
Abstract


Gabor Pek is a PhD student at CrySyS Lab (Laboratory of Cryptography and System Security). He obtained his MSc diploma in computer science at the Budapest University of Technology and Economics in 2011 and has been a PhD student there since then. He has been doing research in the CrySyS Lab under the guidance of Prof. Levente Buttyan since 2008 in the fields of malware analysis and virtualization security. He also completed internships at iSecLab at Eurecom, France in 2012 and at the Technical University of Vienna in 2009. He has participated in several industrial and academic projects, including penetration testing, malware analysis (e.g., as a member of the Duqu, Flame, Miniduke and Teamspy investigation teams) and securing/exploiting hardware virtualization (e.g., XSA-59). He was also a member of the 2009 UCSB iCTF We 0wn Y0u team (2nd position) and one of the main organizers of various Hungarian CTF teams (e.g., CrySyS.iCTF, !SpamAndHex). In December 2012 he co-founded a spin-off called Ukatemi Technologies with some of his colleagues from the CrySyS Lab to mitigate current targeted attacks.

[Abstract] In recent years, the number of uncovered targeted attacks created and sponsored by different threat actors has exceeded every expectation. While these targeted cyber-attacks mainly use known techniques to infect systems or stay silent, they are still remarkably successful against high-profile victims. In my presentation, I give technical background on the trends we saw in the evolution of recent campaigns, focusing on the techniques and tricks used by adversaries. Interestingly, adversaries do not use exceptionally sophisticated methods in recent campaigns; rather, they come up with quite rough solutions. I will disclose the following observations of CrySyS Lab in more detail: there are a limited number of (high-profile) victims; there is no server-side polymorphism; the goal is data exfiltration (e.g., Duqu, Flame, Teamspy) or destruction (e.g., batchwiper); and there is a trade-off between persistence and stealthiness. At the same time, attackers are increasing the speed of their reconnaissance and lateral movement. When an incident happens, they first look at system administrator documents and network topologies to discover and identify valuable assets. Finally, the collected data is transferred via the relay nodes of the C&C infrastructure. My presentation includes concrete examples to confirm all the statements above.

Slides