[Dailydave] Getting called out

Dave Aitel dave at immunityinc.com
Thu Jan 17 15:15:38 EST 2013

We had this whole section in the early Unethical Hacking classes where
we talked about attribution, and anti-attribution methodology. To
summarize it, we realized that there are some things that can be
trivially changed by an exploit team - obviously the strings inside the
trojans are the best example of these. Or the emails they register their
cover accounts with. These mean nothing.

But there is meta-data they cannot change easily. What follows we call
the tripod of cyber attribution:

1. Knowledge of particular vulnerabilities, exploits, or techniques.
This produces a "chain"-like time-based fingerprint that is extremely
difficult to spoof, since you would need to replicate the entire Chinese
technology tree to pretend to be Chinese. Simply stealing some exploits
won't do, because you'll never have an exploit or exploit technique
BEFORE they go public with it. And you can also add "time to mature and
deploy a technology" to your analysis, making it a very robust
indicator. This is also true of operator methodologies, analysis
techniques, and attack surfaces.

2. Targeting. This is hard to change because it results not from
technological restrictions, but from policy restrictions and turf wars.
If you're not allowed by the Politburo to steal Chinese data, then you
won't. Faking this is possible, but it's somewhat complex. This, of
course, is why it's also dangerous to do "collision prevention" on your
rootkits. If you never catch Rootkits A and Q on the same box, ever in
the history of time, then A and Q are from the same team (or allied teams).

3. Dissemination. It's hard to pretend to be Russian if the data you are
stealing from Dow Chemicals ends up in Chinese state-owned enterprise's
product lines. This is one reason economic espionage efforts are so
dangerous to groups trying to hide attribution.

In any case, completely extraneous to this topic: Lurene did a podcast
you should listen to in your car or whatever -
http://theloopcast.podbean.com/2013/01/16/episode-6-offensive-cyber/ .
It's kind of like eavesdropping on two random people in a Starbucks in
DC who are talking about cyber - which .... is any two random people in
a Starbucks in DC, according to my sampling. :>


On 1/14/13 10:17 PM, Brian Keefer wrote:
> On Jan 14, 2013, at 7:41 AM, Dave Aitel wrote:
>> http://www.wired.com/threatlevel/2013/01/red-october-spy-campaign/
>> That's what it looks like when the Russians call the Chinese out for
>> pretending to be them. How cool is that! "Here we are, pretending to
>> think it's a Russian trojan because of all that tricky Russian slang
>> left in the code. BUT WAIT, they're using exploit chains out of China!
>> And they use the Chinese target set! We will let you draw your own
>> conclusions."
>> -dave
> Is it just as plausible that the Russians are stealing all the good Chinese exploits because the Chinese have shit OPSEC? Why do all the fuzzing and exploit dev when you can just smash & grab the weaponized goods?
> --
> bk

INFILTRATE - the world's best offensive information security conference.
April 2013 in Miami Beach
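Two legs of the "tripod" above can be turned into checks over sighting data: the mutual-exclusion pattern from point 2 (two implants that are each common but never share a host) and the time-based fingerprint from point 1 (whether a group uses a technique before or only after it goes public). The following is an added example and not code from the original post or from Immunity; every host, family, group, technique and date in it is constructed, and the expected co-occurrence uses a simple independence assumption (each family lands on hosts independently of the others).

```python
"""Attribution heuristics over constructed sighting data (added example,
not part of the original post).  Hosts, families, groups, techniques and
dates below are all made up for illustration."""
from collections import Counter, defaultdict
from datetime import date
from itertools import combinations

# Constructed host sightings: (host, malware family).  Families "A" and
# "Q" are each common but are never seen on the same host, which is the
# pattern the post attributes to collision prevention by one operator.
SIGHTINGS = [
    ("h01", "A"), ("h01", "Z"),
    ("h02", "A"), ("h02", "Z"),
    ("h03", "A"),
    ("h04", "A"), ("h04", "Z"),
    ("h05", "Q"), ("h05", "Z"),
    ("h06", "Q"),
    ("h07", "Q"), ("h07", "Z"),
    ("h08", "Q"),
    ("h09", "Z"),
    ("h10", "Z"),
]


def families_per_host(sightings):
    """Group sightings into {host: set(families)}."""
    hosts = defaultdict(set)
    for host, fam in sightings:
        hosts[host].add(fam)
    return hosts


def mutual_exclusion_pairs(sightings, min_expected=1.0):
    """Return family pairs that never share a host even though, under an
    independence assumption, at least `min_expected` shared hosts would be
    expected.  Such pairs are candidates for a common (or allied) operator
    doing collision prevention.  Result: {(fam_a, fam_b): expected_shared}."""
    hosts = families_per_host(sightings)
    n = len(hosts)
    count = Counter(f for fams in hosts.values() for f in fams)
    observed = Counter()
    for fams in hosts.values():
        for pair in combinations(sorted(fams), 2):
            observed[pair] += 1
    flagged = {}
    for a, b in combinations(sorted(count), 2):
        expected = count[a] * count[b] / n  # assumption: independent deployment
        if observed[(a, b)] == 0 and expected >= min_expected:
            flagged[(a, b)] = round(expected, 2)
    return flagged


# Constructed timeline: when each technique was first seen in use by a
# group, plus the date it became public.  A group that originates a
# technique uses it before publication; a group that only picks techniques
# up after disclosure shows a consistent "always after public" lag.
PUBLIC_DISCLOSURE = {
    "tech-1": date(2012, 3, 1),
    "tech-2": date(2012, 6, 15),
    "tech-3": date(2012, 11, 20),
}
FIRST_SEEN = {
    "group-red": {"tech-1": date(2011, 12, 5), "tech-2": date(2012, 5, 2),
                  "tech-3": date(2012, 10, 9)},
    "group-blue": {"tech-1": date(2012, 4, 10), "tech-2": date(2012, 8, 1),
                   "tech-3": date(2013, 1, 7)},
}


def pre_disclosure_use(first_seen, disclosure):
    """For each group, count techniques it used before they went public and
    record the days it led (positive) or trailed (negative) disclosure."""
    report = {}
    for group, techs in first_seen.items():
        leads = {t: (disclosure[t] - d).days
                 for t, d in techs.items() if t in disclosure}
        report[group] = {
            "pre_public": sum(1 for v in leads.values() if v > 0),
            "lead_days": leads,
        }
    return report


if __name__ == "__main__":
    print("never co-located despite prevalence:", mutual_exclusion_pairs(SIGHTINGS))
    for group, r in pre_disclosure_use(FIRST_SEEN, PUBLIC_DISCLOSURE).items():
        print(group, r)
```

Run as a script it flags the pair ("A", "Q") with 1.6 expected shared hosts and zero observed, while "group-red" leads disclosure on all three techniques and "group-blue" trails on all three. Both signals only become meaningful with far more hosts and techniques than the toy data here; the point is that the checks run over data an operator cannot cheaply rewrite.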
