SocialLinks: An Actual Investigation

We have a special treat today, an actual investigation and preservation exercise on a Russian company we have had our eye on for the last year. First, to understand why today is their lucky day, peruse this New York Times article:

Here’s the lede from the article for those who refuse to click through:

On the same day Facebook announced that it had carried out its biggest purge yet of American accounts peddling disinformation, the company quietly made another revelation: It had removed 66 accounts, pages and apps linked to Russian firms that build facial recognition software for the Russian government.

This is a good step, but it isn’t the only housecleaning needed.

Available OSINT

If you open the current Maltego client you will see the Transform Hub, a listing of all service providers you can integrate. This is what you see this morning in the left hand column if you open the application on a 4k monitor. Note what is first and what is last.

SocialLinks Offerings In Maltego
SocialLinks Offerings In Maltego Transform Hub

I am the admin for the Maltego Group on LinkedIn. This is a screen shot I collected this morning. Implicit in this is a violation of Facebook terms of service, the source is SocialLinks CEO Alexandr Aleexev.

SocialLinks CEO Alexandr Alexeev Violates Facebook TOS
SocialLinks CEO Alexandr Alexeev Violates Facebook TOS

The company’s YouTube page has a variety of other demonstrations that indicate similar practices on other social media platforms. I snagged a screen shot from the video, which shows what they were doing a year ago.

SocialLinks Social Media Platforms
SocialLinks Social Media Platforms

This alone is enough to set off alarm bells given the current climate. We know a bit more about this company, because I assumed their appearance on the Transform Hub meant they were a quality provider. I spent $130 for a month of service in November of 2017, setting off six weeks of curious encounters, both with them, and disinterested counter-intelligence investigators on three continents.

Our Encounter

Needing to capture some Instagram content for a civil case, I grew weary of chasing threads after I got acquainted with the players, so I went looking for an automation solution that would capture their social network. I had an Instagram account to use from one of the parties to the case, but I assumed it would be burned the minute any evidence from it showed in a filing.

What I received just plain didn’t work. Not with Instagram, not with my personal LinkedIn network, not with Github, which should be fairly open.

SocialLinks Troubles
SocialLinks Troubles

This went on for a while, at first with me sharing details of DNS resolution issues for their servers and other stuff that seemed like normal troubleshooting. When I went to LinkedIn and made contact with CEO Alexandr Alexeev, I was immediately suspicious given his Moscow location.

We had an initial conversation on LinkedIn, below is an example of how things started. We agreed to meet on Wire, and there I was asked about VPNs, provisioning proxies in the U.S., and other means to circumvent access restrictions. I played along, thinking that some counter-intel attention might be forthcoming.

Alexander Alexeev 2018-01-20
Alexander Alexeev 2018-01-20

Counter-intelligence Failures

I felt there was plenty of reason for attention on this situation, but after a month of asking for attention, no fewer than three governments who should have been interested all struck out without so much as a single swing.

  • United States – target of Russian election interference.
  • United Kingdom – target of Russia referendum interference.
  • South Africa – home of Maltego maker Paterva.

I’m not saying that I typed this all into IC3, pressed ‘send’, and crossed my fingers. I had conversations with two people in the U.S. IC community, I talked to James Patrick at Liberty STRATCOM, and I have an associate who has a personal relationship with a brigadier in Hawks, South Africa’s Directorate for Priority Crime Investigation.

There are two ways to interpret this – either the system has already noticed and is working the problem, or the system is utterly overloaded and we are on our own. The fact that I got no response from any of the three countries made me think it was the latter. Having covered my own position, I sat back to see what happened next.

Further Cause To Act

Two months ago I met up with someone who had experiences with Social Links that were very similar to mine. I had already come to believe  I was dealing with someone trying to “handle” me, albeit clumsily, and probably seeking advice from someone else in the process. Talking to this other party hardened that impression. That’s all I am going to say about this.

Removal

As a last ditch effort, I reached out to an FBI Special Agent I know last week. They had the weekend to think it over, Monday to act, and the NYT article is the last piece of stimulus I need.  I just removed Alexeev from the LinkedIn Maltego Group and later today I am going to remove his posts, after announcing why he was removed.

