Cyber Threat Intelligence: Observing the adversary
May 17, 2016
By Mark Arena, CEO of Intel 471.
Following my previous blog post that compared the incident-centric and actor-centric approaches to cyber threat intelligence, this post will detail a number of ways we can potentially observe our adversary. I’ll preface this post by saying that prioritizing and identifying who the adversary is, their motivations, their intentions and goals will drive where you seek to observe them. This could be different depending on the vertical in which your organization sits.
The #1 place to observe your adversary is your own attack surface
The top and hopefully most well known place to observe your adversary is your attack surface. If you’re a financial institution or managed security service provider (MSSP), we could include things touching your customer’s attack surface as being another top place to observe your adversary. Analysis of logs sourced from your security devices is a great way to identify the type of cyber threat activity that is impacting you directly. Although Intel 471 is an intelligence vendor, we still believe that an organization’s #1 source of relevant threat data is their own attack surface. One of the first steps into developing a threat intelligence program should be the identification, consumption, and analysis of all relevant internal sources of information to include attack surface data.
Referencing the incident-centric approach detailed in our previous blog post, our goal is to build off our incident information to identify the TTPs (Tactics, Techniques and Procedures) and associated campaigns then ultimately the actor piece to include the who, motivations, goals and intent.
In most cases the attack surface provides technical information such as:
- Files (filenames, hashes, etc) that are dropped onto a system that is compromised;
- Registry keys added/changed;
- Command and control (C2) server information (domains, URI paths, IP addresses, domain registration email address, etc).
In addition to identifying potential incidents, analysis of technical data can lead to the identification of TTPs and campaigns:
- How was the malware dropped onto the system, i.e.:
Was it a targeted spear-phish sent to a specific target?
Was it the result of a user visiting a compromised website that was tied to a specific exploit pack thus not targeted in nature?
What exploit/exploit method was used?
- What malware was dropped on the compromised system?
- What functionality did the malware provide?
- What other tools were dropped on to the compromised system?
- What did the malware and tools enable the threat actor to access on the compromised system or the wider network?
- Where there other internal or external victims of the same or similar attacks?
When answering the question of who the actor is, the usefulness of attribution to a specific person often depends on the motivation of the threat actor. For example, knowing the personal identity of a threat actor involved with state sponsored cyber espionage is only truly useful to a very small number of organizations.
However, when it comes to cybercrime and hacktivism knowing the actual person behind the keyboard provides additional options for a victim organization, such as submitting a complaint to law enforcement. There is continuous debate in the information security community about the usefulness of attribution of threat actors and groups, but we believe that attribution to various levels (person, group, nation-state, etc.) provides valuable insights that support decision-making at all levels.
The most value of actor-centric information lies with identifying motivations, goals and intent. This enables analysts to produce predictive intelligence that can drive proactive decision making and action at numerous levels of an organization.
Collaboration with similar organizations and your competitors
Collaboration with similar organizations, even your competitors, is another great way to observe your adversary. We’ve previously written why organizations shouldn’t have tunnel vision by focussing on threats that only mention or impact your organization directly. It’s a given that the same threat actors impacting your competitors or other organizations in the same vertical or sector as you are or will eventually turn their focus to you. The panacea of a threat intelligence program is to be proactive, predictive and ahead of the adversary. Examining this activity will often allow you to proactively block or detect this activity through policy or security control changes among other things however, don’t forget to share back as it’s a two-street. If you don’t, you’ll quickly become the organization that nobody wants to share with. It’s in the business interests of all parties, competitor or not, to establish some type of sharing and collaboration. An Information Sharing and Analysis Center or (ISAC) may also be available for your specific sector which may share information on threat actors impacting or seeking to impact your sector.
Traditionally governments have not been good at sharing and collaborating with the private sector, but with the massive impact of cyber threats impacting the private sector and the private sector effectively running the internet, they’ve been forced to both share and collaborate. They still might not be the fastest to share nor the best at doing it efficiently, but there are certainly elements within various government departments that are fighting the good fight to be able to share threat data with the private sector in a timely and efficient manner. This can be a very valuable resource for your threat intelligence program.
Technical collection can be described in general as legal infrastructure and toolset monitoring. Infrastructure monitoring can involve targeting threat actor’s re-use of things such as:
- IP addresses for command and control (C2) servers
- Malicious host names
- URIs (paths for command and control servers)
- Email addresses to register domains
Toolset monitoring can involve things like:
- Creation of YARA signatures to upload to VirusTotal to be alerted on new samples submitted there
- Google Alerts on specific malware string names
Places where threat actors plan and collaborate
A final place to observe the adversary is where they communicate, plan, and collaborate. I personally dislike the term deep/dark web but rather like to segment these sources into two types:
- Open sources: places where you can observe or gain access simply by searching Google (or other search engines) with no barrier to entry. Other examples are social networks such as Facebook and Twitter.
- Closed sources: places where some barrier of entry exists. At the lower level this might be a forum requiring registration for access. At the upper level it might be a vetted or invite only cyber crime forums and marketplaces.
Advantages of monitoring open and closed sources where threat actors communicate, plan and collaborate:
- Identification of actors and attacks early in the planning stages of an attack against your organization before it appears on your attack surface
- Enables a greater understanding of the business process, enablers and pain points behind cyber threat activity and threat actors.
- Supports the production of predictive intelligence that enables proactive decision making at various levels (NOC/SOC, fraud, executive, risk management, etc)
Disadvantages of monitoring open and closed sources where threat actors communicate, plan and collaborate:
- Sometimes difficult to extrapolate from information that does not directly mention or impact your organization
- Often information is non-technical in nature making it difficult to equate that to specific observables you can look for on your attack surface
- Risk of additional attacks or focus if your organization is exposed as being active where threat actors interact.