The CISO’s Guide to Advanced Attacks: Intelligence, the Crystal Ball of Security
By Mike Rothman
As discussed in our first post in the CISO’s Guide to Advanced Attackers, the first step is to determine what kind of attack would have the greatest impact on your environment (most likely mission), so you can infer which kinds of adversaries you are likely to face. Armed with context on likely adversaries, we can move into the intelligence gathering phase. This involves learning everything we can about possible and likely adversaries, profiling probable behaviors, and determining which kinds of defenses and controls make sense to address the higher probabilities.
As we mentioned when wrapping up the last post, at the end of the day these are all just educated guesses. That’s why we keep using the word likely. But these guesses can be very useful for a head start on detecting advanced attacks. When you are racing the clock with an adversary in your environment, that head start can make the difference in whether key data is exfiltrated.
Master the Basics
But first there is something we neglected in the introductory post: the importance of having a strong set of security controls in place at the start of the process. Dealing with advanced attackers is not for unsophisticated or immature security organizations. The first order of business is to pick the low hanging fruit, and ensure you aren’t making it easy for attackers.
What does that mean? You need to master the basics and have good security practices implemented. We will not go into detail here – you can check out our research library for chapter and verse on security practices. Before you can address advanced attacks, you need to have already hardened key devices, implemented a strong hygiene (patch and configuration management) program, and properly segmented your network to make it difficult for attackers to get at important data. We can laugh about the futility of traditional endpoint protection, but you still need some measure of protection on key devices with access to sensitive data.
For the rest of this series we will assume (and yes, we know the hazards of assuming anything) that you are ready to deal with an advanced attacker – meaning you have a relatively mature security program in place with proper control sets. If you can’t make that kind of statement, go do that now, and you can resume reading this paper once you’re done.
Profiling the Adversary
For better or worse, the industry seems to believe that intelligence = “threat intelligence.” And the many organizations not doing much to shorten the detection cycle for advanced attacks can get away with this generalization. But threat intelligence is a subset of intelligence – to really understand your adversaries you need to go deeper than learning the indicators of compromise found in their last attack.
That means you will want to learn what they do, how they do it, where they live, what they like to do, where they were trained, the tools they use, the attacks they have undertaken, the nuances of their attack code, and their motives. Yes, that is a big list, and not many organizations are in a position to gather this kind of real intelligence on adversaries. You can check out some of the publicly available information in the APT1 report, which provides unprecedented detail about these apparently state-sponsored Chinese hackers, to get a feel for the depth of intelligence needed to seriously combat advanced attackers.
In light of the reality of limited resources and even more limited intelligence expertise, you are likely to buy this kind of intelligence or get it from buddies who have more resources and expertise. You can gather a lot of intelligence by asking the right questions within your information sharing community or talking to researchers at your strategic information security vendors. Depending on how the intelligence is packaged, you may pay or get the ability to interact with their security researchers as part of your product/service agreement.
The kind of adversary intelligence you need goes well beyond what’s published in the quarterly threat reports from all the security vendors. They tend to give away their least interesting data as bait, but they are very likely to have much more interesting data which they use for their own work – you just have to ask and possibly subscribe to get access. When we talk about how advanced attackers impact the security process at the end of this series, we will discuss how to integrate this type of adversary intelligence into your security program.
Threat Intelligence Indicators
Now that we have defined the intelligence terminology we can get into the stuff that will directly impact your security activity: the threat intelligence that has become such a hot topic in security circles. We have recently researched this topic extensively so we will highlight a bunch of it here, but we also recommend you read our papers on Building an Early Warning System, Network-based Threat Intelligence, and Email-based Threat Intelligence for a much deeper look at the specific data sources and indicators you will be looking for.
But let’s start with a high-level overview of the general kinds of threat intelligence you are likely to leverage in your efforts to deal with advanced attackers.
Malware analysis is maturing rapidly, and it is becoming common to quickly and thoroughly understand exactly what a malicious code sample does and define behavioral indicators you can search for within your environment. We described this in gory detail in Malware Analysis Quant. For now suffice it to say that you aren’t looking for a specific file – that would just take us back to AV blacklists – instead you will seek indicators of what a file did to a device. Remember, it is no longer about what malware looks like – it is now about what it does.
Fortunately a number of parties offer information services that provide data on specific pieces of malware. You can get an analysis based on a hash of a malware file, or upload a file that hasn’t been seen before. The services run malware samples through a sandbox to figure out what it does, profile it, and return a comprehensive report which includes specific behaviors and indicators.
Since its emergence as a key data source in the battle against spam, reputation data seems to have become a component of every single security control. The most popular type of reputation is based on IP addresses and provides a dynamic list of known bad and/or suspicious IP addresses. This is valuable for a bunch of uses – for example learning that a partner IP address is compromised should set off alarms, especially if that partner has a direct connection to your network.
Besides IP addresses, you can expect pretty much everything to have a reputation. Devices, URLs, domains, and files, for starters. If you have traffic going to a known bad site, weird traffic coming from a vulnerable contractor-owned device, or even a known bad file showing up when a salesperson connects to the corporate network, you know it might be a problem. If something in your environment gets a bad reputation – perhaps as a spam relay or DoS attacker – you need to know ASAP.
C&C Traffic Patterns
One specialization of reputation which is emerging as a separate intelligence feed is intelligence on command and control (C&C) traffic. These feeds track C&C traffic globally and use that information to pinpoint malware originators, botnet controllers, and other IP addresses and sites your devices should avoid. They also help to identify devices within your own environment which are likely compromised by their frequent communications with malware networks. Integrating this kind of feed with an egress-centric firewall or web filter could prevent exfiltration or enable a more aggressive monitoring stance to identify what attackers are doing.
Of course advanced attackers do not make analyzing their C&C traffic easy. They do a lot to obscure the traffic, including using compromised legitimate devices as C&C nodes to defeat reputation, and frequently changing the locations of their nodes using a variety of sophisticated Domain Generating Algorithms (DGA). So making an accurate determination about what is C&C traffic is currently a kind of black magic, but it is nonetheless a critical aspect of intelligence which you need to identify advanced attacks.
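As an added illustration (not part of the original post), here is one way to use a C&C feed to find internal devices that repeatedly talk to feed-listed destinations, as described above. The feed entries, the egress log format, and the escalation threshold of three contacts are all constructed assumptions, and the addresses come from documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed C&C feed: single addresses or CIDR blocks (documentation ranges).
CC_FEED = ["203.0.113.0/28", "198.51.100.77"]

# Constructed egress log lines: "<epoch-seconds> <internal-src> <dst> <dst-port>"
EGRESS_LOG = """\
1000 10.1.4.22 203.0.113.5 443
1020 10.1.4.31 192.0.2.10 443
1300 10.1.4.22 203.0.113.5 443
1600 10.1.4.22 203.0.113.9 443
1610 10.1.7.8 198.51.100.77 8080
1900 10.1.4.22 203.0.113.5 443
garbled line
2000 10.1.4.31 192.0.2.10 443
"""

def load_feed(entries):
    """Parse feed entries (single IPs or CIDR blocks) into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def cc_contacts(log_text, feed):
    """Return {internal_host: [(timestamp, dst), ...]} for feed-listed destinations."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the run
        ts, src, dst, _port = parts
        try:
            when, addr = int(ts), ipaddress.ip_address(dst)
        except ValueError:
            continue  # non-numeric timestamp or unparsable destination
        if any(addr in net for net in feed):
            hits[src].append((when, dst))
    return dict(hits)

def likely_compromised(hits, min_contacts=3):
    """Hosts with repeated contacts; a single hit is kept for monitoring only."""
    return sorted(h for h, events in hits.items() if len(events) >= min_contacts)

if __name__ == "__main__":
    hits = cc_contacts(EGRESS_LOG, load_feed(CC_FEED))
    for host, events in sorted(hits.items()):
        print(host, len(events), "feed-listed contacts")
    print("escalate:", likely_compromised(hits))
```

Because attackers use compromised legitimate devices as C&C nodes, a match here is a lead to investigate rather than proof of compromise, and the absence of a match proves nothing.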
Intelligence for Sale
You might figure that if you could bottle and sell intelligence, there would be an infinite market for that, right? All kidding aside, we are starting to see the development of a market for stand-alone security/threat intelligence services which offer information on attacks and malware. We also expect a thriving market for detailed research about specific attackers, sold to larger companies with the sophistication to take advantage of it, and another market selling monitoring of important people (such as executives) and critical intellectual property across the Internet. It is a combination of Big Brother watching your executives, and global DLP looking out for instances of your brand or intellectual property being misused.
That may be a comforting thought, but without a view of the broader world you will continue to fly blind and not realize you have been hit until too late. Of course until you have the ability to consume and capitalize on this kind of intelligence, any money spent on it is wasted. More sophisticated and mature security operations can start to leverage intelligence for indications of ongoing attacks within their environments. Our next post will dig into shortening the detection window by leveraging intelligence and mining existing security data.
Photo credit: “Zoltar” originally uploaded by Jonathan Reyes