32c3-talk-7260 Latest text of pad 32c3-talk-7260 Saved Jan 12, 2021

Hey you!
Prior to transcribing, please look at your style guide: https://wiki.c3subtitles.de/en:styleguide. If you have some questions you can either ask us personally or write us at https://webirc.hackint.org/#irc://hackint.org/#subtitles or https://rocket.events.ccc.de/channel/subtitles .
Please don't forget to mark your progress in the progress bar at the talk's website.
Thank you very much for your commitment!
======================================================================
 
 
Good evening, everybody. The next talk is on "These are not the APT reports you're looking for". We will be hearing about the bad guys on the Internet, how they are behaving and how they are changing their behavior when we look at them, to improve the defending against them. And here we have Inbar Raz and Gadi Evron, I hope I pronounce it correctly, who will give us an insight there. The stage is yours. Thank you.

So, we started... we'll start anyway while they fix that. Got it? Feel free to help them. Welcome to our talk called "APT Reports and OPSEC Evolution", or "These are not the APT reports you're looking for". This is actually not the first time that I start talking without my presentation, so this is not at all exciting for me. Basically, what we're going to talk about today: we're going to talk about how APT reports mostly are beneficial not to the defenders, but actually to the attackers. Now, when we say defenders, we're not talking about fellow malware researchers. These guys, they know their business. They've been doing that for a while. They're very technical. By the way, this presentation... oh, thank you. This presentation is not technical. If you're looking for, you know, IDA screenshots and stuff like that, it's not that. OK, I'll walk away. Now, if you're looking for kernel shellcode... yes. Malware researchers, you guys can go to the encryption talk. So. Yeah, I know. I can see that. Thank you.

So, these are not the APT reports you're looking for. Quick introduction: I'm Inbar, this is Gadi. That's about it. And why are we here? So I'll use my time without the presentation to say that we want to simplify the attack process, OK, and demonstrate the evolution of various factors over the years and suggest ways to close the gap. We're going to stipulate that there is a gap, an information gap, between the attackers and the defenders. And while I let you start, there's just a little tradition that I have over the years: I'm going to take my shoes off. It makes me feel more comfortable. And it starts with David, with Kaspersky. He'll be watching that. So, David, this is for you.

So everybody's watching Inbar take his shoes off. You can look, he is hiding behind the podium. So a little disclaimer: we're Israelis, so last year when I was talking with Tillmann, I interrupted him. We talked together, but essentially I need to do a disclaimer that as Israelis, we interrupt each other. We're not actually fighting. OK, as a disclaimer, just so you're ready for that, or at least that's the story. That's my claim and I'm sticking to it.

So let's play a little bit of story. We're going to get into several stories and several examples about APTs and their evolution, and how we can counter that, if we believe we should. But before that, a couple of examples for what essentially got us interested in doing this stuff. So we always had moer. That's the beginning of cyber. We can agree to that. But then we had APT1. And on the one hand, as a security guy I said, what, what, what? I know this is happening, why is this such a big deal? Why is it in the press everywhere? But everyone was cool. It was the first time that an attacker, a threat actor, was fully compromised. They showed everything. They were caught with their pants down, essentially. They even showed a picture of their offices. That was pretty awesome. And they changed how we see things, because now we actually had proof this was going on. And it actually affected the bad guys, but they were not alone. They were not alone in finding out their entire infrastructure is now gone. And what are we going to do now? Oh, my God, it's going to take us... we now have to go back and rebuild our entire infrastructure, and all our new Trojan horses are gone, and the vulnerabilities and everything.

But then there were also other campaigns. Stuxnet, as compared to Flame. Stuxnet was very tight, bigger than most malware, I guess, but that's debatable. Well, essentially, it was 500 K, modular, built for a specific target. Very much about OPSEC. It was all about the centrifuges in the Iranian facility. And then on the other hand, you have Flame. It's huge, 20 megabytes, everything you can imagine, all the modules, all the vulnerabilities, everything that can possibly go wrong. When the threat actor loses this specific campaign, the specific Trojan horse is now done. Just try to imagine, if APT1 was affected badly, at least according to Mandiant, having to replace the entire infrastructure, the entire toolset, as far as we know... I wonder, we don't have any information, but how did the Flame guys react? 20 megabytes! It's insane. So how do people evolve? How do they cope with that? How do other threat actors react?

So we can see a few examples. For example, Gauss. It was a skilled operation, but the example Kaspersky gave was very target specific: it would only open on a specific machine. They couldn't crack the encryption. It was pretty complex. Technically, I don't get it. Maybe you would if you read the report; it was pretty interesting. Maybe APT3, Buckeye, depending on the name you like. We recently responded to an incident involving APT3, and much like many other types of APTs, they first put a dropper down, do their thing and then use their heavy tools, so as not to lose their tools immediately as they enter the network. Rocket Kitten, from the talk last year; since then, Trend Micro and Check Point and other people came in and talked about it as well, and essentially they used an off-the-shelf tool, but everybody with their own OPSEC, with their own calculation. Now, Inbar.

