SlideShare una empresa de Scribd logo

An Underground education

G
grugq
Tecnología
1 de 73
Descargar para leer sin conexión
An Underground Education Lessons in Counterintelligences from History’s Underworld @thegrugq
Agenda Counterintelligence Processes Threats Contributing Factors Professional Thieves: CI Hackers: CI
Counterintelligence
Processes of CI Basic Denial Adaptive Denial/Insight Covert Manipulation
Basic Denial
Prevent the transfer of information to the adversary Primarily proscriptive Don’t engage in some behavior Enough for basic survival
OPSEC STFU COMSEC Vetting members to prevent penetrations examples
The first breach of security occurs when the opposition becomes aware that information worthy of targeting exists. Counterintelligence: Theory and Practice After the adversary knows there is something to look for, then the game begins. You can’t go back underground. :(
Adaptive Denial
Insight into oppositions techniques/processes Develop countering tactics Analyze security posture for weaknesses Develop remediations Ongoing process Dual pronged approach. On the one hand, learn how the adversary works and attempt to work around those strengths/capabilities On the other, look at organisational weaknesses and address them. Iterative. Best if there is a penetration into the adversary to monitor how they function
Adjust to remedy unique vulnerabilities and/or adversarial strengths Greatly benefits from access to adversarial know- how Active penetrations of the adversary are very useful here Colombian narco traffickers used court discovery heavily to discover the Tactics, Techniques and Procedures of the adversary The PIRA started to do the same thing later in their struggles, forcing the .gov to reveal details
Covert Manipulation
Provide the adversary with false information Deceive the adversary into taking futile action Deceive the adversary into not taking action Mostly irrelevant for hackers Misdirection could be valuable, maybe. Adversary has multiple channels for receiving information, have to send fake signals down them all. HUMINT, technical penetrations, open source INT, etc. etc.
Intelligence Threats The capabilities of the adversary are described as “intelligence threats”, that can be used to gain information about the agency.
Penetrations Technical Penetrations Passive Surveillance Media Exposure HUMINT, SIGINT, ... OSINT
Informants
Intel Lingo: penetrations Recruited Inserted Most serious threat HUMINT is the biggest threat. Many sources, from forcing someone to “turn state’s evidence”, to undercover operation, to recruiting someone in place/defections... lulzsec’s collapse ultimately stems from a single individual leaving Anonymous and dumping IRC logs in public.
Technical Monitoring
Wiretaps, etc Trojans and monitoring software Video / audio surveillance An increasing threat See: media reports of legal trojans FinSpy, etc.
Surveillance
Passive observation from local population Dedicated active surveillance teams Not really a threat for hackers or professional thieves
Media Exposure
Media coverage creates an OSINT footprint Can be dangerous for hackers Raises profile which draws adversarial attention
Contributing Factors Factors that contribute to the groups CI strengths and vulnerabilities.
Organizational structure Controlled territory Popular support Adversarial capabilities Resources
Organizational Structure
Hierarchical vs. Flat Flat can react faster Hierarchical can enforce good practices Flat leads to poor compartmentation Hierarchical increase value of high level penetrations
Tight vs. Loose Loose, each node has a unique CI signature, harder to attack efficiently Tight, can enforce CI discipline better Loose, can have poor practices and CI resources Tight can be rigid, introducing systemic CI vulnerabilities Tightly controlled organisations react slowly and can develop rigid CI practices. This means they’re exploitable.
Controlled Territory
Area safe from adversarial intelligence gathering Reduces incentives to develop robust CI posture We’ll see that later, with China and Russia.
Popular Support
Active support from the population Housing, food, etc Passive support from the population Don’t report activity to the adversary Not really an issue for hackers, but thieves faced a hostile population.
Adversary’s Capabilities
Highly capable adversary Strong intelligence capabilities Experienced and knowledgeable Low capability adversary Floundering reactionary moves that are ineffective and make people angry
Resources
Adversarial resources available for Performing intelligence gathering Analysis Follow up actions Agency resources for counterintelligence Dedicated CI team(s)
Organizational Learning The way that adversarial groups learn and adjust to each other’s behaviour is well studied. It is a subset of Organizational Learning -- Competitive adaptation.
Competitive Adaptation The way these factors and processes interact is called competitive adaptation, as two adversarial groups learn from and adjust to each other’s strengths and capabilities
Adverse environments breed stronger actors
Competitive Adaptation Organizations are superior to individuals Can afford some losses and still recover Deeper experience base to draw from (more metis)
