Behind the Perimeter: Fighting Advanced Attackers

These are notes from a talk about defending against an APT attack. What can you do to prepare yourself and make it as hard as possible for the attacker? It covers using honeypots and detecting an APT that is already inside your perimeter. These articles are just notes and may be missing specific context or may already be outdated.

"The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable." Sun Tzu

Motivation

Target as defender: Make the attack as expensive as possible.

Challenges Today

  • Inefficient breach mitigation
  • High cost of attacker attribution
  • Information overload
  • Many discrete security products

Knowing the Enemy

This is maybe the best documented APT attack, from which you can learn the attack lifecycle: Operation Cobalt Kitty

Persistence mechanisms

  • Windows Scheduled Tasks
  • Windows Services
  • Windows Registry autorun keys (Run/RunOnce)
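All three locations can be exported per host and compared against a known-good baseline, so only new or changed entries reach an analyst. The following is an added example for these notes, not code from the talk: the snapshot format (a list of dicts with type/name/command) and every entry in it are constructed, and the "suspicious" heuristics (encoded PowerShell, download-and-eval, several interpreters chained on one line, binaries under user-writable paths) are the author of this example's choice. A real collector would produce the snapshot with `schtasks /query /fo csv /v`, `sc qc` or Get-Service, and `reg query` of the Run/RunOnce keys.

```python
"""Diff a snapshot of Windows autorun locations (scheduled tasks, services,
Registry Run keys) against a known-good baseline and flag suspicious entries.

Added illustration, not code from the talk.  The snapshot format and every
entry below are constructed.
"""
import re

# Interpreters that attackers chain: "script calls script calls script"
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript",
                "mshta", "rundll32", "regsvr32")
ENCODED_FLAG = re.compile(r"-(e|ec|en|enc|encodedcommand)\b", re.IGNORECASE)
DOWNLOAD_EVAL = re.compile(r"\biex\b|invoke-expression|downloadstring", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|public)\\", re.IGNORECASE)


def suspicious_reasons(command):
    """Return the reasons a persistence command line looks attacker-like."""
    lower = command.lower()
    reasons = []
    if ENCODED_FLAG.search(command):
        reasons.append("encoded PowerShell")
    if DOWNLOAD_EVAL.search(command):
        reasons.append("downloads or evals script")
    if len([i for i in INTERPRETERS if i in lower]) >= 2:
        reasons.append("layered scripting")
    if USER_WRITABLE.search(command):
        reasons.append("runs from user-writable path")
    return reasons


def diff_autoruns(baseline, current):
    """Report entries that are new or whose command changed since the baseline."""
    known = {(e["type"], e["name"]): e["command"] for e in baseline}
    findings = []
    for entry in current:
        key = (entry["type"], entry["name"])
        if key not in known:
            change = "new"
        elif known[key] != entry["command"]:
            change = "changed"
        else:
            continue  # unchanged since baseline: not worth an analyst's time
        findings.append({"type": entry["type"], "name": entry["name"],
                         "change": change, "command": entry["command"],
                         "reasons": suspicious_reasons(entry["command"])})
    return findings


# Constructed sample: a clean baseline and a later snapshot of the same host
BASELINE = [
    {"type": "task", "name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r"%windir%\system32\defrag.exe -c -h -o -$"},
    {"type": "service", "name": "Spooler",
     "command": r"C:\Windows\System32\spoolsv.exe"},
    {"type": "run", "name": "OneDrive",
     "command": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "run", "name": "SecurityHealth",
     "command": r"%windir%\system32\SecurityHealthSystray.exe"},
]
CURRENT = [
    BASELINE[0], BASELINE[1], BASELINE[2],
    {"type": "run", "name": "SecurityHealth",                # hijacked value
     "command": r'wscript.exe //B "C:\Users\Public\sh.vbs"'},
    {"type": "task", "name": r"\GoogleUpdateTaskMachineUA",  # look-alike task name
     "command": "cmd.exe /c powershell -w hidden -enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0AA=="},
    {"type": "service", "name": "WinHelpSvc",                # brand-new service
     "command": r"C:\ProgramData\Update\svchost.exe"},
]

if __name__ == "__main__":
    for f in diff_autoruns(BASELINE, CURRENT):
        print(f"[{f['change']:7}] {f['type']}/{f['name']}: {f['command']}")
        print("          reasons:", ", ".join(f["reasons"]) or "none")
```

Note that the OneDrive entry lives under AppData and would trip the path heuristic on its own; because it is unchanged since the baseline it is never reported, which is the whole point of baselining before alerting.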

Credential stealing

Mimikatz run from PowerShell, in memory only! No files are left on disk to be detected.

Hint: never log on to a client with an admin account (for support or similar), because the credentials are then cached on the client itself and can be read out with Mimikatz.

Advanced Attack Commonalities

  • Sandboxing & analysis evasion (90% of malware doesn't do this!)
  • Misuse of legitimate resources
  • Low forensic footprint
  • Layers of scripting (script calls script calls script)
  • Steganography
  • Stable C&C

Strategic Considerations

What can we do to raise the cost for the attacker?

Hinder In-Advance Attack Preparation

They always prepare their tooling in advance so that it will work at the target.

Traps Everywhere

Canary NTLM hashes are placed in memory, waiting to be picked up by Mimikatz and the like. Attackers are optimistic and try whatever looks hackable: badly configured FTP servers, logins they come across, and so on. A trap only works if it gets spotted, so place it where it can and will be found.

Baselining is important to see anomalies and unusual behaviour, so that you can trigger on specific thresholds in your environment.
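Two of the points above (never log on to clients with admin accounts, and canary credentials planted in memory) come down to the same feed: Windows logon events. The following is an added example for these notes, not code from the talk. The account names, host names, tiering and the event records are constructed; the rules are this example's own. One common way to plant the canary is `runas /netonly` with a decoy account on a host you expect the attacker to reach, so that LSASS holds credentials nobody ever uses legitimately; any authentication attempt with that account, anywhere, is then proof of credential theft and the source IP tells you where the attacker is operating from.

```python
"""Triage Windows logon events for two things these notes call out:
 1. any use of a canary account whose NTLM hash was planted in memory
    (picked up by Mimikatz and then replayed somewhere), and
 2. privileged accounts logging on interactively to workstations, where
    the credentials get cached and become readable with Mimikatz.

Added illustration, not code from the talk.  Account names, host names and
the event records are constructed; a real feed would come from the Security
log (4624/4625/4768/4771/4776) via a SIEM or Windows Event Forwarding.
"""

CANARY_ACCOUNTS = {"svc_sqlbackup_old"}          # decoys, never used legitimately
PRIVILEGED_ACCOUNTS = {"da_alice", "da_bob"}      # e.g. Domain Admins members
WORKSTATIONS = {"WS-0147", "WS-0212"}             # hosts where admins must not log on
# Logon types that leave reusable credentials in LSASS on the target host:
# 2 = Interactive, 10 = RemoteInteractive (RDP), 11 = CachedInteractive
CACHING_LOGON_TYPES = {2, 10, 11}


def triage(events):
    """Return alerts for canary use and for admin logons that cache credentials."""
    alerts = []
    for ev in events:
        account = ev["account"].lower()
        if account in CANARY_ACCOUNTS:
            # Success or failure does not matter: the decoy exists only in
            # memory, so any attempt at all means it was stolen from there.
            alerts.append({"severity": "critical", "rule": "canary-credential-used",
                           "account": account, "host": ev["host"],
                           "source_ip": ev.get("source_ip"), "event_id": ev["event_id"]})
        elif (account in PRIVILEGED_ACCOUNTS and ev["event_id"] == 4624
              and ev.get("logon_type") in CACHING_LOGON_TYPES
              and ev["host"] in WORKSTATIONS):
            alerts.append({"severity": "high", "rule": "admin-logon-on-workstation",
                           "account": account, "host": ev["host"],
                           "source_ip": ev.get("source_ip"), "event_id": ev["event_id"]})
    return alerts


def canary_sources(alerts):
    """IPs from which the stolen canary was replayed: where the attacker sits."""
    return {a["source_ip"] for a in alerts
            if a["rule"] == "canary-credential-used" and a["source_ip"]}


# Constructed sample events (Security log fields reduced to what the rules need)
EVENTS = [
    {"event_id": 4624, "account": "alice", "host": "WS-0147", "logon_type": 2,
     "source_ip": "127.0.0.1"},                     # normal user at the console
    {"event_id": 4624, "account": "da_alice", "host": "WS-0147", "logon_type": 10,
     "source_ip": "10.0.9.4"},                      # RDP with a DA account: cached!
    {"event_id": 4624, "account": "da_alice", "host": "DC01", "logon_type": 10,
     "source_ip": "10.0.9.4"},                      # tier-0 host: allowed
    {"event_id": 4624, "account": "da_bob", "host": "WS-0212", "logon_type": 3,
     "source_ip": "10.0.9.5"},                      # network logon: nothing cached
    {"event_id": 4625, "account": "svc_sqlbackup_old", "host": "SRV-FILE01",
     "logon_type": 3, "source_ip": "10.0.5.21"},   # canary replayed over SMB, failed
    {"event_id": 4768, "account": "svc_sqlbackup_old", "host": "DC01",
     "source_ip": "10.0.5.21"},                     # canary used for a TGT request
]

if __name__ == "__main__":
    found = triage(EVENTS)
    for a in found:
        print(f"{a['severity']:8} {a['rule']:28} {a['account']}@{a['host']} "
              f"from {a['source_ip']}")
    print("attacker foothold(s):", canary_sources(found))
```

The network logon (type 3) by da_bob is deliberately not flagged: it does not leave reusable credentials on the workstation, which is exactly the distinction the hint above is about.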

Deploy Generic C&C Detectors

  • Advanced attackers don't use generated domains. Their domains are stable, not detected, carry traffic and have been running for a long time in advance.
  • They don't use botnets; they want to hide in the bulk of normal traffic.
  • Don't expect to detect them by looking into the content of the traffic.
  • Malleable C2 can fake content to look normal and plant legitimate-looking data before and after the generated data.

Detect the entire infrastructure:

  • Traffic HTTP -> domains -> IPs -> Amazon
  • Traffic HTTPS -> domains -> IPs -> Amazon
  • Maybe multiple domains point to the same IPs at one CSP/ISP -> NetFlow data!
  • If it's TLS, check the other parameters of what is coming in: initial packet, timing, certificate and so on.
  • If they were sure that their C&C is not detectable, they would hardcode its IPs into the malware.
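Two of these checks can be run offline over passive DNS and NetFlow without ever looking at payload content: cluster the domains that resolve to the same IP, and look for connections whose timing is too regular to be a human. The following is an added example for these notes, not code from the talk. The DNS answers, flow records, IP addresses (RFC 5737 documentation ranges rather than real cloud addresses) and the thresholds are constructed; the TLS-level checks mentioned above (first packet, certificate) are not covered here.

```python
"""Score C&C infrastructure from passive DNS and NetFlow rather than payload
content: (1) cluster domains that resolve to the same IP, and (2) find
beacon-like connections, i.e. many flows from one host to one destination
with a regular interval.

Added illustration, not code from the talk.  The DNS answers, flow records,
IP addresses and thresholds are constructed; feed real records from your
resolver logs and flow collector instead.
"""
import statistics
from collections import defaultdict


def cluster_by_ip(dns_answers):
    """Map each IP to the domains that resolved to it; keep IPs shared by >1 domain."""
    by_ip = defaultdict(set)
    for domain, ip in dns_answers:
        by_ip[ip].add(domain)
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) > 1}


def beacon_candidates(flows, min_flows=5, max_cv=0.2):
    """Flag (src, dst, dport) triples whose inter-arrival times are suspiciously regular.

    cv = stdev/mean of the gaps between flows.  A sleep-with-small-jitter beacon
    has a cv near 0; a person returning to the same site does not.
    """
    series = defaultdict(list)
    for f in flows:
        series[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    found = []
    for (src, dst, dport), stamps in series.items():
        if len(stamps) < min_flows:
            continue  # too few observations to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            found.append({"src": src, "dst": dst, "dport": dport,
                          "count": len(stamps), "period": mean, "cv": cv})
    return found


def enrich(beacons, clusters):
    """Attach the whole domain cluster to each beacon destination IP."""
    for b in beacons:
        b["domains"] = clusters.get(b["dst"], [])
    return beacons


# Constructed sample data
DNS_ANSWERS = [                                     # (queried name, resolved IP)
    ("cdn-assets-sync.com", "192.0.2.10"),
    ("update-metrics.net", "192.0.2.10"),           # second name on the same host
    ("www.example.org", "198.51.100.7"),
]
FLOWS = (
    # 10.0.5.21 -> 192.0.2.10:443 roughly every 300 s: sleep 300 with small jitter
    [{"src": "10.0.5.21", "dst": "192.0.2.10", "dport": 443, "ts": t}
     for t in (0, 300, 598, 902, 1201, 1499, 1800, 2102, 2399, 2700)]
    # the same host browsing a legitimate site at irregular times
    + [{"src": "10.0.5.21", "dst": "198.51.100.7", "dport": 443, "ts": t}
       for t in (13, 40, 410, 2200, 2250)]
    # another host touched the C&C IP twice: too few flows to judge
    + [{"src": "10.0.7.8", "dst": "192.0.2.10", "dport": 443, "ts": t}
       for t in (50, 350)]
)

if __name__ == "__main__":
    clusters = cluster_by_ip(DNS_ANSWERS)
    for b in enrich(beacon_candidates(FLOWS), clusters):
        print(f"{b['src']} -> {b['dst']}:{b['dport']} every ~{b['period']:.0f}s "
              f"(cv={b['cv']:.3f}, n={b['count']}) domains={b['domains']}")
```

Because the result is keyed on the destination IP, the alert carries every domain that fronts it, so blocking or hunting covers the whole cluster and not just the one name that happened to beacon first.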

Stream Endpoint and Network Level Traces

Because:

  • Coding errors happen
  • Mistakes happen
  • Detection due to definition updates happens

Do:

  • Collect endpoint and network activity traces and have them at hand
  • The attacker will wipe the logs -> NetFlow comes in very handy to detect things anyway.

Use a Vendor with a Large Threat Research Team

Because you need researchers!

  • More detectors
  • Complex malware
  • Bugs, Cost, Risk increase :)

Attackers always use anti-sandboxing tricks. If everything is virtualized anyway, make your sandbox (where you run malware to find it) look like all the other servers, because then they have to fingerprint it to see the differences!

Breach detection - practically

  • Breach detection
  • Establishing a priority rating
  • First look at the device trajectory

Important for reporting / alarming: Don't flood!

Putting it all together

If possible, use automatic blocking, with Cisco ISE for example, or other integrations.

Get a list of all browsers and their extensions and add-ons and check them regularly, because the browser sees everything in plaintext and a malicious extension sees the same and can steal credentials (saved admin logins, for example!).
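Such an inventory does not need the browser's cooperation: Chrome and Chromium keep each installed extension's manifest on disk under the profile's Extensions directory as <id>/<version>/manifest.json. The following is an added example for these notes, not code from the talk. The allowlist, the set of permissions treated as risky and the three sample extensions are constructed; point `audit()` at a real profile directory (on Windows %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions) to run it for real. Localised names of the form `__MSG_x__` are left unresolved.

```python
"""Inventory Chrome/Chromium extensions from their on-disk manifests and rate
each one as allowlisted, needs review, or block.  Malicious extensions see
page content and form data in plaintext, so broad host access combined with
cookie/request permissions deserves a look.

Added illustration, not code from the talk.  The allowlist, the risky
permission set and the sample extensions are constructed.
"""
import json
import os
import tempfile

RISKY_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "debugger",
                     "nativeMessaging", "clipboardRead", "tabs", "proxy"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def inventory(root):
    """Yield one record per installed extension version found under root."""
    for ext_id in sorted(os.listdir(root)):
        ext_dir = os.path.join(root, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        for version in sorted(os.listdir(ext_dir)):
            path = os.path.join(ext_dir, version, "manifest.json")
            if not os.path.isfile(path):
                continue
            with open(path, encoding="utf-8") as fh:
                m = json.load(fh)
            perms = set(m.get("permissions", []))
            # Manifest v2 lists host patterns inside "permissions";
            # manifest v3 moves them to "host_permissions".  Handle both.
            hosts = set(m.get("host_permissions", [])) | {
                p for p in perms if "://" in p or p == "<all_urls>"}
            yield {"id": ext_id, "name": m.get("name", "?"),
                   "version": m.get("version", version),
                   "permissions": perms - hosts, "hosts": hosts}


def rate(ext, allowlist):
    """Return (verdict, reasons) for one extension record."""
    if ext["id"] in allowlist:
        return "ok", []
    reasons = []
    if ext["hosts"] & BROAD_HOSTS:
        reasons.append("reads every site")
    risky = sorted(ext["permissions"] & RISKY_PERMISSIONS)
    if risky:
        reasons.append("risky permissions: " + ", ".join(risky))
    return ("block" if reasons else "review"), reasons


def audit(root, allowlist):
    """Inventory plus verdict for every extension under root."""
    return [{"id": e["id"], "name": e["name"], "verdict": v, "reasons": r}
            for e in inventory(root) for v, r in [rate(e, allowlist)]]


# Constructed extension ids (Chrome ids are 32 letters a-p) and manifests
SAMPLE_MANIFESTS = {
    "corpssohelperaaaaaaaaaaaaaaaaaaa": {
        "manifest_version": 3, "name": "Corp SSO Helper", "version": "1.2.0",
        "permissions": ["storage"], "host_permissions": ["https://sso.corp.example/*"]},
    "freepdftoolsbbbbbbbbbbbbbbbbbbbb": {
        "manifest_version": 2, "name": "Free PDF Tools", "version": "4.0.1",
        "permissions": ["tabs", "cookies", "webRequest", "<all_urls>"]},
    "weathernowcccccccccccccccccccccc": {
        "manifest_version": 3, "name": "Weather Now", "version": "0.9",
        "permissions": ["storage", "alarms"],
        "host_permissions": ["https://api.weather.example/*"]},
}
ALLOWLIST = {"corpssohelperaaaaaaaaaaaaaaaaaaa"}


def build_sample(root):
    """Write the constructed manifests in Chrome's <id>/<version>/manifest.json layout."""
    for ext_id, manifest in SAMPLE_MANIFESTS.items():
        d = os.path.join(root, ext_id, manifest["version"] + "_0")
        os.makedirs(d)
        with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


def demo():
    """Run the audit against the constructed sample in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample(tmp), ALLOWLIST)


if __name__ == "__main__":
    for r in demo():
        print(f"{r['verdict']:6} {r['name']:16} {r['id']}  {'; '.join(r['reasons'])}")
```

Run the same audit from a scheduled job on every client and diff the output against the previous run: a newly appearing extension with a "block" verdict is the signal, the steady-state list is just noise.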

Wrap-up

  • Know your enemy (who, motivation etc., not only which vulnerability they used!)
  • Know how to fight them (how would you stay stealthy and hidden?! This is where the cost can go up!)
  • Understand the process from top to bottom
  • See it in action - breach mitigated within hours