Cyber Deception: a Path Ahead for Cyber Defenders

Hello, my name is Dr. Stanley Barr, and I'm here to tell you about some pathfinding work that I have been a part of. While this is a story about MITRE work, my part started a long time ago.

In the early 1990s I was a student at the University of Lowell in Massachusetts. I worked in a lab called the Center for Productivity Enhancement, and I worked for a seasoned professor named Dr. Patrick Krolak, but to every student in the lab he was just Uncle Pat. Uncle Pat was truly a visionary, and I could go on for hours about Uncle Pat, but let me just say that there was one team project that I worked on for him that set the course of my career, and I dare say the course of my life. In that research we used expert systems, an early form of artificial intelligence, to protect computers from faults and intruders. During the course of that work I learned how vulnerable computers could be. I learned just how easy it was for intruders to access a computer, and how they could do serious damage to our university and to our world without anyone knowing until it was far too late.

Thirty years later I work at MITRE, a job I got through working for Uncle Pat, and I have teamed with some of the smartest, most dedicated engineers and scientists you will meet anywhere. Know that while I'm presenting this work, there are many people collaborating together back at MITRE to make this type of research happen. I'm just the lucky one who gets to talk about it on stage.
I've been fascinated to see how both cyber attacks and cyber security have evolved, and I have observed some things along the way that I want to share. I've observed how cheap it is for nation states to mount cyber campaigns, where the tools can be used again and again, oftentimes even against the same company. I've observed how cyber operations can be covert, how hard it can be to detect attacks, and, even after discovery, how hard it can be to attribute them back to an actor. I've observed that nation-state actors feel cyber is a safe place, a place that emboldens these actors to mount sophisticated and crippling attacks against their adversaries with little fear of being held responsible. So sit back and let me tell you some stories.

As with all good stories, this one starts with an ancient proverb, and it rings as true today as it did when it was first uttered 2,500 years ago. The Chinese military strategist Sun Tzu is quoted as saying, "If you know the enemy and you know yourself, you need not fear the result of a hundred battles." Now, I realize most of you probably don't move through your days thinking about battles and defeating enemies, but think about what that means, just for one minute. If you know your enemy and you know yourself, you need not fear. The questions are: what do these battles look like, and how do we come to know elusive cyber adversaries?
Let's fast forward to the early 2000s. I've taken just a couple of news clippings from the headlines, and it seems like there's an endless list. These highlight events from that time period. I start here as this is broadly accepted as the awakening of the whole world to the threats posed by cyber actors. In 2005 it's revealed that Chinese actors repeatedly hacked numerous U.S. networks in an operation called Titan Rain. In 2006 it's revealed that suspected Chinese attackers breached the U.S. Naval War College. In 2008 it's revealed that foreign attackers attacked the United States Department of Defense; it's claimed that this attack right here led to a whole new approach being taken by the Department of Defense. In 2008 it's revealed that foreign attackers collected emails from both of the two major campaigns; officials believe it was to understand their evolving policy positions. And in 2009 it's revealed that actors got access to the program building the United States' most sophisticated plane. This is where we found ourselves when we got some funding and were asked to look at things differently.
The headlines are one thing, but let me tell you about how this looked from the inside of a high-tech company, one that works for the United States government. We spent lots of time on things learned by others, with varying relevance to us, and it was difficult for us to find badness on our network. And yet we knew the absence of evidence wasn't the evidence of absence. With so little information on what bad guys did post-break-in, there wasn't always a clear picture on how to prepare for a possible event. So we put a lot of effort and a lot of thinking into changing the game. We wanted to stop being concerned that we would wind up being one of these headlines. We wanted the ability to use anything we learned from bad guys as a thread to pull on and learn more about them. We wanted the ability to impact and impose cost on their operations in some way, in any way.

Before I tell you what we learned, news from the last year tells me things haven't gotten any better, and this knowledge now is applicable to everyone. In 2019 it's revealed that the United States Navy and its partners are under constant cyber siege from hackers. In the spring of 2020 it's revealed that multiple Iranian actors were working together to attack the US and Israel. And just in September we learned that cyber crime actors hit a U.S. healthcare giant with ransomware. Our national security, and now our medical data, our very lives, are at stake.
Now we find ourselves here. For all of you who don't know the story of this iconic meme, it comes from a movie called The Matrix. In one scene there comes a moment when the hero is offered a choice: take the blue pill and remain in blissful ignorance, or take the red pill and have the truth revealed. For us, the blue pill is to just go about our business and not worry about cyber, let this talk wash by, leave here, go home and click on everything in every email no matter how sketchy. Since we're all at a TED event, I'll assume that we are comfortable with learning the truth. So let's pretend like we have taken the red pill, and now, just like in the movie, we go down the rabbit hole and come to terms with our new reality.

At first glance it might seem like I'm suggesting in this new reality that we are left up the creek with no paddle, but bear with me for a moment while I introduce a dam metaphor. In this metaphor the bad actors and their tools are like drops of water. The dam is our cyber defenses that we all rely on, and our private and sensitive data is like the unseen village lying downstream. The first truth in the new reality we must accept is there is an endless torrent of badness coming our way. Luckily, our defenses will stop most things. The second truth in the new reality we must accept is, like with heavy rains, in our case massive cyber attacks, some badness will always find its way through. Luckily for us, the bad guys, like water, will often try the easiest path first, and I'll give you some examples in a moment. And like with the overflowing dam, a controlled spill is the best way to release a surge of water. We just have to give the water a course, a course that steers its path away from our village. Now this might seem a little esoteric right now, so let me tell you about how this very approach was used successfully and recently by a real target in a real high-stakes contest.
Our story starts in 2016, when the Hillary Clinton campaign suffered a massive data breach. I honestly believe it caused her campaign a good amount of tumult. In France, the presidential candidate Emmanuel Macron saw what was happening, and election day was fast approaching. He feared he would be targeted in the same way, and his campaign accepted they could not stop some amount of successful hacking. And in fact they were hacked: attackers stole the equivalent of about 900 thousand pages of printed emails. Almost literally at the eleventh hour, the attackers dumped their damaging trove of data. Luckily, Macron and his campaign had taken some proactive steps. They created fake email accounts and filled them with realistic and far-fetched content. They created fake emails among real campaign workers; some of this data was so absurdly hyperbolic, not even I will repeat the content. They spammed their own users with emails, some claiming to provide usernames and passwords to both fake and real accounts. I'm assuming there was some legitimate-sounding ruse like, "Hey, can you log in and check for anything important? My phone is broken. Here's my username and password." Now, usually usernames and passwords are the holy grail for getting someone's email, so the attackers used this as their path of least resistance. This channeled the adversaries towards the places the defenders wanted them to go. When the credentials were used and the accounts were accessed, the defenders were able to see exactly what was going on, when it was happening and how it was being done. When the email dumps dropped, journalists and citizens alike started poring through. Many instantly recognized the fakes, and of course the campaign was quick to point out the most absurd ones. Even though only an estimated 20 percent of the data was fake, it immediately cast doubt on all the remaining stuff that was stolen. These simple steps helped mitigate the attackers' goals of dumping damaging materials and influencing the French election.

In that story, you're probably wondering, "Cool, Stan, but how did they steal the first email?" Honestly, I don't know. In my experience there are two very effective approaches. First, oftentimes users have weak email account passwords; I cannot caution you against this enough. Second, bad guys frequently use something called a spear phish. This is basically an email with a malicious link or attachment. Users click the thing, something bad happens, and the bad guys are off to the races.
Let me tell you a little bit about what we do at MITRE when we find something interesting. Suppose we find a suspicious email or file. We put it on a special machine, then we double-click on whatever it is. The thing does its thing, then we watch and we wait, and we hope the fun begins. When it works, it closes gaps in our intelligence. We have learned about adversary tools and tactics and procedures. Sometimes we learn what they're after and what better needs to be protected. However, it's not without risks. Let me tell you the story about MITRE's great thumb drive debacle.

We found this cool thing, and in a moment of haste the newest member of the team was told to set everything up. He was told: put the malware on the USB, put the USB in the computer, copy the malware to the desktop and double-click the malware. What happened next is a story that will never grow old. The adversary was waiting. They instantly started doing stuff, and we were watching. The bad guys took their time and they did some stuff to see where they were and what this computer was all about. Then they listed the contents of the user's folder, and boy, had we made sure there was some good stuff there. We were so hoping that they would start taking stuff and exfiltrating it, and then... then they decided to see if there were any USB drives plugged in, and time stopped for us. They had found ours. We had forgotten to take it out. They listed the files and there it was, plain as day: malware.exe. What happened next was crazy. They spent the next 30 minutes manually typing frantically and doing all sorts of crazy things to try and mask their tracks. Finally, they did something to make sure the computer would not boot again, and vanished. After we were finished being stunned (we had never seen a bad guy so angry over being caught), we popped out the drive and threw it in the bin to be reformatted. We popped in a brand new one, full of good stuff, fresh stuff, reset our trap, and we were up in a matter of minutes. We made him waste a lot of time on our fake machine. He wasn't attacking real victims; instead of just bugging out and calling it a day, he wasted all that time creating a spectacle. We made some notes, we archived our findings and moved on. We had in fact imposed costs.

Over the years we have had a lot of these engagements. We've captured hundreds of tools and hundreds of other indicators of compromise. We've run long-term operations. We know by whom and how and when certain things are done. We can extrapolate forwards and backwards about attacks. We have confidence now, not a confidence that says we'll never be hacked, but a confidence that says we are now better prepared, and we assert maybe, just maybe, the data you steal from us might not be worth using. We've shared a lot of data, both publicly and privately, to protect ourselves, our partners and the cyber community at large.
In summary, if you take one thing away from this talk, let it be: we can all, every one of us, better prepare. We can make sure there is deceptive information just lying around, so if someone gets your data, they get fake stuff too. In addition, this area needs a lot more work. We need cyber people to make scalable traps, social scientists who know how to fool the human brain, policy experts to explain why this is proper and needed. We need companies to mix it up with bad guys; when they're operating in deceptive environments they aren't stealing real data. We need people to share what they learn. In fact, share with me; I promise I will open anything you send me. Finally, let's make my Uncle Pat proud and make the bad guys question everything they take. Thank you very much for listening.
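As an added example (my own illustration, not code from the talk, from MITRE or from the Macron campaign), here is the defender's side of the decoy-credential technique the Macron story and the closing summary describe: accounts that no legitimate user ever touches are planted, so any login against them, and everything else the same source did, becomes the thread to pull on. The log line format, account names and addresses are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed decoy accounts (example values, not from the talk). Nobody
# legitimate ever logs in to these, so any use of them is a signal by itself.
DECOY_ACCOUNTS = {
    "j.renaud@campaign.example": "Autumn-Ferry-2017",
    "finance-archive@campaign.example": "Q4!ledger#Backup",
}

# Constructed webmail authentication log; the line format is an assumption.
SAMPLE_AUTH_LOG = """\
2017-05-03T22:14:07Z auth user=m.dupont@campaign.example src=203.0.113.7 result=ok
2017-05-03T22:15:41Z auth user=j.renaud@campaign.example src=198.51.100.23 result=ok
2017-05-03T22:15:59Z auth user=j.renaud@campaign.example src=198.51.100.23 result=ok
2017-05-04T01:02:13Z auth user=finance-archive@campaign.example src=198.51.100.23 result=fail
2017-05-04T01:05:40Z auth user=m.dupont@campaign.example src=198.51.100.23 result=ok
2017-05-04T08:30:00Z auth user=a.martin@campaign.example src=192.0.2.55 result=ok
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)

@dataclass(frozen=True)
class DecoyHit:
    timestamp: str
    user: str
    source: str
    result: str

def parse_log(log_text):
    """Yield (timestamp, user, source, result) for each well-formed line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ts"], m["user"], m["src"], m["result"]

def scan_auth_log(log_text, decoys=DECOY_ACCOUNTS):
    """Every authentication event against a decoy account, failures included:
    a failed attempt still proves the source holds the planted credential."""
    return [DecoyHit(*ev) for ev in parse_log(log_text) if ev[1] in decoys]

def related_accounts(log_text, hits, decoys=DECOY_ACCOUNTS):
    """Real accounts touched by any source that used a decoy: once a source is
    known to hold planted credentials, its other logins are the ones to pull on."""
    suspect = {h.source for h in hits}
    return sorted({u for _, u, src, _ in parse_log(log_text)
                   if src in suspect and u not in decoys})
```

Run against the constructed log, the scan returns three decoy events from one source, and that source's only non-decoy login (m.dupont) is the real account worth investigating.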