Hi everyone. My name is Alexander Adamov. I'm happy to see you here. Thank you for voting for my talk. I didn't expect that someone from the OpenStack community was interested in cyberattacks, so good for me. So who am I? I'm from Mirantis. I've been working for antivirus companies for the last 10 years. I've been analyzing malware, investigating security incidents, and finally I came to cloud security. Here today I'm going to give you an introduction to targeted cyberattacks from a threat analysis standpoint. We talked on Monday about IDS systems, about deployment, but today we are going to talk about threats actually, so what all the security stuff in OpenStack is actually made for. I'm going to talk about three issues. The first one is a general overview of the most popular targeted attacks, or APTs; I'm going to explain what an APT is. Then detection approaches. And finally we come to intrusion detection systems.

So what are targeted attacks, and what is an APT? Previously, targeted attacks were made using backdoors. That's just a simple malicious program that connects to the server, steals something, and sends it to the attacker. But now backdoors have gotten complicated, so a backdoor is not enough anymore. Usually targeted attacks are made using some software complex. It has a modular structure, and it depends on the chosen victim. Here you can see the main scheme of how a targeted attack is actually done. We can see an attacker that sends a phishing mail, or it can be a watering hole attack, when the attacker just hijacks websites and puts some malicious inclusion on the website, and the employees from the company don't notice the trick, a social engineering trick: they open the attachment or visit the infected website, and finally the employee's machine gets infected.
Once infected, the backdoor is installed, and the backdoor actually allows attackers to communicate with the victim's machine, to harvest the necessary information and send it to the remote server. Also, in the case of targeted attacks, a single victim is not the main purpose. Actually, once infected, the attackers try to scan the local network and proliferate through the corporate network to find really valuable targets, like servers, database servers, whatever. All harvested data is then uploaded to the attacker's command and control server. As you can see, targeted attacks are made through four ways. There is the spear phishing attack, when you are sending mail to some particular victim: you know exactly who this victim is, and you even know what language the victim speaks. A watering hole attack is when you know what kind of websites a victim used to visit. Once you know, you can hijack one of these websites, and the next day the victim opens the website and he or she gets infected. Exploits: zero-day exploits are very effective, but they cost a lot. That's why usually they're done not with actual zero-day exploits, but with already discovered and patched exploits. And of course the backdoor.

This is not an online war game; it's a good infographic by Kaspersky Lab. You can see APTs, advanced persistent threats, discovered recently. The length of the ship shows how long this APT has been in operation since the discovery date. If you're interested, you can go to the APT logbook at securelist.com. It's quite interesting. You can see that many of them have been discovered during the last several years, but the trick is that the majority of them were in operation for much more time before, possibly for 10 years.

This is the first example, the Epic Turla attack, discovered in 2014. It uses many techniques: spear phishing with an attachment, a PDF attachment that implements PDF exploits; social engineering techniques, sending an SCR file.
SCR stands for screensaver, but it's just a usual executable file in Windows. Watering hole attacks: here you can see an example of the watering hole attack. The victim was actually a Palestinian embassy, and they hijacked the website of the Palestinian Authority Ministry of Foreign Affairs. That sounds reasonable; it makes sense. And you can see the malicious inclusion. It's just a script. Once you open this web page, you fall victim to a drive-by attack. The next one is a fake Flash Player, like this one. Has anybody installed such a fake Flash Player? Nobody? Okay. It looks pretty much like the original one.

The next APT is Cloud Atlas, first discovered in 2013. The interesting thing is that a legal cloud provider, called CloudMe, was actually not the victim, but it participated in the attacker's scheme. The storage was used to store stolen data and send this data to the attacker. It was like a Dropbox where you can put stolen data. You can see recorded audio files, which came from victims. After that, the attacker can log in and download all the data saved on this account. By the way, about the account they analyzed: they were able to get into the account after analyzing the file; they figured out the login and password embedded inside the backdoor. It's actually not the first time that public cloud providers are used to deliver malware or are used in targeted attacks. We discovered two years ago that three botnets (Base Bot and Energy Bot among them) used Dropbox to deliver malicious files. Before putting the malicious samples into Dropbox, the attackers used polymorphic encryption just to avoid being detected on the cloud provider's side. Then they just distributed the URL to the victims, and the victims got these new malicious samples uploaded to their machines.
As you can see, it worked well, but later Dropbox increased its security policy and now it's almost not used. Another one, Carbanak, is a banking APT. It's the biggest bank robbery. Carbanak attacked more than 100 banks, mostly in Russia and the United States, and the total loss of all banks amounted to one billion dollars. The interesting thing is that once they penetrated the bank network, they recorded the activity of the employee on the screen. Then they sent the video to the C&C server. After that, the attackers watched the video, so they could figure out how it works, how to make a transaction in this particular bank, in this particular information system. Then they just did the same: sent money to ATM machines, and then someone grabbed the cash from the ATM machines. That's interesting; you can read it, it's very fun. It comes as a VBS script. It was rather big, two megabytes, and on board it has three exploits. They are not zero-day, actually. Communication, of course, comes through HTTP, and all data was encrypted using RC2 and base64. As you can see, the majority of malware and, of course, targeted attacks use encryption for traffic, so we can figure out what is inside the malicious traffic. And you can see the examples of requests. You can see the embedded part is actually base64. Yeah, this is just fun. This is some notice for bank employees on how to detect if your machine is infected. It's for Windows machines. It's a map of targets. As I said, the top targets are Russia and the United States. The interesting thing is that targeted attacks use remote administration tools, and they used penetration tools and hacking tools. Once the backdoor is installed on the victim machine, it is capable of connecting to the C&C server and requesting to download some hacking tool to the victim machine.
Among them, you can see a RAT, Metasploit. I think there is no sense in describing what Metasploit is. PsExec is a tool by Mark Russinovich. It's a simple implementation of the Telnet protocol. Mimikatz is also a hacking tool to get login passwords in this operating system. Another one is actually the Duke family: CosmicDuke, OnionDuke, and CozyDuke, which is the latest threat, discovered last month. Supposedly, those malicious programs were written by Russian developers, and here you can see a quite impressive list of spy features. These are the dumps where we can find, for example, the types of files they were looking for. We can see it's documents, presentations, pictures, and these are the social networking accounts they are trying to steal credentials for. Just geography: you can see Russia is actually the most targeted country, but probably in Turkey they target some diplomatic and government institutions in this area. And also the United States. As well, we can see hacking tools found on the C&C server. That actually feeds our hypothesis about the functionality of the APT. The backdoor connects to the command and control server and says, okay, give me please some hacking tool. For example, a vulnerability scanner, like June scan or whatever. Or a brute force tool.

What I have for you is a little demo about CozyDuke. It's also from the Duke family. It is famous because of attacking the White House and the US State Department. It comes as a ZIP archive in an attachment. Once you open this attachment, you can see some executable file. It's a Flash video. As you can see, this Flash video is about funny office monkeys. By the way, another title for this threat is Office Monkeys.
I think you should have heard about this attack, because the media made a fuss about it, because among the victims, as I said, were high-profile targets like the White House and US departments. Okay, what's the point of showing this video to victims? Probably the first one is taking your attention away. You're looking at this video, and something is happening in your system. But now we don't see any suspicious activity. I mean, we don't see, for example, any network communication. You can see a Wireshark sniffer. We can't see any network communication. In Process Explorer, we can see only the process for Flash Player. That was made on purpose: there is a sleep. This application sleeps for two minutes. It was made just to avoid, for example, being analyzed on automated solutions like sandboxes and whatever. And of course, when an employee opens this file, he or she sees nothing. But after two minutes, we see some strange process started. And after two minutes more, we see some strange activity going on. As you can see, the data sent through HTTP is actually base64 encoded. We can follow the stream. The main point of this presentation is to find out the network indicators of compromise: how we can detect such attacks based on network traffic. Here you can see the traffic flow. We can find out the server, San Jose Maristas, and some data, base64 encoded, sent to the attacker. It's some kind of request sent to the attacker's server. Then we can, for example, open the Registry Editor, and we see the Run section. We can find out that there is some extra value in this section, and this section is responsible for running this program once your system boots up. In Linux, backdoors write themselves into a crontab, just to be executed from time to time.
When we open the reference folder, we can find files. All files are digitally signed. However, the root is not trusted. It's just another social engineering trick: when the victim sees that the file is signed, it looks okay. Okay, that's all. Let's continue with our presentation.

The next section is about the communication protocol. Long story short, after analysis of this encrypted data sent to the server, we figured out that the data was encrypted using RC4, and over RC4 we have base64. Just by reverse engineering, opening the file in a disassembler, we can figure out the algorithm ID; then we can figure out the key, because the key is exposed in memory. You can see this is the RC4 key. It is 16 bytes. After that, we can figure out that this key is actually embedded into the header of the network packet, the HTTP packet. So it's easy: by reverse engineering, you can crack the communication protocol and understand what is going on. Moreover, the configuration file is also encrypted, and you can use the same RC4 key that you can find in memory or in the header of the file. And it's XML. In the XML, you can see the servers section. It contains two servers, two control servers. One is primary, the second is like a backup. All of them are legitimate. They were just hijacked, and a malicious server was set up. It's used to send the commands to the backdoor. The main conclusion for APTs is that communication with the command and control server is always encrypted and compressed. Unfortunately, we cannot hack it or crack it on the fly. It's also interesting that the majority of targeted attacks use remote administration tools or penetration testing tools.

About detection approaches: as you know, there are two approaches, signature-based and anomaly-based.
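As an added illustration of the decoding step just described (example code written for this page, not the speaker's or Mirantis's tooling): the beacon, the XML config and the header name are constructed; the talk only says the 16-byte RC4 key sits in the HTTP header, so the assumption that it travels hex-encoded in a header called X-Session is mine. The script strips base64, RC4-decrypts with the key from the header, and pulls the C&C servers out of the XML as network indicators of compromise.

```python
import base64
import xml.etree.ElementTree as ET


def rc4(key, data):
    """RC4: key scheduling, then XOR with the keystream. RC4 is symmetric,
    so the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_http_request(raw):
    """Split a raw HTTP request into (request line, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip()
    return lines[0].decode(), headers, body


def decode_beacon(raw, key_header="x-session"):
    """Recover one beacon's plaintext: read the 16-byte RC4 key from the
    (hypothetical) key header, base64-decode the body, RC4-decrypt it."""
    _, headers, body = parse_http_request(raw)
    key = bytes.fromhex(headers[key_header].decode())
    if len(key) != 16:
        raise ValueError("expected a 16-byte RC4 key in header %s" % key_header)
    return headers, rc4(key, base64.b64decode(body))


def network_iocs(raw):
    """Indicators a defender can turn into IDS rules: the host contacted
    and the control servers listed in the decrypted XML configuration."""
    headers, plaintext = decode_beacon(raw)
    root = ET.fromstring(plaintext)
    servers = [s.text.strip() for s in root.iter("server")]
    return {"host": headers["host"].decode(), "servers": servers}


# Constructed sample, not captured traffic: the beacon is built the way the
# backdoor would build it, so decoding it round-trips to the XML config.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CONFIG = (b"<config><servers>"
          b"<server>primary.example.invalid</server>"
          b"<server>backup.example.invalid</server>"
          b"</servers></config>")
SAMPLE_REQUEST = (b"POST /update HTTP/1.1\r\n"
                  + b"Host: c2.example.invalid\r\n"
                  + b"X-Session: " + KEY.hex().encode() + b"\r\n"
                  + b"Content-Type: text/plain\r\n\r\n"
                  + base64.b64encode(rc4(KEY, CONFIG)))

if __name__ == "__main__":
    print(network_iocs(SAMPLE_REQUEST))
```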
For signature-based detection, we can use, for example, URLs that we figured out from the configuration file. Also, we can apply some IDS signatures to traffic. We can use the domain names of command and control servers. Anomaly-based: we are looking for some anomalies in network traffic. Unfortunately, backdoors use the same HTTP protocol as all other applications, web applications. So it doesn't work. We can come to clustering. Despite it being quite a resource-consuming thing, it still doesn't work, because we have a high level of noise. The clustering approach is about finding similar packets and putting them in one cluster. If some packet doesn't fit any cluster, it goes to a new cluster. But there are a lot of packets that go to a new cluster, so that doesn't work.

Detection of URLs. As you know, there are some suspicious networks. One of them is called the Russian Business Network, and it has some particular set of IP addresses. If we find that in your network there are some of these IP addresses, your IDS system will trigger an alert, like "known Russian Business Network IP group". Next one, you can analyze URLs like this. For example, this is a URL to download some backdoor. If you look at the registration, the country is Ukraine, actually my motherland. The lifetime of the domain is one year, which fits phishing URLs: they use a registrar and short-time domains. The registrar is a Russian one, all sorts of suspicious; the content type is undefined. Finally, you have penalty points. This URL is really not cool. Don't open it. APTs use hacking tools. Here you can see the list. It's based on the four APTs analyzed today.

Summary. It's okay to use the signature-based approach, but the problem is that we have some delay between the discovery of the signature and applying the signature to your cloud, to your network. Anomaly-based doesn't need the signature.
So it works in a proactive way. But it's hard to apply to APTs, because when governments do targeted attacks, they do not create short-time URL domains. They hijack existing domains, which look pretty trusted.

Finally, we come to IDS. How can we use IDS? I recommend using Snort or Suricata. Both of them support the so-called Emerging Threats rule sets. Those rule sets are free; you can apply them to your IDS system. As you can see, the rules are grouped into some sections. For example, some rules are grouped in malware, some in bot command and control servers, some of them in Tor traffic. Your goal is to find the trade-off between performance and detection coverage. For example, you don't need to enable mobile malware if you have no access from BYOD, or if you do not expect any Tor traffic, whatever. This is the example of IDS rules for the APTs based on the previous examples. You can use this one. You can also check if your IDS can detect the following hacking tools. Unfortunately, in the default, free version of the Emerging Threats rule set, not all of them are present. So you have to check it. If not, you probably should take ET Pro. It's a more advanced rule set. It covers more threats and has more signatures, but it's not free. And, of course, you can create your own. You can add a rule to your IDS following, for example, the blogs of antivirus vendors. They usually publish network indicators of compromise. You can grab them and apply them to your IDS.

Incident response model. Here we have, for example, you build the cloud, you build a private cloud. Of course, you should use some infrastructure provider to get hardware, access to the internet, and so on. Usually, the infrastructure provider is responsible for any abuse reports.
For example, if someone from your private cloud connects to a command and control server or to the Tor network, your infrastructure provider will notify you about it. Also, if someone, for example, runs some spam attack or a phishing attack, it's almost the same case. But sometimes you don't know what particular solution is used by your infrastructure provider, because the infrastructure provider just gives you the service. You don't know what is inside, what solution is used. You can enforce your private cloud with your own security service. For example, if you sell the service to some company that wants to comply with some special security policy, they say, okay, you guarantee us some security level. So you can install, for example, an IDS and enforce the security level of your cloud. For example, for banks, this Carbanak is the first criminal APT. If you want, for example, to attract banks to move from on-premise facilities to the cloud, you need to guarantee, okay, we guarantee that the Carbanak case won't happen to you. And you should show some facts on how you're going to do this. My proposal is: you can use IDS, you can use fresh rule sets, and you can adopt the indicators of compromise published by antivirus vendors.

What we have now in OpenStack. Unfortunately, IDS is not integrated yet in OpenStack. What we use in Mirantis: we use Fuel plugins to automatically deploy IDS. Because, for example, if you need to deploy IDS in some small cloud, you can do it by hand. But if you need to deploy IDS for, say, 200 or 500 nodes, it's not possible. So we can use Fuel plugins to deploy IDS in an automated way. It's done through Puppet. You can find the detailed guideline on how to create this plugin for Fuel. As you have seen, targeted attacks can be detected by network indicators of compromise. Like we figured out for the Office Monkeys case, we can, for example, detect it by the two servers which it used to connect to.
But those two are not the only ones. You can go to an antivirus company blog and find out more command and control servers. Also, an IDS needs to be properly configured. It's not the end of the story when you deploy IDS. You need to take care of it. You need to supply it with new rules. You need to add new indicators of compromise, because threats come out every day, every hour, and that's why they call it zero-day. So you need to react very fast. You need to get these indicators, for example, from... If you don't have your own security department, your own security researchers, you may just follow the antivirus blogs. They usually publish them very fast. That's all from my side. Thank you for your attention, and welcome for questions. Yeah, probably you're welcome to use the mic.

Hi, Mariano Pagnetti from Enter Cloud Suite. We run a public cloud. My question is, where do you think is the best place to install an IDS in a public cloud? I mean, the discussion is whether to place it inside the tenant, inside the private plane, on the router, or at the provider's level. What do you think about it?

It depends, of course, on the size of your cloud. But typically it is recommended to deploy an IDS on the compute node. So it is going to be tenant-targeted: with one IDS you can target one tenant. But if a tenant has many nodes, you probably need to install an IDS on every node. Also, I like the idea presented by Dan Lambright about allocating a separate node, like a monitoring node, where you can install IDS, IPS, whatever, because an IDS is quite a resource-consuming thing.

That's why I was asking why you would install it on compute nodes. If you install it on compute nodes, then the provider is in charge of administering them. If you provide it in the tenant, or maybe on the router, or Tap-as-a-Service, then you can charge the user for this resource-consuming service.
Yeah, from this point of view, it's a good idea.

So you say that having IDS on compute nodes is best suited for private clouds, and on the router for public clouds?

No, it's an existing solution, like what is recommended, but it's not the only one.

Okay, thank you.

Could you talk a little more about your IDS configuration? It sounds like you're talking about running it not inside the tenant, as a VM, as part of the tenant network, but on the outside, sniffing the traffic.

Yeah, you can, as I said, install it on compute nodes. You can set it up to listen to the public interface, to intercept the available traffic. My point is to pay attention to the configuration of rule sets. It's very important, because there is no sense in enabling all rule sets from Emerging Threats, because it will cost you a fortune. So it's important to find out what threats you expect in your cloud and then enable rules for that.

Well, in a lot of network configurations, or in a lot of Neutron configurations, you might be using GRE tunnels and things like that. If you're running your IDS on the hypervisor itself, it doesn't really have visibility into all those things, right?

Yep, yep, I agree.

Okay. Any more?

I'm just wondering, how are you normally tapping the traffic to the IDS?

You can, as I said, install it on compute nodes and just listen to, eavesdrop on, the public network. But it depends on the architecture. It's not the case for big clouds. You should consider your architecture, the size of your cloud. I don't actually have a lot of experience in deployment in big clouds, but I have more experience mostly in configuration of rule sets.

Thank you. Okay, thank you very much.