- Understanding the Role of Cyber Threat Intelligence Analysts:
- The Greatest Challenge CTI Analysts Confront…. Themselves (bias)
- Types of Threat Intelligence
- The Threat Intelligence Lifecycle
- Threat Modeling
- Cyber Espionage
- Attribution Confidence
- Attribution Process
- Attribution Tips
- Common Attribution Mistakes
- Diamond Model of intrusion
- The Cyber Kill Chain framework - developed by Lockheed Martin to better understand APTs
- Mitre ATT&CK
- Threat Intelligence Platforms
- Communicating Findings
Understanding the Role of Cyber Threat Intelligence Analysts:
- Analysts are primarily responsible for defending organizations against threats and mitigating breaches in order to prevent further compromise and inform decision making.
- CTI Analysts work to understand who the attacker is in addition to their tactics, techniques, and procedures (TTP) for the purposes of building out threat profiles.
- CTI analysts can serve in preventative and response functions: triaging, vulnerability/risk management support, information sharing, and resource allocation.
- The strength of a CTI team is its diversity of backgrounds, cultures, subspecializations, education, and personal interests (e.g, geopolitics)
- CTI Analysts have a hunter’s/scout’s mindset - life beyond the castle!
- CTI Analysts provide actionable threat intelligence - they should not only be able to explain what and how something is happening but how to remediate the vulnerability as well!
The Greatest Challenge CTI Analysts Confront…. Themselves (bias)
- Your upbringing, education, and experiences create cognitive biases
- Biases create a tunnel vision leading to inaccurate/illogical reasoning
- Confirmation bias is deadly, you only allow the investigation to unfold according to your limited viewpoint of the situation likely producing the results you sought to “discover” in the first place
- Lean on Structured Analytic Techniques (SATs) - anchor the investigation in logic
- Know yourself, know your team, look for new approaches in your CTI workflow
Types of Threat Intelligence
Threat intelligence comes in four primary forms: strategic, tactical, technical and operations. Knowing the differences between each can help you categorize your findings and establish guidelines for data collection and processing.
The Threat Intelligence Lifecycle
Traditional intelligence focuses on six distinct phases that make up what is called the “intelligence cycle”: direction, collection, processing, analysis, dissemination, and feedback.
- Understand your organizational infrastructure
- Determine what data and intellectual property your organization has that would provide an attacker with a competitive advantage
- How will threats affect operational capacity and business continuity?
- What are the intelligence requirements of your organization?
- Work to establish effective collection management framework capabilities
- Take a data-driven approach, ask reasonable questions based on available data
Critical to the identification of threats is using a threat categorization methodology. A threat categorization such as STRIDE, or a value-based risk model such as DREAD can be utilized.
- STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege)
- DREAD (Damage, Reproducibility, Exploitability, Affected Users, Discoverability)
Categorizing the Threat
- CTI analysts place an emphasis on understanding the who and the why?
- Most adversaries fall into one or more of the following categories: hacktivists, cybercriminals, cyber spies, and unknown entities
- Personal, political, or religiously motivated
- End goal: to publicly embarrass their opponents and advance their cause
- Hacktivists are known for DDoS attacks, website defacements, and data leaks (sensitive information)
- History of medium to high success
- Examples include: WikiLeaks, Anonymous, LulzSec, etc.
- Financially motivated
- Masters of social engineering; usually targeting individual consumers
- Subcategorization: cybercrime as a service whereby criminals can pay for cybercrime services on the Dark Web (Want to see an awesome video on this topic? John Hammond discussed the how to with David Bombal)
- Cybercriminals often sell compromised data and malware on the Dark Web utilizing cryptocurrency for transactions
- There are often two categorizations of malware: commodity malware (publicly available malware for general utility) and custom malware (case-specific with advanced detection elusion capabilities)
- Key point: malware can be bought or leased
- Most cybercriminals are after credentials, ransom, or compromising point-of-sale systems
- The more crafty cybercriminal criminals often look into infrastructure as a service, as it provides an additional layer of anonymity. The responsibility of the cybercriminal consumer is to stage and distribute malware, provide a portion of their profits to the service provider, and administer the command and control (C&C) services.
