
...without them this would not be possible. Feedback: you've heard me say it a bazillion times, but bid.com feedback for the site, feedback for the conference, and then if you have specific session feedback, go in the schedule, click on the session feedback, oh sorry, the feedback survey link on the particular session. Again, we have one more raffle coming up for a $150 Amazon gift card courtesy of Jamalo, so make sure to put in for that. And then there are also some T-shirts, I think there are some T-shirts left, so feel free to go grab one if you can find one in your size. Otherwise, this is Gadi Evron, going to speak on APT reports and OPSEC evolution.

Hi everybody, how are you doing today? So originally... be quiet, these are the droids... okay. So originally this talk was supposed to be an hour, we gave it at CCC, and then it was pushed down to 30 minutes at Kaspersky SAS, and now I'm supposed to give it in 25 minutes, so I'm going to skip the introductions. I'm Gadi, I'm usually doing this talk with Inbar Raz, who gets a lot of credit for me, and with that let's just get started. So the name of the talk is obviously "APT Reports and OPSEC Evolution", or as we like to call it, "These are not the APT reports you're looking for", and the reason for that is we think that most, if not very many, of the APT reports today simply suck. I can use this language, I'm not in a Black Hat-type environment right now. Many of them are good, many of them are not. We would like to essentially simplify the attack process, we'd like to show the evolution of different threat actors, how they learn, what they do with that, and suggest ways to close that evolutionary gap, specifically by APT reports and how they can help us as opposed to just the attackers. So I'm going to run through this as quickly as I can while still making sense. I do want to say I did this lecture a couple of months ago and people didn't know what APT is. I'm not going to explain; it's a threat actor, or whatever definition you choose to use.

So let's start with a story, just to get an idea of what I want to do. Once upon a time we had malware. We've had malware forever, it's not a new story, we've been there, we've done that, that is fine. But then an APT report came out, the very first one I'm really aware of. There have been incidents before, naturally, but this is the one that really hit the news, and as a security practitioner, to be honest, I didn't really care. I said, yeah, we know. I mean, they did take a picture of the building in China where they work, which was pretty cool, but why should this particular report matter to me in any way whatsoever? But it did. Putting that report on the table when you go talk to the board trying to get funding or anything else, this report made a whole lot of difference, for me personally and for many others: the Mandiant APT1 report. And more importantly, the operations of APT1, the infrastructure, were significantly disrupted. But they were not alone. We have seen many, many other campaigns, for example Stuxnet and Flame. Stuxnet was very tight, it was a 500K malware, very target-specific, very specific in what it wanted to do. On the other end we had Flame. Flame was a monster, it was 20 megabytes big. I'm imagining that every single module they could have, every vulnerability... naturally I'm probably wrong, but that's what I imagine they put in there. When Stuxnet was lost it was a big hit, probably, for whatever intelligence organization was behind it; the press says United States and Israel, either or, whatever. When Flame got out, I'm trying to imagine the impact of an APT1 report at that scale, and it boggles the mind, operationally, to have been there and trying to think: did they have an OPSEC talk, did they try to figure out what to do when 20 megabytes of all their tools get lost?

So actors started adapting. This is not chronological, so let's look at just a couple. Gauss: they were a scaled operation, over 2K as far as we know, but Gauss also had been used on very, very specific targets, in a way encrypted so it only opens on a specific machine. How do you scale that? Do you scale that? How much effort do you need to put into it to create such a specific attack? Rocket Kitten: it was my research along with some others, such as Skycure; Trend Micro worked on this a little bit, and we did this talk a year ago at CCC. They just used an off-the-shelf tool, Core Impact. If they lose that, do they care, do they not care? It was very easy for them to get this capability, supposedly run by Iran. We would like to think they had these OPSEC meetings.

So let's talk a little bit about OPSEC as we see it, relevant here, in 60 seconds. Why do you need OPSEC? First of all, you want to assure the success of your operation, very simple. You want to prevent the detection of the operation, that's great; what does success mean? And you want to prevent attribution. Personally, I understand why attribution is important, I understand why people concentrate on attribution; I see it as a waste of a lot of effort. A lot of colleagues will disagree with me, but that's fine. And there are analogous processes, whether it's regular software development or risk management: we want to figure out how much do we need to invest, how much do we need to stop ourselves, what capabilities can we actually reach. More than that, when is OPSEC compromised? So first of all, time to market: rushing it is never good. Scalability: you try to scale the operation, you're taking risks. And ease of deployment: how easy is it going to be for you? Do you need to flip an IT guy, teach them how to do security, sneak them in and then stick in a USB key? I don't know, could be a pain. So generally, every, and I don't use that word lightly, every report out there, every 80-page APT report out there, is based somehow on an OPSEC failure. So for me it comes down to: what can we do to learn from this and use it against them, to better ourselves in a way?

So with Hacking Team we actually had a really good example. According to Citizen Lab, we could actually read in their emails how they reacted to being exposed by Citizen Lab, and the only thing they cared about, and I'm going to quote, "their primary concern seems to have been not getting caught again." Really. But we don't usually have this sort of visibility, so we need to guess. Now, looking at APT reports, many of them are good, but with many of them I feel like it's mainly made for PR purposes, and they're really huge, 80, 60 pages long. So essentially, what do we get from them? We often feel as if we're commentators, just working on other people's work trying to figure it out. So as a result there is an asymmetry, and asymmetry in cyber, right, we like to call it cyber nowadays, is really a problem we're facing every day; we're not going to go into that. And for me it's not just that these APT reports are good for the attackers, essentially being their QA, but rather everybody is learning: every actor out there is looking at these reports and how the other actors got compromised, and the free QA just helps them.

So let's look at a couple of lessons learned, just to get started. APT1: very basic command and control servers, IP addresses, compromised infrastructure is done. We have Turla, which was released by Kaspersky, and they were hijacking satellite traffic, which is pretty cool as far as evolution goes, although we're skipping several years in between; there is learning in progress. So Stuxnet, Duqu and Flame: Flame, Duqu 2 actually still had similar code in it that helped in attribution. And then you never know. For example Iron Tiger, I'm sorry if you don't know all these campaigns, that's fine, was clearly Chinese; we can go into that later over beer. Careto, the Mask: everything was so perfect, you could even see the distribution of the attack. Who else would care about these dissidents in Spain except for Spain, right? Everything was so perfect I would even say, could this be a false flag? How could we really make sure? And lastly, Duqu 2: they started learning. There are multiple false flags from many, many APTs trying to throw the researchers off whatever they're trying to do.

So you read an APT report, that's pretty cool, what do you actually get? Malware analysis, a lot of it. Some IOCs, indicators of compromise. Some C2 setup, command and control servers, pretty cool. Attack vector, not really. Attacker objective, nearly never anything at all. So this feels like it's really confusing again: what do we actually do with this to move forward? So for me, we tried to reverse engineer attacks by looking at forensic data, APT reports. What if we try to use the same information? And a lot of technical investigation went into this talk, and we're not... if anybody is expecting kernel shellcode or malware analysis, please walk out, I apologize in advance. A lot of investigation went into this just to be able to do one thing: re-engineer the methodologies, their operations, based on technical information.

So let's talk about the attacker side and move through this quickly. The first thing they do, and this is simplified naturally, it changes between threat actors and countries, is intelligence requirements. It's like going shopping: what would you like to know? Examples are: does Saddam Hussein have WMDs, where are the WMDs, does he intend to use the WMDs, who is working on WMDs, how can we get Knock Damon back... whoever got the joke, thank you very much, I appreciate it; in Germany, not so much; ah, you laugh at that one, nice. Now the second part is, you know what you want, let's compile the target list. Where can I find the answers, or who holds the information I need? Examples: verticals, we get that in reports sometimes; specific targets, not so much. Again, exceptions are SAS, SEC, GR, pretty hot right now, they're just opportunistic as far as I know, they pick whatever they can; we're not talking about any exceptions here. Intelligence gathering, the third step in our simplified model: first of all is the target report, you're trying to figure out what does the target look like, what am I going to face, all that stuff, nice. Second is attack plan and execution: what is my plan of attack, and what tool or weapon would I like to use in order to execute that attack? Perfect. Next, let's think about a specific tool such as Stuxnet, Duqu, Flame and Gauss, and then using something on the ground, for example this Dell SecureWorks report showed using the Altiris system, I hope I pronounced it right, in order to use the provisioning system inside the organization to do what they wanted to do. But the thing is, it goes on: this same process can be on the outside of the network, then inside of the network when you try to pivot or do lateral movement, and it goes on and on and it feeds on itself; it's an intelligence cycle. So how many of us watched this on Facebook when it came out and watched the whole thing through, right? I'm going to save you the trouble.

So at this stage we need to take a step back and think about intelligence gathering and all that's involved, and figure out, hey, OPSEC is important. Again, how do I plan an attack? So the first thing I would do, even 10 years ago, is map the target's defenses: do they use an antivirus, do I care; do they use an IDS, do I care, can it stop me, do I take the risk? Then suddenly we start thinking about security vendors' backend capabilities: can they put in silent signatures, can they try to figure out what I do in retrospect? I'm installing right now, but they can find me later. Pretty complex stuff trying to figure that out when you're planning an attack. And next we have Regin, that came out, supposedly an NSA group, and it was an APT magnet: it was found in a machine, read the report, I don't want to quote Kaspersky wrong, but it was found in a machine with other APTs on it; that's how essentially they found it. So many APTs installed there, what's going on? So again, read the exact report for exact information. So do I need to collect intelligence now on all the APTs out there, look for their existence, try to figure out if they're going to get caught before I install my own software? That sounds like a hell of an operation for me. So you need to really try to hide your identity; now that's what we get out of it. And then of course we have this example, Hurricane Panda; again, the names change, this is the CrowdStrike name. They had an actual case, speaking of OPSEC, where they didn't care that much: they would do incident response and then the attacker would change gears, and they'd do incident response again, and they fought on the network for quite a while. Many attackers don't really care when you start doing incident response, kind of boggles the mind, but they did run away eventually, according to the report, so that's interesting to see.

Now here you have a part of the Symantec report about Stuxnet, and you can see for example the compilation time, the infection time. Things like, for example, if you see compilation times that never work on Shabbat, maybe they're Israeli, I don't know, I have no idea, but it can give you a lot of information. For example, how, when: compile time, infection time, time to infect, how long does it take them to actually create an operation? Not necessarily, but you can learn a lot. And of course Duqu 2: everything was scrambled, so they do learn.

So let's take an example. We call this cyber engagement cycle evolution. Two examples: threat group Emissary Panda, they, like many other threat actors, revert to OS tools, for example WMI, PowerShell, at, and that's pretty much what we're seeing as far as progress goes. And Duqu 2 is a rare example where you can actually see evolution at the lateral movement level; that nearly never happens. They were basically infecting only in RAM, with very few machines actually doing the work; it was pretty cool to look at.

So as they evolve, there is another part that we need to take into consideration, which I haven't seen people really talk about, and that's what we call the fold and retreat part of the operation: they have been discovered, now what? So I want to speak about three examples really quickly. Red October: they dismantled after the publication, partially, then fully, two weeks, whatever. And then the Mask, Careto, we spoke about that: there was a vendor blog, Costin wrote about it on the Kaspersky blog and just wrote the name, "The Mask", he didn't say anything else; 4 hours later the entire infrastructure for the Mask was down. And then looking at Duqu 2, this is of course my own interpretation: don't wait for the publication, break into the vendor, figure out what they're going to do and what they want to release. So there is a certain evolution here, if you want to look at it that way. There are counter-examples of, again, groups that don't care and keep operating, but that's fine.

So the defender side. This is really important to me. It's not perfect, but that's what we've got to do to start progressing in making APT reports matter to us. So we're going to talk about problem, takeaways and solution based on the simplified model we just created for all APTs, right? It's much more complex than that. So first of all, compose intelligence requirements. The problem is not enough information: what are the attacker objectives? We don't always know. About RSA and Lockheed Martin, how can we get more of that? So the takeaway is, first of all, figure out that it's like having a stalker: when they like you, they really like you, really like you, they're not going to stop. That's number one, don't fool yourself. This is an example from a Dell SecureWorks report, last RSA, from Phil Burdette, where he shows an example where they were attacking, they started doing incident response, they went away for the weekend and came back attacking again with slightly improved lateral movement tools. They're not going to give it up, most of them, which is pretty interesting to me. Number two, stealing data is just one option. I mean everybody, not everybody naturally, but a lot of people were surprised at Sony that they're actually killing the body. Think about it for a second: we know what the Trojan horse can do, it's inside your organization, doesn't matter if it steals data or something else, but you haven't seen it before, have you, Sony? You need to keep on top of that stuff. So stealing data is just one of the options; we need to figure out what else they can do once they're inside and we know they're inside. So aside from Sony, the main action I believe we need to take is going all the way back to boring security risk assessments. Risk assessments are boring documents we have absolutely no use for; we use them mostly for compliance, they're this big if not bigger, and we throw them away the minute they're done. If we could figure out in a risk assessment, make it reasonable, make it tactical, operational: hey, if they have a Trojan horse inside, they can also use it for something else. That could be useful for us; it needs to be updated, it needs to be relevant. That's my take on it.

Second, compile target list. Problem: there is no time-sensitive information out there; reports take time, mostly, meaning no pattern; it's really hard to do pattern recognition. Now the takeaway is: if you have similar data or platform at any organization, you can know you're on the list, and more than that, you can perform a threat assessment. Threat, for some, equals intent plus capability. Stay on top of it, see what's going on: if Target is getting hacked and it's because of their point of sale systems, make sure your point of sale systems are secure and see what's going on there.

Three, cyber engagement cycle, let's talk about it a little bit. Pre-engagement stage: publicly available sensitive data, it's not really there, there's a lack of security awareness, it's pretty much an issue; an attacker can get a lot before reaching your network. That's fine, you need to limit the public information, you need to act outside your own perimeter, which is blowing my mind right now, and periodical awareness refreshers; it's basically Captain Obvious, but I have nothing better to say at this stage. Engagement stage: not many share lateral movement reports, please start doing that. Takeaways: the engagement keeps going, there are many, many opportunities for you to intervene, figure that out, you are not alone in this game, and last, put as many obstacles as you can out there: layered security, deception, share your breach data, it helps. In fold and retreat: the attacker can destroy the forensic evidence. I'd even go out and say, which is... I'm not going to back it up right now, I'm just saying it's a possible outlook at this: logs matter a lot, not just for monitoring. Today we base a lot of our security efforts on incident response; if that is the case, backing up can be really important: snapshots of the day, logs, keep them, and back up your logs for incident response. They can destroy their evidence, it's pretty simple. I actually made a name for this, my partner in crime did: BRP, backup response plan. This is important, make sure you have this data.

And you can try this at home. Essentially you have two things we talked about. We have the amount of data, the type of data that you actually have in APT reports: see any APT report that comes out, or any information you get, how much do I actually have, how much can I rely on this? And number two, go through this engagement process, figure out what you can do for defense. It's not just about IOCs. If you do this with every APT report, if you demand more from your vendor, you will get more, and that is my personal takeaway from this.

Now there is something else I would like to talk about, and that is something we like to call the decline of shame. It seems to me almost like APT reports have come to a point where the APT threat actors no longer care. You know, the first time APT1 got caught, it's true they lost their infrastructure, but they shied away quietly; nowadays people get caught, they don't even care, they keep moving. This is... I want to keep it up there for another minute, I'm just having fun with this, but there is a certain evolution in the mindset of threat actors as well, which we need to take into consideration.

What we would like to see: first of all, better, more actionable APT reports. Many of them are very good, many of them suck, it's basically malware information; demand them. Number two, earlier breach reports: hey, if you can give us a heads-up and we know your vertical is targeted, that's really important; if we know the type of platform being attacked, hey, that's pretty important. A lot of this is shared in closed circles, most of this is not; think about it. Third, actionable public information sharing. I was very wary about actually saying this, because for me, for many, many years, anybody who says "information sharing, coordination" is a noob to the security space, but I believe in this: if you guys can share more information, it'll be amazing, and that's that. And last, I understand a lot of people want attribution, it's something with the lizard brain, and it can help with policy, but enough with the attribution already. Kudos to Dave Marcus, of course; whenever I... attribution, it's not the most important thing, as we have shown. Please, okay, so we'll talk later. Don't attribute based on IP addresses, please, for me, okay? No public reports based on IP addresses.

Final words: APT reports can be a huge help, they really can, think about it. We said they were the QA for the attackers, but it's more than that: when you release the report, they are hurt in a major fashion. If you release a report that helps us create the defense we need, that would be really great, which means we want to stay on the attacker's six. Keep releasing the information, keep making it relevant, it does help, but let's make it better, and essentially let's increase their costs. Everything I do, from my startup to any project I'm involved with, to other people, I'm talking about the asymmetry and their cost. If we can change this cost aspect of the attackers and attacks, that's all I really care about personally, and this is something I think APT reports can really help with. Thank you very much, and if you have any questions and I have time, I would be most happy to answer, but I will say this has been very quick; there is an entire research behind it, if you're interested I'll be most happy to share. Thank you very much. [Applause]

22 minutes, well done. We've got time for questions; if you can just raise your hand, I'll come find you. Come on, someone's got a question? Yes? No? Thank you so much, appreciate it, thank you, thank you so much, and again on behalf of BSides, and thanks to one of our sponsors, Fitbit, here's a Fitbit there. Thanks, appreciate it, thank you, all right.
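The compile-time observation in the talk (the Symantec Stuxnet timeline, "never on Shabbat") is the kind of tempo analysis a defender can script once a report lists artifact timestamps. What follows is an added example, not code from the talk or from any vendor report: the timestamps are constructed for illustration, and the 9-to-17 local workday and the whole-hour timezone grid are assumptions. It profiles which weekdays and UTC hours carry activity and which UTC offset fits a normal workday best, with the talk's own caveat in the comments: compile timestamps are attacker-controlled and can be scrambled (the Duqu 2 point), so the result is weak evidence on its own.

```python
"""Working-hours profile from artifact timestamps (added example).

Caveat: compile and infection timestamps are attacker-controlled data.
A result from this script is a hint for the analyst, never attribution.
"""
import calendar
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: compile timestamps (UTC) of a fictional campaign,
# not taken from any real report. One Friday-night outlier is included
# on purpose so the rest-day threshold has something to absorb.
SAMPLE_COMPILE_TIMES = [
    datetime(2015, 3, 1, 6, 12, tzinfo=timezone.utc),   # Sunday
    datetime(2015, 3, 1, 10, 45, tzinfo=timezone.utc),
    datetime(2015, 3, 2, 7, 30, tzinfo=timezone.utc),   # Monday
    datetime(2015, 3, 2, 12, 5, tzinfo=timezone.utc),
    datetime(2015, 3, 3, 8, 50, tzinfo=timezone.utc),   # Tuesday
    datetime(2015, 3, 3, 13, 20, tzinfo=timezone.utc),
    datetime(2015, 3, 4, 6, 40, tzinfo=timezone.utc),   # Wednesday
    datetime(2015, 3, 4, 11, 15, tzinfo=timezone.utc),
    datetime(2015, 3, 5, 9, 5, tzinfo=timezone.utc),    # Thursday
    datetime(2015, 3, 5, 13, 55, tzinfo=timezone.utc),
    datetime(2015, 3, 6, 21, 0, tzinfo=timezone.utc),   # Friday night outlier
    datetime(2015, 3, 8, 7, 10, tzinfo=timezone.utc),   # Sunday
    datetime(2015, 3, 9, 10, 30, tzinfo=timezone.utc),
    datetime(2015, 3, 10, 12, 45, tzinfo=timezone.utc),
    datetime(2015, 3, 11, 8, 20, tzinfo=timezone.utc),
    datetime(2015, 3, 12, 11, 50, tzinfo=timezone.utc),
    datetime(2015, 3, 15, 6, 55, tzinfo=timezone.utc),  # Sunday
    datetime(2015, 3, 16, 9, 40, tzinfo=timezone.utc),
    datetime(2015, 3, 17, 13, 10, tzinfo=timezone.utc),
    datetime(2015, 3, 18, 7, 45, tzinfo=timezone.utc),
    datetime(2015, 3, 19, 12, 25, tzinfo=timezone.utc),
]


def weekday_histogram(stamps):
    """Number of samples per weekday name, Monday through Sunday."""
    counts = Counter(calendar.day_name[t.weekday()] for t in stamps)
    return {day: counts.get(day, 0) for day in calendar.day_name}


def rest_days(stamps, max_share=0.1):
    """Weekdays carrying at most max_share of all samples: candidate days off.
    A threshold (rather than zero) keeps a single stray build from hiding
    an otherwise clear pattern."""
    hist = weekday_histogram(stamps)
    total = sum(hist.values())
    return [day for day in calendar.day_name if hist[day] <= max_share * total]


def utc_activity_window(stamps):
    """Earliest and latest UTC hour seen (inclusive). Outliers stretch it,
    which is why likely_utc_offsets() below counts samples instead."""
    hours = [t.hour for t in stamps]
    return min(hours), max(hours)


def likely_utc_offsets(stamps, workday=(9, 17)):
    """Whole-hour UTC offsets under which the most samples fall inside the
    assumed local workday [start, end). Returns (offsets tied for best, count)."""
    start, end = workday
    best, best_offsets = -1, []
    for off in range(-12, 15):
        tz = timezone(timedelta(hours=off))
        n = sum(start <= t.astimezone(tz).hour < end for t in stamps)
        if n > best:
            best, best_offsets = n, [off]
        elif n == best:
            best_offsets.append(off)
    return best_offsets, best


if __name__ == "__main__":
    print("per weekday:", weekday_histogram(SAMPLE_COMPILE_TIMES))
    print("candidate rest days:", rest_days(SAMPLE_COMPILE_TIMES))
    print("UTC hours seen:", utc_activity_window(SAMPLE_COMPILE_TIMES))
    print("best-fitting UTC offsets:", likely_utc_offsets(SAMPLE_COMPILE_TIMES))
```

On the constructed data the script reports Friday and Saturday as rest days and UTC+3 as the only offset under which all regular builds land in a 9-to-17 day; on real data you would first check whether the timestamps are plausible at all (Duqu 2's were scrambled), then treat the output as one weak signal among many.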