Pen Tests Evolved: The Advanced Threat Cycle

Dave Shackleford Owner, Voodoo Security CTO, IANS

Agenda
The advanced threat cycle, and what attack techniques and tools are seen most frequently What most internal pen testing teams are doing today, and why it may not be adequate for today's threat landscape How internal pen testing teams can switch up their normal testing regimens to better represent advanced threats to organizations Tips for how to prevent and detect advanced malware as part of your assessment program

Whats an APT?
The APT is
A more methodical, professional attack conducted by well-organized and possibly well-funded attackers

The APT is NOT

Just malware. Or any one attack.

Weve settled on this term for anything even remotely sophisticated or targeted Is this a cop out?
Are all of these breaches that sophisticated at all?

The APT: An Attack Cycle

Todays advanced threats are really an attack cycle:
Reconnaissance
Recon

Intrusion
Backdoors and persistence Advancement

Maintenance

Initial intrusion

Privilege escalation Data theft

Additional attacks
Advancement

Backdoors & malware

Maintenance

What are we seeing? (2009-2010)

The attacks are getting worse
More stealthy, more damaging, for longer term compromises

April 2009:
US Electrical Grid compromised by Chinese & Russian hackers US Joint Strike Fighter Program compromised through contractor networks data was encrypted

June 2010
Stuxnet discovered, affecting Siemens SCADA control systems

What are we seeing in 2011-2012?

RSA Breach in March 2011
Compromised token seed files via initial vector of social engineering (email) + 0-day Flash exploit

Lockheed Martin compromised 2 months later with fake tokens

Possibly other victims too, including Northrop Grumman

Citigroup hacked in June 2011

210,000 customer records exposed

And theres plenty of hacktivism targeting thats happening with Lulzsec and Anonymous

Advanced Threat Techniques

The methods, techniques, and technology we see now, more than ever:
Social engineering, especially phishing
Use of 0-day exploits

HTTP and HTTPS C&C channels

Memory-resident payloads

Use of common document formats for delivery, such as PDF, DOC, XLS, etc. Focus on client-side software exploits
Data stealing code components

Yesterday & Today: One Example

Bot C&C Traffic in 2006: IRC
input: 20051116.BOT.CTRL.NET.pcap #### T BOT.NET.EEE.12:2925 -> BOT.CTRL.215.148:153 [AP] PONG :sErVeR.BiTcHnEt.org.. ## T BOT.NET.BBB.90:2241 -> BOT.CTRL.215.148:153 [AP] NICK [pullerindamouth]|92437..USER ezwic 0 0 :[pullerindamouth]|92437.. ### T BOT.CTRL.215.148:153 -> BOT.NET.BBB.90:2275 [AP] ERROR :Closing Link: [BOT.NET.BBB.90] (Throttled: Reconnecting too fast) -Email sysop@blabla for more information.).. ## T BOT.NET.BBB.90:2275 -> BOT.CTRL.215.148:153 [AP] NICK [pullerindamouth]|41050..USER hutvqa 0 0 :[pullerindamouth]|41050.. #ownz Operator!fick@cashrulez.net .ddos.syn VIC.NET.AAA.143 80 120 --> #ownz :[DDoS]: Flooding: (VIC.NET.AAA.143:80) for 120 seconds. --> #ownz :[DDoS]: Flooding: (VIC.NET.AAA.143:80) for 120 seconds. #ownz Operator!fick@cashrulez.net .ddos.syn VIC.NET.AAA.143 80 120 #ownz Operator!fick@cashrulez.net .ddos.syn VIC.NET.AAA.143 80 120 #ownz Operator!fick@cashrulez.net .ddos.syn VIC.NET.AAA.143 80 120 #ownz [7][pullerindamouth]|62001!akgino@BAIWY-299F05B6.BOT.CTRL.NET [DDoS]: Flooding: (VIC.NET.AAA.143:80) for 120 seconds. #ownz Operator!fick@cashrulez.net .ddos.syn VIC.NET.AAA.143 80 120 #ownz [7][pullerindamouth]|62001!akgino@BAIWY-299F05B6.BOT.CTRL.NET

Bot C&C Traffic Today: Encrypted UDP

Downloading a file

Attack instructions

Confirmation from infected client

Copied from: http://www.paloaltonetworks.com/researchcenter/2009/10/mariposa-tool/

Operation Aurora
A highly sophisticated malware penetration by Chinese hackers against major companies like Google and Adobe
Involved: 0-day browser exploit Embedded shellcode Flexible payload Custom encrypted C&C traffic on port 443

Malware and Attack Examples

The Energizer Trojan Bundled within a commercial piece of software!
But it LOOKED like a PDF! Via email, Web browser, etc!