- Bulletproof Hosting (BPH) is often the most popular infrastructure as a service; whereby, malware is hosted, botnets can be controlled, along with other illegal activities
- Botnets are a network of infected computers controlled by an individual
- Botnets are often used for DDoS attacks or spam phishing attacks
- Botnets are incredibly useful in evading detection by law enforcement since the victims powering the botnet are often unaware that criminals are utilizing their systems
- Goal: steal sensitive information for the purposes of geo-political advantage against adversaries
- Key signature: custom, advanced malware
- Massive attack campaigns with frequent changes in infrastructure
- This category is the most likely to have access to zero-day exploits
- Watering-hole attacks are popular attack methods used by nation states
- A watering-hole attack is where attackers focus on a specific website that many of their victims visit and infect it with malware which compromises the viewers’ machines and network
- How is this done? Usually hackers gain access and place an HTML iframe (which redirects visitors to attacker-controlled infrastructure and covertly downloads malware) in a web page’s source code
- Attribution focuses on infrastructure, persona, malware, and targeting
- The goal of attribution is to understand the hacker’s motives and identity
- Attribution requires facts/evidence - don’t make assumptions!
- The danger of assumptions is the misguided intelligence that is used to inform decisions on vulnerability management - while you focus your efforts on one front, it opens the opportunities for other attack vectors to come into the picture
- People are creatures of habit - think about how much can be told about you, specifically by open-source repositories. Hackers have go-to tools, attack vectors, and malware.
- Low - circumstantial/weak, intelligence has major gaps
- Moderate - little evidence with additional secondhand information or circumstantial evidence
- High - Conclusive evidence from multiple components of the attribution model
- Always consider that evidence may be purposefully misleading to guide one to false attribution and therefore false intelligence
Step 1. Gather all attributable data
Step 2. Assess the data based on metrics and analytics
- Create the timeline
- Examine the log files and extract pertinent information such as domains/IP addresses
- Examine malware
Step 3. Build the case
- What attributes do you have? What is the confidence in the attributes?
- Form your hypothesis
- Are there outliers that can lead to attribution theories?
Step 4. Debate
- Evaluate evidence
- Rank competing hypotheses & attributions
- Play devil’s advocate - be incredibly skeptical of each theory and try to find weaknesses
- Work to formulate the most likely hypothesis and conduct a confidence assessment
- Document/communicate knowledge/results
- Keep in mind the distinction between hypothesis and assessment
- Don’t make official statements without a sufficient level of supporting evidence/data
- The CTI team is inherently part of the experiment. Don’t base your investigation off of your inclinations - pride comes before the fall. Look to imitate a juror’s mindset (considering the evidence before drawing certain conclusions) rather than taking the role of the executioner. Do your best to eliminate cognitive bias.
- Don’t rely on someone else’s thought process or experience - if team members have valid points they need to be able to elucidate the supporting evidence for their theories
- Be consistent in mapping techniques, and document extensively. Just because you don’t think you need that information/data now, it will come in handy later as you track activity over a long timespan leading to greater insights.
- Mistakes happen - correct them as soon as possible, it is much more dangerous to withhold information due to the consequences of malattribution and false intelligence
- Humans are creatures of habit with biases and preferences - track activity over a period of time, collect evidence, and ensure proper documentation/communication
- Be cognizant of copy cat attacks
- Generalizations kill - if you are uncertain whether attacks/evidence/TTPs are related, treat the collection as a separate grouping/incident.
- Shortcut: Rule of 2 - Using the Diamond Model of Intrusion, look for overlaps in intrusions/campaings, identify unique characteristics, and map unique characteristics. It is a deductive reasoning strategy that is really effective.
- Don’t ignore Transport Layer Security (TLS), they are helpful in finding C2 infrastructure. The TLS certificate evaluation provides us with:
- Subject Alternative Name (SAN) with identifies hostnames or IP addresses associated with the certificate
- Look for self-signed or unknown/suspicious CAs
- Look at the validity period of the certificate
- Certificate Revocation Status - checked by the CRL or OCSP
- Data pivoting is essential to domain evaluation
- Identify the domain and what it tells you
- Start with a single attribute that the domain provides
- Pivot - what other data points do you have that could shed light on this domain?
Common Attribution Mistakes
- Don’t consider DDNS infrastructure for attribution - it is an additional anonymity protection. The root domain is owned by DDNS provider. The subdomain is the attacker’s. Note providers and themes.
- When mapping out domains and hosting IP addresses, identify the C2 server. Identify the IP address associated with domain names. When looking to see if there are multiple domains hosted on the same IP address, don’t conclude their relatedness or unrelatedness without serious consideration. Research.
