"Cyber" Who Done It?! Attribution Analysis Through Arrest History


Formal Metadata

Title: "Cyber" Who Done It?! Attribution Analysis Through Arrest History
Number of Parts: 93
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
There have been over 20,000 data breaches disclosed exposing over 4.8 billion records, with over 4,000 breaches in 2015 alone. It is clear there is no slowdown at all and the state of security is embarrassing. The total cybercrime cost estimates have been astronomical and law enforcement has been struggling to track down even a fraction of the criminals, as usual. Attribution in computer compromises continues to be a surprisingly complex task that ultimately isn't definitive in most cases. Rather than focusing on learning from security issues and how companies can avoid these sorts of data breaches in the future, for most media outlets the main topic after a breach continues to be attribution. And if we are honest, the media have painted an "interesting" and varied picture of "hackers" over the years, many of which have caused collective groans or outright rage from the community. The Arrest Tracker project was started in 2011 as a way to track arrests from all types of "cyber" (drink!) and hacking related incidents. This project aims to track computer intrusion incidents resulting in an arrest, detaining of a person or persons, seizure of goods, or other related activities that are directly linked to computer crimes. The Arrest Tracker project currently has 936 arrests collected as of 4/23/2016. How does tracking this information help and what does the data tell us? A lot actually! Who is behind these data breaches and what are the demographics such as average age, gender, and nationality? Which day of the week are you most likely to be arrested? How many arrests lead to assisting authorities to arrest others? How many work by themselves versus part of a group? These observations, and a lot more, paint an interesting picture of the computer crime landscape.

Bio: Jake Kouns is the CISO for Risk Based Security, which provides vulnerability and data breach intelligence. He has presented at many well-known security conferences including DEF CON, Black Hat, DerbyCon, FIRST, CanSecWest, RSA, SOURCE, SyScan and many more. He is the co-author of the books Information Technology Risk Management in Enterprise Environments (Wiley, 2010) and The Chief Information Security Officer (IT Governance, 2011). With all of that said, many people are shocked to find out that he has a CISO title, and many others can't believe that he has been attending DEF CON since the good old days of Alexis Park!
Transcript: English(auto-generated)
So Jake is going to talk about attribution, which I can only presume is going to be exclusively about either Russia or China. So let's give Jake a big round of applause.

Thank you everyone. Great to see everyone here. I seriously don't see enough beverages in people's hands though, so maybe you should fix that. But my name's Jake. I'm the CISO for Risk Based Security. I've been doing a bunch of vulnerability and data breach intelligence stuff for quite some time. I want to also recognize Lee Johnstone for all the work and the creation of the data and everything. So the talk today is "Cyber Whodunit: Attribution Analysis Through Arrest History." We really are going to play a cyber drinking game. You guys are just going to have to get over it, because we're going to say "cyber" a ton through this talk, so any time you see in the slides that it says cyber, or you hear me say cyber, you should drink. And I only see a few beverages over here, so we'll see. And I don't care if it's beer or root beer, so no pressure.

All right, so if you look back over the last five years, data breaches just keep occurring at alarming rates, right? It's just ridiculous, the amount, and it just shows that it's not getting better. And so it doesn't matter how many blinky-light boxes we buy from security vendors, we're still just seeing a ridiculous amount of breaches. In fact, 2015 had the most breaches that we've ever tracked. When you look at how these things are occurring, there's that old 1970s thought process, I think from the FBI, that says it's the insider, right? But when you look at the data from 2015 it shows that 77% of them are actually coming from the outside. Now an insider may hurt you the worst, but in terms of likelihood it shows the outside is where it's occurring. And then when you break it down by breach type, hacking is just through the roof. So we're seeing a ton of hacking, and it's been that way the last couple of years. When you look at where it's happening, what countries the impacted organizations are in, it isn't just a USA issue, right? Now, while the USA and the UK account for 46-plus percent of the breaches, it's not just there. So it is a world issue. And year to date we still suck; we're not getting any better. Over 2,000 data breaches confirmed already, and it's the most records that we've ever lost in a single year. We're already at over 1.1 billion records lost, and we still have a couple of months to go. So, not seeing much improvement at this point.

