All material confidential and proprietary
EXPLOITATION OF GEO-POLITICAL EVENTS BY STATE-SPONSORED ADVERSARIES
SECURITY DATA ANALYTICS
THE OTHER 2 VS OF BIG-DATA
•Volume - ✔
•Velocity - ✔
•VARIETY - ?
• VERACITY - ???
Source: http://www.ibmbigdatahub.com/infographic/four-vs-big-data
SOUTH CHINA SEA
• ⅓ of the world's oil / $5T in global trade; an energy-rich area
• Multi-national dispute over territorial claims
• China claims most of the region and has been the most assertive
• China's cyber efforts support a robust political, economic, and military effort
• China claims it's a victim, not an adversary
WHEN REAL & CYBER WORLDS MEET
THE NAIKON APT (Advanced Persistent Threat)
•Conducts “high-volume, high-profile, geopolitically motivated attacks” since at least 2010
•Campaigns focus on individual countries, with toolsets deployed against a range of organizations
•Email as an attack vector
•Precise social engineering to identify targets
•Use of decoy documents, timely events as bait
MEET GREENSKY27
• The malware associated with the Naikon APT talked to certain Command and Control (C&C) servers
•An oddball in what was largely a set of domains generated by algorithms (DGA) was “greensky27.vicp.net”
•Greensky27 has a long history going back 5 years
• What is a moniker doing in machine-generated data?
KUNMING; THE CENTER OF THE UNIVERSE
• Domains map to IP addresses
• IP addresses belong to ASNs
• ASNs are more or less static and give us locations.
• Greensky27 changed IPs, a lot!
IP BASED BLOCKING NOT ENOUGH
• 80% of IPs used were disposed of within a day
• 99% of IPs were used 3 times or less; 50% were never used.
HAIKU TIME
IPs are cheap; Adversary is smart; Good luck with that firewall!
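The churn figures on this slide are the kind of thing you compute from passive-DNS history of the C2 hostname. The script below is an added example, not part of the original deck: it runs over constructed resolution records (IP, first seen, last seen, observed C2 contacts) and derives IP lifetime, reuse, and an upper bound on what a daily-refreshed IP blocklist could ever have caught.

```python
from datetime import date

# Constructed passive-DNS style records for one dynamic-DNS C2 hostname:
# (ip, first_seen, last_seen, observed C2 contacts). Sample data, not real telemetry.
RESOLUTIONS = [
    ("203.0.113.1", "2015-03-01", "2015-03-01", 0),
    ("203.0.113.2", "2015-03-01", "2015-03-01", 2),
    ("203.0.113.3", "2015-03-02", "2015-03-02", 0),
    ("203.0.113.4", "2015-03-02", "2015-03-02", 1),
    ("203.0.113.5", "2015-03-03", "2015-03-03", 0),
    ("203.0.113.6", "2015-03-04", "2015-03-04", 3),
    ("203.0.113.7", "2015-03-05", "2015-03-05", 0),
    ("203.0.113.8", "2015-03-06", "2015-03-06", 0),
    ("198.51.100.9", "2015-03-01", "2015-03-20", 4),
    ("198.51.100.10", "2015-03-02", "2015-03-15", 1),
]


def lifetime_days(first_seen, last_seen):
    """Whole days between first and last resolution of an IP (0 = same day)."""
    return (date.fromisoformat(last_seen) - date.fromisoformat(first_seen)).days


def churn_stats(records, max_hits=3):
    """Summarise how long C2 IPs stay in rotation and how much they are used."""
    n = len(records)
    lifetimes = [lifetime_days(f, l) for _, f, l, _ in records]
    hits = [h for _, _, _, h in records]
    total_hits = sum(hits)
    # A blocklist refreshed daily can at best catch traffic to IPs that were
    # still resolving the day after first sighting; everything else is gone
    # before the indicator even ships. This is an upper bound on its coverage.
    catchable = sum(h for (_, f, l, h) in records if lifetime_days(f, l) >= 1)
    return {
        "ips": n,
        "short_lived": sum(1 for d in lifetimes if d < 1) / n,
        "low_use": sum(1 for h in hits if h <= max_hits) / n,
        "never_used": sum(1 for h in hits if h == 0) / n,
        "blocklist_upper_bound": catchable / total_hits if total_hits else 0.0,
    }


if __name__ == "__main__":
    for key, value in churn_stats(RESOLUTIONS).items():
        print(f"{key:>22}: {value:.2f}" if isinstance(value, float) else f"{key:>22}: {value}")
```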
CHI-SQUARED CHI-NA
• A simple test of statistical independence confirms that not all locations play the same part in this drama.
• Certain locations are used for mission activities and others for pit stops.
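The independence test the slide refers to is Pearson's chi-squared test on a location-by-role contingency table. As an added example (not from the original deck), the code below runs it on a constructed table of C2 IPs per hosting network, split into "mission" (seen carrying traffic) and "pit_stop" (resolved but idle), and reports the standardized residual of each cell so you can see which networks carry the operational load; the network labels and counts are made up.

```python
from math import sqrt

# Upper 5% critical values of the chi-squared distribution by degrees of freedom.
CRIT_05 = {1: 3.841, 2: 5.991, 3: 7.815, 4: 9.488, 5: 11.070, 6: 12.592}

# Constructed contingency table: C2 IPs per hosting network, split by whether the
# IP was seen carrying operational traffic ("mission") or only resolved and sat
# idle ("pit_stop"). Network labels and counts are made up for illustration.
OBSERVED = {
    "AS-A": {"mission": 30, "pit_stop": 10},
    "AS-B": {"mission": 5, "pit_stop": 25},
    "AS-C": {"mission": 12, "pit_stop": 13},
    "AS-D": {"mission": 3, "pit_stop": 22},
}


def chi_square_independence(table, crit=CRIT_05):
    """Pearson chi-squared test of independence between rows and columns.

    Every row and column must have a nonzero total, and df must be a key of crit.
    Returns the statistic, df, the verdict at the 5% level and the standardized
    residual (obs - exp) / sqrt(exp) of every cell, which shows where the
    dependence comes from.
    """
    rows = list(table)
    cols = sorted({c for r in rows for c in table[r]})
    row_tot = {r: sum(table[r].get(c, 0) for c in cols) for r in rows}
    col_tot = {c: sum(table[r].get(c, 0) for r in rows) for c in cols}
    n = sum(row_tot.values())
    if any(t == 0 for t in list(row_tot.values()) + list(col_tot.values())):
        raise ValueError("every row and column needs a nonzero total")
    stat, resid = 0.0, {}
    for r in rows:
        for c in cols:
            expected = row_tot[r] * col_tot[c] / n
            observed = table[r].get(c, 0)
            stat += (observed - expected) ** 2 / expected
            resid[(r, c)] = (observed - expected) / sqrt(expected)
    df = (len(rows) - 1) * (len(cols) - 1)
    return {"statistic": stat, "df": df, "independent": stat <= crit[df], "residuals": resid}


if __name__ == "__main__":
    result = chi_square_independence(OBSERVED)
    print(f"chi2 = {result['statistic']:.2f}, df = {result['df']}, "
          f"independent at 5%: {result['independent']}")
    # |residual| > 2 roughly marks a cell that departs from independence
    for (net, role), z in sorted(result["residuals"].items()):
        flag = "over" if z > 2 else "under" if z < -2 else ""
        print(f"{net} {role:>8}: {z:+.2f} {flag}")
```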
MEET GREENSKY27
• Turns out it's an alias used by actual water-ware (human, get it?)
• Pivot from security data to social media and beyond.
• We found a greensky27 on Weibo: a certain Mr. Ge Xing.
• Stays in Kunming; loves to post every little detail of his personal life; works for Chinese military unit 78020
• DOESN'T WEAR A HOODIE OR A BALACLAVA!
EVEN HACKERS NEED WORK-LIFE BALANCE
WHY DO THIS?
• Threat intelligence!
• You have limited money/time/personnel to spend on security, and your adversary has a seemingly endless supply of all three.
• The more comprehensive your understanding of the security game, the better your risk management.
• Don't let your offence make the same mistake as your opponents.
• Big data is not only about volume/velocity.
AND NOW FOR SOMETHING COMPLETELY DIFFERENT
US ELECTIONS 2016!!!
• Marcel Lehel (aka Guccifer), a Romanian hacker, laid claim to hacking Hillary Clinton's personal email server without offering any evidence to back the claim.
• CrowdStrike, a US InfoSec firm, found Guccifer's activities resembling the Fancy Bear / Cozy Bear APTs and suspected a Russian state hand.
• A huge treasure trove of emails from 7 DNC staff members and other documents was released on WikiLeaks by Guccifer 2.0.
• The leaks created a huge firestorm in the US which still continues to burn.
FAKETIVISM
• We have always fancied and admired our hackers.
• Kevin Mitnick, Adrian Lamo, Kim Dotcom, Julian Assange, Edward Snowden
BUT…
• How do you tell a hacktivist apart from a faketivist, a state-sponsored stooge working relentlessly to advance his country's propaganda behind the veil of internet vigilantism?
SPELL CHEKC PLEASE
• misdepatrment[.]com spoofed misdepartment.com, a legitimate MIS Department domain.
• MIS lists the DNC as one of its clients. Domain spoofing is very common and very effective too.
• But wait: misdepatrment[.]com ownership information shows Paris, France.
• Upon pivoting we found that the IP which hosted it hosted other suspicious domains too.
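The spoofed domain above differs from the legitimate one by a single swapped letter pair, which plain Levenshtein distance counts as two edits but optimal string alignment distance counts as one. The code below is an added example, not from the original deck: it refangs defanged indicators, compares second-level labels to a constructed watchlist with that distance, and flags near misses while ignoring exact matches; it assumes single-label TLDs.

```python
def refang(domain):
    """Turn defanged notation like misdepatrment[.]com into a plain lowercase domain."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")


def second_level_label(domain):
    """Label left of the TLD; assumes a single-label TLD (no co.uk style suffixes)."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus one
    adjacent transposition, so a swapped letter pair costs 1, not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalikes(candidates, protected, max_dist=1):
    """Flag candidate domains whose second-level label is within max_dist edits
    of a protected domain's label but is not identical to it."""
    hits = []
    for cand in candidates:
        cand_label = second_level_label(refang(cand))
        for prot in protected:
            dist = osa_distance(cand_label, second_level_label(refang(prot)))
            if 0 < dist <= max_dist:
                hits.append((refang(cand), refang(prot), dist))
    return hits


if __name__ == "__main__":
    # Constructed watchlist and newly registered domains; the spoof is the one from the slide.
    watch = ["misdepartment.com"]
    new_regs = ["misdepatrment[.]com", "example[.]com", "misdepartment[.]com"]
    for cand, prot, dist in lookalikes(new_regs, watch):
        print(f"{cand} looks like {prot} (distance {dist})")
```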
VERACITY OF RUSSIAN ORIGIN
• The additional infrastructure is consistent with Russian APT actors.
• Victims are consistent with known targeting groups.
BUT…
• Enter Guccifer 2.0, a self-proclaimed Romanian hacker not involved with Russia, claiming responsibility for the DNC hack
• Creates social media accounts / blogs, ridicules research and posts even more sensitive information.
TIMELINE of EVENTS
WHAT DOES THE DATA SAY?
• Analysis of competing hypotheses to produce the best available information from uncertain data.
• Activists seek glory; Guccifer 2.0 was oddly quiet up until the hack was exposed.
• The integrity of the leaked documents was questionable.
• Inconsistencies found in claims about hacking methodology.
• Language analysis found inconsistencies in the Romanian origin claim.
THE SHIЙY ФBJЭKT?
• Purposeful breadcrumbs left behind to mislead analysts.
• Internet blog / social media persona emerges only after discovery of the hacking.
• Overlap in infrastructure used by Guccifer 2.0 and Fancy Bear.
BUT…
• Why alter the documents and create doubt?
• Purposeful interference in US elections risks retaliation.
FINAL WORD
• Enough evidence to suggest that Guccifer 2.0 is part of a Russian denial and deception campaign.
• Claims of independent hacker origin are very hard to back up.
• Hacktivism and social reformist claims are very, very suspicious.
• Most likely intention is to present a controlled version of the truth. Worst case scenario: influence the US elections directly.
IF ALL THIS WAS NOT ENOUGH
• https://threatconnect.com/camerashy/
• https://threatconnect.com/blog/tapping-into-democratic-national-committee/
• https://threatconnect.com/blog/guccifer-2-0-dnc-breach/
• https://threatconnect.com/blog/whats-in-a-name-server/
• https://threatconnect.com/blog/guccifer-2-all-roads-lead-russia/
• https://threatconnect.com/blog/fancy-bear-it-itch-they-cant-scratch/
• https://threatconnect.com/blog/does-a-bear-leak-in-the-woods/
• https://threatconnect.com/blog/fancy-bear-anti-doping-agency-phishing/
THANK YOU!