Advance Persistent Threat Hacking (ATP) Introduction PDF

Summary

This document provides an introduction to Advance Persistent Threat Hacking (ATP). It explores the different types of attackers and their motivations, as well as the types of vulnerabilities they exploit. It also covers the current state of cyber security, and how organizations can defend themselves.

Full Transcript

ADVANCE
PERSISTENT
THREAT HACKING
(ATP)
Introduction – Part One
  When you decided to use the Internet, you joined a
war
 In the past a bank has to worry about physical
security threats and tangible people.
 Nowadays, banks are being attacked by intruders
from countries with unfamiliar names who utilize
FACTS attacks that exist only digitally
 Countries laws are struggling to deal with constant
barrage of foreign attackers
 Internet makes it possible for an attacker to appear to
originate from any country he wishes
  In the modern digital era, everyone connected to the
internet is under constant attack for both businesses
and home users
 Most times, the people compromised are just random
victims of criminals who wants to steal as much data
as possible, package it up, and sell it to the highest
bidder
FACTS  Your computer resources are still valuable to an
attacker
 A compromised computer represent another
processor to attempt to crack passwords, send spam
e-mail, or another host to help knock down a target in
a distributed denial of service (DDoS) attack.
  The world has become a playground for anyone who
understands technology and is willing to bend the
rules
 We live in an age where anything is possible

FACTS  In Chapter 2, you will see real-world examples
demonstrating some interesting and enlightening
examples
 We are reminded on an almost daily basis of the
struggles of corporations by headlines alerting us to
the latest breach
 Major infrastructure have been called “indefensible”
  Want to know where your celebrity crush will be this
weekend? I will just hack her e-mail account and meet
here there
 Want to know what product your competitors are
developing for next year? I will just hack their network
and check out the blueprints.
 Did someone make you angry? I will just hack their
computer and donate every cent they have to charity
FACTS  Can not afford to get into the hottest clubs? I will just
hack them and add myself to the VIP list.

 This is only the tip of the iceberg. In the digital
dimension, the only limits are from your own
imagination
 The threats is much more real than you think, and it is
only getting worse.
  The cold, hard truth is that at this very moment,
regardless of the defense you have in place, I can get
Defining the access to any and all of your private data
 Motives + Capabilities = Threat Class
Threat  Threat Class + History = Threat
  Threat Motives
 Hackers Motivated by curiosity & intellectual
challenges
 Cyber criminals Motivated to make quick and easy
money through the use of cyber-tactics, primarily
on the Internet (e.g. scams through emails
 Hacktivists Motivated by a political agenda: hackers for a
Attacker cause
 Hacking groups Motivated to gain fame and
Motives recognition and to push agenda
 Nations-states Motivated by national security and
political/national agenda
 Organized crime Motivated to make money by utilizing
technologically gifted individuals
 Techno –criminals Motivated to make money through the use
of technology, think of them as technologically
enabled con men9 (e.g. credit card skimmers)
  Unsophisticated Threats (UT)
 Unsophisticated Persistent Threat (UPS)
 Smart Threat (ST)
 Smart Persistent Threat (SPT)
Threat  Advanced Threat (AT)
Capabilities  Advanced Persistent Threat (APT)

 APT has the most advanced skill set of all
  UT can focus on specific threats. They use point and
click to execute a specific attach – and require
virtually no skill.
UT & UPT  UPT will use same methods and have virtually the
same set as a UT, but will focus more their efforts on
a specific target
  ST represent a class of attackers with good
technological skills, and if the attack does not work
they move on to a different target.

ST & SPT  SPT represent a class of attackers with good
technological skills, and they use a wide range of
attack vectors to choose from. They will strategically
choose the method that works best for the target
organization.
  AT attackers have:
 Big picture/strategic thinker
 Systematic/military approach to attacks
 Preference for anonymity
 Selection of attack from larger pool

AT & APT  APT is a threat with advanced capabilities that
focuses on compromising a specific target. The
attacker will persist against specific target of interest
until he or she achieve the goal.
 The two most likely attackers are Nation States and
Organized Crime.
  Stealing intellectual property (corporate espionage)
 Stealing private data (insider trading, blackmail,
espionage)
Goals of  Stealing money (electronically transferring funds,
APT stealing ATM, credentials, etc.,)
 Stealing government secrets (spying, espionage,
etc.,)
 Political or activist motives
  Motives + Capabilities = Threat Class
Hackers + UT Unsophisticated Hacker
Nation States + APT Advance Persistent Nation
Threat Class Nation States + UT Unsophisticated Nation
Techno-criminals + ST Smart Techno-
criminals
Introduction
: Part Two
  The APT hacker is a single individual with an
advanced skill set and methodology, which
gives them the ability to target and
compromise any organization they choose,
APT Hacker: gaining access to any desired assets.