The question we get all the time when we're tracking these data breaches is: who's behind all this stuff? Who is behind and causing all of these data breaches? It comes up all the time, specifically for the hacking events. Who's behind it? So this leads us to this whole concept of attribution. And if you try to get your head wrapped around attribution and what it really means, you can start by looking on good old Wikipedia, and that gives us a few different ideas about what attribution is in other disciplines. So in social psychology, attribution is the process of explaining the causes of behavior and events. In copyright law it's about crediting the work. In journalism it's about attribution to a source. So you start to get familiar there. Now in the cyber world we basically just want to know who did this, right? We want to know: what the hell did you just do? What actually happened? What was done? And then finally, why? Why did you do this? What are the motives? Can I have some reasons? So if you think about it, you always hear this saying, "knowledge is power," but these days it's really starting to be "attribution is power." And this seems to be the case. We want to know what's going on. Who's behind all of this stuff?

So nothing made this attribution debate and problem more clear than the Sony breach in December 2014. We should all remember the whole GOP, Guardians of Peace, post taking credit for this breach. And there was serious debate over this breach. What were the motives? Who did it? And the back and forth was so ridiculously bad that it led to a ridiculous amount of lulz from the security community. So we actually created these cyber war attribution bingo cards. They still exist; if you want them, you can go out to the website and generate your own cards and play along, and see what happens. But if you're not up for games, then there were a couple of guys that created the Sony hack attribution generator, so you can go to the website and sort of refresh to get what you want. So you go to this first one and you get the nice report here about a Sony manager behind it. I don't like that one. A Romanian organization, hmm, that's better. Well, now we have North Korea, right? Here's a nice detailed report; you can just keep refreshing. So you guys can get reports. They weren't the only one. We actually had another website created called who hacked us dot com. You can get attribution reports here. Here we get China: "Crouching Panda, Hidden Dragon," so there's your China reference starting. But if you don't want a detailed report and that's just too much, guess what? We had the industry create cyber attribution dice. So you can just roll the dice and get the answer. And why would you pay for high-priced forensics when you can just roll the dice? That's probably the best attribution you're going to get anyway. Some people weren't so thrilled about the cyber dice, and they said, you know what we need? We need a magic 8-ball. And guess what? Twitter answered. We have the attribution 8-ball. Unfortunately it hasn't been active recently, so whoever's behind this account, I'd appreciate it if you could step up your game and start tweeting out some stuff again for us. But Twitter's just not enough, so we have Duo that comes up, and they create the actual attribution 8-ball. And of course it's China, and you gotta love the pictures behind there, right? It was China, and who's showing, right? So we see that. Then we see good old SwiftOnSecurity, when we're talking about the MySpace breach and should we blame Russia or what's going on, saying hey, we need another magic 8-ball. And at this point in time, because we know the attribution 8-ball is so important, ThreatButt comes to the rescue. And so, no offense to Duo, but ThreatButt creates an attribution 8-ball, and if you don't know about ThreatButt you should, because they basically provide the maximum protection from threatening, threaty threats like China. So we're really pleased that they were able to help us out here. So thanks to ThreatButt for all your hard work.

So with all of the lulz aside, I mean, it's a serious issue. When people joke about stuff like this it's because there's something behind it, right? And the jokes are funny, but let's get back to the Sony breach and walk through it. And the point was: who did this thing? Everyone wanted to know. And for the purposes of this talk there were basically two major viewpoints. One was North Korea, and the other one was an insider, also known as "not North Korea." And so on the North Korea side we predominantly had CrowdStrike and then the FBI. And on the insider, also known as not North Korea, side we had Norse, Marc Rogers and Kim Zetter from Wired coming out with information.

So here's from Norse. Norse basically was not involved in the case itself, but they said they were doing their own investigation. They said that the Norse data was pointing towards a woman who called herself Lena and claimed to be connected with the GOP hacking group. Norse believed that they had identified the woman, who had worked at Sony in Los Angeles for about 10 years and then was involved with it. And so what comes from them is: "We are very confident that this was not an attack masterminded by North Korea." So they're coming out pretty vocal; it's not like "maybe," it's "we're pretty damn confident it's not them." Then you have Marc coming out basically saying he wasn't seeing hard evidence either, and he has some really good articles that, if you haven't read them, you should go to his website and read to better understand his point of view. But he mentioned things like the broken English that was being used for attribution looked really too deliberate. The code that was written on a PC with the Korean locale makes it actually probably not North Korea. Hard-coded paths and passwords and whatnot really did make it seem like someone knew that information from Sony, from the inside. And one of the other things that he said too was that blaming North Korea was an easy way out for people, including the security vendors that were brought in and paid, and Sony management and all that, because of the whole Interview movie and everything. It was just sort of an easy way to do it. And you can see here, even after the FBI started to come out and say it was North Korea, he was still saying, "I still don't believe that that's the case." Kim Zetter from Wired published a story saying that the evidence was flimsy. Again, a great article if you want to get some more information about it. And she basically was saying that you should be skeptical of these assertions about who's behind it. It's easy for attackers to plant these false flags or point to North Korea, and those sorts of things, and a lot of the evidence that was presented was circumstantial, right?

