Page 1

The Unforeseen Consequences of Data Breaches and Hacking
Air Force Information Technology & Cyberpower Conference

Wally Prather | Senior Intelligence Analyst

Page 2

McAfee Confidential

Disclaimer

This document may contain PII and sensitive technical data on individuals and organizations from public and proprietary sources. The data in this presentation has been thoroughly scrubbed and redacted to protect the individual anonymity of any user data as much as is possible. Information in this document is intended for APG customers only. This document may not be distributed externally or reproduced in any form without express written permission of APG. If you are not the intended recipient or have received this document in error, please delete it from your systems and notify the sender immediately. APG is a division of McAfee and an industry leader in Digital Threat Intelligence and Cyber Security.

Page 3

Thesis

Proactive hacking against political targets is not new by any means. This is true regardless of political affiliation, country, religion, etc. The political hacks we will be discussing occurred between 2012 and 2017 and have shown the world that there is a huge need and desire to use political information for more effective propaganda. However, this presentation will not focus on politics but rather on how a competent foreign intelligence service would use this data for target development and effective propaganda. This presentation is not even about the data; it's about the process.

When exposed or leaked data comes into the public eye, what happens? News media skim through what they can, political opponents look for ammo, blame is placed, and lawsuits begin. What about the long game? A determined adversary would look at this data and ask: how can I develop assets and long-term access into specific organizations at the right level?

What does a senior intelligence analyst do with the data? This presentation by McAfee's Advanced Programs Group answers that question. All data presented has been anonymized and sanitized to protect any individuals and organizations.

This is what Foreign Intelligence Services are doing with the data, bet money on that.

Page 4

Overview

The following are subjects, methodologies, and targeting considerations for the aforementioned data sets.

- Data
- Doctrine
- What are foreign intelligence analysts looking for?
- Network Analysis
- Vulnerabilities
- Targets of Interest
- The Human Toll
- Further Application

Page 5

HUMINT Doctrine / From the BOOK!!!

HUMAN INTELLIGENCE

1-3. HUMINT is the oldest collection discipline and a key contributor to the all-source picture of the battlefield. HUMINT is the intelligence, to include adversary intentions, derived from information collected from people and related documents. It uses human sources acquired both passively and actively to gather information to answer intelligence requirements and to cross-cue other intelligence disciplines. HUMINT is produced from the collection on a wide range of requirements with the purpose of identifying adversary capabilities and intentions.

PERSONNEL

7-27. Personnel are individuals that may be of CI interest. These include ADVERSARY INTELLIGENCE PERSONNEL, insurgent leaders, KEY DECISION AND OPINION MAKERS, scientists, religious leaders, and terrorists. Individuals are evaluated on their level of cooperation, reliability, placement, and access.

- Scientists or technicians engaged or potentially engaged in projects of interest to US intelligence.
- LOCAL POLITICAL PERSONALITIES, police chiefs, HEADS OF SIGNIFICANT MUNICIPAL AND NATIONAL DEPARTMENTS OR AGENCIES, and tribal or clan leaders.

Sources: https://info.publicintelligence.net/CALL-CommandersGuideHUMINT.pdf

https://fas.org/irp/doddir/army/fm2-22-3.pdf

http://www.survivalschool.us/wp-content/uploads/ST-2-22.7-Tactical-Human-Intelligence-and-Counterintelligence-Operations.pdf

Page 6

Placement, Access, Accessibility

PAA +

Key personnel are individuals that may be of HUMINT interest. These include adversary intelligence personnel, insurgent leaders, key decision and opinion makers, scientists, religious leaders, and terrorists. Individuals are evaluated on their level of cooperation, vulnerabilities, reliability, placement, and access.

- P = Placement
- A = Access
- A = Accessibility

Sources: http://www.survivalschool.us/wp-content/uploads/ST-2-22.7-Tactical-Human-Intelligence-and-Counterintelligence-Operations.pdf

http://securityantiterrorismtraining.org/perspectives-for-indian-army/node/24

https://www.cia.gov/news-information/featured-story-archive/2010-featured-story-archive/intelligence-human-intelligence.html

http://www.dtic.mil/dtic/tr/fulltext/u2/a544850.pdf

https://www.smartrecruiters.com/syntelligent/72462737-humint-targeting-officer-junior

https://www.indeed.com/r/7e2b0b27469eaa70

http://www.spiaa.com/pdfdoc/SPI%20HUMINT%20Class-glassford.pdf

https://www.reid.com/pdfs/20140617a.pdf

Page 7

Mahmoud Ahmadinejad

Page 8

Placement, Access, Accessibility

PAA +

Key personnel are individuals that may be of HUMINT interest. These include adversary intelligence personnel, insurgent leaders, key decision and opinion makers, scientists, religious leaders, and terrorists. Individuals are evaluated on their level of cooperation, vulnerabilities, reliability, placement, and access.

- P = Placement
- A = Access
- A = Accessibility

Sources: http://www.survivalschool.us/wp-content/uploads/ST-2-22.7-Tactical-Human-Intelligence-and-Counterintelligence-Operations.pdf

http://securityantiterrorismtraining.org/perspectives-for-indian-army/node/24

https://www.cia.gov/news-information/featured-story-archive/2010-featured-story-archive/intelligence-human-intelligence.html

http://www.dtic.mil/dtic/tr/fulltext/u2/a544850.pdf

https://www.smartrecruiters.com/syntelligent/72462737-humint-targeting-officer-junior

https://www.indeed.com/r/7e2b0b27469eaa70

http://www.spiaa.com/pdfdoc/SPI%20HUMINT%20Class-glassford.pdf

https://www.reid.com/pdfs/20140617a.pdf

Page 9

A Doctrinal Approach

APG's Intelligence Cycle

Planning & Direction
• Can the customer consume intelligence?
• Identify cyberattack/threat and determine course of action and requirements to illuminate the adversary
• Contract finalization

Collection
• Dev Team Engineers build and leverage capabilities tailored to requirements
• Aggregate information from internal/external resources
• Dev Team works to turn complex technical data into consumable information
• Constantly refining requirements and collection

Processing & Exploitation
• Convert collected data into an understandable form: enriched, text-based data to a visual representation; attribution
• +35 years combined experience in All-Source Analysis, Technical Analysis, Reverse Engineering, and Malware Analysis

Production
• Combine visual representations, data, and industry reporting to create a comprehensive response to the attack/threat
• PhD & Principal Engineer editors
• Written for Executive consumption

Dissemination
• Private release only / NDA

Utilization
• Provides the end user the ability to generate courses of action: update/enhance security protocols; LE response
• Identify new requirements and reattack

Cycle diagram labels: Sales, Customer Requirements, APG Leadership, Capabilities Analysis, Industry Trends, Feedback Loop, Refine Requirements, Tool Development, Collection Plan, Structure Queries, Automation, Discovery Research, Analysis, Analytical Exchange, Outline Generation, Drafts, Peer Review, Edits & Rewrites, Formatting, Leadership Review, Final Draft, Product Presentation, Product Delivery, Customer Engagement, Lessons Learned, Implementation, Customer Feedback, Decision Points, Improvement, APG Research.

Page 10

Special Operations vs. The Hacker

The Iceberg Methodology

Iceberg labels: - OVERT - What the World Sees (above the line); - CLANDESTINE - Behind the scenes (below the line)

Special Operations
• Negotiated settlement; international strategic communications; large and minor military and paramilitary operations
• Increased political violence, terror, and sabotage; sapping of morale of government and LE; increased underground activities; intensification of propaganda
• Expansion of and coordination among resistance networks
• Spreading subversive cells into all sectors of life
• Penetration into professional, social, and political organizations

Hacker
• Ransom payments; extortion, DOXing, DDoS; large-scale data breach; minor hacks; hacktivist action
• Extorting insiders within a company; social engineering to gain access; gaining access to e-mail servers; stealing trade secrets; creating false accounts to gain access/propagate to outside companies; exfiltration of data from internal databases; attacks against SCADA systems; high-level attacks on ISPs for communication monitoring

Page 11

Data Management and Merging

Terms you need to know

Merging is a simple philosophy yet complicated. The basics are that through APG's analytical medium, ANB, we build Network Analysis Charts individually based on data. We then join the individual charts together to get a holistic view of the network.

Page 12

Marine Corp Logic Yut Yut Yut

Turning Data into Intelligence

Page 13

Constituent Services

DNC Contacts By Department

Page 14

Party Affairs

DNC Contacts By Department

Page 15

Technology / Democratic Policy Committee

DNC Contacts By Department

Page 16

New York / New York

Location Specific Data

Page 17

Financial Data

DNC Credit Cards

Page 18

Creating lists in Excel makes life easy for the analyst.

Friends of HRC List

Page 19

Follow the Money

Donor Specific Targeting / Merging

Data sets merged: Clinton Foundation Donors (Free Beacon); Clinton Foundation 25K+; Donors By MM 1 and 2; Donors 1

Page 20

The Mean Green Machine

Financial Merge

Page 21

Focused Financial Targeting

Page 22

Focused Financial Targeting

Page 23

THE MERGE Large Cluster

Page 24

Big Network = Big Trouble / 41151 Emails

Clinton Emails

Page 25

Color Coded / Flow of Information

Clinton Emails

Page 26

Cross Section Exploitation

Clinton Emails

Page 27

Emails Merged With Donor Info and Personnel Data

Clinton Emails

Page 28

Tailored Phishing Campaigns

Risk of Subculture Backlash

At minimum there are 1,800,000 individual email addresses in the data.

Page 29

LGBT and the DNC

For this exercise we felt it important to show that in addition to a clear level of political compromise there is also a HUMAN factor that hasn't been discussed.

The DNC kept multiple lists pertaining to LGBT events, supporters, staff, donations, etc.

We merged 6 Excel sheets.

Remember the RED star

Page 30

LGBT Merge

Page 31

Everyone Meet Steve

Target Selection

Steve is a xxx founder and partner, and is widely recognized as one of D.C.’s preeminent political strategists. With a career on Capitol Hill and in politics spanning more than 30 years, Steve’s tenure in Washington has been grounded in daily interaction with the White House, administration officials, senators, members of Congress and leading interest groups on the front lines of the economic, social, domestic, national security and foreign policy debates in the last decades. Steve rose to the highest level Democratic staffer in the House of Representatives as Chief of Staff to House Democratic Leader Richard Gephardt, and upon leaving the Hill served as a senior advisor to the Gephardt, Kerry and Clinton presidential campaigns. Since 2006, Steve has represented some of the nation’s most important corporations, trade associations and organizations on critical legislative and regulatory issues, helping to drive their businesses, build their brands and expand their market shares. He has been a frequent guest on CNN, MSNBC and Fox News, and is consistently listed among the most influential leaders in Washington by Politico, The Hill, GQ and other national publications.

Page 32

Steve’s Network

Target Development

What's in it?

1. Personal Data from multiple sources
2. Social Network Data
3. Employment Data
4. Library of Congress Data
5. Clients
6. Political Events / Fund Raisers
7. Talks
8. Education
9. Emails

Page 33

Steve’s Companies

Target Development

Page 34

Clients

Target Development

Page 35

The big question: how can this be applied to other target sets? Using the intelligence cycle combined with HUMINT, human targeting, special operations and irregular warfare network analysis methodologies, we are able to take data from any source and build, map and develop targets, networks, or accurate representations of a cyber and human network. Instead of chasing the bright and shiny object, we look under the surface and exploit the underlying factors creating the issue.

Further Application

Page 36

Indicators of Compromise for APT 10

APT 10

Page 37

Indicators of Compromise for APT 10

APT 10

Page 38

Merging IOCs

Other IOC Examples

Page 39

Indicators of Compromise

APT 28

Page 40

BIG View Top 10 Ransomware of 2016 Initial Merge

- Cerber
- Crowti
- Hydracrypt
- Shade
- Cryakl
- Powerware
- Cryptolocker
- Teslacrypt
- Locky
- Cryptowall

Page 41

IOC Networks – Top 10 Ransomwares of 2016

They "Inter-connect"

Families shown: Cryptowall, Cryptolocker, Crowti, Teslacrypt

There are intersections pre-enrichment in the IOCs. This indicates common infrastructure. More exploitation to follow.

Page 42

IOC Networks – Top 10 Ransomwares of 2016

Inter-connections

Page 43

Cryptocurrency Extortion

This slide specifically outlines the existing Bitcoin Wallets that have been used by DD4BC

DD4BC & Ashley Madison

DD4BC specializes in the extortion of companies, websites, and people through advanced DDoS attacks. A typical TTP of DD4BC is to extort Bitcoin from the aforementioned users to stop the DDoS attack.

DD4BC seems to reuse Bitcoin wallets for multiple attacks; the same Bitcoin wallets that were used to extort Ashley Madison users have been used in various other attacks.


Page 44

Transactions associated with IP address 130.185.144.96; this IP has been flagged as malicious, is located in the UK, and has 14 domains connected to it.

Tracking cryptocurrency, tumblers, and connecting networks.

WannaCry Ransomware Transactions

Page 45

The Pareto Distribution Applied to Indicators of Compromise

Pareto Distribution

It's a square root law: if you look at the number of people in a given domain who are producing, the square root of that number produce half the product. So that means if you have 10 employees, 3 of them do half the work. So if you have a thousand employees, 100 do half the work or more…

The Pareto Distribution (also known as the 80/20 rule, the law of the vital few, or the principle of factor sparsity) states that, for many events, roughly 80% of the effects come from 20% of the causes. ... Pareto developed both concepts in the context of the distribution of income and wealth among the population.

Page 46

Indicator of Compromise Merge Highlighted Inner Network

Adwind Pareto Distribution

The largest cluster contains an inner and an outer network. The inner network, whose icons are highlighted in red and which can be viewed in the next section, should be treated with a higher level of scrutiny due to its centrality and importance in the network hierarchy.

Page 47

Inner Network

The inner network of the main large cluster. The network below identifies the Pareto distribution within the IOC network for Adwind. What this means, basically, is that within a network there is a distribution of effort that is likely around 80/20. The network below is likely the 20% of the Adwind RAT that is responsible for 80% of the payload. Further enrichment will be conducted in the future to exploit how the inner network works, specifically with regard to Adwind's operational capabilities.
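The merge step from the ransomware IOC slides (indicators shared across families, i.e. the "inter-connections") and the Pareto check described here, as an added example that is not part of the presentation or of APG's ANB workflow. The IOC sets are constructed placeholders (RFC 5737 documentation IPs and .invalid domains), and the family names are used only as labels.

```python
# Example added here, not from the presentation: merge per-family IOC lists into one
# network, find the inter-connections, and measure how concentrated the network is.
# All indicators are constructed (RFC 5737 documentation IPs, .invalid domains).
import math
from collections import defaultdict
from itertools import combinations

# Constructed IOC sets keyed by ransomware family (placeholders, not real indicators).
IOC_SETS = {
    "Cryptowall":   {"192.0.2.10", "c2-a.invalid", "pay-1.invalid", "cw-only.invalid"},
    "Cryptolocker": {"192.0.2.10", "c2-a.invalid", "drop-7.invalid"},
    "Crowti":       {"192.0.2.10", "c2-a.invalid", "198.51.100.5"},
    "Teslacrypt":   {"192.0.2.10", "198.51.100.5", "pay-1.invalid", "tc-only.invalid"},
    "Cerber":       {"192.0.2.10", "c2-a.invalid", "203.0.113.9"},
    "Locky":        {"203.0.113.77", "locky-only.invalid"},
}

def merge(ioc_sets):
    """The merge: a bipartite network, indicator -> families that used it.
    An indicator's degree is how many families point at it."""
    merged = defaultdict(set)
    for family, iocs in ioc_sets.items():
        for ioc in iocs:
            merged[ioc].add(family)
    return dict(merged)

def intersections(merged):
    """Indicators on more than one family's list: the pre-enrichment intersections
    that suggest common infrastructure. Enrich before concluding: a sinkhole or
    shared hosting IP also shows up as a hub."""
    return {ioc: sorted(fams) for ioc, fams in merged.items() if len(fams) > 1}

def family_links(merged):
    """Family pairs joined by a shared indicator -> the indicators linking them."""
    links = defaultdict(set)
    for ioc, fams in merged.items():
        for a, b in combinations(sorted(fams), 2):
            links[(a, b)].add(ioc)
    return dict(links)

def isolated_families(ioc_sets, merged):
    """Families whose indicators appear on no other list (no inter-connections)."""
    return {f for f, iocs in ioc_sets.items() if all(len(merged[i]) == 1 for i in iocs)}

def ranked(merged):
    """Indicators by descending degree, ties broken by name for determinism."""
    return sorted(merged.items(), key=lambda kv: (-len(kv[1]), kv[0]))

def inner_network(merged, share=0.5):
    """Smallest top-degree prefix carrying at least `share` of all edges, and the
    fraction it carries. share=0.5 is the 'square root law' framing (a few nodes
    do half the work); share=0.8 is the 80/20 framing."""
    total = sum(len(fams) for fams in merged.values())
    inner, covered = [], 0
    for ioc, fams in ranked(merged):
        inner.append(ioc)
        covered += len(fams)
        if covered / total >= share:
            break
    return inner, covered / total

def concentration(merged, top_frac=0.2):
    """Fraction of edges carried by the top `top_frac` of indicators by degree.
    Near 0.8 for top_frac=0.2 is the Pareto shape the slides describe."""
    total = sum(len(fams) for fams in merged.values())
    k = max(1, math.ceil(top_frac * len(merged)))
    return sum(len(fams) for _, fams in ranked(merged)[:k]) / total

if __name__ == "__main__":
    net = merge(IOC_SETS)
    print("shared indicators:", intersections(net))
    print("families with no inter-connections:", isolated_families(IOC_SETS, net))
    print("inner network (half the edges):", inner_network(net))
    print("edges carried by top 20% of indicators:", round(concentration(net), 3))
```

On this constructed data 3 of 10 indicators carry more than half of all family-to-indicator edges, while Locky shares nothing and so should not be folded into the "common infrastructure" conclusion without further enrichment.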

Adwind Inner Network

Page 48

WannaCry Ransomware Transaction B

Transaction B is associated with IP address 130.185.144.96; this IP has been flagged as malicious, is located in the UK, and has 14 domains connected to it.

Due to unforeseen technical difficulties Bitcoin transaction B has not been fully exploited.

Page 49

Closing Statements

Page 51

McAfee, the McAfee logo and [insert <other relevant McAfee Names>] are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the U.S. and/or other countries. Other names and brands may be claimed as the property of others. Copyright © 2017 McAfee, LLC.