Cazando Cibercriminales con: OSINT + Cloud Computing + Big Data
•Download as PPTX, PDF•
5 likes•3,519 views
Diapositivas de la presentación impartida por Chema Alonso durante el congreso CELAES 2015 el 15 de Octubre en Panamá. En ella se habla de cómo en Eleven Paths y Telefónica se utilizan las tecnologías Tacyt, Sinfonier y Faast para luchar contra el e-crime.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Cazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Similar to Cazando Cibercriminales con: OSINT + Cloud Computing + Big Data (20)
More from Chema Alonso
More from Chema Alonso (20)
Recently uploaded
Recently uploaded (20)
Cazando Cibercriminales con: OSINT + Cloud Computing + Big Data
- 1. Cazando cibercriminales con: OSINT + Cloud Computing + Big Data Chema Alonso (@chemaalonso)
- 2. Problem: Cybercrime in Android
- 3. Problem: Cybercrime in Google Play
- 4. OSINT (Open Source Intelligence) • OSINT is the art and science of creating ethical, evidence-based decision support using only open sources and methods, legal and ethical in every respect. – Big data to store & process – Analytic toolkits to detect patterns and anomalies • Beyond that, OSINT is all about humans- analysts who can think, and deciders who can listen. Robert David Steele on OSINT - 2014
- 5. Tacyt • Goal: Build an OSINT platform –Android Markets • Google Play Included • Process all data related to apps & markets –Build up a Big Data –Build a real time processing tool for analyst –Create connections to other security tools
- 6. Tacyt • Real Time integration of apps • Real Time processing of filters • Interactive Console • Cross-Market analysis • Cross-Time results (Dead apps) • API
- 7. Tacyt Demo 1: Fake Apps + Fake Devs
- 10. Shuaban Botnet
- 11. Tacyt Demo 2: Shuabang Botnet
- 12. Tacyt • Apply some intelligence to the way attackers work on Google Play. Anomalies & Singularities. • Do not concentrate on DETECTING, but on CORRELATING data. Detecting is difficult, but once you know your enemy and with the right amount of information and data, correlating is easy. • We try to find singularities • Avoid code. Code is a wall you go against again and again. Attackers know how to avoid being detected.
- 13. Tacyt • We need to know our enemies and what makes them singular. • Android apps are APK, which are just Java files, which are just ZIP files signed with a selfsigned certificate. We have identified and dissected most of the technical characteristics. • Android apps are hosted in Google Play, with a developer, comments, descriptions, images, versions, categories… • There is plenty of information. Almost 50 “checkpoints”.
- 14. Gremlin App
- 15. Gremlin App
- 16. Buying Gremlin Apps • But…. What apps make sense to mutate?
- 17. APT Providers: Gremlin apps for targeted attacks • Lets find some applications that fit with different target profile. • These apps needs to be attractive but don’t seem to provide a critical functionality because It is needed that once they are installed, keep under the radar. • We need a rich porfolio of applications.
- 18. “Perfet” Target Apps • How to select the perfect set of applications for an APT once the reconnaissance of the victim has been achieved.
- 19. APT Providers: Gremlin apps for targeted attacks permissionName:"android.permission.GET_ACCOUNTS" permissionName:"android.permission.INTERNET" permissionName:"android.permission.READ_EXTERNAL_STORAGE" permissionName:"android.permission.READ_PHONE_STATE" permissionName:"android.permission.ACCESS_NETWORK_STATE
- 20. Tacyt Demo 3: Profiling Attack - Clicker
- 21. Examples: Research and clusterization • We can correlate data and cluster apps: – From an app, we can include the person or company who made it and correlate it with other developers in which account they hide. – We can detect anomalies: developers uploading 50 apps in a row? Developers sharing exactly the same files in their APK? Developers sharing images? APKs with just a second of developing time?...
- 23. Tacyt • Allows to correlate data and detect –Anomalies –Singularities • Helps to search quickly in a Big Data of apps • Helps to avoid code in detecting cybercrime • Provides an API to be an OSINT and integrate with other tools.