And then here's Dmitri from CrowdStrike. So he comes in and basically says North Korea, and that's it, North Korea, nothing else. Now what's funny is, at Black Hat I ran into Dmitri for the first time and I sort of told him, hey Dmitri, your face is going to pop up several times in my talk at DEF CON, and we sort of had a spirited debate for about an hour. He still believes it's North Korea, and that's that. Now what was also interesting was we started to see this attribution stuff go really mainstream. Here you have Marc Rogers and Dmitri on PBS doing a live debate on attribution: who did it? So we're seeing this isn't just in our industry; it's starting to come out more and more, with people trying to figure out what's going on.

So then we have Sony. This is sort of mid-December 2014. They publish a more official update and a statement basically saying that as a result of our investigation and close collaboration with other government agencies, the FBI now has enough information to conclude that the North Korean government is responsible. So, pretty definitive from the FBI. Even though that came out, we still are seeing CrowdStrike versus Norse quite a bit, and there were a few others, but those were the loudest, if you will, talking about this stuff. Actually FireEye and Mandiant, who were hired by Sony, were pretty quiet in the press. Kevin Mandia did come out and say a few things, such as that the attacks that happened in South Korea in 2013 were very similar to what was being used for Sony, so they attributed those 2013 hacks to North Korea, and therefore it was North Korea behind this.

So at RBS we were actually documenting this whole thing, and we've got this big article, a breakdown of it, trying to track everything that was going on, and we started to think: you've got CrowdStrike and you've got Norse, these two ridiculously VC-funded companies, the hottest in threat intelligence, with ridiculously polar opposite positions, "it's an insider" and "this is North Korea," and they were both sort of arguing. So it made us start to think about these bold statements. If you make this bold statement and it turns out to be wrong, does it mean that the intelligence you sell sucks? Can't be trusted, right? You come out and say "oh, this is definitely it," and then it's proven wrong; is your product any good? So what we see happen is, in January, so all that stuff's going on in December 2014, then we see the FBI come out and again say, hey look, it definitely is North Korea behind this. A week or so after that update, then we see Krebs come out and say that there are some rumors that Norse is about to implode. And they're the ones, remember, that said it was an insider, not North Korea. Whether that has to do with it or not, it's quite interesting. Further on that, in March of 2016 you can see this tweet, "Sadness Defined": this is the RSA booth. It looks like they threw down a huge amount of money for a booth, and then it was this kind of deserted, smaller thing. So, not so good. And everyone was immediately worried: we're going to lose the live attack map, and while most people that I know couldn't care less about that, they like showing it to management to get more budget, right? Like, look at this, we get serious stuff in cyber, we need help. But the good news is we have good old ThreatButt that's come back to help us again. Seriously, right? The ThreatButt Internet Hacking Attack Attribution Map. And you can see here, by leveraging the patented Clown Strike technology, they've made it even better. So they did give credit to Pew Pew, but they make all the threat stuff better.

All right, so why is this attribution stuff so hard? It's actually even hard to put into words, and there are people that are going to disagree; if you're in this space I'm sure you're already upset at me or tweeting me bad things or whatever, but the reality is it's still challenging. So I want to put out a few things on why attribution in cyberspace is a little tricky. A lot of the attributes that you typically see in the real world just don't exist in the cyber world. So that sort of hardcore CSI forensics investigation work just isn't as possible. It's considered to be easy to spoof some of these things, plant these things. It's considered to be easy to embed other people's work, tools, exploits, malware. Just because you see this sample in this particular attack doesn't mean it was the exact same person; someone could have easily taken that code. Now, people in this space will get a little snippy sometimes and say, well, if the source code wasn't available there was no way it could have been found. There are lots of debates about this stuff, but it makes it challenging. And then there's that whole concept of not having a physical territory. Some markers that you'll hear in the cyber warfare world, or the traditional warfare world, like an assembly zone, boundaries that are crossed, being able to track things back specifically like a missile launch, all those sorts of things just don't really exist in cyberspace.

