
Attribution Shmatribution! FIX YOUR SHIT!

BSides Las Vegas · 2013 · 40:49 · 54 views · Published 2017-01
About this talk
A lightning talk on reframing attribution from a purely blame-focused exercise into a defensible intelligence discipline. The speaker argues that most organizations misuse attribution as an excuse or reactive posture, and proposes instead a 360-degree intelligence framework combining threat modeling, OSINT, forensics, and psychology to understand adversaries and strengthen defensive posture.
LT - Attribution Shmatribution! FIX YOUR SHIT! - Krypt3ia Lightning Talks BSidesLV 2013 - Tuscany Hotel - August 01, 2013
Transcript [en]

...at the end, call me, get me someone, get me, I need to just have someone come get me a little bit. Sorry about that. So, go ahead. All right, so anyway, I kind of got the impression from going to different places throughout my career that they would talk a good game, even in defense base, but they necessarily wouldn't be doing the kind of intelligence gathering, the threat modeling, that they would need to be doing. And I've only run into that in a few places. In fact, last night I sat in on a Black Hat dinner for a vendor who brought all these alleged luminaries to talk about their problems with other people who are using their product, and only one guy in the room was actually doing threat modeling and intelligence the right way. He and I could talk, but the rest of them were all clueless as to what was going on. They had, you know, China, they had Anonymous attacking them, various and sundry companies, various problems. So, you know, I think something like this framework would help them a great bit. For some of you it may seem very low-end; maybe you're doing this, maybe you're not. I'm finding more and more companies aren't doing it; maybe they're not thinking about it in this way.

So what the [ __ ] am I talking about? Attribution is all the rage. It doesn't really make you any more secure, not necessarily. How do you know your attribution is right in the first place? Are you an intelligence agency? Unless you get a call from NCIS that says, hey, we got this data, it was in Chinese hands, physically in Chinese hands, then you can say, well, Chinese APT. Or maybe it was passed to them. But you're not going to be able to definitively say that it was China. Always a compromised box; you never know. What I want to get out is how to collect actionable intelligence and how to put that into an infosec setting. There's a problem in our industry where more and more it's becoming militarized. You see it even in this presentation: there's militarized speak, OSINT, HUMINT stuff that I've, you know, dealt with in the past, and it's becoming more the rage in the scene, but it may not really apply to what we do, working for Kraft, let's say. So, no, really, what the [ __ ] am I talking about? Attribution is mostly [ __ ] pointless unless you use it intelligently. That's the key.

So, problems I usually see. I've pretty much already covered that. You've got orgs that are in reaction mode only. You've got orgs focused only on attribution so they can have blaming, shaming, whatever; it's an excuse. Or orgs that don't use any threat intel at all, and that puts them more toward the reaction mode. But I have seen places that are totally oblivious, no reaction mode: they don't know they've been hacked, they're clueless. And orgs misinterpreting the intelligence that they're getting; it's pretty common as well.

So let's reframe the argument. Attribution today is a 180-degree process, for the most part I've seen in regular business: it's China, oh my god, let's buy a product, let's get a shiny blinky light thing. Attribution actually needs to be a 360-degree process, or a centric process, where you look at what's happened, you look at who's doing it, how they're doing it, what's going on, and then turn it back and say, okay, what about me is making them do this to me?

So I came up with this intelligence framework. It's really not very in-depth; I'm still working on more of a paper or a framework to put out. But it's the use of telemetry and some attribution, technical reports and updates, pen testing and vuln scans, forensics, psychology, sociology and criminology, which you don't hear a lot in this sphere. You have to know what they're after, why they're after it, how they're doing it, not just on a technical level but their foibles. You'll hear a lot out of Mandiant about some of this stuff; they kind of go into it, and they do have people who are former intelligence people looking at this stuff and going, oh, I know this guy. And then they'll, you know, do the background work and do the OSINT and they'll get this guy. Like the guy that they found was posting on some bulletin board blog he had about how he loved, I forget what TV show it was, it was like Prison Break. You know, that's good OSINT and that's a good insight into this guy's mental picture: what he's doing, why he's doing it, is he getting paid, is he a true believer. That's all the OSINT. So you use this to influence the executive comprehension level, technical controls, policy changes, security awareness, security posture, effective defenses. And that's it. You use all of these to look at your own environment to see what's wrong with it, how to fix it, and what the trending is.

