
WhoAmI, anyway? Attribution & Deception

BSides TLV · 2020 · 32:46 · 233 views · Published 2020-07
Style: Keynote
About this talk
Yossi Sassi - Opening Keynote "WhoAmI, anyway? Attribution & Deception" BsidesTLV - Tel Aviv - July 2nd, 2020
Transcript [en]

We're gonna have on stage the amazing opening keynote that we have lined up for you today, and this keynote is an actual rock star. I'm not kidding, he's an actual rock star: he is actually the founder of one of the most successful Israeli metal bands of all time, Orphaned Land, and he invented a new musical genre called oriental metal. He's a really amazing speaker and a rock star, like I mentioned, an actual rock star. He is the proud father of at least one daughter that I know about, and I hope you have more daughters than one. Yeah, okay, three daughters, that's amazing, I just only met the one. So he is the proud father of three

daughters, and he's also the father of something that is called the Bouzoukitara. Now if you're curious like me what the hell is a Bouzoukitara: it's a bouzouki, an oriental musical instrument for lack of a better term, and a guitar, so the Bouzoukitara. Please help me, everybody that is here in the room, to welcome to the stage the amazing Yossi Sassi. [applause] Yossi, the stage is yours. Thank you, just a second, we'll get this sorted, and of course during the day things may not go as amazingly smooth as we always want them to go, but we're going to be working very hard to make it all work as amazing as we can. Thank you for

spending your day with us. Yossi, are we ready? Yes, I think we are. Amazing. Don't forget to sanitize your hands. Yes, it's very important to sanitize hands, and as you can see I'm keeping my distance. Yossi, the floor is yours. Thank you, thank you very much Karen, thank you very much everybody here and everybody at home. Hello, hope you're cozy, you have your favorite drink set next to your laptop. Very happy to be back in BSides Tel Aviv this year as well. I'm going to talk with you in this almost-afternoon opening keynote about some topics that, in some of them, I'm

really far from being an expert, which is privacy and things like that. Much greater people have spoken about this in the past, but I want to touch a bit more in depth about who are we anyway in this generation, and to touch on topics such as deception, attribution, false flags, etc., which are things that I can actually really comment about from my personal experience. But first things first: who are you? "Who? Who is but the form following the function of what, and what I am is a man in a mask." "Well, I can see that." "Of course you can, I'm not questioning your powers of observation, I'm merely remarking upon the paradox of asking a masked man

who he is." Right, well, arguably maybe not Natalie Portman's best performance, but of course this classic scene from V for Vendetta really sets the tone for the things we are talking about this morning, and this is identities. Identities are the new perimeters. Actually we've even evolved since this sentence, but we know we've made a long way from the perimeter, the classic perimeter security, and identities cross perimeters. And today, ironically, it's very easy to repudiate actions, but it can be also very, very hard to achieve non-repudiation, and we'll speak about this pendulum effect. So we'll talk a bit, really in a nutshell, about the challenges that we have today in security at the foundations,

essentially why we got here in the first place, and we'll speak about the challenges in privacy, deception and attribution. So who am I? Well, I'm not questioning your powers of observation, merely remarking on the paradox of asking a man with a Bouzoukitara who he is. So I am the mother of the Bouzoukitara; there is also a father, but I invested a bit more in the upbringing of this instrument, including conceiving it. Ex-founder, co-founder of Orphaned Land, member of the group till quite recently, and all other musical endeavors. Also been practicing guitar playing and hacking quite a while, it's been 33 years by now: programming, communication protocols, etc. I'm

also doing information security research, especially on bypass of operating systems and living-off-the-land hacks, and doing red team training in four continents around the world for military, banks and governments, NATO, etc. I'm also the co-founder at 10Root Cyber Security. We're a small fun team, we hack for good, meaning that you have to pay us to hack you, and we'll get less than we could have in bitcoin, and we'll pay the taxes, but it's still fun to have good values. I had an episode in the late 90s, early 2000s, when I was working for Microsoft coding tools for Windows Server, so basically this was the time that I was,

I think, the only employee that had the LILO dual boot with a Linux machine in Microsoft. I couldn't say it out loud because Steve Ballmer used to call Linux cancer in those days. I think they destroyed that video, but it's really amazing to see Microsoft hugging open source today; that's such a blissful move and change of tone. Sometimes you feel like it's more like a bear hugs you, but still it's a hug, so it's something warm. And I made the trip from Atari through Apple IIc, OpenVMS, etc., Linux, Windows, and back to industrial control systems, so in a way from Atari to SCADA I kind of did the trip back to

systems from the 80s. And I'm the guy that gets a lot of calls in incident response, "hectic directory", a term I coined, PowerShell go-to guy, and I was privileged enough to be part of Javelin Networks, an ex-Israeli Air Force Intelligence Corps company that was sold in late 2018 to Symantec, and today we have actually three talks with Javelin exes, so that's nice. This is what people think I'm doing, especially my family; if I speak to them I'm saying I'm a hacker, that's what they think I'm doing. That's what I was really doing for many years. As Karen mentioned, I'm a proud father; my eldest is almost 19, Danielle, and she's coding very well in Python and she

already did her first hack or two under my ethical surveillance. But this is what I'm really doing, so I read a lot of Winnie the Pooh stories back in the day to my three daughters. By the way, there's a nice joke here: in Hebrew it says "stories from a forest by hackers", really, that's what this cover says on this famous A. A. Milne story. I looked it up and apparently it's stories from the Hundred Acre Wood, so even before Google Translate we had the translation glitch. And last thing about how geek I am: last year we moved apartment, I XML-tagged the boxes, this is how geek I am, and I saw it only

in retrospect, so next time I'm going to JSON them. Okay, so I think all information security challenges today really can be traced back to the design goals and the core design mindset of the Internet protocol suite. You see, security, privacy, non-repudiation, confidentiality, spoofing, all this was never in the mindset of the late 60s and early 70s when TCP/IP and all this started. The purpose was more to survive after a partial subset of failure and basically connect multiple networks to a single one, and security is just a patch, it's a band-aid that we've added along the years later on, and that's something that you feel until today, and really it feels that in many

things we haven't made any progress at all. You can't blame those guys; I remind you that the late 60s was Woodstock and stuff like that, nobody thought about, you know, it was way before September 11th or things like that, humanity was in a high mood. But yes, security was totally forgotten from the table and had to be patched later. But we have made progress since then; we have made progress in general in computing. For example, we used to have in computers buttons that can actually slow down your computer. That's right, there are a few people here in the room and probably also at home that remember there was a time in

humanity that you had a button that you could say to your computer, I don't need so much performance, I need you to slow down because my application is not running well, so you can actually turn it down. We made a lot of progress. We also made progress in terms of pop-ups and all kinds of messages. I love this tweet by Rob Graham regarding this Internet Explorer box about the security alert, you know, with a really nice informative alert and button there that you're about to engage with that SSL/TLS connection: only you and the server are going to be able to see what you're doing, and you have to approve that. So, but at

the end of the day I'm asking you, really, come on, what do you need in life? Of course I dropped out of high school to practice hacking and music, but later I completed two or three degrees with distinction, and I learned about the Maslow pyramid of needs, and the Maslow pyramid of needs, which I'm guessing you probably heard about or know about, goes between the basic needs that you need, right, the physical needs, and all the way up to self-realization, self-actualization. I don't know if you've heard, but lately they've updated this pyramid and added two more layers to it. Apparently today you first need a battery, then a Wi-Fi connection, and then your physical needs

maybe perhaps can be addressed, you know, to take a shower or something. And although this is semi-funny, this is, you know, kind of an infographic about what cyber really is, because we used to be people and computers, right? Back in the late 80s or in the 90s we used to work with computers, but when we didn't touch them we weren't connected to anything. And today you wake up in the morning and you've touched four, five, six computers and you've been analyzed or been recorded by a dozen others. And today this fabric of hardware, essentially just, you know, stuff and code, which is text, you know, just

text. Who wrote that text? Did you write this text? Did you read this text? Did I write this text? Trust me, I'm a hacker, what can go wrong? And people are actually collaborating, so in this very thin line between people and text, and how are we existing? The hopes given to computers were quite early being criticized. This is a quote from Professor Yeshayahu Leibowitz, quite a controversial and colorful, rest in peace, character that we've had. This is from a cover of a book in the 60s, quite around the time that the TCP/IP design and everything emerged, and from a computer science book,

computer information systems. It says: the hopes we're putting on the computer are very exaggerated. It doesn't release the person from thinking but from calculating, computing, and it certainly doesn't release him from the necessity to reach a decision and make it happen and follow it. And that's an interesting quote, because today, to say it out loud on stage, it really sounds very naive, but that's something that really a lot of people felt strongly about. And when we think about the lack of security and privacy in the design, there are many, many examples to show that, right? So to start off, of course, none of us are really anonymous, of course, in

private browsing, right? So if we, you know, just every website that you browse to, this is one of my servers, but of course this is a very simple PHP code server side, even so, you know, you're sending everything to that server: your local port, a lot of things, your user agent, and of course this can be changed, right, you can actually manipulate your user agent, so this thing works two ways. So by default nobody is anonymous in anything, and then of course there is a set of tools that can help you to get a bit more private, right? There are proxies

and VPNs, aka glorified proxies, and there is Tor, and there is Whonix, which you can also drive without Whonix and two VMs, throughout the neighborhood, and change Wi-Fis. So there are levels of anonymity that you can achieve, but then again, to really escape the fact of being discovered you really need to take into account metadata, and metadata is a huge thing. Metadata, even when you're encrypting everything, your WhatsApp, your calls, and you're in a VPN, etc., there is still this metadata, and metadata counts, it matters, because it tells a story about you. It's the junction where pieces of information are collected, and it's not necessarily a right story. By

the way, the fact that my cell phone was in the same cell tower triangulation at a certain time of the day with a criminal doesn't mean that I was meeting with that criminal, but certainly it can tell a lot of stories about you from this metadata. So 101 privacy is that anonymity and privacy are not the same thing, right? Where privacy is a basic thing that we all strive for and we all deserve, it's embedded in the laws of every modern society and democracy. You have the perfect right to do what you want in your four walls, to dance naked or whatever. Anonymity is something a bit different; it's also legitimate for many needs,

you know, if you're doing friendly whistleblowing, exposing corruption, if you're a journalist for the sake of democracy in dark regimes and dictatorships. But you can also do some things that hurt other people or are crimes when you're anonymous, so it's definitely not the same thing. What we see clearly is that the request for legitimate privacy from individuals is of course all the time colliding and interfering with law enforcement and national security, and now we see it even more than ever with the last stride on global health, so you see COVID-19 and what that's bringing. So people are speaking about everything from Bluetooth bracelets to, of course,

the cell phone, the cell tower triangulations, and, you know, it's still open to even more things that will come. Speaking about identifying people and the lack of identity, sometimes technology comes for the greater good to do some nice things. For example, in this nice research they've done XModal-ID, identifying people behind a wall. You can identify somebody through the wall from a candidate video. So you take a candidate, and all you need is Wi-Fi, it's two antennas, one transmitting, the other receiving. Apparently our gestures, our body gestures, our movements are unique to us and can identify us at a very high rate, more than eighty percent

success rate. And you take a candidate video, you build a 3D mesh, a model from the movements of those people, of course you convert it to the right model in the returns of the waves behind that wall, and you can actually identify people. And this leads us to one of the most challenging problems: to find out who did what. And the challenge of attribution is just getting more and more evident and very, very, very hard to figure out. Attribution essentially is proving the source of an attack, the source of the guy doing the things, and you know, with time, forensic analysts really

developed it to a whole bunch of best practices and a lot of methodologies to really determine the source of actions, you know, by using means like code, and close to the code, and the infrastructure connections, and political motivations, what's going on in the actual life of that nation state, etc. Many companies do this code attribution, or guessing attributions from the code itself, infrastructure, etc., like Intezer and many, many other companies. And you can see this sometimes is fairly easy, right? If I'm giving you this attribution challenge you will solve it very quickly. Like for example, if you can tell me who wrote this piece of malware: if I'm taking one part of this malware, as you see,

there is this call, GetUserDefaultLangID, and you see there is a condition check: if the result is somewhere in the Russian Federation, then abort, ExitProcess. So clearly what we can assume from that is of course that this is a Russian malware; it's designed, and it has in the very beginning of the payload a very specific check, that if you've infected a Russian machine you just need to exit this process. And you can also infect with a bit more advanced payloads; you can use obfuscation, string manipulations, polymorphic malware, etc., and you can also use zero-days. And zero-days, either you find, which takes some time, but you can find; researchers

find it and they report it, companies find and report, academia finds and reports, many people find and they don't report. They don't report either because of, you know, their own special interests, but it can be also a nation state or intelligence agency, etc. But there are stock markets for exchanging zero-days; one of the more known ones is Zerodium, which is totally anonymous sellers and buyers. So in Zerodium you can actually sell, of course, zero-day exploits that actually make you do things by bypassing a lot of the design, the core architecture of that product: remote code execution, local privilege escalation, zero-click, etc., and the payouts are also

very, very good. So you can sell and buy anonymously to everyone, everyone. So you can actually be an Iranian guy and you can sell a zero-day to the Mossad, and you can sell it to the Americans, and you can sell it to a Mexican crime conglomerate, and you'll never know that you actually did that, and you can also sell it to your own country without knowing that you did that. And speaking about nation states: of course, any organization can and will be hacked. Breaches are inevitable, period. We know that as hackers, right? That's what we do all day; we have a 100% success rate. All it takes to hack any organization in the world

is motivation and time, and in motivation we put ideology and money and all kinds of resources, right? Industrial espionage from those of the other, CIA, NSA, NASA, and the list goes on and on. And what happens when this type of nation state gets hacked, or what happens when they use zero-days in the public? So this can happen, for example, when you get exposed using a zero-day as a nation state. For example, this is a real explanation from the White House site, it's called process transparency, because after following a set of events, a set of breaches, NSA, CIA, etc., Vault 7, Shadow Brokers, etc., the American regime had to

explain a bit. And what this essentially says is that if the United States of America finds a zero-day vulnerability in one of its three-letter, dozens of trilateral, economic agencies, it will not disclose it to Microsoft or Adobe or even to American companies, because the need for national security exceeds the need of those commercial companies. But we saw it also balancing, for example in CVE-2020-0601, the notorious CryptoAPI spoof in early January 2020; we saw the NSA actually giving to Microsoft, working with them, to expose this fix. I have a calculated guess why they did that, and I don't think it's the blue eyes of anybody, but the classic dimensions of

war are totally shifting, I believe, and hope that also my colleague Chris Kubecka will speak about that later in the closing keynote. And cyber, the fifth dimension of war, really changes everything. So these carriers that we saw doing wonders and dominating the wars of Iraq and Afghanistan are really, really far from what's happening today. Today we are at war, we are at war on multiple fronts, but it's a very silent war, and the digital arms are simply weapons like anything else. It's actually a very useful weapon: it has a very low signature, it travels many miles in a matter of seconds, it doesn't have to risk

human lives unnecessarily. But it's a two-way street. So if you get an airplane of some country, or you get the bombshells, just the debris, you can't do a lot with that when you get hit by your adversary. But when you get a malware and you capture it in an air-gapped network or in a base or in a water facility, you can reverse engineer it, and then you can learn everything about your opponent. You can learn about his modus operandi, about his IP, actually the intellectual property that they have in this malware; you can use it against your opponent, you can actually alter it and even enhance it, etc., etc. So it's really challenging, and

the fact that we see with identities and attribution, etc., is that it's getting worse, because we see for quite some years now clear evidence of false flags in cyber. False flags like we used to have with pirates back in the day: they used to approach ships in the open sea with a friendly flag, like of Spain or some other kingdom of explorers, and then when they were close enough they would reveal the identity. But in cyber we see false flags using other people's malware or pieces of code, or just, you know, modifying and spoofing headers or files, etc., just to appear as if you're coming from another nation state. We have very known

cases like the PyeongChang Olympics, the Olympic Destroyer malware; essentially people thought for a long time that it was done by North Korea, and actually it was, in a very thorough and rigorous step, linked in a very high percent to Russia. And speaking about Russia, we saw also in the last year some evidence exposed, allegedly, that Russia was using Turla, essentially a Russian group, hijacked tools from an Iranian unit, OilRig, to lead attacks on

It's a nice concept, it's a very mature concept. It had the use of honeypots for a long time, which is quite obsolete in a way, but today, you know, honeypots are just lures, you know, they're just traps. It's very easy to plant them, but it's also very easy to find them. As seasoned hackers, we find a large percent of honeypots in the customer environment when we come in an engagement; it's very easy to recognize them: multiple computers pointing to the same IP, and injecting LSASS credentials without a logon server. It's very, very easy to recognize them, so we need to take deception to the next level. So deception can be used also two-way;

everything in cyber is two-way. Deception can be used by malware to evade defenses, obfuscations, etc., and defenders can also use deception to deter adversaries and actually hide, mask, the real assets, and that's what we did in Javelin Networks. And in Javelin, next we saw, first of all, that it's very easy to bypass honeypots, right? Deception really needs to go to the next level. The other thing we saw is that Active Directory, this rock star of Microsoft internal IT networks, is involved in almost every APT around the world, and every APT that you research, doesn't matter who found out and explored that malware, has AD enumeration and

credential theft inside of it. And so we took the steps to do an evolution in assets deception, and did an in-memory total adversary perception control by using hooks, user-mode hooks, injections inside the memory for each and every process. Luckily for all of you, today the person speaking after me is Omer Yair, the endpoint security lead from Javelin, also then Symantec, then Broadcom, and he's the number one guy on this topic, and he will take you from zero to nation state in 25 minutes about how we did that. But in a nutshell, we basically controlled the perception by, just in every API, every protocol, doesn't matter what you query about: users, computers,

group memberships, service principal names, SQL instances, whatever, then we mask it once we inject the code into the memory, so we give you 10 times multiple quality fakes. There is an NLP engine that learns the customer environment, all the prefix, suffix, with dictionaries, etc., and we add some bat wings to it, and not bats from Wuhan but really kosher bats, and we mix this all together and we do our magic. By the way, somewhere here there's also a decoy admin, a real admin, not an injected LSASS credential, but it really is a real user, but it's a decoy user with regular permissions that appears to be a domain admin, and you get high-fidelity

alerts, the opposite of false positives, true positive alerts on that. So we can use different controls of course to detect malicious activities: the preventive, deterrent, detective, confirming, etc. But what about using prevention through a deterrent control? So we can actually prevent malware from making progress on the endpoint itself and use it as a deterrent control, right? So for example, that's the thing that the guys in Minerva are doing. So in Minerva they're also using a rope and other kinds of user-mode hooks in memory. If you remember this example I showed you a couple of slides earlier about the default language user ID, so a malware comes in

and asks, you know, am I running a Russian-language OS? So then at that point this call will be intercepted and the answer will come back yes. So if you answer in memory to that malware that yes, you are running a Russian language, but actually you're running a Hebrew or whatever OS, then you can actually trick the malware in memory to use its built-in abort function. Look at it, it's a real-time memory hooking; yes, it's something that happens in real time, very fast, it's actually faster than the operating system itself. So in that mechanism of deception Minerva also uses sometimes some delays in the algorithm so the malware

will appear, it's real that you actually accessed the disks or you did something, and things didn't happen in memory. So that's the deterrent prevention there. And think about this: when you think about Stuxnet, right, the Stuxnet worm was something totally autonomous, it had a wide tree with a branch of decisions. And think about that: if the guys there would have something like that and it will infect a SCADA machine, it would affect the PC connected to the PLC, et cetera, then the first things that the malware, if you saw the Stuxnet code, and of course like many others I also have

revisions of it on my machine, so you see that it's actually probing, it's asking some questions: it wants to know if it got to Natanz, the Iranian nuclear facility; are these Siemens PCs, are these PLCs from a specific frequency converter, because they don't want to attack power plants in the U.S., et cetera. So with this mechanism in place you can actually say: no, there is no Siemens PLC; no, you're not in Natanz, and then it will just simply abort tens of millions of dollars of multinational, allegedly, operation. Or in other words, these are not the droids you're looking for. So we don't know what COVID-19 will bring,

you know, like I said, the cell tower triangulation, trojan apps in your cell phones, new types of passports embedded in our body, I'm not sure. But I do know that everything works in a pendulum, in life in general and in cyber in particular, and everything comes back to us. And the real dilemma here is that, unlike September 11th, where, you know, the fear after this terror wave was used to put acts like the Patriot Act and to run rules and laws that invaded privacy more than ever, I'm sure that this will bring its own wave of hurting privacy around the world; it's already happening.

But this time it's a real dilemma, because it's our health; it's not something like terror happening in another country, and it's perceived at least as a global pandemic, and that's a challenging thing, to wait to be seen. So key takeaways for my morning-slash-almost-afternoon opening keynote: it's very challenging to both correlate actions to entities as well as to maintain some basic privacy today. Although you can get a very high level of privacy, still you probably forgot some metadata, or you forgot that you opened the file while you were browsing in your perfect privacy world, etc. The pendulum effect in this cat-and-

mouse race between parties: all things cyber are two-way, right? Privacy, attribution, deception, false flags, we've seen. I hope I gave you a chance to get a glimpse of this huge iceberg of hunting around identities, and to understand that, honestly, truly, no cyber attack can really ever be traced fully to its source. We can have very good clues; Chinese source code is a bit more evident than others perhaps, but still it's a matter of really a huge guessing game. It's sometimes a very good guess, but it's still a guessing game, and the biggest challenges are still yet to be seen. We've started with this quote from Professor Yeshayahu Leibowitz:

computers don't release us from thinking but from computing, from calculating. And you know, computers are really good at answers. I argue that people are still, at least for the time being, not always, but we're still good at asking questions, and I think we still have a thing or two to offer instead of the machines. Maybe there's a computer somewhere around the world that disagrees with me, so I invite him to email me or send me some beacon. But really, when you go out of here, or later in the day, think about what you have in your pocket, you know, your cell phone, so ask yourself, you know, what do you have in your pocket:

is it a thinker or a computer? Because it's certainly not a camera with benefits, as it tries to tell you all the time. Thanks everybody, see you later.
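The locale-check deception the talk describes (answering a sample's "am I on a Russian machine?" probe with "yes" so that its own abort branch fires), as an added example that is not code from the talk, from Javelin or from Minerva: a portable C simulation in which the import table, the sample's guard and the hook are all constructed stand-ins, with only the LANGID constants being real Windows values. On Windows the probed API is GetUserDefaultLangID and the pointer being swapped would live in the process's IAT rather than in this struct.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed example: a user-mode import-table hook that answers a locale
 * probe with the value the sample refuses to run on. The LANGID values are
 * real Windows constants; the import table and the sample guard are stand-ins. */
typedef uint16_t langid_t;
#define LANG_RUSSIAN 0x0419u   /* ru-RU */
#define LANG_HEBREW  0x040Du   /* he-IL */
#define PRIMARYLANGID(id) ((langid_t)((id) & 0x3FFu))   /* low 10 bits */

/* The host's genuine locale (constructed: pretend this box runs Hebrew). */
static langid_t host_langid = LANG_HEBREW;

/* Stand-in for the real GetUserDefaultLangID export. */
static langid_t real_GetUserDefaultLangID(void) { return host_langid; }

/* Stand-in for the process import table: code calls the API through this
 * pointer, and that pointer is exactly what an IAT hook overwrites. */
struct import_table { langid_t (*GetUserDefaultLangID)(void); };
static struct import_table iat = { real_GetUserDefaultLangID };

/* Hook bookkeeping: the saved original pointer and a probe counter, which is
 * the detection signal a defender would forward as a high-fidelity alert. */
static langid_t (*saved_GetUserDefaultLangID)(void) = NULL;
static int langid_probe_count = 0;

/* The deceptive replacement: record the probe, call through so the process
 * stays healthy, then claim the locale the sample aborts on. */
static langid_t hooked_GetUserDefaultLangID(void) {
    langid_probe_count++;
    (void)saved_GetUserDefaultLangID();
    return LANG_RUSSIAN;
}

void install_langid_hook(void) {
    if (saved_GetUserDefaultLangID != NULL) return;   /* already installed */
    saved_GetUserDefaultLangID = iat.GetUserDefaultLangID;
    iat.GetUserDefaultLangID = hooked_GetUserDefaultLangID;
}

void remove_langid_hook(void) {
    if (saved_GetUserDefaultLangID == NULL) return;   /* nothing to undo */
    iat.GetUserDefaultLangID = saved_GetUserDefaultLangID;
    saved_GetUserDefaultLangID = NULL;
}

int langid_probes_seen(void) { return langid_probe_count; }

/* Stand-in for the guard the talk describes at the start of the payload:
 * returns 1 if the sample would continue, 0 if it would take the
 * "abort, ExitProcess" branch. */
int sample_guard_continues(void) {
    langid_t id = iat.GetUserDefaultLangID();
    if (PRIMARYLANGID(id) == PRIMARYLANGID(LANG_RUSSIAN))
        return 0;
    return 1;
}

int main(void) {
    printf("no hook:   guard continues = %d\n", sample_guard_continues());
    install_langid_hook();
    printf("with hook: guard continues = %d (probes seen: %d)\n",
           sample_guard_continues(), langid_probes_seen());
    remove_langid_hook();
    return 0;
}
```

The same pattern generalizes to the Stuxnet-style probes mentioned later in the talk: any "is this the environment I want?" query routed through an import pointer can be answered with the value that sends the sample down its own abort path, while the probe itself is logged.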