So Jake is going to talk about attribution, which I can only presume is going to be exclusively about either Russia or China. So let's give Jake a big round of applause.

Thank you, everyone. Great to see everyone here. I seriously don't see enough beverages in people's hands, though, so maybe you should fix that. But my name's Jake. I'm the CSO for Risk Based Security. I've been doing a bunch of vulnerability and data breach intelligence stuff for quite some time. I'm going to also recognize Lee Johnstone for all the work and the creation of the data and everything. So the talk here today is Cyber Who Done It? Attribution Analysis Through Arrest History. So we really are going to play a cyber drinking game. You guys are just going to have to get over it, because we're going to say cyber a ton through this talk. So any time you see in the slides that it says cyber, or you hear me say cyber, you should drink. I only see a few beverages over here, so we'll see. And I don't care if it's beer or root beer, so no pressure. All right, so if you look back over the last five years, data breaches just keep occurring at alarming rates. It's just ridiculous, the amount. And it just shows that it's not getting better. And so it doesn't matter how many blinky-light boxes we buy from security vendors, we're still seeing a ridiculous amount of breaches. In fact, 2015 was the most breaches that we've ever, ever tracked. When you look at how these things are occurring, there's that old 1970s thought process, I think from the FBI, that says the insider, right? But when you look at the data from 2015, it shows that 77% of them are actually coming from the outside, right? Now an insider may hurt you the worst, but it shows, in terms of likelihood, the outside is where it's occurring. And then when you break it down by the breach types, hacking is just through the roof, right? So we're just seeing a ton of hacking, and it's been that way the last couple of years.
When you look at where it's happening, what countries, where these organizations are being impacted, this isn't just a USA issue, right? Now, while the USA and the UK account for 46-plus percent of the breaches, it's not just there, right? So it is a world issue. And year to date, we still suck, right? We're not getting any better. Over 2,000 data breaches confirmed already, and it's the most records that we've ever lost in a single year. We're already at over 1.1 billion records being lost, and we still have a couple of months to go. So not seeing much improvement at this point. The question we get all the time when we're tracking these data breaches is, who's behind all this stuff, right? Who is behind and causing all of these data breaches? It comes up all the time, specifically for the hacking events: who's behind it? So this leads us to this whole concept of attribution, right? And if you try to get your head wrapped around attribution and what it really means, you can start looking on good old Wikipedia, right? And that gives us a few different ideas about what attribution is in other disciplines. So in social psychology, attribution is a process of explaining causes of behavior and events; in copyright law, it's about crediting the work; and journalism is about attribution to a source, right? So you start to get familiar there. Now in the cyber world, we basically just want to know who did this, right? We want to know, what the hell did you just do? What actually happened? What was done? And then finally, why? Why did you do this? What are the motives? Can I have some reasons, right? So if you think about it, you always hear this saying, you know, knowledge is power, but in these days and times, it's really starting to be that attribution is power, right? And this seems to be the case. We want to know what's going on, who's behind all of this stuff.
So nothing brought this attribution debate and problem into clearer focus than the Sony breach in December 2014, right? So we should all remember this whole GOP, Guardians of Peace, post taking credit for this breach. And there was serious debate over this breach. What were the motives, who did it? And the back and forth was so ridiculously bad, it led to a ridiculous amount of lulz from the security community, right? So we actually created these cyber war attribution bingo cards. They still exist; if you want them, you can go out to the website and generate your own cards and play along, right? And see what happens. But if you're not up for games, then there were a couple of guys that created the Sony hack attribution generator. So you can go to the website and then just refresh to get what you want. So you go to this first one and you get the nice report here about a Sony manager behind it. I don't like that one. A Romanian organization, that's better. Well, now we have North Korea, right? Here's a nice detailed report. You can just keep refreshing, right? So you guys can get reports. They weren't the only one. We actually had another website created called whohackedus.com. You can get attribution reports here. Here we get China, right? Crouching panda, hidden dragon. So there's your China reference starting. But if you don't want a detailed report and that's just too much, guess what? We had the industry create cyber attribution dice. So you can just roll the dice and get the answer, right? And why would you pay for high-priced forensics when you can just roll the dice, right? That's probably the best attribution you're going to get anyway. Some people weren't so thrilled about the cyber dice, and they said, you know what we need? We need a magic eight ball. And guess what? Twitter answered. We have the attribution eight ball, right? Unfortunately, it hasn't been active recently.
