SlideShare une entreprise Scribd logo

An Underground education

G
grugq
Technologie
1  sur  73
Télécharger pour lire hors ligne
An Underground Education Lessons in Counterintelligences from History’s Underworld @thegrugq
Agenda Counterintelligence Processes Threats Contributing Factors Professional Thieves: CI Hackers: CI
Counterintelligence
Processes of CI Basic Denial Adaptive Denial/Insight Covert Manipulation
Basic Denial
Prevent the transfer of information to the adversary Primarily proscriptive Don’t engage in some behavior Enough for basic survival
OPSEC STFU COMSEC Vetting members to prevent penetrations examples
The first breach of security occurs when the opposition becomes aware that information worthy of targeting exists. Counterintelligence: Theory and Practice After the adversary knows there is something to look for, then the game begins. You can’t go back underground. :(
Adaptive Denial
Insight into oppositions techniques/processes Develop countering tactics Analyze security posture for weaknesses Develop remediations Ongoing process Dual pronged approach. On the one hand, learn how the adversary works and attempt to work around those strengths/capabilities On the other, look at organisational weaknesses and address them. Iterative. Best if there is a penetration into the adversary to monitor how they function
Adjust to remedy unique vulnerabilities and/or adversarial strengths Greatly benefits from access to adversarial know- how Active penetrations of the adversary are very useful here Colombian narco traffickers used court discovery heavily to discover the Tactics, Techniques and Procedures of the adversary The PIRA started to do the same thing later in their struggles, forcing the .gov to reveal details
Covert Manipulation
Provide the adversary with false information Deceive the adversary into taking futile action Deceive the adversary into not taking action Mostly irrelevant for hackers Misdirection could be valuable, maybe. Adversary has multiple channels for receiving information, have to send fake signals down them all. HUMINT, technical penetrations, open source INT, etc. etc.
Intelligence Threats The capabilities of the adversary are described as “intelligence threats”, that can be used to gain information about the agency.
Penetrations Technical Penetrations Passive Surveillance Media Exposure HUMINT, SIGINT, ... OSINT
Informants
Intel Lingo: penetrations Recruited Inserted Most serious threat HUMINT is the biggest threat. Many sources, from forcing someone to “turn state’s evidence”, to undercover operation, to recruiting someone in place/defections... lulzsec’s collapse ultimately stems from a single individual leaving Anonymous and dumping IRC logs in public.
Technical Monitoring
Wiretaps, etc Trojans and monitoring software Video / audio surveillance An increasing threat See: media reports of legal trojans FinSpy, etc.
Surveillance
Passive observation from local population Dedicated active surveillance teams Not really a threat for hackers or professional thieves
Media Exposure
Media coverage creates an OSINT footprint Can be dangerous for hackers Raises profile which draws adversarial attention
Contributing Factors Factors that contribute to the groups CI strengths and vulnerabilities.
Organizational structure Controlled territory Popular support Adversarial capabilities Resources
Organizational Structure
Hierarchical vs. Flat Flat can react faster Hierarchical can enforce good practices Flat leads to poor compartmentation Hierarchical increase value of high level penetrations
Tight vs. Loose Loose, each node has a unique CI signature, harder to attack efficiently Tight, can enforce CI discipline better Loose, can have poor practices and CI resources Tight can be rigid, introducing systemic CI vulnerabilities Tightly controlled organisations react slowly and can develop rigid CI practices. This means they’re exploitable.
Controlled Territory
Area safe from adversarial intelligence gathering Reduces incentives to develop robust CI posture We’ll see that later, with China and Russia.
Popular Support
Active support from the population Housing, food, etc Passive support from the population Don’t report activity to the adversary Not really an issue for hackers, but thieves faced a hostile population.
Adversary’s Capabilities
Highly capable adversary Strong intelligence capabilities Experienced and knowledgeable Low capability adversary Floundering reactionary moves that are ineffective and make people angry
Resources
Adversarial resources available for Performing intelligence gathering Analysis Follow up actions Agency resources for counterintelligence Dedicated CI team(s)
Organizational Learning The way that adversarial groups learn and adjust to each other’s behaviour is well studied. It is a subset of Organizational Learning -- Competitive adaptation.
Competitive Adaptation The way these factors and processes interact is called competitive adaptation, as two adversarial groups learn from and adjust to each other’s strengths and capabilities
Adverse environments breed stronger actors
Competitive Adaptation Organizations are superior to individuals Can afford some losses and still recover Deeper experience base to draw from (more metis)
