Module 4 Advanced Persistent Threats

Faham Usman

on 23 May 2014


Transcript of Module 4 Advanced Persistent Threats

Information Security
Module 4
Advanced Persistent Threats
Awareness Campaign
Salim is your Cyber Security Advisor.
It aims to promote, build and ensure a safer and more secure cyber environment and culture in the UAE.
About aeCERT
One of the initiatives of the UAE Telecommunications Regulatory Authority.
aeCERT is the United Arab Emirates Computer Emergency Response Team.
About aeCERT
What is an APT?
The Components of APT
Objectives of APTs
APT Characteristics
APT Tools and Techniques
Defending against APT
APT Detection
APT Attack Method
The Stages of an APT
APT Incidents around the Globe
Salim (aeCERT)
For more information
FireEye – NG Threat Prevention
Mandiant Intelligence Center
The Security Analytics
DNS Cache Analysis
SysInternal Process Monitor
SysInternal Process Explorer
Memory Analysis Toolkit
APT – Indicators of Compromise
Targeted Attacks Are on the Rise
Analyze Interesting Files
RSA Attack Analysis A Spear-Phishing Real World Case
APT Case Study
Stuxnet (2010)
Operation Shady RAT (2011)
New York Times (2013)
Government of Pakistan
APT Dwell Time
APT Targeted Industries
APT in the News
What is an APT?
FireEye – Next Generation
Threat Protection
Security Analytics – RSA
Memory Analysis
Iterative Process
Step 2-5: Internal Installation
Step 1-5: Initial Installation
RSA Attack: Digital Shoulder-Surfing
The attacker packages the stolen files in ZIP or RAR format and then renames them as GIFs
APT Attack Method
Government of Canada (2011)
APT Compromise Detection
APT Characteristics
APT in the News
Advanced Persistent Threats
Defense-in-Depth at a Glance
Step 2-7: Mission Fulfillment
Iterative Process
Step 2-6: Persistence
Step 2-4: Internal Exploitation
File Name Attribute
Created: 01/13/2012 11:13:18AM
Last Modified: 01/13/2012 11:13:18AM
Last Access: 01/13/2012 11:13:18AM
MFT Entry: 01/13/2012 11:13:18AM
Standard Information Attribute
Created: 12/29/2011 9:00:00AM
Last Modified: 12/29/2011 9:00:00AM
Last Access: 12/29/2011 9:00:00AM
MFT Entry: 01/13/2012 11:15:30AM
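The two timestamp sets above are the slide's own example of why all eight $MFT timestamps matter: the Standard Information creation time predates the File Name creation time, which user-mode tools cannot normally produce. As an added example (not code from the aeCERT deck), the Python below parses the slide's values and applies that comparison; the NTFS attribute names $FILE_NAME and $STANDARD_INFORMATION and the "round time" heuristic are assumptions of this example, not statements from the slide.

```python
"""Timestomping check on the $MFT timestamp pair shown on the slide.

Added example, not from the aeCERT presentation. SLIDE_TEXT is the
slide's constructed example; $FILE_NAME ($FN) and $STANDARD_INFORMATION
($SI) are the NTFS attribute names assumed for the two timestamp sets.
"""
from datetime import datetime

SLIDE_TEXT = """\
File Name Attribute
Created: 01/13/2012 11:13:18AM
Last Modified: 01/13/2012 11:13:18AM
Last Access: 01/13/2012 11:13:18AM
MFT Entry: 01/13/2012 11:13:18AM
Standard Information Attribute
Created: 12/29/2011 9:00:00AM
Last Modified: 12/29/2011 9:00:00AM
Last Access: 12/29/2011 9:00:00AM
MFT Entry: 01/13/2012 11:15:30AM
"""

def parse_timestamps(text):
    """Return {"FN": {...}, "SI": {...}} mapping field name -> datetime."""
    groups, current = {}, None
    for line in text.splitlines():
        if line.startswith("File Name"):
            current = groups.setdefault("FN", {})
        elif line.startswith("Standard Information"):
            current = groups.setdefault("SI", {})
        elif ":" in line and current is not None:
            field, _, value = line.partition(":")
            current[field.strip()] = datetime.strptime(
                value.strip(), "%m/%d/%Y %I:%M:%S%p")
    return groups

def timestomp_indicators(groups):
    """List the indicators that suggest the $SI timestamps were altered."""
    si, fn = groups["SI"], groups["FN"]
    hits = []
    # $FN times are written by the kernel; user-mode API calls change $SI only,
    # so an $SI creation time older than the $FN creation time is a red flag.
    if si["Created"] < fn["Created"]:
        hits.append("$SI created before $FN created")
    # Heuristic: backdating tools often set neat HH:00:00 values, while
    # genuine file activity rarely lands exactly on the hour.
    core = (si["Created"], si["Last Modified"], si["Last Access"])
    if all(t.minute == 0 and t.second == 0 for t in core):
        hits.append("$SI create/modify/access times are round (HH:00:00)")
    return hits

if __name__ == "__main__":
    for hit in timestomp_indicators(parse_timestamps(SLIDE_TEXT)):
        print("indicator:", hit)
```

On a live system the same comparison is run against $MFT records exported by a forensic parser rather than against slide text.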
Step 2-3: Internal Delivery
Step 2-2: Internal Weaponization
Step 2-1: Internal Reconnaissance
Step 1-6: Command & Control Activity
Step 1-4: Initial Exploitation
Step 1-3: External Delivery
Step 1-2: External Weaponization
Step 1-1: Initial Reconnaissance
RSA is a security company that produces a huge number of hardware security tokens used to prevent exactly this kind of data breach

RSA Background
Spear Phishing
Anonymous (2011)
APT Characteristics
Defending against APT
How an APT Works
Antivirus Exclusions
RSA Attack: Employee Mistake
RSA Attack: Spear Phishing Emails
Spear Phishing Stats
RSA Attacks
Shamoon (2012)
Anonymous (2011)
Strategies for Dealing with Advanced Targeted Threats, John Pescatore

APT: According to Gartner
Origins of the Term: APT
RSA Attack: Harvesting
RSA Attack: Remote Administration Tool (RAT)
The attacker did not use mass spamming, because it would have been caught by RSA's spam filter
The attacker captured valid email addresses
RSA Attack: Initial Steps
U.S. Department of Defense (2013)
APT Detection
All Eight Timestamps Are in the $MFT
RSA Attack: The Battle
Sophisticated Targeted Attacks

Business Week, July 2009: Under Cyber Threat: Defense Contractors
Business Week, April 2008: An Evolving
Washington Post, October 2006: Computer Systems Under Attack

APT in the News
The Components of APT
Pagefile/Swapfile Analysis
The backdoor renames itself to a filename that differs only slightly from legitimate Windows filenames
The Trojan backdoor installs itself into the Windows System directory and registers itself under NETSVCS
The Trojan downloader then sends an encoded instruction to a different drop site, which installs a Trojan backdoor
APT Attack Method
Operation Aurora (2010)
Tangent: $USN Journal Codes
Layered Security
Weakest Link
Lessons Learned
RSA Attack: Analysis
Installs additional backdoors
The attacker then uses RDP (Terminal Services) for lateral movement, SC.exe to create services, or NET commands to connect to shares
Offline password hash cracking
APT Attack Method
The hidden URL is a drop site that probes for browser vulnerabilities and drops a Trojan downloader
The user clicks the link, which opens an attachment and redirects the browser to a hidden URL with a base64-encoded key
Spear-phishing email
APT Attack Method
The Stages of an APT
Defense-in-Depth Strategy
Network & Process Monitoring
Tangent: LNK Files
The attacker then escalates to service privileges to move through the network
The Trojan backdoor uses SSL to communicate with its C&C server
APT Attack Method
The Stages of an APT
Results of Analysis
RSA Attack: Receiving Host
Spear Phishing – The Ingredients
Spear Phishing – A Problem
APT Incidents Around the Globe
APT Characteristics
Data transferred out
Copied data to staging servers
Found staging servers
RSA Attack: Data Gathering
Objectives of APTs
APT Attack: An Example
The attacker has a long-term objective and works to achieve it without being detected

The Components of APT
Defending against APT
Forensic Tools
Review of Each Step
Visibility is Critical
Anatomy of a Targeted Attack

The APT attacker enumerates computer names and user accounts, gathering both local and Active Directory account information
Latest Technologies - Defending
Against APTs