Black Hat: Persistent Threat Plan

Thursday, July 26, 2012 @ 08:07 PM gHale

By Gregory Hale
It takes a strong-willed security team and a strong management team to let a persistent attacker stay on your network so you can learn more about what he is up to.

But that is exactly what Jim Aldridge was saying during his talk Wednesday entitled, “Targeted Intrusion Remediation: Lessons from the Front Line,” at Black Hat USA 2012.


“Not all targeted threats are persistent threats, but persistent threats are usually spies or espionage,” Aldridge said. These attacks come from humans using technology, but they have a plan of attack and they want to stay on the system as long as possible to get as much information on the product lifecycle as possible.

“These are targeted threats. They do this for a living; these are adversaries that will take the time to do reconnaissance on your organization,” he said.

“A persistent [threat] means the adversary will stay in the environment for a long time. They want to know the lifecycle of what they are stealing,” Aldridge said.

The hackers are smart: once they get into a system, they go out and find other systems to infect, and they add a few backdoors as an insurance policy so they can stay in the environment and learn every nuance of the product they are spying on.

Aldridge listed eight parts of the attack lifecycle:
• Reconnaissance
• Compromise
• Establish a foothold
• Escalate privileges
• Internal reconnaissance
• Move laterally
• Maintain presence
• Complete mission

It used to be once you found a threat on your system, you just pulled it offline. “But often attackers will move laterally and infect other machines. You clean one machine and others get filled up,” Aldridge said. That is why it is wise to keep the attackers on the system until you can determine the entire attack vector and what the attacker is looking for, he said.
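The remediation lesson above is that scoping has to finish before cleanup starts: if you rebuild the first machine you noticed, the attacker simply continues from the other hosts he has already reached. The script below is an added illustration of that scoping step, not code from Aldridge's talk or from this article. It walks outward from one known-compromised host through logon records, treating every host reached from an in-scope host, and every account used from one, as part of the intrusion; the log format, host names and account names are constructed for the example. It deliberately over-approximates (an account used from a compromised host is assumed stolen), because the cost of leaving one foothold behind is another round of the whole exercise.

```python
"""Scope an intrusion before remediating it.

Added example (not from the article or the talk). Starting from one host
known to be compromised, follow lateral-movement edges through logon
records so that every touched host and every exposed credential is known
before any single machine is pulled offline or rebuilt.
"""
from collections import defaultdict, deque

# Constructed logon records: (timestamp, source_host, account, destination_host).
# Think of them as the interesting subset of domain logon events.
LOGONS = [
    ("2012-07-20T09:14", "WS-ALICE",     "alice",      "FILESRV-01"),
    ("2012-07-20T09:20", "WS-ALICE",     "alice",      "DEV-BUILD-02"),
    ("2012-07-20T11:02", "DEV-BUILD-02", "svc_backup", "FILESRV-01"),
    ("2012-07-20T11:05", "DEV-BUILD-02", "svc_backup", "DC-01"),
    ("2012-07-21T03:40", "DC-01",        "svc_backup", "MAIL-01"),
    ("2012-07-21T08:00", "WS-BOB",       "bob",        "FILESRV-01"),  # unrelated normal use
    ("2012-07-21T08:05", "WS-CAROL",     "carol",      "PRINT-01"),    # unrelated normal use
]


def build_graph(logons):
    """Directed graph: source_host -> {(destination_host, account_used)}."""
    graph = defaultdict(set)
    for _ts, src, account, dst in logons:
        graph[src].add((dst, account))
    return graph


def scope_intrusion(logons, initial_host, initial_accounts):
    """Breadth-first walk from the known-compromised host.

    Rule (an over-approximation on purpose): any logon originating from an
    in-scope host puts its destination host in scope, and the account it
    used is assumed stolen, since the attacker controls that source host.
    Returns (hosts_in_scope, accounts_in_scope).
    """
    graph = build_graph(logons)
    hosts = {initial_host}
    accounts = set(initial_accounts)
    queue = deque([initial_host])
    while queue:
        host = queue.popleft()
        for dst, account in graph.get(host, ()):
            accounts.add(account)
            if dst not in hosts:
                hosts.add(dst)
                queue.append(dst)
    return hosts, accounts


def remediation_plan(hosts, accounts):
    """The one coordinated sweep: everything here is done in the same window,
    so the attacker is not tipped off by a partial cleanup."""
    return {
        "hosts_to_isolate_and_rebuild": sorted(hosts),
        "credentials_to_reset": sorted(accounts),
    }


if __name__ == "__main__":
    # The analyst knows only that WS-ALICE and the account "alice" were hit
    # by the spear phish; the walk finds what the attacker reached from there.
    in_scope_hosts, in_scope_accounts = scope_intrusion(LOGONS, "WS-ALICE", {"alice"})
    for key, items in remediation_plan(in_scope_hosts, in_scope_accounts).items():
        print(f"{key}: {', '.join(items)}")
```

On the constructed data the walk reaches five hosts and two accounts, and correctly leaves WS-BOB, WS-CAROL and PRINT-01 out of scope even though bob and carol touched some of the same servers; the walk follows the attacker's direction of travel, not every host that shares a server. In a real engagement the logon records would come from domain controller event logs or an EDR platform, and the initial seed would be whatever the first alert or forensic finding established.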

Aldridge then went through a simple attack scenario where the use of a spear phishing campaign got the attacker into a targeted victim’s system. “Within a couple of days, the hacker probably got in and you didn’t even know about it,” he said.

Once they are in, the security professionals’ job is to make the attacker’s job much harder.

“You want to make their job more difficult. You want to stop them from getting around, but you have to understand you were targeted for a reason,” he said.

He said companies need to work out a solid plan to secure your environment, because attacks happen and they will continue to happen.

“There will be a next time,” Aldridge said.