And honestly, I have so many slides to get through, because as I'm working on this talk there's just more and more shit happening. So then we have the DNC that gets hacked. And it's actually so bad that Jeff and Black Hat have to decide they've got to raise some money for them to get better at security, it seems. Anyway. So this one, we have the issue, and then we have Guccifer 2.0 that comes out and takes credit for the breach. So now we're starting to look at attribution in terms of taking credit for it. And if you know anything about the original Guccifer, it was a Romanian man who hacked lots of high-profile government accounts, claimed to hack Hillary's private email servers, all those sorts of things. And Guccifer 2.0 goes on to say that Guccifer may have been the first one who penetrated Hillary's and other Democratic mail servers, but he certainly wasn't the last; no wonder any other hacker could have easily got into these DNC servers. So then again, now we go immediately in the press to, all right, cyber attribution, and questions there. And so everyone's immediately trying to figure out who did this, and it seems like an absolute broken record, and Dmitri's back. So he's back, and CrowdStrike tells us this time it's Russia. Now what's interesting for this one, it's a little bit different than the Sony one. There were a lot of people sort of arguing on both sides on the Sony one, but so far most people seem to agree and are saying that it's Russia in this particular case. Actually, the only one so far that I've seen that hasn't said it was Russia was Donald Trump, who was being interviewed and said something like, "Russia, Russia, eh, it's probably China." So now China's somehow brought in, allegedly. But here we actually have Fidelis, another security company, and they came out and basically said they are also very confident that it's Russian actors, and what they said that was due to is that they looked at the code: there was use of the Russian-alphabet keyboard, and the time zone some of the malware was compiled in, and those sorts of things. They also went on to say that the evidence pointing to Russia was so convincing it would have been a very elaborate scheme for it to be anyone else. And so that's a little, I don't know. I look at it and I start thinking these are the things that people complained about last time around, that could be spoofed and all those sorts of problems. So if it is, the wording that they're using is a little tough.

All right, so then the media right now still isn't clear. There's another article that's published saying, hey, is this an individual? Is this a Russian front? Even though I see most of the security people agreeing, they're sort of saying experts aren't so sure. Can you imagine that? We don't agree in the security world. And again, everyone sort of does point to Russia right now. We have Clinton stating it's Russia. She draws some sort of line to Trump, maybe. It's a bit confusing, because it sounds like the DNC's been owned for a really long time, so in my mind Trump wasn't even considered a candidate then, but now we're blaming him for potentially doing it. And the reason why I think this one's interesting is because now it's not just who did it, it's who's behind it, trying to orchestrate and make people do these hacks. So we're just getting more and more of this sort of stuff, and the conversation about what is there to be gained and who can gain from these attacks. All right, now we're getting a little more interesting in the DNC, because shortly after the DNC hack was attributed to Russia, it's now reported that there's a professional cyber attack that hit the Russian government. So we start thinking hack back now, right? And so some articles come out saying that the NSA is likely hacking back due to the DNC hack. Now most of you are giving me blank looks, dirty looks, saying, hey, you think this is the first time the NSA hasn't been hacking all over the place? But other people will say, and start to believe, that this may be the first major time that a sanctioned nation-state hack back has occurred. So we just keep going down this path.

