1 00:00:00,734 --> 00:00:03,003 (suspenseful music) 2 00:00:09,843 --> 00:00:12,612 (audience claps) 3 00:00:15,081 --> 00:00:18,918 - This is just my story about submitting a profile 4 00:00:18,918 --> 00:00:23,923 to MITER ATT&CK and think those folks are here. 5 00:00:26,626 --> 00:00:27,961 I need to meet Katie 6 00:00:31,297 --> 00:00:35,535 but quick disclaimer, I'm not here in the name of 7 00:00:35,535 --> 00:00:38,238 or speaking on behalf of my employer. 8 00:00:38,238 --> 00:00:40,673 All opinions here are expressed are my own. 9 00:00:40,673 --> 00:00:41,941 Just here to tell a story. 10 00:00:43,176 --> 00:00:44,944 Okay, so a little bit of background. 11 00:00:46,046 --> 00:00:47,680 Like I said, I was a consultant. 12 00:00:50,150 --> 00:00:55,120 Did a lot of work doing incident response in forensics. 13 00:00:58,191 --> 00:01:01,795 I'm gonna talk about what that was like before ATT&CK, 14 00:01:01,795 --> 00:01:06,800 discovering ATT&CK, the research that I did, 15 00:01:07,534 --> 00:01:08,601 the submissions I made, 16 00:01:09,669 --> 00:01:11,604 talk about indicators and techniques 17 00:01:11,604 --> 00:01:15,408 and some of the differences between the IOCs and TTPs 18 00:01:15,408 --> 00:01:16,609 and a few takeaways. 19 00:01:17,944 --> 00:01:21,948 Okay, so it all began for me in about 2010. 20 00:01:21,948 --> 00:01:26,419 I went from doing forensics work for law enforcement 21 00:01:27,854 --> 00:01:32,459 to one of the big consulting firms 22 00:01:32,459 --> 00:01:35,862 and one of our clients was repeatedly a victim. 23 00:01:37,263 --> 00:01:41,668 We did a lot of incident response all over the world. 24 00:01:43,303 --> 00:01:47,006 We got to know how they did what they did very well 25 00:01:48,041 --> 00:01:50,810 but as happens in consulting, 26 00:01:50,810 --> 00:01:54,314 you get different clients, you move on. 27 00:01:54,314 --> 00:01:56,082 That was kind of a new thing for me 28 00:01:56,082 --> 00:02:00,987 because in law enforcement, as a forensic examiner, 29 00:02:02,188 --> 00:02:05,992 you didn't just move on until a case was closed 30 00:02:05,992 --> 00:02:09,362 and the bad guy was where he needed to be. 31 00:02:09,362 --> 00:02:14,033 And so these guys kind of in my view got a pass from that 32 00:02:17,303 --> 00:02:22,308 so I never forgot really about what they had done 33 00:02:24,043 --> 00:02:29,048 to our client but life moves on, four years go by, 34 00:02:31,151 --> 00:02:32,619 and in those four years, 35 00:02:32,619 --> 00:02:35,688 some things changed for me personally. 36 00:02:39,192 --> 00:02:42,262 I moved, got a new job, got married, 37 00:02:43,530 --> 00:02:45,565 and now I have three kids. 38 00:02:49,936 --> 00:02:53,072 And if you don't know, three is harder than two. 39 00:02:55,875 --> 00:02:59,312 And both my bosses told me to have fun today 40 00:02:59,312 --> 00:03:00,880 so I hope we have some fun today. 41 00:03:02,282 --> 00:03:03,850 If you're married, you know what I'm talking about, 42 00:03:03,850 --> 00:03:04,951 having two bosses. 43 00:03:07,020 --> 00:03:12,025 Okay, so four years went by but I wanted to talk about 44 00:03:15,695 --> 00:03:20,700 and share living through this constant barrage of repeated 45 00:03:22,735 --> 00:03:27,740 attacks and what it cost as far as time and travel and work. 46 00:03:30,310 --> 00:03:35,048 There just wasn't a lot of things out there. 47 00:03:36,516 --> 00:03:40,553 I could talk about it but I couldn't really share much. 48 00:03:40,553 --> 00:03:43,122 It felt like I was in the dark ages or something 49 00:03:43,122 --> 00:03:47,193 because there wasn't a lot at this time in 2012 50 00:03:47,193 --> 00:03:52,198 the best one I found was the Mandiant, it was really great. 51 00:03:53,633 --> 00:03:58,538 I shared this a lot but it was one of two that I could find 52 00:03:59,872 --> 00:04:04,510 that really, I think, describe well enough 53 00:04:04,510 --> 00:04:07,679 what was going on so to me, it was the dark ages. 54 00:04:09,082 --> 00:04:12,619 And so in May of 2015 when the ATT&CK framework come out, 55 00:04:12,619 --> 00:04:17,624 was published, I immediately recognized its incredible start 56 00:04:21,661 --> 00:04:26,065 a way to share how adversaries behave. 