Okay, maybe a little lower. Maybe not a little lower. Okay, I think we're good. So good morning, everyone. My name is Joe, Joe Slowik. I currently run CTI and a few other things for a company called Huntress. They might not really like some of the stuff I'm talking about today, so we'll just kind of leave it at that. I've been lots of other places too, but this is the first time I've ever spoken on a main stage at DEF CON. I was really excited about this because I never thought I would, because I am not the hacker type; I am more of the defender type. But I think this talk on burrowing through the network, and really contextualizing something called the Vulkan leaks or Vulkan papers, is something that's not just really valuable for my community, blue teamers and so forth, but also provides really good insight into how high-level, advanced-stage cyber operations work for our real high-end state-sponsored entities, or adversaries, depending upon your perspective. So with that, our agenda today: we're going to talk about what the fuck the Vulkan files are, because I showed up here and I don't even know what these things are. So we'll level-set on that, then get into how Vulkan relates to the ecosystem of Russian cyber operations, and then orient what Vulkan looks like within the context of greater cyber history, because I think, as a relatively young discipline, we still do a real shit job of understanding what has come before and how it all links together and evolves over time. With that in mind, we'll then talk about what the future looks like for cyber operations, offensive espionage and other things, and close out with some conclusions, and hopefully I'm not over time at that point, because they will throw me off the stage if I am. So the Vulkan files. What are the Vulkan files?
So the Vulkan files are a cache of documents that were disclosed primarily to two German journalists, Hakan Tanriverdi and Hannes Munzinger, who were both formerly at the Süddeutsche Zeitung. They're now working for the German state broadcaster, and for this effort they worked with Der Spiegel. Hundreds and hundreds of pages of project documentation, contracting documents and similar for a bunch of cyber operation tools and effects payloads sponsored by various Russian agencies. Really cool stuff. It was a pleasure to help out Hakan and Hannes on this work, but there was also coverage in English in the Washington Post; Ellen Nakashima and others published on this as well for American audiences. And you had cyber firms like Mandiant, now part of Google Cloud, part of something or other, Alphabet, whatever that chain looks like, who did a deep dive on this as well, with some really good contextualization from the "so what" cyber defense perspective on these things. So that was all pretty cool. We'll get back to "well, why am I not hearing about this until today?", which I'm guessing applies to a non-trivial number of folks in the room. But in looking at what the Vulkan leaks are, they involve a company called NTC Vulkan, in Russia. The leaks themselves, as I've already said, are hundreds and hundreds of pages of materials, primary source documents that I think for historians will be quite interesting as we write the story of what cyber looked like in the 2010s and 2020s. And then there's the significance of these things. So in looking at NTC Vulkan, this is a computer technology firm that is owned and operated by Russian military veterans with the approval or authorization to perform classified or sensitive work for Russian state organizations.
Not all that different from many of the veteran-owned businesses you'll see scattered up and down the highway between, say, Northern Virginia and Southern Maryland, where you have contractors coming out of .gov space and .mil space and starting up their own .coms for twice the salaries and so forth. The leaks themselves came from an unknown entity. There is some discussion that this was an entity who was upset and disgusted with his country's policies toward Ukraine, and that this was an act of protest over some of the capabilities they were responsible for or linked to in development. But obviously, for their safety, they have not been revealed. Lord knows where they are right now; hopefully somewhere far away from Russia at this point in time. But they provided this documentation to the journalists I mentioned earlier, who then went through a consortium, Paper Trail Media, in order to disseminate this to a variety of other news organizations: The Guardian, I can't remember if it was Le Monde or Le Figaro, but anyway, French publications, the Washington Post, et cetera, to try to get this far and wide. And then the significance of these: we don't see this kind of shit very often. We see it a lot when it comes to, say, the US space, and I'll get to that a little later on, with some leaks that have come about from Western sources. But other than things like, if you are familiar with the Intrusion Truth Twitter account and some of the work they've done in publicizing Chinese-nexus operations, seeing this sort of leak or disclosure from an insider doesn't happen terribly often, and we haven't seen a whole lot of this coming from the Russian space. And so really getting this view into the nuts and bolts of cyber network, or computer network, operations is pretty cool and pretty interesting shit. So here's Vulkan.
