
Learn How to Speak Malware: A New Approach to Combat Attacks - Todd O'Boyle

BSides Boston · 46:26 · 72 views · Published 2017-05
About this talk
In order for an attacker to steal from you, they need persistent access. This means ensuring that their C2 (command and control) is reliable and resilient to takedown. That's the main reason why over 90% of malware uses DNS for command and control and exfiltration. The good news is that this persistence is something we can use against the attackers in order to find their accesses and then improve how we respond. In this session, geared toward security operators and incident responders, Todd O'Boyle of Percipient Networks will explain a new approach that goes beyond simply blocking and dropping malware C2. Attendees will learn how to "speak malware" in order to better respond when an attacker targets them.
Transcript [en]

So this room is hopping. Todd is here to talk about this: in order for an attacker to steal from you, they need persistent access. This means ensuring that their C2 is reliable and resilient to takedown. That's the main reason why over 90 percent of malware uses DNS for command and control and exfiltration. The good news is that this persistence is something we can use against the attackers in order to find their accesses and improve how we respond. In this session Todd will explain a new approach that goes beyond simply blocking and dropping malware C2. Attendees will learn how to speak malware in order to better respond when an attacker targets them, and we'll be doing a Q&A after. Any

questions? I'm Todd, thanks. I'm from St. Louis, and last year we held our first BSides, and the number of people in this room was bigger than all of the people that showed up to our BSides, so it's really great to be here. Last year about 50% of our attendees at BSides St. Louis were students, so how many in the room are students now? Oh, awesome, okay, you guys are all camouflaged, that's great, welcome. So one of the things I wanted to start off with is: I've been in security for twenty years, and if you want to talk about different paths in security, you know, and you're going to hear some

stories about some fun things that I've done in 20 years, I'd love to talk about that stuff, so please find me after the talk at the happy hour tonight, and, you know, I'd love to talk about that with you. So what I'm going to talk about is more of an idea piece, right? I'm not going to hand you a piece of technology at the end of the talk or send you to a GitHub where you can download our software. I'm going to work on some ideas with you, and I'm going to need your brains' participation throughout the whole talk. So I'm Todd, I'm one of the founders and CTO at Strongarm. We are

headquartered in the Boston area, which is how I ended up here, so we're up in Wakefield. And the reason we are up in Wakefield: so, I was a Purdue guy, and I studied at CERIAS, Gene Spafford's research center, and my story on how I came into security was, I was walking by a lecture hall like this and somebody was talking about Kerberos inside the room, and so I just kind of wandered in, because, you know, it sounded interesting, it was a cool name. And the cool thing, actually, is Kerberos is a really interesting protocol. And so I wandered in, and these grad students had figured out a weakness in ticket granting, in the ticket-granting

ticket process, which is, like, the holy grail of Kerberos: if you can get tickets, you win. And at that point I was hooked. So I listened to the talk, I was just enthralled, I really got into crypto and the systems side of security, and then my goal in life was to go to NSA and be a codebreaker, but that didn't work out for a variety of reasons, and so I ended up at MITRE, which is headquartered in Bedford, Massachusetts. At MITRE my first job was writing forensics tools for the Defense Department; what is now the Defense Cyber Crime Center was the forensics center back then, and I did

15-plus years of active incident response. At one point I was on the other end of a connection with bad people, and so I split my time between real-world incident response stuff and doing research, and I'm going to talk to you about some of the research we've done today and what we've turned into a product. So I left MITRE two and a half years ago and started a company called Strongarm, and MITRE in Bedford is our connection to Wakefield. So I'm an Irishman, I'll tell stories the whole time, I won't really refer much to the slides. So I was working on a team doing incident response, and we had a

set of analysts, brilliant people, and I was their tool-builder type, so I was Q Branch for these individuals, and we built custom tools to track persistent and highly capable attackers; they were well funded. So one day we found that someone not good was accessing an unsecured web app that we had been running, and this was like 2003, 2004, so, you know, web apps without user IDs and passwords, that wasn't an uncommon thing, and it turns out that this web app stored some pretty sensitive information. So what we did, our response to that, was, I'll go from left to right on the slide: so what the attacker did is on

your left and what we did is on the right. So one of the crazy things we did back then was put filtering on what domains could talk to the web server. So we think that it took the attacker about a week to circumvent that: they simply proxied through the trusted domain, they figured out what it was and went through the trusted name, and at that point they were in, a week later. Six months later we found them, so that's the time frame we're working with here. And so we're going to get them: we're going to make people get user IDs and passwords for this system, and so that took us about three months' worth of effort, a few

