$30 off During Our Annual Pro Sale. View Details »

Attribution Shmattribution! FIX YOUR SHIT!

August 04, 2013

Attribution Shmattribution! FIX YOUR SHIT!

Bsides LV 2013 presentation on using attribution in an INFOSEC intelligence gathering framework.


August 04, 2013

Other Decks in Technology


  1. Attribution Shmattribution! FIX YOUR SHIT! By Dr. Krypt3ia

  2. WTF am I talking about? • Attribution is all the

    rage but does it really make you more secure? • How to collect and use actionable intelligence • How an INFOSEC intelligence org functions
  3. No really.. WTF is he talking about? ATTRIBUTION is mostly

    fucking pointless! Unless you use it intelligently
  4. The problems I usually see • Orgs that are in

    reaction mode only • Orgs focused only on attribution • Orgs that don’t use any threat intelligence • Orgs misinterpreting intelligence
  5. So let’s re-frame the argument • Attribution today is 180

    degree centric • Attribution needs to be 360 degree centric
  6. An INFOSEC Intelligence Framework

  7. The use of… – Telemetry and (some) Attribution – Technical

    reports & updates – Pentesting & vuln scans – Forensics – Psychology, Sociology, & Criminology – OSINT
  8. To influence… – Executive comprehension – Technical Controls – Policy

    changes – Security Awareness – Security posture – Effective defense
  9. First principles…

  10. “Know Thyself” “Know thy Adversary” “Understand thy Adversary” “Defeat thy

  11. Threat Intelligence “The collection and analysis of technical and other

    data from within and without your organization to determine the threat to your environment”
  12. Collection

  13. Technical Intelligence Technical Threat intelligence – Internal • Understanding the

    architecture • Involving security in change control • Performing vuln scans & pentesting internally • Logging, correlation, & alerting • Leveraging security metrics & defense in depth • Incident reporting • DFIR
  14. Technical Intelligence Technical Threat Intelligence – External • 0day’s on

    sale • 0day +1 released and known • Vulnerability alerts • Patch update alerts • IDS and FW reports/logs • DMZ logs and alerts • Leveraging as many security feeds online as possible
  15. OSINT Social Threat Intelligence – External • Facebook • Pastebin

    • IRC • Underground bulletin boards • Darknet • Twitter • Human sources
  16. Attribution What, Why, How, Who, & Where

  17. Attribution WHAT • Was done –Data theft? –Money theft? –IP

    theft? –PII or SPI theft? –DDoS –Defacement –Hacked and RM –RF* –Disinformation against you?
  18. Attribution HOW – Malware? – Phishing? – Physical access? –

    0day? – Exploitation of common vulns? – Exfiltration methods & locations – Operating methods and habits
  19. Attribution WHY – Motives for the attacks stated or not

    – Financial gain? – Political motives? – Random action? – Target of ease?
  20. Attribution WHO – Individuals? – Non state actors? – Nation

    states? – Bored teenagers? – Rivals? – Chaotic actors?
  21. Attribution WHERE – Regions of cybercrime – Commercial proxies –

    Anonymized VPS/VPN – Cutouts – Compromised boxes
  22. Analysis

  23. The importance of analysis “Yes sir Mr. President sir.. Iraq

    has weapons of mass destruction and that yellow cake from Nigeria is a slam dunk” – George Tenet
  24. Technical Analysis Technical Intelligence Reports • The security state of

    your technical environment • The security landscape in the wild • The successes and failures of your technical measures • The successes and failures of the adversary
  25. Process Analysis Process Intelligence Reports • The security state of

    your processes in place • The breaks in process that lead to compromise • The successes in process that mitigated attacks
  26. OSINT Analysis OSINT Reports – Threat reports on actors –

    Current trends in attacks – Current trends on targets – Threat actor information that shows intent
  27. Attribution Analysis Attribution Reports – Locations of attack originations –

    Actors who (may) be the originators – Context of why they are attacking – Context of what they are after – Context of how they are attacking
  28. Intelligence Product

  29. Intelligence Reports “Your goal in intelligence reporting for INFOSEC is

    much the same as it is in other intelligence organizations. You are seeking to show threats internally and externally”
  30. Technical Intelligence Reports Technical reports on your security posture –

    The status of your technical defense measures – The likelihood of compromise per vulnerabilites – The current adversaries and their successes – The current adversaries and their failures – Methods used in compromises (DFIR)
  31. Attribution Reports Attribution reports on attack vectors – Types of

    actors – Goals of attack – Locations of attack origins (C&C) – DFIR on methodologies used
  32. OSINT Reports OSINT reports on threat vectors in the wild

    – RUMINT (Rumour Intelligence) – HUMINT (Human Intelligence) – TECHINT (Technical Intelligence)
  33. Providing Context “When generating intelligence reports the collection has to

    be integrated to see the threats to YOUR environment. It’s no good to be reporting that Anonymous is threatening BofA if you are not a bank or affiliated with them”
  34. Response

  35. A word about hack back Derp.

  36. Response This should be a 360 degree approach – Understand

    the attacks being used – Understand who is using them and why – Understand your weaknesses – Leverage the adversary’s methods to defeat them
  37. Basic Response Basic Defense – Use the data to strengthen

    your defenses – Determine weak points in your defenses – Correct processes – Correct technical defenses (patches/rules etc) – Be ahead of the curve and proactive
  38. Advanced Response Active Defense (no not hack back) – Using

    disinformation – Using honeypots – Using tarpits All of these should be used to monitor as well as deny the adversary success.
  39. Conclusion

  40. Using Intelligence By using an intelligence framework you can –

    Understand your security posture & improve it – Understand the attacks carried out against you – Understand the adversaries modus operandi – Proactively prevent attack success (hopefully)
  41. But… • You have to get buy off from the

    executives • You have to focus on YOUR environment • You have to remember you are on defense…
  42. Fin. Dr. Krypt3ia @krypt3ia krypt3ia@gmail.com http://www.krypt3ia.com