Incident Analysis
Outline
• Early Models of Attacks
• Indicators
• The Cyber Kill Chain
• Tactics, Techniques and Procedures
• Analysis vs Synthesis
• The OODA Loop
― Dueling OODA Loops
• Developing a Courses of Action Matrix
• The Diamond Model
― Analytic Pivoting
A Simple Model of an Attack
“THE FIVE P’S”
• Probe
• Penetrate
• Persist
• Propagate
• Plunder / Paralyze
Indicators
• Atomic indicators
― Cannot be broken down.
― Examples: IP addresses, ASN numbers, email addresses, CVE identifiers
• Computed indicators
― Derived from observed data
― Examples: hash digests of malware files, regular expressions matching observed strings
• Behavioural indicators
― Collections of atomic and computed indicators
― Examples:
“the email-attached PDF exploited CVE-2018-xxx to install a remote access trojan with MD5 xxxx. This then attempted to contact a C2 server at the hostname www.xxxx.com and if that failed, connected to a Twitter feed to wait for a new C2 hostname”
“the RAT exfiltrated a drive image by using zlib compression and then sending the data in the ID field of raw IP datagrams at the rate of 50 datagrams per second”
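The three indicator classes above can be expressed directly as matching rules, with a behavioural indicator being an ordered chain of atomic and computed ones. The following is an added example (not from the original slides) that encodes the quoted PDF/RAT/Twitter chain and runs it over a constructed event list; the hostnames, file names, sample bytes and event layout are all assumptions made for the example.

```python
import hashlib
import re
# Constructed sample RAT bytes and host/network events (not real data).
RAT_BYTES = b"constructed fake RAT sample for this example"
EVENTS = [
    {"type": "dns", "host": "www.example.com"},                          # benign noise
    {"type": "open", "path": "report.pdf", "cve": "CVE-2018-xxx"},       # exploit trigger
    {"type": "write", "path": "svchost32.exe", "md5": hashlib.md5(RAT_BYTES).hexdigest()},
    {"type": "dns", "host": "www.c2-host.invalid", "result": "NXDOMAIN"},  # C2 lookup failed
    {"type": "http", "host": "twitter.com", "uri": "/weather_updates_99"},  # fallback feed
]

class Atomic:
    """Atomic indicator: an irreducible value (IP, hostname, CVE id, ...)."""
    def __init__(self, field, value):
        self.field, self.value = field, value
    def matches(self, ev):
        return ev.get(self.field) == self.value

class Computed:
    """Computed indicator: derived from observed data (a digest or a regex)."""
    def __init__(self, field, pattern):
        self.field, self.pattern = field, re.compile(pattern)
    @classmethod
    def from_sample(cls, field, data):
        # Derive the digest indicator from the sample itself.
        return cls(field, "^" + re.escape(hashlib.md5(data).hexdigest()) + "$")
    def matches(self, ev):
        return bool(self.pattern.search(str(ev.get(self.field, ""))))

class Behavioural:
    """Behavioural indicator: an ordered sequence of atomic/computed indicators."""
    def __init__(self, name, steps):
        self.name, self.steps = name, steps
    def matches(self, events):
        """Indices of the events matching each step in order; None if incomplete."""
        hits, pos = [], 0
        for step in self.steps:
            idx = next((i for i in range(pos, len(events)) if step.matches(events[i])), None)
            if idx is None:
                return None
            hits.append(idx)
            pos = idx + 1
        return hits

# The slide's behavioural indicator: PDF exploit -> RAT install -> C2 lookup -> Twitter fallback.
PDF_RAT_CHAIN = Behavioural("pdf-rat-twitter-fallback", [
    Atomic("cve", "CVE-2018-xxx"),
    Computed.from_sample("md5", RAT_BYTES),
    Atomic("host", "www.c2-host.invalid"),
    Computed("host", r"(^|\.)twitter\.com$"),
])
```

A partial chain (for example the events before the fallback connection) returns None, which is the point of a behavioural indicator: the individual atoms are far less specific than the sequence.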
The Indicator Life Cycle
[Figure: indicator life cycle. States: Revealed, Mature, Utilized. Transitions: Report, Analyse, Leverage, Discover.]
The Cyber Kill Chain
(OR CYBER ATTACK LIFECYCLE)
The attacker needs to complete each stage of the attack to succeed. Preventing success at any stage blocks the attack (compare with the Reason Model of aviation and industrial safety).
Recon → Weaponize → Deliver → Exploit → Installation → C2 → Actions on Objectives
E. M. Hutchins, M. J. Cloppert, and R. M. Amin, ‘Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains’, in Leading Issues in Information Warfare and Security Research, vol. 1, 2011, pp. 80–106.
Stages in the Chain
• Reconnaissance
― Research, identification and selection of targets, often represented as crawling Internet websites such as conference proceedings and mailing lists for email addresses, social relationships, or information on specific technologies.
• Weaponization
― Coupling a remote access trojan with an exploit into a deliverable payload, typically by means of an automated tool (weaponizer). Increasingly, client application data files such as Adobe Portable Document Format (PDF) or Microsoft Office documents serve as the weaponized deliverable.
• Delivery
― Transmission of the weapon to the targeted environment. The three most prevalent delivery vectors for weaponized payloads by APT actors, as observed by the Lockheed Martin Computer Incident Response Team (LM-CIRT) for the years 2004-2010, are email attachments, websites, and USB removable media.
Stages in the Chain (cont)
• Exploitation
― After the weapon is delivered to the victim host, exploitation triggers the intruders’ code. Most often, exploitation targets an application or operating system vulnerability, but it could also more simply exploit the users themselves or leverage an operating system feature that auto-executes code.
• Installation
― Installation of a remote access trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment.
• Command and Control (C2)
― Typically, compromised hosts must beacon outbound to an Internet controller server to establish a C2 channel. APT malware especially requires manual interaction rather than conducting activity automatically. Once the C2 channel is established, intruders have “hands on the keyboard” access inside the target environment.
Stages in the Chain (cont)
• Actions on Objectives
― Only now, after progressing through the first six phases, can intruders take actions to achieve their original objectives. Typically, this objective is data exfiltration which involves collecting, encrypting and extracting information from the victim environment; violations of data integrity or availability are potential objectives as well. Alternatively, the intruders may only desire access to the initial victim box for use as a hop point to compromise additional systems and move laterally inside the network.
Typical techniques
Recon: Port scans, “About Us” pages, DNS zone transfers, Service enumeration
Weaponize: Powershell, Supply-chain attack, Remote access trojans
Deliver: Software updates, Malmail, Exploit public application
Exploit: DLL injection, Buffer overflow, Drive-by compromise
Installation: Logon scripts, Startup configuration, Privilege escalation
C2: Custom protocols, Domain fronting, Fallback channels
Actions on Objectives: Exfiltration, Denial of service, Data corruption
For a detailed list of tactics and techniques, see https://attack.mitre.org/.
TTPs
• Tactics, Techniques and Procedures
• Effectively, the modus operandi of cyber actors
• Used for
― Incident response
― Remediation
― Analysis
― Attribution
MITRE ATT&CK
ADVERSARIAL TACTICS, TECHNIQUES & COMMON KNOWLEDGE
• Knowledge base and model (framework) for cyber adversary behaviour
See https://attack.mitre.org/wiki/Main_Page
Analysis vs Synthesis
Late Phase Detection
Recon → Weaponize → Deliver → Exploit → Installation → C2 → Actions on Objectives (detection in the final phase; analysis covers all earlier phases)
Reconstruct and analyze earlier phases to learn adversary TTPs and block subsequent intrusions. Force adversaries to use new TTPs and increase their cost.
Earlier Phase Detection
Recon → Weaponize → Deliver → Exploit (detection) → Installation → C2 → Actions on Objectives (analysis of the phases before detection; synthesis of the phases after it)
Synthesize what might have happened – anticipate future intrusions which bypass currently effective controls. Maintain tactical advantage by implementing countermeasures faster than adversaries can evolve.
The OODA Loop
(BOYD CYCLE)
Observe → Orient → Decide → Act (and back to Observe)
Duelling OODA Loops
THE BAD GUYS KNOW THIS STUFF, TOO
Attacker:
• Observe: release of vuln information, patches
• Orient: identify vulnerability
• Decide: weaponize
• Act: deliver
Defender:
• Observe: patch releases
• Orient: applicability, operational issues (downtime), risk
• Decide: prioritize patch application
• Act: regression test patches, roll out, monitor, back out of failures
After Sager, 2015
Using the Kill Chain to Design Defences
DEFENCE IN DEPTH
• Derive a Courses of Action Matrix (from US DOD information operations (IO) doctrine, Joint Publication 3-13)
― Detect, deny, disrupt, degrade, deceive, destroy
Phase                 | Detect           | Deny         | Disrupt    | Degrade            | Deceive      | Destroy
Reconnaissance        | Web analytics    | Firewall ACL |            |                    |              |
Weaponization         | NIDS             | NIPS         |            |                    |              |
Delivery              | Vigilant user    | Proxy filter | In-line AV | Queueing           |              |
Exploitation          | HIDS             | Patch        | DEP        |                    |              |
Installation          | HIDS             | Sandboxing   | AV         |                    |              |
C2                    | NIDS             | Firewall ACL | NIPS       | Tarpit             | DNS redirect |
Actions on Objectives | Audit log & SIEM |              |            | Quality of Service | Honeypot     |
Campaign Analysis
• Goal: Identify the adversary’s TTP (tactics, techniques and procedures)
• Done through correlation between multiple intrusions across multiple kill chain phases
• Attribution of events to a specific threat actor is often not possible, but that’s not what we need anyway
• We need to evaluate the adversary’s capabilities, doctrine, objectives and limitations – particularly their persistence
Typical High-Level Tactics and Techniques
• Persistence
• Privilege Escalation
• Defence Evasion
• Credential Access
• Discovery
• Lateral Movement
• Execution
• Collection
• Exfiltration
• Command and Control
From the MITRE ATT&CK model
Persistence
• The adversary will:
― Leave back doors on as many systems as possible
― Store tools in obscure locations, e.g. printer non-volatile storage, VoIP phones
Threat Hunting
• Uses machine learning to identify patterns of indicators before
• Various techniques employed
― Classification and categorization
E.g. Bayesian classifiers, support vector machines, decision trees and forests, k-nearest neighbours, neural networks
― Anomaly detection
Statistical fitting to spot outliers
• Applications of machine learning
― Spam filtering
― Malware analysis (by features)
― Network traffic analysis
― Intrusion detection systems, intrusion prevention systems
― User behaviour analysis
Threat Intelligence
[Figure: the kill chain Recon → Weaponize → Deliver → Exploit → Installation → C2 → Actions on Objectives, contrasting threat intelligence-driven detection and blocking with classic threat detection and remediation. Post-detection analysis will reveal the earlier steps in the attack.]
The Diamond Model
• Developed from 2006 in response to emerging advanced persistent threats
• Intended as a systematic, repeatable, structured way to
― Characterize organized threats
― Track those threats as they evolved
― Distinguish between them
― Develop counter-measures
• Used by hundreds of cyber intelligence, threat intelligence and DFIR companies
• Underlies security automation ontologies, standards and protocols such as CyBox and STIX
• Internal model used by advanced tools
Events
ARE DIAMONDS
[Figure: an event as a diamond with four core vertices plus meta-features.]
Adversary
• Persona: email addresses, handles, phone numbers
• Network assets
Infrastructure
• IP addresses
• Domain names
• Email addresses
Capabilities
• Malware
• Exploits
• Hacker tools
• Stolen certificates
Victim
• Personas
• Network assets
• Email addresses
Meta-Features
• Timestamp
• Phase of killchain
• Result
• Direction (i2v, a2i, etc)
• Methodology
• Resources
The Extended Diamond Model
[Figure: the diamond with Adversary, Infrastructure, Capabilities and Victim vertices, extended with a Social-political axis between Adversary and Victim and a Technology axis between Infrastructure and Capabilities.]
Analytic Pivoting
• Extracting data elements and relating them to other data sources, using the edges of the diamond to locate other evidence of an adversary’s operations
• Victim-Centered
― Starts by analysing (potential) victim-related data, e.g. honeypots, honeynets or network services (email, etc.)
• Capability-Centered
― Analysis of TTP’s, code similarities, etc. allows pivoting from capabilities to adversary characteristics (persistence, etc.)
• Infrastructure-Centered
― Focuses on infrastructure, e.g. using WHOIS database to identify domain registrant (infrastructure-to-adversary pivot) and then identify other domains they have registered
• Adversary-Centered
― Involves monitoring the adversary directly via phone taps, implants, etc.
― Generally only available to intelligence agencies and law enforcement
Kaspersky “Red October” Analysis
• Reverse-engineer malware to identify technologies (HTTP, RC4 crypto, zlib compression), C2 servers/domains, other infrastructure
• These capabilities were then correlated with Kaspersky’s anti-virus detection database (victim-to-capability pivot) to identify “over 1000 different” associated files which were then also reverse-engineered to identify other C2 infrastructure (capability-to-infrastructure pivot)
• The C2 servers were then sinkholed to identify global victims (infrastructure-to-victim pivot)
• The victims were then classified by socio-political category (embassies, government, military, energy)
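The pivots in the Red October sequence are just walks along diamond edges, and chaining them to a fixpoint is what turns one sample into a campaign cluster. This added example (not Kaspersky's or the slides' own code) represents diamond events as records with the four core vertices and meta-features, follows the capability-to-infrastructure and infrastructure-to-victim edges, and finishes with the socio-political classification; all event values and categories are constructed for the example.

```python
# Constructed diamond events (values are illustrative, not real indicators).
# Each event records the four core vertices plus the meta-features used here.
def event(capability, infrastructure, victim, phase, direction="i2v", adversary=None):
    return {"adversary": adversary, "capability": capability, "infrastructure": infrastructure,
            "victim": victim, "phase": phase, "direction": direction}

EVENTS = [
    event("rat-a.md5", "c2-1.invalid", "embassy-x", "C2"),
    event("rat-a.md5", "c2-2.invalid", "ministry-y", "C2"),
    event("dropper-b.md5", "c2-2.invalid", "energy-z", "Installation"),
    event("rat-c.md5", "c2-3.invalid", "ministry-y", "C2"),   # unrelated activity on a shared victim
]

def pivot(events, from_vertex, value, to_vertex):
    """Follow one diamond edge: all `to_vertex` values seen with `value` at `from_vertex`."""
    return sorted({e[to_vertex] for e in events if e[from_vertex] == value and e[to_vertex]})

def expand_cluster(events, seed_capability):
    """Chain the slide's pivots: capability -> infrastructure -> capability ... to a
    fixpoint, then infrastructure -> victim for the whole cluster."""
    caps, infra = {seed_capability}, set()
    while True:
        new_infra = {i for c in caps for i in pivot(events, "capability", c, "infrastructure")}
        new_caps = {c for i in new_infra for c in pivot(events, "infrastructure", i, "capability")}
        if new_infra <= infra and new_caps <= caps:
            break   # nothing new reached: the cluster is closed
        infra |= new_infra
        caps |= new_caps
    victims = {v for i in infra for v in pivot(events, "infrastructure", i, "victim")}
    return {"capabilities": sorted(caps), "infrastructure": sorted(infra), "victims": sorted(victims)}

def classify_victims(victims, categories):
    """Group victims by socio-political category (the final step on the slide)."""
    out = {}
    for v in victims:
        out.setdefault(categories.get(v, "unknown"), []).append(v)
    return out

# Constructed socio-political categories for the sample victims.
CATEGORIES = {"embassy-x": "diplomatic", "ministry-y": "government", "energy-z": "energy"}
```

Note that the cluster is expanded only through capability and infrastructure edges, so a victim shared with unrelated activity (ministry-y and c2-3 above) does not pull that activity into the cluster.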
Other Pivots
• Socio-Political-Centered
― Correlates intrusion attempts to real-world political events, e.g. protests, phishing as fund-raising for terrorist groups, etc.
• Technology-Centered
― Investigates anomalous behaviours and traffic, e.g. in domain name system, packet headers, etc.