So let's cover OPSEC in 60 seconds. What is OPSEC? OPSEC, operational security. At first you want to ask yourself, why do I even need that? Wait, wait, wait, wait. Stay with that. So, one, you have to assure success. You're here on a mission, right? You need to do something. You need to steal information, you want to sabotage, you want to do something. So if you came all the way here and went through all the trouble, you want to succeed. And then you want to prevent detection. Detection is not good for you. It's not good for your reputation, for your end of the year bonus. And it might even prevent you from finishing your task if you got detected too early. And last but not least, there's this thing called attribution. Attribution is... well, it started as a serious thing, now not so much. We're going to come back to that later. But you would like to not be identified if you do get caught, because sometimes you do get caught. And this actually also exists in other processes as well. When you do software development, you're expected to have your QA process, your design. If you have security by design and stuff like that, it's intended to basically achieve the same goals, maybe except attribution, because obviously they know who you are.

When is it compromised? When is your OPSEC not what you want? Well, first of all, time to market. OPSEC bears costs. It takes time. You have to invest resources in maybe developing tricks, or maybe you have to be very careful, or do something very slowly. OK, for example, I can walk through metal detectors and obviously, you know, I am half metal, but there are some detectors that if you walk through them slowly enough, you don't get caught, and you need to see the faces of the operators when you do that. True story. Scalability: sometimes, in order to be able to scale up your operation, you're going to give up some principles. For example, what happens if one sample gets caught? Well, there are going to be many others, and they are going to be looking for them. So that's something that goes away. And, of course, ease of deployment. Maybe you want to use the same infrastructure, maybe you want to use the same distribution channel. If your distribution channel gets compromised, then now you have a big problem.

And what we're basically saying, and this is a generalization, by the way, I interpret the entire talk as a generalization. So, yes, there are always contradicting examples, but we have a storyline which we're trying to follow. So if you want to tell us that there is a contradicting example, you're probably right. Tell us later. Most of the APT reports represent some sort of an OPSEC failure. Someone got caught and someone managed to discover what happened there, to a certain degree. So what we're trying to say here is you need to know the enemy. Now, as a defender, you don't always know the enemy, because when APTs are being created by nation-state actors, they don't really share their failures with you. You end up reading APT reports. So what we're trying to do is trying to figure out what the other guy thinks. Now, we do have one good example, Hacking Team. I hope there's no one here from that nice company. Well, they got caught, and not only did they get caught, but their emails were leaked as well. And we actually have information. We have their emails. And as the report says, their primary concern seems to have been not getting caught again, which is understandable, because it's kind of bad for your business. But when it comes to nation-state actors, we don't have that information. So we're going to try to figure it out. That's just for the record. We didn't really emphasize it: the Citizen Lab research blog quote. Yeah, this is thanks to Citizen Lab. And we're going to try to sort of reverse engineer the thought process of an attacker.

And here's a problem. Many APT reports suck. Now, when I say suck, I am trying to be provocative, because I've learned that that's sometimes a way to get the point across. An APT report I covered... What, didn't you write an APT report? I did. It was one; I think a coauthor is here. I'm not sure. And then I stopped it. Didn't you present one here? I may have. You may have. I may have. You may have. OK, so what's wrong with APT reports? This guy, he's a commentator. He sits up there and he tells you what's going on in the game. Right. And an APT report, or malware research, is a lot like you telling me how good the other guy is. Right. Look at this most sophisticated attack platform. Look at this amazing deployment technique. Look at this amazing rootkit. And it's very nice, but as a defender, if I'm not a malware researcher myself, that's not useful to me. APT reports are commonly very long. Some of them are as long as 60 pages. And in those 60 pages, there is so much technical information that sometimes you just don't know what to do with that. And many APT reports that we see, the public ones, they're not full. The ones that we see are intended for PR purposes, and the full reports are only shipped to some, maybe paying, customers, or maybe there's not even a fuller version than the one that we see. And as a result, there is an asymmetry. Horrible, horrible, I see not everyone gets it. Asymmetry. He's calling me fat right now, just so we're clear on what's going on here. I called you bald.

So there is an information gap, because the attacker can use all that malware research stuff. So the information gap benefits the attacker, but not just the attacker. Everyone learns, because all the other actors are reading the same reports. And even though this talk is about nation-state actors, we'd like to remind you guys that the malware writers that work in the cybercrime world, they also read the reports. And actually what we're seeing, whenever there is an APT report out, the technology is leaking to the criminal world. And that makes APT reports actually free QA for the attackers. So sometimes you can see lessons learned, right? The APT1 infrastructure was huge. Parts of it, like big parts of it, were registered with the same name, same email address. And I remember UglyGorilla at 163.com. But the Turla malware has a very sophisticated satellite downlink hijacking through ISP to inject packets that could be received without actually exposing the location of the destination. And then we had learning in progress. So they're learning, but they're not done yet. So Stuxnet and Duqu and Flame, they all share the same code. Old reports clearly show that. And guess what, Duqu 2.0 is still using large parts of that framework. Now, remember, we talked about OPSEC. It's a lot of time and money to develop such a thing. So you do try to use whatever you have left. And some things, well, you never know.

