What Is Intelligence?

The last bullet point is important. Intelligence must be relevant. It does no good to look for traffic going to and from domains or IPs used by adversaries targeting industrial control systems. Those attackers likely will never target health records.

Threat Intelligence Strategy and Objectives

The starting point for developing a cyber threat intelligence program is to understand why the program is necessary and what a successful threat intelligence program looks like. The strategy and objectives can be developed once those decisions are made. Revisit the Figure 1-1 from Chapter 1, where we discussed how each component of security operations creates data points useful for one or more of the other SOC components. Threat intelligence feeds the vulnerability management where SOC members are able to understand what vulnerabilities a threat is exploiting. Continuous monitoring uses threat intelligence to improve detecting capabilities and incident response to understand the scope of an attack and ensure the attack is contained and fully eradicated. Figure 3-1 attempts to display this fact visually.

Understanding the tools, tactics, and techniques attackers employ when targeting patient information aids the construction of tactical methods for detecting attacks. At the time of this writing, many attacks suffered by healthcare providers begin with spear phishing and end with ePHI stolen from mail servers. The attackers in these scenarios use spear phishing to gain an initial foothold with the goal of finding a mail server and removing data. In this scenario, the organization first must understand how vulnerable it is to this attack scenario. This is done by confirming if email attachments containing ePHI and are present in the email server. This represents a confirmed vulnerability threats target. Next the organization can review logging and monitoring sources available for the email servers. The goal is monitoring all connections and data exfiltration attempts to that mail server.

When reviewing the definition of strategic threat intelligence in Bob Gourley’s article, “Security Intelligence at the Strategic, Operational and Tactical Level,”⁴ a threat intelligence strategy must focus on understanding the threat actors carrying out these attacks. Traits such as motivation and capabilities to carry out the attacks are gathered and analyzed so appropriate detective and response capabilities are applied. The objective is to deploy resources in such a manner that security operations make good decisions faster and resources are deployed appropriately to that end. This is done at the strategic level by taking threat intelligence and assessing it based on knowledge of the environment where ePHI is at use, in transit, and at rest.

Recorded Future refers to this process as establishing direction.⁵ This means identifying and documenting the assets and business processes that are important, understanding the impacts of a compromise, and the need for threat intelligence to help protect those assets accordingly.

Threat Intelligence in Security Operations

Threat feeds, information sharing, and intelligence gathered by entities become part of the day-to-day security operations. Often, these sources are prioritized, which factors in how CTI is consumed and disseminated. Processes for gathering, aggregating, and acting on this information are vital to robust cybersecurity operations. As threat information comes into the environment in the way of indicators, a designee on the team takes the information, analyzes it, and decides on next steps. Some intelligence is consumed tactically in the form of generating alerts. This is as simple as feeding lists of IP addresses and/or domains into a monitoring tool. Intelligence is also used to make key decisions regarding monitoring, vulnerability management, and incident response.

Sources and types of intelligence should vary with an eye on “limiting how much time the team spends collecting data” so more time is spent conducting analysis.⁶

Threat Intelligence Sources

Numerous sources of threat intelligence exist. Threat sharing groups like the Information Sharing Analysis Centers (ISACs) formed for sharing threat intelligence among similar entities. ISAC groups exist for financial and healthcare entities. Organizations can subscribe to free or paid threat feeds. Advance entities develop their own intelligence. This is done by analyzing activities detected and alerts generated by monitoring tools to understand how attackers may be approaching the organization. This can generate monitoring techniques based on current activity. Figure 3-2 lists examples of threat sharing groups, paid feeds, and free feeds SOCs can employ.

The threat sharing communities often require membership and have rules about distribution of the CTI provided. The ISAC groups denote this based on the color assigned to the alert. This is not an exhaustive list by any means but examples of each. Some offer free services and paid with additional features. These are examples.

Threat Intelligence Tactics

Threat intelligence must enrich logs and alerts generated in the environment. For instance, if an alert is generated for an outbound connection to a malicious domain, that is blacklisted. If the alert comes with additional context noting the malicious domain is active and used by an adversary targeting healthcare, the alert means much more. Any additional data informing the SOC team of contextual examples of how the indicators are used in current attacks indicates the level of quality for the intelligence and alerting.

