salander v bond b sides detroit final v3

Corporate Spies Lisbeth Salander vs James Bond

Upload: antitree

Post on 05-Jun-2015



Page 1

Corporate Spies

Lisbeth Salander vs James Bond

Page 2

Overview

Background

Intelligence Life Cycle

War Stories

Anti-Anti-Corporate Spy Training

Conclusions and Review

Page 3

Take Aways

The 4 principal motivators of betrayals

Anti-anti-espionage training

Incorporating what we’ve learned into our OPSEC measures

Page 4

Mandatory Self Definition

› @Antitree
› Intrepidus Group: mobile hacking
› BSidesDetroit12: Jukebox hack
› Organizer: BSidesROC
› Founding Member of Interlock Rochester
› “cyber”

Page 5

Background

Every Fortune 500 organization has an intelligence program under some other title:
› Competitive intelligence, corporate intel, business analysis

Corporate spies are almost never caught, almost never convicted, and never serve more than 1 year in a “corporate spy” prison.

Page 6

James Bond

› MI6 operative
› Relies on humans as sources of intel
› Somehow explodes everything
› Makes love to pretty ladies

Page 7

Lisbeth Salander

› Works as a PI
› Socially unacceptable
› Intelligence comes through technical means
› Also makes love to pretty ladies

Page 8

Types of Intel Agents

Government Employees:
› CIA, Marines, Homeland Security
› Provide intel and counter intel services

Corporate Competitive Intelligence employees:
› Work for an organization to provide intel on their competitors
› Mostly ethical practices

Private Corporate Spies:
› Individuals or private organizations that sell secrets between companies
› Focused, well paid, completely illegal

Page 9

HUMINT VS TECHINT

Page 10

Scenarios

› Break into network, steal documents
› Phishing campaign steals creds
› Malware targeting a company

Page 11

TECHINT

Benefits:
› Direct unfettered access to intelligence
› No middlemen
› Limited risk of inflation, lying
› Lower risk of being caught

Costs:
› More defense measures are in place compared to HUMINT
› Clearly defined laws regarding IP, hacking, etc

Page 12

Scenarios

› Turning a secretary to tell you who the CEO is meeting with
› Paying a VP for financial information
› Convincing a QA dept to give you access to products

Page 13

HUMINT

Benefits:
› Information directly from the source
› Can be the “fall guy”
› Can circumvent any network security measures
› Context for intelligence

Costs:
› The most sensitive information is in small circles
› Possibility for betrayal, lying, or inflating information
› Humans need coddling

Page 14

Principal Motivators for Betrayal

› Money: I will pay you $50,000.
› Ideology: Do it for the greater good of your country!
› Coercion: If you don’t do this, your wife will find out about your mistress.
› Ego: I’ve been watching you and you’re the best in the business. I need your help.

Page 15

The Intelligence Life Cycle

Page 16

Intelligence Cycle For Spooks

Define Target -> Develop Access -> Process Intel -> Exit

Page 17

Define Target -> Develop Access -> Process Intel -> Exit

(Current phase: Define Target)

Page 18

Defining the target

› Recon: (information gathering)
› Goals: (target identification)
  › Secret codes
  › Business Plans
› Entry Points: (vulnerabilities)
› Identify potential sources

Page 19

Information Horizon

› Information horizon
  › Knowledge of people in the organization
  › Knowledge of business practices
› Attacks can use a combination of knowledge to exploit
› Start in the outer hub, and ride a spoke to the next layer
› Pivoting

Page 20

Finding People Online Ready To Turn

› Ask benign questions for secret information
  “I’m thinking about buying a new digital camera, what is Kodak coming out with?”
  “What kind of IDS does Linode use internally? I’m concerned about sensitive information getting hacked”
› Question sites:
  › Yahoo Answers
  › Stack Exchange
  › Forums

Page 21

Turning Sources

› Single Parent Rule: People can justify just about any action, if taken to improve the lot of their children. (Money)
› Disgruntled Employees: Employees with cut salaries or who got laid off turn bitter and vengeful (Ideology, Ego)
› Bad credit scores (Money)
› Sexual disclosure (Coercion)
  › Cheating spouse
  › Pornography habits

