Embed Size (px)
Citation preview
CyberAttribution:Campaignsandrenegades
Dr.SamuelLiles
UNCLASSIFIED
Caveats:Thefollowingrepresentsmyresearchovermanyyearsandnoneofitoccurredwhileafederalgovernmentemployee.Whileeveryefforthasbeenmadetoinsureaccurateportrayalofeventswithinthispresentationsomedetailsmaybeomittedduetotheresearchtopic.Opinions,conjecture,orobservationsarethoseofthepresenterandshouldnotbeconstruedtobeofficialpoliciesofopinionsofTheDepartmentofHomelandSecurity,TheFederalGovernment,orthecompanieswhoprovidedprimaryandsecondarysourcematerials.Abibliographyattheendofthispresentationcoverspastandcurrentdiscussiononthetopicbutisnotanexhaustiveexampleofthetopic.
UNCLASSIFIED
Abstract
Attributionofadversariesisakeypointinariskmanagementapproachtocybersecurity.Thisisanartlefttotheintelligenceand lawenforcementcommunities.Uniquemethodsareexploredresultingindetermininganddefiningacyberadversary.Thisdiscussionisaresultofthecollisionbetweenapplication,science,andartwhereamulti-disciplinaryapproachresultsinacomprehensiveresult.
UNCLASSIFIED
Goals
• Identifyandcharacterizeattributivetechniquesthatarescientificallyvalid
• Wherevalidityisnotpossibleorscientificmethoddoesnotsupportattributivetechniquesdetermineviabilityofothermethods
xxx
UNCLASSIFIED
RiskResearchUNCLASSIFIED
ThreatResearchUNCLASSIFIED
ThreatResearch
UNCLASSIFIED
ExploitationResearch
DiagrambySamLiles
UNCLASSIFIED
UNCLASSIFIED
TrackinganAdversaryinTimeandPlacebyvulnerabilities
DiagrambySamLiles
UNCLASSIFIED
UNCLASSIFIED
DiagrambySamLiles
DiagrambySamLiles
UNCLASSIFIED
DiagrambySamLiles
UNCLASSIFIED
UNCLASSIFIED
RosettaResearch
DiagrambySamLiles.ConceptssupportedbyworkofRonaldKurtz
UNCLASSIFIED
Boom
PersistencePrivilegeEscalation
DefenseEvasion
CredentialAccess
HostEnumeration
LateralMovement
Execution C2 Exfiltration
CommandandControlInstallationReconnaissance WeaponizationDeliver
y ActionsonObjective
Preparation Engagement Presence Effect/Consequences
DNIFramework
CyberKillChain
MITREATT&CK
NSATAO
Reconnaissance InitialExploitationEstablish
PersistenceInstallTools
MoveLaterally
CollectExfil
Exploit
Exploitation
ExternalActionsBeforeIntrusion
Pre-ExecutionActions OperationalA- Actions
InternalActions:“AfterIntrusions”
PlanActivity DeployCapability
Control DenyAccess
ConductResearch&Analysis InteractwithTarget
Hide ConsumeResources
DevelopResources&Capabilities
ExploitVulnerabilities
ExpandAlter/ManipulateComputer,Network,orSystemBehavior
ConductReconnaissance DeliverPayload
RefineTargeting ExtractData
StageOperationalTools&Capabilities
EstablishPersistence DestroyHW/SW/DATA
InitiateOperations EnableOtherOperations
Layer1Stages
Layer2Objectives
RosettaResearchUNCLASSIFIED
AdversaryResearch
DiagrambySamLiles
UNCLASSIFIED
Isattributionthatsimple?
Source:Attributionofcyberadversarieshttp://selil.com/archives/6791
UNCLASSIFIED
Political
Technical
Forensic
EvidenceRequired
TimetoLevelofA
ttribution
EventHappens
Possible
Probable
Provable
Motive,means,opportunity
IOCs:IP,Hash,URL,method,time,etc.
Crypto,non-repudiation,multi-modesensing,direct
observation
Abductivereasoning,mostreasonableexplanationgivencurrentevidence
Deductivereasoning,Man->MortalSocrates->Man
Therefore,Socrates->Mortal
Inductivereasoning,givenwateriswet,ifIamwet,it
islikelywater.
Switchesbackandforth
Adversary
CapabilityInfrastructure
Victim
Meta-FeaturesTimestampPhaseResultDirectionMethodologyResources
Attribution
UNCLASSIFIED
Howdoweanalyzeanintrusion?
