Tracking Cyber-threat Actors Effective Methods for Link Analysis and Attribution

Defining Threat Groups Smallest atomic unit: the individual Largest cloud unit: the scam Fraud, IP-theft, access reseller A.B.C  narrowing cloudspace to individual Developers Less than number of malware (with malware defined before MD5 created aka pre-packing) Users Larger than number of developers

Hacking Groups From China Like Cyber Café The country has more than 81,000 Internet cafes with 4.7 million computers.

The Fraud Marketplace The largest and most successful established market Sets the model for all other marketplaces

Payment system developer $500+ Implant Vendor $1,000+ Exploit Pack Vendor $10,000+ for 0-day Exploit Developer $10,000+ for 0-day Rootkit Developer Rogueware Developer Back Office Developer $1000+ Wizard Bot Vendor eGold ~4% of bank customers Payment system developer Country that doesn’t co-op w/ LE Secondary atm Keep 10% Victims Small Transfers A single operator here may recruit 100’s of mules per week $5,000 incrm. Drop Man Account Buyer Affiliate Botmaster ID Thief Endpoint Exploiters Keep 50% $100.00 per 1000 infections PPI Forger Cashier / Mule Bank Broker Sells accounts in bulk Country where account is physically located $5.00 per $50 Keep 10%

IP-Theft This marketplace is largely unmapped Buyers/Sellers have quite a bit of risk so information brokers have emerged A general auction/market has not been established due to the general exposure risk Many actors are directed at targets by a controller-individual State-sponsored attacks

Access Theft Because the IP-Theft market is difficult to emerge, the next-best thing is reselling access Industry-specific, nature of access described Sold on the basis of potential data-access Sometimes data will be enumerated (not actually stolen, just characterized) This is highly lucrative and well established, with prices in double and triple digits USD/Euro

Fingerprinting Malware Developers Use of forensic toolmarks See HBGary’s presentation on Malware Attribution for technical details on this subject

Malware Consumers (users) Requires information exposure that leaks PPI about the users Penetration of social cyberspaces / marketplaces Forums Back-end systems for license control Back-end systems for PPI accounting Download logs / user-id’s on systems

Exploitation Affiliates These are like foot soldiers Typically a numerical ID can be extracted from the exploit payload, as this is used to register a successful infection in a PPI program This is how they get paid $$$$

Example finding consumers via forum Toolmark leads to developer, which leads to forum for technical support, which leads to consumers

Example: Link Analysis with Palantir™ Implant Forensic Toolmark specific to Implant Searching the ‘Net reveals source code that leads to Actor Actor is supplying a backdoor Group of people asking for technical support on their copies of the backdoor

Example finding consumers via leaky license key Developer’s identity leads to postbin site, which leads to unprotected dynamic files, which leads to a cleartext listing of licensed user-keys

Keylogger (link analysis)

Penetrating Cyberspaces Maintaining and building digital cover Non-attrib pop on ‘net Multiple identities Contribution for bonafides

Building and Maintaining Digital Cover

Solutions for non-attribution Require access to the ‘net that cannot be attributed May require point-of-presence in specific country This is more difficult than it sounds Don’t think you can just buy a local dialup account

Time of day

Challenges of Forum-Scraping

Analysis Identifying an actual threat group pre-existing / established capability and motive Identifying newly emerging threats New attack / new motive Predicting new threats Getting into their head, what are they going to think of next?

Working back the timeline Who sells it, when did that capability first emerge? Requires ongoing monitoring of all open-source intelligence, presence within underground marketplaces Requires budget for acquisition of emerging malware products

Clustering a malware collection Large number of samples Need to group self-similar items into “clusters” Like a “strange attractor” From the cluster, perform link analysis into social cyberspaces to find “participants” Some participants may “resolve” into a developer, user, or other archetype

Following the Money

WebMoney

PayPal

PerfectMoney

Liberty Reserve

Moneybookers

AlertPay

BankWire

Neteller

cashU

eGold

Exchanges Exchanges convert one currency to another They also convert “virtual currencies” such as poker cash http://www.exchangemoneyplace.com/