Strategic analysis: malware C2 and geopolitics

Every day, computer network attackers leverage a worldwide system of compromised network infrastructure, based in every corner of the globe, to play hide-and-seek with network security, law enforcement, and counterintelligence personnel.

Compromised infrastructure: source data from FireEye

From the tactical, technical perspective of most cyber defenders, it is often difficult to see the forest for the trees. However, strategic players (like FireEye, where I worked before moving to Ukraine) can exploit very large data sets to deduce strategic relationships, patterns, and trends in an otherwise unfathomable sea of information.

One method is called traffic analysis, which examines the size, direction, and frequency of network communications to discover hidden meaning within them. Witness the use of traffic analysis during the World Wars.

Malware C2 map: source data from FireEye

Recently at Black Hat, we presented a paper, Leviathan: Command and Control Communications on Planet Earth, which employed high-level traffic analysis. We examined over 30 million malware callbacks to over 200 countries and territories over an 18-month period (Jan 2013-Jun 2014). From that data, we drew some interesting maps of Planet Earth, based not on traditional parameters, but on hacker command and control (C2) communications.

Strategic data sets can yield surprising (and sometimes strategic) conclusions. For example, looking at the recent conflicts in Ukraine and Israel, we saw pretty clear evidence that malware comms sent to countries in the middle of a national security crisis rise. The simple explanation, in my opinion, is that computer network operations are now an essential part of modern intelligence collection and military operations. And with a strategic data set on hand (which could include the A, B, and/or C hacker teams of any given country), such operations may be hard to hide.
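To make the frequency side of this traffic analysis concrete, here is an added example (not code from the Leviathan paper or from FireEye) that aggregates callback records by destination country and month, then flags months whose volume sits well above that country's own earlier baseline. The records, the z-score test against a fixed pre-window baseline, and the country codes are all constructed assumptions for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records, not FireEye data: (YYYY-MM, destination country code).
# Volumes are invented so that callbacks to "UA" jump in the last two months
# while "DE" stays flat.
SAMPLE_CALLBACKS = (
    [("2014-01", "UA")] * 40 + [("2014-02", "UA")] * 42
    + [("2014-03", "UA")] * 38 + [("2014-04", "UA")] * 41
    + [("2014-05", "UA")] * 95 + [("2014-06", "UA")] * 110
    + [("2014-01", "DE")] * 60 + [("2014-02", "DE")] * 58
    + [("2014-03", "DE")] * 63 + [("2014-04", "DE")] * 61
    + [("2014-05", "DE")] * 59 + [("2014-06", "DE")] * 62
)


def monthly_counts(records):
    """Aggregate raw callback records into {country: {month: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for month, country in records:
        counts[country][month] += 1
    return {c: dict(s) for c, s in counts.items()}


def flag_spikes(counts, baseline_months=4, threshold=3.0):
    """Treat each country's first `baseline_months` months as its quiet baseline
    and flag every later month whose count lies more than `threshold` standard
    deviations above the baseline mean.  Returns
    {country: [(month, count, z_score), ...]} for countries with a flagged month."""
    flagged = {}
    for country, series in counts.items():
        months = sorted(series)
        if len(months) <= baseline_months:
            continue  # not enough history to form a baseline
        base = [series[m] for m in months[:baseline_months]]
        mu = mean(base)
        sigma = max(pstdev(base), 1.0)  # floor: a flat baseline must not divide by zero
        hits = []
        for m in months[baseline_months:]:
            z = (series[m] - mu) / sigma
            if z > threshold:
                hits.append((m, series[m], round(z, 1)))
        if hits:
            flagged[country] = hits
    return flagged


if __name__ == "__main__":
    for country, hits in flag_spikes(monthly_counts(SAMPLE_CALLBACKS)).items():
        print(country, hits)
```

The baseline is a fixed early window rather than a rolling one on purpose: a rolling window would absorb the spike months themselves and mask a sustained rise like the one the post describes.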