Years ago, I was asked to speak at a military conference in Germany. One of the other speakers gave a talk about using social media in Russia to look at the patterns of communication between various hacker, malware author, etc. types. Who connected to whom? Who was at the center of some of the larger networks of these types of people? A lot of the work was done manually: he had a bunch of sla^H^H^Hgrad students who were fluent in Russian and other Eastern European languages, and they fed the posts and identifiers into a graphing program. I remember thinking, "If this could be automated then smart people would have to be pretty careful how they use social media".
So I reached out to Daniel Clemens of ShadowDragon and Packet Ninjas and asked for his thoughts on what is possible and the direction things are going.
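To make the "who connected to whom" idea concrete, here is an added example (my own code, not part of that talk and not ShadowDragon's or Packet Ninjas' tooling) that automates the step the grad students did by hand: it takes a handful of constructed, fictional forum and IRC posts, builds an undirected interaction graph from @-mentions, and ranks handles by degree centrality (who talks to the most people) and by betweenness centrality (who sits on the paths between otherwise separate groups). The handles, platforms, messages and the @-mention convention are all assumptions made up for the example.

```python
"""Added example: automating "who connected to whom" over a set of posts.

All posts, handles and platforms below are constructed for illustration.
The graph is undirected; an edge means one handle mentioned the other.
"""
import re
from collections import defaultdict, deque

# Constructed sample: (platform, author handle, message text). "@handle" is
# the assumed mention syntax; nothing here comes from a real platform.
SAMPLE_POSTS = [
    ("forum-a", "alpha", "@bravo check the new loader build"),
    ("forum-a", "bravo", "@alpha works, @charlie can you test it"),
    ("forum-a", "charlie", "@bravo done, sending results"),
    ("irc", "delta", "@echo got the list from @bravo"),
    ("irc", "echo", "@delta thanks"),
    ("forum-b", "foxtrot", "@golf ping"),
    ("forum-b", "golf", "@foxtrot pong"),
    ("forum-b", "foxtrot", "@golf @hotel meeting later"),
]

MENTION_RE = re.compile(r"@([A-Za-z0-9_]+)")


def build_graph(posts):
    """Return {handle: set(neighbours)} from author -> mentioned-handle pairs.
    Handles are lowercased so 'Bravo' and 'bravo' merge; self-mentions are
    dropped; an author who mentions nobody still appears as an isolated node."""
    adj = defaultdict(set)
    for _platform, author, text in posts:
        a = author.lower()
        adj[a]  # make sure the author exists even with no mentions
        for mention in MENTION_RE.findall(text):
            b = mention.lower()
            if b == a:
                continue
            adj[a].add(b)
            adj[b].add(a)
    return dict(adj)


def degree_centrality(adj):
    """Number of distinct handles each handle has interacted with."""
    return {n: len(nbrs) for n, nbrs in adj.items()}


def betweenness_centrality(adj):
    """Brandes' algorithm on an unweighted, undirected graph.
    Scores are un-normalized: the number of shortest paths between other
    pairs that pass through the node, each unordered pair counted once."""
    bc = {n: 0.0 for n in adj}
    for s in adj:
        stack = []
        preds = {n: [] for n in adj}
        sigma = {n: 0 for n in adj}
        dist = {n: -1 for n in adj}
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:  # BFS from s, recording shortest-path counts
            v = queue.popleft()
            stack.append(v)
            for w in adj[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        delta = {n: 0.0 for n in adj}
        while stack:  # back-propagate dependencies
            w = stack.pop()
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    # Undirected graph: every pair was counted from both endpoints.
    return {n: v / 2 for n, v in bc.items()}


def connected_components(adj):
    """Separate clusters of handles that never interact across the boundary."""
    seen, comps = set(), []
    for start in adj:
        if start in seen:
            continue
        comp, todo = set(), [start]
        while todo:
            v = todo.pop()
            if v in seen:
                continue
            seen.add(v)
            comp.add(v)
            todo.extend(adj[v])
        comps.append(comp)
    return comps


def rank(scores, k=3):
    """Top-k handles by score, ties broken alphabetically."""
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))[:k]


if __name__ == "__main__":
    graph = build_graph(SAMPLE_POSTS)
    print("clusters:", connected_components(graph))
    print("most connected:", rank(degree_centrality(graph)))
    print("brokers:", rank(betweenness_centrality(graph)))
```

On the constructed data the hub is `bravo` (three distinct contacts), and betweenness singles out `bravo` and `delta` as the only link between the forum-a cluster and the IRC pair. That is exactly the kind of signal the manual graphing exercise was after: on real data the inputs would be scraped posts rather than a hard-coded list, and the hard part is the identity resolution (same person, different handles) that the lowercasing step only gestures at.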
So Daniel, is ShadowDragon different than Packet Ninjas?
Since 2005 we had been running Packet Ninjas. It is still running and great for consulting. In the context of consulting we had been pushed into many strange cases that typically involved some form of corporate espionage in countries where the rule of law may not be as robust as in the US. Attribution was needed, and our clients, starting around 2006, began asking for attribution. Obviously this was strange, and we started to look for "where can we buy data" versus engineering things. This moved us to creating tools, the first being SocialNet. SocialNet helped us and our clients start correlating the who behind the what, and it has served well over the years as an output to many platforms, specifically Maltego.
We have over 900 transforms and cover some of the strangest platforms for attribution and the OSINT workflow.
"Open-source intelligence (OSINT) is intelligence collected from publicly available sources. In the intelligence community (IC), the term "open" refers to overt, publicly available sources (as opposed to covert or clandestine sources); it is not related to open-source software or public intelligence."
Is this similar to Threat Hunting? I have been hearing that term a lot recently. And does it work?
I would caveat that with OSINT, or what the industry now calls "Threat Intelligence", there should be an expectation that 60% success is a good day, and the normal scientific process of theory and questions should be posed and practiced. I also have to warn that some people might not be ready for this type of work even though it sounds cool. Any investigation, as you know, is usually intriguing, but with attribution as an industry we are close to where the country was pre-National Security Act in the 40s.
So ShadowDragon is the Social Network company?
We also created 4 other tool sets for different workflows. OIMonitor monitors many different things. For us, "situational awareness", collection and analysis are different for many different verticals. STIX/TAXII...
Let me stop you for a second, I think I remember reading about STIX a year ago or so, ah yes, according to Blue Coat's Brett Jordan:
"A new language, designed to define and describe a broad swath of threat activity, is beginning to take shape. This language, known as STIX, and its transport method, called TAXII, offer security firms, industry, and government the promise of better and faster cyber threat intelligence sharing.
STIX and TAXII have been getting key support and backing from groups as diverse as the Department of Homeland Security, The MITRE Corporation, and members of various information security groups and vendors, including Blue Coat Systems.
For the past 6 months, I have been heading up Blue Coat's participation in this effort.
STIX (Structured Threat Information eXpression) is a language used to communicate a set of cyber threat intelligence idioms, including:
- Threat Actors
- Techniques, Tactics, and Procedures
- Exploit Targets
- Courses of Action
The STIX and TAXII standards have matured well beyond their initial drafts and first release in 2013. In fact, major vendors are lining up to announce support and governments, incident responders and CERTs, the Financial Services Information Sharing and Analysis Center (FS-ISAC), and the Industrial Control Systems Information Sharing and Analysis Center (ICS-ISAC) (to name a few) have already started using STIX and TAXII in their production environments."
In my experience STIX/TAXII, whatever, really isn't even a discussion item, even though many people want it to be. Something like Unicode, collection, context and scalability should be thought of first, before some type of weak community sharing model.
You might be right. I will admit I just groan sometimes at MITRE's handling of CVE. So where does your information come from? Are you monitoring in strange places?
Not as strange as you would think, but it is always entertaining. There obviously are some restrictions, but I can share where it started. At the end of 2010 we had been asked to monitor Anonymous. Not for attribution but for something very different, that being analysis of tools, techniques and targets. This resulted in the creation of OIMonitor for this workflow, but it really acted as a platform for robust collection, as lead generation and historical context. We had used OIMonitor to monitor for tools and even had great success with identifying Sabu and "Murder" much earlier than others. We produced over 50 signatures for the tools and capabilities of everyone involved, and at one time had monitoring of ALL of the IRC servers based on some oversights the operators had made in clustering.
I just read a recent article on active defense. Isn't attribution essentially an unsolvable problem?
Attribution can happen, but it relies on process and tools based on the foundation of investigative principles. For instance, the latest naming and shaming of qcf in Iran/ME... It was our opinion they named the wrong folks. Attribution can go wrong or right, and either way there can be repercussions that are unforeseen in the optic of typical right-and-wrong Western perspectives. In short, a bad report or blogging in the public world may be interpreted differently in a different culture, and people can die. I hate to be dramatic, but this seems to be a turning point for those who want to make a name for themselves as bloggers and those who are quietly doing the work. All within the context that no one is doing this for a government. But government workers read blogs too, so be careful.
I will do my best to be careful Daniel, thank you for sharing your thoughts!