Digital Channel Forum, Spring Edition - Milano, 23 May 2019, by CIPS Informatica
From theory to practice: Hacker's Profiling and a live demo on the Dark Web
(with particular attention to Data Breaches).
Raoul «Nobody» Chiesa
Agenda
HPP – The Hacker’s Profiling Project
Evidences from Field Operations
CTI - Cyber Threat Intelligence
Dark Web “live session”
Q&A
Disclaimer
The information contained in this presentation does not infringe any intellectual property, nor does it indicate tools and/or information that could constitute a violation of the laws in force.
The statistical data presented are the property of the "Hacker's Profiling" Project promoted by UNICRI and ISECOM.
The trademarks cited belong to the owners who registered them.
The opinions expressed are those of the author(s) and speaker(s) and do not reflect the opinions of UNICRI or of other bodies and/or agencies of the United Nations, nor the opinions of ENISA and its PSG (Permanent Stakeholders Group), of CIPS Informatica or of Security Brokers.
The contents of this presentation may be quoted, on the sole condition that the source is cited, but may not be reproduced in full.
The Speaker
President and Founder, The Security Brokers
Founder, Swascan.com
Independent Special Senior Advisor on Cybercrime @ UNICRI (United Nations Interregional Crime & Justice Research Institute)
Roster of Experts @ ITU (UN International Telecommunication Union)
Former PSG Member, ENISA (Permanent Stakeholders Group @ European Union Network & Information Security Agency)
Founder, CLUSIT (Italian Information Security Association)
Steering Committee, AIP/OPSI (Privacy & Security Observatory)
Board of Directors, ISECOM (Institute for Security & Open Methodologies)
OSSTMM Key Contributor (Open Source Security Testing Methodology Manual)
Board of Directors, OWASP Italian Chapter
Cultural Attaché and Scientific Committee, APWG European Chapter
Former Board Member, AIIC (Italian Association of Critical Infrastructures)
Supporter of several security communities
Once upon a time…
Black-hat: those who violate information systems, with or without personal advantage. They have rallied on the "bad" side, crossing the clear demarcation line between "love for hacking" and the deliberate execution of criminal actions. For these actors it is normal to violate an information system, penetrate its most secret recesses, steal information and, given their hacker's profile, resell it, e.g. to foreign countries ("Hagbard" and "Pengo" [DE] – The Cuckoo's Egg, 1989).
Grey-hat: those who don't want to be labeled "black or white" and may consider themselves "ethical hackers". They often could have performed intrusions into information systems, but have decided not to take this approach.
White-hat: also called "hunters", they have the skills needed to be a black-hat, but have decided to side with "the good guys". They collaborate with the Authorities and the Police, they are in the front row of anti-computer-crime operations, they advise governments and companies; in their lives they don't usually violate computer systems, or if they do, it is never for criminal purposes or economic gain.
“The day money became the focus of malware
is the day the Internet changed.”
Graham Ingram, AusCERT GM
HPP
Modus Operandi (MO)
Evaluation and correlation standards
Lone hacker or member of a group
Motivations
Selected targets
Relationship between motivations and targets
Hacking career
Principles of the hacker's ethics
Crashed or damaged systems
Perception of the illegality of their own activity
Effect of laws, convictions and technical difficulties as a deterrent
The 9 emerged profiles

OFFENDER ID | LONE / GROUP HACKER | TARGET | MOTIVATIONS / PURPOSES
Wanna Be Lamer, 9-16 years, "I would like to be a hacker, but I can't" | GROUP | End-User | For fashion, it's "cool" => to boast and brag
Script Kiddie, 10-18 years, the script boy | GROUP (but they act alone) | SME / Specific security flaws | To give vent to their anger / attract mass-media attention
Cracker, 17-30 years, the destructor, burned ground | LONE | Business company | To demonstrate their power / attract mass-media attention
Ethical Hacker, 15-50 years, the "ethical" hacker's world | LONE / GROUP (only for fun) | Vendor / Technology | For curiosity (to learn) and altruistic purposes
Quiet, Paranoid, Skilled Hacker, 16-40 years, the very specialized and paranoid attacker | LONE | On necessity | For curiosity (to learn) => egoistic purposes
Cyber-Warrior, 18-50 years, the soldier, hacking for money | LONE | "Symbol" business company / End-User | For profit
Industrial Spy, 22-45 years, industrial espionage | LONE | Business company / Corporation | For profit
Government Agent, 25-45 years, CIA, Mossad, FBI, etc. | LONE / GROUP | Government / Suspected Terrorist / Strategic company / Individual | Espionage / Counter-espionage / Vulnerability test / Activity-monitoring
Military Hacker, 25-45 years | LONE / GROUP | Government / Strategic company | Monitoring / controlling / crashing systems
Profiling Hackers – the book
Cybercrime ≠ “hackers”
Let me tell you a story: Cha0
Examples (real)
At Cha0's home
RBN dealer's party
Examples (real): RBN dealer's party
The new Hackers Profiling Project (HPP v2.0)
PROFILE | MAY BE LINKED TO | WILL CHANGE ITS BEHAVIOR? | TARGET (NEW) | MOTIVATIONS & PURPOSES
Wanna Be Lamer | - | No | - | -
Script Kiddie | Urban hacks | No | Wireless Networks, Internet Café, neighborhood, etc. | -
Cracker | Phishing, Spam, Black ops | Yes | Companies, associations, whatever | Money, Fame, Politics, Religion, etc.
Ethical Hacker | Massive Vulnerabilities | Probably | Competitors (Telecom Italia Affair), end-users | Big money
Quiet, Paranoid, Skilled Hacker | Black ops | Yes | High-level targets | Esoteric requests (i.e., "hack Thuraya for us")
Cyber-Warrior | CNI attacks, Gov. attacks | Yes | "Symbols": from the Dalai Lama to the UN, passing through CNIs and business companies | Intelligence ?
Industrial Spy | - | Yes | Business company / Corporation | For profit
Government Agent | - | Probably | Government / Suspected Terrorist / Strategic company / Individual | Espionage / Counter-espionage / Vulnerability test / Activity-monitoring
Military Hacker | - | Probably | Government / Strategic company | Monitoring / controlling / crashing systems
Cyber Threat Intelligence
Cyber Threat Intelligence (CTI)
Cyber Threat Intelligence is an area of cybersecurity that focuses on the collection and analysis of information about current and potential threats.
Key Mission: to research and analyze trends and technical developments in 4 core areas: Cybercrime, Hacktivism, Cyber Espionage and Terrorism.
Mixed Approach: CYBINT, HUMINT (Covert Operations), SIGINT (VSAT Ku and C Band).
Cyber Threat Intelligence (CTI) – Key Domains
Defense
• Data Acquisition
• Breach Prevention
• Threat Intelligence
• Digital Risk Monitoring
• Threat Feeds
• IOC/IOA/TTPs
• Threat Actors Profiling
• SOC/CERT/CSIRT Operations
Offense
• Data Acquisition
• Cyberespionage Campaigns
• Information Warfare
• Tradecraft Acquisition
• Zero-Day Intelligence
• CNE/CNA/Psy Operations
• SIGINT/ELINT Operations
Intelligence
• Data Acquisition
• Dark Web
• Terrorism
• National Security
• Financial Crimes
• Drugs Trafficking
• Human Trafficking
Data Science in Threat Intelligence
• Aggregation
• Normalization
• Indexing
• Tagging
• Morphology Analysis
• Correlation
• Enrichment
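The pipeline stages listed on this slide are easier to reason about on concrete records. The following is an added example, not code from the presentation or from any platform it mentions: it runs a handful of constructed "scraped" entries (no real handles, addresses or services) through normalization, IOC tagging, inverted indexing, correlation by shared pivots (handle, e-mail, IP, onion address) and a table-driven enrichment step that stands in for a GEO2IP/ISP lookup. All record contents and the `IP_ENRICHMENT` table are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample entries: a few scraped forum/chat records (not real data).
SAMPLE_ENTRIES = [
    {"id": 1, "source": "forum-A", "handle": "DarkSeller", "ts": "2018-03-01T10:00:00Z",
     "text": "Selling combo list, contact darkseller@example.net, panel at abcdefghijklmnop.onion"},
    {"id": 2, "source": "jabber", "handle": "darkseller", "ts": "2018-03-02T11:30:00Z",
     "text": "server 203.0.113.7 is up again, same panel abcdefghijklmnop.onion"},
    {"id": 3, "source": "telegram", "handle": "Cha0_reborn", "ts": "2018-03-05T08:15:00Z",
     "text": "new c2 on 203.0.113.7, dm me"},
    {"id": 4, "source": "irc", "handle": "lamer01", "ts": "2018-03-06T09:00:00Z",
     "text": "how do i hack my neighbour wifi?"},
]

# Constructed enrichment table standing in for a GEO2IP / ISP lookup (not a real service).
IP_ENRICHMENT = {"203.0.113.7": {"country": "ZZ", "isp": "ExampleNet (constructed)"}}

# IOC extractors used by the tagging stage.
IOC_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "onion": re.compile(r"\b[a-z2-7]{16,56}\.onion\b"),
}


def normalize(entry):
    """Normalization: canonical handle casing and whitespace-collapsed text."""
    out = dict(entry)
    out["handle"] = entry["handle"].strip().lower()
    out["text"] = " ".join(entry["text"].split())
    return out


def tag(entry):
    """Tagging: extract IOCs with the regexes above and attach them to the record."""
    entry["iocs"] = {kind: sorted(set(p.findall(entry["text"])))
                     for kind, p in IOC_PATTERNS.items()}
    return entry


def build_index(entries):
    """Indexing: inverted index token -> set of entry ids, for fast pivot lookups."""
    index = defaultdict(set)
    for e in entries:
        for tok in re.findall(r"[a-z0-9.@_-]+", e["text"].lower()):
            index[tok].add(e["id"])
    return index


def correlate(entries):
    """Correlation: union-find over entries sharing a handle or an IOC value."""
    parent = {e["id"]: e["id"] for e in entries}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    seen = {}  # pivot (kind, value) -> first entry id that carried it
    for e in entries:
        pivots = [("handle", e["handle"])] + [(k, v) for k, vs in e["iocs"].items() for v in vs]
        for pivot in pivots:
            if pivot in seen:
                parent[find(e["id"])] = find(seen[pivot])
            else:
                seen[pivot] = e["id"]
    clusters = defaultdict(set)
    for e in entries:
        clusters[find(e["id"])].add(e["id"])
    return sorted(sorted(c) for c in clusters.values())


def enrich(entry):
    """Enrichment: attach GEO/ISP data for every IPv4 IOC from the lookup table."""
    entry["enrichment"] = {ip: IP_ENRICHMENT.get(ip, {"country": "unknown", "isp": "unknown"})
                           for ip in entry["iocs"]["ipv4"]}
    return entry


def run_pipeline(raw_entries):
    """Aggregate raw records, then normalize -> tag -> enrich -> index -> correlate."""
    entries = [enrich(tag(normalize(e))) for e in raw_entries]
    return {"entries": entries, "index": build_index(entries), "clusters": correlate(entries)}


if __name__ == "__main__":
    result = run_pipeline(SAMPLE_ENTRIES)
    for cluster in result["clusters"]:
        print("cluster:", cluster)
```

With the constructed input, entries 1 and 2 are joined by the shared handle and onion address, entry 3 is joined to them through the shared IP, and entry 4 stays alone; the clusters are the "known aliases / known contacts / known IOCs" view of a single actor that the graph-based analysis slides later describe.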
Cyber Intelligence Platform
Scenario 1 – Dark Web Monitoring
• Resecurity developed a purpose-built operational intelligence platform focused on contextual correlation across multiple intelligence sources.
• The platform was specifically designed with intelligence analysts, investigators and CNA/CNE operators in mind.
• Core Functions:
• Instant targeting and access to data
• Discover foreign actors and their targets
• Monitoring of multiple subjects of interests
• Targets development through data enrichment
• Non-attributable CNA/CNE planning
• Integration with third-party systems and tools
Extremist Portals
Underground Markets
Anonymous Resources
Espionage Groups
How (really) big is the Dark Web?
5B Threat artifacts: including indicators of compromise (IOCs), tools, tactics and procedures (TTPs) of adversaries, with valuable metadata stored in historical form and used for investigations
9M Adversaries: collected from various underground communities and criminal marketplaces, intelligence reports and the security expert community, with associated metadata
300M Dark Web entries: indexed and tagged data entries with extracted artifacts, associated metadata, graphical screenshots and link visualization
40 Languages: a built-in offline translation solution and unique linguistic expertise in order to provide details on threat actors' chatter
20K+ Sources: a constantly updated repository of Dark Web sources, including Tor, I2P, Freenet, IRC, IM groups (Telegram)
© Copyright 2019 Security Brokers SCpA. All rights reserved.
Data Statistics
Total records: 319M
Total IOCs: 22.3M
Total actors: 9.3M
Total sources: 24,154
Threat Artifacts: 5B

[Chart: Dark Web Data Collected, monthly from 2017-05 to 2018-05, y-axis 0 to 50M]
[Chart: Sources Distribution across Dark Web, External Sources, IRC, Jabber, www, Telegram, TOR; percentages shown on the slide: 23.20%, 37.50%, 12.90%, 5.80%, 12.00%, 0.30%, 1.70%, 6.70%]
[Chart: Data Breaches Collected, from 2017-01 to 2018-04, y-axis 0 to 1500M]

Total records: 8.97B
Passwords (hashed): 1.55B
Passwords (plaintext): 5.18B
E-mails: 6.28B
Botnet Data: 300M
Password Type Distribution: Hashed 23.00%, Plaintext 77.00%
Data Volume Growth (Monthly Trend) – Botnet Data

Month     | Million Records
January   | 130
February  | 180
March     | 220
April     | 240
May       | 300
June      | 324
July      | 400
Sources Categorization
Graph-based Analysis
- Threat Actor
- Known Aliases
- Known Profiles
- Known Contacts
- Saved Messages (History)
- Known IOCs
- Known TTPs
- GEO2IP
- ISP Data
Scenario 2 – Compromised Data Monitoring
The 773 Million Record "Collection #1" Data Breach
Collection #1 is the name of a database of sets of email addresses and passwords that appeared on the dark web around January 2019. The database contains over 773 million unique email addresses and 21 million unique passwords, resulting in more than 2.7 billion email/password pairs.
Scenario 2 – Compromised Data Monitoring
Data Breaches
Botnets (C2C)
Cloud Leaks
Payment Data
9,58 Billion Records Over 80 TBs
Over 230 TBs 102 Million Records
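Compromised-data monitoring, as the Collection #1 slide describes it, comes down to parsing combo-list style dumps, counting unique e-mails, secrets and pairs, separating hashed from plaintext credentials (the "Password Type Distribution" split on the statistics slide) and flagging which of one's own accounts appear. The following is an added example, not code from the presentation or from any vendor it names: the dump lines, the `WATCHED_DOMAINS` set and the hash-format table are constructed, and the report deliberately never returns the secret itself, only its type, so it can be handed to a helpdesk for forced resets.

```python
import re
from collections import Counter

# Constructed sample combo-list lines in the common "email:secret" layout (not real data).
SAMPLE_DUMP = """\
alice@example.com:Summer2018!
bob@example.com:5f4dcc3b5aa765d61d8327deb882cf99
carol@other.org:P@ssw0rd
alice@example.com:Summer2018!
dave@example.com:$2b$12$KIXo3J4EwK0bYd.1nM9e8uSgGqMzT4WnIvF1Wm4S0N3uGd8P0Gq3a
eve@other.org:a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
malformed line without separator
"""

# Constructed: the organisation's own mail domains to watch for.
WATCHED_DOMAINS = {"example.com"}

# Recognisable hash layouts; anything that matches none of them is treated as plaintext.
HASH_PATTERNS = [
    ("md5", re.compile(r"^[0-9a-f]{32}$", re.I)),
    ("sha1", re.compile(r"^[0-9a-f]{40}$", re.I)),
    ("sha256", re.compile(r"^[0-9a-f]{64}$", re.I)),
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
]

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def classify_secret(secret):
    """Return the hash family name, or 'plaintext' when no known hash layout matches."""
    for name, pattern in HASH_PATTERNS:
        if pattern.match(secret):
            return name
    return "plaintext"


def parse_dump(text):
    """Parse 'email:secret' lines; skip malformed lines instead of failing on them."""
    pairs = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, secret = line.split(":", 1)
        email, secret = email.strip().lower(), secret.strip()
        if not EMAIL_RE.fullmatch(email) or not secret:
            continue
        pairs.append((email, secret))
    return pairs


def summarize(pairs):
    """Collection-level statistics: unique pairs/e-mails/secrets and hashed vs plaintext share."""
    emails = {e for e, _ in pairs}
    secrets = {s for _, s in pairs}
    kinds = Counter(classify_secret(s) for s in secrets)
    plaintext = kinds["plaintext"]
    hashed = len(secrets) - plaintext
    return {
        "pairs": len(set(pairs)),
        "unique_emails": len(emails),
        "unique_secrets": len(secrets),
        "hashed": hashed,
        "plaintext": plaintext,
        "plaintext_share": round(100.0 * plaintext / len(secrets), 1) if secrets else 0.0,
        "by_kind": dict(kinds),
    }


def exposed_accounts(pairs, domains=WATCHED_DOMAINS):
    """Per-account findings for the watched domains; only the secret's type is reported,
    never the secret, so the output can be shared for password resets."""
    findings = {}
    for email, secret in pairs:
        domain = email.rsplit("@", 1)[1]
        if domain in domains:
            findings.setdefault(email, set()).add(classify_secret(secret))
    return {email: sorted(kinds) for email, kinds in sorted(findings.items())}


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    print(summarize(parsed))
    print(exposed_accounts(parsed))
```

The duplicate `alice` line shows why unique pairs, not raw lines, are the right unit to count, as the Collection #1 figures do, and the bcrypt entry shows that an account can be "exposed" even when the leaked value is a slow hash; the reset decision should still be made per account, not per secret type.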
Summary
• The appearance of new cyber threats and security challenges requires effective tools for their timely identification and in-depth analysis.
• Cyber has become the 5th dimension of modern warfare (after Land, Air, Sea and Space), where Cyber Threat Intelligence (CTI) plays the key role;
• The Dark Web ecosystem is rapidly growing and developing globally, involving new technologies, and CTI may help to analyze and prevent such activity;
• Cyber Threat Intelligence (CTI) may enable law enforcement and national security agencies to be proactive rather than reactive, making our future safer.
To learn more
My latest Amazon.com order
Thanks for listening!
Raoul “Nobody” Chiesa
rc [at] security-brokers [dot]com
Contacts