57 00:04:27,367 --> 00:04:32,372 And ATT&CK now has all of these 11 tactics, 58 00:04:33,706 --> 00:04:37,443 70 threat groups, 200 techniques, tools, but to me, 59 00:04:38,845 --> 00:04:41,714 the most valuable thing were the references. 60 00:04:41,714 --> 00:04:46,719 That to me, was the thing that stood out 61 00:04:48,588 --> 00:04:50,490 because those references 62 00:04:50,490 --> 00:04:53,026 and I'll talk about this in a little bit, 63 00:04:53,026 --> 00:04:57,897 they were pretty authoritative. 64 00:04:59,065 --> 00:05:03,903 And so to me, the dark ages were over 65 00:05:04,771 --> 00:05:08,074 and information security to me 66 00:05:08,074 --> 00:05:10,743 was the beginning of the Renaissance. 67 00:05:10,743 --> 00:05:12,278 When you talk about the Renaissance, 68 00:05:12,278 --> 00:05:14,247 you have to talk about the Mona Lisa. 69 00:05:14,247 --> 00:05:16,983 To me, ATT&CK is like information security 70 00:05:16,983 --> 00:05:18,384 entering the Renaissance. 71 00:05:18,384 --> 00:05:22,555 So I saw it, I wanted to be a part of it. 72 00:05:22,555 --> 00:05:25,191 In August 2015, I emailed them. 73 00:05:25,191 --> 00:05:28,027 They said, here's what you need. 74 00:05:28,027 --> 00:05:30,263 You have public references that 75 00:05:30,263 --> 00:05:33,032 associate the malware to the threat group. 76 00:05:34,500 --> 00:05:37,236 Do you have public references that 77 00:05:37,236 --> 00:05:40,306 associates the techniques to the threat group? 78 00:05:40,306 --> 00:05:44,310 And can these references be linked to a definitive source? 79 00:05:44,310 --> 00:05:46,813 And are they clear and not open to interpretation? 80 00:05:48,514 --> 00:05:52,051 I mean, it sounds pretty similar coming from law 81 00:05:54,020 --> 00:05:57,957 enforcement, I kinda knew what they were asking for. 82 00:05:57,957 --> 00:06:01,561 I thought about it a little bit more and bottom line, 83 00:06:01,561 --> 00:06:04,664 they basically just wanted proof and what is proof, 84 00:06:04,664 --> 00:06:06,132 it's simply evidence of the truth. 85 00:06:06,132 --> 00:06:07,633 And if you're former law enforcement, 86 00:06:07,633 --> 00:06:11,503 you know that evidence comes from the Latin word provideo. 87 00:06:11,504 --> 00:06:15,274 They wanted to see and have it be obvious. 88 00:06:17,043 --> 00:06:19,078 So nothing that you had to interpret. 89 00:06:19,078 --> 00:06:24,082 They wanted it to be definitive and so they wanted, 90 00:06:25,685 --> 00:06:28,888 after looking into it, a little bit more detail. 91 00:06:28,888 --> 00:06:32,758 They've since come out with the philosophy paper 92 00:06:32,759 --> 00:06:34,560 that details this even more. 93 00:06:34,560 --> 00:06:38,931 If you haven't read that, I recommend it. 94 00:06:38,931 --> 00:06:42,301 Philosophy and design paper, I think, June or July, 95 00:06:42,301 --> 00:06:43,603 they came out with it 96 00:06:43,603 --> 00:06:45,972 and they talk about empirical evidence. 97 00:06:45,972 --> 00:06:48,474 And for me, former law enforcement, 98 00:06:48,474 --> 00:06:52,512 empirical evidence that supports your science-based 99 00:06:52,512 --> 00:06:55,314 investigation, that is your forensic evidence. 100 00:06:55,314 --> 00:06:57,250 So light bulbs went off for me, 101 00:06:57,250 --> 00:07:01,053 okay, they just want some evidence. 102 00:07:01,053 --> 00:07:03,089 But they wanted empirical evidence 103 00:07:03,089 --> 00:07:05,758 and empirical comes from the word experience 104 00:07:05,758 --> 00:07:09,495 so experience comes from your sense so again, 105 00:07:09,495 --> 00:07:12,432 they wanted to see and have it be obvious. 106 00:07:15,668 --> 00:07:19,672 It's hard to, video being the best form of evidence. 107 00:07:19,672 --> 00:07:23,376 It's hard to get, you don't often get your adversaries 108 00:07:23,376 --> 00:07:27,613 on video doing the crime, it does happen. 109 00:07:28,714 --> 00:07:31,818 Anybody seen the recent Muller indictment? 110 00:07:32,985 --> 00:07:35,087 Thanks to the Dutch intelligence service, 111 00:07:35,087 --> 00:07:39,859 they did actually catch them on video, it does happen. 