Saturday, March 27, 2010

Demystifying APT



Introduction  


Marketing folks have already started using the term Advanced Persistent Threats (APT) extensively, many of them without understanding what it is. For many of them every malware identified, every attempted breach is an APT, they try to the spread the FUD and exploit to their advantage. Let's look at what APT is and what's new about this. I have known APT since last one year or so from many of the proponents such as Mandiant and Richard Bejtlich, so, the term in itself is nothing new but has been getting lot of press lately due to the Google China incident.  


What is APT?  


APTs are specific threats where the threat agents are highly motivated and they make these highly advanced, targeted, and customized threats to infiltrate into corporate networks and gain persistent access. Their goal is to take sensitive information, which can be used for variety of tasks.  


A good example is a customized malware embedded in a PDF, which gets emailed in a typical social engineering attack to a specific individual who may have access to confidential information, including an organization's intellectual property. This malware is used to leak the important data out of the organization. The malware goes undetected by the organization's multiple defensive mechanisms, the traffic would also look legitimate since there is no sign of widespread attack or mass leak of information to a particular threat source. Many of the traditional defensive mechanisms fail in this case. Can user awareness be a good defense against these type of threats? Sure, to a certain extent. Since the exploit is so customized and the attacker has taken so much time and effort to look it legitimate, most, if not all users would fall for it.  


With the increased popularity of social networking, adversaries find it easier to do social engineering attacks. I am not talking about home users and home computers, the danger is in allowing corporate users to access various social networking sites. One typical attack involves a video link, which may look like came from a friend, who is visible in your social networking profile. Since it came from a known person, most of the users will click on the link and the video. The video asks the user to download a codec or video plug-in, which is nothing but a deadly malware and now, the user unknowingly allowed the presence of adversaries inside the corporate network.  


One of the APT Trojan is a new variant of the well known Zeus Trojan (there are conflicting notions as to whether APTs known to use Bots). It is spread via e-mails purporting to be from known organizations or known people and the system gets infected, when people click on it. The same Trojan is also sent as phishing message on Facebook and other social networking sites. Secureworks recently reported that Zeus Trojan is the one malware most utilized by criminals specializing in financial fraud.  


Adversaries also use many of zero-day exploits in gaining foothold on the corporate networks. These zero-day exploits goes undetected by the various tools employed by the organization. The fact that product vendors some times takes more than 6 months from the date they have known about the vulnerability to release patches, makes it easier for these adversaries.  


What are the characteristics of APT?  


Some of the characteristics that Peter Silberman from Mandiant mentioned in a recent presentation based on their own investigation into many of this type of threats were:
  • APT tries very hard to camouflage itself
  • Use Windows file names like svchost.exe
  • Usually not packed
  • Replicate system DLL resource sections
  • Small file sizes
  • Copies itself to folders in \windows\system32\somesubfolder\* and executes as svchost.exe
How can we identify and prevent APT?

The biggest problem in identifying this type of threats is organizational awareness. Many organizations are not aware of such adversaries, who are highly skilled and highly motivated. Another biggest problem is that organizations are not aware of the information these criminals are after and they are still in infancy trying to both identify and protect such information. Some of the ways to identify such threats are:

  • Memory analysis
  • Look for processes that should not be run from by a normal user
  • Look for processes that runs from a path other than %systemroot%\system32 \. These are the two characteristics that the newly released tool Malware Rating Index or MRI look for
  • Look for unknown executables both in %systemroot%\system32 and other directories
  • Look for registry changes
  • Look for unsigned DLLs that hooks on to regular processes
  • Detecting unusual outbound traffic using netflow type of network behavior analysis tools. Many of such tools cannot look at encrypted traffic, so it is very important that organizations, while performing network analysis, spend cycles on identifying what is "normal" at least for traffic leaving or entering organizational boundaries.
Some of the preventive measures include:
  • Awareness, - both user and organizational - goes a long way in identifying and preventing this type of threats.
  • Ensure that the defense-in-depth methodology and tools are working as expected. This includes your AV, HIPS, NIPS, log monitoring, vulnerability assessment, patching, etc
  • Actionable intelligence
Conclusion

These threats are real and getting increasingly sophisticated, tools and defensive mechanisms continue to play catch-up. As Rich Mogull put it, "There isn't a tool on the market, or even a collection of tools, that can eliminate these attacks". 

What we need is a coordinated effort between high ranking information security professionals of both corporations and law enforcement who can share the intelligence on real time basis. This way organizations can take these intelligence and build effective responses to such threats. We are already seeing that in the form bay area CISO meet-ups and some other community gatherings.