Alexandr Alexeev Removal
Alexandr Alexeev Removal

Preservation & Publication

The particulars of what happened are important so I set out to preserve the details. Here are the steps I took:

  • Started Hunch.ly, preserved forty pages, both public and private. This application preserves content in an admissible fashion.
  • Launched MediaHuman’s YouTube Downloader  just in case they or YouTube decide to wipe their channel.
  • Preserved the @_SocialLinks_ Twitter account for further analysis using both Maltego and our internal tools.
  • Wrapped up the exported Hunch.ly casefile, the Maltego graphs, and the videos, transferred it to a person who will hand carry it to a former U.S. Attorney we employ for certain sorts of touchy situations.

That last bit is just for my protection, given that our President and Attorney General both appear to be compromised by the Russian government. I will not be subject to a raid that deprives me of exculpatory evidence, followed by a politically motivated prosecution.

Conclusion

In the absence of any response from the agencies that ought to handle problems like this, I guess we are in charge for the moment. If you’ve had similar troubles with this company, I advise you to back up everything, transfer it to legal counsel so that it is protected from seizure by attorney client privilege, then reach out to your local FBI field office.

I have shared the particulars with a couple reporters, too. If you have similar experiences and wouldn’t mind being interviewed on this, feel free to contact me.

Profound Tradecraft Failure: Wohl v. Mueller

Manchild scammer extraordinaire @JacobAWohl has been the center of a vortex of public attention for the last day or so, but it isn’t working out quite as he had envisioned. The scheme as revealed thus far has involved:

  • A front agency, Surefire Intelligence, with a claimed global footprint, based entirely on virtual office spaces.
  • A staff, several of whom had stock photos from A list celebrities, but only two of which had any contacts.
  • A second front agency, Atrium Private Intelligence, with a domain registered after Surefire’s, apparently existing to provide depth to the legend for the first agency.
  • Domains registered by proxy, but configured with a web site construction kit that included Wohl’s personal email in the SOA (Start Of Authority) for the domain.
  • Google Voice phone numbers, one of which Wohl validated with a real number belonging to his mother.

We are obviously publishing Analytical Tradecraft here, but Field Operations Tradecraft is another story entirely. One can not learn to tease things apart without gaining some sense of what not to do, but providing the affirmative defenses is a step we are not willing to take, at least not in the open. When we address Adversary Resistant Computing and Adversary Resistant Networking, the aim is to keep you safe in your pursuits. You will notice there is no Adversary Resistant Hosting category.

That being said, the failures can be summarized as “youthful enthusiasm”. Hertz will not rent to anyone under twenty five, our society’s firmest recognition that the neurological stuff that starts with the teen years doesn’t at high school graduation. Whatever role Jack Burkman and Jim Hoft played in this scheme, the execution was left in the hands of a lad that won’t be able to drink legally for another six weeks.

The primary reason you are reading this site (we think) is not for our slick production quality or our mastery of algorithms. You are here because we have been there. We try to keep what we do simple, rugged, and recoverable, because we are used to having too few resources, too many tasks, and not nearly enough time.

 

A Small Development Environment

The early version of the Netwar System ran with a handful of Twitter accounts and a flat file system. Today we use a 64 gig Xeon with 48 Twitter accounts for internal studies and a trio of 16 gig VPSes for botnetsu.press, our semi-public service. The requirements for an R&D system exceed a virtual machine, unless you’ve got a Xeon grade desktop.

We happen to have a Dell m4600 laptop and eight unallocated Twitter accounts, so this has been built out as an R&D environment. The system has a four core i7, 16 gig of ram, and in addition to the system volume there is a 60 gig msata SSD and a 500 gig spindle in the disk carrier that fits in the CD/DVD bay. This is essentially a miniature of our larger Xeon system.

Disk performance has always been our problem with Elasticsearch, so the msata drive was split into cache and log space for a 465G ZFS partition.

Disk /dev/sdb: 55.9 G

/dev/sdb1 28G

/dev/sdb2 27.9G

Disk /dev/sdc: 465.8 G

/dev/sdc1465.8G

 

The final configuration looks like this:

 

               capacity     operations    bandwidth

poolalloc free readwrite readwrite

—————————————-

zorp 612K 464G .   0 0 3.44K 5.37K

sdc1 612K 464G .   0 0 1.89K 4.32K

logs——

sdb2 4K .  27.7G .      0 0 1.55K 1.05K

cache ——

sdb1 40.5 . K28.       0G 0 0150 96

—————————————-

The following software is needed:

Once you’ve got them all installed you’ll see the following ports in use.