- Avoid attribution arising from domains registered by brokers. Many more domains, potentially related and unrelated, can result in incorrect attribution by including all domains registered by the same broker and linking it to a single attacker. This can also mislead future cyber threat hunts based on this malattribution. The registration information from the brokers is worth looking into, but is not always available/reliable.
- Don’t automatically base attribution on publicly available hacking tools, consider it part of the data collection necessary for documentation/analysis. Attackers will often do their best to avoid custom tooling, preferring to “live off the land,” because of their awareness of its utility in attribution.
- Malware is an important discussion point. Malware is first released somewhere from a particular group but often it is re-tooled in different campaigns - be careful! Look at TTPs. Leverage malware zoos (e.g., VirusTotal, Hybrid-Analysis, Joe Sandbox, etc.), as it is incredibly useful for CTI collection.
- Be cautious of unjudiciously incorporating “trusted sources’” threat data into your threat feeds
- Data discrepancies - does your internal source data match open source data? Are there trends? Ensure statistical rigor and data reliability.
The Pyramid of Pain
Diamond Model of intrusion
- Adversary - Who is the attacker? Why has this attack occurred? What is the timeline and planning? Where are the attackers geographically located?
- Infrastructure - What infrastructure is supporting the attack? What are the data management controls and where has the data leaked to, if it has been leaked?
- Capability - What skills and methods are the attackers using to deliver attacks? What resources are they using?
- Target: Going along with the “why,” who is the attack intended to harm?
- Strength of the Diamond Model of Intrusion Analysis is the focus on measurability, testability, and repeatability
The Cyber Kill Chain framework - developed by Lockheed Martin to better understand APTs
- First step: reconnaissance - OSINT
- Second step: weaponization - exploit is weaponized through modification, the addition of payloads, or packaging the exploit
- Third step: delivery method - done by email attachments, web, USB, etc.
- Fourth step: exploitation - Code is executed on the victim’s system due to vulnerability exploitation
- Fifth step: Installation - malware
- Sixth step: Command & Control (C2) of victim’s infrastructure
- Seventh step: Actions on objectives - attacker achieves original goals
ATT&CK is largely a knowledge base of adversarial techniques — a breakdown and classification of offensively oriented actions that can be used against particular platforms, such as Windows. Unlike prior work in this area, the focus isn’t on the tools and malware that adversaries use but on how they interact with systems during an operation.
ATT&CK organizes these techniques into a set of tactics to help explain to provide context for the technique. Each technique includes information that’s relevant to both a red team or penetration tester for understanding the nature of how a technique works and also to a defender for understanding the context surrounding events or artifacts generated by a technique in use.
Tactics represent the “why” of an ATT&CK technique. The tactic is the adversary’s tactical objective for performing an action. Tactics serve as useful contextual categories for individual techniques and cover standard, higher-level notations for things adversaries do during an operation, such as persist, discover information, move laterally, execute files, and exfiltrate data.
Techniques represent “how” an adversary achieves a tactical objective by performing an action. For example, an adversary may dump credentials to gain access to useful credentials within a network that can be used later for lateral movement. Techniques may also represent “what” an adversary gains by performing an action. This is a useful distinction for the Discovery tactic as the techniques highlight what type of information an adversary is after with a particular action. There may be many ways, or techniques, to achieve tactical objectives, so there are multiple techniques in each tactic category.
Another important aspect of ATT&CK is how it integrates cyber threat intelligence (CTI). Unlike previous ways of digesting CTI that were used primarily for indicators, ATT&CK documents adversary group behavior profiles, such as APT29, based on publicly available reporting to show which groups use what techniques.
ℹ️ More About MITRE ATT&CK
The ATT&CK Navigator is designed to provide basic navigation and annotation of ATT&CK matrices, something that people are already doing today in tools like Excel. We've designed it to be simple and generic - you can use the Navigator to visualize your defensive coverage, your red/blue team planning, the frequency of detected techniques or anything else you want to do. The Navigator doesn't care - it just allows you to manipulate the cells in the matrix (color coding, adding a comment, assigning a numerical value, etc.). We thought having a simple tool that everyone could use to visualize the matrix would help make it easy to use ATT&CK.
Live Version: https://mitre-attack.github.io/attack-navigator/
The principal feature of the Navigator is the ability for users to define layers - custom views of the ATT&CK knowledge base - e.g. showing just those techniques for a particular platform or highlighting techniques a specific adversary has been known to use. Layers can be created interactively within the Navigator or generated programmatically and then visualized via the Navigator.