hundred people-hours to implement that, and the attackers simply found a way to route around the process. They found a weakness that we didn't know of in how passwords were reset: you simply had to have an email with a specific extension on it and the password reset process would say, here's a new password. And so, you know, it took us, however, three to six months to implement that, and, you know, the attacker tried some stuff and they were back in within two weeks. Again, a year later we found them back in the system. So we've got gaps in visibility, we've got asymmetry, right? So the attackers are spending a week and

we're spending months. And so eventually we hardened this process of resetting your passwords, and at that point the attacker simply social-engineered their way around it, and the stuff they did was choice, it was really nice work. And, you know, at that point we've got to do something big, and so we implemented smart cards, and the cost for this program was staggering, staggering, and the pain that it caused people. You know, this two-factor authentication thing, it wasn't like Bank of America made you do it back then, it was really painful to do, users hate it, security people are working, you know, we put a lot

of time and money into this program, and the attacker simply moved over to softer targets. So: one hundred million dollar expenditure, you know, hand-wavy estimate, and the attacker simply moved away from where we had protected over to a softer target. All they had to do is recalibrate themselves, and, you know, it probably took them a couple of weeks to make some decisions on how to do that and then go target some softer targets. So one hundred million dollar expenditure, and a couple of weeks on the attacker's part. So at this point, you know, we're starting to get some questions from the leadership. Sorry, there goes my punchline, my whole

punch line, right? So if you do the math, the defenders aren't going to win, ever; in fact, the chasm is getting worse. And so, you know, we were working with the military, so there's generals on the other end of the table, and they're asking us, well, it looks like all these technical things that you're doing, they're not buying us anything. And by this time we knew who the attacker was, we had some idea of what they were after, we had an understanding of their level of sophistication simply from engaging them for seven years, and so we thought through, like, there's got to be a better way. So I'd urge you, I'm sure

there are plenty of people who are in security: what is your approach, how are you dealing with this asymmetry in your security programs? You know, just think about that. And so on the other end of the table I didn't have a good answer, and that stuff really bothers me, when I don't have any perspective on a problem. So, let's do some research, and that's exactly what we did. So, show of hands, who here is familiar with the cyber kill chain from Lockheed Martin? Okay, great. So I'm going to have to explain the model for the rest of the audience, so please bear with me, and I'm going

to show you a nuance that I think you'll really like; maybe you already know it. So the cyber kill chain is a model for how attackers go after a target, and it starts with just that, a target. So an attacker is given a reason to break into something; they don't indiscriminately do it, and in this case it was intellectual property. You may work in an intellectual-property-rich environment, so you may be targeted for that as well. Other things that we've seen are, if you work in a highly competitive industry, your competitors can hire people with less scruples to go break into your network and steal your customers from you. That's one thing

we've seen, and of course the theft of money is everywhere: ransomware, stealing credit cards, stealing personal information, selling it on the black market, and so on. So they have a target; at that point they decide to go after a set of those targets, so they begin to build, typically, phishing emails that look very, very realistic, and at that point they will package up something that goes boom, an exploit, or a link to something, to try and get you to take an action, those kinds of things. So then the exploitation step, step 4, that's when the boom happens; installation of their initial package, and then they start to embed themselves like a tick, and so, you know,

your victim is now talking to them, and the attacker can now start to take action on whatever they're targeting: the intellectual property, or your customer database, or money, and so on. What I think is cool, and what might be nuanced for those of you that understand the kill chain, is this timeline column, and this is what we paid most attention to. So at this point we were spending all of our time in here, and if you think about it, most security tools spend their time in here: they're trying to watch for this boom, but it happens in a matter of seconds, so if you

don't get it the first time, you lose. Then the attacker parks, and they start to, you know, just get comfortable, might move laterally: I'm going to move over here, park myself, put some new malware over there, begin to look like an administrator, that's a classic technique. So they start to get domain credentials, and then they become part of your system administration team, and all kinds of other fun stuff like that, and then they start sending emails as you, and then things really get fun. But very few people spend any time working here, and we've got all the time in the world: months, and back then it was over a year, and I've seen dwell times at the three-year