Pyramid of Pain

Any discussion on the use of tactical threat intelligence should begin with an introduction to the Pyramid of Pain. The pyramid was introduced by David Bianco in his blog posted March 1, 2013, and updated in January 2014. He introduced the pyramid as a means of using artifacts not easily changed by attackers to detect the presence of these groups. In his blog, he demonstrates why relying on IP addresses, domain names, and file hashes quickly loses value. Monitoring capabilities designed to uncover network artifacts, host-based artifacts, software tools, and tactics, techniques, and procedures to generate alerts increases the likelihood these alerts are meaningful.⁷ Figure 3-3 shows the pyramid.

As you can see, hashes provide some value but are so trivial to change, detecting on them is not going to generate meaningful alerts. Often, by the time a list of known hashes is available, adversaries make the necessary changes to avoid detection. Getting a hash value to change is as trivial as adding a period to a string of characters.

IP addresses and domains are not much better. Most malicious domains used in phishing campaigns and for C2 communications are only a few months old. Changing these indicators takes little additional effort compared to changing file hashes.

Bianco recommends focusing the upper layers of the pyramid. Network artifacts are things like user agent strings, uri patterns, and SMTP values used during C2 communications.

Host-based artifacts include directories created, registry changes, and new services started. The blog post rates Network and Host Artifacts as “annoying” for attackers to change. Odds are detecting these events are more valuable than the items at the bottom of the pyramid.

Tools include commands entered and software/malware used by attackers. To make changes here forces attackers to go back to the drawing board, compiling and rendering new software.

Tactics are methods such as command-line use during the execution phase of an attack. Techniques are specific actions described such as downloading tools to the victim machine via the command line. Procedures are the methods attackers go through during an attack. When dissecting Deep Panda, procedures are compromising an endpoint, downloading tools via the command line, then scanning the network for other hosts available.

Feedback

The feedback process tells the team if the threat intelligence makes a difference for the security operations team. First, identifying the use of the intelligence is important and will be based on available resources. In most instances, intelligence is used for monitoring and detection, or for threat hunting. The primary objective should be to enhance detection so that if anything significant occurs, it is detected as quickly as possible. If the time and people are available, intelligence can be used to review historical logs and data to find out if the indicators existed in the environment previously. It is a historical analysis of the environment based on new information. Teams may not always have the resources available to conduct these operations, and defining the expected use up front removes the possibility of working outside the defined objectives. Entities must understand what the right intelligence is for them and how to get it. A generic feed is not going to derive much value for security operations. Once the intelligence needs are understood, it is important for the organization to make the CTI actionable, and if it is not actionable, determine if enrichment will make it actionable.

MITRE ATT&CK Framework

The ATT&CK framework¹⁰ is a knowledge base of tactics and techniques used by attackers. Several dozen attack groups are highlighted, and dynamically created dashboards are utilized for planning detection capabilities based on adversaries that organizations anticipate attacks from. The framework consists of 11 tactics and 217 techniques. The tactics include

Each tactic contains a list of techniques used to achieve attacker objectives.

Katie Nickels wrote several blogs outlining steps for getting started with ATT&CK. The first states the benefits of using such a framework vs. traditional approaches to CTI. The second focuses on specific questions to consider when designing an ATT&CK plan.

Nickels states the goal of ATT&CK is to improve how cyber threat intelligence is performed so that it is useful to entities.¹¹ ATT&CK defines CTI as the application of information about adversaries in such a way that it provides value to defenders through analysis. Nickels says having analysts read reports by vendors and collecting data points from disparate sources to develop written summaries for his or her audience is outdated and unproductive. ATT&CK does not focus on indicators of compromise like IP addresses, domains, and hashes. Like the Pyramid of Pain, the focus is on the top of the pyramid, specifically, the tip where TTPs lie.

It would not be uncommon for entities to identify two groups who pose a threat to ePHI. Viewing the data side by side allows for defending against common TTPs. Color-coding those techniques with one color, and the techniques unique to an attack group in other colors, makes analyzing these techniques easy. Then a plan for how to address monitoring and detection of these tactics and techniques can be developed. Entities can focus first on techniques used by multiple groups, getting the largest return on investment and then addressing the unique techniques. Another way of addressing the monitoring capabilities would be to focus on techniques with a larger impact to the organization’s assets. This would be determined through risk assessment and impact analysis. Figure 3-4 shows an example of the comparison Katie Nickels walked through comparing APT 3 and APT 29. The items in green are shared among the two groups, the items in yellow belong to APT 3 and items in blue belong to APT 29.

