Uploaded by Lucía Amanda Boza Barajas

6. Distinguishing Threat Actors, Vectors, and Intelligence Sources

Module Review
This module covers the main categories of threat actor. Each group has its own attributes, weaknesses, typical motivations and methods of attack. It then covers threat intelligence sources (how to gather information that strengthens your defences) and, finally, research sources, so that we are all clear on the various ways information can be gathered: conferences, academic research papers, RFCs, vendor sites and the like.
Script Kiddies
Hackers who are relatively new or unskilled:
• Typically looking to see what they can get into; the challenge is the attraction.
• Rely on tools and exploits written by others rather than developing their own.
• Not typically associated with any organized hacking group.
• Usually not well funded.
Hacktivists
Hackers who are motivated by ideology or a social/political cause:
• Can be well funded and skilled.
• Usually deface websites.
• Steal information, such as personal information and credentials, often to leak it publicly.
• DDoS.
• Not particularly patient or stealthy: publicity is usually the point.
Organized Crime
Hackers who are motivated by financial gain:
• Deliberate, with high technical capability.
• Well-funded.
• Patient and persistent.
• Targets include POS terminals, ATMs, credit card numbers, etc.
• Steal personal information for sale on the dark web.
Nation States / APT
Highly skilled hackers (advanced persistent threats) whose main goal is to penetrate government or commercial systems for:
• Cyber espionage
• Data/IP theft
• Sabotage
• Cyber warfare
Very stealthy and persistent, well-funded and well-connected. They do not want their victims to know they are there, and they invest a great deal of time, effort and money in covering their tracks as thoroughly as possible.
Insiders
Employees, contractors and other people who already hold legitimate access. Malicious insiders are often motivated by financial gain:
• CERT advises that over 70% of IP theft cases involve insiders.
• Because they already have access, they can exfiltrate information slowly over long periods without tripping the perimeter defences aimed at outsiders.
• Data theft includes IP and company secrets.
Not every insider incident is deliberate: accidental exposure also occurs through misuse or misconfigured systems.
Competitors
Motivated by financial gain:
• Competitive advantage.
• Theft of IP or company secrets.
• Sabotage.
• Can be well funded and range from low to high skill.
Threat Actor Attributes
Attack Vectors
Use of Open Source Intelligence
Open Source Intelligence (OSINT) is intelligence gathered from publicly available sources. There are numerous tools and websites available for intelligence gathering and reconnaissance; they can be applications or browser plugins, and either passive (the target sees no traffic from you, for example querying Shodan's existing scan data) or active (you touch the target's systems yourself, for example fingerprinting its web server). Examples: Maltego, Metagoofil, Shodan, and the Google Hacking Database (Google Dorks: search queries crafted to surface pages, files and devices that are exposed or misconfigured).
These tools let you fingerprint websites and operating systems, collect server information, and find the background behind web addresses, email addresses, the server addresses behind the scenes, and so on.
Public information about a company (who the people are, who the directors are) and archived copies of its website from the Wayback Machine (what it looked like 5-6 months ago, a year ago, 5 years ago) feed directly into social engineering: the more the attacker knows, the easier it is to extract information from potential victims. The Social-Engineer Toolkit (SET) is then used to build the attack itself, for example a cloned login page for a phishing campaign, rather than to gather that information.
Closed / Proprietary Intelligence
In contrast to open source intelligence, closed or proprietary intelligence comes from commercial sources: information gathered and curated by a vendor and delivered as a subscription service rather than as a piece of software you buy once. These commercial offerings often come with SIEM (Security Information and Event Management) integration or SOAR (Security Orchestration, Automation and Response) capabilities built in, so that when actionable intelligence arrives you can act on it quickly and respond to those threats in near real time, if not actually in real time.
Vulnerability Databases
• Google Hacking Database, hosted by Offensive Security at www.exploit-db.com alongside the Exploit Database itself.
• VirusTotal (virustotal.com) lets you upload files and URLs to be scanned by many antivirus engines and, with a paid intelligence subscription, download malware samples for testing. Anything uploaded is added to the database and shared with the research community, so look the hash up first and never upload a document that may contain sensitive data.
• National Vulnerability Database (nvd.nist.gov), operated by NIST (US federal government), is pretty much the go-to database for vulnerabilities; it adds CVSS scores and affected-product data to each CVE.
• MITRE CVE database (cve.mitre.org, now cve.org): MITRE maintains the list of CVEs. They are a not-for-profit organization that does a lot of work in this space.
Public and Private Information Sharing
Cybersecurity Act of 2015 (its Title I is the Cybersecurity Information Sharing Act, CISA 2015): signed in December 2015 and really put into action in 2016, with the goal of increasing information sharing between public and private entities, that is, government and commercial organizations. It provides a legal framework, including liability protections, for sharing cyber threat indicators between government and the private sector, so that both can strengthen their defences and quicken response times.
A couple of entities associated with this are the Information Sharing and Analysis Centers (ISACs), of which there are more than 20 sector-specific ones (financial services, energy, health and so on) that share and disseminate information within their sector, and the National Cybersecurity and Communications Integration Center (NCCIC), the DHS hub that has since been folded into CISA, the Cybersecurity and Infrastructure Security Agency.
Dark Web
The dark web is a part of the internet that a normal web browser (Safari, Internet Explorer, Chrome, Firefox, etc.) cannot reach out of the box. Regular DNS does not resolve these sites, so reaching them requires special software:
• Tor, The Onion Router, an anonymizing overlay network that lets applications and websites operate outside DNS. A Tor hidden service has a .onion address instead of a .com, .mil or .gov name; the address is derived from the service's own public key, so it cannot be registered or taken over the way a DNS name can.
• A Tor gateway such as tor2web lets someone with a regular browser reach Tor sites through a proxy. Not the most secure option: the gateway operator sees your traffic, and you give up the anonymity Tor is meant to provide.
• Invisible Internet Project (I2P), an alternative anonymous network with its own addressing.
The deep web is everything that regular search engines do not index or cannot reach (databases, paywalled and login-protected content), and the dark web is a subset of that. By the commonly quoted estimate, the public or surface web is about 10% of what is out there and the deep web about 90%; the dark web itself is a tiny portion of the deep web.
Indicators of Compromise (IOC)
Pieces of data (breadcrumbs) that can identify potentially malicious activity. Common IOCs:
• Unusual outbound traffic.
• Unusual privileged account activity.
• Geographical anomalies.
• Suspicious registry or system file changes.
• Mismatched port-application traffic.
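As an added example (not part of the course notes), the following Python script runs four of those IOC checks over a handful of constructed log lines: an impossible-travel check for the geographical anomaly, an off-hours check for privileged accounts, a port-versus-protocol check for mismatched traffic, and a median-based baseline for unusual outbound volume. The log format, the privileged-user list, the one-hour travel window, the off-hours range and the 10x outbound factor are all assumptions chosen for the example.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample events (not real telemetry): ISO timestamp, then key=value pairs.
SAMPLE_LOG = """\
2024-05-01T01:58:12Z type=auth user=jsmith src=203.0.113.5 geo=US result=success
2024-05-01T02:13:07Z type=auth user=admin src=203.0.113.5 geo=US result=success
2024-05-01T02:40:40Z type=auth user=admin src=198.51.100.9 geo=RU result=success
2024-05-01T09:00:00Z type=flow src=10.0.0.12 dst=93.184.216.34 dport=443 app=tls bytes_out=48000
2024-05-01T09:00:05Z type=flow src=10.0.0.13 dst=93.184.216.34 dport=443 app=tls bytes_out=51000
2024-05-01T09:01:00Z type=flow src=10.0.0.14 dst=198.51.100.77 dport=443 app=ssh bytes_out=2200
2024-05-01T09:02:00Z type=flow src=10.0.0.15 dst=203.0.113.200 dport=53 app=dns bytes_out=900
2024-05-01T09:03:00Z type=flow src=10.0.0.12 dst=198.51.100.78 dport=443 app=tls bytes_out=920000000
"""

PRIVILEGED_USERS = {"admin", "root", "svc_backup"}          # assumed list for the example
EXPECTED_APP = {"80": "http", "443": "tls", "22": "ssh", "53": "dns"}
TRAVEL_WINDOW = timedelta(hours=1)   # two countries inside this window = impossible travel
OFF_HOURS = range(0, 6)              # 00:00-05:59 UTC counts as off-hours (assumption)
OUTBOUND_FACTOR = 10                 # flag flows more than 10x the median outbound size


def parse_log(text):
    """Turn each line into a dict of fields with a parsed 'ts' datetime."""
    events = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        ev = dict(kv.split("=", 1) for kv in rest.split())
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_iocs(events):
    """Return a list of (rule, detail) findings for four IOC classes."""
    findings = []
    auths = [e for e in events if e["type"] == "auth" and e["result"] == "success"]
    flows = [e for e in events if e["type"] == "flow"]

    # Geographical anomaly: the same account authenticating from two countries
    # closer together in time than any traveller could manage.
    last_seen = {}
    for e in sorted(auths, key=lambda e: e["ts"]):
        prev = last_seen.get(e["user"])
        if prev and prev["geo"] != e["geo"] and e["ts"] - prev["ts"] <= TRAVEL_WINDOW:
            minutes = (e["ts"] - prev["ts"]).seconds // 60
            findings.append(("geo_anomaly",
                             f"{e['user']} logged in from {prev['geo']} then {e['geo']} within {minutes} min"))
        last_seen[e["user"]] = e

    # Privileged account activity outside business hours.
    for e in auths:
        if e["user"] in PRIVILEGED_USERS and e["ts"].hour in OFF_HOURS:
            findings.append(("priv_off_hours",
                             f"{e['user']} authenticated at {e['ts']:%H:%M}Z from {e['src']}"))

    # Mismatched port/application: the protocol seen on the wire is not the one
    # the destination port is normally used for (e.g. SSH tunnelled over 443).
    for e in flows:
        expected = EXPECTED_APP.get(e["dport"])
        if expected and e["app"] != expected:
            findings.append(("port_app_mismatch",
                             f"{e['src']} -> {e['dst']}:{e['dport']} carries {e['app']}, expected {expected}"))

    # Unusual outbound traffic: a flow far above the baseline of its peers.
    if flows:
        baseline = median(int(e["bytes_out"]) for e in flows)
        for e in flows:
            if int(e["bytes_out"]) > OUTBOUND_FACTOR * baseline:
                findings.append(("unusual_outbound",
                                 f"{e['src']} sent {int(e['bytes_out']):,} bytes to {e['dst']} "
                                 f"(baseline {int(baseline):,})"))
    return findings


if __name__ == "__main__":
    for rule, detail in find_iocs(parse_log(SAMPLE_LOG)):
        print(f"[{rule}] {detail}")
```

The sample produces five findings: one impossible-travel hit and two off-hours hits for admin, one SSH-over-443 flow, and one host pushing roughly 920 MB against a 48 KB baseline. In production the baseline would be per-host history rather than the median of the current batch, and the registry/system-file IOC needs host telemetry (file-integrity or EDR events) that a network log does not carry.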
Automated Indicator Sharing (AIS)
Automated Indicator Sharing (AIS) is a free service from the Department of Homeland Security (now run by CISA) that shares indicators between the federal government and the private sector at what is known as "machine speed": getting the information out to all members of the service as quickly as possible. Participants connect to DHS-managed systems at the NCCIC. All systems must be able to communicate using the STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Intelligence Information) specifications: STIX is the data format and TAXII the transport, a standard way of exchanging it over HTTPS APIs so that all these different systems can talk to each other. As quickly as information comes in, it is disseminated out to the member organizations.
TAXII Layout
TAXII 2 describes two ways of sharing: Collections and Channels. A Collection is request/response: a TAXII client pulls objects from a collection on a TAXII server, or pushes new objects into it. A Channel is publish/subscribe: a client publishes to a TAXII server and the other clients subscribed to that server (or to multiple servers) receive what was published. (Channels were left for a future version of the specification, so in practice sharing runs over Collections.) Either way it is a one-to-many or many-to-one relationship: if one entity comes across some type of indicator, it can publish it to the TAXII server and it gets pushed out to all other participants at once, or as quickly as possible. The server does not vet the information. Everyone has the same data almost in real time, and it is up to each recipient to verify and vet it, perhaps enrich it with their own threat intelligence feeds, and then act on it accordingly.
MITRE
MITRE is a not-for-profit organization that operates federally funded research and development centers (FFRDCs) for multiple US government agencies. They are responsible for, or originated:
• Common Vulnerabilities and Exposures (CVE) database.
• Common Weakness Enumeration (CWE) database.
• Trusted Automated eXchange of Intelligence Information (TAXII): a transport protocol that allows sharing of threat intelligence over HTTPS using common APIs.
• Structured Threat Information eXpression (STIX): a standardized JSON format for representing threat intelligence.
STIX and TAXII started at MITRE but are now maintained as OASIS standards; the current versions are STIX 2.1 and TAXII 2.1.
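The following is an added example, not code from the course or from MITRE/OASIS: it builds a small STIX 2.1 bundle of the kind a TAXII 2.1 server returns from a collection, parses the subset of the STIX patterning language most feeds actually use (bracketed observation expressions joined by OR, comparisons joined by AND, string or integer literals), honours valid_from/valid_until, and matches the indicators against a flat observation. The identifiers, the IP, the domain and the hash are placeholders, and the observation layout (STIX object path mapped to the observed value) is an assumption of the example.

```python
import re
from datetime import datetime

# Constructed STIX 2.1 bundle, as it might arrive in a TAXII 2.1 envelope.
# All identifiers, addresses and hashes are placeholders, not real threat data.
STIX_BUNDLE = {
    "type": "bundle",
    "id": "bundle--8f6c2f5e-5c3e-4b8e-9c1a-0d1f2e3a4b5c",
    "objects": [
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--a1b2c3d4-1111-4222-8333-444455556666",
            "created": "2024-05-01T12:00:00.000Z",
            "modified": "2024-05-01T12:00:00.000Z",
            "name": "Hypothetical C2 infrastructure",
            "indicator_types": ["malicious-activity"],
            "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '198.51.100.9'] OR "
                       "[domain-name:value = 'c2.example' AND network-traffic:dst_port = 8443]",
            "valid_from": "2024-05-01T12:00:00Z",
            "valid_until": "2024-12-31T00:00:00Z",
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--b2c3d4e5-2222-4333-8444-555566667777",
            "created": "2024-05-01T12:00:00.000Z",
            "modified": "2024-05-01T12:00:00.000Z",
            "name": "Hypothetical dropper (hash is SHA-256 of the empty file)",
            "indicator_types": ["malicious-activity"],
            "pattern_type": "stix",
            "pattern": "[file:hashes.'SHA-256' = "
                       "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
            "valid_from": "2024-05-01T12:00:00Z",
        },
    ],
}

# One comparison: object path, '=', then a single-quoted string or a bare integer.
_COMPARISON = re.compile(r"^(.+?)\s*=\s*(?:'([^']*)'|(\d+))$")


def parse_stix_pattern(pattern):
    """Parse [a = 'x' AND b = 'y'] OR [c = 3] into a list of alternatives.

    Each alternative is a dict of object-path -> required value (as a string);
    every clause in an alternative must hold for that alternative to match.
    """
    alternatives = []
    for expr in re.findall(r"\[([^\]]+)\]", pattern):
        clauses = {}
        for comparison in expr.split(" AND "):
            m = _COMPARISON.match(comparison.strip())
            if not m:
                raise ValueError(f"unsupported comparison: {comparison!r}")
            clauses[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
        alternatives.append(clauses)
    if not alternatives:
        raise ValueError("no observation expression in pattern")
    return alternatives


def parse_stix_time(ts):
    """STIX timestamps are RFC 3339 in UTC with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def indicator_is_current(indicator, now):
    """valid_from is inclusive; valid_until, when present, is exclusive."""
    start = parse_stix_time(indicator["valid_from"])
    until = indicator.get("valid_until")
    return start <= now and (until is None or now < parse_stix_time(until))


def match_indicators(bundle, observation, now):
    """Return the ids of indicators whose pattern matches the observation.

    `observation` is a flat dict of object-path -> observed value, e.g.
    {"ipv4-addr:value": "198.51.100.9"} (an assumed layout for the example).
    """
    hits = []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        if not indicator_is_current(obj, now):
            continue
        for alt in parse_stix_pattern(obj["pattern"]):
            if all(path in observation and str(observation[path]) == value
                   for path, value in alt.items()):
                hits.append(obj["id"])
                break
    return hits
```

Two details matter operationally: the AND inside a bracket means the domain alone is not a hit until the port is seen too, and an expired indicator is silently dropped, which is how a feed stops generating alerts on infrastructure that has since been cleaned up.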
The MITRE ATT&CK framework, whose name stands for Adversarial Tactics, Techniques, and Common Knowledge, is a knowledge base of real-world adversary behaviour. Tactics are the "why" of an attack step and techniques the "how": the course describes it as 314 items across 12 categories, and those 12 categories are the tactics, while the items under them are techniques, a count that changes with every release. The 12 tactics of the Enterprise matrix at the time were Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact; later releases added Reconnaissance and Resource Development in front of Initial Access, for 14.
If we understand where in the cyber kill chain something is happening, and our threat intelligence analysis identifies which threat group is executing, or attempting to execute, the attack, ATT&CK tells us which techniques that group is known to use, whether that is 3, 5 or 10 of them. We can then focus our attention on those, enrich the data, and pass it on to our defenders so they can get on with mitigating or remediating the threat as quickly as possible.
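As an added example (not course material or MITRE code), the Python below does the "which group is this and what should we hunt for next" step: it scores constructed group profiles against the techniques observed so far using Jaccard similarity, maps observed techniques to the kill-chain tactics they belong to, and lists the best-matching group's remaining techniques by tactic. The technique IDs and their tactic assignments are real ATT&CK Enterprise values; the three group profiles are made up for the example (real ones live at attack.mitre.org/groups).

```python
# Tactics each technique can appear under in ATT&CK Enterprise; a technique
# may belong to several tactics (Valid Accounts, for instance, is listed under four).
TECHNIQUE_TACTICS = {
    "T1566": {"Initial Access"},                                     # Phishing
    "T1190": {"Initial Access"},                                     # Exploit Public-Facing Application
    "T1059": {"Execution"},                                          # Command and Scripting Interpreter
    "T1053": {"Execution", "Persistence", "Privilege Escalation"},   # Scheduled Task/Job
    "T1078": {"Initial Access", "Persistence",
              "Privilege Escalation", "Defense Evasion"},            # Valid Accounts
    "T1027": {"Defense Evasion"},                                    # Obfuscated Files or Information
    "T1003": {"Credential Access"},                                  # OS Credential Dumping
    "T1021": {"Lateral Movement"},                                   # Remote Services
    "T1071": {"Command and Control"},                                # Application Layer Protocol
    "T1041": {"Exfiltration"},                                       # Exfiltration Over C2 Channel
    "T1486": {"Impact"},                                             # Data Encrypted for Impact
}

# Hypothetical group profiles, constructed for the example: which techniques
# each group has been observed using.
GROUP_PROFILES = {
    "GROUP_A (espionage)":  {"T1566", "T1059", "T1078", "T1003", "T1021", "T1071", "T1041"},
    "GROUP_B (ransomware)": {"T1190", "T1059", "T1053", "T1003", "T1021", "T1486"},
    "GROUP_C (hacktivist)": {"T1190", "T1027", "T1071"},
}


def rank_groups(observed, profiles=GROUP_PROFILES):
    """Score each group by Jaccard similarity between its known techniques
    and those observed in the incident; best match first."""
    observed = set(observed)
    scored = []
    for group, techniques in profiles.items():
        union = observed | techniques
        score = len(observed & techniques) / len(union) if union else 0.0
        scored.append((group, score))
    return sorted(scored, key=lambda item: item[1], reverse=True)


def tactics_seen(observed):
    """Kill-chain stages the observed techniques map to (sorted names)."""
    return sorted({t for tech in observed for t in TECHNIQUE_TACTICS.get(tech, set())})


def hunt_next(observed, group, profiles=GROUP_PROFILES):
    """For a matched group, its known techniques NOT yet observed, keyed by
    tactic, so defenders know where to look next (e.g. lateral movement and
    exfiltration once credential dumping has been seen)."""
    remaining = profiles[group] - set(observed)
    by_tactic = {}
    for tech in sorted(remaining):
        for tactic in TECHNIQUE_TACTICS.get(tech, {"Unknown"}):
            by_tactic.setdefault(tactic, []).append(tech)
    return by_tactic


if __name__ == "__main__":
    observed = {"T1566", "T1059", "T1003"}   # phishing -> script -> credential dump
    print("stages seen:", tactics_seen(observed))
    ranking = rank_groups(observed)
    for group, score in ranking:
        print(f"{group:24s} {score:.2f}")
    best = ranking[0][0]
    for tactic, techs in sorted(hunt_next(observed, best).items()):
        print(f"hunt {tactic}: {', '.join(techs)}")
```

With phishing, scripting and credential dumping observed, GROUP_A scores 3/7 against GROUP_B's 2/7, and the hunt list for GROUP_A points at Valid Accounts, Remote Services, Application Layer Protocol and Exfiltration Over C2 Channel, which is exactly the "next X tactics" the defenders should be instrumented for.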
Gathering and Correlating Information
Data in a vacuum, without context, is extremely difficult to interpret: it is hard to tell which data is valuable and which is noise. The information comes from a variety of sources: forensics, alerts from our systems, telemetry, thresholds that are triggered, AI or machine learning alerts, and so forth. What we should strive for is to take all these disparate pieces and bring them into one system, a tool that aggregates the data and lets one source enrich another, so that we can systematically track and enrich it. That correlation is what makes a threat intelligence analyst effective: a C2 address from a feed means little on its own, but matched against an outbound flow from a host whose user just had an anomalous login, it is an incident.
Predictive Analysis
This is where AI (artificial intelligence) and machine learning come in: proactive analysis that aims to flag an attack before it becomes a breach. The models look for indicators of compromise and learn from what previous incidents were made up of. This is done with learning algorithms that constantly monitor, take everything that has happened before, apply the algorithms to those prior events, categorize them and ultimately learn from them so as to be proactive in future. The caveat is that a model trained on past incidents recognizes variations of what it has already seen and will also alert on benign novelty, so its output still needs analyst triage rather than blind automation.
Threat Maps
A threat map can come in many shapes and sizes, and many vendors offer one (Check Point, for example). It provides real-time monitoring of threats: the type, origin and destination of each attack, where it came from and where it is going. The data can be enriched with additional threat feeds to make it more actionable. Threat maps can be localized to a specific company or industry or, as in the Check Point example, be global, showing attacks worldwide as they happen. Bear in mind that the "origin" shown is the source address the vendor's sensors saw, usually a compromised or proxied machine rather than the actual attacker, so a global map is useful for situational awareness, not for attribution.
File / Code Repositories
Numerous GitHub repositories are not properly secured: they contain information the developer did not realize they were pushing, such as API keys, credentials, session tokens and other sensitive material, and once pushed it remains in the commit history even after being deleted from the current tree. Bitbucket (Atlassian) is a similar offering with similar capabilities from a different company, geared more towards enterprise customers. Within our own companies we need to make sure our repositories are secure and audit them periodically, ideally with automated secret scanning on every push, so they are not storing or leaking sensitive information.
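As an added example, not part of the course, here is the kind of check such an audit runs: a scanner that walks repository files for known credential formats (AWS access keys, AWS secret keys, GitHub personal access tokens, PEM private keys) and falls back to Shannon entropy to catch arbitrary high-entropy tokens it has no pattern for. The in-memory sample repository is constructed for the example; the AWS values are the placeholder credentials from AWS's own documentation, the GitHub and API tokens are made-up strings in the right format, and the 4.0 bits-per-character entropy threshold is an assumption to tune per repository.

```python
import math
import re
from collections import Counter

# Constructed sample of files as they might sit in a repository. The credential
# values are documentation placeholders / made-up strings, not real secrets.
SAMPLE_REPO = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        "ALLOWED_HOSTS = ['aaaaaaaaaaaaaaaaaaaaaaaa.example']\n"
    ),
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----\n",
    "README.md": "Run `make test` before pushing. Session timeout is 3600 seconds.\n",
    ".env": "GITHUB_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8\n",
    "scripts/ci.sh": "export API_TOKEN=9fK2mQ7xLp4vRt8wZn3cHb6yJd1sGa5e\n",
}

# Regexes for credential formats with documented prefixes and lengths.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_key": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}
TOKEN = re.compile(r"[A-Za-z0-9/+_-]{20,}")   # candidate strings for the entropy check
ENTROPY_THRESHOLD = 4.0                        # bits per character; assumed cut-off


def shannon_entropy(s):
    """Bits of entropy per character; random base64-ish secrets score ~4.5-6,
    prose and repeated characters score well below 4."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path, text):
    """Return (path, line_no, kind, matched_text) for every suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        spans = []
        for kind, rx in SECRET_PATTERNS.items():
            for m in rx.finditer(line):
                spans.append(m.span())
                findings.append((path, lineno, kind, m.group(0)))
        for m in TOKEN.finditer(line):
            # Skip anything already reported by a specific pattern.
            if any(m.start() < end and start < m.end() for start, end in spans):
                continue
            if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
                findings.append((path, lineno, "high_entropy", m.group(0)))
    return findings


def scan_repo(files):
    """files: mapping of path -> file contents (what a tree walk would yield)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for path, lineno, kind, text in scan_repo(SAMPLE_REPO):
        print(f"{path}:{lineno}: {kind}: {text[:12]}...")
```

Against the sample this reports the two AWS values, the private key header, the ghp_ token and the 32-character API token, and stays quiet on the README and on the low-entropy 'aaaa...' hostname. To catch secrets deleted from the working tree, run the same scan over every commit's content, not just HEAD.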
Research Sources
• Vendor websites: a great source of product-specific information, advisories and patches.
• Vulnerability feeds. Some are public, some are private.
• Conferences: a great way to network, to see what other folks are doing and to learn what other companies are doing.
• Academic journals: some of what is published there is proof of concept not yet seen in the wild, but it gives you a foothold in understanding what is potentially coming down the pike so you can prepare accordingly.
• Request for Comments (RFCs): the best way to understand a specific protocol in detail, how it is supposed to work and, in its Security Considerations section, where its known weaknesses are.
• Local industry groups, very much like conferences.
• Social media is ridiculously good for threat intelligence and for doing a little recon on companies, because so many companies and people post far too much information.
• Threat feeds: Recorded Future is one example of a commercial threat feed.
• Adversary Tactics, Techniques, and Procedures (TTPs): MITRE ATT&CK is a great blueprint of the TTPs adversaries use.