6. Distinguishing Threat Actors, Vectors, and Intelligence Sources
advertisement
6. Distinguishing Threat Actors, Vectors, and Intelligence Sources Module Review Each of these different groups have specific attributes, weaknesses, typical motivations, methods of attack, etc. We'll see threat intelligence sources; how can you gather information to help strengthen your defences. Also, research sources just to make sure that we're all clear on the various ways we can gather information, whether it be through conferences, academic research papers, RFCs, etc. Script Kiddies Hackers that are relatively new or unskilled - Typically looking to see what they can get into. The challenge is the attraction. Not typically associated with any organized hacking groups. Usually not well funded. Hacktivists Hackers who are motivated by ideology or some social/political cause: - Can be well funded and skilled. Usually deface websites. Steal information: • Personal information and credentials. DDoS. Not particularly patient or stealthy. Organized Crime Hackers who are motivated by financial gain: - Deliberate with high technical capability. Well-funded. Patient and persistent. POS terminals, ATM machines, credit card numbers, etc. Steal personal information for sale on the dark web. Nation States / APT Highly skilled hackers whose main goal is to penetrate government or commercial systems: - Cyber espionage Data/IP theft Sabotage Cyber warfare Very stealthy and persistent, well-funded and connected. They don't want their victims to know that they're there, they go through a lot of time and effort and expense to make sure those tracks are as covered as possible. Insiders Often motivated by financial gain - CERT advises that over 70% of IP theft cases involve insiders. Accidental exposure can occur from misuse or misconfigured systems. They can exfiltrate that information slowly over periods of time. Data theft includes IP and company secrets. Competitors Motivated by financial gain: - Competitive advantage. Theft of IP or company secrets. Sabotage. Can be well funded and range from low to high skill. Threat Actor Attributes Attack Vectors Use of Open Source Intelligence Open Source Intelligence, or OSIN or OSINT: there are numerous tools and websites available for intelligence gathering and reconnaissance. They can be applications, browser plugins, they can be passive or active in nature. Examples: Maltego, Metagoofil, Shodan, the Google Hacking database (Google Dorks: they will show you websites that have those vulnerabilities in them). These different types of tools allow you to get intelligence gathering from fingerprinting websites and operating systems, server information, you can find the background information on web addresses, email addresses, the server addresses behind the scenes, etc. Social Engineering Toolkit allows you to go in and find out a lot of information about a company that's publicly available, who the people are, who the directors are. You can use the Wayback Machine to see what a website looked like maybe 5-6 months ago, a year ago, 5 years ago. This makes it much easier for them to extract information from a social engineering perspective from potential victims. Closed / Proprietary Intelligence To compare and contrast against open source intelligence, we also have closed or proprietary intelligence. For example, commercial sources. It’s information that's gathered and kept through a commercial package or a commercial service, you don't necessarily buy a piece of software, but you subscribe to a service. And then, these commercial packages often will have SIEM (Security Information and Event Management) integration or SOAR (Security orchestration, automation and response) capabilities built in so that when this actionable intelligence does come in, you can act on it very quickly and respond to those threats almost in real time if not actually in real time. Vulnerability Databases Google Hacking Database, that can be seen at www.exploit-db.com. VirusTotal (virustotal.com) allows you to actually upload files, viruses, etc, and in some cases, download pieces of malware and viruses for testing. It allows you to upload these things so that they get added to the database and can be analysed through their service. National Vulnerability Database (nvd.nist.gov), is operated by the federal government that is pretty much a go-to database for vulnerabilities. MITRE, the MITRE CVE database (cve.mitre.org): they maintain the database of CVEs. They are a not-for-profit company that does a lot of work in this space. Public and Private Information Sharing Cybersecurity Act of 2015: signed in 2015 and really put into action in 2016 with the goal of increasing sharing, information sharing between public and private entities, right government, and commercial entities. It provided a framework for sharing of information between government and private sector. The goal of sharing information across both sectors to help strengthen defence and to quicken response times. A couple entities that are associated with this is the information sharing and analysis centre, the ISAC, there are 20 of those centres sharing and disseminating information, and also the National Cybersecurity and Communications Integration Centre, or the NCCIC. Dark Web The dark web is an area of the internet not accessible via normal web browsers, right - Safari, Explorer, Chrome, Firefox, etc. Regular DNS does not get you to these websites or to these resources, so it requires special software or applications, such as: TOR, The Onion Router, is an anonymized service that allows applications, websites, etc to operate outside of DNS. It requires having an onion address (.onion address instead of a .com or .mil or .gov). TOR gateway, tor2web as an example, alllows someone with a regular browser to go through a gateway to get to TOR sites. Not necessarily the most secure thing. Invisible Internet Project, or I2P. The deep web is basically things that are not accessible via the regular internet, and then the dark web is a subset of that. The public internet or the bright web, comprises about 10% of what's out there, and then the deep web and dark web is about 90%. The dark web itself is a tiny portion of the deep web. Indicators of Compromise (IOC) Pieces of data (breadcrumbs) that can identify potential malicious activity. Common IOCs: • • • • • Unusual outbound traffic. Unusual, privileged account activity. Geographical anomalies. Suspicious registry or system file changes. Mismatched