Finger Pointing for Fun, Finger Pointing for Fun, Profit and War? Profit and War? Profit and War? Profit and War? Tom Parker Tom Parker tom.at.rooted.dot.net tom.at.rooted.dot.net om.at.rooted.dot.net om.at.rooted.dot.net
Quick Introduction Quick Introduction.. Quick Introduction.. Quick Introduction � Background & Recent Events � Background & Recent Events Background & Recent Events Background & Recent Events � Attribution Attribution – – why do we care? why do we care? � Technical Analysis Today � Technical Analysis Today Technical Analysis Today Technical Analysis Today � Technical Attribution 101 Technical Attribution 101 � Enhancing Existing Methodologies � Enhancing Existing Methodologies Enhancing Existing Methodologies Enhancing Existing Methodologies � Non Technical Data Correlation & Augmentation Non Technical Data Correlation & Augmentation
Media & “Cyber War” Media & “Cyber War” Love Affair Love Affair � WSJ “Wide Cyber Attack Is Linked to China” WSJ “Wide Cyber Attack Is Linked to China” � 60 Minutes “Sabotaging the System” � 60 Minutes Sabotaging the System 60 Minutes “Sabotaging the System” 60 Minutes Sabotaging the System � Google/Adobe “Aurora Incident” Google/Adobe “Aurora Incident” � Targeted SCADA Malware? � Targeted SCADA Malware? Targeted SCADA Malware? Targeted SCADA Malware?
Cyber Conflict Lexicon Cyber Conflict Lexicon Cyber Conflict Lexicon Cyber Conflict Lexicon � Cyber War � Cyber War Cyber War Cyber War � Adversary / Actor Adversary / Actor � Attribution Att ib ti Att ib ti Attribution � APT? APT?
Attribution Attribution – Why do we care? Attribution Attribution Why do we care? Why do we care? Why do we care? � LE/Actor Deterrents � LE/Actor Deterrents LE/Actor Deterrents LE/Actor Deterrents � Actor Intelligence Actor Intelligence � Profiling Adversarial Technical Capabilities P P Profiling Adversarial Technical Capabilities fili fili Ad Ad i l T i l T h i h i l C l C biliti biliti � Insight into State Sponsored Programs Insight into State Sponsored Programs � Creating Linkage Between Actor Groups C C Creating Linkage Between Actor Groups G G � Tracking the Supply Chain Tracking the Supply Chain
Attribution: Attribution: What are we looking for? What are we looking for? � The obvious � The obvious The obvious – An individual or group of The obvious An individual or group of An individual or group of An individual or group of individuals name(s), street address, social individuals name(s), street address, social networking page etc networking page etc networking page etc.. networking page etc.. � However.. However.. � We often don’t care about this.. W W We often don’t care about this.. ft ft d d ’t ’t b b t thi t thi � Doesn’t generally help develop countermeasures Doesn’t generally help develop countermeasures � Attributing to the actor/group level is often enough � Attributing to the actor/group level is often enough Attributing to the actor/group level is often enough Attributing to the actor/group level is often enough for profiling efforts for profiling efforts
Attribution Continued Attribution Continued.. Attribution Continued Attribution Continued.. � Attribution at actor group level � Attribution at actor group level Attribution at actor group level Attribution at actor group level � Differentiation between groups Differentiation between groups � Identification of group geography � Identification of group geography Identification of group geography Identification of group geography � Indications of sponsorship Indications of sponsorship � Nation State (China, Russia � Nation State (China Russia Nation State (China Russia or Korea?) Nation State (China, Russia or Korea?) or Korea?) or Korea?) � Organized Crime (RBN et al?) Organized Crime (RBN et al?) � Activist Group � Activist Group Activist Group Activist Group � Where worlds collide Where worlds collide � Code sharing between groups Code sharing between groups
Conventional Analysis Conventional Analysis Data Sources Data Sources � Static and Runtime Binary Analysis � Static and Runtime Binary Analysis Static and Runtime Binary Analysis Static and Runtime Binary Analysis � Memory Forensics Memory Forensics � Vulnerability Exploitation & Payload Analysis � Vulnerability Exploitation & Payload Analysis Vulnerability Exploitation & Payload Analysis Vulnerability Exploitation & Payload Analysis � Command & Control Command & Control � Post � Post Post Exploitation Forensics Post-Exploitation Forensics Exploitation Forensics Exploitation Forensics
Analysis Today Continued Analysis Today Continued Analysis Today Continued.. Analysis Today Continued.. � What Happened? � What Happened? What Happened? What Happened? � How did they get in? How did they get in? � What did they exploit to get in? What did they exploit to get in? Wh t did th Wh t did th l it t l it t t i ? t i ? � What was done once on the system? What was done once on the system? � Are they still there? Are they still there? � How can this be prevented in the future? � How can this be prevented in the future? How can this be prevented in the future? How can this be prevented in the future?
