Hack3rcon V presentation by @tothehilt and @synackpwn on the current state of 'cyber threat intelligence', how scanning CONPOTs make you OMG CHINA, and other nonsense in the industry.
8. OMG Chattanooga?
However, DouceNoozle Inc founder and Chief Technical Officer Herbert A Derp points out that nation-states sometimes launch attacks from computers within their own borders because they control the Internet there and can ensure the computers won't get taken offline.
10. "The scans were to honeypots, so there is no reason for any traffic to be going to these systems."
"We found almost nothing publicly available about this IP."
"They run no legitimate services and have no DNS entries, so any traffic to them is suspicious, especially traffic to tcp port 102 that conforms to the S7comm spec."
20. What is (Real)Intel Analysis?
- Develop specific expertise, discern patterns of complex behavior, and provide an accurate understanding of present and future threats.
- Apply highly developed inductive reasoning skills to provide a proactive approach to potential threats.
- Navigate a variety of records, reports, miscellaneous communications, case files, and other sources to support research and analysis.
- Initiate, establish, and maintain effective working relationships inside and outside the FBI.
What makes a good IA? According to Marita Cook, a strategic analyst at FBI Headquarters, "You have to be very data oriented. You need to understand the data and how all the pieces can be used together to see the larger picture. You need to be intrigued by questions—why are things happening the way they are? And above all," she said, "you have to be persistent, following every lead to its logical conclusion."
Find Meaningful Patterns in Meaningless Noise
21. What is it Not?
Data Visualization ≠ Intel Analysis
22. Magic Quadrant
Level 0: Just scanning shit - No obfuscation needed
Level 1: Non attribution - Still legal
Level 2: Non attribution - Probably illegal
Level 3: OMG NSA - Going to GITMO
23. Level 0
The 'ErrataRob' Model - Fuck you, I can scan what I want and I'm going to let you know about it
24. Level 1
The 'I Don't Want to Be Weev' Model - Still legal, but you don't want to deal with the hassle
Active scanning, browsing, FTP, etc. Not attacks, just using the services available.
25. Level 2
The 'Internet Census 2012' Model - Illegal tactics for the greater good (mostly harmless)
26. Level 3
The 'Swat Brian Krebs' Model - I just want to cause harm on the internet, because lulz.
27. "NextGen Threat Intel"
Level 0 - OMG APTCHINA: Pings and port scans are tagged as advanced attacks from adversaries.
Level 1/2 - Noise: Just obfuscated enough for them to not care, activity not interesting enough to investigate.
Level 3 - Nation State Attention: FBI/NSA is on your ass.
28. Master De/b/ater
If you're not doing anything wrong, then you have nothing to hide.