So it leads us to the question of: does it actually matter if we get cyber attribution correct? Do we even care? For most companies and organizations where you work, does it really matter who attacked you? You've got to deal with the breach; you've got to deal with the problem. The fact that you got hacked is the issue; that's not going to change a whole lot about financials or whatever else. But for other cyber attribution it does really matter, because after the Sony attack, when the FBI concluded it was North Korea, the USA imposed new sanctions on North Korea in response. In February of 2016 Congress sends a North Korea cyber sanctions bill to Obama, saying that anyone that's caught aiding the country's cyber cane is going to get penalties now as well. So we're seeing the attribution leading to real world
things. So last month North Korea expressed their thoughts about the US sanctions uh the foreign ministry issued a statement carried by the Korean central news agency basically saying the sanctions on Kim and 10 other and officials were peppered with lies and fabrication and then went on to say that now that the US has declared war on the
DPRK any problem arising in relations with the US will be handled under the latter's wartime law. So we're seeing things even though there's a lot of rhetoric that comes out of certain countries we're seeing things escalate based on attribution. And then just a few days ago um now it's reported that the United States is considering economic sanctions on Russia for hacking right? Nefarious activities in the
cyberspace and that economic sanctions have been used before and they could possibly be used in preparing for response of cyber threats. So how can we actually figure out what's going on behind these hacks? Uh no s- or why can't we might be a better
question right? No security firms typically tend to agree uh we can't trust when people are claiming attacks, easy to hide IP addresses via you know proxy servers, Tor etcetera. Correlations as we've already talked about between certain pieces of malware really aren't just hard evidence although people in this space will debate that uh to the death. Uh information and evidence many times isn't fully shared to protect sources so
just say trust me this is what it is. And then there's this whole behavioral analysis of of doing analysis of writings and things like that which doesn't come across to many as very hard evidence. So then as we go from there then the question becomes do we actually need to improve our cyber app attribution capabilities? And you know I don't
really care for the f- the folks that think that they're doing it really awesome and it's well enough or perfect, that's great. There's still uh others that aren't so sure. But I think that if we're gonna be punishing countries and getting more of this active war rhetoric we better be damn sure that when we come out and say something that we actually know what's going on. And so regardless of whether you're on
one side or the other in terms of how we are with attribution right now I think we can all agree that we need to continue to invest in and improve a digital attribution. It's clear that the impa- impact could have. And there are a lot of smart people working on this so I I think that's great. Alright so this leads us to the arrest tracker project. So what we wanted to do was we wanted to collect data to hopefully better
understand um what's going on with cyber crimes right? Another viewpoint of to attribution and a d- a much different lens right? And so arrest tracker was originally founded by Lee Johnstone uh he's also the founder of cyber war news if you've ever followed any of his stuff. Really smart researcher. And so it was founded in 2013 uh and the
project aims to track computer intrusion incidents resulting in arrest, uh detaining of persons, uh seizure of goods and all sorts of other things. Uh tracking incidents from all cyber again if you have alcohol drink I've been trying to say it as much as I can. Also if you notice in the lower right hand corner it says cyber on every slide so I wanted
to make sure we were gonna get to where we needed to for later tonight. Um and hacking related incidents. Um so right now there's there's uh over 1400 incidents collected and it's more than just arrests but we ended up finding out that there's if you just say you're only gonna track arrests there's a lot that goes on it so there's it's it's it's
more than that we're we're labeling it cyber crime. And now uh as of today the project is officially launching you can go out and sign up and and check things out etcetera. So it's arrest tracker dot com. So the uh fields in there we're trying to figure out all the different fields that we're trying to track and with any project if you've ever done data work you start out and try to track a few fields and all of a sudden you're like
what about these and you just keep adding stuff on right? Um but so far we're trying to figure out things like the profile uh name, alias, gender, age, location, are they part of hacker collectives, operations, all those sorts of things. Uh in terms of the incident, when did it occur, which country, arrested, charged, raided, all that sort of stuff. And then even looking at things like courts um was there a deal, was there trial,
fines, fine amounts, convicted, sentenced, all those sorts of things and even some more things about um the legal side and and authorities. Alright so what can arrest tracker help us with? Well first we definitely need to recognize there's some limitations with the data right? So some quick disclaimer so if you're a data
scientist or a data security metrics nerd and you want to come give me grief, I get it but we're trying to start somewhere and grow this so we can have some data sets to look at as we improve and get better but you have to remember uh there are some limitations. We have to remember that this is mostly about arrest data right? Arrest incidents is what we have the most of and so it tells the story from that viewpoint. Uh
we've expanded as mentioned to cover more cyber crime and we're gonna continue to understand that as as much as we can. We're using data based on reported uh arrests and raids right? So we're gathering everything we can from the media. So if the reporting's bad or wrong, it's an issue right? We do source everything in there to try to have our own
attribution to where we got the information from. And if the courts are wrong, which when has that ever happened right? Um that's an issue too but we're pulling all the data that we can in and and put it in. So we also need to remember that in many cases the government allegedly would rather track and follow criminals instead of arresting them for various reasons. So again we're only we're only adding in data here that
that has had some sort of uh crime, prosecution, arrest, etc. So with that said, what can arrest tracker tell us? Well quite a bit actually. Um so detailed statistics about crime arrest, who's behind these data breaches in crime, what are the demographics, what's going on with extradition, details on sentences, monetary fines, um learning
about law enforcement and what's going on, certain judges and how do they view cases and then profile a hacker and I'm sure anything else that you guys can think of we can ask the data set. So most people always are asking us you know what it what is a hacker, what's the profile of a hacker and you know the media basically is settled in on the
ski mask behind the laptop right? We all agree on that. I sort of thought it might be funny and interesting if I ask Google Images what it was and and here it is and what I found here was as long as you have a hoodie on, you're a hacker in Google's mind. But we also have a couple new faces now with Mr. Robot right? So these are new faces of what a hacker is. But what's even more interesting is these are the real faces from
arrest tracker behind the project right? So we're we're tracking what what folks look like and all those sorts of things as well so you you can see uh this helps us better understand. So looking at the timeline, here's a an eye chart for people way in the back um shows that there's been crime and incidents going back to the 1970s right? Uh
There was some, and you can see that over the course of it, but really not a lot of activity in this space, or incidents that we've tracked, until the 2000s. If you drill in closer on the 2000s, you can see that things are on the rise without a doubt. We're seeing a lot more activity in this space. So the cyber incidents over the past decades: the '70s we saw 2, the '80s 37, the 1990s 59 incidents, the 2000s 345, and the current decade 988 incidents, so we're seeing quite a bit that we're adding in. Now, that being said, there is a lot of old research, so Jericho of attrition.org has it on his to-do list; it's been on it for a while, actually, and I'm going to have to give him some grief to go through some of these old books and pull out some more incidents from the '70s and '80s. So we definitely need more help and more research putting in some of the older things as well.

