Good evening, everybody. The next talk is on "These aren't the APT reports you're looking for". We will be hearing about the bad guys on the internet, how they are behaving, and how they are changing their behavior when we look at them, to improve the defending against them. And here we have Inbar Raz and Gadi Evron. I hope I pronounced it correctly. Who will give us an insight there? Stage is yours. Thank you. And play. Guys, we started. Well, we started. Anyway, while they fix that, Gadi, feel free to help them. Welcome to our talk called APT Reports and OPSEC Evolution. Or these are not the APT reports you're looking for. This is actually not the first time that I start talking without my presentation. So this is not at all exciting for me. Basically, what we're going to talk about today, we're going to talk about how APT reports mostly are beneficial, not to the defenders, but actually to the attackers. Now, when we say defenders, we're not talking about fellow malware researchers. These guys, they know their business. They've been doing that for a while. They're very technical. By the way, this presentation, oh, thank you. This presentation is not technical. If you're looking for IDA screenshots and stuff like that, it's not that. Malware researchers. Walk away now if you're looking for kernel shellcode. Yes. Malware researchers, you guys can go to the encryption talk. So yeah, I know. I can see that. Thank you. So these are not the APT reports you are looking for. Quick introduction. I'm Inbar. This is Gadi. That's about it. And why are we here? So I used my time without the presentation to say that. We want to simplify the attack process and demonstrate the evolution of various actors over the years and suggest ways to close the gap. We're going to stipulate that there's a gap, an information gap, between the attackers and the defenders. And while I let Gadi start, there's just a little tradition that I have over the years. I'm going to take my shoes off.
It makes me feel more comfortable. And I'll start with David from Kaspersky. He'll be watching that. So David, this is for you. Let's everybody watch Inbar take his shoes off. He's hiding behind his podium. So a little disclaimer. We're Israelis. So last year when I was talking with Tillman, I interrupted him. We talked together. But essentially, I need to do a disclaimer that as Israelis, we interrupt each other. We're not actually fighting. As a disclaimer, just so you're ready for that. Or at least that's the story. That's my claim and I'm sticking to it. So let's tell you a little bit of a story. We're going to get into several stories and several examples about APTs and their evolution, how we can counter that, as we believe we should. But before that, a couple of examples for what we are essentially interested in doing this talk. So, Aurora. That's the beginning of cyber. We can agree to that. But then we had APT1. And on the one hand, as a security guy, I said, what, what, what? I know this is happening. Why is this such a big deal? Why is it in the press everywhere? But APT1 was cool. It was the first time that an attacker, a threat actor, was fully compromised. They showed everything. APT1 with their pants down, essentially. They even showed a picture of their offices. That was pretty awesome. And they changed how we see things because now we actually had proof this was going on. And it actually affected the bad guys. But they were not alone. They were not alone in finding out that their entire infrastructure is now gone. And what are we going to do now? Oh, my God, it's going to take us a year and a half to come back and build back our entire infrastructure. And all our new Trojan horses are gone and the vulnerabilities and everything. But then there were also other campaigns. Stuxnet, as compared to Flame. Stuxnet was very tight. Bigger than most malware, I guess. But that's debatable. Well, essentially it was 500K.
Modular, built for a specific target, very much about OPSEC. It was all about these centrifuges in the Iranian facility. And then on the other hand, you have Flame. It's huge, 20 megabytes. Everything you can imagine, all the modules, all the vulnerabilities, everything that can possibly go wrong when the threat actor loses this specific campaign, this specific Trojan horse, is now done. Just try to imagine, if APT1 was affected badly, at least according to Mandiant, were they to replace their entire infrastructure, their entire tool set, as far as we know. I wonder, we don't have any information, but how did the Flame guys act? 20 megabytes. It's insane. So how do people evolve? How do they cope with that? How do other threat actors react? So we can see a few examples. For example, Gauss, it was a scaled operation, but the example Kaspersky gave was very target specific. It would only open on a specific machine. They couldn't open the encryption. It was pretty complex, technically. I don't get it. Maybe you would if you read the report or read it. But it was pretty interesting. APT3, Pirpi, depending on the name you like, we recently responded to an incident involving APT3. And much like many other types of APTs, they first now put a dropper down, do their thing, and then use their heavy tools, not to lose their tools immediately as they enter the network. You've got Rocket Kitten. Tillman and I did the talk last year, then Trend Micro and Check Point and other people came in and talked about it as well. And essentially, they used an off-the-shelf tool, Core Impact, everybody with their own OPSEC, with their own calculation. Now, Inbar. So let's cover OPSEC in 60 seconds. What is OPSEC? OPSEC, operational security. At first, you want to ask yourself, why do I even need that? What do I achieve with that? So one, you have to assure success. You're here on a mission, right? You need to do something. You need to steal information. You want to sabotage.
You want to do something. So if you came all the way here and went through all the trouble, you want to succeed. And then you want to prevent detection. Detection is not good for you. It's not good for your reputation, for your end of the year bonus. And it might even prevent you from finishing your task if you got detected too early. And last, but not least, is the thing called attribution. Attribution is... Well, it started as a serious thing. Not so much. We're going to come back to that later. But you would like to not be identified if you do get caught, because sometimes you do get caught. And this actually also exists in other processes as well. When you do software development, you have your QA process, your design, if you have security by design, and stuff like that. It's intended to basically achieve the same goals, maybe except attribution because, obviously, they know who you are. But when is it compromised? When is your OPSEC not what you want? Well, first of all, time to market. OPSEC bears costs. It takes time to do. You have to invest resources in maybe developing tricks, or maybe you have to be very careful or do something very slow, okay? For example, I can walk through metal detectors, and obviously, you know, I am half metal, but there are some detectors that if you walk through them slow enough, you don't get caught. And you need to see the faces of the operators when I do that. True story. Scalability. Sometimes in order to be able to scale up your operation, you're gonna give up some principles. For example, what happens if one sample gets caught? Well, there are gonna be many others, and they're going to be looking for them, so that's something that goes away. And of course, ease of deployment. Maybe you wanna use the same C&C infrastructure. Maybe you wanna use the same distribution channel. If your distribution channel gets compromised, then now you have a big problem.
And what we're basically saying, and this is a generalization, by the way, the entire talk, it's a generalization. So yes, there are always contradicting examples, but we have a storyline which we're trying to follow. So if you wanna tell us that there is a contradicting example, you're probably right, come tell us later. Most of the APT reports represent some sort of an OPSEC failure. Someone got caught, and someone managed to discover what happened there to a certain degree. So what we're trying to say here is, you need to know the enemy. Now as a defender, you don't always know the enemy, because when APT is being created by nation state actors, they don't really share their failures with you. You end up reading APT reports. So what we're trying to do is trying to figure out what the other guy thinks. Now we do have one good example, Hacking Team. I hope there's no one here from that nice company. Well, they got caught, and not only did they get caught, but their emails were leaked as well. And we actually have information. We have their emails, and as the report says, their primary concern seems to have been not getting caught again, which is understandable, because it's kind of bad for your business. But when it comes to nation state actors, we don't have that information, so we're gonna try to figure it out. That's just for the record, we didn't really emphasize it, a Citizen Lab research blog quote. Yeah, thanks to Citizen Lab. And we're gonna try to sort of reverse engineer the thought process of an attacker, and here's a problem. Many APT reports suck. Now when I say suck, I am trying to be provocative, because I've learned that that's sometimes a way to achieve things. Inbar, didn't you write an APT report? DVI cover, what? Didn't you write an APT report? I did. It was one, one, I think a co-author is here, I'm not sure. And then I stopped. Didn't you present one here? I may have. You may have. I may have. You may have.
Okay, so what's wrong with APT reports? This guy, he's a commentator. He sits up there, and he tells you what's going on in the game, right? And an APT report or a malware research is a lot like you telling me how good the other guy is, right? Look at this most sophisticated attack platform. Look at this amazing deployment technique. Look at this amazing rootkit. And it's very nice, but as a defender, if I'm not a malware researcher myself, that's not useful to me. APT reports are commonly very long. Some of them are as long as 60 pages. And in those 60 pages, there is so much technical information that sometimes you just don't know what to do with that. And many APT reports that we see, the public ones, they're not full. The ones that we see are intended for PR purposes. And the full reports are only shipped to some, maybe paying customers, or maybe there's not even a fuller version than the one that we see. And as a result, there is an asymmetry. You were horrible. I see not everyone gets it. Asymmetry. He's calling me fat right now, just so we're clear on what's going on here. Oh, I called you bald. So there is an information gap because the attacker can use all that malware research stuff. So the information gap benefits the attacker, but not just the attacker. Everyone learns because all the other actors are reading the same reports. And even though this talk is about APT and nation state actors, we'd like to remind you guys that the malware writers that work in the cyber crime world, they also read the reports. And actually what we're seeing whenever there's an APT report out, the technology is leaking to the criminal world. And that makes APT reports actually free QA for the attackers. So sometimes you can see lessons learned, right? The APT1 C2 infrastructure was huge. Parts of it, like big parts of it, were registered with the same name, same email address. You might remember UglyGorilla at 163.com.
But the Turla malware used a very sophisticated satellite downlink hijacking through ISPs to inject packets that could be received without actually exposing the location of the destination. And then we had learning in progress. So they're learning, but they're not done yet. So Stuxnet and Duqu and Flame, they all share the same code. All reports clearly show that. And guess what? Duqu 2 is still using large parts of that framework. Now remember we talked about OPSEC. It's a lot of time and money to develop such a thing. So you do try to use whatever you have left. And some things, well, you never know. And attribution is a good case. If you look at Iron Tiger, clearly Chinese. But it was sent to Taiwanese targets with traditional Chinese versus simplified. The attack emails we're talking about, the matters of the straits. Careto, well, everything fits so well. The language, the identities, everything looks perfectly Spanish. In fact, it looks too perfect. Even if you look at geolocation, their attacks were against some activists nobody would care about except for Spain. But in Duqu 2, they were already playing games with the researchers. There are multiple false flags. We know that they put in the UglyGorilla string, which is Chinese. We know that they put in the Romanian anti-hacker, which is Costin's Twitter alias. So they start playing back with us. So you read an APT report. You take the time. You read 60 pages. What do you get? Well, you get a lot of malware analysis. That's the major part of what you get. After that, you get a little bit of IOCs, indicators of compromise. And they will be about the malware. That's actually actionable intelligence. But not all samples go on multiple targets. So you look at the C2 infrastructures. You get the domain names. And that's also actionable. But with the development of OPSEC, these stopped being shared across campaigns. So the long-term value of each of these IOCs is very small.
And at the end, at all, there's very little about the attack vector, how the attack was actually facilitated, how did it all start, and what was the attacker objective? What did they steal? Because you really want to know what they were doing there. It's nice that they hacked this company, but what were they looking for? So I'm a little bit confused at this stage, because we see a little bit of this. We see a little bit of that. There were maybe some false flags. We're trying to make sense of an APT report, perhaps, on research, perhaps, to defend an organization. What is actually going on? Are we getting the correct picture? So what we did so far in the previous slide is try to re-engineer, reverse engineer, what the forensics process essentially reverse engineers, what the attacker does. So how about we re-engineer what they do and actually talk about the attack process, about the engagement of the attackers. In a simplified model, we just simply call it an engagement process. So we start with simple intelligence requirements, IRs, the thing we have the least information about. And it's essentially like going shopping. What am I interested in today? Is it this nuclear deal? Is it this interesting product that is developed somewhere around the world? What would you like to know? Now, let's just take an Iraq example, because it's older now, so people won't be as sensitive to it. Let's say, WMDs. Where are the WMDs? Does he intend to use said WMDs? Who is working on the WMDs? And can we save Matt Damon? Can we get Matt Damon back yet again? Just wondering about that. And then the second part is, let's compile a target list. Where can I actually get this information? So sometimes we're a person who would hold the information I want. So verticals, banking, pharmaceuticals, energy, aerospace, that's interesting enough. Or we can talk about specific targets. We're interested in this target because they hold the information we want.
Then again, we said we won't do many counter examples. But one important counter example that Tillman gave us was the Sofacy group. They're everywhere right now, very high-profile. And they seem to be very opportunistic. They don't seem to be working with any specific IRs. It's like, they find the information, then try to sell it. So not everybody works according to this model. After the intelligence gathering, and I'm gonna pass it over to Inbar in a second, it starts with reconnaissance. And then we have a target report. Essentially, we're trying to figure out what's going on, what can we find out, how can we get in, and then get all this information in an organized fashion. Inbar? So the target report is basically everything you need so you can do your job, okay? And once you have that, you can start acting. And you do that by attack plan and execution. And this is an iterative step. You start by an attack plan. This is how I intend to plan. Let's say I wanna send an email, or I wanna use port scanning or SQL injection. I choose some technique. And for that, I need to choose my tools, right? Sometimes I will use off-the-shelf tools. Obviously, this is a very large shelf, as we've all learned. Sometimes I will customize. Sometimes I will write something particular for this target. Sometimes I'll just take somebody else's malware and make small adaptations, right? When you do that, you get these examples. Let's look at two, Stuxnet and Gauss. Stuxnet, as Gadi mentioned before, was very targeted. The code that was there was meant to deal with PLCs of specific vendors doing specific things. That thing had absolutely no use anywhere on the planet, anywhere else, right? And Gauss, it was a big multifunctional tool, but there's still one mystery that no one managed to solve. On the USB infection mechanism, they found an encrypted payload. The payload is encrypted by an MD5 hash run 10,000 times on certain parameters of the hard drive.
And in fact, till this very day, no one managed to find out those parameters. They don't know which computer was the designated target. Many people tried to enumerate on that. We still don't know. We only know that there is only one computer on this planet that will have the payload decrypt and execute. Or in a Dell SecureWorks report of one of the targets that they analyzed, turns out that the attackers took advantage of a platform that already existed in the target. It was an endpoint management program, and they used that to move laterally throughout the organization. By the way, we saw the same with Target, right? They used accounts installed by another program to open shares, so we see that all the time. And once you're in, you acted on your plan, so the first time you just get into the target. Now you're running code inside the target, but your job is not done. Now you need to move forward. Lateral movement, maybe get to the real place, because you usually use the weakest link to get inside an organization. So now you go back to intelligence gathering, and this time it's a little different because now you're no longer outside of the screen. Everybody's staring at the screen. Stop talking. Who got that to their Facebook? Who didn't watch it all the way? Really? OK. So we're going to save you. That's a minute 40. But when you're inside the target, things look different. No, no, just kidding. We wanted to do that, but copyright in two more minutes of your life. Intelligence gathering is different now because now you're inside the target, and the target has all sorts of defenses. So your OPSEC gets revisited, right? You need to map the target's defenses. What are they using? Do they have an AV? Any peripheral devices? Well, what are they using? Any sandboxing? No, the interesting thing about this is when you think about intelligence operations, you think about your target. What am I going to face? Am I going to face an IDS? Am I going to face something else?
I need the clicker. You talk the clicker thing. OK. There we go. Didn't say please, though. Please? OK. So essentially, originally, you would say, what am I facing? Then, is it a threat to me? So for example, they may have a security control, and you wouldn't care about it because it wouldn't stop you. But then things started to change. You would start saying these antiviruses, for example, may not threaten me, and I can bypass them, but they have an entire home base, the back end, where they can go and later on threaten me. Quiet signatures, whatever it is that is written about right now, they can essentially find me after the threat. So that's a threat. I have to take different antiviruses into the threat now. That changes everything. But it's still not good enough. Look for other players. Think about it. There is another player on the machine, and Regin is a very good example. Kaspersky even called the computer they found it on an APT magnet. So now am I supposed to think about looking at the computer and saying, which other nation state slash criminal organization slash whoever it might be, have some tools installed here already, and I need to collect intelligence on that in retrospect or wait and analyze every system I go to? That sounds like a little bit too much work, but it's something that, depending on your OPSEC, you're going to have to face now. Then the last thing is really, but really try to hide your identity, unless you're some of the Chinese groups and then you don't care. So we have a few examples. Hurricane Panda, you can read the CrowdStrike report about it. There was actually a duel there. They got detected, the incident response team came, they started dueling for a while, and it took a while of this dueling before the actor decided to give up. This is from Symantec's report on Stuxnet. Look at the information.
Back then no one cared about anything, or maybe they were just naive, because nothing had been caught before that, with maybe one or two exceptions. Here you have the compilation times of all the files used inside the target, and then you have the infection time. Now aside from the fact that, as you can later see in Kaspersky reports, the compilation times are used to determine the attribution, this gives you a lot of information. This tells you how long it takes them from the creation of the file to the deployment. That will tell you about their attack operation. Does it take a minute, a day, a month? You can learn a lot from that. So we have other examples. Actually just one thing is, if you look at Duqu 2, you can see they started to randomize that. They started looking at forensic analysis as a threat to their existence, which goes back to the previous slide. So obviously the threat actors evolve, right? We have reuse of previously existing tools or integral tools of the operating system, because you can't sign on those, they're gonna be there. So you don't need to deliver anything, you don't need to worry about deployment encryption. You land there and just use PowerShell or at or ipconfig. And Duqu 2, and we keep reminding that sample because it's very impressive, they had this huge leap forward. It's a revolutionary deployment mechanism. They actually, the lateral movement was done in RAM only. They only used several vantage points, computers that they were sure that they would maintain command of, and everything else was running code in RAM. So if that machine rebooted, then the superior computer could reinfect it from afar. But that changes everything about how you act inside your organization. So another aspect which people usually don't talk about when it comes to APTs or other types of operations is their retreat. We often talk about dismantling, but we don't talk about the folding action, the full deck. And we can see some examples over time.
Costin Raiu spoke about this a few times. For example, Red October, they dismantled the operation after the publication, took them a little bit of time. The Mask, Careto, there was a blog at Kaspersky, and four hours into this blog publication, they were gone. And Kaspersky didn't say anything, they gave their own name, the Mask. And within four hours, their entire infrastructure was gone, as far as I know, we can talk to Costin about that. And Duqu 2, they didn't even wait. They hacked the vendor, they went into Kaspersky to try and figure out what's going to happen. Maybe they had other reasons as well, but it shows an interesting story. Of course there are counter examples, again we don't give many of these, but some of these guys just don't care, like APT12, Gaza Hacker Team. I believe that Rocket Kitten from last year, they're still alive, they don't give a shit for human language. They just don't care. Or they don't know. Or they don't have the operational capability to even know, hey, there is a security conference called CCC, let's go watch if we're being compromised. So with that, we would like to take the methodology we built about how the attacker worked, what we re-engineered about their tactics, and try to look at the defender side. Now because of the limitations we have of information in forensics and the reports, this is a little bit difficult, this is work in progress. Maybe you can help us out. Maybe we can build it to be better, which is the entire idea of this talk. So we're working by problem, takeaways, and action for each one of these issues. So first of all, the intelligence requirements. We do not have enough information about the attacker objectives. If you remember the graph from earlier, that was the least amount of knowledge we had about any attacker, or most attackers. And essentially, the understanding here is they are kind of stalkers.
If in their information requirements, they know they're interested in something you have, they're not gonna give it up. And if they like you, they like you. You know, you might wake up and say, squeezy. Squeezy? Actually, there's one example for that. You can see at this report presented at RSA conferences, RSA conference by Dell. Silver Debt did that at RSA this year from CrowdStrike. Yeah, from source, yeah. I guess I'm too tired, from Dell SecureWorks, there we go. So you can see that there was some battling going around there, and then the attacker lost. And then there was a quiet weekend, but when the weekend was over, they came back with new tools. Why? Because they had an objective. They had things that they needed to bring over. And just the fact that they got detected once does not mean that they're gonna say, okay, forget this guy, let's go somewhere else. There's an interesting issue discovered here which Phil usually writes about, which is they will escalate as needed. Meaning they may use pretty lame lateral movement tools and then escalate as they find a position. Right? So the second takeaway we have is that stealing data is just one of the options. And I believe everybody remembers when this happened, and many readers, they started saying, what? How did this happen? It is huge. Now again, just like APT1, coming from a security background, I said, yeah, this is just another hack. Naturally, from their perspective, this was a major issue. Naturally so, they should take it seriously, and I feel sorry and I would help if I could. But the main point here was there was a risk. And that risk was, what might happen once they have a foothold inside my organization? And everybody is used to thinking mostly about data theft. They kicked the body here. And that is something we need to take into consideration. Essentially, actions. There is a classic tool in security management called risk assessments. Usually it's a useless tool.
It's a huge document, 200, 600, 2000 pages. You write it down for regulation, throw it away at some point, or you just need to tick the box. But risk management is meant to be used, and used correctly. Meaning if you know there is a potential risk of an attacker getting in, and then you know the potential risk is them doing, for example, damage, check your impact. The impact is important to determine that risk. Make risk assessments make sense for your daily operation, as opposed to being some document, some policy that's never used. The second part is, what can we do about the target list? So first of all, our problem is we don't have time sensitive information. We can't really determine a pattern. Now maybe this is available in closed circuits. Maybe not, maybe not always, but our takeaway from this is that we need to be able to get the information, which we'll talk about, but more than that, if you have a similar target to you being compromised, or you're using similar technologies or platforms, take note. Don't wait to be attacked, or for an organization just like yours to be attacked, for you to take note and start doing something about it. So if you guys follow Brian Krebs, you know that right after the Target breach, every other week there was a new piece about this was breached and that was breached and this was breached. And the thing is, the first moment that there was a Target breach and they stole credit card numbers from point of sale devices, everyone who has a point of sale device should have said, oh my God, I could be next. And instead of actually going and making a big, big effort to see if they had already been compromised, everybody was just sitting and hoping that their name doesn't come up the following week. Which brings us to another tool in classic security that's been ignored, and that's essentially the threat assessment. Threat, I mean, depends on how you define it, some definitions go as far as threat equals intent plus capability.
So now we know they have a capability, but we also know about the intent. Not necessarily against you, but we know this has happened. It should change how we operate. This is based on intelligence. We may not have exact intelligence, this guy is trying to get us, but we have intelligence out there now. Somebody is doing this, and more than that, they may be doing it to people similar to us. Now when it comes to the cyber engagement cycle, or so we call it, the cycle of the three repeating steps, we decided that we're gonna change a little bit the format, or we're gonna treat all three steps together, or we're gonna divide it into two stages, the pre-engagement and the engagement itself. Now, pre-engagement is when everything still happens outside of your organization. The problem is twofold. One, publicly available sensitive data. Anywhere from complete employee lists, network sketches, sketches to say who works in your organization, under who, what's the hierarchy. Anything that you can get from the other. People who, you will later be discovering, use security questions whose answers are on their Facebook. Okay, that also happens. And the second problem is lack of security awareness, which in turn allows probing. Now that probing can happen in two ways. The first one is the one we all know. You just use it automatically. You use tools, you scan the network, you look for open ports or default passwords or bad configurations. Everyone does that. You just take a tool set, you do it. But people also do that manually. Making phone calls, right? In my previous job, I worked at Check Point, at least twice I was randomly next to the reception desk while the reception desk was trying to deal with such a decoy call. And on both times they handed it over to me, because I was excited at the opportunity to speak to a scammer. And you start asking them a question and then they hang up, but this actually happens. Next, there we go. One more.
The understanding here is that, and this is basic, right? The attacker can gain a lot of information. They can do the full operation sometimes without ever doing anything active against your operation. You need to know this is possible. You need to control what's going on. You need to limit public information as much as possible. Naturally, you won't be able to do everything. You need to act outside your own perimeter, which is a critical thought to even have in this day and age. As well, and this is very important to Inbar specifically, awareness refreshments. This is a human problem, not a technical problem. Whatever awareness can gain, even if it's not much, should be attempted. It helps. I can tell you from my own experience in the Israeli CERT, human sensors, so-called, people report to us. We are open to them. We're asking them, what's going on? And sometimes, I don't want to say waste of time. That will be rude. Sometimes the call is negative, about nothing. And that's fine. We treat it with all seriousness, because many of the best reports we ever got were from people who were interested, knew to watch for stuff and alerted us. Now, the problem with that is that, let's face it, these are quite obvious. But at the same time, they still don't happen. So the attackers still make the same progress because the basic stuff keeps staying under the radar or unattended to. So we come to the engagement scale, so a stage. Now, the attacker is already inside your network. Not a lot of compromised organizations, or APT reports for that matter, share the lateral movement part. Mostly it's about secrecy or privacy or... They may not even have this information sometimes. Now, let's face it. Everyone is being hacked. Everyone will be hacked. Everyone has been hacked. It's not a shame anymore, okay? It happens to everyone. And if you pretend that it hasn't happened to you, then I'm worried, because you're probably hiding something else as well.
And the takeaway is the engagement is an ongoing process because it's not a hit-and-run thing. They don't always get directly to the computer that was interesting and the data that was interesting. They will stay around in your network for a while and it gives you many opportunities to get in the way. You have more time, you can think, you can plan, you can influence, and the action is indeed influence. You need to put as many obstacles as possible. Layered security, deception, okay? The attacker needs to spend time and effort and resources in your network because the longer they are in your network, the safer you are. It takes them more time to get to the interesting part and it gives you more opportunities to catch them. We may have separated the pre and the post engagement. Sorry about that. Go on. We may have separated the pre and post engagement but it is an ongoing cycle and that's the important thing to understand. They got in, they used the node, they find. The more obstacles you put in place, the more basic security you put in place, the more time you will have to find them and it will be hard for them to continue operating. And don't be shy. Share your breach data. Yes, someone has to be the first but you don't have to tell everything. Tell about the technique. Tell about the things that other defenders and other CISOs or IT security guys can use, and you start sharing, other people start sharing and we're all safer. And the last stage is essentially the fold and retreat. And hey, if you don't wanna share the actual information, a heads up would be nice, just saying. So this is interesting. I never previously had this thought. It's really interesting for me when I think about something that's new for me in security. At least emphasize the security in a different way. Everybody says cyber nowadays. What's different? 
And one of the realizations is yes, attackers have been deleting logs throughout the lifetime of security, but the attacker can destroy forensic evidence. Do we plan for that? A lot of our security today is based on after-the-fact incident response and forensics. That is a major understanding for us right now. It's not just about endless monitoring and endless alerts. That is effectively where many of us get our first alert, post the fact. And if an attacker can destroy the forensic evidence, we need to make sure it's there. Snapshots and logs, both, can potentially save the day. So we built up this idea that backup of log files, for example, and snapshots could be, and I'm going to exaggerate, more important than even active monitoring, the backup of the logs. Naturally it shouldn't be that way but nowadays it just might be. And while we were working on this, we decided to, well, Inbar came up with this word to describe this new backup response plan, everything is abbreviated in security, right? Just saying. So with that, let's try and understand what we just went through because some of this was common sense. Some of this was a little bit new but the idea is to be able to make it repeatable. What can we learn from the APT reports and how can we use them on a daily basis? How can we use them whenever a new APT report comes out to better our security against known threats? So we looked at the left here about the information we have in APT reports and the diminishing levels of it and we look at the engagement process as we simplified it and like it. Now, if you get an APT report, first of all, try to understand, not just read the report and look for the IOCs, how much information do you actually get for each of these? Do you have any attacker objectives in there? You know, when you talk about the targets, usually maybe if you're lucky, you have the verticals, pharmaceuticals, whatever, aerospace. 
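The speakers' point above, that an attacker who can delete logs also destroys the evidence incident response depends on, is usually met by shipping a copy of each log line off the host as it is written. The following is an added illustration, not code from the talk or from the speakers: a minimal hash-chained log archive in which every record commits to the record before it, so that a deleted or altered line in the archived copy breaks the chain, and comparing the archive to the host's live log shows exactly what was wiped. The log lines, host names and addresses are constructed sample data; the record format and function names are this example's own assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample auth-log lines (not from the talk). The last line is the
# kind of entry that never survives on the host itself once the attacker runs it.
SAMPLE_LOG = [
    "Dec 28 20:01:11 host1 sshd[4021]: Accepted publickey for alice from 10.0.0.5 port 51022",
    "Dec 28 20:03:42 host1 sudo: alice : TTY=pts/0 ; COMMAND=/bin/systemctl status nginx",
    "Dec 28 20:17:09 host1 sshd[4102]: Failed password for root from 10.0.0.9 port 40211",
    "Dec 28 20:17:13 host1 sshd[4102]: Accepted password for root from 10.0.0.9 port 40211",
    "Dec 28 20:18:30 host1 sudo: root : TTY=pts/1 ; COMMAND=/usr/bin/shred /var/log/auth.log",
]

GENESIS = "0" * 64  # digest that an empty chain starts from


@dataclass(frozen=True)
class Entry:
    seq: int      # position in the archive, so reordering is detectable
    line: str     # the raw log line as received from the host
    digest: str   # SHA-256 over (previous digest, seq, line)


def link(prev_digest: str, seq: int, line: str) -> str:
    """Compute the chained digest for one record."""
    h = hashlib.sha256()
    h.update(prev_digest.encode())
    h.update(str(seq).encode())
    h.update(b"\n")
    h.update(line.encode())
    return h.hexdigest()


def archive(lines: List[str]) -> List[Entry]:
    """Build the off-host archive: each record commits to all records before it."""
    entries: List[Entry] = []
    prev = GENESIS
    for seq, line in enumerate(lines):
        digest = link(prev, seq, line)
        entries.append(Entry(seq, line, digest))
        prev = digest
    return entries


def tip(entries: List[Entry]) -> str:
    """The latest digest; store this on a separate system so truncation is detectable."""
    return entries[-1].digest if entries else GENESIS


def verify(entries: List[Entry]) -> Tuple[bool, Optional[int]]:
    """Recompute the chain. Returns (ok, index of the first broken record)."""
    prev = GENESIS
    for expected_seq, e in enumerate(entries):
        if e.seq != expected_seq or link(prev, e.seq, e.line) != e.digest:
            return False, expected_seq
        prev = e.digest
    return True, None


def verify_against_tip(entries: List[Entry], expected_tip: str) -> bool:
    """Chain check plus tip check: catches an archive that was cut short at the end,
    which a self-consistent chain alone cannot reveal."""
    ok, _ = verify(entries)
    return ok and tip(entries) == expected_tip


def missing_from_live(entries: List[Entry], live_lines: List[str]) -> List[str]:
    """Lines present in the archive but gone from the host's current log file."""
    live = set(live_lines)
    return [e.line for e in entries if e.line not in live]


if __name__ == "__main__":
    arch = archive(SAMPLE_LOG)
    print("archive intact:", verify(arch))
    # Simulate the attacker having wiped the last two lines on the host.
    for line in missing_from_live(arch, SAMPLE_LOG[:3]):
        print("wiped on host, preserved in archive:", line)
```

The tip digest matters in practice: removing the newest records leaves a chain that still verifies, so the latest digest has to be recorded somewhere the host cannot write to (a separate collector, a printout, a signed timestamp), and verification compares against it. The archive itself only needs to be append-only from the host's point of view; the integrity check lives on the collector side.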
Once you're through that, it's easier for you to go to the re-engineering process and say, let's look at how the attacker works, the engagement process, try to put the data in there and to do what we just did. What are the takeaways specific to this report as far as intelligence gathering goes? What are actions? Actions I can actually take based on this report, based on what knowledge I have, the scope of the knowledge, the relevance of the knowledge from the APT report. And the key part of this really is we need to demand better APT reports, APT reports that are actionable. Now, we have one more problem. We don't actually have a solution for that but we thought it was important enough to note it. It is something that we call the decline of shame. In the beginning, like we said, you didn't really want to be exposed. Attribution was a huge risk for you. And it still is for many actors, especially very particular nation-state actors or, in the case of other nation-state actors, very particular branches or subgroups of those nation-state actors. But with some of the nation-state actors and with some of the criminal groups, you see that they don't care anymore. They get caught. And you know what happens then? Pretty much this. They continue working and operating while... Leave it on for a while, please. Leave it on for a while. Yeah. Some groups have actually been following the blogs of the AV vendors that were tracking them, adapting in real time. There was a case. I don't want to quote too much about it because I didn't have time to research it, where Trend Micro and AlienVault were updating their blog live, if I remember correctly, and the attackers were changing their modus operandi just now. They're not much more than that according to network defenses as opposed to something else. Live, which is really interesting. So we were being optimistic. We said, okay, what do we want to see? Because we said in the beginning, this is not a technical presentation. 
This is a high-level thing and we're presenting sort of a raw thought process that we started... I mean, think about it for a minute. We took the time to study many, many cases of APT reports and to talk to many of our friends just like Tillmann and many others we'll give credit to in a minute and to look at our own research and forensic information. All this data, all this time on IDA that I didn't do, and just to come up with a high-level presentation. Just think of that concept for a minute. We're thinking, once again, not about the fellow malware researchers but the people that actually have to defend certain organizations. And it's not all corporates with their own IT security teams that are all very skilled and very qualified. Sometimes it's an organization that has an 11-people IT team and then two of them wake up one morning and they are told, you do security now. This is reality. I've talked to more than one customer that has that happening to them. So we would like to see better and more actionable APT reports. We need, and when I say we, it's not just Gadi and myself, it's the community. It's the poor people that need to protect organizations with the knowledge that they are being attacked all the time. We're not saying that all APT reports suck. Some of them are very, very good. We're just saying nowadays most of them are just for PR and that is hurting us. It's helping the attackers. It's the attackers' QA. We would like to see better reports for us, from more vendors. They need to be more actionable. If I am a CISO of an organization, there should be something that I can use, and I want to be at a better place after taking the time to read one of those reports. And we need earlier breach reports. Like Gadi said before, give us a heads up. It's important to understand that maybe there's a new trend going on. 
Maybe if we had the heads up on Target, and everybody else were after listening to this talk, then all the other point of sale vendors would say, you know what, maybe we should look into our setup. Because even until today, after so many compromises, there are still so many point of sale terminals connected to the internet with default credentials. It's been written in so many places. I was really worried about, well, weary, about the next item on the list. Because I have this thing where I identify, it's not fair given, but I identify people who are new to the security business by them saying information sharing, collaboration. And somebody says, oh, we need to do more information sharing. I say, oh geez, not again. But honestly, actionable information sharing and public information sharing. Information sharing is happening. Some of it is actionable. Much of the public information sharing, which isn't much, isn't actionable. We need to understand that even the heads up we talked about could be critical, really critical. And understanding how this can help us as a common ground. And lastly, and kudos to Dave Marcus if he is watching us, enough with the attribution stuff. Yes, we care about attribution. Yes, it helps us. Yes, we can think about the business as opposed to think about who is actually looking at us. Targets, I understand that. But then, what does it actually give us? How much is the attribution work that people spend so much time on just to justify the lizard part of the brain so we feel better about it, better than the other information we could have had to actually protect our organizations? I'm not really sure. But it annoys me in a way. Enough with attribution, or at least enough with the attribution that makes no sense. Attribution is about more than just IP addresses and we've given a few examples during the talk. I mean, yes, if the compilation times, they never work on a Shabbat. It's maybe Israel, I don't know. 
But then again, nowadays, we've seen a lot of false flags starting to be put in there. It's not easy. There's political information to consider, but we never really know. But whenever we talk about APTs, people go out and say IOCs on the one hand because it's available. And on the other hand, who did it? Whodunit? Tell me. Okay, I'm willing to give it the chance to say, fine, but it's not the most important thing. And if you do it, do it right. So final words, APT reports can be a huge help, but some change has to happen. The problem with the change is that it contradicts certain economic interests of the people that create those APT reports. But we believe that if they start producing more value then that influences the amount of customers. We will be evolving as well as the attackers. Right now, APT reports are so-called bad, which is arguable, because they're the only ones really evolving. If they were made the right way, we're not saying our way is the right way necessarily, but if they were made in a way that would help us more, they could be a huge help. And remember, attackers are not going anywhere. We're not gonna have any less business because of better APT reports. And something that we call, stay on the attacker's six, they need to be worried all the time. They need to be looking behind the shoulder to see if there's anyone on their six. This is pilot jargon. Think what this evolution means. Gauss, for example, as opposed to Flame. If they have to spend so much time on one target, their cost grows exponentially. If we can do that with APT reports, hey, I like this evolution. It's not necessarily bad that they have to get better. And the last thing, increase the cost of the attacker. Anything you can do to increase the cost of the attacker, do it, whether by installing products, using services, improving the people or the awareness of the people that work for you. You want to make it harder for the attacker. It gives you more time. 
It's probably not gonna deter them, okay? Let's face it, they're gonna come anyway. They're doing their job just like you're doing yours. There is an asymmetry, and as we said, we are not, the attackers are more powerful than we are. We have to admit that right now. We're trying to change that. But more than that, they're not gonna give up the IRs. They're gonna keep going. That said, we can start making it better for us. Create more symmetry. So this is important, so let's go through this. Yes, we did a lot of research. Yes, we looked at a lot of code. Yes, we looked at a lot of reports. Yes, we have a lot of information that is not public. But trying to construct it in a way that will, number one, not be boring, while trying to create this sort of methodology out of it, while trying not to be too technical, while still giving examples that build the methodology of the attackers based on what we know about them wasn't easy, and we stand on the shoulders of giants. People in the community, industry, blogs, reports, a lot of people we wouldn't be here without, and they deserve their credit. Special thanks and references we took from: Tillmann right here, Ned Moran, Phil Burdette, Costin Raiu, H.D. Moore, Peter Kruse, Chris McConkey, Kevin Mandia, and the Grok. And especially to Nitsan Sedan, who did a lot and provided a lot of significant research support for this presentation, so thank you. And with that, I would like to, before we ask the questions, most APT reports, not all of them, suck. This hurts us. They become better. We can be better than they are. We can use this to keep them on their six, like we have seen with them evolving to a place where they can do less. They can scale less. And that is what we would like to see. Thank you, and we would love to have questions. So thank you, Inbar and Gadi. We have a question from the watchers on the internet. 
Hi, so the question is what is the state of APT response across industries and which industry do you think is most vulnerable now? This is C, so I'll just say, oh, shit. Okay, I'll try to respond. I think APT response, there are a few organizations out there that are extremely good at this because they have decent security. They have incident response. They have controls in place. They have monitoring in place. They are good at security, which is why they're good at APT response. That said, a lot of the APT response, a lot of the incident response is now outsourced. So they bring companies in to do it for them. And that is why I believe that saving the logs, as I said, as a backup is more important. And essentially the incident response is becoming a way, again, I'm gonna get flak for this, of monitoring. So I'd say some people have really good stuff going on. Most people don't. And those and others bringing the outside help. Another problem with the outsourced security or incident response is that there is a huge difference or there can be a huge change in your ability to do proper response based on what your network looked like before. So if you only call the guys when your house is already on fire, there's not a lot they can do. But if you brought them in before and they help you treat the house, then you're much better off. Another aspect that's interesting, although small, is that forensics and incident response used to be about keeping logs, chain of evidence, all of that stuff. People still do that. But honestly, today with APTs, it's not as important. It's more about finding the actor as fast as possible, a week, two weeks, three weeks, and then moving on to remediation, which will take forever and cost a lot of money. And then it's essentially, in many cases, about installing some agent on all computers and then trying to identify what's going on. So it's not as much about what forensics used to be when you learned the forensics course anymore. 
But I am not an expert on this as much, and you should ask this question again from other people as well. Thank you. Okay, and microphone two, please. Yes. First, I'm not really sure this is the correct audience for your talk, because at least I'd suspect that most people here, when they build a network and when they, they're already trying to make it as secure as they can, even without considering a special attacker or a special type of attacker or considering what information an attacker might try to get, because they'd probably try to make the system as secure as possible as is. And if they do not take a certain choice to use a certain type of security mechanism, it's probably just because their use case simply does not allow it. And even if they had been hacked, they couldn't change that. For example, I work in the public sector and with us the problem is mostly just you have to, you don't have the people to fix stuff. I work at a university and basically the situation is that every professor and every institute and every whatnot has its own IT team. And usually the IT team is just the secretary that was put on the list that is saved at the NOC where they know which subnet is attributed to which institute, but usually they don't have an IT team at all. So basically what you see is that an institute of, let's say, 20 or 30 computers runs Windows XP in the year 2015. Most of them not even patched with the patches that are there for Windows XP. And I know that this is not just a single case at my university, but I know that there's plenty of other universities and other stuff where it looks just like this, and usually the problem there is they don't even have an IT. So the actual problem is that first you'd probably need to get the, what you'd call the management level above the lacking IT to actually hire people at all, to have an IT team at all. Yeah, well, that was my line. That was my line. So what's the actual question? So let me answer that. 
First of all, you're correct. And obviously you care about that and you shoot. So two answers. First of all, you talked about the audience. CCC is a huge stage and a lot of people are gonna be watching that, not just the people in the crowd, but people who watched it streamed and people who are gonna watch that later. That's one thing. Second thing is that we're trying to start something here. We could fail. We failed before in certain things, but if we can start changing something then in the long term, we will make a difference. And what you're saying is true. It's easy though to pick that one example where nothing that I've said will help. That does not make what we've said not good because progress takes time. And maybe with time, some of that progress gets into default setups. And when you say that most people here have a secure setup, well, guess what? It's the same opposite that I mentioned before. Sometimes you have time constraints. Sometimes I work at a startup company. You know you rush. Sometimes you get to things later than before. You have a project to make. You have deadlines. You rush. Sometimes you do things later than after. It does not mean you don't know it. But at the end of the day, the reality that the attacker sees is what matters. So maybe not everyone in here was the right audience. By the way, we didn't choose the audience, right? It's not that I have anything against you guys. Thank you. I knew you were coming, though. Yeah, say, say. The thing is, CCC is where the trenches are. CCC is where people who do stuff are. CCC is where the ideas get born. CCC is where people go back to their organizations from where the technology is and grow. This is exactly the right place in my view to do this type of talk. You're asking for a different type of talk. You're asking for how can I do hunting on my own when I don't have a lot of resources? 
And in our talk, we only gave this a little bit of reference in risk assessment, and essentially risk assessment connects to how much resources do you have, what you can have, but that's a different talk, how to do that. So I'm sorry we didn't give much attention to that. I'd also have a second question. You asked that people should release information about breaches earlier. Doesn't that contradict your example where you said that you had cases where the attackers were changing their attack schemes live while, for example, when Michael was... That's a very, very, very good question. Thank you for bringing that up. It's always about timing. Again, we couldn't bring everything into the talk. That's a comment a friend of ours gave us. If you're still engaging in IR, maybe you can give a heads up to somebody, maybe in closed circles, maybe in open circles. You don't need to give away the home world. Definitely, it's always about timing, about the right time around the place. We would like, whenever it's possible, to release the information and not necessarily all of it. But you're absolutely right. Okay, thank you. Okay, and we are out of time, but I want to hear the last question from our viewer because these people are not here and they can't be asking you after your talk. Very nice, thanks. So, when you say APT reports suck, do you just mean the publicly released ones or also the ones from security firms to their customers? So, obviously, we talk about the public ones because a lot of work is being done by a lot of vendors, but not everyone is a customer of all the vendors. Usually, you're only a customer of one vendor and some vendors have more luck with APT. Depends on their coverage, and some don't. And at the end of the day, this problem is about everyone. So, we don't want to improve it just for people using a certain vendor. We want to improve it for everyone, and yeah. Kumbaya. Thank you very much. Thank you. Thank you.