
Hi everybody, my name is James Stevenson. For those of you that don't know me, I'm a student at the University of South Wales studying computer security; I'm actually graduating next month. As well as that, this time last year I was an intern at Logic, a cloud security company. I also run a blog where I do news, reviews and things along those lines. I'm telling you this so that later down the road you can understand the decisions I've made and the conclusions I've come to.

So why are we here? Well, most presentations start with a quote, right? So we've got one here. This is by IBM, and it's a bit buzzwordy, but what it's pretty much saying is that we need to stay ahead of the threat; we need to look at new techniques, new methods. This one is specifically talking about preemptive security. Now, preemptive security is the idea of doing something now, spending some money now, doing some research now, to help protect ourselves in the future. So offender profiling is a type of preemptive security, and offender profiling is what I'll be talking about today.

I'm going to split it up into a few sections. I'm going to talk about what profiling is, right? I'm going to talk about why it exists and why we have it. I'm also going to talk about what already exists in the field, so some white papers, some tools and things along those lines. I'm also going to talk about what I've been doing the past year: as part of my Bachelor of Science I've created a framework that allows us to profile malicious actors.

But before that, what is offender profiling, right? I keep talking about it, but what actually is it? So offender profiling is the idea of looking at a hacker, looking at a malicious actor, and figuring out what they're doing, looking at their motives, looking at their patterns, figuring out that an attack isn't just one thing, figuring out that multiple things are linked. Now, an example I like giving for offender profiling, and I'll be honest, I like giving it because it's simple, it's easy to get our heads around, is a DoS attack, right? Let's say we're protecting a customer and they're getting continually DoSed by a Norwegian malicious actor, right, a Norwegian hacker group. We can look at our customer, we can use some offender profiling to look at: okay, when are you getting attacked? Let's say they're getting attacked with a sustained attack each day between one and six, and for the rest of the day in dribs and drabs. We can then tell our customer: okay, put extra load balancers in place at that time, and for the rest of the day have what you usually have. So here we're using preemptive security, we're using offender profiling, to help protect our customers. So that's what offender profiling is.

But why is it important? Why do we do it? So this is a quote from the Los Angeles police chief, and it's actually to do with predictive policing, but it's a great example of offender profiling. What this quote is saying is: we're not getting more money, we're not getting more stuff, we have to use what we have now effectively. And that's what security and offender profiling is all about. It's the idea that security is less of a buzzword than it once was; there are no more endless budgets for security. We have to be doing that small stuff now, spending that little money now, and utilizing what we have to help protect ourselves in the future. So that's why offender profiling is important.

But why is security important? We wouldn't be here today if we didn't believe security was important. So this is a stat from MalwareTech, and it's to do with WannaCry. I checked it this morning and it's almost double that, or actually more than double that. It says that over 283,000 devices were compromised with WannaCry. Now, that's interesting for two reasons. It shows us, yeah, security is changing, right? WannaCry was a massive leap, and so were many more less publicized attacks. But it also shows us security is not going anywhere; security's in it for the long haul. And that, paired with the idea that we need to be looking at new ways to protect ourselves, we need to be looking at preemptive security, offender profiling, really come hand in hand. So that's why security is important, that's why offender profiling is important.

But what already exists, right? What are some great examples of this? So this is a white paper by Mandiant, and it's probably the first white paper I ever read, and it's on APT1. Now, APT1 are this Chinese hacker group that target Western organizations, and this is a great example of offender profiling in a white paper. It talks about their motives, talks about their attack patterns, what they do, and is a great example. I've got another one here, this one by F-Secure.
This white paper goes into the Callisto Group. Again, it looks at patterns, looks at motives, looks at how people act the way they do. Again, we've got one by McAfee; this is McAfee's annual threat report, and it goes into different malicious actors, different attack patterns, and is a great example of offender profiling. So those are some white papers, right, those are some white papers that exist.

What about tools and techniques, right? What about those? So most people know about this: the Cyber Kill Chain by Lockheed Martin. This is a model broken up into seven sections, not necessarily to do with offender profiling, but it can be used for offender profiling. So we can look at reconnaissance, we can look at weaponization, actions and objectives, and really understand where in an attack a malicious actor is. It really allows us to understand that bigger picture. Another one here, the Diamond Model, breaks an attack up into four sections: you've got the adversary, the capabilities, the infrastructure and the victim. And again it's there to make people know that an attack is more than an IP address; an attack is an individual, a group, a machine, and it really allows you to understand that bigger picture.

So it does beg the question, right: if all of these great white papers exist, all these great techniques exist, why did I decide that I needed to spend a year out developing a framework for offender profiling? And the answer is twofold. The first part of this answer is quite simple: it's the idea that these aren't perfect, right? The Diamond Model isn't perfect, the Cyber Kill Chain isn't perfect, these white papers aren't perfect. The second part of this answer comes from experience. As I said, I worked in a SOC; I worked in a SOC for about ten months. Great company, great organization and great people. However, for this example I'm going to be taking it very high level, right? We're going to talk about a SOC as if it was an ideal world. Now, sadly, it isn't. So the way this ideal SOC works is we have twofold, right, we've got two main entities: we've got our customer and we've got our SOC. The customer has an IDS, an intrusion detection system, something along those lines, and they send traffic to the SOC. In the SOC we have an analyst. That analyst is going to look at the attack and go: okay, well, what's happening here? Is this a false positive? Is this a false negative? And then they're going to send remediation back to the customer. And that works really well, right, for getting quick remediation to customers. Where it lacks, however, is it's not insightful data. We're not really comparing things; we're taking every attack as a one-off, and that shouldn't be the case, right?

So let's add something to this. Let's add a framework that allows us to profile these malicious actors, that allows us to understand an attack is bigger than one event. And here, while the SOC has that data, where they're building that remediation, let's take some of that attack data, let's shove it through a framework, and let's create a profile of the malicious actor that we can give to the customer as a one-off report. We can give it to the customer with the remediation so the customer really understands what's happening to them, as well as fellow analysts, right? If analysts have that information about the attack, they can make better decisions. So that is why I set out to create this framework.

But I keep talking about this framework; what is it, right? So primarily it's a framework for profiling malicious actors. Again, a bit buzzwordy, so what does that mean? Well, it's a framework broken into seven sections, sections like significance of an attack, longevity of an attack, understanding things like the likelihood, risk, impact, all of these things connected to an attack. It asks questions like: what tools were used in the attack? Did they leave any calling signs? Are they likely to attack again? Questions like this that can be answered at a high level or at a low level, can be given to a customer, can be given to a security analyst, or can be given as an executive summary or a technical report. And that diversity in how this framework works really allows you to look at that bigger picture of an attack, but look at what you want to look at, understanding that you can use one of these modules, you can use all of these modules; it really has that diversity.

Now, today I'd love to spend hours talking to you about all of these modules. I'd love to talk about the pitfalls, the strengths of them. Sadly we don't have the time. What we do have the time for, however, is to talk about one of these modules: to grab one of these modules and to talk about how this module allows you to look at the bigger picture, how offender profiling as a whole allows you to look
at that bigger picture.

Before I dive into one of these modules, I do want to talk a bit about data. So this module, sorry, this framework, is completely manual at the moment; it's all done by hand, so I could give you a book and you could pretty much go through this framework. As well as that, the way it collects data, the way it aggregates malicious actors, at the moment it's all done by IP, and I'll tell you why that fails in a little bit. Before that, though, this module, right. So this is a spreadsheet where I took data from a honeypot I was running, using one honeypot network, and I shoved it into it, and this module specifically creates graphs like this. And the way this module works, it looks at significance of an attack, and the way it works out significance, it says the longer an attack is, the more significant it is. Now, that's not always the case, but it's a good baseline. So the way this works, we say: okay, if multiple events occur in a time frame, let's increase the significance. It doesn't quite double, but we'll say it doubles. And then if events don't occur in a time frame, let's half-life it, let's decrease it. So we get these peaks and we get these troughs, and that allows us to start comparing data, that allows us to start going: are these events related? Are these events connected? And that really allows us to see that bigger picture. And that's what this framework is all about; it's all about seeing that bigger picture, understanding for yourself, your customers or your team the bigger picture of security, and that's what it set out to do.

But it does have its flaws. These are a few of the flaws I picked out myself, and a few of my friends and peers have shown me some of these. Like, as I said, SOCs don't work that way; they're not that simple. You have SLAs, customers not understanding remediation. If I'm using that as an example, surely I should be using something else. Again, I used a DoS because a DoS is easy to explain; if I go further, to more complex attacks, they're harder to get your heads around, and my head as well. Aggregating by attack: so, as I said, if I'm looking at a malicious actor and I'm saying if he has the same IP, or she has the same IP, then it must be the same person, and that's not the case. What if they're using a proxy? What if they're using a Tor exit node? That could be multiple people. Correlation does not imply causation: that's an interesting one. What that's pretty much saying is the opposite of what this framework relies on. This framework says: okay, well, if something equals something today, then surely it should equal the same tomorrow, and that's not the case; attackers can't really be predicted. And then finally, risk just isn't that easy to work out. Just because you define something as low risk doesn't mean it is.

So do I think the framework does what it set out to do? Yes, it can be used for profiling malicious actors, but it's not perfect, right? It would be unfair of me to say the Cyber Kill Chain wasn't perfect, it would be unfair of me to say the Diamond Model and those white papers weren't perfect, if I didn't say my own model wasn't perfect. But then again, nothing is perfect. Just like offender profiling, where you should be looking at multiple attacks, you should be understanding the bigger picture, security is the same: you can't just use one technique, one model, even one framework; you have to be using a myriad of these. And I think this quote summarizes that quite well: the idea that intrusion analysis isn't just about one tool, it's not just about one technique, it's about much more than that. And I think that actually fits quite nicely with the idea of the conference, which is about sharing is caring. I think that summarizes it quite well.

Now, I've got quite a lot of time left, but that is the end of my talk. As I said, I've been James Stevenson. If you have any questions, feel free to ask me now, come find me afterwards, or, as I did say, I also have a website, so you can also find me on that. Thank you.

[Applause]
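The significance-over-time module the talk describes (events inside a window push the score up, roughly doubling it; quiet windows let it decay with a half-life, giving peaks and troughs to compare) can be sketched in a few dozen lines. The block below is an added example written for this page; it is not the speaker's framework or spreadsheet. It goes a little beyond the talk by adding a peak finder and a clustering helper that answers the "are these events related?" question by splitting the event stream wherever the score has decayed below a floor. The one-hour window, one-hour half-life, the rule that any non-empty window counts as activity, the 0.25 floor, and the list of honeypot-style event times are all assumptions chosen for the example, not values from the talk.

```python
"""Toy significance-over-time scorer: an added illustration, not the speaker's framework.

Assumptions (none come from the talk): one-hour windows, a one-hour half-life,
any non-empty window counts as activity, and a cluster floor of 0.25.
"""
from collections import defaultdict
import math


def bucketize(event_times, window=1.0):
    """Group event timestamps (hours since the start of the log) into fixed windows."""
    buckets = defaultdict(list)
    for t in sorted(event_times):
        buckets[int(t // window)].append(t)
    return buckets


def significance_series(event_times, window=1.0, half_life=1.0, horizon=None):
    """Walk the timeline window by window and return [(window_start, score), ...].

    A window with activity doubles the running score and adds its event count;
    an empty window decays the score by 0.5 ** (window / half_life).
    """
    if horizon is None:
        horizon = (max(event_times) + window) if event_times else window
    buckets = bucketize(event_times, window)
    decay = 0.5 ** (window / half_life)  # per-window factor when nothing happens
    score, series = 0.0, []
    for b in range(int(math.ceil(horizon / window))):
        n = len(buckets.get(b, ()))
        score = 2.0 * score + n if n else score * decay
        series.append((b * window, score))
    return series


def find_peaks(series):
    """Local maxima of the series: the peaks the talk compares across events."""
    peaks = []
    for i in range(1, len(series) - 1):
        prev_s, (t, s), next_s = series[i - 1][1], series[i], series[i + 1][1]
        if s > prev_s and s > next_s:
            peaks.append((t, s))
    return peaks


def cluster_events(event_times, window=1.0, half_life=1.0, floor=0.25, horizon=None):
    """Split events into runs of related activity.

    Events stay in the same cluster while the decaying score remains at or above
    `floor`; once it drops below, the next activity starts a new cluster.
    """
    buckets = bucketize(event_times, window)
    series = significance_series(event_times, window, half_life, horizon)
    clusters, current = [], []
    for b, (_, score) in enumerate(series):
        if b in buckets:
            current.extend(buckets[b])
        elif current and score < floor:
            clusters.append(current)
            current = []
    if current:
        clusters.append(current)
    return clusters


# Constructed sample: hour offsets of honeypot hits from one source, not real data.
SAMPLE_EVENTS = [1.0, 1.2, 2.5, 3.1, 10.0, 11.4, 20.0]

if __name__ == "__main__":
    series = significance_series(SAMPLE_EVENTS, horizon=24)
    for t, s in series:  # crude text version of the peaks-and-troughs graph
        print(f"{t:5.1f}h {'#' * int(round(s)):<12} {s:.3f}")
    print("peaks:", find_peaks(series))
    print("clusters:", cluster_events(SAMPLE_EVENTS, horizon=24))
```

Running it on the constructed sample gives one tall peak for the four hits in hours 1 to 3, a smaller one for the pair at hours 10 and 11, and a lone bump at hour 20; the clustering helper separates those three runs because the score decays below the floor between them. The same caveat the talk raises applies here: grouping by source IP treats a proxy or a Tor exit node as one actor, so the clusters say "these hits arrived together", not "these hits came from one person".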