Setbacks lead to sense-making and recovery Damage Assessments Adaptive Denial Setbacks - flaps in “Intel Speak”
Professional Thieves Perfectly suited for their time, failed to exhibit adaptive denial and learn from competitive adaptation. They were darwinialy selected out of modern society. The lesson here for hackers is simple, either adapt where the thieves didn’t or enjoy your fading golden years...
Professional Thieves Historical class of professional grifters From 1890s to 1940s in America Self identify as thieves (honorific) Thieve argot used to demonstrate membership A large community of practice
Thieves Con men Long con, short con Cannons (pickpockets) Boosters (shoplifters)
Organizational Structure Flat Loose Small “mobs” with great indivudual variation Autocratic groups survive better than democratic groups in the face of adversarial competition
Controlled Territory Operating inside “fixed” towns Small meeting rooms
Popular support None Relied on high level penetrations of law enforcement apparatus
Professional Thief Assets Core skill was “larceny sense” Experience derived cunning Access to fixers and fences Social network with memory for vetting members Example tale of two thieves in boosting from a store. Thief A doesn’t get the alert from B, has item in suitcase already, sees shopkeeper, approaches and demands to see the manager. Is taken to manager, while B collects suitcase and leaves. Thief A is then confused, and walks out.
Rules for effective thievery Steal an item at a time Stash it at a drugstore or restaurant Mail it back home to a friend Never keep it at home / in car Never grift on the way out
Rules, cont. Never draw attention to a working thief Never fail to draw attention to an adversarial threat Failsafe triggers to indicate problems, i.e. arrest Lots of codes and signs - “nix” for coppers around, changing the conversation to prevent people - always punctual to meetings, only reason to be late is arrest - mob will break up - always call someone at fixed time at end of day, on failure they assume arrest and search
Strict rules against informants (“rats”) Violent retaliation against “rats” was sanctioned “A professional thief will never say anything dangerous, and someone who is not a professional thief doesn’t know anything dangerous to say”
Heavy investment in fixers to limit handle problems Little/No adaptive denial capabilities Adversary maintained fixed capabilities No competitive adaptation After the adversary changed their game, lost the corruption and the “old style police work”, the professional thieves day’s were numbered. The environment became too hostile to support them in number.
Hackers
Organizational Structure Flat hierarchy No commanders Loose group structure Individuals pool resources, but act on their own
Controlled Territory Nation state protected hackers Russia, China, etc. Political protection: e.g. USA hacking Iran Secure private servers and channels Unmonitored information transfer
Popular Support Not relevant Cyberspace is not a “space” Support requires knowledge Who, what, etc.
Counterintelligence Denial, Insight, Manipulation
Basic Denial Vetting of members Pseudonymity Limited compartmentation Internal to a group But.. gossip spreads far and fast
Adaptive Denial Limited sensemaking from colleagues’ busts Over reliance on technical protections No case, ever, of a hacker penetration of LEO Resulting in actionable intel to adapt
Covert Manipulation Occasional poor attempts at framing others ProFTP AcidBitches hack Nation state level, certainly happens False flag attacks What is the cost of a VPS in Shanghai?
Hacker Community of Practice Informal community Social groups connected via social mediums Sharing of metis via formal and informal means Zines, papers, blogposts, chats
Communities of Practice Three main hacker communities English Russian Chinese Clustered by language of information exchange
Communities of Practice Operate inside controlled territory Russian Chinese Operate in hostile environment English Interesting that 2/3 communities are operating in controlled territory, where they have carte blanche to operate, provided they avoid antagonizing the local authorities.
Comm of P. CI Controlled territory provides protection against adversarial intelligence collection Discourages robust operational security practices Hostile environments force adaptation Darwinian selection
Favorable elements in any operational situation should be taken advantage of, but not by relaxing vigilance and security consciousness. Soviet doctrine on clandestine operations https://www.cia.gov/library/center-for-the-study-of-intelligence/kent-csi/vol9no1/html/ v09i1a06p_0001.htm
Learning Disabilities Hacker communities of practice have severe learning disabilities Incurious about why colleagues got busted No lessons learned No damage assessment
Learning Disabilities Hacker groups are too compartmented for info sharing Not compartmented enough to prevent intelligence collection
Lessons Learned
Identity Operational secrets When How Critical Secrets These are the things that hackers most need to be concerned about.
Hacker CI Focus on Basic Denial Create virtual controlled territory Political cover for hacking
Conclusion
Adapt or die
Thank you.