So the first principles are: know thyself, know thy adversary, understand thy adversary (didn't mean to do that), and defeat thy adversary. Now, it's a misnomer for me to even say defeat; it was just for effect, really. I don't think we can ever defeat them. And I said this last night to that group of 20 people at this table and it went over like a fart. If you don't go into business, into your work, every day just assuming that you're already compromised, you're fooling yourselves. I was the only pentest guy at that table and they didn't like that, especially the vendor.

So you use threat intelligence. I went and Googled threat intelligence; I just wanted a definition. I couldn't find one. There's no, like, Merriam-Webster. I think there's one of those common dictionaries for street language kind of thing, but it really didn't have anything good. So I came up with this: it's the collection and analysis of technical and other data, within and without the organization, to determine the threat to your environment. That's threat intelligence. Threat intelligence, a lot of times I hear, is reversing malware. You know, it's kind of one-dimensional. It really does depend on what you're doing. If you're a reverser, that's all you do; that's your threat intelligence. But you've got to have a bigger picture. You've got to have other people in there. Can't just do one thing and expect to know what's going on.

So, collection. You've got technical threat intelligence, which covers your internal and external. It's understanding the architecture that you have, involving security in the change control processes, performing vuln scans, penetration tests, internally and externally, logging, correlation and alerting, leveraging security metrics in defense in depth, and reporting and DR, of course. Now this may seem standard to you, but how many of you are actually taking all that and then generating an actual report that goes to the board or goes to the CEO? One? Anyone else? Anyone else seen it happening? Just one.

So technical threat intelligence, external. So you've got your 0day on sale, you've got your 0day plus one, you've got your vulnerability alerts, patches, your IDS, firewall logs, DMZ logs, and leveraging as many security feeds as you can. So in this, when I talk about 0day, I'm talking about doing a Brian Krebs: you've got to have somebody out there actually going on these sites and knowing what's going on, not just reactively getting an email saying oh [ __ ].

Then you use OSINT. OSINT is the new flavor of the day. I've been doing it for a while, open source intelligence, before it became popular outside the intelligence community. Looking at the external threats: you've got your Facebooks, your Pastebin, your IRC, underground bulletin boards, darknet, Twitter, and human sources. I cannot tell you how much importance can be laid on just talking to people, talking to the bad guys. In my outside-my-work stuff I do a lot of that, a lot of that dealing with jihadists, and so knowing how they think, knowing what they're talking about, it's very important to knowing what the fair picture is. You've got to do the same thing for your company. You know, if you don't have somebody doing it, maybe you want to do it yourself. Just kind of go out there, make a cutout, look around, get a feel. I know a lot of people still go to IRC just to sit there.

Attribution. I really am loath about all the crap that goes on around attribution lately. It's like APT and attribution are two bugaboo words I really despise. But it's the what, the why, the how, the who and the where; that's what you've got to know.

So, what? What was done? Was it data theft? Did they steal money? Did they take IP, or did they take PII or SPI? You know, what kind of threat are they? What are they looking to take from it? What are they going to do with it when they take it? Is it something that they're going to sell on the black market? Is it something they're going to use against you later? Did they DoS? Did they just come along and deface you? Did they actually own you and then rm -rf your [ __ ]? Or did they hack you and then place something on your site to make you look like it's happening? It's not just shaming by, you know, taking your site down and removing everything. Disinformation is the new thing. When I was at DEF CON two years ago, I think it was, from that panel, I said that with Anonymous and all this stuff it's all going to be about disinformation. The government's going to use it, Anonymous is going to latch onto it, already doing it, and it's just a melee. You don't know what's real anymore. So if something happens where your site is defaced in a very subtle way, kind of like Adrian Lamo did to the New York Times, you could do it in a way that really makes them look bad, and reputationally it'd be huge.

