UNCLASSIFIED
Cyber Attribution: Campaigns and renegades
Dr. Samuel Liles

Caveats
The following represents my research over many years, and none of it was done while I was a federal government employee. While every effort has been made to ensure accurate portrayal of events within this presentation, some details may be omitted due to the research topic. Opinions, conjecture, or observations are those of the presenter and should not be construed to be official policies or opinions of The Department of Homeland Security, The Federal Government, or the companies who provided primary and secondary source materials. A bibliography at the end of this presentation covers past and current discussion on the topic but is not an exhaustive treatment of the topic.
Abstract
Attribution of adversaries is a key point in a risk management approach to cybersecurity. This is an art left to the intelligence and law enforcement communities. Unique methods are explored that result in determining and defining a cyber adversary. This discussion is a result of the collision between application, science, and art, where a multi-disciplinary approach produces a comprehensive result.

Goals
• Identify and characterize attributive techniques that are scientifically valid
• Where validity is not possible or the scientific method does not support attributive techniques, determine the viability of other methods
Risk Research (diagram)

Threat Research (diagram)

Exploitation Research (diagram by Sam Liles)

Tracking an Adversary in Time and Place by vulnerabilities (diagrams by Sam Liles)
Rosetta Research (diagram by Sam Liles; concepts supported by work of Ronald Kurtz)

Rosetta Research: the same intrusion read through four frameworks
• Cyber Kill Chain: Reconnaissance → Weaponization → Deliver → Exploitation (Boom) → Installation → Command and Control → Actions on Objective
• NSA TAO: Reconnaissance → Initial Exploitation → Establish Persistence → Install Tools → Move Laterally → Collect, Exfil, Exploit
• MITRE ATT&CK: Persistence, Privilege Escalation, Defense Evasion, Credential Access, Host Enumeration, Lateral Movement, Execution, C2, Exfiltration
• DNI Cyber Threat Framework
  - Layer 1 stages: Preparation, Engagement, Presence, Effect/Consequences. Preparation and Engagement are pre-execution actions (external actions before intrusion); Presence and Effect/Consequences are operational actions (internal actions "after intrusion").
  - Layer 2 objectives, Preparation: Plan Activity; Conduct Research & Analysis; Develop Resources & Capabilities; Conduct Reconnaissance; Stage Operational Tools & Capabilities; Initiate Operations
  - Layer 2 objectives, Engagement: Deploy Capability; Interact with Target; Exploit Vulnerabilities; Deliver Payload
  - Layer 2 objectives, Presence: Control; Hide; Expand; Refine Targeting; Establish Persistence
  - Layer 2 objectives, Effect/Consequences: Deny Access; Consume Resources; Alter/Manipulate Computer, Network, or System Behavior; Extract Data; Destroy HW/SW/DATA; Enable Other Operations
Adversary Research (diagram by Sam Liles)

Is attribution that simple?
Source: Attribution of cyber adversaries, http://selil.com/archives/6791
Attribution
An event happens; the time to reach each level of attribution grows from Possible to Probable to Provable, and the investigation switches back and forth between levels.
• Possible (political): abductive reasoning, the most reasonable explanation given current evidence. Evidence: motive, means, opportunity.
• Probable (technical): deductive reasoning. Man -> Mortal; Socrates -> Man; therefore, Socrates -> Mortal. Evidence: IOCs (IP, hash, URL, method, time, etc.).
• Provable (forensic): inductive reasoning. Given water is wet, if I am wet, it is likely water. Evidence: crypto, non-repudiation, multi-mode sensing, direct observation.
(Diamond Model figure: meta-features Adversary, Timestamp, Phase, Result, Direction, Methodology, Resources, Evidence Required; vertices Capability, Infrastructure, Victim.)

How do we analyze an intrusion?
Source: Luke in the sky with diamonds, https://www.threatconnect.com/blog/diamond-model-threat-intelligence-star-wars/
Steps to attribution
• The Diamond Model is a graphical representation of an intrusion but not of attribution
• Attribution is the summation of an investigation
• Prepare a set of facts characterized by time/date/event/DNI framework
• Events have a victim (defined by business type, mission, category), a capability deployed by an adversary, and an infrastructure, both of which are indicative of IOCs
• Memory, disk, and network evidence of compromise are categorized by DNI framework, type of compromise, and time of compromise (even if a window)
• Each event may have several stages of compromise, depicted as threads within one victim infrastructure, which become a unique pattern of TTP
• Infrastructure of the adversary is identified through IOCs
• Adversary infrastructure deployed against one victim is a starting point for further investigation of adversary capability
• IOCs are used to pivot through the adversary network (IPs to domains, SSL certificates, ASNs, associated physical/logical locations, passive DNS to locate other infrastructure/victims)
• Determine the time window for each compromise (DO NOT stack multiple events because it is easier)
• When fusing classified intelligence into unclassified attribution, admit magic happens; utilize the known answer to back into the unknowable solution, but be wary of this
(Diamond Model figure: meta-features Adversary, Timestamp, Phase, Result, Direction, Methodology, Resources; vertices Capability, Infrastructure, Victim.)
Some background: https://selil.com/archives/6791

Steps to attribution (thread diagram)
Stages down the side: Preparation, Engagement, Boom, Presence, Effect/Consequences. Four threads across: Thread 1 (Victim 1), Thread 2 (Victim 1), Thread 3 (Victim 2), Thread 4 (Victim ?). Events A through F are placed in the threads by stage, and the links between them are:
• A & C are the same victim
• B & D are the same victim
• B & C share the same attack infrastructure
• C & D saw the same capability
• D & E & F saw the same attack infrastructure
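The two "Steps to attribution" slides above describe a procedure: record each compromise as a Diamond-model event with its own time window, stage it against the DNI framework, link events that share a victim, capability or infrastructure, and pivot through adversary-side indicators to find other infrastructure and victims. The following Python is an added example that is not part of Dr. Liles' slides; the `Event` class, the function names and the six sample events (modelled on the A through F links of the thread diagram, with constructed victim names, tool names and C2 hostnames) are all assumptions made for illustration. It goes one step beyond the slide by making the pivot transitive and by refusing to follow a shared-victim link on its own, since two intrusions at the same organisation are not by themselves evidence of the same adversary.

```python
"""Diamond-model event linking, threading and pivoting (constructed example)."""
from dataclasses import dataclass
from datetime import datetime
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

# DNI Cyber Threat Framework Layer 1 stages, in intrusion order.
STAGES = ["Preparation", "Engagement", "Presence", "Effect/Consequences"]


@dataclass(frozen=True)
class Event:
    """One Diamond-model event: a capability deployed over infrastructure
    against a victim, observed within its own time window (never merged)."""
    event_id: str
    victim: str
    stage: str
    start: datetime
    end: datetime
    capability: FrozenSet[str]      # tool / malware identifiers (constructed)
    infrastructure: FrozenSet[str]  # C2 hosts, domains, IPs (constructed)

    def __post_init__(self) -> None:
        if self.stage not in STAGES:
            raise ValueError(f"unknown stage {self.stage!r}")
        if self.end < self.start:
            raise ValueError("event window ends before it starts")


def shared_features(a: Event, b: Event) -> Set[str]:
    """Which Diamond vertices two events have in common."""
    links: Set[str] = set()
    if a.victim == b.victim:
        links.add("victim")
    if a.infrastructure & b.infrastructure:
        links.add("infrastructure")
    if a.capability & b.capability:
        links.add("capability")
    return links


def link_events(events: List[Event]) -> Dict[Tuple[str, str], Set[str]]:
    """All pairwise links, keyed by (id, id) in input order."""
    return {(a.event_id, b.event_id): shared
            for a, b in combinations(events, 2)
            if (shared := shared_features(a, b))}


def threads_by_victim(events: List[Event]) -> Dict[str, List[Tuple[str, str, datetime, datetime]]]:
    """Per victim, events ordered by framework stage then start time.
    Each event keeps its own window: windows are never stacked."""
    groups: Dict[str, List[Event]] = {}
    for e in events:
        groups.setdefault(e.victim, []).append(e)
    return {v: [(e.event_id, e.stage, e.start, e.end)
                for e in sorted(evs, key=lambda e: (STAGES.index(e.stage), e.start))]
            for v, evs in groups.items()}


def pivot(events: List[Event], indicator: str) -> Dict[str, Set[str]]:
    """From one adversary-side indicator, follow shared infrastructure and
    capability transitively. A shared victim alone is deliberately not followed."""
    by_id = {e.event_id: e for e in events}
    reached = {e.event_id for e in events
               if indicator in e.infrastructure or indicator in e.capability}
    frontier = list(reached)
    while frontier:
        cur = by_id[frontier.pop()]
        for other in events:
            if other.event_id not in reached and \
                    shared_features(cur, other) & {"infrastructure", "capability"}:
                reached.add(other.event_id)
                frontier.append(other.event_id)
    cluster = [by_id[i] for i in reached]
    return {"events": set(reached),
            "victims": {e.victim for e in cluster},
            "infrastructure": set().union(*(e.infrastructure for e in cluster)),
            "capability": set().union(*(e.capability for e in cluster))}


def _t(day: int, hour: int = 0) -> datetime:
    return datetime(2016, 3, day, hour)


# Constructed events following the thread diagram's links: A & C same victim,
# B & D same victim, B & C same infrastructure, C & D same capability,
# D & E & F same infrastructure. All names and hosts are invented.
SAMPLE_EVENTS = [
    Event("A", "Victim 1", "Engagement", _t(1), _t(1, 6), frozenset({"dropper-x"}), frozenset({"198.51.100.7"})),
    Event("B", "Victim 2", "Engagement", _t(2), _t(2, 3), frozenset({"loader-y"}), frozenset({"c2-one.example"})),
    Event("C", "Victim 1", "Presence", _t(3), _t(9), frozenset({"rat-z"}), frozenset({"c2-one.example"})),
    Event("D", "Victim 2", "Presence", _t(4), _t(12), frozenset({"rat-z"}), frozenset({"c2-two.example"})),
    Event("E", "Victim 3", "Presence", _t(6), _t(8), frozenset({"loader-q"}), frozenset({"c2-two.example"})),
    Event("F", "Victim ?", "Effect/Consequences", _t(10), _t(10, 2), frozenset({"exfil-w"}), frozenset({"c2-two.example"})),
]

if __name__ == "__main__":
    for pair, shared in link_events(SAMPLE_EVENTS).items():
        print(pair, sorted(shared))
    for victim, thread in threads_by_victim(SAMPLE_EVENTS).items():
        print(victim, [(i, s) for i, s, _, _ in thread])
    print(pivot(SAMPLE_EVENTS, "c2-one.example"))
```

Pivoting from the constructed indicator `c2-one.example` reaches B and C directly, D through the capability C and D share, and E and F through the infrastructure they share with D; event A is left out because its only tie to the cluster is a shared victim, which is exactly the distinction the slide draws between victim-side and adversary-side evidence.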
Future Work
• Artificial intelligence or game engine structure to automate response
• Contextualize and automate data collection into the framework
• Operationalize the resultant activity

Questions?
Bibliography 1
• Rid, Thomas; Buchanan, Ben. "Attributing Cyber Attacks". The Journal of Strategic Studies, Vol. 38, No. 1-2, pp. 4-37.
  - Rid and Buchanan specifically are concerned that the "Diamond Model" suggested by Caltagirone, Pendergast, and Betz may be suspect.
• Boebert, Earl. "A survey of challenges in attribution". Proceedings of a workshop on deterring cyber-attacks: Informing strategies and developing options for U.S. policy, National Academies Press, 2010.
• Locard's Exchange Principle fundamentally states that the perpetrator of a crime will bring something to the crime scene and leave with something from it. In cyber network defense, examples include malware, internet protocol addresses, log files, netflow data, and other artifacts (https://en.wikipedia.org/wiki/Locard%27s_exchange_principle).
• Scientific Method (https://en.wikipedia.org/wiki/Scientific_method)
• Caltagirone; Pendergast; Betz. "The Diamond Model". DoD document released 2013.
• Brady, Henry; Sniderman, Paul. "Attitude Attribution: A group basis for political reasoning". American Political Science Review, Volume 79, December 1985.
• Clark, David; Landau, Susan. "Untangling Attribution". Proceedings of a workshop on deterring cyber-attacks: Informing strategies and developing options for U.S. policy, National Academies Press, 2010.

Bibliography 2
• Yamamoto, Teppei. "Understanding the past: Statistical analysis of causal attribution". American Journal of Political Science, Vol. 0, No. 0, 2011, pp. 1-20 (pre-print copy used).
• Confirmation bias (https://en.wikipedia.org/wiki/Confirmation_bias)
• Perfidy (https://en.wikipedia.org/wiki/Perfidy)
• False flag or deception operations (https://en.wikipedia.org/wiki/False_flag)
• USENIX Enigma Conference, January 2016: https://www.usenix.org/conference/enigma2016
• Bruce Schneier reports on the Bruce Joyce discussion at the USENIX Enigma Conference: https://www.schneier.com/blog/archives/2016/02/nsas_tao_on_int.html
• USENIX Enigma 2016, NSA TAO Chief on Disrupting Nation State Hackers: https://www.youtube.com/watch?v=bDJb8WOJYdA
• See Adversarial Tactics, Techniques, and Common Knowledge: https://attack.mitre.org/wiki/Main_Page
• Caltagirone; Pendergast; Betz. "The Diamond Model". DoD document released 2013, pages 26-30.