port-application traffic. Automate Indicator Sharing (AIS) Automated indicator sharing or AIS system is from the Department of Homeland Security, and it's a free sharing service that shares indicators between the federal government and private sector at what's known as “machine speed”: getting this information out as quickly as possible to all the members of this service. The participants will connect to DHS-managed systems at the NCCIC. All systems must be able to communicate using STIX (structured threat information expression) and TAXII (trusted automation exchange of indicator information) specifications. It's a set of protocols and a standard way of communicating over APIs so that all these different systems can talk to each other. As quickly as information comes in, it gets disseminated out to the member companies. TAXII Layout We have two channels here or two collections and channels. On the channel side, we have a TAXII server and a TAXII client can publish or push to a TAXII server or a client could subscribe to a TAXII server or multiple TAXII servers. So it's a one-to-many or a many-to-one relationship. If one entity comes across some type of indicator, it can publish that out to the TAXII server, and then it gets pushed out to all other agencies at once or as quickly as possible. They don't vet that information, everyone has the same information almost in real time, and then it's up to them to verify, to vet, maybe to enrich that data with their own threat intelligence feeds and then to act upon it accordingly. MITRE MITRE is a not-for-profit organization, and they manage federal funding for research projects across multiple agencies. They are responsible for: • • • • Common Vulnerabilities and Exposures database, or the CVE database. Common Weakness Enumeration, or the CWE, database. Trusted Automation Exchange of Intelligence Information, or TAXII: it is a transport protocol that allows sharing of threat intelligence information over HTTPS using common APIs. Structured Threat Information eXpression, or STIX: it’s a standardized format for presenting threat intelligence information. The MITRE ATT&CK, the actual name of the framework, stands for Adversarial Tactics, Techniques, and Common Knowledge. There are 314 tactics spread across 12 different categories. We have Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and then Impact. If we understand where something is happening in the cyber kill chain, as an example, and we're able to identify through our threat intelligence analysis what type of threat group is executing or attempting to execute the specific attack, we can use something like the MITRE ATT&CK framework to understand that specific group uses these X number of tactics, 3, 5, 10, so we can quickly focus our attention, we can start enriching that data, pass it on to our defenders so they can go out and do their job of either trying to mitigate or remediate that threat as quickly as possible. Gathering and Correlating Information Data in a vacuum without context is extremely difficult to interpret and to understand exactly what data is valuable and what is noise. All this information comes from, it can come from a variety of sources: forensics, from alerts within our systems, telemetry information, it could be thresholds that are triggered, it could be, it could be AI or machine learning alerts, and so forth. What we should strive for is to take all these disparate pieces of information and combine them into a system, a tool that allows us to aggregate the data, to allow one source to enrich the other, we put it into a system the methods that allows us to systematically track and enrich that data to make us a much more effective threat intelligence analyst. Predictive Analysis We are talking about AI or artificial intelligence and machine learning. So this will provide proactive analysis to detect breaches really before they occur. It's basically looking for indicators of compromise, learning from what other incidents are made up of. So this is done through learning algorithms that constantly monitor, they learn, and take all the things that have happened before, apply algorithms to those prior events, and then to categorize and ultimately learn from them to be proactive in the future. Threat Maps A threat map can come in many shapes and sizes. There's lots of different companies that offer this type of functionality (Check Point). It provides real-time monitoring of threats, as the type, the origin, and the destination of the threat - where it came from and where it's going. And this data can also then be enriched with additional threat feeds and additional data to make it even more actionable. These types of threat maps can also be localized for a specific company or a specific industry, or like in this instance, it can be global, showing attacks as they happen, worldwide. File / Code Repositories Numerous GitHub repositories are not properly secured. They have information in there that perhaps the developer didn't realize they were pushing up to the repository, session keys, sensitive information, and so forth. Bitbucket is a similar offering and has similar capabilities to GitHub, two different companies. Bitbucket is geared more towards enterprise customers. We need to make sure within our own companies that our GitHub repositories are secure, that we audit them periodically to make sure they're not containing or leaking sensitive information. Research Sources • • • • • • • • • Vendor websites, a great tool about product-specific information. Vulnerability feeds. Some are public, some are private. Conferences is a great way to network, to also see what other folks are doing, to learn what other companies are doing. Academic journals. Some things that are potentially proof of concept and have not really been seen in the wild yet, but it gives you a great foothold in understanding of what's potentially coming down the pike, and you can prepare accordingly. Request for Comments, RFCs. RFCs are a good way to understand in detail about that specific protocol, how things work. Local industry groups, very much like conferences. Social media is ridiculously good for threat intelligence, for doing a little bit of recon, learning about companies because so many companies and so many people post way too much information. Threat feeds: Recorded Future is a great threat feed. Adversary Tactics, Techniques, and Procedures, TTPs: MITRE ATT&CK is a great blueprint of the various TTPs that adversaries will use.