Elasticsearch

127.0.0.1:9200

127.0.0.1:9300

Kibana

127.0.0.1:5601

Neo4j

127.0.0.1:7687

127.0.0.1:7473

127.0.0.1:7474

Netdata

127.0.0.1:8125

0.0.0.0:19999

Redis

127.0.0.1:6379

A few caveats, first be sure these are the final lines in /etc/security/limits.conf or you will quickly learn to hate Elasticsearch.

elasticsearch – nofile 300000

root – nofile 300000

Next, examine the configurations for Elasticsearch and Kibana in /etc. You’ll want to ensure there is more than the default 2 gig for the JVM and modify the Kibana config so you can reach port 5601 from elsewhere.

 

We have come to the point where we must release configuration advice and some Python code in order for others to learn to use the system. We’re going to trust that the requisite system integration capabilities, analytical tradecraft, and team management skills are going to limit the number of players who can actually do this. There isn’t a specific Github repository for this just yet, but there will be in the coming days.

Suggested Reading: Complex Network Analysis in Python

Complex Network Analysis in Python
Complex Network Analysis in Python

There has been a gap in the social network analysis world since @ladamic stopped offering her excellent class via Coursera. I received my copy of Complex Network Analysis in Python earlier today, devoured the first five chapters, and I am pleased to report this book is a quality alternative to the class.

The book presumes you have enough Python to load stuff with pip and some pre-existing motivation to explore networks. Some key things to know:

  • The features and performance considerations of four Python network analysis modules are explained in detail; invaluable for those who are trying to scale up their efforts.
  • The visualization package Gephi is introduced in a very accessible fashion and advice regarding how to move data between it and your Python scripts is clear and simple.
  • There are a variety of real world examples included

The thing that is missing is Twitter – which is mentioned just once in passing on page 63. This seems like a good opening – the Complex Network Analysis Github repository is going to contain the Twitter related code we produce as we work through the examples in this text.

Making America Grey Again

The initial wave of NPCs were taken out by Twitter, about 1,500 all together according to reporting. A small number lingered, somehow slipping past the filter, and now they are regrouping. A tweet regarding the initial outbreak collected several new likes, among them this group of five:

Five NPCs
Five NPCs

And their 740 closest friends are all pretty homogenous:

NPCs: Diversity Through Conformity
NPCs: Diversity Through Conformity

A fast serial collection of these 740 accounts they follow was undertaken. Their mentions reveal some accounts that are early adopters, survivors of the first purge, or otherwise influential. 735 of them came through collection, the missing were empty, locked, or suspended.

These accounts made 469,889 mentions of others.  First we’ll look at 285,102 mentions of normal accounts, then we’ll see 184,787 mentions of Celebrity, Media, and Political accounts. Given that there are 67,000 accounts involved in this mention map, we’ll employ some methods we don’t normally use. This layout was done with OpenOrd rather than Force Atlas 2 and the name size denotes volume of mentions produced.

Many NPC Mentions
Many NPC Mentions

The large names here are based on Eigenvector centrality – they are likely popular members of the group, or in the case of Yotsublast, a popular content creator aligned with NPC messaging.

Popular NPC Accounts & Allies
Popular NPC Accounts & Allies

Usually we filter CMP – Celebrities, Media, and Politicians. These accounts are actively seeking attention so it is interesting to see who they reach out to in order to achieve that in these 184,787 mentions to about 18,500 others.

 

NPC Messaging Targets
NPC Messaging Targets

Attempting different splines with Eigenvector centrality leads to, after several tries, this mess.

Smaller Messaging Targets
Smaller Messaging Targets

Beyond the core at the bottom, Kathy Griffin, Alexandra Ocasio-Cortez, and Hillary Clinton are singled out for attention.

K-brace Filter Level 4
KBrace Filter Level 4

Mentions are directed but the best way to handle them at this scale seems to be treating them as undirected and using the KBrace filter. This is a manageable set of accounts to examine and the groupings make intuitive sense.

The 742 accounts were placed into our “slow cooker” but only 397 were visible. It isn’t clear why 350 were missed, but Twitter’s quality filter may have something to do with that.

