Technology Deathmatch: The arms race is on
Sean M. Bodmer, CEH, CISSP, NCIA
Chief Researcher, Counter-Exploitation Intelligence, CounterTack

Who is this tool?
• Sean M. Bodmer, CISSP, CEH, NCIA
• Arrested @16 years of age for hacking NASA and 3 other .gov networks
• Yes, it did put a damper on my life for a few years
• >50% of my time spent in non-gov’t based clandestine cyber operations
• 2012 – Helped US entities seize and recuperate > $6M USD
• Brief Bio
  • Over 16 years in IT systems security
  • Over 10 years in intelligence and counter-intelligence operations
  • Lectured at numerous industry conferences
  • Co-authored 2 books w/McGraw-Hill (writing 2 more)
  • Quoted and named in > 400 magazines, newspapers, radio, and TV-news outlets
• CounterTack, Inc.
  • Focused on in-progress detection and attribution of threats
  • Develops and deploys custom high-interaction honeypots
  • Provides customers tailored Threat Intelligence Services
• Knowledge Bridge Intelligence, Inc.
  • US IO Subject Matter Expert

There is more than one
• Distribution/Delivery (MAS)
  • Specialized distribution network
  • Attracts and infects victims
  • Global & targeted content delivery
  • Delivery through spam/drive-by/USB/etc.
  • Offers 24x7 support
• Author(s)
  • Original malware creator(s)
  • Offer malware “off-the-rack” or custom built
  • May offer DIY construction kits
  • Money-back guarantee if detected
  • 24x7 support
• Leader
  • Individual or criminal team
  • Maintains and controls order
  • Holds admin credentials
• Resilience/Recovery (MAS)
  • Provides C&C resilience services
  • Anti-takedown network construction
  • Bullet-proof domain hosting
  • Fast-flux DNS services
  • Offers 24x7 support
• Operator
  • Operates a section
  • Issues commands
  • May be the leader
Cloud as a Service Model
• YES, criminals are mirroring our e-biz models

The Arbitrary Icon
THIS DOES NOT MEAN YOU ARE SAFE !!!

Today’s Problem Set
• Almost all discoveries are post-mortem
  • Next day or countless days later
  • Generally, through laborious manual analysis
• Easily detectable over time
  • Static defenses can be identified by skilled adversaries
• Difficult to use
  • Heavily dependent on human expertise
  • Staging and maintaining honeynets
  • Manual reporting and analysis
  • Manual correlation between data sources

Let’s Look @ Something
• What can one find when p0wning bad-actors? Carberp Source Code Leak
Questions??
sbodmer@countertack.com
Twitter: @Spydurw3b
Skype: @Crypt0k1d