I don't know if they're still in this building or not, but that's the Google Street View of the address that was up to date as of 2021. So, hi guys. I'm going to call them assholes, because we're all kind of in this together, and who among us has not provided, you know, controversial tools to government agencies as part of our employment? Don't answer that question, I suppose. Again, the Vulkan files cover lots of stuff, but there are three primary programs of interest, one of which we'll focus on today. The one we'll focus on and spend the most time on is Scan, or Scan-V, which is a scanning suite, but it's a lot more than that; we'll get into the significance of that shortly. There's an information operations platform called Amezit, which, while we're not going to spend too much time on it, is very interesting from a forward-deployed information operations capability perspective. And then there was another tool called Crystal-2V, which we're not going to talk about much at all, because I frankly don't find it all that interesting other than that it exists. That looks to be a sort of testing or penetration testing platform for industrial control environments and similar, but doesn't appear to be as concerning as some of the malware we've seen coming out of Russia like Triton, Industroyer and similar. But to get back to Scan-V, what we're talking about here is a really interesting program combining multiple networks to set up a scanning, enumeration, exploitation and data collection platform that goes across several different information domains.
So I don't have a pointer or anything here, but if you look at this, we go from the external internet, where systems are set up with a bunch of publicly available and non-publicly available exploits and/or knowledge of vulnerabilities and exploit payloads for those vulnerabilities, being able to deploy those to victim nodes as well as extract information and task exploited nodes, to then move into a processing environment. If you can make it out, it's a little small, but you see on the right, with that red network and the green network in the corner, CD and CD. So we're talking true sneakernet operations, moving data into classified processing platforms for further analysis and evaluation. This is cool shit. This is how the sausage gets made when it comes to state-sponsored cyber operations. You'll notice I'm not saying "nation-state," because if you say "nation-state," it hits you in the head with a sock with a bar of soap in it. But anyway, the idea here is that Scan-V by design is a distributed, multi-component system with various information boundaries: the public internet; a private internal network that has internet connectivity; and then out-of-band networks, not air gaps, because we are sneakernetting shit over to classified processing mechanisms. It's designed for automated tasking and action within preprogrammed capabilities. So we're talking about basically standing up a platform to do exploitation and subversion at scale. The purpose of this: there's not an explicit purpose document that I was able to find, at least in the Vulkan documents, which, by the way, you can download if you want to look at them and read Russian; it's linked at the end of this presentation. But it really looks to combine external scanning functionality with a catalog of vulnerable software and exploits.
So, like, go after all of the FortiOS like everyone else in the world, or here's your six Citrix devices, and pop those, and we'll talk about how this links to other Russian operations in a little bit. But the main idea here is automating or increasing the efficiency of cyber operations, as well as infrastructure harvesting: not just identifying endpoints that are valuable in themselves as sources of information or targets of disruption, but setting up the sort of network intermediaries that could be used to tunnel and launder network traffic so it doesn't look as malicious. It's coming from Susie's home router at their ISP and not directly from GRU headquarters on the outskirts of Moscow. Amezit is another program that, again, we're not going to spend too much time on here, because we only have 45 minutes and, you know, we have many miles to go before we sleep and such. But it is interesting in that it provides a platform that, by physically connecting to mobile and information networks, so installing hardware in the switching center, or at the BSC or BTS if we're talking cellular networks, provides the ability to not just read traffic, and you can see in the panel on the left that we have Twitter, VKontakte, LiveJournal I think is up there, I guess that's still popular in Russia, who the hell knows, various posting and social media platforms, not just from a collection perspective, but also providing the capability of injecting into and modifying those communication streams. That's pretty interesting, because it moves beyond espionage to being able to do things like modify or send tweets impersonating individuals to influence conversations and do other info ops activities. So in looking at this, we have Amezit as an information operations and collections platform. There's also some ICS/OT shit related to that as well.
Dragos did a deep dive into that if you're curious; we're not going to get too much into that here today. It's interesting because it's capable of capturing and processing communication streams, not just for collection, but for that manipulation piece as well. And that has potential applications, because this is a mobile sort of system. So it's not just about deploying this in Dagestan or Chechnya or something like that for internal communication monitoring, but you could imagine, although there's been no evidence of this to date that we are aware of, taking this into occupied areas of Ukraine or similar in order to establish some degree of population influence or control through capturing and manipulating social media streams. So, scary stuff, people really getting their tentacles into these sorts of areas. So that's all cool and scary and cyber and whatnot. But the response to the Vulkan leaks was really kind of meh, and that was really unfortunate, because I thought this was some cool shit. But after the week that all this came out, it seemed like no one really cared, and I don't really know why that is. Certainly there's a lot going on in the world right now. You've seen the meme of aliens landing on Earth and the dude in the corner smoking is like, "Dude, I got a lot going on right now. I can't do this." So, you know, what else has been going on? Well, we've got this asshole getting indicted. So, you know, stuff like that. We've got Taylor Swift taking over the world, so other things to attract our attention. And yeah, we've got UFOs out there. So maybe people were just busy. I don't know. But that's one of the reasons why I thought this would be a useful presentation to a wider audience, covering not just what was reported in the news, but also connecting Vulkan to the history of cyber operations, which we'll get into momentarily.
