CommSec Track: Anatomy of an APT Attack

In this talk I will be discussing the tactics used by APTs and nation-state threat actors. Starting with the basics of who is responsible for attacks, we will move swiftly on to the top 2% of attacks which can be classed as APTs: state-sponsored hackers, organised crime and intelligence services. I will briefly cover the history of industrial espionage, starting with the theft of Lockheed Martin’s jet designs and the subsequent, suspiciously similar MiG which was produced in 1998. Moving on, I will discuss with examples how this has grown over time to encompass almost every industry. I will then briefly look at the integrated supply chain and how intellectual property theft can happen at any point in the process. This will emphasise the need for security at all stages and the increased demand for vendor assurance. I will use one generic client as a real-world example. I will then look at the global economic impact of cybercrime, setting it next to drug trafficking and digital piracy for context.

The main part of the presentation will then begin, which will look at a real-life APT attack. This was a real-life compromise and remediation of a large multi-national company. So as not to offend anyone, we will base the scenario around a fictitious country called The People’s Democratic Republic of Vango. The attached picture will be the basis for this part of the presentation. I will explain the process which takes place, from the “Bagman” who spots potential targets, to the first team who spearphished a user, and then the common process of gaining control of the domain controller. Once there, the dev/research and marketing domains are compromised. Persistence and back doors are then installed, and we will discuss the methods used to exfiltrate data. We will then look at team B, who swing into action if team A is discovered. These people are more experienced and use custom bespoke tools and different methods of entry. Is there a team C? Yes, and they have a Twitter account and turn out to be married to each other.

I will then explain the timeline for remediating such an attack and the process used. In fact this process is very similar to the attack process; however, it is reversed. We will look at what clues can be derived to inform who had actually attacked the company. Using a timeline slide I will explain the remediation process: basically, the attackers are left in the system while investigations are carried out, then they are booted out of the system in quite literally a 24-48 hour process, all entry points are closed and better IDS systems are put in place. This explains both the cost and the time for remediation of major breaches, and well-known examples will be used.

Time permitting, I will also cover some remediation governance issues and incident response governance.

Location: CommSec Track
Date: May 27, 2016
Time: 3:30 pm - 4:00 pm
Paul Mason