JWP-Binde-McRee-OConnor

More documents

Recommendations

Info

Assessing Outbound Traffic to Uncover Advanced Persistent Threat Advanced In order to gain initial access to the victim’s networks, the attackers started with a targeted spear phishing attack against the company. Several employees of the victim companies received an email that appeared to be from someone they trusted. However, the email contained a link to a Taiwanese website that hosted malicious JavaScript. The malware, in turn, exploited an Internet Explorer vulnerability. The exploit triggers when Internet Explorer attempts to access memory that has been partially freed. Below is a program fragment from the Aurora attack. The reason for showing this fragment is to depict the difficulty in discovering this exploit with the lack of a signature or knowledge of the vulnerability. function intiliaize() { obj = new Array(); event_obj = null; for (var i = 0; i < 200; i++ ) obj[i] = document.createElement(“COMMENT”); } function ev1(evt) { event_obj = document.createEventObject(evt); document.getElementById(“sp1”).innerHTML=””; window.setInternal(ev2,1); } function ev2() { var data,tmp; data = “”; tmp = unescape(“%u0a0a%u0a0a”); for (var i = 0; i < 4; i++) data += tmp; for (i = 0; i < obj.length; i++) { obj[i].data = data; } event_obj.srcElement; } Program 1: Program Fragment from Aurora Attack Although previously known at Microsoft, the vulnerability was unseen ―in the wild‖---in other words, there was no indication that anyone else knew of the vulnerability--- and no mechanism was in place to detect the attack. Once exploited, the victim system(s) connected to series of Page 5
Assessing Outbound Traffic to Uncover Advanced Persistent Threat command and control servers using TCP port 443, commonly associated with encrypted traffic and thus difficult to inspect at the network perimeter. The ability to discover novel vulnerabilities and use them in a targeted attack characterizes this classified as advanced. Persistent After gaining a foothold in the victim companies, the attackers employed the exploited workstations to compromise other internal resources. Use of a compromised system to attack other systems on the same network, bypassing firewalls and other restrictions, is termed pivoting. [Exploit (computer security), 2011] Daly characterizes pivoting as the lateral movement phase of the attack. [Daly, 2009]. In Operation Aurora, the attackers then targeted the SCM systems. The McAfee analysis of Operation Aurora points out that SCM systems are often insecure. [McAfee, 2010]. The attackers then exfiltrated source code to the attacker’s command and control servers--- servers with innocuous-sounding domain names such as homelinux.org, ourhobby.com and servebeer.com. [Symantec, 2010] In January, 2010, Google was the first to publicly disclose the loss of intellectual proprietary. [Operation Aurora, 2011]. The attackers accomplished a specific mission meeting the persistence criteria of APT. Threat The attacks traced back to two Chinese schools, Shanghai Jiaotong University and the Lanxiang Vocational School. Jiatong hosts one of the top computer science programs in China. In 2010, it beat Stanford University in an international programming competition sponsored by IBM. Lanxiang is a large vocational school established with military support, training some computer scientists for the military. The school is operated by a company with close ties to Baidu, a strong Chinese competitor to Google. Sources within the schools denied organizational involvement in the attacks. [Markoff, 2010] The adversaries, whatever their actual identities, demonstrated high motivation, were adequately funded, and were part of a structured organization. Not only did they have the intent to gain access to sensitive information; they had the capability. [Command Five Pty Ltd, 2011] RSA Breach In March 2011, RSA acknowledged a successful attack against the RSA network. In an open letter addressed to customers, Art Coviella, the Executive Chairman, declared that the attack was APT. [Coviella, 2011] This attack further illustrates the key components of an APT attack and some of the methods that could be used to identify a similar attack. Target The RSA attack began with a successful phishing campaign. This is a common technique for introducing malware into the target network. In this campaign, the attackers targeted two small Page 6
Page 1 and 2: SANS Technology Institute Assessing
Page 3 and 4: Assessing Outbound Traffic to Uncov
Page 5: Assessing Outbound Traffic to Uncov
Page 35: Assessing Outbound Traffic to Uncov

JWP-Binde-McRee-OConnor

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?