Re: Mission

From: aaron@hbgary.com
To: greg@hbgary.com
Date: 2010-09-17 00:04
Subject: Re: Mission

Agreed, nothing really ground breaking from what you can collect through a rootkit. It's taking all that data and looking at what it can tell you about the person and what he/she is doing and what their intentions are. Can we develop a DDNA type scoring for risk behavior? So person does X and X and X and X ===== threat score of 95%. I like the paranoia meter. Screen grabs, mouse and keyboard traffic. Does someone act different when they are reviewing a document for corporate reasons than when they do it for espionage reasons? Do they make different facial expressions, different eye movements? What human factors from everything that we collect can we analyze? I think you need to do some level of pattern matching combined with maybe the human factor analysis?

Aaron

On Sep 16, 2010, at 9:57 PM, Greg Hoglund wrote:

> On Thu, Sep 16, 2010 at 6:24 PM, Aaron Barr <aaron@hbgary.com> wrote:
> OK Guys,
>
> I think I can write most of this but I need help on developing the monitor on the box that collects all of the behavioral information and then develops statistical norms across the enterprise as well as for the individual. So you have all these boxes with a rootkit monitoring file access, email communications, IM traffic. You develop norms for the organization, probably even more detailed by functional groups or sub-organizations (HR people have different patterns than developers).
>
> You bring all that data back to a central location and then flag when activity falls out of the norm by some amount over some time period.
>
> Greg: Please write about the technical details of the rootkit and what it can collect about all the different dimensions below and how it can collect and store the metadata on these dimensions so we can do statistical analysis for normal and abnormal behavior.
>
> The rootkit loads as a stealth kernel-mode base implant, which will consist of the basic driver framework and installation and removal program. Development will include an initial implant test harness. The rootkit will collect select file access, process execution with parameters, email communications, keyboard activity with a time/date stamp, network/TDI activity (and the actual network data if appropriate), and IM traffic. If detailed surveillance is required, it can be enabled to capture screenshots and construct a video stream. All traces of the rootkit installation will be removed after the initial deployment (event log, etc). Collected data will be exfiltrated over a covecoms channel to a controlling server. Communication outbound to the controlling server will emulate outbound HTTP browsing, and if possible will be burst transmitted at the same time as the user is browsing the web or using some other messaging or social media application. The outbound burst will be formatted to resemble an ad-click or some other appropriate subterfuge.
>
> Coms encryption details: Rootkit implant communications will be based on a secure cryptographic algorithm to encrypt data to and from a controlling server. The controlling server will utilize a private key to encrypt data to the implant and the implant will verify incoming commands by checking the encryption signature against the corresponding public key. The implant will generate a new public/private key pair with each connected session to the controlling server and use that key to encrypt outbound data.
>
> Screen capture and stream details: Rootkit will be able to capture the current desktop screen in a standard image format (like JPG/PNG/BMP). Also, the rootkit will be able to take sequential screenshots and stream them to form a screen capture video. Each screen frame will be compared to the previous frame and only changed pixels will be encoded and sent. Periodically a full screen frame will be sent to provide the ability to seek and synchronize viewing from any point in the timeline. Resulting frames will be compressed prior to sending to the controlling server.
>
> Note: none of the above is really that ground breaking, it's all been done with rootkits before
>
> Note: I was going to suggest we create a pattern recognition system here, and attempt to detect when the user deviates from normal behavior - however, I don't actually think that will work in practice - it will have too many false positives - also, mudge indicated they were skeptical of those systems from failures in past experience
>
> Mark/Ted: Look at what I have identified as Dimensions and make recommendations on what is stupid or what I have missed.
>
> Aaron: I will write the overall context of the insider's behavior, what we will look to correlate across the organization.
>
> -------------------------
>
> Mission: Recruited Spy in Defense Contractor ACME wants to remain as employee while continuously identifying, gaining access, collecting, and exfiltrating information on the company's contracts with the government as well as its IP on technologies developed for the government.
>
> Dimensions:
> (A) Exploration
> a. Data Stores
> b. Passive network monitoring
> c. Advertised network shares
> d. References to organization data repositories within documents
> h. Communications with other groups inside the company
> i. Use of corporate social media and collaboration technologies
> (B) Analysis of Data (identified in A) for information of interest
> a. Iterative walk of the file system (index)
> b. Identify information of interest within files
> c. Identify relevant file attributes
> d. Develop Corporate link analysis
> e. Develop Project to employee trees
> (C) Collection
> a. Pull relevant data and files back to host
> b. Cut and Paste information from accessed files or emails.
> c. Asking for people to send them digital copies of presentations
> d. Saving corporate communications
> (D) Prepare documents for exfiltration
> a. Perform finer grain analysis for information of interest
> b. Encode documents for transmission
> c. Store information in email or remotely accessible filesystem
> e.
> (E) Exfiltrate information
> a. Physically walk data off premises
> b. Transmit documents to external system
> i. Web/HTTP
> ii. E-mail
> c. Access files through VPN or remote email client.
> d. Put information on removable media
> (F) Avoid detection to permit continued mission operation
> a. Surveillance Detection Routine (SDR)
> b. Intentional self-throttling of activities used in pursuing other tasks
> c. Looking for monitoring and security capabilities within the company.
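As an added illustration, not part of the thread and not HBGary code, here is the central analysis step Aaron asks for (norms per functional group, flag a user whose daily activity falls outside them) in Python over constructed per-user daily counts. The user names, group names, counts and thresholds are all assumed for the example; the leave-one-out baseline and the "at least two features must deviate" rule are one way to keep the false positives Greg expects in check.

```python
"""Peer-group baselines with leave-one-out deviation scoring.

Added example, not HBGary code. Sketches the analysis step the thread
describes: build norms per functional group, then flag a user whose daily
activity falls outside them. Every count, name and threshold is constructed.
"""
from statistics import mean, pstdev

FEATURES = ("files_read", "shares_listed", "emails_out")

# Constructed one-day counts: (user, functional group, files_read, shares_listed, emails_out)
EVENTS = [
    ("alice", "dev", 40, 2, 15), ("bob", "dev", 35, 1, 12),
    ("carol", "dev", 42, 3, 16), ("dave", "dev", 38, 2, 14),
    ("erin", "hr", 10, 0, 30), ("frank", "hr", 12, 1, 28),
    ("gina", "hr", 9, 0, 33), ("hank", "hr", 11, 0, 31),
    ("mallory", "hr", 180, 25, 29),  # HR user walking far more files and shares than peers
]


def peer_zscores(user, events):
    """z-score of each feature against the user's own group, excluding the
    user's own record so a single outlier cannot inflate its own baseline."""
    me = next(e for e in events if e[0] == user)
    peers = [e for e in events if e[1] == me[1] and e[0] != user]
    if len(peers) < 2:  # too few peers for a meaningful norm
        return None
    zs = {}
    for i, name in enumerate(FEATURES, start=2):
        xs = [p[i] for p in peers]
        sigma = max(pstdev(xs), 1e-9)  # floor avoids division by zero on identical peers
        zs[name] = (me[i] - mean(xs)) / sigma
    return zs


def threat_score(zs, z_threshold=3.0, z_cap=5.0, min_features=2):
    """Aaron's 'X and X and X' idea as a number: positive deviations are clipped
    to z_cap and averaged into 0..100. To limit false positives the score is
    zeroed unless at least min_features exceed z_threshold on the same day."""
    if zs is None:
        return 0.0
    exceeded = sum(1 for z in zs.values() if z > z_threshold)
    if exceeded < min_features:
        return 0.0
    clipped = [min(max(z, 0.0), z_cap) for z in zs.values()]
    return 100.0 * sum(clipped) / (z_cap * len(clipped))


def rank_users(events):
    """Users ordered by score, highest first."""
    return sorted(((u, threat_score(peer_zscores(u, events))) for u, *_ in events),
                  key=lambda t: t[1], reverse=True)
```

With the constructed data only mallory scores (files and shares far above HR peers); gina's single high emails_out day exceeds the threshold on one feature and is deliberately not flagged.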