-
As German defense minister Ursula von der Leyen can attest, fingerprints can be hacked. So can facial and other biometrics. Why, then, is biometric-based authentication so fashionable? Why did one of the largest insurance companies just announce it is rolling out fingerprint and facial recognition for its customers (while it uses Symantec VIP for internal employees)? Did product management and marketing conduct a study that concluded customers feel safer with fingerprint and facial recognition?
Apple’s Touch ID and VISA’s integration with it are shaping the fashionable trend faster than a Milan runway. Hopefully these short hemlines will fade soon. Apple’s senior vice president, Dan Riccio, irresponsibly claims, “Fingerprints are one of the best passwords in the world.” He probably understands it is easy to reset a password. He probably does not understand how hard it is to reset his fingerprints. Truly the inmates are running the asylum.
This talk will include an overview and demo of the Open Threat Exchange (OTX) and describe some of its information sources, including anonymous sharing from Open Source Security Information Management (OSSIM). Jaime will share some of his experiences using OTX as a security researcher. He will also provide his thoughts on how OWASP members can benefit from security research and threat intelligence to "build in" security rather than constantly reacting.
Taking the Attacker Eviction Red Pill (v2.0) - Frode Hommedal
This presentation is about how you can structure your analysis to increase the chances of success when attempting to evict an advanced attacker. It's my thoughts on how to think when deciding how and when to respond and attempt to evict a mission driven attacker from your infrastructure. This is a continuation of my previous work on the Cyber Threat Intelligence Matrix.
P.S. The concepts are still work in progress, and the slide deck is a bit rough around the edges, but I hope it can spark some ideas and help you out. If you have feedback I would also greatly appreciate hearing from you, e.g. on Twitter (@FrodeHommedal).
Jerod Brennen - What You Need to Know About OSINT - centralohioissa
Open Source Intelligence Gathering (OSINT) is growing in popularity among attackers and defenders alike. When an attacker comes knocking on your network's front door, the warning lights go off in multiple systems (IDS, IPS, SIEM, WAF). More sophisticated attackers, however, spend considerable time gathering information using tools and techniques that never touch any of your systems. As a result, these attackers are able to execute their attacks and make off with proprietary data before you even know they are there. This presentation provides an introduction to many OSINT tools and techniques, as well as methods you can use to minimize your exposure.
Effective Threat Hunting with Tactical Threat Intelligence - Dhruv Majumdar
How to set up a Threat Hunting Team for Active Defense utilizing Cyber Threat Intelligence and how CTI can help a company grow and improve its security posture.
Ed McCabe - Putting the Intelligence back in Threat Intelligence - centralohioissa
What is Threat Intelligence? It's more than raw source feeds and technical information.
If you ask most vendors, they talk about their lists of "bad" IP addresses and domain names, which don't enable the business to make informed decisions on assessing risk and taking action; it lacks -- well, intelligence.
We'll cover what Threat Intelligence is, why analysis is an important factor and methods available to analyze raw data.
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pill - Frode Hommedal
When you are responding to severe intrusions, it has been gospel for years to observe, learn and plan before you start cleaning up. This is very sound advice, and probably the only way you can successfully evict a determined and mission-driven adversary from your networks. But when is the right time? When do you actually know enough to evict, and more importantly, resist immediate re-entry? Enter the Cyber Threat Intelligence Matrix.
The Internet is on fire – don't just stand there, grab a bucket! - Frode Hommedal
The Internet is on fire, and every connected device and user is at risk. How did we get here? By not seeing the dangers ahead, by being lazy and by not understanding the threats we are facing and the consequences of failing at building secure and robust infrastructure. This needs to change, and you need to contribute.
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen... - MITRE ATT&CKcon
This session discusses Deloitte’s purple teaming approach, which uses ATT&CK as a guiding principle to help both teams improve.
This session shows how this works in a customer scenario: from how to scope and plan that scenario and choose the various TTPs to be covered, to how we assist the customer's blue team in understanding those TTPs and designing detective capabilities for them.
When the Blue Team is able to connect the dots between offensive activities in the network and what they see in their logs, firewalls, SIEMs, etc., they have the ability to fully understand what adversaries do and what the TTPs of attackers actually look like if they are active in their network.
It’s much easier to find the needle in the haystack if you know there is a needle to find to begin with. Purple teaming is providing this pointy needle, used to accelerate the Blue Team.
Uncovering ICS Threat Activity Groups for Intelligence-Driven Defense: Dragos has released information about eight threat activity groups that have targeted industrial companies. These groups range from espionage, to learning industrial environments for future effects, to causing a power outage and targeting human life directly. But what are threat activity groups? They are different than what is normally tracked in the community as threat actors and have a different focus for defenders.
Social Engineering - Strategy, Tactics, & Case Studies - Praetorian
For many organizations, the human element is often the most overlooked attack vector. Ironically, people are typically one of the easiest vulnerabilities to exploit and an attacker needs little more than a smile or email to completely compromise a company. With targeted attacks on the rise, organizations must understand the risk of social engineering based attacks. The purpose of this presentation is to examine common physical, phone, and Internet based attacks. Real world case studies are included and recommendations are provided that will help mitigate this growing threat.
Praetorian's goal is to help our clients understand and minimize their overall security exposure and liability. Through our services, your organization can obtain an accurate, independent security assessment.
Presentation from 2018 RSA Conference
2018 could be the year we see the first battle of the AI bots… Cyber-criminals build systems that can ‘learn’ and adapt to defenses:
- Nachi worm: exploited an RPC vulnerability, removed Blaster and installed patches
- Mirai: a zombie malware strain that enslaved “Internet of Things” (IoT) devices
- Reaper and IoTroop: computer worms built to spread automatically, still to be unleashed…
- Artificial intelligence researchers warn re: internet-connected robots, with hundreds calling on governments to ban weaponized robots.
Bots are becoming one of the fastest growing trends, with intelligent reasoning, messaging and conversational interfaces.
This session will review techniques for navigating different personalities using the vocabulary of traditional hacking. Determine what “operating system” they are running. What patches are in place? What vulnerabilities can you exploit? What configuration issues does this person have? The results of the "hack" will help you work with the different personalities revealed.
(Source: RSA USA 2016-San Francisco)
Preparation, Activities, Challenges.
How do you start a career in Cyber Security?
What do you need to prepare?
What routines and activities does the job involve?
Find out more in my presentation (Jakarta, 24/06/2020).
Birds of a Feather 2017: Invited talk: Glance into the Enterprise InfoSec Field - Howard - HITCON GIRLS
10 December 2017 - Birds of a Feather (BoF for short) literally refers to birds flocking together with their own kind; the term was later extended to mean bringing like-minded people together or holding an informal gathering.
https://hitcon-girls.blogspot.tw/2017/12/Birds-of-a-Feather.html
Taking the Attacker Eviction Red Pill [updated] - Frode Hommedal
This presentation is about how you can structure your analysis to increase the chances of success when attempting to evict an advanced attacker. It's my thoughts on how to think when deciding how and when to respond and attempt to evict a mission driven attacker from your infrastructure. This is a continuation of my previous work on the Cyber Threat Intelligence Matrix.
HITB2013AMS Defending the enterprise, a Russian way! - F _
This presentation was delivered at HITB 2013 Amsterdam as a lab session on enterprise defensive techniques and covers a range of aspects, from drive-by download attacks to targeted mails.
Threat intelligence is information that informs enterprise defenders about adversarial elements so that they can stop them.
It is information that is relevant to the organization, has business value, and is actionable.
Even if you have all the data and feeds, data alone isn’t intelligence.
#Threat #Intelligence #Forensics #ELK #Forensics #VAPT #SOC #SIEM #Incident #D3pak
The clash of the open Internet and espionage was inevitable. Enjoy the show as we learn how espionage adapts to the fifth domain.
Video of the talk here: youtu.be/qlk4JDOiivM
Click and Dragger: Denial and Deception on Android mobile - grugq
A presentation on OPSEC for mobile phones, covering the design and reasoning behind the CryptogenMod ROM and the DarkMatter app.
Source for DarkMatter: https://github.com/grugq/darkmatter
This is a working document for presentation to Cyber Security Professionals concerning a tactical mindset for securing cyberspace within organizations. High level; case studies can be added, with more content to come in Dec 2010 for the European, UK and German presentation. Feel free to respond to add to the brief. Requires Notes.
UN session about the modern ICT threat landscape.
The session aimed to introduce recent threats targeting UN agencies and some potential recommendations to improve detection, investigation and understanding of these threats and their goals.
Individual Project #1 You are an intelligence analyst for the Feder.docx - widdowsonerica
Individual Project #1
You are an intelligence analyst for the Federal Bureau of Investigation (FBI) assigned to the Counterintelligence (CI) Division. The FBI’s CI Division has been involved in the field of CI for decades. During this period, the CI division has conducted thousands of CI investigations, many of which have had a major impact on the history and national security of the United States. It is important as an intelligence analyst with the CI Division to have a clear understanding of these cases and to learn from both its past CI successes and failures.
You have been asked by your supervisor to research major espionage cases to produce an intelligence assessment from a historical perspective that will help to recognize anomalies that might indicate the presence of espionage and assist in the neutralization process in the future.
Assignment Guidelines
For this assignment, you must write a counterintelligence case study, approximately 750–1,000 words in length, on one of the following major espionage cases:
Robert P. Hanssen
Aldrich H. Ames
Ana B. Montes
John A. Walker
For your selected case study, you will address the following in detail:
Who
What was this person's personal background?
What was this person's professional background?
Were there any accomplices? If so, explain.
Which foreign powers were involved?
When
When did the espionage begin?
For how long did the espionage continue?
When was the spy apprehended?
Where
Where did the espionage take place?
Consider military intelligence, U.S. soil, agency/rank, and so on.
What
What information was being leaked?
For what purposes could that information have been used?
How
How was the information taken from U.S. facilities or databases? Explain in detail.
How was the information delivered to the foreign power or powers? Explain.
How was the spy apprehended? Explain.
Why
What was the motivation for the espionage? Explain.
Answer the following questions as well:
What lessons were learned after the selected case concluded?
What impact did this particular case have on U.S. policies and operational standards?
Consider successful and unsuccessful investigative techniques, implications, and recommendations.
Compile your responses in your final case study, and submit the file to your instructor.
All sources must be referenced using APA style.
Individual Project #2
You are an intelligence analyst for the Federal Bureau of Investigation (FBI) assigned to the Counterintelligence (CI) Division. You have been embedded on the Kartesia Country Team and are responsible for producing a counterintelligence assessment to forecast the potential counterintelligence threat posed by Kartesia.
For many years, Kartesia and the United States have been political and economic adversaries. Kartesia, which is led by an oppressive dictatorship, has long feared that the United States will initiate military action against it to topple the regime and institute a democratic form of government. Although K.
External Attacks Against Privileged Accounts - How Federal Agencies Can Build... - BeyondTrust
This presentation examines the types of attacks that try to exploit privileged credentials, particularly in a governmental environment, and explores defensive strategies to bring privileges, and the associated threats, under complete visibility and control.
Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical)
Presentation on cyber warfare, recent examples, current capabilities of the major players, and issues relating to the advancement of cyber warfare and cyber security in the United States. The Cyber War Forum Initiative is promoted for its role in solving many elements of the issues facing the US.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... - James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. A constant focus on speed to release software to market, combined with traditionally slow and manual security checks, has left gaps in continuous security, an important piece of the software supply chain. Today organizations feel more susceptible to external and internal cyber threats because of the vast attack surface of their application supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Connector Corner: Automate dynamic content and events by pushing a button - DianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Transcript: Selling digital books in 2024: Insights from industry leaders - T... - BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
GraphRAG is All You need? LLM & Knowledge Graph - Guy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality - Inflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
DevOps and Testing slides at DASA Connect - Kari Kakkonen
My and Rik Marselis's slides from the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is, and finally what Testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find different ways to think about quality and testing in different parts of the DevOps infinity loop.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 - Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Leading Change strategies and insights for effective change management pdf 1.pdf
An Underground education
An Underground Education
Lessons in Counterintelligence from History's Underworld
@thegrugq
- Insight into the opposition's techniques/processes
- Develop countering tactics
- Analyze security posture for weaknesses
- Develop remediations
- Ongoing process

- Adjust to remedy unique vulnerabilities and/or adversarial strengths
- Greatly benefits from access to adversarial know-how
- Active penetrations of the adversary are very useful here

- Provide the adversary with false information
- Deceive the adversary into taking futile action
- Deceive the adversary into not taking action
- Mostly irrelevant for hackers
- Misdirection could be valuable, maybe.

Hierarchical vs. Flat
- Flat can react faster
- Hierarchical can enforce good practices
- Flat leads to poor compartmentation
- Hierarchical increases the value of high-level penetrations
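The Hierarchical vs. Flat trade-off can be made concrete by counting what a single compromised member exposes. The Python below is an added illustration, not from the original slides: it builds two constructed toy networks of nine members each (a clique, and a leader/lieutenant/cell tree), models "knows" as an undirected edge meaning each side can identify the other, and measures exposure at depth 1 (what one arrested member can name) versus a full roll-up (every caught member in turn gives up their contacts). The function and node names are assumptions for the example.

```python
"""Compartmentation blast radius: flat clique vs. hierarchical cells.

Added illustration, not part of the original deck. Graphs are constructed
toy data; an edge a-b means a and b can identify each other.
"""
from collections import deque
from statistics import median


def build_flat(n):
    """Every member knows every other member: no compartmentation at all."""
    names = [f"f{i}" for i in range(n)]
    return {a: {b for b in names if b != a} for a in names}


def build_hierarchy(branches, cell_size):
    """One leader ('boss'), `branches` lieutenants, `cell_size` members per cell.
    Cell members know only their lieutenant; lieutenants know only the boss
    and their own cell."""
    graph = {"boss": set()}
    for b in range(branches):
        lieutenant = f"lt_{b}"
        graph["boss"].add(lieutenant)
        graph[lieutenant] = {"boss"}
        for m in range(cell_size):
            member = f"m_{b}_{m}"
            graph[lieutenant].add(member)
            graph[member] = {lieutenant}
    return graph


FLAT = build_flat(9)                                   # 9 members, complete graph
HIERARCHY = build_hierarchy(branches=2, cell_size=3)   # 1 + 2 + 6 = 9 members


def exposure(graph, seed, depth=1):
    """Members an adversary can identify starting from one compromised node.

    depth=1    -> only the people the seed can name directly.
    depth=None -> full roll-up: everyone reachable if each caught member talks.
    The seed itself is not counted."""
    seen = {seed}
    frontier = deque([(seed, 0)])
    while frontier:
        node, dist = frontier.popleft()
        if depth is not None and dist >= depth:
            continue
        for contact in graph[node]:
            if contact not in seen:
                seen.add(contact)
                frontier.append((contact, dist + 1))
    return seen - {seed}


def exposure_profile(graph, depth=1):
    """Exposure size for every possible single point of compromise."""
    return {node: len(exposure(graph, node, depth)) for node in graph}


def summary(graph):
    """Worst and typical depth-1 exposure, plus the full roll-up size."""
    direct = exposure_profile(graph, depth=1)
    return {
        "worst_direct": max(direct.values()),          # value of the best target
        "median_direct": median(direct.values()),      # what a typical arrest yields
        "full_rollup": max(exposure_profile(graph, depth=None).values()),
    }


if __name__ == "__main__":
    for name, graph in (("flat", FLAT), ("hierarchy", HIERARCHY)):
        print(f"{name:10s} depth-1 per node: {exposure_profile(graph)}")
        print(f"{name:10s} summary: {summary(graph)}")
```

In the flat clique any single arrest names all eight peers, which is the "poor compartmentation" point; in the hierarchy a typical member names one person, but the lieutenants and the boss are worth four and two immediate contacts respectively and sit on every roll-up path, which is what "increases the value of high-level penetrations" means in numbers. The full roll-up is eight in both cases: structure limits what one compromise yields directly, while whether the roll-up completes depends on the discipline covered on later slides (rules against informants, failsafe triggers).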
28. Tight vs. Loose
Loose, each node has a unique CI signature,
harder to attack efficiently
Tight, can enforce CI discipline better
Loose, can have poor practices and CI
resources
Tight can be rigid, introducing systemic CI
vulnerabilities
34. Highly capable adversary
Strong intelligence capabilities
Experienced and knowledgeable
Low capability adversary
Floundering reactionary moves that are
ineffective and make people angry
36. Adversarial resources available for
Performing intelligence gathering
Analysis
Follow up actions
Agency resources for counterintelligence
Dedicated CI team(s)
43. Professional ThievesProfessional Thieves
Historical class of professional grifters
From 1890s to 1940s in America
Self identify as thieves (honorific)
Thieve argot used to demonstrate membership
A large community of practice
48. Professional Thief Assets
Core skill was “larceny sense”
Experience-derived cunning
Access to fixers and fences
Social network with memory for vetting members
49. Rules for effective thievery
Steal one item at a time
Stash it at a drugstore or restaurant
Mail it back home to a friend
Never keep it at home / in car
Never grift on the way out
50. Rules, cont.
Never draw attention to a working thief
Never fail to draw attention to an adversarial threat
Failsafe triggers to indicate problems, e.g. arrest
51. Strict rules against informants (“rats”)
Violent retaliation against “rats” was sanctioned
52. Heavy investment in fixers to limit and handle problems
Little/No adaptive denial capabilities
Adversary maintained fixed capabilities
No competitive adaptation
55. Controlled Territory
Nation state protected hackers
Russia, China, etc.
Political protection: e.g. USA hacking Iran
Secure private servers and channels
Unmonitored information transfer
58. Basic Denial
Vetting of members
Pseudonymity
Limited compartmentation
Internal to a group
But... gossip spreads far and fast
59. Adaptive Denial
Limited sensemaking from colleagues’ busts
Over-reliance on technical protections
No case, ever, of a hacker penetration of LEO resulting in actionable intel to adapt
60. Covert Manipulation
Occasional poor attempts at framing others
ProFTP AcidBitches hack
Nation state level, certainly happens
False flag attacks
What is the cost of a VPS in Shanghai?
61. Hacker Community of Practice
Informal community
Social groups connected via social media
Sharing of metis via formal and informal means
Zines, papers, blog posts, chats
62. Communities of Practice
Three main hacker communities
English
Russian
Chinese
Clustered by language of information exchange
63. Communities of Practice
Operate inside controlled territory
Russian
Chinese
Operate in hostile environment
English
64. Comm of P. CI
Controlled territory provides protection against adversarial intelligence collection
Discourages robust operational security practices
Hostile environments force adaptation
Darwinian selection
65. “Favorable elements in any operational situation should be taken advantage of, but not by relaxing vigilance and security consciousness.” (Soviet doctrine on clandestine operations)
Counterintelligence: Theory and Practice. After the adversary knows there is something to look for, the game begins. You can’t go back underground. :(
Dual-pronged approach. On the one hand, learn how the adversary works and attempt to work around those strengths/capabilities. On the other, look at organisational weaknesses and address them. Iterative. Best if there is a penetration into the adversary to monitor how they function.
Colombian narco-traffickers used court discovery heavily to discover the Tactics, Techniques and Procedures of the adversary. The PIRA started to do the same thing later in their struggles, forcing the .gov to reveal details.
The adversary has multiple channels for receiving information; you have to send fake signals down them all: HUMINT, technical penetrations, open-source INT, etc.
The capabilities of the adversary are described as “intelligence threats” that can be used to gain information about the agency.
HUMINT, SIGINT, ... OSINT
HUMINT is the biggest threat. Many sources, from forcing someone to “turn state’s evidence”, to undercover operations, to recruiting someone in place/defections... LulzSec’s collapse ultimately stems from a single individual leaving Anonymous and dumping IRC logs in public.
FinSpy, etc.
Factors that contribute to the group’s CI strengths and vulnerabilities.
Tightly controlled organisations react slowly and can develop rigid CI practices. This makes them exploitable.
We’ll see that later, with China and Russia.
Not really an issue for hackers, but thieves faced a hostile population.
The way that adversarial groups learn and adjust to each other’s behaviour is well studied. It is a subset of organizational learning: competitive adaptation, in which two adversarial groups learn from and adjust to each other’s strengths and capabilities.
Setbacks: “flaps” in intel speak.
Perfectly suited for their time, the professional thieves failed to exhibit adaptive denial and learn from competitive adaptation. They were Darwinian-selected out of modern society. The lesson here for hackers is simple: either adapt where the thieves didn’t, or enjoy your fading golden years...
Autocratic groups survive better than democratic groups in the face of adversarial competition
Example: a tale of two thieves boosting from a store. Thief A doesn’t get the alert from B, already has the item in a suitcase, sees the shopkeeper, approaches and demands to see the manager. A is taken to the manager while B collects the suitcase and leaves. Thief A is then confused, and walks out.
Lots of codes and signs: “nix” for coppers around; changing the conversation to prevent people; always punctual to meetings, the only reason to be late is arrest, and the mob will break up; always call someone at a fixed time at the end of the day, and on failure they assume arrest and search.
“A professional thief will never say anything dangerous, and someone who is not a professional thief doesn’t know anything dangerous to say.”
After the adversary changed their game, lost the corruption and the “old style police work”, the professional thieves’ days were numbered. The environment became too hostile to support them in numbers.
Denial, Insight, Manipulation
Interesting that two of the three communities are operating in controlled territory, where they have carte blanche to operate, provided they avoid antagonizing the local authorities.