##### The Art of Attribution
###### Identifying and Pursuing your Cyber Adversaries
SESSION ID: ANF-T07B
###### Dmitri Alperovitch
CrowdStrike, Co-Founder & CTO

-----

#### ABOUT ME
- Dmitri Alperovitch
- Co-Founder & CTO, CrowdStrike
- Former VP Threat Research, McAfee
- Author of Operation Aurora, Night Dragon, Shady RAT
- MIT Tech Review’s Top 35 Innovator Under 35 for 2013
- Foreign Policy’s Top 100 Leading Global Thinkers for 2013
- Twitter: @DmitriCyber

-----

ORGANIZATIONS BELIEVE THEY HAVE A MALWARE PROBLEM

-----

ORGANIZATIONS BELIEVE THEY HAVE ~~A MALWARE~~ AN ADVERSARY PROBLEM

-----

#### Importance of Attribution

-----

- Attribution: PLA Navy
- Targets:
  - Governments
  - Military / Defense
  - Intelligence
  - NGO
  - Oil
  - Green Energy
  - Shipping

-----

#### Attribution is Impossible in Cyberspace

-----

#### Attribution Paradox

-----

###### CHINA
- Comment Panda: Commercial, Government, Non-profit
- Deep Panda: Financial, Technology, Non-profit
- Foxy Panda: Technology & Communications
- Anchor Panda: Government organizations, Defense & Aerospace, Industrial Engineering, NGOs
- Impersonating Panda: Financial Sector
- Karma Panda: Dissident groups
- Keyhole Panda: Electronics & Communications
- Poisonous Panda: Energy Technology, G20, NGOs, Dissident Groups
- Putter Panda: Governmental & Military
- Toxic Panda: Dissident Groups
- Union Panda: Industrial companies
- Vixen Panda: Government

###### IRAN
- Cutting Kitten: Energy Companies
- Magic Kitten: Dissidents

###### INDIA
- Viceroy Tiger: Government, Legal, Financial, Media, Telecom

###### RUSSIA
- Energetic Bear: Oil and Gas Companies

###### NORTH KOREA
- Silent Chollima: Government, Military, Financial

-----

###### CRIMINAL
- Singing Spider: Commercial, Financial
- Union Spider: Manufacturing
- Andromeda Spider: Numerous
- Dextorous Spider: Retail

###### HACKTIVIST/ACTIVIST/TERRORIST
- Deadeye Jackal: Commercial, Financial, Media, Social Networking
- Ghost Jackal: Commercial, Energy, Financial
- Corsair Jackal: Commercial, Technology, Financial, Energy
- Extreme Jackal: Military, Government

-----

###### OPERATIONAL WINDOW
May 2011 to Present

###### TARGETING
- Financial Institution
- Media/News
- Social Network Platforms

###### OBJECTIVES
- Propaganda
- Disinformation
- Disruption

###### TOOLS
- Spearphishing
- Web Exploitation
- Facebook Spamming

-----

###### “Human Toolmarks”
- Mutex names
- Kernel pool tags
- Tradecraft
- Resource Language
- Passwords
- Timezone information
- Build times
- Indicators
- C2 check-in times
- Domain Registration
- IP Ownership
- Code Styles

-----

- Predictive security requires intelligence & attribution
- Know Thy Enemy
- Tailor defense to attacker’s capabilities and motivations
- Involve the business in the risk-based decisions!
- Know your Pandas, Bears, Kittens and Tigers!

-----
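The toolmarks on the “Human Toolmarks” slide only attribute anything when they are compared across samples. The following is an added example, not from the talk or from CrowdStrike's tooling: it scores overlap of exact-match toolmarks (mutex names, kernel pool tags, resource language) between samples, infers a likely operator timezone from build times and C2 check-in times, and groups samples into candidate adversary clusters. The sample metadata, field names, the 09:00-18:00 workday window and the overlap threshold are constructed assumptions.

```python
from datetime import datetime
from itertools import combinations

# Constructed sample metadata (hypothetical, not real malware). Field names are
# assumptions; build_utc and c2_checkins_utc (hours of the day) are in UTC.
SAMPLES = {
    "s1": {"mutex": "Global\\svc_sync_7", "pool_tag": "Drv1", "res_lang": "zh-CN",
           "build_utc": "2013-03-04T01:12:00", "c2_checkins_utc": [1, 2, 3, 4, 9]},
    "s2": {"mutex": "Global\\svc_sync_7", "pool_tag": "Drv1", "res_lang": "zh-CN",
           "build_utc": "2013-05-11T02:40:00", "c2_checkins_utc": [1, 3, 5, 8, 9]},
    "s3": {"mutex": "{A1B2-updater}", "pool_tag": "Bear", "res_lang": "ru-RU",
           "build_utc": "2013-06-01T07:30:00", "c2_checkins_utc": [5, 6, 8, 10, 13]},
}

DISCRETE_MARKS = ("mutex", "pool_tag", "res_lang")  # exact-match toolmarks

def working_hours_fit(hours_utc, offset):
    """Fraction of hour-of-day events inside a 09:00-18:00 local workday at this UTC offset."""
    local = [(h + offset) % 24 for h in hours_utc]
    return sum(9 <= h < 18 for h in local) / len(local)

def likely_utc_offset(sample):
    """UTC offset under which build time plus C2 check-ins best fit a workday (ties: smaller offset)."""
    build_hour = datetime.fromisoformat(sample["build_utc"]).hour
    events = sample["c2_checkins_utc"] + [build_hour]
    return max(range(-12, 15),
               key=lambda off: (working_hours_fit(events, off), -abs(off)))

def toolmark_overlap(a, b):
    """One point per shared discrete toolmark, plus one if the inferred timezones agree."""
    score = sum(a[k] == b[k] for k in DISCRETE_MARKS)
    return score + int(likely_utc_offset(a) == likely_utc_offset(b))

def cluster(samples, threshold=3):
    """Single-link grouping (union-find): overlap >= threshold puts samples in one cluster."""
    parent = {name: name for name in samples}

    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x

    for x, y in combinations(samples, 2):
        if toolmark_overlap(samples[x], samples[y]) >= threshold:
            parent[find(x)] = find(y)
    groups = {}
    for name in samples:
        groups.setdefault(find(name), []).append(name)
    return sorted(groups.values())
```

A timezone inferred this way is a weak signal on its own; it carries weight here only when it agrees with other toolmarks shared between the same samples.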