1. Tracking Cyber-threat Actors
Effective Methods for Link Analysis and Attribution

2. Defining Threat Groups
Smallest atomic unit: the individual
Largest cloud unit: the scam
Fraud, IP-theft, access reseller
A.B.C  narrowing cloudspace to individual
Developers
Less than number of malware (with malware defined before MD5 created aka pre-packing)
Users
Larger than number of developers

3. Hacking Groups From China Like Cyber Café
The country has more than 81,000 Internet cafes with 4.7 million computers.

4. The Fraud Marketplace
The largest and most successful established market
Sets the model for all other marketplaces

5. Payment system developer
$500+
Implant Vendor
$1,000+
Exploit Pack Vendor
$10,000+ for 0-day
Exploit Developer
$10,000+ for 0-day
Rootkit Developer
Rogueware Developer
Back Office Developer
$1000+
Wizard
Bot Vendor
eGold
~4% of bank customers
Payment system developer
Country that doesn’t co-op w/ LE
Secondary
atm
Keep 10%
Victims
Small Transfers
A single operator here may recruit 100’s of mules per week
$5,000 incrm.
Drop Man
Account
Buyer
Affiliate Botmaster
ID Thief
Endpoint Exploiters
Keep 50%
$ per 1000 infections
PPI
Forger
Cashier / Mule
Bank Broker
Sells accounts in bulk
Country where account is physically located
$5.00 per
$50
Keep 10%

6. IP-Theft This marketplace is largely unmapped
Buyers/Sellers have quite a bit of risk so information brokers have emerged
A general auction/market has not been established due to the general exposure risk
Many actors are directed at targets by a controller-individual
State-sponsored attacks

7. Access Theft
Because the IP-Theft market is difficult to emerge, the next-best thing is reselling access
Industry-specific, nature of access described
Sold on the basis of potential data-access
Sometimes data will be enumerated (not actually stolen, just characterized)
This is highly lucrative and well established, with prices in double and triple digits USD/Euro

8. Fingerprinting Malware Developers
Use of forensic toolmarks
See HBGary’s presentation on Malware Attribution for technical details on this subject

9. Malware Consumers (users)
Requires information exposure that leaks PPI about the users
Penetration of social cyberspaces / marketplaces
Forums
Back-end systems for license control
Back-end systems for PPI accounting
Download logs / user-id’s on systems

10. Exploitation Affiliates
These are like foot soldiers
Typically a numerical ID can be extracted from the exploit payload, as this is used to register a successful infection in a PPI program
This is how they get paid $$$$

11. Example finding consumers via forum
Toolmark leads to developer, which leads to forum for technical support, which leads to consumers

12. Example: Link Analysis with Palantir™
Implant
Forensic Toolmark specific to Implant
Searching the ‘Net reveals source code that leads to Actor
Actor is supplying a backdoor
Group of people asking for technical support on their copies of the backdoor

13. Example finding consumers via leaky license key
Developer’s identity leads to postbin site, which leads to unprotected dynamic files, which leads to a cleartext listing of licensed user-keys

14. Keylogger (link analysis)

15. Penetrating Cyberspaces
Maintaining and building digital cover
Non-attrib pop on ‘net
Multiple identities
Contribution for bonafides

16. Building and Maintaining Digital Cover

17. Solutions for non-attribution
Require access to the ‘net that cannot be attributed
May require point-of-presence in specific country
This is more difficult than it sounds
Don’t think you can just buy a local dialup account

18. Time of day

19. Challenges of Forum-Scraping

20. Analysis Identifying an actual threat group
pre-existing / established capability and motive
Identifying newly emerging threats
New attack / new motive
Predicting new threats
Getting into their head, what are they going to think of next?

21. Working back the timeline
Who sells it, when did that capability first emerge?
Requires ongoing monitoring of all open-source intelligence, presence within underground marketplaces
Requires budget for acquisition of emerging malware products

22. Clustering a malware collection
Large number of samples
Need to group self-similar items into “clusters”
Like a “strange attractor”
From the cluster, perform link analysis into social cyberspaces to find “participants”
Some participants may “resolve” into a developer, user, or other archetype

23. Following the Money

24. WebMoney

25. PayPal

26. PerfectMoney

27. Liberty Reserve

28. Moneybookers

29. AlertPay

30. BankWire

31. Neteller

32. cashU

33. eGold

34. Exchanges Exchanges convert one currency to another
They also convert “virtual currencies” such as poker cash