#1 Consider all ATT&CK techniques equal Given the size of the ATT&CK matrix, it’s impossible to (a) prevent or (b) detect all techniques. You only have limited resources and should thus prioritize! #2 Misjudge your coverage Most ATT&CK techniques are not “Boolean”. It’s possible that you detect or block certain variations of a technique, but others not. Scoring should thus be fine-grained. #3 Consider ATT&CK as the “holy trinity” ATT&CK is a valuable tool, but it’s not a silver bullet. Recognize that, for some use cases, ATT&CK is not perfect. Furthermore, not everything is documented in ATT&CK.
🔧 MITRE ATT&CK Tools & Resources
Step 1: Identify Behaviors
- What are the most common behaviors found within the evidence?
- What behaviors have the worst consequences?
- What is your confidence in the data/findings?
- Evaluate the strength of evidence and consider the possibility of false positives because they can be equally damaging in building out an updated defensive strategy for vulnerability management
Step 2: Acquire data
- Consider what data is stored and collected by existing sensors and logging mechanisms
- Examine settings and rules on sensors/logging mechanisms - expand the database
- New tools or capabilities may be required for data collection
- MITRE ATT&CK framework favors Splunk-based architecture
- Splunk Universal Forwarders (on endpoints) send data to Splunk Heavy Forwarder
- Key point: network sensing (via netflow, packet capture, firewalls, proxies, etc.) at ingress and egress points are a fundamental endpoint sensing design flaw. Endpoint snapshots are also unreliable due to potential IOCs occurring between snapshots. It is important to examine what traffic occurs within a network and between systems.
- Endpoint detection is necessary for post-compromise review, which will provide additional data for ATT&CK adversary behaviors
- Ensure the analytics are intuitive - they are only as useful as the least trained/experienced SOC analyst’s ability to use them is
Step 3. Analytics
- Analytics are conducted on SIEM platforms
- Splunk’s query language, SPL, is an awesome tool
- Four analytic components are required: behavioral (behaviors mapped to techniques), situational awareness (e.g. sensor status), anomalies/outliers, and forensic evidence (e.g. list of compromised credentials)
Step 4&5: Adversary/Threat Emulation (Pentest)
- This verifies the efficacy of cyber defenses to include the utility of the aforementioned analytics and their functionality
Step 6: Investigation
- How well did the analytics perform against a simulated threat?
- Identify the weakest link in the analytics
- Construct the event timelines
- Gaps point to areas where additional analytics are required, look to add additional tooling for overlap/additional coverage
- Information gathering is required for hosts involved/compromised, data breached, and APT objectives/TTPs
Step 7: Performance Evaluation
- What must the blue team stop, start, or continue doing?
- What analytics need refinement?
- What further training would increase the efficacy of the SOC team?
- What tools, if any, would lead to greater coverage?
What does all of these steps provide a company with? Information about:
- Resource development
- Initial Access
- Privilege Escalation
- Defense Evasion
- Credential Access
- Lateral Movement
- Event Impact
Threat Intelligence Platforms
- First decision Open Source or Commercial Storage Platform?
- Open Source is free, has tremendous space, and ability to share across communities but the implementation can be difficult along with required maintenace
- Great Open Source options are CRITS, MISP, Threat_Note, and YETI
- Commercial storage platforms come with support in addition to advanced analytics and integration tools but it comes at a cost!
- Having trouble deciding? Look at your workflow and storage requirements/functionality
- Know your audience well - is your deliverable presented/written in a way the personnel can understand? Are you talking to the CISO, network defenders, or other roles? Context matters.
- Understand your role - you are a tactician
- What is the purpose of the communication? Is it for strategic, operational, technical or tactical purposes?
- Develop story-telling skills - CTI isn’t only about telling war stories but how history meets today's threat environment. Be able to deliver a full cycle CTI topic discussion.
- Consider variations in learning styles - include effective visualizations, have summary sheets, and always leave time for questions
- Ensure that all supporting documentation is thorough, accurate, and effective.
- Focus on metrics that matter! Data is only as effective as its visualizations and implications
- Clearly define your requests and how the requests will allow your team to accomplish the mission/objective
- What are the components of an assessment? Confidence, analysis, evidence, and sources
- Stay up to date with latest trends through reliable news sources, podcasts, social media content, books, courses, and more