So the oldest incident from the '70s we actually have is from 1971, and that's this screenshot of what the Arrest Tracker profile looks like, where we're trying to capture all the different bits of data. You can see here Hugh Jeffrey Ward: it occurred in '71, he was 29 years old at the time, and he was accused of breaking into the ISD computer systems and stealing data. Trade secret theft, pled guilty, fined $5,000 and 36 months of probation. So that's 1971.

Now does anyone recognize this picture? That's laughing, but does anyone really know it? The guy that had the most friends on the internet for a while? This is Tom, there we go, this is MySpace Tom. So MySpace Tom, maybe people don't know this, he was a co-founder of MySpace, but the media back here reported him as a real-life WarGames hacker in the 1980s, and so he was also known as Lord Flathead, aka MySpace Tom, and this is his profile in Arrest Tracker. In 1985 he had an issue. He was about 14 or 16 at the time, there are some conflicting reports there, but he allegedly hacked into Chase Manhattan Bank and told his friends how to do it; the FBI raided him in California and seized all of his computers. No charges or criminal convictions have ever been made related to this incident, as he was a minor at the time. So again, that's one of those reasons why we expanded the project out from just arrests into tracking a bit more stuff. So 1980s: MySpace Tom.

And what's interesting about this, as we've been collecting each of these incidents about the people and what's going on, is that each incident in Arrest Tracker has a story to be told. So from the '90s we pulled out some folks; the Mitnick story's been told many times, even last night with the 2600 movie night, but there are many other people in here that each have their own story to be told. Here are some notables from the 2000s that you may recognize or not; some of these folks you may not know what they were up to, and they have their own story. And then here are some more recent ones, and some of them have some really bad and sad consequences of our legal system as well. So there are lots of other notable arrests out there for various reasons: things like the first prosecution of a particular crime, the severity of a crime, the length of jail time or what the fines were, potential overreaching of regulatory actions, impact to those accused, etc.

All right, so some statistics on arrests. We get asked absolutely all the time, any time we mention Arrest Tracker: what's the profile of a hacker? That's the biggest question that comes up. So we knew that once we had a fair amount of data we needed to start looking at the demographics of things. And we started with age. The youngest age that we have is 12 years old, believe it or not: traded pirated information to the hacktivist group Anonymous for video games. Sentenced to 18 months, including limited access to internet devices, 30 hours of community service, and under supervision for 6 months; the boy also had to choose some sort of structured activity of his choosing. This was in 2013 in Canada. So 12 years old is the youngest. The oldest, though, was 66 years old: John McHugh, also known as Devilman, a male busted for selling cards on the dark web. This was in the United Kingdom, and he was jailed for 2 years. So you can see this one.

What that led us to look at is: we knew we had the youngest at 12 and the oldest at 66, but what's the breakdown in the distribution of ages? Most people, when you say who's hacking, who's doing all this stuff, think it's some bored high schooler, or some college or university student on spring break. But what we saw from the distribution is: 18 through 25, 349 incidents, and 26 through 35, 304 incidents. So those were the largest groups, while there were still other age groups. And that currently leads us to an average age of 27 years old. Then we wanted to look at that 27-year-old across all the years, to see how it was year over year, and it was pretty spot on, year over year, in that range.

All right, gender equality. There's been a lot talked about this all over the place, and so we thought, hey, we should look at the same thing to see what the breakdown in genders is for crime and arrests, and yeah, it's all guys. So we still have a little more research to do here.
But in general it was 81-plus percent male. So we're going to do a little bit more work in this space, but again, we're just trying to get those profile demographics.

