Everybody's At It But Why Aren't We? - Raj Samani

over to you my friend oh thank you so much hopefully you can all see the screen um so I'm just going to get started Sam I can't see you in Newcastle so if there's a problem please just let me know and I'll I'll kind of reboot the computer or or the rout or something so today what I want to talk about well for those of you that might be fans of Lily Allen May recognize the T the title of the talk everyone's at it so why aren't we what I want to do is actually talk about the prickly subject of attribution because if I was to ask you or rather if you were to tell people

what you do as a living they'll turn around and say well the hackers are all coming from this country aren't they and if I was to do a poll to the audience and say where do you think most of the attacks are coming from chances are you'd probably mention Russia you'd probably mention China you'd probably mention North Korea basically you'd start to list the countries that have red flags uh no pun intended but the reality is is if we start to think about what's actually happening out there in the world today literally everyone is at it and a really good case study for that was actually demonstrated by citizen lab a couple of years back now we're really

lucky because the work that was being done by citizen lab really showcased the offensive cyber operations being done by countries that you wouldn't automatically assume that are carrying out such acts and I'm going to show you some of their reports and of course this is taken from the finfisher and the hacking team breaches because remarkably when these organizations were breached the criminals because that's effectively what they were they effectively disclosed all of the information about the customers that these organizations have had and and these organizations were certainly providing tools that could be used for surveillance purposes or other nefarious purposes but like the countries that we have listed aren't the countries that you automatically would assume are the

ones that effectively they don't have red flags I mean you know actually I don't know what the flag from Mongolia is but you wouldn't have classers in the same category as say for example some of the other nations that we think about and that the reality of the world that we live in today and by the way this is from 2015 and 2014 so the likelihood is that we've seen or certainly we anticipate the use of of digital or cyber effectively we would call it but we've seen an increase in the use of that compared to physical Warfare and there was an amazing report done by the Department of Defense on North Korea I think it was like the

early 2010s 2012 and they basically made the assertion that they were witnessing and seeing the growth and rise in in digital means for for Warfare because it provides the government the opportunity to be able to have non-repudiation in other words like in the words of Bart Simpson you can kind of shrug your shoulders say it wasn't me and in the digital realm that's the reality that we live in because actually doing true attribution is and certainly only through technical means is actually almost impossible now that doesn't mean that we can't sit and actually make really good highly confident assertions about who we believe to be to be behind these attacks but that's not quite what's happening today and of course we

have to acknowledge the fact that there are literally so many nefarious threat actors out there and and many of whom are kind of intermingling so this this kind of economy that's occurring today in which very technically capable individuals are are are effectively guns for hire and those guns for hire are switching between you know AP groups or switching between you know criminal organized criminal groups really with a purpose of for them getting paid but ultimately serving the purpose of their pay masters and this was kind of recognized actually throughout industry for some time now where and this is actually from cyber reason but the nation states are now using private companies to carry out operations and of course these groups do

have an incredible level of sophistication um I was on the well I am on the board for the European cyber crime Center EC3 and uh the head of EC3 trolls Zing back in actually a few years ago now actually made the assumpt made the assertion that there are organized criminal gangs today that have a higher level of capability in sophistication than most nation states and that's the reality that we live in is that those slides and and some some of you may have seen slides today where you kind of see you know the category of hacker I hate the word hacker but they say category of hacker they say strip Kitty they they've got criminal gangs and they've got

nation states and they've kind of got a sophistication line going kind of like inferring that actually nation states have the most level of capability I mean that's [ __ ] right and and anybody that puts that kind of slide up today really needs to kind of rewind and go back to 2010 and use those slides then and not use them anymore because it's a very very fluid environment and we see and we witness individuals switching very very quickly and it's such a fluid space that actually making those assertions I would argue can be really quite dangerous and detrimental and so the world that we live in today we've got this attribution roulette and and you could argue that

actually the attribution rouette today is based upon on really flimsy indicators I mean you know I've seen there was one particular case that I thought was remarkable in which they looked at the source IP address of the intrusion and the source IP address was coming from China and then they turned around and said yeah the attack is coming from the Chinese government other examples we'll witness is just purely using the time in which criminals are actually accessing an environment or yeah it's criminals right whether they're nation states or criminals it's the same thing and you can't just use single indicators as an indic as a as a suggestion as to who the attributor is or who's behind