And attribution is a good case. If you look at Iron Tiger, clearly Chinese, but it was sent to Taiwanese targets with traditional Chinese versus simplified. The attack emails were talking about the matters of the straits. Careto. Well, everything fits so well. The language, the identities, everything looks perfectly Spanish. And in fact, it looks too perfect. Even if you look at geolocation, their attacks were against some activists nobody would care about except for Spain. But in Duqu 2.0, they were already playing games with the researchers. There are multiple false flags, right? We know that they put in the gorilla string, which is Chinese. We know that they put in the Romanian anti-hacker, which is Costin's Twitter alias. Right. So they start playing back with us.

So you read an APT report, you take the time, you read 60 pages. What do you get? Well, you get a lot of malware analysis; that's the major part of what you get. After that, you get a little bit of IOCs, indications of compromise, right, and they will be about the malware. That's actually actionable intelligence. Not all samples go on multiple targets, so you look at the C2 infrastructures, you get domain names, and that's also actionable. But with the development of OPSEC, these stopped being shared across campaigns. So the long-term value of each of these IOCs is very small. And at the end, if at all, there's very little about the attack vector, how the attack was actually facilitated, how did it all start, and what was the attacker's objective? What did they steal? Because you really want to know what they were doing. It's nice that they hacked this company, but what were they looking for? So I'm a little bit confused at this stage, because we see a little bit of this possibility that there may be some false flags. We're trying to make sense of an APT report, perhaps for our own research, perhaps to defend an organization. What is actually going on? Are we getting the correct picture?

So what we did so far in the previous slide is try to re-engineer, reverse engineer, what the forensics process essentially does. The forensics process reverse engineers what the attacker does; we re-engineer what they do and actually talk about the attack process, about the engagement of the attackers, in a simplified model, which we'll just simply call an engagement process. So, we start with simple intelligence requirements. Here's the thing we have the least information about, and it's essentially like going shopping. What am I interested in today? Is it this nuclear deal? Is it this interesting product that is developed somewhere around the world? What would you like to know? Now, let's just take an Iraq example, because it's older now, so people won't be as sensitive to it. Saddam Hussein has WMD. Where are the WMD? Does he intend to use said WMD? Who is working on WMD? And can we save Matt Damon? Can we get Matt Damon back yet again? Just wondering about that. And then the second part is, let's compile a target list. Where can I actually get this information? So sometimes we look for the person who would hold the information I want, or verticals: banking, pharmaceuticals, energy, aerospace, that's interesting enough. Or we can have both. We talk about specific targets: we're interested in this target because they hold the information we want. Then again, we said we won't do many counterexamples, but one important counterexample that you gave us was this one group. They are everywhere right now, very high profile, and they seem to be very opportunistic. They don't seem to be working with any specific agency; they find information and then try to sell it. So not everybody works according to this model.

As to intelligence gathering, and I'm going to pass it over to Inbar in a second, it starts with reconnaissance, and then we have a target report, essentially trying to figure out what's going on, what can we find out, how can we get in, and then get all this information in an organized fashion. So the target report is basically everything you need so you can do your job, OK. And once you have that, you can start acting, and you do that by attack plan and execution. And this is an iterative step. You start by an attack plan. This is how I intend to plan. Let's say I want to send an email, or I want to use port scanning or SQL injection. I choose some technique. And for that I need to choose my tools. Right. Sometimes I will use off-the-shelf tools. Obviously, this is a very large shelf, as we've all learned. Sometimes I will customize, sometimes I will write something particular for this target. Sometimes I'll just take somebody else's malware and make small adaptations. Right. Well, you do that. You get these examples; let's look at two, Stuxnet and Gauss. Stuxnet, as you mentioned before, was very targeted. The code that was there was meant to deal with PLCs of specific vendors doing specific things. That thing had absolutely no use anywhere on the planet, anywhere else. Right. And Gauss, it was a big multifunctional tool. But there's still one mystery that no one managed to solve on the USB infection mechanism. They found an encrypted payload. The payload is encrypted by an MD5 hash run ten thousand times on certain parameters of the hard drive. And in fact, till this very day, no one managed to find out those parameters. They don't know which computer was the designated target. Many people tried to enumerate and we still don't know. We only know that there is only one computer on this planet that will have the payload decrypt and execute. Or in a Dell SecureWorks report of one of the targets that they analyzed, turns out that the attackers took advantage of a platform that already existed in the target. It was an endpoint management program, and they used that to laterally move throughout the organization. By the way, we saw the same with Target, right? They used accounts installed by another program to open shares. So we see that all the time.

