
Okay, um, they told me my notes would be in front of me; they're no longer in front of me. I just want to tell you that I'm speaking here today because I was at my first BSides in 2017, and I'm giving back to the community, because I love a community that shares what it learns and teaches each other. So I want you all to be here, hopefully sooner than five years from now, speaking yourselves. So, wait, that was supposed to be... let's see if we can get it to work. Okay.

So, my talk. I'm really glad it followed on the one before, because the one report is a huge amount of information, and I think one of the challenges in cyber security and analysis is the fact that there is just so much information, and we're all fishing in the same sea, but we're all looking for something different. In other words, a person who's working for a cyber security company is looking in that information for one thing, and a person who owns a regular company and needs to defend their company from malware like you just saw needs different information, and they're all looking in the same place, and people who are working on cyber policy for governments are looking for other information, but we're all looking at the same data. So the question is: how do you take that massive amount of information and make it accessible for all these different uses?

So there are a number of different models; this is a chart of only three of them, of which I'm speaking about the Diamond Model, which was actually developed by three researchers, I believe in 2013, and their intro discussion of their model was over 45 minutes. But don't worry, my talk is 20 minutes in total, so you're getting the Cliff Notes version. Come back here... okay, I guess these are out of order.

So the Diamond Model basically uses a diamond, and there are at least two levels to it. The first level is that each corner is one of the four major pieces of data that you're looking for when you have a breach, and that data is: who got hit, who got hurt, who did the hurting; capabilities is how they did it; and the infrastructure is by what means did they do it. Actually, okay, the capability is what you have to defend from, or what the attacker has to use to attack with, like the malware, for example. I think we just skipped again. Okay.

So once you have the information... first of all, one of the things that the Diamond Model shows you, even though it looks very simple, is that it's a place to hang all that information. It's a way to organize it and show you what information you have and what information you're still missing, what you need to look for. Once you have that information, then you can start working with the Lockheed kill chain and start figuring out what's going on, what happened, what really happened, and what you need to do to keep it from happening next time. So although it started with one simple diamond, each diamond represents an individual event. So what you have here is: now that you've figured out what they did, how they did it, how they're going to possibly use it again, you can now then look and plan and think how can we defend against this. So now that you know what you're at least looking for in a forest, the question is now what do you do with it. Okay.

So this is a one-minute introduction to the actual breach that I'm going to show how you use the Diamond Model for, assuming I can get it to play. Thanks. Okay, so you don't get the video.

So the one thing that I missed on the diamond is the second level of the diamond, which is actually the axes. The vertical axis is the victim and the attacker, and the question is what's their relationship: were they attacked for a specific reason, or was it a random attack? And then obviously the second axis, from right to left, is your technology, all the technology that was being used.

So the WhatsApp breach occurred in 2019, and you'll be happy to know that it was very quickly fixed, but what it was was the ability for an attacker to send an SMS to a WhatsApp... or actually, they called a number on the WhatsApp app, and even if the recipient didn't answer, it still installed the malware on their cell phone, and it was used to track and harass a number of people, and allegedly one person was killed by a government agency from Saudi Arabia as a result of being attacked through this breach. Okay.

So again, the reason I wanted to... the victims were clearly... the clients were those that bought a software called Pegasus from a company called NSO, which happens to be an Israeli company. I believe, I'm pretty sure, it still exists, and it sells software, it exports software, to companies that it claims are vetted and approved by the Israeli government. The WhatsApp app made it very clear that there are a number of these clients, and in particular Saudi Arabia was the first one identified, but since then China and India have been implicated as well. And so the victim of this particular breach was all the people that these governments want to target, and obviously when WhatsApp filed in US court against NSO they listed themselves as the victim, but they weren't really the victim; the victim was their users, who were attacked and harassed and eventually some of them killed. So the capabilities was the Pegasus software, which is actually a group of pieces of malware, not just one particular item, and it was obviously deployed through the WhatsApp mobile infrastructure, and it worked on all of them: it works on Android, it works on iPhone, and it worked, back then, on people still using BlackBerries. Okay, so we discussed the victim, and we discussed the adversary, so the capabilities I also mentioned was Pegasus. Okay, we got through that. And the infrastructure was, as we said, your mobile phone and your mobile phone provider.

Okay, so now what do you do with all the information? As we saw in the previous talk, as we've probably seen all day, there's just so much information; what do you do with it? So it depends on who you are and what you need it for. It can be used for making government policies, it can be used for figuring out how to defend yourself, it can be used for figuring out how to attack, if that's what you do. And so what I chose was cyber policy. I chose cyber policy because I'm a dual US citizen; I served in the US Army in maintenance and worked for the FAA critical infrastructure, and I now live here. So for me I was very interested in the political implications of such a multinational attack, and as you can see, several of those major questions are: who gets to decide who gets to buy this? Obviously people in the US weren't too happy. And the question is who can export to where.

So I don't know why this... this should have been... one of the other things you can do, as I discussed when I showed you the diagrams, is this: the Lockheed kill chain using the same information. And one of the reasons this is very helpful is because, as you can see, it's really obvious what information you have and what information you're missing, and the kill chain basically tells you the point of no return: at what point in your analysis, and at what point of an attack or a breach, can you still defend, and at what point is it too late. Yeah, this all sounds very simple, but when you've got massive amounts of information the question is how do you organize it, and that's what the Diamond Model was designed to do, to organize this, and only once you have your analysis do you know what you're really looking at.

So the political-social analysis is actually usually done on three levels: on the organization level; on the state, national, multinational level; and the level of transnational, which most people would probably refer to as international. So on the organizational level, obviously we have a number of Israeli companies who produce cyber defense software. I don't need to say that there are a number of places in the world that create malware, and the offices of both those companies many times have direct contact, not through government agencies, not necessarily asking governments for permission, but they have direct contact and direct relations to sell their software to whoever they feel like. The question is, should that be the case, should that not be the case? Okay.

On the national level, every country obviously has different laws, so the question is, what's good for one country may not be good for another country. The US is not very happy with people spying on their citizens; on the other hand, they have been caught doing it several times. Right now in Germany there are new laws authorizing major surveillance of their people, and the EU in general has increased their privacy and other cyber security requirements for people who are operating legally. The question is, what about people who may not be?

So with regards to making policy, these are the big questions: if you're selling something that's hurting people, do you have the right to do that? If so, who has the right to do that, and who decides who gets that right? And according to NSO, they changed their policies, but they're still selling. The question is who's deciding what and where, and ensuring transparency of the actual tools that are being used. Well, we all have the internet; we probably all use the internet to research most of what we do in terms of finding out what was out there, but how transparent is what's really there, and how transparent should it be? And then of course, with a particular WhatsApp application breach, what happens to people's human rights, and what happens going forward?

So my takeaway for this was basically, as when I started: we're all fishing in the same sea, we're all using the same data; the question is what are we using it for, and how do we make use of it. And the Diamond Model is one particular very useful tool for showing us what we have, what we don't have, and then being able to build on that, to build into the Lockheed model and the kill chain, and be able to create software and policy that helps us deal with the problems that we have today with the internet and other malware issues. So thank you. [Applause]

Any questions? Okay, thank you very much. Questions, anyone?

You mentioned who is the authority to allow those companies like NSO to sell. I'm not from NSO, but I know that they had to get a permit from the government to sell to government agencies of certain countries who are on the white list, not to those... the end... And the question is actually who gives the authority to sell weapons, not cyber weapons, to all the countries, and the US is the largest exporter, and us as well, and we sell to whoever pays, right?

So, an excellent question. The question is who actually makes this decision, and it's not always clear, and that was on one of the slides that didn't really show up well, and that's exactly why I was interested in the cyber policy issue of the breach, because the breach is pretty cut and dry: what happened. The question is now what do we do, now that we've seen this happen, and that is the giant question: who decides whether NSO can sell it or export it in the first place, and who decides to whom they can sell it. And that is an office in the Israeli government which I'm not necessarily in a position to state; I don't know, I can find out. That's one of the things I'm actually researching, to find out who it's part of. That's part of the whole social-political issue, and that's one of the things that makes this whole analysis very interesting, because it's not cut and dry. Yeah, the technical part's cut and dry: what happened, and maybe who got hurt. But the implications are far from cut and dry, and that's what made this analysis project very interesting to research, and I'm still working on it. And yes, if you'll give me your information afterwards, if I find out who in the Israeli government, if it's public information, I'm sure it is, I just have to look it up.

And also the same thing with the US. The question is, okay, let's say NSO got approval to sell it and they sold it to Saudi Arabia. Well, back in 2019, 2000 maybe, Saudi Arabia was not such a friend of the US, so can or should the US be able to say, no, you can't sell it, even though the Israeli government says yes, you can? And that's where the transnational issues come in, and that's what makes this whole thing very, you could say, knotty, not "naughty": k-n-o-t-t-y, meaning thorny, meaning complicated. Or you want to just take what we call here the rosh katan, which is the small mind, meaning just do the simple thing, and that never works. It's far beyond it, and it's very complicated, and that's what makes this kind of analysis very interesting, because the answer you come up with and the answer I come up with may not be the same thing, and the answer NSO came up with was obviously not the same thing. Okay, next question? Anyone else, any more questions? Okay, Shira, thank you very much. [Applause]
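Added example, not part of the talk: a small Python sketch of the bookkeeping the speaker describes, one diamond per kill-chain event carrying the four corners and the two axes, a gap report for what is still missing, a list of kill-chain phases with no diamond yet, and a pivot from one known corner to the others. The event values are a constructed sample assembled from the WhatsApp/Pegasus facts given in the talk, and the phase names follow the Lockheed kill chain.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

CORNERS = ("adversary", "victim", "capability", "infrastructure")
KILL_CHAIN = ("reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives")

@dataclass
class DiamondEvent:
    phase: str                              # Lockheed kill-chain phase this diamond sits in
    adversary: Optional[str] = None         # who did the hurting
    victim: Optional[str] = None            # who got hit
    capability: Optional[str] = None        # how they did it (e.g. the malware)
    infrastructure: Optional[str] = None    # by what means
    social_political: Optional[str] = None  # adversary-victim axis: targeted or random?
    technology: Optional[str] = None        # capability-infrastructure axis

    def missing_corners(self) -> List[str]:
        return [c for c in CORNERS if getattr(self, c) is None]

def gap_report(events: List[DiamondEvent]) -> Dict[str, List[str]]:
    """Per phase, the corners still unknown: what to go looking for next."""
    return {e.phase: e.missing_corners() for e in events}

def uncovered_phases(events: List[DiamondEvent]) -> List[str]:
    """Kill-chain phases with no diamond at all, i.e. no visibility there yet."""
    seen = {e.phase for e in events}
    return [p for p in KILL_CHAIN if p not in seen]

def pivot(events: List[DiamondEvent], corner: str, value: str) -> Dict[str, Set[str]]:
    """From one known corner value, gather what the other corners show alongside it."""
    related: Dict[str, Set[str]] = {c: set() for c in CORNERS if c != corner}
    for e in events:
        if getattr(e, corner) == value:
            for c in related:
                if getattr(e, c) is not None:
                    related[c].add(getattr(e, c))
    return related

# Constructed sample from the talk's account of the 2019 WhatsApp/Pegasus case; corners it leaves open stay None.
VICTIM = "WhatsApp users targeted by NSO client governments"
SAMPLE_EVENTS = [
    DiamondEvent("delivery", adversary="NSO client (Saudi Arabia, first identified)",
                 victim=VICTIM, capability="Pegasus", social_political="targeted",
                 infrastructure="WhatsApp call over the mobile network"),
    DiamondEvent("installation", victim=VICTIM, capability="Pegasus",
                 infrastructure="Android, iPhone and BlackBerry handsets"),
    DiamondEvent("actions_on_objectives", victim=VICTIM, capability="Pegasus"),
]
```

Running `gap_report(SAMPLE_EVENTS)` shows the adversary corner is only filled in at delivery, and `uncovered_phases` lists the kill-chain phases the talk gives no event for, which is the "what are you still missing" view the speaker describes.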