NPC Creation Times
NPC Creation Times

Unlike the group of accounts in yesterday’s A Deadpool Of Bots, this wake/sleep cycle over the last ten days looks like humans making their own accounts to join in the fun. Given a good sized sample of tweets, an average adult will only consistently be inactive from 0200 – 0500, so those empty three hour windows, except for the first day, are a pretty convincing sign.

NPC Hashtags
NPC Hashtags

Their hashtag usage is entirely what one would expect.

NPC Daily Hashtag Use
NPC Daily Hashtag Use

Given the tight timeframe it was interesting to look at an area graph of their daily hashtag use for the last ten days.

 

As a society we have barely begun to adapt to automated propaganda, and now we’re facing a human wave playing at being automation. This is an interesting, helpful thing, as it provides a perfect contrast to what we explored in A Deadpool Of Bots.

A Deadpool Of Bots

Yesterday in chat someone pointed out a small set of accounts that followed this Dirty Dozen of known harassment artists.

Dirty Dozen De Jure
Dirty Dozen De Jure

The accounts all had the format <first name><last name><two digits>. We extracted two dozen from the followers of these twelve accounts, then ran their followers and found a total of 112 accessible accounts that had this same format. Suspecting a botnet, we created a mention map to see how they have been spending their time.

112 Bots & Mentions
112 Bots & Mentions

This image is immediately telling for those used to examining mention maps. There are too many communities (denoted by different colors) present for such a small group and the isolated or nearly isolated islands just don’t look like a human interaction pattern.

ICObench Nexus
ICObench Nexus

Adjusting from outbound degree to Eigenvector centrality, it was immediately clear what the focus of this group of accounts was. The next level of zoom in the names revealed two other cryptocurency news sites and a leader in the field as being the targets of the these accounts.

Thinking that 112 was a small number, we extracted their 7,029 unique followers’ IDs and got their names. Nearly 600 matched the first/last/digits format, but there were other similarities as well. We placed all 7,029 in our “slow cooker”, set to capture all of their tweets.

6,897 Bots
6,897 Bots

We were expecting to find signs of a botnet, but it appears the entire set of accounts are part of the same effort. The 6,897 we managed to collect were all created in the same twelve week period. The gap between creation times and the steady production of about eighty accounts per day seems to indicate a small hand run operation in a country with cheap labor.

Hashtags Used
Hashtags Used

The network is transparently focused on cryptocurrency over the long haul. Adjusting the timeframe to the last thirty days moved the keywords around a bit but the word cloud is largely the same. The clue to how these accounts got into the mix is there in the lower right quadrant – #followme and #followback indicate a willingness to engage whomever from the world at large, in addition to their siblings.

Why we have pursued this so far when it looks like just a cryptocurrency botnet is due to this clue.

The Big Clue
The Big Clue

Here are five bad actors with two other accounts created right in between them time wise. This is the most striking example, but there are others like it. And understand the HUMINT that triggered this – a group of people who do nothing but take down racist hate talkers all day feel besieged by a group that manages to immediately regenerate after losing an account.

Our Working Theory

What we think we are seeing here is a pool of low end crypto pump and dump accounts that were either created for or later sold to a ringleader in this radicalized right wing group.

Now that we have roughly 7,000 of them on record, we have to decide what to do. This is just such a blatant example of automation that Twitter might immediately take it down if they notice. The 6.5 million tweets we collected are utterly dull – the prize here is the user profile dataset. We’d need some mods to our software, but maybe we need to collect all the followers for this group of 7,000 and figure out what the actual boundaries of this botnet truly are.

This has been a tiresome encounter for those who make it their business to drive hate speech from Twitter, but this may be the light at the end of the tunnel. If one group is using pools of purchased accounts to put their foot soldiers back in play the minute they get suspended, others are doing this, too. No effort was made to conceal this one from even moderate analysis efforts. If we demonstrate this is a pattern and Twitter is forced to act, we may well find that a lot of the heat will go out of political discourse on that platform.

Exploring Conversation Spaces

Earlier today we captured seventy one Twitter accounts that we classified into three groups. These are Durant’s Dullards (21), Team Pillow Forts (23), and TheShed (27). The first are associated with RowdyPolitics[.]com, the second group are associated with CitJourno[.]org and Patribotics[.]blog, while the last group are unified by being stable, long term personas who are often forced to replace accounts due to suspension.

