> “It’s a big myth that there are thousands of [signatures] for any particular groups,” he notes. “These [TerritorialDispute] guys really focus on finding the two or three telltale signs that could lock you in [on an APT].”
I have a hard time accepting that. Sure, if it was a financially motivated actor or common malware, a few "high quality" indicators are all you need. But APT actors know they are being tracked by their adversary using these same indicators. It isn't difficult or costly for them to avoid reuse of infrastructure and tooling. The few attributions I looked at in detail require a more speculative and somewhat imprecise correlation by humans as opposed to clear and static indicators.
Please correct my ignorance if I am wrong.
EDIT: Security companies do use "thousands" of signatures and indicators to find events that might possibly be associated with an APT group. Why is the NSA special? That's what I can't accept. As good as the NSA is, multi-billion-dollar security companies are not far behind (I would say some are even ahead when it comes to defensive security).
I think people, especially on HN, like to think of these groups as far more professional than they are. Just look at all the talk of “tradecraft” and “threat actors”.
Empirically, it appears that hackers are simply people. These groups seem to have maybe just one or a handful of talented individuals at their core, and they all have habits they like to return to.
After meeting various NSA and US cyber security heads at RSA and having dinner with them and hearing their "war stories" about shit they have done, sure they are people, but IMO the people I met were straight up psychopaths.
This is my opinion of the type-A "hacker types" that Palantir hires...
(Had dinner with the head of US cyber-security and his minions and military contractors. This was when I was with Lockheed.)
> Empirically, it appears that hackers are simply people. These groups seem to have maybe just one or a handful of talented individuals at their core, and they all have habits they like to return to.
Sure, that's why indicators of compromise exist to begin with. What I don't get is this notion of a "high quality" indicator. You would normally match on all indicators you have.
I mean, why match with a dozen indicators knowing full well the attacker might reuse any one of the hundreds of indicators that exist? All the big-name security companies match against all known indicators for a group. What practical benefit is there to limiting yourself to a few indicators, even if they are top-notch indicators?
APT groups have a set of tools, techniques, and processes (TTPs) that they use. They evolve over time, but are generally consistent per APT group. It's maybe dozens of methods and signature moves that teams use to attribute the actor. Malware packages and so on leak data, C2 servers might get reused (or the way the C2 was obtained might inform something).
From the attacker point of view, you don't change your methods if they are working.
However due to this, you are right: it's incredibly messy and attribution is mostly bullshit. If you notice, it mostly warns the operator to seek help, so others can try to confirm.
It's also a game of burning unused methods when it's irrelevant to stay 100% black. Hitting something that the NSA truly wants no one to trace back to them works better if most of their other attacks work with the same combination of tools.
>> APT groups have a set of tools, techniques, and processes (ttps) that they use.
This is interesting considering recent high profile attacks (The DNC, OPM, Sony) have pointed to state actors, but many in the InfoSec community have come back and said many of the tools have been out in the Wild for years. It means almost any hacking team could be using them, indicating that many of the tools are common amongst these groups so pinning a hack to a specific group because of the tools they used isn't a reliable way to track them.
Not my opinion, just something that would seem to contradict the idea that a set of tools indicates who the actors are.
It doesn't contradict anything, it just lowers the probability of being right a hair (For the extreme few APTs who would bother with such trivialities), hence the "attribution is bullshit" -- you can't ever know.
However, that does NOT contradict the simple fact that various APT groups do absolutely use the same tried and true TTPs to get in, gain a foothold, and persist. They evolve them over time, but you'd be foolish to think they entirely wing it each time, using a chaotic set of techniques. They establish patterns, and you can absolutely build a signature off of that.
I suppose considering the cost (time, money, effort) it would have to be used somewhat carefully, but I would expect it to improve offensive capabilities to be able to make attacks that don't look like you. But agreed that it would have to be rationed out, in order to not lose ground in redoing things.
Except history shows that is not the case...APT actors make tons of mistakes and straight up re-use code and infrastructure on a regular basis.
There is the mythical claim that "someone is doing it right" but at the end of the day, these are just people. They make mistakes and are just doing a job.
A sophisticated team would probably use a mix of public tools, stolen private tools, and unique internally developed tools.
Public tools and stolen private tools are worse than useless for attribution because they are specifically used to avoid attribution or to cause false attribution.
Accurate attribution, if possible, can only be based on unique internally developed tools, which means you have to have the knowledge of the overall environment to see that some tool is unique and being deployed for the first time, and then track the deployment of that tool across other targets, and correlate it with the deployment of other unique tools.
>Public tools and stolen private tools are worse than useless for attribution because they are specifically used to avoid attribution or to cause false attribution.
Not necessarily. Given enough public tools, combinations of usage can be unique.
Any tool can be obfuscated and mutilated to oblivion...there are brilliant tools around these days that do wonders at the source code level.
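The point made above, that individually common public tools can still form a distinctive combination, is easy to check with a small computation. The following is an added example written for this page, not code from the article or from any of the commenters; the six intrusion records and the tool names in them are constructed for illustration. It computes how often each tool appears on its own, how often each multi-tool combination appears, and then clusters the intrusions by the Jaccard overlap of their TTP sets.

```python
"""Added example (not from the thread): single public tools are poor
discriminators, but a combination of them can pick out one cluster of
intrusions. All incident records and tool names below are constructed."""
from itertools import combinations

# Constructed incident records: intrusion id -> set of observed public tools/techniques.
INTRUSIONS = {
    "inc-01": {"mimikatz", "psexec", "cobaltstrike", "sched-task-persist", "dns-c2"},
    "inc-02": {"mimikatz", "psexec", "cobaltstrike", "sched-task-persist", "dns-c2"},
    "inc-03": {"mimikatz", "psexec", "wmiexec", "registry-run-key", "https-c2"},
    "inc-04": {"mimikatz", "cobaltstrike", "wmiexec", "registry-run-key", "https-c2"},
    "inc-05": {"procdump", "psexec", "cobaltstrike", "sched-task-persist", "https-c2"},
    "inc-06": {"mimikatz", "psexec", "cobaltstrike", "registry-run-key", "dns-c2"},
}


def tool_prevalence(intrusions):
    """Fraction of intrusions in which each tool appears.
    A value near 1.0 means the tool alone says little about who used it."""
    counts = {}
    for tools in intrusions.values():
        for t in tools:
            counts[t] = counts.get(t, 0) + 1
    n = len(intrusions)
    return {t: c / n for t, c in counts.items()}


def combo_prevalence(intrusions, k):
    """Fraction of intrusions in which each k-tool combination appears.
    Combination keys are tuples of tool names in sorted order."""
    counts = {}
    for tools in intrusions.values():
        for combo in combinations(sorted(tools), k):
            counts[combo] = counts.get(combo, 0) + 1
    n = len(intrusions)
    return {c: v / n for c, v in counts.items()}


def incidents_with(intrusions, tools):
    """Sorted ids of intrusions that used every tool in `tools`."""
    wanted = set(tools)
    return sorted(i for i, t in intrusions.items() if wanted <= t)


def jaccard(a, b):
    """Set overlap in [0, 1]: |A and B| / |A or B|."""
    return len(a & b) / len(a | b)


def cluster(intrusions, threshold):
    """Greedy single-linkage clustering: an intrusion joins the first cluster
    containing any member whose TTP-set Jaccard overlap meets the threshold."""
    clusters = []
    for i in sorted(intrusions):
        for c in clusters:
            if any(jaccard(intrusions[i], intrusions[j]) >= threshold for j in c):
                c.append(i)
                break
        else:
            clusters.append([i])
    return clusters


if __name__ == "__main__":
    prev = tool_prevalence(INTRUSIONS)
    for tool in ("mimikatz", "psexec", "cobaltstrike"):
        print(f"{tool:13s} seen in {prev[tool]:.0%} of intrusions")
    combo = ("cobaltstrike", "dns-c2", "mimikatz", "psexec")
    print("combination", combo, "seen in",
          f"{combo_prevalence(INTRUSIONS, 4)[combo]:.0%}",
          "->", incidents_with(INTRUSIONS, combo))
    print("clusters at Jaccard >= 0.6:", cluster(INTRUSIONS, 0.6))
```

In the constructed data each of the three credential-dumping/lateral-movement/C2 tools shows up in five of six intrusions, so none of them points anywhere on its own; the four-tool combination with DNS C2 appears only in the three intrusions that the overlap clustering also groups together. Real TTP-based clustering weights techniques by rarity and accounts for what was observable at each victim, which this toy deliberately omits.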
false attribution shouldn't work. nobody blindly believes binary signatures like we did in the 20th century.
accurate attribution can only be based on the whole picture, with a focus on technique. i.e. types of exploits used, styles of shellcode used, c2 key exchange used, intel types gathered, etc. etc.
the arms race is real, information doesn't vanish, nothing is simple.
I think they're only looking for 2-5 IOCs because they're checking the same machine they've broken into for operations.
Maybe they're looking for tools the other groups use to establish initial beachheads and not tools that are used for exploitation, info gathering or other more involved tasks.
When I read this (interesting) article, I was wondering whether there is any free or commercial tool for detecting those indicators of compromise on GNU/Linux machines. I know rootkithunter, but that seems to be fairly weak heuristically. Other tools like tripwire, on the other hand, are based on snapshots and hashes and only monitor changes.
I'd be interested in a tool that can indicate suspicious kernel modifications, USB drivers and other software that behaves in unusual ways without triggering tons of false positives and independently of any certificates or whether the software comes from a supposedly trusted repository. But AFAIK, there is not even a key logger detection tool for Linux.
sure, IOC monitoring can be done via osquery (free), or tanium ($$$). You just have to build your own ruleset to pickup IOCs.
Linux has AV, and nextgen stuff like Cylance (works but super buggy, runs as a kernel module).
You also have other HIDS, like Bro, Snort, and so on, but those mostly look for suspicious network traffic.
Microsoft OMS has been making some plays here; it frequently flags unusual process execution for me (eg: Python running from an uncommon path or some such).
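To make the "build your own ruleset" advice above concrete, and to cover the earlier wish for something that flags unexpected kernel modules and oddly behaving processes, here is an added example written for this page. It is not code from osquery, Tanium, OMS or any commenter. It applies a small IOC ruleset to host snapshots shaped like the rows osquery's processes and kernel_modules tables return; the process list, module list, hash and module names are all constructed, and the rules (known-bad hash, known-bad or non-baseline module, execution from a writable temp directory, a binary deleted from disk while still running, an interpreter running from an untrusted path) are the kind a defender would write, not a published ruleset.

```python
"""Added example (not from the thread or from osquery): a small IOC ruleset
run over constructed host snapshots. Hashes, module names and paths are made
up for illustration; the rules are illustrative, not a published ruleset."""
import re
from dataclasses import dataclass

# Atomic indicators (constructed). Exact matches are high-confidence hits.
BAD_SHA256 = {"9d5ed678fe57bcca610140957afab57116f8a3a6f7e0ea3ef4bcb9d51bd9a1c3"}
BAD_MODULES = {"rkhide"}

# Behavioural rules. The baseline is what the host is expected to load.
BASELINE_MODULES = {"ext4", "xfs", "nf_conntrack", "usbhid"}
TEMP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
TRUSTED_BIN_DIRS = ("/usr/bin/", "/bin/", "/usr/local/bin/")
INTERPRETERS = {"python", "perl", "ruby", "bash", "sh"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}

# Constructed snapshot, shaped like osquery processes rows. The path of a
# running binary that was unlinked shows up with a " (deleted)" suffix.
PROCESSES = [
    {"pid": 1, "path": "/usr/lib/systemd/systemd", "sha256": "a" * 64},
    {"pid": 812, "path": "/usr/sbin/sshd", "sha256": "b" * 64},
    {"pid": 2210, "path": "/usr/bin/python3", "sha256": "c" * 64},
    {"pid": 3071, "path": "/home/www/.cache/python3", "sha256": "d" * 64},
    {"pid": 3102, "path": "/dev/shm/.x/kworker",
     "sha256": "9d5ed678fe57bcca610140957afab57116f8a3a6f7e0ea3ef4bcb9d51bd9a1c3"},
    {"pid": 3155, "path": "/usr/sbin/cron (deleted)", "sha256": "e" * 64},
]
LOADED_MODULES = ["ext4", "xfs", "nf_conntrack", "usbhid", "rkhide"]


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    subject: str
    detail: str


def _basename(path):
    """Executable name without directory or the ' (deleted)' marker."""
    return path.split("/")[-1].replace(" (deleted)", "")


def check_process(proc):
    """Apply the process rules to one snapshot row; returns a list of Findings."""
    path = proc["path"]
    subject = f"pid {proc['pid']}"
    findings = []
    if proc.get("sha256") in BAD_SHA256:
        findings.append(Finding("critical", "known-bad-hash", subject, path))
    if path.startswith(TEMP_DIRS):
        findings.append(Finding("high", "exec-from-temp-dir", subject, path))
    if path.endswith(" (deleted)"):
        findings.append(Finding("high", "deleted-binary", subject, path))
    # Strip a version suffix so python3 / python3.11 / perl5 all normalise.
    base = re.sub(r"\d+(\.\d+)*$", "", _basename(path))
    if base in INTERPRETERS and not path.startswith(TRUSTED_BIN_DIRS):
        findings.append(Finding("medium", "interpreter-uncommon-path", subject, path))
    return findings


def check_modules(loaded, baseline):
    """Flag known-bad modules, then anything loaded that the baseline lacks."""
    findings = []
    for mod in loaded:
        if mod in BAD_MODULES:
            findings.append(Finding("critical", "known-bad-module", "kernel", mod))
        elif mod not in baseline:
            findings.append(Finding("high", "non-baseline-module", "kernel", mod))
    return findings


def sweep(processes, loaded_modules, baseline):
    """Run every rule over a snapshot and return findings, most severe first."""
    findings = check_modules(loaded_modules, baseline)
    for proc in processes:
        findings.extend(check_process(proc))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.subject))


if __name__ == "__main__":
    for f in sweep(PROCESSES, LOADED_MODULES, BASELINE_MODULES):
        print(f"[{f.severity:8s}] {f.rule:26s} {f.subject:9s} {f.detail}")
```

The behavioural rules are where the false-positive tuning happens: a build host that legitimately runs interpreters from a virtualenv under /home needs that prefix added to the trusted list, and the module baseline has to be regenerated after kernel updates. As the next comment notes, none of this is trustworthy once the kernel itself is compromised, since the snapshot is produced by the very thing being checked.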
I don't think that it makes sense from a technical point of view to try to observe something if an attacker has already compromised your kernel. As soon as this happens, there is nothing you can do that is foolproof, as long as we don't have kernels which separate privileges within the system. If you want to observe something, you have to depend on a trust anchor. In most of today's systems you don't have a trust anchor when the kernel is compromised.
> It turns out those scripts and tools are just as interesting as the exploits. They show that in 2013 — the year the NSA tools were believed to have been stolen by the Shadow Brokers — the agency was tracking at least 45 different nation-state operations, known in the security community as Advanced Persistent Threats, or APTs. Some of these appear to be operations known by the broader security community — but some may be threat actors and operations currently unknown to researchers.
Plot twist: Around 20 of them turn out to be separate clandestine programs operated by the US Government.
“They started to become concerned about sitting on a box with our tools and there being other actors there that could steal or figure out what we were doing.”
Seeing as they had all their tools stolen, that must have worked out really well.
Yeah, of all things to leak... even pre-Snowden, this is what I would expect the NSA to do, because watching other countries' intelligence agencies is what they're supposed to do.
You say this like it’s not obvious. Just because what they’re doing is OK doesn’t make it uninteresting. There are lots of posts on HN about completely sensible things.
Why does the NSA need defending this badly anyway?
I think people are conditioned to associate "leaks" with "scandals" (especially when it comes to the three letter agencies), when in actuality this "leak" is just a revelation of completely reasonable and expected activities.
Does it really need explaining? The sky is blue, the NSA isn't 100% evil.
It just feels really out of place under an article focusing on the technical side of things, not accusing the NSA of anything nefarious.
Despite neither the article nor any of the comments here suggesting there's anything wrong with the NSA activities being discussed, several users felt the need to preemptively stand up for the agency:
I was about to comment the exact same thing. It's been known for years now that they do that. This practice is outlined in the book "Cyber War: The Next Threat to National Security and What to Do About It," in which the author explains how the NSA has a profile on all (known) Chinese hackers.
The news isn’t that they’re doing it, but that the documents detail how they do it. Disclaimer: I haven’t read the article yet, I’m basing this on the title.
It is at least somewhat interesting that there is so much state-sponsored attacking going on that the incidence of two different states/teams ending up on the same box is not only non-negligible, but even common.
It also makes you wonder why it isn't commonplace to harden targets against the exploit that was used to get in, to deny that space to competitors. Perhaps it is, and it's just that there's so many vulnerabilities out there that it's common for multiple teams to break into the same box via different exploits.