Attackers Vs Defenders:
change your strategy and stop losing
Antonio Forzieri
EMEA Cyber Security Practice Lead
Attack Techniques
Attacker motivations
• Cybercrime: financial; Trojans; ransomware
• Espionage: nation states; corporate
• Subversion: DDoS; social media hacking
• Sabotage: physical damage; data destruction
The three most common attack vectors
• Spear Phishing: email with an attachment or link to a malicious site. 1 in 247 emails has a virus attached.
• Drive-by Download Attack: website uses an exploit to install malware on the computer. Popular exploit toolkits.
• Supply-chain Hack: software of a vendor gets compromised and hijacked to infect its clients.
Copyright © 2014 Symantec Corporation
Spear phishing
1. Attacker sends an e-mail to targeted users with a malicious attachment (usually a PDF or Office document).
2. User receives the e-mail and opens the attachment. Usually social engineering techniques are used in order to mimic a legit e-mail.
3. The malicious attachment connects to a malicious system to download the first stage of the malicious code.
4. The first stage is executed on the user's endpoint and downloads a second stage. The multi-stage approach helps bypass security controls.
6. The installed malware collects information and sends it back to the drop zone server.
7. Attacker downloads the information stolen from the drop zone, eventually connecting through an anon proxy.
Targeted attacks with spear phishing emails

                              2011   2012   2013   2014
Campaigns                      165    408    779    841
Recipients/Campaign             61    111     23     18
Email per Campaign              78    122     29     25
Duration of Campaign (days)      –      3      8      9
Drive-by download (Watering hole)
1. Attacker compromises a web application and inserts a hidden link inside the legitimate app.
2. A legitimate user visits the compromised app. Usually users are redirected to these apps via SEO poisoning attacks.
3. User is silently redirected to a server under the attacker's control and a first stage payload is installed on the user's PC by exploiting a vulnerability.
4. The first stage is executed on the user's endpoint and downloads a second stage. The multi-stage approach helps bypass security controls.
6. The installed malware collects information and sends it back to the drop zone server.
7. Attacker downloads the information stolen from the drop zone, eventually connecting through an anon proxy.

Watering hole – let's have a look at it
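Step 1 of the watering-hole flow is the injected hidden link. The following Python script is an added example, not code from the deck or from Symantec: it is the kind of content check a site owner can run over their own pages to spot an injected iframe or link that a visitor would never see (zero size, display:none, or inside a hidden container) and that points off-site. The sample page, the host names (reserved .test/.invalid domains) and the site domain are constructed for the example.

```python
"""Flag hidden off-site iframes/links injected into a legitimate page.

Added example, not part of the original deck.  A watering-hole injection
typically adds an <iframe> or <a> the visitor cannot see, pointing to a
host outside the site's own domain; this scanner reports exactly that.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate page with one visible same-site link,
# one injected zero-size hidden iframe and one link inside a hidden div.
SAMPLE_HTML = """
<html><body>
<h1>Quarterly report</h1>
<a href="https://www.example-corp.test/reports/q1.pdf">Download Q1 report</a>
<iframe src="http://redirect-host.invalid/x.php" width="0" height="0"
        style="visibility:hidden"></iframe>
<div style="display:none"><a href="http://landing.invalid/go">seo</a></div>
</body></html>
"""

SITE_DOMAIN = "www.example-corp.test"   # the page's own host (assumption)


def _is_hidden(attrs):
    """True when the element itself would be invisible to a human visitor."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    # zero-sized iframes are a classic injection pattern
    return attrs.get("width") == "0" or attrs.get("height") == "0"


class HiddenLinkScanner(HTMLParser):
    """Collect <iframe>/<script>/<a> targets that are hidden and external."""

    def __init__(self, site_domain):
        super().__init__()
        self.site_domain = site_domain.lower()
        self._div_stack = []      # one bool per open <div>: hidden or not
        self.hidden_depth = 0     # number of enclosing hidden <div>s
        self.findings = []        # (tag, url, reason)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden_self = _is_hidden(attrs)
        if tag == "div":
            self._div_stack.append(hidden_self)
            if hidden_self:
                self.hidden_depth += 1
            return
        if tag in ("iframe", "script"):
            url = attrs.get("src")
        elif tag == "a":
            url = attrs.get("href")
        else:
            url = None
        if not url:
            return
        host = urlparse(url).netloc.lower()
        external = bool(host) and host != self.site_domain
        if external and (hidden_self or self.hidden_depth > 0):
            reason = "hidden element" if hidden_self else "inside hidden container"
            self.findings.append((tag, url, reason))

    def handle_endtag(self, tag):
        if tag == "div" and self._div_stack:
            if self._div_stack.pop():
                self.hidden_depth -= 1


def scan_page(html_text, site_domain=SITE_DOMAIN):
    """Return the list of hidden external references found in html_text."""
    scanner = HiddenLinkScanner(site_domain)
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for tag, url, reason in scan_page(SAMPLE_HTML):
        print(f"{tag:7} {reason:25} {url}")
```

Relative URLs and same-domain links are left alone, so a legitimate download link is not reported; run the scanner against a known-good copy of the page first to get a baseline, then diff.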
Supply-chain Hack
• Hidden Lynx (Gov) 2012:
– During SCADEF campaign,
manufacturers and suppliers of
military-grade computers were
observed installing a Trojanized
Intel driver application;
– Attackers bundled an Intel driver
application with variants of
Backdoor.Moudoor
• DragonFly (Energy) 2013:
– Three different ICS equipment
providers were targeted and
malware was inserted into the
software bundles they had made
available for download on their
websites.
Nice techniques
What do they have in common?!?
• The old days where attackers
were hitting servers are gone:
– They still hit them, but there’s a
more juicy target
• Attackers are heavily using
social engineering techniques:
– Attacks are accurately planned, gathering information by many means
– E-mails are well built and realistic
and relevant to real/realistic
projects
– Users targeted usually have
access to sensitive information
and have a low security awareness
– Even badly written e-mails are
effective:
• Crypto/CTBlocker ANYONE?!?
Talking about social engineering...
Operation Francophoned
• Convinced by phone to open the attachment
Talking about social engineering...
Another spear phishing case
No, you cannot patch them
• Awareness
• Awareness
• Awareness
• Awareness
• Awareness
• Awareness
• Awareness
• Awareness
• Awareness
What about server vulnerability?
• Heartbleed OpenSSL vulnerability: affected > 500 million trusted websites (~17% of all TLS servers)
• Heartbleed vulnerability used 4h after reporting
• Other issues: POODLE, FREAK, LogJam, …
• 24 reported zero-day vulnerabilities in 2014
But we are good at patching, right?
Well… I'd not say good.
• 204 days to patch: time for vendor to supply a patch.
• No tracking on how long companies take to patch was done.
Let’s see two
attacks
Stages of an attack
Reconnaissance → Incursion → Discovery → Capture → Exfiltration
• Incursion: attacker breaks into the network by delivering targeted malware to vulnerable systems and employees.
• Discovery: attacker then maps the organization's defenses from the inside and creates a battle plan.
• Capture: accesses data on unprotected systems; installs malware to secretly acquire data or disrupt operations.
• Exfiltration: data sent to attacker for analysis; information may be used for various purposes including fraud and planning further attacks.
Regin at a glance
• Complex tool-suite/platform for spying & surveillance by governments
• Symantec detection name: Backdoor.Regin
• Similar to Stuxnet in complexity
• Customised for each specific mission
• Used against a variety of orgs in many countries
• Investigated by Symantec for over a year
• Operating since at least 2008…
Regin features
• Multi-staged & modular: many components
• Robust C&C: multiple channels, P2P
• Customizable: bulk of code is customized for each job
• Heavily encrypted: complex encryption
• Difficult to analyze: requires specialist skills
• Persistence & stealth: specialized, hidden
Regin: What can it do?
• Low level packet sniffing
• Computer info
• Multi-channel data exfiltration (TCP, UDP, ICMP, HTTP)
• Passwords & login details
• Process & memory info
• File system crawling
• Deleted files parsing (forensics)
• MS Exchange databases
• IIS server info & logs
• UI manipulation
• GSM base station admin traffic
• 32bit & 64bit versions
Yep… this was sophisticated and
ADVANCED
Dragonfly: Attacks against the energy sector
Dragonfly attack group has been active since 2011, but shifted focus to the energy sector in early 2013…
Activities:
• Information theft
• Sabotage capable
Targets:
• Electricity infrastructure
• Electricity generation
• Industrial equipment suppliers
• Pipeline operators
Timeline: 2011 to 2012 other industries; 2013 to 2014 energy sector
Dragonfly: The tools of the trade
• Trojan.Karagny:
– Available in underground markets
– Adapted for use by Dragonfly group
– Download/upload/execute files
– Additional plugins available
• Backdoor.Oldrea:
– Custom made malware
– RAT – full back door access
– Used in 90% of cases
Dragonfly: Attack vectors
• Spam email:
– Targeting: spam email sent to senior employees and engineers
– History: February 2013
– Email subjects: "The account", "Settlement of delivery problem"
– Email attachment: malicious PDF file
• Watering hole:
– Targeting: visitors to compromised websites related to the energy sector
– History: May 2013
– Exploits: redirects visitors to other hacked sites hosting the Lightsout exploit kit
– Malware dropped onto the victim's computer
• Supply chain:
– Targeting: compromise ICS equipment vendors & suppliers
– History: June/July 2013
– Poisoned software: malware added to software files/updates on the vendor's websites
– Victims unknowingly download and install "Trojanized" software updates
Yep… this was less (NOT) so advanced
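Both supply-chain cases in this deck (Hidden Lynx's Trojanized Intel driver application and Dragonfly's poisoned ICS software updates) relied on victims installing whatever the vendor's site served. The Python below is an added example, not code from the deck or from Symantec: it verifies a download against a digest manifest obtained through a separate channel and shows why a digest taken from the same compromised site proves nothing. Installer bytes, file name and manifest are constructed; the function names are this example's own.

```python
"""Verify a vendor download against an out-of-band digest manifest.

Added example, not part of the original deck.  Assumption: the vendor
publishes SHA-256 digests of its releases through a channel the download
site cannot rewrite (signed manifest, vendor PGP key, or a second source).
"""
import hashlib
import hmac

# Constructed "genuine" installer and the manifest derived from it out of
# band.  Real manifests would be signed; the file name is a placeholder.
GENUINE_INSTALLER = b"GENUINE-ICS-DRIVER-SETUP-v1.2" + bytes(range(64))
PACKAGE_NAME = "ics_driver_setup_1.2.exe"
OUT_OF_BAND_MANIFEST = {
    PACKAGE_NAME: hashlib.sha256(GENUINE_INSTALLER).hexdigest(),
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_download(filename, data, manifest):
    """Return (ok, reason).  Only a package whose digest matches passes.

    An unknown file name is rejected outright: "not listed" must never be
    treated as "fine", or an attacker just adds a new file to the site.
    """
    expected = manifest.get(filename)
    if expected is None:
        return False, "no manifest entry: refuse to install unknown package"
    actual = sha256_hex(data)
    # constant-time comparison of the two hex strings
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch: package differs from published build"
    return True, "digest matches published manifest"


def tampered_copy(installer):
    """Constructed stand-in for a Trojanized package: genuine bytes plus
    extra content appended, same file name as the original."""
    return installer + b"<<constructed-appended-stub>>"


def manifest_from_same_site(filename, served_bytes):
    """What a digest *fetched from the compromised site itself* looks like:
    the attacker simply publishes the digest of the file they serve."""
    return {filename: sha256_hex(served_bytes)}


if __name__ == "__main__":
    bad = tampered_copy(GENUINE_INSTALLER)
    print(verify_download(PACKAGE_NAME, GENUINE_INSTALLER, OUT_OF_BAND_MANIFEST))
    print(verify_download(PACKAGE_NAME, bad, OUT_OF_BAND_MANIFEST))
    # same check with the digest taken from the compromised site: passes,
    # which is exactly why the manifest must come from elsewhere
    print(verify_download(PACKAGE_NAME, bad, manifest_from_same_site(PACKAGE_NAME, bad)))
```

The check is only as good as the provenance of the manifest; in a patch management process the digest source and the download source should be recorded separately.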
How do we
protect?
Forrest Gump MANTRA
it happens!!!
Before we start
Get the basics right!
CESG 10 Steps to Cyber Security: cyber security guidance from CESG (Communications-Electronics Security Group), the UK Government's National Technical Authority for Information Assurance.
Back to basics… a few simple examples
• Endpoint Protection:
– Is your technology configured to adopt all available engines?
– Is the update mechanism scheduled every 2/4h?
• Patch Management:
– Do you have a Patch Management Process (a real one I mean, not the one you have in your drawer)?
• Vulnerability Management:
– Do you have a Vulnerability Management Process (a real one I mean, not the one you have in your drawer)?
• Perimeter Security:
– Are you sure you should allow binary files (even zipped) attached to e-mail?
• Hardening:
– I'm kidding… I know it's just a dream.
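The spear-phishing flow earlier in the deck starts with a malicious attachment, and the perimeter question above asks whether binaries (even zipped) should reach the inbox at all. The Python script below is an added example, not code from the deck or from Symantec: it walks a message's attachments, opens zip archives in memory, and flags executables by their magic bytes so a renamed .exe inside a zip is still caught; it also reports macro containers inside Office documents and members it cannot inspect (encrypted or oversized). The blocked-extension list, the sample message and the attachment bytes are all constructed for the example.

```python
"""Perimeter check for e-mail attachments, including binaries hidden in zips.

Added example, not part of the original deck.  Inspects each attachment
of a message, opens zip archives in memory and classifies by content,
not by the file name the sender chose.  All sample data is constructed.
"""
import io
import zipfile
from email.message import EmailMessage

# Extensions that should not reach a user's inbox (assumed policy list).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".dll", ".com", ".bat", ".cmd",
                      ".js", ".vbs", ".ps1", ".hta", ".docm", ".xlsm"}
PE_MAGIC = b"MZ"            # Windows PE executables start with "MZ"
ZIP_MAGIC = b"PK\x03\x04"   # zip local file header (also OOXML documents)
MAX_ZIP_DEPTH = 2           # nested zips beyond this are not unpacked
MAX_MEMBER_BYTES = 50_000_000


def classify_blob(name, data, depth=0):
    """Return [(path, reason), ...] findings for one file body."""
    findings = []
    lower = name.lower()
    if data.startswith(PE_MAGIC):
        findings.append((name, "PE executable by magic bytes"))
    elif any(lower.endswith(ext) for ext in BLOCKED_EXTENSIONS):
        findings.append((name, "blocked extension"))
    if data.startswith(ZIP_MAGIC) and depth < MAX_ZIP_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    path = f"{name}/{info.filename}"
                    # OOXML documents keep VBA macros in vbaProject.bin
                    if info.filename.lower().endswith("vbaproject.bin"):
                        findings.append((path, "Office macro container"))
                        continue
                    if info.file_size > MAX_MEMBER_BYTES:
                        findings.append((path, "member too large to inspect"))
                        continue
                    try:
                        member = zf.read(info)
                    except RuntimeError:   # password-protected member
                        findings.append((path, "encrypted member, cannot inspect"))
                        continue
                    findings.extend(classify_blob(path, member, depth + 1))
        except zipfile.BadZipFile:
            findings.append((name, "malformed zip"))
    return findings


def scan_message(msg):
    """Run classify_blob over every attachment of an EmailMessage."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_content()
        if isinstance(data, str):      # text/* parts decode to str
            data = data.encode("utf-8", "replace")
        findings.extend(classify_blob(name, data))
    return findings


def build_sample_message():
    """Constructed sample: a benign PDF plus a zip hiding a renamed PE."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 64)   # fake PE header
        zf.writestr("readme.txt", b"please see attached")
    msg = EmailMessage()
    msg["From"] = "accounts@vendor.invalid"
    msg["To"] = "user@example-corp.test"
    msg["Subject"] = "Settlement of delivery problem"
    msg.set_content("Please find the documents attached.")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename="docs.zip")
    return msg


if __name__ == "__main__":
    for path, reason in scan_message(build_sample_message()):
        print(f"BLOCK {path}: {reason}")
```

Anything the scanner cannot open (encrypted or malformed archive) is reported rather than silently passed, since an attacker controls the sender side and chooses the container.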
NO: IPS, Firewall and AV are not enough
Security… you are doing it wrong
What else should we be
doing?
What else should we be investing in?
• Track key trends and events and analyze for actionable intelligence → Cyber Intelligent → Cyber Intelligence Services (Tactical and Strategic)
• Protect against targeted attacks, advanced threats and campaigns → Cyber Vigilant → Cyber Defense Center
• Respond quickly and effectively to credible security threats & incidents → Cyber Responsive → Cyber Incident Response
• Strengthen cyber readiness to prevent today's advanced attacks → Cyber Ready → Cyber Security Exercise and Simulation
Cyber Defense Center
from monitoring to hunting (from reactive to proactive)
Monitor:
• Cyber Security Attack Monitoring:
– 24x7 - real-time monitoring of network devices and endpoints
– 24x7 - intelligence monitoring
• Compliance Monitoring:
– 8x5 - monitoring of system compliance to company/industry/national standards
• Cyber Threat Intelligence:
– Produce and consume threat intelligence
Respond:
• Incident Response:
– 8x5 - Monitoring of system compliance to company standards.
• Compliance Violation Response:
– 8x5 - Response to policy violation.
Hunt:
• Use advanced techniques to hunt for incidents:
– Trending
– Hunting
– Honeypotting
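The Hunt column above lists trending and hunting, and both attack flows in this deck end with installed malware sending data back to a drop zone. The Python below is an added example, not code from the deck or from a Symantec product: a hunt over constructed proxy log lines that groups requests by client and destination, measures the gaps between requests, and flags pairs whose gaps are unusually regular (low coefficient of variation), which is what scheduled call-backs look like next to ordinary browsing. The log format, host names and thresholds are assumptions.

```python
"""Hunt for beaconing to a drop zone in proxy logs.

Added example, not part of the original deck.  Groups log lines by
(client, destination), computes the inter-request gaps and flags pairs
whose gaps are nearly constant.  Log format and data are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "timestamp client destination status bytes".
# One host is contacted every ~5 minutes with small, similar responses;
# the others show the irregular pattern of a person browsing.
SAMPLE_LOG = """\
2014-03-01T09:00:00 10.1.1.5 cdn.example-corp.test 200 5120
2014-03-01T09:00:05 10.1.1.5 www.example-corp.test 200 1200
2014-03-01T09:00:06 10.1.1.5 dropzone-host.invalid 200 310
2014-03-01T09:05:06 10.1.1.5 dropzone-host.invalid 200 298
2014-03-01T09:10:07 10.1.1.5 dropzone-host.invalid 200 305
2014-03-01T09:15:06 10.1.1.5 dropzone-host.invalid 200 301
2014-03-01T09:20:06 10.1.1.5 dropzone-host.invalid 200 300
2014-03-01T09:01:00 10.1.1.5 www.example-corp.test 200 4100
2014-03-01T09:12:33 10.1.1.5 www.example-corp.test 200 800
2014-03-01T09:40:10 10.1.1.5 www.example-corp.test 200 9100
2014-03-01T09:41:00 10.1.1.5 www.example-corp.test 200 5000
"""


def parse_log(text):
    """Return {(client, dest): [timestamps]} from the constructed format."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:          # skip blank or malformed lines
            continue
        ts, client, dest, _status, _nbytes = fields
        sessions[(client, dest)].append(datetime.fromisoformat(ts))
    return sessions


def beacon_score(timestamps, min_requests=4):
    """Return (mean_gap_seconds, coefficient_of_variation) or None.

    Too few requests give no meaningful regularity measure, so None is
    returned rather than a misleadingly perfect score.
    """
    if len(timestamps) < min_requests:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(log_text, max_cv=0.1, min_requests=4):
    """Flag (client, dest) pairs whose request gaps vary by at most max_cv."""
    findings = []
    for (client, dest), stamps in parse_log(log_text).items():
        score = beacon_score(stamps, min_requests)
        if score is None:
            continue
        avg, cv = score
        if cv <= max_cv:
            findings.append((client, dest, round(avg, 1), round(cv, 3)))
    return findings


if __name__ == "__main__":
    for client, dest, avg, cv in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {client} -> {dest} every {avg}s (cv={cv})")
```

On real data the candidate list is a starting point for the hunt, not a verdict: legitimate software update checks also beacon, so the next step is to trend each flagged destination over days and across hosts and compare it with threat intelligence.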
Cyber Threat Analysis Cell
advanced services at the right time
• In order to benefit from such services:
– Monitoring related services are required
– Effective incident response procedures are required
– A "stable" environment is required
Monitor / Hunt / Respond
Thank you!
Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered
trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective
owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this
document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to
change without notice.