mark, so attackers who had access to a network for three years before they got caught. So we've got all kinds of time in the world to work on this, so let's do that, and that's what we did. So, another "sorry" for the established security people in the audience, but this is what malware command and control looks like, in essence, in general. It always starts with the victim, and the victim says: I am here, I have broken in, I've landed on Todd's laptop, and Todd is part of this workgroup, and here's where the malware is loaded, what version of the operating system, what network shares are attached, those kinds of things, and then

the attacker gets to say something back. And so normally, this is what we call a smash-and-grab operation: so they get in, and then they'll take everything that was on this particular system, just to figure out where they landed, and in a highly sophisticated operation they'll hand that off to an analysis team, and the analysis team will pick through what they've got access to and say, I want more of that. And so I'm a big music nerd, and so, you know, maybe our target is a drum machine from the 80s, and so the attacker then searches for these terms, the ADSR envelope, and the malware responds back

with: I found a document that matches what you want, and the attacker says, okay, give me that please, and then the documents come down, and then at that point they kind of settle in. They may do a little bit of lateral movement to establish themselves further in the network, and those kinds of things. And so I'm gonna take a drink.

Unfortunately, what we would see, and I was mostly a network guy, I did a lot of work in IDSes and firewalls, and this is what this looks like to an IDS. And so I'm sitting at the other end of the table and I have to answer: okay, who is it, what have they taken, and where are they? And this doesn't tell me that. I can say they're there; if I'm lucky I'll know that they've gotten, you know, like, a domain credential, and then I could say, well, they took everything. That's about the best I can do. And so what we did, well, maybe we can hack malware. So we did, and it was a blast. And so what we

did was a man-in-the-middle. I'm sure you guys are all familiar with breaking SSL and doing SSL man-in-the-middle; I have philosophies on that that I like to debate, so if you'd like to argue with me afterwards, please. But what we did was build a man-in-the-middle for the malware, and so we would use indicators of compromise, you know, figure out, our specialty was going out and finding where their servers were, their command and control servers, and then what we see here is: hey, I'm on Todd's computer, and we intercept this and we can apply a policy here. So not only do we get to see it, we get to

control what they're doing, and in most cases, yeah, that's okay, you can report that out. And so the attacker would then begin to try to download everything, and we could give them back what they asked for, we could also give them back an error, which is most commonly what risk-averse people do, we can put things in this channel, I'll talk to you about that a little bit, and so on and so forth. And this ability really allowed us to go from, let's see if this works, from this kind of a picture, and now if I'm sitting at the end of the table I can

say, well, we know that they were targeting this kind of information and they wanted to download these kinds of files, and there's also some technical information that you can see inside the malware that helps you do poor man's attribution, and so there's a lot of, you know, goodness here. But it was all technical stuff, right? We really didn't get any closer to the human side of understanding really why, and giving any other options for protection. Right, we found the malware, that's good, we're going to reduce dwell time, but that's not really interesting stuff for, you know, an executive who's just been attacked, and, you know, maybe all

their customer data was stolen. So maybe we can hack the attackers themselves, and I'm not talking about getting on the keyboard and going and blowing up their stuff; like, let's get into their brain. And so does anybody know about the Farewell Dossier? Anyone? Okay, this is going to be great, you'll love it. So we hooked up with some social scientists, and they were social scientists in the purest form, they knew very little technical stuff, which is kind of how we wanted it, and they introduced us to this wonderful story. So Farewell was the name of a Soviet defector in the 80s, and the French named him, and at one point,

as the defection was happening, the French premier came to President Reagan and said, we have a Soviet defector, and they've told us all about the Soviets' troubles building pipelines in Siberia: they found oil, but they don't know how to move it. The Canadians, with us, we know how to move it, so the Soviets had implanted a bunch of KGB agents into this company that was building and operating pipelines in Canada in order to steal from them. And so the CIA got on a plane, went to Ottawa and told, I don't know the Canadian equivalent of the CIA, national security, so, the Canadian equivalent of the CIA, and, you know, their

first response was, okay, well, we've got all the names here, let's go round them up, and they said, no, no, no, no, no, no, no, we want you to give them this. And so the Canadians placed all these documents throughout this organization, they're all paper documents, this is the 80s, and the Soviets took them back to Moscow, and about a year later there was a catastrophic failure in the pipeline. And, you know, so you might count that as a win, but the ultimate win, even more so than that, was the KGB began to distrust the information that they had stolen from the West, and that is