And once you're in, you've acted on your plan. So the first time you just get into the target, now you're running code inside the target. But your job is not done. Now you need to move forward, lateral movement, maybe get to the real place, because you usually use the weakest link to get inside an organization. So now you go back to intelligence gathering, and this time it's a little different, because now you're no longer outside. And everybody's staring at the screen, stop talking. Who got that? Twitter, Facebook? Who didn't watch it all the way? Really? OK, so we're going to save you, that's a minute 40. But when you're inside the target, things look different. No, no, just kidding. We wanted to do that, but copyright and two more minutes of your life. Intelligence gathering is different now, because now you're inside the target and the target has all sorts of defenses, so your OPSEC gets revisited, right? You need to map the target's defenses. What are they using? Do they have any peripheral devices? Are they using any sandboxing? Now, the interesting thing about this is, when you think about intelligence operations, you think about your target. What am I going to face? Am I going to face an IDS, am I going to face something else? I need the clicker to click everything. OK, there we go. Didn't say please don't. Please. OK, so essentially, originally you would say, what am I facing then? Is it a threat to me? So for example, they may have a security control and you wouldn't care about it, because it wouldn't stop you. But then things started to change. You would start saying, these antiviruses, for example, may not threaten me and I can bypass them, but they have an entire home base, the back end, where they can go in later on, threaten me, write signatures, whatever it is that is written about right now; they can essentially find me after the fact. So that's a threat. I have to treat antiviruses as a threat now. That changes everything, but it's still not good enough. Look for other players. Think about it, there is another player on the machine, and Regin is a very good example. Kaspersky even called the computer they found it on an APT magnet. So now am I supposed to think about looking at the computer and saying which other nation states, criminal organizations, whoever it might be, have some tools installed here already, and I need to collect intelligence on that in retrospect, or wait and analyze every system I go to? That sounds like a little bit too much work, but it's something that, depending on your OPSEC, you're going to have to face now.

Then the last thing is really, but really, try to hide your identity, unless you're some of the Chinese groups, and then you don't care. So we have a few examples. Hurricane Panda, you can read the report, by CrowdStrike: there was actually a duel there. They got detected. Then the incident response team came. They started dueling for a while, and it took a while of the dueling before the actor decided to give up. This is from the Symantec report on Stuxnet. Look at the information back then: no one cared about anything, or maybe they were just naive, because nothing had been caught before that, with maybe one or two exceptions. Here you have the compilation times of all the files used inside the target, and then you have the infection time. Now, aside from the fact that, as you can later see in Kaspersky reports, the compilation times are used to determine the attribution, this gives you a lot of information. This tells you how long it takes them from the creation of the file to the deployment. That will tell you about their attack operation. Does it take a minute, a day, a month? You can learn a lot from that. So we have other examples. Actually, just one thing: if you look at Duqu 2.0, you can see they started to randomize; they started looking at forensic analysis as the threat to their existence, which goes back to the previous slide.

So obviously, the threat actors evolve, right? We have use of previously existing tools or integral tools of the operating system, because you can't sign on those; they're going to be there. So you don't need to deliver anything. You don't need to worry about deployment, encryption. You land there and just use, like, PowerShell or at or ipconfig. And Duqu 2.0, and we keep reminding of that sample because it's very impressive. They had this huge leap forward. It's a revolutionary deployment mechanism. The lateral movement was done in RAM only. They only used several vantage points, computers that they were sure that they would maintain command of, and everything else was running code in RAM. So if that machine rebooted, then the superior computer could reinfect it from afar. But that changes everything about how you act inside your organization.

So another aspect which people usually don't talk about when it comes to APTs or other types of operations is their retreat. We often talk about dismantling, but we don't talk about the folding action, the full deck, and we can see some examples over time. Costin spoke about this a few times. Red October: they dismantled their operation after the publication; it took them a little bit of time. The Mask, Careto: there was a blog at Kaspersky, and four hours into this blog publication, they were gone. And they gave their own name, the Mask. And within four hours, their entire infrastructure was gone, as far as I know. We can talk to Costin about that. And Duqu 2.0: they didn't even wait. They hunted the vendor. They went into Kaspersky trying to figure out what's going to happen; maybe they had other reasons as well, but it's an interesting story. Of course, there are counterexamples. Again, we don't give many of these, but some of these guys just don't care, like APT12, Gaza Hacker Team, I believe that Rocket Kitten from last year. They're still alive. They don't give a shit for human language. They just don't care, or they don't know, or they don't have the operational capability to even know, hey, there is a security conference called CCC. Let's go watch TV, we are being compromised.

So with that, we would like to take the methodology we've built about how the attacker works, what we re-engineered about their tactics, and try to look at the defender side now, because of the limitations we have on information in forensics, and the reports are a little bit difficult. This is a work in progress. Maybe you can help us out. Maybe we can build it to be better, which is the entire idea of this talk. So we're working by problem, takeaways and action for each one of these issues. So, first of all, the intelligence requirements. We do not have enough information about the attacker objectives. If you remember the graph from earlier, that was the least amount of knowledge we had about any attacker, or most attackers. And essentially, the understanding here is they are kind of stalkers. If they're interested, in their information requirements, they know they're interested in something you have. They're not going to give it up, and if they like you, they like you. You know, you might wake up and say, excuse me, Miss Goosy... Actually, there's one example for that. You can see it in this report presented at RSA Conference this year by Phil from Dell SecureWorks. Well, I guess I'm too tired. There we go. So you can see that there was some battling going around there, and then the attacker lost, and then there was a quiet weekend. But when the weekend was over, they came back with new tools. Why? Because they had an objective. They had things that they needed to bring over. And just the fact that they got detected once does not mean that they're going to say, OK, forget this guy, let's go somewhere else. There's an interesting issue discovered here, which Phil usually writes about, which is they will escalate as needed, meaning they may use pretty lame lateral movement tools and then escalate as they find opposition.

