Hacker: we can see you - getting through to security incidents

Hinne Hettema

IT Security Team Lead, The University of Auckland

Cyber Security Lecturer, Unitec

Contents

• From incidents to groups: who’s behind our incidents?

• The advantages of ‘group data’ over incident data

• Predictive controls: why you need them

• Predictive controls: how to do them

• Conclusions

From incidents to groups: who’s behind our incidents?

Hacking is only Human

• Behind all hacking and intrusion attempts stands a human intruder

• Humans hack for a reason

• Motivations related to a ‘threat stack’ – one way to categorise hacking attempts

Threat Stack (‘benign’ to ‘bad’)

• Experimentation

• Vandalism

• Hacktivism

• Cyber Crime

• Information warfare (example: denial of service, sabotage)

• Cyber espionage (state sponsored or private)

• Surveillance

• Cf. ‘Maslow’s hierarchy of [hacker] needs’

Threat stack is cumulative

Threat | Motivation | Very Rough Timeline
--- | --- | ---
Experimentation | Curiosity | Late 1970s - now
Vandalism | Web graffiti; destructive; show off | 1997 -
Hacktivism | Activism; political | 2005 -
Cyber Crime | Financial | 2003 -
Cyber Espionage (APT) | Intellectual Property theft; political | 1995 -
Information Warfare (state sponsored or private) | Disruption in manufacturing, infrastructure, financial; overall nation state disruption; military disruption | 2007 -
State sponsored ‘Advanced Persistent Threat’ | Economic and military power; militarisation of cyberspace | 2010 -
Surveillance | Security industry (surveillance); data passed on for competitive reasons? | 2005 – (it probably happened); 2013 – (we think we know about it)

Strategising the threat stack

• Tools and techniques move down the stack

• What was used for APT two years ago is now becoming common in cyber crime

• What was common in state surveillance is now a hacker tool (BadUSB)

• Hence it makes sense to ‘design defences for the bleeding edge’

Lose sleep here…

• Rapid accumulation of threats

• Fragmentation of incidents

• More sophisticated incidents

Assume compromise

• PWC (2011) ‘A New Philosophy for Cyber Security’

• Philosophy’s all well and good, but what do we do?

• Sharing some of our experiences over 2014 with looking at ‘groups’ instead of ‘incidents’

The advantages of ‘group data’ over incident data

Incidents

• Are ‘one-offs’

• Are dealt with tactically – i.e. you do what you always do and do it well

• Can be opened and closed

Hacking ‘groups’

• Cluster around a motivation

• Are persistent and generate many ‘incidents’ per group

• Have a more or less defined, but evolving, Modus Operandi

• ‘Modus Operandi’ consists of tactics, technical toolset, business model, discovery techniques, hosting, alliances

• Modus Operandi is relatively stable!

• Are dealt with strategically – i.e. anticipate and react pre-emptively

Some speculation

Such groups possibly

• Visit many organisations in a market segment (they ‘specialise’ in a single market segment, e.g. tertiary education)

• Move up from small and simple to large and complex

• Share knowledge and tactics with each other

• Divide up the landscape of victims?

• ‘Hand over’ targets to rival groups in exchange for something else?

Unpacking the Modus Operandi

• Because they are persistent, they will use something like a ‘kill chain’, a model or strategy for their attacks

• They’ll use the same or similar tools and strategies for identical stages in the kill chain in different incidents

• They have a business model – you can follow the $$s and work out what it is

Why follow the money?

• The Underground Economy is important

• If you understand the business model of a group you can defend against it (by fouling it up)

• Their $$s are usually your loss or your customers’ loss, so this cuts both ways

• Business model lets us focus on what is stable in a series of incidents – the attackers usually want the same stuff all the time

‘Incident’ally: The Kill Chain

• Discovery

• Weaponisation

• Delivery

• Exploitation

• Installation

• Command and Control

• Actions on objectives

• [Optionally] Target Destruction

Key consequences of the kill chain

• ‘Incidents’ look complex: different methods and tools used in different phases

• Most people only pick an incident up in the ‘Target Destruction’ phase:

• Fake AV

• Cryptolocker / Cryptorbit

• TOR Exit nodes

• DDoS traffic exiting the network

• ‘It no longer works’ or ‘Something funny’
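The two ideas above, a group’s Modus Operandi being stable across incidents and most incidents only being noticed at the Target Destruction phase, fit together in a small worked example. The code below is added here and is not from the talk; the incident records, attribute names and group values are constructed placeholders. It clusters incidents into ‘groups’ by shared MO attributes, extracts the stable part of each group’s MO, and then matches a partial observation made at the Delivery phase against the known groups to show how many kill-chain steps of warning that gives.

```python
from collections import defaultdict
from dataclasses import dataclass

# Kill chain phases in the order the talk lists them: Discovery first, Target Destruction last.
KILL_CHAIN = [
    "Discovery", "Weaponisation", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on objectives",
    "Target Destruction",
]

# Modus Operandi attributes (a subset of those the talk names) used to compare incidents.
MO_ATTRIBUTES = ("tactic", "tool", "hosting", "business_model")


@dataclass
class Incident:
    ident: str   # ticket id (constructed)
    phase: str   # kill-chain phase at which the incident was picked up
    mo: dict     # MO attribute -> value observed in this incident


# Constructed sample incidents; all names and values are hypothetical.
INCIDENTS = [
    Incident("INC-001", "Target Destruction",
             {"tactic": "spear-phish", "tool": "trojan-x", "hosting": "hoster-A", "business_model": "banking fraud"}),
    Incident("INC-002", "Actions on objectives",
             {"tactic": "spear-phish", "tool": "trojan-x", "hosting": "hoster-B", "business_model": "banking fraud"}),
    Incident("INC-003", "Target Destruction",
             {"tactic": "drive-by", "tool": "ransom-y", "hosting": "hoster-C", "business_model": "ransom"}),
    Incident("INC-004", "Delivery",
             {"tactic": "spear-phish", "tool": "trojan-x", "hosting": "hoster-A", "business_model": "banking fraud"}),
    Incident("INC-005", "Target Destruction",
             {"tactic": "drive-by", "tool": "ransom-y", "hosting": "hoster-D", "business_model": "ransom"}),
]


def shared_attributes(a, b):
    """MO attribute names on which two observations agree."""
    return {k for k in MO_ATTRIBUTES if k in a and k in b and a[k] == b[k]}


def cluster_incidents(incidents, min_shared=2):
    """Single-linkage clustering: an incident joins every group in which some member
    shares at least `min_shared` MO attributes with it; matching groups are merged.
    Groups and members are sorted by incident id so the result is deterministic."""
    groups = []
    for inc in incidents:
        matching = [g for g in groups
                    if any(len(shared_attributes(inc.mo, o.mo)) >= min_shared for o in g)]
        merged = [inc]
        for g in matching:
            groups.remove(g)
            merged.extend(g)
        groups.append(merged)
    for g in groups:
        g.sort(key=lambda i: i.ident)
    groups.sort(key=lambda g: g[0].ident)
    return groups


def group_profile(group):
    """The stable part of a group's MO (attributes every member agrees on) and the tools
    seen at each kill-chain phase."""
    stable = {}
    for k in MO_ATTRIBUTES:
        values = {inc.mo.get(k) for inc in group}
        if len(values) == 1 and None not in values:
            stable[k] = next(iter(values))
    tools_by_phase = defaultdict(set)
    for inc in group:
        tools_by_phase[inc.phase].add(inc.mo.get("tool"))
    return stable, dict(tools_by_phase)


def phases_remaining(phase):
    """Kill-chain steps still to come before Target Destruction: the defender's head start."""
    return len(KILL_CHAIN) - 1 - KILL_CHAIN.index(phase)


def match_observation(observation, phase, groups, min_shared=2):
    """Match a partial, early-phase observation (e.g. from the mail gateway) against known
    groups. Returns (group_index, phases_remaining) for every group it matches."""
    hits = []
    for idx, group in enumerate(groups):
        if any(len(shared_attributes(observation, inc.mo)) >= min_shared for inc in group):
            hits.append((idx, phases_remaining(phase)))
    return hits


if __name__ == "__main__":
    groups = cluster_incidents(INCIDENTS)
    for idx, g in enumerate(groups):
        stable, by_phase = group_profile(g)
        print(f"group {idx}: {[i.ident for i in g]} stable MO={stable} tools by phase={by_phase}")
    # Hypothetical Delivery-phase observation: a spear-phish carrying trojan-x seen at the gateway
    print(match_observation({"tactic": "spear-phish", "tool": "trojan-x"}, "Delivery", groups))
```

Run as a script it prints two groups: hosting varies inside the spear-phish group while tactic, tool and business model stay constant, which is exactly the ‘stable’ part worth searching for. The Delivery-phase observation matches that group with five kill-chain phases still to go, where an alert at Target Destruction would arrive with none.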

Progress of an attack: Complex!

[Figure: P(Loss) plotted against Time, rising through stages A, B and C: Initial Exploit, Tools Available, Transition to other Attacks, Residual Attacks]

Predictive controls: why you need them

Incidents: Verizon Report 2014

Consequence of complex incidents: we are LOSING

• More than 75% of systems compromised within a timeframe of ‘days or less’

• Less than 25% of these systems are discovered in ‘days or less’

• And the gap grows

Short Summary

Many people only discover they’ve been hacked

• AFTER the attacker has achieved their objectives

• AFTER the attacker has started wrecking the place

hence

• AFTER the damage is done

The key question

What if we could detect an attack at the

• Reconnaissance phase

• Weaponisation phase

• Delivery phase

Rather than at the Target Destruction phase?

We could

• Trick the attacker by diverting them mid-attack

• Watch them in action and discover their tactics

• Add to our arsenal of ‘malware tools still to analyse’ (but so little time…)

• Waste their time

• Warn other victims in time

Predictive controls: how to do them

All this can be done

• Picking up discovery is not that hard – you probably already have the data

• Picking up weaponisation is not that hard – you probably already have the data

• […]

There’s just so much of it

• Knowing about the groups that try to attack you over and over gives perspective to the data

• And also lets you search very effectively

TLP: AMBER

Recipients may only share TLP: AMBER information with members of their own organisation who need to know, and only as widely as necessary to act on that information.

Will NOT be in distributed slides!

[12 slides of confidential information]

TLP: GREEN

Conclusions

Trends

• Attacks are getting smaller

• Attacks are getting more sophisticated

• ‘Cloud’ adds complexity to everything (it is easy to hide in clouds)

• Harder and harder to take an ‘incident view’ of security

• A ‘bad guys out’ strategy does not work

Next Generation Defence

• ‘Groups’ are more stable than incidents

• Can be followed over time

• Groups have a business model which does not vary a lot over time

• Business model can be attacked as part of defence

• Attacks from ‘groups’ can be predicted if you know what you’re looking for

Key business elements

• Get your data sharing and takedown channels sorted prior to an attack

• Partner with ‘competitors’ – in cyber defence, they are your friends and fellow victims

• Understand the value of your data in the context of your attackers’ business model

Key technical elements

• Implement aggregated and NoSQL accessible logging for everything

• Flexible control over filters on incoming email / web

• Canary accounts

• Security team must own discovery and attack infrastructure somewhere in the cloud prior to an attack

• Do a lot of active egress monitoring (ingress attacks now mostly automated and largely uninteresting)

• Collect incident artefacts
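Three of the technical elements above (aggregated logging, canary accounts, active egress monitoring fed by collected incident artefacts) can be shown working together over a handful of log lines. This example is added here and is not from the talk; the log format, canary account names and indicator addresses are constructed (the addresses come from the RFC 5737 documentation ranges, not real infrastructure). It parses the aggregated log, raises an alert for any authentication against a canary account and for egress to known indicators or of unusual size, and then ranks source hosts by how many distinct rules they tripped, which is the step that turns several one-off alerts into one incident.

```python
import re
from collections import defaultdict

# Canary accounts exist only to be abused: any authentication attempt against them is a signal.
# Hypothetical account names.
CANARY_ACCOUNTS = {"svc-backup-legacy", "finance-share"}

# Indicators collected as artefacts from earlier incidents; constructed placeholders
# from the RFC 5737 documentation ranges rather than real infrastructure.
KNOWN_C2_HOSTS = {"203.0.113.10", "198.51.100.77"}

# Egress transfers at or above this size get flagged for review regardless of destination.
LARGE_EGRESS_BYTES = 1_000_000

# Constructed log format: one aggregated line per authentication or egress flow event.
AUTH_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$")
EGRESS_RE = re.compile(r"^(?P<ts>\S+) egress src=(?P<src>\S+) dst=(?P<dst>\S+):(?P<port>\d+) bytes=(?P<bytes>\d+)$")

# Constructed sample log: one workstation touches a canary account, then talks to known hosts.
SAMPLE_LOG = """\
2014-09-02T08:01:12Z auth ok user=alice src=10.0.5.21
2014-09-02T08:03:40Z auth fail user=svc-backup-legacy src=10.0.5.21
2014-09-02T08:03:41Z auth ok user=svc-backup-legacy src=10.0.5.21
2014-09-02T08:05:02Z egress src=10.0.5.21 dst=203.0.113.10:443 bytes=1840
2014-09-02T08:06:00Z egress src=10.0.5.21 dst=192.0.2.50:443 bytes=5120
2014-09-02T08:07:15Z egress src=10.0.7.9 dst=203.0.113.10:443 bytes=120
2014-09-02T08:09:00Z egress src=10.0.5.21 dst=198.51.100.77:8080 bytes=9000000
2014-09-02T08:10:00Z heartbeat ok
"""


def parse_line(line):
    """Turn one log line into a dict with a 'kind' key, or None if it is not an event we handle."""
    m = AUTH_RE.match(line)
    if m:
        return {"kind": "auth", **m.groupdict()}
    m = EGRESS_RE.match(line)
    if m:
        d = {"kind": "egress", **m.groupdict()}
        d["bytes"] = int(d["bytes"])
        return d
    return None


def detect(lines):
    """Run the three rules over the log and return alerts as (ts, rule, src, detail) tuples."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "auth" and ev["user"] in CANARY_ACCOUNTS:
            # Success or failure does not matter: nobody legitimate touches a canary.
            alerts.append((ev["ts"], "canary-auth", ev["src"], f"{ev['user']} {ev['result']}"))
        elif ev["kind"] == "egress":
            if ev["dst"] in KNOWN_C2_HOSTS:
                alerts.append((ev["ts"], "egress-known-c2", ev["src"], ev["dst"]))
            if ev["bytes"] >= LARGE_EGRESS_BYTES:
                alerts.append((ev["ts"], "egress-large", ev["src"], f"{ev['bytes']} bytes to {ev['dst']}"))
    return alerts


def prioritise(alerts, min_rules=2):
    """Group alerts by source host and return hosts that tripped at least `min_rules`
    distinct rules, most diverse first: several independent signals on one host turn
    a pile of one-off alerts into a single incident worth chasing."""
    rules_by_src = defaultdict(set)
    for _ts, rule, src, _detail in alerts:
        rules_by_src[src].add(rule)
    ranked = sorted(rules_by_src.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [src for src, rules in ranked if len(rules) >= min_rules]


if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for a in found:
        print(a)
    print("hosts to investigate first:", prioritise(found))
```

On the sample log the rules fire six times, but only one host trips more than one rule, so the analyst’s queue starts with that workstation rather than with six separate tickets. The indicator set is the place where collected incident artefacts and shared group data plug in; the rules themselves do not change from one group to the next.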

Questions?

Extra: References and Reading

• PWC report from 2011: Are you compromised but don't know it? A New Philosophy for Cyber Security: http://www.pwc.com/us/en/forensic-services/publications/are-you-compromised.jhtml

• Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin, Ph.D.: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains: http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf