Defensive security is a rat race. We detect new threats, we reverse engineer them and develop defenses while the bad guys just make new threats. We often just document a new threat and stop when the blog post is published. This talk will take it a step further on how to proactively disrupt threats and threat actors, not just from your organization but completely. As a case study, Operation Tovar and whatever else I take down between now and THOTCON will be used as examples of how this can be accomplished without a large legal team and without massive collateral damage (i.e. the No-IP incident). Tools will be demonstrated that are used for near-time surveillance of criminal networks.
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
1. Going Kinetic on Electronic Crime Networks
THOTCON 0x06
John Bambenek, Fidelis Cybersecurity
2. Introduction
• Sr. Threat Researcher with Fidelis Cybersecurity
• Faculty at the University of Illinois at Urbana-Champaign
• Producer of open-source intelligence feeds
• Run several takedown-oriented groups for various malware families
3. Problem Statement
• Right now we are on the losing end of an arms race.
• The adversaries produce more malware than we can possibly analyze.
• We have to operate in the open while they operate in secret.
• Their core business is exploitation; security for us is a cost center.
• We operate in a global economy without an effective means of global law enforcement.
4. TL;DR
Bad News: We’re Doomed
Good News: Unlimited Job Security
5. What to do…
• You could keep playing defense:
• Firewall Rules
• IDS/IPS Rules
• AV Signatures
• IoCs
• Etc etc etc
6. The problem of “sufficiency”
• Once we “detect” a threat, work occurs until some “defense” is developed.
• Once a threat is “blocked”, the work tends to stop.
• The threat actor can operate with impunity and just has to tweak tactics occasionally.
• Those most in need of security are least likely to have it / afford it.
7. What to do…
• Or you can take the fight to the adversary and go kinetic?
• Why kinetic?
• No, I’m not talking about predator drones…
• Or hacking back…
9. What is a takedown?
• An attempt to disrupt an ongoing electronic crime operation with the intent of ending it entirely.
• Successful takedowns: Operation Tovar, Conficker
• Unsuccessful takedowns: Kelihos (all 4)
• Complete disasters: No-IP
11. Aren’t takedowns just media ploys?
• Right now there is far too much media pimping in our industry by <insert company name here>.
• There have been plenty of takedowns for PR purposes. And white papers. And blog posts… etc.
• That doesn’t mean we should stop trying to have an impact.
12. How to tell the difference?
• Takedowns, like all security-related activity, require OPSEC.
• What’s the first rule of OPSEC?
13. Do takedowns do any good?
• Some argue that because crime doesn’t stop, takedowns don’t do any good.
• Sure, stupid takedowns don’t do much good.
• But arrests haven’t stopped rape, murder and theft in a few thousand years either.
14. Do takedowns do any good?
• Writing detection rules doesn’t stop criminals from adapting either.
• The key is to do things in a thoughtful way to maximize impact and minimize risk.
• Hopefully along the way an indictment can be had.
15. How to do takedowns…
• Largely depends on the threat and the complexity.
• Can be as simple as asking a provider to shut someone down.
• Can be as complicated as involving dozens of organizations and law enforcement across multiple countries.
16. The Easy Way
• Getting things taken down for criminal activity can be time-consuming.
• Getting things taken down for “brand damage” / DMCA is generally easy.
• Seriously, ICANN has minimal security rules for domains, but they are all over brand damage / impersonation.
17. The Easy Way
• That only works for “small” threats… the kind of threats that come back easily anyway.
• Most threats are too big for one organization to handle.
• There are shared threats and unique threats. Most are shared threats.
18. Building the Intel for Takedowns
• Have to build the “what” before you can answer the “how”.
• Almost all malware wants to talk “somewhere”.
• Enumerate *ALL* avenues an adversary can use to contact an infected machine.
19. Example #1
• Example #1: Domain Generation Algorithms
• Based on some math, a pseudo-random but predictable list of domains is generated.
20. Example #1
• If you can RE a DGA, you can use it to build intel.
• See Johannes Bader’s blog: johannesbader.ch
• Create a domain list, use adns-tools to resolve large numbers of them on a routine basis: an instant SIGINT tool.
21. Example #1
tmabjkeyftudpk.com , Domain used by Cryptolocker - Flashback DGA for 11 May 2015
eiavquoeipblqq.net , Domain used by Cryptolocker - Flashback DGA for 11 May 2015
rvyqndcrbqsxqu.biz , Domain used by Cryptolocker - Flashback DGA for 11 May 2015
fjccjegtytxxsh.ru , Domain used by Cryptolocker - Flashback DGA for 11 May 2015
swbwgmthrupkju.org , Domain used by Cryptolocker - Flashback DGA for 11 May 2015
gqfoopfpkaxjjf.co.uk , Domain used by Cryptolocker - Flashback DGA for 11 May 2015
22. Example #1
• You could use this list to find what resolves and where the adversary is sitting…
50.63.202.25 , IP used by matsnu C&C
54.228.194.98 , IP used by matsnu C&C
23. Example #1
• Or you could take all the domains, current and future, in a legal action.
• If there is no other path to access, you have severed the adversary’s ability to control. (Operation Tovar did this.)
• You could also buy all the domains…
• Expensive, unless you are a registrar, which is cheaper to become than you think.
• Or you could ask the registrar to suspend. Many will take action (some won’t).
• AlienSpy example
24. Example #2
• Example 2
• Mine malware for C2 information
• https://github.com/kevthehermit/RATDecoders
• Python scripts that will statically rip configurations out of 32 different flavors of RATs.
• Disclaimer: I had nothing to do with the development of these tools; they just fit my need, and Kevin Breen deserves mad props.
26. Sample njRat config
Key: Campaign ID Value: 1111111111111111111
Key: Domain Value: #####.ddns.net
Key: Install Dir Value: UserProfile
Key: Install Flag Value: False
Key: Install Name Value: svchost.exe
Key: Network Separator Value: |'|'|
Key: Port Value: 1177
Key: Registry Value Value: 5d5e3c1b562e3a75dc95740a35744ad0
Key: version Value: 0.6.4
27. Processing DNS/IP Info
• Config takes FQDN or IP in a free-form field.
• This is the only configuration item on which any processing is done.
• If it is an RFC 1918 IP, then drop the config.
• If the FQDN resolves to an RFC 1918 IP, keep it.
• If it doesn’t resolve, keep it.
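The filter rules on this slide, written out as an added example (this is not the speaker’s tooling and not part of RATDecoders): the free-form C2 field from a decoded config is classified and kept or dropped exactly as listed. The resolver is injectable, so the embedded sample fields and canned DNS answers (constructed here, not from the page) let it run offline; `dns_resolve` does live lookups.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# RFC 1918 listed explicitly: is_private would also match loopback, link-local etc.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
Resolver = Callable[[str], Optional[str]]

def as_ip(value: str):
    """Parsed address if value is an IP literal, else None."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def is_rfc1918(value: str) -> bool:
    addr = as_ip(value)
    return addr is not None and any(addr in net for net in RFC1918)

def dns_resolve(fqdn: str) -> Optional[str]:
    """Live resolver: first A record, or None when the name does not resolve."""
    try:
        return socket.gethostbyname(fqdn)
    except OSError:
        return None

def process_c2(field: str, resolve: Resolver = dns_resolve) -> Optional[Dict]:
    """Apply the slide's rules to one config's free-form C2 field.
    literal RFC 1918 IP        -> drop (lab/test build, not a live C2)
    other literal IP           -> keep
    FQDN resolving to RFC 1918 -> keep (the name itself is the intel)
    FQDN that does not resolve -> keep (may go live or be sinkholed later)
    """
    value = field.strip()
    if not value:
        return None
    if as_ip(value) is not None:
        return None if is_rfc1918(value) else {"c2": value, "kind": "ip", "resolved": value}
    return {"c2": value, "kind": "fqdn", "resolved": resolve(value)}

def process_configs(fields: List[str], resolve: Resolver = dns_resolve) -> List[Dict]:
    """Run process_c2 over many extracted configs, keeping only the survivors."""
    return [r for r in (process_c2(f, resolve) for f in fields) if r is not None]

# Constructed sample fields (not from the page) and a canned resolver so the
# example runs offline; pass dns_resolve instead when processing real configs.
SAMPLE_FIELDS = ["192.168.1.20", "203.0.113.10", "lab-box.dyn.example",
                 "c2-host.dyn.example", "  ", "unregistered.dyn.example"]
CANNED_DNS = {"lab-box.dyn.example": "10.0.0.5", "c2-host.dyn.example": "198.51.100.7"}
```

Calling `process_configs(SAMPLE_FIELDS, CANNED_DNS.get)` drops the private-IP build and the empty field and keeps the other four, including the name that resolves to 10.0.0.5.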
28. Sample Output
0739b6a1bc018a842b87dcb95a73248d3842c5de,150213,Dark Comet Config,Guest16,######.ddns.net,,1604,,,,o1o5GgYr8yBB,DC_MUTEX-4E844NR
0745a4278793542d15bbdbe3e1f9eb8691e8b4fb,150213,Dark Comet Config,Guest16,######.noip.me,,1604,,,,aWUZabkXJRte,DC_MUTEX-TX61KQS
07540d2b4d8bd83e9ba43b2e5d9a2578677cba20,150213,Dark Comet Config,FUDDDDD,######.no-ip.biz,204.95.99.66,1604,,,,qZYsyVu0kMpS,DC_MUTEX-8VK1Q5N
07560860bc1d58822db871492ea1aa56f120191a,150213,Dark Comet Config,Victim,######.no-ip.biz,,1604,,,,sfAEjh4m1lQ7,DC_MUTEX-F2T2XKC
07998ff3d00d232b6f35db69ee5a549da11e96d1,150213,Dark Comet Config,test1,,192.116.50.238,90,,,,4A2xbJmSqvuc,DC_MUTEX-F54S21D
07ac914bdb5b4cda59715df8421ec1adfaa79cc7,150213,Dark Comet Config,Guest16,######.ddns.net,31.132.106.94,1604,1.#######.z8.ru,######60,######2012,zwd8tEC0F0tA,DC_MUTEX-W3VUKQN
NOTE – Redacted entries are the username and password for the FTP drop for keylogs.
29. So you have data. Now what?
• You have four options for takedown-related actions:
• Use the criminal justice system
• Use civil litigation
• Work with providers directly (AUP/ToS/Contract enforcement)
• Other “less legal” means which we will not discuss here.
30. Criminal Justice System
• The ideal result… someone gets arrested.
• Generally, work for big online crime cases starts with private sector research.
• Very time consuming but low cost.
• LE in almost every country is willing to work with anyone who can help build cases.
• Yet cooperation between countries can be problematic.
31. Criminal Justice System
• An important tool to motivate law enforcement is to enumerate harm.
• Sinkhole domains (if possible) to build victim information.
• Before LE will act they want to know how their citizens are impacted.
• Possible to get cooperation even in “hostile” jurisdictions.
32. Civil litigation
• Involves an aggrieved party (or regulatory body) going to court for some remedy.
• Generally not available to most people for lack of “standing”.
• Can also lead to some collateral damage.
33. Work with providers directly
• Some are more cooperative than others.
• Many go from uncooperative to cooperative.
• Takes time to build a relationship and trust.
• Bypasses “foreign policy” issues and gets results.
• As an example, I’ve gotten cooperation inside Russia and China on security issues.
34. Risk assessment
• Before any takedown is undertaken, a “risk assessment” should be done.
• What collateral damage could be done?
• Is action being taken against a third party and not the target?
• Will less aggressive means accomplish the mission without resorting to heavy-handed tactics?
35. Post-Takedown activity
• Just because you take down the C2 network, it doesn’t necessarily mean you have cleaned up infected machines.
• Operation Tovar created a mechanism for people to recover files and to see if they were infected, to make private individuals “whole”.
• This is the most neglected part of takedowns.
36. The Key to All of This…
• Most threats are too big for one organization to tackle.
• Many organizations have unique data or skillsets.
• The key is to have a group of people across organizations all contributing a reasonable amount to the goal.
37. The Key to All of This…
• Private working groups aren’t exclusive to big companies or security companies.
• Takes willingness to contribute something to get something in return.
• Added benefit is access to information to protect your organization you wouldn’t have otherwise.
38. Venues to participate in takedown activity
• Microsoft CME Program
• Private working groups (some are more open than others)
• I run 4.
39. The Upshot
• There is more work than could possibly be done.
• If you want to contribute effort, find a venue to do so.
• Reverse-engineering
• Tooling
• OSINT research
• Etc.
• Much of the work is not as high-skill as you would think; it just takes time, motivation and a willingness to learn.
40. Call to Action
41. Bottom Line
“The infosec industry doesn’t need another white paper. What we need is bodies in the streets.”