This document discusses the concepts of swarm intelligence and hive networks in the context of cybersecurity. It provides examples of how botnets have begun to utilize swarm behaviors by removing centralized command and control servers. This allows for botnets to operate in a more decentralized and autonomous manner. The document also discusses how security strategies need to evolve from static boundary defenses to more agile micro and macro segmentation approaches that emulate hive defense strategies found in nature. Specifically, the integration of security solutions and intelligence sharing is presented as a way to coordinate defenses against advanced persistent threats that utilize swarm and hive-like tactics.

1. SESSION ID:
#RSAC
Derek Manky
ORDER VS. MAD SCIENCE
ANALYZING BLACK HAT SWARM
INTELLIGENCE
HT-W02
Global Security Strategist
For>net, Office of CISO
/in/derekmanky

2. WAR GAMES
The Rise of the Machines

3. #RSAC
§ Experimental self-replica>ng program
§ WriJen in 1971 to demonstrate a ‘mobile’ applica>on
§ Infected DEC PDP-10 computers running TENEX OS
§ Just 1 year aQer Unix ‘Epoch Time’ began
§ ‘Reaper’ worm created in ‘72 to delete it
1 January 1970 00:00:00 GMT à Epoch >mestamp 0
1971: Creeper – The First Computer Virus

4. #RSAC
COMPOUNDED CYBERCRIME
Evolving AJack Capabili>es
Threat Landscape
CRIMEWARE PRODUCERS
Source Code
Junior Developers
Copy & paste
Senior DevelopersExploits Packers Special
Pla^orm
s
Mobile
CRIME SERVICES ENABLERS
Quality Assurance
Crypters / Packers
Scanners
HosMng
Infec>ons / Drop Zones
Management
Botnet Rentals
Installs / Spam /
SEO / DDoS
Money Mules
Accounts Receivable
ConsulMng
Affiliates
Criminal
OrganizaMons
Sales, Licensing,
Maintenance
Partnerships
Affiliate Programs
FakeAV / Ransomware / Botnets
VicMms
Bank
Accounts
Creden>als
& Data
Digital Real
Estate

5. #RSAC
SPEED KILLS: SWARM BOTNETS
AcceleraMng the ATack Chain
Hit Me With Your Best Shot – Fire Away

6. #RSAC
Swarm – Individual Survival Using the Group
Starlings flock toward dusk in order to avoid predators…
create a ‘murmuring’
Collec>ve behavior
exhibited by en>>es,
par>cularly animals
Similar size or
same species
Aggregate together,
usually moving together
in some direc>on
Ants build resiliency through cooperaMve structures or
mass defense / aTack strategies

7. #RSAC
Other Biomechanical Examples
of Swarm Behavior
Stock trading is o`en irraMonal relaMve to the underlying value of a
company due to swarm behavior
Group behavior can be radically different
from individual behavior
Humans also Behave in Swarm Fashion
Old saying – a person is
smart, a crowd is not
Tend to exhibit swarm
behavior depending on
situa>on
Aggregate and size of
grouping determines
behavior

8. #RSAC

9. #RSAC
EXFILTRATION 5
GATHER 4
EXPAND3
BREAK-IN2
PLANNING1
• Deliver remote exploits and
malware
• Establish backdoors for
commands
• Iden>fy and collect
sensi>ve data
• Staging Server
• Research target
• Build or Acquire Tools
• Test tools + detec>on
The Accelerated AJack Chain
Automa>on & Swarm Decrease TTB (Time to Breach)
• Move laterally to increase
system access
• Stronger Foothold
• Data exfiltra>on through
command and control services to
external network
SURVIVE… Or PROFIT?
6

10. #RSAC
• Shodan is a search engine that indexes open ports and services
• AJacker Queries Shodan
• AJacker uses a list of known exploits to aJack known IoT and other
systems based on indexed queries given by Shodan
• AJackers then aJacks IoT or vulnerable systems directly bypassing
per miter security features gaining a foothold into internal networks.
Autosploit – Building Swarms

11. #RSAC
Autosploit Workflow
Autosploit
Interface
Shodan
Query
Gather Known
Vulnerabili>es
Indexed by
Shodan
Launch
and run
exploits
1. Attacker launches Autosploit script
2. Autosploit queries Shodan for known
exploits
3. Autosploit uses intelligent matching
(optional) to match additional exploits
to ports and services
4. Autosploit configures metasploit as
a “reverse listener” to launch an
attack to a victim.
5. Victim connects back to the
attacker’s Autosploit, allowing (many
times) for the attacker to bypass
security measures

