
    AvengerCon VII: PAI Operations


    Part of the AvengerCon VII presentations cleared for public release:

    Presented by Jared Dible.

    Open-Source Intelligence (OSINT) has been used for decades by the U.S. and its adversaries alike to gain information or a competitive advantage. With the explosion of work from home, bring-your-own-device, advertising data tracking, and cloud-native platforms and data, the network perimeter has never been further away. Publicly Accessible Information (PAI) and commercially available data feeds are crucial in managing threats beyond the traditional security boundaries of an organization and of the suppliers it depends upon to execute its mission. PAI analysis is performed on data sets such as Internet NetFlow, Domain Name System (DNS) records, Autonomous System Number (ASN) data, AdTech data (geolocation, app usage, IP address, and other metadata), and social messaging feeds, without ever touching a target's networks, systems, or users. This analysis can then be enriched with cyber threat intelligence or other data sources. For an organization's security team, it passively delivers visibility beyond the security boundary, supporting use cases such as threat hunting and discovery, continuous monitoring, asset discovery, attack surface enrichment, and signature management. PAI can have a major impact across Offensive and Defensive Cyber Operations, as well as Intelligence, Surveillance, and Reconnaissance (ISR) and other DoD operations.

    If an APT has gained initial access to a critical network inside an organization and successfully persisted, it has likely defeated both internal and perimeter security mechanisms to avoid detection. Before the adversary's presence becomes known to the organization's security team, the adversary must either trigger a defense mechanism with a later TTP in the attack chain, or its first-hop redirector must be flagged as malicious by a cyber threat intelligence provider.

    With PAI and commercially available data, analysts can work backwards, starting at the attacker's C2 server and analyzing NetFlow traffic and DNS records across the suspected redirectors, tunneled connections, and other obfuscated connections back to the target organization's perimeter. The result of this analysis is a tipper to the organization's security team that guides internal investigation and incident response, and ultimately a new IOC to be distributed to the organization and the wider community for identification, remediation, and mitigation.

    On the flip side, the same data sets and similar tactics can be employed for offensive purposes. A combination of NetFlow, DNS, AdTech, and social messaging data can be analyzed to provide confidence in the operational security of offensive TTPs and infrastructure. These data sets can also provide valuable insight into, and enrichment of, a target's attack surface. For both offensive use cases, it is important to realize that the analysis is performed on purely passive data sets, making it not only valuable intelligence but also an extremely stealthy means of enumeration, information gathering, and target development that never touches the target network.

    Millennium has spent the last 14 years supporting DoD Red Teams. This support, and our desire to continually improve our customers' capabilities, led to this innovative and enhanced use of PAI.
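    The "work backwards from the C2 server" analysis described above, as an added worked example that is not code from the presentation or from Millennium. It walks NetFlow-style records in reverse from a known C2 address, through whatever hosts connected to it, until a source falls inside the target organization's netblock, then enriches each hop with passive-DNS names. Every flow record, IP address (all from RFC 5737 documentation ranges), domain name and passive-DNS entry below is constructed for the example; the function names `backtrace` and `tipper` are likewise the example's own.

```python
"""Passive back-trace from a known C2 address to a target organization's
perimeter over NetFlow-style records. Added illustration of the analysis
described in the text; all data below is constructed, not real observations."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    ts: str       # ISO-8601 start time of the flow
    src: str      # source IPv4 address
    dst: str      # destination IPv4 address
    dport: int    # destination port
    nbytes: int   # bytes transferred src -> dst


# Constructed flow records (not real traffic). The target's egress address
# 198.51.100.7 beacons to redirector 203.0.113.10, which forwards to a second
# redirector 203.0.113.20, which in turn talks to the C2 at 192.0.2.99.
FLOWS = [
    Flow("2022-11-01T08:00:00Z", "198.51.100.7", "203.0.113.10", 443, 1200),
    Flow("2022-11-01T08:00:01Z", "203.0.113.10", "203.0.113.20", 8443, 1180),
    Flow("2022-11-01T08:00:02Z", "203.0.113.20", "192.0.2.99", 443, 1150),
    Flow("2022-11-01T09:15:00Z", "198.51.100.7", "203.0.113.10", 443, 900),
    # Unrelated client of the same redirector from a network we do not own.
    Flow("2022-11-01T10:00:00Z", "192.0.2.150", "203.0.113.20", 8443, 300),
    # Legitimate traffic from the target that must not end up in the tipper.
    Flow("2022-11-01T10:05:00Z", "198.51.100.7", "104.16.0.1", 443, 5000),
]

# Constructed passive-DNS enrichment: IP -> domain names seen resolving to it.
PASSIVE_DNS = {
    "203.0.113.10": ["cdn-updates.example"],
    "203.0.113.20": ["api-metrics.example"],
    "192.0.2.99": ["mail-sync.example"],
}


def build_reverse_index(flows):
    """Map each destination IP to the flows that were sent to it."""
    idx = defaultdict(list)
    for f in flows:
        idx[f.dst].append(f)
    return idx


def backtrace(flows, c2_ip, target_net, max_hops=5):
    """Walk inbound flows from c2_ip back toward target_net.

    Returns de-duplicated chains, each a list of IPs ordered from the
    target's perimeter address out to the C2. Chains that do not reach the
    target network within max_hops are dropped."""
    net = ipaddress.ip_network(target_net)
    rev = build_reverse_index(flows)
    chains, seen = [], set()
    stack = [(c2_ip, (c2_ip,))]          # (current node, path from node to C2)
    while stack:
        node, path = stack.pop()
        if len(path) > max_hops + 1:
            continue
        for f in rev.get(node, []):
            if f.src in path:            # do not loop through a hop twice
                continue
            new_path = (f.src,) + path
            if new_path in seen:         # two flows on the same hop = one chain
                continue
            seen.add(new_path)
            if ipaddress.ip_address(f.src) in net:
                chains.append(list(new_path))
            else:
                stack.append((f.src, new_path))
    return chains


def tipper(chains, pdns):
    """Render each chain as one tipper line, hop by hop, with pDNS names."""
    lines = []
    for chain in chains:
        hops = [f"{ip} ({', '.join(pdns.get(ip, ['no pDNS']))})" for ip in chain]
        lines.append(" -> ".join(hops))
    return lines


if __name__ == "__main__":
    for line in tipper(backtrace(FLOWS, "192.0.2.99", "198.51.100.0/24"), PASSIVE_DNS):
        print(line)
```

    The output is a tipper, not a confirmation: commercial flow feeds are sampled and do not cover every provider, so a redirector hop outside the feed's coverage will break the chain, and a hop that is a shared hosting or CDN address will pull in unrelated clients (as the constructed 192.0.2.150 flow shows before it is discarded for never reaching the target netblock). The internal investigation the text describes is what turns a chain like this into an IOC.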

    Boiler:

    AvengerCon is a free security event hosted every fall by the Maryland Innovation and Security Institute to benefit the hackers of the U.S. Cyber Command community and the U.S. Army 780th Military Intelligence Brigade. The event is open to all service members and employees of U.S. Cyber Command and the Department of Defense, and related partners supporting cyberspace missions. AvengerCon features presentations, hacker villages, training workshops, and much more.

    The views expressed are those of the presenter, and do not reflect the official position of the 780th Military Intelligence Brigade, U.S. Cyber Command, the Department of the Army, or Department of Defense.

    VIDEO INFO

    Date Taken: 12.01.2022
    Date Posted: 01.04.2023 10:13
    Category: Series
    Video ID: 870216
    VIRIN: 221201-O-PX639-893
    Filename: DOD_109398109
    Length: 00:29:06
    Location: US


    PUBLIC DOMAIN