Network-based Threat Intelligence: Understanding the Kill ChainBy Mike Rothman
Our recently published Early Warning paper put forth the idea of leveraging external threat intelligence to better utilize internal data collection, further shortening the window between weaponized attack and ability to detect said attack. But of course, the Devil is in the details and taking this concept to reality means delving into actually putting these ideas into practice. There are number of different types of “threat intelligence” that can (and should) be utilized in an Early Warning context. We’ve already documented a detailed process map and metric model to undertaking malware analysis (check out our Malware Analysis Quant research). Being able to identify and search for those specific indicators of compromise on your devices can be invaluable to determine the extent of an outbreak.
But what can be done to identify malicious activity, if you don’t have the specific IoCs for the malware in question? That’s when we can look at the network to yield information about what may be a problem, even if the controls on the specific device fail. Why look at the network? Obviously it’s very hard to stage attacks, move laterally within an organization, and achieve the objective of data exfiltration without relying on the network.
This means the attackers will necessarily leave a trail of bits on the network, which can provide a powerful indication of the kinds of attacks you’re seeing and which devices on your network are already compromised. In Network-based Threat Intelligence: Searching for the Smoking Gun, we’ll going to dig into these network-based indicators and share tactics to leverage these indicators quickly to identify compromised devices. Hopefully shortening this detection window helps to contain imminent damage and prevent data loss. Finally we’ll discuss how this approach allows you to iterate towards a true Early Warning System.
We’d like to thank our friends at Damballa for licensing the content at the end of the project, but as always we’ll be developing the research independently in accordance with our Totally Transparent Research methodology.
With that pre-amble done, in order to understand how to detect signs of malware on your network, you need to understand how malware gains a presence in a network, spreads within that network, and finally moves the data outside of the network. That’s become known in industry parlance as The Kill Chain.
Describing the Attack
There has been plenty of research done through the years about how malware does it’s nefarious dealings. The best description of the Kill Chain we’ve seen was done back in 2009 by Mike Cloppert, which we recommend you check out for yourself. To highlight Mike’s terminology, let’s describe (at a high level) how malware works.
- Reconnaissance: The attackers first profile their targets. Understanding how the target organization is structured, gleaning information about the control set, and assembling information that can be used in social engineering attacks.
- Weaponization: Next comes preparing malware to exploit a vulnerability on the device. This involves the R&D efforts to find these exploits, which allow the attacker to gain control of the victim’s device, and the development of a delivery system to get the exploit onto the target device.
- Delivery: Once the exploit is weaponized, it needs to be delivered to the target. This usually means some kind of effort to get the target to take an action (usually clicking on a link or using an application attack) that would render a web page to deliver the malware.
- Exploitation: This is the actual running of the exploit code on the target device to provide the attacker with control of the device. This can be a pretty complicated process and take advantage of known or unknown vulnerabilities in either the operating system or application code. Nowadays this tends to be a multi-stage process where a downloader gains control of the machine and then downloads additional exploit code. Another focus of this step is obfuscation of the attack to hide the trail of the attackers and stay below the radar.
- C2: Known nowadays as Command and Control, this is the process of the newly compromised device establishing contact with the network to receive further instructions.
- Exfiltration: Once the attackers achieve their goals of their mission, they must package up the spoils and move it to a place where they can pick it up. Again, this can be a rather sophisticated endeavor to evade detection of the stolen data leaving the organization.
There has been significant innovation in a number of the aspects of the kill chain, but overall the process remains largely the same. Let’s talk a bit about how each step in the process has evolved over the past 3 years. Let’s start with reconnaissance, since that’s become far easier now that lots of targets seem to publish their life story and sordid details on public social networks. There are tools today (like Maltego) that can automatically assemble a fairly detailed profile of a person by mining social networks. Despite the protestations of many security professionals, folks aren’t going to stop sharing their information on social networks, and that is going to make the attackers recon efforts that much easier.
In terms of weaponization, we’ve seen increasing sophistication and maturity in terms of how the exploits are developed and updated. Besides a third party market for good exploits creating a significant economic opportunity for those willing to sell their exploits, you see attackers using modern software development techniques like Agile programming, as well as undertaking sophisticated testing of the attack against not only the targets, but the majority of security software products designed to stop the attack. Finally, attackers now package up their code into “kits” foruse by anyone with a checkbook (or BitCoin account). So sophisticated malware is now within reach of unsophisticated attackers. Awesome.
In terms of the delivery step, as mentioned above, given the rapid change inherent to malware many attackers opt to deliver a very small downloader onto the compromised device. Once C&C contact is established, the downloader will receive a specific package for whatever role the attacker plans for the device. For exploitation, the continued advancement of operating system security (kudos to Microsoft in making Windows 7 and 8 much harder to exploit) the attackers have moved onto other low hanging fruit, which is application software. First they targeted the browser, but as browser security advanced the attackers moved their focus to popular applications like Java and Adobe Reader. Basically you can count on the attackers to continue to find the weakest software link on the target device.
The area of greatest advancement is command and control, which makes sense given that ongoing communication with the device is the lifeblood of the malware enterprise. Now C&C networks feature resilient, multi-tiered structures focused on survivability. When the first tier of distribution points are taken down, there seems to always be another set ready to step in, and isolating the true command and control nodes is hard. Additionally, the C&C nodes frequently hide in plain site by compromising and then leveraging legitimate web sites and domains, making it even more difficult to identify bad sites. Finally the attackers have also advanced their exfiltration tactics, now moving away from proprietary encrypted protocols to encrypt only specific files to make detection harder.
But all of these advancements only represent a point in time. By the time you read this, the attackers will already be changing tactics and evolving the efficiency of their exploits, command and control, and exfiltration. Malware is truly an arms race, and for the past few years the attackers have had the upper hand.
Building an Army
For many of the attackers, there is safety in numbers. They work to develop armies of compromised devices that can number in the hundreds of thousands to ensure they have ready access to tremendous offensive firepower when needed. The advantage of the multi-stage attack and constant communication with the compromised devices via command and control is that devices can lie dormant and/or be repurposed at any time by sending new exploit code and instructions.
Detection of these compromised devices typically involves waiting until the devices do something bad and then reacting to contain the threat. The bad news is that many of these compromised devices don’t act compromised, thus evading attempts to catch anomalous or bad behavior. Obviously this complicates detection. The good news is that with the on-demand nature of malware networks, devices need to frequently communicate with the C&C hierarchy to get updated direction. Even if the instructions from C&C are to do nothing. That means you have an opportunity to detect this C&C traffic and remediate the device, before it gets involved in something bad. It’s not exactly proactive, since the device is already compromised, but it’s much better than cleaning up the mess after the compromised device launches an attack, no?
Thus the focus on network-based threat intelligence to follow the proverbial trail of bits on the network to isolate compromised devices before they do something bad. Think Minority Report, but without the cool visualizations. In the next post, we’ll start digging into the indicators that can be found on the network and how that information can be used to determine which devices are already compromised in your environment.