Recommandé

OPSEC for hackers
OPSEC for hackersOPSEC for hackers
OPSEC for hackersgrugq
 
My darkweb-presentation
My darkweb-presentationMy darkweb-presentation
My darkweb-presentationPaul Wilson
 
End User Security Awareness Presentation
End User Security Awareness PresentationEnd User Security Awareness Presentation
End User Security Awareness PresentationCristian Mihai
 
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili SaghafiComputer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili SaghafiProfessor Lili Saghafi
 
Cyber Security and Cyber Awareness
Cyber Security and Cyber AwarenessCyber Security and Cyber Awareness
Cyber Security and Cyber AwarenessArjith K Raj
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness TrainingDaniel P Wallace
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
Cyber Security & Hygine
Cyber Security & HygineCyber Security & Hygine
Cyber Security & HygineAmit Arya
 

Recommandé

OPSEC for hackers
OPSEC for hackersOPSEC for hackers
OPSEC for hackersgrugq
 
My darkweb-presentation
My darkweb-presentationMy darkweb-presentation
My darkweb-presentationPaul Wilson
 
End User Security Awareness Presentation
End User Security Awareness PresentationEnd User Security Awareness Presentation
End User Security Awareness PresentationCristian Mihai
 
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili SaghafiComputer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili SaghafiProfessor Lili Saghafi
 
Cyber Security and Cyber Awareness
Cyber Security and Cyber AwarenessCyber Security and Cyber Awareness
Cyber Security and Cyber AwarenessArjith K Raj
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness TrainingDaniel P Wallace
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
Cyber Security & Hygine
Cyber Security & HygineCyber Security & Hygine
Cyber Security & HygineAmit Arya
 
Detecting-Preventing-Insider-Threat
Detecting-Preventing-Insider-ThreatDetecting-Preventing-Insider-Threat
Detecting-Preventing-Insider-ThreatMike Saunders
 
The Accidental Insider Threat
The Accidental Insider ThreatThe Accidental Insider Threat
The Accidental Insider ThreatMurray Security Services
 
Incident response
Incident responseIncident response
Incident responseAnshul Gupta
 
Deception technology for advanced detection
Deception technology for advanced detectionDeception technology for advanced detection
Deception technology for advanced detectionJisc
 
Aspects of Cyber Crime theory | Criminal or a Noncriminal offense
Aspects of Cyber Crime theory | Criminal or a Noncriminal offenseAspects of Cyber Crime theory | Criminal or a Noncriminal offense
Aspects of Cyber Crime theory | Criminal or a Noncriminal offenseRohit Revo
 
Email phishing and countermeasures
Email phishing and countermeasuresEmail phishing and countermeasures
Email phishing and countermeasuresJorge Sebastiao
 
Employee Security Training[1]@
Employee Security Training[1]@Employee Security Training[1]@
Employee Security Training[1]@R_Yanus
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
Insider threat kill chain
Insider threat kill chainInsider threat kill chain
Insider threat kill chainTarun Gupta,CRISC CISSP CISM CISA BCCE
 
Wireless and mobile security
Wireless and mobile securityWireless and mobile security
Wireless and mobile securityPushkar Pashupat
 
Social Media Security
Social Media SecuritySocial Media Security
Social Media SecurityDel Belcher
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness TrainingWilliam Mann
 
Offensive OSINT
Offensive OSINTOffensive OSINT
Offensive OSINTChristian Martorella
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Stephen Cobb
 
Cyberstalking
CyberstalkingCyberstalking
CyberstalkingTrevschic
 
Cyber Security Awareness
Cyber Security AwarenessCyber Security Awareness
Cyber Security AwarenessRamiro Cid
 
WTF is Digital Risk Protection
WTF is Digital Risk ProtectionWTF is Digital Risk Protection
WTF is Digital Risk ProtectionDigital Shadows
 
Ch 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social EngineeringCh 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social EngineeringSam Bowne
 
Security Awareness Training by Fortinet
Security Awareness Training by FortinetSecurity Awareness Training by Fortinet
Security Awareness Training by FortinetAtlantic Training, LLC.
 