How? Was it malware? Was it phishing with malware, or phishing with just, like, hey, put your credentials into the screen? Was it physical access? Was it 0day exploitation of common vulns? Was it low-end malware, you know, common Russian crimeware crap? Was it Chinese? Was it Chinese that was so bad that you really had to look at it, you know, just once and say, you just delete; people still fall for that too. Exfiltration methods and locations, operating methods and habits. So on that last one, Mandiant does a lot of that stuff. They'll talk about the operational methods, the habits that these guys have, and they'll be trying to get back, and they can get individual actors.

Why? What were the motives for the attack? Did they state or not? Did Anonymous say, I'm going to [ __ ] take you down, I'm going to make you change, or did they just come out of nowhere? One of the people at the dinner last night, Anonymous have been hacking the [ __ ] out of them over Monsanto. They're not even Monsanto; they're just sort of affiliated with them, you know, in a general way. But not just locked on them; it's like, hey look, shit's open, let's just deface. And the thing is, they actually told them they were coming, and yet they still didn't, because they had so much stuff out there they didn't know about and they didn't have a security posture. Was it financial gain? That's kind of hard to tell sometimes. If you are tracking back and you actually see your data being passed on for Bitcoins, then you know it's financial. If it's credit cards, obviously. Were there political motives? Anonymous, others. Was it a random action? Was it just target of opportunity, target of ease?

Who? Individuals, non-state actors, nation state or terrorists, rivals, chaotic actors. Anonymous, same one again. I mean, actually, Anonymous can fit into all but non-state; I'll put it like a state actor. But even then, you've got states now using disinformation: they say it's Anonymous, so it was actually a state, it was China.

Where? The regions of cybercrime. Was your data being exfiltrated to Romania? Usually that's Russian crimeware stealing your credit cards. Tie that back to what they took; it's credit cards or personal data. Yeah, it's probably them looking to scam your money. Commercial proxies, anonymized VPS, VPN, cutouts, which is basically anonymized, you know, VPS, VPN, but you can also set up a whole identity and just have it go back to that if you're really that interested in doing it. Nation state stuff, compromised boxes. So you've got a lot of vectors, even looking at them in depth. Unless you actually physically own that box, what can you say? You can't say for 100% sure anyone did anything, right? You only have a good guess, and that's what the attribution problem is. You have a good guess, unless somebody from LEO comes and says, here's your data, we got this guy, he had it in his hands and he works for this company, this country. Which I've seen happen.

So, analysis, the importance of analysis. Yes sir, Mr. President, sir, Iraq has weapons of mass destruction and that yellowcake from Nigeria is a slam dunk. Anyone remember that? That's a CIA director, former, the Brownie of the CIA directors. Technical analysis: so you've got technical intelligence reports. You take all your analysis, you develop reports: security state of your technical environment, the security landscape in the wild, successes and failures of your technical measures, successes and failures of the adversary against you, and you process that. So then you get the processes, your processes in your organization: are they working, are they not? You know, processes in place, breaks in the process, successes in process that actually mitigated the attacks. Don't look just at the negative; look at the positive, see what worked. And then OSINT, this is a more soft field: you know, threat reports on actors, current trends in attacks, current trends on targets, threat actor information that shows intent. Let me go back. So all of this stuff is really subjective. It's looking at your open source intelligence, maybe having human assets, maybe just being in IRC, darknet, seeing who's talking. It's really more, and there's a slide later, it's called RUMINT, which is rumor intelligence, you know, what people say.

But you've got to take all that into account and analyze it and give it your best guess. And really, here's the thing: all of this stuff, all intelligence work, it's like that scene in Patriot Games where they bring Jack Ryan into the room where they're showing the actual raid, where they're killing the guys in North Africa, and he's like, oh [ __ ], what did I do? Well, the Admiral says it; he's like, you made your best guess, you used all the information you had and you made a decision. That's what you've got to do. So after that it's up to, other than the technical means, it's up to management to make decisions. And even on those technical means, they may not sign off on the risk of doing things. You could say something's a risk and they'll say, well, it'll break the business, can't do it. We have that every day.