The Energizer Trojan

Bundled with the Energizer USB Rechargeable Battery software Opens a listening port that accepts commands
Was apparently there for several years before being discovered
No one is yet sure who put the backdoor into the software, or why it was placed there

Numerous Changes to System

File Arucer.dll is added to %Windir%\System32

Added to Registry Run key

Controls a backdoor Trojan application

Network Backdoor
Opens a backdoor listener on TCP port 7777 Accepts CLSID values to the port, XORd with 0xE5
{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}: Trojan Health Check {F6C43E1A-1551-4000-A483-C361969AEC41}: Send a file to attacker {EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}: Directory/file contents {783EACBF-EF8B-498e-A059-F0B5BD12641E} {0174D2FC-7CB6-4a22-87C7-7BB72A32F19F}: Drive information {98D958FC-D0A2-4f1c-B841-232AB357E7C8}: Create a file on the system {4F4F0D88-E715-4b1f-B311-61E530C2C8FC} {384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13}: Add a RunOnce Registry entry {8AF1C164-EBD6-4b2b-BC1F-64674E98A710}: Download a file to execute

But it LOOKED like a PDF

Many malware analysts estimate that ~50% or more of the latest Trojans are being disseminated as PDF files These can be sent as email attachments
Or accessed via browser

Registry changes and files

These things can be NASTY. A Before and After snapshot of Registry entries and the %windir%\System32 directory were taken with a tool called Regshot

Note this file name

A backdoor IRC channel

Opens a backdoor to an IRC server on TCP port 9899 Waits for commands like most bot or Trojan-style malware

If not a PDFwhat is it?

Here it is again

Pen Test Teams Today

Many teams today do the following: Basic vulnerability scans no pen testing! Follow the classic cycle: Scan Exploit! High-five Repeat Skip Recon FAIL TO EMULATE REAL THREATS!

Why Pen Test?

Find holes before attackers do!
Prove that security issues exist to skeptical management Raise overall security awareness Verify secure system configurations Test new technology Discover gaps in compliance posture and satisfy legal and/or governmental requirements such as HIPAA, SOX or GLBA.

Perform Better Assessments

There are many ways to improve assessments and better represent advanced threats The following are key considerations that should be planned upfront before an assessment is started:
Scoping and rules of engagement Following a methodology Results, formatting, and tool output Evidence of compromise and attack vectors Repeatability Prioritized and risk-focused remediation guidance

Scoping and Rules of Engagement

Establish what networks and apps are in scope
Determine reason(s) for assessment Compliance General vulnerability understanding Rules of engagement include time of tests, how to report vulnerabilities, keeping track of issues, etc. For pen tests, have a goal: Get to PII Establish specific attack vectors Compromise specific systems or apps Bypass security / stealth attacks

Follow a Methodology
There are not many standards in use today for assessments and pen tests
Some exist, though:
OSSTMM NIST guidelines

A newer standard is the Penetration Testing Execution Standard (PTES)

Incredibly detailed may be overkill, but consider following it

Results, Tools, Output

Ensure the assessment report includes details specific to the risks you face and business you are in
Dont be generic!

Interpret language from scanners and dont just paste Nessus results into the report Include tools used and output from tools for technical teams to leverage in validation and remediation efforts
Usually best to include this as an Appendix or separate report

Evidence of compromise & attack vectors

Demonstrate true compromise or vulnerabilities
Screen shots, planted flags work best

Ensure false positives are eliminated

Have testers confirm with IT teams before report
A prelim report may be a good idea for this reason

Repeatability
Listing the actual tools used, the process followed, and how things flowed during the assessment is key
This can follow the ReconScanningExploit cycle or some other format

This can also be used to validate logs, IDS events, etc.