Source:Lukeintheskywithdiamondshttps://www.threatconnect.com/blog/diamond-model-threat-intelligence-star-wars/
UNCLASSIFIED
Stepstoattribution• TheDiamondModelisagraphicalrepresentationofan
intrusionbutnotofattribution
• Attributionisthesummationofaninvestigation
• Preparesetoffactscharacterizedbytime/date/event/DNIframework
• Eventshaveavictim(definedbybusinesstype,mission,category),adeployedcapabilitybyanadversary,andaninfrastructurebothofwhichareindicativeofIOCs
• Memory,disk,networkevidenceofcompromisearecategorizedbyDNIframework,typeofcompromise,andtimeofcompromise(evenifawindow)
• EacheventmayhaveseveralstagesofcompromiseasdepictedbythreadswithinonevictiminfrastructurethatbecomesuniquepatternofTTP
• InfrastructureofadversaryisidentifiedthroughIOCs
• Adversaryinfrastructuredeployedagainstonevictimisastartingpointforfurtherinvestigationofadversarycapability
• IOCsareusedtopivotthroughadversarynetwork(IPstodomains,SSLcertificates,ASNs,associatedphysical/logicallocations,passiveDNStolocateotherinfrastructure/victims)
• Determinetimewindowforeachcompromise(DONOTstackmultipleeventsbecauseiteasier)
• Whenfusingclassifiedintelligenceintounclassifiedattributionadmitmagichappens,utilizeknownanswertobackintounknowablesolution,butbewaryofthis
Adversary
Infrastructure
Victim
Meta-FeaturesTimestampPhaseResultDirectionMethodologyResources
Capability
Somebackgroundhttps://selil.com/archives/6791
UNCLASSIFIED
Thread1 Thread2 Thread3 Thread4
Preparation
Engagement
Presence
EffectConsequences
Victim1 Victim1 Victim2 Victim?
Boom
A
IC
VA B
C
D
E F
A&CarethesamevictimB&DarethesamevictimB&CsharethesameattackinfrastructureC&DsawthesamecapabilityD&E&Fsawthesameattackinfrastructure
UNCLASSIFIED
Stepstoattribution
FutureWork
• Artificialintelligenceorgameenginestructuretoautomateresponse
• Contextualizeandautomatedatacollectionintotheframework
• Operationalizetheresultantactivity
Questions?
UNCLASSIFIED
Bibliography1• Rid,Thomas;Buchanan,Ben“AttributingCyberAttacks”TheJournalofStrategicStudies,Vol38,1-2,4-37
• RidandBuchananspecificallyareconcernedthatthe“DiamondModel”suggestedbyCaltagirone,Pendergast,andBetzmaybesuspect.
• Boebert,Earl“Asurveyofchallengesinattribution”Proceedingsofaworkshopondeterringcyber-attacks:InformingstrategiesanddevelopingoptionsforU.S.policy,NationalAcademiesPress,2010
• Locard’s ExchangePrinciplefundamentallystatesthattheperpetratorofacrimewillbringsomethingtothecrimesceneandleavewithsomethingfromit.Incybernetworkdefenseexamplesincludemalware,internetprotocoladdresses,logfiles,netflow data,andotherartifacts(https://en.wikipedia.org/wiki/Locard%27s_exchange_principle)
• ScientificMethod(https://en.wikipedia.org/wiki/Scientific_method)
• Catagirone;Pendergast;Betz“TheDiamondModel”,DoDDocumentreleased2013
• Brady,Henry;Sniderman,Paul;“AttitudeAttribution:Agroupbasisforpoliticalreasoning”AmericanPoliticalScienceReivew,Volume79,December1985
• Clark,David;Landau,Susan,“UntanglingAttribution”,Proceedingsofaworkshopondeterringcyber-attacks:InformingstrategiesanddevelopingoptionsforU.S.policy,NationalAcademiesPress,2010
UNCLASSIFIED
Bibliography2• Yamamoto,Teppei;“Understandingthepast:Statisticalanalysisofcausalattribution”,American
JournalofPoliticalScience,Vol0NO0,2011,pp1-20(pre-printcopyused)
• Confirmationbias(https://en.wikipedia.org/wiki/Confirmation_bias)
• Perfidy(https://en.wikipedia.org/wiki/Perfidy)• Falseflagordeceptionoperations(https://en.wikipedia.org/wiki/False_flag)
• USENIXEnigmaConferenceJanuary2016https://www.usenix.org/conference/enigma2016
• BruceSchnier reportsonBruceJoycediscussionatUSENIXEnigmaConferencehttps://www.schneier.com/blog/archives/2016/02/nsas_tao_on_int.html
• USENIXEnigma2016– NSATAOChiefonDisruptingNationStateHackershttps://www.youtube.com/watch?v=bDJb8WOJYdA
• SeeAdversarialTactics,Techniques,andCommonKnowledgehttps://attack.mitre.org/wiki/Main_Page
• Catagirone;Pendergast;Betz“TheDiamondModel”,DoDDocumentreleased2013pages26—30
UNCLASSIFIED
