Leveraging TI in Incident Response/Management: Really Responding Faster
By Mike Rothman
In the introduction to our Leveraging Threat Intelligence in Incident Response/Management series we described how the world has changed since we last documented our incident response process. Adversaries are getting better and using more advanced tactics. The difficulty is compounded by corporate data escaping our control into the cloud, and the proliferation of mobile devices.
When we started talking about reacting faster back in early 2007, not many folks were talking about the futility of trying to block every attack. That is less of an issue now that the industry understands security is imperfect, and continues to shift resources to detection and response. But the problem becomes more acute as the interval between attack and exfiltration continues to decrease.
The ultimate goal of any incident management process is to contain the damage of attacks. This requires you to investigate and find the root causes of attacks faster. The words are easy, but how? Where do you look? The possible attack paths are infinite.
To really react faster you need to streamline your investigations and make the most of your resources. That starts with an understanding of what information would be of interest to attackers. From there you can identify potential adversaries and gather threat intelligence to figure out their targets and tactics. With that information you can protect yourself, look for indicators of compromise via monitoring, and streamline your response when you (inevitably) miss.
We suggest starting with adversary analysis because the attacks you will see vary greatly based on the attacker’s mission and assessment of the most likely (and easiest) way to compromise your environment.
- Evaluate the Mission: To start the process you need to learn what’s important in your environment, which leads you to identify interesting targets for attackers. This usually breaks down into a few discrete categories including intellectual property, protected customer data, and business operations information.
- Profile the Adversary: To defend yourself you will need to not only know what adversaries are likely to look for, but what kinds of tactics those attackers typically use, by type of adversary. So next figure out which categories of attacker you are likely to face. Categories include unsophisticated (uses widely available tools), organized crime, competitors, and state-sponsored. Each class has a different range of capabilities.
- Identify Likely Attack Scenarios: Based on the mission and the adversary’s general tactics, put your attacker hat on and figure out the path you would most likely take to achieve the mission. At this point the attack has already taken place (or is still in progress) and you are trying to assess and contain the damage. Hopefully investigating your proposed paths will prove or disprove your hypothesis.
Keep in mind that you don’t need to be exactly right about the scenario. You need to make assumptions about what the attacker has done, and you will not predict their actions perfectly. The objective here is to get a head start on response, which means narrowing down the investigation by focusing on specific devices and attacks.
Gathering Threat Intelligence
Armed with context on likely adversaries we can move on to intelligence gathering. This entails learning everything we can about possible and likely adversaries, profiling probable behaviors, and determining which kinds of defenses and controls make sense to address higher probability attacks. Be realistic about what you can gather yourself and what intel you may need to buy. Optimally you can devote some resources to gathering and processing intelligence on an ongoing basis based on the needs of your organization, but in the real world you may need to supplement your resources with external data sources.
Threat Intelligence Indicators
Here is a high-level overview of the general kinds of threat intelligence you are likely to leverage to streamline your incident response/management.
Malware analysis is maturing rapidly; it is now possible to quickly and thoroughly understand exactly what a malicious code sample does, and define both technical and behavioral indicators to seek out within your environment, as described in gory detail in Malware Analysis Quant. More sophisticated malware analysis is required because classical AV blacklisting is no longer sufficient in the face of polymorphic malware and other attacker tactics to defeat file signatures. Instead you will identify indicators of what malware did to a device. Malware identification has shifted from what a file looks like to what it does.
As part of your response/management process, you’ll need to identify the specific pieces of malware you’ve found on the compromised devices. You can do that via a web-based malware analysis service. You basically upload a hash of a malware file to the service – if it recognizes the malware (via a hash match), you get the analysis within minutes; if not you can then upload the whole file for a fresh analysis. These services run malware samples through proprietary sandbox environments and other analysis engines to figure out what malware does, build a detailed profile, and return a comprehensive report including specific behaviors and indicators you can search your environment for.
Malware also provides additional clues. Can you tie the malware to a specific adversary? Or at least a category of adversaries? Do you see these kinds of activities during reconnaissance, exploitation, or exfiltration? That is a useful clue to how far the attack has progressed.
Reputation data, since its emergence as a primary data source in the battle against spam, seems to have become a component of every security control. Which makes sense because entities that behave badly are likely to continue doing so. The most common reputation data is based on IP addresses, offered as a dynamic list of known bad and/or suspicious addresses. As with malware analysis, identifying an adversary helps you look for associated tactics.
Aside from IP addresses, pretty much everything within your environment can (and should) have a reputation. Devices, URLs, domains, and files, for starters. If you see traffic going to a site known to be controlled by a particular adversary, you can look for other devices communicating with that adversary. Containing the damage requires identifying and understanding all your compromised devices, and reputation can help you pinpoint them.
C&C Traffic Patterns
One specialized type of reputation which is now often a separate feed is intelligence on Command and Control (C&C) or botnet networks. These feeds track global C&C traffic and use it to pinpoint malware originators, botnet controllers, and other IP addresses and sites your devices should avoid. They also help identify likely compromised devices within your network from their communication with malware controllers. Integrating this kind of network-based threat intelligence into your investigation again provides key information about the adversary, as well as identifying devices which are clearly compromised for quarantine and further investigation.
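The pivot described in the reputation and C&C paragraphs above (match traffic against indicators, then find every other device talking to the same adversary) can be sketched as follows. This is an added example, not code from the original post; the feed layout, log layout, adversary labels, addresses and the min_confidence threshold are all constructed assumptions.

```python
import csv, io, ipaddress
from collections import defaultdict
# Constructed intel feed (assumed layout): indicator, type, adversary, confidence 0-100.
FEED_CSV = """indicator,type,adversary,confidence
203.0.113.10,ip,GROUP-A,90
198.51.100.0/28,cidr,GROUP-A,70
updates.example.net,domain,GROUP-A,85
192.0.2.77,ip,GROUP-B,40
"""
# Constructed proxy/flow records (assumed layout): time, internal source, destination.
LOG_CSV = """ts,src,dst_ip,host
2014-05-01T09:00:02Z,10.1.4.21,203.0.113.10,-
2014-05-01T09:03:40Z,10.1.4.21,198.51.100.200,www.example.org
2014-05-01T09:10:11Z,10.1.7.5,198.51.100.9,-
2014-05-01T09:12:55Z,10.2.0.88,203.0.113.200,cdn.updates.example.net
2014-05-01T09:20:00Z,10.3.3.3,192.0.2.77,-
"""

def load_feed(text):
    nets, domains = [], {}
    for row in csv.DictReader(io.StringIO(text)):
        meta = (row["adversary"], int(row["confidence"]))
        if row["type"] == "domain":
            domains[row["indicator"].lower()] = meta
        else:  # a single IP parses as a /32 network
            nets.append((ipaddress.ip_network(row["indicator"]), meta))
    return nets, domains

def match(rec, nets, domains):
    ip = ipaddress.ip_address(rec["dst_ip"])
    for net, meta in nets:
        if ip in net:
            return meta
    # Try the host and each parent domain so subdomains of an indicator also hit.
    labels = rec["host"].lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        meta = domains.get(".".join(labels[i:]))
        if meta:
            return meta
    return None

def scope_by_adversary(feed_text, log_text, min_confidence=60):
    """Map adversary -> sorted internal hosts seen talking to its indicators."""
    nets, domains = load_feed(feed_text)
    hosts = defaultdict(set)
    for rec in csv.DictReader(io.StringIO(log_text)):
        hit = match(rec, nets, domains)
        if hit and hit[1] >= min_confidence:
            hosts[hit[0]].add(rec["src"])
    return {adv: sorted(srcs) for adv, srcs in hosts.items()}
```

Calling scope_by_adversary(FEED_CSV, LOG_CSV) on the constructed data returns the three internal hosts tied to GROUP-A; the low-confidence GROUP-B indicator drops out at the default threshold and only appears when min_confidence is lowered.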
Most advanced attacks seem to start with a simple email. Given the ubiquity of email and the ease of adding links to messages, attackers typically use email as the path of least resistance to a foothold in your environment. Isolating and analyzing phishing attack email can yield a ton of information about attackers and their tactics.
In our Email-based Threat Intelligence paper, we used a Who, What, Where, and When approach to gather this kind of intelligence. Identifying the adversary (who) yields a ton of information about motive and tactics. Understanding what was attacked and how tells you whether they used a standard kit or custom malware. You can also evaluate where the phishing message compromised the user for additional context about the attacker’s current botnets. Finally, assessing when the attack happened and how it has evolved can provide clues to what they will do next. Again, you don’t need to be right the first time, but guesses provide a place to start looking.
This is just a short summary of the kinds of threat intel at your disposal. If you would like to learn more, we offer research on Building an Early Warning System, Network-based Threat Intelligence, and Email-based Threat Intelligence for much more detail on specific data sources and indicators to look for.
That all sounds good, right? You just hit the EZ button, gather some threat intelligence, and find the attackers in a hot minute, leaving plenty of time for golf. Uh, not so much. Threat intelligence is an emerging capability with an emerging practice of incident response/management. So there are a few challenges to operationalizing this kind of approach:
- Aggregating the data: Where do you collect the intel? You already have systems that can and should automatically integrate intelligence, and use it within rules or an analytics engine. The more automation applied the better you can handle the urgency of incident management.
- Analyzing the data: How do you know what’s important, among the massive amount of data at your disposal? You need to continue refining your rules and tuning your intel feed. As you leverage intel within real responses you will get a feel for what works and what isn’t so useful, and opportunities to refine the data and your process. You can also leverage intel providers’ analysis of customer data for ideas about where to focus.
- Actionable data: This relates directly to intel aggregation, taking it to the next level, where tools can automatically search the environment based on intelligence feeds to identify attack indicators – perhaps even before the attacker goes operational. Existing tools like SIEMs, network operations devices, and even GRC-type reporting environments can (and should) leverage this intel, as they may all be used during investigation. You will want your forensics tools to play along, with the ability to leverage the intel as well.
- False positives/false flags: Finally, we should warn you that threat intel is still more art than science. See if your intel provider can offer some type of prioritization or ranking of alerts. Then you can decide to use the most urgent intel more and earlier. Another buyer beware aspect of threat intel is disinformation. Many adversaries shift, using tactics associated with other adversaries to confuse you. That is another reason it is important to not just profile an adversary, but cross-reference them with information you have to make sure that specific adversary would have an interest in your environment.
Our next post will flesh these concepts out a bit, delving into how the incident response/management process should evolve to leverage threat intelligence most effectively.