Using system fingerprints to track attackers

Post on 22-Jan-2015



Using system fingerprints to track attackers. Talk at B-Sides SF 2014 by Lance Cottrell. Leveraging known weaknesses in current anonymity tools to identify who is using such tools, and in some cases to identify the users themselves.

Transcript of Using system fingerprints to track attackers

©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information.


Using system fingerprints to track attackers

Lance Cottrell

Ntrepid/Anonymizer


When You Are Under Attack


You may ask:

Who was that masked man?


As a Defender, You See...


IP: 37.123.118.67

Lat / Long: +54 / -2

Country: UK

Ping: 110ms

ISP: as13213.net (AKA UK2.net) server hosting

Open Ports: SSH, HTTP


Is THIS Really the Attacker?


Which is the “Real” Attacker?


It’s Turtles All the Way Down


What If You Could Spot People Hiding?

Block Web Access

Redirect to Honeypot

Add Firewall Rule

Deny Credit Card

Flag in Logs


What If You Could Identify Your Attacker?


How Do They Hide?

Proxies

VPNs

Chained VPNs / TOR

Botnets / Compromised Hosts

Tradecraft


How Can You Spot Them?


Known Anonymous IP


Anon IPs are well known


Open Proxy / Ports


Obviously not a home PC

HTTP

X11

FTP

SSH


Non-Consumer IP


Identifying non-consumer IP

9 xe-0-3-0-5.r04.lsanca03.us.bb.gin.ntt.net (129.250.9.229) 1.555 ms xe-0-3-0-3.r04.lsanca03.us.bb.gin.ntt.net (129.250.9.201) 1.545 ms 4.888 ms

10 ae-3.r05.lsanca03.us.bb.gin.ntt.net (129.250.2.221) 1.429 ms 1.514 ms 1.465 ms

VS

13 te-18-10-cdn04.windsor.ca.sfba.comcast.net (68.85.101.34) 27.851 ms 32.571 ms 29.858 ms

14 c-98-248-25-27.hsd1.ca.comcast.net (98.248.25.27) 25.532 ms !X 25.736 ms !X 28.775 ms !X
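The contrast the slide draws (NTT backbone routers versus a Comcast "hsd1" residential host) can be automated from the reverse-DNS names in traceroute output. The following is an added example, not code from the talk: it parses the two excerpts above and labels each hop; the consumer and backbone hostname tokens are a hypothetical heuristic chosen to match this excerpt, not a published rule set.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the two traceroute excerpts from the slide (backbone vs residential).
TRACE_HOSTING = """\
9 xe-0-3-0-5.r04.lsanca03.us.bb.gin.ntt.net (129.250.9.229) 1.555 ms xe-0-3-0-3.r04.lsanca03.us.bb.gin.ntt.net (129.250.9.201) 1.545 ms 4.888 ms
10 ae-3.r05.lsanca03.us.bb.gin.ntt.net (129.250.2.221) 1.429 ms 1.514 ms 1.465 ms
"""
TRACE_RESIDENTIAL = """\
13 te-18-10-cdn04.windsor.ca.sfba.comcast.net (68.85.101.34) 27.851 ms 32.571 ms 29.858 ms
14 c-98-248-25-27.hsd1.ca.comcast.net (98.248.25.27) 25.532 ms !X 25.736 ms !X 28.775 ms !X
"""
# Hostname tokens assumed (hypothetical heuristic) to mark a residential access
# network (Comcast "hsd1") versus carrier backbone (NTT "bb.gin", xe-/ae- interfaces).
CONSUMER_TOKENS = ("hsd1", "dsl", "cable", "dyn", "pool", "dhcp")
BACKBONE_MARKERS = ("bb.", "gin.", "core", "xe-", "ae-", "te-", "cdn")
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\d.]+)\)")

@dataclass
class Hop:
    ttl: int
    host: str
    ip: str
    label: str
    admin_prohibited: bool  # "!X": ICMP "administratively prohibited" reply

def classify_host(host: str) -> str:
    h = host.lower()
    if any(t in re.split(r"[.-]", h) for t in CONSUMER_TOKENS):
        return "consumer"
    if any(m in h for m in BACKBONE_MARKERS):
        return "backbone"
    return "unknown"

def parse_trace(text: str) -> list:
    """Parse traceroute output lines into labelled hops (unparsable lines skipped)."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            ttl, host, ip = int(m.group(1)), m.group(2), m.group(3)
            hops.append(Hop(ttl, host, ip, classify_host(host), "!X" in line))
    return hops

def source_looks_consumer(text: str) -> bool:
    """True when the final hop (the probed source IP) sits on a consumer access network."""
    hops = parse_trace(text)
    return bool(hops) and hops[-1].label == "consumer"
```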


Latency vs. Ping Time

HTTP / Javascript

DHCP Ping


DNS Mismatch

HTTP from Chicago

DNS from Nigeria
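Both the "Latency vs. Ping Time" and "DNS Mismatch" checks come down to comparing two views of the same session. The example below is added here and is not from the talk: it joins a constructed HTTP log (with the ICMP ping RTT to the client IP and the round trip the page's JavaScript measured) against a constructed DNS log in which each page load fetched a resource under a per-session beacon hostname; the beacon domain, the RFC 5737 addresses, the geo labels and the latency thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed sample logs (not from the talk). IPs come from RFC 5737 test
# ranges and the geo labels stand in for a geo-IP lookup. Each page load
# fetched a resource under a per-session name <session>.beacon.example.test,
# so the DNS query for that name comes from the resolver the real client uses.
BEACON_SUFFIX = ".beacon.example.test"
HTTP_LOG = [
    # (session, client_ip, geo of client_ip, ICMP ping RTT to client_ip (ms),
    #  round trip measured by the page's JavaScript (ms))
    ("s1", "203.0.113.10", "US", 12.0, 16.0),
    ("s2", "198.51.100.7", "US", 11.0, 310.0),
    ("s3", "192.0.2.55", "UK", 110.0, 128.0),
]
DNS_LOG = [
    # (queried name, resolver_ip, geo of resolver_ip)
    ("s1.beacon.example.test", "203.0.113.53", "US"),
    ("s2.beacon.example.test", "192.0.2.200", "NG"),
    ("s3.beacon.example.test", "192.0.2.201", "UK"),
]

def resolver_geo_by_session(dns_log):
    """Map each session token back to the geo of the resolver that queried it."""
    out = {}
    for name, _ip, geo in dns_log:
        if name.endswith(BEACON_SUFFIX):
            out[name[: -len(BEACON_SUFFIX)]] = geo
    return out

def latency_inconsistent(ping_ms, js_ms, slack_ms=50.0, factor=3.0):
    """Flag when the application-layer RTT far exceeds the network RTT to the
    visible IP: the extra delay is being spent on hops beyond that IP.
    Thresholds are assumptions; JS timing always carries some overhead."""
    return js_ms > max(ping_ms * factor, ping_ms + slack_ms)

def flag_sessions(http_log=HTTP_LOG, dns_log=DNS_LOG):
    """Return {session: [flags]} for sessions whose HTTP and DNS views disagree
    or whose measured latency does not fit the IP they appear to come from."""
    resolver_geo = resolver_geo_by_session(dns_log)
    flags = defaultdict(list)
    for session, _ip, geo, ping_ms, js_ms in http_log:
        rgeo = resolver_geo.get(session)
        if rgeo is None:
            flags[session].append("no-dns-beacon")
        elif rgeo != geo:
            flags[session].append(f"dns-mismatch:{geo}->{rgeo}")
        if latency_inconsistent(ping_ms, js_ms):
            flags[session].append("latency-gap")
    return dict(flags)
```

Session s3 reproduces the slide's 110 ms UK host: its JavaScript round trip is only slightly above the ping, so it is not flagged, while s2 is flagged on both checks.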


Identify the Attacker


Identity Leakage

Embedded Media

Apps bypass proxy / VPN

Phone home


Fortunately (for you), Good OPSEC is Hard

Tools can be slow and cumbersome

May go direct for “innocent” activity / reconnaissance

May forget to use it

Accidentally cross the streams of personas

Correlate attacker print with all previous activity


Cookies and Bugs


Browser Fingerprints


Fingerprint Entropy

12.3 - User Agent

5.4 - HTTP_ACCEPT Headers

21.9+ - Browser Plugin Details

5.0 - Time Zone

7.5 - Screen Size and Color Depth

21.9 - System Fonts

0.4 - Cookie Test

0.9 - Super Cookie Test
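The per-attribute bit counts above are information-theoretic: an attribute value shared by a fraction p of browsers carries -log2(p) bits. The following is an added example, not from the talk, that computes these quantities over a constructed population of 16 fingerprints with abstract labels; it also computes the joint entropy to show the caveat that per-attribute bits cannot simply be summed, since the combined fingerprint can never carry more than log2(population size) bits.

```python
import math
from collections import Counter

ATTRS = ("user_agent", "time_zone", "screen", "fonts")
# Constructed population of 16 fingerprints (not from the talk); labels stand
# in for the real header and JavaScript-collected strings.
_UAS = ["A"] * 8 + ["B"] * 4 + ["C"] * 2 + ["D"] * 2
_TZS = ["UTC-5", "UTC+0"] * 8
_SCREENS = ["1920x1080x24", "1366x768x24", "1440x900x24", "2560x1440x30"] * 4
POPULATION = [
    {"user_agent": f"UA-{_UAS[i]}", "time_zone": _TZS[i],
     "screen": _SCREENS[i], "fonts": f"fontset-{i:02d}"}
    for i in range(16)
]

def entropy_bits(values):
    """Shannon entropy, in bits, of the distribution of observed values."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def surprisal_bits(attr, value, population=POPULATION):
    """Identifying information carried by one observed value, -log2 of its
    frequency: the kind of per-attribute figure the slide lists."""
    k = sum(1 for fp in population if fp[attr] == value)
    if k == 0:
        raise ValueError(f"{value!r} never observed for {attr}")
    return -math.log2(k / len(population))

def attribute_entropies(population=POPULATION, attrs=ATTRS):
    return {a: entropy_bits([fp[a] for fp in population]) for a in attrs}

def anonymity_set(fingerprint, population=POPULATION, attrs=ATTRS):
    """Number of population members matching on every listed attribute."""
    return sum(all(fp[a] == fingerprint[a] for a in attrs) for fp in population)

def joint_entropy_bits(population=POPULATION, attrs=ATTRS):
    """Entropy of the combined fingerprint; never more than log2(population),
    so summing per-attribute bits overstates what correlated attributes yield."""
    return entropy_bits([tuple(fp[a] for a in attrs) for fp in population])
```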


Attacker Use of Virtualization


Advantages

Easy to Clean

No Cookies or Super-Cookies

Detection as VM Requires Local Execution

Disadvantages

Cloned Each Time

Too Clean or Outdated Cruft

Can Be Detected as VM


Dread Pirate Roberts


Why Should YOU be Stealthy

Lurk in IRC and Forums

Discover Plans

Learn Techniques

Hide your interest & activity

Bait Honeypots

Drop False Leads and Links

Government Has Other More Aggressive Options


Thanks

Contact me at:

Email: lance.cottrell@ntrepidcorp.com

Commercial / Gov: http://ntrepidcorp.com

Consumer: http://anonymizer.com

Blog: http://theprivacyblog.com

Twitter: @LanceCottrell

LinkedIn: http://linkedin.com/in/LanceCottrell
