The Unforeseen Consequences of Data Breaches and Hacking
Air Force Information Technology & Cyberpower Conference
Wally Prather | Senior Intelligence Analyst
McAfee Confidential
Disclaimer
This document may contain PII and sensitive technical data on individuals and organizations from public and proprietary sources. The data in this presentation has been thoroughly scrubbed and redacted to protect individual anonymity of any user data as much as is possible. Information in this document is intended for the APG customers only. This document may not be distributed externally or reproduced in any form without express written permission of APG. If you are not the intended recipient or have received this document in error please delete from your systems and notify the sender immediately. APG is a division of McAfee and an industry leader in Digital Threat Intelligence and Cyber Security.
Thesis
Proactive hacking against political targets is not new by any means. This is true regardless of political affiliation, country, religion, etc. The political hacks we will be discussing occurred between 2012 and 2017 and have shown the world that there is a huge need and desire to use political information for more effective propaganda. However, this presentation will not focus on politics but rather on how a competent foreign intelligence service would use this data for target development and effective propaganda. This presentation is not even about the data; it's about the process.
When exposed or leaked data comes into the public eye, what happens? News media skim through what they can, political opponents look for ammo, blame is placed, and lawsuits begin. What about the long game? A determined adversary would look at this data and ask: how can I develop assets and long-term access into specific organizations at the right level?
What does a senior intelligence analyst do with the data? This presentation by McAfee's Advanced Programs Group answers that question. All data presented has been anonymized and sanitized to protect any individuals and organizations.
This is what Foreign Intelligence Services are doing with the data; bet money on that.
Overview
The following are subjects, methodologies, and targeting considerations for the aforementioned data sets.
§ Data
§ Doctrine
§ What are foreign intelligence analysts looking for?
§ Network Analysis
§ Vulnerabilities
§ Targets of Interest
§ The Human Toll
§ Further Application
HUMINT Doctrine / From the BOOK!!!
HUMAN INTELLIGENCE
1-3. HUMINT is the oldest collection discipline and a key contributor to the all-source picture of the battlefield. HUMINT is the intelligence, to include adversary intentions, derived from information collected from people and related documents. It uses human sources acquired both passively and actively to gather information to answer intelligence requirements and to cross-cue other intelligence disciplines. HUMINT is produced from the collection on a wide range of requirements with the purpose of identifying adversary capabilities and intentions.
PERSONNEL
7-27. Personnel are individuals that may be of CI interest. These include ADVERSARY INTELLIGENCE PERSONNEL, insurgent leaders, KEY DECISION AND OPINION MAKERS, scientists, religious leaders, and terrorists. Individuals are evaluated on their level of cooperation, reliability, placement, and access.
- Scientists or technicians engaged or potentially engaged in projects of interest to US intelligence.
- LOCAL POLITICAL PERSONALITIES, police chiefs, HEADS OF SIGNIFICANT MUNICIPAL AND NATIONAL DEPARTMENTS OR AGENCIES, and tribal or clan leaders.
Sources:
https://info.publicintelligence.net/CALL-CommandersGuideHUMINT.pdf
https://fas.org/irp/doddir/army/fm2-22-3.pdf
http://www.survivalschool.us/wp-content/uploads/ST-2-22.7-Tactical-Human-Intelligence-and-Counterintelligence-Operations.pdf
Placement, Access, Accessibility
PAA +
Key personnel are individuals that may be of HUMINT interest. These include adversary intelligence personnel, insurgent leaders, key decision and opinion makers, scientists, religious leaders, and terrorists. Individuals are evaluated on their level of cooperation, vulnerabilities, reliability, placement, and access.
§ P = Placement
§ A = Access
§ A = Accessibility
Sources:
http://www.survivalschool.us/wp-content/uploads/ST-2-22.7-Tactical-Human-Intelligence-and-Counterintelligence-Operations.pdf
http://securityantiterrorismtraining.org/perspectives-for-indian-army/node/24
https://www.cia.gov/news-information/featured-story-archive/2010-featured-story-archive/intelligence-human-intelligence.html
http://www.dtic.mil/dtic/tr/fulltext/u2/a544850.pdf
https://www.smartrecruiters.com/syntelligent/72462737-humint-targeting-officer-junior
https://www.indeed.com/r/7e2b0b27469eaa70
http://www.spiaa.com/pdfdoc/SPI%20HUMINT%20Class-glassford.pdf
https://www.reid.com/pdfs/20140617a.pdf
Mahmoud Ahmadinejad
A Doctrinal Approach
APG's Intelligence Cycle

Planning & Direction
• Can the customer consume intelligence?
• Identify the cyberattack/threat and determine the course of action and requirements to illuminate the adversary
• Contract finalization

Collection
• Dev Team engineers build and leverage capabilities tailored to requirements
• Aggregate information from internal/external resources
• Dev Team works to turn complex technical data into consumable information
• Constantly refining requirements and collection

Processing & Exploitation
• Convert collected data into an understandable form: enriched, text-based data to a visual representation; attribution
• 35+ years' combined experience in all-source analysis, technical analysis, reverse engineering, and malware analysis

Production
• Combine visual representations, data, and industry reporting to create a comprehensive response to the attack/threat
• PhD & Principal Engineer editors
• Written for executive consumption

Dissemination
• Private release only / NDA

Utilization
• Provides the end user the ability to generate courses of action: update/enhance security protocols; LE response
• Identify new requirements and reattack

[Diagram node labels, in the order they appear: Sales, Customer Requirements, APG Leadership, Capabilities Analysis, Industry Trends, Feedback Loop, Refine Requirements, Tool Development, Collection Plan, Structure Queries, Automation, Discovery Research, Analysis / Analytical Exchange, Outline Generation, Drafts, Peer Review, Edits & Rewrites, Formatting, Leadership Review, Final Draft, Product Presentation, Product Delivery, Customer Engagement, Lessons Learned, Implementation, Customer Feedback, Decision Points, Improvement, APG Research.]
Special Operations vs. The Hacker
The Iceberg Methodology

[Diagram: two icebergs, Special Operations and Hacker, split by a waterline into OVERT (what the world sees) above and CLANDESTINE (behind the scenes) below.]

Special Operations, from the visible top of the iceberg to the hidden base:
- Negotiated settlement
- International strategic communications
- Large and minor military and paramilitary operations
- Increased political violence, terror, and sabotage
- Sapping of morale of government and LE
- Increased underground activities
- Intensification of propaganda
- Expansion of and coordination among resistance networks
- Spreading subversive cells into all sectors of life
- Penetration into professional, social, and political organizations

Hacker, OVERT (what the world sees):
- Ransom payments
- Extortion, DOXing, DDoS
- Large-scale data breach
- Minor hacks
- Hacktivist action

Hacker, CLANDESTINE (behind the scenes):
- Extorting insiders within a company
- Social engineering to gain access
- Gaining access to e-mail servers
- Stealing trade secrets
- Creating false accounts to gain access/propagate to outside companies
- Exfiltration of data from internal databases
- Attacks against SCADA systems
- High-level attacks on ISPs for communication monitoring
Terms you need to know
Merging is a simple philosophy, yet complicated in practice. The basics: using APG's analytical medium, ANB (Analyst's Notebook), we build a Network Analysis Chart for each data set individually. We then join the individual charts together to get a holistic view of the network.
Data Management and Merging
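The chart merge described above, as an added example that is not APG's code or an ANB chart: a few contact sheets are keyed on a normalised e-mail address so that one person becomes one node no matter how many sheets list them, and the people who appear on two or more sheets, which is what the merge is there to surface, are returned ranked by overlap. The sheet names, field names and sample rows are constructed for the example (hypothetical names, example.org addresses); in practice each sheet would be read from the spreadsheet with the csv or openpyxl module.

```python
"""Added example (not APG's code or ANB): merge several contact sheets
into one network keyed on e-mail and find the people who appear across
sheets. Sheets are constructed here as lists of dicts."""
from collections import defaultdict
import re

# Constructed sample data: three hypothetical sheets, one row per contact.
SHEETS = {
    "constituent_services": [
        {"name": "A. Example", "email": "A.Example@example.org", "title": "Staff"},
        {"name": "B. Sample", "email": "b.sample@example.org", "title": "Director"},
    ],
    "donors_25k_plus": [
        {"name": "B Sample", "email": " B.Sample@Example.org ", "amount": "30000"},
        {"name": "C. Donor", "email": "c.donor@example.com", "amount": "25000"},
    ],
    "lgbt_events": [
        {"name": "A. Example", "email": "a.example@example.org", "event": "Gala"},
        {"name": "B. Sample", "email": "b.sample@example.org", "event": "Gala"},
        {"name": "D. Guest", "email": "d.guest@example.net", "event": "Reception"},
    ],
}


def normalize_email(raw):
    """Lower-case and strip whitespace so the same person keys to one node.
    Returns None for rows without a usable address."""
    if not raw:
        return None
    addr = raw.strip().lower()
    return addr if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", addr) else None


def build_network(sheets):
    """Merge every sheet into one graph keyed on the normalised e-mail.
    Each node records the name spellings seen, the sheets it came from and
    the per-sheet attributes, so nothing from any source is thrown away."""
    graph = defaultdict(lambda: {"names": set(), "sheets": set(), "attrs": {}})
    for sheet, rows in sheets.items():
        for row in rows:
            key = normalize_email(row.get("email"))
            if key is None:
                continue  # no join key: cannot be merged, leave it out
            node = graph[key]
            node["names"].add(row.get("name", "").strip())
            node["sheets"].add(sheet)
            node["attrs"][sheet] = {k: v for k, v in row.items() if k not in ("email", "name")}
    return dict(graph)


def merge_hits(graph, min_sheets=2):
    """People present on at least min_sheets sheets, most overlap first.
    Returns a list of (email, sorted sheet names)."""
    hits = [(email, sorted(node["sheets"])) for email, node in graph.items()
            if len(node["sheets"]) >= min_sheets]
    return sorted(hits, key=lambda h: (-len(h[1]), h[0]))


if __name__ == "__main__":
    g = build_network(SHEETS)
    for email, sheets in merge_hits(g):
        print(email, "->", ", ".join(sheets))
```

The join key matters more than the charting tool: without the normalisation step, " B.Sample@Example.org " and "b.sample@example.org" become two nodes and the overlap between the donor sheet and the staff sheet is lost, which is exactly the kind of miss a merge across sheets from different sources will produce.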
Turning Data into Intelligence
Marine Corps Logic: Yut Yut Yut
DNC Contacts By Department: Constituent Services
DNC Contacts By Department: Party Affairs
DNC Contacts By Department: Technology / Democratic Policy Committee
Location Specific Data: New York / New York
Financial Data: DNC Credit Cards
Friends of HRC List
Creating lists in Excel makes life easy for the analyst.
Donor Specific Targeting / Merging
Follow the Money
Sheets merged: Clinton Foundation Donors (Free Beacon); Clinton Foundation 25K+; Donors By MM 1 and 2; Donors 1
Financial Merge: The Mean Green Machine
Focused Financial Targeting
THE MERGE: Large Cluster
Clinton Emails
Big Network = Big Trouble: 41,151 emails
Color Coded / Flow of Information
Cross Section Exploitation
Emails Merged With Donor Info and Personnel Data
Tailored Phishing Campaigns
Risk of Subculture Backlash
At minimum there are 1,800,000 individual email addresses in the data.
LGBT and the DNC
For this exercise we felt it important to show that in addition to a clear level of political compromise there is also a HUMAN factor that hasn't been discussed.
The DNC kept multiple lists pertaining to LGBT events, supporters, staff, donations, etc.
We merged six Excel sheets.
Remember the RED star.
LGBT Merge
Everyone Meet Steve
Target Selection
Steve is a xxx founder and partner, and is widely recognized as one of D.C.’s preeminent political strategists. With a career on Capitol Hill and in politics spanning more than 30 years, Steve’s tenure in Washington has been grounded in daily interaction with the White House, administration officials, senators, members of Congress and leading interest groups on the front lines of the economic, social, domestic, national security and foreign policy debates in the last decades. Steve rose to the highest level Democratic staffer in the House of Representatives as Chief of Staff to House Democratic Leader Richard Gephardt, and upon leaving the Hill served as a senior advisor to the Gephardt, Kerry and Clinton presidential campaigns. Since 2006, Steve has represented some of the nation’s most important corporations, trade associations and organizations on critical legislative and regulatory issues, helping to drive their businesses, build their brands and expand their market shares. He has been a frequent guest on CNN, MSNBC and Fox News, and is consistently listed among the most influential leaders in Washington by Politico, The Hill, GQ and other national publications.
Steve's Network
Target Development
What's in it?
1. Personal data from multiple sources
2. Social network data
3. Employment data
4. Library of Congress data
5. Clients
6. Political events / fund raisers
7. Talks
8. Education
9. Emails
Target Development: Steve's Companies
Target Development: Clients
Further Application
The big question: how can this be applied to other target sets? Using the intelligence cycle combined with HUMINT, human targeting, special operations, and irregular-warfare network analysis methodologies, we are able to take data from any source and build, map, and develop targets, networks, or accurate representations of a cyber and human network. Instead of chasing the bright and shiny object, we look under the surface and exploit the underlying factors creating the issue.
APT 10: Indicators of Compromise
Other IOC Examples: Merging IOCs
APT 28: Indicators of Compromise
BIG View: Top 10 Ransomware of 2016, Initial Merge
- Cerber
- Crowti
- Hydracrypt
- Shade
- Cryakl
- Powerware
- Cryptolocker
- Teslacrypt
- Locky
- Cryptowall
IOC Networks – Top 10 Ransomware Families of 2016
They "inter-connect"
[Chart labels: Cryptowall, Cryptolocker, Crowti, Teslacrypt]
There are intersections in the IOCs pre-enrichment. This indicates common infrastructure. More exploitation to follow.
IOC Networks – Top 10 Ransomware Families of 2016: Inter-connections
DD4BC & Ashley Madison
Cryptocurrency Extortion
DD4BC specializes in the extortion of companies, websites, and people through advanced DDoS attacks. A typical DD4BC TTP is to extort Bitcoin from the targeted users to stop the DDoS attack.
DD4BC seems to reuse Bitcoin wallets for multiple attacks; the same Bitcoin wallets that were used to extort Ashley Madison users have been used in various other attacks.
This slide specifically outlines the existing Bitcoin wallets that have been used by DD4BC (addresses shown truncated):
…YGi6D
…aVyMU
…xvW7z
…N1T2y
…MiYgrQ
…NQQkly
…kiyEsp
…VaKrZ
…XWgvT
…wkedP
…Gdelvl
…X9bQN
…KW1Xu
…HqLXR
…aebV8
…hJx4C
WannaCry Ransomware Transactions
Tracking cryptocurrency, tumblers, and connecting networks.
Transactions associated with IP address 130.185.144.96; this IP has been flagged as malicious, is located in the UK, and has 14 domains connected to it.
The Pareto Distribution Applied to Indicators of Compromise
Pareto Distribution
It's a square-root law (Price's law): in a given domain, the square root of the number of people producing accounts for half the product. So if you have 10 employees, about 3 of them do half the work; if you have 1,000 employees, about 32 do half the work.
The Pareto principle (also known as the 80/20 rule, the law of the vital few, or the principle of factor sparsity) states that, for many events, roughly 80% of the effects come from 20% of the causes. It is named for Vilfredo Pareto, who observed the pattern in the distribution of income and wealth among the population; the Pareto distribution is the power-law distribution that describes such data.
Adwind Pareto Distribution
Indicator of Compromise Merge, Highlighted Inner Network
The largest cluster contains an inner and an outer network. The inner network, whose icons are highlighted in red and which is shown on the next slide, should be treated with a higher level of scrutiny due to its centrality and importance in the network hierarchy.
Adwind Inner Network
Inner Network
The inner network of the main large cluster. This network identifies the Pareto distribution within the IOC network for Adwind: within a network there is a distribution of effort that is likely around 80/20, and the nodes below are likely the 20% of Adwind's infrastructure responsible for 80% of the activity. Further enrichment will be conducted to exploit how the inner network works, specifically in regard to Adwind's operational capabilities.
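The two questions the IOC slides raise, which indicators intersect across families before any enrichment (the ransomware inter-connection slides) and which nodes form the high-centrality inner network the Pareto slides single out, as one added example that is not APG's code or an ANB chart. The family names are hypothetical and the indicator sets are constructed from RFC 5737 test addresses and .example names; they are not real ransomware or Adwind IOCs. The code merges the per-family lists into one graph keyed on the indicator, lists the shared infrastructure, counts how many indicators each pair of families has in common, and then makes the Pareto cut: rank indicators by the number of families using them and take the shortest prefix that carries 80% of all family-to-indicator links.

```python
"""Added example, not APG's code or an ANB chart: merge per-family IOC
lists into one graph, list the indicators shared across families, count
family-to-family links, and cut out the high-centrality inner network.

Family names are hypothetical; indicators are constructed from RFC 5737
test addresses and .example names and are not real ransomware IOCs."""
from collections import defaultdict
from itertools import combinations

# Constructed sample: four shared hubs and a tail of one-off indicators.
H1, H2, H3, H4 = "203.0.113.10", "mail-relay.example", "198.51.100.7", "c2-shared.example"
FAMILY_IOCS = {
    "family_a": [H1, H2, H3, H4],
    "family_b": [H1, H2, H3, H4],
    "family_c": [H1, H2, H3, H4],
    "family_d": [H1, H2, H3, H4],
    "family_e": [H1, H2, H3, "drop-e.example"],
    "family_f": [H1, H2, H3, "drop-f.example"],
    "family_g": [H1, H2, "drop-g.example"],
    "family_h": [H1, H2, "drop-h.example"],
    "family_i": [H1, "drop-i.example"],
    "family_j": [H1, "drop-j.example"],
}


def build_graph(family_iocs):
    """Bipartite graph: each indicator maps to the set of families listing it.
    Indicators are normalised so 'C2-Shared.example' and 'c2-shared.example'
    become the same node."""
    graph = defaultdict(set)
    for family, iocs in family_iocs.items():
        for ioc in iocs:
            graph[ioc.strip().lower()].add(family)
    return dict(graph)


def shared_infrastructure(graph):
    """Indicators present in two or more families: the pre-enrichment
    intersections that point at common infrastructure."""
    return {ioc: sorted(fams) for ioc, fams in graph.items() if len(fams) >= 2}


def family_links(graph):
    """Number of indicators each pair of families has in common, most
    strongly connected pair first. Pairs sharing nothing are omitted."""
    counts = defaultdict(int)
    for fams in graph.values():
        for a, b in combinations(sorted(fams), 2):
            counts[(a, b)] += 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


def vital_few(graph, share=0.8):
    """Pareto cut on degree centrality. Rank indicators by how many families
    use them and take the shortest prefix whose degrees add up to `share`
    of all family->indicator links. Returns (inner_nodes, fraction_of_nodes,
    fraction_of_links_covered)."""
    ranking = sorted(graph.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    total_links = sum(len(fams) for fams in graph.values())
    inner, covered = [], 0
    for ioc, fams in ranking:
        inner.append(ioc)
        covered += len(fams)
        if covered >= share * total_links:
            break
    return inner, len(inner) / len(graph), covered / total_links


if __name__ == "__main__":
    g = build_graph(FAMILY_IOCS)
    print("shared infrastructure:", shared_infrastructure(g))
    print("strongest family links:", list(family_links(g).items())[:3])
    inner, node_frac, link_frac = vital_few(g)
    print(f"inner network {inner}: {node_frac:.0%} of nodes, {link_frac:.0%} of links")
```

On the constructed set, four of ten indicators carry about 82% of the links. The cut is whatever the data gives: on a merged chart the honest test of the 80/20 claim is to run this ranking and see where the 80% line lands, rather than assume it lands at 20% of the nodes.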
WannaCry Ransomware Transaction B
[Chart: transactions A and B]
Transaction B is associated with IP address 130.185.144.96; this IP has been flagged as malicious, is located in the UK, and has 14 domains connected to it.
Due to unforeseen technical difficulties, Bitcoin transaction B has not been fully exploited.
Closing Statements
Questions
Wally
Dave
McAfee, the McAfee logo and [insert <other relevant McAfee Names>] are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the U.S. and/or other countries. Other names and brands may be claimed as the property of others. Copyright © 2017 McAfee, LLC.