So diving into the Vulkan leaks: they represent a significant event in the history of cyber operations. Now we just need to review what the hell is inside these things after that short overview. So in looking at the Vulkan leaks, we have NTC Vulkan as an entity, and then these programs: Scan-V, Amezit, Crystal-2V, and also MiniDuke, which Google's TAG associated with Russian operations and linked, based upon the Vulkan leaks, to NTC Vulkan as well. So four software programs, one not explicitly documented in the leaks themselves, that link to this one organization. But more importantly, these items also link directly to various elements of Russian cyber operations. Scan-V is associated quite directly with Russian military intelligence, GRU Unit 74455, also known as Sandworm, which is a pretty gnarly actor that does lots of asshole-ish shit all across the world, and especially in Ukraine these days. Amezit, as an information operations platform, was linked to the Radio Research Institute in Russia, which is also associated with the Russian Federal Security Service, or FSB: internal intelligence and security services, but certainly with an external mission as well. And then MiniDuke was linked back to SVR operations, our APT29, and whatever mess that is these days between Nobelium and a bunch of other stupid names thrown at the problem. But we're seeing NTC Vulkan working with each leg of the Russian CNO tripod, which is kind of interesting, because for various reasons, especially between the civilian intelligence agencies like SVR and FSB and then the GRU, if you've looked at something like Mark Galeotti's "Putin's Hydra," a lot of these organizations don't get along very well and are actually quite competitive with each other. Yet NTC Vulkan is doing work for all three roughly simultaneously, which is kind of interesting.
It's not completely unique, but it is sort of rare to see that sort of spread across multiple facets of cyber operations, instead of having just one or two dedicated customers. So with that, we see that Russian cyber operations have a variety of links to the private sector. One example that I actually presented at Virus Bulletin last year is TsNIIKhM, a research institute associated with Russia's Ministry of Defense, and an entity referred to as Xenotime, which we're not quite sure where it aligns within Russian cyber operations. It seems GRU-ish, but not necessarily so, and there are some nuanced reasons for that that we can't get into today for timing reasons. But we've also seen organizations like the SVA Institute, another research organization with ties to the SVR, or 0DT, yet another public-private research organization tied to the FSB's Fronton botnet that was used in disruptive operations; the Kvant Institute, another public-private research organization linked to the FSB in supporting and enabling operations and sanctioned by the US Department of the Treasury; and also Incontroller and Pipedream. Wait a minute, no one linked Incontroller and Pipedream to Russia, right? We talked about that here, I think in Track 4 last year; a former colleague of mine, Jimmy Wylie, did a deep dive into Pipedream and Incontroller, which was quite fascinating. But if you look around enough, you'll see that there are folks that have tied Incontroller or Pipedream, depending on which vendor's naming schema you're going with, to an organization called Advanced System Technologies, a contracting entity in Russia. So again, we're seeing this nexus of private sector organizations developing and deploying tooling, such as Drovorub, also associated with AST, which was the subject of a fairly lengthy malware analysis report released by the United States during COVID, and again kind of floated off the radar a little bit.
But the idea of this privatization of cyber warfare, I said it, I'm sorry, but the idea is that we're maximizing capabilities by extending beyond the silos of government organizations to take advantage of public-private relationships and research institutions, as well as outright commercial entities, to support state-directed efforts. So in looking at this, NTC Vulkan is both an example and, in a way, a pioneer of increasingly outsourced cyber development and engineering for state-directed operations. However, it's important to note this is not just Russia; this is not just happening there, by any stretch of the imagination, and there are probably some people at that other event up the Strip earlier today that had booths that are just as involved in this space as well. So let's go into Scan-V and Sandworm, because that's the most interesting item from my perspective, especially because I'm an infrastructure analyst at heart when it comes to what I do in the security space. So Sandworm historically leverages compromised legitimate infrastructure. They don't spin up their own Hetzner or HostSailor or AWS node. They'll go out and compromise someone else's server and tunnel traffic through there as an OPSEC mechanism and to try to break the trail going back to them and their organization. And there are multiple examples of this, going all the way back to Industroyer from the 2016 Ukraine event, where they used what appeared to be compromised Tor exit nodes as the last-step command and control infrastructure before accessing the Ukrainian infrastructure where Industroyer was deployed. But also more recent items like VPNFilter and Cyclops Blink; we'll get back to those in a minute. But the important thing is that what Scan-V represents is a way of getting this sort of burnable, deniable infrastructure, and doing it and tasking it at scale in a semi-automated fashion.