So whoever's behind this account, I'd appreciate it if you could step up your game and start tweeting out some stuff again for us. But Twitter's just not enough. So we have Duo that comes up, right? And they create the actual attribution eight ball. And of course it's China. And you've got to love the pictures behind there, right? It was China, and who's showing, right? So we see that. Then we see good old SwiftOnSecurity, when we're talking about the Myspace breach and whether we should blame Russia or what's going on, saying, hey, we need another magic eight ball. And at this point in time, because we know the attribution eight ball is so important, ThreatButt comes to the rescue. And so, no offense to Duo, but ThreatButt creates an attribution eight ball. And if you don't know about ThreatButt, you should, because they basically provide the maximum protection from threatening threaty threats like China. So we're really pleased that they were able to help us out here. So thanks to ThreatButt for all your hard work. So with all of the lulz aside, I mean, it's a serious issue; when people joke about stuff like this, it's because there's something behind it, right? And the jokes are funny, but let's get back to the Sony breach and walk through it. And the point was, who did this thing, right? Everyone wanted to know. And for the purposes of this talk, there were basically two major viewpoints. One was North Korea. And the other one was an insider, also known as not North Korea, right? And so on the North Korea side, we predominantly had CrowdStrike and the FBI. And on the insider, also known as not North Korea, side we had Norse, Mark Rogers and Kim Zetter from Wired coming out with information. So here's from Norse, right? So Norse basically was not involved in the case itself, but they said they were doing their own investigation. And they said that the Norse data was pointing towards a woman who called herself Lena and claimed to be connected with this GOP hacking group.
Norse believed that they had identified the woman, who had worked at Sony in Los Angeles for about 10 years and then was involved with it. And so what comes from them is, we are very confident that this was not an attack masterminded by North Korea, right? So they're coming out pretty vocal. It's not like, maybe; it's we're pretty damn confident it's not them. Then you have Mark coming out basically saying he wasn't seeing hard evidence either, and he has some really good articles. If you haven't read them, you should go to his website and read them to better understand his point of view. But he mentioned things like the broken English that was being used for attribution looked really too deliberate, right? The code that was written on a PC with the Korean locale, that makes it actually probably not North Korea. Hard-coded paths and passwords and whatnot really did make it seem like someone knew that information from Sony from the inside. And one of the other things that he said too was that blaming North Korea was an easy way out for people, including the security vendors that were brought in and paid, and Sony management and all that, because of that whole Interview movie and everything. It was just sort of an easy way to do it. And you can see here, even after the FBI started to come out and say it was North Korea, he was still saying, I still don't believe that that's the case. Kim Zetter from Wired, she basically published a story saying that the evidence was flimsy. Again, a great article if you want to get some more information about it. And she basically was saying that we should be skeptical of these assertions about who's behind it. And it's easy for attackers to plant these false flags, or point to North Korea, and those sorts of things. And a lot of the evidence that was presented was circumstantial, right? And then here's Dmitri from CrowdStrike. So he comes in and basically says North Korea. And that's it, North Korea, nothing else.
Now what's funny is at Black Hat, I ran into Dmitri for the first time, and I sort of told him, hey, Dmitri, your face is going to pop up several times in my talk at DEF CON. And we sort of had a spirited debate for about an hour. He still believes it's North Korea and that's that, right? Now what was also interesting was we started to see this attribution stuff really go mainstream, right? Here you have Mark Rogers and Dmitri on PBS doing a live debate on attribution. Who did it, right? So we're seeing this isn't just, you know, in our industry; it's starting to come out more and more, with people trying to figure out what's going on. So then we have Sony, and this is sort of mid-December 2014. They publish a more official update and a statement basically saying that as a result of our investigation and close collaboration with other government agencies, the FBI now has enough information to conclude that the North Korean government is responsible. So pretty definitive from the FBI. Even though that came out, we still are seeing CrowdStrike versus Norse quite a bit. And there were a few others, but those were the loudest, if you will, talking about this stuff. Actually, FireEye Mandiant, who was hired by Sony, they were pretty quiet in the press. Kevin Mandia did come out and say a few things, such as that the attacks that happened in South Korea in 2013 were very similar to what was being used for Sony. So they attributed those 2013 hacks to North Korea, so therefore it was North Korea behind this. So at RBS, we were actually documenting this whole thing, and we've got this big article, like a breakdown of it, trying to track everything that was going on. And we started to think, right?
