Cyber Attribution: Campaigns and renegades Dr. Samuel Liles - - PowerPoint PPT Presentation

SLIDE 1

Cyber Attribution: Campaigns and renegades

Dr. Samuel Liles

UNCLASSIFIED

SLIDE 2

Caveats: The following represents my research over many years and none of it occurred while a federal government employee. While every effort has been made to ensure accurate portrayal of events within this presentation, some details may be omitted due to the research topic. Opinions, conjecture, or observations are those of the presenter and should not be construed to be official policies or opinions of The Department of Homeland Security, The Federal Government, or the companies who provided primary and secondary source materials. A bibliography at the end of this presentation covers past and current discussion on the topic but is not an exhaustive example of the topic.

SLIDE 3

Abstract

Attribution of adversaries is a key point in a risk management approach to cybersecurity. This is an art left to the intelligence and law enforcement communities. Unique methods are explored that result in determining and defining a cyber adversary. This discussion is a result of the collision between application, science, and art, where a multi-disciplinary approach produces a comprehensive result.

SLIDE 4

Goals

  • Identify and characterize attributive techniques that are scientifically valid
  • Where validity is not possible or the scientific method does not support attributive techniques, determine the viability of other methods

SLIDE 5

Risk Research

SLIDE 6

Threat Research

SLIDE 7

Threat Research

SLIDE 8

Exploitation Research

Diagram by Sam Liles

SLIDE 9

SLIDE 10

Tracking an Adversary in Time and Place by vulnerabilities

Diagram by Sam Liles

SLIDE 11

Diagram by Sam Liles

SLIDE 12

Diagram by Sam Liles

SLIDE 13

Diagram by Sam Liles

SLIDE 14

SLIDE 15

Rosetta Research

Diagram by Sam Liles. Concepts supported by work of Ronald Kurtz

SLIDE 16

Rosetta Research

Comparison chart of adversary-lifecycle frameworks (flattened from the slide graphic; Boom is the timeline marker on the chart):

Cyber Kill Chain: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objective

MITRE ATT&CK (tactics): Persistence, Privilege Escalation, Defense Evasion, Credential Access, Host Enumeration, Lateral Movement, Execution, C2, Exfiltration

NSA TAO: Reconnaissance, Initial Exploitation, Establish Persistence, Install Tools, Move Laterally, Collect Exfil Exploit

DNI Framework, Layer 1 Stages: Preparation, Engagement, Presence, Effect/Consequences (chart annotations: External Actions Before Intrusion, Pre-Execution Actions, Operational Actions, Internal Actions: “After Intrusions”)

DNI Framework, Layer 2 Objectives (in slide order): Plan Activity, Deploy Capability, Control, Deny Access, Conduct Research & Analysis, Interact with Target, Hide, Consume Resources, Develop Resources & Capabilities, Exploit Vulnerabilities, Expand, Alter/Manipulate Computer, Network, or System Behavior, Conduct Reconnaissance, Deliver Payload, Refine Targeting, Extract Data, Stage Operational Tools & Capabilities, Establish Persistence, Destroy HW/SW/DATA, Initiate Operations, Enable Other Operations

SLIDE 17

Adversary Research

Diagram by Sam Liles

SLIDE 18

Is attribution that simple?

Source: Attribution of cyber adversaries http://selil.com/archives/6791

SLIDE 19

Attribution

Chart axes: Time to Attribution (from Event Happens) and Evidence Required

Three modes of attribution, with the level of attribution each supports and the evidence each requires:
  • Political: Possible. Motive, means, opportunity
  • Technical: Probable. IOCs: IP, Hash, URL, method, time, etc.
  • Forensic: Provable. Crypto, non-repudiation, multi-mode sensing, direct observation

Reasoning modes:
  • Abductive reasoning: most reasonable explanation given current evidence
  • Deductive reasoning: Man -> Mortal; Socrates -> Man; therefore, Socrates -> Mortal
  • Inductive reasoning: given water is wet, if I am wet, it is likely water.

Switches back and forth

Diamond Model: Adversary, Capability, Infrastructure, Victim. Meta-Features: Timestamp, Phase, Result, Direction, Methodology, Resources

SLIDE 20

How do we analyze an intrusion?

Source: Luke in the sky with diamonds https://www.threatconnect.com/blog/diamond-model-threat-intelligence-star-wars/

SLIDE 21

Steps to attribution

  • The Diamond Model is a graphical representation of an intrusion but not of attribution
  • Attribution is the summation of an investigation
  • Prepare a set of facts characterized by time/date/event/DNI framework
  • Events have a victim (defined by business type, mission, category), a capability deployed by an adversary, and an infrastructure, both of which are indicative of IOCs
  • Memory, disk, and network evidence of compromise are categorized by DNI framework, type of compromise, and time of compromise (even if only a window)
  • Each event may have several stages of compromise, depicted as threads within one victim infrastructure, that become a unique pattern of TTP
  • Infrastructure of the adversary is identified through IOCs
  • Adversary infrastructure deployed against one victim is a starting point for further investigation of adversary capability
  • IOCs are used to pivot through the adversary network (IPs to domains, SSL certificates, ASNs, associated physical/logical locations, passive DNS to locate other infrastructure/victims)
  • Determine the time window for each compromise (DO NOT stack multiple events because it is easier)
  • When fusing classified intelligence into unclassified attribution, admit that magic happens: utilize the known answer to back into the otherwise unknowable solution, but be wary of this

Diamond Model: Adversary, Capability, Infrastructure, Victim. Meta-Features: Timestamp, Phase, Result, Direction, Methodology, Resources

Some background https://selil.com/archives/6791

SLIDE 22

Steps to attribution

Thread 1, Thread 2, Thread 3, Thread 4 laid across the DNI stages Preparation, Engagement, Presence, Effect/Consequences, with Boom as the timeline marker; the threads belong to Victim 1, Victim 1, Victim 2, Victim ?

Diamond vertex labels: A, I, C, V. Events A through F:
  • A & C are the same victim
  • B & D are the same victim
  • B & C share the same attack infrastructure
  • C & D saw the same capability
  • D & E & F saw the same attack infrastructure
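The correlation steps from the “Steps to attribution” slide and the A through F event relationships on this slide, worked through in code. This is an added example and not part of the presentation: the event names, victims, capability labels, RFC 5737 test addresses and timestamps are all constructed to reproduce the relationships the slide states, and the linkage rules (same victim, same infrastructure, same capability) plus the overlapping-window check are my encoding of the slide's bullets, not a tool from the deck.

```python
"""Link Diamond Model events into candidate activity threads.

Added example, not part of the slide deck. All event data below is constructed
to reproduce the relationships stated on slide 22 (A & C same victim, B & C
same infrastructure, C & D same capability, D/E/F same infrastructure, ...).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import combinations


@dataclass(frozen=True)
class Event:
    """One Diamond Model event: core features plus the meta-features the slides list."""
    name: str
    victim: str              # victim by business type / mission / category
    capability: str          # label for the deployed capability (constructed)
    infrastructure: str      # adversary infrastructure IOC (constructed, RFC 5737 range)
    phase: str               # DNI framework stage the event falls in
    timestamp: datetime      # best estimate of when the event happened
    window: timedelta = timedelta()  # uncertainty around the timestamp


# Linkage rules from the 'Steps to attribution' slide: a shared core feature
# connects two events and gives the analyst a reason to record.
LINK_RULES = {
    "same victim": lambda a, b: a.victim == b.victim,
    "same infrastructure": lambda a, b: a.infrastructure == b.infrastructure,
    "same capability": lambda a, b: a.capability == b.capability,
}


def find_links(events):
    """Return {(name_a, name_b): [rule, ...]} for every pair that shares a feature."""
    links = {}
    for a, b in combinations(events, 2):
        matched = [rule for rule, test in LINK_RULES.items() if test(a, b)]
        if matched:
            links[(a.name, b.name)] = matched
    return links


def activity_groups(events, links):
    """Union-find over the linked pairs; each group is one connected set of events."""
    parent = {e.name: e.name for e in events}

    def root(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for a, b in links:
        parent[root(a)] = root(b)
    groups = {}
    for e in events:
        groups.setdefault(root(e.name), []).append(e.name)
    return sorted(sorted(g) for g in groups.values())


def stacked_events(events):
    """Flag same-victim events whose time windows overlap.

    The slide says to determine a window per compromise and not to stack
    events because it is easier; overlapping windows are exactly where an
    analyst is tempted to merge two events, so surface them for review.
    """
    flagged = []
    for a, b in combinations(events, 2):
        if a.victim != b.victim:
            continue
        a_lo, a_hi = a.timestamp - a.window, a.timestamp + a.window
        b_lo, b_hi = b.timestamp - b.window, b.timestamp + b.window
        if a_lo <= b_hi and b_lo <= a_hi:
            flagged.append((a.name, b.name))
    return flagged


def build_sample_events():
    """Constructed events A..F matching the relationships listed on slide 22."""
    t0 = datetime(2016, 3, 1, 9, 0)   # constructed date
    return [
        Event("A", "victim-1", "cap-1", "192.0.2.10", "Engagement", t0, timedelta(hours=2)),
        Event("B", "victim-2", "cap-2", "198.51.100.7", "Engagement", t0 + timedelta(days=2)),
        Event("C", "victim-1", "cap-Y", "198.51.100.7", "Presence", t0 + timedelta(hours=1), timedelta(hours=1)),
        Event("D", "victim-2", "cap-Y", "203.0.113.5", "Presence", t0 + timedelta(days=4)),
        Event("E", "victim-3", "cap-5", "203.0.113.5", "Effect/Consequences", t0 + timedelta(days=6)),
        Event("F", "victim-unknown", "cap-6", "203.0.113.5", "Effect/Consequences", t0 + timedelta(days=7)),
    ]


if __name__ == "__main__":
    events = build_sample_events()
    links = find_links(events)
    for pair, reasons in links.items():
        print(f"{pair[0]} <-> {pair[1]}: {', '.join(reasons)}")
    print("activity groups:", activity_groups(events, links))
    print("possible stacked events (review before merging):", stacked_events(events))
```

Run stand-alone, the six events collapse into a single connected group, which is the point of the slide: no single pair proves anything, but the chain of shared victims, infrastructure and capability ties the threads together. The `stacked_events` check only flags candidates; the analyst still decides whether A and C are one compromise or two.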

SLIDE 23

Future Work

  • Artificial intelligence or game engine structure to automate response
  • Contextualize and automate data collection into the framework
  • Operationalize the resultant activity

SLIDE 24

Questions?

SLIDE 25

Bibliography 1

  • Rid, Thomas; Buchanan, Ben, “Attributing Cyber Attacks”, The Journal of Strategic Studies, Vol 38, 1-2, 4-37
  • Rid and Buchanan specifically are concerned that the “Diamond Model” suggested by Caltagirone, Pendergast, and Betz may be suspect.
  • Boebert, Earl, “A survey of challenges in attribution”, Proceedings of a workshop on deterring cyber-attacks: Informing strategies and developing options for U.S. policy, National Academies Press, 2010
  • Locard’s Exchange Principle fundamentally states that the perpetrator of a crime will bring something to the crime scene and leave with something from it. In cyber network defense, examples include malware, internet protocol addresses, log files, netflow data, and other artifacts (https://en.wikipedia.org/wiki/Locard%27s_exchange_principle)
  • Scientific Method (https://en.wikipedia.org/wiki/Scientific_method)
  • Caltagirone; Pendergast; Betz, “The Diamond Model”, DoD Document released 2013
  • Brady, Henry; Sniderman, Paul, “Attitude Attribution: A group basis for political reasoning”, American Political Science Review, Volume 79, December 1985
  • Clark, David; Landau, Susan, “Untangling Attribution”, Proceedings of a workshop on deterring cyber-attacks: Informing strategies and developing options for U.S. policy, National Academies Press, 2010

SLIDE 26

Bibliography 2

  • Yamamoto, Teppei, “Understanding the past: Statistical analysis of causal attribution”, American Journal of Political Science, Vol 0 No 0, 2011, pp 1-20 (pre-print copy used)
  • Confirmation bias (https://en.wikipedia.org/wiki/Confirmation_bias)
  • Perfidy (https://en.wikipedia.org/wiki/Perfidy)
  • False flag or deception operations (https://en.wikipedia.org/wiki/False_flag)
  • USENIX Enigma Conference, January 2016, https://www.usenix.org/conference/enigma2016
  • Bruce Schneier reports on Bruce Joyce discussion at USENIX Enigma Conference, https://www.schneier.com/blog/archives/2016/02/nsas_tao_on_int.html
  • USENIX Enigma 2016 – NSA TAO Chief on Disrupting Nation State Hackers, https://www.youtube.com/watch?v=bDJb8WOJYdA
  • See Adversarial Tactics, Techniques, and Common Knowledge, https://attack.mitre.org/wiki/Main_Page
  • Caltagirone; Pendergast; Betz, “The Diamond Model”, DoD Document released 2013, pages 26-30