the source of the attack and and whilst it's been okay in the past whil fine it's been great for for generating and creating PR you know getting certain companies the opportunity to be able to stand up on BBC News moving forward it's not really going to be an option uh and in part because the whole industry is basically going to be turned on its head with one decision and that decision isn't coming from us as the cyber security Community or from law enforcement for that matter it's actually coming from insurers and I want you just to think about this for a second because there's no question that that cyber insurance as a as a risk

mitigation approach is is viable but if you can think about it for a second if you as a company have paid like incredibly large premiums and those premiums are being used to kind of offset the potential impact of an attack against your environment and all of a sudden the insurer turns around and says yeah but it came from a nation state and that entire policy is completely void or certainly that claim is completely void it's going to leave you in a really difficult position but of course the question you've got to ask yourself is well how are Lloyds going to determine what a nation state attack is I mean you know like Lloyd is an

incredible insurer but last time I last time I heard they weren't doing you know they weren't reversing Mau and determining the likely attribution or source of a particular attack and and you've seen this just recently I think it was this large shipping company that actually had their insurance um denied because it was asserted that it came from a nation state and of course they took the insur to court and ultimately won but you know do you really have the time to go through that and so as we begin to move forward as we begin to get over Co but like you know really deal with a scenario in a world in which attribution really matters there is a risk that insurers

may just look and look at the headlines on the register or look at the headlines on Zedd net and just say yeah that particular attack came from a nation state and and it's not just a simple case of saying well you know if it's spnr it's an AP group and ransomware it's not because actually large nation state groups actually do ransomware attacks and you might remember w a cry in 2016 that was asserted by the doj to have come from a nation state so if you suffered an impact through one AC cry and you had insurance today that wouldn't be covered and certainly wouldn't be covered if you had an insurance policy like this and that

ultimately is the challenge that we face and so what I want to do today is really kind of walk you through uh an incident that I actually um worked on but kind of walk you through how how we've done it or certainly I've done attribution and some of the things that we should be thinking about if we're going to make these assertions because actually making these assertions are important and some of you may be sitting there thinking well why the hell would you you know some bloke sitting in a Garden Room in London like be the right person to be making claims around you know an an entire nation carrying out attacks against an organization and so

what I want to do with you is just kind of share with you the reason why I think it's important and fundamentally the steps in the methodology or certainly a set of steps in methodology that can be used and leveraged and the example I want to give you is and I think I published this but I can't remember I couldn't find it so I might not have but there was a case in which I got called in it was in 201 21 it was early 2021 and the phone call I got was we think that there's been an intrusion inside our Network and uh at the time I was like well how do you know and they was like

well we're seeing some strange traffic in our in our environment and at the time it like it wasn't even raised by the ceso it was just a sock operator and of course the question was I I was working for a software company at the time a vendor at the time and they're like well you should have stopped it so get that a lot by the way and so the we kicked off an investigation we started to undertake or go through a set of U like identifying and and and and analyzing logs really with a view to try to understand what was happening and what we found actually was really remarkable because the attack itself based upon the analysis that we found

actually started in 2015 in fact what was remarkable about this particular case was that under normal circumstances you'd make the assumption that the adversary would basically you know wipe everything and leave no Trace that they were there but what happened in this case was they were actually in the environment from 2015 and because they hadn't been detected like I mean we're talking about seven or six years at the time because they hadn't been detected they just didn't bother cleaning up and and that was I mean that was actually a first for me I've got to be honest uh and actually as we began you just as an FYI but as we beg to do additional deep

analysis and additional deep dives into this it actually turned out that actually they' been compromised from 2014 but at the time it wasn't even on the cesos radar like it was it was it was just at the sock level and as we began to do analysis what we found was actually it was it was an internet server on the DMZ that had been compromised they' obviously managed to gather credentials and they' maintained and implemented multiple persistence mechanisms inside the environment now this has never happened before but obviously a we had the logs but what was really phenomenal was we were able to find a compressed folder in in one of the servers and that compressed folder was actually being

used to submit and transfer information to an infrastructure that we believe to be owned by the Mustang Panda Group which is an AP group based out southeast Asia now I'm not saying it was definitely Mustang Panda just based upon infrastructure but the data that we found in the XO folder was like like TLP Red Data like like because this was a defense contractor and they were providing information and support for the Department of Defense for that country I'm not saying it was the us but for that country and so now all of a sudden we're kind of dealing with a scenario in which actually we've got State secrets being exfilled to an infrastructure being hosted by another nation and it was at