You have these two, you know, you've got CrowdStrike and you've got Norse, that are these two ridiculously funded VC companies, the hottest threat intelligence, with ridiculously polar opposite positions, like it's an insider and this is North Korea, and they were both sort of arguing. So it made us start to think about these bold statements. If you make this bold statement and it turns out to be wrong, does it mean that the intelligence you sell sucks? Can't be trusted, right? You come out and say, oh, this is definitely it, and it's proven wrong; then is your product any good? So what we see happen is in January, so all that stuff's going on in December 2014, then we see the FBI come out and again say, hey look, it definitely is North Korea behind this. A week or so after that update, then we see Krebs come out and say that there are some rumors that Norse is about to implode, right? And they're the ones, remember, that said it was an insider, not North Korea. Whether that has to do with it or not, it's quite interesting. Further on that, in March of 2016, you can see this tweet, "sadness defined": this is the RSA booth, it looks like they threw down a huge amount of money for a booth and then it was this, kind of this deserted smaller thing, right? So not so good. And everyone was immediately worried, right? We're going to lose the live attack map. And while most people that I know couldn't care less about that, they like showing it to management to get more budget, right? Like, look at those, it's serious stuff in cyber, right? We need help. But the good news is we have good old ThreatButt that's come back to help us again, seriously, right? The ThreatButt internet hacking attack attribution map. And you can see here, by leveraging the patented Clown Strike technology, they've made it even better, right? So they did give credit to Pew Pew, but they make all the threat stuff better, so. All right, so why is this attribution stuff so hard?
And it's actually even hard to put it into words, but there are people that disagree; if you're in this space, I'm sure you're already upset at me or tweeting bad things or whatever, but the reality is it's still challenging, right? So I want to put out a few things about why attribution in cyberspace is a little tricky. So a lot of the attributes that you typically see in the real world just don't exist in the cyber world. So that sort of hardcore CSI forensic investigation work just isn't as possible, right? It's considered to be easy to spoof some of these things, plant these things. It's considered to be easy to embed other people's works, tools, exploits, malware. Just because you see a sample of this in this particular attack doesn't mean it was the exact same person, right? Someone could have easily taken that code. Now for people in this space, they'll get a little snippy sometimes and say, well, if the source code wasn't available, there was no way it could have been found. I mean, there are lots of debates about this stuff, but it makes it challenging. And then there's that whole concept of not having a physical territory, right? Some markers that you'll hear in the cyber warfare world or the traditional warfare world, like an assembly zone, boundaries to cross, you know, being able to track things back specifically like a missile launch, all those sorts of things, they just don't really exist in cyberspace, right? And honestly, I have so many slides to get through, because as I'm working on this talk, there's more and more shit happening, right? So then we have the DNC that gets hacked, right? So, right, and then it's actually so bad that Jeff and Black Hat have to decide they've got to raise some money for them to get better at security, it seems, so. All right, anyway. So this one, we have the issue, right? And then we have Guccifer 2.0 that comes out and takes credit for the breach, right?
So now we're starting to look at attribution in terms of taking credit for it. And so if you know anything about the original Guccifer, it was a Romanian man who hacked lots of high-profile government accounts, claimed to hack Hillary's private email servers, all those sorts of things. And Guccifer 2.0 goes on to say that Guccifer may have been the first one who penetrated Hillary's and other Democratic mail servers, but he certainly wasn't the last; no wonder any other hacker could have easily got into these DNC servers, right? So then, again, now we go immediately in the press to, all right, cyber attribution and questions there, right? And so everyone's immediately trying to figure out who did this; it seems like an absolute broken record. And Dmitri's back, right? So he's back, and CrowdStrike tells us this time it's Russia. Now, what's interesting for this one is it's a little bit different than the Sony one. There were a lot of people sort of arguing on both sides on the Sony one, but so far most people seem to agree and are saying that it's Russia in this particular case. Actually, the only one so far that I've seen that hasn't said it was Russia was Donald Trump; he was being interviewed and he said something like, Russia, Russia, eh, it's probably China. So now China is somehow brought in, allegedly. But here we actually have Fidelis, they're another security company, and they came out and basically said they are also very confident that it's Russian actions or actors. And what they said was based on looking at the code: there was the use of the Russian alphabet keyboard and the time zones some of the malware was compiled in, and those sorts of things. They also went on to say that the evidence pointing to Russia was so convincing it would have been a very elaborate scheme for it to be anyone else. And so that's a little, I don't know.
