Michael Cloppert Intel Fusion lead Lockheed Martin CIRT
whoami
Michael Cloppert
Intel Fusion Team Lead, LM-CIRT
Logged In Since: 6/1997, 6/2001, 9/2005
Formal education as engineer, scientist
BS Computer Engineering, The University of Dayton
MS Computer Science, The George Washington University
Industry certifications: GCIA gold, GCFA gold, GREM
Countless others (SCO?)
Industries include Financial Services, Fed Gov’t, DoD
Constants Since 2006
Based on empirical evidence, beginning ’04-’06:
Delivery: social engineering, highly targeted, user/wkstn
Exploits: ubiquitous app focus, used first in targeted attacks
Objective: specific data, CNE
Capability: 24x7, situational awareness
Prior to 2006: classic intrusion methodology
Delivery Vector Evolution
[Chart: timeline 2006-2010 showing when each delivery vector was observed; rows: HTTP, SMTP, USB]
Capability will persist and spread amongst adversaries once used
Exploit Trends
[Chart: one panel per file format, 2006-2010, y-axis 0-40; data labels as extracted]
ZIP*: 35,1
DOC: 101,3
XLS: 32,1
PPT: 24,1
PDF: 395,13
Activity observed; reliable measures unavailable
* - typically only exploit was social engineering
C2, Payload Obfuscation
Arms race:
Base64
Modified Base64
XOR with keys increasing in size
XOR with complex key scheduling
SSL
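The following is an added example, not code from the talk, showing why each rung of that ladder below SSL is mechanically reversible for an analyst who holds a captured beacon: a fixed header in the beacon is known plaintext, and known plaintext leaks a repeating XOR key for its own length. The beacon format, the "BEACON-V2|" marker, the rotated base64 alphabet standing in for "modified Base64", and the XOR keys are all constructed here for illustration; only the last stage, TLS, leaves nothing to key off, which is why inspection has to move to endpoint telemetry or TLS interception at that point.

```python
"""Peeling the pre-TLS layers of the C2 obfuscation arms race.

Added example for the slide above; not code from the talk.  The beacon
format, marker string, rotated base64 alphabet and XOR keys are all
constructed here for illustration."""
import base64
import binascii
import string
from itertools import cycle
from typing import List, Optional, Tuple

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
# Hypothetical "modified base64": the standard alphabet rotated by 7 positions.
MOD_ALPHABET = STD_ALPHABET[7:] + STD_ALPHABET[:7]

# Constructed beacon: a fixed header followed by host/user fields.  The fixed
# header is what an analyst can rely on as known plaintext.
MARKER = b"BEACON-V2|"
PLAINTEXT = MARKER + b"host=ws-042;user=jdoe;task=idle"


def modified_b64_encode(data: bytes) -> str:
    """Standard base64, then swap in the custom alphabet (padding untouched)."""
    return base64.b64encode(data).decode().translate(str.maketrans(STD_ALPHABET, MOD_ALPHABET))


def modified_b64_decode(text: str) -> bytes:
    """Map the custom alphabet back onto the standard one, then decode."""
    return base64.b64decode(text.translate(str.maketrans(MOD_ALPHABET, STD_ALPHABET)))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_xor_key(ciphertext: bytes, known_prefix: bytes, max_key_len: int = 16) -> Optional[bytes]:
    """Known-plaintext recovery of a repeating XOR key.

    key[i] = ciphertext[i] ^ plaintext[i], so a fixed beacon header leaks the
    key stream for its own length.  A candidate key length is accepted only if
    the header is long enough to see the key repeat at least once; that is
    what separates a real period from a trivial match."""
    for klen in range(1, max_key_len + 1):
        if 2 * klen > len(known_prefix):
            break
        candidate = xor_bytes(ciphertext[:klen], known_prefix[:klen])
        if xor_bytes(ciphertext[: len(known_prefix)], candidate) == known_prefix:
            return candidate
    return None


def deobfuscate(sample: str, known_prefix: bytes = MARKER) -> Tuple[bytes, List[str]]:
    """Try the stages in the order the slide lists them and report which
    layers were peeled.  Returns (b"", [reason]) when nothing fits, which is
    where SSL/TLS-wrapped traffic lands: there is no plaintext to key off."""
    for name, decoder in (("base64", base64.b64decode), ("modified base64", modified_b64_decode)):
        try:
            raw = decoder(sample)
        except (binascii.Error, ValueError):
            continue
        if raw.startswith(known_prefix):
            return raw, [name]
        key = recover_xor_key(raw, known_prefix)
        if key is not None:
            return xor_bytes(raw, key), [name, f"xor key {key.hex()}"]
    return b"", ["no known-plaintext match (opaque, e.g. TLS-wrapped)"]


def build_samples() -> dict:
    """Constructed beacons, one per stage of the arms race below SSL."""
    return {
        "base64": base64.b64encode(PLAINTEXT).decode(),
        "modified_base64": modified_b64_encode(PLAINTEXT),
        "xor_1byte": base64.b64encode(xor_bytes(PLAINTEXT, b"\x37")).decode(),
        "xor_4byte": modified_b64_encode(xor_bytes(PLAINTEXT, b"\x5a\x13\x9c\x41")),
    }


if __name__ == "__main__":
    for stage, blob in build_samples().items():
        plain, layers = deobfuscate(blob)
        print(f"{stage:16s} -> {layers} -> {plain[:24]!r}")
```

The key-length guard in recover_xor_key is the part worth copying: without requiring the known header to cover at least two key periods, a candidate as long as the header "verifies" against anything, and the analyst is handed a key that is really just ciphertext XOR header. Longer keys and real key scheduling defeat this particular trick, but the slide's point stands: each step only raised the cost until the adversary reached SSL, where the defender's leverage moves off the wire.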
Sleep tight… No, you can’t see the data (sorry)
Contact Info
[email protected]
Twitter: mikecloppert
Web: http://blog.cloppert.org
https://blogs.sans.org/computer-forensics/author/mikecloppert/