So being able to hack the planet in a way that allows an operator to enter some criteria and then step off keyboard. So when looking at this, we can operationalize this idea by stockpiling vulnerabilities, and as anyone here who does any sort of red teaming knows, it doesn't have to be a damn zero-day. People don't patch for years, especially when it comes to infrastructure crap. But coming up with a list of publicly known plus one-day vulnerabilities, and then sprinkling in a couple of zero-days if you really have to, I suppose, and you have a quiver of arrows to launch at a variety of targets in order to get points of presence in a variety of networks. Then I just need to identify vulnerable nodes, and what's interesting is that Scan-V does have a Shodan plugin. So, yay, a little unfortunate, but you can't avoid these sorts of things, I imagine. But it also does its own scanning and evaluation and so forth, looking for these vulnerabilities, and then, through exploitation, marshals victims into proxy chains for operations, so that I can go from GRU HQ, where my operators are doing operations, to some SOHO MikroTik or whatever that's out there in the wild, to my ultimate victim, probably having multiple steps in the middle there, so that all my NetFlow analysis that scares the shit out of Ron Wyden and other folks really kind of goes down the toilet, because I'm doing chained communication across multiple items along the way. And so what I get is this: not just some creepy old man staring into the palantir, or whatever the hell this orb is, but really, check out my ORB, operational relay boxes. People who say "command and control nodes" and call them ORBs, you can probably guess either they worked somewhere previously or they're LARPing as someone that worked somewhere previously. The idea being that you get burnable, reusable infrastructure that's not directly linked to yourself in order to execute
operations, to avoid tracing back, and to also allow you to burn that infrastructure without losing something more valuable in the process. So what's the "so what" behind these sorts of items? Like, okay, it's cool hacking programs that got leaked, big fucking deal, dude. Well, there's this focus on scalability and control of widespread operations. If you want to be an intelligence agency in the 21st century, at this point there's a lot of shit out there to go after, and doing this on a very human-scale basis just doesn't scale all that effectively, unless you can throw thousands of bodies at it, which is what some people assume China is doing, which seems almost borderline racist in a certain sort of way. But the idea is that you either need lots and lots of operators, or you need to figure out a way to do this in an automated fashion. So getting that greater efficiency and extent of cyber activity, as enabled by a platform such as Scan-V, gets you to the point where I can do more with less. This is the whole impetus behind detection-as-code and DevSecOps and whatnot: just like we in the defender space are trying to do more with less, because, I don't know, we do have the people, but many of them have unfortunately been laid off over the last eight months, which really fucking sucks. But even still, anyone worth their salt in this space knows that we can't just continually throw bodies at security problems and expect good things. Well, it kind of works on the offensive side too: you have more and more stuff floating into information space, and so we're really talking about moving beyond one-operator, one-op campaigns to massive distributed operations enabled by this platform of gathering information, collecting infrastructure for use, and then doing a combination of unclassified and classified network processing and tasking of what has been compromised. All right, that's cool, but is this unique? What does Vulkan
look like in cyber history? Well, is Vulkan activity unique? I've already given you this answer: fuck no, it's not unique. This sort of shit's been around for a bit. So what did it look like previously? Have we seen similar examples? Yes, we have. We've seen similar examples in Russia, we've seen similar examples in China, and maybe we've seen similar examples in the US; I don't know, we'll get to that in a minute. But really, we can just choose our hacker, and by the way, if anyone in the audience knows or is responsible for creating this image, please let me know, because I've wanted to make stickers or shirts of this for years and I can't find the original source for it. So hit me up, because I want to make sure that you get recognition out of that, because I think that picture is freaking awesome. Anyway, as we're choosing our hackers here and figuring out who's been doing this sort of rationalization of cyber operations, we have to look at Russia and cyber manipulation, and where the lines are with Russian cyber operations history. So we have two facets here, looking at Scan-V and Amezit: building compromised networks, and monitoring and manipulating information. For those overall mission profiles, we've seen previous examples of this. We've seen VPNFilter and Cyclops Blink from an infrastructure perspective, and SORM, the system for domestic monitoring within the Russian Federation, when it comes to information collection and operations. So looking at this, VPNFilter and Cyclops Blink are two somewhat related capabilities that were network-device-targeting capabilities: find a bunch of vulnerable MikroTiks, knock them over, and rope them into network collections of nodes that can be tasked for various purposes. In the case of VPNFilter, it looked like this was being built into a large distributed denial of service network, likely to target Ukrainian entities, although it was disrupted by US
