funsec mailing list archives

Re: Wired: Pentagon Searches for 'Digital DNA' to Identify Hackers


From: Dragos Ruiu <dr () kyx net>
Date: Tue, 26 Jan 2010 13:12:34 -0800


On 26-Jan-10, at 9:24 AM, r.b. wrote:

'“In other words,” The Register’s Lew Page notes, “any code you write,
perhaps even any document you create, might one day be traceable back
to you - just as your DNA could be if found at a crime scene, and just
as it used to be possible to identify radio operators even on
encrypted channels by the distinctive ‘fist’ with which they operated
their Morse keys. Or something like that, anyway.'

This makes great copy but it doesn't sound like they've heard about,
or bothered to take into consideration:

JITs
Automated code generation
Optimizers

Or a slipperier issue:

Just because someone wrote the code doesn't mean they launched the attack.

This idea has been hyped before without result. I don't expect that to
change any time soon.

-r

On Tue, Jan 26, 2010 at 17:58, Larry Seltzer <larry () larryseltzer com> wrote:
One of the trickiest problems in cyber security is trying to figure
who’s really behind an attack. Darpa, the Pentagon agency that created
the Internet, is trying to fix that, with a new effort to develop the
'cyber equivalent of fingerprints or DNA' that can identify even the
best-cloaked hackers.

http://www.wired.com/dangerroom/2010/01/pentagon-searches-for-digital-dna-to-identify-hackers/

How much luck can they actually have with this?



You folks are thinking too mechanistically.
That's the problem with using real world metaphors like DNA analysis
and fingerprints... the internet isn't exactly like the physical domain.
So it doesn't just have to be running some filter on a binary piece of
code.

I've worked with enough penetration test teams and different pen
testers to identify that each attacker/intruder definitely
has identifiable "styles," habits and other traits that could be
identifiable give-aways. What the attacker does after getting
on the machine for reconnaissance, for instance (i.e. how thoroughly do
they examine local processes on the machine, or do they go
immediately for the next hop network survey and pivot, timing,
aggressiveness, noise level, etc...), the sequence or ordering
they use to check for vulnerabilities etc... These correlational bits
of information could very well lead to some sort of
identification of different attackers and attack campaigns.

You are also limiting your scope of imagination to single discrete
intrusions - but identifying objectives and different attack teams
could be done across a whole series of intrusions in an attack
campaign to identify different "advanced persistent threats" as it
were.... ;-P

I'm not agreeing or disagreeing with the methodology espoused or know
enough about what the team mentioned in the
article is trying to identify to say whether it can work, but it's not
right to dismiss out of hand the idea of identifying
different separate attack campaigns across a series of intrusions by
their properties enough to differentiate different
threat vectors.

cheers,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada March 22-26  http://cansecwest.com
Amsterdam, Netherlands June 16/17 http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp
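The kind of behavioural correlation Dragos describes (ordering of post-compromise actions, pace, noise level) as an added, constructed illustration that is not part of the thread: four intrusion sessions are reduced to "style" features and grouped into campaigns by similarity. The session data, action vocabulary and weights are assumptions made up for the example.

```python
# Added example (not from the thread): grouping intrusions into campaigns
# by the attacker's post-compromise "style". Sessions below are constructed.
from itertools import combinations

# Constructed sessions: (seconds since foothold, action category).
SESSIONS = {
    "intrusion_A": [(0, "ps"), (40, "netstat"), (95, "ls_home"), (600, "arp_scan"), (900, "pivot")],
    "intrusion_B": [(0, "ps"), (35, "netstat"), (80, "ls_home"), (700, "arp_scan"), (1000, "pivot")],
    "intrusion_C": [(0, "arp_scan"), (5, "port_sweep"), (12, "pivot"), (20, "port_sweep")],
    "intrusion_D": [(0, "arp_scan"), (4, "port_sweep"), (9, "pivot"), (15, "port_sweep")],
}
NOISY = {"arp_scan", "port_sweep"}  # assumed: actions likely to trip network sensors

def features(session):
    """Style features: action ordering (bigrams), mean pace, and noise level."""
    actions = [a for _, a in session]
    bigrams = set(zip(actions, actions[1:]))
    gaps = [t2 - t1 for (t1, _), (t2, _) in zip(session, session[1:])]
    mean_gap = sum(gaps) / len(gaps) if gaps else 0.0
    noise = sum(a in NOISY for a in actions) / len(actions)
    return bigrams, mean_gap, noise

def similarity(f1, f2):
    """0..1 score: Jaccard of ordering bigrams blended with pace and noise closeness."""
    b1, g1, n1 = f1
    b2, g2, n2 = f2
    jacc = len(b1 & b2) / len(b1 | b2) if (b1 | b2) else 1.0
    pace = 1 - abs(g1 - g2) / max(g1, g2, 1)
    noise = 1 - abs(n1 - n2)
    return 0.6 * jacc + 0.2 * pace + 0.2 * noise  # weights are an assumption

def cluster_campaigns(sessions, threshold=0.7):
    """Single-linkage grouping: two intrusions share a campaign if similar enough."""
    feats = {name: features(s) for name, s in sessions.items()}
    parent = {name: name for name in sessions}  # union-find forest
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for a, b in combinations(sessions, 2):
        if similarity(feats[a], feats[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for name in sessions:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(g) for g in groups.values())

if __name__ == "__main__":
    print(cluster_campaigns(SESSIONS))  # [['intrusion_A', 'intrusion_B'], ['intrusion_C', 'intrusion_D']]
```

The slow, host-first sessions land in one campaign and the fast, scan-first sessions in another; this only ever says "same style", which is Dragos's point, not "same person", which is r.b.'s caveat.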