Monday, September 12, 2016

An old dailydave post on cyber attribution, and some notes

What I wanted to call out today was how technology is customized by the people who use it. Everyone can run the same rootkit, exploit, or tool/methodology, but they are almost certainly going to modify it over time. Hacking groups evolve like everything else, and you can draw biology-style tree diagrams of how that happens. VxClass, from Halvar Flake (now a Google tool), does this at scale on implants, but the same is true for every part of the technology domain we live in.



That time signature shows the movement of information through an organization, and between organizations, as clearly as DNA does. Currently I'm reading this new paper by Herb Lin, and you can't see that inside the paper.


The original post from 2013 follows:

We had this whole section in the early Unethical Hacking classes where
we talked about attribution and anti-attribution methodology. To
summarize it: there are some things that can be trivially changed by an
exploit team. The obvious example is the strings inside the trojans, or
the emails they register their cover accounts with. These mean nothing
for attribution.

But there is metadata they cannot change easily. What follows we call
the tripod of cyber attribution:

1. Knowledge of particular vulnerabilities, exploits, or techniques.
This produces a "chain"-like, time-based fingerprint that is extremely
difficult to spoof, since you would need to replicate the entire Chinese
technology tree to pretend to be Chinese. Simply stealing some exploits
won't do, because you'll never have an exploit or exploit technique
BEFORE they go public with it. You can also add "time to mature and
deploy a technology" to your analysis, making it a very robust
indicator. The same holds for operator methodologies, analysis
techniques, and choice of attack surfaces.

2. Targeting. This is hard to change because it results not from
technological restrictions but from policy restrictions and turf wars.
If you're not allowed by the Politburo to steal Chinese data, then you
won't. Faking this is possible, but it's somewhat complex. This, of
course, is also why it's dangerous to do "collision prevention" on your
rootkits (deconflicting so that two of your own implants never land on
the same host). If you never catch Rootkits A and Q on the same box,
ever in the history of time, then A and Q are from the same team (or
allied teams).

3. Dissemination. It's hard to pretend to be Russian if the data you are
stealing from Dow Chemicals ends up in Chinese state-owned enterprise's
product lines. This is one reason economic espionage efforts are so
dangerous to groups trying to hide attribution.
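Two legs of the tripod can be turned into simple checks over sighting data. The block below is an added example, not code from the original post or from Immunity: it takes a constructed, hypothetical set of (host, implant) sightings and first-seen dates, flags implant pairs that are individually common but never share a host (the "collision prevention" tell from leg 2), and computes, per group, how far ahead of public disclosure each technique was used (the chronology fingerprint from leg 1). All implant, group, host and technique names and every date are made up for illustration.

```python
"""Added example: turning two legs of the attribution tripod into checks.

Leg 2: implants that are each common yet never co-occur on a host are a
       deconfliction signal (same or allied operators).
Leg 1: a group that uses techniques before they are public sits upstream
       in the technology tree; one that only ever trails disclosure may
       simply have copied.
Every name and date below is constructed, not real data.
"""
from collections import defaultdict
from datetime import date
from itertools import combinations
from math import comb

# Constructed sightings: (host, implant family observed on that host).
SIGHTINGS = [
    ("h01", "A"), ("h01", "X"),
    ("h02", "A"), ("h02", "Y"),
    ("h03", "Q"), ("h03", "X"),
    ("h04", "Q"), ("h04", "Y"),
    ("h05", "A"), ("h05", "X"), ("h05", "Y"),
    ("h06", "Q"), ("h06", "Y"),
    ("h07", "A"),
    ("h08", "Q"), ("h08", "X"),
    ("h09", "X"), ("h09", "Y"),
    ("h10", "A"), ("h10", "X"),
]

# Constructed: first public disclosure of a technique (hypothetical names).
PUBLIC_DISCLOSURE = {
    "tech-1": date(2012, 6, 1),
    "tech-2": date(2012, 11, 15),
    "tech-3": date(2013, 3, 1),
}

# Constructed: earliest date each hypothetical group was seen using a technique.
FIRST_SEEN = {
    "GroupRed": {"tech-1": date(2011, 9, 3),
                 "tech-2": date(2012, 2, 20),
                 "tech-3": date(2013, 5, 2)},
    "GroupBlue": {"tech-1": date(2012, 7, 9),
                  "tech-2": date(2013, 1, 4),
                  "tech-3": date(2013, 4, 1)},
}


def host_sets(sightings):
    """Map each implant to the set of hosts it was seen on; return that map
    and the total number of distinct hosts in the dataset."""
    by_implant = defaultdict(set)
    hosts = set()
    for host, implant in sightings:
        by_implant[implant].add(host)
        hosts.add(host)
    return by_implant, len(hosts)


def p_zero_overlap(n_hosts, n_a, n_b):
    """Probability that two implants placed independently on n_a and n_b of
    n_hosts hosts share no host at all (hypergeometric: draw n_b hosts and
    hit none of the n_a)."""
    if n_a + n_b > n_hosts:
        return 0.0  # pigeonhole: they must overlap if independent
    return comb(n_hosts - n_a, n_b) / comb(n_hosts, n_b)


def deconflicted_pairs(sightings, alpha=0.05):
    """Return [(a, b, p)] for implant pairs never seen on the same host even
    though chance alone makes that unlikely (p < alpha). Pairs that do
    collide carry no deconfliction signal and are skipped."""
    by_implant, n = host_sets(sightings)
    flagged = []
    for a, b in combinations(sorted(by_implant), 2):
        if by_implant[a] & by_implant[b]:
            continue
        p = p_zero_overlap(n, len(by_implant[a]), len(by_implant[b]))
        if p < alpha:
            flagged.append((a, b, p))
    return flagged


def lead_days(first_seen, public):
    """Per group, the techniques it used before public disclosure and the
    lead in days. Techniques first seen on or after disclosure are dropped,
    since trailing a disclosure proves nothing about position in the tree."""
    leads = {}
    for group, seen in first_seen.items():
        leads[group] = {t: (public[t] - d).days
                        for t, d in seen.items()
                        if t in public and d < public[t]}
    return leads


if __name__ == "__main__":
    for a, b, p in deconflicted_pairs(SIGHTINGS):
        print(f"{a} and {b} never share a host (p={p:.3f}): likely deconflicted")
    for group, leads in lead_days(FIRST_SEEN, PUBLIC_DISCLOSURE).items():
        print(f"{group}: ahead of disclosure on {leads or 'nothing'}")
```

On the constructed data only the pair A/Q is flagged (each is on 4-5 of 10 hosts, yet they never meet; the chance of that under independence is about 2%), while GroupRed shows multi-month leads on two techniques and GroupBlue shows none. The hypergeometric zero-overlap probability is a deliberately crude null model; with real telemetry you would at least condition on the host population each implant could plausibly reach, since two implants that target disjoint populations for policy reasons (leg 2's targeting point) would also never collide.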

In any case, completely extraneous to this topic: Lurene did a podcast
you should listen to in your car or whatever -
http://theloopcast.podbean.com/2013/01/16/episode-6-offensive-cyber/ .
It's kind of like eavesdropping on two random people in a Starbucks in
DC who are talking about cyber - which .... is any two random people in
a Starbucks in DC, according to my sampling. :>

-dave