Cyber crime
Cyber crimeCyber crime
Cyber crimeDebayon Saha
 
An Underground education
An Underground educationAn Underground education
An Underground educationgrugq
 
UN Presentation - 10-17-2018 - Maccaglia
UN Presentation - 10-17-2018 - MaccagliaUN Presentation - 10-17-2018 - Maccaglia
UN Presentation - 10-17-2018 - MaccagliaStefano Maccaglia
 

Contenu connexe

Tendances

Detecting-Preventing-Insider-Threat
Detecting-Preventing-Insider-ThreatDetecting-Preventing-Insider-Threat
Detecting-Preventing-Insider-ThreatMike Saunders
 
Deception technology for advanced detection
Deception technology for advanced detectionDeception technology for advanced detection
Deception technology for advanced detectionJisc
 
Aspects of Cyber Crime theory | Criminal or a Noncriminal offense
Aspects of Cyber Crime theory | Criminal or a Noncriminal offenseAspects of Cyber Crime theory | Criminal or a Noncriminal offense
Aspects of Cyber Crime theory | Criminal or a Noncriminal offenseRohit Revo
 
Email phishing and countermeasures
Email phishing and countermeasuresEmail phishing and countermeasures
Email phishing and countermeasuresJorge Sebastiao
 
Employee Security Training[1]@
Employee Security Training[1]@Employee Security Training[1]@
Employee Security Training[1]@R_Yanus
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
Wireless and mobile security
Wireless and mobile securityWireless and mobile security
Wireless and mobile securityPushkar Pashupat
 
Social Media Security
Social Media SecuritySocial Media Security
Social Media SecurityDel Belcher
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness TrainingWilliam Mann
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Stephen Cobb
 
Cyberstalking
CyberstalkingCyberstalking
CyberstalkingTrevschic
 
Cyber Security Awareness
Cyber Security AwarenessCyber Security Awareness
Cyber Security AwarenessRamiro Cid
 
WTF is Digital Risk Protection
WTF is Digital Risk ProtectionWTF is Digital Risk Protection
WTF is Digital Risk ProtectionDigital Shadows
 
Ch 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social EngineeringCh 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social EngineeringSam Bowne
 

Tendances (20)

Detecting-Preventing-Insider-Threat
Detecting-Preventing-Insider-ThreatDetecting-Preventing-Insider-Threat
Detecting-Preventing-Insider-Threat
 
The Accidental Insider Threat
The Accidental Insider ThreatThe Accidental Insider Threat
The Accidental Insider Threat
 
Incident response
Incident responseIncident response
Incident response
 
Deception technology for advanced detection
Deception technology for advanced detectionDeception technology for advanced detection
Deception technology for advanced detection
 
Aspects of Cyber Crime theory | Criminal or a Noncriminal offense
Aspects of Cyber Crime theory | Criminal or a Noncriminal offenseAspects of Cyber Crime theory | Criminal or a Noncriminal offense
Aspects of Cyber Crime theory | Criminal or a Noncriminal offense
 
Email phishing and countermeasures
Email phishing and countermeasuresEmail phishing and countermeasures
Email phishing and countermeasures
 
Employee Security Training[1]@
Employee Security Training[1]@Employee Security Training[1]@
Employee Security Training[1]@
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
 
Insider threat kill chain
Insider threat kill chainInsider threat kill chain
Insider threat kill chain
 
Wireless and mobile security
Wireless and mobile securityWireless and mobile security
Wireless and mobile security
 
Social Media Security
Social Media SecuritySocial Media Security
Social Media Security
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
 
Offensive OSINT
Offensive OSINTOffensive OSINT
Offensive OSINT
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
 
Cyberstalking
CyberstalkingCyberstalking
Cyberstalking
 
Cyber Security Awareness
Cyber Security AwarenessCyber Security Awareness
Cyber Security Awareness
 
WTF is Digital Risk Protection
WTF is Digital Risk ProtectionWTF is Digital Risk Protection
WTF is Digital Risk Protection
 
Ch 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social EngineeringCh 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social Engineering
 
Security Awareness Training by Fortinet
Security Awareness Training by FortinetSecurity Awareness Training by Fortinet
Security Awareness Training by Fortinet
 
Cyber crime
Cyber crimeCyber crime
Cyber crime
 

Similaire à An Underground education

An Underground education
An Underground educationAn Underground education
An Underground educationgrugq
 
