RSA Conference 2015, Singapore, 22-24 July, Marina Bay Sands
Session ID: SPO-F04

Outgunned in Cyberspace
Craig Hall, Managed Defense Analyst, FireEye
CHANGE: Challenge today's security thinking

JPMorgan Chase Breach
JP Morgan cyber security update post breach: "By the end of 2014 we will have spent more than $250 million annually with approximately 1,000 people focused on the effort. This effort will continue to grow exponentially over the years."

Bank of America Breach
Headline: "Moynihan: BofA Cybersecurity Unit Has Blank Check"

All you need is one weak

Nearly every company is

Adaptive Defense
- TECHNOLOGY: identifies known, unknown and non-malware based threats; integrated to protect across all major attack vectors
- INTELLIGENCE: intel and malware experts; threat actor profiles; internal risk profiles
- EXPERTISE: go-to responders for security incidents

Do you know your enemy?
In boxing, a boxer studies his opponent's moves prior to the fight so he knows exactly how to defend himself against the opponent and outmaneuver him before he steps into the ring, which increases his chances of victory.

Threat Intelligence
- APT is a 'WHO' and not a 'WHAT'
- THREAT INTELLIGENCE should provide information on THREAT ACTORS

Theoretical Case Study

Two Utilities
TELCO-A: signature-based TECHNOLOGY; in-house EXPERTISE; no malware / threat actor INTELLIGENCE
TELCO-B: FireEye TECHNOLOGY; FireEye EXPERTISE; FireEye INTELLIGENCE

Traditional In-House Approach (TELCO-A)
TECHNOLOGY: AntiSpam and AV filtering
- Receives 5 million emails a day
- AV updates slow
- Sometimes AV will only catch malware AFTER infection. When this happens:
  - Machine is reimaged
  - Possibly send malware sample to their AV vendor

FireEye Intel-Based Approach (TELCO-B)
TECHNOLOGY: 1. AntiSpam and AV filtering; 2. Malware detonation (FireEye)
- Receives 5 million emails a day
- FireEye TECHNOLOGY is not signature-based and finds threats faster than signatures, reducing time to detect
- FireEye Technology finds the unknown threat: Invoice.xls

Unknown Threat: Invoice.xls
Target: Telco-B. A threat trying to appear legitimate:
- No signature
- Bypassed existing defenses
FireEye TECHNOLOGY reveals:
1. Invoice.xls is designed to attack Excel 2010 SP2
2. Excel 2010 SP2 is the version Telco-B has standardized on
3. Malware phones home to ServiceABC.skypetw.com
4. ServiceABC is the name of a VALID internal service in the Telco-B network

Who Is Attacking?
FireEye INTELLIGENCE tells us:
- skypetw.com matches to known threat group APT5
- APT5 targets telecom companies
- Is looking for intellectual property regarding satellite communications
- Known TTPs (Tactics, Techniques and Procedures)

APT5 Tools, Techniques and Procedures
1. Establish a beachhead using malware
2. Move laterally using standard networking tools (no malware)
3. Find desired intellectual property
4. Exfiltrate stolen data using password-protected zip files and FTP

Incident Scope
- APT5 is behind the attack
- Looking for satellite IP
- Telco-B has satellite communication IP
- Alarm bells going off from this single alert
We need to find out:
- Did the end user open the email attachment?
- Did other users get infected?
- Did the attacker move laterally once inside the network?

Detect and Respond
Complete host-based investigation, e.g. scraping endpoint memory:
- Reveal commands an attacker may have used on an endpoint
- Look for APT5 TTP: lateral movement using standard networking tools
- Look for APT5 TTP: exfiltration of a password-protected zip file
Investigation through FireEye as a Service EXPERTISE tells us:
- The NET USE command was used to connect to 2 additional servers at Telco-B
- The servers required a username and password; the BobAdmin account was used by the attacker
- This account is a Domain Admin at Telco-B
- Our remediation now extends to this compromised admin account
Agent TECHNOLOGY tells us:
- The 7z zip command was used with a password option
- The password that was used to encrypt the file: itsm9now

Incident Scope
Scope of the attack:
- Desktop
- Laptop
- 2 servers
- Compromised admin account: BobAdmin
What we need to know:
- What was in those exfiltrated zip files?
- Did they actually make it out?
- What is the business impact?

Network Forensics
FireEye TECHNOLOGY:
1. Goes back in time and shows us the actual zip file (exfil.zip) that was sent to serviceABC.skypetw.com
2. Lets us extract exfil.zip and save it to our computer
3. But it's password protected: we use the password that we learned from the endpoint forensic investigation
See what data was exfiltrated: Satellite Intellectual Property

APT30

APT30 Key Findings
- Long-standing advanced persistent threat (APT)
- Focus on Southeast Asia and India
- Methodical processes and modular tools imply a structured environment
- Appears to target organizations with political, economic and military information
- Able to target sensitive air-gap networks

One of the longest-operating known threat groups
Based on malware metadata (compile dates) and domain registration dates, APT30 has operated for at least a decade (2004 - 2015).

Domain        Registration date   Compile date (early sample)   Compile date (recent sample)
km-nyc.com    11 Mar 2004         11 Mar 2005                   11 May 2014
km153.com     30 Aug 2007         4 Sep 2007                    11 May 2014

Version information from the BACKSPACE controller:
Comments: (C) 2004 Microsoft Corporation
Flyeagle science and technology company
NetEagle Remote Control Software
File Version: 4.2
Internal Name: Neteagle
Legal Copyright: (C) 2004-
Original Filename: NETEAGLE.EXE
Private Build
Product Name: NetEagle Remote Control Software
Product Version: 4.2
Special Build

Regional Focus
96% of victim organizations are located in SE Asia.
Confirmed APT30 targets: India, Thailand, Malaysia, South Korea, Saudi Arabia, Vietnam, United States
Likely APT30 targets: Nepal, Indonesia, Cambodia, Philippines, Myanmar, Bhutan, Brunei, Japan, Singapore, Laos

Regional Geopolitical Targeting
- 'Decoy' documents reflect geopolitical themes associated with the region:
  - Political transitions
  - China border disputes
  - Indian military themes
- Focus on ASEAN, with registration of the malicious domain aseanm.com
- Journalists also targeted

Consistent TTPs
APT30 appears to have a consistent long-term mission that relies on existing tools remaining sufficient over time. Yesterday's successful tools, modified for today.

MALWARE TOOL   COMPILE DATE (EARLY SAMPLE)   COMPILE DATE (RECENT SAMPLE)
BACKSPACE      2 Jan 2005                    5 Nov 2014
NETEAGLE       20 Jun 2008                   6 Nov 2013
SHIPSHAPE      22 Aug 2006                   9 Jun 2014
SPACESHIP      23 Aug 2006                   5 Jun 2014
FLASHFLOOD     31 Jan 2005                   17 Feb 2009

- Successful enough to not have to change
- Long-term investment in software development

Summary of APT30
- APT30 is a well-organized group with a long-term mission that represents a regional threat
- Targeted activity and state-sponsored: not simply a US problem
- Able to target sensitive air-gap networks

HACKING WALL

Who Are FIN4?
- Active since at least mid-2013
- Likely seeking "black edge": market catalyst information for trading advantage
- Deeply familiar with the inner workings of public companies
- Tactics simple yet insidiously effective

Attack Vector
- Emails originate from trusted senders
- Links to a fake Outlook Web Access portal
- Stolen documents weaponized with embedded macros

The Target
(Diagram, partially legible: an M&A-themed spearphish is sent from a hijacked account at Advisory Firm A, which is compromised. Advisory Firm A and a second advisory firm are advising Public Company A about a prospective deal with another company; the message pertains directly to the pending deal, which is not public at the SEC. Repeatedly targeted: the discussions of publicly traded companies.)

Insidiously Clever
- Simple techniques to minimize chances of discovery
(Screenshot of an Outlook inbox rule, partially legible: apply this rule after the message arrives, with 'virus' or 'malware' or ... in the message, move it to the Deleted Items folder.)

Operation Cl

Who are APT3?
- State-sponsored group, AKA UPS
- Attributed to Operation Clandestine Fox in 2014
- Zero-day exploit sophistication
- Cool code names

Clandestine Wolf
Spear phishing campaign against:
- Aerospace and Defense
- Construction and Engineering
- High Tech
- Telecommunications
- Transportation

Spearphishing
(Screenshot of the lure email, partially legible: "Save ... by purchasing an Apple Certified Refurbished iMac through this link. Refurbished iMacs come with the same 1-year extendable warranty as new iMacs. Supplies are limited, but update frequently. Don't hesitate ... Sale")

Some Technical Details

These Red Dots Compromise
Malicious GIF image file:
- Valid GIF file
- Malicious payload appended at the end of the file
- Malicious payload is encoded to avoid detection

After The Initial Compromise
- Custom backdoor (Backdoor.APT.CookieCutter) installed
- Quickly steal valid credentials
- Move laterally to systems with digital assets of value
- Install custom backdoors
- Never reuse command and control infrastructure

Remediation
- Apply the Adobe out-of-band security patch
- FireEye IPS detects CVE-2015-3113
- FireEye MVX detects Backdoor.APT.CookieCutter

Outgunned in Cyberspace
- Do you believe that the breach is inevitable?
- How would you know if you were currently compromised?
- Do you know who would attack you?
- Do you know how they would do it?

Thank You
To talk more, email us: APAC@FireEye.com
Security Reimagined. A FireEye Company.
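The Telco-B case study above found lateral movement by NET USE to two additional servers and staging with 7z plus a password option. The following is an added detection example, not FireEye's code, that runs those two checks over constructed endpoint command-line records; the hostnames, paths and the user "alice" are made up, while exfil.zip, BobAdmin and the password itsm9now are the values the case study reports.

```python
"""Flag APT5-style post-compromise activity in endpoint process telemetry."""
import re
import shlex
from collections import defaultdict

# 'net use [drive:] \\host\share ...' : capture the UNC host that was reached
NET_USE = re.compile(r"^\s*net(?:\.exe)?\s+use\s+(?:[a-z]:\s+)?\\\\([^\s\\]+)", re.I)
# '7z a ...', '7za a ...' or '...\7z.exe a ...' : archive creation
SEVENZIP_ADD = re.compile(r"(?:^|[\\\s])7z(?:a|\.exe)?\s+a\b", re.I)


def lateral_hosts(events):
    """Map each user to the set of hosts they mapped with 'net use'."""
    hosts = defaultdict(set)
    for ev in events:
        m = NET_USE.match(ev["cmd"])
        if m:
            hosts[ev["user"]].add(m.group(1).lower())
    return dict(hosts)


def password_archives(events):
    """Return (user, archive, password) for 7z archives created with a -p option."""
    hits = []
    for ev in events:
        if not SEVENZIP_ADD.search(ev["cmd"]):
            continue
        args = shlex.split(ev["cmd"], posix=False)   # keep Windows backslashes intact
        archive = next((a for a in args if a.lower().endswith((".zip", ".7z"))), None)
        pw = next((a[2:] for a in args if a.lower().startswith("-p") and len(a) > 2), None)
        if pw is not None:
            hits.append((ev["user"], archive, pw))
    return hits


def apt5_style_users(events, min_hosts=2):
    """Users who reached >= min_hosts servers AND built a password-protected archive."""
    movers = {u for u, h in lateral_hosts(events).items() if len(h) >= min_hosts}
    packers = {u for u, _, _ in password_archives(events)}
    return sorted(movers & packers)


# Constructed telemetry: hostnames, paths and "alice" are made up; exfil.zip,
# BobAdmin and itsm9now are the values reported in the case study.
EVENTS = [
    {"user": "alice", "cmd": r"net use Z: \\FILESRV\public"},
    {"user": "BobAdmin", "cmd": r"net use \\SRV01\c$ /user:TelcoB\BobAdmin"},
    {"user": "BobAdmin", "cmd": r"net use \\SRV02\c$ /user:TelcoB\BobAdmin"},
    {"user": "BobAdmin", "cmd": r"C:\Tools\7z.exe a -pitsm9now exfil.zip C:\Sat\*.docx"},
    {"user": "alice", "cmd": r"7z a backup.zip C:\logs"},
]
```

The recovered password is what later lets the network forensics team open the captured exfil.zip, so it belongs in the incident record alongside the hosts reached.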
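The APT3 lure described above is a valid GIF with an encoded payload appended after the image data. As an added example that is not from the deck, the parser below walks the GIF block structure to the 0x3B trailer and reports any bytes that follow it; both sample images are constructed.

```python
"""Detect bytes appended after a GIF's trailer (0x3B)."""
import struct


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    # Data sub-blocks: a length byte followed by that many bytes; 0x00 ends the run.
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def gif_image_end(data: bytes) -> int:
    """Return the offset just past the trailer byte, parsing the GIF block by block."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    packed = data[10]                         # logical screen descriptor, packed fields
    pos = 13
    if packed & 0x80:                         # global color table present
        pos += 3 * (2 << (packed & 0x07))
    while True:
        tag = data[pos]
        pos += 1
        if tag == 0x3B:                       # trailer: the real end of the image
            return pos
        if tag == 0x2C:                       # image descriptor (9 bytes after the tag)
            lpacked = data[pos + 8]
            pos += 9
            if lpacked & 0x80:                # local color table
                pos += 3 * (2 << (lpacked & 0x07))
            pos += 1                          # LZW minimum code size
            pos = _skip_sub_blocks(data, pos)
        elif tag == 0x21:                     # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        else:
            raise ValueError(f"unknown block 0x{tag:02x} at offset {pos - 1}")


def trailing_bytes(data: bytes) -> bytes:
    """Anything after the trailer is not part of the image and deserves a closer look."""
    return data[gif_image_end(data):]


# Constructed minimal 1x1 GIF, then the same image with data appended after the trailer.
CLEAN_GIF = (
    b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)   # 1x1, global color table flag
    + b"\x00\x00\x00\xff\xff\xff"                         # 2-entry global color table
    + b"\x21\xf9\x04\x01\x00\x00\x00\x00"                 # graphic control extension
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)      # image descriptor
    + b"\x02\x02\x44\x01\x00"                             # LZW min code size + data
    + b"\x3b"                                             # trailer
)
TAMPERED_GIF = CLEAN_GIF + b"ENCODED-PAYLOAD"             # constructed appended payload
```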
National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C. 20037. Phone: 202-994-7000. Fax: 202-994-7005. nsarchiv@gwu.edu