Slides from the talk given by Chema Alonso at the CELAES 2015 congress on 15 October in Panama. It describes how Eleven Paths and Telefónica use the Tacyt, Sinfonier and Faast technologies to fight e-crime.
4. OSINT (Open Source Intelligence)
• OSINT is the art and science of creating
ethical, evidence-based decision support using
only open sources and methods, legal and
ethical in every respect.
– Big data to store & process
– Analytic toolkits to detect patterns and
anomalies
• Beyond that, OSINT is all about humans:
analysts who can think, and deciders who can
listen.
Robert David Steele on OSINT - 2014
5. Tacyt
• Goal: Build an OSINT platform
–Android Markets
• Google Play Included
• Process all data related to apps &
markets
–Build up a Big Data repository
–Build a real time processing tool for analysts
–Create connections to other security tools
6. Tacyt
• Real Time integration of apps
• Real Time processing of filters
• Interactive Console
• Cross-Market analysis
• Cross-Time results (Dead apps)
• API
12. Tacyt
• Apply some intelligence to the way attackers
work on Google Play. Anomalies & Singularities.
• Do not concentrate on DETECTING, but on
CORRELATING data. Detecting is difficult, but
once you know your enemy and with the right
amount of information and data, correlating is
easy.
• We try to find singularities
• Avoid relying on code analysis. Code is a wall you run
into again and again: attackers know how to avoid
being detected.
13. Tacyt
• We need to know our enemies and what
makes them singular.
• Android apps are APKs, which are just JAR-style packages,
which are just ZIP files signed with a self-signed certificate.
We have identified and dissected most of their technical
characteristics.
• Android apps are hosted in Google Play, with a
developer, comments, descriptions, images, versions,
categories…
• There is plenty of information. Almost 50
“checkpoints”.
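The point of slide 13, that an APK is a ZIP whose entries can be dissected into "checkpoints", as an added example that is not Tacyt's or Eleven Paths' code: the sample APK is constructed in memory with placeholder contents, and the function and field names are assumptions.

```python
import hashlib
import io
import zipfile

SIG_EXT = (".RSA", ".DSA", ".EC")  # suffixes of v1 (JAR-style) signature blocks

def build_sample_apk(dex: bytes, cert: bytes) -> bytes:
    """Constructed stand-in for a real APK: the entry names are the ones every
    v1-signed APK carries, the contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<binary xml placeholder>")
        z.writestr("classes.dex", dex)
        z.writestr("res/drawable/icon.png", b"\x89PNG placeholder")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", cert)
    return buf.getvalue()

def apk_checkpoints(apk: bytes) -> dict:
    """Facts worth correlating: a SHA-256 per entry (identical files can then
    be matched across developers), the signature block names, and whether the
    package carries Dalvik code at all."""
    entries = {}
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for info in z.infolist():
            if not info.is_dir():
                entries[info.filename] = hashlib.sha256(z.read(info)).hexdigest()
    sig_blocks = [n for n in entries
                  if n.startswith("META-INF/") and n.upper().endswith(SIG_EXT)]
    return {
        "entry_hashes": entries,
        "signature_blocks": sig_blocks,
        "v1_signed": bool(sig_blocks) and "META-INF/MANIFEST.MF" in entries,
        "has_dex": "classes.dex" in entries,
    }

def shared_entries(a: dict, b: dict) -> set:
    """Entry names whose bytes are identical in both APKs, e.g. the same icon
    or resource reused under two developer accounts."""
    ha, hb = a["entry_hashes"], b["entry_hashes"]
    return {n for n in ha if n in hb and ha[n] == hb[n]}
```

On a real APK the same `zipfile` calls apply unchanged; only the placeholder builder is specific to this example.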
17. APT Providers: Gremlin apps for targeted attacks
• Let's find applications that fit different
target profiles.
• These apps need to be attractive, but must not
appear to provide critical functionality, because
once installed they have to stay under the radar.
• We need a rich portfolio of applications.
18. “Perfect” Target Apps
• How to select the perfect set of applications for an APT
once the reconnaissance of the victim has been
completed.
21. Examples: Research and clustering
• We can correlate data and cluster apps:
– From an app we can identify the person or
company that made it and correlate it with the
other developer accounts they hide behind.
– We can detect anomalies: developers
uploading 50 apps in a row? Developers
sharing exactly the same files in their APKs?
Developers sharing images? APKs with just a
second of development time?...
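The correlation and anomaly rules listed on this slide, as an added example that is not Tacyt's or Eleven Paths' code: the records are constructed, the field names are assumptions standing in for market and APK metadata, and "development time" is approximated as upload time minus the signing certificate's notBefore.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (field names are assumptions): devA uploads three apps in
# two minutes, devB reuses devA's icon hash, devC signs and publishes in 1 s.
APPS = [
    {"app": "torch-pro", "dev": "devA", "up": "2015-09-01T10:00:00",
     "cert": "2015-07-01T00:00:00", "art": {"img:aa11", "file:f001"}},
    {"app": "torch-max", "dev": "devA", "up": "2015-09-01T10:01:00",
     "cert": "2015-07-01T00:00:00", "art": {"img:aa11", "file:f002"}},
    {"app": "torch-lite", "dev": "devA", "up": "2015-09-01T10:02:00",
     "cert": "2015-07-01T00:00:00", "art": {"img:aa11", "file:f003"}},
    {"app": "wallpapers", "dev": "devB", "up": "2015-09-03T12:00:00",
     "cert": "2015-06-15T00:00:00", "art": {"img:aa11", "file:f0b0"}},
    {"app": "quick-scan", "dev": "devC", "up": "2015-09-04T09:00:01",
     "cert": "2015-09-04T09:00:00", "art": {"img:cc22", "file:f0c0"}},
]

def burst_uploaders(apps, count=3, window=timedelta(minutes=5)):
    # The slide's "50 apps in a row", with the threshold scaled to the sample.
    by_dev = defaultdict(list)
    for a in apps:
        by_dev[a["dev"]].append(datetime.fromisoformat(a["up"]))
    flagged = set()
    for dev, times in by_dev.items():
        times.sort()
        if any(times[i + count - 1] - times[i] <= window
               for i in range(len(times) - count + 1)):
            flagged.add(dev)
    return flagged

def instant_builds(apps, max_seconds=5):
    # "Development time" is approximated (an assumption) as upload time minus
    # the signing certificate's notBefore; a few seconds is the slide's anomaly.
    return {a["app"] for a in apps
            if (datetime.fromisoformat(a["up"])
                - datetime.fromisoformat(a["cert"])).total_seconds() <= max_seconds}

def cluster_developers(apps):
    # Merge accounts sharing any artifact hash: one actor's accounts reuse material.
    owners = defaultdict(set)
    for a in apps:
        for h in a["art"]:
            owners[h].add(a["dev"])
    groups = [{d} for d in {a["dev"] for a in apps}]
    for devs in owners.values():
        hit = [g for g in groups if g & devs]
        groups = [g for g in groups if g not in hit] + [devs.union(*hit)]
    return sorted(groups, key=sorted)
```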
23. Tacyt
• Allows you to correlate data and detect
–Anomalies
–Singularities
• Helps you search quickly through a Big Data
repository of apps
• Helps you avoid code analysis when detecting
cybercrime
• Provides an API so it can act as an OSINT source
and integrate with other tools.
24. “Apache Storm is a free and open source distributed
realtime computation system. Storm makes it easy to
reliably process unbounded streams of data, doing
for realtime processing what Hadoop did for batch
processing. Storm is simple, can be used with any
programming language, and is a lot of fun to use!”
Sinfonier
30. Conclusions
• Cybercrime in Apps is huge
• Research in Google Play is not easy
• Tacyt allows you to
– Discover and Investigate anomalies & singularities
– Cross-Market
– Cross-Time
• Sinfonier helps to
– Integrate other sources
– Automate Intelligence Generation
• Faast helps us to reduce security windows
– Managing vulnerabilities in a persistent way
31. Summary
• Cybercrime in Apps is huge
• Research in Google Play is not easy
• Tacyt (Path 5) allows you to
– Discover and Investigate anomalies &
singularities
– Cross-Market
– Cross-Time
• Security Enforcement in Markets is
NECESSARY
32. Questions?
• If you want to give TACYT a try,
contact me!
• http://www.elevenpaths.com
• Chema Alonso
• @chemalonso
• chema@11paths.com
• http://www.elladodelmal.com
Editor's Notes
The interesting point here is to place OSINT as a type of intelligence applied to security. OSINT overlaps with CYBINT, since part of the retrieval of information from open sources can be done through computer systems, and with HUMINT, because a human source is also among the contemplated information sources. This lets us link this slide with the next one, in which OSINT will be defined.
Below, the definitions of the different types of intelligence:
HUMINT - Human Intelligence—gathered from a person on the ground.
Espionage
Friendly accredited diplomats
Military attaches
Non-governmental organizations (NGOs)
Patrolling (Military police, patrols, etc.)
Prisoners of war (POWs) or detainees
Refugees
Strategic reconnaissance, as by special forces
Traveler debriefing (e.g., CIA Domestic Contact Service)
GEOINT - Geospatial Intelligence—gathered from satellite, aerial photography, mapping/terrain data
IMINT—Imagery Intelligence: gathered from satellite and aerial photography
MASINT - Measurement and Signature Intelligence
Electro-optical MASINT
Airborne Electro-Optical Missile Tracking MASINT
Tactical Countermortar Sensors
Infrared MASINT
Optical Measurement of Nuclear Explosions
LASER MASINT
Spectroscopic MASINT
Hyperspectral Imagery MASINT
Space-based Staring Infrared Sensors
Nuclear MASINT
Radiation survey and dosimetry
Space-based Nuclear Energy Detection
Effects of Ionizing Radiation on materials
Geophysical MASINT
Weather and Sea Intelligence MASINT
Acoustic MASINT (also known as ACOUSTINT or ACINT - Acoustic phenomena)
Seismic MASINT
Magnetic MASINT
Gravitimetric MASINT
Radar MASINT
Line-of-Sight Radar MASINT
Synthetic aperture radar (SAR) and Inverse Synthetic Aperture Radar (ISAR) MASINT
Non-Cooperative Target Recognition
Multistatic Radar MASINT
Passive Covert Radar
Materials MASINT
Chemical Materials MASINT
Biological Materials MASINT
Nuclear test analysis
Radiofrequency MASINT
Frequency Domain MASINT
Electromagnetic Pulse MASINT
Unintentional Radiation MASINT
OSINT - Open Source Intelligence—gathered from open sources.
Can be further segmented by source type; Internet/General, Scientific/Technical and various HUMINT specialties (e.g. trade shows, association meetings, interviews, etc.)
SIGINT - Signals Intelligence—gathered from interception of signals
COMINT - Communications Intelligence
ELINT - Electronic Intelligence: gathered from electronic signals that do not contain speech or text (which are considered COMINT).
FISINT - Foreign Instrumentation Signals Intelligence, was formerly known as TELINT or Telemetry Intelligence. TELINT, entails the collection and analysis of telemetry data from the target's missile or sometimes from aircraft tests.
TECHINT - Technical Intelligence—gathered from analysis of weapons and equipment used by the armed forces of foreign nations, or environmental conditions.
MEDINT - Medical Intelligence: gathered from analysis of medical records and/or actual physiological examinations to determine health and/or particular ailments/allergetic conditions for exploitation.
CYBINT/DNINT - Cyber Intelligence/Digital Network Intelligence—gathered from Cyber Space
FININT - Financial Intelligence—gathered from analysis of monetary transactions
The applications turn the device into a zombie that every 10 minutes picks up tasks to perform, among them fetching those fake accounts from the central server and associating them with the victim's phone data.
IMPORTANT: the "original" Google account on the victim's device remains safe and the attacker never has access to it at any time.
Each account is associated with between 10 and 30 of the victims' physical devices. The combinations of Google accounts and device associations are countless. The image shows an example attacker account associated with 18 real victim devices in India.
1.- yu jinhui
2.- Xray Body Scan {Path 5 details, Big Data, searches}
3.- Search by image
4.- New developer: shi qingte
5.- Searched by image of “Toque Eléctrico”: Shui hongli
developerEmail:*yeah.net* OR developerEmail:*163.com* AND gmtInfo:8 AND permissionName:*ACCOUNTS*
Sinfonier helps to
integrate other sources
Automate Intelligence Generation
Yes, you can play with madness (and it is fun)