authorities, in conjunction with the private sector and some others, before it could be used. But these could also be used to proxy traffic, and that appears to be the case for Cyclops Blink when it was deployed as a similar capability of, again, targeting network devices in order to take advantage of unpatched or vulnerable systems to proxy traffic for follow-on operations. But there's also evidence that there were further capabilities, at least in review if not in outright use, such as a Modbus protocol capability associated with VPNFilter. It was only able to collect Modbus, an OT-based traffic protocol for those unfamiliar, but if you're gathering that information, presumably you're doing so for a reason that could lead to follow-on exploitation, manipulation, man-in-the-middle stuff or similar. So as a result, Scan-V represents a mechanism to automate, control and manage these sorts of capabilities that Russian organizations, principally Sandworm, have already deployed, but gaining that scalability and efficiency to make these operations more realistic, and essentially more efficient and cheaper to run at scale. But from an information operations perspective, we've also seen this with respect to SORM, which is related to a Russian law that allows for, well, requires, that the Russian security services bolt hardware into telco providers and similar in order to gather up traffic and perform surveillance at scale. So this has been around for over 10 years at this point and has been documented by a variety of organizations, whether we're talking about the commercial press or things like the European Council of Human Rights and so forth. But the thing is that SORM requires putting hardware into the telco provider's network and then stepping away, whereas SORM gives way to something like Amezit, which is the ability to forward-deploy that and allow information influence operations to move beyond just the network backbone that's already under direct physical and legal control by the authorities in
question, to begin deploying that in, say, the occupied areas of Ukraine or similar regions, to extend that visibility and capability into areas where it would otherwise take significantly more effort to try to rebuild and re-architect the backbone behind the communication networks and such. Instead I can take a suitcase, plug it into the base station controller of a given area, and boom, I start collecting and man-in-the-middling information, especially across social media platforms. So okay, we picked on Russia a lot. All right, poor Russia, right? Actually, no, fuck them. But okay, what about China? You know, China's out there too, right? Aren't they really active in this space? Well, they certainly are, and one of the ways I think a lot of folks are familiar with is the Great Firewall of China, one of several reasons why, as much as I would love to go to China someday, I know it's not going to happen anytime soon, and why VPN services are such a hot commodity for people in the Chinese ecosystem trying to evade Great Firewall traffic control and traffic interception. Less heralded, but honestly more interesting in my opinion, there was a capability disclosed by the folks at Citizen Lab at the Munk School in Toronto about China's Great Cannon. This was a capability that almost took the same infrastructure behind the firewall, deep packet inspection and traffic moderation, and added on the ability to inject into traffic streams to deliver exploitation payloads to targets of interest based upon the traffic recorded. Certainly things like SSL are your friend in these sorts of cases, unless that is also being proxied as part of the firewall operations. But the idea here is providing an effective means to exploit individual users at scale, based upon selectors identified in traffic, to get endpoints on, or, you know, compromised endpoints for, dissidents, political opposition, commercial
