State Sponsored Malware: The Advanced Persistent Threat

How it disrupted the Iranian nuclear program, and how it will change Computers and Security

Bill Kilgallon

on 21 February 2012

Transcript of State Sponsored Malware: The Advanced Persistent Threat

Somewhere in a hardened Iranian military facility, several centrifuges just shook themselves to pieces. This was the result of a very subtle bug in the industrial controller running the centrifuges. Except it wasn't a bug. It appears to be the culmination of a sophisticated mission. The components of this attack were commonplace, but their sophisticated orchestration is changing computing and security. Again.

Deconstructing Stuxnet: The Anatomy of an Advanced Persistent Threat

Security Abstraction Layers

The attack is taken apart one layer at a time, and each layer gets three frames: Attacks, Defenses, Implications.

Physical Layer: Chips, Networks, Motors, Radio waves (and centrifuges ;) )
Network Layer: TCP, IP, UDP, ARP, MAC
Internet Infrastructure: DNS, Certificate Authorities, HTTPS, Encryption Algorithms
Server Platform Infrastructure: Windows, Linux, MacOS, IIS, Apache, Websphere, Python, PGP, Programmable Controllers, Databases, Compilers
Client Platform Infrastructure: Windows, Linux, MacOS, iOS, Flash, Firefox, Safari, Internet Explorer, Anti-Malware
Out of Band Infrastructure: Hard Tokens, Phones, IP Strapping, air gaps
Conscious Entities: Humans, Companies, Institutions, Governments, News Media, Subcultures

Physical Layer Attacks

Construction of a duplicate facility to test and refine the attack
Specifically targeted domain-specific "soft spots"
Leverage ubiquitous but non-IT-managed hardware (e.g. thumb drives)

Client Platform Layer Attacks

All the same stuff that worked on your server platform layer
Malware drive-by install from a thumb drive
Malware drive-by installs from a web browser
Get the manufacturer to pre-install your malware before they ship
Server Platform Infrastructure Layer Attacks

Find and leverage zero-day exploits
Use exploits to put rootkits on the servers (or PLCs)
Use exploits for privilege escalation and self-replication
Infect compilers to inject malicious instructions into built executables (but not into the source)
Attacks specifically designed to attack specific security software (which runs at high privilege)
General "stealth" capabilities in the way the virus infected an OS (compromising a valid DLL that already behaved in a way a virus would)
Automatic "retreat" in the face of security products it knew would detect it
Use of native OS resources (scheduler, updater) in attacks
Network Layer Attacks

Network worm spreads through existing channels with common traffic (Windows Print Spooler and SMB shared drives)
Infected hosts do discovery and form an ad hoc peer-to-peer network to keep each other updated with malware updates
Use of IP address to better target the attack
Malware is closed-loop, and frequently updated by its controller based on the intelligence the malware is gathering
Conscious Entity Attacks

Steal trusted certificates for code signing
Bootstrap the infection with a trained human spy inserted into the facility
Spearphish for credentials to sensitive systems
Disrupt the activity of the people tasked with defending against and eliminating the threat
Only infect two or three other machines, then become an introvert
Defend your infected host against other rogue attackers
Make your command and control channels look innocent (MyPremierFutbol.com)
Respond with increasing damage when you are hurt
Self-destruct as soon as your part of the mission is complete
Attack independent feedback loops to have them fake normal operation (when it isn't)
Make your attacks look plausibly like entropy
Internet Infrastructure Layer Attacks

Signed and trusted code, signed with a valid (but stolen) digital certificate
Stolen RSA SecurID token seed records (the 2011 RSA breach) for second-factor hard tokens
Use of Internet infrastructure to better target the attack (e.g. geolocation by IP address)

Out of Band Infrastructure Attacks

Thumb drives to "jump" the air gap
Compromised RSA hard token keys?

Physical Layer Defenses

Mature hardened facility
Mature hardened enterprise procedures
Operational secrecy
Industry-wide best practices

Physical Layer Implications

Hard data centers are only hard until they are occupied or operated by human beings
Industry best practices control previous risks, not the future ones
Hardware security controls can be completely subverted by security defects at the software level
Network Layer Defenses

Air gaps, firewalls, and VLANs isolate sensitive things from dangerous things
Monitor for unauthorized traffic

Network Layer Implications

Hostile traffic may be embedded in normal traffic channels, and deep inspection is hard
Even small amounts of unknown traffic could represent a large active infection
Just because nobody else is reporting attacks and breaches, you can't assume you aren't under attack and being breached
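Worked example, added here and not part of the presentation: a small Go detector for the "small amounts of unknown traffic" case above. It builds a constructed proxy log (ten workstations, four popular sites, one large one-off download, and one workstation that contacts an innocuous-looking domain every 30 minutes with a 512-byte payload) and profiles every destination by how many clients use it, how often, and how regular the timing is. The domain name mypremierfutbol.com is the one the presentation cites; the other hostnames, the log format, the seed and the thresholds are assumptions made for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"math"
	"math/rand"
	"sort"
	"strings"
)

// SampleLog returns a constructed proxy log (not a real capture), one record
// per line as "epoch client host bytes": ten workstations browse four popular
// sites at random times over 8 hours, one fetches a single large file, and one
// also calls an innocuous-looking domain every 30 minutes with a tiny payload.
func SampleLog() string {
	rng := rand.New(rand.NewSource(7)) // fixed seed so the run is repeatable
	const day = int64(8 * 3600)
	var b strings.Builder
	add := func(ts int64, client, host string, n int) {
		fmt.Fprintf(&b, "%d %s %s %d\n", 1300000000+ts, client, host, n)
	}
	for c := 0; c < 10; c++ {
		for _, h := range []string{"www.example.com", "mail.example.net", "news.example.org", "cdn.example.com"} {
			for i := 0; i < 4; i++ {
				add(rng.Int63n(day), fmt.Sprintf("ws%02d", c), h, 400+rng.Intn(4000))
			}
		}
	}
	add(5000, "ws03", "files.example-mirror.net", 90000000) // one-off large download
	for ts := int64(600); ts < day; ts += 1800 + rng.Int63n(11) - 5 {
		add(ts, "ws07", "mypremierfutbol.com", 512) // the beacon: tiny payload, clockwork timing
	}
	return b.String()
}

// HostStats is what the proxy saw for one destination.
type HostStats struct {
	Clients, Requests, Bytes int
	Period                   float64 // mean gap between successive requests, seconds
	Jitter                   float64 // std dev of the gaps / mean gap; near 0 means clockwork
}

// Profile aggregates the log per destination, skipping malformed lines.
func Profile(log string) map[string]HostStats {
	times := map[string][]int64{}
	seen := map[string]bool{} // "host client" pairs already counted
	stats := map[string]HostStats{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		var ts int64
		var client, host string
		var n int
		if _, err := fmt.Sscanf(sc.Text(), "%d %s %s %d", &ts, &client, &host, &n); err != nil {
			continue // malformed line
		}
		s := stats[host]
		if !seen[host+" "+client] {
			seen[host+" "+client] = true
			s.Clients++
		}
		s.Requests, s.Bytes = s.Requests+1, s.Bytes+n
		times[host] = append(times[host], ts)
		stats[host] = s
	}
	for host, ts := range times {
		sort.Slice(ts, func(i, j int) bool { return ts[i] < ts[j] })
		s := stats[host]
		if n := len(ts); n > 1 {
			s.Period = float64(ts[n-1]-ts[0]) / float64(n-1)
			var variance float64
			for i := 1; i < n; i++ {
				d := float64(ts[i]-ts[i-1]) - s.Period
				variance += d * d
			}
			s.Jitter = math.Sqrt(variance/float64(n-1)) / math.Max(s.Period, 1) // Max guards a zero period
		}
		stats[host] = s
	}
	return stats
}

// Suspects flags destinations that at most maxClients clients use, that were
// contacted at least minRequests times, and whose timing is too regular for a
// human (jitter below maxJitter). Thresholds are assumptions for the example.
func Suspects(log string, maxClients, minRequests int, maxJitter float64) []string {
	var out []string
	for host, s := range Profile(log) {
		if s.Clients <= maxClients && s.Requests >= minRequests && s.Jitter < maxJitter {
			out = append(out, host)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	for host, s := range Profile(SampleLog()) {
		fmt.Printf("%-26s clients=%2d reqs=%3d bytes=%9d jitter=%.3f\n", host, s.Clients, s.Requests, s.Bytes, s.Jitter)
	}
	fmt.Println("suspected beacons:", Suspects(SampleLog(), 2, 4, 0.1))
}
```

The three conditions are deliberately combined: rarity alone would flag the one-off download, regularity alone would flag every software updater on every host, and volume alone never flags 8 KB spread over a working day. An attacker who randomizes the beacon interval defeats the jitter test, which is why the page's "monitoring and awareness of global hostile traffic patterns" belongs alongside a purely local rule like this one.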
Internet Infrastructure Layer Defenses

Only run signed and trusted code
Two-factor authentication for access
Monitoring and awareness of global hostile traffic patterns and exploits

Internet Infrastructure Layer Implications

Trusted code is actually only as good as the weakest trusted code provider(s)
Even the serious security products can't be trusted; they are as much at risk as you are, and are even more of a target
It really might be "all about you", and you might be on your own until it's too late
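Worked example, added here; it is not code from the presentation, from Stuxnet, or from any vendor. A toy driver loader in Go enforces "only run signed and trusted code" and then walks through why trusted code is only as good as the weakest trusted provider. Ed25519 keys stand in for code-signing certificates (real loaders check an X.509 chain, Authenticode on Windows), a fingerprint allow-list stands in for the trust store, and the publisher name, the driver bytes and the revocation step are all assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Publisher stands in for a code-signing certificate: a name bound to a key.
type Publisher struct {
	Name string
	Key  ed25519.PublicKey
}

// TrustStore is the host-side policy: trusted publishers keyed by key
// fingerprint, plus fingerprints that have been revoked.
type TrustStore struct {
	trusted map[string]string // fingerprint -> publisher name
	revoked map[string]bool
}

// SignedDriver is a driver image with a detached signature and the signer's key.
type SignedDriver struct {
	Code   []byte
	Sig    []byte
	Signer ed25519.PublicKey
}

func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

func NewTrustStore(pubs ...Publisher) *TrustStore {
	ts := &TrustStore{trusted: map[string]string{}, revoked: map[string]bool{}}
	for _, p := range pubs {
		ts.trusted[fingerprint(p.Key)] = p.Name
	}
	return ts
}

// Revoke is the only remedy the trust model has once a signing key leaks.
func (ts *TrustStore) Revoke(pub ed25519.PublicKey) { ts.revoked[fingerprint(pub)] = true }

// Sign is what a build server, or whoever else holds the key, produces.
func Sign(priv ed25519.PrivateKey, code []byte) SignedDriver {
	return SignedDriver{Code: code, Sig: ed25519.Sign(priv, code), Signer: priv.Public().(ed25519.PublicKey)}
}

// Verdict is the loader's decision. The signature math is checked first and
// is never the step that fails in the stolen-key case.
func (ts *TrustStore) Verdict(d SignedDriver) string {
	if !ed25519.Verify(d.Signer, d.Code, d.Sig) {
		return "reject: signature does not verify"
	}
	fp := fingerprint(d.Signer)
	if ts.revoked[fp] {
		return "reject: signer revoked"
	}
	name, ok := ts.trusted[fp]
	if !ok {
		return "reject: signer not in trust store"
	}
	return "load: signed by " + name
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Scenario walks the page's argument and returns the loader verdict at each step.
func Scenario() map[string]string {
	vendorPub, vendorPriv := mustKey() // honest hardware vendor (assumed name below)
	_, attackerPriv := mustKey()       // the attacker's own key
	ts := NewTrustStore(Publisher{Name: "Example Vendor", Key: vendorPub})
	legit := Sign(vendorPriv, []byte("legitimate driver v1.0"))
	malicious := []byte("rootkit driver")
	out := map[string]string{}
	out["vendor driver"] = ts.Verdict(legit)
	out["malware, attacker key"] = ts.Verdict(Sign(attackerPriv, malicious))
	out["malware, forged signature"] = ts.Verdict(SignedDriver{Code: malicious, Sig: make([]byte, ed25519.SignatureSize), Signer: vendorPub})
	// The stolen key: cryptographically indistinguishable from the vendor.
	out["malware, stolen vendor key"] = ts.Verdict(Sign(vendorPriv, malicious))
	// Revocation blocks the malware, and also every honest build ever signed
	// with that key, until the vendor re-signs and re-ships.
	ts.Revoke(vendorPub)
	out["malware after revocation"] = ts.Verdict(Sign(vendorPriv, malicious))
	out["vendor driver after revocation"] = ts.Verdict(legit)
	return out
}

func main() {
	for step, verdict := range Scenario() {
		fmt.Printf("%-32s %s\n", step, verdict)
	}
}
```

Forging the signature fails, as the cryptography promises; the stolen key walks straight through, because a signature only proves that someone held the key, not who. That is the practical shape of "the weakest trusted code provider": the trust store is exactly as strong as the physical and operational security of every key holder on the list.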
Server Platform Infrastructure Layer Defenses

Stick to secure and well-managed off-the-shelf hardware and software
Maintain minimal installed software (less surface area for attack)
Do source code reviews and security audits
Do timely patching and vulnerability scanning
Design easy-to-secure OS and software architectures, including the principle of least privilege
Isolation of environments (malware inside an isolated network can't be remotely controlled or adapted)

Server Platform Infrastructure Layer Implications

You can trust your hardware... until it runs software
(Except that you actually can't trust your hardware, sorry)
Even small attack surfaces, these days, are pretty large if you are actually doing anything significant
Source code audits may find insecure content. Sadly, you aren't running source code, you are running an executable. Good luck reviewing that.
Patching and anti-malware controls only address risks that have been discovered and fixed
Even if you find and patch one unknown vulnerability, it won't help you if a rootkit is being actively protected by another unknown vulnerability
Software that is privileged enough to effectively protect your system is still just software with vulnerabilities, and is privileged enough to hurt your system
Client Platform Layer Defenses

Isolate production networks from client devices
Disable inputs (USB, memory card, DVD, etc.)
Only use trusted hardware and software
Include behavior analysis in anti-malware tools (in addition to typical signature-based detection)
Serialize diversity within defense layers

Client Platform Layer Implications

You can't just worry about rootkits on your computer; they can be anywhere (mouse? monitor? docking station? firmware?)
You have to patch everything, not just desktops and servers
(And these were zero-days, so even that would not have helped)
Everything you do with your client is another attack point
(But the whole point of a client is interaction)
Behavior-based anti-malware detection only helps if your malware infects things that need to behave differently in order to hurt you
You can no longer assume that autonomous malware will be noisy and clumsy
Malware that uses native resources on your platform effectively can be small (under 500 KB)

Out of Band Infrastructure Defenses

"Air gaps" to prevent bad things from getting into sensitive areas
Two-factor authentication (uses completely independent systems together to protect you)

Out of Band Infrastructure Implications

An air gap is a happy fairy tale that lives primarily in the minds of your security people
Your "out of band" security has its own problems
Why on earth would you assume that your nuclear processing facility was compromised, but your iPhones and BlackBerrys aren't?
Conscious Entity Defenses

Policies and training to shape the behavior of people with sensitive access
Background checks on employees
Use of only signed and trusted code
Smart, experienced, and trained people executing carefully designed defense and response plans
Experience showing that outbreaks will make a noisy mess (your *last* problem is not knowing they are there)
Experience showing that malware reaching back to its "controller" will be obvious (MyEvilsiteForeignBlacklistedSite.com)
Assumption that virus cleanup is an extermination exercise (and not a hostage situation)
Assumption that an infection that did manage to linger will eventually be caught by updated anti-malware signatures or features
Independent monitoring loops
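Worked example, added here as a constructed model rather than Stuxnet's PLC code: what "attack independent feedback loops to have them fake normal operation" (under the conscious entity attacks) does to a monitoring rule, and what an "independent monitoring loop" buys you. A simulated rootkit records a window of healthy rotor-speed readings and replays it to the operator's screen while driving the real speed out of range. The nominal speed, the noise levels, the power-scales-with-speed relation, the seed and the detection thresholds are all assumptions for the example; the Symantec dossier the presentation credits is the source for the record-and-replay behaviour itself.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

// Sample is one scan cycle as the operator's monitoring system logs it.
type Sample struct {
	ReportedRPM float64 // value the (compromised) controller reports to the HMI
	PowerWatts  float64 // drive power from a meter the rootkit does not control (assumption)
}

const nominalRPM = 1064.0 // healthy rotor speed used by this model

// Plant is a constructed model: for the first recordLen cycles a rootkit
// records honest readings; from attackAt on (assumed >= recordLen) it pushes
// the rotor to overspeed while replaying the recording to the HMI. It returns
// the log the defenders see and the true speed they do not.
func Plant(cycles, recordLen, attackAt int) (log []Sample, truth []float64) {
	rng := rand.New(rand.NewSource(1)) // fixed seed: repeatable run
	var recorded []float64
	for i := 0; i < cycles; i++ {
		realRPM := nominalRPM
		if i >= attackAt {
			realRPM = 1410 // damaging overspeed
		}
		reading := realRPM + rng.NormFloat64()*0.8 // an honest sensor has noise
		reported := reading
		if i < recordLen {
			recorded = append(recorded, reading)
		} else if i >= attackAt {
			reported = recorded[(i-attackAt)%recordLen] // the replay
		}
		// Power scales with speed in this model and comes from an independent meter.
		log = append(log, Sample{ReportedRPM: reported, PowerWatts: realRPM*0.5 + rng.NormFloat64()})
		truth = append(truth, realRPM)
	}
	return log, truth
}

// RangeCheck is the monitoring rule the attack is designed to satisfy:
// "is every reported speed within tolerance?" True means all clear.
func RangeCheck(log []Sample, tol float64) bool {
	for _, s := range log {
		if math.Abs(s.ReportedRPM-nominalRPM) > tol {
			return false
		}
	}
	return true
}

// ReplayIndex returns the first cycle whose window of w reported values is a
// bit-for-bit copy of an earlier window, or -1. Real sensor noise never
// repeats exactly, so an exact repeat is a recording being played back.
func ReplayIndex(log []Sample, w int) int {
	same := func(i, j int) bool {
		for k := 0; k < w; k++ {
			if log[i+k].ReportedRPM != log[j+k].ReportedRPM {
				return false
			}
		}
		return true
	}
	for i := 1; i+w <= len(log); i++ {
		for j := 0; j < i; j++ {
			if same(i, j) {
				return i
			}
		}
	}
	return -1
}

// CrossCheckIndex compares the reported speed with the speed implied by the
// independent power reading and returns the first cycle where the two
// disagree by more than tol, or -1.
func CrossCheckIndex(log []Sample, tol float64) int {
	for i, s := range log {
		if implied := s.PowerWatts / 0.5; math.Abs(implied-s.ReportedRPM) > tol {
			return i
		}
	}
	return -1
}

func main() {
	log, truth := Plant(300, 60, 200)
	fmt.Println("range check all clear:", RangeCheck(log, 50))
	fmt.Println("true speed at cycle 250:", truth[250])
	fmt.Println("replay first detected at cycle:", ReplayIndex(log, 8))
	fmt.Println("cross-check first disagreement at cycle:", CrossCheckIndex(log, 50))
}
```

The range check reports all clear for the whole run, which is the point of the attack. The exact-repeat search catches this replay only because the recording is played back verbatim; an attacker who re-noises the recording defeats it. The cross-check against a channel the rootkit does not control survives that, which is what makes a monitoring loop "independent": it has to measure the physical process through a path the compromised controller never touches.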

Conscious Entity Implications

You can't assume that your APT won't evolve quickly and efficiently as it gets further and further into your network
The brightest and best defense team tends to perform poorly once killed by a guy on a motorcycle
Cryptographically, it is insanely hard to forge a certificate for code signing. But physically, it turns out it's pretty easy to do breaking and entering (or worse)
Policies and background checks help the good guys behave well. Spies don't follow them
Your organization is infected by something at this moment. The only real question is "What is it up to?"
Don't count on the canaries in your coal mine to die. In fact, don't even count on them looking sad
Accept that you are in a zombie movie. Inevitably, someone will *eventually* hide the bite mark
Accept that if your hardened facility can be compromised (and it can), your security product vendors' hardened facilities can be compromised (and they have been)
Accept that cleaning up an infection may be more like poking a hornets' nest than squishing cockroaches
You are planning your defenses like you are going to be in "Saving Private Ryan". But the movie you are in is "Mission Impossible"
If your operational systems are infected, why would you trust the information coming from your monitoring systems?
You must assume that some bugs might not be accidents. But most bugs *are* accidents. Given that entropy is ubiquitous, expect a lot of stress and snipe hunts
You have to assume that the first hit you can see might be the only hit they need

Three Legged Frogs

The trematode is a water-borne parasite. Consider its lifecycle. At the end of the day, this is nothing new.

Larval snails are infected with trematodes (photo credit: Todd Huspeni, University of California, Santa Barbara, used without permission)
Tadpoles eat larval snails with trematode infections (image from findatoad.blogspot.com)
Tadpoles with trematode infections grow into frogs with extra legs (image from http://edition.cnn.com/US/fringe/8-31/three_legged_frog.jpg)
Frogs with extra legs swim poorly, and are easy prey for water birds and fish (images from http://www.floridakayakfishing.com/blog1.htm and http://www.middletownbiblechurch.org/christia/ngiveup.htm)
Fish and water birds eat frogs that are easy to catch, get infected with trematodes, and are prone to poop in the water (no picture here, we are eating)
Trematodes are then distributed through bodies of water, where they infect snail larvae (image credit: Kyle C. Reynolds, Hiromi Watanabe, Ellen E. Strong, Takenori Sasaki, Katsuyuki Uematsu, Hiroshi Miyake, Shigeaki Kojima, Yohey Suzuki, Katsunori Fujikura, Stacy Kim, & Craig M. Young (2010). New Molluscan Larval Form: Brooding and Development in a Hydrothermal Vent Gastropod, Ifremeria nautilei (Provannidae). Biological Bulletin, 219 (1), 7-11)

Sound familiar?

Conclusion

There is no conclusion, this is evolution.
Evolution just took a leap forward.
Future defenses will look more like good hygiene, and won't be as much about preventing any attack as they will be about minimizing and managing their effects.

Advanced Persistent Threats (APT): Stuxnet and the Iranian Nuclear Fuel Processing Facility

Disclaimer

This presentation is "Infotainment". While it is actually fairly accurate, I tried not to let details get in the way of a good story.

Credits

The information about what Stuxnet was and what it did was gathered primarily from a Symantec published whitepaper:
http://www.symantec.com/
w32_stuxnet_dossier.pdf

Your one saving grace...

Mounting these attacks is insanely expensive and time consuming. Microsoft estimated this was 30 to 50 person-years. (You might not be that important.)

Other Useful Resources

Citibank breached by replacement of bank teller PIN pads with identical (but bugged) replacements.

Wired infotainment story

RSA breached in what is suspected to be part of an attack against military / government

Malware is being served from otherwise legitimate domains now, making blocking a lot more problematic.
Top 10 Categories Hosting Malware
January – May 2011
1 Online Storage
2 Software Downloads
3 Pornography*
4 Open/Mixed Content
5 Computers/Internet
6 Placeholders*
7 Phishing*
8 Hacking*
9 Online Games*
10 Illegal/Questionable*
Source: Blue Coat Security Labs

 --DigiNotar Certificates Blocked Following Breach
(September 3 & 5, 2011)
The number of certificates issued as a result of a security breach at
Dutch certificate authority DigiNotar is growing; the latest official
estimate has the figure at 531. The breach had prompted Mozilla to take
measures so "that all DigiNotar certificates will be untrusted by
Mozilla products," which includes the Firefox browser. The most recent
version of Google's Chrome browser also places DigiNotar certificates
on a permanent block list. There is evidence that the stolen
certificates were being used to spy on people in Iran. The sites for
which fraudulent certificates were issued include MI6, the CIA,
Microsoft, Facebook and Twitter. Microsoft said that the forged
certificate cannot be used to force malware through Windows Update.
Internet Storm Center:
[Editor's Note (Ullrich): In particular the intermediate audit report
not only shows how deeply DigiNotar was penetrated, but also how little
attention they apparently paid to logs.
(Honan: The external consultants, Fox IT, who conducted the audit into
this incident have published their findings and it makes for very sad
reading.  The findings show issues that contributed to the breach
include out of date anti-virus software, unpatched software, poor log
management, weak passwords and a network which did not have sensitive
systems segregated from others.  This report is a must read for security
professionals on how not to secure an environment.
http://www.rijksoverheid.nl/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1.html ]
(From SANS newsbytes)

--Malware Found on Japanese Military Contractor's Computers
(September 21 & 22, 2011)
Malware has been detected on at least 80 computers at Mitsubishi Heavy
Industries (MHI), a Japanese military weapons contractor. The attackers
appear to have been targeting information about missiles, submarines and
nuclear power plants. One report said that the company's systems were
infiltrated through a spear phishing attack.  MHI says that Stuxnet was
not among the malware found on their systems.
(From SANS newsbytes)
(By client platform, I mean things that are mainly used by people to interact with other things.)