Page 22

Define Target -> Develop Access -> Process Intel -> Exit

(Current phase: Develop Access)

Page 23

Developing Access: TECHINT

› Network penetration
› Surveillance
› Malware / APT
› OSINT

Page 24

Developing Access: HUMINT

› All Social Engineering tactics apply
› Study potential sources, their interests, their habits
› Define personality type and vulnerabilities:
  › Loud and egotistical
  › Quiet and non-confrontational

Page 25

Developing Access: HUMINT

› Hang out at the bars they do
› Become friends
› Find what will motivate them

Page 26

Define Target -> Develop Access -> Process Intel -> Exit

(Current phase: Process Intel)

Page 27

Collecting Intel from sources

Establish a Tradecraft: (AKA Stego for meat sacks)
› Dead Drops
› Meeting Points
› Code words

Page 28

No Attribution!

Types of non-attribution:
› Anonymity: no idea who did it
› Spoof: blame someone else
› Deniability: oh it was just a bot in China. *shrug*

Communication Security vs Storage Security

Page 29

Define Target -> Develop Access -> Process Intel -> Exit

(Current phase: Exit)

Page 30

Selling Intel

› Sell to mid-level VPs, not the CEO
› Organizations will always want plausible deniability
› Negotiate the terms

Page 31

Cleanup

› Decommission operation theater
› Spin down connection with sources
  › Maintain surveillance
› Destroy/Scrub all information
  › Friends + Thermite

Page 32

War Stories

Page 33

Peter and the Wolf

› Peter is going through a divorce
› Alex – Russian spy – hangs out in bars and coffee shops near targeted areas of DC
› Alex becomes Peter’s friend over 2 months
› Alex pays Peter for phone numbers of people inside his company
› Tradecraft:
  › Used pass phrases to leave messages and confirm identity while trading information
  › Make a chalk mark on the mailbox
› Alex gets one of his other ops to exchange information about “Star Wars”
› Peter social engineers an IT admin fixing the wiring closet
› Peter steals the documents off the network and exfiltrates them back to Moscow

Page 34

Lessons Learned?

› Primary Motivator: Money
› Spies are friendly
› Tradecraft
  › Chalk mailbox
  › Pass phrases

Page 35

Bill Gaede

Page 36

Bill Gaede

› Started working for AMD in 1979
› Walks up to the Cuban embassy in 1982 and says “I want to be a spy”
› 1989: communism is boring
› 1992: he turns himself in to the CIA and becomes a double agent
› 1992: he goes to work for Intel
› 1994: he flies to South America and sells Pentium secrets
› Tries to sell the secrets to North Korea, China, Iran, and AMD

Page 37

How?

› Walked around picking up random documents and photocopying them
› Used lots of photocopiers so security would never notice
› Guards only looked for green or blue paper
› Charismatic
  › Access to new tech was just because his friends gave it to him
  › Offered to do favors for everyone
  › Always befriended secretaries

Page 38

Lessons learned?

› Primary Motivation: Ideology
› Good employees make good spies
› Security theatre

Page 40

Corporate Spy Training

Page 41

Countermeasures

› Security programs
› The best way to catch a something something is to act like a something something
› Games to practice being a spy

Page 42

Coffeeshopping

Walk into a room, look around, and leave
› How many people are in the room?
› How many people of each age group?
› What color are the cars parked outside?
› What was everyone doing?
› How detailed can you draw the room?

Page 43

Slowest Race

› You need to choose which line to go into.
› Profile the people in each line
  › Older, younger, attractive, tired, etc
› Race the next person that uses the other line
› Airports are great for this

Page 44

Sudo Make Me a Sandwich

Thought exercise: In each of the following roles, how might you be able to exploit something in your organization?
› Junior employee
› Outside contractor
› Delivery person
› After hours staff

How can you remediate?

Page 45

Spy Trainer

Page 46

Conclusions

Page 47

The principal motivators of betrayal are also the principal motivators of success

Page 48

Think offensively about corporate spying

Page 49

Our OPSEC measures should include our own personal “Information Horizon”

Page 53

Questions / Insults / Comments

@antitree

[email protected]

antitree.com

http://is.gd/U8wOk8