So the second takeaway we have is that stealing data is just one of the options, and I believe everybody remembers when this happened. And many in the industry started saying, what, how did this happen? It is huge. Now, again, just like with APT1, coming from a security background: yeah, it's just another hack. Naturally, from their perspective, this was a major issue, naturally. So they should take it seriously. And I feel sorry, and I would help if I could. But the main point here was there was a risk. And that risk was what might happen once they have a foothold inside my organization, and everybody is used to thinking mostly about data theft. They kicked the body here. And that is something we need to take into consideration. Essentially, actions: there is a classic tool in security management called risk assessments. Usually it's a useless tool. It's a huge document, two hundred, six hundred, two thousand pages, you write down for regulation, throw it away at some point, or you just need to tick the box. But risk management is meant to be used, and used correctly, meaning if you know there is potential risk of an attacker getting in, and then, you know, the potential risk is them doing, for example, damage, check your impact. The impact is important to determine that risk. Make risk assessments make sense for your daily operation, as opposed to being some document, some policy that's never used.

The second part is, what can we do about the target list? So first of all, our problem is we don't have time-sensitive information; we can't really determine a pattern. Now, maybe this is available in closed circuits, maybe not, maybe not always. But our takeaway from this is that we need to be able to get that information, which we'll talk about. But more than that, if you have a similar target to you being compromised, or you're using similar technologies or platforms, take note. Don't wait to be attacked. For an organization just like yours to be attacked is enough for you to take note, to start doing something about it. So, guys, if you follow Brian Krebs, then you know that right after the Target breach, every other week there was a new piece about this one was breached and that one was breached and this one was breached. And the thing is, the first moment that there was a Target breach and they stole credit card numbers from point of sale devices, everyone who has point of sale devices should have said, oh, my God, I could be next. And instead of actually going and, you know, making a big, big effort to see if they had already been compromised, everybody was just sitting and hoping that their name doesn't come up on the following week. Which brings us to another tool in classic security that has been ignored, and that's essentially the threat assessment. Threat, by some... I mean, it depends on how you define it. Some definitions go as far as threat equals intent plus capability. So now we know they have a capability, but we also know about the intent, not necessarily against you, but we know this has happened. It could change how we operate. This is based on intelligence. We may not have exact intelligence that this guy is trying to get us, but we have intelligence out there now. Somebody is doing this. And more than that, they may be doing it to people similar to us.

Now, when it comes to the cyber engagement cycle, or so we call it, the cycle of the three repeating steps, we decided that we're going to change a little bit the format: we're going to treat all three steps together, but we're going to divide it into two stages, the pre-engagement and the engagement itself. Now, pre-engagement is when everything still happens outside of your organization. The problem is twofold. One, publicly available sensitive data, anywhere from complete employee lists, network sketches, charts of who works in the organization under whom, what's the hierarchy, anything that you can get from the people who will, later, you will be discovering users' security questions whose answers are on their Facebook. OK, that also happens. And the second problem is lack of security awareness, which in turn allows probing. Now, that probing can happen in two ways. The first one is the one we all know. You just do it automatically. You use tools, you scan the network, you look for open ports or default passwords or bad configurations. Everyone does that. You just take a tool set, you do it. But people also do that manually, making phone calls. Right. In my previous job, I worked at Check Point. At least twice, I was randomly next to the reception desk while the reception desk was trying to deal with such a decoy call, and both times they handed it over to me because I was excited at the opportunity to speak to a scammer, and, you know, you start asking them questions and then they hang up. But this actually happens. Next. Well, there is one more. The understanding here is, and this is basic, right, the attacker can gain a lot of information; they can do the full operation sometimes without ever doing anything active against your operation. You need to know this is possible, you need to control what's going on, you need to limit public information as much as possible. Naturally, you won't be able to do everything. You need to act outside your own perimeter, which is a critical thought to have in this day and age as well, and this is very important to endorse specifically. Awareness refreshers: this is a human problem, not a technical problem. Whatever awareness can gain, even if it's not much, should be attempted; it helps. I can tell you from my own experience in Israeli CERT: human sensors, so-called, people report to us. We are open to them. We ask them what's going on. And sometimes they don't want to say, it's a waste of time, that would be rude. Sometimes a call is about nothing, and that's fine. We treat it with all seriousness, because many of the best reports we ever got were from people who knew we were interested and knew to watch for stuff and alerted us. Now, a problem with that is that, let's face it, these are quite obvious. But at the same time, they still don't happen. So the attackers still make the same progress, because the basic stuff keeps staying under the radar or unattended to.