So in attribution you're looking at the locations, the originations, the actors who may be doing it, the context of what, why they're doing it, and what they are after and how they're doing it. So you take all this and you put it into an intelligence product. This is the report. The goal in intelligence reporting for infosec is much the same as it is in any other intelligence organization: you're seeking to show threats internally and externally. Technical reports on your security posture, status of your technical defense measures, your likelihood of compromise per vulnerability, standard stuff that we do every day as blue team. Current adversaries and how they've succeeded in the past, current adversaries and how they've failed, and methods used and the compromises thereof. Then you take the attribution reports: you know, attack vectors, types of actors, goals of the attack, locations, and so forth. Your OSINT, vulns in the wild, RUMINT, your rumor intelligence, your HUMINT, and your TECHINT. TECHINT is new in a way; it's all of those technical measures that we do every day as blue team to ensure that we have patching, ensure that there's a vulnerability scan and all that stuff. We're putting it all together to provide context, an overall picture, generating that whole picture of your environment, the environment outside, and who's after you, whether it be just regular crimeware, whether it be nation state, whether it be chaotic, and giving that to your superiors, who may just include this. And, you know, this is to say that you can even get something like this off the ground in your organization. A lot of companies are going to look at what I'm talking about and go, we don't have people who are looking to take us out like that, we don't have the money for this, we don't have the time.

So this all leads to response. And the first thing on response, everybody's talking about hack back. I have one word. I know there are some people over at Caesars right now talking about it. I feel pain in my head about their sales of what they can do: we're going to go get that [ __ ] back for you. It's too late, it's already out, horse is out, gone, barn's on fire. Look at your own environment. Don't go after them. So you've got, once again, it should be a 360 approach: look at what's happening, get yourself, understand the attacks, understand who's using them and why, see your weaknesses, and leverage the adversaries' methods to defeat them.

So in that I broke it down into basic and advanced responses. You'll see the advanced response next. But so you've got basic stuff, you know: use of data to strengthen your defenses. When you get a pen test, what do you do? You go fix the problems that you solve. If it's process, you go to the people and say, look, process is broken; somebody put in a simple password and helpdesk said we'll make it non-expiring, that'll be great. Process broken. Determine weak points in your defenses: pen testing, vulnerability scanning, etc. Correct your processes, very simple. Correct the technical problems, and then be ahead of the curve and be proactive. Too many places are in reaction mode only.

So then, once you've got that stuff out of the way and you're actually doing that on a recurring basis, go to the advanced response: active defense. No, not hack back. And really, there is a difference between active defense and hack back. Using disinformation, using honeypots, using tarpits, all of these. You can put that stuff out there, let them do what they want. Have a segment that says super secret squirrel [ __ ], you want, and let them do whatever they want to it. Find out what they're doing. Give yourself time to react and stop them from going elsewhere.

So the conclusion. Pretty much I'm just saying that we're all hair on fire, we're all reactionary. I know it's a common thing everywhere. Very few places have I been, other than like BAE or GE or some intelligence agencies, are being a little more subtle about it and they're looking at the bigger picture. We as corporate security people need to be doing the same kind of thing. And what you've got to do is get the buy-off from your management to at least have one person doing some of this stuff for intelligence, and then do your due diligence. You know, take a look at what's going on and try to paint a picture so you can give it to your management. They may not get it, but your engineers and your network people probably will. And certainly, if you can point out where the financial aspects go. You know, one of the things that came up last night in this dinner was, you know, having to scare executives. And I agreed. I said, yeah, you know, out of all the years of pentesting, I had to scare executives into doing stuff. You know, I went to one bank in particular that did not want to talk to me. The executives, CIO, CEO, CFO, they're all like, [ __ ] you, we don't care. Well, I went, I did my pen test, and I turned around and I said, you know what, these guys are [ __ ], I'm going to do the extra benefit, and I created a dossier on each and every one: their families, where their kids went to school, their patterns of behavior, satellite photos, all the [ __ ]. I did a total footprint on it. And when I presented the report there were, you know, three or four manila envelopes, and I walked away. I heard like a day later from IBM: they were not happy. They didn't like that. But it made a point. Years later I found out through somebody else that they remembered that, and they made a lot of changes after that, because not only could I do that to them, but you could steal $20 million from them in a very simplistic manner without the government knowing.