I look at it and I start thinking these are the things that people complained about the last time around, that could be spoofed, and all those sorts of problems. So if it is, the wording that they're using is a little tough. All right, so then the media right now still isn't clear. There's another article that's published saying, hey, is this an individual? Is this a Russian front? Even though I see most of the security people agreeing, they're sort of saying experts aren't so sure. Can you imagine that? We don't agree in the security world. CrowdStrike were the ones hired by the DNC. But again, everyone sort of does point to Russia right now. We have Clinton stating this is Russia; she draws some sort of line to Trump, maybe. It's a bit confusing, because it sounds like the DNC's been owned for a really long time. So in my mind, I don't even, Trump wasn't even considered a candidate then, but we're now blaming him for potentially doing it. And my sort of, the reason why I think this one's interesting is because now it's not just who did it, it's who's behind it, trying to orchestrate and make people do these hacks, right? So we're just getting more and more of this sort of stuff, and the conversation about who, what is there to be gained and who can gain from these attacks. All right, now we're getting a little more interesting in the DNC, because shortly after the DNC hack was attributed to Russia, it's now reported that there's a professional cyber attack that hit the Russian government. So we start thinking hack back now, right? And so some articles come out saying that the NSA is likely hacking back due to the DNC hack. Now most of you are giving me blank looks, dirty looks, saying, hey, you think this is the first time that we haven't been hacking all over the place, that the NSA hasn't been hacking? But other people will say and start to believe that this may be the first major time that a sanctioned nation-state hack back has occurred, right?
So we just keep going down this path. So it leads us to the question of, does it actually matter if we get cyber attribution correct? Do we even care, right? For most companies and organizations where you work, does it really matter who attacked you? You've got to deal with the breach, you've got to deal with the problem. The fact that you got hacked is the issue. That's not going to change a whole lot about financials or whatever else, right? But for other cyber attribution, it does really matter. Because after the Sony attack, right? When the FBI concluded it was North Korea, then the USA imposed new sanctions on North Korea in response. In February of 2016, Congress sends a North Korea cyber sanctions bill to Obama, saying that anyone that's caught aiding the country's cyber cane, they're going to get penalties now as well. So we're seeing the attribution leading to real-world things. So last month, North Korea expressed their thoughts about the US sanctions. The foreign ministry issued a statement carried by the Korean Central News Agency, basically saying the sanctions on Kim and 10 other officials were peppered with lies and fabrication, and then went on to say that now that the US has declared war on the DPRK, any problem arising in relations with the US will be handled under the latter's wartime law. So we're seeing things, even though there's a lot of rhetoric that comes out of certain countries, we're seeing things escalate based on attribution. And then just a few days ago, now it's reported that the United States is considering economic sanctions on Russia for hacking, right? Nefarious activities in cyberspace, and economic sanctions have been used before, and they could possibly be used in preparing a response to cyber threats. So how can we actually figure out what's going on behind these hacks? Or why can't we, might be a better question, right? No security firms typically tend to agree.
We can't trust people claiming attacks; it's easy to hide IP addresses via proxy servers, Tor, et cetera. Correlations, as we've already talked about, between certain pieces of malware really aren't hard evidence, although people in this space will debate that to the death. Information and evidence many times isn't fully shared, to protect sources. So it's just, trust me, this is what it is. And then there's this whole behavioral analysis, doing analysis of writings and things like that, which doesn't come across to many as very hard evidence. So then as we go from there, the question becomes, do we actually need to improve our cyber attribution capabilities? And I don't really care for the folks that think that they're doing it really awesome and it's well enough or perfect; that's great. There are still others that aren't so sure. But I think that if we're going to be punishing countries and getting more of this active war rhetoric, we better be damn sure that when we come out and say something, we actually know what's going on. And so regardless of whether you're on one side or the other in terms of how we are with attribution right now, I think we can all agree that we need to continue to invest in and improve digital attribution. It's clear the impact it could have. And there are a lot of smart people working on this, so I think that's great. All right, so this leads us to the Arrest Tracker project. So what we wanted to do was collect data to hopefully better understand what's going on with cyber crimes, right? Another viewpoint on attribution, and a much different lens, right? And so Arrest Tracker was originally founded by Lee Johnstone. He's also the founder of Cyber War News, if you've ever followed any of his stuff, a really smart researcher. And so it was founded in 2013. And the project aims to track computer intrusion incidents resulting in arrest, detaining of persons, seizure of goods and all sorts of other things.