112 00:07:42,428 --> 00:07:44,931 But in October, they came back. 113 00:07:44,931 --> 00:07:49,101 They said, "don't think there's enough public reporting 114 00:07:49,101 --> 00:07:53,973 "to assert with high confidence" of what I gave them. 115 00:07:53,973 --> 00:07:58,611 They were right, there wasn't a lot. 116 00:07:58,611 --> 00:08:00,712 Most of what I knew from my experiences 117 00:08:00,713 --> 00:08:05,184 had not been made public so I kinda knew some things 118 00:08:05,184 --> 00:08:07,887 but I wasn't able to disclose. 119 00:08:07,887 --> 00:08:12,658 And so they were right to say we don't think so. 120 00:08:15,394 --> 00:08:18,498 They said, we need to go deeper and they were right 121 00:08:18,498 --> 00:08:23,503 so back to the drawing board but at the same exact time, 122 00:08:24,670 --> 00:08:27,507 come to find out Mircon is going on in DC 2015 123 00:08:29,108 --> 00:08:30,877 and for the first time, 124 00:08:30,877 --> 00:08:35,882 the threat group that I had dealt with finally got a name. 125 00:08:37,049 --> 00:08:40,886 FIN5, they finally got definitively 126 00:08:40,886 --> 00:08:44,155 associated with their malware RawPOS 127 00:08:44,155 --> 00:08:47,993 so for me, it was like okay, case back open. 128 00:08:47,994 --> 00:08:50,096 And another mention a day later, 129 00:08:50,096 --> 00:08:55,067 I didn't close out my case, I kept it open, 130 00:08:55,067 --> 00:08:59,805 I kept occasionally looking, there was new stuff. 131 00:08:59,805 --> 00:09:04,709 That's one of my takeaways, just have a little persistence. 132 00:09:04,710 --> 00:09:09,715 If you find yourself on the trail 133 00:09:10,583 --> 00:09:13,586 of one of these threat groups, 134 00:09:17,423 --> 00:09:19,559 they're the ones that need to be afraid 135 00:09:19,559 --> 00:09:21,459 if you have persistence. 136 00:09:21,460 --> 00:09:24,664 They made a mistake, you caught them, you're following them, 137 00:09:24,664 --> 00:09:28,234 just keep watching, you'll find more. 138 00:09:30,002 --> 00:09:34,306 So a year later, in GrrCon, this presentation, 139 00:09:34,307 --> 00:09:36,576 attacking the hospitality and gaming industries, 140 00:09:36,576 --> 00:09:39,579 tracking an attacker around the world in seven years, 141 00:09:39,579 --> 00:09:44,050 it was a 55 minute talk, it had tons of details. 142 00:09:44,050 --> 00:09:48,154 So much detail that I reached out to some former colleagues 143 00:09:48,154 --> 00:09:53,159 who were still consulting and they confirmed it's exactly, 144 00:09:53,159 --> 00:09:54,560 they're talking about the same person. 145 00:09:54,560 --> 00:09:58,497 So Mandiant had been dealing with the same group 146 00:09:58,497 --> 00:10:03,502 that we were and so it was really great confirmation 147 00:10:04,904 --> 00:10:07,607 and the only thing that was different was some of the names. 148 00:10:07,607 --> 00:10:09,507 They liked to name things differently 149 00:10:09,508 --> 00:10:13,212 but after decoding that, it became obvious again 150 00:10:13,212 --> 00:10:15,681 that we were dealing with the same group 151 00:10:15,681 --> 00:10:19,485 and now I had some information to add to mine. 152 00:10:19,485 --> 00:10:23,055 Another thing he mentioned in the talk that these guys 153 00:10:23,055 --> 00:10:27,026 were in or around a place called Hackerville. 154 00:10:27,026 --> 00:10:28,460 Anybody heard of Hackerville? 155 00:10:29,862 --> 00:10:34,867 It's a place in eastern Europe, one of the towns that 156 00:10:36,435 --> 00:10:41,239 is like the Ferrari and Lamborghini capital of the world. 157 00:10:42,441 --> 00:10:43,476 These guys, 158 00:10:46,612 --> 00:10:49,147 I'm not super upset with these guys 159 00:10:49,148 --> 00:10:51,851 but they're criminals, they belong in jail 160 00:10:51,851 --> 00:10:56,822 from my experience, they're still out seven years later, 161 00:10:58,257 --> 00:11:00,892 driving Ferraris, I'm driving a Ford. 162 00:11:04,497 --> 00:11:05,330 I'm not upset. 163 00:11:06,866 --> 00:11:11,771 So they talk about their everything, their whole lifecycle 164 00:11:13,305 --> 00:11:16,541 from compromise to reconnaissance to privilege escalation, 165 00:11:16,542 --> 00:11:18,711 conducting their mission, completing their mission. 166 00:11:18,711 --> 00:11:22,615 It's all identical, I now have a great reference point. 167 00:11:25,017 --> 00:11:29,522 They use RawPOS, talk about how they do it. 168 00:11:29,522 --> 00:11:34,326 If it's RawPOS, it's FIN5, authoritative, direct proof. 