Three Co-Traveler Groups
Three Co-Traveler Groups

Visually, the Fortress of Pillowtude is on the left, the cluster of red accounts are the RowdyPolitics people, and The Shed’s frequent reincarnations leave them scattered around the perimeter on the right with fewer mentions.

This particular graphic has been filtered to remove 934 ‘CMP’ accounts – Celebrities, Media, and Politicians. The working theory behind this is that those accounts are ubiquitous, they cross group boundaries, and thus are not terribly useful for diagnostics. That thinly populated space in the middle are less notable CMP figures that haven’t been removed yet … but more importantly, some of those are ‘weak ties’, as covered in Mark Granovetter‘s 1973 classic social network analysis paper The Strength of Weak Ties.

Seeing The Whole Forest

While these groups lead in the creation, curation, and elevation of content, we want to be able to see them in the context of their operating environment. Graphs like this are useful for discerning structure, for identifying certain types of relationships, but those accounts generated over 262,000 mentions and over 12,000 others were mentioned twice or more. This is where we set aside Gephi and take up Elasticsearch.

Selecting the 2,739 accounts mentioned ten or more times is a good balance between getting what is important and not overrunning out available resources. Recent performance tuning means our collection system can now handle forty eight accounts in parallel. This run took 70 minutes to collect 6.48M tweets from 2,235 accounts that were actually available, an average of 32 accounts/minute. The 504 missing accounts are mostly those from The Shed that have been banned.

We want to see both overall features as well as group specifics, so JSON filters were created for each group. Applying them, we can see the top hashtags in use by each group over the last week. The fourth cloud is the overall set of hashtags employed by every account they mentioned. Here we begin to see what each group’s contribution to the overall conversation may have been.

Durant's Dullards Top 25 Hashtags
Durant’s Dullards Top 25 Hashtags
Team Pillow Forts Top 25 Tags
Team Pillow Forts Top 25 Tags
The Shed Top 25 Hashtags
The Shed Top 25 Hashtags
Top 25 Hashtags From All Accounts Mentioned
Top 25 Hashtags From All Accounts Mentioned

Temporal Matters

6.5 million lines of text is a lot to digest. When we employ Kibana we have powerful ways to search, filter, and abstract content, coupled with fine grained control of time. If we want to know the top hashtags over the prior seven days, limited to those that occurred with #MAGA or #Anonyous, and see how they compare volume wise, that’s easily done.

Top Hashtags Prior Week
Top Hashtags Prior Week

What if we want to see who first noticed the news of Elena Khusyaynova’s indictment on Friday? A few mouse clicks and we have the data from when the story broke. Long term observations are just as smooth – if we set the system up to spool content, it’ll just continuously capture the accounts that we decide are interesting.

Khusyaynova Indictment
Khusyaynova Indictment

Future Explorations

We are just getting started with the Kibana interface to Elasticsearch, using it as an advanced text search engine, and doing some simple infographics in the spirit of descriptive statistics.  There are complex, powerful tools out there, such as Timesketch and Wazuh, that are built on the Elasticsearch foundation. If we find just the right person, we may start branching in that direction.

An Old Investigation Worth Revisiting

There is something new brewing that we telegraphed on Twitter, but it’s going to take a bit to ripen. Between now and then let’s look over an unrelated event that is somewhat similar in spirit. Some of this originally appeared on Liberty STRATCOm as Russian Indictments, American Pinholes. The Internet Research Agency indictment revealed thirteen email addresses associated with Paypal accounts. It is believed that Ricky Pinedo had something to do with their procurement, but we were interested in what could be discerned from them.

Internet Research Agency Paypal Accounts
Internet Research Agency Paypal Accounts

We checked these against RiskIQ and only the first one came back with an associated domain.

DigitalFaceLab registered by wemakeweather@gmail.com
DigitalFaceLab registered by [email protected]

The domain registration was proxied, but unluckily for IRA, I used to live about two miles from this address, which was easily checked. It is a vacant lot between two other homes, and the woman’s name is common.

DigitalFaceLab Bogus Registration
DigitalFaceLab Bogus Registration

Don’t bother chasing DigitalFaceLab[.]com unless you have RiskIQ, it was moved to a Chinese IP after we started probing it, apparently a strategy to shift blame, and that’s not the real story in any event.

