of NetWitness, stopped it
   before more damage could be done.

b. What went wrong?
   Even though the SPAM filters did their job by directing the mail to Junk folders, the
   interestingly titled email was enough to entice one employee to deliberately pull out the
   mail and open the attachment. This was the typical first stage of an APT attack: social
   engineering done via spear-phishing. The attackers collected intelligence on the
   organization’s people, not its infrastructure, and then sent spear phishing emails to the
   employees of interest.

   The 0-day installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609)
   which was prevalent in older versions of Adobe software. Typically, Adobe Reader is seen
   only as a PDF file opener and hence is not patched as often as the mainstream updates
   rolled out by Microsoft Windows and Oracle, which are typically licensed by the firms.

   Hence, the attackers had found a way to sneak inside the RSA network through
   vulnerabilities present in the end-point to access users’ PCs. Once inside, privilege
   escalation attacks were carried out by constantly updating the Trojan remotely. When
   you look at the list of users that were targeted, you don’t see any glaring insights;
   nothing that spells high-profile or high-value targets.

c. What made the attacks difficult to detect?
   The purpose of a remote administration tool is simply to allow external control of the
   PC or server. These tools are set up in reverse-connect mode: they pull commands from
   the central command & control servers and then execute them, rather than having
   commands pushed to them from outside. This connectivity method makes them more
   difficult to detect, as the PC reaches out to the command and control rather than the
   other way around.

   Since the attacks use a combination of social engineering and vulnerabilities in the end-
   point to access users’ PCs, they are difficult to detect: they are activated by a
   "volunteering" action taken by the victim and not forced. Once inside the network, the
   attackers just have to find their way to the intended target using privilege escalation
   attacks, remotely updating and improving the trojan as they go.

d. Spreading of the attack
   Once inside the RSA network, the APT moved laterally. The attackers still needed users
   with more access: more admin rights to relevant services and servers, etc. This was done
   very patiently, as the attackers knew that any kind of fast and "noisy" activity would
   attract attention from network monitoring tools.

   The second stage comprised the attackers first harvesting access credentials from the
   compromised users (user, domain admin, and service accounts). They performed
   privilege escalation on non-administrative users in the targeted systems, and then
   moved on to gain access to key high-value targets, which included process experts and
   IT and non-IT specific server administrators.

   When attackers think they run the risk of being detected, they move much faster and
   generate a much "noisier" phase of attack. Since RSA detected this attack in progress, it is
   likely the attacker had to move very quickly to accomplish anything in this phase.

e. Carrying out the attack
   In the last stage of an APT, the goal is to extract what you can. The attacker in the RSA
   case established access to staging servers at key aggregation points; this was done to get
   ready for extraction. Then they went into the servers of interest, removed data and
   moved it to internal staging servers where the data was aggregated, compressed and
   encrypted for extraction.

   The attacker then used FTP to transfer many password protected RAR files from the
   RSA file server to an outside staging server at an external, compromised machine at a
   hosting provider. The files were subsequently pulled by the attacker and removed from
   the external compromised host to remove any traces of the attack.
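   The staging-and-FTP pattern described above leaves a footprint in ordinary egress logs. As an added illustration (not code from RSA or from this paper), the following Python flags an internal host that uploads several archive files to one external host within a short window; the log format, the internal address plan and the thresholds are assumptions made for the demonstration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample egress log (key=value style); not taken from RSA or the paper.
SAMPLE_LOG = """\
2011-03-14T02:13:55Z src=10.20.5.17 dst=203.0.113.9 proto=ftp cmd=STOR file=q1_report.xlsx bytes=204800
2011-03-14T02:15:02Z src=10.20.7.40 dst=203.0.113.45 proto=ftp cmd=STOR file=a01.rar bytes=52428800
2011-03-14T02:15:41Z src=10.20.7.40 dst=203.0.113.45 proto=ftp cmd=STOR file=a02.rar bytes=52428800
2011-03-14T02:16:20Z src=10.20.7.40 dst=203.0.113.45 proto=ftp cmd=STOR file=a03.rar bytes=52428800
2011-03-14T02:17:03Z src=10.20.7.40 dst=203.0.113.45 proto=ftp cmd=STOR file=a04.rar bytes=52428800
2011-03-14T02:20:10Z src=10.20.9.8 dst=10.20.1.5 proto=ftp cmd=STOR file=backup.rar bytes=734003200
2011-03-14T03:05:00Z src=10.20.5.17 dst=203.0.113.9 proto=ftp cmd=RETR file=price_list.pdf bytes=1048576
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"cmd=(?P<cmd>\S+) file=(?P<file>\S+) bytes=(?P<bytes>\d+)")

# Assumed internal address plan (RFC 1918); anything outside it counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ARCHIVE_EXT = (".rar", ".zip", ".7z")


def parse_log(text):
    """Parse key=value log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["bytes"] = int(e["bytes"])
        events.append(e)
    return events


def is_external(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def detect_archive_egress(events, window=timedelta(minutes=10),
                          min_files=3, min_bytes=100 * 2**20):
    """Alert when one internal host STORs several archive files to one external
    host within `window`, and the burst exceeds `min_files` and `min_bytes`."""
    uploads = defaultdict(list)
    for e in events:
        if e["proto"] != "ftp" or e["cmd"] != "STOR":
            continue
        if not e["file"].lower().endswith(ARCHIVE_EXT):
            continue
        if not is_external(e["dst"]):
            continue  # internal backups to internal servers are out of scope here
        uploads[(e["src"], e["dst"])].append(e)

    alerts = []
    for (src, dst), evs in uploads.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = [], 0
        for end in range(len(evs)):  # sliding window: densest burst per pair
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = evs[start:end + 1]
        total = sum(e["bytes"] for e in best)
        if len(best) >= min_files and total >= min_bytes:
            alerts.append({"src": src, "dst": dst, "files": len(best), "bytes": total,
                           "first": best[0]["ts"].isoformat(),
                           "last": best[-1]["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_archive_egress(parse_log(SAMPLE_LOG)):
        print(alert)
```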

f. Lessons learnt
   - Although technological controls like spam filters did their job, employee awareness
     of social engineering attacks was not widespread.
   - End-point security, hardening and a disciplined patch management cycle are the most
     crucial factors in preventing an APT from spreading.
   - Network monitoring and logging policies must leave a log trail from which the
     activities can be traced back for analysis at a later date.




5. CASE STUDY ANALYSIS: OPERATION AURORA [1]
a. Brief Summary
   Operation Aurora was a cyber attack first publicly disclosed by Google on January 12,
   2010, in a blog post. In the blog post, Google said the attack originated in China. The
   attacks demonstrated a high degree of sophistication, with strong indications of a well-
   resourced and consistent advanced persistent threat attack. The attack was aimed at
   well-placed MNCs such as Adobe Systems, Juniper Networks, Yahoo, Symantec,
   Northrop Grumman, Morgan Stanley etc.

   As a result of the attack, Google stated in its blog that it plans to operate a completely
   uncensored version of its search engine in China "within the law, if at all". If that is not
   possible, it may leave China and close its Chinese offices.

   Research by McAfee Labs discovered that “Aurora” was part of the file path on the
   attacker’s machine that was included in two of the malware binaries. The primary goal
   of the attack was to gain access to and potentially modify source code repositories at
   these high tech, security and defense contractor companies.

   Security experts immediately noted the sophistication of the attack. Two days after the
   attack became public, it was reported that attackers had exploited purported zero-day
   vulnerabilities (unfixed and previously unknown to the target system developers) in
   Internet Explorer. After a week, Microsoft issued a fix. Additional vulnerabilities were
   found in Perforce, the source code revision software used by Google to manage their
   source code.

b. Attack Rationale
   Corporate and state secrets espionage activity becomes bolder over time with little
   public acknowledgement or response from governments.

   According to a diplomatic cable from the U.S. Embassy in Beijing, a Chinese source
   reported that the Chinese Politburo directed the intrusion into Google's computer
   systems. The cable suggested that the attack was part of a coordinated campaign
   executed by "government operatives, public security experts and Internet outlaws
   recruited by the Chinese government."

   The report suggested that it was part of an ongoing campaign in which attackers have
   "broken into American government computers and those of Western allies, the Dalai
   Lama and American businesses since 2002." Operation Aurora was largely an attack
   used by the Chinese government to gain political power and influence over Western
   countries.




c. How "Operation Aurora" Worked
   Once a victim's system was compromised, a backdoor connection that masqueraded as
   an SSL connection made connections to command and control servers running in
   Illinois, Texas, and Taiwan, including machines that were running under stolen
   Rackspace customer accounts. The victim's machine then began exploring the protected
   corporate intranet that it was a part of, searching for other vulnerable systems as well
   as sources of intellectual property, specifically the contents of source code repositories.

d. Deciphering the code: Attack Analysis
   The name Operation Aurora was coined after virus analysts found unique strings in some
   of the malware involved in the attack. These strings are debug symbol file paths in source
   code that has apparently been custom-written for these attacks.

   Known samples of the main backdoor trojan behind Operation Aurora appear to be no
   older than 2009. It appears that development of Aurora has been in the works for quite
   some time – some of the custom modules in the Aurora codebase have compiler
   timestamps dating back to May 2006.

   The compiled component does use a resource section, but the author was careful to
   either compile the code on an English-language system or edit the language code in the
   binary after the fact. So, apart from the fact that PRC IP addresses have been used as
   control servers in the attacks, there is no "hard evidence" of involvement of the PRC or
   any agents thereof.

   However, one interesting clue in the binary points back to mainland China.

   The first thing that is unusual about the embedded CRC algorithm is the size of the table
   of constants (the incrementing values in the left pane of the assembly listing). Most 16-
   or 32-bit CRC algorithms use a hard-coded table of 256 constants. The CRC algorithm
   here uses a table of only 16 constants; basically a truncated version of the typical 256-
   value table.

   The most interesting aspect of this source code sample is that it is of Chinese origin,
   released as part of a Chinese-language paper on optimizing CRC algorithms for use in
   microcontrollers. The full paper was published in simplified Chinese characters, and all
   existing references and publications of the sample source code seem to be exclusively
   on Chinese websites. This CRC-16 implementation seems to be virtually unknown
   outside of China, as shown by a Google search for one of the key variables, "crc_ta[16]".
   At the time of this writing, almost every page with meaningful content concerning the
   algorithm is Chinese.

   This again gives a strong indication that Operation Aurora was orchestrated and funded
   with the backing of the government of China.
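   To make the "truncated table" observation concrete, the following Python is an added example (not code from this paper, from the Aurora binaries or from the Chinese paper): it builds a 16-entry nibble-driven CRC-16 table, shows that it computes the same checksum as the conventional 256-entry table, and scans a constructed binary blob for such a table, which is how a defender can recognise the pattern as a code-reuse indicator. The polynomial 0x1021 (CRC-16/CCITT) is assumed for the demonstration only, not a claim about the Aurora sample.

```python
import struct


def _shift_bit(crc, poly):
    """One MSB-first CRC clock: shift left, fold in poly if a 1 fell out of bit 15."""
    crc <<= 1
    if crc & 0x10000:
        crc ^= poly
    return crc & 0xFFFF


def make_nibble_table(poly):
    """16-entry table: entry i is the register after clocking nibble i
    (placed in the top four bits) out through the polynomial."""
    table = []
    for i in range(16):
        crc = i << 12
        for _ in range(4):
            crc = _shift_bit(crc, poly)
        table.append(crc)
    return table


def make_byte_table(poly):
    """The conventional 256-entry table, for comparison."""
    table = []
    for i in range(256):
        crc = i << 8
        for _ in range(8):
            crc = _shift_bit(crc, poly)
        table.append(crc)
    return table


def crc16_nibble(data, table, init=0):
    """Nibble-at-a-time CRC-16 driven by a 16-entry table (high nibble first)."""
    crc = init
    for byte in data:
        for nib in (byte >> 4, byte & 0x0F):
            crc = ((crc << 4) & 0xFFFF) ^ table[((crc >> 12) ^ nib) & 0x0F]
    return crc


def crc16_byte(data, table, init=0):
    """Byte-at-a-time CRC-16 driven by the 256-entry table."""
    crc = init
    for byte in data:
        crc = ((crc << 8) & 0xFFFF) ^ table[((crc >> 8) ^ byte) & 0xFF]
    return crc


def find_nibble_tables(blob):
    """Scan a binary blob for embedded 16-entry MSB-first CRC-16 nibble tables.

    Entry 1 of such a table always equals the polynomial (0x1000 shifted four
    times becomes 0x10000 ^ poly), so a 32-byte window is accepted when, read as
    16 little-endian uint16 values, entry 0 is zero and the whole array is
    regenerated from entry 1. Returns a list of (offset, polynomial) pairs.
    """
    hits = []
    for off in range(len(blob) - 32 + 1):
        vals = struct.unpack_from("<16H", blob, off)
        if vals[0] != 0 or vals[1] == 0:
            continue
        if list(vals) == make_nibble_table(vals[1]):
            hits.append((off, vals[1]))
    return hits


# Constructed sample "binary": 37 bytes of filler, then a nibble table for the
# assumed polynomial 0x1021, then more filler. Offsets are therefore known.
SAMPLE_BLOB = (bytes([0x55, 0xAA]) * 10 + bytes(17)
               + struct.pack("<16H", *make_nibble_table(0x1021))
               + bytes([0x00, 0xFF]) * 12)

if __name__ == "__main__":
    table16 = make_nibble_table(0x1021)
    print("crc_ta[16] =", " ".join("%04X" % v for v in table16))
    msg = b"123456789"
    print("nibble-table CRC: %04X" % crc16_nibble(msg, table16))
    print("byte-table CRC:   %04X" % crc16_byte(msg, make_byte_table(0x1021)))
    print("tables found in blob:", find_nibble_tables(SAMPLE_BLOB))
```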



e. Attack’s Aftermath
   The attacks were thought to have definitively ended on Jan 4 when the command and
   control servers were taken down, although it is not known at this point whether or not
   the attackers intentionally shut them down.

   Security researchers have continued to investigate the attacks. HBGary, a security firm,
   recently released a report in which they claim to have found some significant markers
   that might help identify the code developer. The firm also said that the code was
   Chinese language based but could not be specifically tied to any government entity.

   On February 19, 2010, a security expert investigating the cyber-attack on Google
   claimed that the people behind the attack were also responsible for the cyber-attacks
   made on several Fortune 100 companies in the previous one and a half years. They had
   also tracked the attack back to its point of origin, which seems to be two Chinese schools,
   Shanghai Jiao Tong University and Lanxiang Vocational School. As highlighted by The
   New York Times, both of these schools have ties with the Chinese search engine Baidu, a
   rival of Google China.

f. Lessons Learnt
   - APTs are not just traditional "malware". They are well-defined operations, fully
     supported by large organizations or governments with the strong backing of well-
     compensated, highly skilled programmers and hackers.
   - The aim of an APT is to gain power and create imbalance in the market by paralyzing
     governments or rival corporate organizations.
   - Industrial and government-sponsored espionage serves to keep the vested interests of
     competing corporations and states well satisfied.




6. MITIGATION AND EARLY DETECTION OF AN APT
  Here are some practical ways by which we can develop a proactive approach to mitigate
  and prevent the further spread of an APT in our organization:
  - Make sure that you have encryption and password features enabled on your
    smart phones and other mobile devices.
  - Use strong passwords, ones that combine upper and lower case letters, numbers,
    and special characters, and do not share them with anyone.
  - Use a separate password for every account.
  - Properly configure and patch operating systems, browsers, and other software
    programs.
  - Use and regularly update firewalls, anti-virus, and anti-spyware programs.
  - Don't use your work e-mail address as a "User Name" on non-work related sites.
  - Use common sense when communicating with users you DO and DO NOT know.
    Do not open e-mail or related attachments from un-trusted sources.
  - Don't reveal too much information about yourself on social media websites.
  - Verify Location Services settings on mobile devices.
  - Allow access to systems and data only to those who need it, and protect those
    access credentials.
  - Follow your organization's cyber security policies and report violations and
    issues immediately.
  - Learn to recognize a phishing website. Visit https://www.phish-no-phish.com to
    learn ways to identify one.




7. SECURITY SOLUTIONS TO PROTECT FROM APT
   There are many security solutions available that address your need for protection from
   APTs. Some of the most widely used are described below:

a. EMET
   EMET is a free utility that helps prevent vulnerabilities in software from being
   successfully exploited for code execution. It does so by opting software in to the latest
   security mitigation technologies. The result is that a wide variety of software is made
   significantly more resistant to exploitation – even against zero-day vulnerabilities and
   vulnerabilities for which an update has not yet been applied.

   EMET Highlights
   - Making configuration easy
   - Enterprise deployment via Group Policy and SCCM
   - Reporting capability via the new EMET Notifier feature
   - Configuration

   EMET 3.0 comes with three default "Protection Profiles". Protection Profiles are XML
   files that contain pre-configured EMET settings for common Microsoft and third-party
   applications.

b. Bit9 Parity Suite
   This solution provides an extensive list of features for protection against APTs:

   Features of Bit9:
   - Application Control/Whitelisting
   - Software Reputation Service
   - File Integrity Monitoring
   - Threat Identification
   - Device Control
   - Registry Protection
   - Memory Protection




8. HOW CAN WE HELP YOUR ORGANIZATION
a. Drafting Privileged ID Management Policy & Procedures
   It is easy to observe that privileged IDs represent the highest risk for data leakage in the
   organization. Such IDs are numerous due to the large number of systems and devices in
   any network. Managing the access of these IDs and monitoring their activities is of
   crucial importance for the prevention of APT attacks. Technology solutions such as
   Privileged Identity Management make this task easier, but they need to be combined
   with the right policy framework and comprehensive procedures.

   We can guide your organization in drafting Privileged ID Management Policy & Procedures:
   - Privileged ID allocation – the approval process for it
   - Privileged ID periodic review – the procedure for this
   - Monitoring of privileged ID activities – mechanisms and procedures for logging
     and monitoring privileged IDs
   - Revocation of a privileged ID – what happens when an administrator leaves the
     organization?
   - How vendor-supplied user IDs are managed
   - Managing shared/generic privileged IDs

b. Conducting Penetration 2.0 Exercises
   We conduct Social Engineering exercises to demonstrate how big an impact data leakage
   can have on your organization's information assets. Our Spear Phishing testing
   methodology will test your organization's preparedness against social engineering
   attacks. Since social engineering forms a vital part of the APT Life Cycle, the results from
   this exercise are an important indicator of your preparedness level against an APT attack.

c. Conducting User Awareness Workshops
   We also conduct user awareness workshops to train users about the pitfalls of getting
   trapped in social engineering attacks. Rather than just presenting the theoretical concepts,
   we simulate practical exercises to convey the impact of social engineering, which can
   bypass all the state-of-the-art technological controls in an organization.

d. Endpoint Security Solutions
   Network Intelligence has partnered with CyberArk, Seclore, Imperva and Boole Server
   for privileged ID management, and to achieve Confidentiality, Integrity and
   Availability of files and folders present in the network. These state-of-the-art
   endpoint solutions offer peace of mind in addressing your security needs.




9. REFERENCES
    1. http://en.wikipedia.org/wiki/Operation_Aurora
    2. http://en.wikipedia.org/wiki/Advanced_Persistent_Threat
    3. https://blogs.rsa.com/anatomy-of-an-attack/
    4. https://blogs.rsa.com/it-security-in-the-age-of-apts/
    5. http://www.secureworks.com/assets/pdf-store/articles/Lifecycle_of_an_APT_G.pdf
    6. http://www.issa-sac.org/info_resources/ISSA_20100219_HBGary_Advanced_Persistent_Threat.pdf
    7. http://www.ngsecurityeu.com/media/whitepapers/2012/ANRC_AdvancedPersistentThreats.pdf




 Confidential               Network Intelligence (India) Pvt. Ltd.   Page 19 of 19

Weitere ähnliche Inhalte

Was ist angesagt?

Complete Endpoint protection
Complete Endpoint protectionComplete Endpoint protection
Complete Endpoint protectionxband
 
Cyber security
Cyber securityCyber security
Cyber securitymanoj duli
 
Ch04 Network Vulnerabilities and Attacks
Ch04 Network Vulnerabilities and AttacksCh04 Network Vulnerabilities and Attacks
Ch04 Network Vulnerabilities and AttacksInformation Technology
 
Types of Threat Actors and Attack Vectors
Types of Threat Actors and Attack VectorsTypes of Threat Actors and Attack Vectors
Types of Threat Actors and Attack VectorsLearningwithRayYT
 
Security operation center
Security operation centerSecurity operation center
Security operation centerMuthuKumaran267
 
Cyber security and demonstration of security tools
Cyber security and demonstration of security toolsCyber security and demonstration of security tools
Cyber security and demonstration of security toolsVicky Fernandes
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingRaghav Bisht
 
Cyber security awareness
Cyber security awarenessCyber security awareness
Cyber security awarenessJason Murray
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Fabiha Shahzad
 
Cyber crime and security
Cyber crime and securityCyber crime and security
Cyber crime and securitySharath Raj
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodologyRashad Aliyev
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3Shawn Croswell
 
Cyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxCyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxAbimbolaFisher1
 

Was ist angesagt? (20)

Application security
Application securityApplication security
Application security
 
Complete Endpoint protection
Complete Endpoint protectionComplete Endpoint protection
Complete Endpoint protection
 
Cyber security
Cyber securityCyber security
Cyber security
 
Cyber security
Cyber securityCyber security
Cyber security
 
Ch04 Network Vulnerabilities and Attacks
Ch04 Network Vulnerabilities and AttacksCh04 Network Vulnerabilities and Attacks
Ch04 Network Vulnerabilities and Attacks
 
Types of Threat Actors and Attack Vectors
Types of Threat Actors and Attack VectorsTypes of Threat Actors and Attack Vectors
Types of Threat Actors and Attack Vectors
 
Security operation center
Security operation centerSecurity operation center
Security operation center
 
Cyber security and demonstration of security tools
Cyber security and demonstration of security toolsCyber security and demonstration of security tools
Cyber security and demonstration of security tools
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration Testing
 
CYBER SECURITY
CYBER SECURITYCYBER SECURITY
CYBER SECURITY
 
Cyber security awareness
Cyber security awarenessCyber security awareness
Cyber security awareness
 
Metasploit framwork
Metasploit framworkMetasploit framwork
Metasploit framwork
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Cyber security
Cyber securityCyber security
Cyber security
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)
 
Cyber crime and security
Cyber crime and securityCyber crime and security
Cyber crime and security
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodology
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3
 
Cyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxCyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptx
 

Ähnlich wie Advanced persistent threats(APT)

Information Security Awareness
Information Security AwarenessInformation Security Awareness
Information Security AwarenessDigit Oktavianto
 
Corporate threat vector and landscape
Corporate threat vector and landscapeCorporate threat vector and landscape
Corporate threat vector and landscapeyohansurya2
 
An Overview of Intrusion Detection and Prevention Systems (IDPS) and Security...
An Overview of Intrusion Detection and Prevention Systems (IDPS) and Security...An Overview of Intrusion Detection and Prevention Systems (IDPS) and Security...
An Overview of Intrusion Detection and Prevention Systems (IDPS) and Security...IOSR Journals
 
An Overview of Intrusion Detection and Prevention Systems (IDPS) and security...
An Overview of Intrusion Detection and Prevention Systems (IDPS) and security...An Overview of Intrusion Detection and Prevention Systems (IDPS) and security...
An Overview of Intrusion Detection and Prevention Systems (IDPS) and security...Ahmad Sharifi
 
The Custom Defense Against Targeted Attacks
The Custom Defense Against Targeted AttacksThe Custom Defense Against Targeted Attacks
The Custom Defense Against Targeted AttacksTrend Micro
 
Whitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-badWhitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-badbanerjeea
 
Deepfake Technology's Emergence: Exploring Its Impact on Cybersecurity
Deepfake Technology's Emergence: Exploring Its Impact on CybersecurityDeepfake Technology's Emergence: Exploring Its Impact on Cybersecurity
Deepfake Technology's Emergence: Exploring Its Impact on CybersecurityPC Doctors NET
 
Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)Hamisi Kibonde
 
Kudler Fine Foods IT Security Report And Presentation –...
Kudler Fine Foods IT Security Report And Presentation –...Kudler Fine Foods IT Security Report And Presentation –...
Kudler Fine Foods IT Security Report And Presentation –...Lana Sorrels
 
Ethical hacking a licence to hack
Ethical hacking a licence to hackEthical hacking a licence to hack
Ethical hacking a licence to hackDharmesh Makwana
 
Honeypot Methods and Applications
Honeypot Methods and ApplicationsHoneypot Methods and Applications
Honeypot Methods and Applicationsijtsrd
 
Cybersecurity: A Manufacturers Guide by Clearnetwork
Cybersecurity: A Manufacturers Guide by ClearnetworkCybersecurity: A Manufacturers Guide by Clearnetwork
Cybersecurity: A Manufacturers Guide by ClearnetworkClearnetwork
 
Anatomy of a cyber attack
Anatomy of a cyber attackAnatomy of a cyber attack
Anatomy of a cyber attackMark Silver
 
Information security
Information securityInformation security
Information securityRohit Gir
 
UN Presentation - 10-17-2018 - Maccaglia
UN Presentation - 10-17-2018 - MaccagliaUN Presentation - 10-17-2018 - Maccaglia
UN Presentation - 10-17-2018 - MaccagliaStefano Maccaglia
 
Introduction to cyber security
Introduction to cyber securityIntroduction to cyber security
Introduction to cyber securityAliyuMuhammadButu
 
Threats Intelligence and analysis . pptx
Threats Intelligence and analysis . pptxThreats Intelligence and analysis . pptx
Threats Intelligence and analysis . pptxbilal12rana21
 
Ashar Shaikh A-84 SEMINAR.pptx
Ashar Shaikh A-84 SEMINAR.pptxAshar Shaikh A-84 SEMINAR.pptx
Ashar Shaikh A-84 SEMINAR.pptxasharshaikh8
 
Ethical hacking a licence to hack
Ethical hacking a licence to hackEthical hacking a licence to hack
Ethical hacking a licence to hackamrutharam
 
Information Securityfind an article online discussing defense-in-d.pdf
Information Securityfind an article online discussing defense-in-d.pdfInformation Securityfind an article online discussing defense-in-d.pdf
Information Securityfind an article online discussing defense-in-d.pdfforladies
 

Ähnlich wie Advanced persistent threats(APT) (20)

Information Security Awareness
Information Security AwarenessInformation Security Awareness
Information Security Awareness
 
Corporate threat vector and landscape
Corporate threat vector and landscapeCorporate threat vector and landscape
Corporate threat vector and landscape
 
An Overview of Intrusion Detection and Prevention Systems (IDPS) and Security...
An Overview of Intrusion Detection and Prevention Systems (IDPS) and Security...An Overview of Intrusion Detection and Prevention Systems (IDPS) and Security...
An Overview of Intrusion Detection and Prevention Systems (IDPS) and Security...
 
An Overview of Intrusion Detection and Prevention Systems (IDPS) and security...
An Overview of Intrusion Detection and Prevention Systems (IDPS) and security...An Overview of Intrusion Detection and Prevention Systems (IDPS) and security...
An Overview of Intrusion Detection and Prevention Systems (IDPS) and security...
 
The Custom Defense Against Targeted Attacks
The Custom Defense Against Targeted AttacksThe Custom Defense Against Targeted Attacks
The Custom Defense Against Targeted Attacks
 
Whitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-badWhitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-bad
 
Deepfake Technology's Emergence: Exploring Its Impact on Cybersecurity
Deepfake Technology's Emergence: Exploring Its Impact on CybersecurityDeepfake Technology's Emergence: Exploring Its Impact on Cybersecurity
Deepfake Technology's Emergence: Exploring Its Impact on Cybersecurity
 
Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)
 
Kudler Fine Foods IT Security Report And Presentation –...
Kudler Fine Foods IT Security Report And Presentation –...Kudler Fine Foods IT Security Report And Presentation –...
Kudler Fine Foods IT Security Report And Presentation –...
 
Ethical hacking a licence to hack
Ethical hacking a licence to hackEthical hacking a licence to hack
Ethical hacking a licence to hack
 
Honeypot Methods and Applications
Honeypot Methods and ApplicationsHoneypot Methods and Applications
Honeypot Methods and Applications
 
Cybersecurity: A Manufacturers Guide by Clearnetwork
Cybersecurity: A Manufacturers Guide by ClearnetworkCybersecurity: A Manufacturers Guide by Clearnetwork
Cybersecurity: A Manufacturers Guide by Clearnetwork
 
Anatomy of a cyber attack
Anatomy of a cyber attackAnatomy of a cyber attack
Anatomy of a cyber attack
 
Information security
Information securityInformation security
Information security
 
UN Presentation - 10-17-2018 - Maccaglia
UN Presentation - 10-17-2018 - MaccagliaUN Presentation - 10-17-2018 - Maccaglia
UN Presentation - 10-17-2018 - Maccaglia
 
Introduction to cyber security
Introduction to cyber securityIntroduction to cyber security
Introduction to cyber security
 
Threats Intelligence and analysis . pptx
Threats Intelligence and analysis . pptxThreats Intelligence and analysis . pptx
Threats Intelligence and analysis . pptx
 
Ashar Shaikh A-84 SEMINAR.pptx
Ashar Shaikh A-84 SEMINAR.pptxAshar Shaikh A-84 SEMINAR.pptx
Ashar Shaikh A-84 SEMINAR.pptx
 
Ethical hacking a licence to hack
Ethical hacking a licence to hackEthical hacking a licence to hack
Ethical hacking a licence to hack
 
Information Securityfind an article online discussing defense-in-d.pdf
Information Securityfind an article online discussing defense-in-d.pdfInformation Securityfind an article online discussing defense-in-d.pdf
Information Securityfind an article online discussing defense-in-d.pdf
 

Mehr von Network Intelligence India

ISO 27004- Information Security Metrics Implementation
ISO 27004- Information Security Metrics ImplementationISO 27004- Information Security Metrics Implementation
ISO 27004- Information Security Metrics ImplementationNetwork Intelligence India
 
IT Act 2000 Penalties, Offences with case studies
IT Act 2000 Penalties, Offences with case studies IT Act 2000 Penalties, Offences with case studies
IT Act 2000 Penalties, Offences with case studies Network Intelligence India
 
Distributed Denial of Service (DDos) Testing Methodology
Distributed Denial of Service (DDos) Testing MethodologyDistributed Denial of Service (DDos) Testing Methodology
Distributed Denial of Service (DDos) Testing MethodologyNetwork Intelligence India
 

Mehr von Network Intelligence India (20)

Vapt pci dss methodology ppt v1.0
Vapt pci dss methodology ppt v1.0Vapt pci dss methodology ppt v1.0
Vapt pci dss methodology ppt v1.0
 
The Economics of Security
The Economics of SecurityThe Economics of Security
The Economics of Security
 
Web Application Security Strategy
Web Application Security Strategy Web Application Security Strategy
Web Application Security Strategy
 
ISO 27004- Information Security Metrics Implementation
ISO 27004- Information Security Metrics ImplementationISO 27004- Information Security Metrics Implementation
ISO 27004- Information Security Metrics Implementation
 
National Cyber Security Policy 2013
National Cyber Security Policy 2013National Cyber Security Policy 2013
National Cyber Security Policy 2013
 
RBI Gopalakrishna Committee Report on IT
RBI Gopalakrishna Committee Report on ITRBI Gopalakrishna Committee Report on IT
RBI Gopalakrishna Committee Report on IT
 
PCI DSS for Penetration Testing
PCI DSS for Penetration TestingPCI DSS for Penetration Testing
PCI DSS for Penetration Testing
 
Understanding Governance
Understanding GovernanceUnderstanding Governance
Understanding Governance
 
Cyber Security in Civil Aviation
Cyber Security in Civil AviationCyber Security in Civil Aviation
Cyber Security in Civil Aviation
 
Spear Phishing Methodology
Spear Phishing MethodologySpear Phishing Methodology
Spear Phishing Methodology
 
Mobile Device Management (MDM)
Mobile Device Management (MDM)Mobile Device Management (MDM)
Mobile Device Management (MDM)
 
IT Act 2000 Penalties, Offences with case studies
IT Act 2000 Penalties, Offences with case studies IT Act 2000 Penalties, Offences with case studies
IT Act 2000 Penalties, Offences with case studies
 
Information Rights Management (IRM)
Information Rights Management (IRM)Information Rights Management (IRM)
Information Rights Management (IRM)
 
Distributed Denial of Service (DDos) Testing Methodology
Distributed Denial of Service (DDos) Testing MethodologyDistributed Denial of Service (DDos) Testing Methodology
Distributed Denial of Service (DDos) Testing Methodology
 
Data Leakage Prevention (DLP)
Data Leakage Prevention (DLP)Data Leakage Prevention (DLP)
Data Leakage Prevention (DLP)
 
XML Interfaces to the popular Nessus Scanner
XML Interfaces to the popular Nessus ScannerXML Interfaces to the popular Nessus Scanner
XML Interfaces to the popular Nessus Scanner
 
Cyber fraud in banks
Cyber fraud in banksCyber fraud in banks
Cyber fraud in banks
 
Advanced persistent threats
Advanced persistent threatsAdvanced persistent threats
Advanced persistent threats
 
Who will guard the guards
Who will guard the guardsWho will guard the guards
Who will guard the guards
 
Application security enterprise strategies
Application security enterprise strategiesApplication security enterprise strategies
Application security enterprise strategies
 

Kürzlich hochgeladen

Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 

Kürzlich hochgeladen (20)

Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 

Advanced persistent threats(APT)

  • 1. ADVANCED PERSISTENT THREATS – MITIGATION SERVICES & SOLUTIONS From With all the buzz surrounding the term Advanced Persistent Threats (APTs), we decided to de-mystify the jargon and present the view from the trenches.
  • 2. Advanced Persistent Threats Document Tracker Author Version Summary of Changes Manasdeep November 2012 Document Created Confidential  Network Intelligence (India) Pvt. Ltd. Page 2 of 19
  • 3. Advanced Persistent Threats NOTICE This document contains information which is the intellectual property of Network Intelligence. This document is received in confidence and its contents cannot be disclosed or copied without the prior written consent of Network Intelligence. Nothing in this document constitutes a guaranty, warranty, or license, expressed or implied. Network Intelligence disclaims all liability for all such guaranties, warranties, and licenses, including but not limited to: Fitness for a particular purpose; merchantability; non infringement of intellectual property or other rights of any third party or of Network Intelligence; indemnity; and all others. The reader is advised that third parties can have intellectual property rights that can be relevant to this document and the technologies discussed herein, and is advised to seek the advice of competent legal counsel, without obligation of Network Intelligence. Network Intelligence retains the right to make changes to this document at any time without notice. Network Intelligence makes no warranty for the use of this document and assumes no responsibility for any errors that can appear in the document nor does it make a commitment to update the information contained herein. Copyright Copyright. Network Intelligence (India) Pvt. Ltd. All rights reserved. NII Consulting, AuditPro, Firesec, NX27K is a registered trademark of Network Intelligence India Pvt. Ltd. Trademarks Other product and corporate names may be trademarks of other companies and are used only for explanation and to the owners' benefit, without intent to infringe. NII CONTACT DETAILS Network Intelligence India Pvt. Ltd. 204 Ecospace,Old Nagardas Road,Near Andheri Subway, Andheri (E), Mumbai 400 069, India Tel: +91-22-2839-2628 +91-22-4005-2628 Fax: +91-22-2837-5454 Email: info@niiconsulting.com Confidential  Network Intelligence (India) Pvt. Ltd. Page 3 of 19
  • 4. Advanced Persistent Threats Contents 1. Introduction .............................................................................................................................. 5 2. Spear Phishing ........................................................................................................................... 7 3. Advanced Persistent Threat Life Cycle:....................................................................................... 8 a. Preparation............................................................................................................................ 8 b. Initial intrusion....................................................................................................................... 8 c. Expansion .............................................................................................................................. 8 d. Persistence ............................................................................................................................ 8 e. Search and Exfiltration ........................................................................................................... 8 f. Cleanup ................................................................................................................................. 9 4. Case Study Analysis: RSA SecureID hack ................................................................................... 10 5. Case Study Analysis: Operation Aurora .................................................................................... 13 6. Mitigation and early detection of an APT ................................................................................. 16 7. Security solutions to protect from APT ..................................................................................... 17 8. How can we help your organization ......................................................................................... 18 9. 
References............................................................................................................................... 19 Confidential  Network Intelligence (India) Pvt. Ltd. Page 4 of 19
1. INTRODUCTION

Advanced Persistent Threats (APTs) are a serious concern because they threaten an organization's intellectual property, financial assets and reputation. In some cases these threats target critical infrastructure and government institutions, thereby threatening the country's national security itself. Defensive tools and other controls are frequently rendered ineffective because the actors behind the intrusion are focused on a specific target and quickly adapt their methods to predict and circumvent security controls and standard incident response practices. As a result, an effective and efficient defence strategy requires good situational awareness and understanding.

What are Advanced Persistent Threats? [2]

Advanced Persistent Threat (APT) refers to a long-term pattern of targeted hacking attacks that use subversive and stealthy means to gain continual, persistent exfiltration of intellectual capital. The entry point for espionage activity is often the unsuspecting end user or weak perimeter security. Before an APT attack is crafted, extensive research is done using social media sites and publicly available documents on the organization, its processes, its technology and its people. The defence doctrine for APTs must change from "keep attackers out" to "sometimes attackers are going to get in; detect them as early as possible and minimize the damage."

Why the term Advanced Persistent Threat? [2]

Advanced – Attackers have a full spectrum of intelligence-gathering techniques at their disposal. These may include computer intrusion technologies and techniques, but also extend to conventional intelligence-gathering techniques. They often combine multiple targeting methods, tools and techniques in order to reach and compromise their target and maintain access to it.

Persistent – Attackers give priority to a specific task, rather than seeking information for financial or other gain. If the attacker loses access, they re-attempt access, often successfully. One of the attacker's goals is to maintain long-term access to the target, in contrast to threats that only need access to execute a specific task.

Threat – APTs are a threat because they have both capability and intent. APT attacks are executed by coordinated human actions, rather than by mindless and automated pieces of code. The attackers have a specific objective and are skilled, motivated, organized and well funded.

What makes APTs so dangerous?

• APT attacks concentrate on people first and not on infrastructure details directly. Since people are the weakest link in organizational security, the chances of a data breach are higher than with the traditional methods used by hackers.
• A simple "voluntary action" by an innocent employee who takes socially engineered bait will bypass all the protection that technology puts forward.
• If people are not properly educated or trained to combat social engineering, it is very difficult to contain the attack in the first place.
• APTs are silent, highly sophisticated, well-crafted attack paradigms. They frequently use customized code, a combination of several zero-day exploits and extensive research on both the targeted employees and the asset to be compromised, along with a well-planned method to clean up all evidence of their activity once the objective has been achieved.
• The attackers carrying out an APT are highly skilled hackers with large resources at their disposal to find various ways into a given organization.
• Frequently these attackers are backed by massive funding, research and, in some countries, even government-level support.
• The focus of an APT is to obtain very specific information about the prized asset, or to perform a very specific action once it reaches that resource.
• This makes an APT a very stealthy attack that leaves a very small forensic footprint on compromised machines, as it refrains from any unwanted "noisy" activity on the network.
• APTs are quite difficult to detect and to trace back to their original sources.
• An APT may lie dormant on compromised systems for many months or even a few years, activating only when a specific action or a certain time occurs.
2. SPEAR PHISHING

Spear phishing is a deceptive communication technique in which the victim is lured by e-mail, text message or tweet into clicking a malicious link or downloading a malicious file. The common objective is to compromise the victim's machine by stealthily installing a backdoor that provides remote, unauthorized access to confidential data. Such attempts are most likely to be conducted by attackers seeking financial gain, trade secrets or sensitive information. Spear phishing is a popular technique in cyber espionage and forms a vital part of the Advanced Persistent Threat life cycle.
3. ADVANCED PERSISTENT THREAT LIFE CYCLE [5]

a. Preparation

The "Preparation" phase includes the following aspects of the life cycle:
• Define target
• Find and organize accomplices
• Build or acquire tools
• Research target/infrastructure/employees
• Test for detection

APT attack and exploitation operations typically involve a high degree of preparation. Additional assets and data may be needed before plans can be carried out. Highly complex operations may be required before the exploitation plan can be executed against the primary target(s).

b. Initial Intrusion

The "Initial Intrusion" phase includes the following aspects of the life cycle:
• Deployment
• Initial intrusion
• Outbound connection initiated

After the attacker completes preparations, the next step is an attempt to gain a foothold in the target's environment. An extremely common entry tactic is a spear phishing e-mail containing a web link or attachment.

c. Expansion

The "Expansion" phase includes the following aspects of the life cycle:
• Expand access and obtain credentials
• Strengthen foothold

The objective of this phase is to gain access to additional systems and to authentication material that will allow access to further systems.

d. Persistence

The "Persistence" phase spans numerous aspects of the life cycle. Overcoming a target's perimeter defenses and establishing a foothold inside the network can require substantial effort. Between the time APT actors establish a foothold and the time when there is no further use for the assets or for existing and future data, APT actors employ various strategies to maintain access.

e. Search and Exfiltration

The "Search and Exfiltration" phase includes the following aspect:
• Exfiltrate data

The ultimate target of network exploitation is generally a resource that can be used for future exploits, or documents and data that have financial or other perceived worth to the intruder. A popular approach to search and exfiltration is to take everything from the network that might be of interest. Frequently examined locations include the infected user's documents folder, shared drives on file servers, the user's local e-mail file and e-mail from the central e-mail server.

f. Cleanup

The "Cleanup" phase includes the following aspect of the life cycle:
• Cover tracks and remain undetected

Cleanup efforts during an intrusion focus on avoiding detection, removing evidence of the intrusion and of what was targeted, and eliminating evidence of who was behind the event. The better the APT actors are at covering their tracks, the harder it is for victims to assess the impact of the intrusion.
4. CASE STUDY ANALYSIS: RSA SECURID HACK [3][4]

a. Brief Summary

Around March 2011, the RSA SecurID system was attacked using a sophisticated APT attack paradigm. A series of spear-phishing e-mails titled "2011 Recruitment Plan" were sent to small groups of low-profile RSA employees. Although they landed in Junk folders, the e-mail title was interesting enough to persuade an RSA employee to open the Excel spreadsheet attachment. The Excel sheet carried an exploit for the (now patched) Adobe Flash zero-day flaw CVE-2011-0609. Starting from one Trojan-compromised machine, the attackers harvested credentials and made their way up the RSA hierarchy, ultimately gaining privileged access to the targeted system. The targeted data and files were stolen and sent to an external compromised machine at a hosting provider. Fortunately, RSA saw the attack and, using its NetWitness implementation, stopped it before more damage could be done.

b. What went wrong?

Even though the spam filters did their job by directing the mail to Junk folders, the interestingly titled e-mail was enough to entice one employee to deliberately pull the mail out and open the attachment. This was the typical first stage of an APT attack: social engineering done via spear phishing. The attackers collected intelligence on the organization's people, not its infrastructure, and then sent spear-phishing e-mail to the employees of interest. The zero-day installed a backdoor through an Adobe Flash vulnerability (CVE-2011-0609) that was present in older versions of Adobe software. Typically, Adobe Reader is seen only as a PDF viewer and is therefore not patched as regularly as the mainstream updates rolled out by Microsoft Windows and Oracle, which are typically licensed by the firm. Hence the attackers had found a way to sneak inside the RSA network through vulnerabilities present on the end-point, gaining access to users' PCs. Once inside, privilege escalation attacks were carried out by constantly updating the Trojan remotely. Looking at the list of users that were targeted, you do not see any glaring insights; nothing that spells high-profile or high-value targets.

c. What made the attacks difficult to detect?

The rationale of a remote administration tool is simply to allow external control of the PC or server. Such tools are set up in a reverse-connect mode: they pull commands from the central command and control servers and then execute them, rather than having commands pushed to them from outside. This connectivity method makes them more difficult to detect, as the PC reaches out to the command and control server rather than the other way around. Since the attacks use a combination of social engineering and vulnerabilities on the end-point to access users' PCs, they are difficult to detect: they are activated by a "volunteering" action taken by the victim and are not forced. Once inside the network, the attackers only have to find their way to the intended target using privilege escalation attacks, remotely updating and improving the Trojan as they go.

d. Spreading of the attack

Once inside the RSA network, the APT moved laterally. The attackers still needed users with more access: more admin rights to relevant services and servers, and so on. This was done very patiently, as the attackers knew that any kind of fast and "noisy" activity would attract attention from network monitoring tools. The second stage consisted of the attackers first harvesting access credentials from the compromised users (user, domain admin and service accounts). They performed privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high-value targets, which included process experts and IT and non-IT specific server administrators. When attackers think they run the risk of being detected, they move much faster and generate a much "noisier" phase of attack. Since RSA detected this attack in progress, it is likely the attacker had to move very quickly to accomplish anything in this phase.

e. Carrying out the attack

In the last stage of an APT, the goal is to extract whatever can be extracted. The attacker in the RSA case established access to staging servers at key aggregation points in preparation for extraction. They then went into the servers of interest, removed data and moved it to internal staging servers, where the data was aggregated, compressed and encrypted for extraction.
The attacker then used FTP to transfer many password-protected RAR files from the RSA file server to an outside staging server on an external, compromised machine at a hosting provider. The files were subsequently pulled by the attacker and removed from the external compromised host to remove any trace of the attack.

f. Lessons learnt

• Although technological controls like spam filters did their job, employee awareness of social engineering attacks was not widespread.
• Securing the end-point, hardening and the patch management cycle are the most crucial factors in preventing an APT from spreading.
• Network monitoring and logging policies must leave a log trail from which activities can be traced back for analysis at a later date.
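The reverse-connect behaviour described in section c above means the compromised PC initiates every contact with its command and control server, which in practice happens on a schedule, and the log trail called for in the last lesson is exactly what lets a defender see it. The following added example (written for this page, not code from the paper, Network Intelligence or RSA) flags internal hosts whose connections to one destination show near-constant timing; the log format, hosts and addresses are constructed for illustration.

```python
"""Beacon detection over outbound connection records.

Added example, not from the paper. A reverse-connect tool polls its
command and control server at roughly regular intervals, so per
(source, destination) pair the gaps between connections have a very low
coefficient of variation; ordinary browsing does not. The log format
and every record below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# constructed outbound-connection log: "<ISO time> <src> <dst>:<port> <bytes>"
SAMPLE_LOG = """\
2011-03-01T09:00:00 10.0.5.23 203.0.113.10:443 612
2011-03-01T09:00:12 10.0.5.23 198.51.100.7:443 14020
2011-03-01T09:05:00 10.0.5.23 203.0.113.10:443 610
2011-03-01T09:07:41 10.0.5.23 198.51.100.7:443 8822
2011-03-01T09:10:01 10.0.5.23 203.0.113.10:443 615
2011-03-01T09:15:00 10.0.5.23 203.0.113.10:443 609
2011-03-01T09:19:55 10.0.5.23 198.51.100.7:443 30100
2011-03-01T09:20:00 10.0.5.23 203.0.113.10:443 611
2011-03-01T09:24:59 10.0.5.23 203.0.113.10:443 614
2011-03-01T09:41:10 10.0.5.23 198.51.100.7:443 2210
"""


def parse_log(text):
    """Yield (timestamp, src, dst) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        yield datetime.fromisoformat(ts), src, dst


def find_beacons(records, min_count=5, max_cv=0.05):
    """Group connections per (src, dst) and flag pairs whose inter-connection
    gaps are nearly constant: coefficient of variation (stdev / mean) at or
    below max_cv over at least min_count connections.

    Returns {(src, dst): average_gap_seconds} for the flagged pairs."""
    times = defaultdict(list)
    for ts, src, dst in records:
        times[(src, dst)].append(ts)
    flagged = {}
    for pair, stamps in times.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            flagged[pair] = round(avg)
    return flagged


if __name__ == "__main__":
    for (src, dst), period in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst} every ~{period}s (possible beacon)")
```

In the constructed log the 5-minute polling of 203.0.113.10 is flagged while the irregular traffic to 198.51.100.7 is not; on real data the thresholds need tuning and a whitelist for legitimate pollers such as update and mail clients.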
5. CASE STUDY ANALYSIS: OPERATION AURORA [1]

a. Brief Summary

Operation Aurora was a cyber attack first publicly disclosed by Google in a blog post on January 12, 2010. In the blog post, Google said the attack originated in China. The attacks demonstrated a high degree of sophistication, with strong indications of a well-resourced and consistent advanced persistent threat. The attack was aimed at well-placed MNCs such as Adobe Systems, Juniper Networks, Yahoo, Symantec, Northrop Grumman, Morgan Stanley and others. As a result of the attack, Google stated in its blog that it plans to operate a completely uncensored version of its search engine in China "within the law, if at all", and that if this is not possible it may leave China and close its Chinese offices. Research by McAfee Labs discovered that "Aurora" was part of the file path on the attacker's machine that was included in two of the malware binaries. The primary goal of the attack was to gain access to, and potentially modify, source code repositories at these high-tech, security and defense contractor companies. Security experts immediately noted the sophistication of the attack. Two days after the attack became public, it was reported that the attackers had exploited purported zero-day vulnerabilities (unfixed and previously unknown to the target system's developers) in Internet Explorer. After a week, Microsoft issued a fix. Additional vulnerabilities were found in Perforce, the source code revision software used by Google to manage its source code.

b. Attack Rationale

Corporate and state espionage activity becomes bolder over time when there is little public acknowledgement or response from governments. According to a diplomatic cable from the U.S. Embassy in Beijing, a Chinese source reported that the Chinese Politburo directed the intrusion into Google's computer systems. The cable suggested that the attack was part of a coordinated campaign executed by "government operatives, public security experts and Internet outlaws recruited by the Chinese government." The report suggested that it was part of an ongoing campaign in which attackers have "broken into American government computers and those of Western allies, the Dalai Lama and American businesses since 2002." Operation Aurora was largely an attack used by the Chinese government to gain political power and influence over Western countries.
c. "Operation Aurora" Working

Once a victim's system was compromised, a backdoor connection that masqueraded as an SSL connection connected to command and control servers running in Illinois, Texas and Taiwan, including machines running under stolen Rackspace customer accounts. The victim's machine then began exploring the protected corporate intranet it was part of, searching for other vulnerable systems as well as sources of intellectual property, specifically the contents of source code repositories.

d. Deciphering the code: Attack Analysis

The name Operation Aurora was coined after virus analysts found unique strings in some of the malware involved in the attack. These strings are debug symbol file paths in source code that has apparently been custom-written for these attacks. Known samples of the main backdoor Trojan behind Operation Aurora appear to be no older than 2009. It appears that development of Aurora had been in the works for quite some time: some of the custom modules in the Aurora codebase have compiler timestamps dating back to May 2006. The compiled component does use a resource section, but the author was careful either to compile the code on an English-language system or to edit the language code in the binary after the fact. So apart from the fact that PRC IP addresses have been used as control servers in the attacks, there is no "hard evidence" of involvement of the PRC or any of its agents. However, one interesting clue in the binary points back to mainland China. The first unusual thing about the embedded CRC algorithm is the size of its table of constants (the incrementing values in the left pane of the assembly listing). Most 16- or 32-bit CRC algorithms use a hard-coded table of 256 constants. The CRC algorithm here uses a table of only 16 constants, basically a truncated version of the typical 256-value table. The most interesting aspect of this source code sample is that it is of Chinese origin, released as part of a Chinese-language paper on optimizing CRC algorithms for use in microcontrollers. The full paper was published in simplified Chinese characters, and all existing references to and publications of the sample source code seem to be exclusively on Chinese websites. This CRC-16 implementation seems to be virtually unknown outside China, as shown by a Google search for one of its key variables, "crc_ta[16]". At the time of writing, almost every page with meaningful content concerning the algorithm is Chinese. This again gives a strong indication that Operation Aurora was orchestrated and funded with the backing of the Chinese federal government.
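The 16-constant table described above is the nibble-at-a-time form of a table-driven CRC-16: each byte is fed through the table as two 4-bit lookups, which is why a microcontroller-oriented paper would favour it. The added example below (written for this page, not code from the paper or from the Aurora samples) builds both the usual 256-entry table and the 16-entry one for the same polynomial and shows they yield the same checksum, then scans a constructed byte blob for the packed constants the way an analyst might check a sample. It assumes the CRC-16/CCITT polynomial 0x1021 with MSB-first processing, which the paper does not state; only the variable name crc_ta is taken from the paper.

```python
"""Nibble-wise CRC-16 (16-entry table) versus byte-wise CRC-16 (256-entry table).

Added example, not from the paper or the Aurora samples. Assumption: the
CRC-16/CCITT polynomial 0x1021, processed MSB first; the paper only says the
binary embeds a CRC with a 16-constant table named crc_ta.
"""
import struct

CCITT_POLY = 0x1021


def _shift_bits(crc, nbits, poly):
    """Shift nbits zero bits through a 16-bit MSB-first CRC register."""
    for _ in range(nbits):
        if crc & 0x8000:
            crc = ((crc << 1) ^ poly) & 0xFFFF
        else:
            crc = (crc << 1) & 0xFFFF
    return crc


def make_byte_table(poly=CCITT_POLY):
    """The usual 256-entry table: CRC contribution of each possible byte."""
    return [_shift_bits(byte << 8, 8, poly) for byte in range(256)]


def make_nibble_table(poly=CCITT_POLY):
    """The truncated 16-entry table: CRC contribution of each 4-bit nibble."""
    return [_shift_bits(nib << 12, 4, poly) for nib in range(16)]


BYTE_TABLE = make_byte_table()
crc_ta = make_nibble_table()  # the 16 constants; name follows the paper


def crc16_byte_table(data, init=0):
    """Standard byte-at-a-time CRC-16 using the 256-entry table."""
    crc = init
    for b in data:
        crc = ((crc << 8) & 0xFFFF) ^ BYTE_TABLE[((crc >> 8) ^ b) & 0xFF]
    return crc


def crc16_nibble_table(data, init=0):
    """Same CRC computed 4 bits at a time with only 16 constants: two table
    lookups per byte instead of one, but a table 16 times smaller."""
    crc = init
    for b in data:
        for nib in (b >> 4, b & 0x0F):
            crc = ((crc << 4) & 0xFFFF) ^ crc_ta[((crc >> 12) ^ nib) & 0x0F]
    return crc


def find_table_offset(blob, table=crc_ta):
    """Offset of the 16 constants packed as little-endian uint16 in a byte
    blob, or -1 if absent. Constructed helper showing how an analyst could
    look for the truncated table in a sample once the polynomial is known."""
    return blob.find(struct.pack("<16H", *table))


if __name__ == "__main__":
    msg = b"123456789"
    print(hex(crc16_byte_table(msg)), hex(crc16_nibble_table(msg)))
    # constructed blob: the packed table surrounded by filler bytes
    sample = b"\x90" * 7 + struct.pack("<16H", *crc_ta) + b"\xCC" * 5
    print(find_table_offset(sample))
```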
e. Attack's Aftermath

The attacks were thought to have definitively ended on January 4, when the command and control servers were taken down, although it is not known whether the attackers intentionally shut them down. Security researchers have continued to investigate the attacks. HBGary, a security firm, recently released a report in which they claim to have found some significant markers that might help identify the code's developer. The firm also said that the code was Chinese-language based but could not be specifically tied to any government entity. On February 19, 2010, a security expert investigating the cyber attack on Google claimed that the people behind the attack were also responsible for the cyber attacks made on several Fortune 100 companies in the past one and a half years. They also tracked the attack back to its point of origin, which seems to be two Chinese schools, Shanghai Jiao Tong University and Lanxiang Vocational School. As highlighted by The New York Times, both of these schools have ties with the Chinese search engine Baidu, a rival of Google China.

f. Lessons Learnt

• APTs are not just traditional "malware". They are well defined and fully supported by large organizations or governments, with the strong backing of well-compensated, highly skilled programmers and hackers.
• The aim of an APT is to gain power and create imbalance in the market by paralyzing governments or rival corporate organizations.
• Industrial and government-sponsored espionage keeps the vested interests of competing corporations and states well satisfied.
6. MITIGATION AND EARLY DETECTION OF AN APT

Here are some practical ways to develop a proactive approach to mitigating and preventing the further spread of an APT in your organization:

• Make sure that encryption and password features are enabled on your smartphones and other mobile devices.
• Use strong passwords that combine upper- and lower-case letters, numbers and special characters, and do not share them with anyone.
• Use a separate password for every account.
• Properly configure and patch operating systems, browsers and other software.
• Use and regularly update firewalls, anti-virus and anti-spyware programs.
• Don't use your work e-mail address as a "User Name" on non-work-related sites.
• Use common sense when communicating with users you DO and DO NOT know. Do not open e-mail or attachments from untrusted sources.
• Don't reveal too much information about yourself on social media websites.
• Verify Location Services settings on mobile devices.
• Allow access to systems and data only to those who need it, and protect those access credentials.
• Follow your organization's cyber security policies and report violations and issues immediately.
• Learn to recognize a phishing website. Visit https://www.phish-no-phish.com to learn ways to identify one.
7. SECURITY SOLUTIONS TO PROTECT FROM APT

There are many security solutions available that address your need for protection from APTs. Some of the popular ones are as follows:

a. EMET

EMET is a free utility that helps prevent vulnerabilities in software from being successfully exploited for code execution. It does so by opting software in to the latest security mitigation technologies. The result is that a wide variety of software is made significantly more resistant to exploitation, even against zero-day vulnerabilities and vulnerabilities for which an update has not yet been applied.

EMET Highlights
• Making configuration easy
• Enterprise deployment via Group Policy and SCCM
• Reporting capability via the new EMET Notifier feature
• Configuration: EMET 3.0 comes with three default "Protection Profiles". Protection Profiles are XML files that contain pre-configured EMET settings for common Microsoft and third-party applications.

b. Bit9 Parity Suite

This solution provides an extensive list of features for protection against APTs.

Features of Bit9:
• Application Control/Whitelisting
• Software Reputation Service
• File Integrity Monitoring
• Threat Identification
• Device Control
• Registry Protection
• Memory Protection
8. HOW CAN WE HELP YOUR ORGANIZATION

a. Drafting Privileged ID Management Policy & Procedures

It is easy to observe that privileged IDs represent the highest risk of data leakage in the organization. Such IDs are numerous because of the large number of systems and devices in any network. Managing the access of these IDs and monitoring their activities is of crucial importance for the prevention of APT attacks. Technology solutions such as Privileged Identity Management make this task easier, but they need to be combined with the right policy framework and comprehensive procedures.

We can guide your organization in drafting Privileged ID Management Policy & Procedures covering:
• Privileged ID allocation: the approval mechanism for it
• Privileged ID periodic review: the procedure for this
• Monitoring of privileged ID activities: mechanisms and procedures for logging and monitoring privileged IDs
• Revocation of a privileged ID: what happens when an administrator leaves the organization?
• How vendor-supplied user IDs are managed
• Managing shared/generic privileged IDs

b. Conducting Penetration 2.0 Exercises

We conduct Social Engineering exercises to demonstrate how big an impact data leakage can have on your organization's information assets. Our Spear Phishing testing methodology tests your organization's preparedness against social engineering attacks. Since social engineering forms a vital part of the APT life cycle, the results of this exercise are an important indicator of your preparedness level against an APT attack.

c. Conducting User Awareness Workshops

We also conduct user awareness workshops to train users about the pitfalls of getting trapped by social engineering attacks. Rather than just presenting theoretical concepts, we simulate practical exercises to convey the impact of social engineering, which can bypass all the state-of-the-art technological controls in an organization.

d. Endpoint Security Solutions

Network Intelligence has partnered with CyberArk, Seclore, Imperva and Boole Server to manage privileged ID management and achieve Confidentiality, Integrity and Availability of files and folders present on the network. Using these state-of-the-art endpoint solutions offers peace of mind in addressing your security needs.
9. REFERENCES

1. http://en.wikipedia.org/wiki/Operation_Aurora
2. http://en.wikipedia.org/wiki/Advanced_Persistent_Threat
3. https://blogs.rsa.com/anatomy-of-an-attack/
4. https://blogs.rsa.com/it-security-in-the-age-of-apts/
5. http://www.secureworks.com/assets/pdf-store/articles/Lifecycle_of_an_APT_G.pdf
6. http://www.issa-sac.org/info_resources/ISSA_20100219_HBGary_Advanced_Persistent_Threat.pdf
7. http://www.ngsecurityeu.com/media/whitepapers/2012/ANRC_AdvancedPersistentThreats.pdf