that point we kind of said look we need to get with a CIO we need to get with the c we need to share with you what we've actually found and the really scary part was I was like look and this was January and I said look the truth of the matter is is that we found uh the initial entry Vector we found some persistence mechanisms inside the network but what we need and you're not going to like this is we're going to need to keep them in your network and like this was like freaking them out because at this point the CEO had been called um and by by kind of February March the prime minister's

office had been notified I mean it became like a major major issue and and there was like well look all we want you to do is throw them bad guys out and I said look if you do that if you if you don't if we don't sit and monitor what's happening in the environment and find out all of the persistence mechanisms they're not only going to come back but the are they'll come in and torch the environment and you know when we did the bank of Taiwan investigation what we found was actually they were using ransomware as a vehicle to to wipe uh all traces of the threat actor activity so we were really concerned we said look

if you don't keep the bad guys in the network for at least at least six to eight weeks then we're not going to find the additional persistence mechanisms and of course this was like remarkable but they actually agreed to allow they actually allowed us to do that so we actually sat there like watching these thread actors come inside the environment drop tools steal data but actually allowed us to gather information and so by the time March came around we were able to do a Golden Ticket reset like like delete all of the back doors and actually like touch wood we've not heard of the thread actors come back and and again but you know the

time I would say our attribution was probably a little flimsy at the time initially but what we began to do was we began to look at all of the complete all of the various different indicators and Assets in the environment and we were able to determine who the likely threat actor was and what that enabled us to do it enabled us to actually have the discussion at the CEO level so then we could make a decision and a discussion around can you allow criminals inside your network to continue to steal State Secrets I mean that literally was the qu that was the ask that we had of them but because we were able to say look you're

dealing with a with what we believe to be a state um and if you don't do this this is what they are capable of that's why attribution was so imperative with regards to this discussion because if we hadn't done that and if we hadn't given them some indication as to the likely threat actor you can bet that the sock analyst would have said just throw them out and then the state would have come back in and WIP wiped out the entire environment I will say my recommendation was to completely torch the network um and re build it from scratch that wasn't something they were willing to do so they weren't completely listening to everything I told them and so as we

begin to kind of think about well okay how are we going to be able to determine attribution how are we going to be able to do this you know one of the things that that that we that we do constantly is you know we'll look at the the mitro attack techniques and we map these mitro techniques a set of ttps tools taxes and procedures and allocate those to specific threat groups and so in this instance what we were able to do is say hey look you know this the ttps inside this particular environment correlate to this particular threat group the other thing that we were able to do and and I think like obviously this is this is the

obvious part but obviously we get the the malare samples we analyze the back doors and the other thing actually which I think is really key is you know doing a source code analysis on the malware and looking at Clear overlaps between other attributed uh samples that we may have again begins to contribute towards that kind of picture that we determin to be attribution and of course we can look at the times that thread actors get in and like I know I I know I was pretty rude about this particular me methodology but like but like if you add it and contribute towards it then of course this does help and of course this particular time zone

was um oh my gosh it's asking me to update soon not now all right so of course that does do begin to contribute towards that assertion where we had look at the times we look at the bway we look at the infrastructure we were also able to look at look at the X4 data and that then allows us to basically determine who we suspect is behind this um can I just say by the way if you are uh a an an AP uh criminal or you're working on behalf of an of a state you don't really do many hours I mean realistically you only really do like three days work a week um and I kind of looked and we kind

of joked afterwards and I said blind me you know like like you got to say they really achieve a good work life balance if you are working on behalf of a of a nation state because I mean realistically you're kind of shutting off at 5:00 pm on most days and you're not really doing much on the weekends but again you know like that was tongue and cheap but it does begin to kind of paint a picture and if we map this out and we kind of say well okay what does this actually look like we can kind of look at the challenges that we face but fundamentally you know it's all of the above it's all of the intelligence and

