
Aligning Threat Intelligence to Defender Needs - Identifying Activity Groups


Attribution within threat intelligence operations generally focuses on trying to find a 'who' - pick a US three-letter agency or other intelligence service - rather than the 'how' - what totality of activities makes up a specific activity group responsible for one (or more) campaigns. This talk will explore and outline the differences between these approaches, and how the former might be useful when discussing things in the press or looking at events from a law enforcement perspective, but the latter is far more useful (and significantly less controversial) for actual network defenders. Specifically, by limiting ourselves to defining a collection of behaviors or TTPs surrounding a specific event or campaign, threat intelligence can then develop playbooks, response procedures, and evaluation of expected follow-on actions related to the documented activity group. Most importantly, activity groups - as collections of behaviors - are distinct from 'actors'. Thus, you may have multiple activity groups, associated with a set of targets and TTPs, that all happen to belong to the same hostile foreign intelligence service. But from an IR or SOC perspective, the 'geopolitical' aspect is irrelevant.

To illustrate the above and why it matters, I provide a couple of examples, including one where aggressive attribution for the sake of press coverage or other motives muddies the waters from a defense perspective. Specifically, I look at the Dragonfly 2.0 report released earlier in 2017 and the follow-on reporting related to it (most notably US-CERT's report) to show how multiple activity groups can be conflated, producing a confusing and unhelpful picture of the threat landscape for network defenders.

Following this discussion, attendees will have a more robust understanding of threat intelligence operations, the different types of attribution based upon threat intelligence work, and why an activity group-focused approach is more useful to security operations than alternatives. Attendees will be equipped to more robustly examine and, where necessary, challenge threat intelligence reporting, and learn what details are most useful in applying threat intelligence data to security operations.


  1. • Joe Slowik, Threat Intelligence & Hunter
     • Current: Dragos Adversary Hunter
     • Previous:
       • Los Alamos National Lab: IR Lead
       • US Navy: Information Warfare Officer
       • University of Chicago: Philosophy Drop-Out
  2. • Typical Attribution
     • Purpose of Attribution
     • Defining Activity Groups
     • Behavior-Focused Attribution
     • Examples
  3. • Attribution typically focuses on 'who'
     • Identify signifying details in data
     • Tie these back to a concrete entity
  4. • Satisfies a primal human need
       • Who is responsible
     • Frames matters in a way that is easily understood
       • Actor X is responsible for Event Y
  5. • Attribution is really hard!
     • Typically collection only consists of technical artifacts
       • Obscures underlying actions and events
     • Leads to cognitive bias
       • Of course Country X performed action Y
  6. • Attribution can get 'just far enough' to blame a 'country'
       • And take the resulting media 'bump'
     • But not far enough to develop a meaningful breakdown of responsibility
  7. • What does knowing Country X is responsible for Event Y tell you?
     • From a network defense perspective:
       • Likely nothing
       • Or, potentially damaging due to assumptions about Country X
  8. • Determining who is responsible has specific value – but not for defense
     • Identifying how an attack took place informs network defense
  9. • Align resources, identify TTPs, focus defense
     • If it doesn't inform or benefit defense, what's the point?
  10. Attack Takes Place
      • Capture data
      • Record context
      Analysis & Production
      • Transition data to information
      • Formulate conclusions
      Develop Conception of Adversary
      • How does the adversary act?
      • What are targets, intentions, and infrastructure?
  11. Intelligence
      • Track how the adversary operates
      • Learn to anticipate activity
      Playbooks
      • Based on actions, define responses
      • Create SOPs for defense
      Remediation
      • Knowing capabilities informs response
      • Reduce time to remediation
  12. • Ultimately:
        • Prepare and enable defenders
        • Improve defenses, anticipate attacks
      • Other items are superfluous:
        • Flashy media headlines
        • Provocative stories
  13. • Methodology for defining actors by actions
      • Distinct from traditional attribution:
        • Focus on the how
        • The who is in many ways irrelevant
  14. • Focus on observable items from events
      • Avoids speculation, inferring intention
      • Resulting picture is a composite of how an attack took place
  15. (Diagram) Command Authority; Operations Group A; Operations Group B; Operations Group C; Development Teams
  16. • Traditional attribution focuses on readily observed items:
        • Malware
        • C2
      • As a result, focuses on development teams
      • Less relevance to operations
  17. • Operations teams can mean many things:
        • Different military units
        • Contractors
        • Etc.
      • Main point: different elements implementing common capabilities
  18. • Different operations teams can use a similar toolset for different operations
      • Behavioral approach enables operations tracking
      • Goal: identify operations teams by behavior and objective
  19. (Diagram slide; no text extracted)
  20. The 'who' – just one part of the whole
  21. What enables the attack – relevant to target environment
      The required connection between adversary and victim
  22. Purpose and focus for the action
  23. • Analysis primarily focuses on technical observations:
        • Infrastructure
        • Capabilities
      • 'Adversary' can be abstracted; 'victim' is useful for parsing campaigns
  24. • The means through which a capability is executed
      • Provides the link from Adversary to Victim
      • Can be characterized as atomic or behavioral
  25. • Typical 'IOCs':
        • IP addresses
        • Domain names
      • Relevant to an identified event
      • Not helpful for characterizing future activity
  26. • Trends and patterns
      • Less likely to change, longer lasting
      • Examples:
        • SSL certificate creation
        • Infrastructure types and themes
  27. • Compromised vs. owned infrastructure
      • Hosting and registration patterns
      • SSL certificate re-use
  28. • What an adversary utilizes to achieve an objective against a victim
      • Primarily behavioral in nature when properly implemented
      • Can include indications of intent
  29. • An 'atomic capability' is simply an observation from a specific instantiation of that capability
      • Examples:
        • Hash value
        • File name
      • Easily changed, highly mutable
  30. • True understanding of a capability is gained by analyzing behaviors
      • How does the adversary operate?
      • What actions are typically performed?
      • Goal is to build a picture of adversary operations
  31. • Intrusion techniques – malware vs. 'living off the land'
      • Coding and deployment consistencies
      • Tendencies for persistence, clearing artifacts
  32. • Characterize adversary activity
      • Identify commonalities and general trends
      • Build a profile based upon observed behavior
      • Design detections and alerts around observations
  33. • Leverage available evidence to group and define activities
      • Differentiation: two or more unique vertices of the Diamond Model
  34. • Multiple reports on Russian infiltration of US energy companies in summer 2017
      • Eventually combined several distinct attacks into one campaign
      • Resulting picture muddies the situation for defenders
  35. • July 2017: ALLANITE
      • October 2017: DYMALLOY
      • October 2017: US-CERT TA17-293A
      • March 2018: US-CERT TA18-074A
  36. • 2013–2014: DRAGONFLY
      • Dec 2015 – Mar 2017: DYMALLOY
      • May 2017 – ?: ALLANITE
  37. Initial Access:
      • Phishing
      • Strategic website compromise
      Deploy Implants:
      • RATs: Karagany.B, Heriplor
      • Backdoors: DorShel, Goodor
      Information Collection:
      • Mimikatz integrated into a broader credential capture tool
      • Framework for harvesting documents, intelligence info
  38. Initial Access:
      • Phishing
      • Strategic website compromise
      Leverage Scripts and System Commands:
      • Credential capture and re-use
      • Unique LNK icon image to ensure continued credential capture
      Information Collection:
      • Various publicly-available password cracking frameworks
      • RDP for connectivity and transfer
  39. word/_rels/settings.xml.rels: Target="file://"
      word/_rels/settings.xml.rels: Target="file://"
      word/_rels/settings.xml.rels: Target="file://"
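Slide 39 shows the relationship part of a Word document whose attached template points at a `file://` target. When such a document is opened, Word fetches the template over SMB and the client attempts to authenticate to the remote host, which is how the "credential capture" on slide 38 works without any malware on the endpoint. The Python below is an added example, not code from the talk: it unpacks a `.docx` and flags every relationship marked `External` whose target is a `file://` URL or UNC path. It scans every `.rels` part rather than only `word/_rels/settings.xml.rels`, so the same check also covers external image, OLE or hyperlink targets. The sample document is constructed in memory and `203.0.113.5` is a documentation address, not an indicator from the talk.

```python
"""Flag Office documents whose relationship parts point at external
file:// or UNC targets (the remote-template trick from slide 39).

Added example, not from the talk. The sample .docx is constructed in
memory; 203.0.113.5 is a documentation address, not a real indicator."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
# file:// URLs and \\host\share UNC paths both make Office reach out over SMB.
SMB_TARGET = re.compile(r"^(file:|\\\\)", re.IGNORECASE)


def external_smb_targets(docx_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (rels_part, target) for each relationship in the package that is
    marked External and points at a file:// URL or UNC path.

    Every *.rels part is inspected, not just word/_rels/settings.xml.rels, so
    the check also covers external image, OLE and hyperlink targets.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and SMB_TARGET.match(target):
                    hits.append((name, target))
    return hits


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Construct a minimal .docx in memory (sample input, not a real document).

    When template_target is given, word/_rels/settings.xml.rels carries an
    attachedTemplate relationship to it, the layout shown on slide 39.
    """
    settings_rels = f'<Relationships xmlns="{REL_NS}">'
    if template_target is not None:
        settings_rels += (f'<Relationship Id="rId1" Type="{OFFICE_REL}/attachedTemplate" '
                          f'Target="{template_target}" TargetMode="External"/>')
    settings_rels += "</Relationships>"

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        # An internal relationship (no TargetMode) must never be flagged.
        pkg.writestr("word/_rels/document.xml.rels",
                     f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                     f'Type="{OFFICE_REL}/settings" Target="settings.xml"/></Relationships>')
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/settings.xml", "<settings/>")
        pkg.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    benign = build_sample_docx(None)
    suspicious = build_sample_docx("file://203.0.113.5/share/Normal.dotm")
    print("benign:", external_smb_targets(benign))          # []
    print("suspicious:", external_smb_targets(suspicious))
```

Because the check keys on `TargetMode="External"` plus the scheme rather than on a particular IP or host name, it keeps working when the adversary rotates the share host, which is exactly the atomic-versus-behavioral distinction slides 25 and 29 draw: the `file://` relationship is the behavior, the host in it is the disposable indicator.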
  40. • DYMALLOY:
        • US, Europe, Turkey
        • Broad ICS targeting
      • ALLANITE:
        • US, UK and possibly Ireland
        • Energy sector
  41. • DYMALLOY and ALLANITE look substantially different from each other
      • May be related; one may be an evolution of the other
      • BUT based on available evidence, they are not the same
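Slide 33 gives the rule for telling activity groups apart (two or more Diamond Model vertices with no shared evidence), and slides 37 through 41 apply it to the two TTP summaries, contrasted there as DYMALLOY and ALLANITE. The Python below is an added example, not part of the talk: it aggregates behavior-level features per vertex, treats a vertex with no evidence on either side (the abstracted adversary of slide 23) as neither shared nor distinct, and reports which vertices separate two intrusion sets. The intrusion records are my own hand-coded summaries of the features listed on slides 37, 38 and 40; they are constructed inputs, not real observations, and the feature vocabulary (`custom-rat`, `us:ics` and so on) is an assumption of this example.

```python
"""Differentiate activity groups on Diamond Model evidence.

Added example, not from the talk. Applies the rule from slide 33: two sets
of intrusions are tracked as separate activity groups when two or more
vertices (adversary, infrastructure, capability, victim) share no
behavioral feature.
"""
from typing import Dict, Iterable, Set

VERTICES = ("adversary", "infrastructure", "capability", "victim")
Profile = Dict[str, Set[str]]


def profile(intrusions: Iterable[dict]) -> Profile:
    """Union the behavior-level features of each vertex across intrusions.

    Atomic indicators (hashes, IPs, file names) are deliberately not part of
    the records: they change per intrusion and would make every intrusion
    look unique.
    """
    prof: Profile = {v: set() for v in VERTICES}
    for rec in intrusions:
        for v in VERTICES:
            prof[v].update(rec.get(v, ()))
    return prof


def distinct_vertices(a: Profile, b: Profile) -> Set[str]:
    """Vertices populated on both sides that share no feature.

    A vertex with no evidence on one or both sides (the 'abstracted'
    adversary of slide 23, or an intrusion with no C2 observed) is neither
    shared nor distinct, so it cannot push two groups apart.
    """
    return {v for v in VERTICES if a[v] and b[v] and not (a[v] & b[v])}


def should_split(a: Profile, b: Profile, min_distinct: int = 2) -> bool:
    """True when the groups differ on at least min_distinct vertices."""
    return len(distinct_vertices(a, b)) >= min_distinct


# Constructed records (assumption: coded by hand from the features the talk
# lists on slides 37, 38 and 40; feature names are this example's own).
DYMALLOY_INTRUSIONS = [
    {"infrastructure": {"phishing-delivery", "strategic-web-compromise"},
     "capability": {"custom-rat", "custom-backdoor", "integrated-credential-capture"},
     "victim": {"us:ics", "europe:ics"}},
    {"infrastructure": {"phishing-delivery"},
     "capability": {"custom-rat", "document-harvesting-framework"},
     "victim": {"turkey:ics"}},
]
ALLANITE_INTRUSIONS = [
    {"infrastructure": {"phishing-delivery", "strategic-web-compromise"},
     "capability": {"living-off-the-land", "smb-credential-capture", "rdp-lateral-movement"},
     "victim": {"us:electric"}},
    {"infrastructure": {"phishing-delivery"},
     "capability": {"living-off-the-land", "public-password-cracking"},
     "victim": {"uk:electric"}},
]
# The same behaviors seen again later with fresh hashes and IPs: at the
# behavior level nothing has changed, so this should fold into DYMALLOY.
DYMALLOY_LATER = [
    {"infrastructure": {"strategic-web-compromise"},
     "capability": {"custom-backdoor", "integrated-credential-capture"},
     "victim": {"europe:ics"}},
]


def compare(a: Iterable[dict], b: Iterable[dict]) -> dict:
    """Summarize which vertices separate two intrusion sets and the verdict."""
    pa, pb = profile(a), profile(b)
    return {"distinct": sorted(distinct_vertices(pa, pb)), "split": should_split(pa, pb)}


if __name__ == "__main__":
    print("DYMALLOY vs ALLANITE:", compare(DYMALLOY_INTRUSIONS, ALLANITE_INTRUSIONS))
    print("DYMALLOY vs later:  ", compare(DYMALLOY_INTRUSIONS, DYMALLOY_LATER))
```

Run as written, the first comparison separates on capability and victim while infrastructure (phishing plus strategic web compromise) is shared, which is the split slide 41 argues for; the later DYMALLOY intrusion folds back into the existing group because only its atomic indicators changed. The verdict depends on how finely features are coded (`us:ics` and `us:electric` share nothing here, a coarser coding would make them overlap), so the value of the check is that it forces the coding and the evidence to be written down and argued over, not that it is an oracle.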
  42. • Different targeting and techniques mean different responses, defense plans
      • Shift in targeting indicates change in tasking or priorities
      • Combining the two as one potentially impairs planning
  43. • Dragonfly, DYMALLOY, ALLANITE – may all be the same 'adversary' but different teams
      • Different TTPs and targeting over time require different defensive measures
      • Tracking ops teams subordinate to a larger entity
  44. • COVELLITE initially discovered September 2017
      • Targeted phishing of US electric companies
      • Review of TTPs indicated strong overlap with LAZARUS Group
  45. • 'LAZARUS Group' is increasingly a catch-all for DPRK-linked activity
      • Ranges from disruption to intelligence collection to theft
      • Active in many forms since at least 2012
  46. • Multiple technical overlaps:
        • Malicious document dropper format
        • Malware code, functionality
      • Infrastructure overlap:
        • Use of compromised, legitimate systems
        • Re-use of IPs across campaigns
  47. • Phishing with malicious document attachment
      • Embedded EXE built via macros
      • EXE beacons via fake-TLS connection to compromised C2 servers
  48. • Overlap in capabilities
      • Some unique aspects in COVELLITE:
        • Multiple beacon IPs
        • Unique variant of phishing document
      • Otherwise very similar
  49. • 'LAZARUS' simply encompasses too much activity
      • Makes tracking, identifying, and defending difficult
      • Multiple operations combined as a single group
  50. • Ensure coverage against actionable, relevant threats
      • Don't waste resources on unlikely items
      • Focus on threat model
      • LAZARUS approach is too broad in scope for meaningful defense
  51. • COVELLITE is very specific in targeting
      • Focus on electric utilities
      • Overlap in TTPs can be distinguished by uniqueness in targeting
      • Filter out TTPs related only to non-ICS LAZARUS actions
  52. • Break apart activity into component parts
      • Track what matters
      • Focus defense on what fits threat model
  53. • Break down entities:
        • Operational groups
        • Specific campaigns
        • TTP variants
      • Not all iterations will follow the same pattern
  54. • Attribution is beneficial when properly focused
      • Identifying activities provides actionable information to defenders
      • Focus on observable items avoids guesswork and assumptions
  55. Activity
      • Note observable items
      • Determine operational purpose
      • Align observations to own-network operations
      Characterization
      • Group observed activities
      • Orient to targets and perceived interests
      Definition
      • Define a group around characteristics
      • Focus on observable behavior
      • Build detection and defenses around the result