Organizations must also go back to the basics and start identifying the critical assets and build threat based or risk based preventive controls. 

References: 


Monday, March 22, 2010

India Income tax refund Phishing Email

An associate sent this information that he received on his Yahoo email account. As you can see, the web site takes you to an IP address in Russia and the hosted site asks for all kinds of personal information including the ATM PIN!

--------------------------------------------------------------------------------------------


This was the email in my yahoo mail

4_image001.gif

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
This was the website, I was directed to, after following the link
 2_image002.gif
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 In the Tax Refund Online Form – all fields were compulsory to be filled – like card number, bank account details, Credit card CVV number & ATM PIN etc
6_image003.gif

3_image004.gif

Saturday, March 6, 2010

Cyber Criminology conference in Chennai

Organized by DEPARTMENT OF CRIMINOLOGY UNIVERSITY OF MADRAS, Ernst & Young, Valiant Technologies, and Indian Society of Criminology
Dates : March 23rd and 24th , 2010
Location : Chennai



The aim of this conference is to establish a multidisciplinary forum for information sharing, team building and the development of innovative debate on cyber security, investigations, forensic techniques /technologies and legal concerns amongst investigators, criminologists, victimolgists, information assurance and network security professionals.


For more details check the below link


http://tabrezahmad.typepad.com/blog/2010/03/international-conference-on-cyber-criminology.html

Friday, March 5, 2010

More DEP

I wrote about DEP and its benefits in detail here.

A security researcher has released an exploit that uses a new technique to defeat DEP on Windows operating systems. For more details, visit his blog . He says in his blog that " I am releasing this because I feel it helps explain why ASLR+DEP are not a mitigation to put a lot of faith in, especially on x86 platforms."


Even though there is no available exploit for the current versions of IE or any other software which utilizes the ASLR + DEP features, it is good to know that organizations cannot use this alone as primary defense, rather as I mentioned in my post, it should be looked at as an another layer in the defense-in-depth.  

At the 2008 Black Hat conference, another method to get around DEP restriction using Java, ActiveX controls, and .NET was released. The presentation is available here.

Thursday, March 4, 2010

Cloud computing and Security - Updates

This is an update to my essay on Cloud Computing and Security and some of the recent changes



==>  Recently joined a new working group for cloud audit, it is the Cloud Audit Working Group


"The goal of Cloud Audit is to provide a common interface that allows Cloud providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their environments and allow authorized consumers of their services to do likewise via an open, extensible and secure API. CloudAudit is a volunteer cross-industry effort from the best minds and talent in Cloud, networking, security, audit, assurance, distributed application and system architecture backgrounds."


==> Learned from Jonathan Penn's blog about the Cloud Security challenge . This is for startups with innovative Cloud Security solutions. If you have innovative technology that addresses some of security or privacy issues surrounding cloud computing, I encourage you to apply, further details are below:
Entrants must have a technology that can be used to prevent, defend against, cope with or recover from terrorist incidents and other criminal acts in the 'cloud'. Examples of areas of interest are (but are not limited to): data protection, storage in the cloud, authentication, encrypted data transfer, data classification, understanding data locations, vulnerabilities from social networks and virtualization SW. Entrants cannot have more than GBP£3 million (~$4.5m) in annual revenues in 2009 (total annual sales revenue). Deadline for submission is March 15, and winners will be announced in April. Entry is free.  


The winner of the Cloud Security Challenge will receive: . $10,000 cash award. . Exclusive mentorship from an executive at CapGemini . Up to three finalists will be invited to test their technology in an HP Labs cloud test-bed


==> For India and Bangalore based readers, who wants to know more about Cloud Computing, there is Cloud Computing summit organized by Datacraft and involves talks from EMC, Cisco, and VMware. This is on March 9th.


For others, there is a Web based conference on Cloud Security on March 11th, the link is below
http://www.brighttalk.com/summit/cloudsecurity3

Forensics tools survey

Rob Lee from SANS sent this.


The Computer Forensics Tool Testing (CFTT) team at NIST and NW3C want to know what digital forensics tools you are using and what digital forensics tools you want NIST to test.  Please take a few minutes to complete the below linked survey and share with us your valuable feedback.
To learn more about CFTT and the NW3C visit http://www.cftt.nist.gov and http://www.nw3c.org.
This survey is very important to state and local law enforcement as it is your voice and input, directly to NIST, for testing of the forensic hardware and software you use every day. A NIST evaluation of the tools you use has many benefits to you, your agency, and the cases you work. The survey itself is all multiple choice with an option for you to add a tool if isn’t listed. There are only 9 questions in the survey and completing it should take less than 10 minutes.