Setbacks lead to sense-making and recovery Damage Assessments Adaptive Denial Setbacks - flaps in “Intel Speak”
Professional Thieves Perfectly suited for their time, failed to exhibit adaptive denial and learn from competitive adaptation. They were darwinialy selected out of modern society. The lesson here for hackers is simple, either adapt where the thieves didn’t or enjoy your fading golden years...
Professional Thieves Historical class of professional grifters From 1890s to 1940s in America Self identify as thieves (honorific) Thieve argot used to demonstrate membership A large community of practice
Thieves Con men Long con, short con Cannons (pickpockets) Boosters (shoplifters)
Organizational Structure Flat Loose Small “mobs” with great indivudual variation Autocratic groups survive better than democratic groups in the face of adversarial competition
Controlled Territory Operating inside “fixed” towns Small meeting rooms
Popular support None Relied on high level penetrations of law enforcement apparatus
Professional Thief Assets Core skill was “larceny sense” Experience derived cunning Access to fixers and fences Social network with memory for vetting members Example tale of two thieves in boosting from a store. Thief A doesn’t get the alert from B, has item in suitcase already, sees shopkeeper, approaches and demands to see the manager. Is taken to manager, while B collects suitcase and leaves. Thief A is then confused, and walks out.
Rules for effective thievery Steal an item at a time Stash it at a drugstore or restaurant Mail it back home to a friend Never keep it at home / in car Never grift on the way out
Rules, cont. Never draw attention to a working thief Never fail to draw attention to an adversarial threat Failsafe triggers to indicate problems, i.e. arrest Lots of codes and signs - “nix” for coppers around, changing the conversation to prevent people - always punctual to meetings, only reason to be late is arrest - mob will break up - always call someone at fixed time at end of day, on failure they assume arrest and search
Strict rules against informants (“rats”) Violent retaliation against “rats” was sanctioned “A professional thief will never say anything dangerous, and someone who is not a professional thief doesn’t know anything dangerous to say”
Heavy investment in fixers to limit handle problems Little/No adaptive denial capabilities Adversary maintained fixed capabilities No competitive adaptation After the adversary changed their game, lost the corruption and the “old style police work”, the professional thieves day’s were numbered. The environment became too hostile to support them in number.
Hackers
Organizational Structure Flat hierarchy No commanders Loose group structure Individuals pool resources, but act on their own
Controlled Territory Nation state protected hackers Russia, China, etc. Political protection: e.g. USA hacking Iran Secure private servers and channels Unmonitored information transfer
Popular Support Not relevant Cyberspace is not a “space” Support requires knowledge Who, what, etc.
Counterintelligence Denial, Insight, Manipulation
Basic Denial Vetting of members Pseudonymity Limited compartmentation Internal to a group But.. gossip spreads far and fast
Adaptive Denial Limited sensemaking from colleagues’ busts Over reliance on technical protections No case, ever, of a hacker penetration of LEO Resulting in actionable intel to adapt
Covert Manipulation Occasional poor attempts at framing others ProFTP AcidBitches hack Nation state level, certainly happens False flag attacks What is the cost of a VPS in Shanghai?
Hacker Community of Practice Informal community Social groups connected via social mediums Sharing of metis via formal and informal means Zines, papers, blogposts, chats
Communities of Practice Three main hacker communities English Russian Chinese Clustered by language of information exchange
Communities of Practice Operate inside controlled territory Russian Chinese Operate in hostile environment English Interesting that 2/3 communities are operating in controlled territory, where they have carte blanche to operate, provided they avoid antagonizing the local authorities.
Comm of P. CI Controlled territory provides protection against adversarial intelligence collection Discourages robust operational security practices Hostile environments force adaptation Darwinian selection
Favorable elements in any operational situation should be taken advantage of, but not by relaxing vigilance and security consciousness. Soviet doctrine on clandestine operations https://www.cia.gov/library/center-for-the-study-of-intelligence/kent-csi/vol9no1/html/ v09i1a06p_0001.htm
Learning Disabilities Hacker communities of practice have severe learning disabilities Incurious about why colleagues got busted No lessons learned No damage assessment
Learning Disabilities Hacker groups are too compartmented for info sharing Not compartmented enough to prevent intelligence collection
Lessons Learned
Identity Operational secrets When How Critical Secrets These are the things that hackers most need to be concerned about.
Hacker CI Focus on Basic Denial Create virtual controlled territory Political cover for hacking
Conclusion
Adapt or die
Thank you.

