Good afternoon, everybody. Welcome to the home stretch of Saturday. Thanks for being here at Crypto and Privacy Village. We've got another fantastic talk lined up. Ken Geers, Senior Research Scientist at Comodo, is going to run us through traffic analysis in cyberspace. All the cybery-cybers. Thanks, Ken. Give it up.

Awesome. Thanks for being here. I really appreciate it. So I'll just, I think the most important takeaway from this talk is that, you know, the math works and it doesn't really matter how, you know, how solid your crypto is if somebody can see what you're doing, you know, if somebody basically knows, you know, if they're looking for you especially. But given ubiquitous surveillance and sensors today, you know, often people just can see who you are and where you are, and we'll get to that in just a second. But I'm sort of, having an intelligence background, I kind of look at things with an international relations perspective, so a geopolitical perspective, and that's what I've done in government for 20 years and then with a couple of companies as well.

So who knows what pizza and the Pentagon have in common? Yes. Exactly. So, you know, if you're a journalist, you can sit out at 2 in the morning outside the Pentagon and just count the number of pizza deliveries. And if it's on average 200 and then one night it's 20,000 pizzas, the largest office building in the world, something is probably happening that you might want to be interested in, right? And then if you go to Alan Turing in World War II, you know, when the Japanese fleet set sail for Pearl Harbor, well, they kept the communications going as much as possible as normal even though the ships weren't there. When we invaded France on D-Day from Normandy, we had all kinds of fake things happening. We wanted the Nazis to think that we were going to invade to the left and we went to the right, right? And the same thing is on the Enigma machine from the German perspective.
The Germans had great faith in the Enigma for a long time because the math was sound. You know, if it's trying to find one star in a universe of billions, you know, it's pretty good. The problem though is it's in the process, right? And Garry Kasparov, if you heard his talk yesterday, he talked about this. He said it's all in the process. He said, honestly, he said a very average intelligence person with a smartphone can beat almost the best chess players today if they just know how to operate the phone well and they don't question the wisdom of the phone. So it's all about intelligence, but you have to have smart people. And like with Bletchley Park and Alan Turing, there were thousands of people supporting him doing HUMINT and SIGINT and all kinds of other intelligence operations behind them.

So just a couple of slides on this. You know, if you have a whole bunch of traffic, right, on your network or in your country, or in your home even, you can usually figure out, if you just start sorting it out, who's in charge, right? In other words, chain of command. And by timing, you can see when things happen that are important, right? And so that's how a lot of attribution. I spent years in the basement of the Pentagon trying to do attribution for these big intrusion sets that DOD looks at. Well, one of the basic ways to do that is time. You know, you take the majority of the traffic and you say, okay, between nine and five, where is it happening work time-wise? Okay, this intrusion set is nine to five Beijing time. This is Moscow time. This is Maryland time. Aha, okay, here we have sort of the APTs sorted out, right? And so again, if you imagine yourself sort of in a bunker in World War II, you know, with headphones on, you know, it's the frequency of the communications, the volume of communications.
And a lot of times this is going to give away even things like SSH and TLS, security protocols on the internet, are subject to basic time and size and frequency attacks, right? Just depending on how often you're communicating and with whom you're communicating, a lot of times the metadata is enough. You don't even really want the content, right? Because content just slows you down. It's hard enough, I can tell you, I was a linguist at NSA. It's hard enough to understand, for a person to understand what somebody else is saying, especially on the other side of the world, in a different context, a different language, it's even harder for computers, right? You know this from the Turing test. So the metadata is really what you want. And you want to be able to chew on that, you know, algorithmically, and you can almost know more quicker, faster, better without the content. So back and forth might be communications and random, it might be security or some kind of operation. You know, rapid, slow, silence, right? If all kinds of data is flooding all of a sudden, well, something important is happening. If there's no communications, well, guess what? That also might signal something very interesting. Let's say you're following a spy, you're counterintelligence, and then all of a sudden communications are completely broken. Maybe there's an important operation going on, right? And that's an important takeaway from no comms.

So then on countering basic signals intelligence or traffic analysis, how do you do it on defense, right? So one of the basic ways is to burst communications. So over the course of a month, you know, if I fire off some this morning and then next Thursday, and then that's it, I'm hoping you're going to not be listening at the right time. So it's all about when you're listening. Spread spectrum is all about where you're listening. You know, there's a range of frequencies, and so I shoot one up here, one down here, and one down here.
You know, you're only going to get part of it, right? Indirect communications are very important, because like at the Pentagon way back when 15 years ago, let's say Chinese intrusion sets or whatever intrusion set, you know, coming from the Pentagon, they're not going to take the data directly back, right, to headquarters, but it's going to go to Maryland or go to Virginia, go to Canada first, right? Cyberspace, there's only one cyberspace and only one Internet, right? And we're all in the same space together. So that gives attackers all kinds of possibilities, because I don't know if I have it in this presentation, but I have a slide basically of all the C2 comms over about a six month period, and there's connections between any two countries on the planet. So what does that mean? If you're a really smart hacker, you can route it a different way every time, right? Buried fiber like in Iraq, this gave NSA for a long time, you know, all kinds of headaches, you know, you digitize communications, you put them underground, very hard to find it. Now one of the only ways really to get around, theoretically, traffic analysis is by continuous ciphertext. So just encrypt everything to the nth degree and then fire it 24-7-365 at full value. And why is that the only way to get around traffic analysis? It's because then somebody can't do timing attacks, frequency attacks, size attacks against your traffic, right? And failing all else, there's human courier. But then again, that's the silence problem, right? So in Abbottabad, Pakistan, you know, when the CIA is trying to find Osama bin Laden, and that huge house on the corner has no telephone, no internet communications, well guess what, silence is in and of itself a huge red flag, right, if you're on the hunt for someone.
So if you work for a big company, you probably also have a picture like this of the world. You know, this is malware detections for the past few months that I've been looking at, and I really enjoy it because the company I work at now, we actually have clients in every country on the planet because you can download and use software for free, security software, so what does that mean? In every little island and province and city and state, I get malware traffic to analyze. You know, but all of these, they kind of lie outside your sovereignty and law enforcement jurisdiction, so you have to think of some other ways to get at this. And so if you plot it as a network, same data, but you plot it on a network chart, then you get a different picture, and again here you can see sovereignty and jurisdiction are not so important anymore because we're all in the same cyberspace to some degree. So the malware analysts at my company, they put things in categories like Trojan, application malware, et cetera, and I think more in terms of countries. So all these little orange circles around the side are, you know, Netherlands, Iran, Latvia, et cetera. You can see where we have most of our detections, Russia, US, Germany, et cetera. But what you can see here is that if this is truly an international problem, it requires an international solution from a legal policy perspective, but as an analyst, you know, you can do a lot with this too by clicking on your country and your particular malware type, and all of a sudden you blow it up and you make it, you simplify the problem, and here's our top five for the spring, malware types, along with the top ten countries for each, and then you color code them a little bit and you can see where most of our detections are, in Russia, in the United States, and you can work out from there. So application is a huge malware category for us. We have, you know, unwanted application, potentially unwanted application, malicious application, et cetera.
So I threw those out, just take these four for this particular analysis. But you can see Trojan is not only the largest, but it's the most complex data set. Over the coming year I really want to do something on analysis of complexity versus simplicity, and Trojan is a tough one because of the Swiss Army Knife. When you get that code on your system, you know, you can do ransomware, you can do basically anything, but so it's the largest energy you'll see in a second, and also the most complex. It is also, as you'll see, backdoor, I think, is the most valuable category. So here, if you sort, for example, and I'll show you a little bit of this, but countries by the ratio of these four malware types, according to the ratio within each country, backdoor is, they're all very rich countries, at the highest ratio, and worm is all the very poorest countries. And I'll show you a little bit of that in a second. But with these four malware types I can show you we have every country on the planet. There's, you know, 190 some odd countries in the UN, but there's 255 country code top level domains. But that's kind of the way I sort them. And there's a lot of fun ones if you like geography. You'll find that there's some little semi-autonomous and quasi-independent republics in various places that you can find on the map.

But here's another way to sort your data that's really helpful, because here's what I want to say also in this presentation. You can do anything, I think, with traffic analysis. You just need to just keep changing your perspective, thinking about the attacker's perspective, the defender's perspective, but also conceptual ideas like what vertical. Vertical is kind of a buzzword, but here, so you put our clients into particular economic sectors, basically health care, education, et cetera. And what you'll find is you can fingerprint malware types and families, threats, threat actors, you know, ever more precisely.
And so you don't have to defend against everything, but you can defend only against some things. Now this is only obviously a partial data set, but I think it's already pretty revealing. So for my data over the past six months I've started to put them into malware, you know, verticals, then malware types, then malware families. But what you find is if you work out from there, and you can go the other direction too, and that also is interesting, but I only have so much time here. But like online services, for example, all the ones I've been able to look at so far have been in the worm category. And then those have been mostly in just two malware families, Nimda and Runowns, right? So very quickly you say, well, if I do online services I better take care of this one, at least start here. Because, you know, there's quantity and there's quality and quality sometimes trumps quantity, but as you've probably heard, quantity has a quality all its own, right? So you have to deal with the big stuff first, the elephant in the room. Sorry? Oh, thank you. Yeah, quote from Stalin. So I've lived most of the past decade in the former Soviet Union, so thank you for sharing that with me.

Here's our African traffic, and the list goes away on down because there are like 60 some odd countries in Africa. But this is one way you can do it. So this is in Kibana, Elastic Stack, but you can use anything. And I just said, okay, for each of the countries I want to see the top spike over the last month or two for this data. And so that's really interesting because you can click on one at a time and open it up and see what was the spike. So where was the outbreak? Where was the largest amount of infections for a given country? And then over time, time is kind of your best friend sometimes as an analyst too, because you can see, you know, it happened on Christmas or New Year's or Valentine's Day or whatever it was. And why is that? And you can also sort, you know, by time of day.
So this traffic is from the Middle East. I took six countries in the Middle East. And again, so this is kind of like the network perspective. This is malware detections. Okay, now I'm going to drop something else on there. You can see I dropped, I went back and I said, okay, for each of these countries is there something interesting that happened at that time? And I can't promise you these things are directly related. But I happen to firmly believe, because I have more of a government background, so that's the way I think. But I happen to think that there's a whole lot of nation-state operations going on in cyberspace, many more than we imagine. So in this case, the red on the left is Saudi Arabia detections. And I looked, and on that day or right about that day or two, there was a missile fired from Yemen at Mecca. In Yemen on that same day, there was a bomb that killed 48 soldiers. In Egypt there was a church bomb. In Turkey, you probably remember this was big in the news. This is New Year's Day here. There was a bomb at a discotheque in Istanbul that killed almost 40 people. That was also the biggest spike. And then over here there's a cluster of them. And I said, what happened around here? And you just go back in Google News to look at what was happening at that time. And there was a missile test in Iran that may have been of interest to all these countries. May or may not be related directly, but here's the way I put it. I think a combination of law enforcement, domestic intelligence, foreign intelligence, hacktivist, lone hacker, cyber criminal, various things basically. I think there is a relationship at least to some degree.

So I was at a company about five years ago, well, only three years ago now. And I did an 18 month study on malware callbacks. And here's what I said, okay, there's a to and a from. And I think the to, the person receiving the callback, is going to get greater weight.
So let me see, the malware callbacks to a particular country, I'm just going to plot them all. I had 30 million rows of data over an 18 month period. I'm not sure quite how many are on this screen, maybe 18. But on the yellow column on the right is March 2014. And in March 2014 was a very critical month, I think, in geopolitics, because I presented this at Black Hat 2014. And so in March of that year Russia annexed Crimea and had troops on the border. Gazprom, the big Russian company, was threatening an oil shut off to Ukraine. The West was threatening sanctions against Russia. And so my own belief is that basically cyberspace is just a reflection of traditional human affairs. You'll never find an election or military invasion that is not reflected in network traffic and also in your malware data if you happen to be within that sort of geopolitical fault line. So here you can see the blue is callbacks to Ukraine from anywhere in the world. Red is callbacks to Russia from anywhere in the world. And the Russian is not so clear because I think, as you'll see in a second, there's, Russia's riddled with malware. There's a lot of other countries are too. But the single highest amount, see, this is the month, the yellow, of the peak tension, international tension. And you can see Ukraine basically rising up in the data to that particular point. And so anyway, I think there is pretty clear even eyeballing it. I'm not Alan Turing, but even just looking at the data you can tell.

So in the data I'm looking at for the last few months, I'm also, I'll show you a couple of ways that I'm trying to analyze it. And this is this spring, this is April, May, and June. And basically these four malware categories I was showing you earlier, there's just wild swings in them. And this is global data. This is, you know, this is a, you know, there's about a billion rows of data and about 50 million that have been tagged by our malware analysts into a particular category.
But you can see that there's a huge outbreak of worm and then it tapers off. And, you know, people figure out the exploits and vulnerabilities and shut them off. And virus going back to the number one or the number two at the end of the category. Trojans are maintaining pretty solid, you know, number one overall and less with virus. You can also say where do these infections take place. And so you, by country code here, and then also you can see where those worm infections largely were, in the Philippines and Indonesia on the left. Right? And that gets less as other countries then, you know, take that room. But Russia there in the middle is the third country and you can see big spikes. May 29th, I don't know, but what happened on May 29th? If you're a Russia analyst, you may be able to associate that with legislation, with international tension, with domestic politics. You know, it could just be pure cyber crime, but then again, I'm not always sure there's such a thing as pure cyber crime that has no connection to what's happening in politics. But here you can see, and ideally you want to be able to open these up, right? And look inside them. So here I plot Trojan, worm, virus and backdoor on this tree map. And so you can see by country code the top. And we'll just look at the top. This is a short presentation, so we'll just look at the number ones of anything. But if we highlight the number one country for each malware type, I think you'll be able to see something that's pretty very interesting. The U.S. has a particular problem with Trojans, but you can see that Trojans have, they've occupied an interest, so if you say what is the relative ratio between countries, you'll see that the United States scores very low on worm and virus, but top on Trojan. So I think it's a higher value, higher return on investment, more targeted operation in cyberspace.
Here you can see worm, the Philippines, but the Philippines then, they drop way down on Trojan, further down on virus and not, at least in this short bit, top on backdoor. But worm is a lower category of cyber attack. It's going after the low hanging fruit in cyberspace, unpatched, unmanaged, unlicensed, the easy pickings, right? So here, virus, Russia, even though Russia is well known for kind of being an aggressive player in cyberspace, you can see that they have all kinds of trouble on their networks. There's no doubt about that. It's number two on Trojan, number two on worm and number one on virus. So really enough said, I think. And if you look at Poland, which came in number one on backdoor, a little bit less on the others, but the fact that it comes in number one in our very strategic data set in terms of backdoor is something they should look at. These are families. So once you get into the particular families of each malware type, then you can get more precise, right? Whether you're on offense or defense, because those are kind of one and the same in a sense. So here, you can see the U.S. occupying again a very high ratio of the detections here. This is virus, you can see Russia, Russia, Russia here. It's a lower. In the worm category, you can see Philippines, Indonesia, but also Russia, Russia, Russia, right? So this is very important. I think these networks have a lot of work to do. You can see DarkComet here is our top backdoor. Also, the previous company I was at, also the top backdoor was DarkComet. But you can see that this is a higher value, higher return on investment data set. Poland, Singapore, U.S., Great Britain, Great Britain, India. And if you look at it here, you can see if you just start with backdoor, you can see Australia, Great Britain, Japan, the top countries. Trojan, you look at the top ones here. This is by ratio U.S., Great Britain, Australia. And worm, I'll just skip down to the bottom, South Africa and Russia.
You can see it pretty clearly and you can sort of plot it on a map and again, basically this is strategic traffic analysis, but I think it applies in a smaller micro context too, within your office, your home, your enterprise, your vertical in your country, within countries. But you can see globally, if you plot the top malware types by color on the screen, you'll see that there are patterns. I'm approaching the end of my time, but you can see here the most people with the most money with the most malware in the United States, basically on this graph. And here also this further sort of strengthens my argument. Worm, you can see the bubble size is per capita income. And as you go higher ratio worm, these are smaller economies. Higher ratio backdoor, larger economies. Ransomware, here you can look at it by month and you can see the United States crawling through the data at the beginning of the year. This is January, February, March, April and May. You can see Russia, Russia, Iran, Poland, the U.S. And my theory here is that they're practicing malware, they're experimenting with it and they're working it out into the richer economies with practice. So thank you very much. I'm out of time, but I appreciate your time and attention. So thank you. If you have any questions, feel free to send me an email.
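The working-hours timing heuristic the speaker describes (bucket an intrusion set's activity by hour and see which time zone makes it a nine-to-five pattern), written out as an added example that is not part of the talk or of Comodo's tooling. It assumes UTC timestamps, a 09:00-17:00 local workday, and a constructed beacon log with a placeholder destination.

```python
"""Working-hours attribution heuristic: bucket activity by local hour under
each candidate UTC offset and keep the offset that puts the most activity in
a 09:00-17:00 workday.  Added example; not the speaker's or Comodo's code."""
from collections import Counter
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 9, 17      # assumed local workday window


def parse_timestamps(lines):
    """First whitespace-separated field of each line is an ISO-8601 timestamp;
    naive timestamps are assumed to be UTC."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ts = datetime.fromisoformat(line.split()[0])
        events.append(ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc))
    return events


def hour_histogram(events, offset_hours):
    """Events per local hour-of-day for a candidate UTC offset."""
    shift = timedelta(hours=offset_hours)
    return Counter((ts + shift).hour for ts in events)


def workday_fraction(hist):
    """Share of events that fall inside the assumed workday."""
    total = sum(hist.values())
    if total == 0:
        return 0.0
    return sum(hist[h] for h in range(WORK_START, WORK_END)) / total


def infer_offset(events, candidates=range(-12, 15)):
    """Score every candidate offset; return (best_offset, best_fraction,
    ranking).  Ties are possible when activity spans fewer than 8 hours, so
    inspect the ranking rather than trusting only the top entry."""
    ranking = sorted(((workday_fraction(hour_histogram(events, o)), o)
                      for o in candidates), reverse=True)
    frac, off = ranking[0]
    return off, frac, ranking


def constructed_sample():
    """Constructed beacon log (not real data): five weekdays of activity
    between 01:00 and 08:59 UTC, heaviest mid-window, plus one off-hours
    event per day.  The destination is a placeholder, not a real indicator."""
    base = datetime(2017, 7, 24, tzinfo=timezone.utc)   # a Monday
    per_hour = {1: 2, 2: 4, 3: 6, 4: 5, 5: 6, 6: 5, 7: 3, 8: 2}
    lines = []
    for day in range(5):
        for hour, n in per_hour.items():
            for k in range(n):
                ts = base + timedelta(days=day, hours=hour, minutes=7 * k)
                lines.append(f"{ts.isoformat()} beacon src=10.0.0.{day + 1} dst=C2_PLACEHOLDER")
        late = base + timedelta(days=day, hours=20)
        lines.append(f"{late.isoformat()} beacon src=10.0.0.{day + 1} dst=C2_PLACEHOLDER")
    return lines


if __name__ == "__main__":
    ev = parse_timestamps(constructed_sample())
    best, frac, ranking = infer_offset(ev)
    print(f"{len(ev)} events; best fit UTC{best:+d} with {frac:.1%} in workday")
    for f, o in ranking[:3]:
        print(f"  UTC{o:+d}: {f:.1%}")
```

On the constructed log the heuristic lands on UTC+8, which is the kind of "nine to five Beijing time" signal the talk describes; on real data the ranking's runners-up and the weekday/weekend split deserve as much attention as the top offset.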