If you Googled the domain name when the indictment was relased, there was one hit, in YourDigitalFace[.]com’s front page source code.

YourDigitalFace[.]com unitedvetsofamerica@gmail.com
YourDigitalFace[.]com [email protected]
And the [email protected] account is one of the other Paypal accounts in the indictment. Now we might be on to something …

The domain YourDigitalFace[.]com was originally registered by Scott Orlosk in New Hampshire.

YourDigitalFace[.]com Original Registration
YourDigitalFace[.]com Original Registration
But it’s unclear what happened here. Did Orlosk lose control of the domain? It ends up tied to a Russian registrar, but not until May of 2017, which hardly makes sense given the overall time frame of events.

YourDigitalFace[.]com Expires
YourDigitalFace[.]com Expires
So what might be happening here?

  • RiskIQ is good, but not perfect, it misses things, it finds things later, it updates where and when it can get additional information. Maybe we are missing a key piece.
  • YDF expired, but Orlosk recovered it during a grace period, and may have been involved in developing and running DigitalFaceLab[.]com
  • Some exceedingly clever IRA person used DFL for the 2016 election and just happened to leave this subtle trail of clues to confound analysis.

But we know that IRA scrambled to clean up after the FBI made them – this is admitted in their indictment. Concealment at the theorized level is something we do in operations, we’ve run across similar things in other encounters with Russians, but this just … doesn’t feel like that. It doesn’t seem planned, it seems hasty, after the fact.

There are precisely three weeks to go till the 2018 midterm. This is a fine time to recall that Ricky Pinedo was just sentenced to six months in prison for what he took to be a crime below the threshold that would be pursued. His life will never be the same and everyone who had any transactions with those thirteen accounts has no doubt had some sleepless nights. Pinedo being sentenced means any cases based on his cooperation are going to quickly move to arrests, search warrants, and unsealed indictments becoming available.

Tools Of The Trade

Articles here are written by a single author (thus far) but represent the collective views of a loose group of two dozen collaborators, hence the use of the first person plural ‘we’. We take on civil investigations, criminal defense, penetration testing, and geopolitical/cybersecurity threat assessments.

Group members have native fluency in English, French, German, Spanish, Romanian, and we do a fair job with Arabic when it is required. Several of us have corporate or IPS infrastructure backgrounds, and our tools, both chosen and created, reflect this internal integration capability.

This is an inventory of the major systems we currently employ.

Gephi

The Gephi data visualization package is a piece of free software which permits the handling of networks with tens of thousands of nodes and hundreds of thousands of links. We use this for macro scale examinations of Twitter and some types of financial data, coding import procedures to express complex metrics, when required. When you see colorful network maps, this is likely the source.

Maltego

The Maltego OSINT link analysis system began life as a penetration tester’s toolkit. It offers a rich set of entities, integration of many free and paid services, and local transform creation. There is a team collaboration feature for paid subscribers and the free Community Edition can read any graph we produce. This is used internally in the same way a financial audit firm would employ a spreadsheet – it is a de facto standard for recording and sharing investigation information.

Sentinel Visualizer

Sentinel Visualizer is a law enforcement/intel grade link analysis package that supports both geospatial and temporal analysis. This only comes out in the face of paying engagements with large volumes of data, as it has a somewhat intimidating learning curve.

Hunch.ly

Hunch.ly is a Google Chrome extension that preserves the trail of web sites one visits, applying a standing list of selectors to each page and permitting the addition of investigator’s notes. This tool supports the notion of multiple named investigations, preserves content statically, and can export in a variety of formats. Users are free to follow their noses without the burden of bookmarking and making screen shots while investigating, then later attempting to share their findings in a coherent fashion. The system recently began supporting local Maltego transforms.

RiskIQ

The RiskIQ service is an aggregator of a dozen passive threat data repositories in addition to it’s own native tracking of domain registrations, DNS, SSL certificates, and other threat assessment data. The service is delivered as a web based search engine and a companion set of Maltego transforms. This system is a panopticon for bad actor infrastructure which we use daily.

Elasticsearch

The Elasticsearch platform is used for many things, but for us it is a full text search engine with temporal analysis capabilities that will easily handle tens of thousands of Twitter accounts that have produced tens of millions of tweets. This is a construction kit for us, the right way to collate and correlate the work of teams of Actors, Collectors, and Directors. We currently curate 25 million tweets from ISIS accounts that were collected by TRAC, we support Liberty STRATCOM with collection and analysis, and the botnetsu.press system is in use by activists who track violent right wing groups in the west.