Tracking incidents from all cyber. Again, if you have alcohol, drink; I've been trying to say it as much as I can. Also, if you notice in the lower right-hand corner, it says cyber on every slide, so I wanted to make sure we were going to get to where we needed to for later tonight. And hacking-related incidents. So right now there are over 1,400 incidents collected, and it's more than just arrests, but we ended up finding out that if you just say you're only tracking arrests, there's a lot that goes on around it, so it's more than that. We're labeling it cyber crime. And now, as of today, the project is officially launching. You can go out and sign up and check things out, et cetera. So it's arresttracker.com. So the fields in there, we're trying to figure out all the different fields that we're trying to track. And with any project, if you've ever done data work, you start out and try to track a few fields, and all of a sudden you're like, what about these? And you just keep adding stuff on, right? But so far we're trying to figure out things like the profile: name, alias, gender, age, location. Are they part of hacker collectives, operations, all those sorts of things? In terms of the incident: when did it occur, which country, arrested, charged, raided, all that sort of stuff? And then even looking at things like courts: was there a deal, was there a trial, fines, fine amounts, convicted, sentenced, all those sorts of things, and even some more things about the legal side and authorities. All right, so what can Arrest Tracker help us with? Well first, we definitely need to recognize there are some limitations with the data, right? So some quick disclaimers. So if you're a data scientist or a data security metrics nerd and you want to come give me grief, I get it. But we're trying to start somewhere and grow this so we can have some data sets to look at as we improve and get better. But you have to remember, there are some limitations.
We have to remember that this is mostly about arrest data, right? Arrest incidents are what we have the most of. And so it tells the story from that viewpoint. We've expanded, as mentioned, to cover more cyber crime, and we're going to continue to add as much as we can. We're using data based on reported arrests and raids, right? So we're gathering everything we can from the media. So if the reporting is bad or wrong, it's an issue, right? We do source everything in there to try to have our own attribution to where we got the information from. And if the courts are wrong, which, when has that ever happened, right? That's an issue too, but we're pulling in all the data that we can and putting it in. So we also need to remember that in many cases, the government allegedly would rather track and follow criminals instead of arresting them, for various reasons. So again, we're only adding in data here that has had some sort of crime, prosecution, arrest, et cetera. So with that said, what can Arrest Tracker tell us? Well, quite a bit, actually. So detailed statistics about cyber crime arrests. Who's behind these data breaches and crime? What are the demographics? What's going on with extradition? Details on sentences, monetary fines, learning about law enforcement and what's going on? Certain judges and how do they view cases? And then profile a hacker, and I'm sure anything else that you guys can think of, we can ask the data set. So most people are always asking us, what is a hacker? What's the profile of a hacker? And the media basically has settled on the ski mask behind the laptop, right? We all agree on that. I sort of thought it might be funny and interesting if I asked Google Images what it was, and here it is, and what I found here was, as long as you have a hoodie on, you're a hacker in Google's mind. But we also have a couple of new faces now with Mr. Robot, right? So these are some new faces of what a hacker is.
But what's even more interesting is these are the real faces from Arrest Tracker behind the project, right? So we're tracking what folks look like and all those sorts of things as well. So you can see this helps us better understand. So looking at the timeline, here's an eye chart for people way in the back that shows that there have been crimes and incidents going back to the 1970s, right? There were some, and you can see that over the course of time, but really not a lot of activity in this space or incidents that we've tracked until the 2000s. If you drill in closer on the 2000s, you can see that things are on the rise without a doubt, right? We're seeing a lot more activity in this space. So the cyber incidents over the past decades: the 70s we saw two, the 80s, 37, the 1990s, 59 incidents, the 2000s, 345, and the current decade, 988 incidents. So we're seeing quite a bit that we're adding in. Now, that being said, there is a lot of old research. So Jericho of attrition.org has done a to-do list. It's been on it for a while. Actually, I'm going to have to give him some grief to go through some of these old books and pull out some more incidents from the 70s and 80s. So we definitely need more help and more research putting in some of the older things as well. So the oldest incident from the 70s we actually have is from 1971, and that's this screenshot of what the Arrest Tracker profile looks like, where we're trying to capture all the different bits of data. And so you can see here, Hugh Jeffrey Ward, it occurred in '71. He was 29 years old at the time. He was accused of breaking into the ISD computer systems and stealing data. Trade secret theft, pled guilty, fined $5,000 and 36 months of probation. So that's 1971. Now, does anyone recognize this picture? There's laughing, but does anyone really know it? The guy that had the most friends on the internet for a while? This is Tom, there we go, right? This is Myspace Tom.