organizations, or whatever that might be opposed to the regime, or present a risk of some sort, and there's a desired need to monitor. So we're looking at this: the Great Cannon came out in 2015. That's almost 10 freaking years ago. Where was technology 10 years ago? This is a lot different now. If nothing else, we're on generation what for iPhones, right? But the idea is that shit's changed, and as a result, presumably, and we've seen this, the PRC is continuing to invest, and invest quite heavily, in CNO capabilities and other cyber operations. And we've seen this reflected in widespread intrusion operations like the ProxyShell and ProxyLogon exploitation campaigns going back to last year, something that Orange Tsai eventually presented at Black Hat, I believe, as well as DEF CON, but that was weaponized by Chinese threat actors for quite some time due to mysterious items around the disclosure of those vulnerabilities to Microsoft. But also more recent campaigns targeting Barracuda email security gateways and other infrastructure; China is going just wild on popping infrastructure right now. And we can see hints of the automation aspect when it comes to something like the Great Cannon. So looking at the combination of Great Firewall and Great Cannon functionality starts giving us glimpses of similar ambitions and similar programs to what we see in the Russian space, with the main question being the scalability and management of these capabilities and how they would link to more widespread intrusion campaigns. Could China build their own Scan-V, essentially? My answer is, like, yeah, they're pretty fucking smart. Of course they could build it if they want to, and now that this information is out there, they're probably incentivized to do so at some point in the future. But wait, there's more. Hey, remember the Snowden leaks? That wasn't too long ago, right? That was only like 15 years, 10 years ago. Yeah, 10 years ago, like a month ago. So note, and obligatory
cover-my-ass statement here, that the following slides are based on public commentary and posting, and I neither confirm nor deny the accuracy or veracity of the items discussed. These are all theoretical things that people have posted about who have analyzed the Snowden files or Snowden leaks directly. Anyway, that out of the way, the leaks and their implications: we had a popular conception that mostly revolved around the PRISM program, which was a questionable program for domestic surveillance and so forth, targeting a variety of communication platforms and social media. That was certainly important and arguably very, very bad, but that wasn't the only thing leaked, which is why there are questions about Mr. Snowden's motivations based upon the other things that were cast out into the world as well. Because there were additional programs disclosed, including by Snowden and potentially others, because we've seen things like Shadow Brokers and other entities come along over time, disclosing significant information on computer network operation capabilities, such as widespread automated exploitation and control frameworks that were being used by NSA and Five Eyes partners, according to reporting, prior to those leaks coming into the wild. So we can talk about a "quantum" of exploitation. Looking at Fox-IT and other organizations, there was an item in the Snowden leaks concerning a program called QUANTUM, which essentially provided a man-on-the-side capability of monitoring traffic through various observation points and then, when traffic of interest is identified, injecting into that traffic stream and trying to achieve exploitation based upon selectors. Sounding a little different, because there's that man-in-the-middle portion of events, but from the automated exploitation and control perspective, this is looking a little bit like Scan-V in certain aspects. And there were fun diagrams noting how the internet or
whatever was basically targeted or whatever in such a way to allow for identification of traffic of interest that would then result in not just exploitation but then marshaling those exploited end nodes into intelligence-agency-controlled apparatus. So, fun stuff there. The main thing with this sort of automated exploitation at scale is that they represent automated exploit systems similar to what we're seeing with Scan-V disclosed publicly, and certainly you started seeing articles in Wired and the Fox-IT article and some hacker forum posts, and like how you can do this on your own, you know, started popping up about 2012, 2013 or whatever, not that long after, or 2013, 2014, not that long after the leaks. But what's interesting is that what was Five Eyes alleged state of the art almost 15 years ago at this point, given the likely origin of when the documents actually emerged that Mr. Snowden then decided to yeet out to the world, we see artifacts of this now reflected in Russian and Chinese operations. So the point is, is that if true, these Snowden leaks were arguably a disaster for the United States related to CNO and SIGINT capabilities, by disclosing methodology. Like, as an intelligence agency, that's very, very fucking bad. However, it also appears that multiple other parties were paying attention and taking notes on how to build similar or potentially even more ambitious programs based on these disclosures, whether we're talking Snowden, Vulcan or anything in between like Vault 7 or Shadow Brokers, and we've seen this with Shadow Brokers eventually leading to WannaCry. This shit doesn't happen in a void. Just because some researcher or journalist or whatever pushes this out there doesn't mean, like, oh, capabilities are burned, move on. Like, nope, folks are taking notes and learning from each other and making sure that they're trying to adapt to the state of the art of adversaries, or even allies, as they may see fit or necessary to do so.