Negative Decisions

What not to do is just as important as the right stuff. Here are some things we avoided, that we tested but did not implement, or that we have used but later abandoned.

Analyst’s Notebook – nonstarter, 2x the cost of Sentinel Visualizer, and not nearly as open.

Windows – with the exception of Sentinel Visualizer, we don’t have anything that is Windows dependent. Generally speaking, things have to behave for Linux and OSX, with Windows support being nice, but not required.

Splunk – we tried to love it, truly we did. It just didn’t work out.

OSSIM – largely abandonware from what we hear. AlienVault’s Open Threat Exchange is doing fine though, and it all turns up in RiskIQ.

Aeon, Timeline, etc – we always jump at collaborative timeline tools, then later end up sitting back and being annoyed. SaaS solutions are out there, but we have confidentiality concerns that hold us back from using them.

TimeSketch – very cool, an Elastic based tool, but more incident response focused than intel oriented.

SpiderFoot – very cool, but we settled on RiskIQ/Maltego installed on a remotely accessible workstation. This is one we should put back up and use enough to advise others.

There have been many more digressions over the years, these are some of the more formative ones.

 

Adversary Resistant Networking

Much like our thinking regarding Adversary Resistant Computing, we have some ideas on dealing with opponents who exhibit enough situational awareness to spot a visitor originating in a certain place, and then devise some way to cause trouble for them.

First, what hunts you?

Our taxonomy of threats from the ARC article is a bit much here. Any foe you might encounter will fall somewhere on this spectrum:

  • Simple detection via web site logging or documents seeded with some means of ‘phoning home’. Threats are doxing, civil discovery, or maybe an attempt to involve law enforcement.
  • Detection and fingerprinting for browser, OS, and the like. Threats as above, adding perhaps browser hijacking or spearphishing attempt.
  • Detection, fingerprinting, temporal analysis, and other corporate defense tactics. Threats as above, adding much more likely civil or criminal trouble.
  • Competent nation state or Five Eyes, curious and tracking large classes of anomalous behavior, watching (and interfering) in ways you can not quite imagine. Threats scale up with their perceived value of what interests you.

Second, what role does your organization play?

If you are noticed, what does your presence convey to the entity that has detected you? Are they about to get some negative press? A lawsuit? A raid by authorities? Are you a vanguard for a sanctioned intrusion or some sort of subversion of their systems? They will be doing a threat assessment on you, just as you should be doing on them.

Third, how much are you willing to give up?

You can not interact with a remote system without leaving some sort of trace. There are a variety of ways to hide, from the Tor anonymizing network, to various VPNs, to physical travel away from your normal haunts. And if you have a budget, there is realm beyond this one.

Some Real World™ scenarios:

The Tor network provides a multi-hop routing architecture, hundreds of global exits to the clearnet, and a private darknet of websites with onion addresses. Entry level opponents will be baffled by this, wary ones will simply use the Tor exit nodes list to block access, and nation states are in a position to attempt traffic correlation and other mischief.

There are many VPN providers out there. If they require you to use a binary bundle, you should turn and run. Free services that accept OpenVPN connections are profiling you, injecting ads, and likely trying to hijack your system. We trust ProtonVPN to not be doing this, and for certain other activities the very feral Cryptostorm is a good choice. The problem with each is that their exits are discoverable by anyone willing to spend $5 to $125 to explore, and once your pattern is recognized,

Tor will happily engage its network after exiting a VPN node. Some VPN providers, like Cryptostorm, offer free low speed services, and they will accept TCP connections that arrive from the Tor network. The first is good discipline if you might be facing one of those nation state opponents, the latter is a technique used to circumvent Tor access bans while still enjoying its protection.

The real hazards here are forgetting to do some certain step, say turning on a VPN, or having a a failure that in some way exposes your location. We are big fans of “fail closed networking” – if something isn’t right with your connection, it should behave in such a way that you must repair it before resuming your work.

There are tools that purport to do this for desktop operating systems; we find all of them to be less than comforting. Linux can be made to behave in this fashion, and Linux based firewalls can enforce such discipline for your entire network, including those devices which otherwise have no hope of operating safely.