So Myspace Tom, maybe people don't know this, he was a co-founder of Myspace, but the media back then reported him as a real-life WarGames hacker in the 1980s. And so he was also known as Lord Flathead, AKA Myspace Tom. And so this is his profile in Arrest Tracker. And so in 1985, he had an issue. He was about 14 or 16 at the time; there are some conflicting reports there. But he allegedly hacked into Chase Manhattan Bank and told his friends how to do it. The FBI raided him in California and seized all of his computers. And so no charges or criminal convictions have ever been made related to this incident. He was a minor at the time. So again, that's one of those reasons why we expanded the project from just arrests into tracking a bit more stuff. So 1980s, Myspace Tom. And what's interesting about this, as we've been collecting each of these incidents about the people and what's going on, each incident in Arrest Tracker has a story to be told, right? And so from the 90s, we pulled out some folks; the Mitnick story's been told many times, even last night, with the movie night, the 2600 stuff, but there are many other people in here that each have their own story to be told. Here's from the 2000s, some notables that you may recognize or not, but some of these folks you may not know what they were up to, and they have their own story. And then here are some more recent arrests, and some of them have some really bad and sad consequences of our legal system as well. So there are lots of other notable arrests out there for various reasons, things like the first prosecution of a particular crime, the severity of a crime, the length of jail time or what the fines were, potential overreaching of regulatory actions, impact to those accused, et cetera. All right, so some statistics on arrests. So we get asked just absolutely all the time, any time we mention Arrest Tracker, about the profile of a hacker. That's the biggest question that comes up.
So we knew that once we had a fair amount of data, we needed to start looking at the demographics of things. And so we started with age. And so the youngest age that we have is 12 years old, believe it or not; he traded pirated information to the hacktivist group Anonymous for video games. So sentenced to 18 months, which includes limited access to internet devices, 30 hours of community service, and under supervision for six months; the boy also had to choose some sort of structured activity of his choosing. And this was in 2013 in Canada. So 12 years old is the youngest. And the oldest, though, was 66 years old. John McHugh, also known as Devilman. Male, busted for selling cards on the dark web. This was in the United Kingdom, and he was jailed for two years. So you can see this one. And so what that led us to look at is, we knew we had the youngest at 12 and the oldest at 66, but what's the breakdown in the distribution of ages, right? Most people, when you say who's hacking, who's doing all this stuff, it's some bored high school or some college university student on spring break. But what we saw from the distributions is, you can see 18 through 25, 349 incidents, and 26 through 35, 304 incidents. So those were the largest groups, while there were still other age groups. And that currently leads us to an average age of 27 years old. And then we wanted to look at that 27-year-old average across all the years to see how it was year over year. And it was pretty spot on year over year in that range. All right, gender equality. There's been a lot talked about this all over the place, and so we thought, hey, we should look at the same thing to see what's the breakdown in genders for crime and arrests. And yeah, it's all guys. So we still have a little more research to do here, but in general it was 81-plus percent male. And so we're going to do a little bit more work in this space, but again, just trying to get those profile demographics.
So which countries do most hackers reside in, or what's in our world, what's the country of origin for the arrest? We get asked this all the time as well. And everyone really thinks this is gonna be, you know, it's gonna be China, right? This is what it looks like, with just Chinese hackers everywhere. But again, if you think about what we're doing with arrest data, it's based on arrest data, right? And so obviously for us, United States is number one, right? You can see there. Note that China's number 10 in this. So there are arrests and there are crime things going on, but because of the data and the lens that we're looking through, number one is the United States and number two is the United Kingdom.

