Download presentation
Presentation is loading. Please wait.
1
Tracking Cyber-threat Actors
Effective Methods for Link Analysis and Attribution
2
Defining Threat Groups
Smallest atomic unit: the individual Largest cloud unit: the scam Fraud, IP-theft, access reseller A.B.C narrowing cloudspace to individual Developers Less than number of malware (with malware defined before MD5 created aka pre-packing) Users Larger than number of developers
3
Hacking Groups From China Like Cyber Café
The country has more than 81,000 Internet cafes with 4.7 million computers.
4
The Fraud Marketplace The largest and most successful established market Sets the model for all other marketplaces
5
Payment system developer
$500+ Implant Vendor $1,000+ Exploit Pack Vendor $10,000+ for 0-day Exploit Developer $10,000+ for 0-day Rootkit Developer Rogueware Developer Back Office Developer $1000+ Wizard Bot Vendor eGold ~4% of bank customers Payment system developer Country that doesn’t co-op w/ LE Secondary atm Keep 10% Victims Small Transfers A single operator here may recruit 100’s of mules per week $5,000 incrm. Drop Man Account Buyer Affiliate Botmaster ID Thief Endpoint Exploiters Keep 50% $ per 1000 infections PPI Forger Cashier / Mule Bank Broker Sells accounts in bulk Country where account is physically located $5.00 per $50 Keep 10%
6
IP-Theft This marketplace is largely unmapped
Buyers/Sellers have quite a bit of risk so information brokers have emerged A general auction/market has not been established due to the general exposure risk Many actors are directed at targets by a controller-individual State-sponsored attacks
7
Access Theft Because the IP-Theft market is difficult to emerge, the next-best thing is reselling access Industry-specific, nature of access described Sold on the basis of potential data-access Sometimes data will be enumerated (not actually stolen, just characterized) This is highly lucrative and well established, with prices in double and triple digits USD/Euro
8
Fingerprinting Malware Developers
Use of forensic toolmarks See HBGary’s presentation on Malware Attribution for technical details on this subject
9
Malware Consumers (users)
Requires information exposure that leaks PPI about the users Penetration of social cyberspaces / marketplaces Forums Back-end systems for license control Back-end systems for PPI accounting Download logs / user-id’s on systems
10
Exploitation Affiliates
These are like foot soldiers Typically a numerical ID can be extracted from the exploit payload, as this is used to register a successful infection in a PPI program This is how they get paid $$$$
11
Example finding consumers via forum
Toolmark leads to developer, which leads to forum for technical support, which leads to consumers
12
Example: Link Analysis with Palantir™
Implant Forensic Toolmark specific to Implant Searching the ‘Net reveals source code that leads to Actor Actor is supplying a backdoor Group of people asking for technical support on their copies of the backdoor
13
Example finding consumers via leaky license key
Developer’s identity leads to postbin site, which leads to unprotected dynamic files, which leads to a cleartext listing of licensed user-keys
14
Keylogger (link analysis)
15
Penetrating Cyberspaces
Maintaining and building digital cover Non-attrib pop on ‘net Multiple identities Contribution for bonafides
16
Building and Maintaining Digital Cover
17
Solutions for non-attribution
Require access to the ‘net that cannot be attributed May require point-of-presence in specific country This is more difficult than it sounds Don’t think you can just buy a local dialup account
18
Time of day
19
Challenges of Forum-Scraping
20
Analysis Identifying an actual threat group
pre-existing / established capability and motive Identifying newly emerging threats New attack / new motive Predicting new threats Getting into their head, what are they going to think of next?
21
Working back the timeline
Who sells it, when did that capability first emerge? Requires ongoing monitoring of all open-source intelligence, presence within underground marketplaces Requires budget for acquisition of emerging malware products
22
Clustering a malware collection
Large number of samples Need to group self-similar items into “clusters” Like a “strange attractor” From the cluster, perform link analysis into social cyberspaces to find “participants” Some participants may “resolve” into a developer, user, or other archetype
23
Following the Money
24
WebMoney
25
PayPal
26
PerfectMoney
27
Liberty Reserve
28
Moneybookers
29
AlertPay
30
BankWire
31
Neteller
32
cashU
33
eGold
34
Exchanges Exchanges convert one currency to another
They also convert “virtual currencies” such as poker cash
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.