
Convergence: An Analytical Deep Dive into Foreign Intelligence Activity in US-Based Critical Infrastructure

BSides SATX · 2019 · 21:52 · Published 2019-09
Category: Technical
Difficulty: Advanced
Team: Blue
Style: Talk
About this talk
David Evenden presents a technical analysis of foreign intelligence activity targeting US critical infrastructure using DHS threat intelligence and MITRE's ATT&CK framework. The talk demonstrates how to ingest threat data, attribute techniques to actor groups, identify breaches through anomaly detection, and predict future attacks by analyzing TTP sharing patterns across state-sponsored threat actors.
Original YouTube description

Title: Convergence: An Analytical Deep Dive into Foreign Intelligence Activity in US Based Critical
Presenter: David Evenden (@jedimammoth)
Track: In The Weeds 01
Time: 0900
BSides San Antonio 2019, June 08 at St. Mary's University, San Antonio, Texas

Convergence: An Analytical Deep Dive into Foreign Intelligence Activity in US Based Critical Infrastructure - David Evenden

Abstract: A technical overview of foreign intelligence activity in US Based Critical Infrastructure using DHS ECS/E3A threat intelligence and MITRE's ATT&CK framework.

Speaker Bio: David Evenden is an experienced offensive security operator/analyst with 12 years of active work experience inside the Intelligence Community (IC). During his time inside the IC, he learned Persian Farsi, worked at NSA Red Team and was a member of an elite international team operating in conjunction with coalition forces to aid in the ongoing efforts in the Middle East. He currently works with an ISP and DHS to aid in the efforts to enhance the bidirectional sharing relationship between the US Government and Commercial entities, as well as track foreign intelligence activity in US Based Critical Infrastructure.

Transcript [en]

[Host] Good morning everyone, thanks for coming out to BSides San Antonio 2019, y'all lovely bunch. Just a shout out to a couple of our gold-level sponsors: St. Mary's University, thank you for having us; USAA, Trend Micro, Digital Defense and SANS. So first talk up is going to be David, as you can see based on the slides, and we'll bring them up now.

[David Evenden] So guys, my name is David Evenden, as you see my handle is jedimammoth. I am... and I'm gonna set this down. With time, I'm an offensive intelligence analyst coming from the offensive security space. I started my time up on campus at NSA, these guys right over here, and I've got some really good training, really good background, sort of, you know, produced a good segue for me in the rest of my career. In fact some of the people that trained me and were my top-tier managers, that I still have a ton of respect for, are in this audience today. I'm [not] gonna tell you who they are, but they're here, so I really appreciate that.

They're here and it's actually making me a little bit more nervous, I think, so we'll see. Yeah, good. [unclear] All right, so here we go. What we're gonna talk about today is doing an analytical deep dive of using ATT&CK metrics for foreign intelligence activity and the MITRE ATT&CK framework, to sort of show you how you can go back home and track and perform deliverable metrics for your management, or just to show good use cases for how you can get additional value out of your tracking and hunting. Again, kind of one of the things that we go over from a threat intelligence perspective: we only track foreign intelligence activity, terrorist organizations and highly funded crime syndicates. So if one of you guys were to go home, you know, download Kali, get a Meterpreter session punched into one of the organizations that we cover down for, I don't care, it's not my job, I don't track that, I'm not gonna come find you. No one's gonna come find you, probably, you know, just because a lot of those are gonna get blocked before they even move out of the first, you know, reverse machine. Some of the organizations that we monitor, you guys probably know what those are, different APTs and where they're at geographically. We do this fundamentally for DHS.

Right now they're tracking... actually this is not updated: they were tracking 23 TAs in October, they're tracking 29 TAs right now, which is threat actors. So they don't use "APT", because every single organization for whatever reason has their own names, which is great... it's not, like, it sucks. And so kind of what we're gonna do is we're gonna initially step right into it, we're gonna sort of move in as we're kind of going along. If I say something that doesn't make any sense, or anybody has a bunch of questions, just feel free to interrupt me. This is gonna go pretty quick, but it'll be nice and it'll be pretty engaging if you guys have questions.

So one of the first things we do is ingest into pandas data frames. I mean, if you guys want to see code you're welcome to take a look at it, but it's not gonna help you. You know, kind of the way that we analyze and push down is we tier based on sector, so energy, comms, finance, critical infrastructure sectors, and then every single domain or signature has its own ref ID, and that ref ID is then linked directly to a threat actor: APT28, APT29, so on and so forth. That way when we perform data analytics, put it onto a canvas or Jupyter canvas or anything like that, we can actually get valuable intelligence and start to actually perform some predictive analytics off of that data. We'll touch on that a little bit; that's not really the point of this talk, not predictive analytics, but if you guys have questions after this I'm happy to dive into that.

So as we sort of move into there, and we have that outlined, then we can actually create different types of heat maps. The heat maps will then kind of show you the actor activity within individual sectors. As you look at that actor activity in different sectors, you can go back through and see things like an active breach, for instance. So from here you kind of look at normal activity, and then whenever you have, like, significant outliers, if you know what a breach looks like... Now if you see this type of stuff and you think, "okay, well, this is different than everything else, it must be a breach": no, you need to go back and actually talk to the organization, or if it's your own organization, just verify. You need to verify it's an active breach and what they're seeing is malicious, because it might just be, you know, one of you guys performing analysis and trying to call out to this domain, or, you know, using this piece of malware all the time, and then it's not an active breach. So, you know, talk to your defense teams, don't just [unclear].

But then as we actually push that data back together we can take a look at breach actor attribution. So you know that these domains associated with this activity in this sector is this actor, and again this is really good to be able to push this information back up to your, I mean, managers, anybody who signs your paycheck, for instance. But it's also good for you to kind of know, as you pull apart the TTPs associated with how they're attacking, you kind of know and cover down with what your gaps are. Yeah, just basically kind of be able to cover down what your gaps are and how you need to... sorry, they're talking, it's like really... I'm, like, trying not to listen to what they're saying, but... [unclear] Yeah.

So basically, as you actually experience active breaches, and those TTPs associated with the breach, it allows for you to know what you need to... you know, based on the time series analysis of these active breaches, we were expecting to see another breach between the dates of the 6th and the 12th of April, and sure enough we saw that. Right now we're actually in an active breach time period: we're expecting to see an active breach between the days of June 6th and June 12th in the energy sector, United States. So we've kind of pulled out... we pushed out a call for responses back to that, to kind of say, hey, are you guys actually seeing active breaches, come back and let us know, I mean from the people that we are not covering down on. So if we're covering down on these organizations, obviously we're gonna see that, but just for the rest of the community.

So right now everything we've talked about is the data that we're using within our org, but now we want to do a spot check. So in that spot check we take the TTPs associated with what we know and we tier that against MITRE ATT&CK TTP analytics. So we access this programmatically by pulling the information down from their website; nothing that we do is "I'm gonna go do it manually" or so on and so forth, it's all automated. As we do this data automated, we push the data back into a CSV, and the CSV can start to push together, like, another heat map. So just to kind of explain what this is: this is a heat map of TTPs on the bottom. On the bottom they're actually techniques; they don't store tactics and they don't really store procedures right now, they're only storing techniques. And then on the left-hand side is all of the actor groups that MITRE tracks, and on the bottom is all the techniques. This is not really helpful for an analyst, it's just a cool slide so you guys can kind of see how many there are.

So as we kind of move in, we say how many times do I see a technique used, and how many actor groups are using that same technique. This is kind of where it gets interesting: now we see a pattern of attribution of techniques to actor groups. So they're using, you know, specific techniques, and as we view that type of data we can say, are we seeing any TTPs crossing country lines? You know, we see something used over the course of, you know, a six-month time period, and then this TTP stops, and then this organization starts using it again, right. As we see that we know... let's just say, for instance, we might know that they're sharing relationships with organizations like, I don't know, North Korea and China, for instance. If that were happening we could then take and look and see a TTP used by China; it stopped being used as, you know, it sort of ran its course, and then all of a sudden North Korea starts using it. Now we can actually start to put together a better map of what organizations are using what TTPs, who they're sharing with, because then we can actually say who's North Korea targeting. We're watching China use this TTP and they're targeting this organization, and in six months they're gonna stop using it and North Korea is gonna start using it, and they're gonna start using it to attack whoever their targets are. Now we can perform analysis and be prepared for these types of attacks in these sectors six months before they actually happen.

And so, you know, pulling this data out and monitoring and taking a look at it, we can also do link analysis on the sectors, the actor groups and their TTPs. One of the things that we do out here, for instance: these are all of the unique techniques. So if you see these techniques in the wild, the probability that it's this actor group is really high, because they're not being used right now by any other actor group. But when we look at sort of some of the more difficult techniques and how they're being shared across lines, you know, performing a larger analysis of the actor groups and their geographic location [unclear]. Okay, so here's another thing. Say for instance in the MITRE ATT&CK framework they're hosting pass the hash, and the [unclear]: "pass the hash is only being used by these three actor groups, isn't that great?" Guess what, anybody with Kali is using pass the hash; it doesn't really matter. So now you have to perform some type of severity analysis on how difficult is it to use this TTP. Is it really easy, can everybody use it, is it everywhere? Yes, then just completely take that out; we don't even want that in the map. We want all the things that are really difficult, because now we can actually show, yes, they're using this. So for instance Execution through API: if you're actually performing, you know, attacks through APIs, you're probably a fairly advanced attacker, like there's not a whole lot of people probably running around doing that. WMI Event Subscription, for instance, that is pretty common actually in the last two years. But then we get into, like, Standard Non-Application Layer Protocol and different types of attack like that.

So these are our anticipated potential sharing groups, so, you know, North Korea, Pakistan... actually I got these [unclear], but these are the non-potential sharing groups, so let me go forward then. Okay, so here we go, so these are our potential sharing groups. Like DLL search order hijacking, APT27 and APT10, look at that, they're sharing TTPs. Well great, they're both in China, of course they're sharing TTPs, that's not very helpful. So pass the ticket, for instance, APT15 and Bronze Butler, both in China, like of course they're sharing that, they're probably being trained by the same group. If we go back and we say okay, now these are some of our more questionable sharing things, unknown groups. It's been said in multiple works that MuddyWater and FIN7 might actually be the same group, might just be spin-offs of that top-level group. So as you start to look at their shared relationship of TTPs, and then Cobalt Group, for instance, you know, it becomes kind of clear that they might be sharing not necessarily TTPs but people. There's probably a person going from organization to organization using TTPs and then going back to this group. This again is kind of our non-anticipated TTP sharing, kind of what we're seeing. So Execution through API is being used by APT37, which is North Korea, and Pakistan, kind of a fairly difficult technique to use, and so how in the world is Pakistan using it, and, like, who are they learning from, who are they getting this information from, so on and so forth. You know, APT29 and Leviathan, and then APT3 and Platinum; as we start to see where we don't really know the attribution of the country, doing a little bit more deep dive of what that organization is and who they're using. Yeah, and so...

Sorry, one sec. So as we were able to sort of put this information back together, the tracking and the prediction capabilities of these ATT&CK metrics become easier for us to use in a, you know, four- to six-month time period: I know that they're using this, I know who their targets are, I know where they're going and I know how to stop them. So that was actually... like, this is supposed to be a one-hour talk and that was super quick, but does anybody have any questions at all? Yeah.

[Audience, Wyatt] Hi there, so on this graph here it looks like the x-axis is corresponding to dates; what was the y-axis corresponding to?

[Evenden] Okay, so that's a quick question. Just to clarify here, I'll answer more than what you asked, but the colors in the center are the actor groups; on the left-hand side is the number of hits, maybe not necessarily associated with the same, you know, signature. It might be like, well, these 15 signatures from this actor group are used over this time period, and so those are the number of hits for that actor group in that specific time period. Approximately, let's just say over 40. Yeah, don't tell anybody I told you that.

[Evenden] That's a great question. So his question was, what's the importance of attribution, and why and how can it be used, why is it important? So if we know who the actor groups are targeting and we know that they're sharing techniques, and we see one being used now and we know that they're about to share that technique with another group, we can be six months in advance of knowing: let's shore up on this [unclear], you know, to fight against this technique, because we're about to see it in six months in the energy sector. So for instance DHS, in, what, June of last year, pushed out and said we're about to see an increase in energy sector activity in the [unclear] and US-based critical infrastructure, and then in November, guess what happened, we saw an increase in energy sector activity in the United States' infrastructure. I mean, it was clear. So if we know what they're gonna use, we know where they're going, we know what's about to happen, we can sort of be pre-emptive about blocking it. Does that answer your question? Yes sir. [unclear]

[Evenden] So now you say, yes, that's kind of ongoing, because we've only been doing this for about 18 months; it's hard for us to prove out that sort of analysis. But it is happening, you know: we are not seeing a less mature organization using a TTP first and then giving it to 28; most of the time it's the other way around. But again I can't say definitively that that's actually happening, because every once in a while we see TTPs used at the same time, and so on and so forth, and that sort of skews our metrics. Yep, yes sir.

[Audience] [unclear] Could you elaborate on how you identify that a threat belongs to a particular [unclear], a bigger APT?

[Evenden] Yeah, so that's sort of a section that I left out. So we do this on a program called Enhanced Cybersecurity Services, which is the DHS program, and we only use classified intelligence, so that classified intelligence is immediately linked. So again I can't give that information to you, but that is how we're doing it. But most of the time the IOCs are tied to known infrastructure, and as you know that infrastructure and you pull this information in from known reports, you can actually just create those same columns and then mark the actor group. So you can do the same [unclear] with the data, so you can perform the same analysis with the data that you have; it's just we're dealing with different data sets that are basically the same. Yes?

[Evenden] That's a great question. We actually think that, again, it's people, exactly that: there's a gigantic calendar on a whiteboard somewhere and they're just marking these things down and saying, well, my son has soccer on Friday so I need to do this on Tuesday. Yes sir. That's a great question. Again, we need to be very clear about what we're talking about here: they're not sharing infrastructure, they're sharing techniques. Is that what you meant to say?

Hang on one second, I'm losing about every other word, so can you give him the mic? Okay.

[Audience] Okay, the answer to your previous question: he said that one of the things you use to tie everybody together on the classified level, which we won't get into, is that they use common infrastructure, common technique...

[Evenden] Okay, common technique; that has been my mistake, yeah. No, no, it's great, if I did say infrastructure... Right, yep, exactly right, yep, right. Well, not even generally; if they're sharing infrastructure then that's like a surprise to everybody.

[Audience] Why would a nation-state run so many of these APT groups for the same nation-state? Is it distinguished by target, or...?

[Evenden] That's a great question. I'll try to answer that question generically; if I answer it specifically I'll probably be giving away some of our own stuff, so I'll just sort of do it generically here. Yes, I would say that they have different goals. Some goals are to track this and some goals are to track that. So say for instance if you are working, you know, in Langley and then up in Maryland, those two groups are gonna have different goals, and guess what, Russia probably has a [unclear] group of names for us, and there's two of them, so it just sort of makes sense. Yes?

Yeah, he's just [repeating] for everybody here what the question is, so wait, you get the mic. Next question, yes sir.

[Audience] Hey, so you had mentioned that you used pandas, a little bit of Jupyter; could you talk a little bit more about the tech stack that you find yourself working with day in and day out?

[Evenden] Did you say the tech stack?

[Audience] Like, you ingest with Jupyter notebook, that's using pandas; is there anything else that you find useful to do this type of analysis?

[Evenden] So now we'll kind of get into the conversation where I'm honest with everyone, and I'm not a data scientist. So, you know, learning how to use pandas, and, you know, learning how to use, you know, nested expressions and even the Jupyter canvas, for instance, numpy arrays and everything like that: I know how to use them now, but if you were to say, can you use this more advanced, can you use this in a different way, the answer to the question is absolutely no, I have no idea. You know, we have a couple of other folks within our shop at CenturyLink that help me do this, and they're a bunch of PhD, really smart people, and I say, "hey, I need to make this make sense", and they say, "have you tried this yet?" I didn't even know that was a thing, so no, I haven't tried that yet, and then I go and I do that. If you have more questions about that specifically, you know, feel free to tag my handle and hit me up, and I'll put you in contact with the people who know the answers to those types of questions, who, again, is not me. Any other questions? Cool, thanks so much guys. Okay, it's good, 30 minutes back, you guys...
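The technique-sharing analysis the talk describes (count how many actor groups use each ATT&CK technique, drop the commodity techniques anybody with Kali can use, keep the unique ones as a strong attribution signal, and flag technique overlap between groups from different countries, including the case where one group's use of a technique tails off months before another country's group starts using it) is easy to reproduce on your own data. The block below is an added example written for this page; it is not the speaker's code and it does not use DHS or MITRE data. Group names, their country labels, which group uses which technique, and the sighting dates are all constructed for illustration; only the technique IDs follow the pre-2020 ATT&CK IDs for techniques the talk names (T1075 Pass the Hash, T1038 DLL Search Order Hijacking, T1106 Execution through API, T1084 WMI Event Subscription, T1095 Standard Non-Application Layer Protocol, T1003 Credential Dumping). It uses only the standard library so it runs without pandas or Jupyter.

```python
"""Technique-sharing analysis in the style of the talk: unique, commodity and
cross-border shared techniques, plus time-ordered 'handoffs' of a technique
from one country's group to another's. All data below is constructed."""
from collections import defaultdict
from datetime import date
from itertools import combinations

# Constructed sample: group -> (country, set of ATT&CK technique IDs).
# Group names, countries and technique assignments are invented; the IDs are
# real (pre-2020) ATT&CK technique IDs only so the output reads naturally.
GROUPS = {
    "GroupAlpha": ("CountryX", {"T1075", "T1038", "T1106", "T1084"}),
    "GroupBravo": ("CountryX", {"T1075", "T1038", "T1095"}),
    "GroupCharlie": ("CountryY", {"T1075", "T1106", "T1084"}),
    "GroupDelta": ("CountryZ", {"T1075", "T1084", "T1003"}),
}
# A technique used by this many groups or more is treated as commodity and
# dropped from the map (the talk's pass-the-hash point). Assumed threshold.
COMMODITY_THRESHOLD = 4

# Constructed sightings: (group, technique, date). GroupAlpha's use of T1106
# ends in June and GroupCharlie (another country) picks it up in December.
SIGHTINGS = [
    ("GroupAlpha", "T1106", date(2018, 3, 5)),
    ("GroupAlpha", "T1106", date(2018, 4, 20)),
    ("GroupAlpha", "T1106", date(2018, 6, 10)),
    ("GroupCharlie", "T1106", date(2018, 12, 12)),
    ("GroupCharlie", "T1106", date(2019, 1, 8)),
    ("GroupAlpha", "T1084", date(2018, 5, 1)),
    ("GroupCharlie", "T1084", date(2018, 5, 3)),  # simultaneous use, not a handoff
]


def technique_index(groups):
    """Invert group -> techniques into technique -> set of groups."""
    index = defaultdict(set)
    for name, (_country, techniques) in groups.items():
        for tid in techniques:
            index[tid].add(name)
    return dict(index)


def classify(groups, threshold=COMMODITY_THRESHOLD):
    """Split techniques into unique (one group: high attribution value),
    commodity (>= threshold groups: remove from the map) and shared."""
    unique, commodity, shared = set(), set(), set()
    for tid, users in technique_index(groups).items():
        if len(users) == 1:
            unique.add(tid)
        elif len(users) >= threshold:
            commodity.add(tid)
        else:
            shared.add(tid)
    return unique, commodity, shared


def sharing_pairs(groups, threshold=COMMODITY_THRESHOLD):
    """Pair up the groups using each non-commodity shared technique and split
    the pairs into anticipated (same country) and non-anticipated (crossing
    a country line), which is the set worth an analyst's attention."""
    _unique, _commodity, shared = classify(groups, threshold)
    index = technique_index(groups)
    anticipated, non_anticipated = [], []
    for tid in sorted(shared):
        for g1, g2 in combinations(sorted(index[tid]), 2):
            pair = (tid, g1, g2)
            if groups[g1][0] == groups[g2][0]:
                anticipated.append(pair)
            else:
                non_anticipated.append(pair)
    return anticipated, non_anticipated


def technique_handoffs(sightings, groups, min_gap_days=30):
    """Find techniques whose last sighting for one group precedes the first
    sighting for a group from another country by at least min_gap_days.
    Returns (technique, from_group, to_group, gap_in_days) tuples."""
    spans = defaultdict(dict)  # technique -> group -> [first_seen, last_seen]
    for group, tid, day in sightings:
        first_last = spans[tid].setdefault(group, [day, day])
        first_last[0] = min(first_last[0], day)
        first_last[1] = max(first_last[1], day)
    handoffs = []
    for tid, by_group in spans.items():
        for g1, g2 in combinations(sorted(by_group), 2):
            for src, dst in ((g1, g2), (g2, g1)):
                gap = (by_group[dst][0] - by_group[src][1]).days
                if gap >= min_gap_days and groups[src][0] != groups[dst][0]:
                    handoffs.append((tid, src, dst, gap))
    return handoffs


if __name__ == "__main__":
    unique, commodity, shared = classify(GROUPS)
    print("unique:", sorted(unique), "commodity:", sorted(commodity))
    anticipated, non_anticipated = sharing_pairs(GROUPS)
    print("anticipated sharing:", anticipated)
    print("non-anticipated sharing:", non_anticipated)
    print("handoffs:", technique_handoffs(SIGHTINGS, GROUPS))
```

With the constructed data, T1075 is dropped as commodity, T1095 and T1003 come out as unique to one group each, the GroupAlpha/GroupBravo overlap on T1038 is anticipated (same country), and T1106 shows a 185-day handoff from GroupAlpha to GroupCharlie, the pattern the talk uses to prepare a sector for a technique months before the second group turns it on the sector. The same functions run unchanged on a real technique index built from the ATT&CK STIX data, once you supply your own country labels and a threshold tuned to how many groups ATT&CK lists for genuinely commodity techniques.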