JWP-Binde-McRee-OConnor
Assessing Outbound Traffic to Uncover Advanced Persistent Threat

Table of Contents

Executive Summary .......... 2
Introduction .......... 3
  Operation Aurora .......... 4
  RSA Breach .......... 6
APT Detection .......... 8
  Rule Sets .......... 9
  Statistical and Correlation Methods .......... 14
  Manual Approaches .......... 20
  Automatic Blocking of Data Exfiltration .......... 24
Conclusions .......... 28
Appendices .......... 29
  Appendix A - dnsWatch.py .......... 29
  Appendix B - trackByGeo.py .......... 30
References .......... 31

Table of Figures

Figure 1: Anatomy of the Operation Aurora Attack .......... 4
Figure 2: PI-RAT (Poison Ivy Remote Access Toolkit) .......... 7
Figure 3: Replicating the Operation Aurora Attack in Metasploit .......... 10
Figure 4: Fast Flux Traffic .......... 14
Figure 5: SIAPT Splunk app .......... 16
Figure 6: Splunk alert conditions .......... 18
Figure 7: Snort alert noted via Sguil .......... 19
Figure 8: Possible APT correlation .......... 20
Figure 9: Sguil view of pivot host's scan probe .......... 21
Figure 10: Squert/AfterGlow visualization of pivot host's scan probe .......... 22
Figure 11: LizaMoon script injection detection .......... 23
Figure 12: Perimeter Protection By Allowing Only Port 443 Outbound from Proxy .......... 27
Page 1