challenges that we have so what does this all mean and and and and how can we begin to do this well unfortunately from an investigative perspective our work has become a lot more difficult than it ever has uh as I said like I'm on the um the European or Euro's European cyber crime Center H Advisory Board and within that we published the the ioa report and I would say that that is a tremendous report it's actually written by EC3 we have contribution from from industry of course but it is a it is a EUR it is a law enforcement report um ictor is in um internet organized crime threat assessment report and what was remarkable was they actually talked

about the challenges that they face in conducting investigations and one of the challenges that we all face now because of gdpr is who is this basically gone dark and so look I I acknowledge that that you know criminals won't register domains in their own name like I accept that but from a metadata perspective it's the first thing we always do and now with who is going dark of course that's not really that's not really a viable option as the first step in fact you've got to submit um an mlap which a mutual legal assistance treaty in order to be able to get the data but law enforcement have to do the same as well so one of the things that I think we

need to be thinking of as an industry is like with such a fragmented industry with such a fragment we actually we'd rather we'd rather attack each other on Twitter then we would kind of get together and work and find out ways that we can actually stop things like who is going dark and so like one of the things that I'd like the messages I'd like to get across is yeah attribution is really difficult um but not impossible but what what I'd love to be able to do is like we as an industry need to be more collaborative and actually that's part of the reason why I wanted to do bsides because bsides to me is one of those

communities where actually it is a supportive community and it is where we're kind of working together and looking to collaborate together and so like my ask is as we kind of move forward like let's continue to in that Spirit of collaboration because I'll tell you from a privacy perspective they they really work well together which is why we've seen you know laws that are protecting the privacy of individuals which is great but the unintended consequences it also protects criminals as well and so let me share with you what kind of we do today and but that there's no product pitch here I can promise you none at all um so obviously within my team we we run the Metasploit

framework and some of the tools that you can use and some of the tools that you can access obviously you all know Metasploit it's it's free to use the framework is completely free to access we've got like it 4 and a half thousand modules that are freely accessible we also provide um a scanning Technologies this is all available free of charge you can access this if you wish and we also run our honey pots and you know the way that we currently doing attribution today and not like absolute attribution but the way that we're determining the context of an attack today is we have our honey Poots sitting there listening to connections those honey Poots are

gathering ttps and ioc's which are then backed and analyzed against our threat act library and that then determines who we suspect to be likely behind specific attacks that context we then use to support law enforcement and other operations now not quite yet but what I will say is that all of this data will be accessible and available for you free of charge so um if you bear with me I'll I'll post it on Twitter and and so forth when we're ready but you know we are making this information available to you as as researchers as academics in order for you to be able to to understand what's happening in the threat space but also to to secure your

own environments and again this is all free of charge so please bear with me I'm I'm like a couple of weeks into the new role so but but we are going to be making all of this data available under open data um I kind of I'm going to pause actually I'm going to go to the last slide well I can't actually because it's not working and my laptop's frozen fantastic let's try this okay let me try again sorry share screen that's embarrassing um no that's not working all right it looks like Chrome has completely crashed on me no it's not okay looks like Chrome is completely crashed on me let me try that again let me see if I can share

that once more um I really only had one slide and then what I want to do is kind of get into a Q&A but also I'd like to give you uh I'd like to make available okay there we go and so the last slide that I'd like to really say here is is that um you know one of the things that like I think is really important from us as like a as a company that is actually does have the Telemetry is we are making as much of this information available to you so you know from our from our met exploit teams obviously you got access to the modules you got access to in-depth exploitability analysis through

attacker KB we publish the intelligence report so we analyze things like known time to time to known exploitation of vulnerabilities and of course all of the critical details around emerging threat response all of this we've made available for you please you know um let me know if there's more that we can do to help you as the community like our our competition isn't other vendors our competition our criminals and quite frankly we need to work and collaborate together to do everything we can to stop them because look you know I kind of co-founded no more Ransom in 2016 and like the whole reason for that is because we live in a world in which you

know an you know a clinician can open up an email and a hospital will no longer be able to provide patient care like that to me is just a scenario in a world in which is just unacceptable so let's work together let's find ways to collaborate and like I said reach out and um we'll start to make all of this information and and content available for you and like I said you've got Metasploit you've got attack kbam we've got Velociraptor like all of these tools that have freely accessible we will continue and you have our commitment to continue to provide that to you okay I'm going to pause um and open it up for Q&A Sam I'm