169 00:11:36,162 --> 00:11:40,966 So I keep looking, I find more. 170 00:11:40,966 --> 00:11:45,471 I had some of these because they'd been around for so long. 171 00:11:45,471 --> 00:11:47,039 I knew there was more out there 172 00:11:47,039 --> 00:11:51,510 so I start looking some more and I find more. 173 00:11:51,510 --> 00:11:56,482 And so as an investigator, one of your jobs is to keep sight 174 00:11:58,918 --> 00:12:01,654 of the big picture just like putting a puzzle together. 175 00:12:01,654 --> 00:12:03,723 Anybody like puzzles? 176 00:12:03,723 --> 00:12:05,991 All it takes is a little bit of time, 177 00:12:05,991 --> 00:12:09,462 a little bit of connecting the dots. 178 00:12:09,462 --> 00:12:12,298 So I took what I had, I made sure they were linked, 179 00:12:12,298 --> 00:12:15,868 but I come to find out there were more, I was missing a few. 180 00:12:15,868 --> 00:12:19,071 I added a few more, I'm up to 14 now 181 00:12:19,071 --> 00:12:22,341 and so the next thing I do, I have a great picture. 182 00:12:22,341 --> 00:12:24,176 It's coming together, it's not all the way yet 183 00:12:24,176 --> 00:12:28,380 so I keep looking, I go back to that Mircon conference 184 00:12:28,380 --> 00:12:30,249 and I look at who talked. 185 00:12:30,249 --> 00:12:34,553 There's a great resource out there called ConCollector. 186 00:12:34,553 --> 00:12:39,558 It's a database that now has around 50,000 speakers 187 00:12:42,361 --> 00:12:47,366 and presenters covering 2,000 conferences 188 00:12:48,134 --> 00:12:49,335 of the last 30 years. 189 00:12:49,335 --> 00:12:51,937 It's a tremendous resource for finding out 190 00:12:51,937 --> 00:12:54,607 who has talked where on what. 191 00:12:54,607 --> 00:12:59,578 And Emmanuel and Barry, best talk in hospitality industry, 192 00:13:02,648 --> 00:13:04,550 APT in hospitality and gaming industry. 193 00:13:04,550 --> 00:13:07,051 This talk was never published 194 00:13:07,052 --> 00:13:10,256 and these guys never spoke again unfortunately. 195 00:13:11,557 --> 00:13:13,859 But this talk Preston Lewis and Matt Bromley, 196 00:13:13,859 --> 00:13:15,161 they spoke again. 197 00:13:21,567 --> 00:13:25,237 NolaCon last year in fact was Matt Bromley's. 198 00:13:25,237 --> 00:13:27,973 Talked about their use of PsExec 199 00:13:27,973 --> 00:13:31,310 and what version it was, had some great details, 200 00:13:31,310 --> 00:13:35,247 and then Preston Lewis talked about attacking 201 00:13:36,715 --> 00:13:38,350 the hospitality and gaming industries, 202 00:13:38,350 --> 00:13:40,753 tracking an attacker around the world in eight years. 203 00:13:40,753 --> 00:13:44,757 And that was another great talk, hour long talk almost, 204 00:13:44,757 --> 00:13:49,093 full of details so I had another great reference 205 00:13:49,094 --> 00:13:52,565 so the picture is coming together. 206 00:13:55,067 --> 00:13:56,735 Just a little bit of persistence. 207 00:13:59,338 --> 00:14:03,742 Again, the lifecycle, a lot of details. 208 00:14:05,010 --> 00:14:08,080 Anybody notice any additions to this? 209 00:14:11,550 --> 00:14:13,117 It's hard to see. 210 00:14:13,118 --> 00:14:18,123 So they are slow to do many changes, 211 00:14:19,558 --> 00:14:21,393 I was surprised they did any 'cause it still works. 212 00:14:21,393 --> 00:14:24,930 What they're doing is still working since 2008 213 00:14:25,998 --> 00:14:27,566 but they did change, 214 00:14:27,566 --> 00:14:30,202 I guess things are getting a little harder. 215 00:14:30,202 --> 00:14:33,172 They added Mimikatz which is latest greatest way 216 00:14:33,172 --> 00:14:38,177 to capture credentials to their escalating privileges. 217 00:14:40,012 --> 00:14:43,314 They added HeidiSQL for reconnaissance 218 00:14:43,315 --> 00:14:47,052 and they are starting to defeat single factor VPNs 219 00:14:47,052 --> 00:14:48,988 for their initial access 220 00:14:48,988 --> 00:14:52,124 so interesting additions to their techniques. 221 00:14:53,759 --> 00:14:57,329 Next thing I do to try to finish this picture 222 00:14:57,329 --> 00:15:02,133 so that it's pretty obvious for them is 223 00:15:02,134 --> 00:15:07,139 I use a tool called POC Parser by Armand Buscher I believe. 