Session ID: STU-W23B
Session Classification: Intermediate
Gunter Ollmann, CTO, IOActive Inc.
Building a Better APT Package
About Me
► Gunter Ollmann, CTO - IOActive
► University of Georgia Advisory Board
► Formerly:
  ► Damballa CTO & VP Research
  ► IBM Chief Security Strategist
  ► ISS Director of X-Force & EMEA SAS
  ► NGS Professional Services Director
► Can be found/followed/located at:
  ► Email: [email protected]
  ► Twitter: @gollmann
Advanced “Classic”
► Advanced
► Persistent
► Threat
APT
Targeted Threat
► Scary Stuff
Weaponization Teeter-totter
[Chart: Cost ($$$) vs Stealthiness (Prob. Detection)]
Cybercrime Evasion
► Outsourcing of all complex bits
  ► Commercial tools for evasion
  ► Quality Assurance services
  ► Subscription services to check every malware against all current enterprise network and host-based detection technologies
Stealth within an Onslaught
► Multiple campaigns, multiple vectors, multiple tools
► Constant information gathering
  ► Mapping networks, host configurations, incident response metrics
  ► Tie in to organized crime and cybercrime units
    ► Buy the info or access
► Mingle cyber with physical world
► Bypassing automated defenses (sandboxing/virtual)
  ► Live Exchange connector & address book
  ► Age of browser cache
  ► Webex connectors, etc.
Breaking the Supply Chain
► Who needs the front door?
  ► Other devices being carried in past perimeter (BYOD)
► Substitution of physical components
  ► Spotting chip & board changes?
  ► Incorporation of custom FPGA logic, etc.
► Most commercial crimeware techniques are already sufficient
  ► Buffer overflow conditions
► 0-day, shmo-day
  ► Not normally needed
  ► Often increases probability of being detected
Weaponization Teeter-totter
[Chart: Cost ($$$) vs Stealthiness (Prob. Detection)]
APT Delivery Framework
[Chart: Cost ($) vs Attack (Volume/Frequency)]
Thank you! [email protected]
Twitter: @gollmann