--[ PAI Operations: Everyone Can See What Lives Beyond Your Network Boundary

Presenter
$ getent passwd jdible
.
├─── name: Jared W. Dible
├──── org: Millennium Corporation
└─ social:
   └─ linkedin: in/jared-dible-691823160/
Experience

As the Senior Cyber Architect at Millennium Corporation, Jared is responsible for taking innovations across the company and making them a reality. Jared is a key leader in Millennium’s internal Research and Development efforts and oversees the Cyber Innovations Portfolio. Jared brings over 18 years of experience leading and executing highly technical services with a majority focus on systems engineering and cybersecurity inside the DoD.

Prior to joining the Millennium Team in 2016, Jared served in multiple Systems Engineer roles supporting intelligence systems for the US Air Force and US Navy. Jared also spent 6 years as a Cryptologic Technician in the US Navy before entering the civilian sector in 2007. Since joining Millennium as a Red Team Security Engineer, Jared has been instrumental in the planning and execution of countless cyber security assessments in support of Millennium’s customers as well as developing and implementing new corporate and customer cybersecurity capabilities.

Jared holds a Master’s Degree in Information Security from Friends University; a Bachelor’s Degree in Information Systems from Friends University; and he is a Certified Information Systems Security Professional (CISSP) and Offensive Security Certified Professional (OSCP).

Abstract

Open-Source Intelligence (OSINT) has been used for decades by the U.S. and adversaries alike to try and gain any information or competitive advantage. But with the explosion of work from home, bring your own device, advertisement data tracking, and cloud native platforms and data, the network perimeter has never been further away. Publicly Accessible Information (PAI) and commercially available data feeds are crucial in managing threats beyond the traditional security boundaries of any organization and the suppliers it depends upon to successfully execute their mission. PAI analysis is performed on data sets such as Internet netflow, Internet Domain Name System (DNS), Autonomous System Number (ASN), AdTech (geo-location, app usage, IP Address, and other metadata), and social messaging feeds without ever having to touch a target’s networks, systems, or users. This analysis can then be enriched with cyber threat intelligence or other data sources. For an organization’s security team, this analysis passively delivers visibility beyond their security boundaries, allowing for a broad compilation of use cases such as threat hunting and discovery, continuous monitoring, asset discovery, attack surface enrichment, and signature management. PAI can provide major impacts across Offensive and Defensive Cyber Operations, as well as Intel, Surveillance, Recon (ISR) and other DoD operations.

If an APT has gained initial access to a critical network inside an organization and successfully persisted, it likely means that they defeated both internal and perimeter security mechanisms to avoid detection. Before the adversary presence is ever known to the organization security team, the adversary must either trigger a defense mechanism with a future TTP in the attack chain or their 1st hop redirector must be flagged as malicious by a Cyber Threat Intelligence provider.

With PAI and commercially available data, analysts can work backwards starting at the attacker C2 server and analyze netflow traffic and DNS records across the various suspected redirectors, tunneled connections, and other obfuscated connections back to the target organization’s perimeter. The result of this analysis would be a tipper to the organization’s security team to guide internal investigations and incident response. Ultimately, this results in identification of a new IOC to be distributed to the organization and greater community for identification, remediation, and mitigation.

On the flip side, the same data sets and similar tactics can be employed for offensive purposes. A combination of netflow, DNS, AdTech, and social messaging can be analyzed to provide confidence in operational security of offensive TTPs and infrastructure. These data sets can also provide valuable insights and enrichment of a target attack surface. For both offensive use cases, it is important to realize that this analysis is performed on purely passive data sets, making this not only valuable intelligence but also an extremely stealthy means of enumeration, information gathering, and target development without ever touching a target network.

Millennium has spent the last 14 years supporting DoD Red Teams. This support and our desire to continually improve our customers capabilities led to the innovative and enhanced usage of PAI.