224 00:15:08,274 --> 00:15:11,877 His name, it's on GitHub, it's great tool 225 00:15:11,877 --> 00:15:15,781 if you want to extract IOCs out of PDF files for example. 226 00:15:15,781 --> 00:15:18,684 Here are the hashes I got out of the reports. 227 00:15:18,684 --> 00:15:23,689 So I started researching the hashes just to keep going here. 228 00:15:24,890 --> 00:15:26,292 These reports were good but they were not great, 229 00:15:26,292 --> 00:15:28,627 they were not the smoking guns or anything. 230 00:15:28,627 --> 00:15:33,632 So keep going, next thing I do is I import all those hashes. 231 00:15:35,067 --> 00:15:38,604 I'm still driving my Ford so I'm mad but I'm not so mad 232 00:15:38,604 --> 00:15:40,306 I'm gonna go through every single hash 233 00:15:40,306 --> 00:15:42,241 from every single report. 234 00:15:42,241 --> 00:15:45,477 Obsession is not required to do this. 235 00:15:45,477 --> 00:15:46,978 It's just a little bit of persistence. 236 00:15:46,979 --> 00:15:51,817 So I found a shortcut so by, I'm familiar with Multego, 237 00:15:53,018 --> 00:15:54,753 it's a great tool if you're not familiar. 238 00:15:54,753 --> 00:15:58,991 It can handle CSVs and you can do anything with it 239 00:15:58,991 --> 00:16:01,160 to create a visual. 240 00:16:01,160 --> 00:16:04,762 I created this, the yellow are the reports 241 00:16:04,763 --> 00:16:08,867 and the red are the hashes and some of the red are bigger. 242 00:16:08,867 --> 00:16:10,269 That's 'cause those are the ones 243 00:16:10,269 --> 00:16:12,671 that are in multiple reports so I focus on those. 244 00:16:12,671 --> 00:16:16,375 Turns out more reports, these guys have been around 245 00:16:16,375 --> 00:16:18,978 a long time I knew there was more out there. 246 00:16:18,978 --> 00:16:23,247 These were definitive, these were directly linked, 247 00:16:23,248 --> 00:16:28,253 these were authoritative so October 2017, 248 00:16:29,421 --> 00:16:32,791 I felt I had enough to make another submission. 249 00:16:34,994 --> 00:16:39,565 Included 10 tactics, 14 techniques, from 30 references, 250 00:16:39,565 --> 00:16:42,167 from 30 different security organizations. 251 00:16:43,802 --> 00:16:47,206 Carbon Black being one of them, they were great. 252 00:16:47,206 --> 00:16:49,074 So give a shout out to our sponsor. 253 00:16:53,912 --> 00:16:58,384 And they came back this time and they published. 254 00:16:58,384 --> 00:17:00,686 They published five at first. 255 00:17:00,686 --> 00:17:04,656 There's now, I don't know how many now up there, 256 00:17:06,358 --> 00:17:08,627 at least 10 or so but they covered, 257 00:17:08,627 --> 00:17:12,964 I was pleased they covered each stage in the lifecycle 258 00:17:12,964 --> 00:17:17,970 and so now I felt like my case was finally closed. 259 00:17:19,872 --> 00:17:24,777 I have shared what cyber criminals were doing, 260 00:17:24,777 --> 00:17:27,413 how they were doing it, and so now, 261 00:17:27,413 --> 00:17:31,183 this is my way of doing that. 262 00:17:31,183 --> 00:17:34,453 So some of my favorite of the techniques 263 00:17:34,453 --> 00:17:38,624 being a former law enforcement forensic examiner, 264 00:17:40,092 --> 00:17:43,362 the anti forensic techniques were my favorite. 265 00:17:43,362 --> 00:17:46,265 The removing of indicators, 266 00:17:46,265 --> 00:17:48,667 that they would delete the event logs. 267 00:17:48,667 --> 00:17:51,003 At the time, that's all you could do was delete, 268 00:17:51,003 --> 00:17:55,974 you couldn't edit them like you can now thanks to NSA. 269 00:17:55,974 --> 00:17:59,278 Dumped by the, who was it, the shadow brokers. 270 00:18:01,980 --> 00:18:03,515 So a little bit harder to tell now, 271 00:18:03,515 --> 00:18:06,418 that was a big giveaway at the time. 272 00:18:06,418 --> 00:18:09,955 The other one was encrypting their tool sets 273 00:18:09,955 --> 00:18:14,960 so they would encrypt RAR files full of all their tools 274 00:18:17,229 --> 00:18:20,799 and that was sometimes effective. 275 00:18:20,799 --> 00:18:24,436 We usually could crack the password but not always 276 00:18:24,436 --> 00:18:26,572 so it was sometimes effective. 