So we come to the engagement stage now. The attacker is already inside your network. Not a lot of compromised organizations, or APT reports for that matter, share the lateral movement part. Mostly it's about secrecy or privacy, or they may not even have this information sometimes. Now, let's face it, everyone is being hacked. Everyone will be hacked. Everyone has been hacked. It's not a shame anymore, OK? It happens to everyone, and if you pretend that it hasn't happened to you, then I'm worried, because you're probably hiding something else as well. And the takeaway is the engagement is an ongoing process, because it's not a hit and run thing. They don't, you know, always get directly to the computer that was interesting and the data that was interesting. They will stay around in your network for a while, and it gives you many opportunities to get in the way. You have more time, you can think, you can plan, you can influence, and the action is indeed influence. You need to put as many obstacles as possible. Layered security, deception, OK? The attacker needs to spend time an
d effort and resources in your network because the longer they are in your network, the safer you are. It takes them more time to get to the interesting part and it gives you more opportunities to catch them. We may have separated the pre and the post engagement. Sorry about that. Oh, it as we are separated the pre and post invasion, but it is an ongoing cycle and that's the important thing to understand. They got in the U.S. and they find the more obstacles you put in place, the more basic security you put in place, the more time you will have to find them and it will be hard for them to continue operating. And don't be shy. Share your breach data. Yes, someone has to be the first, but you don't have to tell everything. Tell about the technique, tell about the things that other defenders, other CIA CEOs or I.T. security guys can use. And you start hearing other people start sharing and we're all safer. And the last stage. Essentially, the fold in retreat, and if you don't want to share the actual information, a heads up, heads up would be nice, you know, just say. So this is this is interesting, I never previously had this thought, it's really interesting for me when I think about something that's new for me in security, at least emphasizes security in different way. Everybody says cyber nowadays. What's different? And one of the realizations is, yes, the doctors have been deleting logs throughout the lifetime of security, but they can destroy forensic evidence. Do we plan for that? A lot of our security today is based on after the fact, incident response and forensics, that is a major understanding for us right now. It's not just about endless monitoring and endless alerts. That is effectively where many of us get our first alert post. The fact. And if an attacker can destroy the forensic evidence, we need to make sure it's their snapshots and blogs, both can potentially save the day. So we built up this idea that backup of log files, for example, and snapshots co
uld be and I'm going to exaggerate. More important than even active monitoring the back up of the logs, naturally, it shouldn't be that way, but nowadays it just might be. And well, we were talking about this. We decided to well, inva came up with this word to describe this new backup response plan, which everybody everything is abbreviated in security. Right. Just saying. So with that, let's try and understand what we just went through, because some of this was common sense. Some of this was a little bit new. But the idea is to be able to make it repeatable. What can we learn from the IPCC reports and how can we use them on a daily basis? How can we use them whenever a new AP report comes out to better our security against known threats? So we looked at the left here about the information we have in your reports and the diminishing levels of it. And we'll look at the engagement process as we simplified it. And we like it. Now, if you get an AP report, first of all, try to understand, not just read the report and look for dioceses, how much information do you actually get for each of these? Do you have any attack objectives in their. And you know, when you talk about the targets usually used, maybe if you're lucky, you have the verticals, pharmaceuticals, whatever, aerospace. Once you're through that, it's easier for you to go through the engineering process and say, let's look at how that Tucker works. The engagement process tried to put the data in there and to what we just did, what are the takeaways specific to this report as far as intelligence gathering goes? What actions actions can actually take? Based on this report, based on what knowledge I have, the scope of the knowledge, the relevance of the knowledge from the AP report. And the key part of this really is we need to demand better AP reports, AP reports that are actionable. Now we have one more problem, we don't actually have a solution for that, but we thought it was important enough to know that it is
 something that we call the decline of shame. In the beginning, like we said, you didn't really want to be exposed, attribution was a huge risk for you and it still is for many actors, especially very particular nation state actors, or in the case of other nation state actors, very particular branches or subgroups of those nation state actors. But with some of the nation state actors and with some of the criminal groups, you see that they don't care anymore. They get caught. And you know what happens then? Pretty much this they continue working and operating while we it for a while. Please leave it on for a while. Yeah, some groups have actually been following the blogs of the vendors that were tracking them, adopting in real time. That was there was a case I don't want to quote too much about it because I didn't have time to research it. Were Trin Micro Alien VoLTE were updating their blog live, if I remember correctly, and the attackers were changing their modus operandi. Just malware, not much more than that, according to network defenses as opposed to something else. Leive. Which is really interesting. So we were being optimistic, we said, OK, what? What do we want to see, because we said in the beginning, this is not a technical presentation. This is a high level thing and we're presenting sort of a raw thought process that we started. I mean, think about it for a minute. We took the time to study many, many cases of ABC reports and to talk to many of our friends, just like Thielemann and many others will give credit to in a minute and to look at our own research and forensic information, all these data all this time on Ida that I didn't do. And just to come up with a high level presentation, just think of that concept for a minute. We're thinking once again, not about the fellow researchers, but the people that actually have to defend certain organizations, and it's not all corporates with their own I.T. security teams that are all very skilled and very qualif