12. #RSAC
Problems with Autosploit
Easy to launch
No real skills needed
No discrimina>on between hosts
Uses dangerous exploits that may crash/destroy sytems
Shodan
Shodan uses hive func>ons by looking for similar systems with similar func>ons
Categorizes vulnerabili>es
Allows users to search for vulnerable systems that are live

13. [ AUTOSPLOIT DEMONSTRATION ]

14. #RSAC
Botnet Building Blocks
Typical Botnet Components
AJacker
(botmaster, herder)
C&C Server Zombies Vic>m / target Communica>ons
channels
AJacker Control Server Botnet AJach Nodes Vic>m
Ini>ate AJack AJack Traffic

15. #RSAC
Blackhat Swarms – Removing the C2
Next GeneraMon Botnet 3.0: Swarm
What if Botnets could u>lize swarm intelligence?
§ Largely Accelerated AJack Chain
§ Human Out of Loop
§ Strengthened Blackhat Hive
Botnet AJach Nodes Vic>m
AJack Traffic
Satori Botnet example
§ If camera is hacked or under stress it skips the
system if beJer targets are found (pheromones)

16. #RSAC
Frankenstein Malware
§ Localized swarm behavior – code building blocks
from legi>mate running processes
§ Seman>c Blueprint contains malware goals
§ Malware scans for exis>ng underlining code in
memory
§ Malware uses pieces of code from various
programs to create new malware
§ Lua gives flexibility, add code
§ Debug in real->me

17. #RSAC
Hajime Precursor
• Intelligent IOT Botnet – Nine Pla^orms + x86
• TR-069 Exploit (MSSP/Telco Control)
• First detected October 25, 2016
• 30,000+ detec>ons per day (For>Guard)

18. #RSAC
Hajime Precursor
• Hajime, a mul> pla^orm worm with a decentralized C2 (First known IOT)
• IoT is the target, basically any pla^orm that runs busybox
• ARMv5-7, MIPS LiJle endian, Intel x86-64
Once ini>ally infected will
randomly probe for other
devices
If found a telnet port open it
will try to brute for logins
Once inside a couple of
commands are issued
These commands are used
to further iden>fy the
enviroment
$ enable
$ system
$ shell
$ sh
$ /bin/busybox ECCHI
Once iden>fied the target
architecutre, binaries for
that pla^orm are
downloaded from the
aJacking host
# echo -ne
"x7fx45x4c
x46x01x01x01x00x00x00x00x00x00x00x00x00x02x00x28x00x01x0
0x00
x00x54x00x01x00x34x00x00x00x44x01x00x00x00x02x00x05x34x0
0x20x00x01x00x2
8x00x04x00x03x00x01x00x00x00x00x00x00x00x00x00x01x00"
> .s; /bin/busybox
ECCHI
# echo
The purpose of this piece of
code which is basically piped
in hexadecimal through the
network and dumped to a
local file and then executed
is to download the stage2
The download of the stage 2
begins, which is the botnet
comminica>on part, using
encrypted trackerless
torrent uTP
# unlink file
AQer all Hajime deletes itself
from the filesystem, having
footprint in memory only

19. #RSAC
Hide and Seek
• Second known decentralized P2P IOT botnet
• Swarm characteris-cs
• Known exploit to spread to TP Link routers
• Confirmed Capabili>es
• AMD x64, ARM
• Brute force aJacks
• Target addi>on to random list
• File retrieval commands through P2P nodes
• Peer request-response model
• ‘i’ request à ‘I’ response
• ‘h’ request à ‘H’ response
• ‘z’ request à ‘O’ response
• ‘~’ request à ‘^’ response

20. #RSAC
Hide and Seek
Fig 1: HNS Adds firewall rule to allow traffic
on UDP port for P2P
Fig 3: P2P communicaMon traffic captured, retrieving ELF files
Fig 2: Scanning for next vicMms
Fig 4: List of supported run Mme commands

21. #RSAC
Hide and Seek
'e' + IP:PORT's' + path
‘m<data’ ßà Y<data>’
2) Target is identified by swarm
3) Target is swarmed, penetrated
4) File information leaked
through swarm (IP, etc)
1) Seed the Swarm Autosploit)