277 00:18:26,572 --> 00:18:30,908 Time stomping at the time, that was not super effective 278 00:18:30,909 --> 00:18:35,914 because like on XP systems, there're two sets of timestamps, 279 00:18:39,351 --> 00:18:41,753 standard information attribute, 280 00:18:41,753 --> 00:18:44,188 filename attribute and at that time, 281 00:18:44,189 --> 00:18:46,825 you could not change the filename attribute 282 00:18:46,825 --> 00:18:48,861 only the standard information attribute 283 00:18:48,861 --> 00:18:51,597 which is the timestamp you saw on Windows. 284 00:18:51,597 --> 00:18:54,600 The back up timestamp, there was no way to change it 285 00:18:54,600 --> 00:18:58,971 so they were simply hiding from administrators basically 286 00:18:58,971 --> 00:19:00,706 by changing these timestamps. 287 00:19:00,706 --> 00:19:04,142 We had a tool we could run a comparison, pretty quick, 288 00:19:04,143 --> 00:19:09,148 and we could see what they did stood out pretty quick. 289 00:19:11,917 --> 00:19:14,386 Now, unfortunately, there's tools, 290 00:19:14,386 --> 00:19:16,687 there's ways to change both timestamps 291 00:19:16,688 --> 00:19:18,290 so it's a little bit harder now 292 00:19:19,691 --> 00:19:23,362 if you're doing incident response but there is a way 293 00:19:24,763 --> 00:19:29,434 and I encourage vendors to, especially EDR vendors, 294 00:19:31,103 --> 00:19:34,740 to grab this information when you change timestamps, 295 00:19:34,740 --> 00:19:38,043 you're not changing the entire time. 296 00:19:38,043 --> 00:19:42,147 You're only changing the minutes, seconds, hours. 297 00:19:42,147 --> 00:19:45,384 You're not changing the milliseconds or nanoseconds. 298 00:19:45,384 --> 00:19:47,419 Those are zeroed out. 299 00:19:47,419 --> 00:19:51,256 If you see zeroed out nanoseconds that's an indicator 300 00:19:54,726 --> 00:19:57,062 so EDR vendors, take note please. 301 00:19:58,664 --> 00:20:01,934 File deletion, so they used SDelete, 302 00:20:03,135 --> 00:20:05,037 it's a sysinternals tool, Secure Delete. 303 00:20:05,037 --> 00:20:08,674 It's very effective because it didn't delete. 304 00:20:08,674 --> 00:20:11,476 It overwrites and once that happens, 305 00:20:11,476 --> 00:20:12,911 there's no more evidence. 306 00:20:14,346 --> 00:20:19,251 Okay, here's a graphic, I just love this graphic. 307 00:20:20,118 --> 00:20:23,355 It was recently on Twitter. 308 00:20:23,355 --> 00:20:26,191 Guy by the name of Control Commando put it out there. 309 00:20:26,191 --> 00:20:29,194 I loved it because it shows that 310 00:20:30,395 --> 00:20:35,367 not all techniques are under just one tactic. 311 00:20:36,602 --> 00:20:39,571 So different adversaries use different techniques 312 00:20:39,571 --> 00:20:40,805 for different tactics. 313 00:20:40,806 --> 00:20:45,110 So I think that's just important to note. 314 00:20:45,110 --> 00:20:47,779 If you're trying to do attribution with ATT&CK, 315 00:20:47,779 --> 00:20:49,248 just keep that in mind. 316 00:20:50,515 --> 00:20:52,784 ATT&CK will get you started 317 00:20:52,784 --> 00:20:54,820 but it will not get you all the way there. 318 00:20:54,820 --> 00:20:59,825 So if you find yourself encountering an adversary 319 00:20:59,825 --> 00:21:02,995 and you think there's any chance it's gonna happen again, 320 00:21:02,995 --> 00:21:06,631 incident response best practices say you need to get 321 00:21:06,632 --> 00:21:10,035 the tools, the tactics, the techniques right. 322 00:21:11,203 --> 00:21:15,107 This NIST is from the NIST best practices 323 00:21:15,107 --> 00:21:18,277 and I recommend it because it works. 324 00:21:18,277 --> 00:21:20,078 We kept our client out of the news 325 00:21:20,078 --> 00:21:22,848 because we got their TTPs. 326 00:21:22,848 --> 00:21:25,783 We knew what they were gonna do before they did it 327 00:21:25,784 --> 00:21:27,352 so we could watch for them. 328 00:21:27,352 --> 00:21:30,088 We saw them start to complete their mission, 329 00:21:30,088 --> 00:21:33,258 we would cut them off before they could finish. 330 00:21:35,160 --> 00:21:36,928 If you're sharing, if you're intelligence 331 00:21:36,928 --> 00:21:39,364 and you're sharing cyber threat intelligence, 332 00:21:40,766 --> 00:21:43,268 intelligence is more than indicators. 333 00:21:43,268 --> 00:21:45,137 Intelligence includes the tactics, 334 00:21:45,137 --> 00:21:46,605 techniques, and procedures. 335 00:21:49,374 --> 00:21:54,079 Everybody knows David Bianco, pyramid of pain. 336 00:21:55,480 --> 00:21:56,982 I just love this slide. 