Automated Analysis Today Automated Analysis Today Automated Analysis Today Automated Analysis Today � Anti Virus: � Anti Virus: Anti Virus: Anti Virus: � Known Signature Known Signature � Virus � Virus Virus Like Characteristics Virus-Like Characteristics Like Characteristics Like Characteristics � Sandbox / Runtime Analysis S S Sandbox / Runtime Analysis db db / R / R ti ti A A l l i i � What does the code do? What does the code do?
Analysis Today Continued Analysis Today Continued Analysis Today Continued.. Analysis Today Continued.. � Lots of R&D Associated with Modern � Lots of R&D Associated with Modern Lots of R&D Associated with Modern Lots of R&D Associated with Modern AV/Analysis Technologies. AV/Analysis Technologies. � Typically Designed to Provide End User � Typically Designed to Provide End User Typically Designed to Provide End User Typically Designed to Provide End User with a one or a zero, and no exposure to with a one or a zero, and no exposure to any shades of grey. any shades of grey. any shades of grey any shades of grey � LOTS of useful metadata processed under LOTS of useful metadata processed under the hood that we can make better use of. th the hood that we can make better use of. th h h d th t d th t k k b tt b tt f f
Static and Runtime Static and Runtime Binary Analysis Binary Analysis � What does the code “do”? � What does the code do ? What does the code “do”? What does the code do ? � How does it ensure persistence? How does it ensure persistence? � What changes are made to the system Wh t h What changes are made to the system Wh t h d d t t th th t t
Attribution Research Intro Attribution Research Intro Attribution Research Intro Attribution Research Intro � Cyber Adversary Working Cyber Adversary Working Group (DC) Group (DC) � RAND � RAND RAND Conference RAND Conference Conference Conference � Cyber Conflict Studies Association Cyber Conflict Studies Association � Blackhat Bl Bl Blackhat Briefings (2003, 2004, 2006) kh t kh t B i fi B i fi Briefings (2003, 2004, 2006) (2003 2004 2006) (2003 2004 2006) � Auditing the Hacker Mind ( Auditing the Hacker Mind (Syngress Syngress) )
Attack Inhibitors Attack Inhibitors Attack Inhibitors Attack Inhibitors � Payoff/Impact Given Success Payoff/Impact Given Success y y p p � Perceived Probability of Success Given an Perceived Probability of Success Given an Attempt Attempt � Perceived Probability of Detection Given an Perceived Probability of Detection Given an Attempt Perceived Probability of Detection Given an Perceived Probability of Detection Given an Attempt Attempt Attempt � Perceived Probability of Attribution Perceived Probability of Attribution Given Detection Given Detection � Perceived Consequences � Perceived Consequences Perceived Consequences of Attribution Perceived Consequences of Attribution of Attribution of Attribution � Adversary Adversary Uncertainty Given the Attack Uncertainty Given the Attack Parameters Parameters
Attack Drivers Attack Drivers Attack Drivers Attack Drivers � Payoff/Impact Given Success Payoff/Impact Given Success y y p p � Perceived Perceived Probability of Success Given an Attempt Probability of Success Given an Attempt � Perceived � Perceived Perceived consequences of failure Perceived consequences of failure consequences of failure consequences of failure
Adversary attack fingerprints Adversary attack fingerprints Adversary attack fingerprints Adversary attack fingerprints � Key Attack Meta Data � Key Attack Meta Data Key Attack Meta Data Key Attack Meta Data � Attack sources Attack sources � Other Relevant Packet Data Other Relevant Packet Data Other Relevant Packet Data Other Relevant Packet Data � Attack tools and their origins Attack tools and their origins � Attack methodology Attack methodology Attack methodology Attack methodology � Planning Planning � Execution Execution � Follow through Follow through
Recommend
More recommend
