APT Reports and OPSEC Evolution, or: These Are Not the APT Reports You Are Looking For

Wednesday 5 October 12:00 - 12:30, Green room

Gadi Evron (Cymmetria)
Inbar Raz (Perimeter X)

With the advancement of defensive cyber security practices and the regular release of reports exposing toolsets used in APT attacks, advanced threat actors have had to adapt. However, while APT reports should have threat actors scrambling to keep up, in reality they are providing APT actors with the information they need to implement new operational security practices and technologies that have defenders working as hard as ever to protect their networks. Not only are attackers adapting; they are evolving at a faster rate than defenders. So what are we, as defenders, doing wrong?

The fact is, many public APT reports suck. Even though they tend to be long and technical, they are often not full reports, but rather a commentary on the attack platform(s) and deployment technique(s) used, intended for PR purposes. This results in an asymmetry — an information gap — that benefits the attacker. Current APT reports basically act as free Q&A for APT actors, providing them with valuable information about defenders' insights into their tools and actions. As a result, APT actors are able to adapt their OPSEC practices and technology in order to stay one step ahead of defenders. APT reports in their current state are more beneficial to attackers than defenders.

Currently, most APT reports provide abundant information on indicators of compromise (IOC), C&C set-up and malware used. This talk examines actual techniques that can be used to re-engineer the entire attack process, including how attackers decide what information is valuable to target, where that information can be found, creating a target report and then attack plan, and the ongoing concerns of an attacker during lateral movement (i.e. OPSEC, intelligence gathering, keeping their identity hidden). Based on these techniques, we discuss specific defensive counter-measures that can be used. If APT reports included more actionable intelligence that defenders could use to create better defence practices, their value would then be greater to defenders than to attackers. The talk discusses how intelligence on the attack vector of an APT or what information was compromised is actually more valuable to a defender than what currently dominates APT reports (malware analysis, IOCs). APT reports with more actionable intelligence would allow us the ability to publicly re-engineer specific attacks, consequently rendering useless certain attack techniques that are currently not available for public knowledge.

The cybersecurity sector needs to demand earlier reporting of breaches (or at least a heads up to the security community), actionable public information sharing, and a move away from our current fixation on attribution. We need to make hackers spend significantly more time, effort, and resources in order to succeed. By producing better APT reports, not only can the security community increase attackers' costs and cause them to be constantly on guard, but also significantly disrupt the attacker's operations and make it difficult for them to rebuild their attack infrastructure after being compromised and exposed.

The bottom line: in order to counter the evolution of APTs, we need APT reports that provide a more wholesome view of an attacker's motivations and chosen vector in addition to an analysis of his techniques. This shift in focus can give security professionals more tools to successfully re-engineer an attacker's methodology.

Click here for more details about the conference.

108x142-Gadi-Evron.jpg

Gadi Evron

Gadi is the Founder and CEO of Cymmetria, a cybersecurity startup that is pioneering the space of cyber deception. He is also Founder and Chairman of the Board of the Israeli CERT, Founding Chairman of the Cyber Threat Intelligence Alliance (CTIA), and Founder of the Israeli Government CERT. Gadi is widely recognized for his work in Internet security operation and global incident response, and is considered the first botnet expert.

Prior to founding Cymmetria, Gadi was VP of Cybersecurity Strategy for Kaspersky Lab, led PwC's Cyber Security Center of Excellence (located in Israel), and was CISO of the Israeli government's Internet operations. He has authored two books on the topic of information security, organizes global professional working groups, chairs worldwide conferences, and is a frequent lecturer.

108x143-Inbar-Raz.jpg

Inbar Raz

Inbar has been teaching and lecturing about Internet security and reverse engineering for nearly as long as he has been doing that himself. He started programming at the age of 9 on his Dragon 64. At 13 he got a PC, promptly started reverse engineering a year later, and through high-school he was a key figure in the Israeli BBS scene. He spent most of his career in the Internet and data security field, and the only reason he's not in jail right now is because he chose the right side of the law at an early age. Nowadays he commonly lectures about ethical hacking.

Inbar specializes in outside-the-box approaches to analysing security and finding vulnerabilities. From late 2011 to late 2014, he was running the malware and security research at Check Point, using his extensive experience of over 20 years in the Internet and data security fields. He has presented at a number of conferences, including Kaspersky SAS, Hack.lu, CCC, Virus Bulletin, ZeroNights, ShowMeCon, BSidesTLV, several law enforcement events and Check Point events.

These days, Inbar is running the research at PerimeterX, shielding websites against modern attacks by leveraging client-side behavioural analysis, and providing highly accurate detection and low friction integration.