ATT&CK goes further by incorporating the capabilities of the entity. As shown in Figure 3-5, the team can see where capabilities meet the TTPs of the adversary and where work is needed to close gaps. The techniques in red are areas where the entity has a gap in defenses.

ATT&CK is flexible. While Katie Nickels provides an easy-to-use method for getting started, it by no means is the only way to use ATT&CK. The visual representation makes ATT&CK easy to view and understand. The team can color-code the techniques of concern, using colors to indicate level of concern. The level of concern usually depends on the existence of capabilities to defend against those techniques. As Nickels put in her blog, the ones in red did not have defenses available.

In her second blog introducing ATT&CK, Nickels mentions the need to have a database where indicators are stored. If one already exists, then it can be used by the entity. If one does not, then the MISP platform can be used.¹² MISP is Malware Information Sharing Platform supported by the Open Standards for Threat Information Sharing (OSINT). MISP is a platform for sharing, storing, and correlating threat intelligence indicators. These indicators include information about malware, incidents, and attackers both technical and non-technical.

Again, this platform, like ATT&CK, brings value and maturity to security operations. Automatic correlation, finding relationships between attributes and indicators from malware, and attack campaigns are example use cases. The correlation engine is capable of advanced correlations like Fuzzy hashing. This technique looks for domains that are close to yours referenced in network traffic. Often, attackers will use domains close in name to fool end users and avoid detection. Entities using MISP can choose to enable and disable attributes based on need. Data from the platform can be fed into tools like intrusion detections systems (IDS). Data exports in CSV, XML, or JSON make it possible to parse the data with relatively little effort. This also allows for bulk, batch, or ad hoc imports of indicators to monitoring tools.¹³

Walkthrough Using ATT&CK

One adversary known for targeting healthcare entities are Deep Panda (a.k.a. Black Vine) a group Symantec credited with the 2015 breaches of Anthem and Premera Blue Cross.¹⁴ A discussion of these groups and how ATT&CK can be used to prepare defenses follows.

Deep Panda/Black Vine

Deep Panda is one of the groups ATT&CK describes tactics and techniques for. Deep Panda has several aliases including

• Shell Crew

• WebMasters

• KungFu Kittens

• Pink Panther

• Black Vine

For our purposes here, the objective is identifying defenses against these attack groups. Earlier we discussed the Pyramid of Pain¹⁵ by David J. Bianco. Using the pyramid focuses security operations on ways to detect the presence of these groups. ATT&CK describes indicators located at the top of the pyramid. Much of the data describes the tools/software used and TTPs. For example, software tools used by attackers are where entities should focus detection capabilities. Detecting an attacker’s presence based on specific actions of software/tools used forces the group to find or develop new tools. This is not a trivial task, so attackers do not make changes like this very often.

With this information, detections are formulated to detect presence as quickly as possible. The software tools used by Deep Panda/Black Vine and described earlier are Derusbi, Mivast, and Sakula:

• Derusbi: This software/malware tool is used across many of the tactics: execution, privilege escalation, evasion, credential access, discovery, and collection. That is six of the ten tactics ATT&CK tracks. Derusbi also communicates via command and control.

• Mivast: This is a software/malware tool that creates a backdoor assisting attackers in persistence, privilege escalation, and lateral movement.

• Sakula: This is a Remote Administration Trojan used in execution, privilege escalation, and defense evasion. Sakula also communicates via command and control.

Black Vine ATT&CK Matrix

The tactics and techniques used by Black Vine listed as follows are found in the ATT&CK framework tactics. Figure 3-6 shows the tactics used by Deep Panda during the execution stage of the attack.¹⁶

Execution is the first phase in the attack chain developed by MITRE. A lot of activity occurs at the command line. Running commands vs. executing programs in files avoids detecting by scanning tools. Each software tool documented by ATT&CK uses the command line at some point. PowerShell is used by Deep Panda. Programs are downloaded and executed using this tool to avoid detection by file analysis tools.

