
Hackers hunting Hackers: An open source exercise on APT32

BSides KC · 2019 · 41:31 · 111 views · Published 2019-06
Category: Technical
Style: Talk
About this talk
Even though we’re making progress, cyber security teams seem to always be on the defensive. From tracking breaches after they happen, to hunting active persistent threats, cyber security teams never get a break. Walk with us as we take you down a path initiated as an exercise to actively hunt actor-owned infrastructure associated with APT32. Using name registration data, certificate registration data, geopolitical relationships, and open source TTPs associated with APT32, we will show you how to use open reporting to take it to the enemy.

David Evenden (Vulnerability Exploitation Analyst at CenturyLink)

David Evenden, Senior Cyber Security Exploitation Analyst (Pentest+, CySA+), is an experienced offensive security operator/analyst with over 12 years of active experience inside the Intelligence Community (IC). During his time inside the IC, he learned Persian Farsi, worked at NSA Red Team and was a member of an elite international team operating in conjunction with coalition forces to aid in the ongoing efforts in the Middle East. He works with CenturyLink on the ECS program in conjunction with DHS to aid in the efforts of enhancing the bidirectional sharing relationship between the US Government, local state governments, and commercial entities.
Transcript [en]

all right good morning once again Casey enjoy their first talk we are on track to so you don't have any other announcements really so I ain't gonna do too much opening here David here works at CenturyLink if you don't know much about Kansas City's purity scene since really happens to house a lot of bright minds in security community a lot of the core members of set pasty in fact work at CenturyLink so again a lot of smart folks out there they have been awesome about dedicating their free time to telling us about what it is they know sharing that knowledge and making us all stronger as a result of that so yeah oftentimes we have hackers that are

attacking us and the best to hunt down those hackers then other hackers so without further ado let me do it up the Neyman take it away

today's finite space a little bit about that

basically 2010 you guys have corrected me do a block those can you to those organizations provision for access so we create I think pedals and wrap they're talking to us and then uh monitor policies and

I know and then one through 1005 they only cover down on 23 though

so the sectors that we monitor go across the board from coms Energy Finance give all in the science and interpretation so if you work on any of those spaces all it's kind of where we work where we want you know and this is really to identify organizations or sectors where they went down under

so basically they operate so as you can see there these are all specific threats over here on the left and then you know the the size of the circle is the amount of time to see like where different athletes or actors in that Beach right here in the back we go even further and look at some you know the breach as you can see the because you watch for the the IOC to talk to you here over a certain period of time or the rule to do this when a organization who's going to attack another sector or country or

okay we're going to do it this time because that was in that time whatever it's actually a really big counter on the wall and Bob I think it's kids somewhere on the weekends I can't operate in our war room with mistakes the next month they scheduled

not one operative is going to be performing actions gets every sector every sector and the companies within that sector so some of the ways that we're doing a sort of went through there's once on a little bit quick remarks you're out Valentina you know so that's kind of how great particular about how to use to market for right after you she's so lucky one line on this program about three years ago we had all the stack of data like we got to do it for this guy you can't come on for a fly out of seats why couldn't you know he performing something like advanced algorithms against this DXi we have it we'll be doing a power base you know analytics

against it like I've been doing you know exposure out of the exposed attributable

we're able to do all that we're leading up to

so the way that we pull it there's in gold in active blocking but then extract features that we need that would be Bobo tomorrow we kind of see the way no each model requires specific number of attributes one of the other ways that we're doing those atoms we're seeing known breaches and our second based partners go back to talk with us to say what was like this it was like that and you'd like this will get well database for that and it's called in biotech that we're going to actually take their information that they're getting to us about classified information another side because they're giving this information to us unclassified so not even take these attributes of known

threats apply a buyer attacks platform to it and then release that information back immediate gives web and a new sector to being targeted by this organization like this and be able to point specifically something

or

no it's actually have so these are non share to PPE sports for active groups so this is a 2849 337 approved our hotel Elderwood so these are our key piece that are not shared of any other group which case if you see this we were doing a research project on the collaboration are they sharing with other groups in order to answer is yes but in the class is doing how heroes identified there's actually something on share with anybody no one else in the market is using log on scripts you know the High Court ruling certainty that's going to be 28 walk to that cordon line that made us because other ones are being reported but it is

actually kind of a difficulty along Pacific possible but I already kind of get in the ocean Louis notion of infrastructure they kind of gave out a big report on and sort of PSA toleration with capital gains what they're doing tomorrow so they released specific number of Iowa seeds on them and the infrastructure that they were using to target and different people going to their science so basically what that means is let's just say you have a bunch of victimized infrastructure over here guys on our website

they gain access to this and they put a JavaScript page on that and it feedback from them boom - owned by them and then beat back a few notes so that's our c2 platform that's our victim structure