more powerful than, you know, anything. And so they started the purge, and revalidate, you know, revalidate everything that they'd stolen. And so if you work in an intellectual-property-heavy environment, you know, think about that as a protection mechanism for yourselves, because I will tell you, based on experience, the attackers aren't going to stop. You have something they want, and they're going to come steal it from you one way or another, be it via a computer or implanting a spy in your organization; they're going to figure out a way to come after you, so you have to come up with some clever ways to respond. And so we did

a bunch of research on this. And so what we did, this is an experiment, I don't suggest you go run out and do this on your networks today; I'm trying to implant some ideas in your head. And so what we did was pit a red team against a blue team. The red team's job was to have an understanding of blue's plans, basically to predict what the blue team was going to do, and I'm not talking about, like, a computer blue team here; these were military operations in this case, and blue's job wasn't to protect the computer network, it was to ensure the success of the mission. They had a job to do, and it was

part of their job to ensure that their mission was successful, through an understanding of where the attackers had come in, to things like email boxes, you know, computers that could steal information. The red team was fed a steady stream of both true information and misinformation, and, you know, ultimately they were fully tricked into the story that they were fed. There is an awesome talk by the MITRE people that were co-researchers on this; they wrote a book and have given talks throughout the country, public talks on this, and let me know if you want URLs and whatnot and I'll supply those. And so one of my favorite

parts of doing the experiment was we had the social scientists with us, and they were deception experts, that's what their background was. And I can remember the first time we started talking about all of the access points that an attacker has on an organization, and when I told them that if they put something in this particular email box, because we found out the account was compromised, the attacker would get it, and they would know that the attacker would get it, like, their eyes lit up, and they started building these kinds of things into the plan. And these were the engagement points that we identified and

used throughout the experiment. Email boxes are awesome: if you find a popped email account, it's a real opportunity to give something back. Documents that are on shared drives, and that are on people's laptops as well; there were a couple of instances of giving back there. And then we actually had a totally failed experiment, maybe I'll talk about that if I have a little extra time, on web apps, but web apps are also a real nice opportunity, when you find a popped account, to let them use the account for a little while so that you can figure out what they're after and where they're coming from, because it's another thing that you get

to see. And so by combining being able to give access to information, by giving information back to the attackers that was well formulated by the blue team, the research was a big success. So I'll talk to you about one last thing: maybe we can hack our own organizations, kind of sticking with this theme of getting into people's heads, and again I'm not talking about, like, breaking into your own people's systems, like pen testing and those kinds of things. So ninety, still to this day I think this number is true, 90% of attacks start with a phish. Despite new approaches coming out, this is tried and true. So, Bianco, to the top of the pyramid

of pain: this is their TTP, phishing is a TTP, and if you can get out ahead of it, you're going to do better. So let's work on this. I have a technical degree, for better or for worse, right? It served me well in some regards and very poorly in others, and this whole user education thing, talking to your users about phishes, I blew it off when I was a pup, and, you know, that's an actual statement from me: there is no way that will work. Well, it turns out I was really, really wrong. Talking to users about phishing really works, like getting into their heads. And another fun story to share

here on this one. So start with the executives, and there's a reason for that. So we had a bunch of, I think it's called whaling, whaling, that's what it is, I'm not good with my lingo. So we had a bunch of executives get targeted, and one of them clicked, and so we went to have a conversation with them, and it turns out that they weren't the only ones targeted. But that conversation turned into a conversation not between us security people and the executive; the executives started talking amongst themselves, they started comparing notes: hey, I got this kind of a message last week, and I found it, I told the security people. But the kicker, the

best of all, my absolute favorite, is they began comparing accounting, like, this is an executive in charge of plans or logistics or operations, these aren't security people, but they built it into their daily routine, weekly routine, to understand how their organization has been targeted by phishing, and then they compared it with the other executives: so my programs got phished five times, how many times did your programs get phished, and it was by this attacker, and here's the new thing that they've added. Another fun fact: public release on Monday, it was used in a phishing attack on Tuesday, right? Hey, look at this new press release from the organization, the PDF with a boom in the

middle. And so make a game out of it, get people talking to each other, get people on the staff, not security people, talking to each other, reporting to you as security practitioners. The data that you can get out of these phishing emails is gold. Be nice to your people, don't shame them when they get a phishing email, don't shame them when they click, please, because that's Pavlovian, that's bad badness. Get them talking to you about it, build that rapport, and get everybody in the organization working together, because I have seen that work and it's really a win. So this is about the end of the structured talk

that I have. My goal today was to implant some ideas, so if you guys have some fun ideas that you'd like to share with the audience on different ways you can get in the heads of bad people, good people, I'd love to have the conversation, and I can share one more story if you guys don't want to talk, I can do that. Yes? Yes, please.