22. #RSAC
ORDER: HIVE NETWORKS (HIVENETS)
All Your Bots are Belong To Us
Building a Cohesive Security Fabric

23. #RSAC
Hive – Group Survival Using the Individual
Elephants, Meercats, and even humans ac>ng as a corpora>on
Decentralized,
mul>component
mind
Displayed by
social insects and
some animals
Individual is the
lowest cell unit
Quickly dies if
individual
becomes
separated
Many animals
display forms of
this behavior…

24. #RSAC
Hive – Group Survival Using the Individual
Bees: individual = simplis>c
• As a group the intelligence rises
• Individuals responsible for jobs
• Complex communica>on and
rituals
• Sub-groups have specific roles
such as food gathering, digging,
feeding pupae, cleaning
• All will act in defense of aJack
Example – complex sub-group communicaMons
Circular = nearby food Tail wag = far away food

25. #RSAC
Is Cloud a Hive?
Cloud
• More of an extension of the hive
• As a component it is oQen like a sub-group
• Serves a func>on to infrastructure, resources
• Connects worker nodes and extends func>onality
• Example: cloud-based security solu>ons such as
sandbox, web content filtering, others
Hive
• Decentralized, mul>component
• Group is intertwined through individuals
• Individual is the lowest cell unit
• Unable to act sufficiently as a stand-alone Quickly

26. #RSAC
Hive Defense Strategy

27. #RSAC
Hive Defense Strategy

28. #RSAC
Cyber Threat Alliance
Integra>on of CTA Intelligence into Mul>ple Vendors (Swarm)
FOUNDING MEMBERS AFFILIATE & CONTRIBUTING MEMBERS
“The best way to combat the negative impact of cybercriminals and best protect our customers is
through cooperation and partnership based on actionable intelligence from diverse sources.”
Ken Xie, founder, chairman of the board and CEO, Fortinet

29. #RSAC
ex·pert sys·tem
noun
COMPUTING
a piece of soQware programmed using ar>ficial
intelligence techniques. Such systems use databases of
expert knowledge to offer advice or make decisions in
such areas as medical diagnosis and trading on the stock
exchange.
Advanced Solu>ons for Swarm

30. #RSAC
Advanced Solu>ons for Swarm: AI An>-Malware
MALICIOUS
CLEAN
OUTPUT
L J
INPUT
RAW SAMPLES
Feature Set Improvements
§ Quality
§ Stabilized Number
§ Weigh>ng Confidence
ConMnued Accuracy to
a High Degree of
Confidence
FEATURESQuan>ty
Quality

31. #RSAC
YESTERDAY’S PRIMARY STRATEGY:
STATIC BOUNDARY SECURITY
SWARM STRATEGY:
AGILE MACRO AND MICRO SEGMENTATION
IoT
Mobile
Windows
Mac
Visibility,
Control,
Consistency
100G
5G
Private
Campus
Core
WAN
Access
Public

32. #RSAC
IoT
Mobile
Windows
Mac
Visibility,
Control,
Consistency
100G
5G
SWARM STRATEGY:
AGILE MACRO AND MICRO SEGMENTATION
Public
Private
Campus
Core
WAN
Access

33. #RSAC
Recon
Delivery
Exploit
C & C
Internal Recon
Maintain
Accelerated AJack Chain Defense: Hive Defense in Kill Chain
Protect Detect Disrupt Degrade Deceive Contain
LOWRISKHIGH
NG Firewall
AV, IPS,WF,
Botnet
Mail
Security
Advanced Threat ProtecMon
Framework
(Sandbox Technology working with FW, Endpoints, Mail, WAF)
Database Monitoring and MulM-AuthenMcaMon
Internal SegmentaMon Firewalls – Architecture

34. #RSAC
Following Through
§ Next week you should:
§ Think about your hive – where is it located (distributed, centralized, etc)
§ In the first three months following this presentaMon you should:
§ Iden>fy cri>cal assets, resources within your hive
§ Within six months you should:
§ Create an orchestrated security model that is your hive defense
§ Integra>on of security devices vs. kill chain
§ Consider AI solu>ons vs. zero day code
§ Shared, ac>onable intelligence between security solu>ons
§ Think about how to repurpose human admins (SOC/NOC) with such solu>ons
34

35. #RSAC
ORDER VS. MAD SCIENCE