specifically around the right information information collection white list of targets teacher critical determinant comic strip and then multiple backwards like even further malicious JavaScript design profiling fingerprint each visit that's left to be framework in order to target anyone here okay well is actually

website

we know these are the right answers but we want to be able to do a

lot of stuff

for you but we can actually push it back to the vendor for both sections again so we're going through this

so we actually look at this and it really is

so the way that we are seeing we have Matthew back he addressed these two ideas both with you - different structures so that kind of lead us to believe there may be an announcement to the vendor and not the cycles out and then you know the routing so basically taking this information from the open source report was over here and are we see even a little similar to what we're seeing we're here and for Jax for seeing like this now let's go back to the last four months and see how often we've seen this and how many other web sites these IP addresses that are hackathon infrastructure how many other websites do they talk to you know the profile

information capture back introspection community


but I would say that the answer has actually no pay for the organization

yeah what are your thoughts on MITRE Caldera the post exploitation like simulation

yes how much of the teaching he and I are seeds that you

we are not use any of that so for me to say it right not another information would be alive with the person who have guilty knowledge but none of that would be sitting here we are not so in this case the leveraging of our these four active groups is directly to the open source yes

like that yeah yeah so there are the rabiner topic for our infrastructure and as a writer for a nickel to actually see an h-class so our TV for signature act similar

the coms with

so with question recent years that

less and less space to detoxify things or unclassified things in order so if an organization that we work with how they need from Africa access what we do is we'll submit a downgrade request request about declassify something but he has temporary permission to share with no organization and they can't share so they have you know anybody the reason that this is is not because the official returners don't want to give away it's because of the later time somebody somewhere sitting somewhere

and we represent things that's why

but I'm one contractor half as many conversations as you want to about how when you can also be doing this as well you can do the exact same thing and if you have questions about those want copies of micron advanced algorithms or eg a exposure time race anything like that this is not our stuff


well right now because the way that we're collecting the information from our organizations it is being pushed out on a lot of essentially Express themself beats fortunately are paid for means burn this

before we

you're saying you're saying these are hosted by those organization right yeah so you know you're saying like before giving the information from Microsoft to where we're at that's not really the way we get our information we get it from other organizations and so we could come to Microsoft when see we'll be having this blockage at position Microsoft would have submitted

so service that you're doing for your customers or you doing this on the kindness of your heart for everybody

there

it's outside the scope of our partners value for

well

right

yeah how we collect and identify ROC

so so big question was kept using the eye are you seeing any predictive analytics and blocking for yes that's kind of where our exposure and our malicious infrastructure that's previously planned out so there's no information about it right now that that's that other than it meets every other attributes with known back so as we monitored tore down a key interest yes however on the big sticker on that that's not I would not call that they are or just call that data science machine learning

structure

okay okay

okay sure cappuccino so sorry the answer here it's not me it's a anything 100% I will say that if you think if there's any doubt there's about you're definitely heart their neck that organizations are not going to attack and target the doctor you know the doc out spaces by themselves sometimes you see blanketed you know emails that go out like those are not your targets that's sort of shocking

if you do that in other work or commercial work you do work with the double spaced marker question

in Texas right now

well yes chunsik X I would say for the morning total sort of this issue that don't got funding they don't have a lot of company like Vietnam or 3x there are ensuing money from other people others

the contrast comparisons across the board from the attack hider framework and so I'm seeing like tool sets and anything like that where where we can say hey you know how the world is Pakistan and North Korea the only people using is a really advanced technique we'll go back and wins laughs oh we saw that whether you see it published when we see a huge initially over soft music issue this is not true salvation is used by China like six months ago and now

basically

that would be

correct you know for my understanding with only using CT Hollis

so the utilization of that down to identify threats and not


but I assume you're focusing on the customers that are paying for this because otherwise it's just too much you know you're not going out there and saying oh it's key Mart right whatever are their customer are they paying for this you're actually focusing on the the companies that are that's our pain

so I can't say you literally go back

so you talked a lot about using your positions back Alberta's family fine pardon Africa life are you you source data from other sources like conventional social media to help identify

we

some of the addresses maybe get worse back to the open ports or like things are bad other open-source

you know unfortunately and do that if we're giving back to the know these are the source IP address we solve right in there again providing medication you know I would say based on the information

start getting back again I really know

criterias for what changes right based on the modeling bar so our algorithms based on known rep data from either you know these open source patient's information for people like me from community yeah but you're shutting this callback crime stamp for two hours and then you're applying the right my variable 15 minutes on either side of this you need something that does

so that yes you know we're doing that not good anymore now it's an hour and a half so we'll change over to include 15 minutes and our hackers or ask as we work with other people in the general community while we're talking about ask people contribute information

okay

comeback committee my needles that I handed go back to her life well

you