There are ways to log commands executed at the command line. The ability to log commands executed is valuable when investigating endpoints of interest. Long commands and commands not normally executed by end users on an endpoint are signs of trouble. Looking for the use of Invoke-Expression, its alias iex and Net.WebClient the command line are potential indicators of nefarious behavior.

Figure 3-7 shows tactics used by Deep Panda for persistence. This part of the kill chain ensures software implants, tools, and access points survive system shutdown and reboots.

Deep Panda uses sticky keys to bypass login screens where Windows Remote Desktop is enabled. RSA reported in its Emerging Threat Profile of Shell_Crew in January 2014 that this is achieved in one of two ways: either via replacing the sethc.exe file or by making registry modifications. Once either of these techniques is implemented, the attacker only needed to hit the Shift key five times to bypass the login screen and get a shell prompt.¹⁷

Symantec’s report on the use of Mivast malware highlights changes made in the registry, specifically, HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunMicromedia.¹⁸

Web shells report¹⁹ describes the use of web shells and Deep Panda’s use during attacks. These shells are commonly used as backdoors and leverage scripting languages. Examples include ASP, ASPX, PHP, and JSP. Commonly, this is used for attackers to remotely access systems to perform malicious actions. Attackers often use these shells as the foothold into organizations during initial phases of attack. CrowdStrike found that Deep Panda used these shells as a form of persistence. Deep Panda uses Internet Control Message Protocol (ICMP) Echo Request (a.k.a. ping) for remote system discovery. Spotting ping sweeps from web servers might indicate a compromise and enumeration of the environment underway.

Privilege escalation is necessary for attacks to be successful. Deep Panda has four techniques described in Figure 3-8.

The privilege escalation techniques titled Accessibility Techniques, used by Deep Panda in Windows environments, is C:WindowsSystem32sethc.exe. attributed to Shell Crew in RSA’s Emerging Threat Profile.²⁰ Known as the sticky key backdoor, it is used against systems using Microsoft Remote Desktop Protocol (RDP). The threat profile documented by RSA describes two methods used to make this technique successful. One involves replacing the sethc.exe file and the other making modification to the registry. Security operations objectives should include evaluating capabilities that may detect registry changes like those described in RSA’s documentation.

By injecting itself into a Secure Shell (SSH) process, Derusbi can elevate privileges. SSH is used to create secure connections between servers. Administrators use this protocol often when remotely accessing servers on the network. Process injection is described in detail during the defense evasion section, but here, Derusbi injects code into memory where the SSH process instructions are located. This can allow Derusbi to capture the credentials used for that process, thus elevating privileges.

Deep Panda uses web shells for a few reasons. Web shells are key in some initial compromises, used as a persistence mechanism and a method to escalate privileges. The shell may have elevated privileges when gained, or it can be a pivot to other opportunities for privilege escalation.

Figure 3-9 shows techniques Deep Panda and its tools use to avoid detection.

Deep Panda and its software use several techniques to avoid detection. Dynamic Link Libraries (DLLs) are code libraries for use in Windows programs. DLL imports are common in malware, and here Sakula uses DLLs signed by Kaspersky and McAfee to avoid detection by these solutions.

Process injection involves injecting malicious code into memory address spaces used by legitimate processes. This allows the malicious code to use the resources meant for the use by the legitimate process making it difficult to detect the malicious process because it appears the legitimate process is running normally.

The use of PowerShell scripting and executing programs in memory, keeping scripts out of files and disk space, avoids detection. This means detection capabilities must detect the use of PowerShell. Enabling module or script block logging of PowerShell use and/or deploying Sysmon detects the use of malicious PowerShell activity.

Removing evidence by deleting files and changing timestamps in logs make the SOC’s job harder. These actions make it difficult for analysts and investigators to put together a complete picture of an attack sequence.

Like many attackers, Deep Panda moves laterally and escalates privileges by stealing credentials. Figure 3-10 highlights two tactics used by Mivast and Derusbi. Mivast steals NTLM credentials, and Derusbi steals credentials via keylogging.

