Dailydave mailing list archives
Re: Getting called out
From: Dave Aitel <dave () immunityinc com>
Date: Thu, 17 Jan 2013 15:15:38 -0500
We had this whole section in the early Unethical Hacking classes where we talked about attribution, and anti-attribution methodology. To summarize it, we realized that there are some things that can be trivially changed by an exploit team - obviously the strings inside the trojans are the best example of these. Or the emails they register their cover accounts with. These mean nothing. But there is meta-data they cannot change easily. What follows we call the tripod of cyber attribution:

1. Knowledge of particular vulnerabilities, exploits, or techniques. This produces a "chain"-like time-based fingerprint that is extremely difficult to spoof, since you would need to replicate the entire Chinese technology tree to pretend to be Chinese. Simply stealing some exploits won't do, because you'll never have an exploit or exploit technique BEFORE they go public with it. And you can also add "time to mature and deploy a technology" to your analysis, making it a very robust indicator. This is also true of operator methodologies, analysis techniques, and attack surfaces.

2. Targeting. This is hard to change because it results not from technological restrictions, but from policy restrictions and turf wars. If you're not allowed by the Politburo to steal Chinese data, then you won't. Faking this is possible, but it's somewhat complex. This, of course, is why it's also dangerous to do "collision prevention" on your rootkits. If you never catch Rootkits A and Q on the same box, ever in the history of time, then A and Q are from the same team (or allied teams).

3. Dissemination. It's hard to pretend to be Russian if the data you are stealing from Dow Chemicals ends up in Chinese state-owned enterprise's product lines. This is one reason economic espionage efforts are so dangerous to groups trying to hide attribution.
In any case, completely extraneous to this topic: Lurene did a podcast you should listen to in your car or whatever - http://theloopcast.podbean.com/2013/01/16/episode-6-offensive-cyber/ . It's kind of like eavesdropping on two random people in a Starbucks in DC who are talking about cyber - which .... is any two random people in a Starbucks in DC, according to my sampling. :>

-dave

On 1/14/13 10:17 PM, Brian Keefer wrote:
On Jan 14, 2013, at 7:41 AM, Dave Aitel wrote:

http://www.wired.com/threatlevel/2013/01/red-october-spy-campaign/

That's what it looks like when the Russians call the Chinese out for pretending to be them. How cool is that! "Here we are, pretending to think it's a Russian trojan because of all that tricky Russian slang left in the code. BUT WAIT, they're using exploit chains out of China! And they use the Chinese target set! We will let you draw your own conclusions."

-dave

Is it just as plausible that the Russians are stealing all the good Chinese exploits because the Chinese have shit OPSEC? Why do all the fuzzing and exploit dev when you can just smash & grab the weaponized goods?

-- bk
-- INFILTRATE - the world's best offensive information security conference. April 2013 in Miami Beach www.infiltratecon.com
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave
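The "collision prevention" observation in point 2 of Dave's message (implant families that are never found on the same host, even though each is common, are likely run by the same or allied teams) turned into a small analyst routine. This is an added example, not code from the list post or from Immunity; the per-host observations and the family labels A, B and Q are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample data: host id -> set of implant families seen on it.
# Family labels are made up; they stand in for Dave's "Rootkits A and Q".
OBSERVATIONS = {
    "host01": {"A", "B"},
    "host02": {"A"},
    "host03": {"Q", "B"},
    "host04": {"A", "B"},
    "host05": {"Q"},
    "host06": {"B", "A"},
    "host07": {"Q", "B"},
    "host08": {"A"},
    "host09": {"Q"},
    "host10": {"B"},
}


def expected_cooccurrence(n_hosts, count_x, count_y):
    """Hosts expected to carry both families if infections were independent.

    P(x) * P(y) * n_hosts, with P estimated from prevalence in the sample."""
    return count_x * count_y / n_hosts


def find_exclusive_pairs(observations, min_expected=1.0):
    """Return (x, y, expected) for family pairs that never share a host even
    though their prevalence predicts at least `min_expected` shared hosts.

    A zero observed co-occurrence is only meaningful when independence would
    have produced some; rare families are ignored via `min_expected`."""
    n_hosts = len(observations)
    prevalence = Counter(f for fams in observations.values() for f in fams)

    # Count how many hosts each unordered pair actually shares.
    observed = Counter()
    for fams in observations.values():
        for x, y in combinations(sorted(fams), 2):
            observed[(x, y)] += 1

    flagged = []
    for x, y in combinations(sorted(prevalence), 2):
        expected = expected_cooccurrence(n_hosts, prevalence[x], prevalence[y])
        if observed[(x, y)] == 0 and expected >= min_expected:
            flagged.append((x, y, round(expected, 2)))
    return flagged
```

Run over the sample, A and Q are flagged (5 and 4 infected hosts out of 10, so independence predicts two shared hosts, but none is observed), while A/B and B/Q co-occur roughly as often as chance predicts and are not flagged.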
Current thread:
- Getting called out Dave Aitel (Jan 14)
- Re: Getting called out Brian Keefer (Jan 17)
- Re: Getting called out Dave Aitel (Jan 17)
- Re: Getting called out Brian Keefer (Jan 17)