assuming that like that internet didn't crash and I haven't been talking to myself over the last kind of 20 25 minutes um and I do have a book to give away as well but it's an old book but like I thought would be nice to just kind of provide that so I'm going to shut up for a second and uh see if you're all still there hello can you hear us Raj I can indeed yes excellent thank you very much that was an amazing talk uh I cannot believe that you can't just look at the IP address or something and decide to blame an entire government you've rocked you have rocked my world but but you know the crazy thing

was so there was a there was um there was an admittance from a UK law enforcement agency that said publicly if we see that the IP address of an of a Cyber attack is coming from China we won't investigate it because it's just too difficult and that was publicly admitted by a law enforcement official and it doesn't surprise me at all but shocking that they would admit it does anyone have any questions for oh wait thanks Raj that was brilliant um question I had right at the start you sure the report from Finn Fisher and you sort of showed the global map of the customers um of that tool in particular and you pointed out that sort of The

Usual Suspects weren't on that list do you think that's because the usual suspects just aren't using those tools and they're doing absolutely everything in house or is do you think there's something else behind that yeah so there's definitely a capability Gap um you know some of the smaller nations are definitely Outsourcing but many of the larger nations would have their own capabilities and there is a LP red briefing that I have in which we've actually mapped out you know one nation's entire cyber offensive capabilities and tools and teaming I mean it's like some of them are really good like they've got entire teams dedicated to ENT entire teams like like creating faking tin profiles and fishing

people all of the time I mean some of these nations have like in fact um I think it was the dod reference to North Korea who basically said they're actually investing in cyber as opposed to traditional Warfare because it's more cost effective and non-repudiation so actually yeah some of these nations that I referred to right at the beginning have have have really cap really really frightening capabilities thank you very much any other questions oh oh hello you um on the qu on the question on the investigation that you discussed and the importance of attribution in going to the CEO um how much would you say there's a likelihood for chasing for an attribution to go to a CEO with that

kind of conversation in mind um well actually I think um and here's the scary thing I think it's I think it's always required because the the sad reality is is what we do as as an industry is we are devoid of context you know if if you think about the logs if you think about everything that we can we stop and we see there's no real context as to what's actually happening and when we're talking to the business then they desperately need the context around making those business decisions and you know for us for for me if we hadn't been able to provide that context I wouldn't have got to the CEO they would have basically said well you're

just going to like like like you know close off the initial entry vector and then and you know we found about 8 to 12 different back doors after that and they had 84 compromised credentials so we didn't even know that at the time so I I I would say that like determining context wherever you can is imperative in every investigation in every case the challenges is that we just don't have the time and resources to be able to provide context on everything but like I think that's the challenge we face as an industry because you know how many alert like when when we were at Intel I think we had some something ridiculous like millions of alerts a day and we just

didn't have the time to understand the context behind those Millions a day so that's the challenge that I think we face is taking those millions of alerts and getting it to like the five or six that you really want to focus on that are probably more critical but like that's the challenge is how do you get context scale thank you very much rise yeah I think uh context this isn't technical as well I mean when you're dealing with alerts and stuff it's the what does the company do especially if you don't work for that company and you're coming in as a a person like a remote sock or a remote instant responder it can be

really oh yeah it's fine we've seen this a million times close it down sort of thing whereas you don't realize one other their customers is and it's a supply chain attack so uh context behind everything doesn't really matter whether it's technical or like a social thing is always super important any other so let me share with you a quick story so um I had to do an investigation against a company that had a sod K attack which is the reval group uh the ransomware group and I mean I got like pters they're like you know you didn't protect us your crap like I mean I got so abuse and so I was like okay well what we did was I I got

the team we actually did some work with law enforcement on on disruption of an IDP shop and we actually found their creds available for sale in this IDP shop and I went back to the CIO and I said well with all due respect I said they gone in through RDP 11 months ago you ignored the alert and your password for your for your for your web facing RDP system was Welcome 123 and like and so like context to me is imperative but the amount of work that had to go into that was was was was not insignificant but that's the challenge that we face is is that like I I think you know organizations see it as binary like

you're protecting me or you're not but actually our our our challenge is to provide the kind of the bin in between um and I will tell you that was the most enjoyable conversation I've ever had in my career yeah I've had a couple of them myself it's awesome while you're trying not to smile we' got another question am I on am I on hello you're not on where's the question where's the question where's the question question all right I have a question but I will also give contacts contexts at the end of the question um my main question is what in your uh can private companies in your professional opinion give uh accurate attribution and the

