Lessons Learned from Fighting Nation States in Cyberspace
Speaker: Dmitri Alperovitch
See the list of all blog posts from the conference
Dmitri and his team uncovered 2016 DNC hack – not focus of talk because not that technically interesting
Focus on collecting a lot of data and applying AI to big data
Store data in ThreatGraph (their product) and Apollo/Hadoop
Today’s threatscape
- Whatever business you think you’re in, you’re in the security business – hacktivists, money, etc. If have nothing of value, why in business?
- In past, only government entities had to worry about nation state attack. Now commercial entities have to protect IP and info.
- Examples of China stole weapons design from United States.
- North Korea using random ware attacks – largely in South Korea – to fund weapons
- Once you use a cyberweapon, others can use it. Ex: WannaCry is good example of reuse.
- Inserting fake data in real data makes it hard to determine what is true.
- Track over 40 different threat entities in China, over 10 criminal entities worldwide, 6 activitist groups worldwide, 8 in Russia and a few others around the world. Code names have animal last name – Chinese panda, criminal spiders, etc. The analyst who discovers it picks the first name.
- Criminal actors are opportunistic. Will move on if costs too much to atack you. Nation states are more like a dog with a bone. They aren’t giving up because only one source has the information.
War stories
- Hurricane Panda (China) – Focus on telecom for economic esponiage to benefit China.
- webshells – web scripts to get control of webservers. They get it on the web server and then can use a browser to run any command via get requests. Typically password protect script so doesn’t return anything unless supply right password – prevents scans from finding. Attack went undetected for a year. Stole credentials and tried to remove evidence. Persisted after attack remediated.
- Sticky keys – modify Windows registry key and then can get in without admin password. Ex: on screen keyboard runs before login. If tell Windows to run debugger first, get command prompt with full admin privilege
- Only need a PowerShell command to steal credentials.
- Once fixed, got thrown out in minutes. Started making typos as rushed. Continued trying to get in for four months.
- Then they found a zero day to get admin access to machine
- Then they finally went away and found a new victim. Dmitri’s company repeated the pattern.
- Crowdstrike won. (article) – hackers moved on if saw CrowdStrike software on server
- Large defense company noticed problem but couldn’t figure out how got in. CrowdStrike asked to find malware, but wasn’t one. The problem was the RSA SecurID two factor keys were compromised. Chinese thread actors stole the seeds for the token. RSA said would send seeds to company rather than storing them. However, the Chinese stole the seeds from the company directly and could VPN in using two factor.
- Cloud VM data theft. Again no malware. Adversary had stolen API keys.
- Other attack method to get into environment: phishing, embed powershell in a .lnk (windows shortcut files) and make .lnk file look like word doc or pdf
- Bypassing Windows Access Control is a bunch of steps. But there is an open source tool to do all of it
- Anti-forensic methods – delete log files, wipe data to obsfucate their activity.
Lessons learned
- Windows is scary 🙂 [seriously though; the talk focused on Windows – presumably their expertise]. Someone asked about this and Dmitri said 95% of intrusions occur on Windows.
- Embrace visibility/logging and AI – you will always be behind if trying to find last attack. Aggressive logging for all system help. Anonomoly based algorithms help find the unknown
- Leverage peers – work with other entities and share information
- Hunt for the adversary – think what you would do if you were the adversary