Marcus Murray, Truesec, Microsoft MVP
Marcus is a great speaker, and has been speaking at TechEd for a number of years. His sessions are always very popular and informative. He has a different style..no power point slides and nearly all live demos. This session explained what an APT (advanced persistent threat) is and show some live examples of exploits and how easy they are to develop and go undetected. This doesn’t take a state sponsor like China to pull off.
- APT – Term originally used by the military. Both the capability and intent to presistently and effectively target a specific entity
- Can easily buy off the shelf pieces to assemble your own APT. Not only for Governments, but corps can create them too.
- Many of the APT attacks really aren’t that advanced. Companies can use APT as an excuse why they got hacked.
- They can go low and slow, unlike worm attacks where you get data then exit the network
- 6% of APT attacks are detected
- People behind the RSA compromise attacked 800 companies using the RSA dongle information they stole
1) Need to compromise one computer (client side attack, server side attack, USB, etc.)
2) install a backdoor – machine remotely accessed via poison ivy tool
3) Lateral movement – Elevate access
4) Data gathering from target servers
5) Exfiltrate data
- Demoed a rigged spreadsheet that contained an exploit which allowed an attacker to open a remote command prompt when the spreadsheet was opened.
- Demoed an obfuscated SQL injection exploit that remotely opened a powershell command prompt. Used powershell command encoding.
- Don’t have to touch disk to pull off these attacks
- Poison Ivy tool – Great tool for remotely controlling/accessing a computer. Capture key strokes, turn on webcam, etc.
- Demoed a home built tool that can hide any exe from anti-virus software
Bottom line is that practically everyone will get hacked at some point, and many will never know it. Protecting yourself is very hard and more than simply installing AV and setting up a firewall. Internal security is paramount. Marcus said he’s impressed with the Azure internal security controls Microsoft has taken. Assume all clients, even those internally, are compromised and harden your core infrastructure accordingly.