The New  APT hackers do exist within groups and will
continue to be recruited by nations states and
Black organized crime.
 Likewise it is completely feasible that a
collective group of smart hackers could prove
to be just as effective as a single APT hacker.
  No organization either small or big is safe from
APT hacker
 Every organization such as government,
military agencies, defense contractors, banks,
financial firms, utility providers, etc., can be
Targeted compromised.
 Small organization with small budget are most
Organizatio vulnerable.
ns  Hackers can stay undetected within the small
organization for a long time.
  Seriously? Can any organization be hacked?
YES
 Any? Even the most secure environment? YES
 But seriously any organization, regardless of
industry? YES
Construct of  And it does not matter what defense they have
Our Demise in place? YES

 Of course, the defense matter. It just may make
it more difficult, but not impossible
  The Internet and modern digital technology in
general have not been around for a long time
 1993 is the official year the World Wide Web
was born
The Impact  Laws were catching up and technology is
of the Youth changing and laws are slow to develop
 Defenses against cyber attacks are not
catching up with advanced hacking techniques,
and this is a major consideration of cyber
security
  The truth in this technological war is that you
simply can not afford to prevent a successful
attack from an APT hacker, actually it is
impossible
The  The mathematics behind risk management
Economics simply breaks apart when accounting for an
APT hacker
of  It is too expensive for organization to defend
(In)security against an APT hacker
 Current protection technologies although very
expensive can not prevent a successful attack
coming from APT
  Many people including experts in IT confuse
Security and Risk Management
 Businesses must perform risk management to
minimize the risk of doing business to
acceptable level
 Processes like patch management, vulnerability
management, system hardening, and incident
Security vs. response are no brainers for reducing risk, but
Risk essentially a business can not remove all the
risk from technology
Manageme  Technology is an essential part of every
nt business today
 Businesses simply can not spend enough money
to defend against an APT hackers in an
effective or foolproof way.
 A business may remove certain attack paths
and vulnerabilities but will never be able to
remove all the attack vectors that an APT
hacker can use
  The fact is that the risks are greatly reduced for
cyber-criminals compared to traditional
criminals
Inverted  The money made compared to the time
invested is far greater for cyber criminals
Risk and  A bank cyber attacker using the internet is
ROI hardly at physical risk, captured, or even found
 Then the fact is that the return for time
invested, as well as the risks involved are
greatly in the favor of a cyber criminal.
  A very clear advantage that an attacker has
against defenders lies in the sheer number of
items a defender needs to juggle.
 A defender must fix for at least every
vulnerability that an attacker can use to
compromise a system
 An attacker needs to find only one exploitable
A Number vulnerability or path to win the battle.
 Businesses must concern itself by many factors
Game such as
 Patch management
 Vulnerability management
 Server hardening
 Security awareness training

 But APT hacker is only concerned with the one
ball that is been dropped
  You maybe SECURE today but in 24 hours, a
new vulnerability could manifest itself that
makes you very vulnerable and an easy target
to compromise
 A patch might be found to fix the vulnerability,
but in a short time another vulnerability is
Time is Not found, and thus your system becomes insecure
again
your Friend  Hackers will find the gap between a fix batch
and new vulnerability and attack
 The attacker always search for new
vulnerability in the system and to look for zero-
day vulnerabilities

  Lack of concern toward security
 Lack of patching the vulnerability and updating
their systems
Psychology  Lack of awareness and understanding the risk
of lack of security
of  Weakness of installing proper security methods
(In)security and updating firewalls and anti-viruses

 Simply do not care or pay attention of the risk
of cyber attacks
  This means the cause and effect
 Few people understand the relationship
between computer security and for example
credit card identity theft.
 Most people do not understand why and how
they were compromised in the first place,
because they do not understand the technology
Ambiguous well

Casualty  As an example, if a user clicks on an email link
and the computer is compromised, by the time
they find out, or understand what happened, it
is tool late
 The damage is done and by the time he or she
finds out, which is too late, the relationship
between cause and effect becomes ambiguous
  Defensive thinking appear to have a narrow
and traditional process for handling security
 Attackers take much more liberal and outside
the box approach to problems
Offensive  The defensive personnel are less intelligent
Thinking vs than offensive attackers

Defensive  Defensive is more reactionary.
 Attackers will always have the upper hand
Thinking because they can innovate in a fundamentally
different and fast way
 Many organizations do not think like attackers
and this is the problem
  Companies create hardware and software as
fast as possible to make money and increase
market share, and beat their competitors
 Current and future technologies where society
The Big is depend on became the liability of today, and
there are risks associated with them
Picture  The power grid, emergency response systems,
payment and banking systems are virtually
every part of our lives. They rely on a complex
network of computer systems that can be
vulnerable for cyber attacks
  Organizations are large and not mobile,
opposite to hackers who are mobile and hard to
get
 APT attackers utilize the guerrilla warfare
tactics which requires mobility and not
stationary
Guerrilla  Anonymous attackers always have the upper
hand
Warfare  Attackers can innovate use exploits that
defenders are unaware of.
 Defenders can then be slow to discover,
analyze, and come up with corrective measures
for these exploit
  The more complex the system the more
vulnerabilities are there
 Microsoft Windows 7 and without any extra
software installed, has about 50 millions of
code. This means there are roughly 50,000
The vulnerabilities in Windows, this what an
Vulnerability attacker needs to exploit, that is enough even
with less percentage
of  Thin of all the systems in place beside
Complexity operating system such as banking system,
power and utility systems, network system.
They are built in the same way, with similar
vulnerabilities, and then they are all networked
together
  Exploits involve:
 Stack overflows
 Heap overflows
 SQL injection
Exploitless  Cross side scripting (XSS)

Exploits  File format bugs

 They are all part of APT hacker tool kit
 This in addition to many other tools
  Turning software into offensive tools that can
be use by people with little to no understanding
of the underlying technology. Like a gun, you
do not need to understand how it is made, but
you know how to use
 They are developed by commercial and
The professional audiences

Weaponizin  They developed specifically for criminals such
as rootkit development kits, web exploit packs,
g of botnet for rent, zero-day exploits and more

Software  They require minimal to no programming
knowledge
 Viruses and rootkit to frameworks allow
attackers to create a customized virus with
minimal time and effort using only the
functionality the attacker requires. Some of the
kits even include specialized delivery methods.