Finger Pointing for Fun, Profit and War? - PowerPoint PPT Presentation

Tom Parker, tom.at.rooted.dot.net


SLIDE 1

Finger Pointing for Fun, Profit and War?

Tom Parker
tom.at.rooted.dot.net
SLIDE 2

Quick Introduction..

Background & Recent Events
Attribution – why do we care?
Technical Analysis Today
Technical Attribution 101
Enhancing Existing Methodologies
Non Technical Data Correlation & Augmentation

SLIDE 3

Media & “Cyber War” Love Affair

WSJ “Wide Cyber Attack Is Linked to China”
60 Minutes “Sabotaging the System”
Google/Adobe “Aurora Incident”
Targeted SCADA Malware?

SLIDE 4

Cyber Conflict Lexicon

Cyber War
Adversary / Actor
Attribution
APT?

SLIDE 5

Attribution – Why do we care?

LE/Actor Deterrents
Actor Intelligence
  • Profiling Adversarial Technical Capabilities
  • Insight into State Sponsored Programs
  • Creating Linkage Between Actor Groups
  • Tracking the Supply Chain

SLIDE 6

Attribution: What are we looking for?

The obvious – an individual's or group of individuals' name(s), street address, social networking page etc..
However..
We often don’t care about this..
  • Doesn’t generally help develop countermeasures
  • Attributing to the actor/group level is often enough for profiling efforts

SLIDE 7

Attribution Continued..

Attribution at actor group level
  • Differentiation between groups
  • Identification of group geography
Indications of sponsorship
  • Nation State (China, Russia or Korea?)
  • Organized Crime (RBN et al?)
  • Activist Group
Where worlds collide
  • Code sharing between groups

SLIDE 8

Conventional Analysis Data Sources

Static and Runtime Binary Analysis
Memory Forensics
Vulnerability Exploitation & Payload Analysis
Command & Control
Post-Exploitation Forensics

SLIDE 9

Analysis Today Continued..

What Happened?
How did they get in?
What did they exploit to get in?
What was done once on the system?
Are they still there?
How can this be prevented in the future?

SLIDE 10

Automated Analysis Today

Anti Virus:
  • Known Signature
  • Virus-Like Characteristics
Sandbox / Runtime Analysis
  • What does the code do?

SLIDE 11

Analysis Today Continued..

Lots of R&D associated with modern AV/analysis technologies.
Typically designed to provide the end user with a one or a zero, and no exposure to any shades of grey.
LOTS of useful metadata processed under the hood that we can make better use of.

SLIDE 12

Static and Runtime Binary Analysis

What does the code “do”?
How does it ensure persistence?
What changes are made to the system?

SLIDE 13

Attribution Research Intro

Cyber Adversary Working Group (DC)
RAND Conference
Cyber Conflict Studies Association
Blackhat Briefings (2003, 2004, 2006)
Auditing the Hacker Mind (Syngress)

SLIDE 14

SLIDE 15

Attack Inhibitors

Payoff/Impact Given Success
Perceived Probability of Success Given an Attempt
Perceived Probability of Detection Given an Attempt
Perceived Probability of Attribution Given Detection
Perceived Consequences of Attribution
Adversary Uncertainty Given the Attack Parameters

SLIDE 16

Attack Drivers

Payoff/Impact Given Success
Perceived Probability of Success Given an Attempt
Perceived Consequences of Failure

SLIDE 17

Adversary attack fingerprints

Key Attack Meta Data
  • Attack sources
  • Other Relevant Packet Data
  • Attack tools and their origins
Attack methodology
  • Planning
  • Execution
  • Follow through

SLIDE 18

Attack tool meta data: Origins

All attack tools have their origins..
These can be put into two broad categories:
Public
  • Often simply prove a concept
  • Often not ‘robust’
  • Many contain backdoors
Private
  • Frequently more robust than public counterparts
  • Generally better written
  • May be based on private attack APIs

SLIDE 19

Attack tool meta data: Use

How easy is it to use a given attack tool?
Prior technical knowledge required to use the tool
Prior target knowledge required to use the tool
Was it an appropriate tool to use for a given task?

SLIDE 20

Example Attack Scoring Matrix

Web Application Flaws                                                      Public  Private
Proprietary Application Penetration: SQL Injection                            3       5  5
Open Source Application Penetration: SQL Injection                            3       5  5
Proprietary Application Penetration: Arbitrary Code Injection                 2       4  4
Open Source Application Penetration: Arbitrary Code Injection                 2       4  4
Proprietary Application Penetration: OS command execution using MSSQL Injection        3       5  5
Proprietary Application Penetration: OS command execution using Sybase SQL Injection   3       5  5
Proprietary Application Penetration: SQL Injection only (MS SQL)              4       6  6
Proprietary Application Penetration: SQL Injection only (IBM DB2)             6       8  8
Proprietary Application Penetration: SQL Injection only (Oracle)              6       8  8

SLIDE 21

Furthering the Toolset

Large Bodies of RE/Analysis Research
Almost all geared around traditional IR
In most cases, not appropriate for attribution

SLIDE 22

Application of Current Tool Set To Attribution Doctrine

Can be possible through..
Exploit / Payload Analysis
Known Tooling/Markings
  • Normally requires manual effort to identify
Binary Image Meta Data
  • Email Addresses
  • User Names
  • Etc..

SLIDE 23

Exploit Analysis

Exploits often re-worked for malware
  • Improved reliability
  • Specific host type/OS level targeting
Possible to automate correlation with a knowledge base of public exploits
ANI Exploit – re-worked in malware to avoid IPS signatures for the previous exploit

SLIDE 24

Exploit Reliability & Performance

Crashes & Loose Lips Sink Ships
Improved Performance
Advanced / Improved Shellcode
  • Re-patching Memory
  • Repairing Corrupted Heaps
Less Overhead
  • No Large Heap Sprays or Excessive CPU Overhead
Continued Target Process Execution

SLIDE 25

Exploit Failure

Where possible – failure may be silent
Exploit Self Clean-Up:
  • Java hs_err log files
  • System / Application Log files
  • *NIX Core files

SLIDE 26

Exploit Applicability

Reconnaissance Performed
Execution based on SW (browser) version?
Operating System
Less likely to function on ASLR / DEP

SLIDE 27

Exploit Selection

Lots of Attention Toward 0day
1+Day != Low End Adversary?
Old Attacks Often Re-Worked
  • Bypass IDS/IPS Signatures
  • Improved Payloads Demonstrate Capability

SLIDE 28

Code Isomorphism

Lots of Investment from Anti-Code Theft World
Small Prime Product
  • Create Large Prime # Per Function
  • Unique Prime # / Each Opcode
  • Resistant to Reordering
API Call Structure Analysis
Function Checksums
Variables / Constant Tracking

(figure: API call structure comparison of Prog1.Func vs Prog2.Func, showing calls to RegSetValueEx, MessageBox and RegCreateKeyEx)

SLIDE 29

Code Isomorphism Cont..

Seokwoo Choi, Heewan Park et al
  • A Static Birthmark of Binary Executables Based on API Call Structure
Halvar Flake
  • BinDiff
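The following Python is an added example, not code from the talk, from BinDiff or from the Choi/Park birthmark paper. It implements the two ideas named on the Code Isomorphism slides: the "small prime product" fingerprint (one prime per distinct opcode, multiplied across a function, so instruction reordering cannot change the value) and an API-call-set birthmark in the spirit of the API call structure work. The mnemonics, the three sample functions, and the similarity measures (a Dice coefficient on opcode multisets read off the products via gcd, and Jaccard on API sets) are this example's own assumptions.

```python
"""Added example (not the talk's code, nor BinDiff or the Choi/Park tool):
a 'small prime product' opcode fingerprint per function, order-insensitive
by construction, next to an API-call-set birthmark. Mnemonics, sample
functions and similarity measures are constructed for illustration."""
from itertools import count
from math import gcd


def prime_stream():
    """Yield 2, 3, 5, 7, ... by trial division (enough for a few dozen opcodes)."""
    found = []
    for n in count(2):
        if all(n % p for p in found if p * p <= n):
            found.append(n)
            yield n


class OpcodeCodebook:
    """Maps each distinct mnemonic to its own prime, assigned on first sight."""

    def __init__(self):
        self._next_prime = prime_stream()
        self._prime_of = {}

    def prime(self, mnemonic):
        if mnemonic not in self._prime_of:
            self._prime_of[mnemonic] = next(self._next_prime)
        return self._prime_of[mnemonic]

    def known_primes(self):
        return list(self._prime_of.values())


def prime_product(func, codebook):
    """One prime per instruction, multiplied together. Multiplication commutes,
    so a reordered copy of the function gets the same (large) number, while a
    changed opcode multiset does not."""
    value = 1
    for mnemonic, *_ in func:
        value *= codebook.prime(mnemonic)
    return value


def _omega(n, codebook):
    """Prime factors of n counted with multiplicity (= instructions covered)."""
    total = 0
    for p in codebook.known_primes():
        while n % p == 0:
            n //= p
            total += 1
    return total


def opcode_similarity(fp_a, fp_b, codebook):
    """Dice coefficient on opcode multisets, read off the products:
    gcd(a, b) keeps exactly the opcodes both functions share."""
    shared = _omega(gcd(fp_a, fp_b), codebook)
    total = _omega(fp_a, codebook) + _omega(fp_b, codebook)
    return 2.0 * shared / total if total else 1.0


def api_birthmark(func):
    """Set of imported API names the function calls (targets tagged 'API:')."""
    return frozenset(ops[0][4:] for mnemonic, *ops in func
                     if mnemonic == "call" and ops and ops[0].startswith("API:"))


def api_similarity(func_a, func_b):
    """Jaccard index of the two API-call sets."""
    a, b = api_birthmark(func_a), api_birthmark(func_b)
    return len(a & b) / len(a | b) if a | b else 1.0


# Constructed sample functions: (mnemonic, operands) tuples, not real disassembly.
FUNC_PERSIST = [
    ("push", "ebp"), ("mov", "ebp, esp"), ("sub", "esp, 0x20"),
    ("push", "0"), ("lea", "eax, [ebp-0x20]"), ("push", "eax"),
    ("call", "API:RegCreateKeyExA"),
    ("push", "4"), ("push", "eax"), ("call", "API:RegSetValueExA"),
    ("xor", "eax, eax"), ("leave",), ("ret",),
]
# Same instructions with independent ones swapped (a recompile or light obfuscator).
FUNC_PERSIST_REORDERED = [
    ("push", "ebp"), ("sub", "esp, 0x20"), ("mov", "ebp, esp"),
    ("lea", "eax, [ebp-0x20]"), ("push", "0"), ("push", "eax"),
    ("call", "API:RegCreateKeyExA"),
    ("push", "eax"), ("push", "4"), ("call", "API:RegSetValueExA"),
    ("xor", "eax, eax"), ("leave",), ("ret",),
]
# Unrelated routine that merely shows a message box.
FUNC_POPUP = [
    ("push", "ebp"), ("mov", "ebp, esp"),
    ("push", "0"), ("push", "offset caption"), ("push", "offset text"),
    ("push", "0"), ("call", "API:MessageBoxA"),
    ("pop", "ebp"), ("ret",),
]


def compare(func_a, func_b, codebook=None):
    """Both scores for a pair of functions, rounded for readability."""
    codebook = codebook or OpcodeCodebook()
    fp_a, fp_b = prime_product(func_a, codebook), prime_product(func_b, codebook)
    return {"opcode": round(opcode_similarity(fp_a, fp_b, codebook), 3),
            "api": round(api_similarity(func_a, func_b), 3)}


if __name__ == "__main__":
    print("reordered copy:", compare(FUNC_PERSIST, FUNC_PERSIST_REORDERED))
    print("unrelated code:", compare(FUNC_PERSIST, FUNC_POPUP))
```

The reordered copy scores 1.0 on both measures, which is exactly what a commutative product buys. The unrelated popup routine still shares most of its opcodes with the persistence routine (prologue, pushes, a call, a return) and scores about 0.73 on the opcode product, while its API set shares nothing. That gap is why the slide pairs the prime product with API call structure: opcode frequency alone is a weak discriminator for small functions, and, as the next slides note, both measures say nothing about authorship when the matched code comes from a kit shared across groups.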

SLIDE 30

Function Level Code Isomorphism Based Attribution

Reuse of Code Functions
  • Useful for closed-source projects
  • Good for tracking malware ‘genomes’
However..
  • Most malware based off of ‘kits’
  • In most cases - doesn't tell us much (or anything) about authors

SLIDE 31

BlackAxion

Designed as Proof of Concept
Utilizes int3 debugger breakpoints
  • Yes – your malware can detect me
XML Model Defines Functions of Interest
  • Identification of API call context
  • Defines weighting of API calls
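As an added example of the model-driven scoring the BlackAxion slide describes (this is not BlackAxion's code; its XML schema is not on the page, so the element names, the weighting rule, the trace format and every sample value below are this example's assumptions), the Python below loads an analyst-authored XML model that names the API functions of interest, gives each a weight, and attaches an argument-context rule, then scores a recorded API-call trace. The trace stands in for what an int3-breakpoint tracer hands back after stopping on each function of interest and capturing its arguments.

```python
"""Added example, not BlackAxion's code: an XML model naming the API
functions of interest, their weights and an argument-context rule, applied
to a recorded API-call trace. Schema, trace format and values are
constructed for this illustration."""
import xml.etree.ElementTree as ET

# Constructed analyst-authored model. It is trusted input written by the
# analyst, not data taken from the sample, so the stdlib parser is adequate.
MODEL_XML = """
<model name="registry-persistence-demo">
  <api name="RegCreateKeyExA" weight="2"/>
  <api name="RegSetValueExA" weight="3">
    <context arg="subkey" contains="CurrentVersion\\Run" weight="8"/>
  </api>
  <api name="CreateFileA" weight="1"/>
  <api name="WriteFile" weight="1"/>
  <api name="MessageBoxA" weight="0"/>
</model>
"""

# Constructed trace: one entry per breakpoint hit, with captured arguments.
TRACE = [
    {"api": "CreateFileA", "args": {"path": "C:\\Users\\Public\\svchost.exe"}},
    {"api": "WriteFile", "args": {"bytes": 24576}},
    {"api": "RegCreateKeyExA",
     "args": {"subkey": "Software\\Microsoft\\Windows\\CurrentVersion\\Run"}},
    {"api": "RegSetValueExA",
     "args": {"subkey": "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
              "value": "Updater"}},
    {"api": "MessageBoxA", "args": {"text": "Installation complete"}},
    {"api": "GetTickCount", "args": {}},  # not in the model: contributes nothing
]


def load_model(xml_text):
    """Return {api_name: (base_weight, [(arg, substring, weight), ...])}."""
    root = ET.fromstring(xml_text)
    model = {}
    for api in root.findall("api"):
        rules = [(c.get("arg"), c.get("contains"), int(c.get("weight")))
                 for c in api.findall("context")]
        model[api.get("name")] = (int(api.get("weight")), rules)
    return model


def weight_for(call, model):
    """Weight of one call: the first matching context rule wins, otherwise the
    API's base weight; APIs absent from the model score zero."""
    if call["api"] not in model:
        return 0
    base, rules = model[call["api"]]
    for arg, needle, weight in rules:
        value = call["args"].get(arg)
        if isinstance(value, str) and needle.lower() in value.lower():
            return weight
    return base


def score_trace(trace, model):
    """Total weighted score, the per-API breakdown, and the ordered list of
    modelled APIs seen (the call context a capability profile is built from)."""
    per_api, sequence = {}, []
    for call in trace:
        if call["api"] not in model:
            continue
        per_api[call["api"]] = per_api.get(call["api"], 0) + weight_for(call, model)
        sequence.append(call["api"])
    return {"score": sum(per_api.values()), "per_api": per_api, "sequence": sequence}


if __name__ == "__main__":
    print(score_trace(TRACE, load_model(MODEL_XML)))
```

The context rule is what turns a generic registry write (weight 3) into a Run-key persistence write (weight 8), so the same API name contributes differently depending on its arguments; that is the "API call context" distinction on the slide. The ordered sequence is kept alongside the score because a profile built only from a sum loses the order in which the functions of interest were hit.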

SLIDE 32

Further Development..

Detours Hooks
Kernel Hooks

SLIDE 33

DEMO / CASE STUDY

SLIDE 34

When code analysis #fails

Other meta data:
  • C&C Channel Hosts Correlation
  • Check-In Server Identification
  • Post-Incident Artifacts
  • Auxiliary Tools / Code Utilized
  • Data Exfiltrated
  • Secondary Targets Attacked

SLIDE 35

When code analysis #fails

Meta Data Relationship Analysis Tools
  • Maltego
  • Palantir
  • IRC / Chat Forums

SLIDE 36

SLIDE 37

Questions?