So which countries do most hackers reside in, or, in our world, what's the country of origin for the arrest? We get asked this all the time as well, and everyone really thinks it's going to be China, right? This is what it looks like, with just Chinese hackers everywhere. But again, if you think about what we're doing, it's based on arrest data. And so obviously for us the United States is number one; you can see there. Note that China's number ten in this, so there are arrests and there are crime things going on, but because of the data and the lens that we're looking through, number one is the United States and number two is the United Kingdom.

Now, collectives. We wanted to get our heads wrapped around: do most folks that get in trouble in the cyber crime area sort of go solo, like lone-wolf hackers on their own, or are they part of some sort of collective? And also, if one person gets arrested, does that mean that a bunch of others are going to follow? In Arrest Tracker there are 58 known collectives that have had some sort of confirmed incident, and we see that Anonymous is at the top with 130. So any time we find out about an issue, if it's related back to a collective, we go ahead and add it in. Same thing with hacker operations: we want to start getting a better feel for, when you talk about these hacker operations and what they're going after, how many are there, and what do they lead to in terms of arrests or any crime sort of thing. Twenty-one hacker ops, with Operation Payback at the top, and for some of you old-school folks in there, you'll laugh at a couple of the other ones that are listed up there as well.

All right, so is an arrest inevitable? Are you definitely going to get arrested? If you look at it in terms of the data breaches: in 2016 year to date, we already said there are approximately 2,000 data breaches, and we've seen 70 confirmed arrests so far. In 2015 there were approximately 4,000 data breaches and we saw 134 confirmed arrests. Going back to 2014, sort of the same message: approximately 3,000 data breaches, about 47 arrested. So nowhere are we seeing a data breach equaling an arrest. And what's interesting is that the data so far shows there are 610 days on average from when a crime happens, if you will, until the incident or the arrest. So there's definitely a tail from when something occurs to when there's some sort of prosecution or raid or whatever, and we're going to continue to add data and stats in that regard.

All right, so then we started to wonder, maybe silly things, but when would you most likely be raided or arrested? Which day would it be? Anyone have a guess? I think I heard it over here. Hello, Monday. So someone may have a bad case of the Mondays, and it could be really bad, right? We originally guessed, when we thought about it, that it'd be on a Friday, but looking at the data, you get to enjoy your weekend, and then on Monday it's going to be a real bad day for you, potentially. And then we started asking other questions, like what part of the year, what month would it be? Arrest Tracker could tell us that same thing. No one ever gets this one right, so I won't even ask you guys, but April seems to be when more showers come onto the hacker community as well.

So now, countries pursuing cyber crime. As you can easily guess, the USA is the most active, number one. But the top ten is somewhat surprising in some cases, and China, no, they're not in the top ten of pursuing cyber crime. We started to look at things like extradition, and we're currently seeing that only the USA has any extraditions that are tracked, and there are 42 of them that we're aware of. So you can see the top five countries: Russia to the United States at 8, Romania to the US at 7, Estonia to the US at 6, Canada to the US at 3, and the United Kingdom at 3 as well. Not every country allows the USA to extradite folks, but there are treaties in place with more than a hundred countries out there. Here's a quick little map of it: you can see in the darker purplish color, that's the USA, and all the blue ones are places that we allegedly, according to Wikipedia, have extradition treaties with.

So now we looked at jail time. The longest jail time that we had, the worst case, we thought, what would that be? And what we found was actually crazy: 334 years. A guy in Turkey created fake websites and impersonated banks, and I think the lesson that Arrest Tracker will tell all of you right now is don't mess around in Turkey, because it's bad news there in terms of jail time.

We started to look at fines, and we wanted to understand things like what's the average fine, what's most common, the largest fine, etc. What we found was that the average fine that we know of right now is a million US dollars, but the most common fine, which occurred 13 times within the database, was $5,600. The largest fine was the WorldPay hacker, Viktor, at 8.9 million US dollars, and he was convicted and tried in a Russian court under FBI charges.

The other thing that goes on is there are some people that just can't help themselves, they just can't stop. Many times there'll be multiple cases that are consolidated into one case, so this can be a little bit hard to figure out sometimes, but we've been able to find through Arrest Tracker that 17 people have had multiple arrests. And this is another question we get asked all the time: how many people, when they get busted, are assisting authorities? We do have the fields in Arrest Tracker to track this; however, it is pretty rare, and it's hard to find this data, but looking through the database right now there are 30 people that have been confirmed to have assisted the authorities in some fashion.