New Technology LAN Manager is a security protocol designed by Microsoft. In Microsoft lingo, NT stands for New Technologies. NTLM v2 is the current version. This protocol uses a 128-bit MD4 hash to store password values on a server, usually a domain controller (DC). If the attacker obtains these hashes, they can be used to authenticate to systems through attack techniques known as pass the hash. To learn more, most pen testing books and articles contain detailed walkthroughs of these techniques. Deep Panda also used software tools to capture keystrokes. If successful, a log containing usernames and passwords can be gathered.

Figure 3-11 shows the tactics used by Deep Panda for discovery.

Just like any other attack group, Deep Panda uses resources available in the network to achieve its objectives. Either manually or using software tools, Deep Panda enumerates file systems, identifies processes running on endpoints, and uses them to its advantage. Blending in with expected processes makes it difficult to identify malicious use. Derusbi will query the registry to gather keys and values.²¹ This way, settings can be changed to aid in maintaining persistence. Other techniques include understanding if remote systems are in play – like using Windows Remote Desktop Services (RDS) or Virtual Private Networks (VPNs). Gathering information on system owners, naming conventions for endpoints, and service account usage give Deep Panda insight into understanding what administrative credentials are useful.

Figure 3-12 shows tactics used by Deep Panda to collect data.

Deep Panda uses several techniques to collect data based on the objectives of the attack. These techniques are executed by Derusbi, which FireEye also calls PHOTO in its threat research blog.²² Derusbi captures data on screens, user input, video, and audio files.

Figure 3-13 shows the command and control tactics used by Deep Panda.

Malware like the ones attributed to Black Vine need to communicate with the group’s command and control servers. This is done via application layer protocols like DNS, SMTP, HTTP, or HTTPS. Others may be used, but these techniques are most common. Common ports are sometimes used with the protocols and sometimes non-standard ports are used. Some tools associate protocols with common ports, so any traffic on port 80 is considered HTTP by the monitoring tool. Deep Panda also uses custom ports. Derusbi, ATT&CK states, does use ports 31,800 to 31,900 during command and control communication. These are raw socket connections operating as a customized protocol. A tool like Zeek would catch this technique because it looks for specific attributes in the traffic. GET and POST requests on any port will identify as HTTP and be logged by Zeek as such. Finally, Black Vine’s tactics will disguise communications using encryption.²³ Alerting on the ports used and the standard and non-standard protocols can detect the use of these techniques. Derusbi also uses custom cryptographic protocols for command and control. Deep Panda XORs the communications with a 4-byte key. There is really no way to see this artifact in any traffic analysis tools. To detect C2 communications by Deep Panda, flow data showing connections to known/current IPs and domains in use by Deep Panda is the key to detection. Finally, the fallback channels noted describe Deep Panda’s plan B move to common protocols and applications when the custom options do not work.

Other Threat Intelligence Frameworks

Other threat intelligence frameworks besides ATT&CK exist. These alternatives are used as stand-alone implementations or as complements to each other. The two detailed here are the Malware Information Sharing Platform (MISP) with integration to the ATT&CK framework and Palo Alto’s Unit 42.

Conclusion

Cyber threat intelligence (CTI) is a value-add component of security operations. The benefits derived occur if the right people and processes exist. Subscribing to a threat feed, integrating it with monitoring devices and/or a Security Incident and Event Management (SIEM) solutions, and waiting for matches to occur is a process that does not work. The Pyramid of Pain illustrates this. IP addresses, domain names, and file hashes that make up the bulk of some feeds do not trigger substantive alerts. Instead false positives abound. An IP address considered malicious six months ago may not be when seen in the network. Analysts take time investigating these false alerts taking time away from more value-added activities. Using CTI and indicators at the top of the pyramid helps enrich alerts and direct the security team toward meaningful alerts.

To get started using threat intelligence, organizations must first ensure the fundamental security processes are in place. Control frameworks such as the NIST Cybersecurity Framework and Center for Internet Security (CIS) list of 20 controls signify fundamental processes needed. Once complete, CTI adds enrichment to logging and alerting. Stakeholders must convey threat intelligence needs. Large organizations with separate duties between information security and SOC analyst teams require those operating the SOC to collect and disseminate intelligence useful to members of the security team. In small and medium organizations like most healthcare providers and business associates where individuals wear both types of hats, the intelligence gathered should augment logs and alerts.