Recomendados

OPSEC for hackers
OPSEC for hackersOPSEC for hackers
OPSEC for hackers
grugq
 
Spear phishing attacks
Spear phishing attacksSpear phishing attacks
Spear phishing attacks
Jorge Luis Sierra
 
From OSINT to Phishing presentation
From OSINT to Phishing presentationFrom OSINT to Phishing presentation
From OSINT to Phishing presentation
Jesse Ratcliffe, OSCP
 
Cyber security awareness presentation nepal
Cyber security awareness presentation nepalCyber security awareness presentation nepal
Cyber security awareness presentation nepal
ICT Frame Magazine Pvt. Ltd.
 
Cisco Security Presentation
Cisco Security PresentationCisco Security Presentation
Cisco Security Presentation
Simplex
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formal
Priyanka Aash
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov
 
Cybercrime In The Deep Web
Cybercrime In The Deep WebCybercrime In The Deep Web
Cybercrime In The Deep Web
Trend Micro
 

Recomendados

OPSEC for hackers
OPSEC for hackersOPSEC for hackers
OPSEC for hackers
grugq
 
Spear phishing attacks
Spear phishing attacksSpear phishing attacks
Spear phishing attacks
Jorge Luis Sierra
 
From OSINT to Phishing presentation
From OSINT to Phishing presentationFrom OSINT to Phishing presentation
From OSINT to Phishing presentation
Jesse Ratcliffe, OSCP
 
Cyber security awareness presentation nepal
Cyber security awareness presentation nepalCyber security awareness presentation nepal
Cyber security awareness presentation nepal
ICT Frame Magazine Pvt. Ltd.
 
Cisco Security Presentation
Cisco Security PresentationCisco Security Presentation
Cisco Security Presentation
Simplex
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formal
Priyanka Aash
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov
 
Cybercrime In The Deep Web
Cybercrime In The Deep WebCybercrime In The Deep Web
Cybercrime In The Deep Web
Trend Micro
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
Teymur Kheirkhabarov
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attack
Kaustubh Padwad
 
Red Team vs. Blue Team
Red Team vs. Blue TeamRed Team vs. Blue Team
Red Team vs. Blue Team
EC-Council
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
Digit Oktavianto
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
Ben Boyd
 
Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018
Christopher Korban
 
Dark Web and Privacy
Dark Web and PrivacyDark Web and Privacy
Dark Web and Privacy
Brian Pichman
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
Dmitriy Scherbina
 
Getting started with using the Dark Web for OSINT investigations
Getting started with using the Dark Web for OSINT investigationsGetting started with using the Dark Web for OSINT investigations
Getting started with using the Dark Web for OSINT investigations
Olakanmi Oluwole
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
seadeloitte
 
