Attribution Shmattribution! FIX YOUR SHIT!

Krypt3ia
August 04, 2013

Bsides LV 2013 presentation on using attribution in an INFOSEC intelligence gathering framework.

Transcript

  1. WTF am I talking about?
     • Attribution is all the rage but does it really make you more secure?
     • How to collect and use actionable intelligence
     • How an INFOSEC intelligence org functions
  2. No really.. WTF is he talking about?
     ATTRIBUTION is mostly fucking pointless! Unless you use it intelligently
  3. The problems I usually see
     • Orgs that are in reaction mode only
     • Orgs focused only on attribution
     • Orgs that don’t use any threat intelligence
     • Orgs misinterpreting intelligence
  4. So let’s re-frame the argument
     • Attribution today is 180 degree centric
     • Attribution needs to be 360 degree centric
  5. The use of…
     – Telemetry and (some) Attribution
     – Technical reports & updates
     – Pentesting & vuln scans
     – Forensics
     – Psychology, Sociology, & Criminology
     – OSINT
  6. To influence…
     – Executive comprehension
     – Technical Controls
     – Policy changes
     – Security Awareness
     – Security posture
     – Effective defense
  7. Threat Intelligence
     “The collection and analysis of technical and other data from within and without your organization to determine the threat to your environment”
  8. Technical Intelligence: Technical Threat Intelligence – Internal
     • Understanding the architecture
     • Involving security in change control
     • Performing vuln scans & pentesting internally
     • Logging, correlation, & alerting
     • Leveraging security metrics & defense in depth
     • Incident reporting
     • DFIR
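Slide 8 lists "logging, correlation, & alerting" as an internal intelligence source without showing what a correlation looks like. The following is an added example, not material from the deck or from Krypt3ia: it parses constructed OpenSSH-style auth lines (host names and addresses are placeholders) and raises an alert when one source produces a burst of failed logins and then a successful one inside a short window. The regex, the threshold of five failures and the 300-second window are assumptions for the example.

```python
# Added example (not from the Bsides LV deck): correlate sshd auth events
# so that "many failures then a success from the same source" becomes an alert.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in syslog/OpenSSH format. Hosts and addresses
# are placeholders (documentation ranges), not real telemetry.
SAMPLE_LOG = """\
Aug  4 10:01:02 web1 sshd[2001]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Aug  4 10:01:05 web1 sshd[2001]: Failed password for invalid user admin from 198.51.100.23 port 51023 ssh2
Aug  4 10:01:09 web1 sshd[2002]: Failed password for root from 198.51.100.23 port 51024 ssh2
Aug  4 10:01:14 web1 sshd[2002]: Failed password for root from 198.51.100.23 port 51025 ssh2
Aug  4 10:01:20 web1 sshd[2003]: Failed password for deploy from 198.51.100.23 port 51026 ssh2
Aug  4 10:01:41 web1 sshd[2004]: Accepted password for deploy from 198.51.100.23 port 51027 ssh2
Aug  4 10:05:00 web1 sshd[2010]: Failed password for alice from 203.0.113.7 port 40000 ssh2
Aug  4 10:05:30 web1 sshd[2011]: Accepted publickey for alice from 203.0.113.7 port 40001 ssh2
"""

# Assumed line shape; adjust for your own sshd/syslog configuration.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(text, year=2013):
    """Turn raw lines into (timestamp, host, result, user, src) tuples.
    Syslog timestamps carry no year, so the caller supplies one."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd chatter is ignored rather than treated as an error
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["result"], m["user"], m["src"]))
    return events


def correlate(events, min_failures=5, window_seconds=300):
    """Alert when a source has at least min_failures failed logins and then a
    successful login, with all of those failures inside window_seconds of it."""
    failures = defaultdict(list)  # src -> timestamps of failed attempts
    alerts = []
    for ts, host, result, user, src in sorted(events):
        if result == "Failed":
            failures[src].append(ts)
            continue
        # Only failures inside the window before this success count
        recent = [t for t in failures[src] if (ts - t).total_seconds() <= window_seconds]
        if len(recent) >= min_failures:
            alerts.append({
                "host": host, "src": src, "user": user,
                "failures_before_success": len(recent),
                "first_failure": recent[0].isoformat(), "success": ts.isoformat(),
            })
            failures[src].clear()  # one alert per burst, not one per later success
    return alerts


def brute_force_then_success(text=SAMPLE_LOG):
    return correlate(parse_events(text))


if __name__ == "__main__":
    for alert in brute_force_then_success():
        print("ALERT", alert)
```

On the sample data only the 198.51.100.23 burst fires; alice's single failure followed by a key-based login does not. The counts this produces (alerts per host, per source, per day) are exactly the "security metrics" the same slide mentions, so the alert dictionary is built to be aggregated, not just printed.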
  9. Technical Intelligence: Technical Threat Intelligence – External
     • 0days on sale
     • 0day +1 released and known
     • Vulnerability alerts
     • Patch update alerts
     • IDS and FW reports/logs
     • DMZ logs and alerts
     • Leveraging as many security feeds online as possible
  10. OSINT: Social Threat Intelligence – External
     • Facebook
     • Pastebin
     • IRC
     • Underground bulletin boards
     • Darknet
     • Twitter
     • Human sources
  11. Attribution: WHAT
     • Was done
       – Data theft?
       – Money theft?
       – IP theft?
       – PII or SPI theft?
       – DDoS
       – Defacement
       – Hacked and RM
       – RF*
       – Disinformation against you?
  12. Attribution: HOW
     – Malware?
     – Phishing?
     – Physical access?
     – 0day?
     – Exploitation of common vulns?
     – Exfiltration methods & locations
     – Operating methods and habits
  13. Attribution: WHY
     – Motives for the attacks, stated or not:
       – Financial gain?
       – Political motives?
       – Random action?
       – Target of ease?
  14. Attribution: WHO
     – Individuals?
     – Non state actors?
     – Nation states?
     – Bored teenagers?
     – Rivals?
     – Chaotic actors?
  15. Attribution: WHERE
     – Regions of cybercrime
     – Commercial proxies
     – Anonymized VPS/VPN
     – Cutouts
     – Compromised boxes
  16. The importance of analysis
     “Yes sir Mr. President sir.. Iraq has weapons of mass destruction and that yellow cake from Nigeria is a slam dunk” – George Tenet
  17. Technical Analysis: Technical Intelligence Reports
     • The security state of your technical environment
     • The security landscape in the wild
     • The successes and failures of your technical measures
     • The successes and failures of the adversary
  18. Process Analysis: Process Intelligence Reports
     • The security state of your processes in place
     • The breaks in process that lead to compromise
     • The successes in process that mitigated attacks
  19. OSINT Analysis: OSINT Reports
     – Threat reports on actors
     – Current trends in attacks
     – Current trends on targets
     – Threat actor information that shows intent
  20. Attribution Analysis: Attribution Reports
     – Locations of attack originations
     – Actors who (may) be the originators
     – Context of why they are attacking
     – Context of what they are after
     – Context of how they are attacking
  21. Intelligence Reports
     “Your goal in intelligence reporting for INFOSEC is much the same as it is in other intelligence organizations. You are seeking to show threats internally and externally”
  22. Technical Intelligence Reports: Technical reports on your security posture
     – The status of your technical defense measures
     – The likelihood of compromise per vulnerability
     – The current adversaries and their successes
     – The current adversaries and their failures
     – Methods used in compromises (DFIR)
  23. Attribution Reports: Attribution reports on attack vectors
     – Types of actors
     – Goals of attack
     – Locations of attack origins (C&C)
     – DFIR on methodologies used
  24. OSINT Reports: OSINT reports on threat vectors in the wild
     – RUMINT (Rumour Intelligence)
     – HUMINT (Human Intelligence)
     – TECHINT (Technical Intelligence)
  25. Providing Context
     “When generating intelligence reports the collection has to be integrated to see the threats to YOUR environment. It’s no good to be reporting that Anonymous is threatening BofA if you are not a bank or affiliated with them”
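Slides 11 to 15 break attribution into WHAT/HOW/WHY/WHO/WHERE, and slide 25 says a report only matters once it is set against YOUR environment. The following is an added example, not material from the deck or from Krypt3ia, of a triage step that does exactly that: each report carries the who/how/why/where fields, an organisation profile says what the org is and runs, and a score decides which reports get written up. The weights, the threshold, the organisation profile and all three reports (actor names, sectors, the "legacy-cms" technology label) are constructed for the example and are not real intelligence.

```python
# Added example (not from the Bsides LV deck): score external reports against
# the organisation's own profile so that off-target reports are dropped.
from dataclasses import dataclass


@dataclass
class OrgProfile:
    sectors: frozenset        # what the organisation is (slide 25: "if you are not a bank ...")
    technologies: frozenset   # what it runs (slide 8: understanding the architecture)
    regions: frozenset        # where it operates


@dataclass
class IntelReport:
    title: str
    actor: str                 # WHO (slide 14)
    motive: str                # WHY (slide 13)
    target_sectors: frozenset  # who they go after; empty means opportunistic
    methods: frozenset         # HOW (slide 12)
    tech_affected: frozenset   # technology the method depends on
    regions: frozenset         # WHERE (slide 15)


# Assumed weights for this example; a real programme would tune them.
WEIGHTS = {"sector": 3, "technology": 4, "region": 1}


def relevance(report: IntelReport, org: OrgProfile):
    """Return (score, reasons). A score of 0 means nothing in the report
    touches this organisation, however loud the actor is."""
    score, reasons = 0, []
    if report.target_sectors & org.sectors:
        score += WEIGHTS["sector"]
        reasons.append("targets our sector")
    if report.tech_affected & org.technologies:
        score += WEIGHTS["technology"]
        reasons.append("affects technology we run")
    if report.regions & org.regions:
        score += WEIGHTS["region"]
        reasons.append("active in our region")
    return score, reasons


def triage(reports, org: OrgProfile, threshold: int = 3):
    """Keep reports scoring at least `threshold`, highest first. Region alone
    (weight 1) never clears the default threshold: 'they are in our country'
    is not context, 'they are after what we have' is."""
    kept = []
    for r in reports:
        score, reasons = relevance(r, org)
        if score >= threshold:
            kept.append((score, r.title, reasons))
    return sorted(kept, key=lambda item: item[0], reverse=True)


# Constructed organisation profile and reports (illustrative placeholders).
OUR_ORG = OrgProfile(
    sectors=frozenset({"healthcare"}),
    technologies=frozenset({"windows", "ms-office", "legacy-cms"}),
    regions=frozenset({"US"}),
)
REPORTS = [
    IntelReport("Hacktivist collective announces op against a large US bank",
                actor="hacktivist collective", motive="political",
                target_sectors=frozenset({"banking"}), methods=frozenset({"ddos"}),
                tech_affected=frozenset(), regions=frozenset({"US"})),
    IntelReport("Phishing campaign against hospitals using malicious Office documents",
                actor="criminal group A", motive="financial gain",
                target_sectors=frozenset({"healthcare"}), methods=frozenset({"phishing", "malware"}),
                tech_affected=frozenset({"ms-office", "windows"}), regions=frozenset({"US", "EU"})),
    IntelReport("Opportunistic mass exploitation of an unpatched legacy-cms flaw",
                actor="unknown", motive="target of ease",
                target_sectors=frozenset(), methods=frozenset({"exploitation of common vulns"}),
                tech_affected=frozenset({"legacy-cms"}), regions=frozenset()),
]


def triage_sample():
    return triage(REPORTS, OUR_ORG)


if __name__ == "__main__":
    for score, title, reasons in triage_sample():
        print(f"[{score}] {title}: {', '.join(reasons)}")
```

The bank report is the slide's own BofA case: the actor is real and noisy, the region matches, and it still scores too low to report to a hospital. The opportunistic report has no named actor or target at all, yet it clears the bar because it hits something the org actually runs, which is the "target of ease" motive from slide 13 turned into a defensive priority.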
  26. Response
     This should be a 360 degree approach
     – Understand the attacks being used
     – Understand who is using them and why
     – Understand your weaknesses
     – Leverage the adversary’s methods to defeat them
  27. Basic Response: Basic Defense
     – Use the data to strengthen your defenses
     – Determine weak points in your defenses
     – Correct processes
     – Correct technical defenses (patches/rules etc)
     – Be ahead of the curve and proactive
  28. Advanced Response: Active Defense (no, not hack back)
     – Using disinformation
     – Using honeypots
     – Using tarpits
     All of these should be used to monitor as well as deny the adversary success.
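Slide 28 says disinformation and honeypots should monitor as well as deny. The following is an added example, not material from the deck or from Krypt3ia, of the monitoring half for the disinformation case: decoy credentials are planted in files an intruder would read, and because nothing legitimate ever uses them, any authentication attempt with one is a high-confidence alert that also tells you which planted file was read. The decoy names, planted paths, event format and addresses are all constructed placeholders.

```python
# Added example (not from the Bsides LV deck): detect use of planted decoy
# credentials ("honeytokens") in constructed authentication events.
import hashlib
import json
from collections import defaultdict

# Constructed decoys: placeholder names, not real credentials. The table
# records where each decoy was planted so a hit tells you what the intruder
# read, not merely that someone is inside.
DECOYS = {
    "svc_backup_ro":     {"planted_in": "/srv/share/it/backup_notes.txt", "severity": "high"},
    "APIKEY-DECOY-0001": {"planted_in": "app/config/settings.ini", "severity": "critical"},
}
# The monitor only needs hashes, so the bait strings stay out of the alerting config.
DECOY_BY_HASH = {hashlib.sha256(name.encode()).hexdigest(): name for name in DECOYS}

# Constructed authentication events, one JSON object per line (placeholder addresses).
SAMPLE_EVENTS = """\
{"ts": "2013-08-04T12:00:01Z", "source": "vpn", "identity": "alice", "src_ip": "203.0.113.7", "result": "success"}
{"ts": "2013-08-04T12:07:44Z", "source": "vpn", "identity": "svc_backup_ro", "src_ip": "198.51.100.23", "result": "failure"}
{"ts": "2013-08-04T12:09:10Z", "source": "api-gw", "identity": "APIKEY-DECOY-0001", "src_ip": "198.51.100.23", "result": "failure"}
{"ts": "2013-08-04T12:15:00Z", "source": "vpn", "identity": "bob", "src_ip": "203.0.113.9", "result": "success"}
"""


def check_events(jsonl: str):
    """Any authentication attempt with a decoy identity is an alert, whether
    or not it succeeded: nothing legitimate ever uses these names."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        digest = hashlib.sha256(ev["identity"].encode()).hexdigest()
        name = DECOY_BY_HASH.get(digest)
        if name is None:
            continue  # ordinary account, not our business here
        alerts.append({
            "ts": ev["ts"], "src_ip": ev["src_ip"], "source": ev["source"],
            "decoy": name, "planted_in": DECOYS[name]["planted_in"],
            "severity": DECOYS[name]["severity"],
        })
    return alerts


def pivot_by_source(alerts):
    """Group decoy hits by source address: one address touching several decoys
    shows which planted files were read and where the activity comes from."""
    seen = defaultdict(list)
    for alert in alerts:
        seen[alert["src_ip"]].append(alert["planted_in"])
    return dict(seen)


def sample_run():
    alerts = check_events(SAMPLE_EVENTS)
    return alerts, pivot_by_source(alerts)


if __name__ == "__main__":
    found, by_source = sample_run()
    for alert in found:
        print("DECOY USED", alert)
    print("files read per source:", by_source)
```

The decoy accounts should not actually work, so every hit in the sample is a failure and still fires; denying the login is the "deny" half, the alert and the pivot on source address are the "monitor" half the slide asks for. The pivot output feeds straight into the WHERE and HOW columns of an attribution report (slides 12 and 15) from your own telemetry rather than from someone else's feed.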
  29. Using Intelligence
     By using an intelligence framework you can
     – Understand your security posture & improve it
     – Understand the attacks carried out against you
     – Understand the adversary’s modus operandi
     – Proactively prevent attack success (hopefully)
  30. But…
     • You have to get buy-in from the executives
     • You have to focus on YOUR environment
     • You have to remember you are on defense…