Getting Into Information Security Intelligence Gathering: A BlueHat v10 Retrospective from Speakers Ian Iftach Amit and Fyodor Yarochkin

Having a mild case of “professional ADHD” is probably what got me started on this whole “cyber” thing. Having done research, development, integration and consulting in the past, I was starting to get too many unanswered questions in my mind when dealing with customers and individuals who were being compromised left and right. The main driver for me has been getting to the bottom of exactly who these aggressors are that we’re dealing with and really understanding their motivations.
Having a chance to share this kind of research and finding like-minded individuals who are busy working the same angles is a real treat, and one of the major quality assurance measures we should all factor into our work… scientists call it peer-review! :-).

I got into this thing through a random incident. Grugq and I have been pals for a long time. At one point, one of our “friends” was curious about the availability of “certain software” on the market. Naturally, I just went around to the groups of people I am familiar with and asked for leads. We found some sources for him at that time and referred him to a few guys offering similar software. The “friend” was surprised by our findings and suggested we do some more digging. So, we started building an automated system for gathering and indexing/tagging the information so it could be easily query-able, even for English speakers. Naturally I read Russian and Chinese, which basically helps. IMHO, the language barrier is one of the reasons why the “security crowd” doesn’t always get the whole picture of the global situation. We don’t have this problem.

Honestly, I believe a lot of talk about “cyberwarfare” is actually coming from the U.S. (i.e., this is basically the American way of looking at things). I don’t think there really is a concept of cyberwarfare in Russia or in China as it is being portrayed in the media. In my opinion, the current situation is more like the Wild West, where there are service providers and service consumers… and where some of the politically affiliated parties sometimes make use of such services. The availability and accessibility of such services makes it easy even for ordinary, otherwise patriotic people to buy a DDoS against Georgia for example.
Going back to the cyber thing, what really has been researched and analyzed in Russia is information warfare. This is not new and was one of the main priorities during the Cold War. And, in my opinion, this is actually more effective than paying a gang of geeks to hack (i.e., the Latvian and Georgian incidents were, in my view, the outcome of mass-opinion manipulation through the public media, which IS a part of information warfare strategy).

I know, I know. There is no “cyber war” (sorry Howard, I had to use that term again). But seriously now, taking a (huge) step back from the picture that we already managed to paint of how the criminal world operates in the online market (see how I didn’t say “cyber crime”? Oops! ;-)), some patterns were starting to appear in terms of linking more politically inclined incidents, as well as full-on nation-state-related incidents, online. That’s where I started my research into it. This whole thing wouldn’t have come to life if it wasn’t for the amazing community we all work in. I have had a chance to get to sources and raw data that have been loosely analyzed before and take a fresh look at them from another angle. Without the people of different CERTs, organizations, and commercial companies, this would not have been possible at all.
I truly believe (and have personally witnessed) that making shortcuts on a national level to gain “cyber” capabilities ALWAYS results in using tools and techniques from the criminal side of things (with some adaptations at best), much like in the “real” world.

Attack Attribution
Ian & Fyodor:
At conferences, people are often more interested in actual attack attribution than they are in the concept of the attack itself. There are a couple of hints we can share on this matter. First of all, look at the tools. Different social groups develop their own habits of using or building tools in particular ways. So, analyzing the binary characteristics (compiler footprint, coding habit, AV, and anti-debugging methods) can be a good pointer to the origin of the code. Additionally, the majority of crime-related activities are done using tools produced by a small number of people, which is often another hint to an activity’s origin. The third but not last interesting component is motivation.

– Crime is always about money.
– Crime is also conducted very much like a business.
– Ergo, criminals will be very inclined to use tools and techniques that are purpose-built for maximizing the effectiveness of the attack (buy tools, services).
– In terms of attribution, this makes things VERY difficult. Usually, attacks will be “seen” as originating from random places, with very little means of being traced back to a true source. And, the code used is usually from a group specializing in creating such code. Linking the evidence back to the attacker is a long reach at best, and even techniques that aim to “identify” the code origin only get you to the manufacturer, not the user (think guns).
– Carrying on the traditional forensics example, if ballistics were to point to a specific weapon, on the cyber front that weapon would have little if any fingerprint evidence on it that could be attributable to the assailant.
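As an added illustration of the “look at the tools” point above (example code written for this page, not the speakers’ own tooling), the following Python script pulls compiler/linker toolmarks and anti-debugging API references out of a PE image and groups samples that share them, so an analyst can see which samples plausibly came off the same build pipeline. The PE blobs are constructed inline for offline use; the anti-debug API list and the grouping key are assumptions chosen for the example.

```python
import struct
from collections import defaultdict

# Anti-debugging API names often seen in import tables. Their presence is a
# coding-habit marker for clustering, not proof of origin on its own.
ANTI_DEBUG_APIS = (b"IsDebuggerPresent", b"CheckRemoteDebuggerPresent",
                   b"NtQueryInformationProcess", b"OutputDebugStringA")

def pe_toolmarks(blob):
    """Extract compiler/linker toolmarks from a PE image held in memory.

    Returns a dict with machine type, linker version, build timestamp and the
    anti-debug APIs referenced by name, or None if the blob is not a PE."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4            # COFF file header starts after "PE\0\0"
    opt = coff + 20                # COFF header is 20 bytes; optional header follows
    if len(blob) < opt + 4:
        return None
    machine, _nsect, timestamp = struct.unpack_from("<HHI", blob, coff)
    magic, major, minor = struct.unpack_from("<HBB", blob, opt)
    return {
        "machine": hex(machine),
        "pe32plus": magic == 0x20B,
        "linker": f"{major}.{minor}",
        "timestamp": timestamp,
        "anti_debug": sorted(a.decode() for a in ANTI_DEBUG_APIS if a in blob),
    }

def cluster_by_toolmarks(samples):
    """Group sample names by (linker version, anti-debug API set)."""
    groups = defaultdict(list)
    for name, blob in samples.items():
        marks = pe_toolmarks(blob)
        if marks is None:
            continue                   # skip non-PE input instead of failing
        key = (marks["linker"], tuple(marks["anti_debug"]))
        groups[key].append(name)
    return dict(groups)

def make_fake_pe(linker, timestamp, api_names=b""):
    """Constructed minimal PE-like blob (headers only) for offline testing."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x102)
    opt = struct.pack("<HBB", 0x10B, *linker) + b"\0" * 220   # PE32 optional header
    return dos + b"PE\0\0" + coff + opt + api_names
```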

Future plans
I like to play in different fields, from the technical domains to the corporate ones, on up to the political ones (at the national level, or on the international level where I have had the fortune of starting work recently). But the bottom line is that I’m focusing on several research areas: data exfiltration techniques that avoid traditional protections (and how to detect them), linking crime and terrorism groups in terms of tool and techniques (already in the works), and countermeasures at the national and international levels in terms of political power and deterrence.
As I like to say to my clients, “Everything is fair game; everything is in scope :-).”

Automated intelligence analysis is a challenging area that mixes the pure technical fields with social and psychological studies. Reverse engineering, natural language processing, and distributed systems for large-scale data mining could all come in handy in building such automated frameworks. It is basically a fun area, experimenting with non-conventional technologies, and we are looking forward to exploring more of them. Generally, it is relaxing to take a break from your daily pen-test, reverse-engineering, corporate-objective-focused activities to play with something that is fun :-).
As for the future, we are planning to move on to multi-lingual analysis supporting Chinese content, and most likely are going to focus more on scaling. We are also thinking of building public servers for the awesome netglub transforms (along with Maltego), so some of the data can be publicly accessible.
