Cyber Attribution: Campaigns and renegades
Dr. Samuel Liles
UNCLASSIFIED
Source: selil.com/wp-content/uploads/2017/04/Research-Presentation.pdf

Caveats: The following represents my research over many years and none of it occurred while a federal government employee. While every effort has been made to ensure accurate portrayal of events within this presentation, some details may be omitted due to the research topic. Opinions, conjecture, or observations are those of the presenter and should not be construed to be official policies or opinions of The Department of Homeland Security, The Federal Government, or the companies who provided primary and secondary source materials. A bibliography at the end of this presentation covers past and current discussion on the topic but is not an exhaustive example of the topic.

Abstract
Attribution of adversaries is a key point in a risk management approach to cyber security. It is an art largely left to the intelligence and law enforcement communities. Unique methods are explored that result in determining and defining a cyber adversary. This discussion is the result of the collision between application, science, and art, where a multi-disciplinary approach yields a comprehensive result.

Goals
• Identify and characterize attributive techniques that are scientifically valid
• Where validity is not possible, or the scientific method does not support attributive techniques, determine the viability of other methods

Risk Research (diagram only)
Threat Research (diagram only, two slides)
Exploitation Research (diagram by Sam Liles)

Tracking an Adversary in Time and Place by vulnerabilities (diagrams by Sam Liles, several slides)

Rosetta Research
Diagram by Sam Liles. Concepts supported by the work of Ronald Kurtz.

Rosetta Research: mapping the frameworks
Cyber Kill Chain: Reconnaissance -> Weaponization -> Delivery -> Exploitation -> Installation -> Command and Control -> Actions on Objective
MITRE ATT&CK: Persistence, Privilege Escalation, Defense Evasion, Credential Access, Host Enumeration, Lateral Movement, Execution, C2, Exfiltration
NSA TAO: Reconnaissance -> Initial Exploitation -> Establish Persistence -> Install Tools -> Move Laterally -> Collect, Exfil, Exploit
DNI Framework, Layer 1 Stages: Preparation -> Engagement -> Presence -> Effect/Consequences. "Boom" marks the intrusion: Preparation and Engagement are External Actions ("Before Intrusion"), Presence and Effect/Consequences are Internal Actions ("After Intrusions"); the slide also splits the timeline into Pre-Execution Actions and Operational Actions.
DNI Framework, Layer 2 Objectives:
• Preparation: Plan Activity; Conduct Research & Analysis; Develop Resources & Capabilities; Conduct Reconnaissance; Stage Operational Tools & Capabilities; Initiate Operations
• Engagement: Deploy Capability; Interact with Target; Exploit Vulnerabilities; Deliver Payload
• Presence: Control; Hide; Expand; Refine Targeting; Establish Persistence
• Effect/Consequences: Deny Access; Consume Resources; Alter/Manipulate Computer, Network, or System Behavior; Extract Data; Destroy HW/SW/DATA; Enable Other Operations

Adversary Research (diagram by Sam Liles)

Is attribution that simple?
Source: Attribution of cyber adversaries, http://selil.com/archives/6791

Attribution
Time to level of attribution, counted from "Event Happens":
• Possible (political level). Evidence required: motive, means, opportunity.
• Probable (technical level). Evidence required: IOCs such as IP, hash, URL, method, time, etc.
• Provable (forensic level). Evidence required: crypto, non-repudiation, multi-mode sensing, direct observation.
Reasoning switches back and forth between:
• Abductive reasoning: the most reasonable explanation given current evidence.
• Deductive reasoning: Man -> Mortal, Socrates -> Man; therefore Socrates -> Mortal.
• Inductive reasoning: given water is wet, if I am wet, it is likely water.
Diamond Model: Adversary, Capability, Infrastructure, Victim.
Meta-features: Timestamp, Phase, Result, Direction, Methodology, Resources.

How do we analyze an intrusion?
Source: Luke in the sky with diamonds, https://www.threatconnect.com/blog/diamond-model-threat-intelligence-star-wars/

Steps to attribution
• The Diamond Model is a graphical representation of an intrusion, but not of attribution.
• Attribution is the summation of an investigation.
• Prepare a set of facts characterized by time/date/event/DNI framework stage.
• Events have a victim (defined by business type, mission, category), a capability deployed by an adversary, and an infrastructure; both of the latter are indicative of IOCs.
• Memory, disk, and network evidence of compromise are categorized by DNI framework stage, type of compromise, and time of compromise (even if only a window).
• Each event may have several stages of compromise, depicted as threads within one victim's infrastructure, that together become a unique pattern of TTPs.
• The infrastructure of the adversary is identified through IOCs.
• Adversary infrastructure deployed against one victim is a starting point for further investigation of adversary capability.
• IOCs are used to pivot through the adversary network (IPs to domains, SSL certificates, ASNs, associated physical/logical locations, passive DNS to locate other infrastructure/victims).
• Determine the time window for each compromise (DO NOT stack multiple events because it is easier).
• When fusing classified intelligence into unclassified attribution, admit that "magic happens": a known answer is used to back into an otherwise unknowable solution. Be wary of this.
Diamond Model: Adversary, Capability, Infrastructure, Victim. Meta-features: Timestamp, Phase, Result, Direction, Methodology, Resources.
Some background: https://selil.com/archives/6791

Steps to attribution (activity threads)
Four threads (Thread 1 through Thread 4) are drawn across the DNI stages Preparation, Engagement, Presence, and Effect/Consequences, with "Boom" marking the intrusion; the thread headers read Victim 1, Victim 1, Victim 2, and Victim ? (not yet identified). Each event is a Diamond (A: adversary, I: infrastructure, C: capability, V: victim), and events A through F are placed on the threads.
Relationships between the events:
• A & C are the same victim
• B & D are the same victim
• B & C share the same attack infrastructure
• C & D saw the same capability
• D & E & F saw the same attack infrastructure

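The bookkeeping from the two "Steps to attribution" slides (events categorized by DNI stage, each with its own time window; IOC pivoting; threads formed by shared infrastructure or capability) as an added worked example in Python. This is editorial code, not code from the presentation. The six events, their IOCs and their windows are constructed to mirror the relationships drawn on the thread slide, and the decision to link events on shared infrastructure or capability but not on a shared victim alone is an assumption of the example, not a rule the slides state.

```python
"""Correlating Diamond-model intrusion events into activity threads.

Added example, not code from the presentation. Each event is a Diamond
(adversary, capability, infrastructure, victim) with the meta-features the
slides use (DNI-framework phase, time window). Events are linked into
threads when they share infrastructure or capability, IOCs are used to
pivot, and every event keeps its own window (no stacking of events).
All event data below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# DNI Cyber Threat Framework layer-1 stages, as used on the slides.
STAGES = ("Preparation", "Engagement", "Presence", "Effect/Consequences")


@dataclass(frozen=True)
class Event:
    name: str
    victim: str                 # victim characterised by business type / mission
    infrastructure: frozenset   # infrastructure IOCs: IPs, domains, cert hashes
    capability: frozenset       # capability IOCs: malware hashes, tools, methods
    phase: str                  # DNI framework stage of this event
    window: tuple               # (start, end) of the compromise, possibly wide

    def __post_init__(self):
        if self.phase not in STAGES:
            raise ValueError(f"unknown DNI stage: {self.phase}")
        if self.window[0] > self.window[1]:
            raise ValueError("window start is after its end")


def _d(text):
    return datetime.strptime(text, "%Y-%m-%d")


# Constructed events (documentation IP ranges, example domain) mirroring the
# thread slide: A & C same victim, B & D same victim, B & C share
# infrastructure, C & D saw the same capability, D & E & F share infrastructure.
EVENTS = [
    Event("A", "Victim 1", frozenset({"203.0.113.10"}), frozenset({"loader-x"}),
          "Engagement", (_d("2017-01-02"), _d("2017-01-05"))),
    Event("B", "Victim 2", frozenset({"198.51.100.7", "update.bad.example"}),
          frozenset({"dropper-y"}), "Engagement", (_d("2017-02-01"), _d("2017-02-03"))),
    Event("C", "Victim 1", frozenset({"update.bad.example"}), frozenset({"rat-z"}),
          "Presence", (_d("2017-02-02"), _d("2017-02-10"))),
    Event("D", "Victim 2", frozenset({"198.51.100.99"}), frozenset({"rat-z"}),
          "Presence", (_d("2017-02-08"), _d("2017-02-12"))),
    Event("E", "Victim 3", frozenset({"198.51.100.99"}), frozenset({"scanner-q"}),
          "Presence", (_d("2017-02-11"), _d("2017-02-14"))),
    Event("F", "Victim 4", frozenset({"198.51.100.99"}), frozenset({"exfil-w"}),
          "Effect/Consequences", (_d("2017-02-13"), _d("2017-02-20"))),
]
EVENT_BY_NAME = {e.name: e for e in EVENTS}


def shared_features(a, b):
    """Which Diamond vertices two events have in common."""
    return {
        "victim": a.victim == b.victim,
        "infrastructure": a.infrastructure & b.infrastructure,
        "capability": a.capability & b.capability,
    }


def pivot(events, ioc):
    """Pivot on one IOC: every event whose infrastructure or capability contains it."""
    return sorted(e.name for e in events
                  if ioc in e.infrastructure or ioc in e.capability)


def link_events(events):
    """Group events into threads: connected components over shared infrastructure
    or capability (union-find). A shared victim alone is deliberately NOT a link;
    unrelated adversaries hit the same victim all the time (assumption of this example)."""
    parent = {e.name: e.name for e in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    index = defaultdict(list)           # (vertex, IOC value) -> event names
    for e in events:
        for ioc in e.infrastructure:
            index[("infrastructure", ioc)].append(e.name)
        for cap in e.capability:
            index[("capability", cap)].append(e.name)
    for names in index.values():        # every event sharing an IOC joins the first
        for other in names[1:]:
            parent[find(other)] = find(names[0])
    groups = defaultdict(set)
    for e in events:
        groups[find(e.name)].add(e.name)
    return sorted(groups.values(), key=min)


def timeline(events, names):
    """Per-event (name, phase, start, end) of one thread in start order; windows are
    reported individually, never merged, as the slides insist."""
    chosen = sorted((e for e in events if e.name in names), key=lambda e: e.window[0])
    return [(e.name, e.phase, e.window[0], e.window[1]) for e in chosen]


def campaign_span(events, names):
    """Outer bound of a thread, for reporting only; not a substitute for timeline()."""
    rows = timeline(events, names)
    return min(r[2] for r in rows), max(r[3] for r in rows)


if __name__ == "__main__":
    for thread in link_events(EVENTS):
        print("thread", sorted(thread), "span", campaign_span(EVENTS, thread))
        for name, phase, start, end in timeline(EVENTS, thread):
            print("  ", name, phase, start.date(), "->", end.date())
    print("pivot on 198.51.100.99 ->", pivot(EVENTS, "198.51.100.99"))
```

Running the block stand-alone prints two threads: event A on its own (it shares only a victim with C), and B through F chained together by the shared domain, the shared capability and the shared C2 address. The per-event windows are what an analyst should carry into the report; campaign_span() is an outer bound and is kept separate precisely because of the "do not stack events" warning.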
Future Work
• Artificial intelligence or game engine structure to automate response
• Contextualize and automate data collection into the framework
• Operationalize the resultant activity

Questions?

Bibliography 1
• Rid, Thomas; Buchanan, Ben. "Attributing Cyber Attacks", The Journal of Strategic Studies, Vol. 38, No. 1-2, pp. 4-37.
• Rid and Buchanan specifically are concerned that the "Diamond Model" suggested by Caltagirone, Pendergast, and Betz may be suspect.
• Boebert, Earl. "A survey of challenges in attribution", Proceedings of a workshop on deterring cyber-attacks: Informing strategies and developing options for U.S. policy, National Academies Press, 2010.
• Locard's Exchange Principle fundamentally states that the perpetrator of a crime will bring something to the crime scene and leave with something from it. In cyber network defense, examples include malware, internet protocol addresses, log files, netflow data, and other artifacts (https://en.wikipedia.org/wiki/Locard%27s_exchange_principle).
• Scientific Method (https://en.wikipedia.org/wiki/Scientific_method)
• Caltagirone; Pendergast; Betz. "The Diamond Model", DoD document released 2013.
• Brady, Henry; Sniderman, Paul. "Attitude Attribution: A group basis for political reasoning", American Political Science Review, Volume 79, December 1985.
• Clark, David; Landau, Susan. "Untangling Attribution", Proceedings of a workshop on deterring cyber-attacks: Informing strategies and developing options for U.S. policy, National Academies Press, 2010.

Bibliography 2
• Yamamoto, Teppei. "Understanding the past: Statistical analysis of causal attribution", American Journal of Political Science, Vol. 0, No. 0, 2011, pp. 1-20 (pre-print copy used).
• Confirmation bias (https://en.wikipedia.org/wiki/Confirmation_bias)
• Perfidy (https://en.wikipedia.org/wiki/Perfidy)
• False flag or deception operations (https://en.wikipedia.org/wiki/False_flag)
• USENIX Enigma Conference, January 2016: https://www.usenix.org/conference/enigma2016
• Bruce Schneier reports on Rob Joyce's talk at the USENIX Enigma Conference: https://www.schneier.com/blog/archives/2016/02/nsas_tao_on_int.html
• USENIX Enigma 2016, NSA TAO Chief on Disrupting Nation State Hackers: https://www.youtube.com/watch?v=bDJb8WOJYdA
• See Adversarial Tactics, Techniques, and Common Knowledge (MITRE ATT&CK): https://attack.mitre.org/wiki/Main_Page
• Caltagirone; Pendergast; Betz. "The Diamond Model", DoD document released 2013, pages 26-30.