So what's the future of offensive
cyber, then, in light of all this sort of activity? Well, well, well. There's a popular conception of cyber, of computer network operations: you've got one asshole on a keyboard or whatever doing bad stuff, or like if you're a red teamer doing bad stuff for good reasons, and that's cool and all, and maybe it encapsulates some of what still counts for red teaming and pentesting or whatever operations, and maybe for some state-sponsored programs. But a more realistic depiction of CNO these days? Well, you're sitting in a freaking cube farm, man. This is a discipline now that has evolved beyond, like, one individual executing a single operation to trying to develop frameworks to do these sorts of operations at scale, and we've seen this in multiple aspects at this point. So just looking at this slide, we have Scan-V, we have the Snowden leaks items, and we have the Great Cannon, all representing attempts, some successful, some still maybe notional. It's debatable if Scan-V actually went live or not. I've been looking for a Scan-V node; if you find one, let me know, I'd be curious to take a look at it. But the idea being is that we're looking at a road to scalable cyber, and that applies across personnel, targeting and operational security. So from a personnel standpoint, cyber talent, while it is available right now because VCs are laying people off and they suck, the talent is still expensive, especially if you're working in the .gov and .mil space; they have to compete with private industry and so forth. So the ability to codify skills and capabilities in programs and in applications becomes quite useful in extending and expanding programs, so you're not doing a, you know, arithmetic expansion, like one operator, one op, but rather a geometric expansion, that I get a couple of devs and I can get a, you know, exponential increase in the number of potential operations and endpoints that I can exploit. That gets us to targeting, where if you are a significant authority or state-sponsored intelligence agency with any
sort of ambition whatsoever, global ambitions require global actions: being able to successfully target and manipulate networks at a vast scale. And just throwing thousands of, you know, a million monkeys on a million terminals or whatever can maybe exploit the internet or whatever in a million years and so forth, but that's not realistic. So to really come up with a way to hack the planet, so to speak, we need to figure out ways of automating and making that efficient. But also, top-tier threat actors know that they don't just buy AWS nodes or something like that these days. Some still do, and there are reasons to do so, but if you're really trying to do things like conduct offensive cyber operations or disruptive operations, it behooves you to start making the final hop to the victim network and where you're originally starting operations from as far apart as technically feasible, both to maintain your own sources, methods and command-and-control frameworks, as well as to potentially muddy the waters around, think, thorny questions like attribution, but also, more importantly, retaliation and response based upon that. But importantly, the Vulcan leaks are now lagging indicators. This activity has already taken place; we're looking at this now in the past tense. Thus we need to anticipate even greater degrees of automation, queuing and reactive targeting emerging over time. Again, Five Eyes were doing this over 10 years ago, China was doing a version of this about six or seven years ago, Russia was doing something kind of like this or whatever with VPNFilter and Cyclops Blink, and then with Scan-V decided to, like, go to 11 on the volume and really make this into a much more widespread sort of capability. So this shit's going on, and it's been going on, and it's only going to get better or worse, depending on your perspective, for things.

So what should we expect? I would argue that we should expect greater automation and improved scalability. Just, you know, accountants and so forth or
whatever, they want to try to make you do more with less, and that applies in the .gov, .mil space as well. So it's going to happen. That's not a very sexy point, but more interesting is this marshaling of the neutral web for offensive actions, where your unpatched SOHO router or whatever becomes a frontline article or whatever in targeting critical infrastructure in Ukraine. So how do we start defending that? And do we start doing things like automated remediation of vulnerable nodes or whatever that are in neutral space? Can we do that? Is that legal? Will that piss people off? Yes, it will piss people off, but it really becomes a thorny issue for how we start responding, reacting and doing things like takedowns against these sorts of capabilities. There's also, and this is actually kind of cool, I think, less reliance on rock stars and more commoditization of capabilities. So we want to talk about lowering the barriers to entry when it comes to cyber; this is one way. I don't need to rely on, like, two or three top-tier haxors or whatever in order to execute all my operations; rather, I just need to identify ways of getting that knowledge that is employed by those individuals, putting it into code, and then deploying it in some way that scales effectively. And also, you know, I'll give all the AI vendors or whatever a lot of shit, because there's so much bullshit out there right now, but there are non-bullshit applications for artificial intelligence when it comes to this sort of activity. So imagine, if you will, that in addition to building, say, an automated fuzzing platform for vulnerability identification, you extend that even a little bit further to a system that can do system scanning and classification that, say, could identify, based upon the system type and vulnerability, what is a reasonable vulnerability that I could exploit that minimizes my risk of detection, and then what follow-on payload is most suitable for this device to ensure either it's a lasting
node in my network or I can use it as an immediately burnable item for, say, deploying a wiper against a system of interest that I want to take off the internet. I apologize, it's like day three of DEF CON, my voice is going.