Now, collectives. We wanted to get our heads wrapped around, do most folks that get in trouble in a cyber crime area, are they sort of solo, like lone wolf hackers on their own, or are they part of some sort of collective? And also, if one person gets arrested, does that mean that like a bunch of others are gonna follow? And so in Arrest Tracker, there are 58 known collectives that have had some sort of confirmed incident. And we see that Anonymous is at the top with 130. So anytime that we'll find out about an issue, if it's related back to a collective, then we go ahead and add it in. Same thing with hacker operations. We wanna start trying to get a better feel for, when you talk about these hacker operations and what they're going after, how many are they and what do they lead to in terms of arrests or any crime sort of prosecution? Right now we know about 21 hacker ops, with Operation Payback at the top. And for some of you old school folks in there, you'll laugh at a couple of the other ones that are listed up there as well.

All right, so is an arrest inevitable? Are you definitely going to get arrested? So if you look at it in terms of the data breaches, right? So in 2016 year to date, we already said there was approximately 2,000 data breaches year to date.
We've seen 70 confirmed arrests so far. In 2015, there were approximately 4,000 data breaches and we saw 134 confirmed arrests. Going back to 2014, sort of the same message, right? Approximately 3,000 data breaches, about 47 arrested. So nowhere are we seeing a data breach equaling an arrest, right? And what's interesting is the data so far shows that there's 610 days on average from when a crime happens, if you will, until the incident or the arrest. So there's definitely a tail from when something occurs to when there's some sort of prosecution or raid or whatever, and we're going to continue to add data and stats in that regard.

All right, so then we started to wonder, maybe silly things, but when would you be most likely to be raided or arrested? Which day would it be? Anyone have a guess? I think I heard it over here. Hello, Monday, right? So someone maybe has a bad case of the Mondays, could be really bad, right? We originally guessed, when we thought about it, we thought it would be on a Friday, but looking at the data, you get to enjoy your weekend and then on Monday, it's gonna be a real bad day for you potentially. And then we started asking other questions like what part of the year, what month would it be, right? And Arrest Tracker could tell us that same thing. No one ever gets this one right, so I won't even ask you guys, but April seems to be when more showers come down on the hacker community as well.

So now countries pursuing cyber crime, as you can easily guess, USA is the most active, number one, right? But the top 10 is somewhat surprising in some cases, and China, no, they're not in the top 10 of pursuing cyber crime, okay? We started to look at things like extradition, and we're currently seeing that only the USA has any extraditions that are tracked. And there's 42 of them that we're aware of.
And so you can see the top five countries: Russia to the United States at eight, Romania to the US seven, Estonia to the US six, Canada to the US three, and the United Kingdom three as well. Not every country allows the USA to extradite folks, but there are treaties in place with more than 100 countries out there. Here's a quick little map of it. You can see in the darker purplish color, that's the USA, and all the blue ones are places that we allegedly, according to Wikipedia, have extradition treaties with.

So now we looked at jail time. The longest jail time that we had, the worst case, we thought, what would that be? And what we found was actually crazy, 334 years. So a guy in Turkey, he created fake websites, then impersonated banks, and I think the lesson that Arrest Tracker will tell all of you right now is don't mess around in Turkey, because it's bad news there in terms of jail time, right? We started to look at fines, and we want to understand things like what's the average fine, what's most common, the largest fine, et cetera. And what we found was the average fine that we know of right now is a million US dollars, but the most common fine, which occurred 13 times within the database, was $5,600. The largest fine was the WorldPay hacker, Victor, $8.9 million US dollars, and he was convicted and tried in a Russian court under FBI charges.

The other thing too that goes on is there's some people that just can't help themselves, they just can't stop. So many times there'll be cases, multiple cases that are consolidated into one case, so this can be a little bit hard to figure out sometimes, but we've been able to find through Arrest Tracker that 17 people have had multiple arrests. And another question we get asked all the time is how many people, when they get busted, are assisting authorities. And so we do have the fields in Arrest Tracker to track this.
However, it is pretty rare and it's hard to find this data, but when looking through the database right now, there are 30 people that are confirmed to have assisted the authorities in some fashion.

All right, so getting down to this, what is the profile of a hacker? So the data suggests that really, there's no single hacker or cyber criminal type, right? It's sort of a bit all over the place, but if we were forced to say what the profile of a hacker is based on averages and things that we can find: gender's gonna be male, the age range is gonna be 18 to 35, or in the average 27 age range. Again, gonna be in the US, a lot of that is because, again, of the arrest data that we source, but if not the USA, it's gonna be the UK or Philippines. The crime will be hacking; if it's not hacking, then after that it'll be some sort of cyber fraud or data theft that we classify. And most likely active since the year 2000. Motivation, right now, we're still having problems tracking that in a relevant way, so we're still trying to figure out what we can do in Arrest Tracker to make that a bit more clear.

