How To Be A Ghost presented at deepsec 2017

by Rhett Greenhagen, Jean Yav,

Summary : In the security community, most threat researchers are conducting research in an insecure and time-consuming environment. Whether intelligence is gathered from private communications over an IRC server or postings on an underground forum, researchers must be able to identify, document, and disseminate their findings quickly and without compromise. Having a secure and monitored enterprise covert communications framework in place will allow your researchers to focus on producing finished intelligence. In this workshop, we will discuss everything from creating/securing system architecture to developing methods for automation, all while staying protected.
The speakers will begin by detailing virtual server presence and configurations for virtual machines. The systems will be setup properly with tools and services commonly required by researchers. Network communications and anonymization techniques will also be covered in depth. This includes best practices for buying online services with Bitcoin and cash, the caretaking and sharing of online personas, and demonstrations on how actions done on a website, IRC server, forum, or gaming chat room can be tracked back to the researcher. Counter-log activities, the integration of mobile/social platforms, and legal implications/nuances will also be discussed.
The Advanced Programs Group within McAfee has experience in conducting sensitive and timely investigations in an enterprise environment. APG’s lessons learned in creating and maintaining these systems can assist research teams of any size in their endeavor to be more secure and deliver timely intelligence.
Presentation Outline
⦁ Introduction and key terms (VPN, VPS, COVCOM, COLLCO, etc…)
⦁ Basic terminology
⦁ ESXi Architecture and Hypervisor Support
⦁ How to install ESXi and lock it down for specific tasks
⦁ How to create different templates for different types of research
⦁ Disabling services and systems configuration to counter malware infections and stop infections from breaking out of the analyst’s virtual machine
⦁ Which services to enable to allow malware analysis to take place using tools such as Cuckoo Sandbox or Mcafee ATD
⦁ Creating Virtual Private Servers
⦁ How to purchase virtual private servers anonymously
⦁ Creating network communication between virtual private servers and virtual private networks for effective communication
⦁ Registering with a Regional Internet Registry and as well as Acquiring a /24 and /48 network
⦁ Getting connectivity between your Virtual Private Servers and the covert network
⦁ How to choose a secure address and BGP sessions based on pricing and anonymity
⦁ Social Media
⦁ Creating online personas for long term investigations, and how to document the usage of the persona so that any analyst can be assigned a persona
⦁ Behavior differences between online personas online, in things such as forums and IRC servers
⦁ How to track social media accounts being used by the analyst with alerts to keep a persona alive
⦁ Developing collections
⦁ How to run automated scrapes to gather intelligence for later investigations
⦁ How to log behavior within an IRC server covertly
⦁ Develop methods and working pipelines to gather information from closed sources regularly without being identified as a scheduled process
⦁ Ways how researchers get caught.
⦁ How researchers have been d0xed, case examples and how they could have been prevented
⦁ 10 commandments of things a researcher should always follow while ‘acting’ out an online persona
⦁ Using bitcoin to create and setup accounts/systems/network/etc
⦁ How to stay legal
⦁ General thoughts and ideas that might arise, situations such as being forced to attack a server to being sent unsolicited pictures
Attendee Takeaways
⦁ How to develop a secure environment that can be used to conduct online investigations and stay secure. How tools leave traces and how they interact with online instances.
⦁ How to conduct malware analysis within an enterprise network with systems put into place to help with automated malware analysis.
⦁ How to keep network communications secure and anonymous.
⦁ Understanding requirements for threat intelligence research and knowing how actions can be countered by forms of counter intelligence.