6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat Intelligence6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat Intelligence
Sirius
 
Social Engineering
Social EngineeringSocial Engineering
Social Engineering
primeteacher32
 
Cyber crimes and their prevention
Cyber crimes and their preventionCyber crimes and their prevention
Cyber crimes and their prevention
Ansar Gill
 
Cybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecurityCybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecurity
sommerville-videos
 
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansEvolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Christopher Korban
 
Cyber Security Awareness Session for Executives and Non-IT professionals
Cyber Security Awareness Session for Executives and Non-IT professionalsCyber Security Awareness Session for Executives and Non-IT professionals
Cyber Security Awareness Session for Executives and Non-IT professionals
Krishna Srikanth Manda
 
Deep Dark Web - How to get inside?
Deep Dark Web - How to get inside?Deep Dark Web - How to get inside?
Deep Dark Web - How to get inside?
Anshu Prateek
 
Cybercrime
CybercrimeCybercrime
Cybercrime
Vasiliki Zioga
 
Cyber security training
Cyber security trainingCyber security training
Cyber security training
Wilmington University
 
Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3
CTIN
 
An Underground education
An Underground educationAn Underground education
An Underground education
grugq
 
UN Presentation - 10-17-2018 - Maccaglia
UN Presentation - 10-17-2018 - MaccagliaUN Presentation - 10-17-2018 - Maccaglia
UN Presentation - 10-17-2018 - Maccaglia
Stefano Maccaglia
 

Más contenido relacionado

La actualidad más candente

Denial of service attack
Denial of service attackDenial of service attack
Denial of service attack
Kaustubh Padwad
 
6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat Intelligence6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat Intelligence
Sirius
 
Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3
CTIN
 

La actualidad más candente (20)

A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attack
 
Red Team vs. Blue Team
Red Team vs. Blue TeamRed Team vs. Blue Team
Red Team vs. Blue Team
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
 
Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018
 
Dark Web and Privacy
Dark Web and PrivacyDark Web and Privacy
Dark Web and Privacy
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
 
Getting started with using the Dark Web for OSINT investigations
Getting started with using the Dark Web for OSINT investigationsGetting started with using the Dark Web for OSINT investigations
Getting started with using the Dark Web for OSINT investigations
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat Intelligence6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat Intelligence
 
Social Engineering
Social EngineeringSocial Engineering
Social Engineering
 
Cyber crimes and their prevention
Cyber crimes and their preventionCyber crimes and their prevention
Cyber crimes and their prevention
 
Cybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecurityCybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecurity
 
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansEvolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
 
Cyber Security Awareness Session for Executives and Non-IT professionals
Cyber Security Awareness Session for Executives and Non-IT professionalsCyber Security Awareness Session for Executives and Non-IT professionals
Cyber Security Awareness Session for Executives and Non-IT professionals
 
Deep Dark Web - How to get inside?
Deep Dark Web - How to get inside?Deep Dark Web - How to get inside?
Deep Dark Web - How to get inside?
 
Cybercrime
CybercrimeCybercrime
Cybercrime
 
Cyber security training
Cyber security trainingCyber security training
Cyber security training
 
Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3
 

Similar a An Underground education

powerpointpresentThreat Actor Groups.pptx
powerpointpresentThreat Actor Groups.pptxpowerpointpresentThreat Actor Groups.pptx
powerpointpresentThreat Actor Groups.pptx
deveraralph2
 
Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?
Raffael Marty
 
Airport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyAirport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthy
Russell Publishing
 
module 3 Cyber Risks and Incident Management.pptx
module 3 Cyber Risks and Incident Management.pptxmodule 3 Cyber Risks and Incident Management.pptx
module 3 Cyber Risks and Incident Management.pptx
Gautam708801
 
Ethical hacking a licence to hack
Ethical hacking a licence to hackEthical hacking a licence to hack
Ethical hacking a licence to hack
Dharmesh Makwana
 
Whitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-badWhitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-bad
banerjeea
 

Similar a An Underground education (20)

An Underground education
An Underground educationAn Underground education
An Underground education
 
UN Presentation - 10-17-2018 - Maccaglia
UN Presentation - 10-17-2018 - MaccagliaUN Presentation - 10-17-2018 - Maccaglia
UN Presentation - 10-17-2018 - Maccaglia
 
powerpointpresentThreat Actor Groups.pptx
powerpointpresentThreat Actor Groups.pptxpowerpointpresentThreat Actor Groups.pptx
powerpointpresentThreat Actor Groups.pptx
 
Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?
 
Airport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyAirport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthy
 
Be Prepared: Emerging Cyber Security Threats, Vulnerabilities and Risks on Ca...
Be Prepared: Emerging Cyber Security Threats, Vulnerabilities and Risks on Ca...Be Prepared: Emerging Cyber Security Threats, Vulnerabilities and Risks on Ca...
Be Prepared: Emerging Cyber Security Threats, Vulnerabilities and Risks on Ca...
 
Social engineering
Social engineering Social engineering
Social engineering
 
PACE-IT, Security+3.3: Summary of Social Engineering Attacks
PACE-IT, Security+3.3: Summary of Social Engineering AttacksPACE-IT, Security+3.3: Summary of Social Engineering Attacks
PACE-IT, Security+3.3: Summary of Social Engineering Attacks
 
module 3 Cyber Risks and Incident Management.pptx
module 3 Cyber Risks and Incident Management.pptxmodule 3 Cyber Risks and Incident Management.pptx
module 3 Cyber Risks and Incident Management.pptx
 
Unit-2 ICS.ppt
Unit-2 ICS.pptUnit-2 ICS.ppt
Unit-2 ICS.ppt
 
Ethical hacking a licence to hack
Ethical hacking a licence to hackEthical hacking a licence to hack
Ethical hacking a licence to hack
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering
 
Hacking presentation
Hacking presentation Hacking presentation
Hacking presentation
 
Ethical Hacking by Krutarth Vasavada
Ethical Hacking by Krutarth VasavadaEthical Hacking by Krutarth Vasavada
Ethical Hacking by Krutarth Vasavada
 
1-Domain ComTIA Security+.pdf
1-Domain ComTIA Security+.pdf1-Domain ComTIA Security+.pdf
1-Domain ComTIA Security+.pdf
 
Cyber Crime.ppt
Cyber Crime.pptCyber Crime.ppt
Cyber Crime.ppt
 
Unit 2
Unit 2Unit 2
Unit 2
 
Unit 2
Unit 2Unit 2
Unit 2
 
Whitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-badWhitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-bad
 

Último

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Último (20)

