Book Review chapter 3

Advanced Persistent Threat Hacking
Chapter 3 Lecture By
Professor Henry A. McKelvey

What This is and Is Not
This is a lecture session
This is not a review of the PDF Slides
You are to read these (PDF Slides) in conjunction with your book
This is a chance to ask questions about the assignments and to understand what is required
This is not a chance to call your friends and family via the Internet
I require your full time and attention.

Objectives
How we handle data and information and why it is problematic
Be able to provide examples of threats
Determine the difference between nation and non-nation state threats
Know the difference between the APT Hacker Methodology (AHM) and the Penetration Tester Methodology (PTM)
Describe the AHM components
Explain the hacker’s thought process
List and describe the APT hacking core steps
Describe and explain the APT hacker attack phases

How we handle data and information and why it is problematic
We have limited data on how compromises actually happen, because:
Not all compromises are discovered
Not all discoveries are reported
Not all the facts of any specific compromise are uncovered
Some facts that are released may be misleading or even incorrect
Data and information are not disclosed in an open manner
See pages 30-31

Examples of Threats

Techno-Criminals:
Skimmer evolution
Skimmers are used by individuals who may lack technical ability but can gain physical access to the machines
See pages 32-33
Hacking power systems
Smart-meter tampering
Power jacking of USB-supplied power systems
Defeating physical controls
Unsophisticated Threat:
Hollywood Hacker
Unskilled, but uses total immersion in technology against targets
Social engineering tactics

Examples of Threats (Cont.)

Unsophisticated Threat: (Cont.)
Neighbor from Hell
Wi-Fi attacks; e-mail spoofing so that messages appear to come from the victim
Using attack methods to cast blame on others
See pages 35-37, the Barry Ardolf story
Smart Persistent Threats
Kevin Mitnick
Gaining access to computer systems
Social engineering
Exploiting knowledge of how people interact with systems

Nation-States vs. Non-nation States

Define Nation State:
A nation state is a geographical area that derives its political legitimacy from serving as a sovereign nation. A state is a political and geopolitical entity, while a nation is a cultural and ethnic one. (Political definition)
Define Non-Nation State:
A nation in which there is cultural diversity, and from this cultural diversity no one ethnic group holds complete national autonomy. (Political definition)
For threat purposes the distinction that matters is whether the attacker is backed by a government: a nation-state threat has a state's resources, intelligence support and legal cover behind it; a non-nation-state threat (the criminals and individuals in the examples above) does not.
See pages 37-49
Stuxnet, Duqu, Flame (What are these?)
RSA Attack, MITM Attack, Carrier IQ Attack (What are these?)

What are AHM and PTM and how do they Differ
AHM = APT Hacker Methodology
A skill set that allows a big-picture understanding of attacks and attack methods
A methodology that avoids segmenting attack methods
PTM = Penetration Tester Methodology
A skill set that allows a convergent, directed understanding of attacks and attack methods
A methodology that seeks to segment attack methods

What are AHM and PTM and how do they Differ (Cont)

Differences Between AHM and PTM

PTM   Attribute                                       AHM
Yes   Scope limitations                               No
Yes   Time limitations                                No
Yes   Customer conscious                              No
Yes   Predetermined immunity (authorized in advance)  No
No    Concerned with anonymity                        Yes
No    Requires long-term stealth                      Yes
No    Continuous probing of target                    Yes

Pen testing is not AHM

The Components of AHM
The Elegance of Taking in the Big Picture
Seeing the forest instead of the trees
High Skill Level
Knowing what to do and why to do it
Preparation
Knowing what is needed to carry out a successful attack
Patience
Knowing how to take your time and collect proper data on the target before attacking (reconnaissance is the key)

The Components of AHM (Cont.)
Social Omniscience
Having knowledge of people and of how they interact with one another
See page 58 for listing
Target Selectivity
Go for the weakest link
Careful Attention to Efficacy
Using the most effective tool for each job
Exploitless Exploits
Using what is already there to your benefit (turning the system's own tools and features against it)
Knowing the Value of Information
Gathering data is the most important task

The AHM Thought Process
Think outside the box
Use unconventional thinking to reach your goals
See pages 61-65 (Examples)
Use Misdirection as a Tool
Companies use visible security controls as misdirection; understand this and adapt
Technology may hide weakness rather than remove it
Thinking Through Pain
The APT hacker will work to understand what at first seems incomprehensible
Avoid Tunnel Vision
Examine all avenues of possibility
There are no rules in war
The APT hacker will use any means necessary
Keep It Simple, Stupid (KISS)
Your attack should be simple; avoid needless complications

Core Steps
I have to admit that for the most part I agree with what the author has said, and I have to congratulate him on separating Reconnaissance and Enumeration. The problem I have is the order of events.
Here is what he has:
Reconnaissance
Enumeration
Exploitation
Maintaining Access
Clean up
Progression
Exfiltration
I would swap Reconnaissance and Enumeration. I would like to know if something is worth the effort of recon.

APT Hacking Core Steps Listed
Enumeration (using ping and traceroute to find live hosts and the paths to them)
Reconnaissance (using Nmap to test which ports and services are open)
Exploitation (launching the attack against the systems found to have vulnerabilities)
Maintaining Access (setting up and using back doors)
Clean up (removing evidence of the attack: log files and the traces recorded by IDS/IPS software)
Progression (attacking other systems from the compromised system to set up gathering of data throughout the environment)
Exfiltration (retrieving the gathered data from the target environment)
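The core steps name the tools for enumeration (ping, traceroute) and reconnaissance (Nmap) but not what to do with their output. The following is an added example, not code from this lecture or from the book: it parses Nmap's grepable (-oG) output, drops the hosts that enumeration reported Down, and ranks the live hosts by a hypothetical exposure score so that the weakest link (the Target Selectivity component above) is examined first. The scan output is constructed for the example (documentation-range addresses, invented services), and the service weights are an assumption of the example, not a standard.

```python
"""Added example (not from the lecture or the book): turn the output of
the enumeration/reconnaissance steps into a ranked target list, so the
"weakest link" host is examined first.

The scan output below is constructed for this example (nmap's -oG
"grepable" format; addresses are from the 192.0.2.0/24 documentation
range and the services are invented)."""

# Constructed output of: nmap -sV -oG scan.gnmap 192.0.2.8/29
SAMPLE_GNMAP = """\
# Nmap 7.93 scan initiated as: nmap -sV -oG scan.gnmap 192.0.2.8/29
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 443/open/tcp//https//nginx/\tIgnored State: closed (998)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 23/open/tcp//telnet//Linux telnetd/, 80/open/tcp//http//Apache httpd 2.2.15/, 445/open/tcp//microsoft-ds//Samba smbd 3.X/\tIgnored State: closed (996)
Host: 192.0.2.12 ()\tStatus: Down
# Nmap done -- 8 IP addresses (2 hosts up) scanned
"""

# Hypothetical exposure weights (an assumption of this example, not a
# standard): cleartext and legacy file-sharing services weigh more than
# authenticated, encrypted ones. Unknown services get DEFAULT_WEIGHT.
SERVICE_WEIGHT = {
    "telnet": 5,
    "ftp": 4,
    "microsoft-ds": 4,
    "smtp": 3,
    "http": 2,
    "ssh": 1,
    "https": 1,
}
DEFAULT_WEIGHT = 2


def parse_gnmap(text):
    """Parse nmap -oG output into {ip: {"up": bool, "ports": [...]}}.

    Each port entry is (port, protocol, service, version). Only ports in
    the "open" state are kept; filtered/closed ports are dropped.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines such as "# Nmap done"
        ip = line.split()[1]
        entry = hosts.setdefault(ip, {"up": False, "ports": []})
        # Fields after the host are tab-separated "Key: value" pairs.
        for field in line.split("\t")[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["up"] = value.strip() == "Up"
            elif key == "Ports":
                entry["up"] = True  # nmap only lists ports for live hosts
                for record in value.split(", "):
                    # port/state/protocol/owner/service/rpcinfo/version/
                    f = record.strip().split("/")
                    if len(f) < 7 or f[1] != "open":
                        continue
                    entry["ports"].append((int(f[0]), f[2], f[4], f[6]))
    return hosts


def score_host(ports):
    """Exposure score for one host: sum of the weights of its open services."""
    return sum(SERVICE_WEIGHT.get(service, DEFAULT_WEIGHT)
               for _, _, service, _ in ports)


def rank_targets(text):
    """Live hosts ordered weakest-first as (ip, score, open_port_count).

    Hosts reported Down by the enumeration step are excluded; ties are
    broken by the number of open ports, then by address.
    """
    hosts = parse_gnmap(text)
    live = [(ip, score_host(h["ports"]), len(h["ports"]))
            for ip, h in hosts.items() if h["up"]]
    return sorted(live, key=lambda t: (-t[1], -t[2], t[0]))


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    for ip, score, n_open in rank_targets(SAMPLE_GNMAP):
        services = [s for _, _, s, _ in parsed[ip]["ports"]]
        print(f"{ip:<12} score={score:<3} open={n_open} services={services}")
```

On the constructed scan the host exposing telnet, FTP, an old Apache and SMB ranks first (score 15) and the SSH/HTTPS-only host second (score 2); the Down host never reaches the list. The weights are the part to adjust: they encode which services you consider the weakest link, which is exactly the judgement the Target Selectivity component asks for.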

APT hacker Attack Phases
Reconnaissance
Gather all available information and data on the target
Spear Social Engineering
Manipulate specific persons who can be used to gain access
Remote and Wireless
Target remote and wireless users to exploit weaknesses in remote access and wireless networks
Hardware Spear-phishing
Use custom-built hardware devices, delivered to the target or planted at its buildings and locations
Physical infiltration
Target any place the main target is or might be located (hotel rooms, third-party locations, etc.)

Basic Network

The fact is that APT attackers are more advanced than the networks they set out to attack. How would you attack this network, using the thought processes, the core steps and the attack phases discussed?

Questions and Answers To be posted on the Discussion Portal
Feel free to ask questions; if not, I have some questions for you.
What is the goal of pen testing vs. APT hacking?
What problems would pen testers have when dealing with APT hackers?
Pretend that your manager approaches you with the question "What is APT?" Could you explain it, and if so, how?
In your own words, give me your opinion of this presentation.

This is “The End”
