Utilize Attack Frameworks and Indicator Management
Understanding Threat Actors and Indicators of Compromise
Classifying threat actor types helps us understand their motivations and capabilities. Given the variety of actors active today, though, analysts also need structured tools to turn raw observations into useful threat intelligence. In this section, we look at frameworks for identifying, describing and sharing indicators of compromise (IoCs), the observable signs of an attempted or successful intrusion.
Threat Research
Traditionally, security tools relied on detecting malware signatures. Signature-based detection often fails against a capable adversary, because their tooling may be custom, repacked, obfuscated or simply not yet catalogued in any signature database. As a result, threat research has shifted its focus from static malware signatures to identifying and correlating IoCs. By linking multiple IoCs, analysts can recognize patterns in adversary behavior, which supports threat modeling and proactive threat hunting.
Reputational Threat Research
One way to identify threats is to attach reputation data to the indicators found in logs. Reputational threat research sources track IP addresses and DNS domains linked to malicious activity, such as sending spam or participating in DDoS attacks. An example is the Cisco Talos Reputation Center, which monitors this activity and assigns each source a reputation score ranging from good to poor. Similar services assess file reputation, keyed on the file's cryptographic hash or its code-signing certificate. A poor score is evidence rather than proof: shared hosting, CDNs and recycled cloud addresses mean one IP or domain can carry the history of many unrelated tenants, so reputation hits should be correlated with other indicators before acting on them.
Indicator of Compromise (IoC)
An indicator of compromise (IoC) is a sign that a network or asset has been attacked or is still under attack. Some IoCs are clear and easily identifiable, like a malware signature. However, many require subjective judgment based on an analyst’s experience and understanding of the organization’s systems. Because IoCs are often identified through unusual activity rather than obvious incidents, they can be interpreted in different ways. Therefore, it’s essential to correlate multiple IoCs to create a more accurate picture of what happened.
Common Indicators of Compromise
There are many types of IoCs, including:
- Unauthorized Software and Files: Programs or files that should not be on the system.
- Suspicious Emails: Emails that seem strange or contain unexpected links or attachments.
- Suspicious Registry and File System Changes: Unusual changes to the system's settings or files.
- Unknown Port and Protocol Usage: Network connections on ports or protocols that are not typical for the organization.
- Excessive Bandwidth Usage: Unexplained increases in network traffic.
- Rogue Hardware: Unauthorized devices connected to the network.
- Service Disruption and Defacement: Unexpected outages or changes to online services.
- Suspicious or Unauthorized Account Usage: Unusual activity on user accounts, such as logins from unexpected locations or at unexpected times.
Monitoring these IoCs helps in detecting potential attacks and improving security.
Behavioral Threat Research
Most threats cannot be identified by just one sign. Behavioral threat research looks at multiple IoCs together to find attack patterns. By analyzing past intrusions, researchers define the tactics, techniques, and procedures (TTPs) used in attacks. Here are some common TTP behaviors:
- DDoS Attacks: A sudden increase in traffic may indicate a distributed denial of service (DDoS) attack. Attackers often use a botnet, so the source IP addresses may come from unusual and widely scattered geographic locations.
- Viruses and Worms: Sustained high CPU or memory usage on a device with no matching workload may mean that it is infected with malware.
- Network Scanning: Repeated probes against many ports or IP addresses signal that someone is enumerating your network. This can serve as an early warning of an attack to come.
- Advanced Persistent Threats (APTs): Attackers maintain a command and control (C2) channel between the compromised host and their control server. This C2 traffic can be detected on the network if you know what to look for. Common techniques include:
  - Port Hopping: The C2 application may switch between different ports for communication. Application-aware firewalls can flag traffic whose protocol does not match the port it is using, for example non-HTTP traffic on TCP 80 or non-DNS traffic on UDP 53.
  - Fast Flux DNS: This technique rapidly changes the IP addresses linked to a domain, making it harder to block. The pattern itself can be detected: very short TTLs and a large, constantly rotating set of resolved addresses for one name.
  - Data Exfiltration: Sudden spikes in database access or large outbound transfers may indicate that data is being stolen, especially from endpoints that do not normally generate much traffic. Exfiltration may also use unusual file types or encryption that regular users do not typically use.
By studying these behaviors, security teams can better understand and respond to potential threats.
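The behaviors above only become useful when several of them are checked against the same traffic and correlated per host. The following Python is an added example, not code from the original page: it runs three of the TTP checks (port scan, regular-interval beaconing with port hopping, and outbound volume far above the fleet baseline) over a constructed, NetFlow-like record list and reports which indicators each host tripped. The flow records, addresses and thresholds are all assumptions made for the example.

```python
# Added example: correlate several behavioural indicators over flow records.
# Not code from the original page.  FLOWS is a constructed, NetFlow-like list
# (one dict per outbound connection: ts in seconds, src, dst, dport, bytes_out);
# thresholds are illustrative and should be tuned per environment.
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed traffic: 10.0.0.5 beacons every 300 s to one host while hopping
# ports and finally uploads 5 MB; 10.0.0.9 sweeps 40 ports on 10.0.0.50;
# 10.0.0.20-24 are ordinary hosts with one small HTTPS session each.
BEACON_PORTS = [443, 8443, 53, 443, 8080, 443, 53, 8443, 443, 8080, 53, 443]
FLOWS = (
    [{"ts": t, "src": "10.0.0.5", "dst": "203.0.113.10", "dport": p, "bytes_out": 600}
     for t, p in zip(range(0, 3600, 300), BEACON_PORTS)]
    + [{"ts": 3600, "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443, "bytes_out": 5_000_000}]
    + [{"ts": 100 + 3 * i + 2 * (i % 2), "src": "10.0.0.9", "dst": "10.0.0.50", "dport": 1 + i, "bytes_out": 60}
       for i in range(40)]
    + [{"ts": 50 + 700 * i, "src": f"10.0.0.{20 + i}", "dst": "198.51.100.7", "dport": 443, "bytes_out": 1500 + 400 * i}
       for i in range(5)]
)


def detect_port_scans(flows, min_ports=20):
    """One source touching many distinct ports on one destination: reconnaissance."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f["src"], f["dst"])].add(f["dport"])
    return [{"src": s, "dst": d, "ports": len(p)}
            for (s, d), p in ports.items() if len(p) >= min_ports]


def detect_beacons(flows, min_flows=8, max_jitter=0.2):
    """Regular-interval connections to one host, whatever the port: C2 beaconing.
    Jitter is the coefficient of variation of the inter-arrival times."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f)
    hits = []
    for (s, d), fl in by_pair.items():
        if len(fl) < min_flows:
            continue
        ts = sorted(f["ts"] for f in fl)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.append({"src": s, "dst": d, "interval": mean(gaps),
                         "ports": sorted({f["dport"] for f in fl})})
    return hits


def detect_exfil(flows, ratio=10.0):
    """Outbound volume far above the median host: possible exfiltration."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes_out"]
    baseline = median(totals.values())
    return [{"src": s, "bytes_out": b} for s, b in totals.items() if b > ratio * baseline]


def correlate(flows):
    """Map each host to the indicator types it tripped.  One hit is a lead;
    a host that trips several (here, beacon plus exfil) deserves priority."""
    per_host = defaultdict(list)
    for h in detect_port_scans(flows):
        per_host[h["src"]].append("scan")
    for h in detect_beacons(flows):
        per_host[h["src"]].append("beacon")
    for h in detect_exfil(flows):
        per_host[h["src"]].append("exfil")
    return dict(per_host)


if __name__ == "__main__":
    for host, indicators in correlate(FLOWS).items():
        print(host, indicators)
```

The beacon check deliberately ignores the destination port, which is what makes port hopping visible: the cadence stays regular even as the port changes. The scan in the sample is given irregular timing on purpose; a perfectly regular scan would also satisfy the beacon test, which is why a single detector is a lead and the correlated view is what an analyst should triage.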
Kill Chain
The kill chain is a model that describes the steps an attacker takes to compromise a system. The concept comes from Lockheed Martin's paper on intelligence-driven defense (lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf). Here are the main stages in the kill chain:
1. Reconnaissance: The attacker gathers information about the target. They look for methods to attack without being noticed. This can involve both passive research and active scanning of the network to find weaknesses. The goal is to identify potential exploits and set up resources for the attack, often using a botnet to hide their true location.
2. Weaponization: The attacker combines a piece of code (the payload) that allows access with an exploit that takes advantage of a vulnerability in the target system.
3. Delivery: The attacker transmits the weaponized code to the target, for example as an email attachment, through a website, or on USB media.
4. Exploitation: The weaponized code is executed on the target system. For instance, a phishing email might trick the user into running the code, or the code might automatically run on an unprotected system.
5. Installation: This step involves installing tools that allow the attacker to maintain access to the target system.
6. Command and Control (C2): The code creates a connection to a remote server, allowing the attacker to control the system and possibly download more tools.
7. Actions on Objectives: Finally, the attacker uses their access to collect data from the target system and send it to another location. They may have other goals as well.
By analyzing the kill chain, security teams can develop strategies to stop attacks at each stage. For example, they can monitor website traffic to detect reconnaissance attempts, use firewalls to block delivery, and set proper permissions to hinder installation efforts.
The MITRE ATT&CK Framework
The MITRE ATT&CK Framework is a more modern way to understand how attackers operate compared to the earlier Lockheed Martin model. The Lockheed Martin model is often criticized for focusing too much on perimeter security, while many attacks today occur within networks or the cloud.
Key Features of the MITRE ATT&CK Framework
- Tactics, Techniques, and Procedures (TTPs): The framework is a curated knowledge base of adversary techniques. Each technique has a unique ID (a T-number) and is grouped under the tactic it serves, that is, the adversary's goal at that step, such as Initial Access, Persistence, or Lateral Movement. Sub-techniques refine a technique; for example T1566.001 (Spearphishing Attachment) is a sub-technique of T1566 (Phishing).
- No Fixed Sequence: Unlike the kill chain, ATT&CK does not dictate the order in which tactics are used. Analysts must rely on specific evidence to reconstruct the path of each attack.
- Comparability: Because every technique has a stable ID, the TTPs of different adversary groups can be compared directly, which helps analysts understand the various ways attackers might execute their plans.
- Multiple Matrices: There are different matrices for different environments:
  - Enterprise Matrix: Covers Windows, Linux, and macOS, along with cloud, network and container platforms.
  - Mobile Matrix: Covers techniques used against Android and iOS.
  - PRE-ATT&CK Matrix: Addressed early phases like target selection and information gathering, corresponding to reconnaissance and weaponization in the traditional kill chain. It has since been retired and folded into the Enterprise matrix as the Reconnaissance and Resource Development tactics.
For example, the technique "Drive-by Compromise" has the ID T1189 and falls under the Initial Access tactic, covering multiple operating systems. Each entry provides procedure examples (which groups and malware have used the technique), detection guidance, and mitigations.
Overall, the MITRE ATT&CK Framework helps organizations better understand and defend against modern cyber threats.
The Diamond Model of Intrusion Analysis
The Diamond Model of Intrusion Analysis helps understand and analyze cyber intrusion events. It was developed by Sergio Caltagirone, Andrew Pendergast, and Christopher Betz. The model focuses on four key features represented as the corners of a diamond:
Key Features of the Diamond Model
- Adversary: The person or group behind the attack.
- Capability: The tools and techniques the adversary uses to carry out the attack.
- Infrastructure: The systems and networks that the adversary uses to launch the attack.
- Victim: The target of the attack.
Each event can also include meta-features, such as the date and time of the incident, the phase of the kill chain it falls under, and the outcome of the attack.
Additionally, each feature is assigned a confidence level (C), which indicates how accurate the data is or how reliable the conclusions drawn from it are. This helps analysts better assess the situation and respond effectively.
Overall, the Diamond Model provides a structured way to analyze and understand intrusion events by exploring the relationships between these four core features.
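The analytic value of the model is pivoting: starting from one corner of a known event (say, a piece of infrastructure) and asking what else has been seen at the other corners. The Python below is an added example, not code from the page or from the model's authors. It stores events with the four core features plus the timestamp, kill chain phase and confidence meta-features, builds the activity thread for one victim, and pivots from a victim's unattributed events to named adversaries that share a capability or infrastructure. The events, the actor name "ACTOR-7", the victim names and the address 203.0.113.10 are all constructed.

```python
# Added example: Diamond Model events as records, with the pivoting the model is
# built for.  Not code from the page or the model's authors.  The events, the
# actor name "ACTOR-7", the victim names and 203.0.113.10 are all constructed.
from collections import defaultdict
from dataclasses import dataclass

CORE = ("adversary", "capability", "infrastructure", "victim")
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command-and-control", "actions-on-objectives"]


@dataclass(frozen=True)
class Event:
    adversary: str        # core feature ("unknown" until attributed)
    capability: str       # core feature: tool or technique
    infrastructure: str   # core feature: host, domain or relay the adversary used
    victim: str           # core feature
    timestamp: str        # meta-feature
    phase: str            # meta-feature: kill chain phase
    confidence: float     # meta-feature: analyst confidence in this event's features, 0..1


EVENTS = [
    Event("unknown", "phish-doc-macro", "mail-relay.example", "victim-a", "2024-03-01T09:00", "delivery", 0.9),
    Event("unknown", "loader-x", "203.0.113.10", "victim-a", "2024-03-01T09:30", "command-and-control", 0.8),
    Event("ACTOR-7", "loader-x", "203.0.113.10", "victim-b", "2024-02-10T14:00", "command-and-control", 0.75),
    Event("ACTOR-7", "cred-dumper", "203.0.113.10", "victim-b", "2024-02-11T08:00", "actions-on-objectives", 0.9),
]


def pivot(events, feature, value):
    """Every value of the other core features seen alongside feature == value."""
    seen = defaultdict(set)
    for e in events:
        if getattr(e, feature) == value:
            for f in CORE:
                if f != feature:
                    seen[f].add(getattr(e, f))
    return {f: sorted(v) for f, v in seen.items()}


def activity_thread(events, victim):
    """One victim's events ordered by kill chain phase, then time: the intrusion's storyline."""
    return sorted((e for e in events if e.victim == victim),
                  key=lambda e: (KILL_CHAIN.index(e.phase), e.timestamp))


def candidate_adversaries(events, victim):
    """Pivot from a victim's unattributed events, via shared capability or
    infrastructure, to named adversaries.  Each piece of evidence carries the
    lower of the two events' confidences; repeated evidence keeps the best."""
    evidence = defaultdict(dict)
    for e in activity_thread(events, victim):
        if e.adversary != "unknown":
            continue
        for feature in ("capability", "infrastructure"):
            for other in events:
                if other.adversary != "unknown" and getattr(other, feature) == getattr(e, feature):
                    key = f"{feature}={getattr(e, feature)}"
                    conf = min(e.confidence, other.confidence)
                    evidence[other.adversary][key] = max(conf, evidence[other.adversary].get(key, 0.0))
    return {adv: dict(sorted(ev.items())) for adv, ev in evidence.items()}


if __name__ == "__main__":
    print(pivot(EVENTS, "infrastructure", "203.0.113.10"))
    print(candidate_adversaries(EVENTS, "victim-a"))
```

Shared infrastructure is weaker evidence than it looks when the address belongs to a shared host or a public cloud, which is why the confidence is carried along with each link rather than the pivot being treated as an attribution on its own.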
Structured Threat Information eXpression (STIX)
Structured Threat Information eXpression (STIX) is part of a framework that helps organizations share cyber threat intelligence (CTI). It standardizes how to describe indicators of compromise (IoCs) and their relationships, making it easier to communicate and analyze threat information.
Key Features of STIX 2
- Data Format: STIX 2 objects are JSON documents (STIX 1 used XML), which makes them easy to generate, validate and consume programmatically. Every object carries a type, a unique id of the form type--UUID, and created and modified timestamps.
Key Components of STIX 2
- Observed Data: A record that particular cyber observables were seen, such as an IP address, a URL or a file, together with when and how many times they were observed.
- Indicator: A pattern over observables that is noteworthy for analysis, written in the STIX patterning language, for example [ipv4-addr:value = '203.0.113.10']. A match against the pattern is a detection.
- Attack Pattern: A description of a known adversary behavior, including its goal and how it is carried out. ATT&CK techniques are published as STIX attack-pattern objects.
- Campaign and Threat Actor: The adversary behind an attack is a Threat Actor. A Campaign groups adversary behavior over a period of time against a set of targets; an Intrusion Set groups related campaigns and resources believed to share a common owner.
- Course of Action (CoA): An action that reduces the risk of an attack or resolves a security incident.
Relationships in STIX
STIX also describes how different pieces of information relate to one another through relationship objects. Examples include:
-
Indicates: Shows a connection between an indicator and observed data.
-
Targets: Identifies what a threat actor is targeting.
-
Attributed To: Links actions to specific threat actors.
By using STIX, organizations can effectively share and analyze threat information to improve their cybersecurity posture.
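The following Python is an added example, not code from the page, OASIS or MITRE, and serves both the ATT&CK section above and this one: it builds a small STIX 2.1 bundle from plain dictionaries (no stix2 library, so it runs offline), links an indicator to the real ATT&CK technique T1189 through an attack-pattern object, walks the relationship objects to answer "which technique, campaign and actor does this indicator point at", and evaluates the indicator's pattern against the observables it was based on. The UUIDs, the actor and campaign names, the domain and the URL are constructed; the pattern evaluator is deliberately limited to equality comparisons joined by AND and OR.

```python
# Added example: a STIX 2.1 bundle built from plain dicts, with relationship
# traversal and a small pattern evaluator.  Not code from the page, OASIS or
# MITRE.  T1189 (Drive-by Compromise) is the real ATT&CK ID the page cites;
# the UUIDs, actor and campaign names, domain and URL are constructed.
import json
import re
import uuid

NOW = "2024-03-01T00:00:00.000Z"   # constructed timestamp


def sdo(stix_type, **props):
    """A STIX object with the common required properties; ids are type--UUID."""
    return {"type": stix_type, "spec_version": "2.1", "id": f"{stix_type}--{uuid.uuid4()}",
            "created": NOW, "modified": NOW, **props}


def sco(stix_type, value):
    """A STIX Cyber-observable Object (no created/modified, unlike SDOs)."""
    return {"type": stix_type, "spec_version": "2.1", "id": f"{stix_type}--{uuid.uuid4()}", "value": value}


def build_bundle():
    technique = sdo("attack-pattern", name="Drive-by Compromise",
                    external_references=[{"source_name": "mitre-attack", "external_id": "T1189",
                                          "url": "https://attack.mitre.org/techniques/T1189"}])
    actor = sdo("threat-actor", name="Hypothetical Actor 42", threat_actor_types=["crime-syndicate"])
    campaign = sdo("campaign", name="Hypothetical watering-hole campaign")
    domain = sco("domain-name", "news-updates.example")
    url = sco("url", "http://news-updates.example/load.js")
    observed = sdo("observed-data", first_observed=NOW, last_observed=NOW, number_observed=1,
                   object_refs=[domain["id"], url["id"]])
    indicator = sdo("indicator", name="watering-hole landing page", pattern_type="stix", valid_from=NOW,
                    pattern="[domain-name:value = 'news-updates.example' AND url:value = 'http://news-updates.example/load.js']")
    relationships = [
        sdo("relationship", relationship_type="indicates", source_ref=indicator["id"], target_ref=technique["id"]),
        sdo("relationship", relationship_type="based-on", source_ref=indicator["id"], target_ref=observed["id"]),
        sdo("relationship", relationship_type="uses", source_ref=campaign["id"], target_ref=technique["id"]),
        sdo("relationship", relationship_type="attributed-to", source_ref=campaign["id"], target_ref=actor["id"]),
    ]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [technique, actor, campaign, domain, url, observed, indicator, *relationships]}


def related(bundle, obj_id, rel_type, reverse=False):
    """Objects joined to obj_id by rel_type, following the edge backwards if reverse."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    near, far = ("target_ref", "source_ref") if reverse else ("source_ref", "target_ref")
    return [by_id[r[far]] for r in bundle["objects"]
            if r["type"] == "relationship" and r["relationship_type"] == rel_type and r[near] == obj_id]


def indicator_context(bundle, indicator):
    """Walk indicator -indicates-> attack-pattern <-uses- campaign -attributed-to-> actor."""
    techniques, campaigns, actors = [], set(), set()
    for ap in related(bundle, indicator["id"], "indicates"):
        techniques += [x["external_id"] for x in ap.get("external_references", []) if x["source_name"] == "mitre-attack"]
        for c in related(bundle, ap["id"], "uses", reverse=True):
            campaigns.add(c["name"])
            actors.update(a["name"] for a in related(bundle, c["id"], "attributed-to"))
    return {"techniques": techniques, "campaigns": sorted(campaigns), "actors": sorted(actors)}


def observed_scos(bundle, indicator):
    """The observables behind the observed-data objects the indicator is based-on."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    return [by_id[ref] for od in related(bundle, indicator["id"], "based-on") for ref in od["object_refs"]]


COMPARISON = re.compile(r"^\s*([\w-]+):([\w.-]+)\s*=\s*'([^']*)'\s*$")


def match_pattern(pattern, scos):
    """Evaluate one bracketed observation expression against a list of SCOs.
    Supports only equality comparisons joined by AND and OR (AND binds tighter,
    as in STIX); anything else raises rather than silently matching."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("expected a single [ ... ] observation expression")

    def holds(comparison):
        m = COMPARISON.match(comparison)
        if not m:
            raise ValueError(f"unsupported comparison: {comparison!r}")
        obj_type, prop, value = m.groups()
        return any(s["type"] == obj_type and s.get(prop) == value for s in scos)

    return any(all(holds(c) for c in term.split(" AND ")) for term in body[1:-1].split(" OR "))


if __name__ == "__main__":
    bundle = build_bundle()
    ind = next(o for o in bundle["objects"] if o["type"] == "indicator")
    print(json.dumps(indicator_context(bundle, ind)))
    print(match_pattern(ind["pattern"], observed_scos(bundle, ind)))
```

The same traversal works unchanged on MITRE's own ATT&CK STIX bundles, because there the technique is an attack-pattern with an external reference of source_name "mitre-attack", and groups and software are joined to it by "uses" relationships. For production pattern matching, use a full STIX pattern engine; the evaluator here exists to show what an indicator pattern means, not to replace one.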
Trusted Automated eXchange of Indicator Information (TAXII)
TAXII is a protocol designed to help share cyber threat intelligence (CTI) data securely over the internet. It works alongside STIX, which provides the structure for the data itself.
Key Features of TAXII
- Data Transmission: TAXII carries CTI between clients and servers over HTTPS, so transport-layer TLS, rather than the STIX content itself, provides confidentiality and integrity in transit.
- REST API: It uses a RESTful HTTP API with its own media type (application/taxii+json;version=2.1 for TAXII 2.1), making it easy for applications to interact with the data.
- Data Access:
  - Collection: A server-hosted set of objects that clients poll. Clients can request only objects added after a given time and page through large result sets.
  - Channel: Intended for pushing data to subscribers without their having to request it. The TAXII 2.x specifications reserve Channels for a future version, so in practice exchange is collection-based polling.
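The exchange a client actually performs against a collection, as an added Python example that is not code from the page or from OASIS: it sends the TAXII 2.1 Accept header, follows the envelope's more/next pagination until the server reports the page set complete, and keeps the X-TAXII-Date-Added-Last header as the checkpoint for the next poll's added_after filter. There is no live server; FakeTaxiiServer is a constructed in-memory stand-in that answers the same URLs a real API root would, so the client logic runs offline. The host, API root, collection id and the objects it serves are hypothetical.

```python
# Added example: the TAXII 2.1 request/response exchange for polling a
# collection, with pagination.  Not code from the page or OASIS.  There is no
# live server: FakeTaxiiServer is a constructed in-memory stand-in that answers
# the URLs a real TAXII 2.1 API root would, so the client runs offline.  The
# host, API root, collection id and objects are hypothetical.
from urllib.parse import parse_qs, urlencode, urlparse

TAXII_MEDIA = "application/taxii+json;version=2.1"
API_ROOT = "https://taxii.example/api1/"
COLLECTION = "91a7b528-80eb-42ed-a74d-c6fbd5a26116"   # constructed collection id

# Constructed (date_added, STIX object) pairs, oldest first.  date_added is
# server-side metadata, which is why it is kept beside the object, not in it.
SERVER_ENTRIES = [
    (f"2024-03-0{i}T00:00:00.000Z",
     {"type": "indicator", "spec_version": "2.1",
      "id": f"indicator--0000000{i}-0000-4000-8000-000000000000",
      "created": f"2024-03-0{i}T00:00:00.000Z", "modified": f"2024-03-0{i}T00:00:00.000Z",
      "pattern_type": "stix", "valid_from": f"2024-03-0{i}T00:00:00.000Z",
      "pattern": f"[ipv4-addr:value = '203.0.113.{i}']"})
    for i in range(1, 6)
]


class FakeTaxiiServer:
    """Answers discovery, collection listing and a paginated objects endpoint
    in the envelope shape TAXII 2.1 uses ({"more", "next", "objects"})."""

    def __init__(self, entries, page_size=2):
        self.entries = entries
        self.page_size = page_size

    def get(self, url, headers):
        if headers.get("Accept") != TAXII_MEDIA:
            return 406, {}, {"title": "Not Acceptable"}
        u = urlparse(url)
        query = parse_qs(u.query)
        ok = {"Content-Type": TAXII_MEDIA}
        if u.path == "/taxii2/":
            return 200, ok, {"title": "Example server", "api_roots": [API_ROOT]}
        if u.path == "/api1/collections/":
            return 200, ok, {"collections": [{"id": COLLECTION, "title": "IoCs", "can_read": True, "can_write": False}]}
        if u.path == f"/api1/collections/{COLLECTION}/objects/":
            after = query.get("added_after", [""])[0]
            start = int(query.get("next", ["0"])[0])
            matching = [e for e in self.entries if e[0] > after]
            page = matching[start:start + self.page_size]
            more = start + self.page_size < len(matching)
            body = {"more": more, "objects": [obj for _, obj in page]}
            if more:
                body["next"] = str(start + self.page_size)
            headers_out = dict(ok)
            if page:
                headers_out["X-TAXII-Date-Added-Last"] = page[-1][0]
            return 200, headers_out, body
        return 404, ok, {"title": "Not Found"}


def poll_collection(get, api_root, collection_id, added_after=None):
    """Fetch every object in a collection, following more/next, and return the
    objects plus the last date_added seen (persist it as the next added_after)."""
    base = f"{api_root}collections/{collection_id}/objects/"
    params = {"added_after": added_after} if added_after else {}
    objects, last_added = [], added_after
    while True:
        url = base + ("?" + urlencode(params) if params else "")
        status, headers, body = get(url, {"Accept": TAXII_MEDIA})
        if status != 200:
            raise RuntimeError(f"TAXII request failed: {status} {body.get('title')}")
        if not headers.get("Content-Type", "").startswith("application/taxii+json"):
            raise RuntimeError("server did not answer with a TAXII media type")
        objects.extend(body.get("objects", []))
        last_added = headers.get("X-TAXII-Date-Added-Last", last_added)
        if not body.get("more"):
            return objects, last_added
        params["next"] = body["next"]


if __name__ == "__main__":
    server = FakeTaxiiServer(SERVER_ENTRIES)
    objs, checkpoint = poll_collection(server.get, API_ROOT, COLLECTION)
    print(len(objs), "objects, checkpoint", checkpoint)
    objs, _ = poll_collection(server.get, API_ROOT, COLLECTION, added_after=checkpoint)
    print(len(objs), "new objects since checkpoint")
```

Against a real server, the `get` callable would wrap an HTTPS client with the same Accept header plus whatever authentication the server requires; the checkpoint handling is the part worth keeping, because re-polling a whole collection on every run is how feeds get rate-limited and how duplicate indicators end up in a SIEM.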
Other Threat Data Sharing Frameworks
- OpenIOC: Developed by Mandiant, OpenIOC is an XML-based format for describing and sharing indicators. Each document includes:
  - Metadata: Author, category, confidence level, and license.
  - Description: A brief explanation of the threat.
  - Detection Rules: A tree of indicator items combined with AND/OR logic that defines how to identify the threat, such as specific DNS hostnames or filename patterns.
- MISP: An open-source threat intelligence platform (originally the Malware Information Sharing Platform) for collecting, correlating and sharing structured threat information and indicators. It has its own JSON event format and can import and export STIX.
These frameworks help organizations share and analyze threat data more effectively, enhancing overall cybersecurity efforts.
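What "detection rules as logical statements" looks like in practice, as an added Python example that is not code from the page or from Mandiant: a parser for the OpenIOC indicator tree and an evaluator that applies its AND/OR operators to observables collected from a host, reporting which indicator items fired. The document below follows the OpenIOC 1.0 layout (ioc > definition > Indicator > IndicatorItem), but its ids, filename, hostname and port are constructed, as is the observables dictionary. Real feeds are untrusted input and should be parsed with defusedxml rather than the stdlib ElementTree used here.

```python
# Added example: parse an OpenIOC document and evaluate its AND/OR indicator
# tree against host observables.  Not code from the page or from Mandiant.
# The IOC below follows the OpenIOC 1.0 layout (ioc > definition > Indicator >
# IndicatorItem) but its ids, filename, hostname and port are constructed, as is
# the observables dict.  Treat real feeds as untrusted input and parse them with
# defusedxml instead of the stdlib ElementTree used here.
import re
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

OPENIOC_XML = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-ioc-1" last-modified="2024-03-01T00:00:00">
  <short_description>Constructed example: hypothetical loader</short_description>
  <description>Added for illustration only; not a real threat report.</description>
  <authored_by>example-editor</authored_by>
  <authored_date>2024-03-01T00:00:00</authored_date>
  <definition>
    <Indicator operator="OR" id="ind-root">
      <IndicatorItem id="item-file" condition="is">
        <Context document="FileItem" search="FileItem/FileName" type="mir"/>
        <Content type="string">svchosst.exe</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="ind-c2">
        <IndicatorItem id="item-dns" condition="contains">
          <Context document="DnsEntryItem" search="DnsEntryItem/Host" type="mir"/>
          <Content type="string">news-updates.example</Content>
        </IndicatorItem>
        <IndicatorItem id="item-port" condition="is">
          <Context document="PortItem" search="PortItem/remotePort" type="mir"/>
          <Content type="int">8443</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""


def load_ioc(xml_text):
    """Return (metadata, root Indicator element) for one OpenIOC document."""
    root = ET.fromstring(xml_text)
    meta = {"id": root.get("id"),
            "short_description": root.findtext("ioc:short_description", namespaces=NS)}
    return meta, root.find("ioc:definition/ioc:Indicator", NS)


def item_holds(item, observables):
    """Evaluate one IndicatorItem.  observables maps a Context search path
    (e.g. "FileItem/FileName") to the list of values collected from the host."""
    search = item.find("ioc:Context", NS).get("search")
    want = (item.find("ioc:Content", NS).text or "").strip()
    cond = item.get("condition", "is")
    values = [str(v) for v in observables.get(search, [])]
    if cond == "is":
        hit = want in values
    elif cond == "contains":
        hit = any(want in v for v in values)
    elif cond == "matches":            # regex, an OpenIOC 1.1 addition
        hit = any(re.search(want, v) for v in values)
    else:
        raise ValueError(f"unsupported condition {cond!r} on {item.get('id')}")
    negate = item.get("negate", "false").lower() == "true"   # OpenIOC 1.1 attribute
    return hit != negate


def evaluate(indicator, observables, matched):
    """Recursively apply an Indicator's AND/OR operator to its children,
    recording the ids of IndicatorItems that held in `matched`.  An Indicator
    with no children is treated as not matching, so all([]) cannot fire it."""
    results = []
    for child in indicator:
        tag = child.tag.split("}")[-1]
        if tag == "IndicatorItem":
            hit = item_holds(child, observables)
            if hit:
                matched.append(child.get("id"))
            results.append(hit)
        elif tag == "Indicator":
            results.append(evaluate(child, observables, matched))
    if not results:
        return False
    op = indicator.get("operator", "AND").upper()
    return all(results) if op == "AND" else any(results)


def scan_host(xml_text, observables):
    meta, root = load_ioc(xml_text)
    matched = []
    hit = evaluate(root, observables, matched)
    return {"ioc": meta["id"], "hit": hit, "matched_items": matched}


if __name__ == "__main__":
    # Constructed host observables: the DNS name and port together satisfy the AND branch.
    host = {"FileItem/FileName": ["explorer.exe", "notepad.exe"],
            "DnsEntryItem/Host": ["cdn.news-updates.example"],
            "PortItem/remotePort": [443, 8443]}
    print(scan_host(OPENIOC_XML, host))
```

Returning the matched item ids alongside the verdict matters for triage: a hit on the single-file branch and a hit on the DNS-plus-port branch are the same boolean but very different evidence, and the analyst should see which one fired.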