So my name is Darwin, president of the cybersecurity club at Salve Regina University in Newport, Rhode Island, and one initiative that we have is a cyber hygiene awareness campaign, where we post very practical tips around campus, graphically pleasing, but what we try to do is bring

the language down to everyday language, so phishing, passwords, whatever it may be. What do you think it would take to get the conversation started on the student level, not only for people who are seeking cybersecurity knowledge or tips but also, like, around the whole entire campus? In our first semester we've gotten 68 members, and it's a pretty small liberal arts school where we don't have an undergraduate cybersecurity program, so I feel like we're doing a lot, but we could do more, because everybody is vulnerable. So yeah, I was interested in seeing what your take on it would be.

Oh man, I have a

couple of ideas. So it has to be about making a connection with whoever you're targeting; make it real to them. And so one thing that's fun is, do you have a relationship with IT? Like, do people talk to you, or to IT, about the phishes that they get?

Yeah, so you've got to get started somewhere, right? You've got to have the spark, and then what happens once you start to get people to, like, you'll become the phishing guy, right? And people will start talking to you, and, you know, from the phishing assessment you'll have some stories of how many people clicked, and from that people start talking about, hey, I got this brand new UPS phishing email, I didn't click on it, but my buddy over there did, and they got their whole computer taken over by ransomware. And so you'll be able to relay those stories to everybody on campus, and, you know, at that point you can

pick and choose the best one for the person that you're talking to. You know, if they're a rampant clicker, there's that one set of stories; if they're, you know, in this think tank, ostensibly you're building cool stuff, right, that someone would want to steal, and so that's a different story. Thank you. You're welcome, welcome to security. Oh, and, sorry, I have another anecdote here. So the simple, down-to-earth, there are a couple of people I can refer you to. So the San Diego Union-Tribune has begun a nationwide cybersecurity publication that's targeted at laypeople, so people that don't work in security, and it's very down-to-earth, very, very

easy to read, and then for a more sophisticated read there's a guy named Michael Santarcangelo who writes for CSO, and he's got a couple of other really great programs; one is called Security Straight Talk, and it's just about making connections and ensuring that people understand the value of security in everything that they do. I think we've got a mic in the back, and then we'll go to the front. Like, hello? Oh, there.

Hi, my name is David Sloan, I'm an IT manager at a software company in Somerville, and we started doing phishing tests last year, and the thing that was most successful for us was doing a super

unfair phishing test. So it looked a little bit like it was from the director of HR, not exactly, wrong email domain, but mostly it looked like everything, but it was about a company retreat that was coming up that people were talking about a lot. It was supposed to be in Florida, people were really concerned about Zika, and it was super unfair, like, to make you click on this thing. [unclear] We got a lot of people upset, but people either loved it or hated it, and that was a great thing: people talked about this thing for weeks, and nobody had ever talked about phishing before. We don't want

to talk about it, it's boring, who cares, go do your thing, fix it, save it, we have work to do. But engaging people in this thing they cared about really, really, really raised awareness, and so I definitely encourage you to do the things that are unfair and be willing to make a few people upset. Definitely get buy-in where you need to, don't, you know, ruin your career or anything, but be a jerk a little bit and get people talking, like you're saying.

Yeah, so, I can't say it enough, one of the things that pisses me off more than anything in security, suffice to say, it's user shaming. It drives

me nuts. If I hear any of you doing it, I'm going to stop you and I will give you a lecture. Don't do it. It turns off the people that you're trying to work with. Do not make fun of them for clicking on phishing emails. These people are victims, they get chosen by an attacker, and if you think they're dumb to click on a phishing email, well, your day may come.

You mentioned your shim layer, the SSL inspection between the malware... oh my God, did you ever try throwing a malicious Word document back at them? You said documents were your example, download all the documents, why not throw a bad macro in there somewhere?