Yeah, so where does that put us? It's like, conclusions: like, yeah, adversaries innovate, man, like, that's cool, but where are we now? Capability inspiration and proliferation, basically. So adversaries learn from operations and open-source research. Every action comes with some sort of response or reaction in some great Newtonian reflection within the cyber ecosystem, and thus today's leak or disclosure becomes the inspiration for, or the "hey, why the fuck aren't we doing that?" for, some other party or whatever that happens to be involved in this space. With that, computer network operations is not a static field but a constantly evolving one with multiple factors, and you want to talk about three-body problems? We're talking about, like, a five- or six-body problem here in terms of adversary and defender reactions and relationships, as well as other sorts of factors that come into play. So what's our guidance for defenders and decision makers, my community? Well, adversaries are constantly evolving and learning. Like, no shit, Sherlock, of course they fucking are, otherwise they'd lose their jobs. Well, legacy techniques and tradecraft for defense and identification will fail if we're relying on things like block-listing the IP addresses associated with C2 frameworks or whatever. It's a losing game. Why? Because of a thing like Scan-V. It's like, oh, you block this node? Well, I have 15 more or whatever over here for just this one op, and I can get a hundred more if I want later on. It's playing whack-a-mole, and it's a game that defenders are going to lose. So instead we need to start building an emphasis on things like behavioral analysis of traffic patterns, and anomaly enrichment: these are necessary items, which kind of gets us into that creepy AI space a little bit, but again, if done well and
done accurately, without the marketing bullshit around it, it can actually be a valuable way of trying to resolve some of these problems. So the idea here is that defenders can't rely on just sort of statically addressing individual threats, but trying to understand categories of threat action in order to then take some sort of defensive response. Okay, that's my community. What about your community, for all the red teamers and hackers and such out there, whatever? Well, in addition to thank you for letting me speak to you for a while, and I hope this was interesting, really what we're looking at is that human-driven operations are rapidly being replaced by high-end threat actors. We're not talking about, like, the elite hacker or whatever in the hoodie or whatever, or Mr. Robot tapping away or whatever in the dark. It's like, that shit just doesn't happen anymore. We're talking about bureaucracies of dedicated developers, infrastructure teams, exploit development teams working in concert in order to develop and deploy capabilities for whatever reason. As a result, actually emulating adversaries, while it's really, you know, depending on the organization that you're working with, some of this goes out the window, because it's like, you have single-factor auth on your VPN? Like, please, you know, try harder. You know, for those organizations, they're already screwed. But if we're talking about trying to emulate adversaries for more mature organizations, as hackers, red teamers, pentesters, etc., we need to think at a higher level, of like, okay, how does this sort of operation scale? How can I start mimicking this sort of activity in a meaningful way, that I'm not just testing defenses but providing opportunities for defenders to look at traffic and actions that are similar to what my adversaries are doing? Thus testing and probing will become more challenging. It's not just about spinning up an AWS node and then brute-forcing traffic on the single-factor VPN anymore, and then migrating to the domain controller, dumping
creds, and game over, but really thinking about, like, okay, how do I start really emulating what we've seen over the last 10 years in terms of infrastructure deployment and then action on the part of high-end threat actors?

So where do we go from here? Networks of various types will continue to be weaponized by threat actors, either as end targets, so I'm going direct to my victim, less likely for my high-end threat actors, but more likely as means to reaching them: I'm going after and doing these exploit-at-scale campaigns not because these targets are immediately of interest but because they provide me with a way of tunneling my traffic to my ultimate victims, and that neutral or third-party web space in between starts to become a very interesting battleground where there's not a whole lot of agreement on authorities to operate and what defenders, let alone law enforcement, can do to respond to them. Like, if you hack back or whatever on the C2 server and it's an application server for a university somewhere, what have you done? Have you committed a crime? Arguably, yes. Is that a reasonable response or whatever for that node being used to send, like, some L-DOS-based wiper or whatever on your network? Probably not. But how do we figure this out? These are questions that policy people should be addressing, but instead they're talking about commercial threat attribution and naming schemes and other bullshit like that, and not really helping out. That's my world, I'm sorry. The idea, though, is that the increasing scale and velocity of campaigns will make defense and response challenging, but not impossible. We just need to recognize the state of where things are and begin moving and adapting defensive controls and countermeasures in tandem with that to come up with reasonable solutions. I have no freaking idea where I am on time right now. I had two minutes? That's not enough time for questions, really. I'm happy to meet out in the hallway afterwards if anyone wants to discuss. I'll hang out, like,
over there somewhere, like by the windows or something. But this is available on the media server, a bunch of references and resources related to these topics, if you're interested in going deeper into these, since we really just covered things at a high level. But thank you so much, this was a lot of fun. I hope this was interesting for you.