Chapter 3. Threat Intelligence

The bad guys are out there. Whether you are aware of it or not, the bad guys are out there. They have different motivations and are after different objectives, but make no mistake. They are out there and they are after you. It seems easier to say it in a blunt manner like that because there is simply no sugarcoating the situation. Robert Mueller, former director of the FBI, in a quote often attributed to other people, famously said there are two types of companies: those who have been breached, and those who will be. He later amended this to add that this is changing: it’s no longer those who will be breached, it’s those who have been breached and those who will be again.

The reality is that the adversary today is after something. They aren’t out on the electronic joyrides that were once common. They are targeting something specific. If you had something that made them want to go after you, you will still have it if you manage to kick them out. That means you will be targeted again. You had better hope you learned lessons from your first adventure with them, so that you haven’t left the same doors open for them to stroll right back through. You are going to be attacked. That’s a certainty. You don’t have to make it easy for the attacker.

The company FireEye—through its consulting arm, FireEye Mandiant—issues a report every year called M-Trends. In the 2019 report, FireEye indicated that more than 70% of its incident response customers have had a repeat incident. This is a staggering number of companies that are getting reinfected, and very often because they didn’t learn from the first go-around. Additionally, they have not taken a look at threat intelligence and/or how to make effective use of it. We’re going to take a look at the threat landscape and what threat intelligence can offer you as part of the overall incident response process.

Threat Landscape

Broadly speaking, there are two types of adversaries you are likely to face that should be of concern to you. There is another type of adversary, but it poses a different threat that may be less troubling to you. At a minimum, the mitigation against that adversary is very different. You will often hear the term advanced persistent threat (APT). This is a term used to describe modern adversaries. The word “advanced” suggests they are using sophisticated techniques, though this is not always the case. Initially, when the term was put into use to describe these digital organizations, the groups were often using custom malware as part of their attacks. More and more, attackers are using something called commodity malware, meaning malware anyone can obtain, often by purchasing it.

Persistent is the part of the expression to be most troubled by. These are not drive-by attacks where they spray digital bullets and keep going. They are looking to move into the basement, the attic, the closets—anywhere you may not notice they are hanging around. They are bringing food, television, and a comfortable chair because they are planning to be there for a while and expect to enjoy their time. May as well settle in for a bit. The threat is self-explanatory. These are groups who are out to do something bad to you, as an organization.

The following are the adversaries you are going to run across today and, sorry to disappoint, but the kid in his room is not one of them. At least not directly, and likely not really at all:

Nation-state actors

This is more or less self-explanatory. This is a group of people who either work directly for a government, as in the case of the military, or they are sponsored/funded by the government of a country. In the case of a country like China, there are divisions in the military where the role of individuals is to break into companies. One important takeaway from this is that this is the job of people. They go to work to perform these actions. They aren’t working randomly or periodically. They go to work every day, sit at their computer, and start targeting either new companies or new systems. They may also be just showing up to extract data they had previously collected the day before.

Organized crime

Organized crime has identified these digital attacks as an easy way to make money, so they are engaged in stealing information and breaking into systems. Again, it’s important to recognize that people who are working with organized crime are engaged in this as a job. This is a business. It’s not a legitimate business, but it’s a business nonetheless. There are employees and profits.

Hacktivists

These are perhaps less concerning to some organizations because they may be little more than a nuisance. These are people, often loosely organized in groups, who have a particular viewpoint. They engage in denial of service attacks, website defacements, and other, similar activities, in order to make a point.

One reason to be aware of the organizational nature of these groups is that they behave like organizations. They have objectives, just as your business does, and they are generally motivated by a couple of factors. Because of this, it’s best to think of them as businesses. They are going to engage in these behaviors because it’s their charter. When it comes to motivations, you’ll generally find that these organizations are driven by two objectives:

Financial gain

You may think this is the sole domain of organized crime, but that’s not the case. There are many ways to obtain money from targets. One of them is to just get the money directly. This may be wire fraud—getting someone to wire money directly to an account by masquerading as an executive of the company and issuing the wire order. It may be stealing and selling information like credit card numbers. It could also be stealing credit cards and using them to obtain goods and services, which are then resold. North Korea is a nation-state actor that engages in these sorts of activities in order to fund its government, because financial sanctions against it are causing economic strain. Another common financial attack is ransomware. This isn’t always just encrypting information either. Below is a portion of an email demanding money to prevent a nonexistent video from being sent. What you don’t see in this portion is the request for $1,800 in bitcoin:

i installed a malware on the X vids (porno) web site and guess what, you visited this website to have fun (you know what i mean). While you were watching video clips, your browser started out operating as a Remote Desktop with a key logger which provided me with accessibility to your display as well as web camera. Right after that, my software program obtained your complete contacts from your Messenger, social networks, and e-mail account. after that i created a double-screen video. First part shows the video you were watching (you have a fine taste lol … ), and next part displays the recording of your web camera, yea its u.

Intellectual property theft

Some nation-states, and China is especially notorious for this, gain access to companies in order to steal intellectual property. This is done to feed state-run businesses with information that can make them more competitive on a global scale. This is perhaps best illustrated by the case of Huawei, which demonstrably used stolen Cisco source code in its own networking products to bring those products to market faster than developing all the technology and software itself would have allowed. This is a case from over 15 years ago, and there is ample evidence that China has continued to steal intellectual property from many other companies over the years. This theft isn’t always just to prop up state-run businesses so they can compete globally. Sometimes the theft is about obtaining technology and information that can enhance the infrastructure in China. Ultimately, this is probably just as much about preparing the country to be a global economic force, but it’s not directly about putting products into a company that is trying to sell those products in a global marketplace.

Monetary theft

There are many organizations that are financially motivated. This is fairly straightforward. They are looking to increase revenues for their “company.” It’s just that the company is in the business of stealing things. This may be stealing information, like credit cards and personally identifiable information (PII), and selling it off. It may be selling services like denial of service attacks or network infrastructure. This could be selling off your home system as a web server to someone who wants cheap web infrastructure. Well, your home system and thousands of other home systems. It could be as simple as demanding ransom for either data or to keep information from being leaked, as in the email discussed previously. This is also not the province entirely of organized crime. Some nation-state actors resort to stealing or extorting money in order to fund their operations.

These are the actors and their motivations. This doesn’t talk about how they operate. Just knowing who they are and what they are after will only bring you part of the way to doing something about it.

Tactics, Techniques, and Procedures

You have two goals. The first is to do what you can to protect your systems and data from being attacked. The second is to detect when your protection fails. In either case, threat intelligence is helpful. If you know how the adversary is going to behave, you can use that knowledge. Let’s say you are aware that a particular financially motivated attacker uses spoofed email messages purporting to be from your chief financial officer (CFO) to get staff members to wire money to a numbered account. Knowing that this is a threat to your organization, because your industry sector is one of those targeted by this group, you can put procedures into place to have all such requests verified by a phone call or an in-person conversation. This helps to make sure the spoofing attack won’t work. That’s using threat intelligence for prevention.

Detection also needs to be considered. Looking at tactics, techniques, and procedures (TTPs) from threat groups will give you an idea of where you should start looking for behaviors within your environment. TTPs allow you to identify activities. In order to get TTPs, though, you should be making use of a threat intelligence source. There are ways of categorizing the different TTPs, which can help you identify where to look for indications the TTPs are being used. One source is the MITRE Corporation’s ATT&CK Framework. The ATT&CK Framework defines different TTP categories, as follows:

  • Initial access

  • Execution

  • Persistence

  • Privilege escalation

  • Defense evasion

  • Credential access

  • Discovery

  • Lateral movement

  • Collection

  • Command and control

  • Exfiltration

  • Impact

You may notice there is some resemblance to the attack life cycle. One reason is that different TTPs are used in different phases of an attack. For example, spear phishing links and drive-by compromise are in the initial access category. These are not TTPs that would be used in any other phase of the attack life cycle. When you know the phase of the attack or the category of the ATT&CK Framework, you can make better decisions about where to implement your detection, as well as what priority to assign to any alert that may be generated.

Any detected TTP from a later phase, persistence for example, tells you the attacker has already gained initial access. If you notice large data transfers leaving your network, there is a possibility data is being exfiltrated. This is especially true if you see large data sizes in protocols where you shouldn’t be seeing large data amounts. This may include large Internet Control Message Protocol (ICMP) messages. If you are seeing data being sent from your network to other networks/systems, it’s time to act very quickly.
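As an added example (not from the book), the following Python flags the two situations just described in constructed flow records: ICMP flows whose average packet size is far above what echo traffic needs, and large outbound byte totals to a single external host. The flow format, the internal address range and the thresholds are assumptions you would tune for your own network.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records: src, dst, proto, bytes, packets (tab-separated).
SAMPLE_FLOWS = """\
10.0.5.23\t8.8.8.8\tICMP\t560\t8
10.0.5.23\t203.0.113.40\tICMP\t1250000\t912
10.0.7.9\t10.0.1.5\tTCP\t48000000\t31000
10.0.7.9\t198.51.100.77\tTCP\t2100000000\t1420000
10.0.3.14\t93.184.216.34\tTCP\t3400\t12
"""

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]   # assumed: your address space
ICMP_BYTES_PER_PACKET_MAX = 200     # assumed: echo requests are normally ~64-100 bytes
OUTBOUND_BYTES_MAX = 1_000_000_000  # assumed: 1 GB to a single external host

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        src, dst, proto, nbytes, npkts = line.split("\t")
        flows.append({"src": src, "dst": dst, "proto": proto,
                      "bytes": int(nbytes), "packets": int(npkts)})
    return flows

def find_exfil_candidates(flows):
    """Return (reason, src, dst) tuples for outbound flows matching either heuristic."""
    hits, outbound = [], defaultdict(int)
    for f in flows:
        if not (is_internal(f["src"]) and not is_internal(f["dst"])):
            continue  # only traffic leaving the network matters here
        if f["proto"] == "ICMP" and f["bytes"] / max(f["packets"], 1) > ICMP_BYTES_PER_PACKET_MAX:
            hits.append(("oversized-icmp", f["src"], f["dst"]))
        outbound[(f["src"], f["dst"])] += f["bytes"]  # sum per host pair across flows
    for (src, dst), total in outbound.items():
        if total > OUTBOUND_BYTES_MAX:
            hits.append(("large-outbound", src, dst))
    return hits

if __name__ == "__main__":
    for reason, src, dst in find_exfil_candidates(parse_flows(SAMPLE_FLOWS)):
        print(reason, src, "->", dst)
```

Internal-to-internal transfers are deliberately ignored, so a large copy to a file server does not fire; that is the sort of baseline decision the ATT&CK category helps you make.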

Integrating Threat Intelligence

The first step to integrating threat intelligence is to find a threat intelligence source. There are many ways to get threat intelligence. Some of them are the Information Sharing and Analysis Centers (ISACs). These are groups dedicated to sharing information, generally focused around specific industries. The Automotive ISAC is for any automotive manufacturer or supplier. One reason for having these targeted ISACs is because threat groups going after one automotive manufacturer will likely look to target other automotive manufacturers. If one company sees attack traffic, they can save a lot of hassle for other companies if they share some details of the attack. This allows the businesses to help each other. This may seem counterintuitive, but if company A shares information that helps companies C and D, company D may share information that ends up helping company A later.

There are plenty of sources for buying threat intelligence. Different sources will provide different levels of data. ThreatConnect is a service you can enroll in for free, though you’ll have limited information with the free account. Figure 3-1 shows part of the dashboard from ThreatConnect with a list of incidents and the top sources for intelligence.

[Figure image omitted]
Figure 3-1. ThreatConnect dashboard

Once you have a threat source, you need to make use of it. Intelligence isn’t much good if you aren’t implementing it. The first thing to consider is taking your threat intelligence and creating indicators of compromise (IoCs) from it. As an example, Figure 3-2 shows some indicators. What you see here is a list of IP addresses. These addresses are associated with suspicious behavior. You can implement this intelligence by adding them to your firewall rules and to your intrusion detection rules. This gives you some results in both prevention and detection.

[Figure image omitted]
Figure 3-2. Threat indicators

You shouldn’t expect that once you get threat intelligence, it’s only going to be for something happening in the future. You shouldn’t expect that the source of the threat intelligence was the first target. Assume they have gone after you previously as well. Once you have rules created, you can also go searching through your SIEM and log data to find evidence of anything that may have happened before you got the threat intelligence. If you find evidence, you can perform a broader investigation. Never assume you’ve managed to keep the bad people out.
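To make the two steps above concrete, here is an added example (not from the book, and not ThreatConnect’s own output) that turns a short indicator list into iptables drop rules and Suricata alert rules, then searches constructed firewall log lines for contact that predates the intelligence. The indicators, the log format and the SID range are assumptions.

```python
import ipaddress

# Constructed indicators (TEST-NET ranges, not real infrastructure).
INDICATORS = ["203.0.113.17", "198.51.100.0/24"]

# Constructed firewall log lines: timestamp, action, src, dst (space-separated).
SAMPLE_LOG = """\
2019-07-02T08:14:03Z ALLOW 10.0.4.12 203.0.113.17
2019-07-02T08:14:05Z ALLOW 10.0.4.12 93.184.216.34
2019-06-28T22:41:50Z ALLOW 10.0.9.3 198.51.100.209
2019-06-29T01:03:11Z DENY 10.0.9.3 192.0.2.5
"""

def parse_indicators(values):
    # Single addresses become /32 networks so hosts and ranges match the same way.
    return [ipaddress.ip_network(v, strict=False) for v in values]

def iptables_rules(nets):
    """Prevention: drop outbound traffic to each indicator."""
    return ["iptables -A OUTPUT -d %s -j DROP" % n.with_prefixlen for n in nets]

def suricata_rules(nets, base_sid=9000001):
    """Detection: alert on any traffic from the inside toward an indicator.
    SIDs must be unique; base_sid is an assumed local range."""
    return ['alert ip $HOME_NET any -> %s any (msg:"TI indicator %s"; sid:%d; rev:1;)'
            % (n.with_prefixlen, n.with_prefixlen, base_sid + i)
            for i, n in enumerate(nets)]

def search_logs(text, nets):
    """Retrospective hunt: (timestamp, src, dst) for every past contact,
    whether the firewall allowed it or not."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than abort the search
        ts, _action, src, dst = fields
        if any(ipaddress.ip_address(dst) in n for n in nets):
            hits.append((ts, src, dst))
    return hits

if __name__ == "__main__":
    nets = parse_indicators(INDICATORS)
    print("\n".join(iptables_rules(nets) + suricata_rules(nets)))
    for ts, src, dst in search_logs(SAMPLE_LOG, nets):
        print("prior contact:", ts, src, "->", dst)
```

A hit dated before the intelligence arrived (the 2019-06-28 line here) is exactly the case the paragraph warns about: the rules stop future traffic, but the earlier contact still needs an investigation.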

Threat intelligence is an important element of an overall incident response program. It’s also an important element in a complete information security program. As seen previously, you can use threat intelligence to inform your prevention and detection strategies. You can also use threat intelligence for threat hunting, which is the process of locating evidence of compromise within your environment after the fact. You may not have been able to detect something when it happened, but if you have the right log information and it’s searchable, you can identify threats within your environment and work to get those threats out of your environment.
