Introduction
An Advanced Persistent Threat (APT) is a cyberattack in which the attackers gain unauthorized
access to a network, remain hidden for a long time and, over that period, steal sensitive
information such as personally identifiable information and intellectual property. The most
effective way to detect APTs in a network is threat hunting. Threat hunting is the search for
malware, and more generally for attacker activity, that has bypassed the security controls within
the environment and gained access to the network; automation supports the search but does not
replace the analyst. There are different definitions of threat hunting. Endgame describes it as
the process of searching for signs of malicious activity in the network without knowing in
advance what those signs are. This helps the security analyst find activity that the implemented
security controls are not detecting. The main objective of threat hunting is to reduce the dwell
time of attackers inside the network. The first step in threat hunting is to create a hypothesis,
which lets the analyst check whether a particular malicious activity is taking place in the
network. In the Endgame process the MITRE ATT&CK matrix is used to ease the generation of
hypotheses, since it catalogues a large number of techniques used by APTs.
The MITRE ATT&CK matrix has three levels of architecture: tactics, techniques and procedures,
together called TTPs. Tactics are the column headings at the top of the matrix, techniques are
the cells in each column, and procedures are the details of how a technique is carried out. Most
of the column headings are phases of the Mandiant Attack Lifecycle, and each column lists the
techniques APTs use in that phase.
According to Richard Bejtlich, network security monitoring (NSM) is the process of collecting,
analyzing and escalating indications and warnings to detect and respond to intrusions on the
network. NSM helps detect an intrusion and respond to it before the intruders do something
destructive to the organization. It inspects network traffic to detect threats in the network.
This research helps reduce the dwell time of an attacker within the network by giving security
analysts network-based techniques for threat hunting alongside the host-based techniques they
already have.
Background
The research paper defines an APT as an adversary who targets a network and has the ability,
time and resources to create the tools required to bypass its security, gain unauthorized access
and stay in the network for a long time. Objectives differ from one APT to another. There have
been many APT incidents in the past 20 years. The breaches at Ticketmaster, Newegg and British
Airways, disclosed in 2018, targeted consumer credit card records. Targeted ransomware
campaigns hit state and local government in Georgia and Florida. Based on the financial attacks
it had observed, FireEye created the term FIN for financially motivated attackers. The 2016 US
election was targeted over the internet: the group APT28 hacked the Democratic National
Committee, and further analysis attributed the attack to a Russian threat actor, active since 2000,
that has run campaigns against the aerospace, energy, defense and media sectors. Russian
government-linked activity was found to target defense ministries most often. Another type of
threat actor is the hacktivist, who attacks victims anonymously to draw attention to a cause; in
2010 Anonymous performed DDoS attacks against Mastercard and Amazon. APT groups pursue
their goals regardless of the difficulty and the cost.
MITRE started a project called FMX in 2013 with the objective of detecting attackers who had
already gained access to the network. The project mapped the attacker's lateral movement and the
way the attacker achieved the goal, with the aim of understanding the attacker's mindset while
pursuing that objective. The creators of the MITRE ATT&CK matrix observed that many companies
rely on indicators of compromise (IOCs) as their security strategy. IOCs include IP addresses,
domain names, file hashes and unique strings found inside malware. IOCs are short-lived: a threat
actor uses different IOCs against different organizations, whereas behaviour changes far less.
FMX set out to find threat actors by that behavioural fingerprint instead.
The biggest challenge at the time was the lack of a framework for analyzing attacker behaviour.
This made threat actor activity hard to analyze, so forensics were restricted to IOCs or to the
functionality of malware. To resolve this, MITRE collected reports on APTs and extracted the
techniques used by each.
Based on information from its red team, MITRE created a list of known techniques, referenced
each to the public reports available on malware, threat actors and threat intelligence, and grouped
related techniques into sets. These sets are now the tactics, the column headings. The MITRE
ATT&CK framework now provides a common vocabulary for host-based attacker behaviour and a
framework for analyzing how APTs behave once inside a network.
The genesis of the thesis dates to 2018, when the researcher was working as an incident responder
with the goal of creating a process and methodology for network threat hunting. Guidance was
sought from the MITRE ATT&CK matrix on how to generate hypotheses, which data sources to hunt
in and which activities to focus on. On reviewing the MITRE ATT&CK website it was found that the
matrix focuses on endpoint behaviour, which was not practical for network-based hunting, and
this gap is how the current thesis started.
Methodology
Tactics, techniques and procedures (TTPs)
TTPs describe the actions of an adversary in detail and are used to simulate adversary behaviour.
They are divided into tactics, techniques and procedures.
Tactics: the attacker's goals at each stage of the attack, from start to finish, such as how the
initial compromise is achieved, how lateral movement is performed and how traces are removed
after the attack.
Techniques: the means used to achieve a tactic, such as embedding malicious code in a document
that executes when it is opened, emailing victims malicious documents, capturing keystrokes to
obtain credit card information, or using HTTP to communicate with a command-and-control server.
Procedures: the specific steps the adversary carries out against the target, such as creating
malware that exploits the target or evades endpoint tools, establishing a command-and-control
server, emailing the victims, and crafting socially engineered documents and emails that look
genuine.
Adversary Models
The progress of an APT is described by two favoured models, the Lockheed Martin Cyber Kill
Chain and the Mandiant Attack Lifecycle. The Bryant Kill Chain is an evolution of both.
Cyber Kill Chain by Lockheed Martin
This was the first attack model known to the public. It shows the steps an attacker needs to
complete to achieve the goal. Although created from the attacker's perspective, the model was
intended for defenders. It is not fully adequate for defenders because some of its phases cannot
be detected by them. Weaponization, the phase in which malicious documents or zero-day exploits
are prepared for controlling the target network, happens on the attacker's side and cannot be
observed by the defender. Figure 1 shows the phases of the Cyber Kill Chain.
Figure 1 - Cyber Kill Chain by Lockheed Martin
Note. From EventTracker Enterprise and the Cyber Kill Chain by Netsurion
(https://www.netsurion.com/articles/eventtracker-enterprise-and-the-cyber-kill-chain )
There are two main reasons the Cyber Kill Chain is not appropriate for defenders. First, defenders
cannot detect the weaponization phase. Second, its visual representation is misleading: it shows a
linear progression rather than what attackers actually do, which is to repeat lateral movement and
internal reconnaissance until they reach their objective. Because of these flaws in the model,
Mandiant created another lifecycle, the Attack Lifecycle.
Attack life cycle by Mandiant
The Mandiant Attack Lifecycle can be used by both attackers and defenders to explain the actions
of APTs. The weaponization phase, which defenders cannot detect, is removed, so every remaining
phase is observable, and a loop is added to represent the attacker's repeated path through lateral
movement and internal reconnaissance. It is one of the preferred attacker models in the
community. Even so, not every phase is visible from the network: privilege escalation happens on
the host and cannot be detected from network traffic. Figure 2 shows the Mandiant Attack
Lifecycle.
Figure 2- Mandiant Attack Lifecycle
(Cyber attack lifecycle, 2015)
Bryant Kill Chain
The Bryant Kill Chain focuses on analysis of the network and is an evolution of both the Lockheed
Martin Cyber Kill Chain and the Mandiant Attack Lifecycle. It keeps every phase except privilege
escalation, which is not observable from the network, and it merges exfiltration into actions on
objectives, since exfiltration is considered part of that phase.
Endgame’s threat hunting process
Endgame's threat hunting process has six steps: proposing a hypothesis, identifying the evidence
needed to prove it, developing analytics, automating, documenting, and communicating and
reporting.
Threat hunting process in action
The first step is creating a hypothesis. The hypothesis should be scoped so that it leads to a
definite conclusion: whether or not signs of malicious activity using the chosen technique were
detected in the environment. The MITRE ATT&CK matrix is used to generate scoped hypotheses. Its
column headings are the phases of the Mandiant Attack Lifecycle and its cells come from research
on different APT groups. For example, the Lateral Movement column lists the techniques attackers
use to move laterally. To hunt for lateral movement in our environment, we select one technique
from that column and build a hypothesis from it. If SMB is used for lateral movement, the
hypothesis is that attackers are using SMB to move laterally through the network, and the
sub-hypothesis is that PsExec is being used over SMB to do so. The next step is collecting
evidence that proves or disproves the hypothesis.
After valid data is collected, the dataset is reduced to make analysis tractable. Once the reduced
dataset is constructed, both the collection and the reduction are automated. The work is then
documented, including the decisions taken to reduce the dataset. All findings are reported. The
absence of malicious activity does not mean the hunt failed; it shows that the security controls
are working, that the analyst's filtered data contained no malicious activity, and that the result
was interpreted correctly by the analyst.
MITRE ATT&CK encourages the analyst to hunt for threats based on APT behaviour. To analyze that
behaviour on the network, the network monitoring tool Zeek can be used to analyze the traffic and
detect malicious behaviour.
Criteria for network security monitoring
Many NSM platforms are available, and the difficult part is selecting the right one. The first
criterion is that the NSM should be protocol aware and should provide a timeline of events. For
example, if malware communicates over plaintext HTTP on port 443, a protocol-aware NSM does not
assume from the port that the traffic is encrypted; it identifies the protocol from the content
and inspects the traffic thoroughly. A timeline of events means that if a machine is infected with
ransomware that spreads to another machine, the NSM should produce a timeline starting from the
initial beacon from the first machine to the C2 server, followed by the events on the other
infected machines, thereby scoping the incident.
7
The next criterion is that the NSM should offer several levels of fidelity. The logging levels of
an NSM platform are statistical logging, event-based logging, session data and full packet capture,
ordered by increasing fidelity. The first of these shows the volume and nature of the data moving
across the network.
Statistical logging helps detect traffic with irregular volumes and beacons in the network.
Beacons contact the C2 at regular intervals, which is easy to see in statistical data. Exfiltration
can also be detected statistically by looking for unusually large amounts of data leaving the
network.
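The two statistical hunts described above, beacon periodicity and outbound volume, as an added Python example (not code from the original report or from the Zeek project). It runs over constructed JSON-lines records shaped like Zeek's conn.log; the field names are Zeek's, the sample traffic and the thresholds (coefficient of variation below 0.2, more than 500 MB to one destination) are illustrative assumptions.

```python
"""Statistical hunting over Zeek conn.log: beacons and bulk exfiltration.

Added example; it is not code from the original report or from the Zeek
project.  The log lines are constructed for illustration and use the field
names Zeek's JSON conn.log emits (ts, id.orig_h, id.resp_h, id.resp_p,
orig_bytes, resp_bytes).  Thresholds are illustrative assumptions.
"""
import json
import statistics
from collections import defaultdict

BASE_TS = 1_700_000_000

# Constructed sample: 10.0.0.5 beacons to 203.0.113.10 every 60 s (+/-1 s jitter)
# with small payloads, 10.0.0.7 browses irregularly, 10.0.0.9 pushes 2 GB out.
SAMPLE_CONN_LOG = "\n".join(
    [json.dumps({"ts": BASE_TS + 60 * i + (i % 2), "id.orig_h": "10.0.0.5",
                 "id.resp_h": "203.0.113.10", "id.resp_p": 443,
                 "orig_bytes": 512, "resp_bytes": 1024}) for i in range(20)]
    + [json.dumps({"ts": BASE_TS + t, "id.orig_h": "10.0.0.7",
                   "id.resp_h": "198.51.100.20", "id.resp_p": 443,
                   "orig_bytes": 3000, "resp_bytes": 90_000})
       for t in (5, 9, 400, 402, 1900, 2500, 2501, 2560)]
    + [json.dumps({"ts": BASE_TS + 100, "id.orig_h": "10.0.0.9",
                   "id.resp_h": "192.0.2.77", "id.resp_p": 22,
                   "orig_bytes": 2_000_000_000, "resp_bytes": 40_000})]
)


def parse_conn_log(text):
    """Parse JSON-lines conn.log text into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_beacons(records, min_connections=8, max_cv=0.2):
    """Flag (orig, resp, port, median_gap) tuples whose connection inter-arrival
    times are regular: coefficient of variation (stdev/mean) below max_cv.
    A C2 beacon with modest jitter has a low CV; human-driven traffic does not."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(r["ts"])
    beacons = []
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < max_cv:
            beacons.append((*pair, statistics.median(gaps)))
    return beacons


def find_exfiltration(records, threshold_bytes=500_000_000):
    """Flag (orig, resp, bytes_out) pairs whose total outbound bytes exceed the threshold."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["id.orig_h"], r["id.resp_h"])] += r.get("orig_bytes") or 0
    return [(o, d, b) for (o, d), b in totals.items() if b > threshold_bytes]


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    print("beacons:", find_beacons(recs))
    print("exfiltration:", find_exfiltration(recs))
```

The coefficient of variation is used rather than a fixed interval so that beacons with jitter are still caught; on a real conn.log the same pair grouping should also be keyed on the ports used, and the byte threshold tuned to the baseline of the environment.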
The third level is event-based systems. Here an alert is triggered when a predefined condition
is met on the network. This is one of the most popular options in enterprise networks, and it
only creates alerts when the defined condition matches. For example, consider the following
signature:
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN FAKE AOL SSL Cert APT1"; flow:established,from_server; content:"|7c a2 74 d0 fb c3 d1 54 b3 d1 a3 00 62 e3 7e f6|"; content:"|55 04 03|"; content:"|0c|mail.aol.com"; distance:1; within:13; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016469; rev:3;)
(Bornholm, 2019)
The signature is written to detect APT1 traffic. It has three content matches: a 16-byte sequence
beginning 7c a2 74, which the source describes as the serial number of the fake certificate; the
bytes 55 04 03, which are the DER encoding of the commonName OID (2.5.4.3); and the string
mail.aol.com, the common name on the fake certificate. The modifier distance:1 skips one byte after
the OID (the DER string-type tag), and within:13 requires the next match to fit in the following
13 bytes, exactly the length byte 0c plus the twelve characters of mail.aol.com. The traffic is
expected from port 443, the HTTPS port, on the external network to any port on the home network,
and the alert fires only when all three contents match in order.
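To make the byte anatomy of that rule concrete, here is an added Python example (not code from the original report, nor from Snort or Suricata) that re-implements the three-content chain over constructed DER fragments. It assumes the relative-content semantics Snort applies: distance moves the search cursor past the end of the previous match, and within bounds how far past that cursor the next content may end.

```python
"""Byte-level walk-through of the ET APT1 fake-certificate rule's content chain.

Added example; not code from the original report nor from Snort or Suricata.
It models the relative content modifiers as Snort applies them: `distance:N`
moves the search cursor N bytes past the end of the previous match, and
`within:M` requires the next pattern to fit inside the M bytes that follow
that cursor.  The certificate fragments below are constructed DER, not
captured traffic.
"""

# The three content matches of sid:2016469, in rule order.
SERIAL_PREFIX = bytes.fromhex("7c a2 74 d0 fb c3 d1 54 b3 d1 a3 00 62 e3 7e f6")  # the report reads this as the fake cert's serial number
CN_OID = bytes.fromhex("55 04 03")          # DER value of OID 2.5.4.3 (commonName)
CN_VALUE = b"\x0c" + b"mail.aol.com"       # DER length byte 0x0c (= 12) followed by the string
RULE_CHAIN = [
    (SERIAL_PREFIX, None, None),
    (CN_OID, None, None),
    (CN_VALUE, 1, 13),   # distance:1 skips the one-byte string-type tag; within:13 == len(CN_VALUE)
]


def match_chain(payload, chain):
    """Return True when every (pattern, distance, within) matches in order."""
    cursor = 0
    for pattern, distance, within in chain:
        start = cursor + (distance or 0)
        end = len(payload) if within is None else min(len(payload), start + within)
        idx = payload.find(pattern, start, end)   # pattern must lie wholly inside [start, end)
        if idx < 0:
            return False
        cursor = idx + len(pattern)
    return True


def der_attribute(oid, value, string_tag):
    """OID TLV followed by a string TLV, as inside an X.509 name RDN."""
    return b"\x06" + bytes([len(oid)]) + oid + bytes([string_tag, len(value)]) + value


def constructed_cert_fragment(serial=SERIAL_PREFIX, cn=b"mail.aol.com", cn_tag=0x0c):
    """Constructed stand-in for the certificate bytes the rule inspects:
    serialNumber INTEGER, a C=US attribute, then the CN attribute."""
    return (b"\x02" + bytes([len(serial)]) + serial
            + der_attribute(b"\x55\x04\x06", b"US", 0x13)   # countryName, PrintableString
            + der_attribute(b"\x55\x04\x03", cn, cn_tag))    # commonName


if __name__ == "__main__":
    print(match_chain(constructed_cert_fragment(), RULE_CHAIN))                  # fake cert
    print(match_chain(constructed_cert_fragment(serial=bytes(16)), RULE_CHAIN))  # same CN, other serial
```

The second call shows why the serial content is in the rule at all: a legitimate certificate for mail.aol.com carries the same OID and common name bytes, so matching on the name alone would alert on every genuine AOL session.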
Session data records the conversation between two network nodes: the source and destination IP
addresses, the source and destination ports, the protocol, and the application bytes sent from
source to destination. Other fields give more detail about the connection, such as the HTTP method
or the URI requested. For example, session data can be used to detect the SMB calls made by
PsExec, such as connections that originate from a Windows server machine.
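The SMB-over-PsExec sub-hypothesis from the threat hunting section and the session-data point above, as one added Python example (not code from the original report or from the Zeek project). It reads constructed JSON-lines records shaped like Zeek's smb_files.log and dce_rpc.log (field names as Zeek emits them) and flags host pairs where an executable was written to an administrative share and a service was then created over the svcctl pipe, which is the sequence PsExec produces; the hosts, timestamps and 60-second window are assumptions.

```python
"""Hunting PsExec-style lateral movement over SMB in Zeek session logs.

Added example, not part of the original report or of Zeek.  It reads
constructed JSON-lines records shaped like Zeek's smb_files.log and
dce_rpc.log (field names as Zeek emits them) and flags host pairs where an
executable was written to ADMIN$ or C$ and a service was created over the
svcctl pipe shortly afterwards, the pattern PsExec leaves on the wire.
"""
import json
from collections import defaultdict

# Constructed sample logs.  Path values are UNC paths as Zeek records them.
SAMPLE_SMB_FILES = "\n".join(json.dumps(r) for r in [
    {"ts": 1_700_000_000.0, "uid": "C1", "id.orig_h": "10.0.0.20", "id.resp_h": "10.0.0.5",
     "id.resp_p": 445, "action": "SMB::FILE_OPEN", "path": "\\\\10.0.0.5\\ADMIN$", "name": "PSEXESVC.exe"},
    {"ts": 1_700_000_001.0, "uid": "C1", "id.orig_h": "10.0.0.20", "id.resp_h": "10.0.0.5",
     "id.resp_p": 445, "action": "SMB::FILE_WRITE", "path": "\\\\10.0.0.5\\ADMIN$", "name": "PSEXESVC.exe"},
    {"ts": 1_700_000_050.0, "uid": "C2", "id.orig_h": "10.0.0.21", "id.resp_h": "10.0.0.30",
     "id.resp_p": 445, "action": "SMB::FILE_WRITE", "path": "\\\\10.0.0.30\\share", "name": "report.docx"},
    {"ts": 1_700_000_090.0, "uid": "C3", "id.orig_h": "10.0.0.22", "id.resp_h": "10.0.0.5",
     "id.resp_p": 445, "action": "SMB::FILE_WRITE", "path": "\\\\10.0.0.5\\ADMIN$", "name": "tool.exe"},
])
SAMPLE_DCE_RPC = "\n".join(json.dumps(r) for r in [
    {"ts": 1_700_000_002.5, "uid": "C1", "id.orig_h": "10.0.0.20", "id.resp_h": "10.0.0.5",
     "id.resp_p": 445, "endpoint": "svcctl", "operation": "CreateServiceW"},
    {"ts": 1_700_000_003.0, "uid": "C1", "id.orig_h": "10.0.0.20", "id.resp_h": "10.0.0.5",
     "id.resp_p": 445, "endpoint": "svcctl", "operation": "StartServiceW"},
    {"ts": 1_700_000_091.0, "uid": "C3", "id.orig_h": "10.0.0.22", "id.resp_h": "10.0.0.5",
     "id.resp_p": 445, "endpoint": "srvsvc", "operation": "NetrShareEnum"},
])

ADMIN_SHARES = ("ADMIN$", "C$")


def load_jsonl(text):
    """Parse JSON-lines log text into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def admin_share_writes(smb_files):
    """(orig, resp) -> [(ts, filename)] for executables written to an admin share."""
    hits = defaultdict(list)
    for r in smb_files:
        share = r.get("path", "").rstrip("\\").rsplit("\\", 1)[-1].upper()
        name = r.get("name", "")
        if (r.get("action") == "SMB::FILE_WRITE" and share in ADMIN_SHARES
                and name.lower().endswith(".exe")):
            hits[(r["id.orig_h"], r["id.resp_h"])].append((r["ts"], name))
    return hits


def service_creations(dce_rpc):
    """(orig, resp) -> [ts] of CreateService calls on the svcctl endpoint."""
    hits = defaultdict(list)
    for r in dce_rpc:
        if r.get("endpoint") == "svcctl" and r.get("operation") in ("CreateServiceW", "CreateServiceA"):
            hits[(r["id.orig_h"], r["id.resp_h"])].append(r["ts"])
    return hits


def hunt_psexec(smb_files_text, dce_rpc_text, window_s=60):
    """Return sorted (orig, resp, filename) where an admin-share .exe write is
    followed within window_s seconds by a service creation from the same host."""
    writes = admin_share_writes(load_jsonl(smb_files_text))
    creates = service_creations(load_jsonl(dce_rpc_text))
    findings = set()
    for pair, files in writes.items():
        for ts, name in files:
            if any(0 <= c - ts <= window_s for c in creates.get(pair, [])):
                findings.add((*pair, name))
    return sorted(findings)


if __name__ == "__main__":
    print(hunt_psexec(SAMPLE_SMB_FILES, SAMPLE_DCE_RPC))
```

The executable dropped by 10.0.0.22 without a following service creation is not reported by hunt_psexec but is still returned by admin_share_writes; in a real hunt that lower-confidence set is worth reviewing too, since a renamed service binary or a different remote-execution tool would not trip the service-creation check.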
Full packet capture collects all the data transferred between systems. It lets the incident
response team develop signatures, monitor activity and identify the data being stolen. Full PCAP
can be used to investigate alerts and offers the highest fidelity, since it contains the actual
data transferred. Requiring full packet capture is hard for small businesses, however: it was
reported that a saturated 1 Gbps link can generate on the order of 6 TB of PCAP, which is
difficult and expensive to store, whether on premises or in cloud storage. An open-source solution
such as Zeek avoids this hardware burden. Zeek has been tested in organizations with links of
almost 100 Gbps and, according to Berkeley Lab, runs on commodity hardware.
Network security monitoring criteria
The criteria for network security monitoring are:
• It should be an open-source platform, and not a tool bundle such as Security Onion.
• It should have an extensible framework and rules engine.
• It should be protocol aware.
• It should provide network monitoring fidelity, which is divided into four levels:
  Statistics: high-level statistics that show the volume and nature of the data.
  Event-based: alerts generated when predefined conditions are matched on the network.
  Session data: the conversation between two network nodes, including the source and destination
  IP addresses, the source and destination ports, the protocol and the application bytes sent
  from source to destination.
  Full content data: capture of all traffic on the network.
• It should provide a timeline of detailed network events, the ability to scope an incident, and
  reasonable hardware requirements.
Network security monitoring platform comparison
Several platforms are available for monitoring network activity, and against the criteria above
Zeek scores highest. The platforms compared were Zeek, Suricata, Snort and Moloch. Suricata and
Snort do not provide incident scoping, and Moloch does not run on reasonable hardware. As shown in
Figure 3, Zeek is the best platform for NSM.
Figure 3 – NSM platform comparison
(Bornholm, 2019)
Adversary emulation
SANS defines adversary emulation as an activity in which security experts emulate the operations
of an adversary, with the objective of making the organization more resilient against the
techniques that adversary uses. To use an adversary emulation platform, an environment monitored
by Zeek is first created for the platform to operate in. The network consists of three machines:
two Windows 10 workstations joined to a domain controller running Windows Server. When the
emulation is complete, the Zeek logs are analyzed and heat maps are created from the techniques
used and the techniques discovered. The objective is to show the efficacy of the matrix by
comparing the techniques the emulated threat actor used with the techniques in the matrix.
Adversary emulation process
The adversary emulation process consists of five steps (Bornholm, 2019):
• Gathering threat intelligence about the threat actor
• Extracting the techniques used by the threat actor
• Analyzing and organizing
• Developing tools
• Emulating the adversary
The first step is identifying the adversary to emulate. Once a threat actor is identified, threat
intelligence is gathered about it from any available source, such as VirusTotal, IOCs, malware
samples and APT reports. The next step is extracting the techniques used by the threat actor and
mapping them to the MITRE ATT&CK matrix; this research adds a matrix of techniques from the
network perspective so that analysts can map network techniques as well. The third step is
analyzing and organizing the extracted techniques. First a goal is set, for example that APT3 is
known for stealing intellectual property. Then the techniques used by the threat actor are arranged
into a flow that achieves the goal, and the flow is divided into two phases, each of which can be
carried out within a set period. Figure 4 describes the emulation plan.
Figure 4: Emulation plan APT3
(Bornholm, 2019)
The next step is to develop the tools needed for the emulation, selected according to the threat
actor and its techniques. Once the tools are developed, payloads are created for the emulation;
they should not be caught by existing signature detection. Lastly, the adversary is emulated. The
timeline of the threat actor's activity is recorded, and when the emulation is finished the red and
blue teams discuss what was detected, what was prevented, and so on.
Criteria for adversary emulation platform
When an emulation platform claims to emulate an APT, it should be able to perform techniques from
each phase of the Mandiant Attack Lifecycle, and the techniques used in each phase should be those
of the threat group. The platform must contain a large set of post-exploitation techniques to
emulate an APT fully. For example, APT3 uses 13 techniques for credential access, 3 for lateral
movement, 8 for defense evasion and 7 for persistence, and it is possible that only 6 of those fall
within the MITRE ATT&CK matrix while the rest come from outside it. The platform also needs to
support multiple communication methods for its C2. Lastly, the platform needs to perform defense
evasion, which has two themes: bypassing security controls and thwarting signature detection.
Disabling antivirus software, or exploiting a known weakness that the product will not pick up,
are two simple ways to bypass security controls. In addition, the defenders should not be able to
build lasting signatures on the emulation's artifacts: if, for instance, a binary used in the
emulation is detected and a signature is written for its file hash, that hash should be useless
later because the platform changes it.
The researchers added further criteria: an extensible framework, mapping of techniques to MITRE
ATT&CK by the platform, the capability to perform full-chain attacks, and generation of both
logging and reporting. First, the platform should map its techniques to the MITRE ATT&CK matrix;
when Scythe's capabilities are compared with the open-source projects, it exceeds the other
platforms here. Next, the platform should be capable of running full-chain attacks: generating a
payload, performing the initial compromise, establishing persistence, escalating privileges,
moving laterally and exfiltrating data. After all the steps are finished, the platform should
provide a detailed report that includes the timeline of events and the network and forensic
artifacts.
Adversary emulation criteria
• It should be a paid or an open-source platform; if open-source, the project should be
  maintained.
• All techniques should be mapped to the MITRE ATT&CK matrix.
• The framework should be extensible, so that techniques can be added or modified.
• It should be capable of full-chain attacks covering the phases of the Mandiant Attack
  Lifecycle.
• It should perform attacker behaviour such as external reconnaissance on targets.
• It should generate payloads (weaponization) and perform the initial compromise.
• It should establish a foothold and perform privilege escalation.
• It should perform attacker behaviour such as lateral movement and actions on objectives
  (exfiltration).
• It should provide adequate post-exploitation methods, various command-and-control channel
  modules, and logging and reporting.
• Finally, it should be able to bypass security controls and alter its signatures to thwart both
  signature creation and detection.
Adversary emulation platform comparison
Several emulation platforms were compared against the criteria explained above. Scythe achieved
the highest score and was therefore selected as the best platform.
MITRE ATT&CK matrix as an open system
Systems theory defines a system as a set of parts that interact to form a complex whole; here
MITRE ATT&CK is a system whose parts are the TTPs of APTs. It is an open system because it
depends on external inputs, the behaviour of adversaries observed on networks, to derive its
output. TTPs are created by classifying that intelligence: collected observations are grouped into
techniques, techniques are grouped into tactics, and the tools or commands used to accomplish a
technique are the procedures. When no new TTPs arrive as input, the system relies on a feedback
loop. Feedback validates the model in its current state, makes sure it remains usable, and tracks
both the successes and the failures of the model so that it can be improved.
Process and method
Preface
The work starts with the creation of a foundational matrix, which is the template for the
heatmaps produced by all the experiments. The purpose of the heatmaps is to measure the efficacy
of the matrix for detecting APTs on the network and to check the validity of each technique. The
three experiments are APT reports, adversary emulation and PCAP analysis.
Experiment 1 uses a variety of APT reports to measure the efficacy of the matrix against APT
groups. APT reports were chosen because they show how the matrix performs against publicly
released threat intelligence, and because they are open sources that let the experiments be
reproduced.
Experiment 2 uses the Scythe adversary emulation platform to emulate an APT. It starts with an
initial compromise of the network and then follows instructions to move laterally and exfiltrate
data.
Experiment 3 uses the dataset from the 2017 National Collegiate Cyber Defense Competition,
obtained from the IMPACT Cyber Trust organization. This is an attacker-versus-defender event in
which an enterprise network is defended against a red team.
Building the foundational matrix
Preface
First of all, an attacker model is required to describe the actions attackers perform from the
network perspective. The attacker model used here is the Bryant Kill Chain, which supplies the
initial column headings and the keywords for searching the APT reports to fill each column with
techniques. The APT report repositories are then used as the threat intelligence source for the
list of techniques used by APTs. The result is the foundational matrix, which is the template for
the heatmaps. The heatmaps measure the efficacy of the matrix for the APTs detected and the
validity of the techniques used.
Attack themes
The column headings of the matrix represent the phases of an APT as seen from the network and are
called attack themes. The attack theme Evasion, for example, groups the techniques APT groups use
to evade detection; a theme describes the behaviour of the techniques APTs perform on the network.
The Bryant Kill Chain supplies the themes Recon and Weaponization, Delivery, Initial Compromise,
Lateral Movement and Actions on Objectives (Bornholm, 2019).
Internal Recon, Impersonation, Evasion, DoS and Command and Control are attack themes drawn from
the literature review (Bornholm, 2019).
Aggregating techniques
Validating our APT sources
The foundational matrix consists of techniques used by APTs, and only techniques referenced in APT
reports appear in it. When the report was written there were no academic papers on Advanced
Persistent Threats, so the references for this academic paper had to rely on publicly available,
unvetted sources. The APT report repositories used are collections of APT reports that are cited
in academic work and have been released publicly.
Reviewing APT sources
The Bryant Kill Chain provides the keywords to search for in the reports. Reading every report is
not practical, so a Python script was developed that takes the keyword list and a directory of PDFs
and scans each PDF for the keywords. When a keyword such as "command and control" is found in a
PDF, the hit is recorded and later verified manually. The compiled hits tell the researcher which
PDF reports to open; the researcher then opens each PDF, locates the keyword and reads the
surrounding context, which may reveal a previously known or a new technique. A new technique is
added to the matrix and its keyword is added to the keyword list.
For each technique added to the matrix, the set of APT reports and groups that describe its use is
recorded as the reference for how the technique operates. The new keyword is then used to rescan
the APT reports, the researcher opens the matching PDFs to obtain the context again, and this
process is repeated until the foundational matrix of techniques used by APTs is complete.
As techniques are discovered, new attack themes are also identified from the context in which the
techniques appear. For example, if a report describes HTTPS as the command-and-control technique,
the additional context includes information about encryption. HTTPS is not classified as a new
technique, but the use of encryption to evade detection is, so a new theme, Evasion, was created
for techniques such as encryption, encoding and compression. More than one technique is needed to
validate a column: each APT report referencing a new technique validates that technique, and
multiple techniques in the column validate the theme.
Foundational matrix
Figure 5 displays the foundational matrix
Figure 5: Foundational matrix
(Bornholm, 2019)
Matrix heatmap – APT reports
The foundational matrix is used to create the heatmap. The heatmap in Figure 6 shows how many APT
reports reference each technique, which conveys the validity of each technique based on the
reports. The colours follow the scheme given in the heatmap key below: red means one APT report
references the technique, yellow two to four, and green five or more. Yellow occurs 13 times,
meaning 13 techniques have two to four reports referencing them, and the last column of the key is
each colour's share of the total count. A technique appears in the matrix only when at least one
report references its use by an APT. Each experiment concludes with a heatmap, and a final heatmap
generated from all the experiments decides which techniques remain in the matrix.
APT report heatmap key
Red: 1 source, count 3, 6.98%.
Yellow: 2-4 sources, count 13, 30.23%.
Green: 5 or more sources, count 27, 62.79%. (Bornholm, 2019)
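The keyword-scanning step of the matrix construction and the heatmap colour key above, as one added Python example (not the researcher's own script, which is not reproduced in the report). The original scanned a directory of PDFs; this version works on already-extracted text, a constructed dictionary of report excerpts, so that it runs offline. To apply it to PDFs the text would first need extracting with a library such as pypdf (an assumption, not something the report specifies). The technique names and keyword lists are illustrative assumptions.

```python
"""Keyword-driven review of APT reports and the report-count heatmap key.

Added example, not the researcher's own script.  The original scanned a
directory of PDFs; this version works on already-extracted text (a dict of
report name -> text, constructed below) so it runs offline.  It records each
keyword hit with surrounding context for manual verification, counts how many
distinct reports reference each technique, and assigns the heatmap colour
using the report's thresholds: red for 1 source, yellow for 2-4, green for 5+.
"""
import re
from collections import defaultdict

# Technique -> search keywords (illustrative; the real list grew as techniques were found).
KEYWORDS = {
    "HTTPS C2": ["https", "ssl", "tls"],
    "Command and control": ["command and control", "c2", "c&c"],
    "PsExec": ["psexec"],
    "Encryption for evasion": ["encrypt"],
    "DNS tunneling": ["dns"],
}

# Constructed report excerpts standing in for text extracted from PDFs.
REPORTS = {
    "report-A": "The backdoor used HTTPS for command and control and encrypted its beacon traffic.",
    "report-B": "PsExec was used to move laterally; C2 traffic was carried over HTTPS.",
    "report-C": "Operators relied on PsExec and an encrypted custom protocol for C2.",
    "report-D": "Command and control used plain HTTP; no encryption was observed.",
    "report-E": "C&C over HTTPS; lateral movement via RDP.",
    "report-F": "Lateral movement used PsExec; data was exfiltrated over DNS.",
}


def scan_reports(reports, keywords, context=40):
    """Return {technique: {report: [snippet, ...]}} for every keyword hit.
    Snippets carry `context` characters either side for the manual review step."""
    hits = defaultdict(lambda: defaultdict(list))
    for report, text in reports.items():
        low = text.lower()
        for technique, words in keywords.items():
            for w in words:
                for m in re.finditer(re.escape(w.lower()), low):
                    s, e = max(0, m.start() - context), min(len(text), m.end() + context)
                    hits[technique][report].append(text[s:e].replace("\n", " "))
    return hits


def heatmap_colour(n_sources):
    """Colour bucket from the report's key: 1 red, 2-4 yellow, 5 or more green."""
    if n_sources <= 0:
        return None
    if n_sources == 1:
        return "red"
    if n_sources <= 4:
        return "yellow"
    return "green"


def build_heatmap(hits):
    """{technique: (n_sources, colour)}, counting each report once per technique."""
    return {t: (len(reps), heatmap_colour(len(reps))) for t, reps in hits.items()}


def colour_summary(heatmap):
    """{colour: (count, percent of techniques)}, the last two columns of the key."""
    total = len(heatmap)
    counts = defaultdict(int)
    for _, colour in heatmap.values():
        counts[colour] += 1
    return {c: (n, round(100 * n / total, 2)) for c, n in counts.items()}


if __name__ == "__main__":
    hits = scan_reports(REPORTS, KEYWORDS)
    for technique, reps in hits.items():
        for report, snippets in reps.items():
            print(technique, report, snippets[0])
    heatmap = build_heatmap(hits)
    print(heatmap)
    print(colour_summary(heatmap))
```

The snippets are what make the manual step possible: report-D is counted as a hit for "Encryption for evasion" because "no encryption was observed" contains the keyword, and only a human reading the context would drop it. That is the same keyword-then-verify loop the report describes.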
Figure 6- APT report heatmap
(Bornholm, 2019)
Experiments
Experiment 1: APT reports
Preface
Experiment 1 uses three test cases, each covering a different threat actor, that is, a different
APT group. The researchers gather public reports on the threat actor and note the techniques
observed from a network perspective. From the resulting list of network-based techniques a
heatmap is created, which displays the efficacy of the matrix and helps in detecting that
particular threat actor.
Criteria for choosing threat actor
Experiment 1 includes three test cases, and each case covers a different threat actor. The threat actors used here are APT41, APT3 and APT39. Each test case has different motivation, techniques and capabilities.
The first test case is the analysis of APT41. This group was chosen randomly. This is not recommended, but since it is unknown what the APT targets, a random APT was chosen to illustrate the efficacy of the matrix against a random APT. APT41 is a well-known state-sponsored espionage outfit from China that targets businesses in both the public and private sectors as well as engaging in financially driven activity for individual benefit. It has been active since 2012 and targets organizations such as healthcare and the video game industry in various countries, as well as technology companies. APT41's targeting is aligned with China's economic development plans. The group accesses production environments to inject malicious code into legitimate files, which are later distributed to the victims (APT41).
For the second test case, APT3 was analyzed. It was selected because it is a known APT group and it is the APT emulated in experiment 2. Another reason is that MITRE has issued a paper on ways to emulate APT3. Using this APT made it possible to analyze APT3 from the perspective of threat intelligence, which helps to make sure that the emulation platform emulates APT3 accurately.
In the third test case, APT39 is analyzed. APT39 is a cyberespionage activity conducted by the Iranian Ministry of Intelligence and Security since 2014 (Mandiant, Apt39: An Iranian cyber espionage group focused on personal information). The group is responsible for widespread theft of personal information, which it steals to support the monitoring, tracking and surveillance operations of Iran. APT39 is known to leverage the SEAWEED and CACHEMONEY backdoors (Mandiant, Apt39: An Iranian cyber espionage group focused on personal information). The group primarily targets the hospitality, travel, telecommunication and academic industries throughout Asia, Africa, Europe and North America.
Test case reporting model
Each report starts with a description of the threat actor, followed by its known aliases, the techniques it uses (mapped to the MITRE ATT&CK matrix where available), the known tools and malware used by the attacker, and the references.
Calculating efficacy of matrix vs threat actor
For each test case the APT reports are read to analyze the particular threat actor, the network techniques are extracted, and they are mapped to the matrix to create the heatmap. This heatmap helps to calculate the efficacy of the matrix against a known threat actor (Bornholm, 2019).
For each test case, the count of the techniques used by the threat actor that exist in the matrix and the count of those that do not are noted. The efficacy is calculated with Equation 1 shown below.
Equation 1: Efficacy of matrix vs threat actor
The equation expresses a ratio as a percentage to display the efficacy of the matrix. The ratio compares the network-specific techniques of a certain APT group that appear in the matrix to all of the network techniques that group uses: the techniques present in the matrix and used by the APT group, over the total number of network techniques used by the APT group. This ratio helps in the detection of a particular threat actor.
M = number of techniques on the matrix which are used by the APT group
T = total number of network techniques used by the APT group
Efficacy of matrix = M/T * 100 (Bornholm, 2019)
Calculating efficacy of matrix vs all threat actor
This uses the same premise as Equation 1, but instead of a single threat actor the efficacy of the matrix vs. all threat actors is calculated.
Equation 2: Efficacy of matrix vs all threat actors
Wm -> prevalence of a technique across all threat actors (the techniques of each threat actor that exist in the matrix)
Wt -> the total techniques used by the threat actors
Wm = Σ prevalence of a technique from all threat actors
Wt = Σ total techniques used by all threat actors
Efficacy of the matrix vs. all threat actors = Σ Wm / Σ Wt * 100 (Bornholm, 2019)
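As an added worked example (not code from this report or from Bornholm's profiler), the following Python script carries Equation 1 and Equation 2 through over constructed technique lists and also applies the APT report heatmap key from the earlier section (red for one source, yellow for 2-4, green for more). The matrix cells are an assumed reconstruction from the column headings of the heatmaps shown later in this section; the three actors' technique lists are constructed sample input and do not reproduce the report's exact per-actor counts, and a source count of exactly 5 is mapped to green by assumption.

```python
"""Efficacy of a network-technique matrix vs threat actors (Equations 1 and 2)
and the APT-report heatmap colouring. Added example; not the report's own code."""
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Cells of the foundational matrix, keyed by column. Assumed reconstruction from
# the report's heatmap column headings; cells discovered only as "new techniques"
# (Dead Drop Resolver, SOCKS5) are deliberately left out.
MATRIX: Dict[str, Set[str]] = {
    "Recon and weaponization": {"Public scanning services", "Service enumeration",
                                "Vulnerability scanning", "Anonymous service", "Public services"},
    "Lateral movement": {"WMI", "WinRM", "SSH hijacking", "SMB", "Reverse RDP tunnel", "Remote Desktop"},
    "Internal recon": {"Port scanning", "Network sniffing"},
    "Initial compromise": {"Malicious stager", "SQL injection", "Exploit", "Phishing"},
    "Impersonation": {"Trusted third party", "Certificate impersonation", "Domain spoofing", "ARP spoofing"},
    "Evasion": {"VPN tunneling", "Encryption", "Encoding", "Custom protocol",
                "Custom obfuscation", "Compression"},
    "DOS": {"UDP flood", "HTTP flood", "TCP flood"},
    "Delivery": {"Watering hole", "Poisoned torrents", "Phishing"},
    "Command and control": {"Peer-to-peer", "IRC", "ICMP", "DNS", "Webshell",
                            "Remote admin tools", "Listening service", "HTTP", "FTP"},
    "Actions on objectives": {"Defacement", "Exfiltration"},
}

# Constructed sample input: network techniques observed per actor in public
# reporting. Illustrative lists only, not the report's full per-actor tables.
OBSERVED: Dict[str, Set[str]] = {
    "Actor A": {"Remote Desktop", "SMB", "Port scanning", "Malicious stager", "Exploit",
                "Spearphishing attachment", "Encryption", "Compression", "Watering hole",
                "DNS", "HTTP", "FTP", "Dead Drop Resolver", "Exfiltration"},
    "Actor B": {"Remote Desktop", "SMB", "Port scanning", "Phishing", "Exploit", "Custom protocol",
                "Encryption", "Compression", "FTP", "HTTP", "Listening service", "SOCKS5",
                "Exfiltration"},
    "Actor C": {"SSH hijacking", "SMB", "Remote Desktop", "Port scanning", "Network sniffing",
                "Malicious stager", "SQL injection", "Exploit", "Phishing", "Trusted third party",
                "Encryption", "Compression", "DNS", "HTTP", "SOCKS5", "Exfiltration"},
}


def matrix_techniques(matrix: Dict[str, Set[str]]) -> Set[str]:
    """All distinct cells of the matrix (a technique listed in two columns counts once)."""
    return set().union(*matrix.values())


def efficacy(m: int, t: int) -> float:
    """Equation 1: M techniques on the matrix used by the actor over T network techniques used, in %."""
    if t <= 0:
        raise ValueError("T must be a positive technique count")
    return m / t * 100


def profile_actor(matrix: Dict[str, Set[str]], observed: Set[str]) -> dict:
    """Split one actor's observed techniques into matrix hits and new techniques."""
    known = matrix_techniques(matrix)
    hits = observed & known
    return {
        "M": len(hits),
        "T": len(observed),
        "new": sorted(observed - known),
        "efficacy": efficacy(len(hits), len(observed)),
    }


def efficacy_all(profiles: List[dict]) -> float:
    """Equation 2: sum of per-actor matrix hits (Wm) over sum of per-actor totals (Wt), in %."""
    wm = sum(p["M"] for p in profiles)
    wt = sum(p["T"] for p in profiles)
    return wm / wt * 100


def heatmap_colour(sources: int) -> Optional[str]:
    """Report key: 1 source -> red, 2-4 -> yellow, 'more than 5' -> green.
    Exactly 5 is mapped to green here (assumption); 0 sources -> no colour."""
    if sources <= 0:
        return None
    if sources == 1:
        return "red"
    if sources <= 4:
        return "yellow"
    return "green"


def heatmap(matrix: Dict[str, Set[str]], actors: Dict[str, Set[str]]) -> Dict[str, Tuple[int, Optional[str]]]:
    """Per matrix cell: number of actors whose reporting references it, and its colour."""
    known = matrix_techniques(matrix)
    counts: Counter = Counter()
    for techniques in actors.values():
        counts.update(techniques & known)  # each actor counts a cell at most once
    return {t: (counts[t], heatmap_colour(counts[t])) for t in sorted(known)}


if __name__ == "__main__":
    profiles = {name: profile_actor(MATRIX, techs) for name, techs in OBSERVED.items()}
    for name, p in profiles.items():
        print(f"{name}: M={p['M']} T={p['T']} efficacy={p['efficacy']:.2f}% new={p['new']}")
    print(f"Matrix vs all actors: {efficacy_all(list(profiles.values())):.2f}%")
    for cell, (n, colour) in heatmap(MATRIX, OBSERVED).items():
        if colour:
            print(f"{cell:<25} sources={n} colour={colour}")
```

Feeding the report's own counts into `efficacy(14, 17)` and `efficacy(15, 17)` reproduces the 82.35% and 88.23% figures of the test cases; with only three constructed actors no cell reaches the green band, which is why a full heatmap needs the wider set of APT reports the report describes.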
Test case 1: APT 41
Description
APT41 is a well-known state-sponsored espionage outfit from China that targets businesses in both the public and private sectors as well as engaging in financially driven activity for individual benefit. It has been active since 2012 and targets organizations such as healthcare and the video game industry in various countries, as well as technology companies. APT41's targeting is aligned with China's economic development plans. The group accesses production environments to inject malicious code into legitimate files, which are later distributed to the victims (APT41).
Aliases
WICKED PANDA (APT41).
Network techniques
Recon and weaponization
No techniques are found for this category.
Lateral movement
• Remote Desktop Protocol
APT41 uses RDP sessions to perform lateral movement in the environment.
• SMB/Windows Admin Shares
Implant files are shared using Windows Admin Shares, and SMB services exposed to the internet help the attacker obtain credentials for accessing the network and carrying out the objectives (Remote Services: SMB/windows admin shares).
Internal recon
• Port scanning
APT41 uses built-in commands such as ping and netstat for scanning ports.
• Network sniffing
APT41 uses tools for gathering information about the network.
Initial compromise
• Malicious stager
Malicious payloads are injected into the victim's system by APT41 to compromise it and gain initial access.
• Exploit
The APT group leverages many exploits in its operations, and it has also used the proof-of-concept exploit code for CVE-2019-3396 (FireEye, [report] double dragon: APT41, a dual espionage and cyber crime).
• Spearphishing attachment
Spear-phishing emails containing malicious documents or compiled HTML files are sent to initially compromise the victim.
Impersonation
No techniques are found for this category.
Evasion
• Encryption
APT41 encrypts the malicious payloads it creates, which helps to evade detection.
• Encoding
The HIGHNOON.LINUX backdoor uses base64-encoded hosting strings for accessing the C2 address (FireEye, [report] double dragon: APT41, a dual espionage and cyber crime).
• Compression
APT41 creates RAR archives of the files targeted for exfiltration (FireEye, [report] double dragon: APT41, a dual espionage and cyber crime).
DOS
No techniques are found for this category.
Delivery
• Phishing
Spear-phishing emails containing malicious documents or files are sent.
• Watering hole
The targeted organization is observed for a while, then watering hole attacks are performed to achieve the initial compromise (FireEye, [report] double dragon: APT41, a dual espionage and cyber crime).
Command and control
• DNS
DNS is used by APT41 for communicating with the C2.
• HTTP
APT41 uses malware and tools such as LIFEBOAT, a backdoor that communicates with the C2 over HTTP, and CHINACHOP, which can execute Microsoft .NET code received through HTTP POST commands.
• FTP
Used by APT41 to exfiltrate data over a channel separate from the command and control protocol (FireEye, [report] double dragon: APT41, a dual espionage and cyber crime).
• Dead Drop Resolver
The APT group uses the dead drop resolver method on legitimate websites, which subverts network defenders (FireEye, [report] double dragon: APT41, a dual espionage and cyber crime).
Actions on objective
• Exfiltration
They use exfiltration tools and perform exfiltration over physical and network media and over the command and control channel (FireEye, [report] double dragon: APT41, a dual espionage and cyber crime).
Tools/malware
ASPXSpy, BITSAdmin, BLACKCOFFEE, Certutil, China Chopper, Cobalt Strike, Derusbi,
Empire, ftp, gh0st RAT, ipconfig, MESSAGETAP, Mimikatz, Net, netstat, njRAT, Ping, PlugX,
PowerSploit, pwdump, ROCKBOOT, ShadowPad, Winnti for Linux, ZxShell (APT41).
Heat map
Key
• Techniques used by threat actor: 14 (30.43%)
• New techniques discovered: 3 (6.52%)
• Efficacy of matrix: 14/17 (82.35%)
• Total number of techniques: 46
Heatmap cells recovered from the extracted layout, grouped by matrix column (the cell colouring is not recoverable from the text):
Recon and weaponization: Public scanning services, Service enumeration, Vulnerability scanning, Anonymous service, Public services
Lateral movement: WMI, WinRM, SSH hijacking, SMB, Reverse RDP tunnel, Remote Desktop
Internal recon: Port scanning, Network sniffing
Initial compromise: Malicious stager, SQL injection, Exploit, Phishing
Impersonation: Trusted third party, Certificate impersonation, Domain spoofing, ARP spoofing
Evasion: VPN tunneling, Encryption, Encoding, Custom protocol, Custom obfuscation, Compression
DOS: UDP flood, HTTP flood, TCP flood
Delivery: Watering hole, Poisoned torrents, Phishing
Command and control: Peer-to-peer, IRC, ICMP, DNS, Webshell, Remote admin tools, Listening service, HTTP, FTP, Dead Drop Resolver
Actions on objectives: Defacement, Exfiltration
A second "Exploit" cell also appears in the extracted layout; its column is not recoverable.
Test case 2: APT 3
Description
APT3 is a Chinese-based threat group, first identified in 2010 and linked to the Chinese Ministry of State Security. It has targeted a myriad of international and US targets. A report from September 2016 noted that the group had changed its focus from US victims and started targeting Hong Kong organizations (Cyware Labs, APT3: A nation-state sponsored adversary responsible for multiple high profile campaigns: Research and analysis). The report also noted that the group is more focused on the exfiltration of documents. They target printers, file shares and intellectual property, and they target organizations in sectors such as Defense, Aerospace, Transportation and Telecommunications (APT3).
Aliases
APT 3
Gothic Panda
Pirpi
UPS Team
Buckeye
Threat Group-0110
TG-0110 (APT3)
Network techniques
Recon and weaponization
• No techniques are found for this category.
Lateral movement
• Remote Desktop Protocol
APT3 has used the Remote Desktop Protocol for persistence and has interacted with systems to browse and copy files (APT3).
• SMB/Windows Admin Shares
APT3 uses SMB/Windows Admin Shares, copying files into them to perform lateral movement. They have targeted printers and file shares (Endpoint protection).
Internal recon
• APT3 has used port scanners and ping scans and performed remote system discovery (APT3 adversary Emulation Plan - Mitre Corporation).
Initial compromise
• Phishing
APT3 has sent spearphishing emails containing malicious links to the victim (Mandiant, Operation clandestine wolf – adobe flash Zero-Day in APT3 phishing campaign).
• Stager
Malicious documents lead to the download of a stager.
• Exploits
0-day exploits against both Windows machines and internet-facing assets.
Impersonation
• No techniques were found for this category.
Evasion
• Custom protocol
They use custom C2 protocols.
• Encryption
SSL is used by APT3 for C2 communication.
• Compression
When performing spear phishing attacks, APT3 uses zip archives and RAR archives for email attachments.
DOS
• No techniques were found for this category.
Delivery
• Phishing
The initial compromises are performed using phishing, by sending malicious documents.
• Waterhole
The targeted organization is observed for a while, then waterhole attacks are performed to achieve the initial compromise.
Command and control
• FTP
FTP is used by Pirpi for performing exfiltration.
• HTTP
APT3 uses HTTP for C2 communication at a specified interval.
• Listening service
Telnet services are installed by PlugX (Mandiant, Operation clandestine wolf – adobe flash Zero-Day in APT3 phishing campaign).
• SOCKS5
The C2 server uses port 1913 and the SOCKS5 protocol (Mandiant, Operation clandestine wolf – adobe flash Zero-Day in APT3 phishing campaign).
Actions on objective
• Exfiltration
They are focused on the exfiltration of documents and target printers, file shares and intellectual property, and they target organizations in sectors such as Defense, Aerospace, Transportation and Telecommunications (Research: Trellix stories).
Tools/malware
LaZagne
OsInfo
PlugX
RemoteCMD
schtasks
SHOTPUT (APT3)
Heat map
Key
• Techniques used by threat actor: 14 (30.43%)
• New techniques discovered: 3 (6.52%)
• Efficacy of matrix: 14/17 (82.35%)
• Total number of techniques: 46
Heatmap cells recovered from the extracted layout, grouped by matrix column (the cell colouring is not recoverable from the text):
Recon and weaponization: Public scanning services, Service enumeration, Vulnerability scanning, Anonymous service, Public services
Lateral movement: WMI, WinRM, SSH hijacking, SMB, Reverse RDP tunnel, Remote Desktop
Internal recon: Port scanning, Network sniffing
Initial compromise: Malicious stager, SQL injection, Exploit, Phishing
Impersonation: Trusted third party, Certificate impersonation, Domain spoofing, ARP spoofing
Evasion: VPN tunneling, Encryption, Encoding, Custom protocol, Custom obfuscation, Compression
DOS: UDP flood, HTTP flood, TCP flood
Delivery: Watering hole, Poisoned torrents, Phishing
Command and control: Peer-to-peer, IRC, ICMP, DNS, Webshell, Remote admin tools, Listening service, HTTP, FTP, SOCKS5
Actions on objectives: Defacement, Exfiltration
A second "Exploit" cell also appears in the extracted layout; its column is not recoverable.
Test case 3: APT 39
Description
APT39 is a cyberespionage activity conducted by the Iranian Ministry of Intelligence and Security since 2014 (Mandiant, Apt39: An Iranian cyber espionage group focused on personal information). The group is responsible for widespread theft of personal information, which it steals to support the monitoring, tracking and surveillance operations of Iran. APT39 is known to leverage the SEAWEED and CACHEMONEY backdoors (Mandiant, Apt39: An Iranian cyber espionage group focused on personal information). The group primarily targets the hospitality, travel, telecommunication and academic industries throughout Asia, Africa, Europe and North America. It targets the individuals and entities selected for it by the Iranian Ministry of Intelligence and Security.
Aliases
REMIX KITTEN
ITG07
Chafer
Network techniques
Recon and weaponization
No techniques are found for this category.
Lateral movement
• SSH hijacking
APT39 uses Secure Shell for moving laterally through the environment.
• SMB
SMB is used for lateral movement.
• Remote Desktop
APT39 performs lateral movement and persistence through a myriad of tools, such as the Remote Desktop Protocol, and sometimes uses the rdpwinst tool for managing multiple sessions (More on aptsim, 1970).
Internal recon
• Port scanning
Internal reconnaissance is performed using custom scripts and free tools such as portscanner and BLUETORCH (More on aptsim, 1970).
• Network sniffing
APT39 uses various tools for gathering information about the network (More on aptsim, 1970).
Initial compromise
• Malicious stager
Malicious payloads are injected into the victim's system by APT39 to compromise it and gain initial access.
• SQL injection
APT39 uses SQL injection to exploit public-facing applications.
• Exploit
APT39 exploits vulnerable web servers inside the targeted organization and installs web shells such as ANTAX and ASPXSPY.
• Phishing
Spearphishing emails with malicious attachments and links, which cause a POWBAT infection, are sent to the victim by APT39 (Mandiant, Apt39: An Iranian cyber espionage group focused on personal information).
Impersonation
• Trusted third party
The malware scripts were embedded in Microsoft Office documents.
Evasion
• Encryption
The malware files were encrypted to bypass detection by the defenses.
• Compression
APT39 uses compression tools such as WinRAR and 7-Zip on the stolen victim data, compressing and archiving it to bypass detection.
DOS
No techniques are found for this category.
Delivery
• Phishing
Spear phishing emails containing malicious documents, files and links are sent.
Command and control
• DNS
Remote access tools capable of leveraging DNS in communications with the C2 are used by APT39.
• HTTP
HTTP is used by the APT group for communication with the C2.
• SOCKS5
Custom-made tools such as PINKTRIP, REDTRIP and BLUETRIP are used for creating SOCKS5 proxies among the infected hosts.
Actions on objective
• Exfiltration
APT39 exfiltrates the stolen victim data through the C2 communications.
Tools/malware
ASPXSpy
Cadelspy
CrackMapExec
ftp
MechaFlounder
Mimikatz
NBTscan
PsExec
pwdump
Remexi
Windows Credential Editor
Heatmap
Key
• Techniques used by threat actor: 15 (33.33%)
• New techniques discovered: 2 (4.44%)
• Efficacy of matrix: 15/17 (88.23%)
• Total number of techniques: 45
Heatmap cells recovered from the extracted layout, grouped by matrix column (the cell colouring is not recoverable from the text):
Recon and weaponization: Public scanning services, Service enumeration, Vulnerability scanning, Anonymous service, Public services
Lateral movement: WMI, WinRM, SSH hijacking, SMB, Reverse RDP tunnel, Remote Desktop
Internal recon: Port scanning, Network sniffing
Initial compromise: Malicious stager, SQL injection, Exploit, Phishing
Impersonation: Trusted third party, Certificate impersonation, Domain spoofing, ARP spoofing
Evasion: VPN tunneling, Encryption, Encoding, Custom protocol, Custom obfuscation, Compression
DOS: UDP flood, HTTP flood, TCP flood
Delivery: Watering hole, Poisoned torrents, Phishing
Command and control: Peer-to-peer, IRC, ICMP, DNS, Webshell, Remote admin tools, Listening service, HTTP, SOCKS5
Actions on objectives: Defacement, Exfiltration
A second "Exploit" cell also appears in the extracted layout; its column is not recoverable.
References
APT3. APT3, Gothic Panda, Pirpi, UPS Team, Buckeye, Threat Group-0110, TG-0110, Group G0022 | MITRE ATT&CK®. (n.d.). Retrieved October 19, 2022, from https://attack.mitre.org/groups/G0022/
APT3 adversary Emulation Plan - Mitre Corporation. (n.d.). Retrieved October 19, 2022, from https://attack.mitre.org/docs/APT3_Adversary_Emulation_Plan.pdf
APT41. APT41, WICKED PANDA, Group G0096 | MITRE ATT&CK®. (n.d.). Retrieved October 19, 2022, from https://attack.mitre.org/groups/G0096/
Bornholm, B. (2019). Network-based APT Profiler (thesis). Rochester Institute of Technology.
Cyber attack lifecycle. Law Enforcement Cyber Center. (2015, October 27). Retrieved September 29, 2022, from https://www.iacpcybercenter.org/resource-center/what-is-cyber-crime/cyber-attack-lifecycle/
Cyware Labs. (n.d.). APT3: A nation-state sponsored adversary responsible for multiple high profile campaigns: Research and analysis. Cyware Labs. Retrieved October 19, 2022, from https://cyware.com/blog/apt3-a-nation-state-sponsored-adversary-responsible-for-multiple-high-profile-campaigns-f58c
Endpoint protection. Endpoint Protection - Symantec Enterprise. (n.d.). Retrieved October 19, 2022, from https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=92a4528c-2bdb-498f-85c8-4273bfdc66aa&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments
FireEye. (n.d.). [report] double dragon: APT41, a dual espionage and cyber crime. FireEye. Retrieved October 19, 2022, from https://content.fireeye.com/apt-41/rpt-apt41
Mandiant. (n.d.). Apt39: An Iranian cyber espionage group focused on personal information. Mandiant. Retrieved October 19, 2022, from https://www.mandiant.com/resources/blog/apt39-iranian-cyber-espionage-group-focused-on-personal-information
Mandiant. (n.d.). Operation clandestine wolf – adobe flash Zero-Day in APT3 phishing campaign. Mandiant. Retrieved October 19, 2022, from https://www.mandiant.com/resources/blog/operation-clandestine-wolf-adobe-flash-zero-day
Remote Services: SMB/windows admin shares. Remote Services: SMB/Windows Admin Shares, Sub-technique T1021.002 - Enterprise | MITRE ATT&CK®. (n.d.). Retrieved October 19, 2022, from https://attack.mitre.org/techniques/T1021/002/
Research: Trellix stories. Trellix. (n.d.). Retrieved October 19, 2022, from https://www.trellix.com/en-us/about/newsroom/stories/research.html
Valsmith. (1970, January 1). More on aptsim. Carnal0wnage Blog. Retrieved October 19, 2022, from https://blog.carnal0wnage.com/2012/09/more-on-aptsim.html