9/25/2018
Richard Cascarino CISM, CIA, ACFE, CRMA
Cybersecurity Series – Advanced Persistent Threats
About Jim Kaplan, CIA, CFE
• President and Founder of AuditNet®,
the global resource for auditors
(available on iOS, Android and
Windows devices)
• Auditor, Web Site Guru,
• Internet for Auditors Pioneer
• IIA Bradford Cadmus Memorial Award
Recipient
• Local Government Auditor’s Lifetime
Award
• Author of “The Auditor’s Guide to
Internet Resources” 2nd Edition
ABOUT RICHARD CASCARINO,
MBA, CIA, CISM, CFE, CRMA
• Principal of Richard Cascarino &
Associates based in Colorado USA
• Over 28 years experience in IT audit
training and consultancy
• Past President of the Institute of
Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified
Fraud Examiners
• Author of Data Analytics for Internal
Auditors
ABOUT AUDITNET® LLC
• AuditNet®, the global resource for auditors, serves the global audit
community as the primary resource for Web-based auditing content. As the first online
audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the
use of audit technology.
• Available on the Web, iPad, iPhone, Windows and Android devices and
features:
• Over 2,900 Reusable Templates, Audit Programs, Questionnaires, and
Control Matrices
• Webinars focusing on fraud, data analytics, IT audit, and internal audit
with free CPE for subscribers and site license users.
• Audit guides, manuals, and books on audit basics and using audit
technology
• LinkedIn Networking Groups
• Monthly Newsletters with Expert Guest Columnists
• Surveys on timely topics for internal auditors
Introductions
The views expressed by the presenters do not necessarily represent the views,
positions, or opinions of AuditNet® LLC. These materials, and the oral presentation
accompanying them, are for educational purposes only and do not constitute
accounting or legal advice or create an accountant-client relationship.
While AuditNet® makes every effort to ensure information is accurate and complete,
AuditNet® makes no representations, guarantees, or warranties as to the accuracy or
completeness of the information provided via this presentation. AuditNet® specifically
disclaims all liability for any claims or damages that may result from the information
contained in this presentation, including any websites maintained by third parties and
linked to the AuditNet® website.
Any mention of commercial products is for information only; it does not imply
recommendation or endorsement by AuditNet® LLC
AGENDA
• Advanced Persistent Threats – the shifting paradigm to
targeted attacks
• Understanding Advanced Persistent threats
• Overview of popular types of APTs
• Impact of APTs on sensitive data as well as organization
reputation
• Characteristics and Attack sequence of APT attacks and the
challenges in detecting APTs
• Assessing, Managing and Auditing APT Risks
• Data loss and Cyber intrusions
WHAT IS IT?
Defined as a group of sophisticated, determined
and coordinated attackers that have been
systematically compromising U.S. Government
and Commercial networks for years. The vast
majority of APT activity observed by Mandiant has
been linked to China.
APT is a term coined by the U.S. Air Force in
2006
© 2013 ISACA. All rights reserved
IN Q4 OF 2012, ISACA LAUNCHED THE
APT AWARENESS SURVEY
TO FIND OUT.
• How well do security professionals understand
APTs?
• How are they affecting different industries and
organizations throughout the world?
• What is being done to prevent them?
RESULTS
• Just 46.6% of respondents believed that APTs
were a unique threat.
• And more than half (53.4%) believe this advanced
set of threats is no different to what they’ve been
dealing with in the past.
ORGANIZATIONAL RESPONSE
• Most respondents are using technology in a risk based
layered approach to prevent and combat APTs
94.9% Anti-Virus / Anti-Malware
92.8% Network Tech (Firewalls, etc.)
71.2% IPS
• Advanced
• – Attacker adapts to defenders’ efforts
• – Can develop or buy Zero-Day exploits
The Zeroday Emergency Response Team (ZERT) was a group of software
engineers who worked to release non-vendor patches for zero-day
exploits.
• – Higher level of sophistication
• Persistent
• – Attacks are objective and specific
• – Will continue until goal is reached
• – Intent to maintain long term connectivity
• Threats
• – Entity/s behind the attack
• – Not the malware/exploit/attack alone
ADVANCED PERSISTENT
THREATS
WALKTHROUGH OF A PUBLICLY
REPORTED APT
• The Wall Street Journal reported on an intrusion into the Chamber
of Commerce that serves as a good example.
Image from online.wsj.com
• Key contributors to popularity of
APTs
Nation States
Organized crime groups
Hacktivist Groups
APT DEFINED
APT’S OBJECTIVES
• Political
• Includes suppression of their own population for
stability
• Economic
• Theft of IP, to gain competitive advantage
• Technical
• Obtain source code for further exploit development
• Military
• Identifying weaknesses that allow inferior military
forces to defeat superior military forces
TYPES OF ATTACK
• – Not applicable to Military / Defense alone
• – Organized Crime & ‘Hacktivist’ groups
• – Looking for Intellectual Property – M&A,
Trade Secrets, Engineering Designs, Application
Code, Business Plans, etc.
• – Can Bypass Anti Virus & Anti Malware
software
• – Low and slow attacks
• – Can easily move across the network
APT LIFECYCLE
• External Recon
• Initial Intrusion
• Establish Backdoor
• Obtain User Credentials
• Install Utilities
• Expand
• Maintain Persistence
• Complete Mission
RECONNAISSANCE
• A victim’s contact information may be extracted from
a number of public website pages and subsequently used
in targeted social engineering messages.
INITIAL INTRUSION INTO THE
NETWORK
• The most common and successful method has been the
use of social engineering combined with email
• The spoofed email will contain an attachment or a link to
a zip file. The zip file will contain one of several different
intrusion techniques:
• A CHM (Compiled HTML Help) file containing
malware
• A Microsoft Office document exploit
• Some other client software exploit, like an Adobe
Reader exploit.
• The attackers typically operate late at night (U.S.
Time) between the hours of 10 p.m. and 4 a.m. These
times correlate to daytime in China
ESTABLISH A BACKDOOR INTO THE
NETWORK
• Attempt to obtain domain administrative credentials . . .
Transfer the credentials out of the network
• The attackers then established a stronger foothold in the
environment by moving laterally through the network and
installing multiple backdoors with different configurations.
• The malware is installed with system level privileges through
the use of process injection, registry modification or
scheduled services.
• Malware characteristics:
• Malware is continually updated
• Malware uses encryption and obfuscation techniques for
its network traffic
• The attackers’ malware uses built-in Microsoft libraries
• The attackers’ malware uses legitimate user credentials
so they can better blend in with typical user activity
• Malware does not listen for inbound connections
OBTAIN USER CREDENTIALS
• The attackers often target domain controllers to obtain user
accounts and corresponding password hashes en masse.
• The attackers also obtain local credentials from compromised
systems
• The APT intruders access approximately 40 systems on a victim
network using compromised credentials
• Mandiant (Consulting group from FireEye) has seen as few as 10
compromised systems to in excess of 150 compromised systems
INSTALL VARIOUS UTILITIES
• Program functionality includes:
• Installing backdoors
• Dumping passwords
• Obtaining email from servers
• List running processes
• Many other tasks
• More Malware Characteristics:
• Only 24% detected by security software
• Utilize spoofed SSL Certificates
• e.g. Microsoft, Yahoo
• Most NOT packed
• Common File names
• e.g. Svchost.exe, iexplore.exe
• Malware in sleep mode from a few weeks to a few months to up
to a year
• Target executives’ systems
• Use of a stub file to download malware into memory (Minimal
Forensic Footprint)
PRIVILEGE ESCALATION / LATERAL
MOVEMENT / DATA EXFILTRATION
• Once a secure foothold has been established:
• Exfiltrate data such as emails and attachments, or
files residing on user workstations or project file
servers
• The data is usually compressed and put into a
password protected RAR or Microsoft Cabinet File.
• They often use “Staging Servers” to aggregate the
data they intend to steal
• They then delete the compressed files they exfiltrated
from the “Staging Servers.”
MAINTAIN PERSISTENCE
• As the attackers detect remediation, they will attempt to
establish additional footholds and improve the
sophistication of their malware
PREPARATION AND
DETECTION
• Preparation
• Follow Industry Compliance Guidelines:
• Robust logging
• Servers and Workstations will be more secure
• User credentials will be harder to crack
• Security appliances will be strategically distributed
• Detection
“You have to be able to look for complex signs of
compromise; integrate host-based and network-based
information; and go far beyond simple anti-virus and
network intrusion detection. You need to look inside
packets, files, e-mail – and even live memory of
systems that are still running.” (www.mandiant.com)
WHAT CAN WE DO?
• Your Network MUST be
• Defensible
• Hostile
• Fertile
APT SECURITY
AUDITING FOR APT
• Know the boundaries of your network
• Where it begins and where it ends
• Know what should be in your network
• Segment your network and use DMZs
• Where there is a firewall, there should also
be an IDS and network monitoring
• Standardize your hardware and software
• Know where accounts authenticate
AUDITING – YOU WILL NEED TO
• Develop Overview of Enterprise
Infrastructure
• List of all DNS & DHCP servers
• List of all Internet points of presence
• List of all VPN concentrators
• Network diagram of core network
infrastructure
• Compile the rule set of core firewalls
• Ensure GPO(s) log failed and
successful log-on attempts
• Ensure all items logged centrally
• Centralize the Storage of Key
Logs
• Integrate key logs (firewall, VPN,
DHCP, DNS, etc) into a SIEM
• At a minimum store key logs in a
central location
• Implement Robust Logging
• Ensure both Success and Failure
audits are being logged on all
systems
• Increase the amount of storage for
logs so they are not overwritten
• AV and IDS to centralized logging
utility
• Firewall traffic logs to centralized
utility (Packet Contents not required)
• Web Proxy (date/time, hostname, IP
address pairing, URL browsed info)
• VPN Concentrators (hostname and
IP address pairing, date/time)
• DHCP (hostname and IP address
pairing, date/time)
• DNS (queried domain name and
system performing the query)
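Why the slide asks for success/failure logon audits and for DHCP hostname and IP pairings with date/time, shown as an added example (not part of the original deck): it flags accounts with successful logons to several distinct hosts inside the 10 p.m. to 4 a.m. window mentioned earlier, and resolves each source IP to the hostname that held the lease at that moment. The log layouts, hostnames, account names and the `min_hosts` threshold are constructed assumptions.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, time

# Off-hours window from the deck (10 p.m. to 4 a.m.); local log time is assumed.
OFF_HOURS_START = time(22, 0)
OFF_HOURS_END = time(4, 0)

# Constructed DHCP lease log: (lease start, IP address, hostname).
DHCP_LEASES = [
    ("2018-09-24 08:02:11", "10.1.5.23", "WS-FIN-014"),
    ("2018-09-24 21:40:03", "10.1.5.23", "WS-HR-007"),
    ("2018-09-24 09:15:40", "10.1.5.77", "WS-ENG-031"),
]

# Constructed logon audit log: (timestamp, account, source IP, target, result).
LOGON_EVENTS = [
    ("2018-09-24 10:00:00", "jsmith", "10.1.5.23", "FS01", "Success"),
    ("2018-09-24 22:30:00", "adavis", "10.1.5.77", "FS01", "Success"),
    ("2018-09-24 23:05:00", "svc_backup", "10.1.5.23", "DC01", "Failure"),
    ("2018-09-24 23:10:00", "svc_backup", "10.1.5.23", "FS01", "Success"),
    ("2018-09-24 23:25:00", "svc_backup", "10.1.5.23", "FS02", "Success"),
    ("2018-09-25 01:05:00", "svc_backup", "10.1.5.23", "DC01", "Success"),
    ("2018-09-25 02:30:00", "svc_backup", "10.1.5.23", "MAIL01", "Success"),
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def in_off_hours(ts):
    """True when ts falls in the window, which wraps past midnight."""
    t = ts.time()
    return t >= OFF_HOURS_START or t < OFF_HOURS_END


def build_lease_index(leases):
    """Map each IP to parallel, time-sorted lists of lease starts and hostnames."""
    by_ip = defaultdict(list)
    for start, ip, hostname in leases:
        by_ip[ip].append((parse_ts(start), hostname))
    index = {}
    for ip, rows in by_ip.items():
        rows.sort()
        index[ip] = ([r[0] for r in rows], [r[1] for r in rows])
    return index


def hostname_at(index, ip, ts):
    """Hostname holding `ip` at `ts`: the latest lease that started at or before ts."""
    if ip not in index:
        return None
    starts, names = index[ip]
    pos = bisect_right(starts, ts) - 1
    return names[pos] if pos >= 0 else None


def off_hours_fanout(events, leases, min_hosts=3):
    """Accounts with successful off-hours logons to at least min_hosts targets."""
    index = build_lease_index(leases)
    targets = defaultdict(set)
    sources = defaultdict(set)
    for stamp, account, src_ip, target, result in events:
        ts = parse_ts(stamp)
        if result != "Success" or not in_off_hours(ts):
            continue
        targets[account].add(target)
        # Without the DHCP log the source stays a bare, reusable IP address.
        sources[account].add(hostname_at(index, src_ip, ts) or "unresolved:" + src_ip)
    return {
        account: {"targets": sorted(hosts), "sources": sorted(sources[account])}
        for account, hosts in sorted(targets.items())
        if len(hosts) >= min_hosts
    }


if __name__ == "__main__":
    for account, detail in off_hours_fanout(LOGON_EVENTS, DHCP_LEASES).items():
        print(account, detail["sources"], "->", detail["targets"])
```

In the constructed data the same IP address belongs to two different workstations on the same day, so the off-hours logons can only be attributed to the right machine because the lease timestamps were kept.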
MITIGATIONS
• Change passwords multiple times per day
• Fast track two factor authentication
• Compartmentalized passwords
• Separate user and admin credentials
• Minimize lateral trust
• Scan entire domain for scheduled tasks
• Rebuild Domain Controllers
EMPLOYEE AWARENESS
TRAINING
Employees found to be susceptible can
immediately be redirected to
• Internal corporate training websites
• PhishMe.com
• Web-based platform that facilitates the execution of
mock phishing exercises and user awareness training
• PhishMe’s built-in educational message
• PhishMe’s educational comic strip
PHISHING STILL WORKS
Effectively and
securely
communicating
a password
change is hard
CYBERSECURITY AUDIT
PROCESS
Set Targets
• Establish Core Group (key staff and Managers)
• F2F Session with Core Group to identify threats and components (2x4 hour sessions/6 managers
/staff)
• Risk Rank threats and components
• Validate Targets with Decision Makers (CISO & Staff)
Assess
Current State
• Identify Key Controls
• Assess adequacy
Analyze Results
• Aggregate key controls and assess overall cyber control effectiveness
• Drill down on identified gaps >1 to identify key security performance issues
Communicate
Results
• Review findings & recommendations with CISO & Staff
• Inform impacted Managers to ensure prioritization feed into budget and planning cycles
• Brief Senior Management on findings and resulting recommendations
CUBE STARTING POINT
LAYER BY LAYER
Steps in the Cube Approach
• 1 Identify the components and threats in a given audit unit
• 2 Rank the components and threats
• 3 Create the control matrix identifying the high-risk
quartile and the low-risk quartile
• 4 Identify controls known / believed to be in place
• 5 Evaluate the effectiveness and cost/benefits of the
systems of internal control
• 6 Make recommendations where controls are deemed to
be inadequate
• 7 Test key controls to ensure their effectiveness
• 8 Re-evaluate based on known control
effectiveness and make recommendations
where appropriate
CUSTOMER-FACING KEY CONTROLS
Risks (columns): compliance, integrity, availability, confidentiality, fraud, performance
Elements (rows), with the control numbers as extracted from the slide:
external coms: 1 3 11 14 16 20 21 60 1 9 10 1112 14 16 18 21 62 1 6 7 16 25 33 60 1 3 10 11 1416 2162 1 7 10 11 12 16 60 1 3 6 12 16 20 25
people: 3 8 9 14 16 60 3 9 16 60 16 21 8 1 3 16 21 1 3 8 16 20
data: 11 60 8 11 19 20 2123 6062 6 20 25 33 8 9 11 16 1819 65 8 9 11 18 19 21
software: 3 7 8 9 12 16 17 60 3 7 89 16 18 19 21 22 60 14 16 18 3 11 12 16 3 1921 3 8 9 12 14 16 20
hardware: 3 9 10 12 65 1 3 79 10 1 2 3 4 6 16 21 1 3 7 1 3 7 11 3 8 9 12 14 16 20
CONTROL LIST
2015 Controls I Series
i-Series
N/wrk Servers Network Workstation Customer
Critical in 4 or more areas
1. Physical Access
2. Climate controls
3. Acquisition standards
4. UPS
5. Secureworks
6. Backups
7. Change management
8. Knowledge
9. Standards and best
practices
10. Technical Controls
11. Encryption
12. Vendor Support
13. Warranty
14. Monitoring
15. Bonding
16. Contracts
17. Documentation
18. Software Controls
19. Malware / Antivirus
20. Active user base
21. Logical access
MAPPING KEY CONTROLS
2015 Controls I Series i-Series N/wrk Servers Network Workstation Customer
Critical in 4 or more areas
1. Physical Access
2. Climate controls
3. Acquisition standards
4. UPS
5. Secureworks
6. Backups
7. Change management
8. Knowledge
9. Standards and best practices
10. Technical Controls
11. Encryption
12. Vendor Support
13. Warranty
14. Monitoring
15. Bonding
16. Contracts
17. Documentation
18. Software Controls
19. Malware/ Antivirus
20. Active user base
21. Logical access
OVERALL APPROACH
CONTINUOUS ANALYSIS
APT STRATEGY
1. Monitor network traffic and hosts for suspicious activity.
2. Find infected hosts, servers, routers … etc.
3. Conduct forensics, intrusion and malware analysis.
4. Develop mitigation strategy using what you learned.
5. Deploy network detection signatures to IDS/IPS and scan devices and hosts across the Enterprise.
IMPLEMENT AND EXECUTE NETWORK SECURITY AUDITING
APT STRATEGY
1. Develop and satisfy Org. specific security policies.
2. Track all users and administrator activity.
3. Identify security holes in your existing policy and unauthorized accesses.
4. Determine causes of attempted access violations.
5. Proactively investigate and prevent all security violations.
“If ignorant both of your enemy and
yourself, you are certain to be in
peril.”
― Sun Tzu, The Art of War
HANDS UP ALL THE
HACKERS
QUESTIONS?
Any Questions?
Don’t be Shy!
AUDITNET® AND CRISK
ACADEMY
• If you would like forever
access to this webinar
recording
• If you are watching the
recording, and would like
to obtain CPE credit for
this webinar
• Previous AuditNet®
webinars are also
available on-demand for
CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code: 50OFF for a
discount on this webinar for one week
THANK YOU! Jim Kaplan
AuditNet® LLC
1-800-385-1625
Email:info@auditnet.org
www.auditnet.org
Richard Cascarino & Associates
Cell: +1 970 819 7963
Tel +1 303 747 6087 (Skype Worldwide)
eMail: rcasc@rcascarino.com
Web: http://www.rcascarino.com
Skype: Richard.Cascarino

How to get auditors performing basic analytics using excel
 
Tracking down outliers
Tracking down outliersTracking down outliers
Tracking down outliers
 
Implementing and Auditing General Data Protection Regulation
Implementing and Auditing General Data Protection RegulationImplementing and Auditing General Data Protection Regulation
Implementing and Auditing General Data Protection Regulation
 
When is a Duplicate not a Duplicate? Detecting Errors and Fraud
When is a Duplicate not a Duplicate? Detecting Errors and FraudWhen is a Duplicate not a Duplicate? Detecting Errors and Fraud
When is a Duplicate not a Duplicate? Detecting Errors and Fraud
 
General Data Protection Regulation Webinar 6
General Data Protection Regulation Webinar 6 General Data Protection Regulation Webinar 6
General Data Protection Regulation Webinar 6
 
Focused agile audit planning using analytics
Focused agile audit planning using analyticsFocused agile audit planning using analytics
Focused agile audit planning using analytics
 
General Data Protection Regulation for Auditors 5 of 10
General Data Protection Regulation for Auditors 5 of 10General Data Protection Regulation for Auditors 5 of 10
General Data Protection Regulation for Auditors 5 of 10
 
Ethics and the Internal Auditor
Ethics and the Internal AuditorEthics and the Internal Auditor
Ethics and the Internal Auditor
 
How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of sampling How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of sampling
 
How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of samplingHow analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of sampling
 
GDPR Series Session 4
GDPR Series Session 4GDPR Series Session 4
GDPR Series Session 4
 
Implementing and Auditing GDPR Series (3 of 10)
Implementing and Auditing GDPR Series (3 of 10) Implementing and Auditing GDPR Series (3 of 10)
Implementing and Auditing GDPR Series (3 of 10)
 
Ethics for internal auditors
Ethics for internal auditorsEthics for internal auditors
Ethics for internal auditors
 
Implementing and Auditing GDPR Series (2 of 10)
Implementing and Auditing GDPR Series (2 of 10) Implementing and Auditing GDPR Series (2 of 10)
Implementing and Auditing GDPR Series (2 of 10)
 

Kürzlich hochgeladen

Call Girls In Majnu Ka Tilla 959961~3876 Shot 2000 Night 8000
Call Girls In Majnu Ka Tilla 959961~3876 Shot 2000 Night 8000Call Girls In Majnu Ka Tilla 959961~3876 Shot 2000 Night 8000
Call Girls In Majnu Ka Tilla 959961~3876 Shot 2000 Night 8000dlhescort
 
Uneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration PresentationUneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration Presentationuneakwhite
 
Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1kcpayne
 
Falcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business GrowthFalcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business GrowthFalcon investment
 
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...lizamodels9
 
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...Sheetaleventcompany
 
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort ServiceEluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort ServiceDamini Dixit
 
Falcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investorsFalcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investorsFalcon Invoice Discounting
 
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60%  in 6 MonthsSEO Case Study: How I Increased SEO Traffic & Ranking by 50-60%  in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 MonthsIndeedSEO
 
Business Model Canvas (BMC)- A new venture concept
Business Model Canvas (BMC)-  A new venture conceptBusiness Model Canvas (BMC)-  A new venture concept
Business Model Canvas (BMC)- A new venture conceptP&CO
 
Organizational Transformation Lead with Culture
Organizational Transformation Lead with CultureOrganizational Transformation Lead with Culture
Organizational Transformation Lead with CultureSeta Wicaksana
 
JAYNAGAR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
JAYNAGAR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLJAYNAGAR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
JAYNAGAR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLkapoorjyoti4444
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityEric T. Tung
 
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876dlhescort
 
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...Aggregage
 
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756dollysharma2066
 
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...daisycvs
 
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...Anamikakaur10
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableSeo
 

Kürzlich hochgeladen (20)

Call Girls In Majnu Ka Tilla 959961~3876 Shot 2000 Night 8000
Call Girls In Majnu Ka Tilla 959961~3876 Shot 2000 Night 8000Call Girls In Majnu Ka Tilla 959961~3876 Shot 2000 Night 8000
Call Girls In Majnu Ka Tilla 959961~3876 Shot 2000 Night 8000
 
Uneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration PresentationUneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration Presentation
 
Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1
 
Falcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business GrowthFalcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business Growth
 
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
 
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
 
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort ServiceEluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
 
Falcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investorsFalcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investors
 
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60%  in 6 MonthsSEO Case Study: How I Increased SEO Traffic & Ranking by 50-60%  in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
 
Business Model Canvas (BMC)- A new venture concept
Business Model Canvas (BMC)-  A new venture conceptBusiness Model Canvas (BMC)-  A new venture concept
Business Model Canvas (BMC)- A new venture concept
 
Organizational Transformation Lead with Culture
Organizational Transformation Lead with CultureOrganizational Transformation Lead with Culture
Organizational Transformation Lead with Culture
 
JAYNAGAR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
JAYNAGAR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLJAYNAGAR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
JAYNAGAR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League City
 
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
 
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
 
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
 
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabiunwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
 
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
 
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 

Cyber security series advanced persistent threats

  • 1. 9/25/2018
    Richard Cascarino CISM, CIA, ACFE, CRMA
    Cybersecurity Series – Advanced Persistent Threats

    About Jim Kaplan, CIA, CFE
    • President and Founder of AuditNet®, the global resource for auditors (available on iOS, Android and Windows devices)
    • Auditor, Web Site Guru
    • Internet for Auditors Pioneer
    • IIA Bradford Cadmus Memorial Award Recipient
    • Local Government Auditor’s Lifetime Award
    • Author of “The Auditor’s Guide to Internet Resources” 2nd Edition
  • 2. ABOUT RICHARD CASCARINO, MBA, CIA, CISM, CFE, CRMA
    • Principal of Richard Cascarino & Associates based in Colorado USA
    • Over 28 years experience in IT audit training and consultancy
    • Past President of the Institute of Internal Auditors in South Africa
    • Member of ISACA
    • Member of Association of Certified Fraud Examiners
    • Author of Data Analytics for Internal Auditors

    ABOUT AUDITNET® LLC
    • AuditNet®, the global resource for auditors, serves the global audit community as the primary resource for Web-based auditing content. As the first online audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the use of audit technology.
    • Available on the Web, iPad, iPhone, Windows and Android devices and features:
      • Over 2,900 Reusable Templates, Audit Programs, Questionnaires, and Control Matrices
      • Webinars focusing on fraud, data analytics, IT audit, and internal audit with free CPE for subscribers and site license users.
      • Audit guides, manuals, and books on audit basics and using audit technology
      • LinkedIn Networking Groups
      • Monthly Newsletters with Expert Guest Columnists
      • Surveys on timely topics for internal auditors

    Introductions
  • 3. The views expressed by the presenters do not necessarily represent the views, positions, or opinions of AuditNet® LLC. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client relationship.
    While AuditNet® makes every effort to ensure information is accurate and complete, AuditNet® makes no representations, guarantees, or warranties as to the accuracy or completeness of the information provided via this presentation. AuditNet® specifically disclaims all liability for any claims or damages that may result from the information contained in this presentation, including any websites maintained by third parties and linked to the AuditNet® website.
    Any mention of commercial products is for information only; it does not imply recommendation or endorsement by AuditNet® LLC.

    AGENDA
    • Advanced Persistent Threats – the shifting paradigm to targeted attacks
    • Understanding Advanced Persistent threats
    • Overview of popular types of APTs
    • Impact of APTs on sensitive data as well as organization reputation
    • Characteristics and Attack sequence of APT attacks and the challenges in detecting APTs
    • Assessing, Managing and Auditing APT Risks
    • Data loss and Cyber intrusions
  • 4. WHAT IS IT?
    Defined as a group of sophisticated, determined and coordinated attackers that have been systematically compromising U.S. Government and Commercial networks for years.
    The vast majority of APT activity observed by Mandiant has been linked to China.
    APT is a term coined by the U.S. Air Force in 2006.

    IN Q4 OF 2012, ISACA LAUNCHED THE APT AWARENESS SURVEY TO FIND OUT.
    (© 2013 ISACA. All rights reserved)
    • How well do security professionals understand APTs?
    • How are they affecting different industries and organizations throughout the world?
    • What is being done to prevent them?
  • 5. RESULTS
    • Just 46.6% of respondents believed that APTs were a unique threat.
    • And more than half (53.4%) believe this advanced set of threats is no different to what they’ve been dealing with in the past.

    ORGANIZATIONAL RESPONSE
    • Most respondents are using technology in a risk based layered approach to prevent and combat APTs
      • 94.9% Anti-Virus / Anti-Malware
      • 92.8% Network Tech (Firewalls, etc.)
      • 71.2% IPS
  • 6. ADVANCED PERSISTENT THREATS
    • Advanced
      – Attacker adapts to defenders’ efforts
      – Can develop or buy Zero-Day exploits
        The Zeroday Emergency Response Team (ZERT) was a group of software engineers who worked to release non-vendor patches for zero-day exploits.
      – Higher level of sophistication
    • Persistent
      – Attacks are objective and specific
      – Will continue until goal is reached
      – Intent to maintain long term connectivity
    • Threats
      – Entity/s behind the attack
      – Not the malware/exploit/attack alone

    WALKTHROUGH OF A PUBLICLY REPORTED APT
    • The Wall Street Journal reported on an intrusion into the Chamber of Commerce that serves as a good example.
    (Image from online.wsj.com)
  • 7. APT DEFINED
    • Key contributors to popularity of APTs
      • Nation States
      • Organized crime groups
      • Hacktivist Groups

    APT’S OBJECTIVES
    • Political
      • Includes suppression of their own population for stability
    • Economic
      • Theft of IP, to gain competitive advantage
    • Technical
      • Obtain source code for further exploit development
    • Military
      • Identifying weaknesses that allow inferior military forces to defeat superior military forces
  • 8. TYPES OF ATTACK
    – Not applicable to Military / Defense alone
    – Organized Crime & ‘Hacktivist’ groups
    – Looking for Intellectual Property – M&A, Trade Secrets, Engineering Designs, Application Code, Business Plans, etc.
    – Can Bypass Anti Virus & Anti Malware software
    – Low and slow attacks
    – Can easily move across the network

    APT LIFECYCLE
    (Diagram stages: External Recon, Initial Intrusion, Establish Backdoor, Obtain User Credentials, Install Utilities, Expand, Maintain Persistence, Complete Mission)
  • 9. RECONNAISSANCE
    • In a number of public website pages a victim’s contact information may be extracted and subsequently used in targeted social engineering messages.

    INITIAL INTRUSION INTO THE NETWORK
    • The most common and successful method has been the use of social engineering combined with email
    • The spoofed email will contain an attachment or a link to a zip file. The zip file will contain one of several different intrusion techniques:
      • A CHM (Compiled HTML Help) file containing malware
      • A Microsoft Office document exploit
      • Some other client software exploit, like an Adobe Reader exploit.
    • The attackers typically operate late in the night (U.S. Time) between the hours of 10 p.m. and 4 a.m. These times correlate to daytime in China
  • 10. ESTABLISH A BACKDOOR INTO THE NETWORK
    • Attempt to obtain domain administrative credentials . . . Transfer the credentials out of the network
    • The attackers then established a stronger foothold in the environment by moving laterally through the network and installing multiple backdoors with different configurations.
    • The malware is installed with system level privileges through the use of process injection, registry modification or scheduled services.
    • Malware characteristics:
      • Malware is continually updated
      • Malware uses encryption and obfuscation techniques of its network traffic
      • The attackers’ malware uses built-in Microsoft libraries
      • The attackers’ malware uses legitimate user credentials so they can better blend in with typical user activity
      • Do not listen for inbound connections

    OBTAIN USER CREDENTIALS
    • The attackers often target domain controllers to obtain user accounts and corresponding password hashes en masse.
    • The attackers also obtain local credentials from compromised systems
    • The APT intruders access approximately 40 systems on a victim network using compromised credentials
    • Mandiant (Consulting group from FireEye) has seen as few as 10 compromised systems to in excess of 150 compromised systems
  • 11. INSTALL VARIOUS UTILITIES
    • Programs functionality includes:
      • Installing backdoors
      • Dumping passwords
      • Obtaining email from servers
      • List running processes
      • Many other tasks
    • More Malware Characteristics:
      • Only 24% detected by security software
      • Utilize spoofed SSL Certificates
        • i.e. Microsoft, Yahoo
      • Most NOT packed
      • Common File names
        • i.e. Svchost.exe, iexplore.exe
      • Malware in sleep mode from a few weeks to a few months to up to a year
      • Target executives’ systems
      • Use of a stub file to download malware into memory (Minimal Forensic Footprint)

    PRIVILEGE ESCALATION / LATERAL MOVEMENT / DATA EXFILTRATION
    • Once a secure foothold has been established:
      • Exfiltrate data such as emails and attachments, or files residing on user workstations or project file servers
      • The data is usually compressed and put into a password protected RAR or Microsoft Cabinet File.
      • They often use “Staging Servers” to aggregate the data they intend to steal
      • They then delete the compressed files they exfiltrated from the “Staging Servers.”
  • 12. MAINTAIN PERSISTENCE
    • As the attackers detect remediation, they will attempt to establish additional footholds and improve the sophistication of their malware

    PREPARATION AND DETECTION
    • Preparation
      • Follow Industry Compliance Guidelines:
        • Robust logging
        • Servers and Workstations will be more secure
        • User credentials will be harder to crack
        • Security appliances will be strategically distributed
    • Detection
      “You have to be able to look for complex signs of compromise; integrate host-based and network-based information; and go far beyond simple anti-virus and network intrusion detection. You need to look inside packets, files, e-mail – and even live memory of systems that are still running.” (www.mandiant.com)
  • 13. WHAT CAN WE DO?
    • Your Network MUST be
      • Defensible
      • Hostile
      • Fertile

    APT SECURITY
  • 14. AUDITING FOR APT
    • Know the boundaries of your network
    • Where it begins and where it ends
    • Know what should be in your network
    • Segment your network and use DMZs
    • Where there is a firewall, there should also be an IDS and network monitoring
    • Standardize your hardware and software
    • Know where accounts authenticate

    AUDITING – YOU WILL NEED TO
    • Develop Overview of Enterprise Infrastructure
    • List of all DNS & DHCP servers
    • List of all Internet points of presence
    • List of all VPN concentrators
    • Network diagram of core network infrastructure
    • Compile the rule set of core firewalls
    • Ensure GPO(s) log failed and successful log-on attempts
    • Ensure all items logged centrally
    • Centralize the Storage of Key Logs
    • Integrate key logs (firewall, VPN, DHCP, DNS, etc) into a SIEM
    • At a minimum store key logs in a central location
    • Implement Robust Logging
    • Ensure both Success and Failure audits are being logged on all systems
    • Increase the amount of storage for logs so they are not overwritten
    • AV and IDS to centralized logging utility
    • Firewall traffic logs to centralized utility (Packet Contents not required)
    • Web Proxy (date/time, hostname, IP address pairing, URL browsed info)
    • VPN Concentrators (hostname and IP address pairing, date/time)
    • DHCP (hostname and IP address pairing, date/time)
    • DNS (queried domain name and system performing the query)
  • 15. MITIGATIONS
    • Change passwords multiple times per day
    • Fast track two factor authentication
    • Compartmentalized passwords
    • Separate user and admin credentials
    • Minimize lateral trust
    • Scan entire domain for scheduled tasks
    • Rebuild Domain Controllers

    EMPLOYEE AWARENESS TRAINING
    Employees found to be susceptible can immediately be redirected to
    • Internal corporate training websites
    • PhishMe.com
      • Web-based platform that facilitates the execution of mock phishing exercises and user awareness training
      • PhishMe’s built-in educational message
      • PhishMe’s educational comic strip
  • 16. PHISHING STILL WORKS
    Effectively and securely communicating a password change is hard

    CYBERSECURITY AUDIT PROCESS
    Set Targets
    • Establish Core Group (key staff and Managers)
    • F2F Session with Core Group to identify threats and components (2x4 hour sessions / 6 managers / staff)
    • Risk Rank threats and components
    • Validate Targets with Decision Makers (CISO & Staff)
    Assess Current State
    • Identify Key Controls
    • Assess adequacy
    Analyze Results
    • Aggregate key controls and assess overall cyber control effectiveness
    • Drill down on identified gaps >1 to identify key security performance issues
    Communicate Results
    • Review findings & recommendations with CISO & Staff
    • Inform impacted Managers to ensure prioritization feed into budget and planning cycles
    • Brief Senior Management on findings and resulting recommendations
  • 18. Steps in the Cube Approach
    1. Identify the components and threats in a given audit unit
    2. Rank the components and threats
    3. Create the control matrix identifying the high-risk quartile and the low-risk quartile
    4. Identify controls known / believed to be in place
    5. Evaluate the effectiveness and cost/benefits of the systems of internal control
    6. Make recommendations where controls are deemed to be inadequate
    7. Test key controls to ensure their effectiveness
    8. Re-evaluate based on known control effectiveness and make recommendations where appropriate

    CUSTOMER-FACING KEY CONTROLS
    Risks (columns): compliance, integrity, availability, confidentiality, fraud, performance
    Elements (rows), with control numbers as extracted (column boundaries not preserved):
    • external coms: 1 3 11 14 16 20 21 60 1 9 10 1112 14 16 18 21 62 1 6 7 16 25 33 60 1 3 10 11 1416 2162 1 7 10 11 12 16 60 1 3 6 12 16 20 25
    • people: 3 8 9 14 16 60 3 9 16 60 16 21 8 1 3 16 21 1 3 8 16 20
    • data: 11 60 8 11 19 20 2123 6062 6 20 25 33 8 9 11 16 1819 65 8 9 11 18 19 21
    • software: 3 7 8 9 12 16 17 60 3 7 89 16 18 19 21 22 60 14 16 18 3 11 12 16 3 1921 3 8 9 12 14 16 20
    • hardware: 3 9 10 12 65 1 3 79 10 1 2 3 4 6 16 21 1 3 7 1 3 7 11 3 8 9 12 14 16 20
  • 19. CONTROL LIST
    Table headings as extracted: 2015 Controls I Series i-Series N/wrk Servers Network Workstation Customer Critical in 4 or more areas
    1. Physical Access
    2. Climate controls
    3. Acquisition standards
    4. UPS
    5. Secureworks
    6. Backups
    7. Change management
    8. Knowledge
    9. Standards and best practices
    10. Technical Controls
    11. Encryption
    12. Vendor Support
    13. Warranty
    14. Monitoring
    15. Bonding
    16. Contracts
    17. Documentation
    18. Software Controls
    19. Malware / Antivirus
    20. Active user base
    21. Logical access

    MAPPING KEY CONTROLS
    Same table headings and the same controls 1 to 21 as under CONTROL LIST.
  • 20. OVERALL APPROACH

    APT STRATEGY: CONTINUOUS ANALYSIS
    1. Monitor network traffic and hosts for suspicious activity.
    2. Find infected hosts, servers, routers …etc.
    3. Conduct forensics, intrusion and malware analysis.
    4. Develop mitigation strategy using what you learned.
    5. Deploy network detection signatures to IDS/IPS and scan devices and hosts across the Enterprise.
  • 21. APT STRATEGY: IMPLEMENT AND EXECUTE NETWORK SECURITY AUDITING
    1. Develop and satisfy Org. specific security policies.
    2. Track all users and administrator activity.
    3. Identify security holes in your existing policy and unauthorized accesses.
    4. Determine causes of attempted access violations.
    5. Proactively investigate and prevent all security violations.

    “If ignorant both of your enemy and yourself, you are certain to be in peril.” ― Sun Tzu, The Art of War
  • 22. HANDS UP ALL THE HACKERS

    QUESTIONS?
    • Any Questions? Don’t be Shy!
  • 23. AUDITNET® AND CRISK ACADEMY
    • If you would like forever access to this webinar recording
    • If you are watching the recording, and would like to obtain CPE credit for this webinar
    • Previous AuditNet® webinars are also available on-demand for CPE credit
    http://criskacademy.com
    http://ondemand.criskacademy.com
    Use coupon code: 50OFF for a discount on this webinar for one week

    THANK YOU!
    Jim Kaplan, AuditNet® LLC
    1-800-385-1625
    Email: info@auditnet.org
    www.auditnet.org

    Richard Cascarino & Associates
    Cell: +1 970 819 7963
    Tel: +1 303 747 6087 (Skype Worldwide)
    eMail: rcasc@rcascarino.com
    Web: http://www.rcascarino.com
    Skype: Richard.Cascarino
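
The "AUDITING – YOU WILL NEED TO" slide asks for DHCP logs (hostname and IP address pairing, date/time) and DNS logs (queried domain and querying system), and the intrusion slide places attacker activity between 10 p.m. and 4 a.m. The following is an added example, not part of the original presentation, showing why both logs are needed together: it attributes each DNS query to the host that held the IP at that moment and lists off-hours lookups of domains never queried during the day. The log formats, hostnames, IPs and domains are constructed; it assumes timestamps are in the site's local time and that a lease lasts until the next lease for the same IP.

```python
"""Added example: attribute DNS queries to hosts via DHCP leases, then
surface off-hours lookups of domains never seen during the working day.
All log lines, hostnames, IPs and domains below are constructed samples."""
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed DHCP lease log: time, IP, hostname (the "hostname and IP
# address pairing, date/time" the slide asks for). Note 10.0.5.23 is
# reassigned to a different machine in the evening.
DHCP_LOG = """\
2018-09-24T08:01:10 10.0.5.23 WS-FINANCE-07
2018-09-24T08:03:42 10.0.5.24 WS-HR-02
2018-09-24T18:30:00 10.0.5.23 LT-EXEC-01
"""

# Constructed DNS log: time, client IP, queried domain.
DNS_LOG = """\
2018-09-24T09:15:00 10.0.5.23 intranet.example.com
2018-09-24T10:20:00 10.0.5.24 mail.example.com
2018-09-24T23:41:07 10.0.5.23 updates.example.net
2018-09-25T02:12:55 10.0.5.23 updates.example.net
2018-09-25T03:05:00 10.0.5.24 mail.example.com
2018-09-25T03:30:00 10.0.9.99 cdn.example.org
"""

OFF_HOURS_START, OFF_HOURS_END = 22, 4  # 10 p.m. to 4 a.m., per the slide


def parse(log):
    """Yield (datetime, field2, field3) from whitespace-separated lines."""
    for line in log.splitlines():
        if line.strip():
            ts, a, b = line.split()
            yield datetime.fromisoformat(ts), a, b


def build_lease_index(dhcp_log):
    """Map IP -> (sorted lease start times, hostnames in the same order)."""
    per_ip = defaultdict(list)
    for ts, ip, host in parse(dhcp_log):
        per_ip[ip].append((ts, host))
    index = {}
    for ip, leases in per_ip.items():
        leases.sort()
        index[ip] = ([t for t, _ in leases], [h for _, h in leases])
    return index


def host_at(index, ip, when):
    """Hostname holding `ip` at `when`, or None if no lease covers it.

    Assumption: a lease stays valid until the next lease for the same IP.
    """
    if ip not in index:
        return None
    starts, hosts = index[ip]
    pos = bisect_right(starts, when)
    return hosts[pos - 1] if pos else None


def is_off_hours(ts):
    """True when the timestamp falls in the 22:00-04:00 window."""
    return ts.hour >= OFF_HOURS_START or ts.hour < OFF_HOURS_END


def off_hours_findings(dhcp_log, dns_log):
    """Return off-hours queries for domains with no daytime lookups."""
    index = build_lease_index(dhcp_log)
    queries = list(parse(dns_log))
    daytime_domains = {d for ts, _, d in queries if not is_off_hours(ts)}
    findings = []
    for ts, ip, domain in queries:
        if is_off_hours(ts) and domain not in daytime_domains:
            host = host_at(index, ip, ts) or "UNKNOWN (no DHCP lease logged)"
            findings.append((ts.isoformat(), host, ip, domain))
    return findings


if __name__ == "__main__":
    for row in off_hours_findings(DHCP_LOG, DNS_LOG):
        print(*row, sep="  ")
```

The night-time queries from 10.0.5.23 are attributed to LT-EXEC-01 rather than the finance workstation that held the address in the morning, and the query from an address with no lease record shows up as a logging gap to follow up.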