UN Presentation - 10-17-2018 - Maccaglia
UN Presentation - 10-17-2018 - MaccagliaUN Presentation - 10-17-2018 - Maccaglia
UN Presentation - 10-17-2018 - MaccagliaStefano Maccaglia
 
Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?Raffael Marty
 
Airport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyAirport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyRussell Publishing
 
Be Prepared: Emerging Cyber Security Threats, Vulnerabilities and Risks on Ca...
Be Prepared: Emerging Cyber Security Threats, Vulnerabilities and Risks on Ca...Be Prepared: Emerging Cyber Security Threats, Vulnerabilities and Risks on Ca...
Be Prepared: Emerging Cyber Security Threats, Vulnerabilities and Risks on Ca...Morakinyo Animasaun
 
module 3 Cyber Risks and Incident Management.pptx
module 3 Cyber Risks and Incident Management.pptxmodule 3 Cyber Risks and Incident Management.pptx
module 3 Cyber Risks and Incident Management.pptxGautam708801
 
Ethical hacking a licence to hack
Ethical hacking a licence to hackEthical hacking a licence to hack
Ethical hacking a licence to hackDharmesh Makwana
 
The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering OWASP Foundation
 
Hacking presentation
Hacking presentation Hacking presentation
Hacking presentation Ajith Reddy
 
Ethical Hacking by Krutarth Vasavada
Ethical Hacking by Krutarth VasavadaEthical Hacking by Krutarth Vasavada
Ethical Hacking by Krutarth VasavadaKrutarth Vasavada
 
1-Domain ComTIA Security+.pdf
1-Domain ComTIA Security+.pdf1-Domain ComTIA Security+.pdf
1-Domain ComTIA Security+.pdfShamsherkhan36
 
Whitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-badWhitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-badbanerjeea
 

Similaire à An Underground education (20)

An Underground education
An Underground educationAn Underground education
An Underground education
 
UN Presentation - 10-17-2018 - Maccaglia
UN Presentation - 10-17-2018 - MaccagliaUN Presentation - 10-17-2018 - Maccaglia
UN Presentation - 10-17-2018 - Maccaglia
 
Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?
 
Airport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyAirport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthy
 
Be Prepared: Emerging Cyber Security Threats, Vulnerabilities and Risks on Ca...
Be Prepared: Emerging Cyber Security Threats, Vulnerabilities and Risks on Ca...Be Prepared: Emerging Cyber Security Threats, Vulnerabilities and Risks on Ca...
Be Prepared: Emerging Cyber Security Threats, Vulnerabilities and Risks on Ca...
 
Social engineering
Social engineering Social engineering
Social engineering
 
PACE-IT, Security+3.3: Summary of Social Engineering Attacks
PACE-IT, Security+3.3: Summary of Social Engineering AttacksPACE-IT, Security+3.3: Summary of Social Engineering Attacks
PACE-IT, Security+3.3: Summary of Social Engineering Attacks
 
module 3 Cyber Risks and Incident Management.pptx
module 3 Cyber Risks and Incident Management.pptxmodule 3 Cyber Risks and Incident Management.pptx
module 3 Cyber Risks and Incident Management.pptx
 
Unit-2 ICS.ppt
Unit-2 ICS.pptUnit-2 ICS.ppt
Unit-2 ICS.ppt
 
Ethical hacking a licence to hack
Ethical hacking a licence to hackEthical hacking a licence to hack
Ethical hacking a licence to hack
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering
 
Hacking presentation
Hacking presentation Hacking presentation
Hacking presentation
 
Ethical Hacking by Krutarth Vasavada
Ethical Hacking by Krutarth VasavadaEthical Hacking by Krutarth Vasavada
Ethical Hacking by Krutarth Vasavada
 
1-Domain ComTIA Security+.pdf
1-Domain ComTIA Security+.pdf1-Domain ComTIA Security+.pdf
1-Domain ComTIA Security+.pdf
 
Cyber Crime.ppt
Cyber Crime.pptCyber Crime.ppt
Cyber Crime.ppt
 
Unit 2
Unit 2Unit 2
Unit 2
 
Unit 2
Unit 2Unit 2
Unit 2
 
Whitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-badWhitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-bad
 
What is cyber security
What is cyber securityWhat is cyber security
What is cyber security
 

Dernier

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 

Dernier (20)

