
BSides DC would like to thank all of our sponsors, and a special thank you to all of our speakers, volunteers and organizers for making 2018 a success.

Hello everybody, I'm Wally Prather. My talk today is "The Unforeseen Consequences of Data Hacking and Breaching." I am the senior intelligence analyst for McAfee's Advanced Programs Group. We're a cell that's dedicated to providing intelligence products: instead of reversing malware, the same old same old, we actually have intelligence professionals on the entire team, and we take data and we turn it into something that you're probably not used to.

What we're going to talk about today, we're going to break this down into three different sections. First, a methodology: how we do things, how we look at intelligence, our cycles of intelligence. We're also going to show you our case study, which is a look that people don't usually take when you get hacked: what actually happens, particularly with foreign intelligence services. And then the final part of this talk is basically how we take all these intelligence methodologies from Special Forces, from the Marine Corps, from clandestine services, and how we apply that to cyber security.

So as a disclaimer, with especially the DNC hack and the Clinton emails and the Podesta emails, there's a lot of personnel information. We've redacted everything in here, so all the phone numbers are actually 867-5309 and all the way down. We took out actual individuals' personal data, because that wouldn't be proper, to throw people under the bus. That being said, the second point is none of the data in here is meant to be political at all. Think of it this way: political hacking is nothing new, but the largest hack that ever happened was the DNC hack. During the '60s the Russians had multiple campaigns against the Kennedy administration when Kennedy was running for office. They set up NGOs, they had propaganda; nowadays the propaganda is digital instead of physical.

So we're going to talk about data, some of the doctrine: what do foreign intelligence analysts look for, what makes you a target and a good target for
them; some network analysis; we're going to talk about vulnerabilities, and specifically, if they can't find a vulnerability on you, how do they create a vulnerability; and then also the human toll and some other applications for the methodology.

So what do foreign governments look for? It's called human intelligence. It's one of the oldest professions in the world. If you have ever read about American history you'll know that George Washington spoke very highly of his spies; most of the intelligence back then, obviously, was human intelligence. So what do foreign intelligence services look for? They look for adversary intelligence people. They look for heads of state, heads of municipalities, teachers, university professors. They look for tribal leaders. They don't just look for everybody on the top; they also look for the middlemen, and also people at the bottom of the food chain, per se. They need people who can plug thumb drives into servers nowadays. They need people who can pick up trash from companies and organizations.

Once they find people who they think could be a plausible target, or somebody who might commit espionage against their country, they look into three key factors, PAA: placement, access and accessibility. That's that individual's placement, access and accessibility to that data set, or to that issue, or to that human. So with that being said, what I usually ask the crowd is: if you were looking into the Iranian nuclear program, who do you think would have the best placement, access and accessibility to that information? Any guesses? Throw out a name, anybody. How about Mahmoud Ahmadinejad? So obviously Mahmoud Ahmadinejad would have placement, access and accessibility to literally anything you wanted to know about that program; he helped modernize it and start it up. But there's other factors involved. So what's his level of cooperation going to be? Do you think that he's going to cooperate with the Americans? Probably not. Does he have a vulnerability that we can exploit? Not likely. And even if he did give us information, would it be reliable? No. If the information you want is already at the top, probably the place to start to
go get it is not the top.

So what we did: every intelligence agency in the world has an intelligence cycle. When I came on board with McAfee, what we knew we had to do immediately was start a cycle and a methodology, taking our many, many combined years of deployments and intelligence community experience and putting that on paper. Every agency shines in different places; for us it's collection and utilization. Utilization we'll talk about in a little bit, but collection: we have an incredible ability to do what we call persistent stare. Once we start looking at something at my section, we never stop looking at it. We know that sometimes the threats wait 18 months and they reuse information later, and they will use a domain for one attack, then they let it sit on the shelf for two years, then they'll pick that back up and use it again. So when that happens, if you're always looking and you're always able to collect, you're able to capitalize on mistakes. In addition to that, it's important from an intelligence perspective to have a covert communications network. We have a very advanced one, where we're across the dark web or across the normal web, and we have personas to boot for every operation that we do. With utilization, that'll become apparent here in the next couple of slides, but every time we build a network for anything, we keep that network, and then we're able to see the evolution of malware, the viruses, ransomware, any type of remote access toolkit, and we're able to compare that to other samples worldwide.

So with our methodology: on the left is the special operations methodology in Vietnam. When you see things in the news, especially during the Vietnam era, as large-scale raids, it was bringing people to the table to have discussions. The Green Berets knew that that's not where you attack; everything that is allowing that to happen is under the surface of the iceberg. So for us it's the same. We know that there's a shared common infrastructure. When you see the news you see the large-scale ransomware attacks, you see the hospitals getting shut down, you see people hacking children's oncology departments in Ohio, you see the Netflix hack. But what we understand is that that is the endpoint; that is what everybody looks at, the bright shiny object. Under the surface there are a lot of things that allow those attacks to take place, specifically things like shared common infrastructure: VPS networks, bulletproof servers. That's where we intend to exploit fully.

So throughout this talk you're going to hear the term "merging" quite a bit, and I wanted to explain to you what that actually looks like. This is the Adwind remote access toolkit: on the top left is the IP addresses, on the top right is the domains. So when I say merging, it's taking two or multiple pieces of data, putting them together, and then at the bottom, that's what that network looks like.

So we're going to get into the DNC hack and the data that was pulled from there, also the Clinton emails and the Podesta emails. Like any organization, they had personnel data, and it looks like a lot of different forms. They also obviously had financial data. This is Hillary Clinton's travel: travel by plane, and the dollar amounts and the time when she traveled. And this data, I mean, I have tons of slides on this; it's everything that you
would have at your corporation or your place of work: who works there, first of all. Obviously as a corporation, if you have a financial department, HR, all that data is kept and stored. If you know what you're doing it's a goldmine, especially for a foreign intelligence service.

So where would a foreign intelligence service start? I started where I used to start when I did that for a living: I look at the personnel within the organization. So let's say I'm Russia and my goal is to infiltrate the DNC. Where would you start? You have to know who works for it. So this is a simple macro-to-micro of what that looks like. For this slide it's constituent services: who's in constituent services, what's their phone numbers, what's their emails. Real simple. Here's another example: party affairs. What is the DNC going to do next, what is their future planning? The Democratic Policy Committee, if you wanted to know what their policies are going to be in the future. And this is just phase one. This is just taking the data they have and not enriching it at this point, just taking a look, to maybe start planning a targeted effort, or elsewhere.

With our methodology, once you have data you're able to look at things by location. So for this example of New York, let's say the example from an intelligence perspective would be: you're a Russian case officer and you're talking to your assets, and you would say, "Hey, listen, what's it like working in DC?" And the agents come back to you and they say, "Well, it's not a good place to work. The second we leave the embassy or our safe house, we're followed 100 percent of the time, real-time, and we can't get anything done." "Well, how's New York?" "Well, New York, we can work there." So with the methodology you take all this location data, like all your donor data, and what we see as analysts is, like, in New York we'll see a skyscraper of a residential apartment complex and we see, hey, okay, well, on the 32nd floor 60% of the people donated to the DNC, or at least submitted on some level for more information, or a flyer or a sticker. What you can do then is you can start changing ideology through propaganda. So you know that that floor, 60%, 80% of the people on that floor in that building, per se, subscribe to this ideology; you can start swinging that ideology if you already know where the base is.

Credit cards. So, financially, when I got ahold of this data I was shocked. If you have your company and you have company credit cards, please don't put all the cards on one Excel spreadsheet, and then the people who own them, and then a picture of the front and the back and all the information, and then the card owner's personal identification number, all the pedigree information including mother's maiden name. Don't put that all in the same Excel, and please password-protect it if you do. So when I got that I was like, oh my goodness, now I've got Huma Abedin's credit card and her personal cellphone. So with just that amount of data, even if you're a foreign intelligence service and you don't care about the credit cards, what you can do with that is you can start a harassment campaign. You can keep that ongoing and ongoing and ongoing; once you raise the stress, people start making mistakes.

If you have an organization, it's probably not a good idea to make a list of your friends and a list of your enemies, because that can be used against you; phishing campaigns, per se, we'll cover that more in just a little bit. Amongst the emails and amongst the DNC data we found basically a huge thousand-person list of friends and a thousand-person list of enemies, or "do not contact this person under any circumstances," preferred press lists, etc. Also included with this list, and we'll cover that a little bit in just another slide, is "this person donated a lot, so they have preferential treatment
at this dinner or this meeting or this event."

So donor-specific money works the same way as personnel networks. What we did was we took all the DNC donor information, basically the individual Excel spreadsheets or the text documents, and we took all that data and we merged it together, and you see here quite a large volume of data. So what do you do with that? Why is that important? I mentioned phishing campaigns. So let's say you want to start targeting people; why not go after the five-to-ten-million-dollar donors? That would be great. They obviously have money to donate five to ten million, so there's a good chance that in some way you can start rolling. What I would do, but my legal department shut me down, was I was planning on going in and emailing all these people, about 1.25 million, and I was going to offer them 18 months of free credit monitoring because of the hack, going to spoof the email, and then once they click on the button it just goes to a website that shows us a click. But our legal department said absolutely not, no way.

So here's another example: this is the 10 to 25 million, and you can segregate this type of data any way you want and then you can focus targeting on that. This has been dumbed down; there's more information behind all this data: the addresses, the account numbers, in a lot of cases the credit card information or the checking information. The banking information is already there, also all their personal information. And so what we did was we had names to money, and we had people to places, and then we merged those together, and right now you're already looking at about a million individual entities on the screen. And this is a micro view; you can take the micro into macro.

So the Clinton emails. I have a security clearance, so I couldn't go into the emails, but what I did was we had them all in a zip file and we gave each email an individual unique identifier, and then we had sender and receiver. The program we're using, by the way, to do all this is called Analyst's Notebook; it's owned by IBM i2. And so we have a color coding; okay, I forgot to mention it: green is money, blue is communications. So this is when we enriched it and took a look at it. So what does this tell us, what is this? It's the communication network. This is actually a better representation: you see how there's clusters of people, and those are people and the communications going out. What we do is we do social network analysis and the Pareto distribution, which we'll talk about in just a little bit, but once you take out the clutter, what's left in the middle is the people who talk the most. Now, sometimes there's false positives here; those false positives can be people like an executive assistant who sends out email, HR who sends out group and mass emails. Those are pretty easy to identify. Outside of that, once you're looking at communications, once you identify the people who talk, you have a target: this guy talks a lot, he has a lot of influence within the network, he's easy to spot, he might be easy to turn. And so here's what a cross-section looks like, taking it from macro to micro. So this is just in the middle cluster; that's just one gentleman, how he talks and how that information spreads elsewhere,
and once combined with the previous merge you see it's a rather large network. And this is just what we call the cluster; this is the large cluster, because everything else is too big to put on the screen, essentially.

Okay, so here's something that people don't think about quite a bit: if you're with a political organization like the DNC and you get hacked, they had quite a bit of information on the LGBT community. So if you were on the extreme end of ideological difference with the DNC, you could take all this information and you could start a campaign against the LGBT community. I was really surprised; the LGBT stuff within the DNC was very detailed, and it wasn't password-protected, it wasn't encrypted. They had everything in there, like male-LGBT-focused parties, and who were the attendees, who were the people's dates, what was on the menu. I mean, all these little details that there's no reason to keep, but they did keep them, and then we merged them together.

So I want you to focus on the red star, because if you're an intelligence agency you have to pick targets. What we did was we found somebody in the DC area, who is unnamed, and we took a phase one look, a phase one exploitation of a human. So what does that look like in reality? If we get our hands on you, you're already screwed; there's nothing you can do. But for this you see two huge networks, top and bottom, and then you see the star in the middle. That's social network analysis, that's connectivity, that's eigenvector centrality, and there's a lot of other factors involved with choosing targets.

So meet Steve. I chose Steve. He was in the middle of centrality, but I saw the name of his company and I was like, oh, that's a pretty cool name for your company, I'll see what this guy is doing. You probably remember about two years ago the DNC had some issues about emails coming out talking about wet works after the lawyer was killed in DC; he was one of the people emailing Podesta about it. I didn't know the DNC still did wet works. So everything you see here on the bottom is from one of his websites, and we'll move on to the next. This is what the first phase of exploitation of a human looks like from a network analysis perspective.

So where can you find data? Obviously social networks. You see that little blip in the middle between the two large clusters: that's what it looks like when you protect yourself on Twitter. On the left and the right, that's Facebook and another Twitter; that's what it looks like when you don't. That's why privacy settings are so good: without breaking the box you can get very little information. Outside of that, he's a lobbyist; he gets paid by a political organization. All that is on file with the Library of Congress, so every financial transaction that's ever been made to him or his companies is publicly available. That tells you a lot. We also looked at his employment data, everywhere he worked from start to finish. He's been on TV quite a bit, so we got copies of everything that he ever did pertaining to media and press. We also looked at his education, and then we had emails, so we knew who he was talking to on a regular basis and we know who he wasn't talking to.

So when you look at his companies, you wouldn't go straight to Steve. What you would do is you would find people who know Steve and you would start there. So if you were going to look at his companies: he owns two companies, he's a co-founder of one, the founder of the other. So you see right here in the middle, they put all the pictures of all their employees online. So with those employees you would obviously go to the people who are involved with both companies; they would have information. You would have to double up your resources to try to exploit two people to get into both companies, with clients.

So this comes into the vulnerabilities. Let's think about it realistically: if you're a politician, if you're a sports figure, or you're an actor, and you simply get accused of something like sexual harassment, whether it's founded or not, what happens to your sponsorship? It goes away immediately, every time. So the same thing applies when you're trying to create a vulnerability for an intelligence target, somebody who can answer questions for you. You have all his clients. What happens if you pick one client and you start spreading falsehoods about the person and start creating stress, and you start messing with their wallet? Once you start messing with people's money, the chances of them flipping to tell you what you want to know increase drastically.

Okay, so what we're going to do
now is we're going to show you how we took basically the human factors and the human intelligence, something you would do if you were developing sources and looking at human networks; now we're going to take a look at how that applies to malware, ransomware, viruses, anything that affects you guys as an industry. What we try to do is we try to do both: we look at the cyber infrastructure and we know that there's humans behind that, so once they make a mistake we're able to capitalize on them. We build what you just saw in the first section, so this is just like a human network. This is APT10; this is APT10 from 2016. You see big clusters and little clusters. What that probably is, is you have the main C2 infrastructure, and then after that you have likely the toolkits involved, things like credential harvesting, brute force tools. Typically the Chinese make their own tools; they do use some off-the-shelf, and they also share some infrastructure wherever they're attacking. This is what APT10 looks like as of four months ago, so you see quite a big difference between the two. Any state actor, and many of the very squared-away groups, A-team, B-team, you can watch the evolution as they start hacking places and then they get busted; they change up the toolkits, they change up their infrastructure.

And so when I started this job I thought it was really curious that Chinese and Russian and Iranian and activist groups out of North America, Canadian groups, all had infrastructure that touches in the middle. And I was like, why would they do that? Is that an agreement between countries? Probably not. But they need the same services, like VPS servers, and they need bulletproof servers, and just things that people aren't going to touch. And so this is what we call a master merge. We take each one of these, color-coded, as an individual family of malware, and we put them onto the same chart, and if the IP address is the same they automatically merge together. This is kind of the result of what you get. As I've been doing this now for three years, I can see some really interesting things. So the top two clusters there, those are Chinese-related IOC infrastructures, and you can see that it's allowed to touch this but not touch that, essentially. So what does that tell me? Lawyers. Lawyers are involved; just like many attacks, when we attack people, you know, you can do this but you can't do that. They have the same type of thing going on. And you see that there's a big difference between the red and the blue on the top right compared to some of the yellow, where it's all over the place; it's connected to things that spread.

So taking a closer view of this, we'll do APT28 first. So APT28, Russian GRU, really super advanced network; it evolves daily, essentially, but this is the most recent view of that. It also shares infrastructure with the rest of the world. So as of 2016, six of the top ten ransomwares touched it. Now, this is not false positives; obviously, by geolocation, Russia is a big place, China is a big place; we took out all those. And this is unenriched. One thing we do is, once we get IOCs we enrich them with McAfee data and community data; it gives us a better picture of what's on that hash, the domain, what is it, what's on the IP, what does it resolve to, etc. But this is without false positives, the first step, and so this is very important, because that's really odd. Like, I don't know, maybe I'm just the only one who didn't know, but yeah, six of the top ten touch it. Now this is what it looks like when you enrich it and close in a little bit. So we know there's common infrastructure, but we never knew that it would share with other people. Now, does that indicate that it's the same group, with three or four different types of attack? Possibly; more than likely those groups just have the same insight into protecting themselves and they work together. And this is what a micro view of those connections looks like between type A and type B: for this, TeslaCrypt, CryptoWall, PHP, database links to get data to the database.

The same shared common infrastructure also applies to cryptocurrency. A lot of people think cryptology and privacy, privacy is secured with cryptology, which isn't the case. So one of my first jobs, I was looking at DD4BC; they were attacking a bank in the UK and we were able to get the PNGs and the emails, and we were able to look at the Bitcoin, and then we exploited that from start to finish, and at the finish they made a mistake and then we were able to alert law enforcement. But
then we keep that data as part of the utilization. We never get rid of anything; we always keep it and we always watch it in case it pops back up again. So about a year later the Ashley Madison hack happened and we grabbed all those bitcoins, and sure enough the Bitcoin wallets from the Ashley Madison exploitation hit the DD4BC ones. So you have a Malaysian-centric DDoS-for-Bitcoin group and a North American hacktivist organization sharing Bitcoin wallets. That's not intentional; the one group probably doesn't even know the other, not likely. What it is, is they both have a common goal. It's what you would consider the mob's new coin laundry service, but it's cryptological. And so with always taking a look at something, whenever they make a mistake we're able to capitalize on it.

So this has to do with WannaCry. So with WannaCry, the whole purpose of committing some of these crimes and these cyber threats is to get paid. So if you're always watching the Bitcoin, the blockchain, once they make a mistake, they made it, and then you can take that and you can enrich it, and then you can watch it, and then something's on your list. So this is an example of what that looks like: basically, what we think was one of the attackers made a transaction from their Bitcoin wallet on their computer and they probably forgot to turn on their security settings, maybe they forgot their VPN or something, and they got an IP address, and then what's housed off that IP address, and what files, what hashes.

Okay, so this is really cool if you're a total nerd like me: the Pareto distribution. It's an 80/20 factor. It's typically used to explain differences in society, sociology, but it also applies to basically everything in the universe: 20% of the stars have 80% of the mass; same with trees that break the canopy; same with heights of mountains that go over a mile or two or something like that. But it also applies to cybersecurity. So what does that actually look like? So this is Adwind, another Adwind, when the Pareto distribution is applied. So we apply social network analysis and we look at the clusters. The center of the cluster is what essentially allows the cluster and everything to work, so it's kind of like cutting the head off the snake: the body fails. So what you are identifying is basically the multi-headed hydra that's in here, and then once you get this you simplify basically a huge giant network into a really simple infrastructure, and this is where you want to spend most of your time and most of your dedication. If this is part of a threat, this is what you blacklist first, or, any way you can exploit it, this is where you start.

Okay, so in closing, I hope you got something out of this talk. I've been wanting to talk at BSides DC for quite some time. But as you're doing things, the artifacts of your life, they're all over the internet. Those will be used against you if you're up against a government, absolutely; they know how to collect it, they know how to control it, they know how to maintain it and they know how to find it. The DNC hack tells us one thing: that you need to adequately protect yourself. You need to password-protect your personal and private PII information; you need to encrypt files that you don't want anybody to have. And one thing that, if anybody has insight, I'd love to talk to you about is the shared common infrastructure shared with hacker groups. In reality there's probably 12 organizations that are controlling 90% of the threat traffic, and so if you take those out you significantly reduce the threat to America and the world. And go vote. So, are there any questions?
not at all yeah there we go
So I did this; let me give you a little example. I did this, I spent three weeks on it, and then I updated it as I went and had some different ideas for it. With that data set that I did this with, if you were a government and you had a team like a fusion cell, where you had a collection manager, probably SIGINT and imagery, HUMINT, this whole project would have been done times ten in a week, tops. It wouldn't take them long. But yeah, if you're a civilian and you're in this situation against a government, it's time to move back to your parents' and live a simple life, you know.

Well, yes, so that's the one thing: are you a target or not? That's where placement, access and accessibility comes in. So if you're at a senior level of something, or you're, like, a systems... they go for systems administrators quite a bit, and IT staff. You may not think you're important, but you have the keys to the door, right? But the way to think is: don't think that you're not a target because of who you are, because you don't know your adversary's goals, essentially. You might be a target because you're a millennial, and they may think that you're lazy, so they may think that you didn't do what you needed to do to protect yourself. So they may target you to get what you know, to get to something else; you may just be a stepping stone. Super non-board, yeah.

Nobody? That's right. That's a tough question. If I was them, I mean, I would just rework the entire organization. I would move people from one division to the other, so everything that they did know that could be exploited is then no longer valid. I would definitely change the departments around, I would change the whole communication infrastructure around, and I would also, obviously, the financial stuff: I would set basically a standard operating procedure that everything will not be stored in the same place; everything will be protected via these methods. Here's an eye-opener for you, too; I didn't cover this before. With all the financial information we also got their budget for everything, and they spent something like thirty-six thousand dollars on antivirus, and no hacking protections, no DLP. Thirty-six thousand dollars is nothing; that's something that a high schooler can break. And now obviously they've taken steps to mitigate any further issues, because this one was a doozy. That's what I would do. Sir, in the back.
very
Well, you could start with Google Alerts for your social and your personal information; that would be a simple, simple way, and if somebody starts looking for you on X, Y and Z you'll get a notification. I would get rid of unnecessary social networks. If you just have them to have them, because you think they're cool and you don't really do anything with them, delete them. Something else, obviously: if you start getting contacted by people with accents, you start getting emails that are stuff that's outside your normal pattern of life, stuff starts happening to you, you start seeing the same cars, the same people. Sometimes that's okay, because you live in a place, you have neighbors, you have people living down the street. But basically think of your life and your patterns as different islands. So you live in DC, but you work in Alexandria, but you like to go down to Reston for dinner every two weeks. So if you start seeing somebody in DC a lot, or a car, and then you see that same thing in Alexandria, and then you go to a gas station here and they happen to pull up next to you, those should be serious red flags. So if you see one person on one island all the time, that's fine; if you start seeing that same person, place or thing in your other islands that you travel to, then that's bad, and then you need to change up your patterns of life and let somebody know. That's one of the first things: if you have a clearance or a security officer and you think something's wrong, it most certainly is, and you need to let somebody know, and they can help mitigate that.

Yes, sir. Nope, nope, it wasn't McAfee. I've been asked that almost every time; I was waiting for it. But knowing it wasn't McAfee, judging by the indicators of compromise, if they would have had McAfee and it would have been updated, it would have caught everything that needed to be caught to not have the DLP kick. So anybody else, any crazy questions, anything? Well, I'm going to be here for the remainder of the day if anybody doesn't want to speak up now; I'm more than happy to answer your questions. I have cards if you'd ever like to come and visit us in Columbia, Maryland; we're more than happy to have you. This is the one thing that I like to tell people: this is really about 5% of what we've had the pleasure of exploiting since my time at McAfee. But thanks everybody for your time, really appreciate you coming, and thanks for coming to BSides DC.
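The "master merge" and the centrality/Pareto step the speaker describes (put every malware family's IP and domain indicators on one chart, let identical IPs merge the families, find the centre of each cluster with eigenvector centrality, and blacklist the small "head" that carries most of the edges first) can be reproduced with nothing but the Python standard library. The block below is an added example written for this page; it is not code from the talk, from McAfee, or from IBM i2 Analyst's Notebook, which does the same thing interactively. The family names, IP addresses and domains are constructed placeholders (RFC 5737 documentation ranges and example.* names), not real indicators of compromise.

```python
"""Master merge + social network analysis over indicator sets (stdlib only).

Added example, not code from the talk or from McAfee. Every family name, IP
and domain below is a constructed placeholder (RFC 5737 documentation
addresses, example.* domains), not a real indicator of compromise.
"""
from collections import defaultdict

# Constructed sample: per-family (ip, domain) observations, the same two-column
# shape as the IP/domain lists the talk merges. 192.0.2.10 appears in all three
# families; that is the "touches in the middle" shared infrastructure.
FAMILIES = {
    "family_a": [("192.0.2.10", "a1.example"), ("192.0.2.10", "a2.example"),
                 ("198.51.100.5", "a3.example")],
    "family_b": [("192.0.2.10", "b1.example"), ("203.0.113.7", "b2.example")],
    "family_c": [("198.51.100.5", "c1.example"), ("192.0.2.10", "c2.example"),
                 ("203.0.113.9", "c3.example")],
}


def master_merge(families):
    """Put every family on one chart. Nodes are keyed by value, so an IP or
    domain seen in two families is a single node and the families merge
    automatically. Returns (adjacency, node -> set of families)."""
    adj = defaultdict(set)
    seen_in = defaultdict(set)
    for fam, pairs in families.items():
        for ip, dom in pairs:
            adj[ip].add(dom)
            adj[dom].add(ip)
            seen_in[ip].add(fam)
            seen_in[dom].add(fam)
    return adj, seen_in


def shared_nodes(seen_in, min_families=2):
    """Indicators observed in at least `min_families` families."""
    return sorted(n for n, fams in seen_in.items() if len(fams) >= min_families)


def eigenvector_centrality(adj, iters=500, tol=1e-12):
    """Power iteration on (A + I). The +I term stops the iteration from
    oscillating on bipartite IP<->domain graphs; scores are scaled so the
    most central node is 1.0."""
    nodes = sorted(adj)
    score = {n: 1.0 for n in nodes}
    for _ in range(iters):
        new = {n: score[n] + sum(score[m] for m in adj[n]) for n in nodes}
        top = max(new.values())
        new = {n: v / top for n, v in new.items()}
        done = max(abs(new[n] - score[n]) for n in nodes) < tol
        score = new
        if done:
            break
    return score


def pareto_head(adj, share=0.8):
    """Greedy 'cut the head off the snake': repeatedly pick the node touching
    the most still-uncovered edges until `share` of all edges are covered.
    The result is the short blacklist to apply first."""
    edges = {frozenset((a, b)) for a, nbrs in adj.items() for b in nbrs}
    uncovered = set(edges)
    head = []
    while len(uncovered) > (1.0 - share) * len(edges):
        deg = defaultdict(int)
        for e in uncovered:
            for n in e:
                deg[n] += 1
        best = min(deg, key=lambda n: (-deg[n], n))  # ties broken by name
        head.append(best)
        uncovered = {e for e in uncovered if best not in e}
    return head


if __name__ == "__main__":
    adj, seen_in = master_merge(FAMILIES)
    print("shared across families:", shared_nodes(seen_in))
    cent = eigenvector_centrality(adj)
    print("most central node:", max(cent, key=cent.get))
    print("block first:", pareto_head(adj))
```

On the constructed sample, 3 of the 12 nodes cover 7 of the 8 edges, which is the 80/20 shape the talk describes; on real indicator sets the same greedy pass is what turns a chart of thousands of nodes into the handful worth blocking or watching first. Enrichment (passive DNS, hashes hosted on an IP) would be a separate step run on the nodes this returns.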