337 00:21:56,982 --> 00:22:01,586 This has been out how long now, five years now. 338 00:22:02,321 --> 00:22:03,655 It's awesome, thank you. 339 00:22:08,126 --> 00:22:11,062 This shows where ATT&CK lives, the ATT&CK framework lives. 340 00:22:11,063 --> 00:22:15,300 It lives up there in the TTPs that are so hard to change. 341 00:22:15,300 --> 00:22:18,235 That's why when you get those TTPs, 342 00:22:18,236 --> 00:22:22,007 you can predict what they're gonna do with some accuracy 343 00:22:22,007 --> 00:22:24,976 because it's hard for them to change these things. 344 00:22:26,011 --> 00:22:27,879 Hash values are trivial. 345 00:22:29,181 --> 00:22:31,817 IP addresses, right, easy. 346 00:22:33,018 --> 00:22:36,221 Little bit more about hashes in a second. 347 00:22:38,123 --> 00:22:43,128 And Joe Slowik, he has done some posts recently 348 00:22:44,129 --> 00:22:46,098 talking about indicators 349 00:22:46,098 --> 00:22:50,802 and how they essentially expire immediately now. 350 00:22:52,270 --> 00:22:56,942 It used to be they were useful for a little while 351 00:22:58,910 --> 00:23:02,114 and I think that's, if that was ever true, 352 00:23:02,114 --> 00:23:04,783 that's no longer true, unfortunately 353 00:23:04,783 --> 00:23:08,919 and Threat Connect said the same thing not long ago. 354 00:23:10,088 --> 00:23:12,557 Guy by the name of Wade Baker who, 355 00:23:14,092 --> 00:23:19,097 if anybody's familiar with the Verizon DBIR, 356 00:23:20,198 --> 00:23:21,500 the Data Breach Investigations Report, 357 00:23:21,500 --> 00:23:23,802 he helped spearhead that. 358 00:23:23,802 --> 00:23:27,272 That's a great report, been reading that for years. 359 00:23:28,440 --> 00:23:32,010 I love that report because it's based on 360 00:23:32,010 --> 00:23:35,680 that empirical forensic evidence also. 361 00:23:39,451 --> 00:23:44,456 But IOCs again, not lasting long. 362 00:23:45,791 --> 00:23:49,828 Hash values, if anybody's heard of Webroot. 363 00:23:51,196 --> 00:23:55,033 They now have one of the largest hash databases available. 364 00:23:59,137 --> 00:24:00,639 For the last 3 years, 365 00:24:00,639 --> 00:24:04,141 over 90% of malware has only been seen at one endpoint. 366 00:24:06,111 --> 00:24:11,116 So it's really brief, really narrow shelf-life 367 00:24:11,983 --> 00:24:13,385 for hash values in particular. 368 00:24:15,287 --> 00:24:19,391 So don't count on an IOC getting you out of trouble. 369 00:24:22,861 --> 00:24:24,729 Okay, adversary emulation. 370 00:24:26,164 --> 00:24:30,735 It's another great use case for the ATT&CK framework. 371 00:24:30,735 --> 00:24:32,838 I was kinda skeptical about this at first. 372 00:24:32,838 --> 00:24:37,408 Like, how you gonna pretend to be an adversary. 373 00:24:37,409 --> 00:24:40,178 You don't know what an adversary's gonna do. 374 00:24:40,178 --> 00:24:42,981 Well if you know their TTPs, 375 00:24:42,981 --> 00:24:45,817 you can't just change those easily. 376 00:24:45,817 --> 00:24:50,822 You can absolutely can IOCs are backward looking, 377 00:24:53,525 --> 00:24:55,126 TTPs are forward looking 378 00:24:55,126 --> 00:24:58,363 so you absolutely can in a meaningful way now 379 00:24:58,363 --> 00:25:03,301 thanks to how empirically supported these techniques are, 380 00:25:05,003 --> 00:25:08,572 it is absolutely something you can do 381 00:25:08,573 --> 00:25:11,409 and they're in the process of in fact 382 00:25:11,409 --> 00:25:15,514 testing a lot of the EDR vendors right now. 383 00:25:15,514 --> 00:25:18,183 And I very much look forward to those results 384 00:25:18,183 --> 00:25:21,920 'cause those are gonna show who can detect what. 385 00:25:26,024 --> 00:25:30,160 It's very exciting to be part of the Renaissance here. 386 00:25:35,867 --> 00:25:40,872 There's only I think two and correct me if I'm wrong, 387 00:25:42,073 --> 00:25:44,042 there's two I think categories of things 388 00:25:45,477 --> 00:25:47,279 there's still vendors out there who want to spread 389 00:25:47,279 --> 00:25:50,048 and sow on your fear, uncertainty and doubt. 390 00:25:51,483 --> 00:25:55,419 Well, there's still a couple of things to worry about. 