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 

An Underground education

  • 1. An Underground Education Lessons in Counterintelligences from History’s Underworld @thegrugq
  • 4. Processes of CI Basic Denial Adaptive Denial/Insight Covert Manipulation
  • 6. Prevent the transfer of information to the adversary Primarily proscriptive Don’t engage in some behavior Enough for basic survival
  • 7. OPSEC STFU COMSEC Vetting members to prevent penetrations examples
  • 8. The first breach of security occurs when the opposition becomes aware that information worthy of targeting exists. Counterintelligence: Theory and Practice After the adversary knows there is something to look for, then the game begins. You can’t go back underground. :(
  • 10. Insight into oppositions techniques/processes Develop countering tactics Analyze security posture for weaknesses Develop remediations Ongoing process Dual pronged approach. On the one hand, learn how the adversary works and attempt to work around those strengths/capabilities On the other, look at organisational weaknesses and address them. Iterative. Best if there is a penetration into the adversary to monitor how they function
  • 11. Adjust to remedy unique vulnerabilities and/or adversarial strengths Greatly benefits from access to adversarial know- how Active penetrations of the adversary are very useful here Colombian narco traffickers used court discovery heavily to discover the Tactics, Techniques and Procedures of the adversary The PIRA started to do the same thing later in their struggles, forcing the .gov to reveal details
  • 13. Provide the adversary with false information Deceive the adversary into taking futile action Deceive the adversary into not taking action Mostly irrelevant for hackers Misdirection could be valuable, maybe. Adversary has multiple channels for receiving information, have to send fake signals down them all. HUMINT, technical penetrations, open source INT, etc. etc.
  • 14. Intelligence Threats The capabilities of the adversary are described as “intelligence threats”, that can be used to gain information about the agency.
  • 17. Intel Lingo: penetrations Recruited Inserted Most serious threat HUMINT is the biggest threat. Many sources, from forcing someone to “turn state’s evidence”, to undercover operation, to recruiting someone in place/defections... lulzsec’s collapse ultimately stems from a single individual leaving Anonymous and dumping IRC logs in public.
  • 19. Wiretaps, etc Trojans and monitoring software Video / audio surveillance An increasing threat See: media reports of legal trojans FinSpy, etc.
  • 21. Passive observation from local population Dedicated active surveillance teams Not really a threat for hackers or professional thieves
  • 23. Media coverage creates an OSINT footprint Can be dangerous for hackers Raises profile which draws adversarial attention
  • 24. Contributing Factors Factors that contribute to the groups CI strengths and vulnerabilities.
  • 25. Organizational structure Controlled territory Popular support Adversarial capabilities Resources
  • 27. Hierarchical vs. Flat Flat can react faster Hierarchical can enforce good practices Flat leads to poor compartmentation Hierarchical increase value of high level penetrations
  • 28. Tight vs. Loose Loose, each node has a unique CI signature, harder to attack efficiently Tight, can enforce CI discipline better Loose, can have poor practices and CI resources Tight can be rigid, introducing systemic CI vulnerabilities Tightly controlled organisations react slowly and can develop rigid CI practices. This means they’re exploitable.
  • 30. Area safe from adversarial intelligence gathering Reduces incentives to develop robust CI posture We’ll see that later, with China and Russia.
  • 32. Active support from the population Housing, food, etc Passive support from the population Don’t report activity to the adversary Not really an issue for hackers, but thieves faced a hostile population.
  • 34. Highly capable adversary Strong intelligence capabilities Experienced and knowledgeable Low capability adversary Floundering reactionary moves that are ineffective and make people angry
  • 36. Adversarial resources available for Performing intelligence gathering Analysis Follow up actions Agency resources for counterintelligence Dedicated CI team(s)
  • 37. Organizational Learning The way that adversarial groups learn and adjust to each other’s behaviour is well studied. It is a subset of Organizational Learning -- Competitive adaptation.
  • 38. Competitive Adaptation The way these factors and processes interact is called competitive adaptation, as two adversarial groups learn from and adjust to each other’s strengths and capabilities
  • 40. Competitive Adaptation Organizations are superior to individuals Can afford some losses and still recover Deeper experience base to draw from (more metis)
  • 41. Setbacks lead to sense-making and recovery Damage Assessments Adaptive Denial Setbacks - flaps in “Intel Speak”