Keep track of process with a Wiki or some other tracking tools during assessments

Prioritized and risk-focused remediation guidance

Define what is important to you in terms of risk
Confidentiality for PII and other data? Availability concerns with systems and apps? Integrity with MitM and other attacks?

Build on this for the report Ensure both attacks and successful exploits are framed in the context of priorities to your business

Any VA/PT should be focused on your actual risks not just a scan or exploit to prove youre vulnerable

A Targeted Attack Example

Competitor wants to gain access to R&D documents
They decide to target the firms engineers

Step 1: Recon Step 2: Targeted Attack Step 3: Gaining Access Step 4: Command and Control

Step 5: Data Access/Exfiltration

Step 1: Recon
Twitter Starbucks Starbucks Sniffing

Captured: Email address (engineer@gmail.com) Friends email (engineer2@gmail.com) Interests (www.techstuff.com)

Step 2: Targeted Attack

Hey look! An email from Engineer2. With a catalog attached!

Spoofed, of course Most certainly clicking here

Step 3: Gaining Access

The PDF gets clicked.
Code gets dropped.

The backdoor is opened.

Step 4: Command & Control

The attacker connects back to the listening port
A more likely scenario would be the other way around an outbound shell (Shoveling Shell) or a more robust bot/rootkit

Step 5: Adios to the Data

At this point, the attacker could do any number of things to get more sensitive data
FTP/SFTP SSH/SCP Custom encrypted channels (Base64/UDP)

Prevention + Detection = Success

Just attacking stuff is not that useful
One of my most successful techniques as a pen tester is coming in AFTER the test

And marrying the detection side of the house with what I did during the test.
This way, you can actually improve SECURITY PROCESS, not just infrastructure posture

Detection: Behavior
Host level behavior:
Should the lsass process be communicating outbound on port 30204? Should the notepad process be modifying the Registry?

Although difficult to detect, 0-day and stealthy attacks may be prevented by behavioral analysis and lockdown

Network behavioral monitoring is also highly recommended

Signature-based only goes so far, use Netflow and other tools to detect unusual patterns and traffic

Detection: Whitelisting & Host Security

Whitelisting is host-based software that maintains a local fingerprint of applications that are allowed based on policies
Policies tied to users, groups, systems, etc. Everything not allowed by policy is denied. This effectively brings a Default Deny policy to the host

Use anti-virus too, although its effectiveness is waning Any HIDS/HIPS and memory monitoring is also very useful
May be bundled with A/V and other agents

Detection: Logs and Audit Trails

Log analysis can be a major benefit to any team looking for evidence of APTs
DNS logs
Local user access and domain user access patterns

Outbound firewall logs

VPN & remote access logs

System & application logs

Ensure you have remote logging and log analysis technologies and capabilities in place

Reaction: Incident Response

Ensure you have an adequate plan!
Everyone says they do. Have you tested it?

For adequate incident response, you need:

A designated team lead. One. The ability to segregate a machine on the network quickly Disk duplication and forensic analysis skills and tools Memory analysis tools

Create customized pen test scenarios with client-side exploits and obfuscated PDF/DOCembedded malware

Security Infrastructure Improvement

Yesterdays tools are not wholly adequate any longer for advanced attacks Attackers are avoiding A/V left and right Network traffic is outbound using HTTP/HTTPS
Sowhat can help?
New, next generation firewalls Whitelisting and more advanced host security Virtualized platforms for rapid response Malware sandbox analysis tools (FireEye, Norman, etc.)

Continuous Monitoring
Although this is a FISMA concept in the US government, it could and should apply to all organizations
Key controls to monitor regularly (via scripts) or continually (with an agent):
File integrity for key areas of the OS Logs for failed access or unusual access patterns Anti-virus or other host security alerts Network behaviors and flow data SIEM console, if available

Port scans and local tools like netstat and Process Explorer can help, too

Final Discussion & Questions

Thanks for attending!