391 00:25:58,156 --> 00:26:01,126 One of them are things that are not in ATT&CK yet. 392 00:26:02,494 --> 00:26:06,097 The second, our adversaries like this for example 393 00:26:06,097 --> 00:26:10,068 who are in this case APT29, 394 00:26:10,068 --> 00:26:12,804 which I know some of you are very familiar with, 395 00:26:12,804 --> 00:26:16,308 and I wanna talk to you later if you know more than me 396 00:26:17,509 --> 00:26:21,746 but here's an example of how bad it can get. 397 00:26:23,582 --> 00:26:25,550 If they're determined and they're persistent 398 00:26:25,550 --> 00:26:27,052 and they're not giving up, 399 00:26:27,052 --> 00:26:30,155 it can take months to get them out of your systems 400 00:26:30,155 --> 00:26:33,258 and this is just an example of worst case scenario 401 00:26:33,258 --> 00:26:34,492 I recently read about. 402 00:26:34,492 --> 00:26:37,796 David Sanger had a book recently, 403 00:26:37,796 --> 00:26:39,331 I don't know if anybody's read it, 404 00:26:39,331 --> 00:26:43,767 called The Perfect Weapon, talks about this situation 405 00:26:46,271 --> 00:26:51,276 and anybody, Rob Joyce from NSA, 406 00:26:52,444 --> 00:26:56,548 he talked about this at DEF CON this year. 407 00:26:56,548 --> 00:27:00,952 It was in the book, it was called A Digital Dogfight. 408 00:27:02,253 --> 00:27:05,724 Incident responders had very rough time 409 00:27:05,724 --> 00:27:08,659 with getting them out and I don't know 410 00:27:08,660 --> 00:27:13,665 if it is this talk by Mandiant, excuse me, FireEye 411 00:27:15,967 --> 00:27:19,004 but this talk was about APT29 as well. 412 00:27:19,004 --> 00:27:22,107 Very interesting talk, I recommend you check it out. 413 00:27:22,107 --> 00:27:27,112 It's a very amazing, from incident responder's standpoint, 414 00:27:28,580 --> 00:27:32,984 very cool story, Nick Carr and Matthew Dunwoody from 415 00:27:34,786 --> 00:27:38,823 Mandiant, given this talk a couple times I think now. 416 00:27:39,958 --> 00:27:43,128 It's really amazing what they can do 417 00:27:45,230 --> 00:27:49,801 so if you run into an organization bigger than yours, 418 00:27:49,801 --> 00:27:52,736 it's okay to call for help, I recommend you call. 419 00:27:52,737 --> 00:27:54,506 There's two I can recommend to you. 420 00:27:57,909 --> 00:28:00,245 FireEye and also CrowdStrike, 421 00:28:00,245 --> 00:28:02,246 they're two of the incident response firms. 422 00:28:02,247 --> 00:28:04,582 The only two in the world that are both 423 00:28:04,582 --> 00:28:08,753 accredited by the NSA and by the payment card industry 424 00:28:08,753 --> 00:28:11,723 so they're in the news a lot 425 00:28:11,723 --> 00:28:14,091 because they do a lot of good work. 426 00:28:16,895 --> 00:28:19,164 So call for help if you need it. 427 00:28:19,164 --> 00:28:21,066 In the meantime, I recommend you, 428 00:28:22,867 --> 00:28:25,070 if you run into an attacker, 429 00:28:25,070 --> 00:28:27,839 recover what they're doing, recover the evidence. 430 00:28:27,839 --> 00:28:30,442 If your forensics guys aren't 431 00:28:30,442 --> 00:28:32,977 drawing you that picture, get them to. 432 00:28:34,612 --> 00:28:38,016 If they can't do it, get outside folks. 433 00:28:38,016 --> 00:28:42,487 You can determine how your attacker likes to operate. 434 00:28:42,487 --> 00:28:45,223 You can get, ever hear of left of boom? 435 00:28:46,658 --> 00:28:49,928 You can get left of them and David Sanger in his book talks 436 00:28:49,928 --> 00:28:53,698 about left of launch which I thought was pretty interesting. 437 00:28:53,698 --> 00:28:55,600 Talking about the North Korean missile launch 438 00:28:55,600 --> 00:28:59,204 and how we actually apparently 439 00:29:01,005 --> 00:29:03,975 stopped some of those with electronic means. 440 00:29:05,176 --> 00:29:06,511 Pretty interesting, 441 00:29:06,511 --> 00:29:08,747 so just a little persistence is all you need 442 00:29:08,747 --> 00:29:11,449 to put together that hard evidence 443 00:29:11,449 --> 00:29:15,487 that can be now be shared thanks to the ATT&CK framework. 444 00:29:15,487 --> 00:29:19,491 So get out there, share, if you run across something, 445 00:29:19,491 --> 00:29:21,126 let us all know about it. 446 00:29:21,126 --> 00:29:24,529 Alright, thank you very much, appreciate it. 447 00:29:24,529 --> 00:29:27,265 (audience claps) 448 00:29:28,099 --> 00:29:31,101 (suspenseful music)