ied. Sometimes it's an organization that has an 11 people, I.T. team, and then two of them wake up one morning and they are told you do security. Now, this is reality. I've talked to more than one customer that has that happening today. So. We would like to see better and more actionable AP reports. We need and when I say we it's not just guardian myself, it's the community, it's the poor people that need to protect organizations with the knowledge that they are being attacked. We're not saying that all ABC reports suck. Some of them are very, very good. We're just saying nowadays, most of them are just for PR and that is hurting us, it's helping them Tucker. Tucker Eskew, who would like to see better reports for us from more vendors, they need to be more actionable. If I am the CISO of an organization, there should be something that I can use use and I want to be in a better place after taking the time to read one of those reports. And we need earlier breach reports. Like I said before, give us a heads up. It's important to understand that maybe there's a new trend going on. Maybe the if we had the heads up on target and everybody else were after listening to the stock, then all the other point of sale vendors would say, you know what, maybe we should look into our setup, because even until today, after so many compromises, there are still so many point of sale terminals connected to the Internet with default credentials. It's been written in so many places. I was really worried about well, worry about the next item on the list. Because I have this thing where I identify it's not fair given, but I identify people who are newbies and security by then saying information sharing collaboration and someone says, oh, we need to do more information, say, oh, she's not again. But honestly, actionable information sharing and public information sharing. Information sharing is happening, salvages actionable much of the public information sharing, which isn't much, isn't actio
nable. We understand that even the heads up we talked about could be critical, really critical. And understanding how this can help us is a common ground. And lastly, and kudos to Dave Marquis if he's watching us enough with the attribution stuff, yes, we care about attribution. Yes, it helps us. Yes, we can think about the business of the post to think about who is actually looking at US targets. I understand that. But then what does actually give us how much is distribution work that people spend so much time on just to justify the liesbeth part of the brain? So we feel better about it, better than the other information we could have had actually protect our organizations. I'm not really sure. But it annoys me in a way. Enough with attribution or at least enough with the. Attribution that makes no sense. That's the reason he's about more than just IP addresses and we've given a few examples during the talk. I mean, yes, if the compilation times they never work on shabbath, it's maybe Israel. I don't know. But then again, nowadays, we've seen a lot of false flags starting to be put in there. It's not easy. They're political, this political offensive to consider, but we'd never really know. But whenever we talk about these people go on and say, I will seize on the one because it's available. And on the other end, who did it? Who it tell me. OK, I'm willing to give it the chance to say fine. But it's not the most important thing, and if you do it, do it right. So final words. AP reports can be a huge help, but there has to have been some change, the problem with the change that contradicts certain economic interests of the people that create those changes, AP reports. But we believe that if they start producing more value, then that influences the amount of customers we will be evolving as well as the doctors right now. AP reports are so-called bad, which is arguable because they're the only ones really evolving. If they were the made the right way, we're not seeing 
our ways the right way necessarily, but if they were made in a way that would help us more, they could be a huge help. And remember, attackers are not going anywhere. We're not going to have any less business because of better AP reports. And something that we call. Stay on the attacker six, they need to be worried all the time, they need to be looking behind the shoulder to see if there's anyone under six. This is a pilot jargon. I think what they say is what this evolution means, Gousse, for example, as opposed to flame. If they have to spend so much time on one target, their cost grows exponentially. If we can do that with ABC reports, hey, I like this evolution, it's necessarily bad that they have to get better. And the last thing. Increase the cost of the attacker, anything you can do to increase the cost of the attacker, do it whether by installing products, using services, improving the people or the the the awareness of the people that work for you. You want to make it harder for the attacker, it gives you more time. It's probably not going to deter them. OK, let's face it, they're going to come anyway. They're doing their job just like you're doing. There is a cemetery. And as we said, we are not that the attackers are more powerful than we are. We have to admit that right now we're trying to change that. But more than that, they're not going to give up the IRS. They're going to keep going. That said, we can start making it better for us, create more symmetry. So this is important. So let's go through this. Yes, we did a lot of research. Yes, we looked at a lot of code. Yes, we looked at a lot of reports. Yes, we had a lot of information that is not public, but trying to construct it in a way that, well, no one would be boring while trying to create the sort of methodology out of it. Well, try not to be too technical while still giving examples that build the methodology of the attackers based on what we know about them wasn't easy. And we stand on the shou
lders of giants, people in the community, industry, blogs, reports, a lot of people we wouldn't be here without. And they need to deserve their credit. Special thanks and references we took from Tullman right here, Ned Moran, Fehlberg costing you more, Bieler, Chris, Chris McConkey, Kevin Mandia and the Grug. And especially to this incident did a lot and provided a lot of significant research support for this presentation. So thank you. With that, I would like to you know, before we ask the questions, most are repeated reports, not all of them suck. This hurts us. They become better. We can be better than they are. We can use this to keep them under six like we have seen with them evolving to a place where they can do less, they can scale less. And that is what we would like to see. Thank you and would love to have questions. So thank you in Bahrain, Gary, we have a question from the Watrous on the Internet. Hi. Um, so the question is, what is the state of Apte response across industries? And which industry do you think is most vulnerable now? Um, this is a sea. So just like, oh, shit. OK, I'll try to respond. I think LPT response, there are a few organizations out there that are extremely good at this because they have decent security, the evidence response, they have controls in place, they have monitoring place. They are good at security, which is why they're good. Apiata response. That said, a lot of the response to all of the incident response is now outsourced. So they bring companies in to do it for them. And that is why I believe that saving the logs, as they said, as a backup, is important and essentially the instant response is becoming a way again. I'm going to get Flins for this hour monitoring. So I say some people have really good stuff going on. Most people don't. And those and others bring in the outside help. Another problem with the outside, with the outsourced security is a response is that there is a huge difference or there can be a huge change 