So, you know, it's a big picture and you've got to look at it all in order to understand the threat matrix. Nickerson says it a lot. He said it a few years ago, I don't know if it was BSides or somewhere else, I think it was BruCON, that, you know, his pentesting method is: how can I burn your house down, how can I burn your company completely? And that's what you've got to do. I agree with you 100%. Some of these guys are too busy fiddling with their knobs on their bass boats; they're not paying attention. So maybe you've got to use a scare tactic. It's unfortunate, but it's true.

So by using the intelligence framework you can understand your security posture, improve it, understand the attacks carried out against you, understand the adversaries' modus operandi, and proactively prevent attacks. But I'll reiterate: you have to get buy-off from these executives, you have to have a focus on your own environment, and you have to remember you're on defense. A lot of people out there want to be red team: ooh, I get to ride into town, [ __ ] people over and ride out again. I used to love that part of the job too. Now I'm not in that position anymore; I've got to deal with all the [ __ ], and, you know, at least this makes it interesting. But it's important. This whole idea of hack back, I think it's all just red team nonsense mindset. That's it. If you want to reach me, you can reach me here. And how much time do I have? 30 minutes? 30? Wow. Questions?

Audience: In a tweet after the Boston Marathon, you suggested that this could be an example of a stand alone complex, like in Ghost in the Shell. Could you elaborate on that a little? Was it off, if any, what it kind of turned out to be?

Speaker: These two kids, well, one guy, one kid, alienated themselves from our society in a way. We helped them a lot through just the nature of our society. But they went online on their own. There were a lot of stories about possibly there being someone; turned out to be not the case. They did this on their own. And it's that stand alone complex idea of the Laughing Man, right, where one idea becomes sort of amplified in the net and people latch onto it and start saying, I'm going to do that too, either because it's cool or, you know, whatever. And this is a problem with, you know, jihadist terrorism now, and even AQAP and al-Malahem really kind of took that up and started saying, well, you Westerners have this magazine that gives you ideas, go do this. And the problem that they had originally was the Westerners were Western mindset; they weren't Eastern mindset, they weren't raised in the country necessarily, so it was harder to radicalize them. That's what I meant by that. Any other questions, comments?

Audience: What are some of the tools that you use to help look into that OSINT, other than looking at forums and IRC? Do you have anything in mind, or is that typically...

Speaker: Well, there's a lot of online tools you can use, like Recorded Future, stuff like that, aggregating systems. Maltego is a big one. You can write your own transforms, you can use the transforms that are out there. I've been using it since they first put it out there and I like it. But you've got to remember, a lot of people are writing transforms now to use Maltego in threat intelligence gathering for attack, and not defense. I see it more for pen testing, where they're writing a transform, they're going out, they're looking for vulnerabilities and systems, they're looking for the footprint of an organization, they're looking for information to exploit. And that's more technical information. What I tend to be using it for most of the time is some of that technical, but a lot more of the social cues: looking at who's connected to who, who's talking to who. And that's both for, you know, this kind of work as well as the stuff that he was alluding to with jihadist terrorism. So there's a lot more legwork to it. You actually have to go to the links, you have to look at the pages, you have to say, okay, what are they doing, you know, who's talking to who and why are they doing it and when are they doing it. So there's a lot of elbow grease that goes into it. Mental health. Anyone else?

Audience: [inaudible] ...just do you...

