
Cool, can you all hear me? [unclear] Great. So I normally start this talk with a quote, and generally it's kind of a bit buzzwordy, but it kind of gets the point across. So for BSides I kind of wanted to start it with a question instead. I want to say, well, what do Agent Smith from The Matrix, the Joker from Batman and Darth Vader from Star Wars all have in common? And it's not the idea that they're all from films, it's not the idea that they're all villains, it's the idea that they're all villains with motives and purposes. They all do what they do for a reason, whether that's enslaving humanity in The Matrix or building the Death Star in Star Wars. All of these bad guys are doing something for a reason, and then generally the heroes in these films will use that motive, they'll use that purpose, to destroy the villain, or something along those lines. And that's kind of what offender profiling is about: it's about building a knowledge base on malicious actors, it's about understanding who the bad guys are so that we can better protect ourselves.

So, coming back to that quote, this quote is about pre-emptive security. It's about the idea of doing something now, spending some money now, spending some time now, to help protect ourselves in the future, and offender profiling is a type of pre-emptive security. Offender profiling is all about building that knowledge base, it's all about building that bigger picture behind an attack so that we can better protect ourselves.

I want to break today up into three main areas. I want to talk about what offender profiling is and why it's important. I want to talk about what already exists: some white papers, some research papers that use offender profiling. And then finally I want to talk about where else we can use offender profiling, how we can use offender profiling in security operations, and some practical methods for doing that.

Before I begin though, who am I? Right, well, my name's James Stevenson, and this time last year I was a student at the University of South Wales studying computer security. Before that I was a graduate, sorry, I was an intern at Alert Logic, a cloud security company, and these days I'm a graduate in BT Security. I've also run several websites, jamesstevenson.me and [unclear] hacking.com, and I'm also on Twitter at @_JamesStevenson. That's kind of the boring stuff, right?

So going back to offender profiling: what is offender profiling? I keep talking about it, but what actually is it? As I keep saying, knowledge base: it's all about that knowledge base, and at a very high level we can break that knowledge base down into three main areas. The first area is information on the target, you know, who is the target, the who and the what: are they an individual, a group, are they a government organization? And what was targeted, what asset was specifically targeted? To build that knowledge base we also need some information on the attacker, again the who and the what: who was the attacker, again were they an individual, a group, were they state-sponsored, and what attack vector was used? Finally, to build that knowledge base, to build that profile, we need some general and overall information, and that's when did this attack occur and why did this attack occur. And it's all of that information that allows us to build that bigger picture.

There's an example I like giving for offender profiling, and I'll be honest, I like it because it's simple, it's easy to get our heads around. It's the idea of a DoS attack. So let's say we're protecting a customer's network and they're continually getting DoSed by a Scandinavian hacker group between the hours of 3:00 and 6:00 each day. We can tell our customers, OK, put extra load balancers in place at those times and then for the rest of the day use what you usually have. So here we're using offender profiling, pre-emptive security and some general security techniques to help protect our customers, and that's kind of what offender profiling and attack profiling are all about.

So that's what offender profiling is, but why is it important, why do we need it? Well, this is a quote from the Los Angeles police chief. It's actually to do with predictive policing, but I think it describes offender profiling quite well. It's the idea that we're not getting more stuff, we're not getting more money, we have to use what we have now effectively. And that's the same in security, because security is not the buzzword it once was, it doesn't have the endless budgets it once did. It's all about utilization, using what we have right now, so that if we can spend some money now and spend some resources now using pre-emptive security, then that can help us protect ourselves from something exponential in the future.

So that's what offender profiling is, that's why offender profiling is important, but why is security important? Why would we be here today if we didn't believe security was important? Well, this is a statistic from Have I Been Pwned. If you don't know Have I Been Pwned, it's got a massive online database of breached account credentials: you type your email address in and it tells you if you were part of a data breach. Now this is the amount of compromised accounts that were listed on Have I Been Pwned on the 12th of the 2nd, 2018, and this number is really interesting, right? It's really interesting for two reasons. It's interesting because, well, that's a massive number, but it's also interesting because it shows us security isn't going anywhere. It shows us security's in it for the long haul, because as long as we have things, we have things that can be broken, and as long as we have things that can be broken, we have things that need protecting. So that's why I think profiling is important, that's why security is important.

But what already exists? What are some examples of white papers, examples of research papers that use offender profiling? Well, this is a white paper by Mandiant, probably the first white paper I've ever read, and it's getting old these days, but it's on APT1, a Chinese hacker group that attacked Western organizations, believed to be state-sponsored. This white paper uses offender profiling because it delves into who the malicious actors are, it goes into their motives, goes into their attack patterns, and all in all it builds a bigger picture on who they are and what they do. We've got another white paper here, this one is by F-Secure. This white paper goes into the Callisto group, and again it's quite similar: it looks at who they are, looks at their motives, looks at their attack patterns, and again it builds that bigger picture so that we can better protect ourselves. A final white paper here, this one is slightly different. This one is by McAfee, and this is McAfee's annual threat report. This white paper goes into a whole range of different malicious actors, different motives, different attack patterns, but again builds a bigger picture on all of them. So we can probably start seeing a pattern here, right? Because offender profiling is all about that bigger picture, it's about using the information from that bigger picture to protect us.

So there's some examples of offender profiling in research and white papers, but where else can we use offender profiling? Well, as I said earlier, I worked in a Security Operations Center within a company called Alert Logic for around about a year, and at a very high level we can break a security operations center down into two main elements: we have our customer and we have our SOC, a Security Operations Center. Our customer will have an IDS, an intrusion detection system, a WAF, a web application firewall, or some sort of logging system. They then send those logs to our SOC, and our SOC will have an analyst who will review those logs. They'll say, well, what's actually happening here, is this a false positive, is this a false negative? They'll then write up some form of feedback and send that back to the customer, and that works really well. We get this kind of really good feedback loop: we've got logs, analysis, feedback, and as I said, that works really well. Where that doesn't work as well is generally we're only ever looking at one attack at a time. We might be looking at multiple events or multiple incidents, but generally we're only ever looking at one attack at a time, and the problem with that is we're not looking at the bigger picture, the bigger picture which we said was so important for offender profiling.

So the question is then, could we implement offender profiling into security operations? Well, yes, we could, it's been done. One of the ways we do this is by latching on a framework to what already exists, by latching on a framework for offender profiling into our security operations center. So we take our logs as usual, we analyze them as usual, but then we also start bucketing that information. We say, well, this attack is related to an attack you had a month ago, this attack is related to an attack you had a week ago, and this attack is related to another attack another one of our customers has had. And then when we send that analysis back to our customers as usual, we can send this bucketed information. We can allow our customers to understand what's happening, we can allow our customers to build that bigger picture and to build that knowledge base, and that's really what's important.

So this is Alice. Alice is a security analyst for an up-and-coming security startup. Alice manages a small team of security analysts, and it's their job to deal with incidents from their customers as they come in, and that generally works really well. Alice's job is then to action those incidents, so maybe that's writing up some feedback or maybe that's promoting it or calling customers. I said generally that works really well; where that doesn't work really well is when Alice's team gets swamped by incidents, because the way these attacks are prioritized is based on time: the sooner an attack comes in, the higher a priority it has. So Alice has done some research and she's looked into ways that she can prioritize attacks in her team's security operations center based off elements outside of time. So how can these attacks be prioritized, not just on the time they come in? And these are the methods that we're going to be talking about for the rest of today. So after Alice has implemented these methods, these security techniques, her team can now action these objectives based on their risk, so high-risk attacks no longer get lost in a flurry of lower-risk attacks.

So you're probably thinking, OK James, that's great, surely it's time to dive into some of these methods for offender profiling? Well, not quite. Before we do any of that we have to do something I like to call method zero for offender profiling, and method zero is all about understanding what we're protecting, because at the end of the day we can't protect what we don't know. So as I said earlier on, a website, jamesstevenson.me, that's an asset, that's something I'm protecting. That's its name. Well, its classification: is it high risk, is it low risk? Its description: well, it's a WordPress website running an email server back-end. Owner, custodian: that's myself. And finally the user: that's the public, that's you and I. And again, the reason why we build these asset profiles, the reason why we build these information classifications, is to better protect our assets. Let's say we have two assets, a high-risk asset and a low-risk asset. If we have a malicious character targeting both of these assets, which one do we prioritize? Well, we'll probably prioritize the high-risk asset, right? Because that one's intrinsically of a higher risk. And we'll see how this comes into play later on, but for now we just need to know that to better protect our assets we need to know what they actually are.

So moving on to our first real method for offender profiling. This method looks at the frequency of attacks, and I'm a fan of the name of this method because it actually describes what it's doing, and that's all it does: we're plotting the frequency of attacks. And the way we do this is we take a time frame, so here I think we've got a time frame of around about a month, and whenever we see an attack from a specific malicious actor to a specific asset we increment its frequency. It's not as simple as adding one, there's some maths behind it, but really that's all we need to know. And if we don't see an attack from a specific malicious actor to a specific asset we decrease the significance, we half-life it. So what we end up getting is these peaks and these troughs, and that's really useful because that then allows us to compare malicious actors. So here we can see two different malicious actors: we can see a malicious actor from China in kind of a light blue, and we can see a malicious actor from Russia in a red, and we can see that this malicious actor from China continues to attack the asset throughout this time frame, while the malicious actor from Russia attacks, stops, attacks, stops, and continues. So again, if this was the only information we had, which of these attacks would we prioritize? Well, it'd probably be the malicious actor from China, right? Because that one's far more frequent, it's far more pressing on us or our customers.

So we're going to try a second method for offender profiling, our second method that we can use to prioritize or compare or understand attacks. This method looks at risk. It says, what is the risk of this attack to my or my customer's organization? And the way we do this is we ask several questions and rate them with a score between zero and ten. For those of you that know the OWASP risk rating methodology, this is super similar. So those questions are questions like complexity of attack, ease of discovery, ease of exploit, loss of confidentiality, loss of availability, loss of integrity and so on, and again we rate them between zero and ten. We then take an average of those scores, times them together, and get our overall risk. The overall risk score will be a number in or between zero and a hundred, with the higher the number, the higher the risk. So again, if we had two attacks, one with a risk of seventy and one with a risk of thirty, which of those attacks would we prioritize? Well, it'd be the risk of seventy, right? Because that one again is intrinsically higher and intrinsically has a higher risk.

Moving on to our third method for offender profiling. So here I really didn't want to talk about the cyber kill chain: some people love the cyber kill chain and some people hate the cyber kill chain. For those of you that don't know, the cyber kill chain is a method by Lockheed Martin for analyzing the life cycle of malware exploitations. Generally it works really well, it has several areas like reconnaissance, weaponization, actions on objectives, but it's quite overused. It's generally used across security when really it should only be used in deploying malware. So for this example we're going to be using a far more generic kill chain model for computer security, a model that covers five areas that the malicious actor might undergo as part of an attack, so sections like researching the target, testing infrastructure, actively attacking, actions, which is doing the thing, and then finally covering tracks and planting backdoors. And you might be thinking, well James, that's great and all, but what does that have to do with offender profiling? And the reason we do this is so we can then pin these categories to our malicious actors. We can say, well, at this time and date malicious actor A was in the research stage, while at this same time and date malicious actor B was in the actions stage. So again, if that was the only information we had, which of those attacks would we prioritize? Well, it'd be the malicious actor in the actions stage, right? Because that one was further along in their attack; the malicious actor in the research stage may never get to that.

We're going to talk about an alternate method for offender profiling. This method can be the simplest or it can be the most complex, because it's all to do with asking questions, and the simple answer is we just might not know the answer to them. We ask questions on the target and questions on the attacker, questions like, well, who was the target? Well, that's what we probably do know, but if we know, are they an individual, are they a company, are they a government organization? And questions like, well, why were they targeted? Was this part of a massive reconnaissance attack, was this part of a singular spear phishing attack? Then finally we ask the question of, well, why was this organization targeted, why was company A targeted and not company B next door? We then also ask questions on the attacker, again if we know them, questions like, well, who was the attacker? Were they an individual, a government organization, were they state-sponsored? And do we know their intent: was it malicious, was it financial, was it hacktivism? And then finally, did anything happen leading up to this attack? Was there anything on social media, was there anything on the news, did we receive any threats, were there any new laws or legislation passed? And it's the answers to all of these questions that allow us to answer this final question, and that's: with the knowledge we have now, with the knowledge we have on our target and the knowledge we have on a malicious actor, is this attack likely to continue? Because building a knowledge base is great, looking at the bigger picture is great, but understanding if we are still at risk is far more important.

So moving on to our final method for offender profiling, method 5. This method is called method 5, but really it could be called method 0.5, because instead of looking at offender profiling or attack profiling it looks at offender categorizing, and that's the question: well, can we create a semi-unique identifier, a semi-unique naming convention for our malicious actors that we can instantly glean information from? The way it does this is it breaks that name into four main areas: it takes the location the malicious actor was first seen or is most commonly seen, the date the malicious actor was first seen, the risk score, which is the number we derived earlier on, so that's the number between zero and a hundred, and then finally the last octet of the first seen or most common IP address. And that just gives it its kind of semi-unique identifier, and again the reason why we do this is so we have a naming convention for our malicious actors. Now we could use IP addresses, we could use hashes, we could use MAC addresses; this is just one example of something we could use.

So we've gone through what offender profiling is and how we can use it, we've gone through why it's important, we've gone through examples of offender profiling in research and white papers, and we've also gone through offender profiling and attack profiling in security operations. The real takeaway of this talk though comes in around the next thirty seconds or so, and it's inspired by this quote, because intrusion analysis, security analysis, network analysis, they're far more than the tools we use, they're generally about understanding something. In some cases that might be about understanding an attack, and when that's the case, offender profiling shows us that every attack is orchestrated, every attack has a motive and a purpose, and in better understanding that motive and purpose we can better protect ourselves. So thank you for your time. If you've got any questions feel free to ask me now, come find me afterwards, or as I said, I'm on Twitter at @_JamesStevenson. Again, thanks to all the organizers as well.
[Applause]
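The talk describes methods 0 to 3 only in words, so here is an added worked example (not code from the talk or from the speaker) that models them in Python: the frequency-with-half-life series of method 1, the OWASP-style 0 to 100 risk score of method 2, and a prioritisation that also uses the asset classification from method 0 and the kill-chain stage from method 3. The half-life length, the asset weights, the ranking order and the two sample actors are all assumptions made for the example.

```python
# Added example, not code from the talk: a small model of method 0 (asset classification),
# method 1 (attack frequency with half-life decay), method 2 (OWASP-style 0-100 risk score)
# and method 3 (generic kill-chain stage), used to rank incidents by something other than
# arrival time. Half-life length, asset weights, ranking order and all incident data are assumed.
from collections import Counter
from datetime import date, timedelta
from statistics import mean

KILL_CHAIN = ["research", "testing infrastructure", "actively attacking",
              "actions", "covering tracks"]        # the five stages named in the talk
ASSET_WEIGHT = {"low": 1, "medium": 2, "high": 3}  # method 0 classification (assumed scale)

def frequency_series(event_days, start, days, half_life_days=3.0):
    """Method 1: one point per day for one actor -> asset pair. Each observed attack
    adds 1; on every day the running value also decays with the given half-life."""
    per_day = Counter(event_days)
    decay = 0.5 ** (1.0 / half_life_days)   # per-day factor so the value halves every half_life_days
    series, value = [], 0.0
    for i in range(days):
        value = value * decay + per_day.get(start + timedelta(days=i), 0)
        series.append(round(value, 3))
    return series

def risk_score(likelihood, impact):
    """Method 2: each factor is rated 0-10 (higher = more likely / more damaging); the
    likelihood and impact groups are averaged and multiplied, giving a 0-100 risk."""
    for v in list(likelihood.values()) + list(impact.values()):
        if not 0 <= v <= 10:
            raise ValueError("factor scores must be between 0 and 10")
    return round(mean(likelihood.values()) * mean(impact.values()), 1)

def priority_key(incident):
    """Assumed ordering: kill-chain stage first, then asset class, risk, latest frequency."""
    return (KILL_CHAIN.index(incident["stage"]), ASSET_WEIGHT[incident["asset_class"]],
            incident["risk"], incident["frequency"][-1])

def rank_incidents(incidents):
    return sorted(incidents, key=priority_key, reverse=True)

# Constructed sample: two actors hitting the same high-risk asset over a ten-day window.
START = date(2018, 2, 1)
CN_DAYS = [START + timedelta(days=d) for d in range(10)]      # attacks every day
RU_DAYS = [START + timedelta(days=d) for d in (0, 1, 5, 6)]   # attacks, stops, attacks, stops
INCIDENTS = [
    {"actor": "CN", "asset_class": "high", "stage": "research",
     "risk": risk_score({"ease_of_discovery": 6, "ease_of_exploit": 5, "complexity": 4},
                        {"confidentiality": 7, "integrity": 3, "availability": 8}),
     "frequency": frequency_series(CN_DAYS, START, 10)},
    {"actor": "RU", "asset_class": "high", "stage": "actions",
     "risk": risk_score({"ease_of_discovery": 3, "ease_of_exploit": 3, "complexity": 3},
                        {"confidentiality": 4, "integrity": 2, "availability": 3}),
     "frequency": frequency_series(RU_DAYS, START, 10)},
]

if __name__ == "__main__":
    for inc in rank_incidents(INCIDENTS):
        print(inc["actor"], inc["stage"], "risk", inc["risk"], "frequency", inc["frequency"])
```

With these sample values the Russian actor ranks first despite lower risk and frequency, because it is in the actions stage, which is the comparison the talk makes in method 3; changing the tuple order in `priority_key` changes which signal wins.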