- 24. “Apache Storm is a free and open source distributed realtime computation system. Storm makes it easy to reliably process unbounded streams of data, doing for realtime processing what Hadoop did for batch processing. Storm is simple, can be used with any programming language, and is a lot of fun to use! “ Sinfonier
- 26. + + = Drag & Drop Interface Automatic Deploy API (Nightly version) Storm Cluster How It works
- 29. Faast (Vamps)
- 30. Conclusions • Cybercrime in Apps is huge • Research in Google Play is not easy • Tacyt allows to – Discover and Investigate anomalies & singularities – Cross-Market – Cross-Time • Synfonier helps to – integrate other sources – Automate Intelligence Generation • Faast help us to reduce security Windows – Managing vulnerabilites in a persistent way
- 31. Summary • Cybercrime in Apps is huge • Research in Google Play is not easy • Tacyt (Path 5) allows to – Discover and Investigate anomalies & singularities – Cross-Market – Cross-Time • Security Enforcement en Markets is NECESSARY
- 32. ¿Questions? • If you want give a try to TACYT, contact me! • http://www.elevenpaths.com • Chema Alonso • @chemalonso • chema@11paths.com • http://www.elladodelmal.com
Editor's Notes
- Aquí lo interesante es ubicar OSINT como un tipo de Inteligencia aplicada a la seguridad. OSINT tiene solape con CYBINT en cuanto parte de la recupeación de la información de fuentes abiertas se puede realizar a través de sistemas informáticos, y con HUMINT, por que también una fuente humana está contemplada entre las fuentes de información. Esto permite ligar esta slide con la siguiente en la que se definirá OSINT A continuación la definición de los distintos tipos de Inteligencia: HUMINT - Human Intelligence—gathered from a person on the ground. Espionage Friendly accredited diplomats Military attaches Non-governmental organizations (NGOs) Patrolling (Military police, patrols, etc.) Prisoners of war (POWs) or detainees Refugees Strategic reconnaissance, as by special forces Traveler debriefing (e.g., CIA Domestic Contact Service) GEOINT - Geospatial Intelligence—gathered from satellite, aerial photography, mapping/terrain data IMINT—Imagery Intelligence: gathered from satellite and aerial photography MASINT - Measurement and Signature Intelligence Electro-optical MASINT Airborne Electro-Optical Missile Tracking MASINT Tactical Countermortar Sensors Infrared MASINT Optical Measurement of Nuclear Explosions LASER MASINT Spectroscopic MASINT Hyperspectral Imagery MASINT Space-based Staring Infrared Sensors Nuclear MASINT Radiation survey and dosimetry Space-based Nuclear Energy Detection Effects of Ionizing Radiation on materials Geophysical MASINT Weather and Sea Intelligence MASINT Acoustic MASINT (also known as ACOUSTINT or ACINT - Acoustic phenomena) Seismic MASINT Magnetic MASINT Gravitimetric MASINT Radar MASINT Line-of-Sight Radar MASINT Synthetic aperture radar (SAR) and Inverse Synthetic Aperture Radar (ISAR) MASINT Non-Cooperative Target Recognition Multistatic Radar MASINT Passive Covert Radar Materials MASINT Chemical Materials MASINT Biological Materials MASINT Nuclear test analysis Radiofrequency MASINT Frequency Domain MASINT Electromagnetic Pulse MASINT Unintentional Radiation MASINT OSINT - Open Source Intelligence—gathered from open sources. Can be further segmented by source type; Internet/General, Scientific/Technical and various HUMINT specialties (e.g. trade shows, association meetings, interviews, etc.) SIGINT - Signals Intelligence—gathered from interception of signals COMINT - Communications Intelligence ELINT - Electronic Intelligence: gathered from electronic signals that do not contain speech or text (which are considered COMINT). FISINT - Foreign Instrumentation Signals Intelligence, was formerly known as TELINT or Telemetry Intelligence. TELINT, entails the collection and analysis of telemetry data from the target's missile or sometimes from aircraft tests. TECHINT - Technical Intelligence—gathered from analysis of weapons and equipment used by the armed forces of foreign nations, or environmental conditions. MEDINT - Medical Intelligence: gathered from analysis of medical records and/or actual physiological examinations to determine health and/or particular ailments/allergetic conditions for exploitation. CYBINT/DNINT - Cyber Intelligence/Digital Network Intelligence—gathered from Cyber Space FININT - Financial Intelligence—gathered from analysis of monetary transactions
- La aplicaciones convierten al dispositivo en un zombi, que cada 10 minutos recoge tareas que realizar, entre ellas, recoger esas cuentas falsas del servidor central y asociarlas a los datos del teléfono de la víctima. IMPORTANTE: La cuenta de Google "original" en el dispositivo de la víctima permanece a salvo y el atacante no tiene acceso a ella en ningún momento. Cada cuenta es asociada a entre 10 y 30 dispositivos físicos de las víctimas. Las combinaciones entre cuentas de Google y asociación de dispositivos son innumerables. En la imagen se muestra un ejemplo de cuenta del atacante, asociada a 18 dispositivos reales en la India de las víctimas.
- 1.- yu jinhui 2.- Xray Body Scan {Detalles de Path 5, Big Data, Búsquedas} 3.- Búsqueda por imagen 4.- Nuevo desarrollador: shi qingte 5.- Buscado por imagen de “Toque Electríco” Shui hongli developerEmail:*yeah.net* OR developerEmail:*163.com* AND gmtInfo:8 AND permissionName:*ACCOUNTS*
- Synfonier helps to integrate other sources Automate Intelligence Generation Yes, You Can play with madness ( and it is fun)