in your ability to do proper response based on what your network looked like before. So if you only call the guys when you are when your house is already on fire, there's not a lot they can do. But if you brought them in before and they help you treat the house, then you're much better off. Another aspect that's interesting, although small, is the forensics and response used to be about keeping logs, chain of evidence, all of that stuff. People still do that. But honestly, today with APD, it's not as important. It's more about finding the actor as fast as possible, a week, two weeks, three weeks, and then moving on to remediation, which will take forever and cost a lot of money. And then it's essentially in many cases about installing some agent on all computers and networking, trying to identify what's going on. So it's not as much about what forensics used to be. When you look at the forensics cars, of course, anymore. But I am not an expert on this as much. And you should ask this question again from other people as well. Thank you. OK. Microphone two, please. Uh, yes, Ms. OK, um, first, I'm not really sure if this is the correct audience for your talk, because at least I suspect that most people here, when they build a network and when they they already trying to make it as secure as they can, even without considering a special attack or a special type of attack or considering what information an attacker might try to get because they probably try to make the system as secure as possible as is. And if they if they do not take a certain choice to use a certain type of security mechanism, it's probably just because they use case simply doesn't allow it. And even if they had been hacked, they couldn't change that. For example, I work in the public sector and with us the problem is mostly just you have to you don't have the people to fix stuff. I work at a university and they're basically situationist that every professor and every institution, every whatnot, um, ha
s its own I.T. team. And usually the other team is just the secretary that was put on the list that is saved, that the NOC, where they know which subnet is attributed to which institute, but usually they don't have an I.T. team at all. So basically what you see is that, um, an institute of, let's say, 20 or 30 computers runs Windows XP in the year 2015, most of them not even patched with the patches that are there for Windows XP. And I know that there is this is not just a single case at my university, but I know that there's plenty of other universities and other stuff where it looks just like this. And usually the problem there is they don't even have an I.T., so. The actual problem is that first you'd probably need to get to what you'd call the management level above the lacking 80 to actually hire people at all to to have a team at all. Yeah, well, that was my line. So what's your question? Let me answer first of all, you're correct and obviously you care about that and you shoot. So to answer, first of all, you said you talked about the audience is a huge stage and a lot of people are going to be watching that, not just the people in the crowd, but people who watch it streamed and people who are going to watch that later. That's one thing. Second thing is that we're trying to start something here. We could fail. We fail before and certain things. But if we can start changing something, then in the long term we will make a difference. And what you are saying is true. It's easy, though, to pick that one example where you know what? Nothing that I've said will help. That does not make what we've said not good because progress takes time and maybe with time, some of the progress gets into the full set ups. And when you say that most people here have a secure setup, well, guess what? It's the same opposite that I mentioned before. Sometimes you have time constraints. Sometimes I work at a startup company. You know, you rush sometimes, you know, you get to things lat
er than before. You have a project to make. You have deadlines. You rush sometimes to do things later, then after. It does not mean you don't know it. But at the end of the day, the reality that the attacker sees is what matters. So maybe not everyone in here was the right audience. By the way, we didn't choose the audience. Right. It's not that I have anything against you guys. Thank you. The thing is that I knew you were coming Safet. The thing is C.C.C. is where the trenches are. This is where people who do stuff are. Where the ideas get born is where people go back to the organizations from where the technologies and grow. This is exactly the right place, in my view, to do this type of talk. You're asking for a different type of talk. You're asking for how can I do hunting on my own when I don't have a lot of resources? And in our talk, we only give this a little bit of reference in risk assessment. And essentially risk assessment is. Connects to how much wishes do you have, what you can have, but that's a different topic, how to do that? So I'm sorry we didn't give as much attention to that. I also have a second question you asked if people should release information about breaches earlier, um, doesn't that contradict your example where you said that you had cases where the attackers were changing their attack schemes, life, while, for example, Trent Microbus? That's a very, very, very, very good question. Thank you for bringing that up. It's always about timing. Again, we couldn't bring everything into the talk, that comment. A friend of ours gave us. If you're still engaging in ah, maybe you can give it a heads up to somebody. Maybe in close circles. Maybe in open circles. You don't need to give away the Homeworld. Definitely, it's always about timing, about the right time, right place, we would like, whenever it's possible to release the information and not necessarily all of it. But you're absolutely right. OK, thank you. OK, and we are out of time, but I w
ant to hear the last question from our viewer because these people are not here and they can be asking you after you talk. Very nice things. So when you say Apte report Socrata, you just mean the publicly released ones or also the ones from security firms to their customers. So obviously we talk about the public ones because a lot of work is being done by a lot of vendors, but not everyone is a customer of all the vendors. Usually you're only a customer of one vendor and some vendors have more luck with Apte depends on their coverage and some don't. And at the end of the day, this problem is about everyone. So we don't want to improve it just for people using a certain vendor. We want to improve for everyone. And yeah. Kumbia. Thank you very much. Thank you.