After travels around the globe we are entering the vast world of operations in cyberspace, specifically how they are analyzed and how that analysis helps in defense. One of the inspirations for the name of this blog, counterintelligence.pl, was that the activity known as Cyber Threat Intelligence (CTI) is, in my opinion, much more a counterintelligence than an intelligence activity. Analysts focus on dissecting specific actions, examining the traces left by entities trying to gain unauthorized access to systems (who are sometimes directly officers of intelligence agencies), and creating methods of detecting and neutralizing such activities. So when we look at the definition of counterintelligence contained in Executive Order 1233, which regulates intelligence activities in the United States, we find:
"Counterintelligence means information gathered and activities conducted to protect against espionage, other intelligence activities, sabotage, or assassinations conducted for or on behalf of foreign powers, organizations or persons, or international terrorist activities, but not including personnel, physical, document or communications security programs."
This coincides with the essence of the work of CTI teams, which collect information about hostile activity and help other teams to counteract it more effectively. The term Cyber Threat Intelligence, however, has already become so established in the community that we probably no longer have a chance to switch to Cyber Counterintelligence, which is much cooler in my opinion.
So much for the introduction. Coming to the point, in this post I would like to present the tools that are used in CTI analysis and how they help in understanding hostile activity. These will not be software or hardware tools such as malware analysis systems, network traffic capture or computer forensics, but analytical structures that help in categorizing the individual elements of an activity and putting them together. These instruments are the Cyber Kill Chain, the Diamond Model of Intrusion Analysis and MITRE ATT&CK. So let's take a quick look at each of them, and then see how they help network defenders make their attackers' lives harder.
The first of them, the Cyber Kill Chain, is the work of Lockheed Martin employees who broke down the process of hostile activity into seven successive stages:
- Reconnaissance - the attacker collects information about the victim. This can take the form of employee listing, network infrastructure mapping, analysis of publicly available materials to identify the most valuable or critical resources for the organization's operation.
- Weaponization - preparation of the tools necessary to carry out the break-in, such as attachments for phishing e-mails, exploit code for vulnerabilities and implants that establish access to the target system.
- Delivery - the use of network (e-mails, services available from the Internet, instant messaging) or physical (USB stick) communication channels to introduce the prepared tools into the victim's environment.
- Exploitation - obtaining the ability to execute commands in the victim's environment by using previously identified vulnerabilities.
- Installation - ensuring the continuity of access to the environment by installing implants on the victim's machines, e.g. adding a scheduled task that runs the malware each time the computer is turned on.
- Command and Control (C2) - attackers transmit commands to the tools they have successfully installed and receive feedback on activity in the environment.
- Actions on Objectives - in the end, the attacker completes the goals set when planning the attack, e.g. by stealing data or encrypting the contents of disks.
The assumptions behind this view of an attack are that each stage is necessary for the execution of the next one, and that the stages follow one another in order. In this way, network defenders have seven stages "at their disposal": interrupting the attackers' activity at any one of them allows them to avoid the effects of an intrusion, or to limit them if we are talking about the last stage.
The second tool is the Diamond Model of Intrusion Analysis, developed by Sergio Caltagirone, Andrew Pendergast, and Christopher Betz. According to the authors, the idea itself was born in 2006, but it took a total of 7 years to create and refine the model. Finally, an article describing the model was published in 2013. I encourage you to read it, but the assumptions of the model are best explained through its graphical representation:
The basic "unit" of the model is therefore an event described by four main attributes:
- Adversary (attacker) - the entity responsible for the hostile actions.
- Infrastructure - means of delivering capabilities to the victim, such as C2 servers, files attached to phishing emails or watering hole domains.
- Capabilities - the technical means of gaining access to the victim's resources: exploits, implants, and skills such as social engineering.
- Victim - the target of the attacker's actions.
The authors also describe additional attributes (meta-features) that can be used to describe an event in more detail, such as time, result (whether the attacker managed to achieve his goals) or phase (e.g. the Cyber Kill Chain phase or the MITRE ATT&CK tactic). These last two attributes will be the key to combining the models described here and using them to analyze activity. It is also worth paying attention to how the axes of the model describe the characteristics of the event on two planes. The horizontal, technical axis between infrastructure and capabilities is the typical technical description of an attack in terms of factors such as malware activity, communication protocols with C2 servers, social engineering methods used to induce the victim to take specific actions, or ways of avoiding detection. From my perspective, however, the vertical, socio-political axis that defines the relationship between the attacker and the victim is no less important. The discussion about the importance (and necessity) of attributing cyber operations, i.e. assigning activities to specific attackers, is a topic for a separate post, but in my opinion it is impossible to ignore the motivations of attackers and the victimology of an operation. Such events do not happen in a vacuum, and an inquisitive analyst should always bear in mind for what purpose the operation was carried out, and why against this specific organization.
Putting aside these deliberations and going to practice, I personally most often use the Diamond Model (DM) in two formats. First, small diamonds describing the individual events of an incident, which can then be assigned to the successive activity phases, such as:
Here we can see how the delivery phase of the kill chain was broken down into the diamond's vertices, which nicely shows how a certain John Doe was trying to send a phishing email with an alleged invoice to our victim's accounting department. The word "trying" is crucial here because, as we mentioned, the description of the event may also record whether the action achieved the effect the attacker intended.
The second form of diamond is large diamonds describing the entire groups of activities tracked as part of the threat intelligence practice, for example:
Here the whole activity of a given group is presented (in general terms, of course), which allows analysts to catalog the techniques used by particular groups and to search for connections between individual incidents. The topic of attribution returns here, and in the way we approach assigning actions to actors we can distinguish two schools of thought:
The term "threat actor" is most often used by teams that try to assign operations to the specific people sitting behind the keyboard. The best examples are companies such as CrowdStrike or Mandiant, whose reports often indicate specific military units or intelligence agencies responsible for intrusions.
The second approach is the "activity group" popularized by Dragos. In this model, we are not interested in who exactly is behind the operation, whether they are organized groups or individuals, criminals or service officers. What is important is whether the elements of the activity coincide in the course of subsequent analyzed cases.
Based on the example presented, in the "threat actor" approach our Wicked Emu group would represent a specific group of people carrying out operations that can be characterized by the description on the diamond's vertices. If, however, we decide on an "activity group", we are not interested in whether Wicked Emu is actually one person, several people or even several organizations that do not know about each other. As long as they are united by their mode of operation, we observe them as one group. I will not judge here which approach is better, but in my opinion the "activity group" is more methodologically sound for most teams, especially those doing threat intelligence for the protection of their own organization's infrastructure. It is based on the directly observed elements of the group's activity, without the need to carry out the often time-consuming and not always possible process of attribution. Regarding the use of the Diamond Model in incident analysis, I also refer you to the presentation that I had the pleasure of giving at the SECURE 2019 conference.
The last and newest tool is MITRE ATT&CK, that is, a catalog of the Tactics, Techniques and Procedures (TTPs) used by attackers. The idea is to build a common dictionary of terms, which makes it easier for defenders to analyze activity and introduce security measures that address it. Here we see, for example, a tactic (Reconnaissance), a technique (Active Scanning) and two procedures (Scanning IP Blocks and Vulnerability Scanning).
At this point, however, it should be noted that the authors of ATT&CK decided to take a slightly different view of the definition of TTPs than the one widely understood in threat intelligence. Commonly, tactics are how attackers achieve their goals, techniques are detailed descriptions of methods, and procedures are specific implementations. In ATT&CK, however, tactics are goals in themselves (like Reconnaissance here), and only what MITRE calls sub-techniques corresponds to what we would usually call techniques. This is not a criticism of the model, but you have to keep this detail in mind to avoid misunderstandings.
Moving on to the application of the model: by using the catalog, we make it easier for other teams to consume threat intelligence products, and we get another tool for cataloging activity in the environment. First, the catalog of observed activities can be used by threat hunting and detection teams as a guide for where to look. Secondly, we can assign specific ATT&CK entries to the activities we observe, which in the long run allows us to create histograms showing which activities occur most often in our environment. Depending on the interpretation, this may indicate that we should focus on implementing security measures against them, or that our detection capabilities need developing because we do not see other techniques 🙂 Let's go back to our example and see how we can develop the analysis:
So we added the following identifiers:
T1102 - Web Service - when attackers use commonly used services such as Dropbox, Google Drive or their own GitHub repositories for C2 communication.
T1204.002 - User Execution: Malicious File - here we see an example of a MITRE sub-technique. T1204 is the identifier of the technique of tricking the user into launching a malicious element, and .002 flags the use of a malicious file (other options here include a malicious link or a malicious image).
The techniques we found can be tagged in the catalog using ATT&CK Navigator, which lets you work with the catalog by assigning values to specific entries, marking the techniques you are interested in with colors, or exporting tables to a spreadsheet. This is what Navigator looks like, where I assigned the activity we observed the value "1" (we can, for example, increase the value with each subsequent detection of the technique):
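The tally-and-tag workflow described above (assigning ATT&CK identifiers to observations, rolling sub-techniques up to their parent technique, and feeding the counts into Navigator) can be scripted. The block below is an added example, not code from the original post or from MITRE: the observations are constructed, T1102 and T1204.002 are the identifiers discussed in the post, T1566.001 (Phishing: Spearphishing Attachment) is a real sub-technique added for the example, and the version numbers in the generated layer are an assumption to be checked against the Navigator instance you actually use.

```python
"""Count ATT&CK technique observations per incident and emit a Navigator layer.

Added example (not from the original post). The OBSERVATIONS list is
constructed sample data; the 'versions' block in the layer is an assumption.
"""
import json
import re
from collections import Counter

# Constructed sample: (incident id, ATT&CK id, analyst note).
OBSERVATIONS = [
    ("INC-001", "T1566.001", "invoice-themed mail with macro document"),
    ("INC-001", "T1204.002", "user opened the attached document"),
    ("INC-001", "T1102", "C2 over a public web service"),
    ("INC-002", "T1204.002", "user opened the attached document"),
    ("INC-002", "T1102", "C2 over a public web service"),
    ("INC-003", "T1102", "C2 over a public web service"),
]

# Txxxx for a technique, Txxxx.yyy for a sub-technique.
ATTACK_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def parent_technique(attack_id):
    """T1204.002 -> T1204; a plain technique id is returned unchanged."""
    if not ATTACK_ID.match(attack_id):
        raise ValueError(f"not an ATT&CK technique id: {attack_id}")
    return attack_id.split(".")[0]


def tally(observations):
    """Number of distinct incidents in which each id was seen.

    Counting incidents rather than raw hits stops one noisy incident from
    dominating the histogram. Sub-techniques are also credited to their
    parent technique, so the result answers both 'how often T1204.002?'
    and 'how often any form of User Execution?'.
    """
    per_incident = {}
    for incident, attack_id, _note in observations:
        ids = per_incident.setdefault(incident, set())
        ids.add(attack_id)
        ids.add(parent_technique(attack_id))
    counts = Counter()
    for ids in per_incident.values():
        counts.update(ids)
    return counts


def navigator_layer(counts, name="observed activity"):
    """Build an ATT&CK Navigator layer (JSON-serialisable dict).

    'score' is what Navigator uses for its colour gradient, so a higher count
    renders as a hotter cell. The version strings are an assumption here.
    """
    techniques = [
        {"techniqueID": attack_id, "score": n,
         "comment": f"seen in {n} incident(s)"}
        for attack_id, n in sorted(counts.items())
    ]
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},
        "techniques": techniques,
    }


if __name__ == "__main__":
    counts = tally(OBSERVATIONS)
    for attack_id, n in counts.most_common():
        print(f"{attack_id:<10} {n}")
    with open("observed-activity.json", "w", encoding="utf-8") as fh:
        json.dump(navigator_layer(counts), fh, indent=2)
```

Load the written file through Navigator's "Open Existing Layer" option; the most frequent technique in the sample (T1102, seen in all three constructed incidents) will be the most strongly coloured cell, which is exactly the histogram view the post describes.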
Finally, let's look at all the tools together and see how we can use them for comprehensive campaign tracking. First of all, by tracking the kill chains of successive break-in attempts, we can find common elements and, as a result, create activity groups, gaining knowledge about which groups are interested in our environment. A graphical representation of such an analysis looks like this:
Each column of diamonds represents a single incident here, and the arrows connect the diamond vertices that were a common element for a given phase; so we see, for example, similar activity at the weaponization, delivery, installation and actions-on-objectives stages for the second and third incidents. Further, by analyzing a specific incident, we can firstly classify the activity we have observed, and secondly, easily judge where we are lacking visibility:
From this presentation of the analysis of the observed activities, we can clearly see, for example, that we have mapped the capabilities the attacker used quite well, that we know less about his infrastructure, and in particular that we need to work on our analysis of the exploitation phase.
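The three uses of the models described in this post (the kill chain as an ordered list of phases at which defenders can break an intrusion, the Diamond Model event with its phase and result meta-features, and the campaign view that links incidents by shared vertices and exposes visibility gaps) fit naturally into one small data model. The following is an added example and not code from the original post or from the Diamond Model authors: the three incidents are constructed, the correlation rule (shared infrastructure or capability in at least two phases) and the phase names are my assumptions, and "John Doe" is the post's own placeholder.

```python
"""Diamond Model events tagged with Cyber Kill Chain phases: correlate incidents
into activity groups and report visibility gaps. Added example, not from the
original post; the incidents below are constructed sample data."""
from dataclasses import dataclass
from typing import Optional

KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objective"]
VERTICES = ("adversary", "infrastructure", "capability", "victim")
TECHNICAL_AXIS = ("infrastructure", "capability")  # vertices used to correlate


@dataclass(frozen=True)
class DiamondEvent:
    """One diamond: four vertices plus the two meta-features the post relies on,
    the kill-chain phase and the result. None on a vertex means 'unknown'."""
    phase: str
    adversary: Optional[str] = None
    infrastructure: Optional[str] = None
    capability: Optional[str] = None
    victim: Optional[str] = None
    result: Optional[bool] = None  # True = succeeded, False = blocked, None = unknown

    def __post_init__(self):
        if self.phase not in KILL_CHAIN:
            raise ValueError(f"unknown kill-chain phase: {self.phase}")


def shared_phases(a, b, vertices=TECHNICAL_AXIS):
    """Phases in which incidents a and b share a known vertex value: these are
    the 'arrows' drawn between diamond columns in the campaign picture."""
    shared = []
    for phase in KILL_CHAIN:
        ea = [e for e in a if e.phase == phase]
        eb = [e for e in b if e.phase == phase]
        if any(getattr(x, v) is not None and getattr(x, v) == getattr(y, v)
               for x in ea for y in eb for v in vertices):
            shared.append(phase)
    return shared


def activity_groups(incidents, min_shared=2):
    """Cluster incidents that overlap in at least min_shared phases: an
    'activity group' in the Dragos sense, grouped by how they operate rather
    than by who is assumed to be behind them. Union-find over incident names."""
    parent = {name: name for name in incidents}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]
            n = parent[n]
        return n

    names = list(incidents)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if len(shared_phases(incidents[a], incidents[b])) >= min_shared:
                parent[find(a)] = find(b)
    groups = {}
    for n in names:
        groups.setdefault(find(n), []).append(n)
    return sorted(sorted(g) for g in groups.values())


def visibility_gaps(incident):
    """(phase, vertex) pairs with no known value in any event of that phase:
    the empty diamond tips in the 'where are we lacking visibility' view."""
    return [(phase, v) for phase in KILL_CHAIN for v in VERTICES
            if not any(getattr(e, v) is not None
                       for e in incident if e.phase == phase)]


def chain_broken_at(incident):
    """Earliest phase whose recorded events were all blocked, i.e. where the
    defenders interrupted the kill chain; None if nothing was stopped."""
    for phase in KILL_CHAIN:
        events = [e for e in incident if e.phase == phase]
        if events and all(e.result is False for e in events):
            return phase
    return None


# Constructed incidents (not real data). INC-1 and INC-2 reuse the same lure,
# persistence method and C2 channel; INC-3 is an unrelated, blocked USB drop.
INCIDENTS = {
    "INC-1": [
        DiamondEvent("weaponization", capability="macro invoice doc"),
        DiamondEvent("delivery", adversary="John Doe", infrastructure="invoice-sender.example",
                     capability="phishing email", victim="accounting", result=True),
        DiamondEvent("exploitation", capability="VBA macro", victim="accounting", result=True),
        DiamondEvent("installation", capability="scheduled task", victim="acct-ws-12", result=True),
        DiamondEvent("command_and_control", infrastructure="public web service C2", result=True),
        DiamondEvent("actions_on_objective", capability="archive+exfil", victim="fileserver", result=False),
    ],
    "INC-2": [
        DiamondEvent("weaponization", capability="macro invoice doc"),
        DiamondEvent("delivery", infrastructure="hr-portal.example", capability="phishing email",
                     victim="hr", result=True),
        DiamondEvent("installation", capability="scheduled task", victim="hr-ws-03", result=True),
        DiamondEvent("command_and_control", infrastructure="public web service C2", result=True),
        DiamondEvent("actions_on_objective", capability="archive+exfil", result=False),
    ],
    "INC-3": [
        DiamondEvent("delivery", infrastructure="usb drop", capability="trojanised installer",
                     victim="reception", result=False),
    ],
}
```

Running `activity_groups(INCIDENTS)` on the sample puts INC-1 and INC-2 in one group (they share weaponization, delivery, installation, C2 and actions-on-objectives vertices) and leaves INC-3 on its own; `visibility_gaps(INCIDENTS["INC-1"])` lists every reconnaissance vertex plus the adversary on almost every phase, which is the same kind of conclusion the post draws from its picture. Correlating on the technical axis only is deliberate: the victim is usually the same organization in every incident and the adversary vertex is the one most often empty, so neither says much about whether two intrusions belong together.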
In conclusion, I would like to add that from my perspective the tools discussed here helped me a lot when I was taking my first steps in threat intelligence, because they break down even very complex hacking attempts into basic elements that are easy to describe. It can be overwhelming to deal with the enormous amount of data resulting from the DFIR analysis of an incident and from enriching the indicators with information from external sources. However, if we start slowly assigning the individual findings to activity phases, diamond vertices and ATT&CK identifiers, it will certainly be much easier to work out what happened in the attacked infrastructure.