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 

An Underground education

  • 1. An Underground Education Lessons in Counterintelligences from History’s Underworld @thegrugq
  • 4. Processes of CI Basic Denial Adaptive Denial/Insight Covert Manipulation
  • 6. Prevent the transfer of information to the adversary Primarily proscriptive Don’t engage in some behavior Enough for basic survival
  • 7. OPSEC STFU COMSEC Vetting members to prevent penetrations examples
  • 8. The first breach of security occurs when the opposition becomes aware that information worthy of targeting exists. Counterintelligence: Theory and Practice After the adversary knows there is something to look for, then the game begins. You can’t go back underground. :(
  • 10. Insight into oppositions techniques/processes Develop countering tactics Analyze security posture for weaknesses Develop remediations Ongoing process Dual pronged approach. On the one hand, learn how the adversary works and attempt to work around those strengths/capabilities On the other, look at organisational weaknesses and address them. Iterative. Best if there is a penetration into the adversary to monitor how they function
  • 11. Adjust to remedy unique vulnerabilities and/or adversarial strengths Greatly benefits from access to adversarial know- how Active penetrations of the adversary are very useful here Colombian narco traffickers used court discovery heavily to discover the Tactics, Techniques and Procedures of the adversary The PIRA started to do the same thing later in their struggles, forcing the .gov to reveal details
  • 13. Provide the adversary with false information Deceive the adversary into taking futile action Deceive the adversary into not taking action Mostly irrelevant for hackers Misdirection could be valuable, maybe. Adversary has multiple channels for receiving information, have to send fake signals down them all. HUMINT, technical penetrations, open source INT, etc. etc.
  • 14. Intelligence Threats The capabilities of the adversary are described as “intelligence threats”, that can be used to gain information about the agency.
  • 17. Intel Lingo: penetrations Recruited Inserted Most serious threat HUMINT is the biggest threat. Many sources, from forcing someone to “turn state’s evidence”, to undercover operation, to recruiting someone in place/defections... lulzsec’s collapse ultimately stems from a single individual leaving Anonymous and dumping IRC logs in public.
  • 19. Wiretaps, etc Trojans and monitoring software Video / audio surveillance An increasing threat See: media reports of legal trojans FinSpy, etc.
  • 21. Passive observation from local population Dedicated active surveillance teams Not really a threat for hackers or professional thieves
  • 23. Media coverage creates an OSINT footprint Can be dangerous for hackers Raises profile which draws adversarial attention
  • 24. Contributing Factors Factors that contribute to the groups CI strengths and vulnerabilities.
  • 25. Organizational structure Controlled territory Popular support Adversarial capabilities Resources
  • 27. Hierarchical vs. Flat Flat can react faster Hierarchical can enforce good practices Flat leads to poor compartmentation Hierarchical increase value of high level penetrations
  • 28. Tight vs. Loose Loose, each node has a unique CI signature, harder to attack efficiently Tight, can enforce CI discipline better Loose, can have poor practices and CI resources Tight can be rigid, introducing systemic CI vulnerabilities Tightly controlled organisations react slowly and can develop rigid CI practices. This means they’re exploitable.
  • 30. Area safe from adversarial intelligence gathering Reduces incentives to develop robust CI posture We’ll see that later, with China and Russia.
  • 32. Active support from the population Housing, food, etc Passive support from the population Don’t report activity to the adversary Not really an issue for hackers, but thieves faced a hostile population.
  • 34. Highly capable adversary Strong intelligence capabilities Experienced and knowledgeable Low capability adversary Floundering reactionary moves that are ineffective and make people angry
  • 36. Adversarial resources available for Performing intelligence gathering Analysis Follow up actions Agency resources for counterintelligence Dedicated CI team(s)
  • 37. Organizational Learning The way that adversarial groups learn and adjust to each other’s behaviour is well studied. It is a subset of Organizational Learning -- Competitive adaptation.
  • 38. Competitive Adaptation The way these factors and processes interact is called competitive adaptation, as two adversarial groups learn from and adjust to each other’s strengths and capabilities
  • 40. Competitive Adaptation Organizations are superior to individuals Can afford some losses and still recover Deeper experience base to draw from (more metis)
  • 41. Setbacks lead to sense-making and recovery Damage Assessments Adaptive Denial Setbacks - flaps in “Intel Speak”
