Leviathan: Command and Control Communications on Planet Earth

Kevin Thompson

Fri, 25th November 2016


Speaker Bio 1:
Kevin Thompson
Before joining FireEye, Kevin worked as a cyber-analyst for the Central Intelligence Agency in Washington DC. As an analyst, Kevin used digital exploitation and all source analysis to educate multiple agencies of the US Government on current and future cyber threats. Kevin's analytic work has been included in Presidential Daily Briefings and became a case study used in multiple training classes.

Learning Objectives:

Kevin will explain:

  • First, this talk covers the techniques that hackers use to communicate with compromised infrastructure across the globe. The authors analyze the domains, protocols, ports, and websites used for malicious C2. They explain how covert C2 works, and how attackers keep their communications hidden from network security personnel.
  • Second, this talk looks at strategic impact. The authors examine relationships between the targeted industries and countries and the first-stage malware servers communicating with them. This section correlates C2 communications to traditional geopolitical conflicts and considers whether computer network activity can be used to predict real world events.


Questions and answers

Max, Concise Courses:
Let me ask you three questions as they came in. First question here is “You mentioned that the majority of command and control services are located in the USA, so are these hack services?”

Kevin Thompson:
You know we couldn’t really tell the actual command and control service if they were hacked or if they were purchased or if someone had set them up. Our focus for this particular sort of sliver of research was just where they were going to. So we wanted to look at where they were coming from or where they were going to, and we didn’t really take the time to look into “okay where they register these domains, were they set up, were they hacked into.” And a lot of times we don’t have sort of the access to do a deep dive into 20 or 30 million call backs to say these are the percentages that were hacked versus these ones were purchased. We did look into how many of them were from no IP, IDNs and things like that that you can purchase and there wasn’t any really outlined events that you can say “Oh this is the same amount that was purchased versus hacked.” So we really wanted to keep the focus on this since we had so much data and our research was so widespread as it is, we really wanted to focus on what the call backs were doing and where they were going to, versus if it was hacked or not.


Max, Concise Courses:
So was it just two of you working on this project?

Kevin Thompson:
Well, the two of us did a lot of research. We had a Data Scientist who was an intern at FireEye who helped us do some of the graphs and crunch some of the numbers. And then we had some support from some other people who helped us to pull the data together, and also a lot of people were viewing sort of the sanity check aspect of it.


Max, Concise Courses:
Got it, sounds good. I want to touch on that point in a second. The second question here is “Why should you need call backs to domains…, you mentioned this to be within the education sector, is this indicative of the education sector being less tough with their security posture?” And she goes on to say, “Great presentation by the way.”

Kevin Thompson:
Thank you very much. So yeah, I would say that it is exactly because of the education sector. A lot of times when we sit with them and work with them they have more of an open environment. So there is a lot of discussion of “we’re sharing our data, our information is freely available, we don’t want to close down access, we want access to be available to people, especially our research and our studies and those sorts of things.” So from what we have seen on education and universities, they are not as locked down as a lot of other companies. Now you can make the case, maybe they don’t have as much intellectual property as a company so it’s not that big of a deal, but then again with all the amount of research that they are doing, maybe the argument is they should be a little bit more locked down. But from what I’ve seen there is a direct correlation between the amount of call backs going back to them and not having as tight of a lockdown, because the sort of mentality of sharing information is one of the major goals.


Max, Concise Courses:
Terrific! I always ask this question, and I’m interested to hear your answer, so I always ask “What do you know now that you wish you knew when you started your career in information security?” And the reason why I ask you that is because we have a lot of people who watch this who are looking to break into the cyber security arena, and they are in essence looking for words of wisdom and inspiration, I think, more than anything. For somebody looking at this, a well put together presentation, FireEye, a big brand, easy to understand, broken down into clear English, it was speaking management, if you will, you can sort of understand. So what do you know now that you wish you knew when you started your career in information security? For somebody who wants to get to your level and your position and work for a company like FireEye.

Kevin Thompson:
You know, that’s a great question. I would say the biggest thing that I wish I would’ve known when I started is the importance of, and how much you can contribute by, having knowledge and background and information about non-technical things and bringing that to some of the technical problems that we have. So a lot of times people get overwhelmed, either at the starting point or as they build their career, that it has to be 100% technical, it’s got to be all ones and zeros, and it has to be “you have to be the smartest person in the room.” But I think when we’re looking at cyber security, we’re looking at these problems, there is so much room for outside influences. In cyber security we need economists, or people who can explain the business case in companies and why they need security. We need people with history to talk about this is why China and Russia are hacking us, this is why Iran is trying to steal this data. We need Political Scientists. I’m a communications major with a philosophy background, so we need people who can articulate this information. So the technology, while a very major, major part of this, I think is only one aspect of the grand scheme when we’re talking about security. So I wish I would’ve felt comfortable thinking back and saying “Okay, how does this fit into a historical context? What are the geopolitical aspects of this country? Why would they be hacking it? What are the economics behind why these attackers are doing it?” So taking outside influences and outside information through my security career, I think that’s been a great help as I sort of learned that lesson. But I think it’s something that I wish would’ve started from the beginning instead of only focusing on ones and zeros.


Max, Concise Courses:
Do you think your philosophy, your response (and I totally agree with you, obviously, because at the end of the day, just like you said, you had a team behind this research and everyone contributed in different ways, it wasn’t just pure tech), do you feel that that’s being encouraged from the perspective of, let’s say, recruitment and people looking for more rounded skills, or is it just FireEye? FireEye sounds like a company who’s got a pretty diverse team, but do you feel that that’s coming through?

Kevin Thompson:
I think it depends on the position. Obviously, if you’re looking to be an engineer the number one goal is to have your technology chops. But if you’re looking to be a strategic analyst, you’re looking to come in to talk about what are the targets, or what are the threats to the oil and gas industry, or what are the threats to the financial industry. Technology is a part of it, but you need to know the ins and outs of why would someone target the financial industry, number one. And number two, what sort of information do they have that makes them more of a target? So I think it really depends on what you’re going for and what your goals are. But I see a lot more companies putting intelligence out, and intelligence has sort of become a sexy buzzword. But we see a lot more of the intelligence that comes out is not solely “here is the reverse engineering of the malware that we have seen.” Now we’re seeing “here are the victims and here’s the type of data that was stolen, and here’s some analysis on maybe what they were stealing and why they were trying to steal that data.” So I think especially as cyber security becomes more of a board room issue and less of a propeller-head issue, we’re starting to understand the need for the ‘why’ of what’s going on instead of just the ‘what’.


Max, Concise Courses:
You’re exactly right, I fully agree with you, that’s terrific. You’re a gem and a superstar and a guru. And thank you very much for coming on Hacker Hotshots and sharing your expertise, and we’d like to stay in touch with you and get you back on again in the foreseeable future for a follow-up.

Kevin Thompson:
Yes, thank you, of course. Thank you for the opportunity, I really appreciate it.