It has been a recurring theme for corporate victims of a major breach to publicly state that the attack perpetrated on them was sophisticated. Some may even go so far as to have their third-party DFIR partner(s) make statements on their behalf to the effect that the attack would have been successful at most companies. All this is done in an attempt to avoid the dreaded assumption of IT security negligence on their part. Imagine if the press release stated that the attack might have been thwarted had they implemented the processes and controls recommended by internal staff years ago.
While we will never read that statement, many practitioners are left to wonder what was so unique and advanced about the attack. In this presentation we analyze existing public attacks against traits that are more common in truly advanced attacks. These include, but are not limited to, the ability to operate undetected, precise targeting, use of non-public zero days and custom payloads, the ability to defeat in-place security controls, strong operational security, speed and, of course, overall effectiveness. We will also draw clear delineations between what constitutes an advanced attack versus an advanced adversary. The output will be a model that can be applied to help characterize your adversaries' capabilities.
BSides San Diego 2017 - Sophisticuffs: The rumble over adversary sophistication
1. 2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
SOPHISTICUFFS: THE RUMBLE
OVER ADVERSARY SOPHISTICATION
PAUL JARAMILLO
PAUL JARAMILLO
Twitter @DFIR_Janitor
Biography
Currently:
Principal Consultant @CrowdStrike
Previously:
§ Fortune 500 Energy
§ Fortune 100 Manufacturing
§ Fortune 10 Conglomerate
§ Dept. of Energy
§ Fortune 100 Telecommunications
Focused on Incident Response & Digital Forensics
State of Affairs
Sophistication vs Effectiveness
Sophisticated Actor vs Attack
Measurements of Sophistication
Adversaries of Infamy
Recommendations
STATE OF AFFAIRS
§ Breachapalooza continues
§ Struggles to implement common critical controls
§ Continued resource misallocation on buzzwords & knee jerks
§ Massive inequality between InfoSec haves and have-nots
§ Dwell time improving
§ Board awareness & engagement vastly increasing
§ Defending failures with “Sophisticated”
STATE OF AFFAIRS
§ You had me at “Sophisticated” Attack :-/
§ Password dump, guessing, reuse
§ Phishing
§ Fake login portal
§ Common tools, exploits (mimikatz, wiper, etc)
§ Ancient vulnerabilities (JBoss, Cold Fusion, MS08-067, Wordpress, etc)
§ Ransomware
Image Credit: reddit.com
SOPHISTICATION VS EFFECTIVENESS
§ Why does sophistication matter so much to the arm chair incident responder?
§ We know it matters to security vendors :)
§ Should it matter to the impacted org?
§ Tight correlation with chances for successful defense
§ “Commercially reasonable effort” scapegoat
§ Supports better resource allocation
Image Credit: imgur.com
SOPHISTICATED ACTOR VS ATTACK
Rule #1 - Sophisticated Actor != Sophisticated Attack
Sophisticated Actor = [Basic Attack … Sophisticated Attack]
Image credit: xkcd.com
SOPHISTICATED ACTOR VS ATTACK
Rule #2 - Sophisticated Actor != Zero Days
Sophisticated Actor = [Code Reuse, Custom Malware, Custom Tools, Zero Days, Etc]
On APT - “We personally do not believe in the advanced part of the acronym, unless the threats involve specific zero-day exploits”
ORLY?
MEASUREMENTS OF THREAT ACTOR SOPHISTICATION
§ Attack Precision
§ Cross-platform Capabilities
§ Targeting
§ OPSEC
§ Resilience
§ Stealth
ACTORS - ATTACK PRECISION
Ability of Threat Actor to closely align their planned attacks with an organization's given vulnerabilities, including overall efficiency
§ WEAK(1) – Spray & pray, exploit kits, Apache exploits against IIS, etc
§ BASIC(4) – Brute force, observable mistakes such as CLI typos, accidental AV & IDS detection
§ STRONG(7) – Skillful targeting of people, authentication & directory services
§ FIERCE(10) – Demonstrated mastery of unique business process, timing, and/or closed technologies
ACTORS - CROSS PLATFORM CAPABILITIES
Ability of Threat Actor to operate in a full spectrum of diverse technologies
§ WEAK(1) – PHP websites, cracked MS Windows
§ BASIC(4) – MS Windows client & servers, web servers
§ STRONG(7) – OSX, Linux, Unix, Android, IoT(?)
§ FIERCE(10) – Embedded computing, firmware, telecommunications & network gear, and other closed systems
ACTORS - TARGETING
Ability of Threat Actor to successfully compromise well-defended “hard” targets, as compared to “soft” targets
§ WEAK(1) – Grandma, individual credit cards & banking, software licenses
§ BASIC(4) – Corporate brands, political causes, corporate wire fraud
§ STRONG(7) – Data theft, destruction or modification with grave damage to organization or national security implication
§ FIERCE(10) – Critical systems or processes (kinetic damage, financial catastrophe)
ACTORS - OPSEC
Ability of Threat Actor to avoid providing their adversaries with any useful information about them
§ WEAK(1) – Bragging that you did it, claiming responsibility
§ BASIC(4) – Observable tool marks, traceable personas
§ STRONG(7) – Breadcrumbs, diversified tools & infrastructure
§ FIERCE(10) – Frame someone else, clandestine, covert
ACTORS - RESILIENCE
Ability of a Threat Actor to maintain access in an organization’s environment
§ WEAK(1) – AV solves your problem
§ BASIC(4) – Indicator blocks, reimages, and password changes solve your problem
§ STRONG(7) – Complex remediation, requiring 3rd party assistance
§ FIERCE(10) – Source code compromise, Supply chain compromise, Human implant
ACTORS - STEALTH
Ability of Threat Actor to avoid detection
§ WEAK(1) – Mass scanning, large phishing campaigns
§ BASIC(4) – “Smash & grab” aka immediate action on objectives
§ STRONG(7) – Less than 1 year average dwell time
§ FIERCE(10) – Greater than 1 year average dwell time with continued activity
ADVERSARIES OF INFAMY
Anonymous - 18
(2006 to Present, 2010 Operation Payback, 2011 HBGary)
§ Attack Precision (4)
§ Cross Platform Capability (4)
§ Targeting (4)
§ OPSEC (4)
§ Resilience (1)
§ Stealth (1)
Image Credit: ArsTechnica
ADVERSARIES OF INFAMY
Carbanak/Carbon Spider - 35
(2013 to Present, Swift attacks, Hotel chains, Retail, etc)
§ Attack Precision (10)
§ Cross Platform Capability (7)
§ Targeting (4^)
§ OPSEC (4)
§ Resilience (4)
§ Stealth (4)
Image Credit: Buzzfeed
ADVERSARIES OF INFAMY
Silent Chollima/DarkSeoul - 36
(2009 to Present, South Korea, Sony, etc)
§ Attack Precision (7)
§ Cross Platform Capability (4)
§ Targeting (7)
§ OPSEC (4)
§ Resilience (7)
§ Stealth (7)
Image Credit: KnowYourMeme
ADVERSARIES OF INFAMY
Axiom/Aurora Panda/APT17 - 51
(2009 to Present, Google, Adobe, Bit9, etc)
§ Attack Precision (10)
§ Cross Platform Capability (7)
§ Targeting (10)
§ OPSEC (7)
§ Resilience (7)
§ Stealth (10)
Image Credit: people-you-knew.tumblr.com
ADVERSARIES OF INFAMY
Equation Group - 60
(1996 to Present, Stuxnet, Flame, Grayfish)
§ Attack Precision (10)
§ Cross Platform Capability (10)
§ Targeting (10)
§ OPSEC (10)
§ Resilience (10)
§ Stealth (10)
Image Credit: Kaspersky
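The ACTOR model's six dimensions (slides 10 to 16) and the five "Adversaries of Infamy" profiles above, implemented as a small scoring script so the model can be applied to an organization's own adversary data. This is an added example, not code from the talk or from CrowdStrike; the names ActorProfile, rank and compare are this example's own, and the ratings are copied from the slides. One observation the code makes visible: the listed components for Carbanak/Carbon Spider sum to 33 while the slide gives a total of 35 (its Targeting entry is marked "4^"); the code reports the sum of the listed ratings and does not guess at the modifier.

```python
"""Scoring adversaries with the deck's ACTOR model (added example).

Each of the six dimensions is rated WEAK(1), BASIC(4), STRONG(7) or
FIERCE(10) exactly as on the dimension slides; an actor's score is the
plain sum of the six ratings, so totals run from 6 to 60.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Rating bands used on every dimension slide.
LEVELS = {1: "WEAK", 4: "BASIC", 7: "STRONG", 10: "FIERCE"}

# The six dimensions, in slide order.
DIMENSIONS = (
    "attack_precision",
    "cross_platform",
    "targeting",
    "opsec",
    "resilience",
    "stealth",
)

MIN_SCORE = len(DIMENSIONS) * min(LEVELS)  # 6
MAX_SCORE = len(DIMENSIONS) * max(LEVELS)  # 60


@dataclass
class ActorProfile:
    name: str
    ratings: Dict[str, int]

    def __post_init__(self) -> None:
        # Reject profiles that skip a dimension, add one the model lacks,
        # or use a rating outside the four bands.
        missing = [d for d in DIMENSIONS if d not in self.ratings]
        unknown = [d for d in self.ratings if d not in DIMENSIONS]
        if missing or unknown:
            raise ValueError(f"{self.name}: missing={missing} unknown={unknown}")
        bad = {d: v for d, v in self.ratings.items() if v not in LEVELS}
        if bad:
            raise ValueError(f"{self.name}: ratings outside 1/4/7/10: {bad}")

    def score(self) -> int:
        """Total sophistication score: the sum of the six ratings."""
        return sum(self.ratings[d] for d in DIMENSIONS)

    def band(self, dimension: str) -> str:
        """Band name (WEAK/BASIC/STRONG/FIERCE) for one dimension."""
        return LEVELS[self.ratings[dimension]]

    def weakest(self) -> List[str]:
        """Dimensions at the actor's lowest rating, i.e. where defenders
        have the most leverage (e.g. an actor with WEAK stealth is one
        that detection engineering should catch early)."""
        low = min(self.ratings.values())
        return [d for d in DIMENSIONS if self.ratings[d] == low]


def rank(profiles: List[ActorProfile]) -> List[Tuple[str, int]]:
    """Actors ordered by total score, most sophisticated first."""
    return sorted(((p.name, p.score()) for p in profiles), key=lambda t: -t[1])


def compare(a: ActorProfile, b: ActorProfile) -> Dict[str, int]:
    """Per-dimension difference a - b; positive means a rates higher.
    Useful for checking how the actor behind a fresh incident lines up
    against a known profile, dimension by dimension."""
    return {d: a.ratings[d] - b.ratings[d] for d in DIMENSIONS}


def _profile(name: str, *values: int) -> ActorProfile:
    return ActorProfile(name, dict(zip(DIMENSIONS, values)))


# Ratings copied from the "Adversaries of Infamy" slides, in slide order
# (attack precision, cross platform, targeting, OPSEC, resilience, stealth).
ANONYMOUS = _profile("Anonymous", 4, 4, 4, 4, 1, 1)
# The slide totals Carbanak at 35 and marks Targeting "4^"; the listed
# components sum to 33, which is what this code reports.
CARBANAK = _profile("Carbanak/Carbon Spider", 10, 7, 4, 4, 4, 4)
SILENT_CHOLLIMA = _profile("Silent Chollima/DarkSeoul", 7, 4, 7, 4, 7, 7)
AXIOM = _profile("Axiom/Aurora Panda/APT17", 10, 7, 10, 7, 7, 10)
EQUATION_GROUP = _profile("Equation Group", 10, 10, 10, 10, 10, 10)

DECK_PROFILES = [ANONYMOUS, CARBANAK, SILENT_CHOLLIMA, AXIOM, EQUATION_GROUP]


if __name__ == "__main__":
    for name, score in rank(DECK_PROFILES):
        print(f"{name:28s} {score:3d} / {MAX_SCORE}")
    print("Anonymous weakest dimensions:", ANONYMOUS.weakest())
    print("Axiom vs Silent Chollima:", compare(AXIOM, SILENT_CHOLLIMA))
```

The validation in `__post_init__` is deliberate: the model only has four bands per dimension, so a profile built from incident data with an in-between value is a sign the analyst has not yet decided which band the evidence supports, and it is better to fail loudly than to sum it silently.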
RECOMMENDATIONS
§ Before calling out an organization
§ Could you detect it? Prevent it?
Image Credit: quickmeme.com
RECOMMENDATIONS
Become a better defender and threat intelligence consumer
1. Collect & analyze all indicators, TTPs, and associated context around your own incidents using the Kill Chain model
2. Complete your own organizational threat profile
3. Collect & analyze available data around threat actors targeting your organization using the ACTOR model
4. Proactively provide messaging around high visibility threats & risks
5. Align organizational priority around your biggest threats (e.g. new controls, threat hunting, M&A, people, etc)