  • 42. Professional Thieves Perfectly suited for their time, failed to exhibit adaptive denial and learn from competitive adaptation. They were darwinialy selected out of modern society. The lesson here for hackers is simple, either adapt where the thieves didn’t or enjoy your fading golden years...
  • 43. Professional Thieves Historical class of professional grifters From 1890s to 1940s in America Self identify as thieves (honorific) Thieve argot used to demonstrate membership A large community of practice
  • 44. Thieves Con men Long con, short con Cannons (pickpockets) Boosters (shoplifters)
  • 45. Organizational Structure Flat Loose Small “mobs” with great indivudual variation Autocratic groups survive better than democratic groups in the face of adversarial competition
  • 46. Controlled Territory Operating inside “fixed” towns Small meeting rooms
  • 47. Popular support None Relied on high level penetrations of law enforcement apparatus
  • 48. Professional Thief Assets Core skill was “larceny sense” Experience derived cunning Access to fixers and fences Social network with memory for vetting members Example tale of two thieves in boosting from a store. Thief A doesn’t get the alert from B, has item in suitcase already, sees shopkeeper, approaches and demands to see the manager. Is taken to manager, while B collects suitcase and leaves. Thief A is then confused, and walks out.
  • 49. Rules for effective thievery Steal an item at a time Stash it at a drugstore or restaurant Mail it back home to a friend Never keep it at home / in car Never grift on the way out
  • 50. Rules, cont. Never draw attention to a working thief Never fail to draw attention to an adversarial threat Failsafe triggers to indicate problems, i.e. arrest Lots of codes and signs - “nix” for coppers around, changing the conversation to prevent people - always punctual to meetings, only reason to be late is arrest - mob will break up - always call someone at fixed time at end of day, on failure they assume arrest and search
  • 51. Strict rules against informants (“rats”) Violent retaliation against “rats” was sanctioned “A professional thief will never say anything dangerous, and someone who is not a professional thief doesn’t know anything dangerous to say”
  • 52. Heavy investment in fixers to limit handle problems Little/No adaptive denial capabilities Adversary maintained fixed capabilities No competitive adaptation After the adversary changed their game, lost the corruption and the “old style police work”, the professional thieves day’s were numbered. The environment became too hostile to support them in number.
  • 54. Organizational Structure Flat hierarchy No commanders Loose group structure Individuals pool resources, but act on their own
  • 55. Controlled Territory Nation state protected hackers Russia, China, etc. Political protection: e.g. USA hacking Iran Secure private servers and channels Unmonitored information transfer
  • 56. Popular Support Not relevant Cyberspace is not a “space” Support requires knowledge Who, what, etc.
  • 58. Basic Denial Vetting of members Pseudonymity Limited compartmentation Internal to a group But.. gossip spreads far and fast
  • 59. Adaptive Denial Limited sensemaking from colleagues’ busts Over reliance on technical protections No case, ever, of a hacker penetration of LEO Resulting in actionable intel to adapt
  • 60. Covert Manipulation Occasional poor attempts at framing others ProFTP AcidBitches hack Nation state level, certainly happens False flag attacks What is the cost of a VPS in Shanghai?
  • 61. Hacker Community of Practice Informal community Social groups connected via social mediums Sharing of metis via formal and informal means Zines, papers, blogposts, chats
  • 62. Communities of Practice Three main hacker communities English Russian Chinese Clustered by language of information exchange
  • 63. Communities of Practice Operate inside controlled territory Russian Chinese Operate in hostile environment English Interesting that 2/3 communities are operating in controlled territory, where they have carte blanche to operate, provided they avoid antagonizing the local authorities.
  • 64. Comm of P. CI Controlled territory provides protection against adversarial intelligence collection Discourages robust operational security practices Hostile environments force adaptation Darwinian selection
  • 65. Favorable elements in any operational situation should be taken advantage of, but not by relaxing vigilance and security consciousness. Soviet doctrine on clandestine operations https://www.cia.gov/library/center-for-the-study-of-intelligence/kent-csi/vol9no1/html/ v09i1a06p_0001.htm
  • 66. Learning Disabilities Hacker communities of practice have severe learning disabilities Incurious about why colleagues got busted No lessons learned No damage assessment
  • 67. Learning Disabilities Hacker groups are too compartmented for info sharing Not compartmented enough to prevent intelligence collection
  • 69. Identity Operational secrets When How Critical Secrets These are the things that hackers most need to be concerned about.
  • 70. Hacker CI Focus on Basic Denial Create virtual controlled territory Political cover for hacking