All right, most wanted. Who hasn't been arrested yet? Well, I'm not sure if everyone knows this or not, but the FBI at their website maintains a listing of wanted cyber folks. You can go out there and check it out. There are 28 total listed as of just this week. They have a profile basically on everyone that's listed up there, so they'll have your picture and a wanted poster, and then an alias and a whole bunch of other information, weight, eye color, all that sort of stuff, and then details on the rewards that they'll offer if you can help bring them down, some other remarks. And there's this other section that's called caution that'll put a lot more details on what they were up to and even mention things like if they're considered a flight risk and all those sorts of stuff.
And in this particular case, offering a reward of up to $3 million for information leading to the arrest or conviction of this particular guy. So you can see here, here's a listing of all the images from the website. The profile looks a little different than the arrest data that we've been talking about, right? And what's interesting, if you had to guess the total amount of reward money all added up, it's about $4.49 million in potential rewards if all these people were, if someone informed on them to the FBI.

What we're also starting to see too, is that when hackers are doxxed or when information becomes known, are they definitely going to get arrested? And so what we saw in March of 2016 is GhostShell, many of you know, doxxed himself, he revealed himself. And he described that he had been active since January 2012, that he was one of the ones that started Operomania, he's attacked the government, all those sorts of things. So this is, you know, March 2016, but then here he's leaking 39 million accounts in protest, and that was in June, right? So all the information about him, he came out and basically said everything, who he was, et cetera, but he's still active. And so it's clear that for us, we still want to make sure we understand a bit more about law enforcement, specifically about cases. Are there certain characteristics of data breaches or cyber crime that lead to more law enforcement? Those sorts of things. So we're trying to track more on that so we can get a better answer.

All right, so as we're wrapping up here now, what's next for us? Well, the actions are clear for us, as data quality is top of our mind. We want to make sure that we continue to have the best data, that we have everything that we need so we can answer these questions as best as we can, but at the same time, answer all the questions that people have for us. So if you find something wrong and you log into the project, please tell us, right?
There's no problem in authorship, we want to fix things up. We care about the data, we want it to be accurate. And we want more data. We want to increase coverage of cyber crime events. We want more data fields per incident, per person, all those sorts of things. So if you're interested in helping out, please do.

For future ideas and features that we're looking at, we're trying to add more data fields about individual persons. So the ability to handle complex issues, things that you wouldn't necessarily think of, like a Romanian national that lived in Canada for 15 years but then was arrested in the United States, right? We want to be able to try to track some of those things, so when we get asked about location and profile, we can explain it a bit more. A lot of thought's been going into the ability to track motivation and then mapping to known data breaches so we can understand impacts and all those sorts of things. Are there certain types of hacker profiles that go after certain types of industries, et cetera? More work on the most wanted. Some thoughts we've had are, how long are they on the most wanted list before they get arrested? Things like that. And how many people that have been arrested work for security companies, right? And then even a subsection for piracy and all those sorts of things.

So what comes next? Are we gonna see arrests in cyber crime, prosecution, increase or decrease? We think the answer is gonna be increasing. We're trying to figure out what the legal environment's gonna look like and if that's gonna get more harsh. And then can we take this data from Arrest Tracker and actually apply it to your work, right? Can you use this to help you not just, you know, laugh about, yeah, it's Monday and April and those sorts of things, but if you're in the legal space, can you look at how things are happening? Are there overreaching regulations in your day-to-day job? Can this help you figure out how to be defensive, et cetera? So we're open for new ideas.
If you're interested in working with us, we'd love it. If you've got other ideas, we're open to that feedback. And if you wanna help, definitely please contact us. So I wanna thank Lee Johnstone for all his hard work founding the Arrest Tracker Project. It's a ton of data, it's a ton of work. I wanna thank Brian Martin for all his help. I wanna thank everyone else that's been interested and hung out here and been drinking with us for this session, and thanks to the DEF CON CFP team for the opportunity to present. So believe it or not, this was 140 slides and cyber was pretty much on every single one of them. So I hope you guys had fun playing along. Look forward to seeing you tonight. If you have questions, I'll be over here. Thank you.