reason I asked this is about a month and a half I was uh at the UN in Geneva and uh the deputy minister of information security uh was very angry at the un uh for having private companies participate in the summit and it was his opinion that only governments should be doing it and and um I I believe he also told off the UN and stormed off and cursed at some people um so that's the context you can't do this without us that might sound like the most arrogant thing on the planet but it like like if you think about infrastructure today infrastructure today by and large is hosted by private companies um you know the Telemetry of

global attacks are hosted by by private companies H you know so it has to be a public and private thing like there is no other way and you know like one of the first takedowns I did with europol was the bbone botnet and that was a true public and private partnership you know we had law enforcement agencies from across the globe we had private sector companies doing analysis tracking the threat we had NOS like Shadow server doing the sink holing I mean it can't be done with like it can't just be done with private sector it can't just be done with Nos and it can't just be done with you know with with with public

sector and I think you know politicians that that I mean you hear this all the time like oh we're going to build our Our Only Internet just for us or we're g or you know we're going to ban encryption and like wake up you know like that's it's not we're in the 20 first century you know it's just I keep forgetting what year we are cuz i' kind of like I think Thanos has like stolen three years from me but like you know we're in 2022 and like modern policing modern law enforcement and digital crime has to be a collaborative has to be a collaborative effort and like a great example of this is I always say like look at no more

Ransom you know no more Ransom was at the time when I was with McAfee kasperski National high-tech Prime unit in the Netherlands and Euro and Amazon and Barracuda agreed to host it for us and we've prevented I think 10 million downloads of 3D cryptos and that could not have been done just by us or just by law enforcement so I'd love to speak to that individual that stormed out I would have to speak to that individual oh more questions I think I'm on now as well I I'm on okay over to you um uh it was in the United States about uh 2 or 3 years ago they were starting to propose laws about actually um hacking back or

attacking back on um criminal organizations or even nation states what's your view on that sort of approach I I mean well I I I guess a lot of it depends upon the infrastructure or or or really the attribution that you've done of course you know there is likely to or po there is the potential of the risk of you attacking somebody that didn't have anything to do with it um and so there is there is that risk but look I personally I think you know I my my opinion is is that we we need to set an example and I think actually carrying out offensive operations um I I think from private sector's perspective that's not what we

do I think if governments want to do that then more power to them so you know I'm not in a position to say what government should be doing but from a private sector perspective that's not what we do and in fact there was um I was at a conference recently and there was a there was a CEO of a company who stood up and said to the audience Yeah we actually do hack back and I was like well that's actually criminal but if you feel comfortable enough to say it publicly then go ahead but I I don't think we should do it and in fact I did a I did a piece with the Cyber peace

Institute on following the Ukraine and Russia War around the dangers of we as individuals doing hack back or hacking operations against the Russian state so I I know it's controversial but what I would say is that that blog is still up there and it kind of articulates My Views but I don't think we should be doing it I think if governments want to do it or and intelligence agencies want to do it then that's up to them but for me I I I I wouldn't and it's legal so don't do it a spiky question man it's a spiky question though but yeah look you know we we're there to defend that is our that is our

role we're there to protect we're there to defend we're there to educate we're there to enable that is our role um it is not to go and arrests it is not to out people it is not to dark it is not to you know bring down infrastructure because it suits The Narrative that is our role and um I look forward to being flamed [Laughter] later awesome what great start to the day everyone big round of applause for Raj samani hey Sam I have a question for the audience and I'm willing to give away one of one of the books that I wrote in the past um I'm a huge Sam Fender fan and I know Sam's um from from the

Northeast can somebody in the audience tell me what canny chant means CU it's in his um lyrics with 17 going under and I have no idea what it means and there is a book in it for you the first person that come up with an answer CH KY Cher Just a person that KY Chan you wants to try something off I'm G to say let me put you on microphone Steve it's it's just a person that wants to try something on thank you very much Sam if you can share the contact details I will with Steve and get a book out to him in the next week fantastic love it m all right that's brilliant thank you

again so much my friend that was awesome um we very much appreciate your time so U there we go We're Off to the Races keynote one in the bag thank you byebye cheers [Applause] Raj