Speaker: Yeah. Usually it's more along the lines of even what I found last night at the table for this meeting, this dinner. Four or five people out of that table, when they introduced themselves, all had their jobs recently given to them because there was a compromise at their company, and that company turned around and it was bad, it was a bad compromise. They, you know, lost data, they were in the news, that kind of thing. And that's usually what it takes, unfortunately, for a lot of places to decide that they really need to do something about it. In defense base, defense space, they should be thinking about this already, and they're being forced to with the DCID. But even then I've only seen a few really leveraging this. You know, you've got to have a lot of money if you're really good. I mean, there are teams of guys just doing reversal, like five or six at a time. There are fewer places with guys just surfing the net and going to talk to people and collating all that data and actually just being intelligence analysts. And what I've seen is a trend. Last year, Bank of America, which originally there was a slide about Bank of America which I redacted because it just kind of died there, but they're a good example. When Anonymous started doing their thing, they decided that they would hire an intelligence team, a threat intelligence group, and what they did was they outsourced it. All these guys from LinkedIn, with all their LinkedIn information on those pages, and that they were doing Bank of America threat intelligence. And Anonymous caught onto it and found that they had put a whole bunch of their threat reports on an internet-facing server without any crypto, without any controls around it. So they were like, woohoo, and they took it down, they put it up on torrent. I pulled it down, I started reading through all of it, and I was like, this is terrible. I mean, unless there's another portion that I'm missing, you know, it was all like rumor, rumor, rumor. There were no reports; it was all just raw intelligence there, which wouldn't do you any good. And I'm not sure if they were actually doing it anymore, and actually I'm going to be talking to somebody from BofA tomorrow and ask him, because he's in that area, and say, what were you thinking? There was much shock and fury when that came out. So there are companies that are thinking about it. They're thinking about it in this vein. But getting buy-off is the big thing, and I'm not sure, you know, each CEO, each executive group, either they're into it, they understand, or they don't care, they don't see an ROI. And that's the thing, you know, what's the ROI in this, is what you'll get. You know, I can do all this stuff; what's my return on the investment? Well, I can say, we've got all this information, we're ahead of the curve, we know what's going on, we can, you know, be agile about preventing attacks or responding to attacks. Sometimes you get that, you know, dull look. Other times they get it. It's really up to the person and the company, kind of a political atmosphere. Anyone else?

Audience: Say you mentioned that this one company had outsourced all that. If you were building one, building a team, how would you do that? Just one guy?

Speaker: Well, if you have the money, you know, the funds, then I would get at least one analyst who's looking at all the OSINT. You get hopefully one malware reversal guy. I mean, it depends on how big your company is, dude. I've seen $2 billion companies have very little security, never mind, you know, this kind of stuff. So if you are a BofA and you have the money. They had, for analysts, my count was five or six as I went through all their emails and all their stuff from the dump, but that's not to say that they didn't have more. They were all reporting into a central person, who was then reporting up to management. And that's, I didn't really go into that in this talk, but you really have to have an infrastructure of report-to chains: who's doing what, that's their only function. If you've got a SIEM and you've got a big environment, then you should have at least one or two people just running that SIEM, because shit's going on all the time. But unfortunately a lot of places just go, well, we'll buy the shiny thing and we'll put it in, and then you come up with some rules and have it ping us when there's something wrong, and then you're retasked to go do something else and you have five of the things you've got to do, but you're not paying attention to the SIEM. And that SIEM information nowadays, like Splunk has a console now for security, where you're taking all that firehose, you're just putting it into that console. Well, how many people do you need to look at that console? Should it be a 24/7 SOC? Do you have a big environment? Maybe you should, maybe you should have 24/7. So if I were in that situation, at a company that had the money, I'd be lobbying for it. I wouldn't say it's a showstopper, but it's not going to make life easy. Anything else?

Audience: I apologize, I missed the middle of the discussion. Is there anybody out there you think is doing it right?

Speaker: Yeah. In fact, you know, Lockheed Martin does a lot of good stuff. But last night I talked to this guy, and they're doing stuff that was even beyond this. They developed some stuff that was looking at malware from an epidemiological aspect to determine who had coded it and what it was doing. It was really cool. And they had an infrastructure where they had a report-to chain. They're defense base; they also have a corporate side. So that's a division that you have to deal with too if you work in a company that's defense-based and has a corporate side. How do you deal with that? You know, you've got the fence, they've got the secret squirrels, they're not going to talk to you. But it might be your side of the fence that actually gets compromised that leads to them. Unless you're working as a whole, you don't have the whole picture.

Audience: What about military or government?

Speaker: I think military and intelligence agencies are doing it. I think the NSA is the premier of that. They do a lot of this stuff, along with the more technical sifting and everything else we've seen in the news lately. But, yeah, even the Air Force, when they had a team that was doing that, they came into my place and they had guys doing different things and it was all, you know, tied together. They did the footprinting, they had, you know, typical red teaming, but there was more to it than that. And even like a Nickerson is doing this kind of stuff, just on the red team side, where you've got different guys doing different things, you know, put it all together. Anyone else? Right, and I shall let you go. My rant is over. [Applause]
