TS//SI//REL TO CAN, AUS, GBR, NZL and USA
Communications Security Establishment Canada / Centre de la sécurité des télécommunications Canada

Slide 1: Hackers are Humans too
Cyber leads to CI leads

Safeguarding Canada's security through information superiority / Préserver la sécurité du Canada par la supériorité de l'information

Slide 2: Introductions
o Cyber-counterintelligence
o My primary focus is MAKERSMARK (Russia)
o CSEC - Covert Network Threat (CNT) group
  - New name, same Cyber CI group you know and love
  - Cyber and traditional CI sitting side by side
  - Focused on Foreign Intelligence, not Information Assurance

Slide 3: Goals
o How do we attribute cyber intrusion sets?
o How do we go beyond the hacking face of a CNE program?
  - Expose management structure, operators
  - Requirements, technological advances
o This presentation portrays only one method
  - Passive infrastructure tasking, contact chaining
  - Many others are available

Slide 4: Initial Seed
o Infrastructure tasking
  - Mostly exposed through malware content delivery
o Careful and manual monitoring of anomalous network sessions
o Nothing fancy
o Not Web 2.0, but it works

Slide 5: Overview
o MAKERSMARK
  - Misuse of operational infrastructure
  - Poor OPSEC practices

Slide 6: MAKERSMARK - Russian CNE
Designed by geniuses, implemented by morons

Slide 7: MAKERSMARK
o The MAKERSMARK less attributed (LA) systems are really well designed
o This has not translated into security for MAKERSMARK operators
o Personal browsing through LA systems
  - Workshops, ORBs and controllers
o Development shop infected by crimeware
  - 4th party collection

Slide 8: MAKERSMARK Less Attributed Overview
[Diagram: SIGINT intercept; spoofed source IP; MAKERSMARK]

Slide 9: MAKERSMARK Misuse of Infrastructure
o Less attributable infrastructure used for highly attributable purposes
  - Hosting implant callback servers
  - Live testing of new implant protocols
  - Collecting exfiltration
o This is not CNE best practice

Slide 10: MAKERSMARK Misuse of LA Systems
o Personal social networking
  - Vkontakte
  - mail/inbox/bk.ru accounts
o Personal email
  - Webmail, POP
  - Personal retrieval through masquerading infrastructure
o Personal web browsing

Slide 11: MAKERSMARK 4th Party Collection
o Implant development shop infected by GUMBLAR botnet
  - Crimeware
  - Sends pharmaceutical spam
o Exfiltration to Canadian 'bullet proof' host
  - HTTP/FTP logins
  - Collection of MM operator browsing habits
  - MM LiveJournal accounts included in collection

Slide 24: Closing Remarks
o You have to keep an eye out
  - A lot of value can be lost by not following leads
  - Typically the window to exploit information is short
  - Knowing what to look for is half the battle
o These exploitation opportunities don't last forever
o As a CNE program matures, so will its OPSEC

Slide 25: Questions
National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C. 20037. Phone: 202-994-7000. Fax: 202-994-7005. nsarchiv@gwu.edu