Cyber intelligence and warfare presentation 2015 (1)


Page 1: Cyber intelligence and warfare presentation 2015 (1)

Cyber Intelligence and Warfare

Jeremy Makowski

Cyber Intelligence and Counter Terrorism Analyst

Contact: [email protected] | @JeremyMakowski | Jeremy Makowski

Page 2: Cyber intelligence and warfare presentation 2015 (1)

Executive Summary

1/ Cyber Space and Intelligence

I. Cyber Threat Landscape
II. Cyber Space and its different environments
III. Cyber Intelligence (Where to gather information?)
IV. Threat Actor Profiles

2/ Cyber Warfare

V. Global Vision of Cyber Warfare
VI. Terrorist organizations and Cyber Space
VII. State actors cyber capabilities

Page 3: Cyber intelligence and warfare presentation 2015 (1)

I. Cyber Threat Landscape

• One hundred million daily worldwide cyber attack attempts (source: cybermap.kaspersky.com)

Globalization of Threats

Page 4: Cyber intelligence and warfare presentation 2015 (1)

I. Cyber Threat Landscape

• Multiple Motivations

• Diversity of attacks

• Multiple targeted sectors

Page 5: Cyber intelligence and warfare presentation 2015 (1)

I. Cyber Threat Landscape

Development of the Open Source Ecosystem

• Forums (Open Source hacking tools, techniques)

• Social networks and Chat (propaganda, recruitment, sharing ideas…)

• Underground Networks (Darknet, private encrypted networks)

Page 6: Cyber intelligence and warfare presentation 2015 (1)

I. Cyber Threat Landscape

Cyber Crime

• Top 10 countries for cyber crimes (Russia, US, Eastern Europe, Vietnam, Indonesia, Brazil, Nigeria, China, Romania, South Korea)

Cyber Terrorism

• Al Qaeda

• Islamic State

Hacktivism

• Anonymous movements

• Islamic Hacktivists

Page 7: Cyber intelligence and warfare presentation 2015 (1)

II. Cyber Space and its different layers

• Web (Google, Bing, Yahoo)

• Deep Web (Yandex, DuckDuckgo, Iseek)

• Darknet (TOR, I2P, Tails)

Page 8: Cyber intelligence and warfare presentation 2015 (1)

Web

• Use a spider program to fetch as many webpages as possible

• A program called an indexer then reads these webpages and creates an index, storing the URL and important content from webpages

• Each search engine has its own ranking algorithm that returns results based on their relevance to the user’s specified keywords

Page 9: Cyber intelligence and warfare presentation 2015 (1)

Deep Web

• Everything that is not found by a search engine’s spider program is considered to be the deep web

• Most of the web pages on the internet are not indexed by search engines. Around 75% of the entire internet is invisible web content

Page 10: Cyber intelligence and warfare presentation 2015 (1)

Deep Web Project

• Defense Advanced Research Projects Agency (DARPA)

• Memex Search Engine was developed in 2014 and aims to secure the Internet from hackers, human traffickers and other criminals

• DARPA describes Memex as a set of search tools that are better suited to government (presumably law enforcement and intelligence) use than commercial search engines

Page 11: Cyber intelligence and warfare presentation 2015 (1)


The Darknet

What is the Darknet?

Originally created for military purposes

The term was used in the 1970s to designate networks which were isolated from ARPANET (which later became the Internet) for security purposes. Such a darknet was able to receive data from ARPANET but had addresses which did not appear in the network lists and would not answer pings or other inquiries.

Open to the public

The darknet started to become available to the public in the 2000s with the development of open source software such as Freenet, TOR, I2P etc…

Page 12: Cyber intelligence and warfare presentation 2015 (1)

Darknet Software

• Freenet Created in 2000

• The Onion Router (TOR) Created in 2002, gaining popularity since 2004

• Invisible Internet Project (I2P) Created in 2003

How to access the Darknet?

Page 13: Cyber intelligence and warfare presentation 2015 (1)

How does the Darknet work?

Based on overlay networks

• An overlay network is a computer network built on top of another network. The overlay network nodes are interconnected by logical links of the underlying network, and the complexity of the underlying network is not visible to the overlay network.

Does not use regular URLs

• Uses specific extensions which are not searchable, e.g. http://ozy7mnciacbc5idc.onion or http://drugs6atkjvtk64f.onion

Does not expose the public IP address

• Hides the public IP address in order to keep anonymity

Page 14: Cyber intelligence and warfare presentation 2015 (1)

The Onion Router (TOR)

• Tor works by anonymizing the transport of data.

• Tor encrypts the data you send through the web in multiple layers. The data is then “relayed” through other computers. Each relay sheds one layer, and the data finally arrives at the source in full form.

• The software bounces users around a network of open connections run by volunteers all over the globe.
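To make the “each relay sheds one layer” idea concrete, here is an added toy illustration that is not part of the presentation and is not Tor's real protocol (Tor uses TLS links, AES-CTR circuits and per-hop key agreement): the client wraps a message once per relay, and each relay can remove only its own layer and learns only the next hop. It assumes keys pre-shared with each relay and uses a stand-in HMAC-SHA256 keystream as the cipher.

```python
# Added toy illustration of layered ("onion") encryption; NOT Tor's real
# protocol. Keys are assumed pre-shared with each relay, and the cipher is a
# stand-in HMAC-SHA256 keystream XOR so the example runs with only the
# standard library.
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream by hashing (nonce || counter) under the relay key."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def wrap(payload: bytes, route: list) -> bytes:
    """Client side: encrypt for the last relay first, so the first relay's
    layer ends up outermost. route = [(relay_name, relay_key), ...]. Each
    layer names only the *next* hop, never the full path or the sender."""
    hops = [name for name, _ in route] + ["destination"]
    blob = payload
    for i in range(len(route) - 1, -1, -1):
        nonce = os.urandom(12)
        inner = json.dumps({"next": hops[i + 1], "data": blob.hex()}).encode()
        blob = nonce + _xor(route[i][1], nonce, inner)
    return blob


def peel(key: bytes, blob: bytes):
    """Relay side: strip exactly one layer; returns (next_hop, inner_blob)."""
    nonce, body = blob[:12], blob[12:]
    layer = json.loads(_xor(key, nonce, body))
    return layer["next"], bytes.fromhex(layer["data"])


def run_circuit(payload: bytes, route: list):
    """Simulate the relays in order: returns the next hop each relay learned
    and the payload delivered at the end of the circuit."""
    blob, seen = wrap(payload, route), []
    for _, key in route:
        nxt, blob = peel(key, blob)
        seen.append(nxt)
    return seen, blob
```

A relay holding only its own key sees the next hop and an opaque inner blob; the plaintext and the final destination are visible only after the last layer is removed.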

Page 15: Cyber intelligence and warfare presentation 2015 (1)


The Onion Router TOR

Page 16: Cyber intelligence and warfare presentation 2015 (1)

III. Cyber Intelligence Data Collection

Different sources for gathering intelligence about different threats:

• Paste Sites and Leak Websites

• Social Networks

• IRC Chat

• Website Defacement

• Underground Forums

• Black Markets

Page 17: Cyber intelligence and warfare presentation 2015 (1)

Paste Site

• Type of web application where users can publish and store plain text

• Often used by hacktivists and hackers to leak databases, credit card data and other private information

Page 18: Cyber intelligence and warfare presentation 2015 (1)

Paste Site

Page 19: Cyber intelligence and warfare presentation 2015 (1)

Social Networks

Used as Command and Control (C&C)

• Easy to use for spreading ideologies

• Share hacking tools

• Set up hacktivist campaigns

• Publish results of attacks

Page 20: Cyber intelligence and warfare presentation 2015 (1)
Page 21: Cyber intelligence and warfare presentation 2015 (1)

Internet Relay Chat (IRC)

• Each server contains multiple channels

IRC channels are used:

• To discuss hacking issues

• For dealing CC and PII

Page 22: Cyber intelligence and warfare presentation 2015 (1)

Website Defacements

• Mostly used by hacktivists and hackers

• Defacements are archived and ranked by threat actor, domain and country

Page 23: Cyber intelligence and warfare presentation 2015 (1)

Underground Forums

Page 24: Cyber intelligence and warfare presentation 2015 (1)

Black Markets

Page 25: Cyber intelligence and warfare presentation 2015 (1)

Black Markets

Page 26: Cyber intelligence and warfare presentation 2015 (1)

Threat Actors profiling

Cyber Criminals

• Main goal: Make money

• TTP: Phishing, Trojan Horse, SQLi, DDoS, PoS Malware, social engineering

• Do not communicate unless for deals on the black markets

Black Hat Hacker

• Main goal: Show off

• TTP: SQLi, Phishing, XSS, Defacement, Use hacking forums

• Leak data for fun

Hacktivists

• Main goal: Ideology / Nationalism

• TTP: SQLi, XSS, DDoS, Defacement, Use social media as C&C platform

• Want people to know that they are behind the attack and broadcast their ideological political messages

Page 27: Cyber intelligence and warfare presentation 2015 (1)

Global vision of the Cyber Warfare

Cyber Crime

• Criminals such as weapon dealers, drug dealers, fraudsters (financial fraud)

• Countermeasures: Cyber intelligence, security systems, CERP and cyber security policies

Cyber Terrorism

• Al Qaeda, ISIS, Hamas, Syrian Electronic Army

• Countermeasures: Cyber intelligence, Intelligence (HUMINT), Counter propaganda online

Hacktivism

• Anonymous movements, Islamic Hacktivists, Hacktivism related to conflicts

• Countermeasures: Cyber intelligence, VHUMINT, CERP

Cyber Espionage

• States (USA and Five Eyes, China, India, Russia, France, Germany, Iran, Israel)

• Countermeasures: Counter Espionage, National Cyber Defense Policy, Military Cyber Command

Page 28: Cyber intelligence and warfare presentation 2015 (1)

Terrorist Organizations and Cyber Space

• In 2007 Al Qaeda developed an original email encryption software named “Mujahideen Secrets”

• In 2013 Al Qaeda, through the GIMF, developed new encryption software for messages named “Asrar al Dardashah” and also through Al-Fajr “Amn al Mujahid”

• In 2013 ISIS developed an encryption program named “Asrar al Ghurabaa”

Page 29: Cyber intelligence and warfare presentation 2015 (1)
Page 30: Cyber intelligence and warfare presentation 2015 (1)

State Actors Cyber Capabilities: China (People's Liberation Army)

Military Cyber capability: Cyber Unit 61398, SIGINT Unit 61486

Notable state sponsored groups: APT 30, Putter Panda, Axiom group and others

Capabilities: For Unit 61396 alone, 1000 servers, 2000 soldiers, optic fiber connection

Techniques: Sophisticated Malware, Spear Phishing, Social Engineering

Operations launched:

Since 2006: Multiple cyber espionage attempts on 141 organizations across 20 industries worldwide

2010: Cyber attack on Google infrastructure for Intellectual property

Page 31: Cyber intelligence and warfare presentation 2015 (1)

State Actors Cyber Capabilities: Russia (Federal Security Service)

Military Cyber capability: FSB, FSO, GRU, Military Cyber Command expected in 2017

Notable state sponsored groups: APT 28, Anunak APT, CozyDuke APT

Techniques: Sophisticated Malware, Spear Phishing, Social Engineering, Zero-day exploits, code injection

Operations launched:

Since 2008: Uroburos malware for cyber espionage purposes against the US, spread via phishing

2010: Energetic Bear cyber espionage campaign targeting foreign industries, with 2800 victims worldwide and 219 websites used as C&C to spread malware

2013: Operation Armageddon, cyber espionage attack against the Ukraine-EU agreement

Page 32: Cyber intelligence and warfare presentation 2015 (1)

State Actors Cyber Capabilities: Iran (Iranian Revolutionary Guards)

Military Cyber capability: Army Cyber Defense Command, National Supreme Cyber Council, Cyber Police Unit

Notable state sponsored groups: Ashyane Security Team, Basij group for propaganda, Parastoo, Iranian Cyber Army

Capabilities: Hundreds of soldiers, dozens of civilian threat actors

Techniques: Sophisticated Malware, Spear Phishing, Social Engineering, code injection

Operations launched:

2011: Iran claimed to capture a US spy aircraft by hijacking its navigation systems

2012: Iranian cyber-attack campaign on foreign critical infrastructures named “OpCleaver”

2014: Cyber espionage operation against the US and Israel named “Gholee Malware”

2015: Cyber-attack campaign across the Middle East named “Thamar Reservoir”

Page 33: Cyber intelligence and warfare presentation 2015 (1)

Thank You!