  • 42. Professional Thieves Perfectly suited for their time, failed to exhibit adaptive denial and learn from competitive adaptation. They were darwinialy selected out of modern society. The lesson here for hackers is simple, either adapt where the thieves didn’t or enjoy your fading golden years...
  • 43. Professional Thieves Historical class of professional grifters From 1890s to 1940s in America Self identify as thieves (honorific) Thieve argot used to demonstrate membership A large community of practice
  • 44. Thieves Con men Long con, short con Cannons (pickpockets) Boosters (shoplifters)
  • 45. Organizational Structure Flat Loose Small “mobs” with great indivudual variation Autocratic groups survive better than democratic groups in the face of adversarial competition
  • 46. Controlled Territory Operating inside “fixed” towns Small meeting rooms
  • 47. Popular support None Relied on high level penetrations of law enforcement apparatus
  • 48. Professional Thief Assets Core skill was “larceny sense” Experience derived cunning Access to fixers and fences Social network with memory for vetting members Example tale of two thieves in boosting from a store. Thief A doesn’t get the alert from B, has item in suitcase already, sees shopkeeper, approaches and demands to see the manager. Is taken to manager, while B collects suitcase and leaves. Thief A is then confused, and walks out.
  • 49. Rules for effective thievery Steal an item at a time Stash it at a drugstore or restaurant Mail it back home to a friend Never keep it at home / in car Never grift on the way out
  • 50. Rules, cont. Never draw attention to a working thief Never fail to draw attention to an adversarial threat Failsafe triggers to indicate problems, i.e. arrest Lots of codes and signs - “nix” for coppers around, changing the conversation to prevent people - always punctual to meetings, only reason to be late is arrest - mob will break up - always call someone at fixed time at end of day, on failure they assume arrest and search
  • 51. Strict rules against informants (“rats”) Violent retaliation against “rats” was sanctioned “A professional thief will never say anything dangerous, and someone who is not a professional thief doesn’t know anything dangerous to say”
  • 52. Heavy investment in fixers to limit handle problems Little/No adaptive denial capabilities Adversary maintained fixed capabilities No competitive adaptation After the adversary changed their game, lost the corruption and the “old style police work”, the professional thieves day’s were numbered. The environment became too hostile to support them in number.
  • 54. Organizational Structure Flat hierarchy No commanders Loose group structure Individuals pool resources, but act on their own
  • 55. Controlled Territory Nation state protected hackers Russia, China, etc. Political protection: e.g. USA hacking Iran Secure private servers and channels Unmonitored information transfer
  • 56. Popular Support Not relevant Cyberspace is not a “space” Support requires knowledge Who, what, etc.
  • 58. Basic Denial Vetting of members Pseudonymity Limited compartmentation Internal to a group But.. gossip spreads far and fast
  • 59. Adaptive Denial Limited sensemaking from colleagues’ busts Over reliance on technical protections No case, ever, of a hacker penetration of LEO Resulting in actionable intel to adapt
  • 60. Covert Manipulation Occasional poor attempts at framing others ProFTP AcidBitches hack Nation state level, certainly happens False flag attacks What is the cost of a VPS in Shanghai?
  • 61. Hacker Community of Practice Informal community Social groups connected via social mediums Sharing of metis via formal and informal means Zines, papers, blogposts, chats
  • 62. Communities of Practice Three main hacker communities English Russian Chinese Clustered by language of information exchange
  • 63. Communities of Practice Operate inside controlled territory Russian Chinese Operate in hostile environment English Interesting that 2/3 communities are operating in controlled territory, where they have carte blanche to operate, provided they avoid antagonizing the local authorities.
  • 64. Comm of P. CI Controlled territory provides protection against adversarial intelligence collection Discourages robust operational security practices Hostile environments force adaptation Darwinian selection
  • 65. Favorable elements in any operational situation should be taken advantage of, but not by relaxing vigilance and security consciousness. Soviet doctrine on clandestine operations https://www.cia.gov/library/center-for-the-study-of-intelligence/kent-csi/vol9no1/html/ v09i1a06p_0001.htm
  • 66. Learning Disabilities Hacker communities of practice have severe learning disabilities Incurious about why colleagues got busted No lessons learned No damage assessment
  • 67. Learning Disabilities Hacker groups are too compartmented for info sharing Not compartmented enough to prevent intelligence collection
  • 69. Identity Operational secrets When How Critical Secrets These are the things that hackers most need to be concerned about.
  • 70. Hacker CI Focus on Basic Denial Create virtual controlled territory Political cover for hacking