All right, so getting down to this: what is the profile of a hacker? The data suggests that really there's no single hacker or cyber criminal type; it's a bit all over the place. But if we were forced to say what the profile of the hacker is, based on averages and things that we can find: gender is going to be male; the age range is going to be 18 to 35, or in that average 27 age range; again, going to be in the US, and a lot of that is because of the arrest data that we source, but if not the USA, it's going to be the UK or the Philippines; the crime will be hacking, and if it's not hacking, then after that it'll be some sort of cyber fraud or data theft that we classify; and most likely active since the year 2000. Motivation: right now we're still having problems tracking that in a relevant way, so we're still trying to figure out what we can do in Arrest Tracker to make that a bit clearer.
All right, Most Wanted. Who hasn't been arrested yet? Well, I'm not sure if everyone knows this or not, but the FBI at their website maintains a listing of wanted cyber folks; you can go out there and check it out. There are 28 total listed as of just this week. They have a profile basically on everyone that's listed up there, so they'll have your picture and a wanted poster, and then an alias and a whole bunch of other information: weight, eye color, all that sort of stuff, and then details on the rewards that they'll offer if you can help bring them down, some other remarks, and there's this other section called "Caution" that'll put a lot more details on what they were up to and even mention things like if they're considered a flight risk and all that sort of stuff. And in this particular case, they're offering a reward of up to three million dollars for information leading to the arrest or conviction of this particular guy. So you can see here, here's a listing of all the images from the website; the profile looks a little different than the arrest data that we've been talking about. And what's interesting, if you had to guess the total amount of reward money all added up, is that it's about 4.9 million dollars in potential rewards if someone informed on all these people to the FBI.

What we're also starting to see is: when hackers are doxed, or when information becomes known, are they definitely going to get arrested? What we saw in March of 2016 is that GhostShell, as many of you know, doxed himself; he revealed himself, and he described that he's been active since January 2012, that he was one of the ones that started opera mania, he's attacked the government, all those sorts of things. So this is March 2016, but then here he's leaking 39 million accounts in protest, and that was in June. So all the information about him, he came out and basically said everything, who he was, etc., but he's still active. And so it's clear that for us we still want to make sure we understand a bit more about law enforcement, specifically about cases: are there certain characteristics of data breaches or cybercrime that lead to more law enforcement, those sorts of things? So we're trying to track more on that so we can get a better answer.

All right, so as we're wrapping up here now, what's next for us? Well, the actions are clear for us: data quality is top of our mind. We want to make sure that we continue to have the best data that we can have, everything that we need, so we can answer these questions as best as we can, but at the same time answer all the questions that people have for us. So if you find something wrong when you log into the project, please tell us; there's no pride in authorship. We want to fix things up, we care about the data, we want it to be accurate, and we want more data: we want to increase coverage of cyber crime events, we want more data fields per incident and per person, all those sorts of things. So if you're interested in helping out, please do.

For future ideas and features that we're looking at, we're trying to add more data fields about individual persons, so the ability to handle complex issues, things that you wouldn't necessarily think of, like a Romanian national that lived in Canada for 15 years but then was arrested in the United States. We want to be able to track some of those things so that when we get asked about location and profile we can explain it a bit more. A lot of thought has been going into the ability to track motivation, and then mapping to known data breaches so we can understand impacts and all those sorts of things, you know, are there certain types of hacker profiles that go after certain types of industries, etc. More work on the Most Wanted: some thoughts we've had are, how long are they on the Most Wanted before they get arrested, things like that; how many people that have been arrested work for security companies; and then even a subsection for piracy and all those sorts of things.

So what comes next? Are we going to see arrests and cybercrime prosecution increase or decrease? We think the answer is going to be increasing. We're trying to figure out what the legal environment's going to look like and if that's going to get more harsh. And then, can we take this data from Arrest Tracker and actually apply it to your work? Can you use this to help you not just laugh about, yeah, it's Monday and April and those sorts of things, but, if you're in the legal space, can you look at how things are happening, are there overreaching regulations in your day-to-day job, can this help you figure out how to be defensive, etc. So we're open for new ideas. If you're interested in working with us, we'd love it; if you've got other ideas, we're open to that feedback; and if you want to help, definitely please contact us.

So I want to thank Lee Johnstone for all his hard work founding the Arrest Tracker project; it's a ton of data, it's a ton of work. I want to thank Brian Martin for all his help. I want to thank everyone else that's been interested and hung out here and been drinking with us for this session, and thanks to the DEF CON CFP team for the opportunity to present. So believe it or not, this was 140 slides and "cyber" was pretty much on every single one of them, so I hope you guys had fun playing along. Look forward to seeing you tonight; if you have questions I'll be over here. Thank you.