Betrayed by the keyboard: How what you type can give you away

Presented at DEF CON 26 (2018), Aug. 12, 2018, 2 p.m. (45 minutes).

Attribution is hard. Typically, the most useful identifiers-IP addresses, email address, domains, and so on-are also the easiest things to spoof, obfuscate, or anonymise. Whilst more advanced techniques, such as correlating malicious activity with timezones, or linking attacks through the use of similar techniques or malware, can be useful, they tend to take investigators further away from the individuals responsible; at best, some inference about the country or specific actor group/collective can be made.

In this talk, I present a method for linking incidents to individual attackers with a high degree of accuracy, based on extremely fine-grained behavioural characteristics. This involves an investigatory technique known as "case linkage analysis" (CLA), which uses granular aspects of crime scene behaviours to link common offenders together through statistical comparison. It's been applied to some crime types before, but never to cyber attacks.

I'll cover how CLA works, its advantages and disadvantages, and how it has previously been applied to a range of crimes, from burglary to homicide. I'll place it within the context of personality psychology, biometrics, forensic criminology, offender profiling, and forensic linguistics; and will walk through applying it practically.

I'll then show the results of a novel experiment I conducted applying CLA to network intrusion attacks, which involved logging the keystrokes of volunteer attackers across different simulated intrusions, breaking these down into specific behaviours and syntax, and using these to link individuals to their offences. The end result: the way you type commands, including your choice and order of syntax, switches, and options, can form distinctive behavioural signatures, which can be used to link attackers together. Linking accuracy rates as high as 99% were achieved.

Finally, I'll talk about the implications for both defenders and everyone else (particularly focusing on the privacy implications), explore ways in which these techniques could be defeated, and outline some ideas for future research in these areas.


Presenters:

  • Matt Wixey - Vulnerability R&D Lead, PwC
    Matt leads technical research for the PwC Cyber Security practice in the UK, works on its Ethical Hacking team, and is a PhD candidate at University College London. Prior to joining PwC, Matt led a technical R&D team for a law enforcement agency in the UK. His research interests include antivirus and sandboxing technologies, unconventional attack vectors, side-channels, and radio security. @darkartlab

Links:

Similar Presentations: