Read Reverse Deception: Organized Cyber Threat Counter-Exploitation Online
Authors: Sean Bodmer
Tags: #General, #security, #Computers
Open source intelligence (OSINT) collection
Your nickname or identity online is also highly important if you are actively engaging threats (actors/criminals/hacktivists) on the Internet. The following are the most important things to ensure consistency:
Your persona—your nickname or identity
Your persona’s goals—where do you fit in the underground?
Your persona’s background—who is your persona?
Your persona’s skills—what do you decide to share with the underground?
You want to ensure your focus sees what you expect him to see in the time allotted for the operation. With the proper host layout on each honeypot and several systems running a host-based tool to generate standard user-based traffic (such as sending e-mail and surfing to predefined websites that the identity/role of the profile on the honeypot would perform during daily workflow), the perceptual consistency is increased.
In a blind (black box) assessment of a network, a professional penetration testing team attempted to test a custom network of four network segments of various production and counterintelligence systems (honeypots). The team spent a two-day period laying down network noise to congest and confuse any network security (IDS/IPS) systems, and began scanning and rummaging through the network. This highly skilled penetration team found that many of the systems on the private segment appeared to be real, rather than honeypots.
The network penetration team easily gained access to every system they targeted and attempted to compromise. The network itself was a complete lab environment; each node had its own enterprise architecture, including mail, active directory, firewalls, and workstations.
Through this two-day test, the penetration team identified several honeypot systems that were intentionally made to look like honeypots, with no content and with indicators of honeynet tools on two segments of the network. Identifying these systems told them those segments were being monitored, and the team immediately halted any actions there and focused on the other portions of the network where they believed there were no honeypots. In their out-briefing, they explained that any professional offensive team would immediately back out of any network or system they believed to be a honeynet or honeypot. Even the slightest detection of one honeypot told them the specific segment was to be ignored completely unless it was critical to their mission; if the segment were critical, they would need weeks of slow probing before proceeding further.
In the end, perceptual consistency of your entire operation is one of the most important components of a cyber counterintelligence operation against an active threat.
When it comes to OSINT, you must maintain specific identities that need to be believable and capable of being trusted by the underground community. When building an alternate identity or persona, spend some time setting up various accounts on the underground security sites listed in Chapter 3 (and any of the thousands of sites out there that we did not list). Just remember that the more you put your persona out there and the longer it is posted online in underground forums, showing you are an active participant and poster in the underground culture, the more your persona’s perceptual consistency and reputation will increase. Over time, criminals will come to you asking for help in their campaigns, and you will be able to spot the campaigns before they start. Some of the authors of this book actively engage the online underground in order to learn in-depth intelligence on active threats, criminals, motives, and their intent. This is one powerful weapon for your program: being able to know about campaigns and attacks before, or precisely when, they kick off.
Vetting Engagements
Ensuring the operation was used by your focus and not another threat/actor is another important component of validating your operation. When you are running your operation and actively monitoring a threat, how do you know another threat has not entered your analysis node (honeynet) where you are engaged in active analysis? This can occur when an opportunistic threat sells off for a portion of time (subleases) a criminal infrastructure to another criminal. This provides the original criminal additional income and is very common in today’s criminal underground ecosystem.
A great example of subleasing is the common distribution providers (infector groups) who operate and maintain exploit kits that exploit a victim upon visiting a website. The website may have an embedded malicious object/advertisement (malvertising) or a redirection to a purely malicious page via a link commonly found in e-mail. Once the browser begins to load the webpage, the exploit kit downloads a stage-one sample of crimeware, which in turn downloads another criminal’s bot or crimeware that actually performs the theft of personally identifiable, financial, and other information from a victim’s system.
Although this is a common practice among opportunistic threats, targeted threats have been known to leverage these distribution providers to gain internal access to an enterprise or network, and then have their crimeware downloaded for a predefined fee. It is very difficult to identify these types of scenarios. The following table illustrates how this would look over the network in a layered approach.
URL | Component
--- | ---
myapps-ups.org/track.php?id=934faf2562b5a9c6 | Blackhole exploit kit (landing page)
myapps-ups.org/w.php?f=28&e=2 | Zeus Trojan (payload)
adhyocymvtp.com/index.php?tp=001e4bb7b4d7333d | Blackhole exploit kit (landing page)
adhyocymvtp.com/w.php?f=26&e=2 | Sinowal Trojan (payload)
The table shows two different Blackhole exploit kits. Upon hitting myapps-ups.org or adhyocymvtp.com, you are exploited by the kit, and then both sites push down different bots to the victim—in this case, the Zeus bot or the Sinowal Trojan.
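The layered chain in the table (exploit-kit landing page, then a payload fetch from the same host) is something a defender can look for in proxy logs. The following is an added example, not code from the book or its authors: the landing and payload URL shapes (track.php?id=<hex>, index.php?tp=<hex>, w.php?f=N&e=N) and the payload families per host are taken from the table above, while the log format, timestamps and client addresses are constructed. It pairs each landing hit with a payload download by the same client from the same host inside a short window, and separately reports clients that hit a landing page with no second stage.

```python
"""Correlate exploit-kit landing hits with the follow-on payload fetch in proxy logs.

Added example; not code from the book. URL shapes and payload families come from
the two chains in the table above; the log lines themselves are constructed.
"""
import re
from collections import OrderedDict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Payload families observed per landing host in the table above.
KNOWN_PAYLOADS = {
    "myapps-ups.org": "Zeus Trojan",
    "adhyocymvtp.com": "Sinowal Trojan",
}

LANDING_PATHS = ("/track.php", "/index.php")
LANDING_ID_PARAMS = ("id", "tp")
HEX16 = re.compile(r"^[0-9a-f]{16}$")

# Constructed proxy log: timestamp, client, method, URL, status.
SAMPLE_LOG = """\
2012-03-01T09:14:02Z 10.10.4.21 GET http://news.example.net/index.html 200
2012-03-01T09:14:05Z 10.10.4.21 GET http://myapps-ups.org/track.php?id=934faf2562b5a9c6 200
2012-03-01T09:14:09Z 10.10.4.21 GET http://myapps-ups.org/w.php?f=28&e=2 200
2012-03-01T09:20:44Z 10.10.4.37 GET http://adhyocymvtp.com/index.php?tp=001e4bb7b4d7333d 200
2012-03-01T09:20:47Z 10.10.4.37 GET http://adhyocymvtp.com/w.php?f=26&e=2 200
2012-03-01T09:31:10Z 10.10.4.50 GET http://intranet.example.com/index.php?tp=dashboard 200
2012-03-01T09:45:00Z 10.10.4.60 GET http://myapps-ups.org/track.php?id=0a1b2c3d4e5f6a7b 200
"""


def classify(url):
    """Return 'landing', 'payload' or None for one request URL."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if parts.path in LANDING_PATHS:
        # The landing pages in the table carry a 16-hex-digit id; a plain
        # index.php?tp=dashboard on an intranet host does not match.
        for param in LANDING_ID_PARAMS:
            values = query.get(param, [])
            if values and HEX16.match(values[0]):
                return "landing"
    if parts.path == "/w.php":
        f = query.get("f", [""])[0]
        e = query.get("e", [""])[0]
        if f.isdigit() and e.isdigit():
            return "payload"
    return None


def parse_line(line):
    ts, client, _method, url, _status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, url


def correlate(log_text, window_seconds=60):
    """Pair each landing hit with a payload fetch from the same host by the same client.

    Returns (chains, landing_only): completed two-stage chains, and (client, host)
    pairs that hit a landing page with no payload fetch inside the window (the
    exploit failed, was blocked, or the second stage has not been seen yet).
    """
    pending = OrderedDict()  # (client, host) -> (landing time, landing url)
    chains = []
    for raw in log_text.strip().splitlines():
        ts, client, url = parse_line(raw)
        host = urlsplit(url).hostname
        kind = classify(url)
        key = (client, host)
        if kind == "landing":
            pending[key] = (ts, url)
        elif kind == "payload" and key in pending:
            landed_at, landing_url = pending[key]
            if ts - landed_at <= timedelta(seconds=window_seconds):
                del pending[key]
                chains.append({
                    "client": client,
                    "host": host,
                    "landing": landing_url,
                    "payload_url": url,
                    "payload": KNOWN_PAYLOADS.get(host, "unknown second stage"),
                    "seconds_to_payload": int((ts - landed_at).total_seconds()),
                })
    landing_only = list(pending.keys())
    return chains, landing_only


if __name__ == "__main__":
    found, suspicious = correlate(SAMPLE_LOG)
    for chain in found:
        print(f"{chain['client']} -> {chain['host']}: landing, then "
              f"{chain['payload']} after {chain['seconds_to_payload']}s")
    for client, host in suspicious:
        print(f"{client} hit landing page on {host} with no payload fetch")
```

The landing-only list matters as much as the completed chains: a client that reached the kit but never fetched w.php is either patched, blocked, or about to be compromised, and deserves a look either way. The specific path and parameter names are indicators of the kit and era the table documents; in practice they would be fed from a maintained indicator set rather than hard-coded.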
These examples are from common opportunistic criminal groups that are tracked by one of the authors on a daily basis. These two different groups, code-named Zeus Group D and Sinowal Group C, are both Eastern European organized criminal groups.
If within your enterprise you see commonly used crimeware, that does not mean it is an opportunistic attack. We’ve seen purported state-sponsored hackers using tools just like those employed by common criminals to avoid direct attribution of their operation.
Consider the Night Dragon event where there were purported Chinese state-sponsored hackers exfiltrating information from global energy firms. One thing that can be said about these so-called state-sponsored groups is that they were not creative when it came to the naming conventions of their CnC. Take a look at the public list of domains used by the Night Dragon threat during the campaign that pillaged natural energy firms around the world and reportedly stole an unknown volume of data from each network and organization. You will see that the third-level domain (3LD) is also the name of the host involved in the attack.
The actors behind this threat were comfortable enough with what they were doing that they actually named every 3LD after each victim. This has been seen in use for well over ten years: the bad guys get in and use the name of the victim as the 3LD.
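A naming habit like this is easy to turn into a check on your own DNS logs: a hostname whose third-level label is your organization's name, under a domain you do not own, is worth an analyst's attention. The following is an added example, not code from the book or its authors. The organization names, the owned domains and the query log lines are constructed for the demonstration, and the Night Dragon domain list itself is not reproduced here.

```python
"""Flag external hostnames whose third-level label (3LD) is one of our own names.

Added example; not code from the book. Implements the heuristic described above
(CnC hostnames whose 3LD is the victim's name) over constructed DNS query logs.
"""

# Constructed: names an adversary could reuse as a label, and the domains we own.
ORG_NAMES = {"examplecorp", "excorp"}
OWNED_DOMAINS = {"examplecorp.com", "excorp.net"}

# Constructed DNS query log: timestamp, client, queried name.
SAMPLE_DNS_LOG = """\
2011-02-10T03:12:55Z 10.1.1.10 www.examplecorp.com
2011-02-10T03:13:01Z 10.1.1.10 examplecorp.dyn-host.example
2011-02-10T03:13:07Z 10.1.1.22 mail.examplecorp.com
2011-02-10T03:14:30Z 10.1.1.22 EXAMPLECORP.remote-svc.example.
2011-02-10T03:15:00Z 10.1.1.31 examplecorp.example
2011-02-10T03:15:10Z 10.1.1.31 cdn.vendor.example
2011-02-10T03:16:45Z 10.1.1.40 excorp.update-mirror.example
"""


def labels_of(fqdn):
    """Lower-cased labels of a name, tolerating a trailing dot."""
    return fqdn.lower().rstrip(".").split(".")


def registrable_domain(fqdn):
    """Last two labels of the name.

    Simplification: a real deployment would consult the Public Suffix List so
    that names under multi-label suffixes (e.g. co.uk) are handled correctly.
    """
    return ".".join(labels_of(fqdn)[-2:])


def third_level_label(fqdn):
    """The 3LD, i.e. the label directly left of the registrable domain, or None."""
    labels = labels_of(fqdn)
    return labels[-3] if len(labels) >= 3 else None


def find_victim_named_hosts(log_text, org_names=ORG_NAMES, owned=OWNED_DOMAINS):
    """Return (client, qname, registrable_domain) for every query whose 3LD is one
    of org_names while the registrable domain is not one we own."""
    hits = []
    for raw in log_text.strip().splitlines():
        _ts, client, qname = raw.split()
        label = third_level_label(qname)
        parent = registrable_domain(qname)
        if label in org_names and parent not in owned:
            hits.append((client, qname.lower().rstrip("."), parent))
    return hits


if __name__ == "__main__":
    for client, name, parent in find_victim_named_hosts(SAMPLE_DNS_LOG):
        print(f"{client} resolved {name}: our name as 3LD under {parent}")
```

Names such as www.examplecorp.com and mail.examplecorp.com pass because their registrable domain is owned; examplecorp.example has no third-level label at all. The check is deliberately narrow, matching the exact habit described above; a broader version would also look for the organization's name as a substring of any label.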
Based on the following list, which was extracted from more than nine samples of the Night Dragon intrusion set malware, isn’t it easy to identify which firms were involved in the attack? The objective of the focus behind this campaign was to infiltrate each of the listed firms and steal as much sensitive information as possible.