So sure, you could do that, right? You can put a PDF with a boom in it, but it's so uninteresting to me, and maybe that was me. You can put anything you want in these channels, right? And I'm not a lawyer, so I don't think that you should go put documents with exploits on your shared drive or anything like that, but for me it was, I was trying to reach the

pinnacle of, you know, the pyramid of pain, and really understand how the attackers were working against me and what they were after, so that I could build security programs at what we call in the military an operational level. So if I have a program that a nation state wants access to, I'm going to put more money into that program and less money into, you know, the picnics website, and that's really what I was looking for. But you can put anything you want in this channel, especially if you live in a country without scruples.

Yeah, yeah, so I didn't talk to you at all about what I do. So the question was about the Strongarm product: do you deploy it and use it to find malware, or is it something that we intend to leave behind? So one of the nuances, I don't know if anybody caught it, but when the government got good at security, the bad people squirted over to enterprise and eventually went down to small businesses, and Strongarm is a security product for small and midsize businesses. So that's what I do: I help companies from a hundred people to 500 people protect themselves. And so to answer the question, Strongarm is awesome at finding malware that's embedded in a network, you know, as

soon as the thing beacons we find it and talk to it, that's part of what the product does. But for, especially for small businesses, they're laden with clickers, and so putting Strongarm in and then taking it out doesn't provide them any phishing or malvertising protection, and that's what we, you know, we try and move to the left side of the boom by protecting people from those kinds of attacks. Did I answer your question?

Oh no, so we don't do that, I apologize if that was your understanding. So let me go back; I didn't give you guys very good context there, that stinks. So this only happens when a victim tries to talk to a command-and-control server. All the rest of the traffic, no, I don't see it; so that's where we get scalability. I'm not building the proxy here, I'm kind of, but it's not a web proxy, right? And I'm not going to route everybody's web traffic through it and break SSL; in fact, I am a staunch opponent of breaking SSL. That's a beer conversation, though. So

this this what would happen here is if you have a database of indicators as a perfect example and you know where Kemal where command control servers have been set up you add them to a DNS based blacklist and we use the DNS to shunt the traffic over to strongarm that's how works better okay

Yeah, for sure. So, you guys don't care about the story, but we actually tried to sell this whole man-in-the-middle thing, and either people didn't care, because they just want to find out where their victims are and go get rid of them, or they would not accept the risk. We've actually had a bunch of people say "I cannot leave an attacker on my network," and I have some good responses for that, and they still weren't buying it. So what we did with the product is we split this stuff in half. Our product today is just the black hole, so we only see the victim talking, but we can still speak malware with it. So the victim says "hey, I'm on Todd's computer, I'm over here," and we hold the handshake open so that the attacker can't get access to the system we know, or its server, and in that channel we give the victim some stuff back until we get a little bit of information about who it is. That's how we find the victim and help you remediate it quickly, and that's what most of our customers want, frankly. And then we've got some awesome ideas for the red side that we're going to do; if everybody knows what Shodan is, we're going to do some cool stuff with Shodan and speaking malware, but that's coming later. Ask your question. Okay, question in the front, can we mic him?

It seems like you're a fan of handing back information to these attackers just to see kind of what you can get from them, to learn about them.

Oh, it was so much more than seeing what you could get, it was a well cast rated that's what emotions.

So, kind of like your product is somewhat in the area of a honeypot, I was going to say, are there any honeypot projects or anything that you recommend checking out?

Yeah, so we had some colleagues, and there's lots of, let's see, inbound honeypots, and we had some colleagues that were focused on taking malware and double-clicking on it and seeing what happened, and the challenge is, if the environment's not good, right, if the Outlook email box isn't full of email, the attackers know that pretty much instantly, and then if you don't have that you have to go make it, and everything has to be perfect. In fact, why don't I tell my story as a response to your question; I've got a couple minutes and then I'll have to get off the stage. We took Strongarm and we wanted to apply it to hacked credentials. So for a web app, we took the attacker and the credentials that we knew were owned, the passwords that were stolen, and we shunted them over to a system that we took control of and gave them the information that we wanted to give them. It was a total disaster. First of all, you have to do this right: you have to kind of duplicate real information, give them a little bit of fake stuff, so it's really hard from a technical perspective. And then the thing absolutely fell apart when the attacker had two accounts: all they did was log into the other account and validate that the information was correct, and at that point we just turned the thing off and walked away. So from a honeypot perspective we've done a bunch of work in that area, but I still believe this was somewhat successful when we deployed it, and the deception social science stuff, those were our two successes, and we had lots of research failures, lots, because that's research. Okay, I think I can take one more question. I get out? You're the boss though, yeah.